MinSFI: Add loader

tests/minsfi/init_trusted.c

+/*
+ * Copyright (c) 2014 The Native Client Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "native_client/src/include/minsfi.h"
+#include "native_client/src/include/minsfi_priv.h"
+#include "native_client/src/include/nacl_assert.h"
+
+manifest init_manifest(void) {
+  manifest sb;
+  layout mem;
+
+  sb.ptr_size = 24;
+  sb.dataseg_offset = 0x1000;
+  sb.dataseg_size = 0x400;

[jvoung (off chromium), 2014/09/05 00:32:00]

Is it important that dataseg_size < page_size? (to test rounding up?)

[dbrazdil, 2014/09/05 19:41:38]

It's more the fact that dataseg_size is not page size-aligned, which
reflects what will happen with real manifests. I should put a comment
there and even make it bigger than page_size.

+
+  ASSERT_EQ(true, generate_layout(&sb, 0x1000, &mem));
+  return sb;
+}
+
+void test_valid_layout(void) {
+  unsigned page_size = 0x1000;
+  manifest sb = init_manifest();
+  layout mem;
+
+  ASSERT_EQ(true, generate_layout(&sb, page_size, &mem));
+
+  ASSERT_EQ(   0x1000, mem.dataseg.offset);
+  ASSERT_EQ(   0x2000, mem.dataseg.offset + mem.dataseg.length);
+  ASSERT_EQ(   0x3000, mem.heap.offset);
+  ASSERT_EQ( 0xFDF000, mem.heap.offset + mem.heap.length);
+  ASSERT_EQ( 0xFE0000, mem.stack.offset);
+  ASSERT_EQ(0x1000000, mem.stack.offset + mem.stack.length);
+}
+
+void test_page_size_not_pow2(void) {
+  manifest sb = init_manifest();
+  layout mem;
+
+  ASSERT_EQ(false, generate_layout(&sb, 1234, &mem));
+}
+
+void test_ptrsize_invalid(void) {
+  unsigned page_size = 0x1000;
+  manifest sb = init_manifest();
+  layout mem;
+
+  sb.ptr_size = 0;
+  ASSERT_EQ(false, generate_layout(&sb, page_size, &mem));
+
+  sb.ptr_size = 19;
+  ASSERT_EQ(false, generate_layout(&sb, page_size, &mem));
+
+  sb.ptr_size = 33;
+  ASSERT_EQ(false, generate_layout(&sb, page_size, &mem));
+}
+
+void test_dataseg_pos_invalid(void) {
+  unsigned page_size = 0x1000;
+  manifest sb = init_manifest();
+  layout mem;
+
+  /* offset not page-aligned */
+  sb.dataseg_offset = 0x1001;
+  ASSERT_EQ(false, generate_layout(&sb, page_size, &mem));
+
+  /* offset out of bounds */
+  sb.dataseg_offset = (1 << 25);

[jvoung (off chromium), 2014/09/05 00:32:00]

Maybe the "25" could have been based off sb.ptr_size instead, so that it's
easier to change.

Similar for other spots that refer to 24?

[dbrazdil, 2014/09/05 19:41:38]

Done. All of these constants are quite fragile so I was trying to avoid
adding logic into the tests and rather have the tests fail if something
changes than potentially stop testing the right thing. But I guess this
is harmless.

+  sb.dataseg_size = 0x400;
+  ASSERT_EQ(false, generate_layout(&sb, page_size, &mem));
+
+  /* end of the region out of bounds */
+  sb.dataseg_offset = 0x1000;
+  sb.dataseg_size = (1 << 24) - 0x1001;  /* gets rounded up and fails */
+  ASSERT_EQ(false, generate_layout(&sb, page_size, &mem));
+}
+
+void test_no_space_for_heap(void) {
+  unsigned page_size = 4096;
+  manifest sb = init_manifest();
+  layout mem;
+  bool ret;
+
+  /* heap size exactly one page */
+  sb.dataseg_size = (1 << 24) - sb.dataseg_offset - 35 * page_size;
+  ret = generate_layout(&sb, page_size, &mem);
+  ASSERT_EQ(true, ret);
+  ASSERT_EQ(page_size, mem.heap.length);
+
+  /* heap size less than one page. */
+  sb.dataseg_size += 1;
+  ASSERT_EQ(false, generate_layout(&sb, page_size, &mem));
+
+  /* heap size negative */
+  sb.dataseg_size += page_size;
+  ASSERT_EQ(false, generate_layout(&sb, page_size, &mem));
+}
+
+void test_invoke_sandbox(void) {
+  int i;
+  int ret_val = 0xCAFEBABE;
+
+  /* multiple invocations without destroying */
+  for (i = 0; i < 3; i++)
+    ASSERT_EQ(ret_val, minsfi_exec());
+
+  /* multiple invocations with destroying */
+  for (i = 0; i < 3; i++) {
+    ASSERT_EQ(ret_val, minsfi_exec());

[jvoung (off chromium), 2014/09/05 00:32:00]

Do you expect that sandbox base to be random/re-initialized?

[dbrazdil, 2014/09/05 19:41:38]

Possibly in the future? The extension unpacking won't do that
but having the flexibility seems like a useful thing for 
features that might come next (threads, multiple sandboxes).

+    ASSERT_EQ(true, minsfi_destroy());
+  }
+
+  /* multiple destroys without initialization */
+  for (i = 0; i < 3; i++)
+    ASSERT_EQ(true, minsfi_destroy());
+}
+
+int main(void) {
+  test_valid_layout();
+  test_page_size_not_pow2();
+  test_ptrsize_invalid();
+  test_dataseg_pos_invalid();
+  test_no_space_for_heap();
+  test_invoke_sandbox();
+  return 0;
+}