[PATCH] Expose custom MC-JIT memory allocation through the C API

Kaylor, Andrew andrew.kaylor at intel.com
Fri May 17 10:05:05 PDT 2013 

Hi Filip,

Let me clarify that I'm actually in favor of getting this into the API.  I just wanted to highlight the imminent obstacles.

I'm flexible on the method for passing in the memory manager functions.  If you can convince Sean, I'll be happy with your method.  I do have a few suggestions, though.


1.       We could put the size of the structure into the structure as the first member.  This isn't a big deal, but it strikes me as a bit odd to have it outside, especially in the options case where it's an additional parameter.

2.       We could put a version number in the structure.  If we did that, we could arguably even change the signatures of functions in future versions if there were a backward compatible way to call older versions of the same functions.

3.       We could put some sort of a signature in the structure that was set by the binding layer when you made the call to initialize to default values.  This would give us a way to be sure that the caller had used our initialization function and not just initialized the values that they knew about.

4.       We could add some kind of a checksum for the function pointer structure so we could verify that what we received and what the user intended to pass in matched.  I might be getting paranoid with this one.

Passing in a structure of pointers to functions that we're going to call makes me a bit nervous from a security perspective.  If the structure grows in a way that the caller doesn't know about but malicious code might, it's a point of vulnerability.  I just want to make sure that we've done enough to protect that point against possible attack.

As to your suggestion about having an abstract base class that both SectionMemoryManager and BindingMemoryManager inherit from, I'd rather have an external class that both SectionMemoryManager and BindingMemoryManager aggregate.  I expect that it will be at least as common for clients to want to provide their own implementation of getPointerToNamedFunction while accepting the default allocation scheme as the reverse, and probably more common.  The registerEHFrames implementation is more architecture specific, so it doesn't really belong with getPointerToNamedFunction either.  In fact, that probably makes sense to go in a base class.

-Andy

From: Filip Pizlo [mailto:fpizlo at apple.com]
Sent: Thursday, May 16, 2013 4:48 PM
To: Kaylor, Andrew
Cc: Sean Silva; llvm-commits at cs.uiuc.edu; Rafael Ávila de Espíndola
Subject: Re: [PATCH] Expose custom MC-JIT memory allocation through the C API


On May 16, 2013, at 3:44 PM, "Kaylor, Andrew" <andrew.kaylor at intel.com<mailto:andrew.kaylor at intel.com>> wrote:


I'm a bit concerned about the implications this has for the future rigidity of the memory manager interface.  There are definitely some things about that interface that I can see changing.

First, as you mention registerEHFrames isn't exactly a memory manager function.  In the same way, getPointerToNamedFunction isn't either.  The reason these two functions are in the memory manager is that the memory manager is the component that knows where the JITed code is going to end up (i.e. in another process or local).  But I can see us wanting to change that.

We can remove those functions from the C API for now.  See below.


Second, at some point we're probably going to want to add something to communicate the memory manager what code model is being used.  That will probably be just another function being added.

Then we can add another function.  I don't think that's a showstopper.



Third, it's entirely possible that we'll want to add a way to associate allocations with a particular module that's being JITed.  Right now, there's a 1-to-1-to-1 relationship between MCJIT engines, modules and memory managers, but in the near future the MCJIT engine will support multiple modules, and it may be desirable for the memory manager to know which of the sections it is allocating go together.  This would involve changing function signatures.

I agree that there are many things that we could add, and that the API may need to be amended.  But I don't like the idea of not exposing any API just because of hypotheticals.  For example, while it's true that MCJIT will ultimately support multiple modules, it's not clear that this will necessitate changing the MM interface.

That being said:



I realize that this is quite inconvenient for C API usage purposes, but if there's any way we can design the API to anticipate these sorts of changes I think we should.  And of course there are always the changes we don't yet know we'll need.

What about making the current API be:

allocateCodeSection(size, alignment, sectionID, module)
allocateDataSection(size, alignment, sectionID, module, isReadOnly)
applyPermissions(module)

In the initial cut, the API will provide default implementations of registerEHFrames and getPointerToNamedFunction that do what SectionMemoryManager does.  This can initially be done by having an intermediate abstract class that implements registerEHFrames and getPointerToNamedFunction in the same way that SectionMemoryManager does currently, and both SectionMemoryManager and BindingMemoryManager will inherit from it.

-Filip


-Andy

From: Filip Pizlo [mailto:fpizlo at apple.com]
Sent: Thursday, May 16, 2013 2:10 PM
To: Sean Silva
Cc: llvm-commits at cs.uiuc.edu<mailto:llvm-commits at cs.uiuc.edu>; Rafael Ávila de Espíndola; Kaylor, Andrew
Subject: Re: [PATCH] Expose custom MC-JIT memory allocation through the C API

I considered using an opaque struct with getters and setters. But instead I went with the old-school C idiom of having a struct that the user memset's to zero up to the size they saw:

memset(&functions, 0, sizeof(functions));

And then the LLVM bindings also memset according to what LLVM sees and does a copy:

memset(&myFunctions, 0, sizeof(myFunctions));
memcpy(&myFunctions, PassedFunctions, SizeOfPassedFunctions);

This ensures both forward source compatibility and forward binary compatibility, except if we wanted to remove a function:

Source compatibility for added functions: the user's compiler would see a larger sizeof(functions), and the memset() would zero-initialize those pointers, causing the bindings to provide default implementations.

Binary compatibility for added functions: the user would end up passing a value of SizeOfPassedFunctions that is smaller than LLVM expected, and LLVM would zero-initialize the added functions.

AFAIK, this is no less robust than an opaque struct. Both handle added functions gracefully, and neither can handle removed functions gracefully unless we do something crazy. The un-opaque struct just makes writing the code a bit easier, both for LLVM and for the client. But that's just my opinion. :-)

I am curious what y'all think about the weirder functions like registerEHFrames. It feels weird that this is part of the MM to begin with.

-Filip

On May 16, 2013, at 1:50 PM, Sean Silva <silvas at purdue.edu<mailto:silvas at purdue.edu>> wrote:


On Thu, May 16, 2013 at 1:28 PM, Filip Pizlo <fpizlo at apple.com<mailto:fpizlo at apple.com>> wrote:

On May 16, 2013, at 10:42 AM, Sean Silva <silvas at purdue.edu<mailto:silvas at purdue.edu>> wrote:



Is basing the JSC fourth tier on LLVM something that you guys have committed to, or mainly exploratory? You seem to describe it as a "study" on <https://bugs.webkit.org/show_bug.cgi?id=112840>.

If we can get LLVM to provide a speed-up over our own optimizing JIT, then it will be turned on in WebKit trunk.  As you can see from that bug, we've put a lot of work into this so far, and still have a lot of work ahead of us.  The results so far are promising and I like where it's going,

Great!

but given the amount of work remaining I cannot commit to anything.


Given that this is generally useful functionality that will probably be needed by any serious use case, and that your work is already pretty far along, it's probably fine to expose this in the C API.

(Now to review the patch).

Factoring out RTDyldMemoryManager into its own header should be its own patch. This code move is probably a good idea to do anyway independently of adding functionality to the C API.

As for the API change, my concern is that it potentially exposes too much. As far as I can tell, `struct LLVMMCJITMemoryManagerFunctions` is basically a thin wrapper around the vtable of RTDyldMemoryManager, which raises the question of what will happen if RTDyldMemoryManager changes.

Rafael, Andrew: could you take a look at this patch? In particular, is this API stable enough that it will be OK to proxy the RTDyldMemoryManager API like this?

+    if (options.SizeOfMCJMMFunctions > sizeof(functions)) {
+      *OutError = strdup(
+        "Refusing to use MCJIT memory manager functions struct that is larger "
+        "than my own; assuming LLVM library mismatch.");
+      return 1;
+    }

In order to avoid this, it would be better to expose a an opaque struct, and have all manipulation of that struct happen through getter/setter functions, which will push library mismatch errors to link time rather than runtime and overall be easier to maintain/extend. That opaque struct could also hold the `void *` callback data. Sadly, the surrounding code already falls into the brittle "sizeof" pattern.

-- Sean Silva

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20130517/1183d3ec/attachment.html>

More information about the llvm-commits mailing list