[PATCH] Expose custom MC-JIT memory allocation through the C API
Filip Pizlo
fpizlo at apple.com
Fri May 17 11:41:57 PDT 2013
On May 17, 2013, at 10:05 AM, "Kaylor, Andrew" <andrew.kaylor at intel.com> wrote:
> Hi Filip,
>
> Let me clarify that I’m actually in favor of getting this into the API. I just wanted to highlight the imminent obstacles.
>
> I’m flexible on the method for passing in the memory manager functions. If you can convince Sean, I’ll be happy with your method.
> I do have a few suggestions, though.
>
> 1. We could put the size of the structure into the structure as the first member. This isn’t a big deal, but it strikes me as a bit odd to have it outside, especially in the options case where it’s an additional parameter.
> 2. We could put a version number in the structure. If we did that, we could arguably even change the signatures of functions in future versions if there were a backward compatible way to call older versions of the same functions.
We could "change" the signatures of functions by just extending the struct in the future, with new functions, that have different signatures. We could then require that the user only sets either the old, or new, version of the function.
Example:
struct LLVMMCJITMemoryManagerFunctions {
uint8_t *(*AllocateCodeSegment)(things); /* old, deprecated */
... /* more stuff */
uint8_t *(*AllocateCodeSegmentForModule)(things, LLVMModuleRef); /* new function we added */
};
But more on this below...
> 3. We could put some sort of a signature in the structure that was set by the binding layer when you made the call to initialize to default values. This would give us a way to be sure that the caller had used our initialization function and not just initialized the values that they knew about.
Note, right now I'm using memset(ptr, 0, size) instead of an initialization function. But this could change.
> 4. We could add some kind of a checksum for the function pointer structure so we could verify that what we received and what the user intended to pass in matched. I might be getting paranoid with this one.
>
> Passing in a structure of pointers to functions that we’re going to call makes me a bit nervous from a security perspective. If the structure grows in a way that the caller doesn’t know about but malicious code might, it’s a point of vulnerability. I just want to make sure that we’ve done enough to protect that point against possible attack.
So it seems that we have a couple of things going on:
- My current version uses the size-of-structure as a kind of versioning. You're suggesting a version number. A version number could obviate the need for a size-of-structure. Version numbers are better than size-of-structure because having a struct that has multiple versions of the same callback, with a requirement that you only set either the old or new version, is likely to be confusing to users.
- The current approach doesn't give us a static way of ensuring that the user initialized all of the functions that they should have, or that the user initialized the structure in a binary-compatibiltiy-aware way.
So what about going with this (I don't know if this is what Sean was thinking or if this is my idea):
- LLVMCustomMCJITMemoryManager is an opaque.
- You create it with:
LLVMCreateCustomMCJITMemoryManager(void *Object, uint8_t *(*AllocateCodeSegment)(...), uint8_t *(*AllocateDataSegment)(...), LLVMBool (*ApplyPermissions)(...), void (*Destroy)(...));
I.e. the creation function takes all of the callbacks in one go. The consequence of this is that versioning is implicit, and we have a static guarantee that everything was initialized. If we ever wanted to change the callback API in the future we would just create a new construction function:
LLVMCreateCustomMCJITMemoryManagerNew(void *Object, uint8_t *(*AllocateCodeSegment)(...), uint8_t *(*AllocateDataSegment)(...), LLVMBool (*ApplyPermissions)(...), void (*Destroy)(...));
Or somesuch. I'd prefer to future-proof this API a bit by having the current creation function be called:
LLVMCreateSimpleCustomMCJITMemoryManager(void *Object, uint8_t *(*AllocateCodeSegment)(...), uint8_t *(*AllocateDataSegment)(...), LLVMBool (*ApplyPermissions)(...), void (*Destroy)(...));
Where "Simple" refers to the fact that there is no support for remote JITing and the allocation callbacks don't allow the allow the allocator to reason about multiple modules.
>
> As to your suggestion about having an abstract base class that both SectionMemoryManager and BindingMemoryManager inherit from, I’d rather have an external class that both SectionMemoryManager and BindingMemoryManager aggregate. I expect that it will be at least as common for clients to want to provide their own implementation of getPointerToNamedFunction while accepting the default allocation scheme as the reverse, and probably more common. The registerEHFrames implementation is more architecture specific, so it doesn’t really belong with getPointerToNamedFunction either. In fact, that probably makes sense to go in a base class.
Are you suggesting entirely separate classes like EHFrameRegistrar and NamedFunctionResolver, which are set in the EngineBuilder separately from the RTDyldMemoryManager?
I agree that this would be good, but I was more suggesting an incremental step that would allow me to extend the C API without also having to make a significant change to the C++ API. A bunch of code currently assumes that RTDyldMemoryManager is also the thing that knows about resolution and EH frames. It will take some carnage to change that, and I was thinking that the intermediate class solution would just be a first step towards both having a sensible C API story and also nudging the C++ API in the right direction.
-Filip
>
> -Andy
>
> From: Filip Pizlo [mailto:fpizlo at apple.com]
> Sent: Thursday, May 16, 2013 4:48 PM
> To: Kaylor, Andrew
> Cc: Sean Silva; llvm-commits at cs.uiuc.edu; Rafael Ávila de Espíndola
> Subject: Re: [PATCH] Expose custom MC-JIT memory allocation through the C API
>
>
> On May 16, 2013, at 3:44 PM, "Kaylor, Andrew" <andrew.kaylor at intel.com> wrote:
>
>
> I’m a bit concerned about the implications this has for the future rigidity of the memory manager interface. There are definitely some things about that interface that I can see changing.
>
> First, as you mention registerEHFrames isn’t exactly a memory manager function. In the same way, getPointerToNamedFunction isn’t either. The reason these two functions are in the memory manager is that the memory manager is the component that knows where the JITed code is going to end up (i.e. in another process or local). But I can see us wanting to change that.
>
> We can remove those functions from the C API for now. See below.
>
>
> Second, at some point we’re probably going to want to add something to communicate the memory manager what code model is being used. That will probably be just another function being added.
>
> Then we can add another function. I don't think that's a showstopper.
>
>
>
> Third, it’s entirely possible that we’ll want to add a way to associate allocations with a particular module that’s being JITed. Right now, there’s a 1-to-1-to-1 relationship between MCJIT engines, modules and memory managers, but in the near future the MCJIT engine will support multiple modules, and it may be desirable for the memory manager to know which of the sections it is allocating go together. This would involve changing function signatures.
>
> I agree that there are many things that we could add, and that the API may need to be amended. But I don't like the idea of not exposing any API just because of hypotheticals. For example, while it's true that MCJIT will ultimately support multiple modules, it's not clear that this will necessitate changing the MM interface.
>
> That being said:
>
>
>
> I realize that this is quite inconvenient for C API usage purposes, but if there’s any way we can design the API to anticipate these sorts of changes I think we should. And of course there are always the changes we don’t yet know we’ll need.
>
> What about making the current API be:
>
> allocateCodeSection(size, alignment, sectionID, module)
> allocateDataSection(size, alignment, sectionID, module, isReadOnly)
> applyPermissions(module)
>
> In the initial cut, the API will provide default implementations of registerEHFrames and getPointerToNamedFunction that do what SectionMemoryManager does. This can initially be done by having an intermediate abstract class that implements registerEHFrames and getPointerToNamedFunction in the same way that SectionMemoryManager does currently, and both SectionMemoryManager and BindingMemoryManager will inherit from it.
>
> -Filip
>
>
> -Andy
>
> From: Filip Pizlo [mailto:fpizlo at apple.com]
> Sent: Thursday, May 16, 2013 2:10 PM
> To: Sean Silva
> Cc: llvm-commits at cs.uiuc.edu; Rafael Ávila de Espíndola; Kaylor, Andrew
> Subject: Re: [PATCH] Expose custom MC-JIT memory allocation through the C API
>
> I considered using an opaque struct with getters and setters. But instead I went with the old-school C idiom of having a struct that the user memset's to zero up to the size they saw:
>
> memset(&functions, 0, sizeof(functions));
>
> And then the LLVM bindings also memset according to what LLVM sees and does a copy:
>
> memset(&myFunctions, 0, sizeof(myFunctions));
> memcpy(&myFunctions, PassedFunctions, SizeOfPassedFunctions);
>
> This ensures both forward source compatibility and forward binary compatibility, except if we wanted to remove a function:
>
> Source compatibility for added functions: the user's compiler would see a larger sizeof(functions), and the memset() would zero-initialize those pointers, causing the bindings to provide default implementations.
>
> Binary compatibility for added functions: the user would end up passing a value of SizeOfPassedFunctions that is smaller than LLVM expected, and LLVM would zero-initialize the added functions.
>
> AFAIK, this is no less robust than an opaque struct. Both handle added functions gracefully, and neither can handle removed functions gracefully unless we do something crazy. The un-opaque struct just makes writing the code a bit easier, both for LLVM and for the client. But that's just my opinion. :-)
>
> I am curious what y'all think about the weirder functions like registerEHFrames. It feels weird that this is part of the MM to begin with.
>
> -Filip
>
> On May 16, 2013, at 1:50 PM, Sean Silva <silvas at purdue.edu> wrote:
>
>
>
>
> On Thu, May 16, 2013 at 1:28 PM, Filip Pizlo <fpizlo at apple.com> wrote:
>
> On May 16, 2013, at 10:42 AM, Sean Silva <silvas at purdue.edu> wrote:
>
>
>
> Is basing the JSC fourth tier on LLVM something that you guys have committed to, or mainly exploratory? You seem to describe it as a "study" on <https://bugs.webkit.org/show_bug.cgi?id=112840>.
>
> If we can get LLVM to provide a speed-up over our own optimizing JIT, then it will be turned on in WebKit trunk. As you can see from that bug, we've put a lot of work into this so far, and still have a lot of work ahead of us. The results so far are promising and I like where it's going,
>
> Great!
>
> but given the amount of work remaining I cannot commit to anything.
>
>
> Given that this is generally useful functionality that will probably be needed by any serious use case, and that your work is already pretty far along, it's probably fine to expose this in the C API.
>
> (Now to review the patch).
>
> Factoring out RTDyldMemoryManager into its own header should be its own patch. This code move is probably a good idea to do anyway independently of adding functionality to the C API.
>
> As for the API change, my concern is that it potentially exposes too much. As far as I can tell, `struct LLVMMCJITMemoryManagerFunctions` is basically a thin wrapper around the vtable of RTDyldMemoryManager, which raises the question of what will happen if RTDyldMemoryManager changes.
>
> Rafael, Andrew: could you take a look at this patch? In particular, is this API stable enough that it will be OK to proxy the RTDyldMemoryManager API like this?
>
> + if (options.SizeOfMCJMMFunctions > sizeof(functions)) {
> + *OutError = strdup(
> + "Refusing to use MCJIT memory manager functions struct that is larger "
> + "than my own; assuming LLVM library mismatch.");
> + return 1;
> + }
>
> In order to avoid this, it would be better to expose a an opaque struct, and have all manipulation of that struct happen through getter/setter functions, which will push library mismatch errors to link time rather than runtime and overall be easier to maintain/extend. That opaque struct could also hold the `void *` callback data. Sadly, the surrounding code already falls into the brittle "sizeof" pattern.
>
> -- Sean Silva
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20130517/50d86a2a/attachment.html>
More information about the llvm-commits
mailing list