tag:blogger.com,1999:blog-2744072865491516720.post6622636443961196058..comments2023-05-03T06:35:33.259-04:00Comments on Higher Logics: CIL Verification and SafetySandro Magihttp://www.blogger.com/profile/05446177882449578817noreply@blogger.comBlogger5125tag:blogger.com,1999:blog-2744072865491516720.post-61765747702593473742012-02-03T16:30:57.363-05:002012-02-03T16:30:57.363-05:00I agree, not only would a jmp be useful for exotic...I agree, not only would a jmp be useful for exotic dispatch, but often (in performance-sensitive code) I write two versions of a method, a "public" version that verifies the arguments and a "protected" one that assumes the arguments are valid:<br /><br />void RemoveAt(int i)<br />{ /* verify the index and call RemoveAtCore */ }<br />void RemoveAtCore(int i)<br /><br />This allows code inside the class to bypass the index check if the caller knows it's safe. A tail call helps, but a jmp might be more efficient since you know the JIT won't duplicate the argument(s).<br /><br />It is irritating also that tail calls cannot be guaranteed to work, so self-recursive functions can cause stack overflow in cases where the equivalent code in Haskell couldn't.<br /><br />Anyway, surely the verifier should at least allow jmp in cases where there are no "ref" args (given that it would be so little work to implement.)Qwertiehttps://www.blogger.com/profile/04595705428290721343noreply@blogger.comtag:blogger.com,1999:blog-2744072865491516720.post-48895089704875871542010-05-17T22:48:51.685-04:002010-05-17T22:48:51.685-04:00Right, passing a byref argument to a local should ...Right, passing a byref argument to a local should be prevented. It's pretty trivial to do this conservatively, ie. detect when there's both a jmp and an starg of a local address in the same function.<br /><br />A control-flow analysis to detect whether the starg and the jmp are ever on the same execution path is just a nice refinement.Sandro Magihttps://www.blogger.com/profile/05446177882449578817noreply@blogger.comtag:blogger.com,1999:blog-2744072865491516720.post-22733152580315224492010-05-17T22:28:01.915-04:002010-05-17T22:28:01.915-04:00A managed pointer is 335 parlance for a byref argu...A managed pointer is 335 parlance for a byref argument/local.<br /><br />Tail calls/jmp to methods with such kind of parameters are not verifiable without complex dataflow analysis or significant restrictions.<br /><br />I did use a very bad wording for 'conditional execution' of tail calls. I meant that a CLI implementation is not required to obey a tail prefix, while it must for jmp.Rodrigo Kumperahttps://www.blogger.com/profile/07856199840612069281noreply@blogger.comtag:blogger.com,1999:blog-2744072865491516720.post-6991852381790064732010-05-17T22:16:24.022-04:002010-05-17T22:16:24.022-04:00I don't think I understand your objection. Wha...I don't think I understand your objection. What do you consider a "managed pointer"?<br /><br />If you just meant an ordinary reference, then I disagree that this is unsafe.<br /><br />If you meant an actual unsafe pointer, well we're already handling unsafe types so verification isn't an issue.<br /><br />I agree that general tail calls are better, but MS is kind of stubborn that tail calls remain inefficient. JMP just seemed like a sort of middle ground that might be useful in lieu of tail calls for some scenarios.<br /><br />Finally, I disagree that it doesn't allow for conditional execution. All that's required is that the evaluation stack is empty and you're not in a protected block. This should be more or less valid:<br />IL_001: ldnull<br />IL_002: brtrue IL_004<br />IL_003: jmp void Target1(void)<br />IL_004: jmp void Target2(void)Sandro Magihttps://www.blogger.com/profile/05446177882449578817noreply@blogger.comtag:blogger.com,1999:blog-2744072865491516720.post-53292315302904693272010-05-17T21:54:22.782-04:002010-05-17T21:54:22.782-04:00You forgot to mention an additional restriction re...You forgot to mention an additional restriction required to make jmp verifiable. No managed pointers must be passed as arguments.<br /><br />It would otherwise require much more sophisticated verification rules.<br /><br />Besides possible historical artifacts and mistakes, one issue is that some implementation specific constraints could make it impossible to implement jmp. And unlike the tail prefix, it doesn't allow for conditional execution.<br /><br />Honestly, I never got it, the need for jmp. A tail call can do the exect same thing and be JIT'd to the same code sequence.Rodrigo Kumperahttps://www.blogger.com/profile/07856199840612069281noreply@blogger.com