Metacircular Virtual Machine Layering for Run-Time Instrumentation. Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.

Size: px

Start display at page:

Download "Metacircular Virtual Machine Layering for Run-Time Instrumentation. Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie."

Garey Joseph Campbell
6 years ago
Views:

1 Metacircular Virtual Machine Layering for Run-Time Instrumentation Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.com 1

2 Motivation 2 2

3 Context Program comprehension Benchmark generation Hybrid analysis design Security invariant monitoring Run-Time optimization design 3 3

4 Run-Time Instrumentation Object model operations Function calls Scope chain Control-flow

5 Direct Instrumentation of Virtual Machine + Guaranteed compliance + Integrated in a browser + Straightforward on a simple interpreter - Needs maintenance - Tied to a single browser - Becoming more complex 5 5

6 Research Problem 6 6

7 Research Problem How can we reify opaque aspects of JavaScript for high-level run-time instrumentation at a minimal cost in performance? 7 7

8 Approach 8 8

9 Metacircular Virtual Machine Layering + Differential implementation + Independent from Host VM implementation - Run-time cost JavaScript program Metacircular JS VM Host JS VM 9 9

10 Application 10 10

11 Program Comprehension What is the contribution of application data structures to its overall memory footprint? Where are these objects created with regard to the source code? What is the contribution of every function to the overall object creation? What is the abstract shape of those object in memory? 11 11

12 Run-Time Instrumentation Object model operations Function calls Scope chain Control-flow

13 Design Goals Sandboxing of application runtime environment Dynamically redefinable instrumentation, for activation and deactivation at run-time Specialization of reified operations, instrumented or not, at their call-site 13 13

14 Design Application Full JavaScript Support Source-to-Source JIT Compiler Function Calls, Object Ops Dynamically Redefinable Function Calls and Object Ops Message Sending Object Ops, Function Calls Litteral Object Creation Object Ops Instrumentation Instrumented Object Ops and Function Calls Control-flow, Primitives, etc. Control-flow, Primitives, etc. Caching and Specialization Fast Global Function Calls Object Representation Specialization Inline Caching and Specialization of Method Calls Containers Native Objects High-Performance Virtual Machine with a JIT Compiler Data Structures Native Objects 14 14

15 Reifying Object Model Operations var o = {}; var o = send(root.object, new ); o.p = 42; send(o, set, p, 42); o.p; send(o, get, p ); delete o.p; send(o, delete, p ); new F(); send(f, ctor ); 15 15

16 Counting the Number of Property Accesses var getcounter = 0; send(root.object, set, get, function (name) { getcounter++; return this.get(name); } ); 16 16

17 Reifying Function Calls function (g) {g();}; h.call(); function (g) { send(g, call ); }; send(h, call ); f(); send(global, f ); o.p(); send(o, p ); 17 17

18 Semantics of Message Sending function send(obj, msg,..args) { var method = obj.get(msg); return method.call(obj,..args); } 18 18

19 Semantics of Message Sending function send(obj, msg,..args) { var method = obj.get(msg); var callfn = method.get( call ); return callfn.call(method, obj,..args); } 19 19

20 Intercepting Function Calls function beforecall() {...} send(root.function, set, call, function (obj,..args) { beforecall(this, obj,..args); return this.call(obj,..args); } ); 20 20

21 Optimization 21 21

22 Object Representation Encapsulate invariants of the implementation Provide fast object creation, accesses and updates Allow transparent per-object information collection 22 22

23 Basic Object Representation Object.prototype parent's proxy parent object's proxy object Legend prototype proxied object 23 23

24 Special Object Representation Object.prototype object's proxy object Array.prototype array's proxy array Legend prototype proxied object 24 24

25 Object Representation Operations var o = {}; root.object.create(); o.p = 42; o.set( p, 42); o.p; o.get( p ); delete o.p; o.delete( p ); 25 25

26 Call-Site Specialization of Arguments Nb function f(g) { return g(); } new FunctionProxy(function f(g) { return (g instanceof FunctionProxy)? g.proxiedobject.call($global) : error(g); }); 26 26

27 Call-Site Specialization of Arguments Nb function f(g) { return g(); } new FunctionProxy(function f($this,g) { return (g instanceof FunctionProxy)? g.proxiedobject($global) : error(g); }); 27 27

28 Call-Site Specialization of Arguments Nb function f(g) { return g(); } new FunctionProxy(function f($this,g) { return g.call($global); }); FunctionProxy.prototype.call = function (obj) { return this.proxiedobject.apply(obj, Array.prototype.slice.call(arguments, 1)); }; 28 28

29 Call-Site Specialization of Arguments Nb function f(g) { return g(); } new FunctionProxy(function f($this,g) { return g.callwith0arg($global); }); FunctionProxy.prototype.callWith0Arg = function (obj) { return this.proxiedobject(obj); }; function invfn() { throw Error( Invalid Function ); }; ObjectProxy.prototype.callWith0Arg = invfn; String.prototype.callWith0Arg = invfn;

30 Counting the Number of Property Accesses (revisited) var getcounter = 0; send(root.object, set, get, new FunctionProxy( function ($this, name) { getcounter++; return $this.get(name); } ) ); 30 30

31 Empirical Evaluation 31 31

32 Baseline Performance Table 5.1: Baseline performance on V8 benchmarks Benchmark Pn SM V8 V8/Pn SM/Pn Crypto DeltaBlue EarleyBoyer NavierStokes RayTrace RegExp Richards Splay V8 Score

33 Baseline Memory Usage 5.3: Baseline memory usage on V8 bench Benchmark Pn V8 Pn/V8 Crypto DeltaBlue EarleyBoyer NavierStokes RayTrace RegExp Richards Splay

34 Instrumented Performance Table 5.5: Instrumented performance on V8 benchmarks Benchmark Pn Pn-spl Pn-fast Pn/Pn-spl Pn/Pn-fast Crypto DeltaBlue EarleyBoyer NavierStokes RayTrace RegExp Richards Splay V8 Score

35 Conclusion 35 35

36 Conclusion Metacircular VM layering can be used to reify object model operations and function calls at a performance level 2x slower than a state-of-the-art interpreter Simple implementation (~1700 LOC runtime library excluding JS-to-JS translator) 36 36

37 Future Work Support DOM to integrate with a browser Apply approach to reify scope chain and control-flow for other applications Improve performance by exploiting dynamic recompilation to remove redundant checks Develop metacompilers to generate custom VMs for specific instrumentation tasks 37 37

In Praise of Metacircular Virtual Machine Layering. Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.com

In Praise of Metacircular Virtual Machine Layering Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.com Motivation 2 Context Program comprehension Benchmark generation Hybrid