is the JIT memory-safe?
Can you clarify what you mean? Memory-safe with respect to what API or action?
In general, you can JIT-compile code that loads or stores to any memory address, so if you invoke that code, the answer is necessarily "no". However the invocation itself is unsafe; if you consider the compiler itself as some abstract function from IR to machine-code bytes, that API is fully safe; it's "just" a computation.
so why not maintain memory safety all the way from the frontend down to the assembler. in particular, applying optimizations while maintaining memory safety.
(like yeah you can't maintain memory safety in the machine code layer, but you should be able to in every other layer above that including the assembler)
(tho, using this definition of memory safety, we can say that there are no memory-safe programming languages today)
I'm not really sure what you mean. I've worked on formal verification of Cranelift; are you talking about translation validation? Are you talking about memory safety of the compilation process itself? It would be useful to understand what you are thinking when you say "memory safety"; it's not just a buzzword, it is a nuanced term that can mean different things in different contexts.
well, ultimately memory safety comes from typing and constraint checking. so, we should maintain full typing all the way from the frontend down to the assembler. no compiler we know of does this today.
ofc, it may be necessary to peel layers off types while dealing with some of those lower-level constructs, but the relevant passes, the assembler, etc should still be able to constraint check the entire thing.
OK, you're talking about type-preserving compilation. Yes, that'd be really neat. As I'm sure you're aware, it's a research challenge, especially if you want a formal proof (even in a translation-validation sense, i.e., a witness object for one compilation as opposed to a forall-proof ahead of time) of the correspondence.
You'd also probably want something like dependent typing, or at least refinement typing, to encode invariants that JIT producers routinely make use of -- once you lock the hatches and say everything must be typesafe, you need a way to put all the system invariants in the types
I'd welcome you to study this, produce a set of solutions, and write the three PhD theses that would result from all of the ideas necessary to make it practical :-)
peeling the type layers is usually done with unsafe
in rust, where you translate (e.g. transmute) one set of types into a different set of types, each enforcing the constraints in different ways (this is often done with e.g. lifetimes)
but yes we understand that's an escape hatch
Last updated: Dec 23 2024 at 12:05 UTC