[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Tinycc-devel] enforced immutability - proposed research project

From: Michael Matz
Subject: Re: [Tinycc-devel] enforced immutability - proposed research project
Date: Tue, 19 Jan 2021 16:17:58 +0100 (CET)
User-agent: Alpine 2.21 (LSU 202 2017-01-01)


On Mon, 18 Jan 2021, Bruno Haible wrote:

Michael Matz wrote:
... you also need to invalidate all _copies_ of wp:

   wp = malloc(); init(wp);
   p = freeze(wp);
   globalp->foo = ...;  // should be disallowed

where init(wp) is something like:

    struct S *globalp;
    void init(struct S *x) { x->foo = 1; globalp = x; }

This is a perfectly valid code, with no "bad" cast. I would say that
assigning to globalp->foo should be allowed.

I see, but see below for what this then means.

Many programs don't make copies of wp. The typical idiom is that the
function that allocates an object also fills it and selectively stores or
returns writable and read-only views to the object. Enforced immutability
should only verify that some code that received a read-only pointer does
not do a write access.

Okay, that's quite limited, and very easy to implement: disallow casting away immutability and you're done. But in this limited form you then can't infer anything useful from this, in particular you can't infer that the (immutably) pointed to object is unmodified when you allow mutable references to exist to it at the same time. Obviously I misunderstood your proposal, I thought you also wanted to defend against accidental (or malicious) modification of frozen objects.

Doing things at runtime also isn't super-easy: you either waste full pages for each allocation, no matter how small (in order to write-protect them at freeze), or you need to copy contents around (to write-controlled areas) invalidating addresses already pointing to it, or you need to do checked-writes for each memory write.

The cited implementation (immutable.h, immutable.c) does none of these.

Ahh, two shared mappings to the same thing. Okay, I retract my claim and say: cute idea! :) (sorry for not checking gnulib earlier)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]