Mill Computing, Inc. Forums: ensuring bounds of arrays


  • jobol
    Post count: 5

    Hi, many times that discussion came on the table and I would like to put it here again under the spotlight. It would be great to have array bounds checked by the hardware. I saw the presentation on security and how a caller can ‘pass’ a temporary memory controlled segment (I don’t find here the exact terms or description, please imagine what lacks).

    I’m writing a compiler and studying a kernel for implementing security by software (here again looking for performance). The concepts for the Mill are really good and ‘turfs’ are also great. But what would be really great is to have arrays with bounds checked by the hardware.

    This kind of request isn’t new and has been debated many times. So the question is just: do you intend to provide it?

  • Will_Edwards
    Post count: 98

    We plan to have hardware-checked “bounded” pointers, yes 🙂

    Bounded pointers are pointers with special flags in them so the hardware knows to extract bounds as well as offset from the pointer and enforce them.

    However, as these bounded pointers are still 64-bit, and as the address space is 64-bit, it’s not possible to encode every combination of bounds and offset into so few bits. Bounded pointers compromise precision for truly humongous arrays.

    (Here is a link to an old post on the Mill bounded pointers in comp.arch. The Mill mechanism has been refined somewhat since that post, but it gives the gist.)

    On the Mill, which is wider-issue than other architectures, there are likely enough free slots so a compiler can also pipeline exact bounds checks that will likely have no performance penalty in the common case.

  • jobol
    Post count: 5

    The compromise is good, good enough for me…

    Thanks for the link

  • PeterH
    Post count: 35

    Looks like bounded pointers would frequently miss the relatively common array access one past the end. But it would seem likely to trigger if someone attempted to exploit a bug similar to Heartbleed, especially if they got greedy trying to grab a larger amount of data.

    • Ivan Godard
      Post count: 473

      Any bounding scheme would have to support the language standards, which explicitly permit one-past-the-end addresses, though not actual access at that address.
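The precision trade-off Will_Edwards describes and the one-past-the-end rule in Ivan Godard's reply, modelled in software as an added example (not the Mill's actual encoding, which this thread does not give): the field layout, the 31-granule limit and the allocator alignment rule are all assumptions of this toy scheme.

```c
/* Toy model of a 64-bit hardware-checked "bounded pointer" (added example,
 * not the Mill's real encoding). Layout, all hypothetical:
 *   bits  0..47  address
 *   bits 48..53  E : granule exponent, granule G = 1 << E
 *   bits 54..58  L : object length in granules (1..31)
 *   bits 59..63  D : granules from the object base to the address's granule
 * base = (addr rounded down to G) - D*G, limit = base + L*G; the allocator
 * must place each object on a G-aligned base. Larger objects force a larger
 * G, so the checked limit is rounded up: that is the precision trade-off. */
#include <stdint.h>
#include <stdbool.h>

#define ADDR_MASK ((1ULL << 48) - 1)
#define MAX_GRANULES 31ULL
typedef uint64_t bptr;                   /* 0 means "trap: not representable" */

static uint64_t granule_of(bptr p) { return 1ULL << ((p >> 48) & 0x3f); }
static uint64_t addr_of(bptr p)    { return p & ADDR_MASK; }
uint64_t base_of(bptr p) {
    uint64_t g = granule_of(p);
    return (addr_of(p) & ~(g - 1)) - ((p >> 59) & 0x1f) * g;
}
uint64_t limit_of(bptr p) { return base_of(p) + ((p >> 54) & 0x1f) * granule_of(p); }

/* Choose the smallest granule that fits the object in MAX_GRANULES granules. */
bptr bptr_make(uint64_t base, uint64_t size) {
    if (size == 0 || size > ADDR_MASK) return 0;
    unsigned e = 0;
    while (((size + (1ULL << e) - 1) >> e) > MAX_GRANULES) e++;
    uint64_t g = 1ULL << e, l = (size + g - 1) >> e;
    if (base & (g - 1)) return 0;        /* allocator alignment contract violated */
    return (base & ADDR_MASK) | ((uint64_t)e << 48) | (l << 54);   /* D = 0 */
}

/* Pointer arithmetic carries the bounds along; the result may point one past
 * the end (or further, while D still fits), but never below the base. */
bptr bptr_add(bptr p, int64_t delta) {
    uint64_t base = base_of(p), g = granule_of(p);
    uint64_t a = addr_of(p) + (uint64_t)delta;
    if (p == 0 || a < base || a > ADDR_MASK) return 0;
    uint64_t d = ((a & ~(g - 1)) - base) / g;
    if (d > MAX_GRANULES) return 0;
    return (p & ~(ADDR_MASK | (0x1fULL << 59))) | a | (d << 59);
}

/* The check the hardware would run on every load/store of `width` bytes. */
bool bptr_access_ok(bptr p, uint64_t width) {
    if (p == 0 || width == 0) return false;
    uint64_t a = addr_of(p);
    return a >= base_of(p) && a + width <= limit_of(p);
}
```

A 100-byte object gets a 4-byte granule and an exact limit, so the one-past-the-end pointer is formable but any access through it traps; a 1000-byte object gets a 64-byte granule and a 1024-byte limit, so an 8-byte overrun at offset 1000 slips through while a 64 KiB over-read is still caught.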
