• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2017 The PDFium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef CORE_FXCRT_UNOWNED_PTR_H_
6 #define CORE_FXCRT_UNOWNED_PTR_H_
7 
8 // UnownedPtr is a smart pointer class that behaves very much like a
9 // standard C-style pointer. The advantages of using it over native T*
10 // pointers are:
11 //
12 // 1. It documents the nature of the pointer with no need to add a comment
13 //    explaining that is it // Not owned.
14 //
15 // 2. An attempt to delete an unowned ptr will fail to compile rather
16 //    than silently succeeding, since it is a class and not a raw pointer.
17 //
18 // 3. It is initialized to nullptr by default.
19 //
20 // When implemented via PartitionAlloc, additional properties apply.
21 //
22 // 4. When built using one of the dangling pointer detectors, the class
23 //    detects that the object being pointed to remains alive.
24 //
25 // 5. When built against PartitionAlloc's BRP feature, it provides the same
26 //    UaF protections as base::raw_ptr<T>
27 //
28 // Hence, when using UnownedPtr, no dangling pointers are ever permitted,
29 // even if they are not de-referenced after becoming dangling. The style of
30 // programming required is that the lifetime an object containing an
31 // UnownedPtr must be strictly less than the object to which it points.
32 //
33 // The same checks are also performed at assignment time to prove that the
34 // old value was not a dangling pointer.
35 //
36 // The array indexing operator[] is not supported on an unowned ptr,
37 // because an unowned ptr expresses a one to one relationship with some
38 // other heap object. Use pdfium::span<> for the cases where indexing
39 // into an unowned array is desired, which performs the same checks.
40 
41 #include "build/build_config.h"
42 #include "core/fxcrt/compiler_specific.h"
43 
44 #if defined(PDF_USE_PARTITION_ALLOC)
45 #include "partition_alloc/partition_alloc_buildflags.h"
46 #include "partition_alloc/pointers/raw_ptr.h"
47 
48 #if !PA_BUILDFLAG(USE_PARTITION_ALLOC)
49 #error "pdf_use_partition_alloc=true requires use_partition_alloc=true"
50 #endif
51 
52 #if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS) || \
53     PA_BUILDFLAG(USE_RAW_PTR_ASAN_UNOWNED_IMPL)
54 #define UNOWNED_PTR_DANGLING_CHECKS
55 #endif
56 
57 static_assert(raw_ptr<int>::kZeroOnConstruct, "Unsafe build arguments");
58 static_assert(raw_ptr<int>::kZeroOnMove, "Unsafe build arguments");
59 
60 template <typename T>
61 using UnownedPtr = raw_ptr<T>;
62 
63 #else  // defined(PDF_USE_PARTITION_ALLOC)
64 
65 #include <cstddef>
66 #include <functional>
67 #include <type_traits>
68 #include <utility>
69 
70 #include "core/fxcrt/unowned_ptr_exclusion.h"
71 
72 namespace fxcrt {
73 
74 template <class T>
75 class TRIVIAL_ABI GSL_POINTER UnownedPtr {
76  public:
77   constexpr UnownedPtr() noexcept = default;
78 
79   // Deliberately implicit to allow returning nullptrs.
80   // NOLINTNEXTLINE(runtime/explicit)
UnownedPtr(std::nullptr_t ptr)81   constexpr UnownedPtr(std::nullptr_t ptr) {}
82 
UnownedPtr(T * pObj)83   explicit constexpr UnownedPtr(T* pObj) noexcept : m_pObj(pObj) {}
84 
85   // Copy-construct an UnownedPtr.
86   // Required in addition to copy conversion constructor below.
87   constexpr UnownedPtr(const UnownedPtr& that) noexcept = default;
88 
89   // Move-construct an UnownedPtr. After construction, |that| will be NULL.
90   // Required in addition to move conversion constructor below.
UnownedPtr(UnownedPtr && that)91   constexpr UnownedPtr(UnownedPtr&& that) noexcept
92       : m_pObj(that.ExtractAsDangling()) {}
93 
94   // Copy-conversion constructor.
95   template <class U,
96             typename = typename std::enable_if<
97                 std::is_convertible<U*, T*>::value>::type>
UnownedPtr(const UnownedPtr<U> & that)98   UnownedPtr(const UnownedPtr<U>& that) : m_pObj(static_cast<U*>(that)) {}
99 
100   // Move-conversion constructor.
101   template <class U,
102             typename = typename std::enable_if<
103                 std::is_convertible<U*, T*>::value>::type>
UnownedPtr(UnownedPtr<U> && that)104   UnownedPtr(UnownedPtr<U>&& that) noexcept
105       : m_pObj(that.ExtractAsDangling()) {}
106 
107   // Assign an UnownedPtr from nullptr.
108   UnownedPtr& operator=(std::nullptr_t) noexcept {
109     m_pObj = nullptr;
110     return *this;
111   }
112 
113   // Assign an UnownedPtr from a raw ptr.
114   UnownedPtr& operator=(T* that) noexcept {
115     m_pObj = that;
116     return *this;
117   }
118 
119   // Copy-assign an UnownedPtr.
120   // Required in addition to copy conversion assignment below.
121   UnownedPtr& operator=(const UnownedPtr& that) noexcept = default;
122 
123   // Move-assign an UnownedPtr. After assignment, |that| will be NULL.
124   // Required in addition to move conversion assignment below.
125   UnownedPtr& operator=(UnownedPtr&& that) noexcept {
126     if (*this != that) {
127       m_pObj = that.ExtractAsDangling();
128     }
129     return *this;
130   }
131 
132   // Copy-convert assignment.
133   template <class U,
134             typename = typename std::enable_if<
135                 std::is_convertible<U*, T*>::value>::type>
136   UnownedPtr& operator=(const UnownedPtr<U>& that) noexcept {
137     if (*this != that) {
138       m_pObj = static_cast<U*>(that);
139     }
140     return *this;
141   }
142 
143   // Move-convert assignment. After assignment, |that| will be NULL.
144   template <class U,
145             typename = typename std::enable_if<
146                 std::is_convertible<U*, T*>::value>::type>
147   UnownedPtr& operator=(UnownedPtr<U>&& that) noexcept {
148     if (*this != that) {
149       m_pObj = that.ExtractAsDangling();
150     }
151     return *this;
152   }
153 
~UnownedPtr()154   ~UnownedPtr() {
155     m_pObj = nullptr;
156   }
157 
158   bool operator==(std::nullptr_t ptr) const { return m_pObj == nullptr; }
159   bool operator==(const UnownedPtr& that) const {
160     return m_pObj == static_cast<T*>(that);
161   }
162   bool operator<(const UnownedPtr& that) const {
163     return std::less<T*>()(m_pObj, static_cast<T*>(that));
164   }
165 
166   operator T*() const noexcept { return m_pObj; }
get()167   T* get() const noexcept { return m_pObj; }
168 
ExtractAsDangling()169   T* ExtractAsDangling() { return std::exchange(m_pObj, nullptr); }
ClearAndDelete()170   void ClearAndDelete() { delete std::exchange(m_pObj, nullptr); }
171 
172   explicit operator bool() const { return !!m_pObj; }
173   T& operator*() const { return *m_pObj; }
174   T* operator->() const { return m_pObj; }
175 
176  private:
177   UNOWNED_PTR_EXCLUSION T* m_pObj = nullptr;
178 };
179 
180 }  // namespace fxcrt
181 
182 using fxcrt::UnownedPtr;
183 
184 #endif  // defined(PDF_USE_PARTITION_ALLOC)
185 
186 namespace pdfium {
187 
188 // Type-deducing wrapper to make an UnownedPtr from an ordinary pointer,
189 // since equivalent constructor is explicit.
190 template <typename T>
WrapUnowned(T * that)191 UnownedPtr<T> WrapUnowned(T* that) {
192   return UnownedPtr<T>(that);
193 }
194 
195 }  // namespace pdfium
196 
197 #endif  // CORE_FXCRT_UNOWNED_PTR_H_
198