Rafael Espíndola via llvm-dev
2016-Mar-22 11:27 UTC
[llvm-dev] Need help with code generation
> Maybe not, but it's not impossible either - browsers manage to harden themselves against malicious input and they operate in a far hostile environment with many more input formats than we do.It is important to note how different they are. Both Firefox and Chromium have people working just to try to make them more secure. Compare that with LLVM: One week ago I pointed out that your patch (r263521) introduces a crash. It still hasn't been reverted or even acknowledge yet.> I'm not trying to shift your personal goal, or to direct the features that you choose to put your time into, but I am interested in project policy.Why do you care about policy that is not followed? A policy saying llvm should not crash on any input is as relevant as one that says that clang should keep bootstrapping in under one second. So, if we stick to reality, what we have is that lld (ELF and COFF) are already the most reliable parts of the toolchain. If not for Rui and I being upfront about it most people would not even know that you could crash it. So please, just let us keep working on the most reliable part of the toolchain. Cheers, Rafael
Rafael,
I appreciate that your goals are to create a performant linker, quickly. I
understand that and wouldn't want to slow you down unnecessarily,
especially as I appreciate that I'm on the sidelines and not producing
patches for LLD at the moment.
I also appreciate that LLD/ELF development has certainly picked up pace
recently and we might actually have a functioning linker sometime soon.
That is very exciting, and thankyou for all your work.
My worry is that the technical debt accrued will have to be paid off by
someone at some point. At some point, someone will have to come along and
make LLD robust ("enough", for some definition), and the current
decision
will make that person's job much harder.
I'm not asking for horrendously defensive programming - hell, a simple
"FIXME" on every place where you deliberately dereference a
non-bounds-checked pointer would be sufficient! Re-discovering this sort of
thing is exponentially more difficult than taking a small amount of time
when originally writing the code.
Just an opinion.
Cheers,
James
On Tue, 22 Mar 2016 at 11:27 Rafael Espíndola <llvm-dev at lists.llvm.org>
wrote:
> > Maybe not, but it's not impossible either - browsers manage to
harden
> themselves against malicious input and they operate in a far hostile
> environment with many more input formats than we do.
>
> It is important to note how different they are. Both Firefox and
> Chromium have people working just to try to make them more secure.
> Compare that with LLVM: One week ago I pointed out that your patch
> (r263521) introduces a crash. It still hasn't been reverted or even
> acknowledge yet.
>
>
> > I'm not trying to shift your personal goal, or to direct the
features
> that you choose to put your time into, but I am interested in project
> policy.
>
> Why do you care about policy that is not followed? A policy saying
> llvm should not crash on any input is as relevant as one that says
> that clang should keep bootstrapping in under one second.
>
> So, if we stick to reality, what we have is that lld (ELF and COFF)
> are already the most reliable parts of the toolchain. If not for Rui
> and I being upfront about it most people would not even know that you
> could crash it. So please, just let us keep working on the most
> reliable part of the toolchain.
>
> Cheers,
> Rafael
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20160322/d6f08ed3/attachment.html>
Rafael Espíndola via llvm-dev
2016-Mar-22 12:16 UTC
[llvm-dev] Need help with code generation
On Mar 22, 2016 8:03 AM, "James Molloy" <james at jamesmolloy.co.uk> wrote:> > Rafael, > > I appreciate that your goals are to create a performant linker, quickly.I understand that and wouldn't want to slow you down unnecessarily, especially as I appreciate that I'm on the sidelines and not producing patches for LLD at the moment.> > I also appreciate that LLD/ELF development has certainly picked up pacerecently and we might actually have a functioning linker sometime soon. That is very exciting, and thankyou for all your work.> > My worry is that the technical debt accrued will have to be paid off bysomeone at some point. At some point, someone will have to come along and make LLD robust ("enough", for some definition), and the current decision will make that person's job much harder. Again: users *today* are less likely to see a crash in lld than llvm or clang and those are much larger code bases. Cheers, Rafael -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20160322/dbb4618a/attachment.html>
David Blaikie via llvm-dev
2016-Mar-22 15:18 UTC
[llvm-dev] Need help with code generation
On Tue, Mar 22, 2016 at 4:27 AM, Rafael Espíndola <llvm-dev at lists.llvm.org> wrote:> > Maybe not, but it's not impossible either - browsers manage to harden > themselves against malicious input and they operate in a far hostile > environment with many more input formats than we do. > > It is important to note how different they are. Both Firefox and > Chromium have people working just to try to make them more secure. > Compare that with LLVM: One week ago I pointed out that your patch > (r263521) introduces a crash. It still hasn't been reverted or even > acknowledge yet. > > > > I'm not trying to shift your personal goal, or to direct the features > that you choose to put your time into, but I am interested in project > policy. > > Why do you care about policy that is not followed? A policy saying > llvm should not crash on any input is as relevant as one that says > that clang should keep bootstrapping in under one second. >It's pretty different when you say, essentially, that patches to address these things are unlikely to be accepted. It doesn't seem surprising that people wouldn't try to provide those patches and would choose not to use the project if that's the expressed policy of the developers on the project and doesn't line up with the needs of other people.> > So, if we stick to reality, what we have is that lld (ELF and COFF) > are already the most reliable parts of the toolchain. If not for Rui > and I being upfront about it most people would not even know that you > could crash it. So please, just let us keep working on the most > reliable part of the toolchain. > > Cheers, > Rafael > _______________________________________________ > LLVM Developers mailing list > llvm-dev at lists.llvm.org > http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20160322/e39a2f10/attachment.html>
Hi Rafael, One week ago I pointed out that your patch (r263521) introduces a crash. It> still hasn't been reverted or even > acknowledge yet.My apologies - your reply slipped through my filters, but that should absolutely be fixed. I've responded to your mail and will have a fix for this shortly. - Lang. On Tue, Mar 22, 2016 at 4:27 AM, Rafael Espíndola < rafael.espindola at gmail.com> wrote:> > Maybe not, but it's not impossible either - browsers manage to harden > themselves against malicious input and they operate in a far hostile > environment with many more input formats than we do. > > It is important to note how different they are. Both Firefox and > Chromium have people working just to try to make them more secure. > Compare that with LLVM: One week ago I pointed out that your patch > (r263521) introduces a crash. It still hasn't been reverted or even > acknowledge yet. > > > > I'm not trying to shift your personal goal, or to direct the features > that you choose to put your time into, but I am interested in project > policy. > > Why do you care about policy that is not followed? A policy saying > llvm should not crash on any input is as relevant as one that says > that clang should keep bootstrapping in under one second. > > So, if we stick to reality, what we have is that lld (ELF and COFF) > are already the most reliable parts of the toolchain. If not for Rui > and I being upfront about it most people would not even know that you > could crash it. So please, just let us keep working on the most > reliable part of the toolchain. > > Cheers, > Rafael >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20160322/f1e6adbe/attachment.html>
Hi Rafael, Why do you care about policy that is not followed? A policy saying> llvm should not crash on any input is as relevant as one that says > that clang should keep bootstrapping in under one second.Policy is never adhered to perfectly. We don't follow coding conventions uniformly either, but that doesn't mean we shouldn't have them. The policy should be to that LLVM libraries are robust in the face of broken user input (or provide verifiers so that users can sanity-check inputs before passing them to the library). If that policy were made explicit, nobody would expect you or any other LLD developer to drop everything and work on security, but it'd be clear that if people contribute patches to make LLD more robust they should be accepted like any other patch. - Lang. On Tue, Mar 22, 2016 at 8:22 AM, Lang Hames <lhames at gmail.com> wrote:> Hi Rafael, > > One week ago I pointed out that your patch (r263521) introduces a crash. >> It still hasn't been reverted or even >> acknowledge yet. > > > My apologies - your reply slipped through my filters, but that should > absolutely be fixed. I've responded to your mail and will have a fix for > this shortly. > > - Lang. > > On Tue, Mar 22, 2016 at 4:27 AM, Rafael Espíndola < > rafael.espindola at gmail.com> wrote: > >> > Maybe not, but it's not impossible either - browsers manage to harden >> themselves against malicious input and they operate in a far hostile >> environment with many more input formats than we do. >> >> It is important to note how different they are. Both Firefox and >> Chromium have people working just to try to make them more secure. >> Compare that with LLVM: One week ago I pointed out that your patch >> (r263521) introduces a crash. It still hasn't been reverted or even >> acknowledge yet. >> >> >> > I'm not trying to shift your personal goal, or to direct the features >> that you choose to put your time into, but I am interested in project >> policy. >> >> Why do you care about policy that is not followed? A policy saying >> llvm should not crash on any input is as relevant as one that says >> that clang should keep bootstrapping in under one second. >> >> So, if we stick to reality, what we have is that lld (ELF and COFF) >> are already the most reliable parts of the toolchain. If not for Rui >> and I being upfront about it most people would not even know that you >> could crash it. So please, just let us keep working on the most >> reliable part of the toolchain. >> >> Cheers, >> Rafael >> > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20160322/1feddbd1/attachment.html>
----- Original Message -----> From: "David Blaikie via llvm-dev" <llvm-dev at lists.llvm.org> > To: "Rafael Espíndola" <rafael.espindola at gmail.com> > Cc: "llvm-dev" <llvm-dev at lists.llvm.org>, "Bruce Hoult" > <bruce at hoult.org> > Sent: Tuesday, March 22, 2016 10:18:03 AM > Subject: Re: [llvm-dev] Need help with code generation> On Tue, Mar 22, 2016 at 4:27 AM, Rafael Espíndola < > llvm-dev at lists.llvm.org > wrote:> > > Maybe not, but it's not impossible either - browsers manage to > > > harden themselves against malicious input and they operate in a > > > far hostile environment with many more input formats than we do. >> > It is important to note how different they are. Both Firefox and > > > Chromium have people working just to try to make them more secure. > > > Compare that with LLVM: One week ago I pointed out that your patch > > > (r263521) introduces a crash. It still hasn't been reverted or even > > > acknowledge yet. >> > > I'm not trying to shift your personal goal, or to direct the > > > features that you choose to put your time into, but I am > > > interested in project policy. >> > Why do you care about policy that is not followed? A policy saying > > > llvm should not crash on any input is as relevant as one that says > > > that clang should keep bootstrapping in under one second. >> It's pretty different when you say, essentially, that patches to > address these things are unlikely to be accepted. It doesn't seem > surprising that people wouldn't try to provide those patches and > would choose not to use the project if that's the expressed policy > of the developers on the project and doesn't line up with the needs > of other people.+1 -Hal> > So, if we stick to reality, what we have is that lld (ELF and COFF) > > > are already the most reliable parts of the toolchain. If not for > > Rui > > > and I being upfront about it most people would not even know that > > you > > > could crash it. So please, just let us keep working on the most > > > reliable part of the toolchain. >> > Cheers, > > > Rafael > > > _______________________________________________ > > > LLVM Developers mailing list > > > llvm-dev at lists.llvm.org > > > http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev >> _______________________________________________ > LLVM Developers mailing list > llvm-dev at lists.llvm.org > http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev-- Hal Finkel Assistant Computational Scientist Leadership Computing Facility Argonne National Laboratory -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20160322/80054e53/attachment.html>