[PATCH] Expose custom MC-JIT memory allocation through the C API

Kaylor, Andrew andrew.kaylor at intel.com
Tue May 21 12:40:07 PDT 2013


If LLVMCreateSimpleMCJITMemoryManager prevents NULL functions from getting through, then I'm OK with calling them without a check, but it would be nice to have a comment explaining why it will never be NULL.

How about "CallbackArg" for the client-defined parameter?  I was looking for some kind of convention in LLVM, and that was the best I could find (decodeInstruction does something like this).  LLDB uses 'baton' but I don't see that in LLVM.

-Andy

From: Filip Pizlo [mailto:fpizlo at apple.com]
Sent: Tuesday, May 21, 2013 12:05 PM
To: Kaylor, Andrew
Cc: Sean Silva; llvm-commits at cs.uiuc.edu; Rafael Ávila de Espíndola
Subject: Re: [PATCH] Expose custom MC-JIT memory allocation through the C API


On May 21, 2013, at 12:00 PM, "Kaylor, Andrew" <andrew.kaylor at intel.com> wrote:


I don't think you need to put "Custom" in all the memory manager function and type names.

OK.



In LLVMInitializeMCJITCompilerOptions, if SizeOfPassedOptions is less than sizeof(options) you'll be leaving part of the structure uninitialized.  I suppose that part of the structure will never be used anyway, but it seems like a source of potential problems.  That is, I can imagine ways for clients to mess things up with that behavior.

Note that LLVMCreateMCJITCompilerForModule() also calls LLVMInitializeMCJITCompilerOptions(), and fills in the bits that are not within the user's SizeOfPassedOptions.  I don't think this is a problem.



You'll need to update your patch to reflect the new name of 'applyPermissions' (now 'finalizeMemory').

OK.



I don't like the name 'Object' as the parameter passed to the callbacks.  This is something that has arbitrary meaning defined by the client, right?  In the context of MCJIT I would expect Object to refer to the generated object image.

How about calling it Opaque?



In SimpleBindingMemoryManager, the allocate functions should check the struct member they will be calling and return NULL if the function is NULL.  I know an assert in the constructor checks this, but in release builds we should fail as gracefully as possible.  The function that creates the memory manager should also return NULL if these arguments are NULL.

How about instead of asserts in SimpleBindingMemoryManager::SimpleBindingMemoryManager, LLVMCreateSimpleMCJITMemoryManager() will return NULL if any of the passed functions are NULL.

-Filip




It seems like it should be OK to provide NULL for the Destroy and ApplyPermissions/FinalizeMemory functions.

-Andy


From: Filip Pizlo [mailto:fpizlo at apple.com]
Sent: Saturday, May 18, 2013 9:18 AM
To: Kaylor, Andrew
Cc: Sean Silva; llvm-commits at cs.uiuc.edu; Rafael Ávila de Espíndola
Subject: Re: [PATCH] Expose custom MC-JIT memory allocation through the C API

Hi everyone!

New patch, which addresses a bunch of review comments.

- RTDyldMemoryManager now has default implementations of registerEHFrames and getPointerToNamedFunction. These are moved from SectionMemoryManager.
- A C API client now initializes a memory manager by calling LLVMCreateSimpleCustomMCJITMemoryManager() and passing all callbacks in one go. In the future, we could create alternatives to this constructor, that take functions with different signatures.
- The C API no longer has the option of supplying implementations of registerEHFrames and getPointerToNamedFunction.

I've split this into two patches, the first moves things from SectionMemoryManager into RTDyldMemoryManager; the second actually exposes things in the C API.

-Filip




On May 17, 2013, at 1:57 PM, "Kaylor, Andrew" <andrew.kaylor at intel.com> wrote:



I can live with that.

-Andy

From: Filip Pizlo [mailto:fpizlo at apple.com]
Sent: Friday, May 17, 2013 1:36 PM
To: Kaylor, Andrew
Cc: Sean Silva; llvm-commits at cs.uiuc.edu; Rafael Ávila de Espíndola
Subject: Re: [PATCH] Expose custom MC-JIT memory allocation through the C API

OK, I think we're actually roughly on the same page.  The only question is whether refactoring SectionMemoryManager is a prerequisite to the C API change.

What about this: put the SectionMemoryManager implementations of registerEHFrames() and getPointerToNamedFunction() inside RTDyldMemoryManager.  I'm not proposing this as the long-term solution, but it does immediately accomplish the following:

a) The C API BindingMemoryManager doesn't have to care about registerEHFrames() and getPointerToNamedFunction().  It will just use the ones already provided by RTDyldMemoryManager.

b) Clients wishing to use SectionMemoryManager's memory management but override registerEHFrames and getPointerToNamedFunction() can still do so, as they do now.

c) Clients wishing to use the default registerEHFrames() and getPointerToNamedFunction() but do their own memory management can do what the C API BindingMemoryManager does, and inherit from RTDyldMemoryManager.

I think that c) is a more common use-case than b).  My suspicion is that clients who wish to do their own named function resolution are more likely to just do it at the IR level.  I realize that this is less powerful (since it requires resolving everything at IR generation time), but it's also how you're most likely to do things, if you're writing a JIT.

I do like the idea of splitting out those functions into separate classes, somehow, and I hope to get back to that.  I'd just like to finish the C API changes while they are still fresh in my mind.  Sound good?

-Filip


On May 17, 2013, at 12:57 PM, "Kaylor, Andrew" <andrew.kaylor at intel.com> wrote:

> LLVMCreateSimpleCustomMCJITMemoryManager etc.

I like that.

> Are you suggesting entirely separate classes like EHFrameRegistrar and NamedFunctionResolver, which are set in the EngineBuilder separately from the RTDyldMemoryManager?

No, what I was thinking was that SectionMemoryManager and BindingMemoryManager could just internally own an instance of some external class that did the work of getPointerToNamedFunction, as a way of sharing that code.  From a strictly functional perspective this is no different than putting it in a base class, but from a class hierarchy perspective I don't feel like that belongs in a base class to SectionMemoryManager.  There's no logical relationship there.  Putting it in a contained class feels like a better step to future separation.

The handler to register EH frames is a bit different.  I could see having a base class named something like HostBasedMemoryManager that provided that capability.  That makes sense to me.

What I'm trying to avoid is a situation where the hierarchy looks like this:

    RTDyldMemoryManager -> CommonCodeMemoryManager -> SectionMemoryManager -> CustomResolverMemoryManager

Where a user has derived from SectionMemoryManager to get its allocation scheme but provided a custom method to resolve external functions, thus effectively negating the existence of the CommonCodeMemoryManager (except, of course, for the EH frame bits) and really not wanting it in the hierarchy anyway.

I guess what I'm saying is that function resolution seems to me like it belongs further up the chain than the allocation scheme (at least some of the time).  I'm obviously splitting hairs here.  Maybe it doesn't even matter.  The problem is only there because we previously put things together in the interface that don't really belong together.  It makes a clean hierarchy difficult to find, and the problem would go away if we split up the interfaces.

-Andy


From: Filip Pizlo [mailto:fpizlo at apple.com]
Sent: Friday, May 17, 2013 11:42 AM
To: Kaylor, Andrew
Cc: Sean Silva; llvm-commits at cs.uiuc.edu; Rafael Ávila de Espíndola
Subject: Re: [PATCH] Expose custom MC-JIT memory allocation through the C API


On May 17, 2013, at 10:05 AM, "Kaylor, Andrew" <andrew.kaylor at intel.com> wrote:



Hi Filip,

Let me clarify that I'm actually in favor of getting this into the API.  I just wanted to highlight the imminent obstacles.

I'm flexible on the method for passing in the memory manager functions.  If you can convince Sean, I'll be happy with your method.
I do have a few suggestions, though.

1. We could put the size of the structure into the structure as the first member.  This isn't a big deal, but it strikes me as a bit odd to have it outside, especially in the options case where it's an additional parameter.
2. We could put a version number in the structure.  If we did that, we could arguably even change the signatures of functions in future versions if there were a backward compatible way to call older versions of the same functions.

We could "change" the signatures of functions by just extending the struct in the future, with new functions, that have different signatures.  We could then require that the user only sets either the old, or new, version of the function.

Example:

struct LLVMMCJITMemoryManagerFunctions {
    uint8_t *(*AllocateCodeSegment)(things); /* old, deprecated */
    ... /* more stuff */
    uint8_t *(*AllocateCodeSegmentForModule)(things, LLVMModuleRef); /* new function we added */
};

But more on this below...



3. We could put some sort of a signature in the structure that was set by the binding layer when you made the call to initialize to default values.  This would give us a way to be sure that the caller had used our initialization function and not just initialized the values that they knew about.

Note, right now I'm using memset(ptr, 0, size) instead of an initialization function.  But this could change.



4. We could add some kind of a checksum for the function pointer structure so we could verify that what we received and what the user intended to pass in matched.  I might be getting paranoid with this one.

Passing in a structure of pointers to functions that we're going to call makes me a bit nervous from a security perspective.  If the structure grows in a way that the caller doesn't know about but malicious code might, it's a point of vulnerability.  I just want to make sure that we've done enough to protect that point against possible attack.

So it seems that we have a couple of things going on:

- My current version uses the size-of-structure as a kind of versioning.  You're suggesting a version number.  A version number could obviate the need for a size-of-structure.  Version numbers are better than size-of-structure because having a struct that has multiple versions of the same callback, with a requirement that you only set either the old or new version, is likely to be confusing to users.

- The current approach doesn't give us a static way of ensuring that the user initialized all of the functions that they should have, or that the user initialized the structure in a binary-compatibility-aware way.

So what about going with this (I don't know if this is what Sean was thinking or if this is my idea):

- LLVMCustomMCJITMemoryManager is an opaque.

- You create it with:

LLVMCreateCustomMCJITMemoryManager(void *Object, uint8_t *(*AllocateCodeSegment)(...), uint8_t *(*AllocateDataSegment)(...), LLVMBool (*ApplyPermissions)(...), void (*Destroy)(...));

I.e. the creation function takes all of the callbacks in one go.  The consequence of this is that versioning is implicit, and we have a static guarantee that everything was initialized.  If we ever wanted to change the callback API in the future we would just create a new construction function:

LLVMCreateCustomMCJITMemoryManagerNew(void *Object, uint8_t *(*AllocateCodeSegment)(...), uint8_t *(*AllocateDataSegment)(...), LLVMBool (*ApplyPermissions)(...), void (*Destroy)(...));

Or somesuch.  I'd prefer to future-proof this API a bit by having the current creation function be called:

LLVMCreateSimpleCustomMCJITMemoryManager(void *Object, uint8_t *(*AllocateCodeSegment)(...), uint8_t *(*AllocateDataSegment)(...), LLVMBool (*ApplyPermissions)(...), void (*Destroy)(...));

Where "Simple" refers to the fact that there is no support for remote JITing and the allocation callbacks don't allow the allocator to reason about multiple modules.


As to your suggestion about having an abstract base class that both SectionMemoryManager and BindingMemoryManager inherit from, I'd rather have an external class that both SectionMemoryManager and BindingMemoryManager aggregate.  I expect that it will be at least as common for clients to want to provide their own implementation of getPointerToNamedFunction while accepting the default allocation scheme as the reverse, and probably more common.  The registerEHFrames implementation is more architecture specific, so it doesn't really belong with getPointerToNamedFunction either.  In fact, that probably makes sense to go in a base class.

Are you suggesting entirely separate classes like EHFrameRegistrar and NamedFunctionResolver, which are set in the EngineBuilder separately from the RTDyldMemoryManager?

I agree that this would be good, but I was more suggesting an incremental step that would allow me to extend the C API without also having to make a significant change to the C++ API.  A bunch of code currently assumes that RTDyldMemoryManager is also the thing that knows about resolution and EH frames.  It will take some carnage to change that, and I was thinking that the intermediate class solution would just be a first step towards both having a sensible C API story and also nudging the C++ API in the right direction.

-Filip





-Andy

From: Filip Pizlo [mailto:fpizlo at apple.com]
Sent: Thursday, May 16, 2013 4:48 PM
To: Kaylor, Andrew
Cc: Sean Silva; llvm-commits at cs.uiuc.edu; Rafael Ávila de Espíndola
Subject: Re: [PATCH] Expose custom MC-JIT memory allocation through the C API


On May 16, 2013, at 3:44 PM, "Kaylor, Andrew" <andrew.kaylor at intel.com> wrote:




I'm a bit concerned about the implications this has for the future rigidity of the memory manager interface.  There are definitely some things about that interface that I can see changing.

First, as you mention registerEHFrames isn't exactly a memory manager function.  In the same way, getPointerToNamedFunction isn't either.  The reason these two functions are in the memory manager is that the memory manager is the component that knows where the JITed code is going to end up (i.e. in another process or local).  But I can see us wanting to change that.

We can remove those functions from the C API for now.  See below.


Second, at some point we're probably going to want to add something to communicate to the memory manager what code model is being used.  That will probably be just another function being added.

Then we can add another function.  I don't think that's a showstopper.





Third, it's entirely possible that we'll want to add a way to associate allocations with a particular module that's being JITed.  Right now, there's a 1-to-1-to-1 relationship between MCJIT engines, modules and memory managers, but in the near future the MCJIT engine will support multiple modules, and it may be desirable for the memory manager to know which of the sections it is allocating go together.  This would involve changing function signatures.

I agree that there are many things that we could add, and that the API may need to be amended.  But I don't like the idea of not exposing any API just because of hypotheticals.  For example, while it's true that MCJIT will ultimately support multiple modules, it's not clear that this will necessitate changing the MM interface.

That being said:





I realize that this is quite inconvenient for C API usage purposes, but if there's any way we can design the API to anticipate these sorts of changes I think we should.  And of course there are always the changes we don't yet know we'll need.

What about making the current API be:

allocateCodeSection(size, alignment, sectionID, module)
allocateDataSection(size, alignment, sectionID, module, isReadOnly)
applyPermissions(module)

In the initial cut, the API will provide default implementations of registerEHFrames and getPointerToNamedFunction that do what SectionMemoryManager does.  This can initially be done by having an intermediate abstract class that implements registerEHFrames and getPointerToNamedFunction in the same way that SectionMemoryManager does currently, and both SectionMemoryManager and BindingMemoryManager will inherit from it.

-Filip


-Andy

From: Filip Pizlo [mailto:fpizlo at apple.com]
Sent: Thursday, May 16, 2013 2:10 PM
To: Sean Silva
Cc: llvm-commits at cs.uiuc.edu; Rafael Ávila de Espíndola; Kaylor, Andrew
Subject: Re: [PATCH] Expose custom MC-JIT memory allocation through the C API

I considered using an opaque struct with getters and setters. But instead I went with the old-school C idiom of having a struct that the user memset's to zero up to the size they saw:

memset(&functions, 0, sizeof(functions));

And then the LLVM bindings also memset according to what LLVM sees and does a copy:

memset(&myFunctions, 0, sizeof(myFunctions));
memcpy(&myFunctions, PassedFunctions, SizeOfPassedFunctions);

This ensures both forward source compatibility and forward binary compatibility, except if we wanted to remove a function:

Source compatibility for added functions: the user's compiler would see a larger sizeof(functions), and the memset() would zero-initialize those pointers, causing the bindings to provide default implementations.

Binary compatibility for added functions: the user would end up passing a value of SizeOfPassedFunctions that is smaller than LLVM expected, and LLVM would zero-initialize the added functions.

AFAIK, this is no less robust than an opaque struct. Both handle added functions gracefully, and neither can handle removed functions gracefully unless we do something crazy. The un-opaque struct just makes writing the code a bit easier, both for LLVM and for the client. But that's just my opinion. :-)

I am curious what y'all think about the weirder functions like registerEHFrames. It feels weird that this is part of the MM to begin with.

-Filip

On May 16, 2013, at 1:50 PM, Sean Silva <silvas at purdue.edu> wrote:



On Thu, May 16, 2013 at 1:28 PM, Filip Pizlo <fpizlo at apple.com> wrote:

On May 16, 2013, at 10:42 AM, Sean Silva <silvas at purdue.edu> wrote:





Is basing the JSC fourth tier on LLVM something that you guys have committed to, or mainly exploratory? You seem to describe it as a "study" on <https://bugs.webkit.org/show_bug.cgi?id=112840>.

If we can get LLVM to provide a speed-up over our own optimizing JIT, then it will be turned on in WebKit trunk.  As you can see from that bug, we've put a lot of work into this so far, and still have a lot of work ahead of us.  The results so far are promising and I like where it's going,

Great!

but given the amount of work remaining I cannot commit to anything.


Given that this is generally useful functionality that will probably be needed by any serious use case, and that your work is already pretty far along, it's probably fine to expose this in the C API.

(Now to review the patch).

Factoring out RTDyldMemoryManager into its own header should be its own patch. This code move is probably a good idea to do anyway independently of adding functionality to the C API.

As for the API change, my concern is that it potentially exposes too much. As far as I can tell, `struct LLVMMCJITMemoryManagerFunctions` is basically a thin wrapper around the vtable of RTDyldMemoryManager, which raises the question of what will happen if RTDyldMemoryManager changes.

Rafael, Andrew: could you take a look at this patch? In particular, is this API stable enough that it will be OK to proxy the RTDyldMemoryManager API like this?

+    if (options.SizeOfMCJMMFunctions > sizeof(functions)) {
+      *OutError = strdup(
+        "Refusing to use MCJIT memory manager functions struct that is larger "
+        "than my own; assuming LLVM library mismatch.");
+      return 1;
+    }
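
Review bot: the guard on options.SizeOfMCJMMFunctions > sizeof(functions) rejects only an oversized struct; a size that is smaller but ends partway through a function pointer still passes, and with the memset-then-memcpy copy described elsewhere in this thread that member would end up partly caller-supplied and partly zero. Consider also rejecting sizes that do not fall on a member boundary. Separately, *OutError = strdup(...) writes through OutError with no NULL check visible in this hunk and does not check the strdup result; a comment stating that the caller owns and must free the message would also help.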

In order to avoid this, it would be better to expose an opaque struct, and have all manipulation of that struct happen through getter/setter functions, which will push library mismatch errors to link time rather than runtime and overall be easier to maintain/extend. That opaque struct could also hold the `void *` callback data. Sadly, the surrounding code already falls into the brittle "sizeof" pattern.

-- Sean Silva
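
Added example, not part of the thread and not LLVM's code: a C sketch of the size-versioned callback table debated above, combining the zero-then-copy idiom with the checks raised in review (reject a larger struct, reject a size that splits a member, fail creation when a required callback is NULL, tolerate NULL for the optional ones). All names (mm_functions, mm_create, MM_* codes, demo_alloc) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical callback table modelled on the thread; not LLVM's actual struct. */
typedef uint8_t *(*alloc_fn)(void *opaque, size_t size, unsigned align);
typedef struct {
    alloc_fn alloc_code;              /* required */
    alloc_fn alloc_data;              /* required */
    int    (*finalize)(void *opaque); /* optional: NULL means "nothing to do" */
    void   (*destroy)(void *opaque);  /* optional */
} mm_functions;
/* What a client built against an older header would see (constructed). */
typedef struct { alloc_fn alloc_code, alloc_data; } mm_functions_v1;
typedef struct { void *opaque; mm_functions fn; } mm_manager;
enum { MM_OK, MM_TOO_LARGE, MM_PARTIAL_MEMBER, MM_MISSING_REQUIRED, MM_NO_MEMORY };

/* Copy the caller's table into a zeroed local view, rejecting anything the
   library cannot account for. Returns NULL and sets *status on failure. */
mm_manager *mm_create(void *opaque, const void *passed, size_t passed_size, int *status)
{
    mm_functions mine;
    memset(&mine, 0, sizeof mine);   /* members the caller did not pass stay NULL */
    if (passed_size > sizeof mine) { *status = MM_TOO_LARGE; return NULL; }
    /* Assumes every member is a function pointer of the same size. */
    if (passed_size % sizeof(alloc_fn) != 0) { *status = MM_PARTIAL_MEMBER; return NULL; }
    if (passed != NULL) memcpy(&mine, passed, passed_size);
    if (!mine.alloc_code || !mine.alloc_data) { *status = MM_MISSING_REQUIRED; return NULL; }
    mm_manager *mm = malloc(sizeof *mm);
    if (!mm) { *status = MM_NO_MEMORY; return NULL; }
    mm->opaque = opaque;
    mm->fn = mine;
    *status = MM_OK;
    return mm;
}

/* Call sites tolerate the optional members being NULL. */
int mm_finalize(mm_manager *mm) { return mm->fn.finalize ? mm->fn.finalize(mm->opaque) : 0; }
void mm_destroy(mm_manager *mm)
{
    if (mm->fn.destroy) mm->fn.destroy(mm->opaque);
    free(mm);
}

/* Constructed client callback for the demo. */
static uint8_t *demo_alloc(void *opaque, size_t size, unsigned align)
{
    (void)align;
    ++*(int *)opaque;                /* count calls via the client-defined pointer */
    return malloc(size);
}

int main(void)
{
    int calls = 0, status;
    mm_functions_v1 old = { demo_alloc, demo_alloc };   /* older, shorter table */
    mm_manager *mm = mm_create(&calls, &old, sizeof old, &status);
    if (!mm) return 1;
    uint8_t *p = mm->fn.alloc_code(mm->opaque, 64, 16);
    printf("status=%d calls=%d finalize=%d\n", status, calls, mm_finalize(mm));
    free(p);
    mm_destroy(mm);
    return 0;
}
```
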
