An Analysis of Inline Assembly in C Projects Manuel Rigger, Stefan Marr, Hanspeter Mössenböck VMM, September 29, 2017 Johannes Kepler University Linz 

Inline Assembly in C Projects 2 uint64_t clock_cycles() { unsigned int tickl, tickh; asm("rdtsc":"=a"(tickl),"=d"(tickh)); return ((uint64_t)tickh << 32)|tickl; } 

Inline Assembly in C Projects 3 uint64_t clock_cycles() { unsigned int tickl, tickh; asm("rdtsc":"=a"(tickl),"=d"(tickh)); return ((uint64_t)tickh << 32)|tickl; } Instructions 

Inline Assembly in C Projects 4 uint64_t clock_cycles() { unsigned int tickl, tickh; asm("rdtsc":"=a"(tickl),"=d"(tickh)); return ((uint64_t)tickh << 32)|tickl; } Output operands 

Inline Assembly in C Projects 5 uint64_t clock_cycles() { unsigned int tickl, tickh; asm("rdtsc":"=a"(tickl),"=d"(tickh)); return ((uint64_t)tickh << 32)|tickl; } Output operand constraints 

Inline Assembly in C Projects 6 uint64_t clock_cycles() { unsigned int tickl, tickh; asm("rdtsc":"=a"(tickl),"=d"(tickh)); return ((uint64_t)tickh << 32)|tickl; } Input operands, side effects ,… 

uint64_t clock_cycles() { unsigned int tickl, tickh; asm("rdtsc":"=a"(tickl),"=d"(tickh)); return ((uint64_t)tickh << 32)|tickl; } Inline Assembly in C Projects 7 clock_cycles(): rdtsc shl rdx, 32 mov eax, eax or rax, rdx ret 

uint64_t clock_cycles() { unsigned int tickl, tickh; asm("rdtsc":"=a"(tickl),"=d"(tickh)); return ((uint64_t)tickh << 32)|tickl; } Inline Assembly in C Projects 7 What about C tools that cannot use an assembler to defer the work? clock_cycles(): rdtsc shl rdx, 32 mov eax, eax or rax, rdx ret 

Sulong 8 

Sulong 8 Ad-hoc approach to adding unsupported instructions 

Sulong 9 public abstract static class LLVMAMD64RdtscReadNode extends LLVMExpressionNode { public long executeRdtsc() { return System.currentTimeMillis(); } } 

Sulong 9 public abstract static class LLVMAMD64RdtscReadNode extends LLVMExpressionNode { public long executeRdtsc() { return System.currentTimeMillis(); } } Emulate the behavior of assembly 

Splint 10 Splint 3.1.2 --- 03 May 2009 test.c: (in function rdtsc) test.c:5:3: Unrecognized identifier: asm Identifier used in code has not been declared. (Use –unrecog to inhibit warning) test.c:5:15: Parse Error. (For help on parse errors, see splint -help parseerrors.) *** Cannot continue. 

Splint 10 Splint 3.1.2 --- 03 May 2009 test.c: (in function rdtsc) test.c:5:3: Unrecognized identifier: asm Identifier used in code has not been declared. (Use –unrecog to inhibit warning) test.c:5:15: Parse Error. (For help on parse errors, see splint -help parseerrors.) *** Cannot continue. Many analysis tools ignore inline assembly 

c2go 11 c2go transpile test.c panic: unknown node type: 'GCCAsmStmt 0x3a991f8 'goroutine 1 [running]:github_com_elliotchance_c2go_ast.Parse go/src/github.com/elliotchance/c2go/ast/ast.go:211main.convertLinesToNodes go/src/github.com/elliotchance/c2go/main.go:81main.Start go/src/github.com/elliotchance/c2go/main.go:219main.runCommand go/src/github.com/elliotchance/c2go/main.go:350main.main go/src/github.com/elliotchance/c2go/main.go:277goroutine 6 [finalizer wait]: 

c2go 11 Many source-to-source translators ignore inline assembly c2go transpile test.c panic: unknown node type: 'GCCAsmStmt 0x3a991f8 'goroutine 1 [running]:github_com_elliotchance_c2go_ast.Parse go/src/github.com/elliotchance/c2go/ast/ast.go:211main.convertLinesToNodes go/src/github.com/elliotchance/c2go/main.go:81main.Start go/src/github.com/elliotchance/c2go/main.go:219main.runCommand go/src/github.com/elliotchance/c2go/main.go:350main.main go/src/github.com/elliotchance/c2go/main.go:277goroutine 6 [finalizer wait]: 

Current assumptions 12 “Inline assembly is rare in most programs” (Johnson 2014) “[…] programmers could provide C implementations of inline assembly blocks” (Johnson 2014) 

Current assumptions 13 “…” [Other papers] 

Open questions • How frequent is inline assembly? • How “complex” is the usage of inline assembly? • Which domains use inline assembly? • How diverse is the usage of inline assembly? 14 

Open questions • How frequent is inline assembly? • How “complex” is the usage of inline assembly? • Which domains use inline assembly? • How diverse is the usage of inline assembly? 14 Survey of inline assembly in C projects 

Approach • grep-based analysis of Github projects (excluding OS-level projects) • Most popular* 327 C projects • 937 C projects by keywords • Quantitative analysis  database for AMD64 instructions • Qualitative analysis 15 *C projects >= 850 Github stars 

How frequent is inline assembly? • ∼28% of the most popular C projects • ∼11% of the other C projects 16 

How frequent is inline assembly? • ∼28% of the most popular C projects • ∼11% of the other C projects 16 Sulong and other tools that process C cannot ignore inline assembly! 

How “complex” is its usage? 17 36 projects (18%) with inline assembly used complicated macro-metaprogramming  ignored 

How “complex” is its usage? 18 The majority of inline assembly fragments contain one or two instructions 

How “complex” is its usage? 18 The majority of inline assembly fragments contain one or two instructions 1 instruction 

How “complex” is its usage? 18 The majority of inline assembly fragments contain one or two instructions 2 instructions 

How “complex” is its usage? 19 The majority of projects with inline assembly contain only a few fragments 

How “complex” is its usage? 19 The majority of projects with inline assembly contain only a few fragments 10 fragments 

How “complex” is its usage? 20 rep nop 

How “complex” is its usage? 20 rep nop 0xF3 0x90 pause 

How “complex” is its usage? 20 rep nop 0xF3 0x90 pause Programmers sometimes have to work around old assemblers 

How “complex” is its usage? 21 .byte 0x66; clflush %0 

How “complex” is its usage? 21 .byte 0x66; clflush %0 0x0FAE clflushopt 

Which domains use inline assembly? Domain # projects % projects Crypto 32 11.7% Networking 20 10.2% Media 17 8.6% Database 16 8.1% Language implementation 15 7.6% Misc 14 6.6% Concurrency 9 4.6% SSL 8 4.1% Text processing 8 4.1% Math library 7 3.6% Web server 7 3.6% 22 The domains of inline assembly are diverse 

How diverse is the usage of inline assembly? • ∼190 unique inline assembly fragments • ∼170 unique instructions • Implement 46 instructions  support 76% of projects 23 

How diverse is the usage of inline assembly? • ∼190 unique inline assembly fragments • ∼170 unique instructions • Implement 46 instructions  support 76% of projects 23 Only a small subset of the ∼1000 AMD64 instructions (Heule 2016) is needed 

How diverse is the usage of inline assembly? Instructions Contained in % projects (with inline assembly) rdtsc 26.9% cpuid 24.9% mov 23.9% 21.3% lock xchg 14.2% … … 24 

How diverse is the usage of inline assembly? • Instruction ordering and SMP programming 25 Compiler barriers Memory barriers Atomics … 

How diverse is the usage of inline assembly? • Instruction ordering and SMP programming • Performance optimizations 26 SIMD Endianness conversions Bitscans … 

How diverse is the usage of inline assembly? • Instruction ordering and SMP programming • Performance optimizations • Functionality unavailable in C 27 Elapsed clock cycles CPU features Data prefetching … 

How diverse is the usage of inline assembly? • Instruction ordering and SMP programming • Performance optimizations • Functionality unavailable in C • “Supporting” instructions (moves etc.) 28 

Selected Threat to Validity 29 #ifdef SOME_CONDITION // use inline assembly implementations #else // use other implementation #endif Instructions are not necessarily included in the binary 

Conclusions • We cannot ignore inline assembly • Majority of projects use few and short inline assembly fragments • <200 different instructions • But: • Projects that provide different SIMD implementations • Non-mnemonic instructions 30 

Thanks for listening! 31 https://github.com/graalvm/sulong/ @RiggerManuel 

Bibliography • Stefan Heule, Eric Schkufza, Rahul Sharma, and Alex Aiken. 2016. Stratified synthesis: automatically learning the x86-64 instruction set. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI '16). • Rob Johnson and David Wagner. 2004. Finding user/kernel pointer bugs with type inference. In Proceedings of the 13th conference on USENIX Security Symposium - Volume 13 (SSYM'04), Vol. 13. USENIX Association, Berkeley, CA, USA, 9-9. 32 

Images • Page 13: Faras Saint Anne, Public Domain, https://en.wikipedia.org/wiki/File:Faras_Saint_Anne_(detail).jpg • Page 15: Cessna 172 Airplane: Nick Dean, Frze, Creative Commons Attribution-Share Alike 3.0 Unported license, https://commons.wikimedia.org/wiki/File:WRM_Airplane_-_Flugzeug_Cessna_172_m.jpg • Page 15: Under construction, Public Domain, https://commons.wikimedia.org/wiki/Category:Under_construction_icons#/media/File:UnderCon_icon_b lack.svg • Page 18: Stein der fünften Sonne, sog. Aztekenkalender: Anagoria, GNU Free Documentation License, https://commons.wikimedia.org/wiki/File:1479_Stein_der_f%C3%BCnften_Sonne,_sog._Aztekenkalend er,_Ollin_Tonatiuh_anagoria.JPG 33