[llvm-dev] Pool allocator + safecode
John Criswell via llvm-dev
llvm-dev at lists.llvm.org
Thu Oct 8 14:14:59 PDT 2015
On 10/8/15 5:37 AM, Ed Robbins wrote:
> Thanks for the fast response John.
> On Thu, Oct 1, 2015, at 04:51 PM, John Criswell wrote:
>> Dear Ed,
>> First, someone has updated the DSA code in the poolalloc project to LLVM
>> 3.7, and a Master's student worked for me over the summer to update a
>> large chunk of SAFECode to LLVM 3.7. However, the update to LLVM 3.7
>> isn't finished (we need to finish integrating SAFECode back into Clang),
>> and my student has opted to focus on his studies instead of finishing
>> the update, so the current status of SAFECode for LLVM 3.7 is that it's
>> nearly done but suspended.
>> If you want the currently updated code, you can get it at
> It's great that someone has begun work on this! I will look at it now.
> Can I ask what happened to the llvm-gcc (or dragonegg) front end? I
> haven't looked into how it works too much yet (I'm just starting out
> with LLVM/clang etc), but if integration with the clang front end works
> do you get dragonegg integration for free? From the web page I'm not
> sure if dragonegg is also bit-rotting, but a gcc front end would be
> useful for me.
The original llvm-gcc (in which we modified gcc to produce LLVM bitcode)
no longer exists. When GCC was extended to use plugins, someone created
the DragonEgg plugin. I am not sure if that still exists.
Is there a reason you need a GCC-based front-end? Clang is intended to
be a drop-in replacement for GCC and supports many of the GCC extensions.
FWIW, integrating SAFECode into Clang does not automatically give you
DragonEgg support. Integrating into Clang simply makes it easier to run
the SAFECode transformation passes after the LLVM passes have been run.
>> Second, if you need the pool allocation transform, then I must sadly
>> disappoint. The Automatic Pool Allocation (APA) transformation has
>> suffered bit-rot over the years, and we've stopped using it. We haven't
>> updated it to work with LLVM 3.7 and currently have no plans to do so.
>> The code is still publicly available, so if you are sufficiently
>> motivated, you can update it and fix it if you would like.
> I do need the APA transform. I'm a bit confused as to how the DSA code
> is useful without APA? I'll cross my fingers and hope that the API
> changes to 3.7 aren't too bad. Am I right in thinking that llvm-3.2 is
> the last time this worked? Does the above github repo include the latest
> APA stuff (albeit disabled)?
DSA is a points-to and call graph analysis. As such, it is used for
many things in addition to APA and SAFECode. For example, the SMACK
verifier uses DSA.
The APA code has been bit rotting for awhile. While you can compile and
run it with LLVM 3.2, it won't work as well as it did for the paper, and
it probably needs some work to make it robust. Please remember that APA
has always been a research prototype.
>> Just out of curiosity, what are you trying to accomplish? Depending on
>> what you need, there may be simpler approaches that will require less
>> engineering effort.
> We really want the all singing all dancing safecode framework with APA
> as detailed in the 2005 TECS SafeCode paper (Memory Safety Without
> Garbage Collection for Embedded Applications). We are trying to build a
> C based embedded system that is type safe at the lowest possible run
> time cost. So I am also going to modify the uninitialized pointer MMU
> based stuff to work with the ARM Cortex M3 MPU. I don't think there are
> any shortcuts here (I'd be happy to be proved wrong though) - we need
If you just need to isolate processes on your system so that they don't
overwrite each other, it looks like the ARM Cortex M3 MPU can do that.
Is there a reason why that won't work?
However, if you want to isolate processes using inferred type safety,
you will need to address three significant challenges:
1) Due to changes in LLVM, DSA has a difficult time inferring types. In
a nutshell, some LLVM optimizations turned typed-getelementptr (GEP)
instructions into GEPs that use byte-level indexing. DSA was written
with the assumption that GEPs carried high-level type information.
I think this is fixable by refactoring DSA's type inference code to act
more like Value Set Analysis: it would use a map between a 4-tuple and a
type. The 4-tuple (a, b, c, d) describes a formula ax + b in which a
and b denote offset and stride and c and d place a limit on the lower
and upper bounds of x. c and d can be +- infinity, allowing the 4-tuple
to denote a type that occurs in an unbounded array.
As an FYI, there are multiple research groups interested in accurate
points-to analysis results (mine included). I'll be holding a BoF at
the LLVM Developer's meeting this year to discuss who needs what and if
there's a way to develop it.
2) Making APA robust. In my personal opinion, the original APA may be
more complicated than necessary for your application. APA currently
creates context sensitive pools, which means that it needs to pass pool
handles around. This requires transforming function signatures which
makes inter-operating with external code a real pain. It also makes the
A simpler design would be to create one pool for each type that DSA
infers. The points-to analysis would not be sound (unless it unified
all points-to sets that have the same type), but it would allow all
pools (or nearly all pools) to be global variables, greatly simplifying
the transformation. It would also continue to prevent the application
from accessing data outside its allocated memory.
3) The version of SAFECode in that paper used the Omega constraint
solver to prove that array accesses are safe. That code has long
bit-rotted away, and its implementation was not the most efficient (it
exec()'ed the Omega solver for every query). A better approach today
would be to integrate the constraint solver into the compiler proper.
Additionally, you now have other tools available, such as CVC4, Z3, and
SMACK/Boogie, for building and solving the constraints.
As an FYI, later versions of SAFECode use run-time checks for
type-unsafe pools and array accesses so that it can support the full
generality of C (see Dhurjati's PLDI 2007 paper and my SVA
publications). You could probably do something simple in which
type-safe data goes into pools and type-unsafe data goes into a large
area for which loads and stores are subjected to simple SFI-like
instrumentation (e.g., Google Native Client). There may be solutions in
the middle of the spectrum between fast-but-difficult-to-implement and
> Thanks again,
>> John Criswell
>> On 10/1/15 10:51 AM, Ed Robbins via llvm-dev wrote:
>>> I'm trying to get the pool allocator and safe code building against llvm
>>> trunk. I've run into a build error, and I see that in the past another
>>> user was told just not to build the pool allocator for use with safecode
>>> . However, I really want the pool allocator transforms, so I just
>>> wanted to check why the suggestion was not to use it. Has it been
>>> superseded in some way by something else? Or is it just broken at the
>>> moment? I'll assume the latter for now and see if I can fix it...
>> John Criswell
>> Assistant Professor
>> Department of Computer Science, University of Rochester
Department of Computer Science, University of Rochester
More information about the llvm-dev