You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: chap-rationale.tex
+15-12Lines changed: 15 additions & 12 deletions
Original file line number
Diff line number
Diff line change
@@ -1,4 +1,4 @@
1
-
\chapter{Detailed Design Rationale}
1
+
vvggg\chapter{Detailed Design Rationale}
2
2
\label{chap:rationale}
3
3
4
4
During the design of CHERI that began in 2010, we considered many
@@ -184,7 +184,7 @@ \section{The Compiler is Not Part of the TCB for Isolated Code}
184
184
goal of CHERI that it be able to run legacy code written in C.
185
185
186
186
Some earlier capability machines, such as the Burroughs B5000, made the compiler
187
-
a privileged program. We have followed the approach taken in capability machines
187
+
a privileged program. We have followed the altenative approach taken in capability machines
188
188
such as CAP, in which the compiler was not privileged.
189
189
190
190
\mrnote{We could expand on this, perhaps in the high-assurance section. We do depend
@@ -199,15 +199,15 @@ \section{The Compiler is Not Part of the TCB for Isolated Code}
199
199
\section{Base and Length Versus Lower and Upper Bounds}
200
200
201
201
The CHERI architecture permits two different interpretations of capabilities:
202
-
as a virtual address paired with lower and upper bounds; and as a base,
202
+
as a virtual address paired with lower and upper bounds, and as a base,
203
203
length, and current offset.
204
204
These different interpretations support differing C-language models for
205
205
pointers.
206
-
The former, in which pointercasts to integers return their virtual addresses, is more compatible with current software, but risks leaking those virtual
206
+
The former, in which pointer-casts to integers return their virtual addresses, is more compatible with current software, but risks leaking those virtual
207
207
addresses (or their implications) out of tagged values where they cannot be
208
208
found for the purposes of pointer-transformation techniques such as copying
209
209
garbage collection.
210
-
The latter, in which pointercasts to integers return their offsets, is less
210
+
The latter, in which pointer-casts to integers return their offsets, is less
211
211
compatible (as comparisons between pointers into different buffers may give
212
212
surprising equality results), but avoids leakage of virtual address out of
213
213
tagged values, enabling techniques such as copying garbage collection.
@@ -221,28 +221,31 @@ \section{Base and Length Versus Lower and Upper Bounds}
221
221
For example, run-time linkers and memory allocators both naturally consider
222
222
integer virtual addresses as part of their operation.
223
223
More subtly, techniques such as ordering locks for objects based on object
224
-
address, or sorting trees based on object address, makes copying garbage
224
+
address, or sorting trees based on object address, make copying garbage
225
225
collection a difficult prospect.
226
+
\pgnnote{copying???}
226
227
Compressed capabilities further complicate this story, as a precise lower
227
228
bound may not be possible without padding; this is easy to arrange within
228
229
memory allocators for new allocations, but when subsetting an existing
229
230
allocation (e.g., to describe the bounds of an array embedded within another
230
231
structure), the 0 offset from the bottom of the embedded structure may not
231
232
carry over to being a 0 offset relative to the base address of a capability.
232
233
233
-
In recent versions of the CHERI C compiler, we have shifted to preferring a
234
-
virtual-address interpretation of pointers in all cases except those where
235
-
specific built-in functions are used to query the offset.
236
-
We retain an optional compiler mode utilizing an offset interpretation, which
237
-
will be suitable for future experimentation with copying garbage collection.
234
+
In recent versions of the CHERI C compiler (with the CHERI-LLVM
235
+
back-end), we have shifted to preferring a virtual-address
236
+
interpretation of pointers in all cases except those where specific
237
+
built-in functions are used to query the offset. We retain an
238
+
optional compiler mode utilizing an offset interpretation, which will
239
+
be suitable for future experimentation with copying garbage
240
+
collection.
238
241
239
242
\section{Signed and Unsigned Offsets}
240
243
241
244
In the CHERI instructions that take both a register offset and an immediate
242
245
offset, the register offset is treated as unsigned integer, whereas the
243
246
immediate offset is treated as a signed integer.
244
247
245
-
Register offsets are treated as unsigned so that given a capability to
248
+
Register offsets are treated as unsigned, so that given a capability to
246
249
the entire address space (except for the very last byte, as
247
250
explained above), a register offset can be used to access any byte within it.
248
251
Signed register offsets would have the disadvantage that negative offsets
0 commit comments