Re: [Tinycc-devel] enforced immutability - proposed research project

[Michael Matz]

Hello,

On Mon, 18 Jan 2021, Barath Aron via Tinycc-devel wrote:

> Hello,
>
> On Mon, 18 Jan 2021 12:32:29 +0100 Bruno Haible <bruno@clisp.org> wrote:
> >         ((struct data *) p)->x = 9; // Violation of immutability,
> > crashes ...
>
> If you do not allow such cast, you don't have to do anything at runtime.

Depends what happens with the original wp in Brunos example.  To remind, 
the context was:

  wp = malloc(); wp->foo = ...;
  p = freeze(wp);

Now, if you only disallow to cast away immutability, then you still would 
be able to write to the object via *wp.  So, you either need to do 
something at runtime, or encode the fact that wp becomes invalid after 
freezing it.  That might sound easy, but you also need to invalidate all 
_copies_ of wp:

  wp = malloc(); init(wp);
  p = freeze(wp);
  globalp->foo = ...;  // should be disallowed

where init(wp) is something like:

   struct S *globalp;
   void init(struct S *x) { x->foo = 1; globalp = x; }

Doing things at runtime also isn't super-easy: you either waste full pages 
for each allocation, no matter how small (in order to write-protect them 
at freeze), or you need to copy contents around (to write-controlled 
areas) invalidating addresses already pointing to it, or you need to do 
checked-writes for each memory write.  The latter is basically what 
current bounds-checking in tcc already does, just with even more meta-data.

I think the latter would actually be the quickest route to success here: 
reuse the bounds-checking code.  You just need a way to register read-only 
regions (which is what freezing does), and then check that list of regions 
at each write.


Ciao,
Michael.

> Also, freestanding mode would work that way too.
> But for that, you need a more complex type system.
>
> Aron
>
> _______________________________________________
> Tinycc-devel mailing list
> Tinycc-devel@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/tinycc-devel