
Re: trampolines - how to work around


Re: trampolines - how to work around

jeremy (Bugzilla)
Julian Seward wrote:

>So we can easily enough generate self-checking translations.  A problem
>is, since self-checking translations are expensive to run, we want to
>make as few as possible.  That means having a good heuristic for deciding
>when to do so.  The currently postulated heuristic is to make a self-
>checking translation for code within some small offset of the stack
>pointer.  Ideally the heuristic should say "yes" as infrequently as
>possible, but it should also never miss any such cases either.
>
>Is that correct?  Any other things I need to take into account?
>  
>
How about "generate self-checking code if the code is being fetched from
a writable page"?  That will never happen in normal operation, since all
code is mapped read-only.  It could be fooled by someone changing page
permissions with mprotect (write some code into a page, make it RO,
execute it, make it RW, change it), but you could fix that by clearing
the translation cache for a memory range when either switching it from
RW->RO or RO->RW (one or the other should do the trick).

The problem with the "near ESP" heuristic is that it won't cope with code
generated elsewhere in the address space, such as running another JIT VM
under Valgrind.

    J


_______________________________________________
Valgrind-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/valgrind-users

Re: trampolines - how to work around

Julian Seward-2

> How about "generate self-checking code if the code is being fetched from
> a writable page"?

Yes, also plausible ...

> That will never happen in normal operation, since all
> code is mapped read-only.  It could be fooled by someone changing page
> permissions with mprotect (write some code into a page, make it RO,
> execute it, make it RW, change it), but you could fix that by clearing
> the translation cache for a memory range when either switching it from
> RW->RO or RO->RW (one or the other should do the trick).

... sigh, yes I see.  More cross-module dependencies and complexity, tho.

> The problem with the "near ESP" heuristic is that it won't cope with code
> generated elsewhere in the address space, such as running another JIT VM
> under Valgrind.

Yeh.  True.

The "near SP" (we can't say "near ESP" any more) thing at least gets
the Ada folks moving again.  I was thinking:

  --check-translations={no,auto,yes} [default: auto]

with auto being 'near SP', no being none and yes being all.

Hmm.  I suppose transparently supporting JVMs as well as Ada folks
would be a good thing.

One other problem with checking TC at each mprotect is that any TC
check requires inspecting all translations.  I wonder if TC should be
redone so that instead of being based on a hash table it is based on an
AVL tree, so that address range invalidation is O(log(N)) in the number
of translations instead of O(N).

J



Re: trampolines - how to work around

Karl Hasselström
In reply to this post by jeremy (Bugzilla)
On 2005-05-25 17:44:58 -0700, Jeremy Fitzhardinge wrote:

> How about "generate self-checking code if the code is being fetched
> from a writable page"? That will never happen in normal operation,
> since all code is mapped read-only. It could be fooled by someone
> changing page permissions with mprotect (write some code into a
> page, make it RO, execute it, make it RW, change it), but you could
> fix that by clearing the translation cache for a memory range when
> either switching it from RW->RO or RO->RW (one or the other should
> do the trick).

You can't fix it by clearing translations only on rw->ro transitions.
If you do, then after an ro->rw transition, you would have
non-self-invalidating code based on writeable memory.

The other option works: then, after a rw->ro transition, you would
have self-invalidating code based on read-only memory, which is
inefficient but correct.

--
Karl Hasselström, [hidden email]
      www.treskal.com/kalle
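A toy model of the two flush policies Jeremy and Karl are discussing, added here as an illustration; it is not Valgrind code and not code from either poster. It assumes a paged guest with one protection word per page, a hash of the source bytes standing in for the self-check, and invented names (`wants_self_check`, `guest_mprotect`, `mprotect_trick`, `patch_in_place`); the page size and the "v1-code"/"v2-code" bytes are constructed. `mprotect_trick` runs the write, make-RO, execute, make-RW, patch, execute sequence under each policy: flushing only on RW->RO leaves a non-self-checking translation behind once the page is writable again, so the patched bytes are never seen, while flushing on RO->RW forces a fresh translation that is made from a writable page and therefore self-checks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of a translation cache (TC) over a paged guest address space.
 * Page size, protection bits, the FNV-1a self-check hash and the code bytes
 * are all constructed for illustration; this is not Valgrind's TC. */
#define PAGE_SIZE 256u
#define NPAGES    4
#define MAX_TRANS 16
enum { PROT_R = 1, PROT_W = 2 };

typedef struct { uint8_t mem[NPAGES * PAGE_SIZE]; int prot[NPAGES]; } Guest;
typedef struct {
    uint32_t addr, len, hash;  /* source range and hash of its bytes when translated */
    bool self_check, valid;    /* self_check: re-verify the source bytes on entry */
} Trans;
typedef struct { Trans t[MAX_TRANS]; int n; } TCache;
enum InvalPolicy { INVAL_ON_RW_TO_RO, INVAL_ON_RO_TO_RW }; /* which mprotect transition flushes */

static uint32_t hash_bytes(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
static int page_of(uint32_t addr) { return (int)(addr / PAGE_SIZE); }

/* The heuristic under discussion: self-check iff fetched from a writable page. */
static bool wants_self_check(const Guest *g, uint32_t addr) {
    return (g->prot[page_of(addr)] & PROT_W) != 0;
}
static Trans *tc_lookup(TCache *tc, uint32_t addr) {
    for (int i = 0; i < tc->n; i++)
        if (tc->t[i].valid && tc->t[i].addr == addr) return &tc->t[i];
    return NULL;
}
static void tc_invalidate_range(TCache *tc, uint32_t lo, uint32_t len) {
    for (int i = 0; i < tc->n; i++)
        if (tc->t[i].addr < lo + len && tc->t[i].addr + tc->t[i].len > lo)
            tc->t[i].valid = false;
}
static Trans *translate(const Guest *g, TCache *tc, uint32_t addr, uint32_t len) {
    Trans *t = NULL;
    for (int i = 0; i < tc->n && !t; i++) if (!tc->t[i].valid) t = &tc->t[i];
    if (!t) t = &tc->t[tc->n++];           /* MAX_TRANS is never reached below */
    t->addr = addr; t->len = len; t->hash = hash_bytes(g->mem + addr, len);
    t->self_check = wants_self_check(g, addr); t->valid = true;
    return t;
}

/* "Run" the code at addr. Returns true if the translation that ran matches the
 * bytes now in guest memory, false if a stale translation ran. */
static bool execute(const Guest *g, TCache *tc, uint32_t addr, uint32_t len) {
    Trans *t = tc_lookup(tc, addr);
    if (!t) t = translate(g, tc, addr, len);
    uint32_t now = hash_bytes(g->mem + addr, len);
    if (t->self_check && t->hash != now)    /* self-check fires: retranslate */
        { t->valid = false; t = translate(g, tc, addr, len); }
    return t->hash == now;
}

static void guest_mprotect(Guest *g, TCache *tc, uint32_t addr, int prot,
                           enum InvalPolicy pol) {
    int pg = page_of(addr);
    bool was_w = (g->prot[pg] & PROT_W) != 0, now_w = (prot & PROT_W) != 0;
    bool flush = pol == INVAL_ON_RW_TO_RO ? (was_w && !now_w) : (!was_w && now_w);
    if (flush) tc_invalidate_range(tc, (uint32_t)pg * PAGE_SIZE, PAGE_SIZE);
    g->prot[pg] = prot;
}
static void guest_init(Guest *g, TCache *tc) {
    memset(g, 0, sizeof *g); memset(tc, 0, sizeof *tc);
    g->prot[0] = PROT_R;            /* page 0: ordinary read-only text */
    g->prot[1] = PROT_R | PROT_W;   /* page 1: JIT scratch */
}

/* The mprotect trick from the thread: write code into an RW page, make it RO,
 * run it, make it RW again, patch it, run it again. Returns true if the second
 * run executes the patched bytes, false if a stale translation ran. */
static bool mprotect_trick(enum InvalPolicy pol) {
    Guest g; TCache tc; guest_init(&g, &tc);
    uint32_t code = PAGE_SIZE;                            /* page 1 */
    memcpy(g.mem + code, "v1-code", 8);
    guest_mprotect(&g, &tc, code, PROT_R, pol);           /* RW -> RO */
    execute(&g, &tc, code, 8);                  /* translated, no self-check */
    guest_mprotect(&g, &tc, code, PROT_R | PROT_W, pol);  /* RO -> RW */
    memcpy(g.mem + code, "v2-code", 8);                   /* patch in place */
    return execute(&g, &tc, code, 8);
}

/* Ordinary JIT: write, run, then patch code in an RW page with no mprotect at
 * all; the writable-page heuristic alone has to catch the patch. */
static bool patch_in_place(void) {
    Guest g; TCache tc; guest_init(&g, &tc);
    uint32_t code = PAGE_SIZE;
    memcpy(g.mem + code, "v1-code", 8);
    execute(&g, &tc, code, 8);
    memcpy(g.mem + code, "v2-code", 8);
    return execute(&g, &tc, code, 8);
}
```

The model decides whether a translation self-checks only once, at translation time, from the page's protection at that moment. That is precisely why a flush on RW->RO alone is not enough: the translation made while the page was read-only is trusted forever, and nothing re-examines it when the page becomes writable again.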



Re: trampolines - how to work around

jeremy (Bugzilla)
In reply to this post by Julian Seward-2
Julian Seward wrote:

>>That will never happen in normal operation, since all
>>code is mapped read-only.  It could be fooled by someone changing page
>>permissions with mprotect (write some code into a page, make it RO,
>>execute it, make it RW, change it), but you could fix that by clearing
>>the translation cache for a memory range when either switching it from
>>RW->RO or RO->RW (one or the other should do the trick).
>>    
>>
>
>... sigh, yes I see.  More cross-module dependencies and complexity, tho.
>  
>
Well, there should be a general "code may have changed" interface to the
translation cache, which should be a fairly narrow interface.  In 2.4
(haven't looked at 3 in detail), the Segment list has a flag to keep
track of which regions of memory have had code generated from them, so
it's fairly cheap to tell if something needs to be done.

>Yeh.  True.
>
>The "near SP" (we can't say "near ESP" any more) thing at least gets
>the Ada folks moving again.  I was thinking:
>
>  --check-translations={no,auto,yes} [default: auto]
>
>with auto being 'near SP', no being none and yes being all.
>  
>
I think "fetch from writable" is general enough, and should be pretty
foolproof.  It would be interesting to see if there are any instances of
code being executed from RW memory which hasn't been generated (for
example someone running from RW mmaped memory).  Given some of the
strange executables we've seen various compilers generate, it could
happen, so it probably needs a way to turn it off.

>One other problem with checking TC at each mprotect is that any TC
>check requires inspecting all translations.  I wonder if TC should be
>redone so that instead of being based on a hash table it is based on an
>AVL tree, so that address range invalidation is O(log(N)) in the number
>of translations instead of O(N).
>
The existing skiplist implementation can do that easily.

    J
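Julian's O(N) versus O(log N) point and Jeremy's skiplist reply, as an added example rather than Valgrind's own TC code: an address-ordered index in which range invalidation binary-searches to the start of the affected window and visits only the entries that could overlap it. A sorted array is used instead of an AVL tree or skiplist because it is short; search and invalidation cost the same, only insertion pays an O(N) shift. The bound `MAX_TRANS_LEN` on how many guest bytes one translation spans, the workload sizes and all names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Address-ordered index over translations, so that "drop everything that
 * overlaps [lo, lo+len)" examines only a window of O(log N + k) entries
 * instead of walking all N. A sorted array stands in for the AVL tree or
 * skiplist discussed: same search cost, only insertion pays an O(N) shift.
 * MAX_TRANS_LEN (the most guest bytes one translation covers) is an assumed
 * bound of this model; the look-back in idx_invalidate_range depends on it. */
#define MAX_ENTRIES   1024
#define MAX_TRANS_LEN 64u

typedef struct { uint32_t start, len; } Entry;
typedef struct {
    Entry e[MAX_ENTRIES];
    int   n;
    int   examined;   /* entries inspected by the last invalidate, for illustration */
} Index;

static void idx_init(Index *ix) { memset(ix, 0, sizeof *ix); }

/* Insert keeping entries sorted by start address. */
static bool idx_insert(Index *ix, uint32_t start, uint32_t len) {
    if (ix->n == MAX_ENTRIES || len == 0 || len > MAX_TRANS_LEN) return false;
    int i = ix->n;
    while (i > 0 && ix->e[i - 1].start > start) { ix->e[i] = ix->e[i - 1]; i--; }
    ix->e[i].start = start; ix->e[i].len = len; ix->n++;
    return true;
}

/* Binary search: first index whose start >= key. */
static int lower_bound(const Index *ix, uint32_t key) {
    int lo = 0, hi = ix->n;
    while (lo < hi) {
        int mid = lo + (hi - lo) / 2;
        if (ix->e[mid].start < key) lo = mid + 1; else hi = mid;
    }
    return lo;
}

/* Remove every entry overlapping [lo, lo+len). An overlapping entry must start
 * after lo - MAX_TRANS_LEN and before lo + len, so only that window is
 * visited. Returns the number removed. */
static int idx_invalidate_range(Index *ix, uint32_t lo, uint32_t len) {
    uint32_t from = lo >= MAX_TRANS_LEN ? lo - MAX_TRANS_LEN + 1 : 0;
    int i = lower_bound(ix, from), w = i, removed = 0;
    ix->examined = 0;
    for (; i < ix->n && ix->e[i].start < lo + len; i++) {
        ix->examined++;
        if (ix->e[i].start + ix->e[i].len > lo) removed++;   /* overlaps: drop */
        else ix->e[w++] = ix->e[i];                           /* keep */
    }
    memmove(&ix->e[w], &ix->e[i], (size_t)(ix->n - i) * sizeof(Entry));
    ix->n -= removed;
    return removed;
}

/* Constructed workload: 512 translations of 16 bytes at 32-byte spacing. */
static void build_workload(Index *ix) {
    idx_init(ix);
    for (uint32_t i = 0; i < 512; i++) idx_insert(ix, i * 32, 16);
}

/* Flush one 4 KiB "page" at 8192: 128 of the 512 entries overlap it, and
 * only the window around it is examined rather than all 512. */
static int page_flush_removed(void) {
    Index ix; build_workload(&ix);
    return idx_invalidate_range(&ix, 8192, 4096);
}
static int page_flush_examined(void) {
    Index ix; build_workload(&ix);
    idx_invalidate_range(&ix, 8192, 4096);
    return ix.examined;
}
static int page_flush_remaining(void) {
    Index ix; build_workload(&ix);
    idx_invalidate_range(&ix, 8192, 4096);
    return ix.n;
}

/* A translation that starts just below the range but spills into it must
 * still be caught; that is what the MAX_TRANS_LEN look-back is for. */
static int straddling_removed(void) {
    Index ix; idx_init(&ix);
    idx_insert(&ix, 100, 16); idx_insert(&ix, 8180, 16);
    idx_insert(&ix, 12280, 16); idx_insert(&ix, 20000, 16);
    return idx_invalidate_range(&ix, 8192, 4096);
}
```

The look-back window is the subtle part: a translation keyed on its start address can still overlap a range that begins after it, so a purely start-keyed search has to begin `MAX_TRANS_LEN - 1` bytes early. Without a bound on translation length (or an end-address-aware structure such as an interval tree) the search cannot safely skip anything.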



Re: trampolines - how to work around

jeremy (Bugzilla)
In reply to this post by Karl Hasselström
Karl Hasselström wrote:

>You can't fix it by clearing translations only on rw->ro transitions.
>If you do, then after an ro->rw transition, you would have
>non-self-invalidating code based on writeable memory.
>
>The other option works: then, after a rw->ro transition, you would
>have self-invalidating code based on read-only memory, which is
>inefficient but correct.
>
Yep, you're right.

    J

