CodeGen: refactor API [1/3]

sandbox/linux/bpf_dsl/policy_compiler.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
 
 #include <errno.h>
 #include <linux/filter.h>
 #include <sys/syscall.h>
 
 #include <limits>
 
 #include "base/logging.h"
 #include "base/macros.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
 #include "sandbox/linux/bpf_dsl/policy.h"
 #include "sandbox/linux/seccomp-bpf/codegen.h"
 #include "sandbox/linux/seccomp-bpf/die.h"
 #include "sandbox/linux/seccomp-bpf/errorcode.h"
-#include "sandbox/linux/seccomp-bpf/instruction.h"
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 
 namespace sandbox {
 namespace bpf_dsl {
 
 namespace {
 
 #if defined(__i386__) || defined(__x86_64__)
@@ skipping 107 matching lines @@
       SANDBOX_DIE("We'd rather die than enable unsafe traps");
     }
   }
 
   // Assemble the BPF filter program.
   scoped_ptr<CodeGen::Program> program(new CodeGen::Program());
   gen_.Compile(AssemblePolicy(), program.get());
   return program.Pass();
 }
 
-Instruction* PolicyCompiler::AssemblePolicy() {
+CodeGen::Node PolicyCompiler::AssemblePolicy() {
   // A compiled policy consists of three logical parts:
   //   1. Check that the "arch" field matches the expected architecture.
   //   2. If the policy involves unsafe traps, check if the syscall was
   //      invoked by Syscall::Call, and then allow it unconditionally.
   //   3. Check the system call number and jump to the appropriate compiled
   //      system call policy number.
   return CheckArch(MaybeAddEscapeHatch(DispatchSyscall()));
 }
 
-Instruction* PolicyCompiler::CheckArch(Instruction* passed) {
+CodeGen::Node PolicyCompiler::CheckArch(CodeGen::Node passed) {
   // If the architecture doesn't match SECCOMP_ARCH, disallow the
   // system call.
   return gen_.MakeInstruction(
       BPF_LD + BPF_W + BPF_ABS,
       SECCOMP_ARCH_IDX,
       gen_.MakeInstruction(
           BPF_JMP + BPF_JEQ + BPF_K,
           SECCOMP_ARCH,
           passed,
           RetExpression(Kill("Invalid audit architecture in BPF filter"))));
 }
 
-Instruction* PolicyCompiler::MaybeAddEscapeHatch(Instruction* rest) {
+CodeGen::Node PolicyCompiler::MaybeAddEscapeHatch(CodeGen::Node rest) {
   // If no unsafe traps, then simply return |rest|.
   if (!has_unsafe_traps_) {
     return rest;
   }
 
   // Allow system calls, if they originate from our magic return address
   // (which we can query by calling Syscall::Call(-1)).
   uint64_t syscall_entry_point =
       static_cast<uint64_t>(static_cast<uintptr_t>(Syscall::Call(-1)));
   uint32_t low = static_cast<uint32_t>(syscall_entry_point);
@@ skipping 16 matching lines @@
               BPF_LD + BPF_W + BPF_ABS,
               SECCOMP_IP_MSB_IDX,
               gen_.MakeInstruction(
                   BPF_JMP + BPF_JEQ + BPF_K,
                   hi,
                   RetExpression(ErrorCode(ErrorCode::ERR_ALLOWED)),
                   rest)),
           rest));
 }
 
-Instruction* PolicyCompiler::DispatchSyscall() {
+CodeGen::Node PolicyCompiler::DispatchSyscall() {
   // Evaluate all possible system calls and group their ErrorCodes into
   // ranges of identical codes.
   Ranges ranges;
   FindRanges(&ranges);
 
   // Compile the system call ranges to an optimized BPF jumptable
-  Instruction* jumptable = AssembleJumpTable(ranges.begin(), ranges.end());
+  CodeGen::Node jumptable = AssembleJumpTable(ranges.begin(), ranges.end());
 
   // Grab the system call number, so that we can check it and then
   // execute the jump table.
   return gen_.MakeInstruction(
       BPF_LD + BPF_W + BPF_ABS, SECCOMP_NR_IDX, CheckSyscallNumber(jumptable));
 }
 
-Instruction* PolicyCompiler::CheckSyscallNumber(Instruction* passed) {
+CodeGen::Node PolicyCompiler::CheckSyscallNumber(CodeGen::Node passed) {
   if (kIsIntel) {
     // On Intel architectures, verify that system call numbers are in the
     // expected number range.
-    Instruction* invalidX32 =
+    CodeGen::Node invalidX32 =
         RetExpression(Kill("Illegal mixing of system call ABIs"));
     if (kIsX32) {
       // The newer x32 API always sets bit 30.
       return gen_.MakeInstruction(
           BPF_JMP + BPF_JSET + BPF_K, 0x40000000, passed, invalidX32);
     } else {
       // The older i386 and x86-64 APIs clear bit 30 on all system calls.
       return gen_.MakeInstruction(
           BPF_JMP + BPF_JSET + BPF_K, 0x40000000, invalidX32, passed);
     }
@@ skipping 22 matching lines @@
             : invalid_err;
     if (!err.Equals(old_err)) {
       ranges->push_back(Range(old_sysnum, old_err));
       old_sysnum = sysnum;
       old_err = err;
     }
   }
   ranges->push_back(Range(old_sysnum, old_err));
 }
 
-Instruction* PolicyCompiler::AssembleJumpTable(Ranges::const_iterator start,
-                                               Ranges::const_iterator stop) {
+CodeGen::Node PolicyCompiler::AssembleJumpTable(Ranges::const_iterator start,
+                                                Ranges::const_iterator stop) {
   // We convert the list of system call ranges into jump table that performs
   // a binary search over the ranges.
   // As a sanity check, we need to have at least one distinct ranges for us
   // to be able to build a jump table.
   if (stop - start <= 0) {
     SANDBOX_DIE("Invalid set of system call ranges");
   } else if (stop - start == 1) {
     // If we have narrowed things down to a single range object, we can
     // return from the BPF filter program.
     return RetExpression(start->err);
   }
 
   // Pick the range object that is located at the mid point of our list.
   // We compare our system call number against the lowest valid system call
   // number in this range object. If our number is lower, it is outside of
   // this range object. If it is greater or equal, it might be inside.
   Ranges::const_iterator mid = start + (stop - start) / 2;
 
   // Sub-divide the list of ranges and continue recursively.
-  Instruction* jf = AssembleJumpTable(start, mid);
-  Instruction* jt = AssembleJumpTable(mid, stop);
+  CodeGen::Node jf = AssembleJumpTable(start, mid);
+  CodeGen::Node jt = AssembleJumpTable(mid, stop);
   return gen_.MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf);
 }
 
-Instruction* PolicyCompiler::RetExpression(const ErrorCode& err) {
+CodeGen::Node PolicyCompiler::RetExpression(const ErrorCode& err) {
   switch (err.error_type()) {
     case ErrorCode::ET_COND:
       return CondExpression(err);
     case ErrorCode::ET_SIMPLE:
     case ErrorCode::ET_TRAP:
       return gen_.MakeInstruction(BPF_RET + BPF_K, err.err());
     default:
       SANDBOX_DIE("ErrorCode is not suitable for returning from a BPF program");
   }
 }
 
-Instruction* PolicyCompiler::CondExpression(const ErrorCode& cond) {
+CodeGen::Node PolicyCompiler::CondExpression(const ErrorCode& cond) {
   // Sanity check that |cond| makes sense.
   if (cond.argno_ < 0 || cond.argno_ >= 6) {
     SANDBOX_DIE("sandbox_bpf: invalid argument number");
   }
   if (cond.width_ != ErrorCode::TP_32BIT &&
       cond.width_ != ErrorCode::TP_64BIT) {
     SANDBOX_DIE("sandbox_bpf: invalid argument width");
   }
   if (cond.mask_ == 0) {
     SANDBOX_DIE("sandbox_bpf: zero mask is invalid");
   }
   if ((cond.value_ & cond.mask_) != cond.value_) {
     SANDBOX_DIE("sandbox_bpf: value contains masked out bits");
   }
   if (cond.width_ == ErrorCode::TP_32BIT &&
       ((cond.mask_ >> 32) != 0 || (cond.value_ >> 32) != 0)) {
     SANDBOX_DIE("sandbox_bpf: test exceeds argument size");
   }
   // TODO(mdempsky): Reject TP_64BIT on 32-bit platforms. For now we allow it
   // because some SandboxBPF unit tests exercise it.
 
-  Instruction* passed = RetExpression(*cond.passed_);
-  Instruction* failed = RetExpression(*cond.failed_);
+  CodeGen::Node passed = RetExpression(*cond.passed_);
+  CodeGen::Node failed = RetExpression(*cond.failed_);
 
   // We want to emit code to check "(arg & mask) == value" where arg, mask, and
   // value are 64-bit values, but the BPF machine is only 32-bit. We implement
   // this by independently testing the upper and lower 32-bits and continuing to
   // |passed| if both evaluate true, or to |failed| if either evaluate false.
   return CondExpressionHalf(cond,
                             UpperHalf,
                             CondExpressionHalf(cond, LowerHalf, passed, failed),
                             failed);
 }
 
-Instruction* PolicyCompiler::CondExpressionHalf(const ErrorCode& cond,
-                                                ArgHalf half,
-                                                Instruction* passed,
-                                                Instruction* failed) {
+CodeGen::Node PolicyCompiler::CondExpressionHalf(const ErrorCode& cond,
+                                                 ArgHalf half,
+                                                 CodeGen::Node passed,
+                                                 CodeGen::Node failed) {
   if (cond.width_ == ErrorCode::TP_32BIT && half == UpperHalf) {
     // Special logic for sanity checking the upper 32-bits of 32-bit system
     // call arguments.
 
     // TODO(mdempsky): Compile Unexpected64bitArgument() just per program.
-    Instruction* invalid_64bit = RetExpression(Unexpected64bitArgument());
+    CodeGen::Node invalid_64bit = RetExpression(Unexpected64bitArgument());
 
     const uint32_t upper = SECCOMP_ARG_MSB_IDX(cond.argno_);
     const uint32_t lower = SECCOMP_ARG_LSB_IDX(cond.argno_);
 
     if (sizeof(void*) == 4) {
       // On 32-bit platforms, the upper 32-bits should always be 0:
       //   LDW  [upper]
       //   JEQ  0, passed, invalid
       return gen_.MakeInstruction(
           BPF_LD + BPF_W + BPF_ABS,
@@ skipping 149 matching lines @@
                    &*conds_.insert(passed).first,
                    &*conds_.insert(failed).first);
 }
 
 ErrorCode PolicyCompiler::Kill(const char* msg) {
   return Trap(BPFFailure, const_cast<char*>(msg));
 }
 
 }  // namespace bpf_dsl
 }  // namespace sandbox