How to stop symbol searching without aborting

Hi!

Today we use Lua to let 3rd party developers add driver-like modules to our application.

The advantages to using Lua compared to DLL:s etc. are that:

1) the same driver binary can be used on all OS:es and processor architectures etc.

2) We can provide a small API to the Lua drivers and they _cannot_ call any other external functions.

3) A buggy driver cannot crash our application. (Almost true statement.)

I'm looking into using LLVM and the bitcode format for this instead. The additional, very important advantages are:

4) 3rd parties can port existing (huge amounts of) C / C++ code much easier - no need to rewrite all code in Lua.

5) Performance. We will use the LLVM JIT.

Problem: I can't figure out how to do (2) with the LLVM JIT.

It is very important that the driver does not have access to any other function in the application except those I provide. It's not OK for our application to abort if a driver calls an undefined function - I want to just disable _that driver_ in that event.

I can use DisableSymbolSearching() but that causes application to abort for unknown symbols.

Please advise!

/Marcus

Marcus Zetterquist <marcus.zetterquist@gmail.com> writes:

> Today we use Lua to let 3rd party developers add driver-like modules
> to our application.
>
> The advantages to using Lua compared to DLL:s etc. are that:
>
> 1) the same driver binary can be used on all OS:es and processor
> architectures etc.

[snip]

> I'm looking into using LLVM and the bitcode format for this instead.
> The additional, very important advantages are:
>
> 4) 3rd parties can port existing (huge amounts of) C / C++ code much
> easier - no need to rewrite all code in Lua.

AFAIK, LLVM code is not platform-independent. A C compiler that targets
x86 will generate different LLVM bitcode than the same C compiler when
it targets x86_64, for instance.

> 5) Performance. We will use the LLVM JIT.
>
> Problem: I can't figure out how to do (2) with the LLVM JIT.
>
> It is very important that the driver does not have access to any other
> function in the application except those I provide. It's not OK for
> our application to abort if a driver calls an undefined function - I
> want to just disable _that driver_ in that event.
>
> I can use DisableSymbolSearching() but that causes application to
> abort for unknown symbols.

An LLVM program can call any address, valid or not. If the programmer
figures out the address of one of those "forbidden" functions, he can
call it. You may write some pass for detecting suspicious constructs and
reject them, but solving the problem the right way looks very hard or
impossible to me, mostly because you want to use LLVM code generated by
a C/C++ compiler.
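
Added example, not part of the thread and not code from LLVM or from any poster: a pre-load check in the spirit of the "pass for detecting suspicious constructs" mentioned above. It scans a driver's textual LLVM IR and returns a verdict, so the host can disable that one driver before the JIT ever meets an unknown symbol. The API names and both IR samples are constructed assumptions, and the checks are heuristics, not a sandbox.

```python
import re

# Hypothetical host API exposed to drivers; these names are assumptions.
ALLOWED_API = {"host_log", "host_read_reg", "host_write_reg"}

NAME = r'("[^"]+"|[\w.$-]+)'
# Function declarations without a body: the JIT must resolve these externally.
DECLARE_RE = re.compile(r'^\s*declare\b[^@\n]*@' + NAME + r'\s*\(', re.M)
# External global variables also need outside resolution.
EXTERN_GLOBAL_RE = re.compile(
    r'^\s*@' + NAME + r'\s*=\s*(?:external|extern_weak)\b', re.M)
# Heuristic: call/invoke whose callee is a local value (%x), not a global (@f).
INDIRECT_CALL_RE = re.compile(r'\b(?:call|invoke)\b[^\n@]*?\s%[\w.$-]+\s*\(')

def vet_driver(ir_text, allowed=ALLOWED_API):
    """Return (ok, reasons). ok=False means: disable this driver, do not JIT it."""
    reasons = []
    names = DECLARE_RE.findall(ir_text) + EXTERN_GLOBAL_RE.findall(ir_text)
    for name in names:
        name = name.strip('"')
        if name not in allowed:  # intrinsics are rejected too unless allow-listed
            reasons.append(f"unresolved external symbol: {name}")
    if INDIRECT_CALL_RE.search(ir_text):
        reasons.append("indirect call through a pointer")
    if "inttoptr" in ir_text:  # conservative: any occurrence rejects the module
        reasons.append("integer-to-pointer cast")
    return (not reasons, reasons)

# Constructed sample: only calls the host API.
GOOD_IR = """
declare void @host_log(i8*)
define i32 @driver_init() {
  call void @host_log(i8* null)
  ret i32 0
}
"""

# Constructed sample: undeclared-to-host symbol plus a call to a raw address.
BAD_IR = """
declare i32 @system(i8*)
define i32 @driver_init() {
  %fp = inttoptr i64 4198400 to void ()*
  call void %fp()
  ret i32 0
}
"""

if __name__ == "__main__":
    for label, ir in (("good", GOOD_IR), ("bad", BAD_IR)):
        print(label, vet_driver(ir))
```

A driver that passes can still compute a forbidden address in ways these patterns do not catch, which is the limitation the reply above describes.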

> An LLVM program can call any address, valid or not. If the programmer
> figures out the address of one of those "forbidden" functions, he can
> call it. You may write some pass for detecting suspicious constructs and
> reject them, but solving the problem the right way looks very hard or
> impossible to me, mostly because you want to use LLVM code generated by
> a C/C++ compiler.

You may want to take a look at
http://nativeclient.googlecode.com/svn/trunk/nacl/googleclient/native_client/documentation/nacl_paper.pdf
The paper looks promising. I didn't try their implementation
http://code.google.com/p/nativeclient/ . The license is new BSD.
While it is currently developed for the web, it could be useful for any application which does not trust its plugins.

regards,

Cédric

Have you tried llvm-lua? It adds JIT & static compiling support to the Lua VM
using LLVM as the backend. I just released version 1.0 about a week ago.

The project website is here:

Hi Robert-

I notice that llvm-lua requires LLVM 2.4 rather than anything recent - are there any plans to upgrade?

Alastair

Sorry, I forgot to update the project's home page.
Version 1.0 will work with LLVM 2.5 and should still work with 2.4 (I haven't
tested against 2.4 recently so it might not work any more). Also there is a
branch "llvm-svn" that works with the SVN copy of LLVM as of a few days ago.