[libc-dev] Summary of the roundtable discussion at the US LLVM Dev Meeting 2019
David Chisnall via libc-dev
libc-dev at lists.llvm.org
Tue Oct 29 03:07:59 PDT 2019
Thank you for that excellent summary. A few comments inline:
On 28/10/2019 21:18, Siva Chandra via libc-dev wrote:
> Hello all,
>
> It was encouraging to see positive support for LLVM libc during the
> round table discussion. For the benefit of those were not present,
> below is a high level summary of what was discussed. I encourage
> others to add items I missed here.
>
> 1. Many expressed a desire to use LLVM libc in sandboxed environments.
> This requires that LLVM libc provide the ability to selectively pick
> and choose pieces suitable for one's context.
> Side Note: This is in line with our goal of building a modular libc.
> Header generation etc are part of the solution to build a modular
> libc.
>
> 2. Some of the members pointed out that LLVM libc should be
> implemented in a modern language so that modern static analysis tools
> and sanitizers can be used to test them.
> Side Note: We have started the implementation in C++. So, I guess we
> are already good with respect to this point.
I think we're off to a good start here, but there's C++ and C++. We
should aim to use modern C++ idioms that reduce the likelhood of
vulnerabilities. For the most part, libc interfaces have very simple
memory management and so we should be in a good position to write code
that is amenable to analysis.
> 3. Some of the members were curious about how we build the abstraction
> layer above the OS-specific syscall layer. This did not lead to a
> discussion about any particular way. It was more a discussion about
> making a case for the need for an abstraction layer to accommodate the
> differences across OSes.
> Side Note: I agree that this will be interesting. I am of the opinion
> that there cannot be one single solution libc-wide. That is, how we
> build the abstraction layers has to be taken up on a case-by-case
> basis.
There are two issues that I'd like to highlight here. The first is not
so much the *kind* of platform abstraction layer, but simply the
*existence* of a platform abstraction layer. It is far easier to modify
an existing platform abstraction layer than to insert one from scratch.
A few things to think about:
- Don't assume that all platforms expose file handles that are `int`s.
For example, on Windows a HANDLE is a pointer. For the C standard
`FILE*` abstraction, the `FILE` can contain an arbitrary handle, for
POSIX compatibility, some platforms will need to implement a file
descriptor table on top of the platform's native support. Don't
depend on that existing for non-POSIX APIs.
- Don't assume that all platforms support ELF linker tricks. COFF and
WebAssembly both have different linkage models that support
overlapping feature sets.
- Don't assume that you can open a file. Embedded platforms and some
sandboxed environments will want to bake resources into the binary.
Don't assume you can `[f]open` things like locales and time-zone
files. Add a PAL function to open a specific resources. On most
POSIXy systems, this may just be an `open` call in a specific
directory.
- Even if you can open a file, don't assume that you can open an
*arbitrary* file or network connection. Some sandboxing policies
require you to explicitly state intent for these (either statically
in a policy manifest or by dynamically presenting a capability).
> 4. It was also suggested to check whether we can write parts of the
> libc++ implementations in a way that they can be used by LLVM libc as
> well. The implementation of std::vector was pointed out as an example
> where such a scheme can be attempted.
There was also some brief discussion about whether the same modularity
approaches can be applied to libc++. If we can make a libc that
supports lightweight embedded or sandboxed platforms with no filesystem
and no locale support, it would be nice to be able to build a libc++ on
top of it that also didn't expose these dependencies.
> 5. With respect to header generation, there were questions about
> selectively including/excluding specific standards.
> Side Note: My personal opinion is that there will be aspects like this
> for which we will end up using a hybrid (macros + header generation)
> solution.
+1. I really like where the TableGen approach seems to be going.
David
More information about the libc-dev
mailing list