Sulong: Executing Low-level Languages on Truffle Manuel Rigger Advanced Software Technologies Lab (Zhendong Su) ETH Zurich 1. April 2019 Interconnecting Code Workshop @ 2019 @RiggerManuel
Sulong Interacts also with Other Code 7 Compiler builtins System calls External Libraries Low-level libc/POSIX functions Linkage features Compiler extensions Inline assembly
8 The importance of inline assembly and compiler builtins GraalVM, its language interoperability mechanism, and Sulong’s role Safe Sulong and how it safely executes LLVM- based languages
GraalVM 12 (Würthinger et al. 2016) TruffleRuby Graal.js Graal.python FastR Truffle Truffle is an language- implementation framework • Written in Java • Optimization primitives • Debugging and profiling • Language interoperability!
GraalVM 14 (Würthinger et al. 2016) TruffleRuby Graal.js Graal.python FastR Graal Truffle Can execute on the JVM, be compiled to a standalone executable, … JVM
AST Interpreters Optimization 19 = a b 3 + Truffle AST Interpreters specialize for their input 5 2 a b if (input is as expected) { execute specialized operation } else { rewrite node } Variable Integer
GraalVM 24 (Grimmer et al. 2015) TruffleRuby Graal.js Graal.python FastR Language interoperability support for individual language pairs would not scale
Message-Based Foreign Access 26 a = b + 3 = a READ b 3 + 2 b Foreign objects can be accessed by sending a message to the foreign language implementation
Example: Ruby C Extension 33 # Ruby Code: array.rb s = CArray.new puts s.arraySum([1,2,3]) // The C extension: array.c #include “ruby.h” VALUE c_arraySum(VALUE self, VALUE array) { int sum = 0; for (int i = 0; i < RARRAY_LEN(array); i++) { sum += FIX2INT(rb_ary_entry(array, i)); } return INT2FIX(sum); } Slide modified from Matthias Grimmer, with permission
Example: Ruby C Extension 34 // The C extension: array.c #include “ruby.h” VALUE c_arraySum(VALUE self, VALUE array) { int sum = 0; for (int i = 0; i < RARRAY_LEN(array); i++) { sum += FIX2INT(rb_ary_entry(array, i)); } return INT2FIX(sum); } // ruby.h typedef VALUE void*; typedef ID void *; VALUE rb_ary_entry(VALUE ary, long idx); Slide modified from Matthias Grimmer, with permission Programmers write their native extensions using the API provided by MRI
Example: Ruby C Extension 35 // The C extension: array.c #include “ruby.h” VALUE c_arraySum(VALUE self, VALUE array) { int sum = 0; for (int i = 0; i < RARRAY_LEN(array); i++) { sum += FIX2INT(rb_ary_entry(array, i)); } return INT2FIX(sum); } Slide modified from Matthias Grimmer, with permission // ruby.c #include “ruby.h” #include “truffle.h” VALUE rb_ary_entry(VALUE ary, long idx) { return truffle_read_idx(ary, (int) idx); } int FIX2INT(VALUE value) { return truffle_invoke_i(RUBY_CEXT, “rb_fix2int”, value); } truffle_read_idx and truffle_invoke_i are Sulong intrinsics that send messages
Example: Ruby C Extension 36 // The C extension: array.c #include “ruby.h” VALUE c_arraySum(VALUE self, VALUE array) { int sum = 0; for (int i = 0; i < RARRAY_LEN(array); i++) { sum += FIX2INT(rb_ary_entry(array, i)); } return INT2FIX(sum); } Slide modified from Matthias Grimmer, with permission // ruby.c #include “ruby.h” #include “truffle.h” VALUE rb_ary_entry(VALUE ary, long idx) { return truffle_read_idx(ary, (int) idx); } int FIX2INT(VALUE value) { return truffle_invoke_i(RUBY_CEXT, “rb_fix2int”, value); }
Example: Ruby C Extension 36 // The C extension: array.c #include “ruby.h” VALUE c_arraySum(VALUE self, VALUE array) { int sum = 0; for (int i = 0; i < RARRAY_LEN(array); i++) { sum += FIX2INT(rb_ary_entry(array, i)); } return INT2FIX(sum); } Slide modified from Matthias Grimmer, with permission // ruby.c #include “ruby.h” #include “truffle.h” VALUE rb_ary_entry(VALUE ary, long idx) { return truffle_read_idx(ary, (int) idx); } int FIX2INT(VALUE value) { return truffle_invoke_i(RUBY_CEXT, “rb_fix2int”, value); } # ruby.rb def rb_fix2int(value) if value.nil? raise TypeError else int = value.to_int raise RangeError if int >= 2**32 int end end
Performance 37 11 32 0 5 10 15 20 25 30 35 Peak performance relative to MRI running pure Ruby MRI with C Extensions GraalVM with C Extensions Slide modified from Matthias Grimmer, with permission
Performance 37 11 32 0 5 10 15 20 25 30 35 Peak performance relative to MRI running pure Ruby MRI with C Extensions GraalVM with C Extensions Slide modified from Matthias Grimmer, with permission Truffle can inline the function call from Ruby to C!
Problem: C/C++ are unsafe languages 39 Undefined Behavior (UB) “behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements “ (C99 standard)
Buffer Overflows: Leaking Sensitive Data 43 long *arr = malloc(3 * sizeof(long)); long dest[4]; memcpy(dest, arr, sizeof(dest)); arr: dest: secret secret Heartbleed and Cloudbleed were such vulnerabilities
Buffer Overflows: Leaking Sensitive Data 43 long *arr = malloc(3 * sizeof(long)); long dest[4]; memcpy(dest, arr, sizeof(dest)); arr: dest: secret secret Heartbleed and Cloudbleed were such vulnerabilities Writes can allow attackers to change a program’s control flow
Use-after-free Error 44 long *arr = malloc(3 * sizeof(long)); free(arr); arr[0] = …; UB Another object can be overwritten if the memory has been reallocated
Integer Overflow 46 void pause() { int a = 0; // run until overflow while (a < a + 1) { a++; } } What’s the compilation output of Clang/GCC? 1. The function works as expected by the programmer 2. The function body is optimized away 3. The function results in an endless loop 4. It depends on the optimization level
State of the Art: Instrumentation-based Tools Compile-time instrumentation • AddressSanitizer • SoftBound+CETS 52 a.out Clang/GCC C ./a.out Hello world!
Conundrum: Finding Bugs vs. Performance 53 a.out Clang/GCC C ./a.out Hello world! Static compilers: optimize code based on Undefined Behavior Bug-finding tools: find bugs assuming that violations are visible side effects (Wang et al. 2012, D'Silva 2015)
Map Data Structures and Operations to Java 55 long[] arr = new long[3]; arr[4] = … long *arr = malloc(3 * sizeof(long)); arr[4] = … Map to Java Code The semantics of an out-of- bounds access are well specified
Map Data Structures and Operations to Java 55 long[] arr = new long[3]; arr[4] = … long *arr = malloc(3 * sizeof(long)); arr[4] = … Map to Java Code ArrayIndexOutOfBoundsException The semantics of an out-of- bounds access are well specified
Map Data Structures and Operations to Java 55 long[] arr = new long[3]; arr[4] = … long *arr = malloc(3 * sizeof(long)); arr[4] = … Map to Java Code ArrayIndexOutOfBoundsException The semantics of an out-of- bounds access are well specified The JVM’s compiler optimizes the program, but without optimizing Undefined Behavior away
Sulong 56 Sulong is a Truffle-based LLVM IR Interpreter LLVM IR Interpreter LLVM IR Clang program.c libc.c Truffle Graal JVM We need to disable Clang’s optimizations
Safe Optimizations 64 ArrayIndexOutOfBoundsException NullPointerException ArithmeticException Exceptions are visible side effects and cannot be optimized away
Evaluation Hypotheses • Effectiveness: Safe Sulong detects bugs that are overlooked by other tools • Performance: Safe Sulong’s performance overhead is “reasonable” 65
Effectiveness: Errors in GitHub Projects • Valgrind detected half of the errors • 8 errors not found by LLVM’s AddressSanitizer (and Valgrind) • Compiler optimizations (ASan –O3) prevented the detection of 4 additional bugs 67 [Comparison tools]
Effectiveness: Errors in GitHub Projects 68 int main(int argc, char** argv) { printf("%d %s\n", argc, argv[5]); } [Comparison tools] Out-of-bounds accesses to argv are not instrumented by ASan
Effectiveness: Errors in GitHub Projects • 8 errors not found by LLVM’s AddressSanitizer and Valgrind 70 int main(int argc, char** argv) { printf("%d %s\n", argc, argv[5]); } [Comparison tools] In Safe Sulong instrumentation cannot be omitted by design
Sulong as Part of GraalVM 72 Java Virtual Machine Graal Compiler Truffle Framework TruffleRuby Graal.js Graal.python FastR LLVM IR Interpreter LLVM IR Clang Flang Optimization Boundary Managed Sulong, derived from Safe Sulong, is available in GraalVM
Sulong Key Collaborators 73 Jacob Kreindl Raphael Mosaner Roland Schatz Josef Eisl Christian Häubl Matthias Grimmer Thomas Pointhuber Daniel Pekarek Chris Seaton Lukas Stadler Florian Angerer David Gnedt https://github.com/graalvm/sulong/graphs/contributors Swapnil Gaikwad
82 if (__builtin_expect(x, 0)) foo (); asm("rdtsc":"=a"(tickl),"=d"(tickh)); Inline Assembly C Projects Consist of More Than C Code Compiler builtins [Inline assembly details] [Inline Assembly and GCC Builtins in Sulong]
83 if (__builtin_expect(x, 0)) foo (); asm("rdtsc":"=a"(tickl),"=d"(tickh)); Inline Assembly C Projects Consist of More Than C Code Compiler builtins [Inline assembly details] [Inline Assembly and GCC Builtins in Sulong] ~1,000 instructions for a single complex ISA like x86-64
if (__builtin_expect(x, 0)) foo (); asm("rdtsc":"=a"(tickl),"=d"(tickh)); Inline Assembly C Projects Consist of More Than C Code Compiler builtins [Inline assembly details] [Inline Assembly and GCC Builtins in Sulong] Over 1,000 GCC builtins 84
C Projects Consist of More Than C Code 85 How frequently are these used? How are they used? What is the implementation effort to cover most programs? How well do comparable tools support them?
C Projects Consist of More Than C Code 85 How frequently are these used? How are they used? What is the implementation effort to cover most programs? How well do comparable tools support them? Informed decision to decide whether and do what extent to implement them in Sulong!
Mining of C GitHub Projects 86 GCC Builtins Inline Assembly # studied projects ~5,000 ~1,300 Considered projects All C projects C Client Applications Identification grep name> grep asm
Mining of C GitHub Projects 86 GCC Builtins Inline Assembly # studied projects ~5,000 ~1,300 Considered projects All C projects C Client Applications Identification grep name> grep asm Different setups, so the comparison should be taken with a grain of salt
In How Many Projects are They Used? 28% 37% 0 10 20 30 40 % of projects Popular projects with inline assembly (Popular) projects with GCC builtins Both GCC builtins and inline assembly are frequently used by projects 88
How Often are They Used Within a Project? 50k 6k 0 10 20 30 40 50 Density (occurrence per KLOC) Popular projects with inline assembly (Popular) projects with GCC builtins They are infrequently used within a project 89
Inline Assembly 91 Inline assembly fragments can contain an arbitrary number of instructions; how many do they typically contain? uint64 sqlite3Hwtime(void){ unsigned long val; __asm__ ("rdtsc" : "=A" (val)); return val; }
How are Inline Assembly Fragments Used? 92 0 10 20 30 40 50 60 70 80 90 100 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 Cumulative percentage Number of unique fragments per project 36% A number of projects only uses a single inline assembly fragments
How are Inline Assembly Fragments Used? 0 10 20 30 40 50 60 70 80 90 100 1 2 3 4 5 6 7 8 9 10 11 12 Cumulative percentage Number of instructions per unique fragment 94 100% 438 … We also found fragments with several hundred instructions
How are GCC Builtins Used? 96 if (__builtin_expect(x, 0)) foo (); Architecture-independent builtin c = __builtin_ia32_paddb(a, b); Architecture-specific builtin Architecture-specific builtins are similar to inline assembly. Are they used?
How are GCC Builtins Used? 97 38% 36% 8% 0 500 1000 1500 2000 Number of projects Used builtins Machine-independent Machine-specific Mainly machine-independent GCC builtins are used.
Tool Support for Inline Assembly 100 c2go transpile test.c panic: unknown node type: 'GCCAsmStmt 0x3a991f8 'goroutine 1 [running]:github_com_elliotchance_c2go_ast.Parse go/src/github.com/elliotchance/c2go/ast/ast.go:211main.convertLinesToNodes go/src/github.com/elliotchance/c2go/main.go:81main.Start go/src/github.com/elliotchance/c2go/main.go:219main.runCommand go/src/github.com/elliotchance/c2go/main.go:350main.main go/src/github.com/elliotchance/c2go/main.go:277goroutine 6 [finalizer wait]: Splint 3.1.2 --- 03 May 2009 test.c: (in function rdtsc) test.c:5:3: Unrecognized identifier: asm Identifier used in code has not been declared. (Use –unrecog to inhibit warning) test.c:5:15: Parse Error. (For help on parse errors, see splint -help parseerrors.) *** Cannot continue.
How much effort is needed to implement GCC Builtins? 104 1600 builtins to support 99% of projects 32 builtins to support half of projects [Details] Machine-independent builtins are the “low-hanging fruits”
GCC Builtin Usage Over Time Trend Projects Increasing 38% Stagnant 26% Decreasing 14% Inconclusive 22% 107 64% of projects have been mainly adding builtins
Research Opportunities • Other elements, such as compiler pragmas and function attributes are not widely understood • Testing the correct usage of inline assembly and GCC builtins • Support in formal models and static analysis tools • Automatic approaches? 108
Pareto Principle 112 It is useful to consider the “seemingly” less- important 20% of a problem • Avoids oversimplifications • Helps designing holistic solutions • Leads to new research questions
Discussion: What About Other Overlooked Problems? 113 In which 20% of important use cases do current language interoperability approaches fail? Which 20% of important use cases cannot be expressed with and how does it affect users? Which 20% of an approach for connecting heterogeneous code provides bad usability and how can we improve on it?
mrigger
shunk031
kitachan_black
sorami
masakat0
gamella
yamdan
yumulab
cybozuinsideout
shun74
hide2kano
sgnm
tanoku
samanthasiow
keathley
jonyablonski
caitiem20
notwaldorf
hursman
paulrobertlloyd
lauravandoore
mza
kneath
rasmusluckow