List: squeak-vm-dev
Subject: Re: [Vm-dev] SafeFFI concept
From: Ben Coman <btc () openinworld ! com>
Date: 2018-03-31 23:55:14
Message-ID: CAProBT=dMWhDHEwkmB6jbriZxToqnX=23rtznFsxRcZr-FdiuA () mail ! gmail ! com
On 1 April 2018 at 02:15, Todd Blanchard <tblanchard@mac.com> wrote:
>
> Problem with that is when you want to do something like integrate with
> Cocoa on a Mac or iOS. The thing you want to talk to is in your process
> already.
>
On 1 April 2018 at 02:10, Eliot Miranda <eliot.miranda@gmail.com> wrote:
>
> Hi Ben,
>
> I think it's a fun idea (my Spur memory debugging scheme uses the clone
> idea too) but for the FFI it isn't useful. IMO so much state is associated
> with a specific process that only a fraction of library and system calls
> would work, and debugging those that didn't would be very strange. Just
> take a system call that opens a file for example. On return the file
> handle would be present only in the child. Any use of the file descriptor
> from the parent would fail. There are simpler alternatives:
>
> a) modify the already installed low-level exception handlers in the VM to
> fail an FFI call, reporting exception location and code, when a low-level
> exception occurs during an FFI call.
>
> b) allow write-protecting the Smalltalk heap during an FFI call
>
> I like a). b) doesn't play nicely with the threaded FFI.
>
Thanks for your consideration.
Helps me put the idea aside.
cheers -ben
>
>
>
> On Mar 31, 2018, at 6:25 AM, Ben Coman <btc@openinworld.com> wrote:
>
> This idea is not fully formed. I've been nibbling away at composing this
> post for a month and thought I'd just send it out rather than let it drift
> on further. It's an idea that keeps resurfacing but I've not been in a
> position to follow it up, so I'm just sharing the rough outline.
>
> One of the great features of programming at the Image level is protection
> from memory access violations. We get to continue from errors after
> debugging them. However, all bets are off when we use FFI. The bane of FFI
> is memory violations in the C callout. Memory violations in FFI C
> callouts are harder than usual to diagnose since we lose our usual
> debugging environment. It's hard to recover from a memory violation since
> the C callout has full access to the VM's heap and thus everything is suspect.
>
> So the idea is for the FFI callouts to execute in a separate child process. That
> child process has no access to the VM's memory, so a memory violation in the
> C callout could not crash the VM.
>
> Obviously there will be some performance penalty, but the question is to
> what degree. There are two reasons to use an external library via FFI.
> 1. Speed
> 2. Functionality
> Where it's more about functionality than speed (e.g. git, libusb,
> libsodium, pdfium), application developers newly programming against an
> unfamiliar C library may be willing to trade speed for safety. Perhaps it's
> used part-time, like the Assert-VM, during development, and production uses
> the standard higher-performance FFI.
>
> The idea of executing FFI callouts in a child process arose while reading
> that, with Linux's clone() function, the parent process can allocate memory
> for the stack of the child process.
> https://stackoverflow.com/questions/1083172/how-to-mmap-the-stack-for-the-clone-system-call-on-linux
> https://nullprogram.com/blog/2015/05/15/
>
> The child process might be a simple event loop waiting on a semaphore.
> My understanding of the FFI callout mechanism is that a stack frame is
> constructed in the form expected by the function being invoked. With
> SafeFFI, while the "fficallout" semaphore is being waited on, the child stack is
> static, so maybe the VM parent process could arrange the stack in the
> child process such that sem_wait() returns not to line 005 but instead
> executes the required FFI callout function. The "fficallout" semaphore
> is signalled from the Image once the stack frame has been constructed.
>
> // Sketch only; assumes <semaphore.h>, <stdio.h>, <stdbool.h> and a global sem_t fficallout.
> 001 int main(void)
> 002 { expose_child_function_addresses_to_parent_process();
> 003   while (true)
> 004   { sem_wait(&fficallout);   // Smalltalk image reconstructs stack frame here
> 005     printf("Dummy statement. Never gets here");
> 006   }
> 007 }
> 008
> 009 void demo_redirect(void)
> 010 { printf("SafeFFI demo success");
> 011 }
>
>
> So how feasible would something like that be?
>
> cheers -ben
>
>
> P.S. For initial simplicity of the presentation I've avoided discussing
> return values and callbacks.
>
>
>
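Ben's isolation idea and Eliot's file-descriptor objection, as an added runnable C example that is not code from the thread: it uses plain fork() rather than the clone() stack trick Ben describes, and the callout functions and `run_isolated` are constructed stand-ins.

```c
/* Added example, not code from the thread: Ben's child-process idea and Eliot's
 * file-descriptor objection in POSIX C (Linux); the callouts are constructed
 * stand-ins. 1: a memory violation in a forked child reaches the parent only as
 * a signal number. 2: a file the child opens is not open in the parent. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run fn() in a forked child and wait for it. Returns the child's exit code
 * (0..255) on a normal exit, or -1 with *signo set if a signal killed it. */
static int run_isolated(int (*fn)(void), int *signo)
{
    pid_t pid = fork();
    *signo = 0;
    if (pid < 0)
        return -1;
    if (pid == 0) {                  /* child: run the callout, never return */
        int r = fn();
        _exit(r < 0 || r > 254 ? 255 : r);
    }
    int wstatus;
    if (waitpid(pid, &wstatus, 0) < 0)
        return -1;
    if (WIFSIGNALED(wstatus)) {
        *signo = WTERMSIG(wstatus);
        return -1;
    }
    return WEXITSTATUS(wstatus);
}

/* Volatile so the compiler cannot see the null store and turn it into a trap. */
static int *volatile bad_pointer = 0;
/* Stand-in for a buggy callout: writes through a null pointer. */
static int faulting_callout(void)
{
    *bad_pointer = 42;
    return 0;
}

/* Stand-in for a callout that opens a file and returns the descriptor. */
static int open_callout(void)
{
    return open("/dev/null", O_RDONLY);
}

/* Point 1: the signal that ended the child (SIGSEGV on Linux); the caller keeps running. */
int contained_fault_signal(void)
{
    int signo = 0;
    run_isolated(faulting_callout, &signo);
    return signo;
}

/* Point 2: 1 if the child's descriptor is not open in the parent (EBADF), 0 if it is. */
int child_fd_is_invalid_in_parent(void)
{
    int signo = 0;
    int fd = run_isolated(open_callout, &signo);
    if (fd < 0 || fd == 255)         /* child died or open() failed */
        return -1;
    errno = 0;
    return fcntl(fd, F_GETFD) == -1 && errno == EBADF;
}

int main(void)
{
    printf("fault in child: signal %d, parent still running\n", contained_fault_signal());
    printf("child fd usable in parent: %s\n", child_fd_is_invalid_in_parent() == 1 ? "no" : "yes");
    return 0;
}
```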
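Eliot's alternative a), as an added example that is not VM code: handlers installed around a callout turn a low-level exception into a failed call that reports the exception location and code; the sigsetjmp/siglongjmp unwinding, `guarded_callout` and the stand-in callouts are this example's assumptions, not the VM's own handlers.

```c
/* Added example, not VM code: Eliot's alternative a) in POSIX C. Fault handlers
 * installed only for the duration of a callout turn a SIGSEGV/SIGBUS inside it
 * into a failed call that reports the faulting address and si_code, instead of
 * killing the process. Unwinding via sigsetjmp/siglongjmp is this example's assumption. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <string.h>

typedef struct {
    int signo;    /* SIGSEGV or SIGBUS, 0 if the callout did not fault */
    int code;     /* si_code, e.g. SEGV_MAPERR for an unmapped address */
    void *addr;   /* faulting address (si_addr) */
} callout_result;

static sigjmp_buf callout_env;
static volatile sig_atomic_t callout_active;
static callout_result last_fault;

static void fault_handler(int signo, siginfo_t *info, void *ctx)
{
    (void)ctx;
    if (callout_active) {
        last_fault.signo = signo;
        last_fault.code = info->si_code;
        last_fault.addr = info->si_addr;
        siglongjmp(callout_env, 1);  /* back into guarded_callout, mask restored */
    }
    signal(signo, SIG_DFL);          /* fault outside any callout: let it terminate us */
    raise(signo);
}

/* Run fn() with the handlers installed. Returns 0 on success, -1 if it faulted;
 * *res describes the fault (all zero on success). */
int guarded_callout(void (*fn)(void), callout_result *res)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    memset(&last_fault, 0, sizeof last_fault);
    volatile int rc = -1;
    if (sigsetjmp(callout_env, 1) == 0) {   /* 1: save the signal mask too */
        callout_active = 1;
        fn();
        rc = 0;
    }
    callout_active = 0;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    *res = last_fault;
    return rc;
}

/* Constructed stand-ins for callouts; the pointer is volatile so the compiler
 * cannot see the null store and replace it with a trap instruction. */
static int *volatile bad_pointer = NULL;
static void faulting_callout(void) { *bad_pointer = 42; }
static void good_callout(void) { }
/* Signal the faulting callout was failed with (SIGSEGV on Linux); 0 if no fault. */
int demo_fault_signo(void)
{
    callout_result r;
    return guarded_callout(faulting_callout, &r) == -1 ? r.signo : 0;
}

int demo_good_rc(void)   /* 0: a well-behaved callout passes through unchanged */
{
    callout_result r;
    return guarded_callout(good_callout, &r);
}
```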