Added a new Verifier class to the BPF compiler.

sandbox/linux/seccomp-bpf/verifier.h

Index: sandbox/linux/seccomp-bpf/verifier.h
diff --git a/sandbox/linux/seccomp-bpf/verifier.h b/sandbox/linux/seccomp-bpf/verifier.h
new file mode 100644
index 0000000000000000000000000000000000000000..4e4e90910ad66d3d0290a6b2d0fa95e59adb79a6
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf/verifier.h
@@ -0,0 +1,70 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef VERIFIER_H__
+#define VERIFIER_H__
+
+#include <linux/filter.h>
+
+#include <utility>
+#include <vector>
+
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+
+
+namespace playground2 {
+
+class Verifier {
+ public:
+  // Evaluate the BPF program for all possible inputs and verify that it
+  // computes the correct result. We use the "evaluators" to determine
+  // the full set of possible inputs that we have to iterate over.
+  // Returns success, if the BPF filter accurately reflects the rules
+  // set by the "evaluators".
+  static bool verifyBPF(const std::vector<struct sock_filter>& program,
+                        const Sandbox::Evaluators& evaluators,
+                        const char **err);
+
+  // Evaluate a given BPF program for a particular set of system call
+  // parameters. If evaluation failed for any reason, "err" will be set to
+  // a non-NULL error string. Otherwise, the BPF program's result will be
+  // returned by the function.
+  // We do not actually implement the full BPF state machine, but only the
+  // parts that can actually be generated by our BPF compiler. If this code
+  // is used for purposes other than verifying the output of the sandbox's
+  // BPF compiler, we might have to extend this BPF interpreter.
+  static uint32_t evaluateBPF(const std::vector<struct sock_filter>& program,
+                              const struct arch_seccomp_data& data,
+                              const char **err);
+
+ private:
+  struct State {
+    State(const std::vector<struct sock_filter>& p,
+          const struct arch_seccomp_data& d) :
+      program(p),
+      data(d),
+      ip(0),
+      accumulator(0),
+      accIsValid(false) {
+    }
+    const std::vector<struct sock_filter>& program;
+    const struct arch_seccomp_data&        data;
+    unsigned int                           ip;
+    uint32_t                               accumulator;
+    bool                                   accIsValid;
+  };
+
+  static void     ld (State *state, const struct sock_filter& insn,
+                      const char **err);
+  static void     jmp(State *state, const struct sock_filter& insn,
+                      const char **err);
+  static uint32_t ret(State *state, const struct sock_filter& insn,
+                      const char **err);
+
+  DISALLOW_IMPLICIT_CONSTRUCTORS(Verifier);
+};
+
+}  // namespace
+
+#endif  // VERIFIER_H__