1
Distributed Virtual Machines for Scientific Programming
Distributed programming has been recognized as a sub discipline of computer science for almost half a century, although it has not evolved into an essential computing technology until the last decade. During the long history, distributed programs have traditionally required support that the operating system (OS) did not provide – at least not directly. This stimulated research and development in software that would extend the behavior of the OS, yet not be a part of the OS. Traditionally such extensions have been libraries of new functions such as buffered I/O routines, graphics functions, and so on. Runtime libraries (also called runtime systems) are built to support the execution of programs in a specific language, for example the C runtime library implements a set of functions on which the language depends for correct operation. Virtual machines are a step in abstraction over traditional libraries and runtime systems, even though they are generally implemented with libraries. A virtual machine is a software abstraction of an underlying machine that defines an application program’s runtime environment. Intuitively, a virtual machine is distinguished from a runtime system in that the virtual machine middleware can be moved from one platform to another, providing the same application programming interface (API) to the application programs. Even with this informal definition, there are other virtual machines that capture the spirit of the definition, but which allow some aspects of the platform to be visible at the API: For example, there is little disagreement that an OS is a virtual machine that provides abstractions for the CPU, memory and devices; however it does not abstract away the user mode instruction set. In this example, the program uses system calls (trap instructions) to invoke OS virtual machine instructions, and user mode instructions for all other operations. It is also possible to build a virtual machine abstraction on top of the OS, sometime completely obscuring the OS. The Smalltalk virtual machine is an early example of such a complete virtual machine [Goldberg and Robson, 1983]. Smalltalk-80 incorporated a compiler and a byte code interpreter for the compiler output, allowing the system to execute Smalltalk programs that were essentially independent of the underlying OS and hardware. Our goal is to focus on contemporary distributed virtual machines (DVMs) that support general purpose program execution in a distributed systems environment. A DVM provides an abstraction of a network of underlying platforms rather than just a single platform. This technology evolved from early work to support high performance computing and communication (HPCC1), primarily concentrating on scientific programming problems. Java (deployed in 1995) was created to support a broader application domain than HPCC, including programs to manage information on the public Internet. In order to understand why contemporary DVMs are designed as they are, we will first review the evolution of DVMs in the high performance computing arena in the remainder of this chapter. We will then focus on the kinds of technology used in Java in Chapter 2. The remainder of the book will then discuss the details of the ECMA-335 Common Language Infrastructure (CLI) DVM. In 1956 Gerald Estrin joined the Computer Science Department at UCLA, and launched a research program focused on “… computer architectures, parallel processing models of computation, computer instrumentation, and computer networks.” (from “Reflections on the History of Computer Engineering & Computer Science at UCLA,” at www.cs.ucla.edu/csd/overview/history.html2). Estrin and his students, along with other research groups around the world, began to look seriously at how to understand parallel and distributed programming, and how to build systems that would best support this form of computation. Parallel and distributed programming continued as a rather specialized research area until the 1980s. Three major events caused the technology to emerge as a mainstream part of computer science at that time: • Microcomputer technology blossomed as a technology suitable for numeric computing. 1
The HPCC abbreviation comes from an NSF initiative of the 1990s. The initiative was intended to stimulate advancement in high performance scientific computing technology. 2 I have thought long and hard about including URIs to web sites in this book. Web sites come and go, leaving URI links dangling. I have decided that much of the reference information in this book is to information that is so new that it is only available on the web. However, please consider each URI that appears in the book to be no better than a hint to a web location. At times, your browser search engine will be your best friend.
•
Various types of parallel computers became commercially viable (often as a collection of “killer microcomputers”). • Local area networks (LANs) became cost-effective. After these landmark events occurred, the character of software evolved rapidly from a world of serial programs executed in heavyweight processes to a world in which a computation can be partitioned into a number of parts that can be executed concurrently as a community of processes, threads, and/or objects. The hardware technologies have created a world where distributed programming is both practical and desirable. Above we mentioned that the HPCC initiative (see http://www.hpcc.gov/) stimulated development of distributed programming. This initiative was at least partially driven by the U.S. government decision to stimulate research that could be used to solve a set of Grand Challenge computing problems. An example of a Grand Challenge problem is to be able to define a global climate model capable of predicting how the earth’s climate might change due to various conditions. Another highly visible project was to build a software system to model and analyze genomic sequences. The Grand Challenge problems generally required an HPCC environment. Grand Challenge problems could usually only be solved by employing a computing environment that harnessed multiple computing platforms interconnected by a communication mechanism. The Grand Challenge initiative was a major catalyst for the rapid development of distributed programming.
1.1
User Space DVM Technology
Software environments generally employ a (user space code) runtime system that implements languagespecific functionality in terms of the host OS. To varying degrees, this runtime system behaves as a virtual machine, defining a computational model that is well-suited to a broad application environment (such as high performance computing or web-based computing). Every application program compiles to a set of machine instructions, some of which are executed directly on the hardware, some of which are OS system calls, and some of which are calls to the virtual machine library programs (see Figure 1-1). The complete virtual machine used by the application program is a combination of machine instructions, system calls, and library function calls.
System Calls
Machine Instructions
Application Environment VM calls •Remote threads/objects •Shared memory •Network IPC •…
Virtual Machine
OS Conventional Computer
System Calls •Processes/threads •Address spaces •Virtual memory •Files •Resources •…
Figure 1-1: Virtual Machines for Programming Domains A contemporary DVM is implemented on a general purpose computing system that defines the syntax and semantics of the API to be used by distributed application programs. The scope of functionality provided by the runtime system (DVM) is ultimately determined by the hardware and operating systems on which it is implemented. In this section, we provide a quick review of the abstract machines exported by contemporary hardware and operating systems.
1.1.1 Hardware The movement toward distributed programming was stimulated by computer hardware and network innovation. In the early 1980s, developments in microprocessors and local area networks (LANs) created a world which appeared to be able to easily support distributed programs. The 10 Mbps Ethernet was released as an open standard in 1980 (eventually becoming the IEEE 802.3 standard, then the ISO/IEC 8802-3). This was a landmark event, since it was the first time that a relatively high-speed communication network became generally available at a reasonable cost. The idea was that application software could be partitioned into N relatively independent parts, each running on a distinct hardware platform. The parts could use the LAN to communicate so that they could solve a problem as a cooperating community of subcomputations (see Figure 1-2). The token ring and token bus LANs also had an impact, though the Ethernet was more widely used than these alternatives. The impact was explosive, although not necessarily as one might expect: Since there was no widely accepted software package to enable application programmers to use the LAN (without having to learn the excruciating details) it was used primarily for file transfer applications (such as ftp), email, and remote login (such as telnet). Software Software Part PartNN
Software Software Part Part11 Software Software Part Part22
Hardware LAN
Hardware
Hardware
Figure 1-2: Hardware and Network Support The first significant distributed computing platforms were shared memory multiprocessors – a configuration of “killer micros” interconnected with a common memory unit by a bus [Hwang and Briggs, 1984]. These machines eventually evolved to be symmetric multiprocessors (SMPs), and are widely used today on the modest end of the distributed computing. The larger configurations of shared memory machines suffered from serious bus contention, leading the architects to design processor memory caches, then memory consistency mechanisms, and so on. By 1990, a significant fraction of the cost of a shared memory multiprocessor was in the interconnection mechanism. It had to accommodate multiple processors, shared memory units, and mechanisms to keep the memory caches consistent. By the mid to late 1990s, it became apparent that these machines were not cost-effective for large-scale distribution, and were much too costly for small-scale distribution. Today, multiprocessors are still widely used, but by interconnecting them with simplified switches or small, fast LANs. Distributed memory multiprocessors also contributed to the evolution of distributed systems. These multiprocessors were configured so that each processor had its own memory, but the memory could be accessed from another processor through a processor-to-processor protocol. Such machines are also called non-uniform memory access (NUMA) multiprocessors, since a process could access any of the memory in the multicomputer, but the speed of the access depended whether or not the target memory cell was in the local memory or on a different processor.
Several of the experimental distributed architectures effectively used a LAN as the interconnection mechanism. (Of course, the consistency mechanism had to augment the LAN.) Eventually, cluster computers emerged as a compromise solution. A cluster computer is a set of independent von Neumann machines whose members are interconnected by a high-speed LAN. The collection of computers is designed to operate as a single unit to solve a distributed or parallel problem. However, they generally do not include a hardware mechanism to ensure that cached copies of information are consistent. Instead, that is assumed to be a problem that is solved by the software. The Network of Workstations (NOW) experiment at Berkeley was a highly visible variant of cluster computing [Anderson, et al., 1995]. The NOW experiment focuses on software that harnesses a collection of currently unused individual workstations to work on a distributed problem. The hardware is off-theshelf workstations interconnected with a conventional LAN. As all this hardware evolved, application programmers began to understand the issues in creating distributed programs: Even though the hardware provided cost-effective computation and data transmission, it was difficult for application programmers to harness the hardware because of its complex interface. In short, application programmers needed a virtual machine to simplify the task of constructing distributed programs. OS designers began to work on the problem. 1.1.2 System Software As application programmers began to try to solve the Grand Challenge problems, OS requirements suddenly grew immense: Besides solving the normal concurrency problems, the new application domain demanded distributed files and shared memory, or if these were not possible, then a fast and easy-to-use interprocess communication (IPC) mechanism. Further, processes were proving to be rather awkward in the target distributed computing environment – the applications required a better model of computation, one more suited to distributed programming. The earlier work on timesharing and networked operating system had also largely neglected protection mechanisms and security policies. Distributed programmers required a useful way to keep their information secure when it moved among the processors. The OS community responded to the need by focusing on practical, low-level mechanisms that would support many different types of virtual machines for parallel and distributed computing. There were many new services required, so the OS researchers searched for the most fundamental ones that would provide the basis for more specific services required by distributed application programmers; the customization for a particular application domain could be designed and implemented later. There were significant studies in many aspects of distributed systems [Singhal and Shivaratri, 1994]: • Network protocols • Distributed mutual exclusion • Global clock synchronization • Distributed deadlock • Agreement protocols • Distributed file systems • Distributed shared memory • Distributed scheduling • Fault tolerance • Protection and security It was soon evident that the OS would not be able to provide solutions to all the application domain requirements in short order. Therefore, Grand Challenge researchers began to derive their own DVMs as middleware mechanisms (built on top of the evolving OS APIs). Meanwhile the OS designers began to create efficient IPC mechanisms for networks, distributed synchronization primitives, distributed shared memory, distributed file systems, and extensible kernels. This was the movement that established DVMs as an essential element in supporting HPCC distributed programming. Next we review the nature of the support that a contemporary OS provides to the DVM designers.
1.1.3 Contemporary OS Support for Distributed Programming Contemporary commercial operating systems such as UNIX and Windows are multiprogramming operating systems, designed to manage a single computer – server or workstation – and which are also intended to cooperate with one another in a network environment. These systems are generally classified as network operating systems (as opposed to “distributed operating systems”) in that they provide sufficient mechanisms to support the execution of multiple, cooperating processes or threads on distinct host computers interconnected by the network. By contrast, a distributed OS is designed to support simultaneous network execution in such a manner that machine boundaries and the network are transparent to the application processes/threads. UNIX and Windows provide a robust multiprogramming environment for a single machine. Each is constructed with an OS nucleus that implements the core functionality that executes with the CPU in supervisor mode. Each also has a large complementary body of OS software – compilers, loaders, libraries, and so on – that executes with the CPU in user mode. The portion of the OS that is critical to the correct and efficient operation of the OS executes in this nucleus – the kernel in UNIX systems, and the Executive plus Kernel in Windows (Windows NT, 2000, and XP) systems. Nucleus software is responsible for directly manipulating critical parts of the hardware, including the I/O devices, protection registers, virtual memory registers, and the like. User space software invokes the OS to perform these critical services by executing a system call. Each system call requires that the call be authenticated, that the user process and thread context be saved before the nucleus code begins to execute. Because of this, system calls are relatively costly in terms of performance. As an OS matures, the responsibilities of the nucleus tend to suffer from an ever-increasing growth – the “creeping featurism” syndrome. System designers tend to incorporate more and more functionality into the nucleus, since system call overhead can often be avoided by implementing various functions wholly within the nucleus. For example, in the 1980s, many versions of UNIX supported bitmap graphics in the kernel, and even today, the Windows NT family supports windows as nucleus code. Because of the potential for creeping featurism of the nucleus, many OS designers resist adding functionality whenever possible. Application programmers desire as much function as possible in the kernel (to avoid system calls and increase performance), but OS designers would like the kernel to be minimal so that it provides efficient, general support to all domains.
Part PartNN
Part Part11 Part Part22
OS Hardware Network
OS Hardware
OS Hardware
Figure 1-3: OS Support Network operating systems are the result of compromise in such a situation. They are designed to manage a single machine environment, but also to incorporate the minimum amount of incremental functionality to support distributed programming. As shown in Figure 1-3, a collection of machines with a network OS is sufficient for supporting distributed programming. However, application programs rarely consider them to be an ideal platform on which to implement distributed applications for at least two reasons:
•
While the primitives are sufficient, programmers must have relatively detailed knowledge of ways to exploit primitives that are exported by the OS. As a hypothetical example, if the OS exported only low-level network functionality, then application programmers would have to reimplement (or use a library that contained) a suitable API. • In the absence of shared user space middleware, application would need to replicate basic functionality in order to use the requisite OS functionality. This is not a new problem for application software designers. File access software usually runs as user space middleware to augment the minimum file functionality implemented in the nucleus. That is, application designers often add another layer of user space system software to adapt the OS so that it provides an idealized abstraction on which one can develop their applications. DVMs are yet another example of such an extension (see Figure 1-4). In the remainder of this section, we will briefly review the functionality exported by a network OS (for additional details about operating systems, see a contemporary OS book such as [Nutt, 2004]). The DVM designer uses this functionality as the development platform.
Part PartNN
Part Part11 Part Part22
Distributed Virtual Machine OS Hardware Network
OS Hardware
OS Hardware
Figure 1-4: Extending the OS with a DVM Historically, a multiprogramming OS is responsible for four basic types of work: • Process, thread, and resource management: Implements the multiprogramming abstraction, resulting in the definition of the fundamental computational elements – processes and threads. This part of the OS also defines the idea of an abstract resource as any entity that a thread might request and subsequently be blocked on if the entity is unavailable. The resource management function of the OS handles the allocation of these abstract resources. • Memory management: Implements the abstraction of the computer’s memory system. In older systems, the memory manager only manages the machine’s primary memory (directly executable memory such as RAM and ROM), though contemporary systems employ paged virtual memory to manage parts of the secondary memory (I/O storage devices) in harmony with the primary memory. • Device management: Manages the allocation and use of the machine’s physical I/O devices. Device management defines a framework for handling specific devices (driver function calls, interrupt handling, and so on), and a collection of device-specific drivers. • File management: Exports a uniform, abstract view of storage devices that allow application programs to read/write the device as a byte or record stream.
Process/thread management is the heart of a multiprogramming OS. It incorporates a scheduler to multiplex the CPU across the schedulable units of computation – threads in the case of Windows, and processes in UNIX.3 The system call interface includes functions to create/delete processes and threads. In FreeBSD and OS X, the POSIX thread library API is used to export thread functionality to the DVM. Some versions implement the API with kernel threads, and others are implemented with user space threads (we will look at this more closely in the CLI context in Chapter 9). An important concept in the process abstraction is that of address space. An address space defines the set of all resource addresses accessible to a thread executing in a process. When a process is created, it is allocated a large set of addresses – its address space. However, before any of these virtual addresses can be used, they must be bound to some resource. The vast majority of addresses are bound to primary memory locations, though they can also be bound to other OS resources. In the remainder of our discussion, we will assume that each process can “host” multiple threads (older versions of UNIX can only host a single thread, but provide the appearance of the more general thread model using the POSIX thread API). Thus a process address space defines a set of addresses that its threads use to reference physical memory. We will see how the CLI extends the address space ideas for other computational models in Chapter 6. The process manager provides one or more synchronization mechanisms. These mechanisms are sufficient for coordinating thread execution – within an address space as well as across address spaces. These primitives are based on the Dijkstra semaphore (though few accurately implement semaphores). In Windows, an NT dispatcher Kernel object incorporates the fundamental synchronization mechanism used by all application threads. Because various NT Executive mechanisms (such as a thread descriptor) inherit the dispatcher object, the synchronization mechanisms are widely accessible. The classic UNIX definition uses the file manager to synchronize single-threaded processes. However, most versions now incorporate “System V shared memory” which also includes an implementation of a semaphore variant. The CLI implementation discussed in this book uses the Win32 API synchronization model. IPC requires that threads be able to exchange messages with one another. If both threads are in the same process (address space), the exchange is trivial. However, if the threads are in distinct processes, then the information exchange requires that the OS copy the information from the sending process address space into an area in the receiving process address space. Windows and UNIX both use pipes to accomplish this. Most UNIX systems also support System V shared memory, which allows blocks of memory to be shared among processes. Windows also provides memory-mapped files as a mechanism for sharing information across address spaces. BSD UNIX designers defined a minimal mechanism for extending the conventional file I/O functions so that they could be used with network protocols to implement IPC across machine boundaries. A socket is a kernel data structure that defines one high-level endpoint of a network communication. Application programmers can make a system call to create a socket, then use the socket to transmit datagrams (using the User Datagram Protocol – UDP) or to connect to another network host and transmit byte streams (using the Transmission Control Protocol – TCP). If the process wishes to have remote threads be able to transmit information its socket, it can bind the socket to an abstract address of the form (net#, host#, port#). The (net#, host#) components of the address refer to the receiver machine and the network to which it is connected, and the port# defines a low-level communication endpoint in that host machine. By binding a high-level socket to (MyHost, MyNet, MyPort) to a low-level endpoint on the local machine, any internet host can send information to the socket created by the program. This mechanism is the foundation of most network communication on Windows and UNIX systems. It is a sufficient mechanism with which a thread on one machine can transmit blocks or streams of data to a thread (in a process) on another machine. However, to use the socket package, the application programmer must understand the details for sockets, and for how TCP/UDP/IP work.
3
FreeBSD can support kernel threads using the rfork() system call. This call is the same as a fork() call, except that the resulting unit of computation executes in the same address space as the parent process. In some versions of FreeBSD, the POSIX thread library, Pthreads, use this call to implement threads.
Byte stream files organized in a hierarchical directory structure are well-entrenched in application programmers’ model of computing. Though the formats of file systems for different operating systems differ in detail, the general model is consistent across a surprisingly large set of systems. In the late 1980s operating systems begin to incorporate an abstraction called a file system switch (or virtual file system) that allowed a file manager to administer mounted file systems of different types. This allowed a UNIX system to be able to read/write its native file system, a DOS floppy disk, and to read an ISO 9000 compliant CDROM. It is also the basis of remote file functionality: The file system specific part of the file manager is designed to use transport or network layer protocols to read and write files stored on a remote file server as if they were locally mounted files. Today, modern operating systems support remote files in the nucleus. Remote procedure call (RPC) support also began to appear in UNIX systems in the late 1980s. RPC exports an API that allows a programmer to use transport and network layer protocols to call a procedure on a remote machine as if it were a local procedure. The abstraction is not perfect (for example, the called procedure cannot reference global data nor use call-by-reference arguments), but it is sufficiently similar to normal procedure call that it enables an application programmer to access remote functions without knowing any details of the network protocols. Research studies have been conducted to experiment with incorporating various other functions into the OS so that it provides better support for distributed programming. During the 1990s there was a significant effort to build a distributed shared memory in hardware or OS software. By the end of the decade, OS designers had generally abandoned the effort in favor of DVM-style extensions that achieved a similar functionality without incorporating it in the OS nucleus. Network operating systems export all the normal functions for serial programming, and a few additional ones to support distributed programming, such as sockets, remote files, and RPC (much of RPC is implemented in library code rather than OS code). Though these are sufficient for supporting distributed programming, they require that considerable additional code be written to abstract these operations into ones that are frequently used in distributed programming. In the WBCC context, these features would be more useful if they were extended to support “automatic” downloading of mobile code, security authentication and authorization, and remote object management. Now we are ready to begin considering such extensions. 1.1.4 The Software Interface to the Network Contemporary network software conforms to the ISO Open Systems Interconnect (OSI) software architecture (see [Zimmerman, 1980; Stevens, 1994]). In conventional implementations of this model, the transport layer provides the API used by applications. Programmers using the transport layer need not be concerned with any of the physical details of the network, nor of the way networks are interconnected to form a network of networks – an internet. The ARPAnet User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP) are the dominant transport layer protocols. Although technically the ARPAnet protocols do not comply with every detail of the ISO OSI transport layer standard, they provide the same functions as do compliant transport layer protocols. They can be made consistent with the ISO OSI model by adapting TCP and UDP to work with an ISO-compliant network layer. The ARPAnet transport layer protocols support two main data types: Datagrams and byte streams. Datagrams are individual network packets. Byte streams allow processes on two different machines to exchange information by transmitting and receiving contiguous bytes of information (using multiple network packets), similar to UNIX and Windows pipes. UDP Datagrams. The User Datagram Protocol (UDP) delivers blocks of information at the transport level. A datagram is a block of information that is transmitted in a network packet (which implies that datagrams are encapsulated within network packets). In UDP, a datagram may be larger than a network packet, so the protocol will fragment large datagrams so that they can be transmitted as a set of network packets, then rebuild the datagram at the receiving machine’s transport layer. The network delivers individual datagrams to arbitrary hosts on the internet without ensuring reliable delivery. That is, UDP does not guarantee that any packet will be delivered to its destination. However, it does guarantee that if any part of the datagram is delivered, then all of the datagram will be delivered, that is, datagram fragmentation and rebuilding is reliable.
Datagram services provide a level of abstraction of the network similar to the block I/O abstraction for storage devices. If the programmer decides that the underlying implementations of the network and lower layers are sufficiently reliable for the application, then the application software can be written to use datagrams with a protocol such as UDP. It is rare that data is lost when reading/writing a local storage device operation. However it is not so rare for network communication to lose information. For example, the network may lose a frame at the data link layer or a packet may be lost at the network level. Even so, UDP makes no provision to notify or correct for the loss. Reliability is the full responsibility of the application program. As a result, UDP is generally not used for applications where reliable transmission is required, as in the case of most applications. It can, however, be used for transmitting audio or video information, since the application program would normally interpolate the information it received prior to using it. The incremental OS support (beyond network layer functions) of datagram service is small— namely, the management of the port component of the address—since most of the functionality is logically part of the underlying network layer. Byte Streams. The Transmission Control Protocol (TCP) implements reliable byte streams among processes on different hosts on an internet. (These byte streams are sometimes called connections and sometimes virtual circuits.) Before two threads can establish a byte stream between them, both must be willing to communicate. The two threads take on different roles in establishing the byte stream. The active thread requests that a byte stream be established with a passive receiver thread prior to exchanging information. If the passive receiver accepts the request, a connection (or virtual circuit) is established between the two processes that host the threads. Once the connection has been established, the sender can write variable-sized blocks to the byte stream and the receiver reads variable-sized blocks from the connection to obtain the information. In TCP, the size of the blocks read need not correspond to the size of the blocks that are written. Since the byte stream is created between a pair of processes, it is unnecessary to include the destination of each piece of information transmitted over the connection. Datagrams are analogous to telegrams in the sense that each is separately addressed and sent to the receiver. Byte streams implicitly assume reliable packet delivery. Reliability can be achieved by using a communication model that bears more resemblance to telephony than to telegraphy. The telephone system uses the notion of a connection (or circuit) for communication. A caller establishes a connection by placing a call to the callee prior to exchanging information. Once the connection has been established, the caller need not include addressing information, since the connection already specifies the communication ports for both the caller and the callee. The telephone analogy is used by the TCP to implement the virtual circuits (logical end-to-end connections). If two threads agree to establish a virtual circuit between them, then either can transmit a byte stream across the virtual circuit without being concerned about packet boundaries. Furthermore, TCP guarantees that all packets used to hold the byte stream will be delivered in the order they were sent. This is accomplished by attaching sequence numbers to each packet used by the byte stream. The transport layer then uses a peer-to-peer protocol to generate and test sequence numbers to ensure that no packet is lost or delivered out of order. Opening a virtual circuit requires that the sender and the receiver agree to exchange information. As described previously, any thread intending to communicate with other threads must create a port so that other threads have a delivery point, (net#, host#, port#), on which to connect the virtual circuit. After both threads have created a port, one of them—the active one—requests that the virtual circuit be established. The passive thread can then accept (or reject) the request to connect the virtual circuit to the specified communication port on behalf of the receiver. Transport layer connections use handshaking protocol for flow control on the byte stream. Such protocols help ensure that packets do not get lost, since lost packets will cause retransmission. When a flow control protocol such as the sliding-window protocol is used at the transport layer, it manages a stream of packets between ports, rather than the flow of frames between host machines, as is done at the data link layer (see [Stevens, 1994]. Thus a sliding-window protocol could conceivably be used at the data link level and again at the transport level. When a pair of threads have completed their use of the virtual circuit, they must “tear it down,” since network resources are required to keep the virtual circuit intact.
TCP is the prevailing transport layer implementation in contemporary networks. It provides virtual circuit capabilities that enable a sending process to establish a virtual circuit to a remote machine and to exchange information bidirectionally over the connection. Communication using TCP is reliable, so TCP has become the workhorse protocol for contemporary network applications. It is used in window systems (including the X windows system), WWW, remote file systems, and mail systems. 1.1.5 The Client-Server Computing Model The client-server model is a general distributed computation paradigm that can be used to exploit the ISO OSI transport layer facilities. According to the model, one process, the server, is a passive process that provides a specified service to any active process, a client, desiring the service. Several contemporary products employ the client-server model, including file servers, print servers, database servers, and window servers. As suggested by the name, the client-server model has asymmetric behavior. The server always exists in the network, passively waiting for requests for service, while autonomous client processes decide when to utilize the server. In other words, a server is a worker process soliciting work, while a client is a supervisory process requiring services. The server is initiated as an autonomous process in a network of machines. A pseudo code schematic for a server process is shown in Figure 1-5. The idea is that the server creates a communication endpoint on which to listen for client requests. That endpoint is called “serverSkt” in this example. After initializaing the serverSkt, the server main loop waits for an incoming request on the endpoint, then services the request. It then waits for the next request, and so on. int serverSkt; struct request_type *request; serverSkt = initialize();
/* The socket used to receive requests */ /* Details of a request */ /* Create a socket and bind it * Register server with the registry * Initialize data structures, etc */ while(TRUE) { /* Service requests until the process dies */ request = waitForRequest(); /* Get a request */ serviceTheRequest(request); /* Then service it */ };
Figure 1-5: Server Structure A client process can request service from the server by sending it a datagram containing the details of the request. Once the client makes the request, it will ordinarily wait for the results of the request before it continues to execute. That is, in this case, the client and the server interoperate synchronously, as if the server is executing a called procedure on behalf of the client. The client-server model is the most widely used paradigm for organizing distributed computations. OS designers use the model heavily in implementing the OS, and application designers use it for organizing their distributed program. 1.1.6 Extending the OS Because of the national interest in solving Grand Challenge problems, application scientists were stuck on the horns of a dilemma: Should they wait for the OS researchers to provide all the requisite system software for their DVM as part of the OS, or should they themselves begin using the early results to define and implement their own middleware DVM. The research and funding environment encouraged considerable activity in the latter area: Research groups interested in solving Grand Challenge problems began to design and implement software to provide specific services needed by distributed applications. Since this new class of software was not part of the OS, each computer’s OS was extended with a DVM library, designed so that peer DVMs cooperated to implement a distributed platform (see Figure 1-6).
These DVMs used simple OS mechanisms (such as classic IPC mechanisms along with TCP/IP) to implement a customized distributed virtual machine. This DVM is well-suited to supporting distributed programming by implementing features needed in many Grand Challenge programs, but which are not implemented in the OS. For example, the DVM might implement threads, high-level synchronization primitives, RPC, a distributed file system, network directory services, and/or distributed shared memory. Part PartNN
Part Part11 Part Part22
DVM OS Hardware Network
DVM OS Hardware
DVM OS Hardware
Figure 1-6: Middleware DVMs Encapsulating Distribution Functionality An early example of this middleware was the C threads package that accompanied the Mach distribution. [Walmer and Thompson, 1989]. Application programmers wanted to write their applications using schedulable units of computation that shared an address space, instead of using single-threaded processes operating in individual address spaces. Through judicious use of the IPC mechanism, the C threads library provided a virtual machine in which applications could be written using a new “lightweight process” to accomplish computation. Instead of worrying about using IPC to accomplish sharing, the threads in a process shared variables that each thread could read and write directly. Distributed objects are another example of a user space DVM extension to the OS. CORBA [Object Management Group, 2002] was developed as a standard by which objects implemented in different languages, executing on different machines with different operating systems, could work on a common application. The idea is that an application programmer refers to methods in objects without knowing where the objects are actually instantiated. The CORBA distributed virtual machine routes method calls, exceptions, and results among machine to implement remote object invocation (RMI). A trend emerged: Application programmers could define an idealized application environment, then write a collection of user mode programs to implement the environment in terms of different host operating systems. In the remainder of this chapter we will review the evolution of DVMs in the HPCC domain. This will help you to understand the characteristics of HPCC DVMs, and subsequently to see similarities and differences between HPCC and DVMs used for web-based programming when we begin to look at them more closely in the next chapter.
1.2
HPCC: High Performance Computing and Communication
Distributed application programmers of the 1980s and early 1990s were focused on diverse scientific problems, such as analyzing data to predict the weather, or to determine the structure of a DNA sequence. In a network environment, their OS platform typically supported TCP, enabling them to use TCP’s virtual circuit mechanism as the basis for building their solution. However, TCP-level functionality does not address process management tasks such as creating a child process on another computer. The scientific programming community began to develop their own first generation DVM middleware libraries to accomplish IPC and remote process management (see Figure 1-7).
HPCC Execution Model Remote Remote Files Files
Remote Remote Files Files
IPC IPC
Remote Remote Execution Execution
Socket Socket IPC IPC
Other Other
Other Kernel Functions
OS Kernel Figure 1-7: Middleware HPCC Support Inserting middleware between the application programs and the OS accomplishes the goal of abstracting the supporting platform API so that it provides better support for domain-specific programming. The tradeoff is potential performance loss – precisely the enemy of HPCC. Remote files are the backbone of early distributed applications. Even in high performance computing, a major issue is to get the data to the correct machine in a network. Early DVMs used the OS remote file capability to provide this functionality. Domain-specific IPC is intended to allow parts of a computation to communicate while: • Abstracting away the details of network protocols • Providing tailorable information formatting protocols (for message formats, data types, and so on). These operations do add significant functionality, although they may introduce significant performance overhead costs. The most significant performance factor in message management is the cost of repeatedly copying the message. Briefly, messages are blocks of information sent by one process and received by another. The message serves two purposes: • It is an explicit mechanism for one process to share information with another. • It can be used to synchronize the operation of the receiver with the operation of the sender. A receiver process must have a mailbox to buffer messages that have been sent to, but have not yet been logically accepted by, the receiver. Send operations can be synchronous or asynchronous. In a synchronous send operation, the sender waits until the message is safely delivered to the receiver’s mailbox before it proceeds. In an asynchronous send operation, the sender transmits the message and proceeds without waiting to see if the message was actually placed in a mailbox. Receive operations can be blocking or nonblocking. When a receiver reads a mailbox the blocking receive prevents the receiver from proceeding until a message is available. In a nonblocking receive operation, a receiver proceeds whether or not there is a message in the mailbox (meaning that the application is expected to test the result of the receive operation to determine if information was received or not). The OS may not implement all these possibilities, or other variants that application programmers may desire (such as broadcast send). The DVM can define a canonical set of IPC functions, then implement them so that they work on a range of different operating systems.
DVMs can introduce a new remote execution environment. In the earliest days, this might have been based on a remote shell facility that would allow the middleware on the local machine to cause programs to be executed on the remote machine. As DVM solutions grew in sophistication, the idea of abstract units of execution began to be defined at the middleware layer – PVM processes, Pthreads, and so on (these ideas are explained in the following sections). The performance cost of these abstractions can be considerable, so the challenge in the HPCC environment is in implementing a remote execution environment that provides a suitable abstraction, yet which is highly efficient. In early 1990s, programmers and computer buyers were concerned about open systems – heterogeneous systems that could be used in a network [Nutt, 1992b]. Every development organization wanted a set of standards to fall out of the ISO OSI, OS (POSIX), ANSI programming languages, etc. standards work – then they could just use the set of standards. POSIX was a leader, OSF followed the lead with DCE. The ad hoc solution was to not wait for an all-encompassing standard, but to adopt things that looked like the would win in the long run: TCP/IP; FTP, SMTP; DNS; ARP/RARP; Berkeley sockets; Sun RPC, NFS & yellow pages; Berkeley mail, X.500 directory services (or its LDAP variant), PGP, Kerberos, POSIX.1, CORBA, … and later, things like DHCP, Slip/PPP, Mosaic, X windows, HTTP 1.0/1.1,HTML, and SGM. Next, we will look at a few early DVMs that were oriented toward HPCC application domains.
1.3
PVM: The Parallel Virtual Machine
Probably the most widely-used DVM used to support HPCC during the early 1990s was the PVM (Parallel Virtual Machine) software package [Geist and Sunderam, 1992]. By the late 1990s, many of the developers of PVM had joined forces with others to develop a refinement called the Message Passing Interface (MPI) [Gropp, et al., 1998]. At the time of this writing, a splinter group of MPI developers are now focused on the HARNESS DVM [Beck, et a., 1999] (also see http://icl.cs.utk.edu/harness/ and Section 1.6). PVM was a classic DVM that provided an API built on top of different host OS network messagepassing facilities. PVM were intentionally designed so that it could be used with various operating systems (as a practical matter, that meant different versions of UNIX). If a distributed application programmer implemented a program on top of PVM, then the distributed components could be executed on a wide variety of versions of UNIX. At the time PVM was deployed, it immediately found wide spread use for high performance computing, even though the PVM package was generally user space software. PVM was implemented on many different kinds of machines. Thus a programmer could install PVM on a set of heterogeneous machines connected to a common network and then use the underlying TCP/UDP implementations to support interoperating PVM library routines. An application could then be written to distribute computation across machines built by different manufacturers without having to address any of the details of each machine’s transport layer protocols. In cases where PVM was expected to be heavily used, the PVM implementation was implemented as part of the OS. For example, some organizations (such as Control Data Corporation) implemented parts of PVM in the OS to avoid the performance overhead. PVM uses the library functions built on top of the local OS process management facilities to create and manage PVM processes. A PVM task is a schedulable unit of computation that uses a parallel virtual machine to execute. The pvm_mytid() call must be executed by each PVM task so as to associate the task with a parallel virtual machine; the call returns a task identifier. The task identifier for other tasks using the virtual machine are obtained with the pvm_gettid() call. A task can create another task using pvm_spawn() and can destroy itself with pvm_exit(). A set of tasks can be identified as siblings by joining a logical group with the pvm_joingroup() call. A task can abandon the group using pvm_lvgroup(). PVM contains synchronization calls, including conventional signal() and wait() calls. The portable PVM library implements the equivalent of a semaphore using TCP/IP protocols, as if there were a shared memory with a semaphore.
PVM messages contain sets of typed data. A sending task initializes a message buffer with the pvm_initsend() call. Typed data is placed into a message buffer using packing routines, for example, pvm_pkint() is used to place an integer into a message. The receiver uses pvm_upkint() to retrieve the data from the message buffer. Once a sending task has filled its message buffer, it sends the buffer to another task using the task identification with the pvm_send(), pvm_multicast(), or pvm_broadcast() operations. Messages are accepted with the pvm_recv() operation, thus causing the message to be placed in a buffer where data is unpacked using the unpack command set and the values placed in local variables.
1.4
The Beowulf Cluster Computing Environment
In 1994, the Beowulf Project, led by Sterling and Becker, built a multiprocessor from a collection of “commodity off-the-shelf” (“COTS”) microprocessors interconnected with Ethernet technology – a cluster computer [Becker, et al., 1995]. Like PVM, this project was driven by the need for support of high performance computing through parallelism. The system was at the Goddard Space Flight Center built by parallel programmers to be solve earth and space science problems (it was not a systems research project) – the Beowulf developers refer to themselves as “do-it-yourself’ers.” The Beowulf computer was so successful that other researchers in the community decided to adopt the approach and build their own “Beowulf class cluster computer.” (see http://www.beowulf.org/intro.html). Beowulf differs from the network of workstations (NOW) research systems that also use independent machines interconnected by an Ethernet [Anderson, et al., 1995]. A NOW is intended to operate on a conventional network with general purpose workstations. When a workstation is not in use by its normal user, the NOW uses its resources. This means that a significant part of the contribution of the NOW is in determining when a workstation can be used, and in load balancing. In Beowulf, all the machines are dedicated to the cluster computer. The Beowulf hardware is standard hardware, interconnected using Ethernet technology. The challenge to harnessing the hardware so that it can be used to solve high performance computing problems is in finding an appropriate set of software to support distributed application execution. Just as the Beowulf designers exhibited great initiative in building the hardware, they used the same approach in building the distributed programming environment. A Beowulf cluster uses various freely available software packages to created the environment, including Linux, PVM, MPI, and GNU software. The first Beowulf computer was built using DX4 processors and a 10 Mbps Ethernet. The processors were much faster than the network, so the developers created a technique in which they used two Ethernets with each carrying half the transmission load. This required that they be able to do extensive device driver development – something for which Linux was well suited. As 100 Mbps (and 1Gbps) Ethernets became generally available, Beowulf clusters have dropped the old “striped” Ethernet pair in favor of a single highspeed Ethernet. Network drivers are a critical part of the Beowulf approach, and these developers have contributed numerous network drivers to the Linux community. The programmers who developed Beowulf were already quite familiar with PVM, and the then emerging MPI package. They had used various parts of the DVM on top of other computer platforms as the basis for much of the paralled/distributed programming support. Therefore, it was natural for them to use PVM/MPI as the distributed process management approach in Beowulf. PVM IPC can be slow due to the copy operations necessary to support a user space IPC package. It is possible to implement a very fast mechanism wholly within in a device manager that exports the PVM/MPI IPC interface – this can eliminate several copy operations, thereby removing the performance bottleneck often associated with PVM/MPI. The Beowulf Project established an avid community of people that wanted to create their own cluster of dedicated computers. By creating a simple distributed hardware platform, concentrating on network driver development, exploiting the open Linux environment, and using the PVM/MPI interface, the community is able to build and use an inexpensive but very high performance cluster computing environment.
1.5
The Open Systems Foundation (Open Group) DCE
Throughout the 1980s there was a continuing competition between the two dominant versions of UNIX: BSD UNIX and AT&T System III/V UNIX. Sun Microcomputers had adopted BSD UNIX as their OS, so the competition was primarily between Sun and AT&T. In 1988 Sun and AT&T reached an agreement in which the competition between the two versions was put to rest – essentially resulting in Solaris. The Open Software Foundation (OSF) was formed soon thereafter as a response to the Sun-AT&T agreement. The OSF was a consortium of computer manufacturers that wished to support the idea of an open version of UNIX. (In 1995, OSF merged with another open software consortium named X/Open to form the Open Group.) Besides OSF’s interest in versions of UNIX, it also intended to supported distributed application programming. OSF created a unified DVM middleware package explicitly intended to support distributed computation, called the Distributed Computing Environment (DCE) [Open Group, 1996]. DCE can be supported by various operating systems, including OSF’s own OS recommendation (called OSF/1). Whereas PVM was supported and developed primarily by the high performance scientific computing community, DCE was created by a commercial OS community; therefore, it was intended to address a broader class of applications than just the HPCC domain. Like Beowulf, DCE was generally built by combining a collection of independently-developed open technologies, rather than being derived as a new collection of functions. Like PVM, DCE was designed to support heterogeneous networks, computers, and operating systems. The goal was for programmers to be able to write distributed software using the DCE API, then to have that software run on any of OSF/1, various forms of UNIX, and any other OS that included the DCE DVM. Programmers could then largely ignore the type of computer and network being used under the OS. DCE applications are generally client programs that request services from the distributed infrastructure. Applications are implemented as a community of DCE threads that communicate with servers on remote machines using a built-in RPC protocol. The DCE middleware is implemented as a set of library routines that run on the local client machine OS – providing services if they are available at the local machine, or acting as client stubs if services are obtained from a remote machine. Remote services can be provided by the DCE, and others by application programmers. The built-in DCE services are: • Distributed File Service • Security Service for user authentication and resource access authorization • Directory Service for uniformly naming and locating resources in the distributed environment. • Time Service that is able to synchronize clocks across a network. Of course application services are defined by the DCE programmer. Next we will discuss the DCE mechanisms and built-in services.
Threads Threads are the schedulable unit of computation for the DCE. The thread package is defined by the POSIX3.4a standard, which can be implemented as a library or with kernel support. At the time that DCE was defined, most of the underlying OS platforms were single-thread per process UNIX systems. This meant that an application executed as a single classic process that multiplexed across user space threads under the control of middleware code. The OS kernel was unaware that a process might be multithreaded, since from the kernel point of view, thread multiplexing within the process was completely invisible. User space threads work fine unless one of the threads in the process happens to block. When one thread blocks, then the process is blocked. This means that all threads in the process are blocked. This is a big motivator for kernel threads – threads that are managed by the kernel instead of user space code. With kernel threads, the OS scheduler allocates the process directly to the thread instead of to the process. This means that one of the threads in a process can block without blocking the other threads in the process. DCE implementations of threads were intended to support at least user level threads, but preferably kernel threads. Today many implementations of the POSIX thread package use kernel threads rather than the library implementation. That, of course, was the rationale for using POSIX threads in the early days of DCE: A program could be written to work with the POSIX interface, and thus would work with both user and kernel threads without modification.
rpcServer
theClient main int main(…) { … localF(…); … remoteF(…); … } void localF(…) { … return; }
clientStub lookup(remote); pack(…); send(rpcServer, msg); receive(rpcServer); unpack(…); return;
register(remoteF); while(1) { receive(msg); unpack(msg); remoteF(…); pack(rtnMsg); send(theClient,rtnMsg); }
void remoteF(…) { … return; }
Name Server void register(…) { … } void lookup(…) { … }
Figure 1-8: Remote Procedure Call Implementation
Remote Procedure Call DCE distributed applications use RPC for interprocess communication. The RPC model generally conforms to the detailed discussion provided in Chapter 17 of [Nutt, 2004]. As summarized in Figure 1-8, the client is configured with a client stub for each remote procedure it calls, and the server stub is the main program for the server. The RPC server is started first. It registers the remote procedures with a name service, then waits for a client to invoke a procedure. The address space used by the client thread has all the client stubs linked into it (as if they were normal local procedures). When the thread calls a remote procedure, it really calls the client stub. The client stub looks up the remote procedure server that implements the target procedure. In DCE, the global name space in which the client should search for a remote procedure is specified by an administrator-defined cell, or collection of host machines. Next it marshals the arguments and sends them to the remote procedure server. The client stub then blocks, waiting for a response from the server. The remote procedure server is normally waiting for a client call. When the call arrives, the remote procedure server unmarshals the arguments, then uses them to call the target procedure. When the procedure returns to the server stub code, it marshals the return results and returns them to the waiting client stub. The client stub unmarshals the results, then returns them to the calling code. The DCE RPC provides a collection of tools to enable a programmer to generate client and server stubs, and to specify the details of the procedures and arguments (Sun RPC also does this). It also provides flexible ways to use the mechanism, for example, so that two different clients can call the same remote procedure server at the same time, or so that a client can cancel a remote procedure call that is in process (but not yet complete). The remote procedure call server is built in the listener-server pattern (see [Nutt, 2004]). This means that the client stub contacts the remote procedure server, who then couples the client with a listener thread on the server. In this manner, the server can support multiple concurrent calls – each call has its own listener server thread.
In a production level DVM, one should not expect that the entire system can be halted to update a particular remote procedure. Though the updated procedure may fix bugs, it could also change parameter characteristics or the semantics of the original procedure. Therefore, the RPC system supports multiple versions of each remote procedure. Each remote procedure has an associated major and minor number; to designate the version of the procedure. When a client calls a remote procedure, it must provide the major/minor numbers of the target procedure to assure that the correct one is called. These version numbers are also kept with the registration information in the name server. Argument number and types are part of the definition of a procedure, that is, the calling and called procedures must agree on the characteristics of the argument list. In ANSI C, function prototypes are used to define a procedure signature – the name of the procedure, as well as the number of arguments and the types of each argument. The DCE does not assume that all programs are written in C; it is possible for a client written in one language to call a remote procedure written in a different language. This means that the procedure interface specification is language-independent. It is generated by a tool that is part of the RPC package – the output of the tool is header file, the client stub, and the server stub. The client stub is combined with the client application code, and the server stub is combined with the remote procedures, resulting in the running system.
Distributed Files The DCE DFS is a descendant of the Andrew File System – AFS (see [Satyanarayanan, 1990]). The DFS refinement of AFS was developed by HP, IBM, Locus Computing, and Transarc [Kazar, et al., 1990]. AFS/DFS uses the file caching approach, meaning that when a client opens a file, the file is copied (or cached) to the client If the client has enough primary memory available, the file is kept in the primary memory, otherwise it is copied to a storage device on the client machine. This means that in the implementation of the remote file server, most of the file manager is on the server side, with a relatively small part of the functionality implemented on the client side. Since AFS/DFS uses file caching, it must handle file consistency. That is, when a copy of a file is cached to more than one client, and is then updated by one of them. The brute force solution would be to simply let clients overwrite the file whenever it is “checked back into the server.” AFS/DFS does a better job than this by introducing the notion of tokens. A token represents the right to perform certain operations on a cached (and potentially shared) file. For example there is a token to allow a client to access file descriptor and directory information, and tokens to lock parts of a file. When a client wants to perform one of these protected operations, it must obtain the corresponding token from the server. Client application software accesses remote files using POSIX.1 (OS) system calls. If the OS is POSIX.1 compliant, then there is no difference between DFS and local OS file manager calls, otherwise the application programmer must use the local OS system call interface for local calls and the DFS POSIX.1 calls to manipulate remote files (see Figure 1-9). The client interacts with the server using the RPC mechanism, thus file manager system calls are represented at the client by stubs. The other significant job on the client side is to manage cached copies of files when they are opened by application software. The Cache Manager is the DFS client module that handles this task. Whenever a file is opened, the Cache Manager looks in its local cache (on a local storage device) to determine if a copy of the file is already loaded at this client machine. If there is a copy, then the application uses that copy. If there is not a copy, then the Cache Manager requests one from the server Client side software can be implemented as middleware. The DFS server must be implemented in user and kernel space. At the file access level, AFS/DFS uses Sun vnodes and the virtual file switch (VFS) – see [Sandberg, et al., 1985]. This means that AFS/DFS has a preferred file system (called the Local File System Figure 1-9), though it can also mount other types of file systems. The VFS+ (meaning Sun VFS plus extensions for DFS) implements the file system independent part of the server’s file manager. The Local File System implements the file system dependent part of the file manager. Other types of file systems can be implemented on the server by implementing modules corresponding to the Local File System module; the VFS is explicitly designed to accommodate such implementations. The File Exporter is the server stub for RPCs. Each RPC that is issued by a client is fielded by the File Exporter. It will call its own procedures (file manager system functions) to execute commands issued by the client. The File Exporter’s functions make calls on the VFS+ (and thus the underlying file system modules) to cause file management operations.
Client Applications Client Stubs Cache Manager
Network Layer
Other User Space Services
Server File Exporter Token Manager VFS+ Local File System File Storage
Figure 1-9: The DCE Distributed File System Tokens are intended to enable the client and server to implement a file manager that has the same file access semantics as a UNIX file manager. This means that in cases where there is the possibility of action by clients that will introduce inconsistencies due to replication, the Token Manager must prevent that from happening. It does this by inspecting each client’s request to perform actions that might break the UNIX semantics. The Token Manager can then handle these operations as critical sections to ensure consistent operation. Rather than having the Token Manager simply implement a collection of semaphores, the Token Manager allocates a token to a client that has permission to alter a file or directory. When the client has completed the operation, the Token Manager can reclaim the token and allocate it to another client if one is waiting. There are other services provided by the DFS server. Generally, these services are related to file system administration, for example handling file system partitions (called DFS filesets), managing the server threads, monitoring performance, and so on.
Security Considerable effort has gone into the DCE security mechanisms. The facility provides all three aspects of security mechanisms described in Chapter 14 of [Nutt, 2004]: Authentication, authorization, and cryptography. Throughout the DCE design it is assumed that distribution is achieved by having clients interacting with servers. In providing a secure distributed environment, a Security Server is introduced to implement many of the mechanisms used in the approach. Additionally, an Administrator is assumed to be defining a protection policy at a fourth network site (see Figure 1-10). The Registry service in the Security Server manages the cell-wide security policy. The administrator’s interface is designed to securely interact with the Registry to create and maintain the desired policy specification. The active elements of the system (those that can request access to a passive element) are called principals in DCE. The Security DB contains an entry for each principal that keeps all relevant information about that principal (for example, encryption keys and authentication information). It also maintains general security information for the cell.
The Authentication service is the Kerberos authentication system (see Chapter 14, [Nutt, 2004]). Kerberos uses encryption to enable clients and servers to establish secure connections over an untrusted network. For example, it is possible to have a secure connection over the IP network layer where intruders can peek at all the information that crosses the network, yet not be able to interpret it. Once the client and server are able to trust one another (using Kerberos tickets), they can exchange encrypted information until their session expires.
Client
Application Server
Applications
App Service ACL
Session Authentication User Authentication
Admin Interface Administrator Client-server information DCE Security information
Authentication Privilege Registry
Authorization
Login
Security DB
Security Server
Figure 1-10: DCE Security Components The Authentication service relies on the client being able to authenticate its user. The Login service at the client machine is responsible for authenticating the user that launches client applications. User authentication is accomplished through login/password pair. Once the user is authenticated, information is conveyed between the application client and server as encrypted information. Recall that all client-server interactions use RPC. It is the RPC mechanism that invokes the authentication services, including the Kerberos session initialization. The RPC mechanism also implements encryption and decryption as part of the normal command/result transmissions. The application service can determine which clients are authorized to use the service by checking the access using access control lists, or ACLs (see [Nutt, 2004]). The ACL service can be implemented in any server.
Network Directory From its inception, DCE was intended to support large-scale distribution over large networks. In this type of environment, it can be surprisingly difficult for a thread to locate resources – machines, files, services – on the network. Developers recognized this problem several years ago: In 1988 the first version of the X.500 directory services draft standard was released (the fourth edition of the spec was released in 2001). X.500 defines an extensive set of tools for locating resources in a network. The DCE Network Directory service uses the X.500 directory service, more specifically, the LDAP subset of X.500. The Network Directory service is based on domains – the cells mentioned in the RPC discussion. Roughly speaking, a cell is an administrative collection of network resources that can be used in a distributed computation. RPCs can be used to make procedure calls within a cell, distributed files can be accessed throughout a cell, security policies apply to a cell, and so on. The Cell Directory Service is the mechanism by which a client can find resources within the cell. The Global Directory Service provides a means for spanning cells if that is required, but the default operation is within a cell.
Each resource has a unique DCE name within the cell, and each cell name is unique in the space of all DCE cell names. So any resource within a cell can be referenced using the intra cell name. Specifically, resources in remote cells can be referenced using the cell name and the intra cell name. The actual names are a bit more complicated than this, but the important idea is to note that there are names used within a cell by the Cell Directory Service, and more general names used by the Global Directory Service to reference resources in remote cells. The X.500 Directory Access Protocol (DAP) is used to access a directory server to find a resource. DAP provides a user interface allowing users to construct their own queries of the directory server to find resources. DAP is a high-level protocol, that can run on top of TCP/IP. The Lightweight DAP (LDAP) was developed as simplified version of DAP that required fewer client machine resources than DAP. During the 1990s, LDAP quickly caught on as a protocol for performing X.500 directory service queries without incurring the cost of supporting a full DAP client. Today, LDAP is widely used on desktops, even though the original motivation no longer holds – that is, any modern desktop has more than enough resources to support a DAP client implementation. LDAP is also important because now it is being used in mobile computers where, once again, there are limited client resources.
Time Service Distributed software components often need to synchronize according to some absolute measure such as the passage of time. For example, suppose that the correct operation of the computation depended on an agreement that event R on machine X occurred before Event S occurs on machine Y. The key element here is determining if the time that Event R occurred is earlier than the time at which Event S occurred. This problem would be trivial on a uniprocessor system, since one could simply observe the time that Event R occurred and the time that Event S occurred, then compare the two times. In a network of computers, there are difficulties. When Event R occurs, it uses the time from Machine X, but when Event S occurs it uses the time from Machine Y. What assurance can there be that the clocks for the two machines are synchronized? Even if the two machines have there time synchronized, say at the top of the hour, their clocks will drift before the top of the next hour. If the clock on Machine X loses time (counts only 59 minutes and 59 seconds in the hour) and Machine Y gains time (counts 6 minutes and 1 second in the hour), then we cannot determine if Event R actually occurred before Event S or not. The DCE Time Service provides a means for the network of computers to manage time: • There is a way for all hosts to periodically synchronize their clocks. This assures that they times at the different hosts stay within an acceptable range of one another. • Each clock reading is given as a range of times, with the assurance that the correct time lies within the range. Each client is configured with a Time Clerk that is responsible for synchronizing that machine’s time with the DCE time. The Time Clerk interacts with a collection of Timer Servers whenever it needs to synchronize the local clock. To do this, the Time Clerk observes drift on each synchronization action. Eventually it will determine the amount and direction of drift in the local machine’s clock. Once it has determined this information, it knows that when the local clock has had time to drift too far from the DCE time, it synchronizes with the Timer Servers.
1.6
HPCC Today: Grid Computing
The HPCC initiative stimulated research in scientific distributed and parallel computing in the 1990s, particularly with the development of NSFnet – an experimental wide area research net. NSF issued their first grants to support the TeraGrid initiative in August, 2001 to build “… the world's largest, fastest, distributed infrastructure for open scientific research.” (see http://archive.ncsa.uiuc.edu/About/TeraGrid/). The TeraGrid provides 4 centers with clusters of high-speed computing. The challenge is for the system architects and programmers to learn to move data around the network so that it can exploit the computing clusters. Many of these modern scientific applications are intended to process terabytes of data, as a consequence the data movement is a major obstacle to this grid computing at the time of this writing.
There is considerable research and development in progress on DVMs for the grid computing organization. HARNESS (Hetrogeneous Adapatable Reconfigurable Networked SystemS) is a DVM environment intended to support dynamically adaptable parallel computations [Dongarra, et al., 1998]. HARNESS is an outgrowth of earlier work on PVM and MPI. Globus is another well-known project to develop similar tools to build virtual [machine] organizations to meet a parallel applications particularly needs from resources in a grid (such as the TeraGrid) [Foster, et al., 2001]. The Legion project is a third example of a grid-based DVM [Grimshaw and Wulf, 1997]. Interestingly, the web provides some of the inspiration and motivation for the Legion model: Programmers should be able to combine networkaccessible resources (from the Grid) to create a tailored distributed computing environment (a DVM). Legion is the metasystem for constructing individual DVMs. HARNESS, Globus, and Legion represent significant grid computing systems that have evolved at the same time as the WBCC models discussed in this book. Today, as in 1995, HPCC and WBCC distributed computing environments differ in terms of their purpose, and therefore in detail. Nevertheless, they also continue to use common underlying OS and hardware.
Installing Rotor on Your UNIX Development Machine 1. Installing Rotor on your development machine is not directly related to the content of this chapter, although it is the first step in your exploration of the software distribution. This Rotor software has been designed so that the same code can be installed on Windows XP, FreeBSD, and OS X. The lab exercises and examples in this book assume that you are using a FreeBSD implementation, though you can also do all exercises using Rotor on the other platforms. Before you do any of the exercises in the later chapters, you will need to install a current copy of Rotor on a computer with a UNIX family operating system. For FreeBSD Rotor can be built using either the Bourne shell or the C shell. The distribution contains the env.sh and env.csh build scripts, respectively, to set environment variables prior to performing the build. The env.bat file performs a similar task for the Windows environment. Once the compilation environment has been initialized, the buildall command begins to compile various parts of Rotor. Here is an annotated abstract of the build script (the annotations are comments with a leading ##): ## Build the UNIX PAL cd ${ROTOR_DIR}/pal/unix if test X"$1" = "X-c" then make clean make depend fi make ## Build a version of nmake cd ${ROTOR_DIR}/tools/nmake … ## Build cppmunge is a preprocessor for C++ programs to translate ## strings into a format (still 2-bytes/char) better suited for UNIX cd ${ROTOR_DIR}/tools/cppmunge … ## This tool installs binaries in the correct directories cd ${ROTOR_DIR}/tools/binplace … ## This tool runs make-like scripts. After it is compiled, ## it is used for the rest of the build (instead of make). cd ${ROTOR_DIR}/tools/build … cd ${ROTOR_DIR}/tools/resourcecompiler build $* cd ${ROTOR_DIR}/palrt/src build $* ## Here is where the SSCLI gets built cd ${CORBASE}/src build $* cd ${ROTOR_DIR}/fx/src build $* cd ${ROTOR_DIR}/managedlibraries build $* cd ${ROTOR_DIR}/jscript build $* cd ${ROTOR_DIR}/samples build $*
The CLI and most of the tools have been built to run on top of the Win32 API. The Rotor developers created a Platform Adaptation Layer (PAL) to implement the API described in …/pal/rotor_pal.h. Roughly speaking, this include file defines subset of Win32 API types and functions used by the SSCLI and many of its tools. (Other tools are implemented directly on the host OS environment.) The first phase of buildall is to compile the PAL. After the PAL has been built, buildall compiles the nmake utility. This tool is the Windows counterpart of UNIX make. It will be used throughout the remainder of the build. buildall then compiles various other tools (cppmunge, binplace, build, and resourcecompiler. It then finishes the toolbuilding by compiling the source code in the …/palrt directory – various files that are common to Windows and UNIX. Next the CLI code can be compiled and linked with the appropriate PAL functions. After these have been built, the build procedure compiles the C# managed libraries, the JScript compiler, and the sample code. At this point, you should be ready to use Rotor. The detailed directions for installing Rotor is documented software distribution. In summary, you should: 1. Install FreeBSD 4.5 or later on a computer with an Intel Pentium microprocessor. There is considerable documentation available on the web – start with http://www.freebsd.org/. 2. Install the version of Rotor on the CD-ROM included with this book, or the current version downloaded from the web site. To use the distribution, you will need to unzip and untar the package into a directory, at the pathname ${ROTOR_DIR}. Most (but not all) of the source code is in the clr directory. As the included documentation describes (see ${ROTOR_DIR}/docs/index.html), you can build Rotor by executing the appropriate version of env.<shell>, then the build script. 3. Run the provided tests to ensure that you have your installation working properly.
1.7
Exercise Suggestions
In many cases, you may wish to explore HPCC DVM technology further. Here are some exercises that you can solve to help you learn about HPCC DVM technology. 1.7.1 Lab Exercise: Using PVM Successive overrelaxation (SOR) is a method to solve linear n × n systems of equations, Ax = b. Given the n × n coefficient matrix A, the right-side vector b, and an initial estimated solution vector x, the algorithm recomputes each of the n different xi based on the xj (i ≠ j), A, and b. SOR works by rewriting equations. Notice that the original n equations are written as follows: a11x1 + a12x2 + ... + a1nxn = b1 a21x1 + a22x2 + ... + a2nxn = b2 ... an1x1 + an2x2 + ... + annxn = bn By rewriting the equations, we can arbitrarily use the ith equation to solve for xi, that is: xi = (bi - ai1x1 - ai2x2 - ... - ainxn) / aii. Now you can implement SOR on an n-process system by defining n different PVM processes (all running the same program) where the ith process computes xi using the rewritten equation. Implement a SOR solution using PVM. You can also solve this exercise using the OSF DCE or Beowulf.
Figure 1-11 and Figure 1-12 is a small illustration of PVM code abstracted from an example in the PVM 3.3 documentation [Geist et al., 1994]. SPMD is a distributed computation paradigm, meaning several processes execute the same procedure (“SP”) on multiple data streams (“MD”). Each host machine in a set of PVM hosts executes the code shown in the figures to pass a token from one host to another. #define NPROC 4 #include “pvm3.h” main() { int mytid; /* my task id */ int tids[NPROC]; /* array of task id */ int me; /* my process number */ int i; mytid = pvm_mytid(); /* enroll in pvm */ /* Join a group; if first in the group, create other tasks */ me = pvm_joingroup(“foo”); if(me == 0) pvm_spawn(“spmd”, (char**)0, 0, “”, NPROC–1, &tids[1]); /* Wait for everyone to startup before proceeding. */ pvm_barrier(“foo”, NPROC); /*––––––––––––––––––--------------------------------------–-*/ dowork(me, NPROC); /* program finished leave group and exit pvm */ pvm_lvgroup(“foo”); pvm_exit(); exit(1); }
Figure 1-11: The SPMD Computation in the PVM Main Program dowork(int me, int nproc) { int token; int src, dest; int count = 1; int stride = 1; int msgtag = 4; /* Determine neighbors in the ring */ src = pvm_gettid(“foo”, me-1); dest= pvm_gettid(“foo”, me+1); if(me == 0) src = pvm_gettid(“foo”, NPROC-1); if(me == NPROC-1) dest = pvm_gettid(“foo”, 0); if(me == 0) { token = dest; pvm_initsend(PvmDataDefault); pvm_pkint(&token, count, stride); pvm_send(dest, msgtag); pvm_recv(src, msgtag); printf(“token ring done\n”); } else { pvm_recv(src, msgtag); pvm_upkint(&token, count, stride); pvm_initsend(PvmDataDefault); pvm_pkint(&token, count, stride); pvm_send(dest, msgtag); } }
Figure 1-12: The SPMD dowork Function in PVM
1.7.2 Lab Exercise from [Nutt, 2004]: Using Remote Procedure Call This exercise can be solved using the Sun RPC mechanism. This package is implemented in a number of operating systems, including Solaris and Linux. You can see [Nutt, 2004] and/or web documentation for additional background information. This exercise uses the Sun RPC package to manipulate structured data on a server machine. First, you are to write a program that generates a stream of structured data records each of the form: { struct timeval; char *; }
so, for example, a record might look like this: { { 1016305702 40184 }; “This is a string” }
Using the Sun RPC package, construct three remote procedures in a common module that will execute on a remote procedure server machine: int openRemote(char *file_name); int storeRemote(int my_file, struct struct_t record); int closeRemote(int my_file);
The openRemote() procedure opens a named file on the server. The closeRemote() procedure uses the return value from openRemote() to close a specified file. The storeRemote() procedure should be called once for each record that is generated, causing the record to be stored in an open file on the server machine. Your client program should generate at least 25 records (containing random, but recognizable data), using the three remote procedures to store this in a file on a server machine. Your solution should work on a single machine, and on two machines interconnected with a network.
Background Sun RPC is based on the client-server model (the Remote Procedure Call Programming Guide is available at many different URLs on the WWW; consult any copy that is easily available to you). The idea is to create a server running on a remote machine that is able to call procedures on behalf of a thread on a local machine. The Sun software was designed to be used internally in the implementation of NFS. It was originally released with a low and an intermediate level API. The low-level functionality allows a programmer to be able to implement very general forms of shared computing between the client and server, although it is more complex to use than is the intermediate layer API. The intermediate layer is an abstraction of the low layer that enables an application programmer to implement a form of RPC without the extra features possible in the low layer API (for example, there is a signal-like facility in the low-level API that is not available in the intermediate layer). An advantage of using the intermediate layer (compared to the low layer) is that you do not have to learn any details about forming IP addresses, using sockets, and so on. The low-level API was not generally intended to be used by application programmers unless they intended to learn the details of UDP/TCP network protocols and required specialized features. If you write code using the low-level interface, then you will be explicitly managing sockets and transport layer protocols.
The intermediate layer API implements most of the concepts shown in Figure 1-8. However, an important feature it does not implement is one that makes remote procedure calls transparent to the client application. That is, all remote procedures are invoked by calling a single client stub program–– callrpc()––explained below. A few years after the intermediate layer API had been introduced, Sun released a third layer (generally called the rpcgen level API rather than the “high level” API). This highest layer API implements transparency so that local and remote procedure calls have the same appearance in the calling program. The rpcgen level accomplishes this using a source code generation tool (the rpcgen program). The programmer writes a high-level language specification of remote procedures––think of it as an function prototype on steroids––that rpcgen uses to generate programspecific source code for both the client and the server. You can provide a solution to this laboratory exercise using the rpcgen level. In all levels of the API, the client machine runs an application program that uses a client stub. In the intermediate layer implementation, there is a single stub even if the application program calls more than one different remote procedure. In the high-level API, the rpcgen program creates a separate client stub for each remote procedure––much more like the schematic shown in Figure 1-8. The server program (or “server stub”) is constructed manually in the intermediate- or low-level approaches, and it is automatically generated from the rpcgen specification in the high-level approach.
The Server Organization The server program defines a persistent single-threaded process that will initialize and then run until it is halted by some external action (such as an operator terminating it). As different clients call the RPC server, it accepts a request, calls its local version of the procedure, returns the results to the client, and then waits for another request. If a client calls while the server is busy with a previous client request, the second client waits for the first to finish before it begins. The server code first sets up a name service for the client to locate the server that can execute a particular remote procedure; this is called remote procedure registration. Once a remote procedure has been registered, a client can then find the remote procedure server by consulting the name service. In the simplest case, the registration is done only on the server machine, requiring the client to know the DNS name of the RPC server. After the server has registered its remotely callable procedures, it will begin waiting for RPC requests. When a request arrives, the server unmarshalls the details of the call (the procedure identification and arguments), makes the local procedure call, and then marshalls results and returns them to the client (stub). Sun designed its RPC package to allow multiple remote procedures to be packaged together in a single RPC program. This allows the single server thread to call different remote procedures, allowing those procedures to work in the same address space on the server. There is an additional, important consideration in providing support for RPC. Once an RPC program is deployed, it is expected to run for an indefinite period of time. Further, any number of client programs ought to be able to depend on the remote procedure once it has been made available. Suppose the procedure implementation contains a minor bug, or a programmer creates a newer version of the procedure that has additional features. Some of the clients using the existing version will not want to upgrade to the newer version, since it might require some client programming to take advantage of the newer features. Other clients may require the new version if it does, in fact, repair a minor bug. Because of these possibilities, Sun designed the RPC facility so that it supports multiple versions of each remote procedure. That is, there can be different remote procedures that have the same RPC program and remote procedure name, but different version numbers. This means that whenever a client looks up an implementation of its remote procedure, it has to know the remote procedure name, the RPC program name, and the version number. That is, the RPC server program distinguishes among implementations by (remote_procedure, RPC_program, version). In implementing a particular remote procedure server, the designer first decides which remote procedures will be implemented. Suppose the server is to support n different remote procedures named RP1, RP2, …, RPn all with the same version number (RPCPROGVERS) in a particular RPC program (RPCPROG). RPC program numbers less than 0x4000000 are permanently reserved by the system. Applications (including your solution to this laboratory exercise) use a randomly selected program number that is greater than 0x4000000. Then the main program will have the form:
main(int argc, char *argv[]){ register SVCXPRT *transp; /* Register the remote procedures with the name service */ transp = svcudp_create(RPC_ANYSOCK); if(!svc_register(transp, RPCPROG, RPCPROGVERS, RP1, IPPROT_UDP)) { fprintf(stderr, “%s”, “unable to register (X, X), udp).”); exit(1); } transp = svcudp_create(RPC_ANYSOCK); if(!svc_register(transp, RPCPROG, RPCPROGVERS, RP2, IPPROT_UDP)) { fprintf(stderr, “%s”, “unable to register (X, X), udp).”); exit(1); } … transp = svcudp_create(RPC_ANYSOCK); if(!svc_register(transp, RPCPROG, RPCPROGVERS, RPn, IPPROT_UDP)) { fprintf(stderr, “%s”, “unable to register (X, X), udp).”); exit(1); }
/* Turn control over to a library routine that makes the calls */ svc_run(); fprintf(stderr, %s”, “svc_run returned”); exit(1); /* Should never reach this point */ };
Before the server can register a remote procedure, it must open a UDP socket that will be used by the client machine to address the server. This is done with the intermediate-level function call svcudp_create(RPC_ANYSOCK)
This RPC library function creates a UDP socket at the server end that will be registered with the remote procedure name. The svc_register() procedure can then register the procedure. In this function, if the last argument specifies a protocol number (IPPROT_UDP in the skeleton), then the socket is registered for external use with the server OS port manager, called the portmapper. This allows clients to discover the port on which the RPC procedure is registered by using the server’s portmapper as well as the more general network name server (provided the client knows the name of the machine running this server code). If you study this code skeleton, you can see that it is made up of a collection of recurring “templates” to register each remote procedure using svc_register(). By “template,” it is meant that you could copy the seven lines of code that begin with the svcudp_create() call and then paste them below to create another procedure registration (you would then have to change the remote procedure name in the new seven-line code instance). The second part of the server main program is the three-line block of code in every RPC server that calls svc_run() without ever returning from the call. The svc_run() function is another library function that implements a canonical server loop: svc_run( … while(1) { /* Blocking read on transport socket */
read(…); /* Now we have a RPC request */ switch() { case 0: /* issue an error */ case RP1: /* call RP1 */ case RP2: /* call RP2 */ … case RPi: /* call RPi */ svc_getargs(…); /* Unmarshall the arguments */ rp_i_svc(…); /* The local procedure call */ svc_sendreply(…); /* Marshall the args, return */ break; … case RPn: /* call RPn */ default: } /* Should never reach this point */ };
The main tasks are to wait for an RPC request from a client and then perform the call according to the number of the remote procedure being requested. We have left out all the details of how arguments are handled, although that is discussed below in the subsection about External Data Representation. In this code skeleton, you can see that after the RPC request arrives, the arguments are retrieved from the request and used to make the procedure call in the server. When the procedure returns, the results are packaged into a UDP packet and then returned to the client caller. This code––the registration and svc_run() function––define the server stub.
The Client Organization The client program will consist of application-specific code along with a call to the client RPC software–– the client stub. Sun RPC exports interfaces to other high-level languages, but the original API and implementation were all done in C––the explanation is all based on C. The general framework again corresponds to the one shown in Figure 1-8 As mentioned above, the intermediate level RPC package does not support transparency. For example, to call RPi at the server, the application code would have the form: #include <rpc/rpc.h> … main(int argc, char *argv[]) { int result; … /* Call RPi */ result = callrpc(rpc_host_name, RPCPROG, RPCPROGVERS, RPi, …); if(result != 0) { clnt_perrno(result); exit(1); } }
First, the intermediate-level RPC interface presumes that the application programmer is able to determine the name of the RPC server (rpc_host_name in the code fragment) without using a name server. In a simple case, such as this laboratory exercise, the server host name can be specified to the client via command line parameter or input data (for example, read using scanf()). In a production environment, the application programmer would have to confer with a name server to determine the name of the RPC server. The remote call itself––the callrpc() library function call––also specifies the (remote_procedure, RPC_program, version) that is used by the server.
The elided arguments in the callrpc() call are the details for transmitting arguments and for receiving results passed as arguments. The server-side functions, svc_getargs() and svc_sendreply() (in the svc_run() function above) process these argument lists according to the argument number and types for the particular remote procedure. These are specified by the programmerdefined external data representation (discussed next). We will describe how the rpcgen tool allows the application programmer to use the local procedure call interface after we consider the external data representation.
External Data Representation In a remote procedure call, it must be possible for an application program (executing on one machine in a network) to call a procedure in another, possibly different type, machine on the network. For example, a machine that uses one representation of data must be able to pass an argument to another machine that uses another representation of the same data. This means that integers, floating point numbers, strings, structures, and so on, must be converted from the representation used in the calling machine when arguments are passed to the server. And when results are returned from the server, they must be converted into the form expected by the client software. This is handled by adding one more piece to the RPC mechanism––the External Data Representation conversion mechanism (abbreviated to XDR). As shown in Figure 1-13, the client stub uses the XDR conversion library code to translate the data representations used in the client machine into an RPC-specific data representation (XDR). The client stub then transmits the RPC request to the server with the data in the RPC-specific format. When the request is processed by the RPC server, it converts the arguments from XDR into the internal format used by the server computer. This is a primary task of svc_getargs() shown in the svc_run() code fragment. After the procedure call has completed, svc_run() calls svc_sendreply(), which converts the results into XDR and transmits them back to the client. The client stub software uses the XDR conversion mechanism to convert the results into the client machine format before returning the results to the client application. Client
XDR Spec XDR XDR conversion conversion
Network XDR Transmit
XDR XDR conversion conversion
RPC Server
Figure 1-13: XDR Conversion The Sun RPC package provides XDR specifications for various argument types. For example, if the remote procedure takes a single integer argument, the built-in XDR function, xdr_int(), provides the necessary specification used by the XDR conversion tool. Other built-in XDR specifications handle long, short, char, and their unsigned versions, as well as a few others. Now let’s suppose that the remote procedure, RPi, passes a single character argument and returns an integer result. Then the client code fragment shown above would call the remote procedure with this statement: /* Call RPi */ result = callrpc(rpc_host_name, RPCPROG, RPCPROGVERS, RPi, xdr_char, &arg, xdr_int, &result);
That is, the last four arguments to callrpc() describe the XDR conversion specifications. The general form of the call is that the fifth argument is the name of an XDR specification for the argument list (which is the sixth argument to callrpc()); similarly, the seventh argument specifies the XDR specification for the return value and the eighth argument is a pointer to the results. Suppose you want to transmit multiple arguments or receive multiple results, or that your single argument is not one of the built-in types. In this case, you will need to write your own XDR specification. Here is an example from the Sun documentation. Suppose the argument is of type struct simple { int a; short b; };
Then you would need to define a new XDR specification by defining a C function named, say, xdr_simple(), as shown in this code fragment: #include <rpc/rpc.h> … xdr_simple(XDR *xdrsp, struct simple *simplesp) { if(!xdr_int(xdrsp, &simplesp->a)) return(0); if(!xdr_short(xdrsp, &simplesp->b)) return(0); return(1); }
That is, the XDR routine should return 0 if it fails, but 1 if it succeeds. This XDR routine is used by a statement such as: /* Call RPi */ result = callrpc(rpc_host_name, RPCPROG, RPCPROGVERS, RPi, xdr_simple, &arg, …);
XDR specification programs can be arbitrarily complex; for example, they can have embedded structures (as required to solve this laboratory exercise). Consult the online remote procedure call programming guide for more details.
The Stub Generator: rpcgen The callrpc() style interface and many of the mundane details of XDR have a very regular set of tasks to handle. The Sun RPC developers recognized that they could make RPC much easier to use by creating a programming tool to generate client-side and server-side code. Further, these generated client stubs could then be given conventional function names that would look just like any local function, but when they were called, they would execute the stub code to make the remote procedure call. The programmer must write a specification of the remote procedures and their arguments, but once the specification is written, the rpcgen tool would create three files. When a programmer uses rpcgen, three files will be automatically created. Figure 1-14 shows the files and their relationships to one another. The rproc.x is the specification file; its purpose is to provide enough information to rpcgen to allow it to generate the three C source code files. The generated files are all named using the base filename of the .x file; that is, if the rpcgen reads a file named foobar.x, it will create three files named foobar.h, foobar_clnt.c, and foobar_svc.c. These files contain C source statements corresponding to the “template” code in the server and as a corresponding “template” on the client side (the client stub program).
main.c main.c
rproc.x rproc.x
rproc.c rproc.c
rpcgen
rproc_clnt.c rproc_clnt.c
rproc.h rproc.h
rproc_svc.c rproc_svc.c
C compiler
C compiler
RPC RPCclient client
RPC RPCserver server Figure 1-14: The rpcgen Files
Your solution to this problem requires that you know the details of Sun RPC programming. The background information in this exercise provides you with the minimal amount of information you will need to solve the problem. You can find more discussion and examples of RPC programming in two excellent programming guides that were originally produced by Sun, but which are now located in various places on the Web: • rpcgen Programming Guide • Remote Procedure Call Programming Guide To find a copy of these guides, do a search on the programming guide name.
2
Second Generation DVMs
Prior to the emergence of the World Wide Web (“the Web”) in the early 1990s [Berners-Lee, 1996], almost all attention in distributed computation support was for software that solved scientific problems – problems that demanded the highest performance possible from the hardware, and that was typically compute-bound. Since that time many people have begun to use web browsers and other tools to access information over the public Internet. This form of distributed computation is intended to allow clients to read information from content server machines using widely-accepted file formats (html or xml) and protocols (http). This new distributed application domain is not as focused on high performance as is the HPCC domain, but much more directed at effective information (or content) distribution and exchange. That is, people who browse the web would like to have all the information that is stored on the web be instantly available at their web browser. This includes information that could be created as a result of a web request, for example, the response to a query such as “how many widgets did Salesman Jones sell in Detroit in July?” Electronic commerce (“e commerce”) and other application domains are common companions/extensions of content distribution applications, so we generally characterize this technology area as web-based computation and communication (WBCC)1 to illustrate a relationship to (but a distinction from) HPCC. By 1995 Java had emerged as a new, powerful programming environment that was well suited to the WBCC domain. In the Java context, an application program uses the abstractions provided by the Java Virtual Machine (JVM), an alternative DVM compared to those introduced in Chapter 1. Most of the details for how distributed software is managed are encapsulated within a set of cooperating JVM instances: A collection of JVMs export a distributed virtual machine capable of supporting distributed programming. As illustrated in Figure 2-1, a DVM is distinguished from a conventional virtual machine in that it provides an abstraction for distributed computation rather than for single-machine computation [Sirer et al, 1999][Beck, et al., 1999]. Despite their significant differences, DVMs for HPCC and WBCC share several approaches and technologies. The figure is intended to illustrate that almost every DVM exports basic file transfer (such as ftp), remote procedures, and other facilities. An HPCC DVM typically exports messagepassing interprocess communication (IPC) mechanisms, shared memory, scheduling, load balancing, and other related features. On the other hand, a WBCC DVM provides support for objects, structured data, dynamic loading, security against loading foreign objects from an arbitrary web source, and so on. Generally, the two different styles of DVM can be supported on the same OS (such as Windows or UNIX).
HPCC
WBCC •File transfer •Remote Procedures •…
•IPC model •Shared memory •Scheduling •Load migration •…
•Object model •Dynamic loading •Security •Content delivery •…
DVM OS
OS
Conventional Computer
Conventional Computer
Figure 2-1: HPCC and WBCC Distributed Virtual Machines
1
“Web-based computing and communication” is not a name that is generally recognized in the discipline, but we have chosen to use it to emphasize its relationship to the widely recognized NSF HPCC designation
After a few years of experience with Java and JVM, people began to see both the power behind the JVM, and also some limitations. Java continues to evolve so that it can better support distributed computations in the Web/Internet domain. In 2001 the Common Language Infrastructure (CLI) and C# programming language emerged as an alternative technology. The CLI is derived from Microsoft’s Common Language Runtime (CLR), a technological and commercial competitor with Java and JVM, but the CLI application programming interface (API) is a publicly-available ECMA and ISO/IEC standard [ECMA-335, 2002]. This chapter is about the evolution of WBCC during the last half of the 1990s – from the deployment of the web and the introduction of Java, up until the introduction of .NET. By 1997 there were many users transferring files across the public Internet – orders of magnitude more users and network traffic than that due to HPCC. Entrepreneurs observed a marketing opportunity: Here was a consumer medium that had literally millions of observers. The question in the “.com” circles was “given that there are so many people using the Internet for file retrieval, how can I make money in this situation?”. It is interesting to note that in this environment, three quarters of the file requests were for perhaps a dozen server sites. System designers recognized that in this case, file caching would be critical to overall performance. As a consequence, almost every web browser caches a copy of recently visited files. Entrepreneurs began to build systems that handle file caching across the public Internet (see the squid web cache at http://www.squid-cache.org/ for discussion of how these things work). In the commercial world web cache or web proxy computers were used by Internet Service Providers (ISPs) to cache files at various remote sites. Then whenever one of the ISP’s (paying) clients fetched a file, a copy of the file would be kept on the ISP’s web cache machine. Since most requests are to a relatively small number of files, if another customer (or the same customer) requests a cached file, it is delivered from the ISP’s web cache rather than from the distant content server. This eliminates the need for the file to be copied across the Internet more than once. Of course the downside is that the web cache must be large in order to benefit from repeated file read requests, and as the file sits in the web cache, changes to the content at the content server are not reflected in the cached file copy. File caching is not appropriate for situations in which the information is dynamic, such as for stock quotes. File transfer is a degenerate distributed computation: The two parts of the computation take on classic client and server identities. A unit of service is provided with a single request, but there is no further application level interaction. In general, after the client requests the file, it suspends itself until the file begins to arrive. On the server side, the server blocks until it receives a file transfer request. HPCC DVMs provide facilities that enable part of a computation to be performed on one machine, and another part of the computation on another machine. This is also desirable in more sophisticated WBCC applications, since it allows two machines to cooperatively work on a task, rather than having either do all the work. In the WBCC domain, the motivation is often response time, rather than raw performance improvement. For example, Java developers demonstrated the power of their approach by showing how an HTTP file could contain a small block of code to perform an animation sequence (without interacting with the server), once the file was downloaded. Today, people who distribute content on the Internet make heavy use of these Java applets to distribute simple tasks such as animation, query dialogues, and so on. We will discuss applets in more detail in Section 2.1. The requirements for WBCC continue to evolve. This is evident in the continuing development of Java and its related software, in the Microsoft .NET initiative, and in the spectrum of other software for remotely executed scripts and plug-ins. This next wave of applications is built on a broader target domain than the first generation of web applications. Most people agree that the first significant part of the evolution is from the HTML file format to the newer XML format. XML can be viewed as an extension of HTML, providing additional tags to enable more comprehensive specification of file content structure and computation. XML has been widely embraced as a data format for information transfer in evolving WBCC applications. Many industry leaders have predicted revolutionary new environments in which consumers will use their computers, ranging from Bell and Gray’s digital immortality idea [Bell and Gray, 2000], to Sun’s Jini vision [Sun, 2003], to Microsoft’s .NET ideas. We expect that the next generation of WBCC support needs to be able to support most of these known ideas, as well as others that have yet to be invented.
HPCC defined the first generation of DVMs during the 1980s and 1990s, and Java established a new style of DVM that is well-suited for WBCC. Here are some comparisons and contrasts between the DVMs used for HPCC and WBCC distributed system domains. First, the contrasts: • The primary motivation for HPCC comes from the desire to execute compute-intensive algorithms as fast as possible. On the other hand, WBCC has evolved to support interactive and diverse content delivery over the public Internet – generally I/O-intensive computation. • HPCC applications are designed to run in small to medium scale parallel platforms, for example up to 1,000 processors. WBCC applications are intended to be used, potentially, by many thousands of machines (for example, the CNN web service is expected to have thousands of clients accessing their content at any given moment). • Software styles vary considerably between the two domains. The dominant programming language in HPCC is High Performance Fortran, whereas WBCC languages are object-oriented languages (C++, Java, and now C#). • The granularity of information exchange among the constituents of a distributed application tend to be much smaller in HPCC than in WBCC. This manifests itself in that the primary IPC mechanism in HPCC is message passing – to exchange small amounts of information and to synchronize operation. WBCC information exchange tends to be in terms of files. Despite this sweeping generalization, HPCC applications often use file-sized information transfers, and WBCC applications often use message-sized IPC. • HPCC applications tend to be homogeneous, meaning that data partitioning is particularly effective in some of these types of applications (such as a numerical optimization problem). In WBCC applications temporarily assign a computation to a host machine, then the functionality is deleted after it has been executed. • HPCC applications are often execute in a closed environment where secure information exchange is not a major issue. On the other hand, WBCC computing uses the public Internet, so any proprietary information that is exchanged among constituents must be protected. Further, the system must provide appropriate authentication and authorization facilities as a normal course of operation. Even with these differences, there are still similarities between the two domains, particularly in some of the underlying technology: • Both domains strive to build network abstractions that can use widely-available network protocols (TCP or UDP over IP). Programmers in both domains can make good use of an efficient distributed shared memory implementation. • Though remote procedure call is not a high performance approach, it is widely used in both HPCC and WBCC domains. Generalizations of remote procedure call that allow the system to perform runtime procedure binding are very important in both areas, and as we shall see, a major contribution of the CLI. • Distributed file systems have quickly established themselves as an invaluable platform mechanism. Both domains incorporate some form of distributed file system. The introduction of Java (May, 1995) was a landmark event in the evolution of this class of software. Java was a new, type safe programming language that could allow applets to be executed inside a conventional web browser. This required that the browser incorporate a DVM capability – the JVM [Lindhom and Yellin, 1997]. Soon other developers created more software that used some of the Java/JVM ideas, and new ones of their own. The web browser – Netscape Navigator or Microsoft Internet Explorer – became the client software environment to host the execution of applets, plugins, scripts, and so on. According to the web page celebrating its third birthday (http://java.sun.com/features/1998/05/birthday.html), the Java effort began as a programming language for the Green Project. This project was an experimental project at Sun to consider future directions in digital devices. The group built a prototype of a mobile, interactive, home-entertainment device named “*7” that could be used to control a TV, VCR, or other electronic devices. The language, initially called “Oak,” was just one part of the development project.
From the beginning, Java was intended to be a language for network programming. After its use in *7, the team realized that Java could be a useful internet programming language – particularly because it was designed explicitly with the idea of having objects interacting with one another over networks. Java developers embraced the idea of applets because they recognized that the underlying internet technology could easily deliver content using FTP, TCP, UDP, and other protocols. Though Java was not built to support classic distributed programming, would it be useful in that context? As you examine various aspects of Java below, you will recognize that most of the mechanisms are in place to support high performance computing, though they are all aimed at content distribution. In February, 1998 ACM sponsored a research “Workshop on Java for High Performance Network Computing” (see http://www.cs.ucsb.edu/conferences/java98/program.html). The program provides a convincing argument that Java is, indeed, appropriate for the classic distributed programming problem domain.
2.1
Mobile Code
Earlier we mentioned the Java/JVM demonstration of a web browser that was able to download a file, then to have the client execute code from the file to create an animation sequence. The Java team built a web browser, first called Web Runner, then HotJava®, in which they could execute Java applets (see Figure 2-2). The idea is that Web Runner incorporates a copy of the JVM capable of interpreting a Java program. As with all other HTML files, the server downloads the file to Web Runner (using the HTTP file transfer protocol). All of the information in the HTML file is tagged, since it is a markup file. In particular, a reference to the Java code is tagged so that the Web Runner can identify it and route it to the JVM. All other information is passed to the normal HTML interpreter in the Web Runner.
Server
Client Process Web Runner Other HTML JVM
Web Service
Java Applet
Figure 2-2: Java Applets Here is a description of the HTML applet tags from online (http://java.sun.com/docs/books/tutorial/applet/appletsonly/appletTag.html): <APPLET CODEBASE=URL of the directory containing the applet CODE=applet filename … >
…
Sun
documentation
The JVM uses the location, filename, and parameter information to download the applet from a local directory or network server, then to execute the applet using the parameters specified in the
tagged field within the <APPLET> field. Once the code has been loaded, it can then perform the animation sequence without interacting with the web service – a clever form of distributed programming where the client’s code is downloaded in conjunction with the file, then discarded with the file is discarded. Let’s consider cases where the applet could be designed to accomplish more complex interactions between the client and server. A transaction is an exchange between a client and a server composed of multiple message. For example, a transaction with an airline reservation agent requires that you interact to find a flight, to determine the price of a ticket, to purchase a ticket, to reserve a particular seat, and to pay for the ticket. The transaction is not completed until all the individual interactions have been completed. The applet idea can is especially useful to support transaction-based computations. As shown in Figure 2-3, the applet program is downloaded during phase 1 of the transaction, then during phase 2, the applet interacts with the server using a specialized server-applet protocol. Again, the applet only resides in the web browser while the transaction is in progress, then it is discarded. Since the applet is intended to work only with a particular service, it can be optimized for that particular type of transaction. Now you can see that the server could even (dynamically) delegate an entire computation to a client – one that used the web browser human-computer interface to present information derived by the applet and service. Server
Client Process Web Browser
1
JVM Java Applet
Service
2
Figure 2-3: Interacting Applets Applets were an immediate and significant success. They enabled a web browser to temporarily become a remote extension of a computation whose main part was executing on the server. The term “applet” is associated with Java; since this idea is also used in many other systems, including the CLI, we will refer to this style of software as mobile code – code that is dynamically loaded into a client machine only when it is needed.
2.2
Objects
Object-oriented (OO) programming emerged as a popular model for defining computations at about the same time that WBCC emerged as an important application domain. In general, OO programming is intended to offer the advantages of abstract data types (hidden implementation of a public interface), while providing an inheritance/polymorphism model to stimulate the reuse of software. OO programming did not immediately succeed in its promises, probably because the technology was over hyped, and partly because there was a dearth of useful base classes to serve as the foundation of reusable software. Within a few years, OO programming began to mature as programmers learned to design class hierarchies for a commercial environment, OO languages stabilized, and as appropriate base classes were designed to support useful application domains. The C++ Standard Template Library provided a set of base classes that clearly demonstrated the utility of OO programming [Musser and Saini, 1996]. Java and its class hierarchy firmly established OO programming as a preferred WBCC technology. Most developers had essentially shifted their web-based application programming environments to OO environments by 2000.
An object relies on messages (referred to as method calls in some OO programming languages) as the exclusive2 means of interaction with other objects (see Figure 2-4). Every class exports a public API so that when an object is instantiated from the class, external code (such as another object) invokes a public method by branching indirectly through the object’s method table. The figure shows a “client object” invoking method #i in a “server object.”
Object Object
Method Table Method #i i
Info Info
Figure 2-4: Referencing Information in Another Object Objects are a fundamental building block in the distributed computation model. The DVM provides a mechanism to allow an object on one machine to issue a message to (invoke a method on) another object located on a remote machine. As shown in Figure 2-5, this can be done by creating a client stub and a server proxy as program-specific aspects of the DVM. Once these two mechanisms have been setup, the local object sends a message to its client stub, which (like an RPC stub) marshals the OO message into a network message and transmits it to the server proxy on the appropriate remote machine. The server proxy unmarshals the method invocation message, then invokes the method on its local copy of the targeted object. Results (and even exceptions) are returned through similar cooperation between the client stub and server proxy. Notice that this remote method invocation (RMI) is remarkably similar to the RPC design shown in Error! Reference source not found..
Object Object
Remote RemoteObject Object Client ClientStub Stub
Network
Remote RemoteObject Object Server ServerProxy Proxy
Methods Method #i i
Info Info
Figure 2-5: Referencing a Remote Object
2
Some OO languages provide other mechanisms, such as class variables, for referencing information in another object.
CORBA The CORBA standard appeared in about 1990 as the first widely recognized specification for implementing distributed objects. CORBA (Common Object Request Broker Architecture) [Object Management Group, 2002.] is managed by the Object Management Group, a not-for-profit organization intended to define a standard for distributed objects. The goal of the CORBA specification is to define an architecture in which client software can reference remote objects, without being concerned about their implementation details (such as the language used to define the associated class). Further, object locations are transparent to the software that references a CORBA object. The Object Request Broker (ORB) is the underlying system that makes remote object references work (see Figure 2-6). It is responsible for implementing the request, network, and request delivery services at the client and object server ends of a session. The ORB exports an API ORB interface that is used by both the client and object server for general object management functions. In addition, the ORB provides an object adaptor to each object in the server. Each object adaptor is responsible for converting general ORB-style requests into the object implementation requests. For example, a C++ object adaptor would convert a CORBA member function invocation into a C++ member function call at the server. The ORB provides an interface definition language (IDL) to be used by the client software. When an object is created at a server, it exports its interface to the ORB. The ORB can then provide a CORBAspecific interface using the interface definition language (by creating a stub that can be linked into the client software). The details of the programmer-defined IDL interface are available at the object server through a matching IDL skeleton. When the client wishes to call a member function on a CORBA object, it calls a function in the interface definition language stub. The ORB then: • Translates the client request into its own format • Locates the target object server • Transmits the request to the server • Translates the request (using the object adaptor) so that it can be accepted by the object • Delivers the request to the object. Results of the call can be returned through a similar mechanism.
Client Client ORB ORBInterface Interface
Interface Repository
IDL IDLStub Stub Stub StubImplement Implement
Dynamic DynamicAPI API Dynamic DynamicStub Stub
ORB Core
ORB ORBInterface Interface Object ObjectAdaptor Adaptor
IDL IDLSkeleton Skeleton IDL IDLAPI API
Object Object Implementation Implementation
Figure 2-6: The CORBA Approach
Dynamic DynamicSkel. Skel. Dynamic API Dynamic API
CORBA also provides a dynamic mechanism that allows a client to determine an object interface at runtime. A similar idea is also incorporated into Microsoft DCOM objects. The idea is that the ORB keeps an interface repository that describes the interface to all the objects that it is managing. The dynamic interface binding mechanism queries the interface repository to determine the target object’s CORBA interface, then makes the call so that it complies with the interface. For programmers to use CORBA, they may define an IDL specification for remote objects, or use the dynamic stub facility (to determine the characteristics of remote objects at runtime). Once the interface is known to the client thread, it can then invoke methods on remote objects by calling the client IDL or dynamic stub. The significance of CORBA is that it is that it was the first comprehensive remote object package that worked in a commercial environment. Further, it works well enough to allow programs written in almost any procedural language to invoke member functions on remote objects that are written in a wide variety of languages. This requires that the client and the object server both include software to translate to and from the CORBA intermediate language, and that the client and server software be able to use the network to exchange communication. CORBA provided a proof that it is feasible to provide cost-effective remote object services. However, just about when CORBA began to enjoy commercial success, Java appeared, providing stiff competition for CORBA.
Java Remote Objects Java also supports remote objects (though it relies on all objects being implemented in Java). The idea is that the collective JVMs implement a slice of the CORBA functionality for heterogeneous distributed objects. An object can make itself accessible to other JVMs by being registered. That is, a Java application can decide that it wants to export some of its objects. It registers each such object with its local JVM through an appropriate JVM call. This causes these objects to be placed in a global name space within a domain. Other JVMs in this domain use the same global name space, so once an object has been registered, it can have its methods invoked by any client in the domain. Java RMI is not nearly as complex as CORBA, since the environment is homogeneous. Communication only takes place among Java programs via cooperating JVMs. This means that the registration of an object, and identifying an object that is in the global name space are the only unusual operations required to use RMI. Once the object has been loaded, say from a server to a client machine, then the server needs to be able to invoke methods on the client object. Notice that in this situation, the original client and server may change roles (see Figure 2-7). The original server is now behaving like a client, since it now issues a service request message to the object in the original client. The model is still client-server computing, but once the target object has been loaded into the client machine, it begins to behave like a server object.
Client
Server
Web Browser
1. Load Applet 2. RMI
Applet/Object
3. RMI result
Service Client Behavior
Server Behavior
Figure 2-7: Remote Objects – Servers inside Clients
Software Components Component technology is frequently associated with OO technology, but it is not necessarily dependent on OO programming. However contemporary components are defined and implemented in the context of OO systems. The phrase “write once, run anywhere” is the mantra for component programming. The idea is to create a software subassembly (possibly a collection of cooperating objects) – called a component – then to be able to dynamically use the component without recompiling it. Provided that the component has been built as a collection of objects, you can see that a component-based technology aggregates the collection of method tables to form its own public component method table. The table is a runtime data structure, that can be referenced by compiled methods as they execute. This enables a component’s functions to be reused without recompiling the component. As with OO programming, component technology promised a solution, but it was slow to deliver. A significant milestone in establishing components as a viable technology was the “gang of four” book on OO paradigms [Gamma, et al., 1994], even though it is not really about components per se. The important contribution was that a collection of classes could be defined to work together to implement some desired subassembly. The subassembly can then be reused in different applications. Today, components are an essential element of WBCC DVMs. Java supports components with the JavaBeans Component Architecture (for example, see http://java.sun.com/products/javabeans/). The CLI has a new component model that we will introduce in Chapter Error! Reference source not found..
2.3
The Execution Model
Java and C# are object-oriented programming languages that have evolved from the C and C++ programming languages. You will need to read language reference materials to see a comprehensive description of Java (see [Arnold and Gosling, 1996] for a complete definition) or C# (see [ECMA-334, 2002]). In the Java approach, the behavior of the DVM is defined by the language definition, base classes, and the JVM semantics. In the C#/CLI approach, there are three levels of abstraction, with the lowest level defined by the CLI specification [ECMA-335, 2002], the intermediate level being the .NET foundation class library definition, and the language layer defined by C# semantics. In particular, note that the DVM is language independent, supporting C++, J#, and other languages. Part of Microsoft’s motivation for building the CLI was to make it possible for objects written in various Microsoft languages to be able to interact in a CORBA-like way – updated to use contemporary virtual machine technology. Second generation DVMs use a similar execution engine model, summarized in Figure 2-8. In the Java case, when a source program is compiled, it is translated from Java into an intermediate language called the Java bytecode format. In general, this is called the intermediate language (IL) representation of the program. The IL can be thought of as a machine language for an idealized target computer – which, of course, is the JVM IL interpreter in the Java case. In the simplest case, when a Java class is to be instantiated and executed, the JVM interprets the IL for the class to execute the object’s methods. Interpreted execution is widely used in three different situations that are relevant to our discussion: When the program might be generated or otherwise defined on-the-fly; when program is to be executed on a variety of different computing platforms; or when the program is small and is to be executed a small number of times between changes (or downloads). All these situation apply to the Java application domain, particularly to Java applets. Therefore uses the interpretation approach for common execution. However, compiled code can usually be made to run faster than interpreted code. This means that if a method is to be executed many times, the interpreted IL will take much more time to execute than if the source program had been translated into the native machine language and executed directly on the hardware. Java popularized the idea of “just in time” (JIT) compilation, meaning that the IL is translated into the host machine’s native machine language, then executed directly rather than being interpreted (again, see Figure 2-8). The JVM always has the option of either interpreting the IL representation, or translating the IL into the native machine language and executing it.
Source Program
Language Language Compiler Compiler
Intermediate Intermediate Representation Representation
JIT JIT Compiler Compiler
Native NativeCode Code
Interpreter Interpreter
CPU Execution
Figure 2-8: Code Translation and Execution The CLI uses almost the same approach as shown in the figure. The primary difference is that the CLI never interprets the IL representation of the language. Instead it always JIT compiles the IL into native machine code that executes directly on the host computer. Now we have a better idea about how remote objects and mobile code can be implemented. As shown in Figure 2-9, a development machine is used to create the IL representation of a class. It compiles all of the methods in the class into a package containing the IL for each method. Once the IL has been generated, it is saved in a file. The file can now be copied from the development machine to any environment that requests a copy of the class code – recall how the <APPLET> tag is used in HTML interpreters that are Java-enabled. In fact, now the problem of deploying the code is no more difficult than file transfer. This file can by dynamic, say using HTTP, or manual using the OS remote file copy facility (such as FTP).
File copy, FTP, HTTP, … Source Program IL IL Representation Representation
Language Language Compiler Compiler
IL IL Representation Representation
JIT JIT Compiler Compiler
Interpreter Interpreter
Native NativeCode Code
CPU Execution
Figure 2-9: Mobile IL Execution In the WBCC context, we may be able to assume that all objects were written in the same source language, but be executed on different hardware platforms. This is because the IL representation is independent of any physical hardware platform characteristics. The Interpreter or the JIT compiler is responsible for translating the IL into executing machine language. This approach requires that the DVM be ported to various hardware platforms, but once it has been ported, then application programs can execute on any platform with only JIT compilation or interpretation.
2.4
Secure Operation
There are three distinct aspects of security in DVMs (see Figure 2-10): 1. Preventing mobile code that comes from an untrusted source from executing on the client machine 2. Preventing applets from unauthenticated, unauthorized access of client machine resources 3. Secure interaction between distributed objects. Client
Server
Process Web Browser JVM Applet/Object
2
1 Service
3
Figure 2-10: Security in a Second Generation DVM
Digitally Signed Mobile Code The first element of the security mechanism – marked number 1 in the figure – is to authenticate the source of the mobile code before it is loaded into the client machine. Considerable attention has been devoted to this problem in the commercial world. The general idea is that elements in the distributed environment are prepared to accept information from a remote location only if the information has been authenticated with a digital signature. The digital signature is an encrypted piece of information that assures the receiver that the sender is who it claims to be – authentication (see [Nutt, 2004]). Now, mobile code can be delivered with an associated certificate of authenticity, containing the service’s digital signature. The client software can inspect the certificate and either accept or reject the mobile code based on the identity the server that is attempting to load the mobile code. A message digest is a refinement of the digital signature. A message digest is a block of information called a “message” (such as server authentication information) that has been encrypted and transformed to a relatively small, fixed sized block of information. (In PGP, the message digest is 128 bits long [Zimmerman, 1994].) A message digest can be created from the applet, then be digitally signed, producing a robust certificate. This enables each applet to have a different digital signature – one that is dependent on the message content, yet easy to check.
The Sandbox Model Java and CLI code is specifically intended to run as mobile code in a network environment. A person using a web browser should be able to implicitly download a unit of the mobile code, have it execute on the client machine, then disappear into the night without the user even realizing that it ran. This scenario would be completely unacceptable if the mobile code behaved like a Trojan horse, for example reading or writing the client machine’s information without authorization from the host environment (such as from the web brower). Can the mobile code be trusted to execute in its downloaded environment with an assurance that it will not make unauthorized access to the host platform? Second generation and newer DVMs use the sandbox model for mobile code execution. The DVM assures its host software environment (such as the process that hosts the web browser, which hosts the DVM) that no mobile code has the ability to read or write information other than from its parameters and local variables. That is, the mobile code is like a child in a sandbox: It can do anything it likes inside the sandbox, but it cannot import things into the sandbox, nor export things out of the sandbox except as parameters to the mobile code.
OS and hardware technology use the idea of a process address space to assure that any thread executing within the process can neither read nor write memory addresses that lie outside the address space allocated to the process [Nutt, 2004]. The OS relies on hardware assistance (such as virtual memory mapping mechanisms) to ensure that threads never violate their host process’s address space boundaries. Can each unit of mobile code simply be assigned to a unique process so that when the mobile code executes, the OS and hardware prevent it from reading or writing the host software address space? Yes, it is possible, but it would be very slow [Wallach, et al., 1997]. Here is an alternative approach that is used in the JVM and CLI: The problem is to ensure that each memory reference emitted from the mobile code fall within a local address space for that mobile code – its sandbox. From a programming language perspective, memory is read when a variable name or expression appears on the right hand side of an assignment statement, and it is written to the address specified on the left hand side of an assignment operator. For example, in the statement a = b + c –100;
the memory locations assigned to the variables b and c are read when the right hand side of the expression is evaluated, and the memory location assigned to the variable a has the value of the expression written to it. When a program containing this statement is compiled, suppose that the compiler checks for type safety of the statement by ensuring that the type of the expression on the right hand side is the same as the type of the variable on the left hand side. If there is a type conflict, the assignment statement is a determined to be an error. Before this can be assured of working, the programming language must be a strongly typed language, meaning that the compiler can always determine the type of expressions and variables, and it never allows binary operations (such as assignment) among operands of different types. In this situation, programs can only store integers into variables of type int., or store a pointer to foo_type into a variable that is of type foo_type *. It is a compile time error to assign a pointer value (memory address) to any variable that is not of type “pointer to memory cell” – a void * type – which is not an allowed type in most of these languages. Also notice that since the compiler emits IL instead of machine code, type information can be left in the IL representation so that a downstream tool, such as an interpreter or JIT compiler, can test the validity of any software module written in the IL. When an object is instantiated in the DVM, it is referenced only by a type-checked reference (remember, no generic pointers are allowed). The compiler prevents the source code from performing perform arithmetic operations to a data structure referent – the referent can only be set by type-safe operations such as the new function that instantiates an object. Now, provided that the DVM only executes IL, then the strong typed language is sufficient to prevent an IL program from reading or writing information outside of its local address space.
Secure Data Transmission The third problem in Figure 2-10 is that of transferring information among remote objects using an internet (even the public Internet). Here second generation DVMs tracked the rest of network technology. They typically provide a set of supplementary tools that use traditional encryption/decryption approach (with digital signatures and message digests) [Nutt, 2004]. These tools are usually implemented in classes used by the heart of the DVM. This is one of the areas that has been greatly improved with the current generation of WBCC DVMs.
2.5
Threads and Active Objects
Objects can be thought of as being either active or passive objects [Booch, 1994]. An active object has its own thread of execution, but a passive object behaves like a set of functions that can be “called” by an active object. Every object-oriented program begins execution with one active object (corresponding to the main program). At the OS level, this means that the execution of all the objects “in the program” are executed by having that single thread in the process time multiplex across each of the objects that are logically executing. If the host system supports multiple threads per process, then each active object is allocated to a host system thread. If host system threads are implemented in the OS, then the OS scheduler multiplexes across the set of active objects by multiplexing across the threads.
A Java programmer can create a new thread by defining a subclass of the Thread base class, then by instantiating an object of the subclass. The thread has all the normal properties of user space threads: It shares code, but keeps its own context. Threads are multiplexed within the OS schedulable unit of computation (thread or process), though it would be possible to implement the base Thread class so that it used a kernel thread if the underlying operating system supported them. Creating an object whose base class is Thread starts the thread, but it does not define the nature of its work. The Thread class has a function named run(), that does not do any work. The subclass is expected to redefine the run() method with the encoded algorithm (that is, the program) that the thread is intended to execute when the thread object receives the message “new MyThread(…).start()”. Creating the thread object will not actually start it running – that must be done by sending the created object the start() message. public class MyThread extends Thread { public MyThread(…) { // The constructor } public void run() { // Insert the thread code here } }
There are other ways to define the run() method in the thread, the essential idea being that you can create a multithreaded application by instantiating an object from a class that inherits from the Thread class. You can define the code that the new thread is to execute by providing a definition for the run() method in your thread class. When the thread is running, it makes various calls to the runtime system. Any of these functions can contain a yield() call that will cause the OS thread to multiplex to another Java thread through the action of a scheduler in the JVM. This is the same way that C and POSIX threads are scheduled when they are implemented as user threads. The JVM scheduler uses priority scheduling. When a thread object is created, it inherits the priority from its parent. The priority can be altered through other calls into the runtime system, though the default is that it uses the parent’s priority. Thread synchronization uses a monitor-like approach (see Chapter 9 [Nutt, 2004]). Any method in a thread object can be marked as synchronized, meaning that the only one thread at a time can execute a synchronized method in an object. The synchronized keyword can also be used to lock every method in a particular object while an arbitrary statement is executed. Finally, synchronized methods can also use wait() and notify() (or notifyAll()) much like condition variables. If a synchronized method is in execution and the method determines that it cannot procede until some condition becomes true, then it calls wait(), releasing the lock on the method. Thus, multiple threads could block on a particular condition, each calling wait(). When some other thread causes the condition to change, it can call notify()to unlock the thread that has been waiting the longest, or notifyAll() to unlock all waiting threads. The C# and CLI approach is again similar: Base classes are organized into a set of hierachical namespaces, the root of which is called the System namespace. The System.Threading namespace contains the base classes related to creating an independent thread. Here is a C# program fragment that creates a new thread: using System; using System.Threading; // The worker thread class public class Worker { public Worker(int i) { …}; public void Launch() {…}; }
// Main program class MainApp { Thread *wThread; public static void Main() { Worker wt = new Worker(i); wThread = new Thread(new ThreadStart(wt.Launch)); wThread[i].Start(); … // Abort the thread wThread.Abort(); wThread.Join(); … } }
2.6
Lab Exercise: Writing C# Programs
This exercise is intended to give you some practice with C# programming (if you have never used the language before). This book does not provide enough information for you to learn C# from scratch; instead it provides enough information for a seasoned C++ or Java programmer to learn to write the programs. As with all new programming languages and environments you will need to consult the language documentation (the online MSDN documentation at http://msdn.microsoft.com/library/default.asp works well for this purpose). Depending on your previous experience with this class of languages, you may find it helpful to see [Richter, 2002] or another book that focuses on C#/.NET programming. Part A: Write a C# program that creates an 8-element list of integers, checks to see which are odd and which are even, changes their values and then repeats the odd-even test. If you compile and run the program, it should produce output similar to: 0 1 2 … 7
is an even number is an odd number is an even number is an odd number
(The numbers in the array have been changed) 1 is an even number 0 is an odd number … 6 is an odd number
Compile the program using the Rotor C# compiler (csc), then execute the resulting file using the Rotor clix.exe program. See the lab exercise for Chapter 1 for details about compiling and running your code. Part B: The following C program was written to generate a CPU load on a system that exports the Win32 API (Lab Exercise 1 in [Nutt, 1999]). This is a multithreaded program that places a synthetic load on the CPU. Convert this program to a C# program that uses the classes from the System.Threading namespace. You can reorganize the code a moderate amount to better fit the tools exported through the .NET namespaces (the .NET DVM). In particular, please use Abort() and Join() to terminate the child threads (rather than the runFlag shown in the C code). #include #include #include #include
<windows.h> <math.h> <stdio.h> <process.h>
#include
<stdlib.h>
#define TRUE 1 #define FALSE 0 static int runFlag = TRUE; void main(int argc, char *argv[]) { /* Prototypes */ DWORD WINAPI threadWork(LPVOID); /* Local variables */ char c = 'n'; HANDLE aThread; /* int i; int N; /* unsigned int runTime; /* _beginthreadex parameters */ LPSECURITY_ATTRIBUTES lpsa = NULL; DWORD cbStack = 0; /* DWORD fdwCreate = 0; /* DWORD aThreadID; /*
Child thread */ Number of threads */
/* default value */ default value */ Execute the thread immediately */ child's ID */
/* Get command line argument */ if(argc != 3) { fprintf(stderr, "Usage: cpuload
\n"); ExitProcess(1); } else { N = atoi(argv[1]); runTime = atoi(argv[2]); } /* Create N child threads */ for (i = 0; i < N; i++) { printf("cpuload: Creating child thread[%d]\n",i); aThread = (HANDLE) _beginthreadex ( (void *) lpsa, (unsigned) cbStack, (unsigned (_stdcall *)(void *)) threadWork, (void *) &i, (unsigned) fdwCreate, (unsigned *) &aThreadID ); Sleep(100); /* Let the new thread run */ } /* Wait while children work ... */ Sleep(runtime*1000); /* Time to halt */ runFlag = FALSE; printf("cpuload: Terminating at child threads …\n”); Sleep(5000); printf("cpuload: Base thread & process terminated\n"); }
DWORD WINAPI threadWork(LPVOID threadNo) { /* Local variables */ double y; const double x = 3.14159; const double e = 2.7183; int i, me, itCount; const int napTime = 500; // in milliseconds const int busyTime = 500000; DWORD result = 0; /* Announce existence */ me = *((int *) threadNo); printf("cpuload: Child thread[%d] alive\n", me); /* Create load according to parameters */ itCount = 0; while(runFlag) { /* Parameterized CPU burst phase */ for(i = 0; i < busyTime; i++) y = pow(x, e); /* Parameterized sleep phase */ Sleep(napTime); /* Write record to stdout */ printf("cpuload: Child thread[%d] completed iteration %d\n", me, itCount++); } /* Terminating */ printf("cpuload: Child thread[%d] terminating\n", me); return result; }
2.6.1
Background
Here is the sample “hello, world” C# …/sscli/samples/hello/hello.cs ):
program
from
the
SSCLI
distribution
(from
// ==++== // // // Copyright (c) 2002 Microsoft Corporation. All rights reserved. // // The use and distribution terms for this software are contained in the file // named license.txt, which can be found in the root of this distribution. // By using this software in any fashion, you are agreeing to be bound by the // terms of this license. // // You must not remove this notice, or any other, from this software. // // // ==--== using System; class MainApp {
public static void Main() { Console.WriteLine("Hello World!"); } }
As expected, the program looks very similar to the famous Kernighan and Ritchie program [Kernighan and Ritchie, 1988]. All of the SSCLI code has the comment header shown in this code example (though we will not always show it in our examples form the SSCLI distribution).. The System namespace is part of the .NET foundation class library (as opposed to the CLI). Nevertheless, the System namespace contains fundamental information required of every program that uses the CLI, including the base class for fundamental object behavior. You must tell the compiler that you want to use this namespace with the using System; directive. The MainApp class defines the main entry point for an application program – the object that will be instantiated when the CLI executes the code. In this example, there is only one method defined for MainApp, namely public static void Main(), which is the main entry point method for the initial object. By cutting and pasting this code (deleting the Console.WriteLine() method call) you will have a template for writing a simple C# program. The Console.WriteLine() method call – a call to the WriteLine() method in the Console class in the System namespace – writes the message to the console. Let’s take a look at another example. This program is part of the test suite for the SSCLI (you can find it in …/sscli/tests/perf/Xmlperf1.cs). It is another simple program, but it illustrates a few additional concepts for C# programming. // ==++== // // Copyright (c) 2002 Microsoft Corporation. // … // ==--==
All rights reserved.
// This is performance test for raw xml parsing speed. This is a realworld benchmark // for the quality of the jitted code using System; using System.Xml; class MainApp { public static void DoStuff() { XmlTextReader r = new XmlTextReader( "hamlet.xml" ); while ( r.Read()); } public static void Main(string[] args) { int iterations = (args.Length!=0)?Int32.Parse(args[0]):100; Console.WriteLine("Doing " + iterations.ToString() + " iterations"); int tstart = Environment.TickCount; for (int i = 0; i < iterations; i++) { int start = Environment.TickCount; DoStuff(); int end = Environment.TickCount; Console.WriteLine(i.ToString() + ". iteration [ms]: " + (end - start).ToString()); } int tend = Environment.TickCount; Console.WriteLine("Average [ms]: " + ((double)(tend - tstart) / iterations).ToString()); }
Since this code tests the performance for JIT compiled code to read XML, it uses the System.Xml namespace (in addition to the System namespace). The MainApp class now has two methods: DoStuff() and Main(). If you inspect the DoStuff() method, you will see that it creates a new object of type XmlTextReader – a type that is defined in the System.Xml namespace. How can you determine the details for this method? Look at its description in the MSDN online documentation. Go to the MSDN library web site and search for “XmlTextReader,” which will lead you to the documentation (after a couple of hops), including a C# example for how it is used. The while-loop reads the file until it encounters an EOF. The Main() method looks just like C (or C++ or Java) code, using another object of type Environment.TickCount to measure the performance (read the MSDN documentation to learn about this class). At this point you should be able to solve Part A of this exercise. You can use the information in “Attacking the Problem” for additional assistance.
Part B The solution to Part B follows the same general form as for Part A (the hello.cs schema). However, you will need to use the System.Threading namespace to solve this problem. Start by browsing the MSDN documentation for System.Threading, where you will discover that there is a namespace for System.Threading.Thread, which defines the .NET Thread class. The ThreadStart() method is used with the Thread constructor to define the entry point for the new thread (an address in the calling process’s address space). For example, suppose we had a class to define the behavior of a thread: public class MyThread { public MyThread(…) {…} public void DoTheWork() { … } }
Then another object can create a new thread to run an instance of MyThread by the following code fragment: MyThread mt = new MyThread(…); Thread nThrd = new Thread(new ThreadStart(mt.DoTheWork)); wThread[i].Start();
There is a whole collection of methods for each Thread object (see the MSDN documentation). These are used for control, synchronization, and so on. This information should be enough for you to solve Part B, though you can consult the next subsection for some additional guidance. 2.6.2 Attacking the Problem This section provides some additional information to solve the problems if you think you need it. First, here is a program skeleton for solving Part A:
Part A using System; // Main application for the assembly class MainApp { … public static void Main() { … // Create some numbers in an array …
// Scan the objects, changing odds to evens, and evens to odds for(i = 0; i < …; i++) { … Console.WriteLine("{0} is …", number[i]); // Scan the objects again, changing odds to evens, and evens to odds for(i = 0; i < …; i++) { … Console.WriteLine("{0} is …", number[i]); }
Suppose you wanted to write another solution to Part A that used more than one class. Here is a skeleton that uses a “number class” to show how to create your own new class. using System; // A very simple class public class Num { private int value; public bool isEven; public Num(int i) { value = i; isEven = ((i % 2) == 0) ? true: false; } public int incr() { … } public int decr() { … } } // Main application for the assembly class MainApp { … public static void Main() { Num[] number = new Num[MAX_N]; … // Create some numbers in an array … // Scan the objects, changing odds to evens, and evens to odds for(i = 0; i < …; i++) { … Console.WriteLine("{0} is …", number[i]); // Scan the objects again, changing odds to evens, and evens to odds for(i = 0; i < …; i++) { … Console.WriteLine("{0} is …", number[i]); }
Part B This is a code skeleton for my solution to the problem. You should try to solve the problem without using it. using System; using System.Threading; // The worker thread class
public class Worker { private int me; public Worker(int i) { me = i; } public void Launch() { … // Announce existence Console.WriteLine("cpuload: Child thread[{0}] alive", me); // Create load according to parameters … while(true) { // Parameterized CPU burst phase for(i = 0; i < busyTime; i++) y = (y + x/e) / x; // Parameterized sleep phase Thread.Sleep(napTime); // Write record to stdout Console.WriteLine( "cpuload: Child thread[{0}] completed iteration {1}\n", me, itCount++); } } }
// Main program to determine load parameters, launch threads, then terminate // them at the appropriate time class MainApp { … public static void Main() { … // Get command line argument … // Create N child threads … // Wait for threads to do their work Thread.Sleep(runTime*1000); Console.WriteLine("cpuload: Terminating child threads ..."); // Abort the threads … } }
3
.NET and the CLI: A Contemporary DVM
The JVM had an enormous impact on the formation of DVMs for the WBCC domain: • Mobile code provided an excellent, lightweight mechanism for configuring a particular distributed computation instance. • The sandbox model proved to be remarkably robust (though certainly not infallible, for example see [McGraw, et al, 1997]). • Late bound (JIT compiled) code is often a very effective in the WBCC environment. There were also important lessons learned from this early experience, including: • The mobile code distribution framework could be improved by providing more context for JIT compiling the intermediate language. • Mobile code solutions highlighted the need for better, more comprehensive forms of security [Wallach, et al., 1997]. • Scalability became an increasingly important issue in designing computations [Beck, et al., 1999] • When used in a distributed environment, it is important to distinguish between static and dynamic parts of the software [Sirer, et al., 1999] • With the potential for a very large number of users of mobile code, a full version management capability was needed (this was a lesson that remote procedure designers had incorporated into their systems from the beginning). • Application development could be improved with a more general mobile code deployment approach. • The DVM would be more useful if it were independent of the programming language. Java and JVM clearly demonstrated the viability of secure systems based on the sandbox model implemented with strong typed languages and a suitable DVM. One practical problem that arose was that while the Java technology was sound in what it did, it relied on all the application software being written in Java – it is a single-language solution. The purpose of .NET and the CLI is to create a “next generation” competitor to the first wave of Java technology (there is also a second wave of Java technology, Java 2 – see http://java.sun.com/). As shown in Figure 3-1, this third generation of DVMs is actually the second wave of WBCC DVMs. These DVMs use the same basic execution model for mobile code, but provide a much more robust environment in which mobile code can be used in a very large network environment. First Generation DVM
Second Generation DVM (First Generation WBCC) Third Generation DVM (Second Generation WBCC
DVMs that are intended to support applications in the HPCC domain. The technology centers on remote files, RPC, distributed shared memory, and distributed process/thread management. Java 1 and the JVM. The technology addresses mobile objects, especially the applet model, JIT compilation, RMI, and the sandbox model. These DVMs (Java 2, CLR, and CLI) are an evolution from the second generation models. The technology is focused on more general methods for object distribution, late method binding, version administration, and secure operation.
Figure 3-1: DVM Generations
In the summer of 2000, Microsoft announced the Microsoft® .NET Framework (.NET) software initiative. .NET can be viewed as a DVM that is implemented as a core package (the CLR) and a supplementary class library intended to support various types of client-server WBCC computing. .NET was designed to support a broad spectrum of Microsoft software products, notably including Visual Basic, C#, and scripting languages such as JScript. It was also intended to run on multiple OS and hardware platforms. It should be possible for people to use products and components constructed with different software products to create a new composite product that operates as intended, even on the same computer that uses different versions of the same components. The commercial .NET framework is divided into two parts (see Figure 3-2): • The Framework Class Library (FCL) provides inter host services, including XML web services, web forms, Windows forms, Windows console applications, Windows services, and component libraries [Richter, 2002]. • The Common Language Runtime (CLR) that provides a per host runtime system. The FCL is a collection of classes that use the execution environment provided by the CLR. [DevelopMentor, 2001] describes the separation of the functions of .NET into the FCL and the CLR by saying that the predecessor Microsoft DCOM functionality has evolved to host-to-host Web Services, while the Win32 API and COM technology have evolved to the “in-memory” CLR architecture. As shown in the figure, and describe in Chapter 2, the CLR supports managed applications – application code that compiles into IL code, and uses the CLI API and FCL for system services. The CLI and FCL translate the IL into native machine instructions by JIT compiling the IL, and by implementing the CLI functions using machine instructions and host OS system calls.
FCL
System Calls
Machine Instructions
CLR/CLI
FCL Calls
CLI Calls
IL Instructions
Managed Application
OS Conventional Computer
Figure 3-2: The .NET DVM
After the CLR had been commercially launched, the API and essential behavior of the CLR and parts of the FCL were disclosed in the ECMA-335 standard [ECMA-335, 2002]. In retrospect, you can think of the CLR as being an instance of the CLI. In March 2002, Microsoft released the Rotor shared source CLI (SSCLI) reference implementation of the CLI. Rotor is derived from the commercial CLR implementation. In the remainder of the book we will focus on the Rotor CLI implementation and the parts of the FCL that are part of the SSCLI source code distribution. Several other books describe how to write programs that use the .NET framework (for example, see [Chappell, 2002], [DevelopMentor, 2000], [Nathan, 2002]). There are a few others that address aspects of writing programs that use the CLR directly (for example, see [Richter, 2002]). Our goal is to focus on the internal design of the Rotor CLI so that we can better understand the technology that is used in one contemporary DVM for the WBCC domain. Specifically, the remainder of this book is concerned with: • The general CLI architecture as it relates to supporting mobile code, specifically including o General design and operation (Chapters 3, 4, and 7) o Source language independence (Chapters 3 and 4). o Software component version management (Chapters 5 and 6) o The software deployment model (chapter 6). • Security mechanisms that address the mechanism that allows such general distribution of mobile code (Chapter 7 and 8). • CLI communication mechanisms (Chapter 9). • Rotor-specific adaptation (Chapter 10). We are not addressing JIT compiling, the internal code management mechanism, garbage collection, or structured exception handling – these topics are covered well in [Stutz, et al., 2003] (and are only of peripheral interest in the study of DVMs). A fundamental facet of virtual machine development is the choice of its logical model of operation and the associated API. In the early 1990s, PVM illustrated that if the virtual machine contained the “right” features and optimizations, it could quickly become the dominant approach to software development. To some extent, the same can be said of Java/JVM in the late 1990s. The success of the .NET/CLI DVM depends on many factors (including major business and commercial factors), but it also depends on the DVM providing the “right” features and optimization to support as much of the general WBCC application space as possible. If the CLI’s operational model and API are not natural and intuitive to the application programmers, then they will not use it. Computer science history is littered with the carnage of rejected virtual machines, languages, middleware, and runtime systems. These models seemed ideal to their developers, but just did not provide the right model of operation to its clients. What is a concrete example of the “right” technology? At the OS level, BSD sockets are an excellent example of incorporating the “right” technology. By understanding the then extant mid layer network protocols (such as XNS, TLI, TCP, UDP, IP, and others), the BSD designers thought carefully about the kind of mechanism that could support all these protocols and others that were likely to appear in the future. The resulting socket primitives extended the BSD kernel with a half dozen new system calls, yet enabled a very broad class of mid layer protocols to be implemented without further kernel modification. BSD sockets are now used in most UNIX systems as well as in Windows operating systems. There are many other examples that programming communities have adopted as their preferred virtual machine component: The SQL relational database, X windows, the Sun Network File System (NFS), the OpenGL graphics language, and so on. What are the “right” distributed programming features for the CLI to export to the programmers of its virtual machine? In Section Error! Reference source not found., we saw that HPCC middleware focused on IPC mechanisms, a remote execution environment, remote files, and various other functions (such as time management in OSF DCE). Java/JVM established the framework for WBCC DVMs: Mobile code (applets), threads, remote objects, RMI, the sandbox model, and so on. Java web services embraced HTTP and FTP as file transfer protocols at supporting mobile code in the form of applets, threads, remote objects, and security. The remainder of this chapter describes the CLI’s model of operation. As such, it is the introduction to the design of the Rotor CLI. Time will tell whether or not this is “the right stuff” to support WBCC distributed programming in the future.
3.1
CLI: The Common Language Infrastructure
In .NET each host machine has a copy of the CLI to support individual elements of a cadre of distributed elements. Individual units of computations (components) use the CLI as its execution environment, while using Web Services for host-to-host information transport. Regarding the purpose of the CLI, Chapter 5 in Partition I of the ECMA-335 document states: The Common Language Infrastructure (CLI) provides a specification for executable code and the execution environment (the Virtual Execution System, or VES) in which it runs. … The objective of the CLI is to make it easier to write components and applications from any language. It does this by defining a standard set of types, making all components fully selfdescribing, and providing a high performance common execution environment. This ensures that all CLI compliant system services and components will be accessible to all CLI aware languages and tools. In addition, this simplifies deployment of components and applications that use them, all in a way that allows compilers and other tools to leverage the high performance execution environment. The CLI specification addresses a more basic problem than distributed programming support, but in solving the general problem, it also provides a leading edge runtime system for distributed programming. In the practical Microsoft development context, a number of difficult problems had arisen by the turn of the century: • There was a spectrum of different runtime facilities that only worked with specific languages and packages. Visual Basic and Visual C++ had each evolved to incorporate more and more functionality in their respective runtime systems, causing many common features to be redundantly designed and implemented for each system. The CLI provides a single, comprehensive set of features that can be used by all language compilers, even allowing interaction among programs written in different languages (see Section 3.1.1). • There were also other “software platform products” and tools that were intended to be common to many language and product packages. For example the COM system is intended to be used by any Microsoft language system as well as by packages such as Windows Forms. Such features are generally implemented in dynamically linked libraries (DLLs). Executable files (“.EXE files”) can dynamically load and use DLLs as their functionality is needed. As different products made use of a particular DLL, it was sometimes necessary to modify the DLL. This meant that as a DLL matured, there could be many different versions of the DLL. Any particular software product might depend on a particular version of the DLL for proper operation. This creates an environment for the following scenario (that we have all encountered): You install a new software package that replaces an existing DLL with a new version. While the newly installed software works fine, the previously installed software that depended on an older version of the DLL suddenly stops working. This is called “DLL Hell” by experienced Microsoft developers [Richter, 2002], [Stutz, et al., 2003]. Within Microsoft, a major commercial motivation for developing the CLR was to avoid DLL Hell. The CLI avoids DLL Hell by supporting managed code that: • Conforms to the programming model exported by the CLI • Uses common implementations of things like COM • References software components using versions • Attempts to localize parts of the platform environment that it uses (CLI code does not use the Windows registry) In providing an environment to support managed code, the CLI provides other facilities related to distributed programming: • Self-describing type systems that can be interpreted in distributed, homogeneous environments • Dynamic loading and binding of parts of an application
• •
Extensive authentication of these parts with regard to their developers’ constraints, the user’s constraints, and the host computer’s constraints. Fundamental mechanisms for inter address space (remote) method invocation.
The CLI presumes that object-oriented programming will be the programming model. The ECMA-335 standard defines a Common Type System, a Common Language Specification, and a multithreaded execution environment capable of supporting applications composed of modules derived from programs written in multiple languages. The basis of the CLI as a DVM is shown in Figure 3-3. Each host machine in the network configuration has its own copy of the CLI (and FCL, though that is omitted from this diagram). The CLI is designed to allow managed application programs (“Parts” in the figure) to interact using the CLI’s communication facilities. That is, the CLI exports its own virtual network, built on top of the host OS and the TCP/IP network (for example, the public Internet).
App Part 1 App Part N
App Part 2
CLI
CLI Network
CLI
OS Hardware TCP/IP Network
OS Hardware
CLI OS Hardware
Figure 3-3: The CLI Network 3.1.1 Multiple Languages and Platforms A conventional programming language is implemented to run on a target OS and host machine by providing a compiler and runtime library. For example, to support C++ on FreeBSD for a Pentium processor, the compiler translates each C++ source code module into a FreeBSD binary module that contains machine instructions for a Pentium processor. This means that if there are K different programming languages to be executed on L different operating systems on M different hardware platforms, you would have to build K*L*M different compilers and runtime systems. The CLI compiles to a single virtual host and hardware platform – a CLI compliant execution module. Therefore it is only necessary to create K different compilers (for the K different programming languages) – see Figure 3-4. Then CLI can then be ported to each of the L*M combinations of OS and hardware. In the case of Rotor, the CLI is implemented on Windows XP, FreeBSD, and Mac OS X.
Source Program
Source Program
…
Source Program
Source Specific Module Compiler for Language1
Compiler for Language2
Compiler for Language K
CLI Compliant Module Assembly
CLI Figure 3-4: Multilanguage Runtime A conventional language runtime system provides a set of functions that complement those normally exported by the OS. For example, the C runtime library (which runs on top of UNIX, Windows, and other operating systems) extends the OS virtual machine with “dynamic memory,” buffered I/O, and other functions. The underlying OS provides the process and resource management functions. The CLI has been designed to absorb the OS functionality into its interface, so that there is a single API for all of the virtual machine functions. The DVM is composed of a low-level virtual execution system capable of executing CLI program modules, the Framework class library, and ultimately the .NET application programs.1 As a result, application programs that execute on top of the Rotor CLI are independent of the OS and hardware type.2 The CLI compliant compiler target machine is defined by the Common Language Specification (CLS) and Common Type System (CTS) [ECMA-335, 2002]. All compilers generate CTS selfdescribing types that provide enough information to allow them to be combined with software components written in other languages. Thus the different parts of a computation can be written in different languages that can then be statically linked at compile/link time, or dynamically linked at run time. For example, a Visual Basic program can call a member function in a C++ object, and the call can extend across the OS process address spaces. Microsoft has released commercial compiler products for C++, Visual Basic, JScript, and C# as parts of their commercial .NET/CLR product. Rotor includes C# and Jscript compilers. Richter [2000] mentions that other companies are building CLI compliant compilers for APL, CAML, Cobol, Haskell, Mercury, ML, Oberon, Oz, Pascal, Perl, Python, Scheme, Smalltalk, and even Java. Besides being a multiple language runtime, the CLI can be implemented on different operating system and hardware platforms (see Figure 3-5). Microsoft is primarily responsible for defining the CLI architecture. Intel and Hewlett-Packard joined Microsoft in shepherding the specification of the CLI through the ECMA standard adoption process. Now that the ECMA-335 standard exists, any party can implement an execution environment (in any OS environment) capable of interpreting the code generated by a CLI compliant compiler. 1
Because the CLI depends on the presence of certain classes for its operation (such as the Object type definition) technically speaking all applications run on top of some part of the Framework Class Library rather than as standalone programs. 2 This is the principle of the Rotor CLI, and it does a pretty good job; most CLI application modules can be compiled, downloaded, then run on any of the target operating systems. The principle can be jeopardized in subtle ways, such as the form of a file pathname (should it use fore or back slashes to be compatible with Windows or UNIX, respectively).
Prior to proposing the CLI for standardization, Microsoft built their own commercial implementation of a complete CLI environment (compilers, tools, and a execution environment) – the CLR – for the Windows NT family of operating systems (Windows NT/2000/XP). There are other implementation of the CLI (ECMA-335), notably the Mono project for Linux, hosted by Ximian, Inc. (see http://www.gomono.com/), and the DotGNU Portable.NET project (see http://www.gnu.org/projects/dotgnu/). Interestingly, there is also a port of the Rotor code to Linux (see http://www.oreillynet.com/pub/a/dotnet/2002/07/01/rotorlinux.html). This list of CLI implementations increases with each passing month.
CLI Implementation
OS Independent Dependent
OS1 Hardware
OS2 Hardware
…
OSL Hardware
Figure 3-5: Multiple OS Implementations As mentioned previously Microsoft released a preliminary version of the Rotor shared source CLI on March, 2002, followed Version 1.0 in November, 2002. The Rotor source code is available at no cost on the Internet (Version 1.0 is contained on a CD-ROM included with this book).
3.2
The CLI DVM Model of Operation
The most recent HPCC ancestor of the CLI is the OSF DCE. It focused on providing: • Threads • Remote procedure call • Distributed file system • Directory services • Protection mechanisms • Time synchronization By direct comparison, the CLI provides support for similar functionality in the WBCC context: • Threads • Dynamic binding among classes, assemblies, and application domains. (The Framework Class Library contains implementations of WSDL and SOAP.) • (Distributed file system functionality is implemented below the CLI in the OS.) • (Directory services are implemented above the CLI with UDDI) • Protection mechanisms • (Time synchronization would be implemented above the CLI) The CLI provides additional support for distributed programming: • Self-describing type system – the CTS • Cross assembly method/member function invocation • Side-by-side execution (simultaneous support for separate versions of the same component) • Managed and unmanaged code interoperability
3.2.1 The Component Model: Assemblies and Application Domains All managed software is defined as classes and executed as objects. A CLI-compliant compiler translates each source program stored in a file into a module (contrasted with the conventional relocatable object module output of a conventional compiler). A module contains one or more class definitions. Similar to Java, the compiled code (called the Common Intermediate Language – CIL) is in an IL form that will be processed by the execution engine. In the CLI, it is always translated into native machine code prior to execution. (Recall that Java bytecodes were designed to either be compiled or directly interpreted.) Each module incorporates metadata used to by the compile-time environment to pass a complete CTS self-description of the types that are defined in the module to the CLI runtime system. When the module is to be compiled into native code, the JIT compiler will have the complete class (type) definition for all the classes used in the CIL code. Metadata is also used to pass other information to the runtime, including security information, but its primary purpose is to make the CTS type description available in the same file as the CIL. Conceptually, the metadata is a mechanism by which the translation environment can pass arbitrary information to the parts of the system that execute the CIL. Since the metadata is part of the module, the type checking system can combine static and dynamic techniques. When the CIL is executed, the execution environment has all of the type definition information available, so it can easily perform runtime type checking – called reflection in the CLI. (That is, reflection is the means of interpreting the self-describing types). A CLI-compliant compiler produces modules with metadata and CIL. This representation is independent of the source language used to create the module. Of course, it must be possible for the compiler to translate all elements of the source program into classes with type safe construction. If the source program is not a type safe OO program, then the CLI compliant compiler is normally not able to translate it into one before compiling it. The third component of the module is a resource record. Strings, images, and other data that are used in the code are isolated from the CIL by placing them in a resource constituent of the file. The execution engine evaluates the resource description when there is a request to load the module; it can then check the authorization to use the requested resources before allowing the module to be executed. There are other by products of isolating the resources, such as simplifying the task of implementing a module so that it works in different cultures and languages. The translation environment can combine modules to define an assembly (or a DLL that is treated much like an assembly). Within the collection of modules in an assembly, at least one of the modules must include a manifest to provide an overall description of the assembly (including the list of modules in the assembly). That is, an assembly is a collection of modules, exactly one of which incorporates a manifest. The assembly has a single main entry point in one of its modules, a set of exported type definitions (such as member functions), and a set of unbound external references to other assemblies. An assembly is the unit of deployment managed by the CLI – it defines: • The unit of code that will be downloaded to a machine when it is needed. • A unit of management for security mechanisms. • A scope for type definitions and references (though an object in one assembly can invoke a member function in another assembly) • A unit of software that corresponds to a complete version of that software. An assembly is a reusable software component that can be used by itself or be combined with other components to implement a more complex unit of computation. As is customary with components, an assembly can be reused without recompiling it. An assembly can even be dynamically bound to calling code on its first reference. CLI assemblies satisfy most definitions of a component (for example, see [Szyperski, 1997]): • They are independently defined subassemblies of software that can be combined without recompilation. • They are custom-made software • They can be deployed independently • They export and use well-defined APIs to interact with other components
An assembly is stored in a file using the portable executable (PE) format. The PE format is also used for ordinary Windows EXE files. When an ordinary Windows EXE file is executed, the OS loader behaves in the conventional manner. But when the file contains an assembly, the OS loader loads the CLI execution engine and starts it executing. The CLI then manages the loading of the assembly, then executes the assembly as managed code. Figure 3-6 summarizes the procedure by which the commercial Microsoft CLR prepares PE files containing assemblies for deployment. An assembly can be saved on the development machine, on an application server, and/or on the target machine that will ultimately execute the assembly. Further, the assembly can be deployed on-the-fly, meaning that (at runtime) the target machine can download an assembly when it encounters a reference to a class in that assembly. The Rotor CLI fits within this framework, but does not allow all of the possibilities allowed in the CLR, specifically, Rotor does not download assemblies from remote machines. Subsequent assemblies are not loaded until they are referenced. Upon first reference, the assembly loader invokes the CLI downloader to obtain a copy of the assembly from its repository – the application directory, a subdirectory, a local file cache, or a network location that has been specified by a URL. The assembly loader then prepares the file for execution.
Source Source Source Source Source Source
Development Machine CLI CLI Compiler Compiler
Application Application Directory Directory
Assembly Assembly ininPE PEFile File
Server Server Directory Directory
Machine Machine Assembly Assembly Cache Cache
App Server
Application Application Directory Directory
Target Machine
Figure 3-6: Assembly Development and Deployment An assembly is loaded into an application domain (or simply app domain) that is defined by the CLI when it is launched. Normally, the CLI implementation expects that the external references from within an assembly will be into the public interface of another assembly that is to execute within the same app domain. Thus, an app domain defines a composition of assemblies that implements a particular end user feature. The assembly loading procedure (within a single app domain) binds external references from one assembly to methods in other assemblies. We will examine the assembly loader in Section 3.2.3 and Chapter Error! Reference source not found.. In the abstract each app domain defines an address space that is managed by the CLI execution engine rather than by the OS – it performs the same function as a Java sandbox. That is, all address references are type-checked to ensure that they are within the app domain. There is another layer in the CLI address space hierarchy: Application domains are loaded into a CLI address space. A CLI address space roughly corresponds to an operating system process’s address space, for example in the Rotor CLI, the CLI address space is the same as the OS process address space in the Windows XP, FreeBSD, and OS X implementations. (The CLI address space is distinguished from the OS address space so that the CLI semantics are distinct from any particular operating system’s definition of address space. In the Rotor implementations, there is no need to modify semantics, so the CLI address space is the same as an OS process address space.) Each address space provides explicit memory boundaries, that are enforced by a mechanism external to the CLI. For example in Windows and UNIX implementations, the mechanism is the hardware dynamic address relocation facilities (see Chapters 11-12 of [Nutt, 2004]).
Each CLI address space can (and normally does) contain multiple app domains – there is an app domain for system assemblies, and another that contains assemblies that can be shared with other app domains. The inter app domain address space mechanism prevents interaction among these app domains, except under the supervision of the CLI. The CLI also supports inter app domain (but intra address space) communication. Of course this requires that the CLI provide a loophole in the type checking mechanism – called remoting (see Section 3.2.3 below). The same mechanism can also be used to span address spaces – that is, it is used as the interface to the host OS IPC mechanism. The relationship among modules, assemblies, app domains, and address spaces is summarized in Figure 3-7. The unit created by the compiler is a module. Modules are combined to form a deployable unit called an assembly. Assemblies can operate by themselves, or be combined to execute within an app domain. Multiple app domains can execute in a single address space without fear of interference because they are type-safe. And, of course, the OS ensures that multiple address spaces can be supported simultaneously using its own process-oriented memory protection mechanism.
Rotor CLI CLR
Windows WindowsXP XP i386 i386
PAL PAL
Rotor CLI Windows WindowsXP XP i386 i386
FreeBSD FreeBSD i386 i386
Rotor CLI PAL PAL OS OSXX Adaptor Adaptor Apple AppleTools Tools PowerPC PowerPC
Figure 3-7: Address Spaces, App Domains, Assemblies, and Modules 3.2.2 The Virtual Execution System Regarding the CLI execution engine, Chapter 11 in Partition I of the ECMA-335 document states: The Virtual Execution System (VES) provides an environment for executing managed code. It provides direct support for a set of built-in data types, defines a hypothetical machine with an associated machine model and state, a set of control flow constructs, and an exception handling model. To a large extent, the purpose of the VES is to provide the support required to execute the Common Intermediate Language instruction set (see Partition III). The VES is the heart of the CLI DVM, and much of the study of the CLI focuses on the VES. To distinguish the VES from the other parts of the CLI (such as the loaders), we will use the Rotor terminology for the VES, which is the Execution Engine (EE). In the code, the VES is also referred to as the MSCOREE (Microsoft Common Object Runtime EE – a name that is left over from the commercial CLR code). As mentioned above, the CLI treats assemblies as the deployable units of computation. When the compilation system creates an assembly, it stores it as a PE file in some form of assembly storage (again see Figure 3-6). In order to deploy an assembly to a remote machine, its PE files will ultimately be copied to the target machine. This can be done in anticipation of its use, or the assembly can be dynamically downloaded on demand.
An assembly can be installed in a known location by administrative configuration directives, or “automatically” when something in the assembly is referenced (see Figure 3-8). The assembly installation procedure requires that the EE obtain a copy (referred to as downloading) of the assembly from the assembly (local or remote) storage, to check the authorization of the caller, to check the validity of the assembly, then to bind the assembly into the app domain. Once the assembly has been verified and loaded into the app domain, other executing code in the app domain can reference public members and fields in its classes under the supervision of the EE. However, the elements of a class are not bound to the calling code until the cross class reference is actually invoked. This causes another part of the EE to find the target class in the assemblies loaded into the app domain, to verify access authorization, to extract the details of the target class description from the metadata, and to build an appropriate call table data structure – the class info in the figure.
Assembly Storage
Load Assembly into App Domain
Load Class into VES App AppDomain Domain
Call to another assembly
Call to another class Execute Code
Class ClassInfo Info JIT JIT Compiler Compiler
Call within class
Native NativeCode Code
Figure 3-8: The Virtual Execution System On the first reference to a member in a class, its definition will be in the CIL form. Unlike JVM, CLI implementations always uses the JIT compiler – called a JITter in the CLI documentation – to translate the CIL into native code. Subsequent references to the member will use the previously JITted version of the member function rather than recompiling it. When the JIT compiler translates the CIL, it interprets the metadata in the assembly with the CIL. As contrasted with CORBA, the metadata eliminates the need for function prototypes and interface description languages. Once the CIL code has been translated into native machine language by the JIT compiler, it can execute directly on the underlying OS and hardware platform. There are other features of the EE, notably a garbage collector and a structured exception handler. 3.2.3 Referencing Remote Objects Remoting is the mechanism that supports remote object references in the CLI. This facility allows an object in one CLI address space to invoke a member function in an object in a distinct CLI address space (see Figure 3-9). Remoting is also used for inter app domain references. Rotor implements remoting, with the help of the MarshalByRefObject base class from the framework (this is the first example of how the CLI relies on the behavior of certain classes in the FCL). The idea is that a remotely accessible object is an instance of a subclass of MarshalByRefObject class; by using this base class, the CLI is able to create the Real Proxy server stub for the remote object, register it in a global name space, and prepare it for runtime linkage to support RMI when a client object invokes it. The Channel object in the figure is also instantiated and registered by the server as a result of being a subclass of the MarshalByRefObject class.
On the client side, the Channel must also be registered with the CLI before it can be used. When the client references the remote object, the Transparent Proxy (client stub part of the MarshalByRefObject class) is created to marshal the client side of the call. As with any form of RPC that is able to cross machine boundaries, the client stub serializes the RMI call so that the call itself and all its parameters (which can include call-by-value copies of objects) are translated into a network neutral format. The local object makes a method call on the Transparent Proxy, which marshals the call then transmits its over the Channel to the Real Proxy. The Real Proxy unmarshals the RMI and performs the local method call. If there are results or exceptions from the local call, the Real Proxy returns them to the calling object.
App Domain
App Domain
Result Or Exception Transparent Transparent Proxy Proxy
Channel Channel
Marshaling (Serialization)
RMI
Address Space
Assembly
Real Real Proxy Proxy Unmarshaling (Deserialization)
(Local call)
Remoting call
Assembly
Address Space Figure 3-9: Remoting
The CLR implements a comprehensive programming model for remoting, specifically it supports various Channel protocols including TCP, HTML, and SMTP (see the online MSDN .NET Framework SDK QuickStart tutorial for Common Tasks – Remoting). This allows very general forms of interaction between the client and server, including the ability for a client object to invoke a remote object asynchronously, receiving results or exceptions with various IPC paradigms. We will look at remoting in Rotor in detail in Chapter Error! Reference source not found.. 3.2.4 Threads The CLI supports independent execution of different objects using the notion of a CLI thread (again, a concept that is semantically distinguished from an OS-level thread). The CLI incorporates its own thread pool – a collection of objects, each of which can behave as an independent unit of computation. A CLI thread can execute according to its own synchronization paradigm, blocking and running according to conditions that exist among a set of active objects. As is the case with all thread-based systems, this allows programmers to assign asynchronous tasks to independent threads without having to explicitly poll conditions from a single thread of execution. CLI threads are a similar paradigm to JVM (see Section Error! Reference source not found.). As you saw in Part B of the exercise in Chapter Error! Reference source not found., the System.Threading namespace provides a ThreadPool class by which a programmer can instantiate a thread object as needed. The new thread inherits behavior from the System.Threading.Thread namespace, and is provided with application code to be executed.
Threads have various public members for synchronization – Interrupt(), Join(), Resume(), Sleep(), SpinWait(), Suspend(), and Wait(). These members can be used to control the threads state – Running, WaitSleepJoin, SuspendRequested, Suspended, AbortRequested, Stopped, and Background. CLI threads are unique in that they can be in multiple states at one time, for example a thread could be in Background state and Running, Suspended and AbortRequested, and so on. Thread semantics were determined by the CLR implementation on top of the Windows NT kernel facilities, but in Rotor they are also implemented on top of the POSIX thread library – a user space thread implementation in FreeBSD 4.5. 3.2.5 Security The .NET framework provides cryptographic tools in the FCL, and authentication and authorization mechanisms within the CLI. Before an assembly is used, it must be authenticated to determine its origin, and to ensure that its execution in a given computing environment is authorized both by the assembly and computing environment “owners.” The CLI uses evidence based authentication and authorization – meaning the assemblies are only executed in the presence of evidence that the developer has authorized the use of the assembly, and that the computing environment has the authority to use the assembly. Assemblies can use simple names or strong names. A simple name is a text name similar to file names used in other computing environments (for example autoexec.bat, cmd.com, testprogram.exe, a.out, or myfile). A strong name is a 4-component name: • Name. A simple (text) name to identify the assembly to the OS file manager. • Version. This is a 4-part number to identify a version of the assembly. The parts are the major number, the minor number, the build number, and the revision number. • CultureInfo. This part of the name identifies the spoken language and country code for the assembly. For example, “en-US” is the CultureInfo for English in the United States. • PublicKey. This is either an 8-byte public key token or a 128-byte public key that uniquely identifies the assembly developer. There are several interesting aspects of this complex name. First, assembly names is part of a huge name space. Within this name space there is a substantial set of names available to each developer. A fully qualified name is almost assuredly unique. Second, the version field highlights the fact that assemblies may exist in a network in various versions. This is used to address a severe problem in distributed systems (and systems with many different components): Once a piece of shared software is made accessible via a dynamic binding mechanism, how can one be sure that it is no longer needed when a new version of the same software is released (avoiding DLL Hell). RPC packages have used version numbers since their early days; each client that intends to use a remote procedure must identify it by name and version. The CLI is designed to distinguish among assembly versions (and even to allow multiple versions of an assembly to be loaded into a machine at the same time – this is called side-by-side execution). The CultureInfo field is self-explanatory; it is encouraging to see internationalization/localization incorporated into CLI at such a basic level. Fourth, the PublicKey field disambiguates the rest of the name, effectively providing each developer (or development organization) with its unique name space. Perhaps more importantly, the PublicKey is used to ensure that the assembly has not been tampered with after it was developed (see Chapter 14 of [Nutt, 2004]). When the assembly is prepared for deployment, a message digest of its contents is prepared. The message digest is a hash of all the contents of the assembly that has been encrypted with the developer’s private key. If a recipient recompute the hash, it can then use the public key to decrypt the message digest. If the decrypted value and the computed hash do not exactly match, then the assembly is different from the one that the developer deployed. This is the essential element by which a recipient can authenticate the source of the assembly.
Whenever an assembly is loaded into an execution environment, the evidence-based policy manager checks the authentication and authorization. As described in the previous paragraph, the first step is to authenticate the source of the assembly, ensuring that the assembly is the same one that the original developer created. The policy manager can then begin to extract encrypted evidence from the assembly’s message digest. The message digest provides evidence relating to the source from which the assembly was obtained (the deployment policy), and a description of how the assembly wishes to use the computing environment’s resources (the assembly resource access). The policy manager will next obtain the machine’s host policy (defined by the system administrator). The policy manager can then check the authorization rights of the deployment system and host system to determine if the assembly can be executed in the given host environment. We will focus on the CLI security mechanism in Chapter Error! Reference source not found..
3.3
CLI Class Libraries
The CLI is the runtime system environment in which assemblies are executed, including the assembly loader and execution engine. However, the CLI relies on the existence of various classes in an accompanying library. The Microsoft .NET commercial product encapsulates much of their intellectual property in their FCL, so they are not generally inspired to release it as part of the Rotor SSCLI. However, some of the classes in the FCL are required for the CLI to be at all useful. This has led to the idea of class library profiles: The kernel profile is the minimum base class library required for the CLI to execute assemblies [ECMA-335, 2002]. The Rotor SSCLI base class library is a superset of the kernel profile, but smaller than the Microsoft commercial class library (the FCL). The class library is a diverse set of software to handle a diverse set of classes of computation, built on top of the CLI. The components in the class library are organized into collections of similar components called namespaces. As mentioned earlier, the System namespace contains a number of classes that are used by every .NET application, so even the CLI depends on the existence of this part of the FCL. For example, the System namespace contains the Object base class. Besides namespaces that focus on tools such as those for XML and data manipulation, there are namespaces for Windows Forms, Web Forms, Windows consoles, and so on [Chappell, 2002]. The current list of .NET namespaces can be found in the online MSDN Library (see the .NET Development/.NET Framework SDK/.NET Framework/Class Library entry). You can get an appreciation for how the FCL is used by considering a simple example from the System.Web namespace. Components in this namespace support distributed programming using XML information. These web services are intended to enable programmers to create remote services, then to make them available to clients. This means that a programmer can define a service, register it with accompanying information that can be used to browse services, then to accept requests from clients. All of this is intended to be done using widely-accepted protocols. There is a Web Service Description Language (WSDL – see http://www.w3.org/TR/wsdl) that is used to register the service. The Universal Discovery Description and Integration (UDDI) describes a name service protocol for searching WSDL descriptions to locate services. Once an appropriate service has been located, the Simple Object Access Protocol (SOAP – see http://www.w3.org/TR/SOAP) is used by the client and service to interact according to the services offered. WSDL, UDDI, and SOAP are all important elements of the way a programmer constructs .NET distributed applications, but they are implemented above the CLR. There are a number of excellent reference books that focus on the FCL and the general API to .NET (for example, see [Chappell, 2002], [DevelopMentor, 2001], [Nathan, 2000], [Thai and Lam, 2002]). Here is an example of how clients can use a WebRequest object to invoke a remote service, then use a WebResponse object to accept the response (see Figure 3-10). These two classes are part of the System.Net namespace. The general paradigm is implemented in the WebRequest and WebResponse base classes, and protocols are implemented in subclasses that inherit base class behavior. For example the HTTPWebRequest and HTTPWebResponse classes add the HTTP protocol to the basic request-response classes. In this case, the communication model is asynchronous: The client can request information (using different protocols from different subclasses), do other processing, then later accept the result of the request.
WebRequest WebRequest Class Class
WebResponse WebResponse Class Class
Inheritance HTTPWebRequest HTTPWebRequest Class Class
HTTPWebRequest HTTPWebRequest Class Class
Instantiation
HTTPWebRequest Object
HTTPWebResponse Object
App Object
Method Call
Method Call
Figure 3-10: WebRequest/WebResponse Interactions
3.4
Programming the .NET Environment
Framework Class Library
The CLI extends the distributed programming environment provided by the underlying operating system by defining a comprehensive DVM. The OS provides abstract devices, files, memory, resources, processes, threads, synchronization primitives, and IPC primitives. The CLI DVM creates a new set of abstractions that are used by the FCL and applications – app domains, assemblies, and classes along with tools to enforce security, to dynamically load and bind assemblies, to support autonomous units of computation within an assembly, metadata to define the types used by the assembly (thereby greatly enhancing its portability), and a new level of IPC (remoting). As shown in Figure 3-11, the .NET compilers, linkers, tools, and FCL use the CLI and its underlying OS to provide a comprehensive DVM for WBCC.
UDDI UDDI
WSDL WSDL
Distributed Distributed Objects Objects Client-Server Client-Server
SOAP SOAP
Mobile MobileCode Code
HTTP HTTP
Remote RemoteFiles Files
XML XML
Namespaces Namespaces
RPC RPC
… …
Security Security
Compilers, Compilers,Linkers, Linkers,Tools, Tools,… …
CLI
App AppDomain Domain
Assembly Assembly
Assy AssyBinding Binding
Class Class
Metadata Metadata
Security Security
Remoting Remoting
Thread Thread
Strong StrongTypes Types
OS
… … Devices Devices
Files Files
Memory Memory
Re sources Resources
Processes Processes Threads Threads
Figure 3-11: The Framework, CLI, and OS
Of course, the CLI is not absolutely required in order to implement the FCL, though its presence considerably simplifies the software design at this level. The CLI provides specialized support for distributed programming in its security model, thread model, assembly loading and binding model, use of metadata, the object model support, and the remoting mechanism for IPC among objects.
3.5
Lab Exercise: Multi Assembly Program
In the Part A of the Lab Exercise for Chapter 2, you implemented a simple program to manipulate odd and even numbers. This exercise gives you some hands-on experience with assemblies and configurations – an essential element of the foundation for studying the CLI internals. Here is the skeleton for the two-class implementation of the odd-even program: using System; // A very simple class public class Num { private int value; public bool isEven; public Num(int i) { value = i; isEven = ((i % 2) == 0) ? true: false; } public int incr() { … } public int decr() { … } } // Main application for the assembly class MainApp { … public static void Main() { Num[] number = new Num[MAX_N]; … // Create some numbers in an array … // Scan the objects, changing odds to evens, and evens to odds for(i = 0; i < …; i++) { … Console.WriteLine("{0} is …", number[i]); // Scan the objects again, changing odds to evens, and evens to odds for(i = 0; i < …; i++) { … Console.WriteLine("{0} is …", number[i]); }
Part A Flesh out the code skeleton so that it is a full solution (if you did not do Part A in Chapter 2). Split the code so that each class is in a separate file. Compile and execute the resulting code so that it results in two different assemblies (you will have to consult the online MSDN .NET/CLR documentation to do this). Part B Create a copy of your solution to Part A and place it in a new directory. Move (copy and delete) the file containing the number class to a subdirectory in the new directory. Notice that the assembly will no longer execute since the CLI will not be able to find the assembly containing the number class. Create a configuration file to direct the CLI to the assembly for the number class.
Part C
You will need to use a Windows XP CLR system to solve this part (since it uses functionality that is not distributed in the Rotor CLI). In Chapter 6, you will provide the missing functionality to the Rotor CLI, and provide a solution for this problem on Rotor CLI systems. Copy your solution from Part B into another new directory. Next, move (copy and delete) the assembly containing the number class to a web-accessible directory on a remote machine. Construct a configuration file to direct the execution of the assembly so that it downloads the number class from the remote machine. 3.5.1 Background Configuration files are used to specify settings to direct the way that the CLI behaves. In particular, they can be used to tell the CLI where an assembly is stored if it is in a location other than the directory from which the root assembly was launched. The details of configuration files are provided in the online MSDN documentation in
.NET Development/.NET Framework SDK/.NET Framework/Configuring Applications/Configuration Files. The information in this section is just a brief introduction to the MSDN information. A configuration file is in the XML format, that is, it is a text file in which each field is marked with a tag. The fields can be hierarchical, so there can be tagged fields inside of other tagged fields.
The configuration file can contain various fields to specify the configuration: • <startup>: Specifies the version of the runtime to use • : Specifies assembly binding and runtime behavior • <system.runtime.remoting>: Specifies aspects of the client and server for remoting configurations. • Network settings: Fields to specify interactions between the CLI and the internet. • : Specifies the association between popular (“friendly”) names for various cryptography algorithms to their implementations. • : A field for miscellaneous configuration settings. • Trace and debug settings. • Commercial .NET ASP settings (not relevant for Rotor). The above list is meant to convey some idea of the breadth of settings you can use to control the way the CLI behaves. In our study of Rotor internals, we will only need to control simple configurations. To solve Part B of this exercise, you will need to construct a configuration file that controls the directories in which the CLI will look for target assemblies. This directory search is called probing in the CLI literature There is a default probing algorithm, though it will not find desired PE file in this problem. Instead, you will have to use a configuration file to customize the probing strategy. To direct probing, your configuration file will need to contain a field, which will contain an field. In the field, you can include a <probing> field that will identify the directory you used for the number class. In Part C, you will need to add digital signatures and version numbers (strong names) to the PE file to be downloaded, which, of course, causes the assembly that references the file to need to know the strong name for the target file. Strong name information is specified in the configuration file. Alternatively, you can use the SN tool that comes with the Rotor distribution (see the Rotor and generic MSDN documentation for a description of how to us SN).
The <dependentAssembly> element (instead of the <probing> option) is used to define the binding policy and URL locations to search for an assembly. A <dependentAssembly> can contain an , , and/or a . Thus a segment of a configuration file that contains two <dependentAssembly> elements might look like this: <dependentAssembly> <dependentAssembly>
The first <dependentAssembly> defines a new assembly named “teazle”, which is located at the URL http://www.darkhole.com/RotorBin/basil.dll. Notice that there is a publicKeyToken required to access this PE file. The second <dependentAssembly> is named “ducktale”, and the is used to change references to version 1.0.0.0 so that they refer to version 2.0.0.0. Refer to the MSDN documentation on the <dependentAssembly> element of an . 3.5.2 Attacking the Problem Configuration files can be quite complex. If you are having trouble with the MSDN documentation, take a look at the technical article in MSDN at .NET Development/.Net Development (General)/.NET Remoting/Format for .NET Remoting Configuration Files. [Richter, 2002] also has a good explanation of how to use configuration files.
4
The Rotor CLI Implementation
The Rotor SSCLI software distribution includes a publicly-available reference implementation of the CLI, subject to the provisions of Microsoft’s shared source (SS) license. Microsoft usually refers to the Rotor CLI implementation as the SSCLI, so we will use both the terms Rotor CLI and SSCLI to refer to this implementation. The distribution is a complete collection of source code to build an ECMA-335 compliant runtime system, along with necessary compilers, tools, and classes. Error! Reference source not found. is a generic diagram of an ECMA-335 compliant CLI system. Figure 4-1 is a Rotor-specific diagram of the CLI runtime implementation. In Figure 4-1, each of the clouds in the generic figure has been replaced by a box to represent a logical part of the Rotor implementation. The explanation for the generic VES (execution engine) applies to Figure 4-1 as well as to Error! Reference source not found.. In this chapter, our goal is to provide a summary description of the design of Rotor, then we will focus on the parts that are most relevant to DVMs in the remainder of the book. File File System System Assembly Assembly Loader Loader
Assemblies Assemblies In InApp App Domain Domain
Policy Policy Manager Manager
Class Class Loader Loader
New Class Reference
New Assembly Reference
JIT JIT Compiler Compiler Managed Managed Execution Execution Execution Engine
PAL
Figure 4-1: The Rotor CLI Implementation
4.1
The Software Distribution
The Rotor software distribution is relatively large: The first beta release of the code was 1.9 M lines of code in 5,900 files.1 Ordinarily, the SSCLI directory is loaded into the file system at a location whose absolute pathname is stored in the environment variable named ROTOR_DIR. Thus the root of the Rotor source tree can be referenced using ${ROTOR_DIR} in UNIX environments (or %ROTOR_DIR% in Windows). Besides the complete implementation of a CLI, the software distribution also includes the source code for C# and JScript compilers, a generous set of libraries from the FCL, and various useful tools. The current version is publicly available on the Internet (http://msdn.microsoft.com/downloads/) under Software Development Kits), though readers will be best served by the book if they use the version included on the CD-ROM with this book.
1
The first release occurred on March 27, 2002, followed by a second release to provide a slight reorganization and bug fix on June 25, 2002. Release 1.0 occurred on November 5, 2002. This book was written using the Release 1.0 of the SSCLI code. The sizes of the three releases are about the same.
The execution engine (the collection of elements shown in the EE box Figure 4-1) is implemented as an object oriented system, primarily using C++ (but also including some assembly language code). It is derived from the production CLR – much of the code is an edited version of the production CLR code – though many of the features that are in the CLR have been removed from Rotor so that the software can better serve as a research and education tool. This is simultaneously “a good thing” and “a bad thing.” On the positive side, Rotor captures the essential structure of the CLR implementation, thereby providing a real software system than can be used to provide comprehensive support for managed software. However, that same structure of the code is built to be industrial strength, meaning that the Rotor code has a good deal of complexity that is not actually used in the Rotor implementation. For example, Rotor has the full CLR security infrastructure, but much of the security mechanisms are not included. Even though the Rotor code was derived from a particular version of the CLR, there is no implication or assurance that it will track the subsequent development of the CLR code. When you obtain the source code distribution, you can install it in any directory you please. (For my experimentation, I placed the source code in my home directory.) In UNIX systems, the ROTOR_DIR environment variable will then be set to be the pathname of that directory when the system is built. Once you have installed the source code at ${ROTOR_DIR} – even before you build the system – you can begin to browse the source code. The main directory has about a dozen subdirectories and another dozen files. You will use many of these file to install Rotor (see the Laboratory Exercise at the end of this chapter). The directories that will be of the most interest while you are using this book are • ${ROTOR_DIR}/clr/src. This is the directory that contains most of the source code that implements the runtime – you will spend considerable time browsing this directory. • ${ROTOR_DIR}/pal. This directory contains the source code that implements the Portable Adaptation Layer (PAL) that enables a single version of the runtime to be executed on top of FreeBSD, OS X, or Windows XP. We will discuss this code in Chapter Error! Reference source not found.. • ${ROTOR_DIR}/palrt. This directory contains PAL tools that were considered to be more general that the PAL itself. • ${ROTOR_DIR}/docs. The docs directory contains all the documentation for the Rotor release. This is an excellent place to start your investigation of any particular aspect of Rotor. The C# compiler source code can be found in ${ROTOR_DIR}/clr/src/csharp/, the Jscript system is located in ${ROTOR_DIR}/jscript/engine/), and there is a CIL assembler is in ${ROTOR_DIR}/clr/src/ilasm/.2 The clr directory contains a bin directory and a src directory. Our attention will almost always be on the src directory. The …/clr/src directory contains about twenty subdirectories. This is the first major partition of the Rotor functionality (though the source code partition does not exactly correspond to the logical partition shown in Figure 4-1). The main subdirectories in which we will work is the vm directory, though, for example, we will work in the fusion directory in Chapter 5. The vm directory has over 300 .cpp and .h files – the heart of the runtime. Header files appear in various places in the distribution; many of them are in …/clr/src/inc, but sometimes they appear close to (or within) their implementation directory. An instance of the CLI cannot operate in isolation; it must be accompanied by a library of supplementary classes. In the Rotor distribution, the …/clr/src/bcl is a set of classes that are needed for the Rotor CLI to operate. The ECMA-335 standard defines the notion of a CLI instance profile: A Profile is simply a set of Libraries, grouped together to form a consistent whole that provides a fixed level of functionality. A conforming implementation of the CLI shall specify a Profile it implements, as well as any additional Libraries that it provides. The Kernel Profile (see Section 3.1) shall be included in all conforming implementations of the CLI.
2
In the remainder of this book, we will elide the ${ROTOR_DIR} from each pathname. This means that we will refer to a pathname such as “${ROTOR_DIR}/clr/src/csharp/” simply as “…/clr/src/csharp/”.
The idea is that this Kernel Profile is the minimum set of classes needed in order for an instance of the CLI to operate properly. Whittington says this about the Kernel Profile: Developers who want to build absolute minimum functionality implementations can adhere to the Kernel Profile. This profile is minimalist to the extreme—it doesn't even include floatingpoint math. The Kernel Profile is so puny that all of the CLI implementations I am aware of implement at least the next step up, the Compact Profile. [Whittington, 2002]. Whittington goes on to say that the SSCLI class libraries essentially conform to the Compact Profile.
4.2
Loading the Assembly
After a program has been compiled into an assembly, it can then be processed as managed code by the Rotor CLI. The first part of Rotor to touch an assembly is the assembly loader (see Figure 4-1). The purpose of the assembly loader is to locate the assembly in the secondary storage system, then to load it into the app domain. In the initial phase of loading, the assembly loader will have the policy manager validate the relevant security policies and evidence to ensure that the host machine is allowed to use the assembly – the policy manager is introduced in the next subsection. Internally, the assembly loader is called the fusion loader (see …/clr/src/fusion). The first assembly identified by the command line parameter that is passed to clix.exe. Requests for subsequent assemblies are made known by a reference during code execution. That is, as an object executes, it may reference a member or field in a distinct assembly. On first reference, the execution engine transfers control back to the assembly loader. In Rotor, target assemblies can either be in the application directory or one of its subdirectories, or be loaded into the Global Assembly Cache (GAC). There is one GAC per host machine. All Rotor instances running on the machine load common assemblies from the GAC if they have been placed there (normally, an assembly is placed in the GAC by a system administrator). The downloader part of the assembly loader first looks for the target assembly in the GAC, then in the application directory and its subdirectories. As you learned in the Lab Exercise for Chapter 3, a programmer can provide additional assembly download locations by using a configuration file. A configuration file must be saved in the application directory, using a well-formatted name. For example, if the base assembly is named foo.exe, the configuration file would be named foo.exe.config, and be stored in the same directory as foo.exe. The downloader is responsible for locating the referenced file – in the GAC, the application directory, or in a location specified by the configuration file – and making it available for the binding. The assembly loader first extracts security evidence from the assembly and passes it to the policy manager. Provided that the assembly is authorized to run in the environment, and that the user has permission to use the assembly, the loading procedure can then continue. The reference to the assembly will have been to an entity in a module in the assembly – a field or a member function. The loader continues by binding the assembly into the app domain, then invoking the class loader to prepare the target object for execution. We will consider the assembly loader in detail in Chapter Error! Reference source not found..
4.3
The Class Loader
The class loader is invoked whenever a class is prepared for execution. This can occur in two different circumstances: The MainApp class in the assembly is being loaded, or an object is executing in the EE and it references an object that is defined by a class that has not previously been loaded. When the initial assembly is started, the class loader prepares the MainApp class for execution. Every class is initially defined by its CIL and metadata when it is bound into the app domain. The class loader uses the metadata to determine the external definitions and references made by the class – that is to build the MethodTable, Vtable, and EEClass objects. We will look at more details of the class loader in Section Error! Reference source not found..
4.4
The JIT Compiler
An object can be executed under the control of the EE once the class loader has created the appropriate information in the Vtable SLOT. However the Vtable entry will reference a member function that may still be in the CIL/metadata format. The JIT compiler translates the CIL representation of a class into a runtime image at the time of the first referenced to the method. The translation creates a block of native code, information used by the garbage collector (GC), and information used by the structured exception handler (SEH). On the first call to the member function, the flow of control will be directed to the JIT compiler (see …/clr/src/fjit and Section Error! Reference source not found.), which will then translate the CIL into the native machine language for the host computer. Once the JIT compiler has translated a CIL member function, the resulting code is available to any app domain that is executing in the same address space as the app domain in which it was translated. In the CLR, the native code representation will be kept in the memory until the app domain is unloaded. The Rotor CLI does not make this assurance, allowing a translated member to be unloaded if the garbage collector needs to reclaim memory. If the member function is invoked again later, the JIT compiler will create a new translation of the code. This means that Rotor only works correctly with members that are reentrant – meaning that the code cannot have any persistent state (such as static variables) saved in it.
4.5
The Execution Engine
Continuing our bottom up sweep of the Rotor implementation (see Figure 4-1), we will next consider how the managed code executes as native code. The code to be executed is either managed or unmanaged code, meaning that it was either designed and compiled to use the features of the CLI DVM, or it was built to execute in some other runtime environment (unmanaged code). For example, managed code can run in an app domain with no danger of violating the address space protection mechanism provided by the CLI, but no such assurance exists for unmanaged code. The problem would be much easier if the Rotor CLI could be assured that it need only support managed code; however that is not the case, since managed code uses unmanaged libraries (all PAL code is unmanaged) and other adjunct software (such as OS and library calls). Assemblies Assemblies In InApp App Domain Domain
Class Class Loader Loader
class
Vtable Vtable&& Class ClassInfo Info
method
JIT JIT Compiler Compiler
Native NativeCode Code GC Info GC Info Except ExceptInfo Info
Code Code Manager Manager Class Classinit init Garbage Garbage Collector Collector Exceptions Exceptions … …
Figure 4-2: The Execution Engine Organization
Application code is delivered as a PE file to the CLI containing CIL and metadata. By the time that the EE begins to execute the code, the CIL will have been converted it into native machine language code and the metadata will have defined a precise, secure execution environment in which the native code will execute. The EE’s job is to control the execution of the native code so that it is consistent with the tailored execution environment. The upstream parts of the CLI (the JIT compiler, Class Loader, Assembly Loader, and other parts of the Rotor CLI) will have defined the precise execution environment. In other words, the EE is responsible for maintaining the context for object execution, for invoking the upstream mechanisms when they are needed, for entering and exiting managed code, for handling language exceptions, and for garbage collection. Like any other user space code, the EE can direct the OS behavior by making system calls (to unmanaged code), by using synchronization primitives, by manipulating scheduling priorities, by manipulating the stack, and by handling OS exceptions. 4.5.1 CLI Threads Recall that each assembly has a single main entry point. Whenever an assembly is activated in the Rotor CLI, the EE creates an abstract CLI thread to act as the serial execution agent for assembly’s objects. As a result, the CLI thread defines a stack context that is managed by the EE. Any given app domain has one or more CLI threads running in it – at least one per assembly. The EE administers the local state of the computation, including its stack contents. In Rotor, each CLI thread is implemented using a thread that is exported from the host system through the rotor_pal.h thread (see Figure 4-3). If the underlying OS supports kernel threads, the PAL takes advantage of that implementation, implementing each CLI thread with a kernel thread. However, if the host system does not support kernel threads, then a middleware package such as POSIX threads will be used by the PAL, and the middleware package will then use OS processes to implement Rotor threads. In any case, SSCLI thread management above the rotor_pal.h interface is handled by the ThreadPool and related classes in the EE in terms of a set of underlying threads, which we will refer to as PAL threads.
SSCLI SSCLI SSCLI Thread Thread Manager Manager PAL PAL
System Level Kernel Kernel Thread Manager
•Assembly Load •Stack Manipulation •Exceptions •Adapt to System •Create/Destroy •Scheduling •Synchronization
Figure 4-3: The Thread Hierarchy There are at least three issues that complicate CLI thread management: • Managed software can call unmanaged software • The CLI execution model supports exception handling • The CLI execution model supports garbage collection The complication manifests itself in many ways, but an obvious one is in stack management. From Figure 4-3 one can infer that each box has its own mechanism for managing thread context. In the CLI, the context is saved in a System.Thread object and a stack frame. Next we consider how Rotor manages the stacks for its CLI threads. It is useful to note that the host hardware ordinarily supports stack operations by including a hardware stack – a block of memory addressed using a stack base and offset (top of stack) registers. The stack operations in the machine instruction repertoire rely on the values in these registers to perform correct operations.
Each time that a CLI thread of execution enters a CLI thread context, some part of the system creates a stack frame, then pushes it onto the hardware stack. For language-based operations such as procedure call, the stack frame can be generated by the compiler. However, the CLI thread manager also keeps information in stack frames. That is, there is only one physical stack per OS unit (process or thread), but we can rely on the host system software to correctly implement thread stacks on top of the process stack. How it is able to do that is a matter of design for the system thread implementation – the Rotor CLI designers assume a stack per thread (as shown in Figure 4-4). As suggested by the figure, at any given moment, there is a stack for each CLI thread. Some of the stack frames are created by conventional scope management, and some by the CLI thread manager. We also know that somehow, the hardware will be able to use its base and offset registers to perform stack operations, even for CLI threads.
SSCLI A
B
Z
SSCLI SSCLI Thread Thread Manager Offset
Base B’s Stack
A’s Stack
Z’s Stack
Figure 4-4: Thread Stacks Offset
SSCLI A
B
Z
SSCLI SSCLI Thread Manager Offset
Base A’s Stack
B’s Stack
Z’s Stack
Base
…
The PAL Thread’s Stack
Figure 4-5: SSCLI Thread Stack Implementation
The Rotor CLI is user space software, so in the obvious implementation it would have to make a system call each time it wanted to manipulate the stack. However, the CLI implements the stack in a different way – by multiplexing different types of stack frames on the PAL thread stack, then keeping track of those frames whenever the software wants to use their contents (see Figure 4-5). In some cases the frame is pushed by the scope management rules, and in others it is pushed onto the stack by the CLI thread manager. However, this adds a significant level of complexity to the CLI, because the EE must be able to logically reconstruct the individual CLI thread stacks as needed, and it must be able to traverse logical thread stacks for exception handling, security, and garbage collection operations. Now we get a glimpse of how unmanaged code is interleaved with managed code. Whenever managed code calls unmanaged code, the CLI thread will change scope. When the unmanaged code is entered, it will create a stack frame and push it on the PAL thread stack – creating the white frames in Figure 4-5. Any Rotor CLI stack walk must also cope with these unmanaged software frames when abstracting the CLI thread frames into the logical stacks in the figure. 4.5.2 In-Memory Objects CLI threads execute on the abstract stacks described in the previous section. PAL threads can be thought of as OS threads that execute on top of the OS thread manager (scheduler, virtual memory, and so on). When code begins to execute, the CLI thread is executed by the PAL thread, which is executed by the underlying hardware. That is, at execution time, all code is expressed in the machine language of the host hardware. Of course, a key aspect of managed code is that it is linked into the app domain as CIL and metadata. From the discussion of Chapter Error! Reference source not found. and the schematic of Figure 4-1, you know that the CIL and metadata will be converted to native code by the JIT compiler before it is executed. Once this translation has taken place, the code will be bound to the platform execution environment – it is no longer in a form where it can be downloaded and executed on any CLI instance. Roughly speaking, the CIL/metadata representation is for classes, while native code representations are for objects. The runtime object representation format must be able to preserve parts of the class structure, but not the CIL and generic metadata. That is, every class – and hence every object – inherits a MethodTable pointer from class Object (see …/clr/src/vm/object.h for the class definition). Class object’s only data member is a pointer to a MethodTable for the object. As shown in Figure 4-6, when an object is instantiated on the heap, it will have space allocated for the MethodTable pointer, an ObjHeader (which references a sync block header that is used for miscellaneous runtime support, including synchronization involving the object – see …/clr/src/vm/syncblk.h), and the object’s instance data (defined by the metadata). You can explore the class Object methods in object.h to discover some “tricky code” by which the EE uses the ObjHeader to reference the information in the sync block – see Chapter 5 of [Stutz, et al., 2003].
… MethodTable* MethodTable* ObjHeader ObjHeader
MethodTable
SyncBlock Table
Instance Instance Data Data
…
SyncBlock entry
Heap
Figure 4-6: The Object’s Data Structure
The meta information about the object is derived from the language metadata and EE state when the object is created – in generic terms, it would be thought of as the EE’s object descriptor. This information is stored in the object in its MethodTable and EEClass (see Figure 4-7) and …/clr/src/vm/class.h). The MethodTable data is information that is used at a relatively high frequency (such as pointers to the class methods), while the EEClass holds information that is used infrequently (such as the number of interfaces in the class, and the template description for the instance data). As indicated in the figure, the EEClass instance and the MethodTable instance reference each other so that it is easy to retrieve information from the sibling object whenever a thread is execution in the other. It is interesting to note that the EEClass includes a set of MethodDesc objects, each of which define a Call method for the class. This Call method is used by the EE to invoke the methods in this class. Space for the Vtable is allocated at the same time as space for the MethodTable. The first entry of the Vtable overlaps the last entry of the MethodTable – another performance-oriented coding trick. Each Vtable entry (of type SLOT) is effectively a reference to a method for the class. The Vtable is organized so that all static methods are defined first, followed by all methods inherited from super classes, then a set of additional methods defined by the runtime system. The details of how the EE sets up and uses these data structures is beyond the scope of this book , though Chapter 5 of [Stutz, et al., 2003] provides a great description of the procedure. MethodTable
EEClass
EEClass*
Vtable SLOT
MethodTable*
SLOT SLOT
SLOT
Figure 4-7: The MethodTable, EEClass, and Vtable 4.5.3 Garbage Collection Object-oriented programming languages make heavy use of dynamic data structures – objects themselves are ordinarily created dynamically. Like many OO systems, the Rotor CLI includes a garbage collector for dynamically allocated objects. Whenever an object is created, there is a reference to the object from the calling program. If the reference is copied, then there are two references to the object. The runtime system determines when all references have been removed (by redefining the variables that refer to the object, or by having the variables go out of scope). When an object is no longer referenced, it is automatically deallocated by the CLI implementation. Garbage collection is a complex mechanism, but it is not directly related to DVM technology. You can read the details of the CLI garbage collector in Chapter 7 of [Stutz, et al., 2003]. There are several critical EE issues in implementing a garbage collector: • The garbage collector must have intimate knowledge of the memory used by all objects – the heap and the stack. The types described earlier in this section are extended to provide “cubby holes” for storing information to be used by the garbage collector. These runtime types are created by the class loader and JITter, then used by the garbage collector.
•
•
The SSCLI garbage collector uses the mark-and-sweep technique, for reclaiming unused space [Jones and Lins, 1996]. This requires that it inspect each object to determine if is being used, then if it is not, to release the corresponding storage back to the heap. In order to reduce fragmentation, the garbage collector also partitions the heap according to the amount of time they existed. All objects start out as “young objects,” but are moved to the “old objects” part of the heap if they last through one garbage collection cycle. The garbage collector also compacts the heap when it runs. This style of garbage collector is reading and writing various parts of the heap as it executes – a dangerous situation if applications should happen to also be creating and destroying objects at the same time. Therefore the garbage collector is only allowed to run while all other execution is suspended. As a result, the EE coordinates the times at which garbage collector can run with its other execution activities.
4.5.4 The Exception Handler Exceptions have been used in operating systems for many years (divide-by-zero exceptions, and so on). In their first uses, if the hardware detected an exceptional condition it could effectively cause an interrupt, which would allow the interrupt handler to address the exception – usually killing the process that was responsible for the exception. The trap is a software-generated exception – a situation in which software detects an exceptional condition; like an interrupt, the software condition causes the processor to begin executing a trap handler to address the condition. In the 1970s, programming language designers began to include a mechanism to allow called procedures to “throw” exceptions that could potentially be “caught” by the called procedure. The ECMA335 specification incorporates a structured exception handling (SEH) mechanism, allowing any calling procedure to provide catch phrases (exception handlers) for a procedure call. In terms of the Rotor CLI, this introduces considerable complexity for the EE. For a good discussion of SEH see Chapter 6 of [Stutz, et al., 2003]. The critical EE issues for SEH include: • The stack includes frames especially designed to process thrown exceptions. Of course this makes thread management, garbage collection, and stack walking more difficult. It also means that the class loader and JIT compiler must provide extra information as part of each object’s context to enable the SEH mechanism to work. • When the exception is thrown, the EE must be able to unwind the stack to the context that will catch the exception. • The EE must be prepared to pass exceptions through to managed code even when the exception is thrown by the hardware or unmanaged code (including the OS). 4.5.5 Starting the EE The SSCLI is an adjunct to any executing program – a very important one, but not really a main program. An instance of the SSCLI is started whenever a managed assembly is started. In the case of Rotor, this happens when the clix.exe tool is called. This is discussed at the code level in the accompanying Lab Exercise, so the description here is at the summary level. The clix.exe program parses the command line to get the file name of the first assembly. It then loads the EE and branches to the _CorExeMain2() entry point in …/clr/src/vm/ceemain.c. The default app domain is initialized by creating a Rotor thread and placing its context on the stack. The EE is then ready to begin loading the target assembly, checking authorizations, loading the first class, JIT compiling the first member function, then executing the native code.
4.6
The Policy Manager
An assembly is the atomic unit of software for downloading, loading, and which can be protected using a security policy. Rotor (and the CLR) uses an evidence-based protection mechanism. The basic scheme is illustrated in Figure 4-8. When the assembly loader has downloaded the assembly, it extracts the resource request (the host’s resources that the assembly wishes to use) and the publisher evidence (information provided by the assembly publisher/developer to restrict the set of environments in which the assembly can be used). Recall from Section Error! Reference source not found. that an assembly can have a strong name, meaning a message digest of the assembly is created by its developer. The message digest can be decrypted using the public key component of the strong name, allowing the policy manager to hash the assembly again, then to compare the newly computed hash with the has provided by the publisher. If the hashes match, the CLI assumes that the assembly was delivered in tact, meaning that its contents are exactly the same as when the publisher digitally signed the assembly. In particular, the resource request fields and the publisher evidence must be information written by the assembly publisher when the assembly was signed. Assembly
Host Environment
IL Metadata Manifest Resources
Host Policy
Resource Requests Publisher Evidence
Policy Policy Manager Manager
Host Evidence
Figure 4-8: The Policy Manager The policy manager examines the assembly’s resource request to determine which of the host’s resources the assembly will need. Next, the policy manager analyzes the publisher and host evidence to determine security state requirements of the assembly and the host. Finally, the policy manager determines if the assembly can be loaded according to the request, evidence, and the host’s loading policy. If the policy manager determines that the assembly or the calling software is not authorized, then the assembly load fails, causing an exception in the object that referenced the new assembly. Otherwise, the assembly is bound into the app domain, and the class loader makes the class ready for the execution engine to use. We will return to the policy manager details in Chapter Error! Reference source not found..
4.7
Communicating Across Application Domains
Objects within an app domain share an address space, so it is easy for them to communicate with one another. However, whenever an object wants to communicate with an object in another app domain, the CLI will have to provide assistance. In Section Error! Reference source not found. you learned about remoting, a mechanism for supporting RMI across app domains. The Rotor CLI remoting design is similar to the seminal work in this area by [Birrell, et al., 1993]. This paper describes an extension to Modula-3, called network objects (their work was inspired by Liskov’s earlier work on Argus, work on Eden at the University of Washington, and work by Shapiro et al. at INRIA). Modula-3 network objects were like normal local objects, except that they could be located on remote machines. Even so, local objects could invoke methods on remote objects as if those objects were local. The basic ideas build on RPC technology, though in the context of strong type checking and OO environments.
In Modula-3 network objects, each accessible remote method incorporates a client stub (analogous to the Transparent Proxy) of the type used for ordinary RPC. Each stub is unique to the method interface, as defined by the signature of the method. The stub’s job is to marshal the details of the call including the arguments that are to be passed to the remote method. That is, marshalling is the act of converting a collection of data structures into a serial representation that can be transmitted from one machine to another over a serial network connection. In the network objects work, complex data types are handled by the pickle package – a package designed to handle arbitrarily complex data types. Pickling serializes a data structure by performing a “deep copy” of the data structure and all other data structures to which it points. Additionally, the pickle package allows the basic marshaling strategy to be overridden by allowing the programmer to specify a custom algorithm to direct how the data structure is to be marshaled. In particular, it is possible to pickle an object, allowing one object to pass another complete object as an argument if it desires; pickling handles object mobility by argument passing. The Transparent/Real Proxy remoting protocol is similar to the Modula-3 network objects. The Transparent Proxy pickles data when a RMI occurs, and the Real proxy unpickles the data prior to making its local method invocation at the server end. The Rotor CLI implementation will be discussed in more detail in Chapter Error! Reference source not found.. One of the important things to notice about pickling/remoting is that this defines a means by which objects can become first class mobile code – by being passed as parameters.
4.8
The Platform Adaptation Layer
The Rotor runtime is built to run on top of an API – defined in …/pal/rotor_pal.h (see Figure 4-9a). The Platform Adaptation Layer (PAL) exports the rotor_pal.h API, using the facilities provided by the host OS and hardware. The “SSCLI Proper” box represents the implementation of the runtime system itself – the software that provides the managed environment in which applications execute. The commercial CLR is implemented to execute directly on the Win32 API, which is exported by the Win32 Subsystem that is part of Windows NT/2000/XP. The approach taken in Rotor is to implement the CLI on an interface that is quite similar to (but slightly different from) the Win32 API. In the Windows XP implementation (see Figure 4-9b), the “SSCLI Proper” executes using the rotor_pal.h API, which has a modest amount of work to do in the PAL since most of the real implementation of the OS support functions is done in the Windows XP OS – the Win32 Subsystem on top of the Windows NT Executive. Notice that Rotor only executes on computers that use the Intel x86 instruction set.
SSCLI SSCLI Proper Proper
SSCLI SSCLI Proper Proper
SSCLI SSCLI Proper Proper
rotor_pal.h rotor_pal.h Platform Platform Adaptation Adaptation Layer Layer
rotor_pal.h rotor_pal.h win32 win32PAL PAL
rotor_pal.h rotor_pal.h
Win32 Win32Subsystem Subsystem
UNIX UNIXPAL PAL
Windows WindowsNT NT Executive Executive
UNIX UNIXKernel Kernel and andLibraries Libraries
x86 x86Hardware Hardware
x86 x86Hardware Hardware
The Host OS and Hardware
(a) Using the PAL
(b) The win32 PAL
Figure 4-9: The PAL
(c) The UNIX PAL
Figure 4-9(c) is a schematic diagram of the FreeBSD/OS X implementation. The relative sizes of the boxes in the diagram are intended to convey the idea that the UNIX PAL is large (compared to the Win32 PAL implementation). This is because the UNIX PAL must adapt the Win32 API style OS calls in the rotor_pal.h API into UNIX kernel and library function calls. And because the UNIX libraries and kernel do not implement all the functionality that is needed by the “SSCLI Proper”, it must also implement all of the missing functionality. 3 The Rotor distribution includes a PAL for Windows, one for OS X, and one for FreeBSD. However, since the rotor_pal.h API is delivered with the software package, anyone can write their own PAL to port the “SSCLI Proper” to any OS and platform. Rotor is delivered with support for Intel x86 processors, meaning that the build environment compiles to that hardware. To port the SSCLI to a different OS, it is possible to write a new PAL for the target hardware. For example, within 3 months of the first release of the SSCLI, people had begun to report ports of the SSCLI to Linux. Linux ports are particularly simple since the Linux PAL is so similar to the other UNIX PALs. Before moving onto the “SSCLI Proper”, consider some of the details that the UNIX PAL must implement. As a simple example, the rotor_pal.h API contains a CreateThread() function call. The implementation must adapt the host OS thread package so that it provides the same service as the Win32 CreateThread() function. In UNIX systems, this might be implemented using a kernel threads package, or using a library thread package such as POSIX threads. In cases where the underlying OS does not include any thread support, the PAL would effectively have to implement an entire user space thread package in the PAL. As another example, FreeBSD does not support memory-mapped files. However the PAL exports the following function: PALIMPORT LPVOID PALAPI MapViewOfFile( IN HANDLE hFileMappingObject, IN DWORD dwDesiredAccess, IN DWORD dwFileOffsetHigh, IN DWORD dwFileOffsetLow, IN SIZE_T dwNumberOfBytesToMap);
This means that the UNIX PAL implementation implements various aspects of Windows memory-mapped files as user space code on top of FreeBSD’s memory manager. As you will see in our subsequent study of the PAL in Chapter Error! Reference source not found., there is considerable code to implement each PAL system call with user space code and UNIX library and system calls.
4.9
Design Summary
Each managed application that is launched by the OS uses its own copy of the runtime. This means that there can be many copies of the runtime executing on any given machine. On a Windows machine, there may even be copies of the CLR running at the same time as Rotor. Though an individual instance of the runtime is capable of supporting multiple address spaces, the runtime and its associated application code will ordinarily execute in a single OS address space.
3
The UNIX PAL implementation in Rotor has been constructed to support only the parts of the Win32 API that are needed by the SSCLI code. This means that the rotor_pal.h API is a subset of the Win32 API and that some of the implemented functions only implement the subset of the function behavior needed to support Rotor. The UNIX PAL does not support general use of the functions on the rotor_pal.h API as it would be described in Windows OS documentation.
Each instance of Rotor runs in its own OS process, defining an address space all of which can be shared by all the parts of the Rotor implementation. However, only a subset of the address space can be accessed by the managed code that runs within an app domain on top of Rotor. That is, an app domain is a computational environment that operates within a subset of the address space. The runtime system can administer multiple app domains, preventing the managed objects in each app domain from referencing objects in sibling app domains – even those that are in the same address space. In other words, an app domain defines a logical address space in which an application; further, multiple app domains can coexist peacefully within a single process (using a single copy of the runtime). Since each copy of Rotor can support multiple app domains, the runtime keeps a list of the app domains that are executing in the address space (see Figure 4-10). There are three default app domains: The base app domain, which contains the application code, a system app domain used by Rotor, and a shared app domain that can contain assemblies used by different app domains within the process address space. List of App Domains in this Address Space
… App Domain … Assembly Assembly Assembly Assembly Assembly … Module Module Module Module … EEClass EEClass EEClass
App Domain
App Domain
Figure 4-10: Fundamental Rotor Data Structures Since each app domain can have multiple assemblies, the runtime keeps a list of the assemblies that are currently loaded in that app domain. When Rotor is started, it is passed an assembly, so there will be at least one assembly in the base app domain. If multiple assemblies are loaded into the app domain, then a list of those assemblies will be maintained in the app domain object. As first indicated in Error! Reference source not found., and further illustrated in Figure 4-10, each assembly has one or more modules, again, conceptually maintained as a list in the assembly object. And of course, each module has a set of classes. In the figure, we see that each module has a list of objects that inherit behavior from the EEClass. (In the diagram this emphasized by showing each node in the per module list as an EEClass object.) The EEClass characteristics provide the parts of the class used by the execution engine. With these introductory remarks, you are ready to begin looking at the details of various parts of Rotor. We start with a code reading exercise.
4.10 Lab Exercise: The Code that Launches an Application In this exercise you will explore various parts of the system involved in preparing a single-assembly application for execution. We will do this by considering how the “hello, world” program (that is included in …\samples\hello\hello.cs) is launched (using clix.exe) by the Rotor CLI. The exercise is for you to read the trace of the Rotor source code along with the description provided in the background section. At two different points in the trace, a segment of the trace will be left for you to determine how the flow of control moves from one block of code to another. Here is the source program: // ==++== // //
// Copyright (c) 2002 Microsoft Corporation. All rights reserved. // //The use and distribution terms for this software are contained in the file //named license.txt, which can be found in the root of this distribution. //By using this software in any fashion, you are agreeing to be bound by the //terms of this license. // // You must not remove this notice, or any other, from this software. // // // ==--== using System; class MainApp { public static void Main() { Console.WriteLine("Hello World!"); } }
Compiing the Program The program is compiled with the following (UNIX) commands: % cd …/samples/hello % csc hello.cs
The csc compiler produces the hello.exe Portable Executable (PE) file that can be loaded and executed by the CLI. hello.cs uses the System namespace (specifically, System.Console) to reference the WriteLine() member. The translation system recognizes that the reference will require that mscorlib.dll be linked to hello.exe when it calls this function. (Find the C# Console.WriteLine() function definition in …\clr\src\bcl\console.cs.) The functions in mscorlib.dll are defined in …\clr\src\bcl\. By contrast, the C++ code that implements the CLI is compiled into mscoree.dll, which is also linked to hello.exe at run time.
Launching the CLI If you are experimenting with the Rotor CLI on a Windows machine that also supports .NET, you can type C:…\sscli\samples\hello>hello.exe Hello World!
In this case, the hello.exe PE file is loaded and executed by the Microsoft production CLR that accompanies .NET, rather than by the Rotor CLI. How can you get the system to use the Rotor CLI ? The clix program is the key: The shell will use the CLR by default, but if you type C:\Rotor\sscli\samples\hello>clix hello.exe Hello World!
you will execute the Rotor CLI instead. clix.cpp is a C++ program written especially for the Rotor CLI – the source code can be found in …/clr/src/tools/clix/clix.cpp. An elided version of the main() program in clix.cpp is shown below. This block of code parses the command line to determine the runtime name, the module name, and the command line image. These 3 arguments are then passed to Launch() which does the real work of starting the EE. int __cdecl main(int argc, char ** argv, char ** envp)
{ WCHAR* pwzCmdLine; … pwzCmdLine = ::GetCommandLineW(); … WCHAR* pRuntimeName; WCHAR* pModuleName; WCHAR* pActualCmdLine; // First, parse the program name.…(algorithm from clr/src/vm/util.cpp) … //[The variable, WCHAR *pRuntimeName, now contains the program name] // Now, load the runtime from the clix directory … // Append runtime library name & zero terminate … //[The variable, pActualCmdLine, now contains the command line] // Parse the first arg - the name of the module to run … //[The variable, pModuleName, now contains the name of the // module to run] … nExitCode = Launch(pRuntimeName, pModuleName, pActualCmdLine); … return nExitCode; }
The Launch() function is also defined in the clix.cpp file. The first task in this function is to open the file and map it into the OS process’ virtual address space, hence this code makes heavy use of the Win32 API functions for memory mapped files (see Chapter 12 of [Nutt, 2004]). Here is an elided version of the first part of Launch(): DWORD Launch(WCHAR* pRunTime, WCHAR* pFileName, WCHAR* pCmdLine) { … // open the file & map it hFile = ::CreateFile(pFileName, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0); if (hFile == INVALID_HANDLE_VALUE) {… error return …} hMapFile = ::CreateFileMapping(hFile, NULL, PAGE_WRITECOPY, 0, 0, NULL); if (hMapFile == NULL) {… error return …} pModule = ::MapViewOfFile(hMapFile, FILE_MAP_COPY, 0, 0, 0); if (pModule == NULL) {… error return …} dwSize = GetFileSize(hFile, &dwSizeHigh); if (check dwSize for errors) {… error return …}
Now that the file has been loaded into the OS process address space, clix checks the PE headers in the file (we will describe these headers in detail in Section Error! Reference source not found.). First it reads the DOS (MZ) header, then the PE header (called the NT header in the code), then the CLI (Common Object Runtime, or COR4) header. These checks basically just read the headers to see if they contain the expected information, to help ensure that the file is really a PE file in the proper format. // check the DOS headers pdosHeader = (IMAGE_DOS_HEADER*) pModule; 4
The Common Language Runtime was initially named the Common Object Runtime, though that name fell by the wayside. Various routines and data structures still use the old COR name.
if (pdosHeader->e_magic != IMAGE_DOS_SIGNATURE || pdosHeader->e_lfanew <= 0 || dwSize <= pdosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS32)) {… error return …} // check the NT headers pNtHeaders = (IMAGE_NT_HEADERS32*) ((BYTE*)pModule + pdosHeader->e_lfanew); if ((pNtHeaders->Signature != IMAGE_NT_SIGNATURE) || (pNtHeaders->FileHeader.SizeOfOptionalHeader != IMAGE_SIZEOF_NT_OPTIONAL32_HEADER) || (pNtHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)) {… error return …} // check the COR headers pSectionHeader = (PIMAGE_SECTION_HEADER) Cor_RtlImageRvaToVa(pNtHeaders, (PBYTE)pModule, pNtHeaders->\ OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COMHEADER].\ VirtualAddress, dwSize); if (pSectionHeader == NULL) {… error return …}
Part A of the Laboratory Exercise: Explain how clix invokes the CLI EE After you have solved Part A of the exercise, you should be examining the code at CoreExeMain2() in ceemain.cpp. Here is an elided copy of the first part of that code: int32 STDMETHODCALLTYPE _CorExeMain2( …) { … // Strong name validate if necessary. if (!StrongNameSignatureVerification(…) {… error return …} // Before we initialize the EE, make sure we've snooped for all EEspecific // command line arguments that might guide our startup. CorCommandLine::SetArgvW(pCmdLine); … hr = PEFile::Create(pUnmappedPE, cUnmappedPE, pImageNameIn, pLoadersFileName, …); if (SUCCEEDED(hr)) { // Executables are part of the system domain hr = SystemDomain::ExecuteMainMethod(pFile, pImageNameIn); bRetVal = SUCCEEDED(hr); }
CorExeMain2 is passed the virtual address at which the PE file has been mapped into the memory. Even though the PE file has been loaded into the OS process virtual address space, it has not yet been loaded into the app domain. The first task is to check the strongname signature. Next the code looks for any command line arguments that might be used to direct the file execution. After performing other tasks, the code creates an EE PEFile object that will represent the PE file during the loading process (see …/clr/src/vm/pefile.cpp). The call to SystemDomain::ExecuteMainMethod() (found in …/clr/src/vm/appdomain.cpp ) initiates execution of the application assembly.
Part B of the Laboratory Exercise: Explain how the control flows to the Assembly::ExecuteMainMethod(), for which an elided copy is shown below: The Assembly::ExecuteMainMethod() function is defined in …/clr/src/vm/assembly.cpp as shown here in its entirety. This function calls ClassLoader::ExecuteMainMethod(), which is the first step in loading the hello.exe assembly. HRESULT Assembly::ExecuteMainMethod(PTRARRAYREF *stringArgs) { HRESULT hr; if (FAILED(hr = GetEntryPoint(&m_pEntryPoint))) return hr; return GetLoader()->ExecuteMainMethod(m_pEntryPoint, stringArgs); }
After ClassLoader::ExecuteMainMethod() has retrieved the CLI header and a token from the header, it will be able to identify the assembly entry point method to be called. As you will see when we continue to trace this code in Chapters 5 and 6, the call to LoadTypeHandle()will ultimately call the assembly loader. After the assembly has been loaded, RunMain() is called to begin execution at the main entry point.
5
Assemblies
As you have learned in earlier chapters, assemblies are the unit of deployment for a CLI implementation. Source code files are translated into modules composed of metadata, CIL, and other information. An assembly is a collection of one or more modules where at least one of the modules has a main entry point. In traditional compiling terminology, a module is analogous to a relocatable object module, and an assembly is analogous to a load module. (But of course, since the CLI defines a new translation and execution module, the analogy is not exact.) Each CLI compliant language compiler translates a source program into a CLI module containing the CIL and metadata. The CIL defines the procedures in the source program, and the metadata defines the types and other meta information (such as the module manifest and authentication information) relevant to the module. In this chapter, we begin our detailed inspection of Rotor by investigating the characteristics of modules and assemblies. The Rotor distribution includes three translators capable of producing modules and assemblies: The C# compiler (see …/clr/src/csharp/), the JScript compiler (see …/jscript/), and the CIL assembler (see …/clr/src/ilasm/). Each translator has a command line interpreter that can be used (in a UNIX shell or Windows XP command.com window) to compile a program into a module or assembly. Although we will not study language translators in this book, it is essential to understand how the CIL and metadata are organized in order to see how the entire runtime works. If you decide to explore language translation further, you might consider starting with the ilasm assembler, since the frontend of the translator is much simpler than a compiler, yet it still produces modules and assemblies. This chapter focuses on module formats, introduces you to the CIL assembler language, introduces you to metadata, then provide an exercise in which you can experiment by inspecting various parts of an assembly. Before looking in detail at assemblies, let us briefly consider the CLI type system.
5.1
The Type System
ECMA-335 is based on objects and strong typing. As mentioned in Chapter Error! Reference source not found., the standard specifies a Common Type System that has built-in types and an extension mechanism for self-describing types. It is paramount that the CTS provide sufficient information to allow objects to be instantiated using only the information in the assembly, and that the resulting objects conform to the expected behavior of managed software. Let’s consider what happens when an assembly is loaded into the EE. An address space is a sequence of virtual memory locations containing elements that can be referenced when the CLI or its applications are executed. When the Rotor CLI is initialized, a CLI address space is defined and the EE is loaded into the OS address space. All assemblies to be executed by this instance of the CLI are then loaded into the CLI address space. From the OS point of view, there is no distinction between the CLI and its assemblies. Each address space (invocation of the Rotor CLI) can support multiple app domains. The CLI assures that managed code that executes in one app domain cannot interfere with the portion of the address space assigned to a different app domain. We can think of app domains as “mini address spaces” – distinct from the OS address space assigned to a process – in which assemblies execute. The app domain address space isolation mechanism is implemented with user-space software. This means that the CLI does not use any special hardware or privileged mode software to enforce address reference isolation. Instead the base technology is strong type checking – ensuring that each memory reference is consistent with the type definition specified in the source code representation of the program (see Section Error! Reference source not found.). For example, if the programmer writes: int i = foo.f(x);
then when the EE executes the code to perform this assignment, the “foo.f(x)” must evaluate to an integer type. In the context of address space isolation, this becomes critical in managing memory references. For example, if a programmer wrote a source code statement such as: int *i = foo.f(x);
the CLI ensures that foo.f(x) returns the address of an integer (rather than just treating the right hand side of the statement as an address that could point to any type of information). Further, the CLI must ensure that *i specifies an address that is in the current app domain. Classically strong type checking requires that the language be strong typed, and that the compiler be able to analyze all type references to assure that interacting types are consistent. Strong typed programming languages and their associated runtime systems have generally been recognized as “a good thing” for the quality of software. Xerox exploited strong type checking in the Mesa programming language [Geschke, et al., 1977] to build the Pilot OS and other commercial software. Other, more recent languages such as Modula-3 and Java (described earlier) incorporate strong type checking in the language and associated runtime system. Mesa demonstrated a very effective implementation of a strong type-checked environment by doing essentially all of the type checking in the compiler (static type checking). The Rotor CLI approach is to have the compiler perform as much static type checking as it is able, but then to provide the types to the EE so that it can perform dynamic type checks at runtime. Of course this requires that the type definitions be saved by the compiler, emitted into the metadata portion of the .text section, then used by the JIT compiler when it translates the CIL into native machine language. This type check is not exactly at runtime – dynamically at the moment that memory is referenced – but it is conducted “at the beginning” of runtime as opposed to traditional compile time. Provided that a programmer only prepares source code that is processed by a Rotor compiler, and the resulting assembly is delivered without being modified to the CLI, then the JIT compiler can create native machine code that is assured of only referencing objects that are within the app domain’s mini address space. What could go wrong? First, it may be that the assembly was produced by a compiler that does not do strong type checking – because the language is insufficient to support strong type checking, or because a malicious programmer found a loophole in the strong type checking mechanism. The resulting assembly is then effectively unmanaged code: It does not meet its obligation to be type safe. The PEverify tool (see …/clr/src/toosl/peverify for the source code of the tool – it is also installed by the build procedure) is able to analyze assemblies to determine if they are type safe or not. This is possible because even if the language translator does not perform strong type checks, each assembly is required to provide the type definitions for all objects used in the CIL. Another thing that could go wrong is that the program might generate its own classes at runtime, then call the newly generated classes. The class manager will force first references to a class to go through the JIT compiler, where the runtime strong type checking is handled. The CLI will not execute native code that it did not translate from CIL (except as unmanaged code). Suppose that you want to write code to work with managed code, but the language/implementation simply doesn’t support strong type checking? Then your new code is unmanaged code, which is not type checked. It behooves the CLI to place as secure of a barrier between the execution of managed and unmanaged code as possible – which it does. Finally, notice the importance of the developer signature in an assembly. This signature is a message digest of the code, signed with the developer’s private signature. If any bits in the assembly are tampered with (between the time that the assembly was signed and the time the assembly loader links the assembly into an app domain), then the signature verification will fail. This is not foolproof, but it is quite strong. For additional general discussion of the Common Type System and strong type checking as it relates to the Rotor CLI, see [Pietrek, 2002] and Chapter 3 of [Stutz, et al., 2003]. From a practical point of view, the Rotor CLI depends on the existence of certain types. For example, every SSCLI class is assumed to inherit behavior from the System.Object class – see …/clr/src/vm/object.h for the class definition, and the C# class implementation in the base class library (…/clr/src/bcl/system/object.cs). By using this convention (also used in Smalltalk to define the fundamental behavior of every object [Goldberg and Robson, 1983]) the EE can depend on certain behavior from every CLI object – the behavior inherited from System.Object. The System.Object interface contains over 75 public methods as well as the method table for the class.
5.2
Modules and Portable Execution Files
In this section we will consider the file format for a simple C# assembly. Let’s use the C# “hello world” program from …/tools/hello/hello.cs again: … using System; class MainApp { public static void Main() { Console.WriteLine("Hello World!"); } }
This program can be compiled with the following command: % csc hello.cs
The C# command line compiler is invoked with the csc command, creating an assembly named hello.exe. The default arguments to the C# compiler have several options, including: • The –out argument can be used to define the name of the output file – the default being hello.exe for the hello.cs source file • The –t argument defines the type of the output file – the default is to create an assembly (as contrasted with a module). • The –r argument specifies the libraries to be used during link editing – the default is to use MSCorLib.dll (the location of the CLI code). So in the example command, csc produces an assembly named hello.exe using MSCorLib.dll as the library from which to load Console.WriteLine(). 5.2.1 The PE File Format The hello.exe file is stored in the PE format (it is 2KB in length). Chapter 3 of [Lidin, 2002] provides a detailed description of PE file format emitted by the CIL assembler; this section summarizes the description. The tools that the SSCLI uses to parse the PE file are in the class PEFile (defined in …/clr/src/vm/pefile.h). The first block of bytes of the file is the MZ header. The purpose of this header is to cause a DOS loader to reject the file as an executable (it will print “This program cannot be run in DOS mode.”). The next 4 bytes are the PE signature, identifying the file type as “PE.” The COFF header follows the PE signature. This header identifies the target machine type, timestamp, information about the symbol table, and other characteristics [Lidin, 2002]. As suggested by Figure 5-1, the PE/COFF file format can be thought of as an encapsulation mechanism to store CLI specific information. The PE/COFF header is used by the host OS loader. Each PE file is organized as a collection of typed blocks of information referenced by a data directory in the PE/COFF header. That is, data directory entries reference logical parts of the file that the OS loader will be required to handle. The types of the data directory entries, then, are OS specific (rather than CLI specific). However, one of the data directories entries references the CLI header (of course it would reference another data structure if the PE file were for something besides the CLI). The language translator emits information into the PE file into a set of logical, typed blocks called sections. The collection of section contents are mapped into a virtual address space associated with that file (when the file is loaded). The data directory entries use relative virtual addresses from this space to reference elements of the file (such as the CLI header). As mentioned in the previous paragraph, the data directory is in the interior of the PE/COFF header, which is immediately followed by the file’s section headers. Sections have types, meaning that loaders that read the PE file can determine the contents of each sector by inspecting its type. As a result, the order of section headers can be chosen by the translator that builds the PE file. The CLI specific contents – the white blocks in the figure – are stored in sections with the following types:
Host HostOS OS Loader Loader
PE File PE/COFF Header CLI Portion of File CLI Header Text Sect
IL Code Metadata Resources
Assembly Assembly Loader Loader Policy Policy Manager Manager
Data Section Unmanaged Resources
Native Info
Class Class Loader Loader JITter JITter
Figure 5-1: The PE File Format • • • • •
Text section of type .text. Data section of type .sdata. Relocation section for modifying address, of type .reloc. Resource section of type .rsrc. Thread local storage section of type .tls.
The CLI header is stored in the .text section. Since it is a data directory element, it is referenced by an entry in the PE/COFF data directory, even though it contains CLI-specific information. The organization of the CLI header is defined by the struct IMAGE_COR20_HEADER in …/clr/src/inc/corhdr.h (replicated here): // CLR 2.0 header structure. typedef struct IMAGE_COR20_HEADER { // Header versioning ULONG cb; USHORT MajorRuntimeVersion; USHORT MinorRuntimeVersion; // Symbol table and startup information IMAGE_DATA_DIRECTORY MetaData; ULONG Flags; ULONG EntryPointToken; // Binding information IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRECTORY
Resources; StrongNameSignature;
// Regular fixup and binding information IMAGE_DATA_DIRECTORY CodeManagerTable; IMAGE_DATA_DIRECTORY VTableFixups; IMAGE_DATA_DIRECTORY ExportAddressTableJumps; // Precompiled image info (internal use only - set to zero) IMAGE_DATA_DIRECTORY ManagedNativeHeader;
} IMAGE_COR20_HEADER;
The first part of the CLI header specifies the size of the CLI header, the runtime version, and other information. Within the .text section CLI information is laid out in a collection of memory blocks containing logical streams of information – metadata, CIL code, and so on. An IMAGE_DATA_DIRECTORY is a CLI data structure that contains an integer offset into the text segment where a logical element is located, as well as the size of that element. You can see from the CLI header struct definition that the header references the metadata, resources, strong name signature, and other information needed to create the execution image for the EE. The Rotor CLI uses tokens to reference different parts of the metadata tables. A token is a 4-byte tuple that identifies the particular metadata table, and provides an offset into the table. Metadata functions use tokens to read and write the metadata information. The EntryPointToken field is a token to specify the metadata description of the entry point into the CIL code (provided that a main entry point has been defined for the file). If the file has no main entry, this field is null. The text section also contains the CIL code, the strong name signature, and the metadata. Again, there is some flexibility in the exact layout of the text segment. The ilasm assembler lays out the text segment as follows (see …/clr/src/ilasm/assem.cpp and Chapter 3 of [Lidin, 2002]): • Import address table • CIL code (including SEH tables) • Optional strong name signature hash • Metadata • Managed resources (unmanaged resources are stored in the data section) • Unmanaged export stubs • Runtime startup stub (the EntryPointToken in the CLI header references this location) The data section (type .sdata) follows the text section. It contains information to define data constants, Vtable organization, and the list of references to unmanaged external code. Thread local storage (TLS) refers to information that is private to each thread (as contrasted with information that is part of the address space and which is shared among all threads in the address space). The TLS is defined by a section of type .tls. Finally, unmanaged resources are kept in the .rsrc segment. Managed resources are allocated within the text segment. 5.2.2 A Closer Look at a PE File Now lets use this information to look at a dump of the hello.exe file. The UNIX hexdump program can be used to perform some rudimentary inspection of the file. The first 128 bytes in the file are: 00000000 00000010 ... 00000040 00000050 00000060 00000070 00000080
4d 5a 90 00 03 00 00 00 b8 00 00 00 00 00 00 00
04 00 00 00 ff ff 00 00 40 00 00 00 00 00 00 00
|MZ..............| |........@.......|
0e 69 74 6d 50
21 61 20 24 d0
|........!..L.!Th| |is program canno| |t be run in DOS | |mode....$.......| |PE..L......<....|
1f 73 20 6f 45
ba 20 62 64 00
0e 70 65 65 00
00 72 20 2e 4c
b4 6f 72 0d 01
09 67 75 0d 02
cd 72 6e 0a 00
b8 6d 69 00 b8
01 20 6e 00 fb
4c 63 20 00 3c
cd 61 44 00 00
21 6e 4f 00 00
54 6e 53 00 00
68 6f 20 00 00
Notice that locations 0x0000 to 0x000c contain “MZ” and locations 0x004e to 0x0073 contain the string “This program cannot be run in DOS mode”; this is the MZ header that is the first information in the PE file.
The “PE” string appears in locations 0x0080-0x0081, indicating that this is a PE file. The COFF header starts at location 0x0084 (0x0084-0x0085 contains the binary number 0x014c in big endian order, indicating that this file is for Intel 386 or later). Bytes 0x0086-0x0087 indicate that the file has 2 entries in the sections table, and so on. The section headers start at location 0x0178 (each is a 40-byte structure): 00000170 00000180 00000190 000001a0 000001b0 000001c0
00 94 00 2e 00 00
00 02 00 72 02 00
00 00 00 65 00 00
00 00 00 6c 00 00
00 00 00 6f 00 40
00 20 00 63 06 00
00 00 00 00 00 00
00 00 00 00 00 42
2e 00 00 0c 00 00
74 04 00 00 00 00
65 00 00 00 00 00
78 00 00 00 00 00
74 00 20 00 00 00
00 02 00 40 00 00
00 00 00 00 00 00
00 00 60 00 00 00
|.........text...| |..... ..........| |............ ..`| |.reloc.......@..| |................| |[email protected]........|
The .text section header begins with the name “.text” (8-character, null-padded) string. Bytes 0x0180-0x0183 indicate that there are 0x00000294 bytes in the .text section. The CLI header is stored in the file at 0x0208 – 0x024f: 00000200 00000210 00000220 00000230 00000240
70 7c 00 00 00
22 20 00 00 00
00 00 00 00 00
00 00 00 00 00
00 c0 00 00 00
00 01 00 00 00
00 00 00 00 00
00 00 00 00 00
48 01 00 00 00
00 00 00 00 00
00 00 00 00 00
00 00 00 00 00
02 01 00 00 00
00 00 00 00 00
00 00 00 00 00
00 06 00 00 00
|p”......H.......| ||...............| |................| |................| |................|
Inspect the 4-byte ULONG at 0x0208: the big endian representation is the number 0x00000048 (7210) bytes. The USHORT in 0x020c – 0x020d is the major version number – 0x0002, and the USHORT minor version number at 0x020e – 0x020f is 0x0000. The metadata relative virtual address and size are packed into bytes 0x0210 – 0x0217 (the relative virtual address – explained in the the next subsection – is 0x00000207c and the size is 0x000001c0). In the Lab Exercise for Chapter 4, we began to trace the code execution for launching the initial assembly. The last action that we traced was when the Assembly::ExecuteMainMethod() function is defined in …/clr/src/vm/assembly.cpp called ClassLoader::ExecuteMainMethod() which is defined in …/clr/src/vm/clsload.cpp). The ClassLoader class is the first part of the CLI to begin loading, by fetching the PE file: HRESULT ClassLoader::ExecuteMainMethod(Module *pModule, PTRARRAYREF *stringArgs) { … MethodDesc *pFD = NULL; HRESULT hr = E_FAIL; IMAGE_COR20_HEADER * Header; … Header = pModule->GetCORHeader(); … // Must have a method def token for the entry point. if (TypeFromToken(Header->EntryPointToken) != mdtMethodDef) {… error exit …} // We have a MethodDef. // We need to get its properties and the class token for it. … if (… //Is MethodDef global or in a class?) { // [MethodDef is in a class]
InitialClass = LoadTypeHandle(&name,&pThrowable).GetClass(); … pFD = InitialClass->FindMethod( (mdMethodDef)Header->EntryPointToken); … } else { //[MethodDef is global] pFD = pModule->FindFunction((mdToken)Header->EntryPointToken); } … //[pFD is the method descriptor] hr = RunMain(pFD, 1, stringArgs); … return hr; }
We will continue tracing this code in Chapter 6.
5.3
The Metadata
The metadata is contained in the .text section. The essential purpose of metadata is to define the types used in a module/assembly. But as mentioned earlier, the metadata tables are also used to pass other information from the compilation environment to the runtime environment such as security evidence). In this section we will see how this is done in the Rotor CLI. There is flexibility in the exact format of the metadata (just as there was flexibility in parts of the PE file format). Compiler writers can create their own software to write the metadata, or they can use the tools in …/clr/src/md/ceefilegen. 5.3.1 Representing Types as Metadata Object oriented languages represent extensible types as classes (the CLI has some built-in types, such as integers, that are agreed upon by the compiler environments and the CLI). The source program is written as a collection of classes, each of which can be instantiated to create objects whose structure and behavior is defined by the class. As a result, all types can be represented by the common agreement of the built-in types along with a specification of the class interfaces (without the member function definitions – those appear in the CIL definition). The metadata mechanism is used by the compilation environment to represent the types used in the compilation module. The EE can then retrieve the type definitions for the module from the module’s metadata. Metadata (and the CIL) use relative addresses to identify bytes within the assembly. The idea is that elements of the assembly that will be referenced by the EE need to be bound to a location that can, ultimately, be bound to a physical memory location when the EE executes the code. Of course the compiler can only generate relative addresses (relative to the beginning of the assembly’s address space) – in the Rotor CLI these addresses are called relative virtual addresses (RVAs). For example, at the end of Section 5.2, we mention that 0x00000207c is the RVA where the metadata will be placed when the assembly is loaded. Variable-length metadata are stored in heaps, and fixed-length metadata are stored in tables. Any specific metadata item is referenced by specifying its record identifier (RID) location in the proper heap or table. Hence logically, we can think of a metadata references as a tuple of the form (tableID, RID). The SSCLI has 44 different heap and table types, ranging from tables to list the type definitions and references, to tables for the assembly manifest [Lidin, 2002].
In the SSCLI, the idea of a (tableID, RID) is represented by a 32-bit token for tables that can be referenced without having detailed knowledge of the metadata organization. The typedef enum CorTokenType in …/clr/src/inc/corhdr.h lists the metadata table types for which tokens are used in the metadata. The tableID is the most significant byte of the token, and the RID is the 3 least significant bytes: For example, a token of the form 0x02000002 refers to an entry in the mdtTypeDef table (tableID is 0x02) at RID 0x000002. The metadata storage structure is summarized in Figure 5-2. Metadata are grouped together into streams of similar data structures. The storage signature provides version information. The storage header specifies the number of streams that are used in the metadata. The stream headers are organized as an array of stream headers, one per stream. Each stream header specifies the offset in the file where the stream begins.
Storage Signature Storage Header Stream Headers String Stream Blob Stream
Metadata Header
GUID Stream
Records/Table
User String Stream
Specific Metadata Table Descriptors
Metadata Stream
Figure 5-2: Metadata Storage A string stream is a heap containing the names used in the metadata descriptions themselves. For example, class names are stored in the string stream heap. The Blob stream is also a heap. Each Blob is a block of storage containing binary information created by the compiler, and to be used by the EE. For example, default values are stored as Blobs. The GUID stream heap contains all globally unique identifiers defined in the module, thus they are similar to strings and Blobs, though they have their own specific format. Referring again to Figure 5-2, each stream header specifies the offset at which that stream starts in the file, size of the stream, and name of the stream. Following all the stream headers, the streams (heaps) are written to the PE file. The metadata tables are all clumped together in a single metadata stream. This stream contains its own index of tables, with offsets into the stream to identify the beginning of each metadata table. Tokens can be used to read the metadata stream by using the tableID as index into the metadata header information, then using the RID as an offset within the target table. 5.3.2 A Logical View at the Metadata Let us reconsider the hello program in order to see how metadata is used to represent the type system: using System; class MainApp { public static void Main() { Console.WriteLine("Hello World!"); } }
The program defines a single class named MainApp. This class has a single member/method named Main (along with the members inherited from System.Object). Like all C# (or C++) classes, there is an implicit constructor member for MainApp (named .ctor in the Rotor CLI) that is called whenever an object is created. Finally, the WriteLine() member function in a System.Console object is referenced to print the message.
You could use hexdump to inspect the raw bit patterns that define the metadata and CIL in the file. However, it is easier to use Rotor tools to view the logical contents of the metadata. The Rotor metainfo tool produces a report describing the metadata in an assembly. Here is the first portion of the output from “metainfo hello.exe”: >metainfo hello.exe Microsoft (R) Shared Source CLI Runtime Meta Data Dump Utility Version 1.0.000 2.0 Copyright (C) Microsoft Corporation 1998-2002. All rights reserved. //////////////////////////////////////////////////////////////// File hello.exe: ScopeName : hello.exe MVID : {ea79a651-6950-f9f5-e9fd-3b9f78fb9028} =========================================================== Global functions ------------------------------------------------------Global fields ------------------------------------------------------Global MemberRefs -------------------------------------------------------
The header information identifies the module being inspected, including the specific version of the file; the MVID is a new 128-bit hash value generated by the compiler each time it compiles a module. Two different compiles of exactly the same source code will result in distinct MVIDs. The next few lines tell us that this assembly does not have any global functions, fields, or member references.
The next fragment of the metainfo output describes the types that are defined in this file: TypeDef #1 ------------------------------------------------------TypDefName: MainApp (02000002) Flags : [NotPublic] [AutoLayout] [Class] [AnsiClass] (00100000) Extends : 01000001 [TypeRef] System.Object Method #1 ------------------------------------------------------MethodName: Main (06000001) Flags : [Public] [Static] [HideBySig] [ReuseSlot] (00000096) RVA : 0x00002050 ImplFlags : [IL] [Managed] (00000000) CallCnvntn: [DEFAULT] ReturnType: Void No arguments. Method #2 ------------------------------------------------------MethodName: .ctor (06000002) Flags : [Public] [HideBySig] [ReuseSlot] [SpecialName] [RTSpecialName] [.ctor] (00001886) RVA : 0x00002068 ImplFlags : [IL] [Managed] (00000000) CallCnvntn: [DEFAULT] HasThis ReturnType: Void No arguments.
There is only one type definition in this assembly – the MainApp class. The type definition name is followed by a token (02000002) indicating the location of the MainApp class metadata. The flags field indicates that MainApp provides miscellaneous information for the class, and the Extends: field provides a token for the external reference to the System.Object, and also indicates that MainApp is a subclass of System.Object. There are two methods/member functions defined for the class. Method #1 is Main (token 06000001), and Method #2 is the constructor .ctor (token 06000002). The report shows that the Main method CIL is stored at RVA 0x00002050, and the constructor is at 0x00002068. Both functions are managed CIL code, using standard calling conventions, passing no arguments, and returning no values. From this metadata information, we could infer the following prototype information: class MainApp { public static void Main(); public void MainApp(); };
Next, the metadata tells us about the type references made from this assembly: TypeRef #1 (01000001) ------------------------------------------------------Token: 0x01000001 ResolutionScope: 0x23000001 TypeRefName: System.Object MemberRef #1 ------------------------------------------------------Member: (0a000003) .ctor: CallCnvntn: [DEFAULT] hasThis ReturnType: Void No arguments. TypeRef #2 (01000002) ------------------------------------------------------… TypeRef #3 (01000003) ------------------------------------------------------Token: 0x01000003 ResolutionScope: 0x23000001 TypeRefName: System.Console MemberRef #1 ------------------------------------------------------Member: (0a000002) WriteLine: CallCnvntn: [DEFAULT] ReturnType: Void 1 Arguments Argument #1: String
The first type references is to the object constructor (inherited from System.Object). The metadata for the type reference provides information about the referent, including the calling convention and return type. The second type reference, which has been elided, is to the debugger, and the third type reference is the WriteLine() procedure call. This procedure call is to a function that is in the System.Console namespace. The call will not return a value, but it will pass a String as its single argument.
The next part of the metadata is the manifest. The essential purpose of the manifest is to represent information that applies to all modules that are in the assembly, particularly the list of module file names that constitute the assembly. The manifest holds the identification information for the assembly, including the assembly name (hello), the public signature (null), the specification of the hash algorithm used to generate hash values for this compilation, the version number (major number, minor number, build, and revision), the locale, flags, and custom attributes. The first entry in this report describes the hello.exe module, itself. The AssemblyRef section describes each module that is part of the assembly, in this case only the mscorlib dll module. (mscorlib is included with all assemblies, as it provides the interface into the EE used by the application code in the assembly.) Assembly ------------------------------------------------------Token: 0x20000001 Name : hello Public Key : Hash Algorithm : 0x00008004 Major Version: 0x00000000 Minor Version: 0x00000000 Build Number: 0x00000000 Revision Number: 0x00000000 Locale: Flags : [SideBySideCompatible] (00000000) CustomAttribute #1 (0c000001) ------------------------------------------------------CustomAttribute Type: 0a000001 CustomAttributeName: System.Diagnostics.DebuggableAttribute :: …
AssemblyRef #1 ------------------------------------------------------Token: 0x23000001 Public Key or Token: b7 7a 5c 56 19 34 e0 89 Name: mscorlib Major Version: 0x00000001 Minor Version: 0x00000000 Build Number: 0x00000ce4 Revision Number: 0x00000000 Locale: HashValue Blob: Flags: [none] (00000000)
Finally the contents of the user string stream is displayed, which is the set of literal strings declared in the program: User Strings ------------------------------------------------------70000001 : (12) L"Hello World!"
Coff symbol name overhead:
0
5.4
The CIL
The metadata defines the types used in an assembly, and CIL defines the behavior of the various types specified in that metadata. The CIL is explicitly designed to describe secure object structure and behavior, rather than to be compiled for any particular execution architecture. As a result, the Rotor CLI never attempts to interpret CIL on-the-fly. Instead, the Rotor JIT compiler analyzes the metadata, then translates the CIL into the platform native machine language at runtime. This approach enables the JIT compiler to implement additional strong type enforcement of the software. It also allows code generation to be optimized for the specific platform on which the code is to execute. In the Rotor CLI, CIL versions of methods are translated on first reference. Once the method behavior has been translated into native machine code, it is cached in the EE for subsequent use. The Rotor CLI will sometimes release the storage for a cached version of the native machine code representation, in which case the CIL version of the method will need to be JIT compiled again if/when it is referenced again. In this section we will not bother with discussion of the CIL file storage format, but instead focus on the CIL design. [Lidin, 2002] provides a comprehensive discussion of CIL. 5.4.1 Value Types: The Data In the ECMA-335 document, value types refer to the contents of type fields – that is, values types are the data that are stored in variables. The variables may be either C-style “automatic variables” that are allocated in a stack frame whenever they come into scope, or as fields in a class definition. Member fields are part of an object, thus these variables are allocated from the heap according to the class definition. Member fields may be referenced from within the class members, or through the class interface (if they happen to be publicly accessible). Since member fields are part of a class definition, the compiler must be able to generate an address (or a procedure that produces an address) to be used when the CIL is translated into native machine language. This is more difficult than might first be imagined, since the fields in data structures for the class are not bound to memory locations until the JIT compiler produces the machine code. This provides the Rotor CLI with another opportunity to enforce typing: The CIL language requires that the appropriate tokens for metadata type references and definitions be used to refer to member field data. The JIT compiler will resolve these to addresses when it lays out the data structure. 5.4.2 The CIL Instruction Set The CIL target machine is a single-address, stack machine. Binary operators are executed by loading operands onto the operand evaluation stack (as opposed to the high level language runtime stack), then by performing the binary operation on the top two operands on the stack. The result of the operation is left on top of the evaluation stack. Operands are loaded from object fields or from local storage. The local storage is the combination of the language runtime stack local variables and arguments to the member function. Instructions can be either 1 or 2 bytes long; there are 282 instructions. Operands can be 0, 1, 4, or 8byte values. 0-byte addresses means that there is no operand. 1-byte operands are used to represent characters and small signed integers. 4-byte operands are used for numeric values and tokens. 8-byte operands are immediate operands of 64-bit value types. The CIL op codes and a summary of their characteristics are provided in …/clr/src/inc/opcode.def. The flow of control instructions include 26 branch instructions, a switch instruction, a break instruction, 4 structured exception handling instructions, and a return instruction. The arithmetical instructions include those to load and store the evaluation stack, add, subtract, multiply, and divide operations, bitwise logical operations, shift operations, data conversion operations, condition check operations, and block transfer operations. There are also specialized instructions for loading and storing arguments and local variables. The Main method of the MainApp class is represented in CIL as: IL_0000: IL_0005: IL_000a:
ldstr call ret
"Hello World!" void [mscorlib]System.Console::WriteLine(string)
Since the C# code is only the call to System.Console.WriteLine(), the 11-byte CIL code to implement this is a ldstr (load string) instruction, a call instruction to an mscorlib function, and a return (ret) instruction. 5.4.3 A Closer Look at CIL Code In this section we will take a closer look at the CIL component of an assembly. The following C# program is a slightly more complex than the “hello world” program (you might recognize it if you solved Part B of the Lab Exercise in Chapter 2): using System; public class Num { private int value; public bool isEven; public Num(int i) { value = i; isEven = ((i % 2) == 0) ? true: false; } public int incr() { isEven = (isEven) ? false: true; return(value++); } public int decr() { isEven = (isEven) ? false: true; return(value--); } } class MainApp { public const int MAX_N = 8; public static void Main() { int i; Num[] number = new Num[MAX_N]; for(i = 0; i < MAX_N; i++) { number[i] = new Num(i); } for(i = 0; i < MAX_N; i++) { if(number[i].isEven) Console.WriteLine("{0} is an even number", number[i].incr()); else Console.WriteLine("{0} is an odd number", number[i].decr()); } for(i = 0; i < MAX_N; i++) { if(number[i].isEven) Console.WriteLine("{0} is an even number", number[i].incr()); else Console.WriteLine("{0} is an odd number", number[i].decr()); } } }
This program generates an 8-element list of integers, checks to see which are odd and which are even, changes their values and then repeats the test. If you compile and run the program, it should produce output similar to:
0 1 2 … 7 1 0 … 6
is an even number is an odd number is an even number is an odd number is an even number is an odd number is an odd number
In this section we will use the CIL disassembler, ildasm, (included in the Rotor distribution). The ildasm tool translates an assembly into symbolic CIL code. Here is the header information produced by ildasm for the program shown above:
// //
Microsoft (R) .NET Framework IL Disassembler. Version 1.0.0002.0 Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.
.assembly extern mscorlib { .publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4.. .ver 1:0:3300:0 } .assembly EG2 { // -- The following custom attribute is added automatically, do not uncomment -// .custom instance void [mscorlib]System.Diagnostics.DebuggableAttribute::.ctor(bool, // bool) = ( 01 00 00 01 00 00 ) .hash algorithm 0x00008004 .ver 0:0:0:0 } .module EG2.exe // MVID: {93a2d926-2d1f-9a41-f781-995590790bcf} .imagebase 0x00400000 .subsystem 0x00000003 .file alignment 512 .corflags 0x00000001
The ildasm indicates that there are two assemblies involved in this package: mscorlib and EG2 (the program was in a file named EG2.CS, and the assembly was placed in EG2.EXE). The constructor for a debugger object is inserted, then the hash algorithm and version number are reported. Next is module information for the code defined in this assembly.
The next part of the output from ildasm describes the class structure declaration and global fields (this program has no global fields). Notice that the only information in this part of the report is the identification of the two classes defined in the program (Num and MainApp): // Image base: 0x06ea0000 // // ============== CLASS STRUCTURE DECLARATION ================== // .class public auto ansi beforefieldinit Num extends [mscorlib]System.Object { } // end of class Num .class private auto ansi beforefieldinit MainApp extends [mscorlib]System.Object { } // end of class MainApp
// =============================================================
// =============== GLOBAL FIELDS AND METHODS ===================
The class member declarations define the fields and member functions. Here is the CIL for the Num function fields and constructor member: .class public auto ansi beforefieldinit Num extends [mscorlib]System.Object { .field private int32 'value' .field public bool isEven .method public hidebysig specialname rtspecialname instance void .ctor(int32 i) cil managed { // Code size 29 (0x1d) .maxstack 3 IL_0000: ldarg.0 IL_0001: call instance void [mscorlib]System.Object::.ctor() IL_0006: ldarg.0 IL_0007: ldarg.1 IL_0008: stfld int32 Num::'value' IL_000d: ldarg.0 IL_000e: ldarg.1 IL_000f: ldc.i4.2 IL_0010: rem IL_0011: brfalse.s IL_0016 IL_0013: IL_0014: IL_0016: IL_0017: IL_001c: } // end of
ldc.i4.0 br.s
IL_0017
ldc.i4.1 stfld bool Num::isEven ret method Num::.ctor
The class has two fields private int value; public bool isEven;
which appear as the first two elements of the class Num class member declaration. This is followed by the CIL code that defines the Num class constructor. The disassembled code is 29 bytes in length. The first thing that the Num constructor does is call the System.Object constructor by loading 16-bit argument 0 onto the evaluation stack and calling the System.Object .ctor member. Next, the first and second arguments are loaded onto the stack; the stfld instruction stores the second argument into the object defined by the first argument. The operand provides information used to define a token for this value. The next code segment is the CIL for the incr member function: .method public hidebysig instance int32 incr() cil managed { // Code size 40 (0x28) .maxstack 3 .locals init (int32 V_0, int32 V_1) IL_0000: ldarg.0 IL_0001: ldarg.0 IL_0002: ldfld bool Num::isEven IL_0007: brtrue.s IL_000c IL_0009: IL_000a:
ldc.i4.1 br.s
IL_000c: IL_000d: IL_0012: IL_0013: IL_0014: IL_0019: IL_001a: IL_001b: IL_001c: IL_001d: IL_0022: IL_0023: IL_0024:
ldc.i4.0 stfld ldarg.0 dup ldfld dup stloc.1 ldc.i4.1 add stfld ldloc.1 stloc.0 br.s
IL_000d
bool Num::isEven
int32 Num::'value'
int32 Num::'value'
IL_0026
IL_0026: ldloc.0 IL_0027: ret } // end of method Num::incr
The incr class is only a few lines of C# code public int incr() { isEven = (isEven) ? false: true; return(value++); }
It compiles into 40 bytes of CIL. The CIL in locations IL 0000 to IL 0008 load and test the value of the isEven integer field. The brtrue.s instruction branches to IL 000c if isEven is true, and continues to the instruction in IL 0009 if it is false. You can correlate the remainder of the CIL code with the C# code. As you would expect, the decr member CIL is very similar to the incr member code. The MainApp class has a Main member and a constructor (similar to the hello.exe program described earlier in this section). An elided version of the MainApp class is shown next:
.method public hidebysig static void { .entrypoint // Code size 169 (0xa9) .maxstack 4 .locals init (int32 V_0, class Num[] V_1) IL_0000: ldc.i4.8 IL_0001: newarr Num IL_0006: stloc.1 IL_0007: ldc.i4.0 IL_0008: stloc.0 IL_0009: br.s IL_0018
Main() cil managed
IL_000b: ldloc.1 IL_000c: ldloc.0 IL_000d: ldloc.0 IL_000e: newobj instance void Num::.ctor(int32) IL_0013: stelem.ref IL_0014: ldloc.0 IL_0015: ldc.i4.1 IL_0016: add IL_0017: stloc.0 IL_0018: ldloc.0 IL_0019: ldc.i4.8 IL_001a: blt.s IL_000b … IL_00a8: ret } // end of method MainApp::Main } // end of class MainApp
Consider the first few lines of code in MainApp::Main: Num[] number = new Num[MAX_N]; for(i = 0; i < MAX_N; i++) { number[i] = new Num(i); }
The value of MAX_N is the constant 8 (see the full C# listing). The CIL instruction set happens to include an instruction that will load the 4-byte integer constant, 8, onto the evaluation stack: that instruction is ldc.i4.8 – the first CIL instruction in the member. The second instruction (newarr Num) allocates a array of type Num scalars. The number of entries in the array is taken from the top of the evaluation stack. The instructions in locations IL 0006 through IL 001a contain the for-loop to initialize the number[] array. Notice that the first time “through the loop”, the preamble code branches to IL 0018 to test the loop termination conditions before executing the body of the code.
5.5
Lab Exercise: Inspecting Assemblies
This exercise revolves around various inspections of metadata and CIL for a few different assembly configurations. In the main part of the chapter you saw the metadata for the …/sample/hello/hello.cs program, and the CIL for a pedagogical program (called eg2.cs) that manipulates a small array of odd and even integers. Part A: Use the metainfo, ilasm, and ildasm tools to explore the associated CIL and metadata for the program …/samples/hello/hello.cs as follows: 1. Create a new directory for your experiments, copy …/samples/hello/hello.cs to this directory, then cd to the new directory. 2. Compile the new copy of hello.cs using the C# compiler. This will create the hello.exe file. 3. Create a CIL version of your program, call it hello1.cil, by passing the hello.exe file to the ildasm disassembler. Store the result in a file named hello1A.cil. 4. Assemble hello1A.cil using ilasm. You should have created a new assembly named hello1A.exe. 5. Run hello1A.exe on the SSCLI. It should behave exactly as your compiled C# version of the program (hello.exe). 6. Use ildasm –MET hello.exe to create a file, hello2A.cil, with the human-readable CIL and metadata. Use Unix diff (or other similar command) to compare hello1A.cil and hello2A.cil. What did you find? 7. Use ildasm –MET=RAW to create a file, hello3A.cil, with the human-readable CIL and metadata. Compare hello3A.cil with hello1A.cil and hello2A.cil. What did you find? 8. Copy hello1A.cil to hello4A.cil. Delete the second .assembly directive (the manifest) in hello4A.cil. 9. Compile hello4A.cil with ilasm to create hello4A.exe. 10. When you try to run hello4A.exe it fails. Why? Part B: Use your solution to Part A of the Lab Exercise for Chapter 3. This will be the code in eg2.cs after it has been split into one file containing the MainApp class (call it eg3-1B.cs), and the other the Num class to one that has number in a different module (eg3-2B.cs). Build eg3.exe using these two C# files. Compile eg3-2B.cs as a module, then build eg3.exe from eg32B.netmodule and eg3-1B.cs. (If you solved the Lab Exercise in Chapter 3, you will have already done this.) Part C: Explore the associated CIL and metadata for your program from Part B as follows: 1. Dump the metadata using whichever tool you prefer, then inspect the manifest for the assembly. Note the multiple modules/files. 2. Compare the class metadata from eg3.exe with the class metadata described in Section 0. 3. Compare the assembly metadata from eg3.exe with the class metadata described in Section 0. 4. Be sure to inspect the user strings for eg3.exe. 5.5.1 Background The primary background information you will need to solve this exercise is in tool documentation. This section points you at the online documentation for relevant tools. Fortunately, there is enough documentation included with the Rotor distribution to generally get you started (and to solve this exercise). Even so, you will find books such as [Richter, 2002] invaluable in providing extensive discussion about how to configure files and arguments for writing C# programs for .NET The metainfo tool was introduced earlier in this chapter. The Rotor distribution includes documentation for metainfo in the …/docs/tools/metainfo.html web page. Notice that you can use options to the tool to look only at selected parts of the metadata, such as just the manifest (by using the –assem option).
The assembler and disassembler are very useful tools for experimenting with the SSCLI source code. It is easy to write a simple C# program, disassemble it with ildasm, modify the CIL code directly, then reassemble it with ilasm. This is sometimes easier to do than to create C# programs to drive some feature in the SSCLI that you are interested in studying. There is online documentation for both the ilasm and ildasm in the …/docs directory. The disassembler effectively includes the metainfo tool, that is you can use ildasm to produce most reports that can be produced by metainfo. 5.5.2 Attacking the Problem Follow the detailed instructions in the problem statement.
6
The Assembly Loader
The assembly loader is the first part of the Rotor CLI to begin processing an assembly (see Error! Reference source not found.). It is responsible for downloading the PE file(s), then binding the assemblies into the app domain. As you saw in the Lab Exercise for Chapter 4, the Rotor clix program loads the CLI, creates an app domain to host the application, then calls the assembly loader to install the target assembly for execution. Also, when executing native code references a field or member in a different assembly, the assembly loader is again invoked to dynamically load the target assembly into the app domain (see Figure 6-1).
Cache Cache
clix clix
App App Directory Directory Assembly Assembly Loader Loader
Other Other Directory Directory Policy Policy Manager Manager
Assembly Assemblyinin App AppDomain Domain
Native NativeCode Code
Figure 6-1: The Assembly Loader Every PE file is accessed within a particular context, or set of assumptions about where related PE files are located. The default context is a directory on a machine; when the first assembly is loaded from that directory, the context for subsequent assemblies is assumed to be the same application directory. If an assembly is requested from the executing code and it is not found in the application directory, the assembly loader checks in various caches on the local machine. If it still does not find the desired file, it begins probing different directories. There is a default policy to control the order and locations where the assembly loader will probe. Finally, the programmer can override the default policy by providing a configuration file (as you did in Parts B and C of Lab Exercise for Chapter 3). Specifically, in the commercial CLR, PE file can be downloaded from various locations: • The application directory from which the CLR was started • The host computer’s Global Assembly Cache (GAC) • Other caches in the host machine • Other directories in the host machine • A network location specified by a URL However, the Rotor CLI implementation does not implement the last option – downloading the file from a network location. Once the file has been downloaded to the local machine, the CLI will determine if it is acceptable to execute it in the local environment, and if the developer of the assembly has authorized its use in this local environment. That is, the authentication mechanism checks that the assembly developer and the consumer agree that the assembly can be used in the current environment. The policy manager part of the SSCLI handles all such authentication chores. Therefore, after the assembly loader has downloaded the file, it requests that the policy manager authenticate the use of the assembly before it is actually made ready to use. We will discuss the policy manager in Chapter Error! Reference source not found..
After the assembly has been downloaded, and the CLI has validated the access within the local CLI environment, the assembly loader copies the file content into OS process address space as a memorymapped file. Thus, the Rotor CLI can easily reference all parts of the assembly with OS virtual addresses when it binds the new assembly into the app domain. In particular, it can reference all the metadata, without further disk operations, as it binds the new assembly into the app domain. Recall that while the assembly is stored in the PE file format – all the assembly’s types are represented by metadata, and the behavior by CIL code. The addresses in the metadata and CIL are all RVAs (virtual addresses that are relative to the beginning of a “micro address space” for the assembly – see Section 6.1), RIDs (offsets into metadata tables), or tokens (metadata table ID and RID). The assembly is bound to the app domain by associating fields and member functions with reference locations in the app domain’s “mini address space,” including relocating the RVAs to be app domain virtual addresses. This is analogous to the task performed by a conventional OS static linker and loader. Once this binding has been completed, there is enough in-memory information for the class loader (see Section Error! Reference source not found.) to build virtual function/data tables (VTables) that will be used to link member references to member definitions. In this chapter we will study this assembly loading procedure in detail. First, we will consider the various address spaces involved in loading. Next we will consider how the target assembly is found and prepared for loading (called “downloading the assembly”), then how the assembly is bound into the app domain. Finally we will briefly consider the class loader’s job of binding all the parts of an assembly so that the JIT compiler and EE can translate/execute the code.
6.1
Address Spaces
The idea of an address space is used in a few different ways in the CLI code and documentation. In most programming languages and operating systems, the address space refers to the set of all references that a process or thread can use. Contemporary operating systems that incorporate memory relocation hardware (and virtual memory) provide each process with a 32-bit (4 GB) virtual address space. This OS virtual address space can have information statically bound to its virtual addresses at load time (by an OS loader, such as Unix exec()), or dynamically with Windows DLL and memory-mapped files [Nutt, 2004]. Process address spaces are an essential part of OS abstract machines, since they define OS/hardware memory protection barriers that can only be bypassed with OS assistance. As a consequence, programmers can write (single-process, multithreaded) applications code with the knowledge that when threads execute in the process address space, they will be unable to reference addresses outside the address space. By extension, no threads from other processes will be able to reference addresses in the subject process address space. The concept of OS process heavily depends on this idea of address space for correct virtual machine operation. The SSCLI notion for address space is summarized in Figure 6-2. The dark cloud in the background represents the OS process address space notion. The Rotor CLI defines its own notion of thread (see Chapter Error! Reference source not found.); a CLI thread has its own, private address space – the gray ellipse in the figure. In Rotor, you can think of the CLI thread address space as exactly corresponding to the OS process address space, though there is no assurance in the ECMA-335 specification that this is necessarily true. Application domains define miniature address spaces inside the SSCLI thread address space – the hexagons in the figure. That is, an app domain address space (referred to as a mini address space in this book) is a set of references that methods in an assembly that has been loaded into the app domain can use when they execute. As you saw in Chapters 2 and 5, the CLI uses the sandbox to enforce the for the app domain mini address space. The assembly loader combines the metadata and CIL in one module with previously loaded modules in an app domain. This means that when the compiler produces a module it must define the CIL code so that it uses relocatable addresses. In Figure 6-2, we refer to the set of all relocatable addresses produced by the compiler as the assembly’s micro address space.
OS Process Address Space CLI Thread Address Space App Domain Mini Address Space Assembly Assembly Micro Micro Assembly Assembly Address Address Micro Micro Space Space Address Address Space Space
Figure 6-2: CLI Virtual Address Spaces How can micro address spaces be generated by a compiler, one assembly at a time, yet be combined to run in an app domain, such that the app domain executes in its own mini address space? Further the code executing in an assembly must not interfere with the other app domains in the CLI thread address space? Figure 6-3 summarizes the work the assembly loader does to bind an assembly into an SSCLI thread address space. Assemblies are relocated by adjusting their RVAs and tokens when they are combined into the app domain mini address space. This is analogous to creating an absolute load module from a series of relocatable object modules in a traditional program translation environment. After the three assemblies (in the figure) are combined, their RVAs and tokens will uniquely reference addresses within the app domain mini address space. Of course external references are still possible because the metadata and CIL for the app domain are still in the general form described in Chapter Error! Reference source not found..
Physical Memory
OS Process Address Space App Domain Address Space
0x0ff100000 Assembly Micro Address Space Assembly Micro Address Space Assembly Micro Address Space
App Domain Address Space
0x0ffa00000
App Domain Address Space
Figure 6-3: Realizing the Address Space Hierarchy As mentioned in the previous paragraphs, each CLI thread can host several app domains, meaning that it can accommodate multiple mini address spaces – the app domain white boxes in the figure. The default domain is used to run normal application assemblies – that is our description of “the app domain” has been of the default domain. There is also a system domain used by the SSCLI to get itself started, meaning that objects that implement the assembly loader are placed in this domain. The shared domain is loaded with domain neutral objects that are strongly named and trusted by all other software. This allows certain assemblies to be shared among app domains. (The type of the default domain allows a programmer to define additional app domains to run ordinary application assemblies.) As you will see in the next chapter, class BaseDomain that defines common tools for these three types of app domains (class AppDomain, class SystemDomain, and class SharedDomain). When an app domain is created, it is bound to a block of virtual addresses belonging to its host CLI thread. That is, the app domain mini address space is bound to a block of CLI thread virtual addresses. The entire CLI thread address space is bound to the OS process address space. (We do not explicitly illustrate this level of binding in the figure, instead showing the app domain mini address spaces being bound to OS process virtual addresses – the dark box in the figure). In the example in Figure 6-3, the process is allocated physical memory addresses 0x0ff1000 to 0xffa0000. Then when an assembly in the app domain executes native machine code, every memory reference is to a physical memory location in this range. Of course a paged virtual memory OS will normally fragment the physical memory allocated to the process, which we have ignored in this figure.
6.2
Overview of the Fusion Assembly Loader
The Rotor CLI assembly loader, fusion, is a version of the production CLR assembly loader. Because of this, the code is much more complicated than is needed to support simple use of Rotor. Our goal in this chapter is to provide enough information for you to have a good insight into the code, though we will only examine parts of the assembly loader execution. Fusion is designed to load assemblies asynchronously, meaning that it accepts requests to download a file, starts the download procedure, then does other work. When the download completes, fusion notices this fact, and updates the state to reflect the completion, and starts the app domain loading procedure (which also executes asynchronously). This has a couple of important consequences: The production CLR has various places where it calls fusion to tell it to try to start a download; the Rotor CLR also uses this strategy. Second, it is difficult to trace through the execution of fusion to see a file loaded because the download completion event code is distinct from the code that started the download. In Section Error! Reference source not found., the GAC was introduced as a local location for storing assemblies. The GAC is a directory where the system administrator can manually store a copy of an assembly that is likely to be used by different applications that execute on that machine. Whenever the CLI begins to search for an assembly to load it, it looks in the GAC early in the procedure. The CLI also maintains a cache for each user. Whenever the CLI downloads an assembly from some location other than the application directory or the GAC, it places a copy of the assembly in the user’s local cache. (You will need to remember this fact when you are debugging the Lab Exercise at the end of this chapter.) If the assembly is not found in the application directory, GAC, or user cache, then the CLI will begin checking various directories, probing for the PE file containing the assembly. There is a default probing pattern, though as you know from the Lab Exercise in Chapter 2, you can also use a configuration file to override the default policy. Next, let’s continue looking at the trace for loading the initial assembly (with clix) that we began in Chapter 4. This part of the trace describes how clix invokes fusion to load the assembly. In that trace, we saw that clix called Launch(),which called CoreExeMain2(). Here is a summary of the call chain to get to the fusion code: • • •
CorExeMain2() SystemDomain::ExecuteMainMethod() Assembly::ExecuteMainMethod()
•
ClassLoader::ExecuteMainMethod()
(in …/src/vm/clsload.cpp)
As you saw in Section Error! Reference source not found., after ClassLoader:: ExecuteMainMethod()retrieves the CLI header and a token from the file header, then identifies the assembly entry point method to be called. It then calls LoadTypeHandle() (found in …/clr/src/vm/clsload.cpp.) As shown below, this code inspects the metadata descriptors to check if the target assembly is loaded, and if it isn’t, to load it. When the hello.exe is loaded and executed, the code will call FindAssemblyByTypeRef(). // Given a class token and a module, look up the class. Load it if it // is not already loaded. Note that the class can be defined in other // modules than 'pModule' (that is 'cl' can be a typeRef as well as a // typeDef // TypeHandle ClassLoader::LoadTypeHandle(NameHandle* pName, OBJECTREF *pThrowable, BOOL dontLoadInMemoryType/*=TRUE*/) { … // First, attempt to find the class if it is already loaded … if (TypeFromToken(…) == mdtTypeRef) { // Not in my module, have to look it up by name … if (SUCCEEDED(pName->GetTypeModule()->GetAssembly()->\ FindAssemblyByTypeRef(pName, &pFoundAssembly, pThrowable))) typeHnd = pFoundAssembly->GetLoader()->\ FindTypeHandle(pName, pThrowable); … } else if (TypeFromToken(…) == mdtTypeSpec) { … } … }
The LoadTypeHandle() code uses Assembly::FindAssemblyByTypeRef()to find the assembly by using the metadata type reference. Assembly::FindAssemblyByTypeRef() is defined in …/clr/src/vm/assembly.cpp. The first several lines of the code (down to the FindExternalAssembly() call) inspect metadata to determine the type of the assembly. For the hello.exe case, the switch statement case will be mdtAssemblyRef, causing the FindExternalAssembly() function to be called. HRESULT Assembly::FindAssemblyByTypeRef(NameHandle* pName, Assembly** ppAssembly, OBJECTREF *pThrowable) { … IMDInternalImport *pImport = pName->GetTypeModule()->GetMDImport(); mdTypeRef tkType = pName->GetTypeToken(); _ASSERTE(TypeFromToken(tkType) == mdtTypeRef);
// If nested, get top level encloser's impl do { tkType = pImport->GetResolutionScopeOfTypeRef(tkType); if (IsNilToken(tkType)) { *ppAssembly = this; return CLDB_S_NULL; // nil-scope TR okay if there's an // ExportedType } } while (TypeFromToken(tkType) == mdtTypeRef); switch (TypeFromToken(tkType)) { case mdtModule: *ppAssembly = pName->GetTypeModule()->GetAssembly(); return S_OK; case mdtModuleRef: Module *pModule; if (SUCCEEDED(hr = FindModuleByModuleRef(pImport, tkType, pName->GetTokenNotToLoad(), &pModule, pThrowable))) *ppAssembly = pModule->GetAssembly(); break; case mdtAssemblyRef: return FindExternalAssembly(pName->GetTypeModule(), tkType, pImport, pName->GetTokenNotToLoad(), ppAssembly, pThrowable); default: // null token okay if there's an ExportedType if (IsNilToken(tkType)) { *ppAssembly = this; return CLDB_S_NULL; } _ASSERTE(!"Invalid token type"); } return hr; }
Like the previous function, FindExternalAssembly() is part of the Assembly class, and is located in the …/clr/src/vm/assembly.cpp file. In the hello.exe trace, the LookupAssemblyRef() will fail, causing Module::GetAssembly() to be called. This will call Assembly::LoadExternalAssembly(). HRESULT Assembly::FindExternalAssembly(Module* pTokenModule, mdAssemblyRef kAssemblyRef, IMDInternalImport *pImport, mdToken mdTokenNotToLoad, Assembly** ppAssembly, OBJECTREF* pThrowable)
{ HRESULT hr = S_OK; Assembly* pFoundAssembly = pTokenModule->LookupAssemblyRef(kAssemblyRef); if(!pFoundAssembly) { // Get the referencing assembly. This is used // as a hint to find the location of the other assembly Assembly* pAssembly = pTokenModule->GetAssembly(); … if (mdTokenNotToLoad != tdAllTypes) { hr = LoadExternalAssembly(kAssemblyRef, pImport, pAssembly, &pFoundAssembly, pThrowable); if(error checking code) {… error exit …} } if(SUCCEEDED(hr) && ppAssembly) *ppAssembly = pFoundAssembly; return hr; }
The Assembly::LoadExternalAssembly()function is found in …/src/vm/assembly.cpp. This function initializes an AssemblySpec object, then passes the load request to it: HRESULT Assembly::LoadExternalAssembly(mdAssemblyRef IMDInternalImport* Assembly* Assembly** OBJECTREF* { AssemblySpec spec; …
kAssemblyRef, pImport, pAssembly, ppAssembly, pThrowable)
if (FAILED(hr = spec.InitializeSpec(kAssemblyRef, pImport, pAssembly))) return hr; … return spec.LoadAssembly(ppAssembly, pThrowable); }
The AssemblySpec class is implemented in …/src/vm/assemblyspec.cpp. This function begins searching for the assembly in local caches, then ultimately determines that the first assembly is in a directory. It calls FusionBind::GetAssemblyFromFusion() to continue downloading. You should read through the full code where you will encounter considerable detail reflecting the asynchronous loading strategy, authentication and authorization, and the different possible ways the assembly may get loaded. HRESULT AssemblySpec::LoadAssembly(Assembly** ppAssembly, OBJECTREF* pThrowable, /*= NULL*/
OBJECTREF* pExtraEvidence, /*= NULL*/ BOOL fPolicyLoad) /*= FALSE*/ { … Assembly *pAssembly = GetAppDomain()->FindCachedAssembly(this); … IfFailGo(GetAppDomain()->BindAssemblySpec(this, &pFile, &pIAssembly, &pAssembly, pExtraEvidence, pThrowable)); // Loaded by AssemblyResolve event handler if (…) { //If loaded by the AssemblyResolve event, check that // the public keys are the same as in the AR. // However, if the found assembly is a dynamically // created one, security has decided to allow it. … *ppAssembly = pAssembly; return S_OK; } … if (…) { IFusionLoadContext *pLoadContext; hr = pIAssembly->GetFusionLoadContext(&pLoadContext); … if (SUCCEEDED(hr)) { if (…) { … pFile->GetMDImport()->GetAssemblyProps(mda, (const void**) &pbPublicKey, &cbPublicKey, NULL, // hash alg &psName, &context, &dwFlags); … IAssemblyName* pFoundAssemblyName; if (FAILED(hr = spec.CreateFusionName(&pFoundAssemblyName, FALSE))) goto exit; AssemblySink* pFoundSink = GetAppDomain()->GetAssemblySink(); … IAssembly *pFoundIAssembly; … hr = FusionBind::GetAssemblyFromFusion( GetAppDomain()->GetFusionContext(), pFoundSink, pFoundAssemblyName, &spec.m_CodeInfo, &pFoundIAssembly);
if(SUCCEEDED(hr)) { … // Get the path to the module containing the manifest … } }
// Create the assembly and delay loading the main module. … return hr; }
The FusionBind class is another CLI class rather than a fusion class – we still have not yet called a function in the fusion directory. FusionBind::GetAssemblyFromFusion() is found in …/src/utilcode/fusionbind.cpp. This code calls CAssemblyDownload::FusionBind::RemoteLoad() : HRESULT FusionBind::GetAssemblyFromFusion(IApplicationContext* pFusionContext, FusionSink* pSink, IAssemblyName* pFusionAssemblyName, CodeBaseInfo* pCodeBase, IAssembly** ppFusionAssembly) { … HRESULT hr = RemoteLoad(pCodeBase, pFusionContext, pFusionAssemblyName, pSink, ppFusionAssembly); … return hr; }
Ultimately, FusionBind::RemoteLoad() CAssemblyName::BindToObject():
calls
the
first
fusion
HRESULT FusionBind::RemoteLoad(CodeBaseInfo* pCodeBase, IApplicationContext* pFusionContext, LPASSEMBLYNAME pName, FusionSink *pSink, IAssembly** ppFusionAssembly) { … // Find the code base if it exists DWORD dwReserved = 0; LPVOID pReserved = NULL; if(pCodeBase->GetParentAssembly() != NULL) { dwReserved = sizeof(IAssembly*); pReserved = (LPVOID) pCodeBase->GetParentAssembly();
function,
dwFlags |= ASM_BINDF_PARENT_ASM_HINT; } … HRESULT hr = pName->BindToObject(IID_IAssembly, pSink, pFusionContext, pCodeBase->m_pszCodeBase, dwFlags, pReserved, dwReserved, (void**) ppFusionAssembly); … return hr; }
The Rotor CLI code uses ClassLoader, Assembly, AssemblySpec, and FusionBind objects to call fusion; here is a summary of the call stack through the FusionBind::RemoteLoad() call: • • • • • • • • • • •
6.3
CorExeMain2() SystemDomain::ExecuteMainMethod() Assembly::ExecuteMainMethod() ClassLoader::ExecuteMainMethod() ClassLoader::LoadTypeHandle() Assembly::FindAssemblyByTypeRef() Assembly::FindExternalAssembly() Assembly::LoadExternalAssembly() AssemblySpec::LoadAssembly() FusionBind::GetAssemblyFromFusion() FusionBind::RemoteLoad()
(in …/src/vm/clsload.cpp) (in …/src/vm/assembly.cpp)
(in …/src/vm/assemblyspec.cpp) (in …/src/utilcode/fusionbind.cpp)
Downloading the Assembly
Fusion is responsible for implementing substantial functionality. It is called to load an assembly, using a filename or URL. It first locates the file – in a directory, cache, or (in the case of the CLR) at a location on the public Internet specified by the URL. After locating the file, fusion downloads the file by placing a copy of the file in the CLI address space, where the CIL and metadata can be read by ordinary primary memory read (memory load) operations. During downloading, fusion also performs some of the authentication and authorization checks. Then it is ready to bind the assembly into the app domain (discussed in the next section). The first task is to bind the name to an object, using CAssemblyName::BindToObject() (which can be found in …/clr/src/fusion/binder/naming.cpp). The first half of the function has been completely elided, but you can see in the latter part that the code prepares to use the caches, then creates a CAsmDownloadMgr (called an adlmgr in the code) and CassemblyDownload (called an adl in the code) objects to supervise the remainder of the download operation. Notice that this code fragment illustrates that there are synchronous and asynchronous downloads, and that the state of the download must be checked in order to know how to proceed with the task at hand. For example, this code calls PreDownload(FALSE, ppv) in preparation for an asynchronous download, then CassemblyDownload ::KickOffDownload(TRUE) to actually start the download. STDMETHODIMP CAssemblyName::BindToObject( /* in */ REFIID /* in */ IUnknown /* in */ IUnknown /* in */ LPCOLESTR /* in */ LONGLONG
refIID, *pUnkBindSink, *pUnkAppCtx, szCodebaseIn, llFlags,
/* in /* in /*
*/ */ out */
LPVOID DWORD VOID
pvReserved, cbReserved, **ppv)
{ HRESULT …
hr = S_OK;
// Setup policy cache in appctx hr = PreparePolicyCache(pAppCtx, NULL); … // Create download objects for the real assembly download hr = CAsmDownloadMgr::Create(&pDLMgr, this, pAppCtx, pCodebaseList, (szCodebase) ? (szCodebase) : (NULL), pdbglog, pvReserved, llFlags); … hr = CAssemblyDownload::Create(&padl, pDLMgr, pDLMgr, pdbglog, llFlags); … // Download app.cfg if we don't already have it hr = pCAppCtx->Lock(); … dwSize = 0; hr = pAppCtx->Get(ACTAG_APP_CFG_DOWNLOAD_ATTEMPTED, NULL, &dwSize, 0); if (hr == HRESULT_FROM_WIN32(ERROR_NOT_FOUND)) { hr = CCache::IsCustom(this) ? S_FALSE : DownloadAppCfg(pAppCtx, padl, pAsmBindSink, pdbglog); } else { hr = S_OK; } pCAppCtx->Unlock(); // // // // // //
If hr==S_OK, then we either had an app.cfg already, or it was on the local hard disk. If hr==S_FALSE, then no app.cfg exists, continue regular download If hr==E_PENDING, then went async.
if (SUCCEEDED(hr)) { hr = padl->PreDownload(FALSE, ppv); if (hr == S_OK) { hr = padl->AddClient(pAsmBindSink, TRUE); if (FAILED(hr)) { ASSERT(0); SAFERELEASE(pDLMgr); SAFERELEASE(padl); goto Exit; } hr = padl->KickOffDownload(TRUE); } else if (hr == S_FALSE) {
// Completed synchronously hr = S_OK; } } … return hr; }
KickOffDownload() is defined in …/clr/src/fusion/download/adl.cpp. The complete definition of the function is given below, including all variable declarations and error handling code. This function reflects the style of asynchronous downloading. As you browse through the code, notice the use of locks for critical sections, and code fragments to detect which part of a download caused a particular call to the function (for example, see the dupe detection code). When KickOffDownload() is called by the clix, bFirstDownload will be TRUE, so focus on the code in the range of the ifstatement that tests this variable. This code enqueues the download reqeuest, then continues. The call to GetNextCodebase() will start any other assembly downloads that could be requested when the assembly begins to execute. Although these files will be downloaded, they will not be loaded unless they are needed. Of course fusion will check caches to see if a required file was downloaded ahead of time when an assembly is actually needed. HRESULT CAssemblyDownload::KickOffDownload(BOOL bFirstDownload) { HRESULT hr = S_OK; LPWSTR pwzUrl = NULL; WCHAR wzFilePath[MAX_PATH]; BOOL bIsFileUrl = FALSE; CCriticalSection cs(&_cs); CCriticalSection csDownload(&g_csDownload); wzFilePath[0] = L'\0'; // If we're aborted, or done, we can't do anything here hr = cs.Lock(); if (FAILED(hr)) { goto Exit; } if (_state == ADLSTATE_DONE) { hr = S_FALSE; goto Exit; } // // // // //
Dupe detection. If we end up hitting a dupe, then the CClientBinding that was keeping a refcount on us, releases us, and adds itself as a client to the duped download. In this case, we'll come back, and this download object could be destroyed--that's why we AddRef/Release around the dupe checking code.
if (bFirstDownload) { // This is a top-level download (ie. not a probe download called // from DownloadNextCodebase AddRef(); hr = CheckDuplicate(); if (hr == E_PENDING) {
cs.Unlock(); Release(); goto Exit; } Release(); // Not a duplicate. Add ourselves to the global download list. hr = csDownload.Lock(); if (FAILED(hr)) { goto Exit; } AddRef(); g_pDownloadList->AddTail(this); csDownload.Unlock(); } // Careful! PrepNextDownload/CompleteAll call the client back! cs.Unlock(); hr = GetNextCodebase(&bIsFileUrl, wzFilePath, MAX_PATH); if (hr == HRESULT_FROM_WIN32(ERROR_NO_MORE_ITEMS)) { // This must have been a case where all remaining probing URLs were // file://, and none of them existed. That is, we never get here // (KickOffDownload) // unless the codebase list is non-empty, so this return result // from GetNextCodebase could only have resulted because we rejected // all remaining URLs. hr = DownloadComplete(HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND), NULL, NULL, FALSE); // Not really pending, just tell client the result is reported via // bind sink. if (SUCCEEDED(hr)) { hr = E_PENDING; } goto Exit; } else if (FAILED(hr)) { DEBUGOUT1(_pdbglog, 1, ID_FUSLOG_CODEBASE_RETRIEVE_FAILURE, hr); goto Exit; } DEBUGOUT1(_pdbglog, 0, ID_FUSLOG_ATTEMPT_NEW_DOWNLOAD, _pwzUrl); if (bIsFileUrl) { hr = DownloadComplete(S_OK, wzFilePath, NULL, FALSE); // We're not really pending, but E_PENDING means that the client // will get the IAssembly via the bind sink (not the ppv returned // in the call to BindToObject).
if (SUCCEEDED(hr)) { hr = E_PENDING; } goto Exit; } else { hr = HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED); goto Exit; } Exit: SAFEDELETEARRAY(pwzUrl); if (FAILED(hr) && hr != E_PENDING) { LISTNODE listnode; CCriticalSection cs(&g_csDownload); // Fatal error! // If we added ourselves to the download list, we should remove // ourselves immediately! HRESULT hrLock = cs.Lock(); if (FAILED(hrLock)) { return hrLock; } listnode = g_pDownloadList->Find(this); if (listnode) { g_pDownloadList->RemoveAt(listnode); // release ourselves since we are removing from the global dl // list Release(); } cs.Unlock(); } return hr; }
Ultimately, fusion will cause DownloadComplete() (also in …/clr/src/fusion/download/adl.cpp) to be called for the PE file. There is not too much exciting going on here, except that the CLI is now ready to bind the assembly into the app domain. This is detected by changing the state of the download to complete. HRESULT CAssemblyDownload::DownloadComplete(HRESULT hrResult, LPOLESTR pwzFileName, const FILETIME *pftLastMod, BOOL bTerminate) { CCriticalSection cs(&_cs); // Terminate the protocol
_hrResult = cs.Lock(); if (FAILED(_hrResult)) {
goto Exit; } if (_state == ADLSTATE_DONE) { _hrResult = HRESULT_FROM_WIN32(ERROR_CANCELLED); cs.Unlock(); goto Exit; } else if (_state == ADLSTATE_ABORT) { // Only happens from the fatal abort case _hrResult = HRESULT_FROM_WIN32(ERROR_CANCELLED); } else { _state = ADLSTATE_DOWNLOAD_COMPLETE; _hrResult = hrResult; } cs.Unlock(); if (SUCCEEDED(hrResult)) { // Download successful, change to next state. ASSERT(pwzFileName); _hrResult = cs.Lock(); if (FAILED(_hrResult)) { goto Exit; } if (_state != ADLSTATE_ABORT) { _state = ADLSTATE_SETUP; } cs.Unlock(); hrResult = DoSetup(pwzFileName, pftLastMod); if (hrResult == S_FALSE) { hrResult = DownloadNextCodebase(); } } else { // Failed Download. if (_hrResult != HRESULT_FROM_WIN32(ERROR_CANCELLED)) { hrResult = DownloadNextCodebase(); } else { // This is the fatal abort case CompleteAll(NULL); } } Exit: return hrResult; }
HRESULT CAssemblyDownload::DoSetup(LPOLESTR pwzFileName, const FILETIME *pftLastMod) { HRESULT hr = S_OK; IUnknown *pUnk = NULL; CCriticalSection cs(&_cs);
hr = cs.Lock(); if (FAILED(hr)) { goto Exit; } if (_state == ADLSTATE_ABORT) { _hrResult = HRESULT_FROM_WIN32(ERROR_CANCELLED); hr = _hrResult; cs.Unlock(); CompleteAll(NULL); goto Exit; } cs.Unlock(); if (_pDLMgr) { _hrResult = _pDLMgr->DoSetup(_pwzUrl, pwzFileName, pftLastMod, &pUnk); if (_hrResult == S_FALSE) { hr = cs.Lock(); if (FAILED(hr)) { goto Exit; } _state = ADLSTATE_DOWNLOADING; cs.Unlock(); hr = S_FALSE; goto Exit; } } else { _hrResult = S_OK; } if (FAILED(_hrResult)) { DEBUGOUT1(_pdbglog, 1, ID_FUSLOG_ASM_SETUP_FAILURE, _hrResult); _pCodebaseList->RemoveAll(); } // Store _hrResult, since it is possible that after CompleteAll, this // object may be destroyed. See note in CompleteAll code. hr = _hrResult; CompleteAll(pUnk); if (pUnk) { pUnk->Release();
} Exit: return hr; } HRESULT CAssemblyDownload::CompleteAll(IUnknown *pUnk) { HRESULT hr = S_OK; LISTNODE pos = 0; CClientBinding *pclient = NULL; LISTNODE listnode; CCriticalSection cs(&_cs); CCriticalSection csDownload(&g_csDownload); // Remove ourselves from the global download list hr = csDownload.Lock(); if (FAILED(hr)) { goto Exit; } listnode = g_pDownloadList->Find(this); if (listnode) { g_pDownloadList->RemoveAt(listnode); // release ourselves since we are removing from the global dl list Release(); } csDownload.Unlock(); hr = cs.Lock(); if (FAILED(hr)) { goto Exit; } if (_state == ADLSTATE_DONE) { hr = _hrResult; cs.Unlock(); goto Exit; } _state = ADLSTATE_COMPLETE_ALL; cs.Unlock(); // AddRef ourselves because this object may be destroyed after the // following loop. We send the DONE notification to the client, who // will probably release the IBinding. This decreases the ref count on // the CClientBinding to 1, and we will then immediately release the // remaining count on the CClientBinding. This causes us to Release // this CAssemblyDownload. // // It is possible that the only ref count left on the CAssemblyDownload // after this block is held by the download protocol hook // (COInetProtocolHook). If he has already been released, this object // will be gone! // // Under normal circumstances, it seems that this doesn't usually happen.
// // // // // // // // //
That is, the COInetProtocolHook usually is released well after this point, so this object is kept alive, however, better safe than sorry. Also, if this is file://, it's ok because BTO is still on the stack and BTO has a ref count on this obj until BTO retruns (ie. this small scenario won't happen in file:// binds). Need to be careful when we unwind the stack here that we don't touch any member vars.
AddRef(); for (;;) { hr = cs.Lock(); if (FAILED(hr)) { goto Exit; } pos = _clientList.GetHeadPosition(); if (!pos) { _state = ADLSTATE_DONE; cs.Unlock(); break; } pclient = _clientList.GetAt(pos); ASSERT(pclient); ASSERT(pclient->GetBindSink()); _clientList.RemoveAt(pos); cs.Unlock(); // Report bind log available pclient->GetBindSink()->OnProgress(ASM_NOTIFICATION_BIND_LOG, S_OK, NULL, 0, 0, _pdbglog); // Report done notificaton pclient->GetBindSink()->OnProgress(ASM_NOTIFICATION_DONE, _hrResult, NULL, 0, 0, pUnk); pclient->Release(); } if (g_dwForceLog || (_pDLMgr->LogResult() == S_OK && FAILED(_hrResult)) || _pDLMgr->LogResult() == E_FAIL) { if (_pdbglog) { _pdbglog->SetResultCode(_hrResult); } DUMPDEBUGLOG(_pdbglog, g_dwLogLevel, _hrResult); } hr = cs.Lock(); if (FAILED(hr)) {
goto Exit; } _state = ADLSTATE_DONE; cs.Unlock();
// It is possible that we're going to be destroyed here. See note // above. Release(); Exit: return hr; }
6.4
Binding the Assembly to the App Domain
The code we just finished discussing only places a copy of the assembly into the address space (as a memory-mapped file), but it does not bind the assembly into the app domain. In this section we will summarize that part of assembly loading. Let’s look at more of the code in AssemblySpec::LoadAssembly() that was discussed in Section 6.2 (found in …/src/vm/assemblyspec.cpp) – the last part of the function is shown below. Notice that after GetAssemblyFromFusion() returns (it caused the download to start), this code calls BaseDomain::LoadAssembly(). HRESULT AssemblySpec::LoadAssembly(Assembly** ppAssembly, OBJECTREF* pThrowable, /*= NULL*/ OBJECTREF* pExtraEvidence, /*= NULL*/ BOOL fPolicyLoad) /*= FALSE*/ { … hr = FusionBind::GetAssemblyFromFusion( GetAppDomain()->GetFusionContext(), pFoundSink, pFoundAssemblyName, &spec.m_CodeInfo, &pFoundIAssembly); if(SUCCEEDED(hr)) { … // Get the path to the module containing the manifest … } } // Create the assembly and delay loading the main module. Module* pModule; hr = GetAppDomain()->LoadAssembly(pFile, pIAssembly, &pModule, &pAssembly, pExtraEvidence, fPolicyLoad, pThrowable);
… if(SUCCEEDED(hr)) { *ppAssembly = pAssembly; /*HRESULT hrLoose =*/ GetAppDomain()->AddAssemblyToCache( this, pAssembly); } … return hr; }
BaseDomain::LoadAssembly() is defined in …/src/vm/appdomain.cpp. A heavily elided version appears below. Just as the downloader obtains files asynchronously, the assembly loader binds their contents into the app domain asynchronously. This function is the heart of that procedure. We have left TIMELINE _START/END statements in the code to give you a sense of how the loading is accomplished. You will only be to get the idea of how the code works from this version; you will have to dive into the full source code to understand the details. HRESULT BaseDomain::LoadAssembly(PEFile *pFile, IAssembly* pIAssembly, Module** ppModule, Assembly** ppAssembly, OBJECTREF *pExtraEvidence, BOOL fPolicyLoad, OBJECTREF *pThrowable) { … // Always load system files into the system domain. … TIMELINE_START(LOADER, ("LoadAssembly %S", pFile->GetLeafFileName())); … // // It is the responsibility of the caller to detect and handle // circular loading loops. // //_ASSERTE(FindLoadingAssembly(pFile->GetBase()) == NULL); // // See if we have already loaded the module into the // system domain or into the current domain. // … pEntry = (AssemblyLockedListElement*) m_AssemblyLoadLock.Find(pFile->GetBase()); if(pEntry == NULL) { … // Allocate a security descriptor for the assembly. … // Determine whether we are suppose to load the assembly as a shared // assembly or into the base domain. … // // Now, look for a shared module we can use. // … if (fCreateShared) { //
// // // … hr if
Try to find an existing shared version of the assembly which is compatible with our domain.
->pSharedDomain->FindShareableAssembly(…); (hr == S_OK) { TIMELINE_START(LOADER, ("Resolve %S", pFile->GetLeafFileName()));
… if (fCanLoad) { // // Post the fact that we are loading the assembly. // } else { // Go ahead and create new shared version of the assembly if // possible … } } // // Make a new assembly. // if (pAssembly == NULL) { pEntry->m_hrResultCode = CreateAssemblyNoLock(pFile, pIAssembly, &pAssembly); if(FAILED(pEntry->m_hrResultCode)) { pEntry->Leave(); goto Exit; } } … // Create the module // pEntry->m_hrResultCode = Module::Create(pFile, pZapFile, &pModule, CORDebuggerEnCMode(pAssembly->GetDebuggerInfoBits())); if(error) { …; goto Exit;} … } else { … // Wait for it pEntry->Enter(); pEntry->Leave(); if(SUCCEEDED(pEntry->m_hrResultCode)) { pAssembly = pEntry->GetAssembly(); if (pAssembly) pModule = pAssembly->GetManifestModule(); else { // We are in the process of loading policy and have tried to // load // the assembly that is currently being loaded. We return // success
// // // // // //
but set the module and assembly to null. Note: we don't have to check the ref count being zero because the only way we get in this situation is that someone is still in the process of loading the assembly.
_ASSERTE(fPolicyLoad && "A recursive assembly load occurred."); EnterLoadLock(); pEntry->m_dwRefCount--; _ASSERTE( pEntry->m_dwRefCount != 0 ); LeaveLoadLock(); hr = MSEE_E_ASSEMBLYLOADINPROGRESS; goto FinalExit; } } } Exit: … FinalExit: … TIMELINE_END(LOADER, ("LoadAssembly")); … return hr; }
6.5
Lab Exercise: Refining the Rotor Downloader
The production CLR allows an assembly to reference another assembly that is stored on a remote machine [Richter, 2002]. In this case, the assembly’s configuration file contains a element, which specifies a WWW URL for the PE file. This enables running code to reference an assembly that is stored on a remote server, causing the downloader to copy the file to the local computer. It is then installed in the app domain by the assembly loader just as if it were a local file. The Rotor code contains the framework for downloading assemblies using URLs, but it does not implement a downloader for files that are on remote servers. Conceptually, it is a simple task to add the basic functionality of a remote downloader to Rotor: New code must be provided that retrieves the target URL, then HTTP can be used to issue an get command to that URL. The server will respond by sending the file (or by indicating that it does not have the file). This exercise is to implement an assembly downloader that retrieves files from the URI space. This web downloader needs to be integrated into the SSCI code so that it works as a part of the assembly loader. Part A: If you did not solve the Lab Exercise in Chapter 3, do it now. The code is included in the Background section, but you need to experiment with it to be sure you understand how it is supposed to work. Part B: Write a C++ function that, given a URL for a file, will download the file and place it in the current directory. Write a simple main program that calls the function so that you can test your function. You should be able to use this function to download your num.dll from a remote server. Once the file has been downloaded, you should be able to copy it into the application directory containing the main executable and then execute the assembly. Part C: Incorporate the downloader function from Part B into the Rotor code so that you can use the configuration file from Part A to execute the main program on the client when the num.dll file is stored on a server.
6.5.1 Background The concepts in this lab exercise are not complex, but there are many details to think about in solving this exercise. This section provides guidance in addressing the most obscure of those details.
Using HTTP Part B of this lab exercise is to write function that, given the URL for the file, will fetch the file using HTTP. This is, of course, the standard activity that your web browser takes whenever you click on a link. There is considerable documentation available describing how to implement this function, for example, see http://www.w3.org/Protocols/HTTP/AsImplemented.html. The content on this web page is old – 1991 – but it is a useful place to determine what you have to implement. Briefly, your function will: • Setup a TCP connection on port 80 with the server that contains the target assembly. • Send a GET command to the server over the connection • Accept the response as a byte stream file • The server will disconnect after it has transmitted the file.
Adding the Network Downloader to the SSCLI Code The code in …/src/clr/fusion/download/ is used to download the assembly, so the extension to download from a web server will be called by functions in this directory. (It is a good idea for you to put your new code in this directory, perhaps even in an existing file, when you solve Part C of the Lab Exercise.) As described in the main part of this chapter, when the initial assembly is being loaded, the FusionBind::RemoteLoad() function calls CAssembly::BindToObject(), which calls KickOffDownload() (in …/clr/src/fusion/download/adl.cpp). Both the KickOffDownload()and GetNextCodeBase() should call your downloader. Once your downloader has retrieved to the PE file into a temporary directory on the local machine, you can then pass the pathname to the rest of the existing SSCLI code as if it were just a local file. The next section provides more information about how to modify these existing functions in adl.cpp. 6.5.2 Attacking the Problem In our experimentation with early versions of the Rotor code, we were unable to get the FreeBSD implementation of the SSCLI to handle configuration files. Unfortunately, it is not possible to solve this Lab Exercise unless your version of Rotor handles configuration files. If it does not, then you will have to solve this exercise using the Windows XP Rotor CLI implementation.
The Driver Program for Part A Here is the code skeleton for a the odd-even program you will need to solve the remaining parts of the problem (comments are elided for brevity, and to encourage you to read the code): using System; class MainApp { public const int MAX_N = 8; public static void Main() { int i; Num[] number = new Num[MAX_N]; for(i = 0; i < MAX_N; i++) number[i] = new Num(i); } for(i = 0; i < MAX_N; i++) if(number[i].isEven) Console.WriteLine("{0} else Console.WriteLine("{0} } for(i = 0; i < MAX_N; i++) if(number[i].isEven)
{
{ is an even number", number[i].incr()); is an odd number", number[i].decr()); {
Console.WriteLine("{0} is an even number", number[i].incr()); else Console.WriteLine("{0} is an odd number", number[i].decr()); } } }
You will need to write a new C# program to implement class Num. Here is a skeleton with extra information for the resulting DLL (you can find out more about the C# directives from the MSDN documentation): using System; using System.Reflection; //Company identification [assembly:AssemblyKeyFile("blather.keys")] [assembly:AssemblyCompany("blather")] [assembly:AssemblyCopyright("Copyright (c) 2002 blather")] [assembly:AssemblyVersion("1.0.0.0")] [assembly:AssemblyCulture("")]
public class Num { public bool isEven; public Num(int i) {…} public int incr() {…} public int decr() {…} }
Notice that this code skeleton contains information for building the assembly that will be used in the strong name – version and culture. You will also need to read the SSCLI documentation on the sn program to see how to build a strong name for your assembly (see the online MSDN .NET documentation for the sn program). Finally, you will need to compile your calling assembly and the DLL once so that the calling assembly has the strong name information required to permit the download operation.
Modifying the Assembly Loader The only existing SSCLI code you will have to modify is in adl.cpp. Here is a skeleton of the KickOffDownload() function (this fragment is different from the one you studied in the main part of the chapter; you can see the function in its entirety in the adl.cpp): HRESULT CAssemblyDownload::KickOffDownload(BOOL bFirstDownload) { HRESULT hr = S_OK; … WCHAR wzFilePath[MAX_PATH]; BOOL bIsFileUrl = FALSE; … // Dupe detection … if (bFirstDownload) { // This is a top-level download (ie. not a probe download called // from DownloadNextCodebase … } // Careful! PrepNextDownload/CompleteAll call the client back! cs.Unlock();
hr = GetNextCodebase(&bIsFileUrl, wzFilePath, MAX_PATH); if (hr == HRESULT_FROM_WIN32(ERROR_NO_MORE_ITEMS)) { hr = DownloadComplete(HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND), NULL, NULL, FALSE); … } … if (bIsFileUrl) { hr = DownloadComplete(S_OK, wzFilePath, NULL, FALSE); … } else { hr = HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED); goto Exit; } … }
This code fragment gives you the context for where your code for Part C will get called. The critical part of this code is that the variables bIsFileUrl and wzFilePath get set by the GetNextCodebase() call. The bIsFileUrl variable will be false if the file name in wzFilePath is an http-style URL. That is, you will need to modify the else clause to call your download code. There is another place in adl.cpp where your code may need to be called – in the GetNextCodebase() function (which may be called from somewhere other than the KickOffDownload() code): HRESULT CAssemblyDownload::GetNextCodebase(BOOL *pbIsFileUrl, LPWSTR wzFilePath, DWORD cbLen) { HRESULT hr = S_OK; LPWSTR wzNextCodebase = NULL; … BOOL bIsFileUrl = FALSE; … for (;;) { … wzNextCodebase = NEW(WCHAR[cbCodebase]); … hr = _pCodebaseList->GetCodebase(0, wzNextCodebase, &cbCodebase); if (FAILED(hr)) { goto Exit;} hr = _pCodebaseList->RemoveCodebase(0); if (FAILED(hr)) { goto Exit;} // Check if we are a UNC or file:// URL. If we are, we don't have // to do a download, and can call setup right away. bIsFileUrl = UrlIsW(wzNextCodebase, URLIS_FILEURL); if (bIsFileUrl) { … } else { hr = HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED); goto Exit; } break; }
…; PrepNextDownload(wzNextCodebase); Exit: … return hr; }
This code will report an error when it encounters a codebase that is an http:// URL. You will need to remove this error call, since you will be handling this with your downloader.
A Note About File Caching When you download code, a copy is kept in your own private cache in ~/rotor//assembly/dl//// on FreeBSD, or c:\Documents and Settings\<user_name>\rotor\\ assembly\dl\\\\ on Windows. This means that the first time you get an assembly to download, a copy is made in this directory. If you run your code again, the SSCLI will get the cached copy rather than the one on the net. This can be pretty confusing when you get your code for Part C to work for the first time. You will be debugging, when suddenly you succeed (which will cause the PE file to be loaded in the private cache). The next time you run your downloader, it will find the code in the local cache and will not go to the web server. You need to purge this cache after each download while you are debugging.
7
The Execution Engine
Conventional software uses the virtual machine environment provided by the OS – a process with its address space and potentially a collection of threads (see Chapter 6 of [Nutt, 2004]). The OS scheduler and memory manager exports abstractions of the physical CPU and primary memory for the use of the application programmer. The device and file managers provide complementary abstractions of persistent storage – files. In multiprogramming the computer’s executable memory is space-multiplexed into blocks that are allocated to different processes. Threads that execute in the collection of processes share the CPU (using time-multiplexing) to provide the illusion of multiple virtual machines. The virtual machine is modeled after the underlying physical machine: Native user mode instructions execute directly on the machine, while functions that contain privileged instructions can only be executed via an OS system call. The OS enforces most of the process boundaries using hardware mechanisms (such as memory relocation and privileged instructions). The CLI exports its own virtual machine, one that is implemented on top of the host OS. This virtual machine accommodates distributed programs by providing various mechanisms to support mobile code, IPC, and so on; so it is characterized as a DVM. Whereas the OS virtual machine exports a model intended to resemble the underlying hardware, the CLI EE exports a virtual machine that resembles hardware, but with a higher level of abstraction than is provided by the OS. In this chapter, we will examine several aspects of how the CLI EE implements the DVM that executes assemblies once they have been loaded. Figure 7-1 identifies the logical parts of the EE (compared to those for a CLI compliant VES as in Error! Reference source not found. and Error! Reference source not found.). Assemblies are always loaded on demand (the demand for the first assembly is from clix, and from native code execution for subsequent assemblies). That is, an assembly is loaded when executing code makes a reference to a member of a class in that assembly. This causes the EE to invoke the assembly loader, which subsequently invokes policy management mechanisms and the class loader. File File System System Assembly Assembly Loader Loader
Assemblies Assemblies In InApp App Domain Domain
assembly
Class Class Loader Loader
Policy Policy Manager Manager
class
Vtable Vtable&& Class ClassInfo Info
method
JIT JIT Compiler Compiler
Native NativeCode Code GC GCInfo Info Except ExceptInfo Info
Code Code Manager Manager Class Classinit init Garbage Garbage Collector Collector Exceptions Exceptions … …
Figure 7-1: The Execution Engine If the native code references a method in a class that has already been loaded (such as one in its own class), then the EE will execute the native code if it has already been JIT compiled, or JIT compile the method the first time it is referenced then execute it. If the native code references a member in a distinct class, but in an assembly that has already been loaded, then the EE will invoke the class loader to create the appropriate data structures that are needed whenever the class is used. Again referring to Figure 7-1, note that all external references from the type safe native code will be to external symbols. When the calling code references one of these symbols, it will call a CLI function to resolve the symbol and load the assembly. That is, the EE gains control of the computation on each external reference. This means that the EE will be aware whenever managed code calls unmanaged code.
Would it be possible for a rogue program to simply generate a crazy address and just branch to it, thereby bypassing the EE intervention. No, provided that the executing native code was derived from a verified assembly, such as one generated by a CLI compliant compiler. That is, managed code that was type checked at compile, load, and JIT time cannot behave poorly – it really is managed code. How can the EE be sure that an assembly has been verified? There are a couple of ways: • The assembly was downloaded from a trusted source, and it is ensured of having not been tampered with. • The EE can run a tool (Peverify) on the assembly to ensure that it is type safe. In the lower right portion of Figure 7-1, there are several other parts of the EE that control the native code execution: The code manager that controls class initialization, object garbage collection, and structured exception handling procedures. The garbage collector and structured exception handler also have instrumentation in the execution image (generated by the JIT compiler), as adjunct information for the native code representation. This part of the EE is fundamental to the overall behavior of the actual execution of the native code, but it is not unique to DVMs. We defer more detailed discussion to these aspects of the EE to [Stutz, et al., 2003]. In the remainder of this chapter, we will focus on the means by which the EE gains control of the execution (using stubs), how the class loader prepares code for execution, and how the EE is careful to distinguish managed from unmanaged code.
7.1
Application Domains
App domains have been an important part of our consideration of the CLI in much of the previous discussion. This section provides more details about app domain implementation. Below are some excerpts from …/clr/src/vm/appdomain.h that defines the API to the AppDomain class: class BaseDomain { friend class Assembly; friend class AssemblySpec; friend class AppDomain; friend class AppDomainNative; friend struct MEMBER_OFFSET_INFO(BaseDomain); public: … //********************************************************************** // // Initialization/shutdown routines for every instance of an BaseDomain. HRESULT Init(); void Stop(); void Terminate(); void ShutdownAssemblies(); … //********************************************************************** // Find the first occurence of a module in the domain. The current plan // will allow the same module to be part of different assemblies. // Currently, a module needs to be unique but this requirement will be // relaxed later on. virtual Module* FindModule(BYTE *pBase); virtual Assembly* FindAssembly(BYTE *pBase); // determine if the module has been loaded into the system process and // attached to a module other then the one supplied. This routine is // used to determine if the PE imaged has had its vtable fixed up. Module* FindModuleInProcess(BYTE *pBase, Module* pExcept); // Returns an existing assembly, or creates a new one.
Returns S_FALSE
// if an existing assembly is returned. Returns S_OK if fPolicyLoad is // true and you attempt to load an assembly that is still trying to be // loaded (Note: ppModule and ppAssembly will both point to null). HRESULT LoadAssembly(…); … // Low level assembly creation routine HRESULT CreateAssembly(Assembly** ppAssembly); … //********************************************************************** // Adds an assembly to the domain. void AddAssembly(Assembly* assem); BOOL ContainsAssembly(Assembly *assem); … };
This is a large interface specification to a complex class. The BaseDomain class defines functions to create and stop an app domain (Init(), Stop(), and so on). There are also functions for determining which modules and assemblies are loaded in an app domain. LoadAssembly() and CreateAssembly() add assemblies to an app domain, but there are no corresponding ways to unload the assembly. Instead, the entire app domain must be removed, causing all the entities (classes and objects) that have been bound into the address space to be removed. The next part of AppDomain.h shows that BaseDomain is a superclass for AppDomain, SystemDomain, and SharedDomain. Here we see a constructor and destructor for the AppDomain object, as well as redefined initialization/termination routines. There is also machinery to assign an identification to each AppDomain in the process; this will be used for objects in one app domain to reference objects in another app domain (recall the discussion of remoting in Section Error! Reference source not found.). class AppDomain : public BaseDomain { friend class SystemDomain; friend class AssemblySink; friend class ApplicationSecurityDescriptor; friend class AppDomainNative; friend class AssemblyNative; friend class AssemblySpec; friend class ClassLoader; friend class ThreadNative; friend struct MEMBER_OFFSET_INFO(AppDomain); public: AppDomain(); virtual ~AppDomain(); //********************************************************************** // Initializes an AppDomain. (this functions is not called from the // SystemDomain) HRESULT Init(); //********************************************************************* // Stop deletes all the assemblies but does not remove other resources // like the critical sections void Stop(); // Gets rid of resources void Terminate();
// Remove the Appdomain for the system and cleans up. This call should // not be called from shut down code. HRESULT CloseDomain(); … //********************************************************************** // Reference count. When an appdomain is first created the reference is // bump to one when it is added to the list of domains (see // SystemDomain). An explicit Removal from the list is necessary before // it will be deleted. ULONG AddRef(void); ULONG Release(void); … //********************************************************************* // This can be used to override the binding behavior of the appdomain. // It is overridden in the compilation domain. It is important that all // static binding goes through this path. virtual HRESULT BindAssemblySpec(AssemblySpec *pSpec, PEFile **ppFile, IAssembly** ppIAssembly, Assembly **ppDynamicAssembly, OBJECTREF *pExtraEvidence, OBJECTREF *pThrowable); … // // This checks cached assembly specs directly - it will never perform // an actual bind. // HRESULT LookupAssemblySpec(AssemblySpec *pSpec, PEFile **ppFile, IAssembly **ppIAssembly, OBJECTREF *pThrowable) {…} … //********************************************************************* // Create a domain context rooted at the fileName. The directory // containing the file name is the application base and the // configuration file is the fileName appended with .config. If no name // is passed in then no domain is created. static AppDomain* CreateDomainContext(WCHAR* fileName); … public: // ID to uniquely identify this AppDomain - used by the AppDomain // publishing service (to publish the list of all appdomains present in // the process), which in turn is used by, for eg., the debugger (to // decide which AppDomain(s) to attach to). // This is also used by Remoting for routing cross-appDomain calls. ULONG GetId (void) {…} static USHORT GetOffsetOfId() {…} void Unload(BOOL fForceUnload, Thread *pRequestingThread = NULL); void UnlinkClass(EEClass *pClass); … private: … // When an application domain is created the ref count is artifically // incremented by one. For it to hit zero an explicit close must have // happened. LONG m_cRef; // Ref count. …
// The index of this app domain among existing app domains (starting // from 1) DWORD m_dwIndex; // The creation sequence number of this app domain (starting from 1) DWORD m_dwId; … }; class SystemDomain : public BaseDomain { … }; … class SharedDomain : public BaseDomain { … };
When the CLI is launched and _CorExeMain2() has been called (see Chapter 4), it starts the EE with the call to CoInitializeEE(): __int32 STDMETHODCALLTYPE _CorExeMain2( // PBYTE pUnmappedPE, // DWORD cUnmappedPE, // LPWSTR pImageNameIn, // LPWSTR pLoadersFileName, // LPWSTR pCmdLine) // { … // Strong name validate if necessary. …
Executable exit code. -> memory mapped code Size of memory mapped code -> Executable Name -> Loaders Name -> Command Line
// Before we initialize the EE, make sure we've snooped for all // EE-specific command line arguments that might guide our startup. CorCommandLine::SetArgvW(pCmdLine); … HRESULT result = CoInitializeEE(COINITEE_DEFAULT); if (FAILED(result)) { VMDumpCOMErrors(result); SetLatchedExitCode (-1); goto exit; } … }
CoInitializeEE() is also defined in …/clr/src/vm/ceemain.cpp. SystemDomain::SetupSystemDomain() which creates the app domain: // // // // // // // // // //
It
calls
-----------------------------------------------------------------------%%Function: CoInitializeEE(DWORD fFlags) Parameters: fFlags
Returns: Nothing
- Initialization flags for the engine. See the COINITIEE enumerator for valid values.
// Description: // Must be called by client on shut down in order to free up the system. // -------------------------------------------------------------------------HRESULT STDMETHODCALLTYPE CoInitializeEE(DWORD fFlags) { LOCKCOUNTINCL("CoInitializeEE in Ceemain"); EnterCriticalSection(&g_LockStartup); // Increment RefCount, if it is one then we // need to initialize the EE. g_RefCount++; if(g_RefCount <= 1 && !g_fEEStarted && !g_fEEInit) { g_EEStartupStatus = TryEEStartup(fFlags); // We did not have a Thread structure when we EnterCriticalSection. // Bump the counter now to account for it. INCTHREADLOCKCOUNT(); if(SUCCEEDED(g_EEStartupStatus) && (fFlags & COINITEE_MAIN) == 0) { SystemDomain::SetupDefaultDomain(); } } LeaveCriticalSection(&g_LockStartup); LOCKCOUNTDECL("CoInitializeEE in Ceemain");
return SUCCEEDED(g_EEStartupStatus) ? (SetupThread() ? S_OK : E_OUTOFMEMORY) : g_EEStartupStatus; }
7.2
Managed Threads
Threads provide a mechanism for distinct sequential computations to proceed concurrently within an address space. The host OS or library (such as the POSIX thread library in some Unix systems) defines the thread abstraction that can be used by any application program. The CLI DVM has its own version of a thread: It is a composition of a platform thread along with additional information added by the PAL (see Chapter Error! Reference source not found.) and by the EE that enable the EE to manage the behavior or the CLI thread. Recall from Part B of the Lab Exercise in Chapter Error! Reference source not found., that the System.Threading namespace can be used to create Thread objects: using System; using System.Threading; // The child thread class public class Worker { public Worker(…) {…} public void Launch(…) {…} } class MainApp { public static void Main() { … Worker wt = new Worker(i); wThread = new Thread(new ThreadStart(wt.Launch));
wThread.Start(); // Wait for thread to do its work … // Abort the thread wThread[i].Abort(); wThread[i].Join(); }
Notice that the behavior of the thread is defined by a companion class (instead of a subclass as is done in Java). The companion class is passed to the Thread constructor, which will synthesize the two classes into a working thread. Foundation Thread objects have a set of built-in controls (such as Start(), Abort(), and Join()), that are used to perform fundamental thread operations. In this section the focus is on these managed CLI threads – a system-level schedulable unit of computation that is associated with a CLI Thread object, and is also registered in the CLI’s ThreadStore object. A CLI thread is defined in System.Threading, we would expect to find a definition in the base class library that is delivered with Rotor. If you look in …/src/bcl/system/threading/thread.cs, you will find a C# class to implement base functionality: public sealed class Thread { … /*========================================================================= ** The base implementation of Thread is all native. The following fields ** should never be used in the C# code. They are here to define the proper ** space so the thread object may be allocated. DON'T CHANGE THESE UNLESS ** YOU MODIFY ThreadBaseObject in vm\object.h ** ======================================================================*/ … /*========================================================================= ** Creates a new Thread object which will begin execution at ** start.ThreadStart on a new thread when the Start method is called. ** ** Exceptions: ArgumentNullException if start == null. =========================================================================*/ /// public Thread(ThreadStart start) { if (start == null) { throw new ArgumentNullException("start"); } SetStart(start); }
/*========================================================================= ** Spawns off a new thread which will begin executing at the ThreadStart ** method on the IThreadable interface passed in the constructor. Once the ** thread is dead, it cannot be restarted with another call to Start. ** ** Exceptions: ThreadStateException if the thread has already been started. =========================================================================*/ ///
public void Start() { // Attach current thread's security principal object to the new // thread. Be careful not to bind the current thread to a // principal if it's not already bound. IPrincipal principal = (IPrincipal) CallContext.SecurityData.Principal; StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller; StartInternal(principal, ref stackMark); } … }
Here we have elided all of the class definition except a couple of sample methods (ThreadStart() and Start()) and the comment that indicates how this code is tightly bound to the CLI C++ code found in …/src/vm/threads.cpp. The Thread constructor calls SetStart(start), which is defined as follows (in the same file): /*========================================================================= ** PRIVATE Sets the IThreadable interface for the thread. Assumes ** that start != null. =========================================================================*/ [MethodImplAttribute(MethodImplOptions.InternalCall)] private extern void SetStart(ThreadStart start);
This is a method call (with a modifying attribute, explained in Section 7.5), that ultimately calls the following method in the EE (defined in …/clr/src/vm/comsynchronizable.cpp): FCIMPL3(void, ThreadNative::Start, ThreadBaseObject* pThisUNSAFE, …) { … } FCIMPLEND
This code will create a CLI thread (built on top of the PAL-level thread that called it) to support the computation. A CLI thread is distinguished from a PAL thread in that it is associated with a CLI Thread object (that contains information the EE needs to manage the CLI thread), and by being registered with the EE’s ThreadStore object. The ThreadNative object code completes the link into the EE Thread object by calling the CreateNewThread() (in …/clr/src/vm/threads.cpp) from its StartInner() method.
7.3
The Class Loader
Once the PE file has been mapped into the address space, its contents (classes) can be bound into the app domain. At this point, the CIL and metadata are available to the CLI. The method that contains the assembly’s entry point can be translated into native machine code and executed. The combination of the assembly and class loaders of the SSCLI is responsible for translating the metadata and CIL specification into an in-memory representation of each object (recall Section Error! Reference source not found.). That is, the procedure of preparing the code for execution is actually accomplished in part by the assembly loader, in part by the class loader, and in part by the JIT compiler. Of course the PE file specifies classes, but executing code normally references objects (class instances). Before the entry point method can be executed, its encapsulating object must be instantiated, meaning that data structures must be allocated to represent the object’s status. The app domain will then have information about the assembly, class, and object.
In Chapter 4, we saw that ClassLoader::ExecuteMainMethod() causes the assembly to be loaded into the app domain (the details of which you saw in Chapter 6). Finally this method calls RunMain() to begin execution at the assembly’s entry point: HRESULT ClassLoader::ExecuteMainMethod(Module *pModule, PTRARRAYREF *stringArgs) { … if (… //Is MethodDef global or in a class?) { // [MethodDef is in a class] InitialClass = LoadTypeHandle(&name,&pThrowable).GetClass(); … //[pFD is the method descriptor] hr = RunMain(pFD, 1, stringArgs); … return hr; }
RunMain() is defined in …/src/vm/clsload.cpp. This code sets up the stack for a call to the managed code (it is made to be consistent with the Microsoft COM environment). Finally there is a call to MethodDesc::Call(). This calls into the entry point of the assembly. At this point, the assembly is still in the form of CIL and metadata. static HRESULT RunMain(MethodDesc *pFD , short numSkipArgs, PTRARRAYREF *stringArgs = NULL) { … CorEntryPointType EntryType = EntryManagedMain; ValidateMainMethod(pFD, &EntryType); if ((EntryType == EntryManagedMain) && (stringArgs == NULL)) { … wzArgs = CorCommandLine::GetArgvW(&cCommandArgs); … } COMPLUS_TRY { … ARG_SLOT stackVar = 0; // Build the parameter array and invoke the method. if (EntryType == EntryManagedMain) { … if (stringArgs == NULL) { PTRARRAYREF StrArgArray; // Allocate a COM Array object with enough slots for // cCommandArgs - 1 … // Create Stringrefs for each of the args for( arg = numSkipArgs; arg < cCommandArgs; arg++)
{ STRINGREF sref = COMString::NewString(wzArgs[arg]); StrArgArray->SetAt(arg-numSkipArgs, (OBJECTREF) sref); } stackVar = ObjToArgSlot(StrArgArray); … } else { stackVar = ObjToArgSlot(*stringArgs); } } … RetVal = (__int32)(pFD->Call(&stackVar)); … } COMPLUS_CATCH { } COMPLUS_END_CATCH return hr; }
Before we look at MethodDesc::Call(), here are some notes from method.hpp (found in …/src/vm/method.cpp). // NOTE on Call methods // MethodDesc::Call uses a virtual portable calling convention // Arguments are put left-to-right in the ARG_SLOT array, in the // following order: // - this pointer (if any) // - return buffer address (if signature.HasRetBuffArg()) // - all other fixed arguments (left-to-right) // Vararg is not supported yet. // // The args that fit in an ARG_SLOT are inline. The ones that don't fit // in an ARG_SLOT are allocated somewhere else // (usually on the stack) and a pointer to that area is put in the // corresponding ARG_SLOT // ARG_SLOT is guaranteed to be big enough to fit all basic types and // pointer types. Basically, one has // to check only for aggregate value-types and 80-bit floating // point values or greater. // // Not all usages of MethodDesc::CallXXX have been ported to the new // convention. The end goal is to port them all and get // rid of the non-portable BYTE* version. //
An ARG SLOT is an entry in the virtual function table.
MethodDescr::Call() (found MethodDescr::CallDescr():
in
…/src/vm/method.cpp)
is
a
wrapper
for
ARG_SLOT MethodDesc::Call(const ARG_SLOT *pArguments) { // You're not allowed to call a method directly on a MethodDesc that // comes from an Interface. If you do, then you're // calling through the slot in the Interface's vtable instead of through // the slot on the object's vtable. _ASSERTE(!IsComPlusCall()); THROWSCOMPLUSEXCEPTION(); return CallDescr(GetCallTarget(pArguments), GetModule(), GetSig(), IsStatic(), pArguments); }
Assembly Metadata CIL
MethodTable
EEClass
…
EEClass*
VTable
Object
…
SLOT
MethodTable* MethodTable* ObjHeader ObjHeader Instance Instance Data Data
… CLI Heap
SLOT SLOT
MethodTable*
…
… SLOT
SyncBlock Table
… SyncBlock entry
…
Figure 7-2: Loading a Class
Class specific Object specific
When the class is loaded, data structures to represent the class and the object are created (see Figure 7-2). The object reference is to space allocated from the CLI’s heap storage (which is automatically garbage collected). The first field of the object is a pointer to a MethodTable (defined in …/src/vm/class.h) for the class. As you learned in Section Error! Reference source not found., the MethodTable is designed (with some C/C++ hacking) so that the VTable SLOT array is appended to the end of the MethodTable. The VTable corresponds to our normal notion of virtual function table in an OO language, meaning that each SLOT is a reference to a method. The MethodTable object has a sibling EEClass object (also defined in …/src/vm/class.h), each pointing to the other. Information in the MethodTable part of the class representation is referenced frequently, while the fields in the EEClass object contain information that is referenced infrequently (usually at JIT compile time). Stutz et al. refer to information in the MethodTable as being “hot” information, and the information in the EEClass as being “cold.” Per instance data (class variables and the like) are allocated from the heap as part of the object space. Each object also has a reference to a SyncBlock entry that contains additional information (such as synchronization information) that is pertinent to the way the EE manages the object; this data structure is not allocated from the heap, since the EE explicitly manages it. Chapter 5 of [Stutz, et al., 2003] provide a comprehensive discussion of how these tables are created when the class is loaded, and when an object is instantiated. Next we are ready to see how the Rotor CLI uses these data structures for invoking methods, and for JIT compiling the CIL and metadata on the first call to a method.
7.4
Preparing Native Code
Figure 7-3 compares the traditional model for compiling, linking, and loading a program with the technique used in the ECMA-335 CLI. In the traditional model (Part (a) of the figure), a file with a source program is passed to the compiler, which creates a relocatable object file. The link editor takes a collection of relocatable object files, including library functions, and combines them into a single module with a linear address space called an absolute module. In UNIX, the a.out file is an absolute code module, and in Windows, foo.exe is an absolute code module. The compiler normally has two parts, which we have called the frontend and the backend. The frontend’s task is to parse and analyze the source program, independent of the target platform for which the code is being compiled. It creates an intermediate form of the program that contains all the information it derived regarding the structure and semantics of the source program, but in a highly encode internal form – usually a parse tree. The compiler frontend is specific to the source programming language, but relatively independent of the target machine details. The compiler backend is just the opposite: Specific to the target machine, but relatively independent of the source language. The parse tree is the agnostic form of the program – independent of the language and the hardware. The backend reads the intermediate form, then generates native machine code for the target machine. We say that the backend logically binds the source program’s semantics to the target machine model. Figure 7-3(b) represent the ECMA-335 approach. The source program compiler corresponds to a traditional compiler frontend; the CIL and metadata are the intermediate form of the program. From this perspective, the CIL defines the program and instruction semantics, and the metadata represents the types that appear in the program. Rather than binding the program to a hardware platform when the source program is compiled, the intermediate form is deployed, requiring that the work of the compiler backend, link editor, and loader be done by the CLI (instead of by traditional OS tools). That is why the CLI is complicated: It is performing dynamic linking and loading in a type safe programming environment.
Source Source Code Code
Compiler Compiler
Relocatable Relocatable Code Code
Parse ParseTree Tree Intermediate Intermediate Form Form
Compiler Compiler Frontend Frontend
Link Link Editor Editor
Absolute Absolute Code Code
Loader Loader
Native Native Code Code
Compiler Compiler Backend Backend
(a) The Traditional Model
Source Source Code Code
Compiler Compiler Frontend Frontend
CIL CIL&& Metadata Metadata
Assy Assy&&Class Class Loaders Loaders
MethodTable MethodTable Compiler Compiler Backend Backend
Native Native Code Code
(b) The ECMA-335 (CLI) Model Figure 7-3: The Compilation Model
7.4.1 Generic Thunks As we have noted many times, the CLI goes to great lengths to defer all kinds of binding to the last possible moment. The CLI uses a stub mechanism to perform a soft trap to the EE in various cases, for example in the case that it wants the JIT compiler to run on the first call to a method. The basic technique, called “thunking” in the computer science literature, has been around since the early 1960s (it was apparently first used in Algol 60 compilers – see http://info.astrian.net/jargon/terms/t/thunk.html). In general, a thunk is a small piece of code placed in compiled code that is capable of evaluating an expression to generate an address (see Figure 7-4). In some cases (such as for invoking the JIT compiler on the first call to a method), the thunk code is only executed once. When the first call has completed execution, the CLI overwrites the address of the thunk with the address of the function that is to be called on the second and subsequent calls. Of course the address of the thunk can be left in place and executed on each call, potentially generating the same or a different address on each evaluation. Any executing object can invoke a method in another object by “sending it a message.” In the set of OO languages inspired by C++ (including Java, Jscript, and C#) this is done by having one object call a method in another object. References to a member of a distinct class are defined symbolically in the source code, and left as external references in the CIL. The JIT compiler translates the CIL external reference into and internal address suitable for locating the target object and method at runtime. For example, if the target class is in the same module as the class for the calling object, the reference is an index into the target object’s virtual function table (method/member entry table for a class). If the target class is in a different assembly, then the reference is to an assembly that can be loaded by the assembly loader.
First Call Thunk code; goto FirstCall;
myFunc call
FirstCall … 1st-call code; … myFunc = NewAddr; return …;
return
After First Call
NewAddr
myFunc call return
… Normal case code; … return …;
Figure 7-4: Using a Thunk 7.4.2 Rotor Stubs and the JIT Compiler A Rotor stub is a thunk. It is placed in the CIL code by the source language compiler to allow different kinds of initialization procedures to be executed when the corresponding code is executed. There are four different kinds of stubs used to trap code execution in the CLI: • Prestub. Used to call the JIT compiler. • Security stub. Checks permissions of an assembly before calling any code in it (see Section Error! Reference source not found.). • Marshaling stub. Used to call unmanaged code (see Section Error! Reference source not found.). • Remoting stub. Used for references across app domains (see Chapter Error! Reference source not found.). We will describe how each of these stubs are used in the context where they are used, beginning with the prestub in the class loader. When the MethodTable is initialized with the accompanying VTable, each slot is initialized with a prestub – pointers to small fragments of code that can be evaluated at runtime to bind the ref to the JIT compiler entry point (see Figure 7-5). On the first call (from a native code method in an object) to a method within a loaded assembly, the call will invoke the JIT compiler. The JIT compiler determines the method that is being called, translates the CIL into native code, then overwrites the prestub in the VTable entry so that it points at the entry point of the method’s native code. Finally, it branches to the target entry point and continues execution. Refer again to Error! Reference source not found.: Prestubs are used to implement the three dashed lines indicating that native code is able to trap to the JIT compiler for a method call; to run the class loader for a reference to a new, unloaded class; and to run the assembly loader if the native code calls a method in an assembly that has not yet been loaded.
Prestub
IL ILCode Code First Call
Refs
Defs
Refs JIT JIT Compiler Compiler
After NativeCode Code First Call Native
Calling Assembly
Called Assembly Figure 7-5: Using a Prestub
7.5
Invoking EE Features
Managed programs invoke parts of the CLI using the mscorlib interface (appearing in the System and its descendant namespaces). The classes that implement the namespaces are written in C# then defined in the FCL (or base class library, …/clr/src/bcl/, in the Rotor case), and archived in the mscorlib.dll. As a result, when a managed source program is executed, various parts of the mscorlib.dll are linked into the managed executable. As shown in Figure 7-6, when clix.exe begins to run, it first starts the execution engine by calling the mscoree (the Microsoft Common Object Runtime Execution Engine) in the Rotor CLI. Once the mscoree is running, it loads (the class for the entry point of the) managed application. Control is then turned over to the managed native code. The mscoree.dll library contains the EE and its associated helpers (fusion, the class loader, the JIT compiler, and so on). The mscoree.dll functions are not managed code, and they are not normally called from managed applications; instead, classes in the mscorlib call the CLI functions. Of course, the clix.exe call to CorExeMain() is an exception. The mscorlib code could call any function in the mscoree.dll, provided that its calling convention matched the one expected by the mscoree.dll routine. Here is the rub: The JIT compiler uses an abstract machine calling convention in which all arguments are passed on an abstract stack. For example, the Pentium (“i386”) implementation of the abstract stack, registers and the i386 hardware stack are used in the calling convention. The JIT compiler calling convention is not directly compatible with the one used for compiling unmanaged C++ code – the implementation environment in which the mscoree.dll is built. The result is that JIT compiled code does not normally call mscoree.dll code directly (though perhaps the stub mechanism could be used to implement an appropriate translator to make this possible).
Managed App (Native Code)
clix.exe clix.exe
3
mscorlib mscorlib(C#) (C#)
1 mscorlib.h CorExeMain()
4 EE calls & FCalls
mscoree mscoree(C++) (C++)
Call()
2
Figure 7-6: The mscorlib and mscoree.dll Instead, mscorlib code calls EE functions using a call to unmanaged code (see the PInvoke mechanism in Section Error! Reference source not found.) or an fcall calling convention. Whenever mscorlib code calls the mscoree, the method call is explicitly identified as an EE call (with the MethodImplOptions.InternalCall method attribute See Section Error! Reference source not found.for details).. Fcalls (originally called ecalls) are used by the mscorlib.dll functions when they want to invoke mscoree functions. These calls are designed to make the calling sequences be compatible, and also as efficient as possible. If you look at the …/clr/src/bcl/system/threading/thread.cs the following function prototype for the system.threading.thread class: [MethodImplAttribute(MethodImplOptions.InternalCall)] private extern void StartInternal(IPrincipal principal, ref StackCrawlMark stackMark);
When this function is called from within the C# code (for example from the public void Start() function in the same file, an fcall is generated to the function. Now, inspect …/clr/src/vm/ecall.cpp – a file that will define entry points for fcalls (here is an example of where the code refers to ecalls in implementing fcalls). There is a table defined in this function that contains a reference to StartInternal: static ECFunc gThreadFuncs[] = { {FCFuncElement("StartInternal", NULL, (LPVOID)ThreadNative::Start)}, … {NULL, NULL, NULL} };
The entry associates StartInternal with ThreadNative::Start. If you look at the file …/clr/src/vm/comsynchronizable.cpp, you will find the following code declaration: FCIMPL3(void, ThreadNative::Start, ThreadBaseObject* pThisUNSAFE, Object* pPrincipalUNSAFE, StackCrawlMark* pStackMark) { … } FCIMPLEND
The FCIMPL3 and FCIMPLEND macros (defined in …/clr/src/vm/fcall.h) identify this function as one that will be called using the fcall convention, that is, as a function that will be called from mscorlib.dll. Through this use of the indirection table in ecall.cpp and macros, the mscorlib function will now be able to call the mscoree function. Additionally, the call may use various coding tricks in order to make the call execute as efficiently as possible (maybe ecall means “efficient call,” and fcall means “fast call”).
Finally, in Figure 7-6, you can see that the mscoree can also call the mscorlib – these two modules have considerable knowledge about one another. The file …/clr/src/vm/mscorlib.h defines a number of mscorlib classes, methods, and fields that are exposed to the EE. Members that are exposed via mscorlib.h are bound to the mscoree dynamically by a Binder object (see …/clr/src/vm/binder.cpp). We will not follow through the detail for how the binder works, though you can study this class, in conjunction with mscorlib.h, to see how the dynamic links are established and used. Here is an example of how the mscoree code calls a mscorlib method: …/clr/src/vm/mscorlib.h, contains the following macro calls that expose the AppDomain class and one of the CreateDomain() methods defined in the class (found in …/clr/src/bcl/system/threading/appdomain.cs): DEFINE_CLASS(APP_DOMAIN, System, AppDomain) … DEFINE_METHOD(APP_DOMAIN, CREATE_DOMAIN, CreateDomain, SM_Str_Evidence_AppDomainSetup_RetAppDomain) …
If we inspect …/clr/src/vm/appdomain.cpp, we will find the following method declaration: // Create a domain pased on a string name AppDomain* AppDomain::CreateDomainContext(WCHAR* fileName) { … AppDomain* pDomain = NULL; MethodDesc *pMD = g_Mscorlib.GetMethod(METHOD__APP_DOMAIN__VAL_CREATE_DOMAIN); … APPDOMAINREF pDom = (APPDOMAINREF) ArgSlotToObj( pMD->Call(args, METHOD__APP_DOMAIN__VAL_CREATE_DOMAIN)); … }
The macro, METHOD__APP_DOMAIN__VAL_CREATE_DOMAIN, is called twice in this function. The expansion results in a call on the mscorlib CreateDomain() method. Besides implementing the runtime aspects of the sandbox (part of the focus of Chapter Error! Reference source not found.), the mscoree has other important responsibilities in managing the execution of the native code: • The garbage collector deallocates storage for objects that are no longer referenced. To do this, the JIT compiler inserts information into object images that can then be used by the garbage collector. The garbage collector runs asynchronously with the native code execution. As a result, various parts of the mscoree prevent the garbage collector from running during critical sections. See Chapter 7 of [Stutz, et al., 2003] for a detailed discussion. • The CLS incorporates exceptions into its model. Whenever an exception is raised, the EE must step in and direct the exception to the correct handler – one provided by the programmer, the debugger, or other mechanisms. Again, the JIT compiler generates information in the object image to assist the structured exception handler to perform properly. Structured exception handling is described in detail in Chapter 6 of [Stutz, et al., 2003].
7.6
Lab Exercise: EE Data Structures
Part A: Reconsider the program you wrote in Part A of the Lab Exercise for Chapter 3. Modify the Num class from the program so that it implements the following class prototype: public class Num { public const int MAX_N = 8; private int[] val = new int[MAX_N]; public bool isEven(int i); // Return true if val[i] is even
public Num(int i); public int incr(int i, int k); public int decr(int i, int k);
// Create an object with I<MAX_N elts // Add k to val[i] // Subtract k from val[i]
}
Of course you will also have to modify the driver program (shown in the Lab Exercise for Chapter 6) so that it works with this new class interface. Part B: Use the sos extension to a debugger – presumably the UNIX gdb or the Windows windbg debugger – to inspect the Num class from Part A, after you load the Num class, but before you execute any method it. • What re the addresses for the MethodTable and Eeclass for the Num class? • Inspect the Num class. o How many VTable slots are there for the class? o How many total slots are there for the class? • Inspect the MethodTable. o What do the VTable slots reference? o What do the other slots reference? • Inspect the MethodDesc for isEven(). What information does it provide? • Inspect the Module. What information does it provide? Part C: Reinitialize a debugging session. • Execute until the JIT compiler is called to translate the isEven() method. Describe the SLOT information in the MethodTable. • Execute until the JIT compiler is called to translate the incr() method. Compare/contrast the SLOT information in the MethodTable with the previous step. • Execute until the JIT compiler is called to translate the decr() method. Compare/contrast the SLOT information in the MethodTable with the previous step. 7.6.1 Background The background information for this Laboratory Exercise is the body of this chapter and the debugger documentation that is delivered with the shared source CLI code distribution. Your task is to create an interesting example (Part A) by modifying an existing C# program, then to inspect some of the data structures for that program as they are described in the chapter. The SSCLI code distribution includes a debugger that can be used to inspect managed code – the cordbg debugger. You will find it useful to be familiar with that debugger, but for this exercise you need to use a C++ debugger as you are going to inspect CLI internal data structures rather than data structures defined by managed code. Since the CLI is “just another C++ application” from the OS perspective, you can use the host application debugger to solve this exercise. However, the SSCLI code distribution includes a dynamic library, called the SOS library, which has knowledge of the CLI’s data types. It can be combined with a UNIX gdb or Windows debugger (windbg or other) to greatly simplify the solution to this exercise. For the purposes of this exercise, it will not make a difference whether you solve the problem on a machine with UNIX or Windows. The documentation in …\docs\debugging\debugging_index.html describes how to install and use the SOS extension, including step-by-step examples of how to use the debugger. If you want to see how this library is created, you can look at the source code in …/clr/src/tools/sos/.
8
Protection Mechanisms and Security Policy Management
The protection mechanisms and security policies used in the CLI reflect technologists’ growing concern with the proper way to manage mobile code in the WBCC environment. It is recognized that the distributed computing model is based on the idea that objects will be loaded into a client machine to behave as a peer for some server-based distributed computing task. This is a clear opportunity for many kinds of unintended behavior: The mobile code could spread a virus, take advantage of the resources in the host environment, destroy or steal information, and so on. On the other side of the equation, the client machine might be able to exploit a temporary object by spoofing the server. Furthermore, the mobile code could be loaded from any location on the Internet – from trusted server sites, or sites with which the user never intended to interact. In this chapter we will examine the protection mechanisms and security policies that the Rotor CLI uses to address these aspects of correct behavior of mobile code. Following OS nomenclature, the goal of this chapter is to learn about the (policy-independent) protection mechanisms that are built into the CLI and base class libraries. These mechanisms can be used to implement a broad class of specific security policies for a particular computing environment. Computer protection mechanisms are required to authenticate the user, to authorize the user’s access to specific resources according to the particular system’s policy, and to provide barriers that prevent unauthorized access of resources (see Figure 8-1). The security policy defines the type of access that users (called principals in the CLI literature) have to different resources. For example, in a file manager, the protection mechanism permits a principal to read, write, and/or execute a file depending on the identity of the file and the identity of the principal. This allows a file owner to specify a policy that dictates which principals can read this particular file, which can write it, and which can execute it. This kind of file protection mechanism allows a teacher to publish a file with grades that only students in a particular class can read (but not write), and which only the instructor and teaching assistant can write.
Security Policy
Authorization Authorization
User User User User
User User
Principals
ProtectionBarrier Barrier Protection
Authentication Authentication
Assembly Assembly Machine Machine Resource Resource
User’s User’s Resource Resource
Other
Resources
Figure 8-1: Protection and Security The focus of the CLI protection mechanism is on protecting access and use of assemblies, which is the primary resource of interest is an assembly. Nevertheless, parts of the protection mechanisms are also used (primarily by production FCL code) to protect other types of resources. We will focus on the assembly resources in our discussion. In this chapter you will learn more details about the mechanisms used to implement the sandbox, as well as those to implement the general authorization mechanism that controls assembly loading. The CLI policy manager mechanism addresses both the problem of checking a principal’s authority to use an assembly in its computation (referred to as role based security in Rotor), and in determining if the assembly’s code satisfies a particular policy’s constraints (called code access security in Rotor).
8.1
Base Technology
Base technologies are tools and mechanisms that are used as part of the sandbox mechanism, the assembly loading authorization, and barrier implementation. The information in this section is background information for the following two sections on the sandbox implementation and the assembly policy manager. 8.1.1 User Authentication User (principal) authentication is the procedure for ensuring that a human user is the person they claim to be, or that a process/thread is the under the responsibility of user that it claims to be. Rotor relies on the underlying OS to authenticate the user: Both Windows and UNIX machines authenticate a user with a login/password pair for console access, and both use various other mechanisms (such as ssh) to authenticate users that access the computer using a network. The CLI mechanisms rely on this user authentication for their correct operation. 8.1.2 Message Digests (Hashes) Checksums are often used to detect bit errors in files. For example you can compute a 64-bit checksum by opening a file, then treating each byte in the file as a small integer; accumulate the sum of every byte in the file in a 64-bit integer, allowing the result to overflow when the sum is larger than 64 bits. If a network has a propensity to drop bits every now and again, then a file transfer protocol can compute the checksum of the entire file as it writes it to the network, then append the checksum to the end of the file. The receiver computes the checksum for the file upon receipt, comparing the computed checksum with the one it finds at the end of the file. If the two checksums are the same, then it is unlikely that the network dropped (or introduced) any bits. A message digest (called a hash in the Rotor CLI code and the popular literature) bears some similarity to a checksum in that it is a fixed length string of bits (for example, 128 or 256 bits) that is computed as a function of the information in a block of information. It differs from a checksum in that the function is more complicated than addition, and it is encrypted using a key. The cryptographic integrity of the message digest depends on the existence of a “collision-resistant, one-way function” [LaMacchia, et al., 2002]. A function f, is a one-way function if, if is easy to compute f(x), but given y = f(x), it is computationally difficult to determine f -1. A function, f, is collision-resistant if it is computationally difficult to find a pair, x and x’, such that f(x) = f(x’). In general, it is impossible to counterfeit a message digest that is computed using a collision-resistant, one-way function. In the CLI, hashes – message digests – are frequently computed on the contents of an assembly (for example as a component of a strong name). In 1978, Rivest, Shamir, and Adelman published a landmark paper describing a one-way, collisionresistant function that could be used for encryption, for example in a message digest. The algorithm, now know by the authors’ initials – RSA – is the dominant technology for modern encryption algorithms. Briefly, the function depends on the proven computational difficulty of computing prime factors for large numbers. So it is easy to choose two prime numbers and compute their product, but computationally difficult to determine the two prime numbers given their product. MD5 is a message digest algorithm defined in IETF RFC 1321 [Rivest, 1992]. MD5 computes an nbit integer as a function of a file’s contents, then encrypts the integer using a function like the RSA function. The SHA-1 (secure hash algorithm) is a newer hash algorithm the produces a 160-bit message digest [Eastlake, et al., 2001]. The Microsoft production CLR optionally uses MD5, SHA-1, and other hash algorithms. These algorithms are generally implemented outside the EE, for example in the class library. The base class library that is delivered with Rotor does not include support for most of these algorithms. However, only the MD5 algorithm is implemented in Rotor; the implementation uses both its own implementation and the underlying operating system’s cryptographic functions to do this. The Rotor implementation that appears in …/clr/src/utilcode/md5.cpp, is a user-space implementation of the MD5 algorithm. It is used by …/clr/src/utilcode/getuidfromname.cpp. Here is the heart of the implementation (included in its entirety so you can easily see how to implement a hash function): // We have two implementations of the core 'transform' at the heart
// of this hash: one in C, another in x86 assembler. // #define USE_C_MD5_TRANSFORM
//////////////////////////////////////////////////////////////// // // ROTATE_LEFT should be a macro that updates its first operand // with its present value rotated left by the amount of its // second operand, which is always a constant. // // One way to portably do it would be // // #define ROL(x, n) (((x) << (n)) | ((x) >> (32-(n)))) // #define ROTATE_LEFT(x,n) (x) = ROL(x,n) // // but our compiler has an intrinsic! #define ROTATE_LEFT(x,n) (x) = _rotl(x,n) //////////////////////////////////////////////////////////////// // // Constants used in each of the various rounds #define #define #define #define #define #define #define #define #define #define #define #define #define #define #define #define
MD5_S11 MD5_S12 MD5_S13 MD5_S14 MD5_S21 MD5_S22 MD5_S23 MD5_S24 MD5_S31 MD5_S32 MD5_S33 MD5_S34 MD5_S41 MD5_S42 MD5_S43 MD5_S44
7 12 17 22 5 9 14 20 4 11 16 23 6 10 15 21
//////////////////////////////////////////////////////////////// // // The core twiddle functions // #define F(x, y, z) (((x) & (y)) | ((~x) & (z))) per the standard #define F(x, y, z) ((((z) ^ (y)) & (x)) ^ (z)) encoding
// the function
// #define G(x, y, z) (((x) & (z)) | ((y) & (~z))) per the standard #define G(x, y, z) ((((x) ^ (y)) & (z)) ^ (y)) encoding
// the function
#define H(x, y, z) ((x) ^ (y) ^ (z)) #define I(x, y, z) ((y) ^ ((x) | (~z)))
// an alternate
// an alternate
#define AC(ac)
((ULONG)(ac))
//////////////////////////////////////////////////////////////// #define FF(a, b, c, d, x, s, ac) { \ (a) += F (b,c,d) + (x) + (AC(ac)); \ ROTATE_LEFT (a, s); \ (a) += (b); \ } //////////////////////////////////////////////////////////////// #define GG(a, b, c, d, x, s, ac) { \ (a) += G (b,c,d) + (x) + (AC(ac)); \ ROTATE_LEFT (a, s); \ (a) += (b); \ } //////////////////////////////////////////////////////////////// #define HH(a, b, c, d, x, s, ac) { \ (a) += H (b,c,d) + (x) + (AC(ac)); \ ROTATE_LEFT (a, s); \ (a) += (b); \ } //////////////////////////////////////////////////////////////// #define II(a, b, c, d, x, s, ac) { \ (a) += I (b,c,d) + (x) + (AC(ac)); \ ROTATE_LEFT (a, s); \ (a) += (b); \ } void __stdcall MD5Transform(ULONG state[4], const ULONG* data) { ULONG a=state[0]; ULONG b=state[1]; ULONG c=state[2]; ULONG d=state[3]; // FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Round 1 (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a,
d, c, b, a, d, c, b, a, d, c, b, a, d, c, b,
data[ 0], data[ 1], data[ 2], data[ 3], data[ 4], data[ 5], data[ 6], data[ 7], data[ 8], data[ 9], data[10], data[11], data[12], data[13], data[14],
MD5_S11, MD5_S12, MD5_S13, MD5_S14, MD5_S11, MD5_S12, MD5_S13, MD5_S14, MD5_S11, MD5_S12, MD5_S13, MD5_S14, MD5_S11, MD5_S12, MD5_S13,
0xd76aa478); 0xe8c7b756); 0x242070db); 0xc1bdceee); 0xf57c0faf); 0x4787c62a); 0xa8304613); 0xfd469501); 0x698098d8); 0x8b44f7af); 0xffff5bb1); 0x895cd7be); 0x6b901122); 0xfd987193); 0xa679438e);
// // // // // // // // // // // // // // //
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
FF (b, c, d, a, data[15], MD5_S14, 0x49b40821); // 16 // GG GG GG GG GG GG GG GG GG GG GG GG GG GG GG GG
Round 2 (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d,
d, c, b, a, d, c, b, a, d, c, b, a, d, c, b, a,
data[ 1], data[ 6], data[11], data[ 0], data[ 5], data[10], data[15], data[ 4], data[ 9], data[14], data[ 3], data[ 8], data[13], data[ 2], data[ 7], data[12],
MD5_S21, MD5_S22, MD5_S23, MD5_S24, MD5_S21, MD5_S22, MD5_S23, MD5_S24, MD5_S21, MD5_S22, MD5_S23, MD5_S24, MD5_S21, MD5_S22, MD5_S23, MD5_S24,
0xf61e2562); 0xc040b340); 0x265e5a51); 0xe9b6c7aa); 0xd62f105d); 0x2441453); 0xd8a1e681); 0xe7d3fbc8); 0x21e1cde6); 0xc33707d6); 0xf4d50d87); 0x455a14ed); 0xa9e3e905); 0xfcefa3f8); 0x676f02d9); 0x8d2a4c8a);
// // // // // // // // // // // // // // // //
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
// HH HH HH HH HH HH HH HH HH HH HH HH HH HH HH HH
Round 3 (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d,
d, c, b, a, d, c, b, a, d, c, b, a, d, c, b, a,
data[ 5], data[ 8], data[11], data[14], data[ 1], data[ 4], data[ 7], data[10], data[13], data[ 0], data[ 3], data[ 6], data[ 9], data[12], data[15], data[ 2],
MD5_S31, MD5_S32, MD5_S33, MD5_S34, MD5_S31, MD5_S32, MD5_S33, MD5_S34, MD5_S31, MD5_S32, MD5_S33, MD5_S34, MD5_S31, MD5_S32, MD5_S33, MD5_S34,
0xfffa3942); 0x8771f681); 0x6d9d6122); 0xfde5380c); 0xa4beea44); 0x4bdecfa9); 0xf6bb4b60); 0xbebfbc70); 0x289b7ec6); 0xeaa127fa); 0xd4ef3085); 0x4881d05); 0xd9d4d039); 0xe6db99e5); 0x1fa27cf8); 0xc4ac5665);
// // // // // // // // // // // // // // // //
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
// II II II II II II II II II II II II II II II II
Round 4 (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d, (a, b, c, (d, a, b, (c, d, a, (b, c, d,
d, c, b, a, d, c, b, a, d, c, b, a, d, c, b, a,
data[ 0], data[ 7], data[14], data[ 5], data[12], data[ 3], data[10], data[ 1], data[ 8], data[15], data[ 6], data[13], data[ 4], data[11], data[ 2], data[ 9],
MD5_S41, MD5_S42, MD5_S43, MD5_S44, MD5_S41, MD5_S42, MD5_S43, MD5_S44, MD5_S41, MD5_S42, MD5_S43, MD5_S44, MD5_S41, MD5_S42, MD5_S43, MD5_S44,
0xf4292244); 0x432aff97); 0xab9423a7); 0xfc93a039); 0x655b59c3); 0x8f0ccc92); 0xffeff47d); 0x85845dd1); 0x6fa87e4f); 0xfe2ce6e0); 0xa3014314); 0x4e0811a1); 0xf7537e82); 0xbd3af235); 0x2ad7d2bb); 0xeb86d391);
// // // // // // // // // // // // // // // //
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
state[0] += a; state[1] += b;
state[2] += c; state[3] += d; }
There is another hash mechanism implemented in …/clr/src/dlls/mscorsn/strongname.cpp, ComputeHash(). This function systematically reads an assembly (by looking in its manifest file to find the parts), then it computes a message digest using the SN_HASH macro (which uses SN_CryptHashData(), which is defined to be CryptHashData() in a #define statement at the top of the file. CryptHashData() is defined in the #include <wincrypt.h> meaning that it is one of a set of cryptography functions exported by the OS. The MSDN description of the function is that it “…adds data to a specified hash object. This function and CryptHashSessionKey can be called multiple times to compute the hash of long or discontinuous data streams.” Of course in the UNIX implementation, the PAL maps these calls into Unix library and/or system calls. #include <wincrypt.h> … // Compute a hash over the elements of an assembly manifest file that should // remain static (skip checksum, Authenticode signatures and strong name // signature blob). BOOLEAN ComputeHash(SN_LOAD_CTX *pLoadCtx, HCRYPTHASH hHash) { … #define SN_HASH(_start, _length) do { if (!SN_CryptHashData(hHash,(_start),\ (_length), 0)) return FALSE; } while (false) // Hash the DOS header if it exists. if (…) SN_HASH(…); // Add image headers minus the checksum and security data directory. if (…) SN_HASH(…); … // Then the section headers. … // Finally, add data from each section. for (i=0; im_pNtHeaders->FileHeader.NumberOfSections); i++) { … } … return TRUE; }
These cryptography functions are called from various places in the code, for example, …/clr/src/vm/assembly.cpp calls them. 8.1.3 Strong Names Assemblies can use simple names or strong names (see Section Error! Reference source not found.). A simple name is a text name similar to file names used in other computing environments, and a strong name is a 4-component name: • Name. A simple (text) name to identify the assembly to the OS file manager. • Version. This is a 4-part number to identify a version of the assembly. The parts are the major number, the minor number, the build number, and the revision number. • CultureInfo. This part of the name identifies the spoken language and country code for the assembly. For example, “en-US” is the CultureInfo for English in the United States.
•
PublicKey. This is either an 8-byte public key token or a 128-byte public key that uniquely identifies the assembly developer.
Simple names can be used to reference a PE file containing an assembly on the local machine, but if the file is remote, it can only be referenced using a strong name – strong names are in the global namespace used by the DVM (recall Part C of the Lab Exercise for Chapter Error! Reference source not found.). The simple name, version, and culture provide useful information to help associate the correct version of an assembly with its caller. The public key field is used to uniquely identify the developer, and hence is another elementary protection mechanism. The strong name is checked as soon as the SSCLI is started in _CorMainExe2() in …/clr/src/vm/ceemain.cpp: int32 STDMETHODCALLTYPE _CorExeMain2( // Executable exit code. PBYTE pUnmappedPE, // -> memory mapped code DWORD cUnmappedPE, // Size of memory mapped code LPWSTR pImageNameIn, // -> Executable Name LPWSTR pLoadersFileName, // -> Loaders Name LPWSTR pCmdLine) // -> Command Line { BOOL bRetVal = 0; PEFile *pFile = NULL; HRESULT hr = E_FAIL; // Strong name validate if necessary. if (!StrongNameSignatureVerification(pImageNameIn, SN_INFLAG_INSTALL|SN_INFLAG_ALL_ACCESS|SN_INFLAG_RUNTIME, NULL) && StrongNameErrorInfo() != (DWORD) CORSEC_E_MISSING_STRONGNAME) { LOG((LF_ALL, LL_INFO10, "Program exiting due to strong name verification failure\n")); return -1; } … }
The public key is a hash (message digest) as described in the previous subsection. With public key encryption, information can be encrypted using a secure, private key, then it can only be decrypted using a generally available public key [LaMacchia, et al., 2002] (see Figure 8-2). Whenever a party receives the signed assembly, it can first compute its own version of the message digest. Then it uses the public key token to lookup its own public key in its metadata, then to decrypt the encrypted message digest that was included by the developer. If the two message digests are the same, then there is a reasonable assurance that the assembly that was received contains exactly the same bits as the one that was signed by the developer. Notice that this procedure depends on the calling assembly having the public key of the called assembly the public key token in the strong name is used by the calling assembly to identify its full public key token. For example, suppose David created a matching private and public key, then published his public key on his web site. When Joanne requests an assembly from David, he transmits the assembly to her along with an encrypted fixed-size block of data (say 128 bytes); the assembly includes the public key token (and hence access to the public key). If Joanne can decrypt the received information using David’s public key, then she can be almost certain that the information is really from David (he is the only one that can encrypt it in such a manner that the public key can be used to decrypt it).
Strong Named Assembly Assembly Assembly
Hash Hash
Key KeyGenerator Generator
Figure 8-2: Signed Assemblies Now when Joanne receives the assembly, she computes the same message digest as David did when he created the assembly. Next she decrypts the message digest to obtain a clear text message digest. If the information that was received is the same as the information that was transmitted, the two versions of the message digest will be the same. But if someone tampered with the information (since it may be in clear text), the message digests will not match. Thus by using a message digest along with public key encryption, information can be transmitted from one place to another with the receiver having a reasonable assurance that the information is from whom it claims to be from, and that no one has tampered with the information after it was signed. As was pointed out in Chapter Error! Reference source not found., the public key field also disambiguates the rest of the name, by effectively providing each developer (or development organization) with its own unique name space. This is done by having the SSCLI development environment generate public-private key pairs related to the developer or development organization. The developer identification is part of the keys. Recall from Chapter Error! Reference source not found., that KickOffDownload() caused the PE file containing the target assembly to be known to the assembly loader. After the file has been located (and there is a local pathname to the file), KickOffDownload() calls CAssemblyDownload::DownloadComplete(). This function determines whether or not the download was successful. If it was, then CAssemblyDownload::DoSetup() is called to continue loading the file. This function calls CAsmDownloadMgr::DoSetup(), which calls CAsmDownloadMgr::DoSetupRFS(), the setup function for cases where the assembly is to be “run from source.” (This code can be found in …./clr/src/fusion/download/adlmgr.cpp) This function finally begins to look at the strong name: … // Get the hash of this module from manifest hr = pCurModImport->GetHashAlgId(&dwAlgId); if (FAILED(hr)) { break; } cbModHash = MAX_HASH_LEN; hr = pCurModImport->GetHashValue(abCurHash, &cbModHash); if (FAILED(hr)) { break; } // Get the hash of the file itself cbModPath = MAX_PATH; hr = pCurModImport->GetModulePath(wzModPath, &cbModPath); if (FAILED(hr)) { break; } cbFileHash = MAX_HASH_LEN; hr = GetHash(wzModPath, (ALG_ID)dwAlgId, abFileHash, &cbFileHash);
if (FAILED(hr)) { break; } if (!CompareHashs(cbModHash, abCurHash, abFileHash)) { DEBUGOUT(_pdbglog, 1, ID_FUSLOG_MODULE_INTEGRITY_CHECK_FAILURE); bAsmOK = FALSE; SAFERELEASE(pCurModImport); break; } …
This is the code fragment that compares the compares the encrypted message digest with one computed from the file itself. Notice that this code fragment is part of the logical policy manager, yet it is implemented as a function in the fusion downloader. This points out one of the difficulties in studying the protection mechanism code: It is dispersed throughout the other code rather than being in a directory of its own. In the case of the strong name part of the mechanism, there is a DLL that implements the operations equivalent to those used in much of the rest of the SSCLI (see …/clr/src/dlls/mscorsn). This DLL is implemented by a single file named strongname.cpp; this is a good place to look to find how strong names are managed in the SSCLI (the interface is specified in …/clr/src/inc/strongnames.h). There is also a strong name tool, sn (implemented in …/clr/src/tools/strongname). 8.1.4 Platform Structured Exception Handler The CLR’s structured exception handler (SEH) relies on the exception handler that is built into the Windows OS. The Rotor CLI depends on a PAL adaptation of the Windows exception handler functions in the host OS (see Chapters 6 and 9, [Stutz, et al., 2003]). The CLI exception model is an abstraction of the exception model provided by a spectrum of programming languages. The model incorporates mechanisms to throw and catch exceptions, and the exceptions can be thrown from software, the OS, or the hardware. The essential property of the CLI SEH is that it is a mechanism whereby the OS can detect exceptions, then have them be handled by user space code, specifically, the EE. The Windows NT/2000/XP SEH mechanism is intended to allow an application to gain control of the CPU after the system detects an exception caused by the execution of that application [Solomon and Russinovich, 2000]. The application can catch the exception by providing a block of code that recovers from the exception and restarts the application, or pass it back to the OS. If the application handles the exception, it will generally need to unwind the stack to recover – this will be tricky since the stack has been “doctored up” with special frames. If the OS needs to throw the exception to the code that started the application (or to the debugger), then it, too, will need to unwind the stack, again requiring that the CLI cooperate in the stack walk. Since the Windows NT Executive was designed to export its behavior to different subsystems to implement different OS personalities, it is explicitly designed to expect that these subsystems might use the frame-based approach described above for configuring the stack. In particular, the OS can cooperate with the subsystem to determine the identity of exception handlers (kept in the stack) that should be called for different exceptions in different frames. In this sense, the CLI behaves as a subsystem from the operating system’s perspective.
8.2
The Sandbox
The sandbox is a computing environment in which mobile code executes in a host environment. Like a child’s sandbox, the program executing in the sandbox can read/write anything in the sandbox, but it cannot reference resources outside the sandbox (without explicit authorization). In the CLI context, the sandbox is the app domain inside the CLI address space, which is inside the OS process address space. This section focuses on the protection mechanisms that are used to ensure that when mobile code executes in the sandbox, it is not able to reference resources outside the sandbox without appropriate authorization.
The ECMA-335 Common Type System and type safe compilation and linking are the base elements of the sandbox (Section Error! Reference source not found.), but they must be augmented by other runtime mechanisms that use the type safety information to provide additional sandbox code isolation. The EE is a multithreaded, stack-based computing environment. Each phase of a computation is defined within a scope, such as a class, a function, or compound statement (collection of statements surrounded by “{“ and “}”). Whenever a thread enters a scope, the DVM defines the details of that scope by allocating space for the variables within the scope; in the case of managed code, the EE also keeps other state information that it needs to execute code within that scope. Traditionally, virtual machines keep this kind of scope-based information on a stack, hence the CLI DVM is an abstract stack-based machine: When the computation enters the scope, an activation record is defined from a compiler-generated template, and it is used to allocate space for the variables, the return address (if any), and so on. This activation record is pushed onto the OS process’s runtime stack, and then the executing code uses the information in the frame as it executes. When the computation exits a particular scope, the activation record is popped from the stack and discarded. When a computation references information outside the scope, then various mechanisms are used to check the authorization: • If the reference to a target that is within the method, but outside the current scope, then the runtime system reads/writes information from an activation record that has been placed lower on the stack (due to the execution of an encapsulating scope). • If the target is inside the class, but outside the method, then a stub will be used to reference the member (potentially invoking the JIT compiler). • If the target reference is inside the assembly, but outside the class, then the class loader can link the authorized reference with the target. • If the target is inside the app domain, but outside the assembly, then the assembly loader links the authorized reference with the target object. • If the reference is outside the app domain, then the cross-domain communication mechanism is invoked (see Chapter Error! Reference source not found.). In these last two cases, an important aspect of implementing the sandbox is in the part of the CLI that checks authorizations before loading an assembly into an app domain – the Policy Manager (see Section 8.3). These cases refer to the situation when managed code calls managed code. There are other situations that the CLI is also designed to handle: • Managed code is allowed to call unmanaged code, using the Platform Invocation Services (abbreviated to P/Invoke), in addition to the specialized fcall protocol between mscorlib and mscoree code discussed in Section Error! Reference source not found.. • Unmanaged code can call CLI code (of course once it is executing the CLI code, it will behave like managed code). • An external OS thread can be running in a process that is executing the CLI and managed code. We will examine each of these cases in the section, after considering the context in which this all occurs. 8.2.1 Threads and the CLI Stack The CLI is a stack virtual machine model that augments the runtime stack model supported by the underlying platform: Windows and UNIX operating systems support processes and threads using this stack model, and conventional hardware provides additional support by providing a hardware stack – a block of primary memory whose various parts are addressed by the contents of the CPU stack base, top, and limit registers (see Figure 8-3). Whenever a stack hardware instruction is used, the stack base register provides the first location in the stack, the top is an index register that is an offset from the base, and the limit register defines the maximum value the top can use.
Base Base Top Top
… Stack Contents
Figure 8-3: Hardware Stack The stack hardware is designed to support execution contexts that are under the control of the OS, since the stack registers must be changed each time the CPU switches from one context to another using privileged instructions. If the OS supports only single-threaded processes, then the stack registers only need to be changed when the OS scheduler multiplexes from one process to another. If the OS supports kernel threads, then the stack registers need to be changed with each thread multiplex operation. If a user space program intends to manage multiple threads of execution, as in the case of the CLI, that program is required to manage the stack space so that each thread has its own logical stack. There are two obvious ways to do this: • Give each thread its own block of memory for its stack, then save/restore the 3 stack registers (using an OS system call) whenever a new thread is dispatched for execution. • Activation records and supplementary information are kept in stack records that are pushed/popped with one logical stack operation. The stack record template is designed so that it contains information to link together the logically adjoining stack records on the process stack. This allows all threads’ records to be stored on a single process stack (see Figure 8-4). In Rotor, there are multiple app domains per address space (one address space per OS process), and multiple CLI threads per app domain. For security and efficiency reasons, the Rotor CLI supports the implicit multiple stacks for each CLI thread using the second technique: By multiplexing the frames on the hardware stack in such a manner that they can be referenced as a collection of individual logical stacks (refer back to Error! Reference source not found. and Error! Reference source not found.). Of course this means that stack management is a critical issue in CLI security approach: It is used to create CLIspecific protection mechanisms, and supplementary mechanisms are used to ensure that the stack access is secure. To support multiplexed stack records, the CLI references the stack segment as if it were ordinary, directly accessible memory – meaning that the CLI can do normal stack push/pop, or it can jump to any address in the stack segment to reference a specific record (see Figure 8-4). Now the trick is to ensure that both managed and unmanaged software use this collection of logical stacks (instead of the process stack).
Logical Stack1
Logical Stack2
Logical Stack3 Top Base
Top
Top of stack
Frame
Top
Figure 8-4: Multiplexing Logical Stacks on the Hardware Stack The first part of the solution is that the Rotor CLI inserts various kinds of additional information into a frame, then inserts these frames onto the stack to assist in implementing the multiplexed logical stacks, and to save various other pieces of information regarding its execution state. For example, the Rotor CLI uses frames to hold information about exceptions and EE execution state. Within the design, stack records can have an associated frame that describes the stack record. Some stack records are written to the stack without any associated frame, so they are referred to as “frameless” stack records. As noted in the previous subsection, the CLR was implemented with the full knowledge that the target platform supported SEH, and that it is “frame-aware.” The Rotor CLI continues with that assumption, relying on the PAL to implement the requisite SEH mechanisms if the host OS does not (as is the case with FreeBSD and OS X). This means that even though the supporting platform does not know the semantics of various types of frames, it can detect a frame and invoke user-space code to manage its contents. This means that if a process that is running the CLI happens to also be running a thread that has no knowledge of the CLI, then the external thread will not access/harm the CLI logical stack since the OS will uses its SEH mechanism to trap into the CLI frame management code if the external thread should happen to wander into this part of the stack containing managed records. There is a class hierarchy of different frame types, with the base class of all frame classes being the abstract Frame class (see …/clr/src/vm/frames.h and Figure 8-5); read the comments in frames.h for a brief description of each frame types in the hierarchy. Code comments sometimes also refers to frames as EE frames. A quick inspection of the hierarchy suggests that frame multiplexing can be quite complicated. A frame can be used to assist the garbage collector or exception handler, or be used to hold execution state for EE operation (including the implementation of the collection of logical stacks). It is important to recognize that even with all these frame types, the language runtime behavior (managed and unmanaged) is to push activation records onto the stack as required: Managed push/pop operations can either be frameless or use the frame classes, but unmanaged code will use native code push/pop operations. Frame TransitionFrame ExceptionFrame FaultingExceptionFrame FuncEvalFrame HelperMethodFrame
GCFrame UnmanageToManagedFrame UnmanageToManagedCallFrame UMThkCallFrame CtxMarshaledFrame
FramedMethodFrame NDirectMethodFrame NDirectMethodFrameEx PrestubMethodFrame CtxCrossingMethodFrame MulticastFrame
CtxByValueFrame ContextTransitionFrame NativeClientSecurityFrame ComClientSecurityFrame
Figure 8-5: Frame Class Hierarchy Suppose that a thread executing managed and unmanaged code is required to traverse the stack, for example due to an exception, or to access variables in an enclosing scope. The CLI must be prepared to support such stack traversals (also called stack “walks”). Stack traversal is accomplished using the Thread::StackWalkFramesEx(), which is called by StackWalkFrames(), both of which are located in …/clr/src/vm/stackwalk.cpp. Notice that this is a Thread class member rather than a stack function; this is because a stack walk is ordinarily required due to some runtime condition that is incurred by a CLI thread (as opposed to a condition related to static code). It will be helpful to learn a little more about managed threads in order to understand the details of stack traversal. In Section Error! Reference source not found. you saw how threads are created to execute managed code. When a CLI thread is created using the system.threading namespace, it is associated with a PAL thread (which is associated with a thread in the host platform). Each CLI thread has a Thread object associated with it (see …/clr/src/vm/thread.h). This is a complex object that is used as the thread descriptor for CLI thread management. For example, the Thread object contains fields for identifying the platform thread ID, the CLI thread ID, its CLI state, and so on. Each CLI thread is also entered into the CLI’s ThreadStore object (see …/clr/src/vm/threads.h); in general, threads that appear in the ThreadStore are CLI (managed) threads, and those that are not in the ThreadStore are not CLI threads. When a thread that was created outside the CLI begins to use the CLI managed code, the CLI code will call GetThread() (in …/clr/src/vm/threads.h), which returns the Thread object’s record of the platform thread ID. If the field is null, then this is not a managed thread. The CLI code can then manage the thread behavior by first registering it with the CLI using SetupThread() (see …/clr/src/vm/threads.cpp). Each thread that uses the CLI is characterized as being a background thread or not. The fcall-able function, FCIMPL2(void, ThreadNative::SetBackground, ThreadBaseObject* pThisUNSAFE, BYTE isBackground)
can be used to identify a thread as being a background thread. The significance of background threads is that they are not intimately associated with the CLI. In particular, the CLI will terminate if there are only background threads present, but not if there are any foreground (non-background) threads running. The idea is that background threads can use the CLI, but the CLI does not make any commitment to support them, since they are not threads that were started from with managed code. If such a thread “wanders into” the CLI from unmanaged code, it will have a Thread object associated with it (when it is registered), and the Thread object will reflect that it is a background thread. Here is a tiny fragment of the Thread class prototype (it is a huge class prototype – over 1400 lines long) that shows the background/foreground mechanism (we have inserted “[braced, italicized comments]” into the code in a few places): // // // // // // // //
The Thread class represents a managed thread. This thread could be internal or external (i.e. it wandered in from outside the runtime). For internal threads, it could correspond to an exposed System.Thread object or it could correspond to an internal worker thread of the runtime. If there's a physical Win32 thread underneath this object (i.e. it isn't an unstarted System.Thread), then this instance can be found in the TLS of that physical thread.
class Thread
{ … //[This lists a few of the thread states to give you the flavor] enum ThreadState { TS_Unknown = 0x00000000, // threads are initialized this way TS_StopRequested
= 0x00000001, // process stop at next opportunity
… TS_UserSuspendPending = 0x00000004, // user suspension at next opportunity … TS_Background = 0x00000200, // Thread is a background thread TS_Unstarted = 0x00000400, // Thread has never been started TS_Dead = 0x00000800, // Thread is dead TS_WeOwn = 0x00001000, // Exposed object initiated this thread // Some bits that only have meaning for reporting the state to clients. TS_ReportDead = 0x00010000, // in WaitForOtherThreads() … //[Here are a few members related to background operation] DWORD IsBackground() { return (m_State & TS_Background); } DWORD IsUnstarted() { return (m_State & TS_Unstarted); } DWORD IsDead() { return (m_State & TS_Dead); } … };
The CLI’s ThreadStore object is the registry for all threads that the EE has recognized, including both background and foreground threads (see …/clr/src/vm/threads/h). This elided class definition describes the basic silhouette of the class (this is a well-commented class definition, so you can easily read your copy of the code for more information): // -----------------------------------------------------------------------// // The ThreadStore manages all the threads in the system. // // There is one ThreadStore in the system, available through g_pThreadStore. // -----------------------------------------------------------------------… // The ThreadStore is a singleton class #define CHECK_ONE_STORE() _ASSERTE(this == g_pThreadStore); class ThreadStore { … public: ThreadStore(); static BOOL InitThreadStore(); … // Add a Thread to the ThreadStore static void AddThread(Thread *newThread);
// RemoveThread finds the thread in the ThreadStore and discards it. static BOOL RemoveThread(Thread *target); // Transfer a thread from the unstarted to the started list. static void TransferStartedThread(Thread *target); … // We shut down the EE when the last non-background thread terminates. // This event is used to signal the main thread when this condition // occurs. void WaitForOtherThreads(); static void CheckForEEShutdown(); HANDLE m_TerminationEvent; // Have all the foreground threads completed? // release the main thread? BOOL OtherThreadsComplete() {…} … …
In other words, can we
};
Now that you see that the EE manages every thread that uses managed code, we can continue the stack traversal discussion (which follows that in Chapter 6 of [Stutz, et al., 2003]). Thread::StackWalkFramesEx() (in …/clr/src/vm/stackwalk.cpp) is used to traverse the logical stack for a particular thread. Below is an elided version of the function with a few of our [italicized comments in square braces] added. You can think of StackWalkFramesEx() as an iterator for the stack records; it finds a frame, wraps the frame in a CrawlFrame object, then invokes a callback routine (pCallback() in the thread). StackWalkAction Thread::StackWalkFramesEx( PREGDISPLAY pRD, // virtual register set at crawl start PSTACKWALKFRAMESCALLBACK pCallback, [The callback routine] VOID *pData, unsigned flags, Frame *pStartFrame ) { … CrawlFrame cf; [Here is the CrawlFrame object] … Frame * pInlinedFrame = NULL; [Here is the Frame] if (pStartFrame) cf.pFrame = pStartFrame; [Start from this Frame] else cf.pFrame = this->GetFrame(); [Start from this Frame at the top of the stack] … [Initialize various fields in the CrawlFrame] … [This is the stack walk loop] while (cf.isFrameless || (cf.pFrame != FRAME_TOP)) { … if (cf.isFrameless) { // This must be a JITed/managed native method … /* Get rid of the frame (actually, it isn't really popped) */
LOG((LF_CORDB, LL_INFO1000000, "Thread::StackWalkFramesEx: calling UnwindStackFrame\n")); cf.codeMgrInstance->UnwindStackFrame( pRD, methodInfo, &codeInfo, unwindFlags | cf.GetCodeManagerFlags(), &cf.codeManState); LOG((LF_CORDB, LL_INFO1000000, "Thread::StackWalkFramesEx: UnwindStackFrame returned\n")); cf.isFirst = FALSE; cf.isInterrupted = cf.hasFaulted = cf.isIPadjusted = FALSE; /* We might have skipped past some Frames */ /* This happens with InlinedCallFrames and if we unwound * out of a finally in managed code or for * ContextTransitionFrames that are * inserted into the managed call stack */ while (cf.pFrame != FRAME_TOP && (size_t)cf.pFrame < (size_t)GetRegdisplaySP(cf.pRD)) {…} … } else [This is the processing for an EE frame] { … cf.pFunc = cf.pFrame->GetFunction(); … // If the frame is a subclass of ExceptionFrame, // then we know this is interrupted cf.isInterrupted = (cf.pFrame->GetFrameAttribs() & Frame::FRAME_ATTR_EXCEPTION) != 0; … // // Update app domain if this frame caused a transition // AppDomain *pAppDomain = cf.pFrame->GetReturnDomain(); if (pAppDomain != NULL) cf.pAppDomain = pAppDomain; SLOT adr = (SLOT)cf.pFrame->GetReturnAddress(); … if (adr) { /* is caller in managed code ? */ pEEJM = ExecutionManager::FindJitMan(adr, fJitManagerScanFlags); cf.JitManagerInstance = pEEJM; … } if (!pInlinedFrame) {…} }
} … /* If we got here, we either couldn't even start (for whatever reason) or we came to the end of the stack. In the latter case we return SWA_DONE. */ … LOG((LF_CORDB, LL_INFO1000000, "StackWalkFramesEx: returning 0x%x\n", retVal)); return retVal; }
Almost all of the detail has been elided out of this code fragment, but there should be enough remaining for you to get the jist of how StackWalkFramesEx() works. Read your copy of the full code to find the places where this function calls pCallback(&cf, (VOID*)pData)) to return information. 8.2.2 Managed/Unmanaged Thread Transitions In the last subsection you learned how the SEH mechanism prevents CLI sibling threads are prevented from accessing or harming the stack. In this section we will consider the cases where: • Managed code is allowed calls unmanaged code, using either the P/Invoke mechanism or the specialized fcall protocol between mscorlib and mscoree code. • Unmanaged code call managed code (and the thread becomes a managed thread). First we will consider how the stack is handled when managed code calls unmanaged code: In this case, a TransitionFrame object is pushed on the stack with the stack record. Below is the definition of the TransitionFrame class interface (from …/clr/src.vm/frames.h): //-----------------------------------------------------------------------// This frame represents a transition from one or more nested frameless // method calls to either a EE runtime helper function or a framed method. // Because most stackwalks from the EE start with a full-fledged frame, // anything but the most trivial call into the EE has to push this // frame in order to prevent the frameless methods inbetween from // getting lost. //-----------------------------------------------------------------------class TransitionFrame : public Frame { public: virtual void GcScanRoots(promote_func *fn, ScanContext* sc) { // Nothing to protect here. } virtual void UpdateRegDisplay(const PREGDISPLAY) = 0; protected: LPVOID
m_Datum;
// offset +8: contents depend on subclass // type.
friend struct MEMBER_OFFSET_INFO(TransitionFrame); };
If we have a call from a framed method to the EE or to another framed method: Our main concern is to implement the logical stack. The FramedMethodFrame subclass is used in this case, an elided version of the class declaration (from frames.h) is shown below. You can see from this code fragment that this class defines a frame object that knows about activation records (return addresses, arguments, and so on). A FramedMethodFrame (or subclass) is constructed, then pushed onto the stack below the activation record. class FramedMethodFrame : public TransitionFrame { … public: // Retrieves the return address into the code that called the // helper or method. virtual LPVOID* GetReturnAddressPtr(); // FramedMethodFrame must store some fields at negative offset. // This method exposes the size for people needing to allocate // FramedMethodFrame. static UINT32 GetNegSpaceSize() {…} //--------------------------------------------------------------// Expose key offsets and values for stub generation. //--------------------------------------------------------------static int GetOffsetOfArgumentRegisters() {…} CalleeSavedRegisters *GetCalleeSavedRegisters() {…} virtual MethodDesc *GetFunction() {…} virtual void UpdateRegDisplay(const PREGDISPLAY); //-----------------------------------------------------------------// Returns the address of a security object or // null if there is no space for an object on this frame. //-----------------------------------------------------------------virtual OBJECTREF *GetAddrOfSecurityDesc() {…} // Get return value address virtual INT64 *GetReturnValuePtr() {…} … IMDInternalImport *GetMDImport() {…} Module *GetModule() {…} //--------------------------------------------------------------// Get the "this" object. //--------------------------------------------------------------OBJECTREF GetThis() {…} … };
Suppose a class library function fcalls a function in the mscoree.1 In this case, a HelperMethodFrame is pushed onto the stack below printf()’s activation record. This type of frame does a minimum of work since the caller and callee are closely coordinated. The minimum amount of work includes translating the JIT compiled code calling convention into the calling convention used in the C++ CLI code. It also includes adding an explicit addresses of the next frame in the logical stack, and saving the identity of the thread to which this frame belongs: //-----------------------------------------------------------------------// A HelperMethodFrame is created by jit helper (Modified slightly it could 1
It is also possible to use P/Invoke for such calls. Look in …\clr\src\BCL\Microsoft\Win32\Win32Native.cs to find a list of P/Invoke calls from the mscorlib to the mscoree.
// be used for native routines). This frame just does the callee saved // register fixup, it does NOT protect arguments (you can use GCPROTECT or // the HelperMethodFrame subclases) see JitInterface for sample use, YOU // CAN'T RETURN STATEMENT WHILE IN THE PROTECTED STATE! //-----------------------------------------------------------------------class HelperMethodFrame : public TransitionFrame { public: // Lazy initialization of HelperMethodFrame. Need to // call InsureInit to complete initialization // If this is an FCall, the second param is the entry point for the // FCALL. The MethodDesc will be looked up form this (lazily), and // this method will be used in stack reporting, if this is not an // FCall pass a 0 … // If you give the optional MethodDesc parameter, then the frame // will act like the given method for stack tracking purposes. // If you also give regArgs != 0, then the helper frame will // will also promote the arguments for you (Pretty neat, huh?) … protected: unsigned m_Attribs; MachState* m_MachState; // pRetAddr points to the return address // and the stack arguments ArgumentRegisters * m_RegArgs; // if non-zero we also report these as // the register arguments Thread *m_pThread; void* m_FCallEntry; // used to determine our identity for // stack traces … };
P/Invoke is the primary mechanism that is used by managed code to call all other unmanaged code. The P/Invoke mechanisms are located in the system.Runtime.InteropServices namespace. Here is a familiar managed program that uses P/Invoke to call an untrusted system function: // Calling unmanaged code using System.Runtime.InteropServices; class MainApp { [ DllImport( "msvcrt.dll" )] public static extern int printf(string str); public static void Main() { printf("Hello World!\n"); } }
Since printf() is a function in the C runtime library (the multithreaded version of the C runtime DLL is named msvcrt.dll), the example code uses the prototype modifier [ DllImport( “msvcrt.dll” )]
the thread executing the managed main program can then call the unmanaged C runtime function, printf().
The P/Invoke method call uses the NDirectMethodFrame transition frame (actually, it uses the NDirectMethodFrameEx subclass, but we will just look at the superclass version).2 An NDirectMethodFrame is a subclass of a FramedMethodFrame, meaning it has the links described above. The additional functionality manages the transition from managed to unmanaged (including translation of the caller’s calling convention into the callee’s convention – a marshalling stub is used whenever calling convention translation is required.), and sets up information that will be used by the calling method’s stub when it is JIT compiled. The compiler can also insert other kinds of stubs, such as those to cause protection mechanisms to be invoked, causing the EE to push a frame with relevant information onto the stack for use when the stub is encountered. class NDirectMethodFrame : public FramedMethodFrame { public: virtual void GcScanRoots(promote_func *fn, ScanContext* sc) {…} virtual BOOL IsTransitionToNativeFrame() {…} virtual CleanupWorkList *GetCleanupWorkList() {…} //--------------------------------------------------------------// Expose key offsets and values for stub generation. //--------------------------------------------------------------int GetFrameType() {…} void GetUnmanagedCallSite(void **ip, void **returnIP, void **returnSP) = 0; BOOL TraceFrame(Thread *thread, BOOL fromPatch, TraceDestination *trace, REGDISPLAY *regs); friend struct MEMBER_OFFSET_INFO(NDirectMethodFrame); };
The goal of the NDirectMethodFrame is to build a data structure to place on the top of the stack that could be handled by the OS when it manages a process’s stack. The unmanaged code then executes as required, placing the results of the function call on the top of the stack, then returning to the address located in the expected location in the activation record. If the unmanaged function attempts to traverse the stack (for example, because it is trying to handle and exception), it will generally not be able to do this without being able to interpret EE frames. As a consequence, when an unmanaged thread attempts to traverse the stack, it can only do so with knowledge of EE frames (and the implicit cooperation of the EE). 8.2.3 Verification The PEVerify program is specific to Microsoft CLI implementations (including both Rotor and CLR). It is a tool that verifies that the compiled program (the CIL and metadata) are type safe. This is useful since it is possible to produce a PE file containing code that is not type safe, yet still be an assembly. (Recall that a programmer can use a CIL assembler to create assemblies – the CIL assembler does not check types.) This can also occur if the source program overrides the type safety mechanism (for example using the unsafe keyword in C#, writing CIL assembly language, or by creating CIL code on-the-fly). You can read the details of how to use PEVerify in the MSDN online documentation.
2
This is another case where a package got renamed after the software engineers had already written the code: The P/Invoke service is frequently referred to as the “NDirect” mechanism in the code.
8.3
The Policy Manager
This part of the discussion focuses on the policy manager mechanism that is used to ensure that assemblies that are imported into a local environment are safe to execute. Since assemblies are the unit of deployment, it is natural for them to also be the unit at which the policy manager operates. The CLI architecture defines a broad spectrum of tools and mechanisms by which assemblies can be deployed across diverse computing environments with reasonable assurances that the assemblies are from a trusted party, and that they will be used by an authorized party. The policy manager implements the authorization aspects of the model from two different perspectives: • Role-based security. This part of the protection mechanism is concerned with the rights that the user has to execute mobile code. Each user can play different roles at different times. For example, Professor Smith is sometimes an employee, sometimes a teacher, sometimes a member of a bowling team, and so on. In the CLI, each user in a particular role is referred to as a principal. When an assembly is downloaded, the mechanism checks to be sure that the principal that requested the assembly is authorized to use it. • Code access security. This part of the protection mechanism focuses on the protection rights associated with the code. When an assembly is downloaded, the code access mechanism looks at evidence about the assembly (its rights and resource requirements) and host environment to determine if this assembly is authorized to execute in the given host environment. In 1997 Wallach, et al., published a paper suggesting ways that the Java 1 security architecture could be improved [Wallach, et al., 1997]. The criticism of the Java mechanism was that it “…focused on two, separate fixed security policies. Local code, loaded from specific directories on the same machine as the JVM, is completely trusted. Remote code, loaded across a network connection form an arbitrary source, is complete untrusted.” The paper describes how Java 1 checks to see if code is executed as remote or local (untrusted or trusted) code. The key to the approach is that the Java Security Manager class determines if actions are authorized or not, throwing an exception in the case of unauthorized actions. Wallach, et al., point out ways that the mechanism can be circumvented. The paper then describes three approaches to supporting security policies in a mobile code context: • Capabilities. Each principal can only access a resource (represented by a class) if it contains a unique, unforgeable pointer to the resource. Access to resources is then managed by managing these capabilities. • Extended stack introspection. Authorization is explicitly requested and released by DVM calls. Stack frames are annotated to reflect points in execution where authorization has been requested and granted (or denied). When a resource access is attempted, the DVM starts at the top of the stack and begins to search frames for explicit privilege/denial authorization. If it reaches the bottom of the stack, the mechanism can authorize or not, depending on the mechanism implementation. The technology described in Section 8.2 could be used to implement this approach. • Name space management. Resources (classes) are organized in name spaces. Each principal uses a configuration which defines the security policy for how that principal can reference different classes. If a principal does not have authorization to access a particular resource, then the resource is removed from its version of the name space. [Wallach, et al., 1997] explains how they modify a web browser to implement this approach by modifying the Java Class Loader. This is the basic idea used by the Rotor CLI policy manager.
The CLI/CLR policy manager design is based on the idea that different code should have different levels of trust, allowing the code developer to influence the environment in which the code will be executed, and the host environment to decide how much it trusts mobile code that it loads for execution [LaMacchia, et al., 2002]. In the Rotor CLI, information about the code (and its developer) is combined with information about the user to provide evidence about both environments; thus the approach is also referred to as being an evidence based security mechanism in the .NET literature. The policy manager behavior was introduced in Section Error! Reference source not found. (especially see Error! Reference source not found.). In this section we will look more closely at how it is used and implemented. Since you have now studied metadata and assembly loading, we can now refine the earlier figure to more fully illustrate the mechanism (see Figure 8-6). Host and user evidence are collected from the assembly, from the SSCLI environment itself (when it downloads an assembly), and from policy and user information specific to the host. In the SSCLI, the evidence is grouped into containers relating to assembly evidence and host evidence.
Assembly CIL Manifest Resources Metadata Resource Requests •Strong name, •….
SSCLI Environment From Assy Loader •Calling assy info •Download site •….
Admin Security Policy
Host Evidence
Assembly Assembly Evidence Evidence
Policy Resolution
Granted Permission Set
Figure 8-6: A Refined View of the Policy Manager As suggested by Figure 8-6, some of the evidence is packaged with the assembly when it is created and signed by the developer. The policy manager extracts the assembly evidence from the metadata. Thus, the digital signature is a fundamental concept in determining evidence. Normally, assemblies that are fetched from untrusted regions must have a minimum amount of metadata to serve as the basis of the evidence about the source and nature of the assembly. In the interest of speeding up assembly execution, assemblies can also be loaded from trusted regions (such as the application directory), in which case the policy manager does not perform permission authentication.3 The CLI also uses as much other host evidence as the environment is able to provide. For example, when the assembly downloader fetches a file from a remote site, the downloader provides the source site URL and other information to the policy manager. As shown in the figure, part of the host evidence comes from a set of policies for all machines in an enterprise, for the current machine, the current user login, and the current app domain – this evidence is defined by the system administrator.
3
This brings us back to the Laboratory Exercise in Chapter Error! Reference source not found.. Notice that the instructions for the exercise were for you to copy a PE file from a remote server, based on a URL. The strong naming mechanism forced you to compile the calling assembly with the signature of the called assembly. However, your downloader put the file into a trusted directory, which causes the policy manager to trust the source of the file that we copied from an untrusted web server.
[Watkins and Lange, 2002] provide a small example that allows you to inspect the evidence associated with a module. The idea of the code is that it defines a simple assembly that can be executed. When you execute it, it prints evidence about the assembly. This very slight modification to their example code produces less output than Watkins and Lange’s example, yet illustrates the nature of the evidence: // Slight adaptation of a program in [Watkins & Lange, 2002] using System; using System.Collections; using System.Reflection; using System.Security.Policy; namespace AssemblyEvidence { class Class1 { static void Main(string[] args) { Type t = Type.GetType("System.String"); Assembly a = Assembly.GetAssembly(t); Evidence e = a.Evidence; IEnumerator i = e.GetEnumerator(); for(int j=0; j < 3; j++) { i.MoveNext(); Console.WriteLine(i.Current); } } } }
If you compile and run this C# program, you will see output similar to the following. This code was actually run on the CLR rather than the Rotor CLI, but the results are the same in either case (and on either operating system. C:\Rotor\Labs\Lab6>csc sec-demo1.cs Microsoft (R) Visual C# .NET Compiler version 7.00.9466 for Microsoft (R) .NET Framework version 1.0.3705 Copyright (C) Microsoft Corporation 2001. All rights reserved.
C:\Rotor\Labs\Lab8>sec-demo1.exe <System.Security.Policy.Zone version="1"> MyComputer <System.Security.Policy.Url version="1"> file://C:/winnt/microsoft.net/framework/v1.0.3705/mscorlib.dll <StrongName version="1" Key="00000000000000000400000000000000" Name="mscorlib" Version="1.0.3300.0"/>
C:\Rotor\Labs\Lab8>
8.3.1 The Granted Permission Set The granted permission set shown in Figure 8-6 represents an object that indicates that the assembly has been authenticated and is permitted to perform a specific set of protected operations in the context of the assembly-host combination. The granted permission set is selected from a collection of permission sets as a result of the SSCLI policy resolution execution. Each code access permission and identity permission class inherits from System.Security.CodeAccessPermission, so there is some default set of fields and methods that apply to each such class. For example, there are methods to replicate the permission object, to union or intersect another permission object and itself, and so on. Code access permissions provide operations related to assemblies, and identity permissions indicate that an assembly has a specific item of evidence (such as the Zone or ZoneIdentityPermission). There are other potentially other permissions that do not inherit the CodeAccessPermission, though the only permission of this type is System,Security.Permissions.PrincipalPermission which deals with user identity rather than code identity [LaMacchia, et al., 2002]. Here is a small C# program to generate an example permission set (as XML): // Inspect my own PermissionSet -- from [LaMacchia, et al, 2002] using System; using System.Security.Permissions; using System.Security; namespace AssemblyEvidence { class EgClass { [FileIOPermission(SecurityAction.Demand, Write=@"C:\Rotor\Labs\Lab6\foo.txt")] static void Main(string[] args) { // This code fragment form [LaMacchia, et al., 2002] PermissionSet p = new PermissionSet(PermissionState.None); p.AddPermission(new UIPermission(PermissionState.Unrestricted)); p.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Labs\Lab6\bar.txt")); Console.WriteLine(p.ToString()); } } }
The output from this program is the following:
The C# program contains two imperative permission demands (the p.AddPermission() statements) and one declarative demand (enclosed in “[…]”). The XML representation of the assembly’s permission set shows two objects, one for the unrestricted user interface permission (the first C# AddPermission() statement, but the second ), and the other for the second C# statement. Each declarative security access specification is included in the metadata, but it does not explicitly appear in the permission set. Typically, declarative specifications operate as filters that either allow all access except that from a particular location, or they forbid all access except that from a particular location. Load time checks take place only when the target method is loaded, but runtime checks take place on each invocation of the method. Assembly programmers can also incorporate their own explicit imperative security access specifications. Whereas declarative security is specified by declaring appropriate rules, imperative security involves writing a function (such as the AddPermission() function) to define access authorization. 8.3.2 Strong Names As mentioned earlier, the policy manager code is dispersed throughout the Rotor CLI source rather than being in any single directory. We can get more insight into how the code is designed and implemented by studying the digital signature authentication code. Recall from Section 8.3 that the digital signature is checked as part of the strong name processing in the assembly loader procedure. Ultimately, the function CAsmDownloadMgr::DoSetupRFS() calls the CAssemblyModuleImport members GetHashAlgID(), GetHashValue(), and GetModulePath() (found in …/clr/src/fusion/mparse/modimprt.cpp), as well as the C functions GetHash(), and CompareHash() (in …/clr/src/fusion/asmcache/asmint.cpp). These functions actually perform the designated operations. Here is the complete implementation of CAssemblyModuleImport::GetHashValue(), followed by an elided version of GetHash(): // ------------------------------------------------------------------------// CAssemblyModuleImport::GetHashValue // ------------------------------------------------------------------------STDMETHODIMP CAssemblyModuleImport::GetHashValue(LPBYTE pbHashValue, LPDWORD pcbHashValue) { HRESULT hr = S_OK; if (*pcbHashValue < _cbHashValue) { hr = HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER); goto exit; } memcpy(pbHashValue, _pbHashValue, _cbHashValue); exit: *pcbHashValue = _cbHashValue; return hr; }
HRESULT GetHash(LPCTSTR szFileName, ALG_ID iHashAlg, PBYTE pbHash, DWORD *pdwHash) { … // Open source file. hSourceFile = CreateFile (szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL); if (hSourceFile == INVALID_HANDLE_VALUE) { // error exit }
while ( ReadFile (hSourceFile, pbBuffer, … )) { // Add data to hash object. if(!CryptHashData(hHash, pbBuffer, dwBufferLen, 0)) { // error exit } } if(!CryptGetHashParam(hHash, HP_HASHVAL, pbHash, pdwHash, 0)) goto exit; hr = S_OK; exit: … return hr; }
8.3.3 The Policy Manager Engine The policy manager is implemented in two major classes: Security and SecurityDescriptor (see …/clr/src/vm/security.cpp) There are three other classes ApplicationSecurityDescriptor, AssemblySecurityDescriptor, and SharedSecurityDescriptor that inherit behavior from the SecurityDescriptor base class (see …/clr/src/vm/security.h for their declarations). There should only be one instance of the Security class operating in the Rotor CLI; it is started when the EE is started. That is, the call chain from the EE entry point is: • CorExeMain2() (located in …/clr/src/vm/ceemain.cpp) • CoInitializeEE() • TryEEStartup() • EEStartup() • Security::Start() (located in …/clr/src/vm/security.cpp) The Start() function initializes the policy manager, including the initializing a SecurityHelper object. HRESULT Security::Start() { ApplicationSecurityDescriptor::s_LockForAppwideFlags = ::new Crst( "Appwide Security Flags", CrstPermissionLoad); … SecurityHelper::Init(); CompressedStack::Init(); COMSecurityConfig::Init(); return GetSecuritySettings(&s_dwGlobalSettings); }
The SecurityHelper class (defined in …/clr/src/vm/permset.cpp) is initialized in the Start() call, then uses to load the current settings with GetSecuritySettings(): HRESULT STDMETHODCALLTYPE GetSecuritySettings(DWORD* pdwState) { …
if (pdwState == NULL) return E_INVALIDARG; DWORD val; WCHAR temp[16]; if (PAL_FetchConfigurationString(TRUE, gszGlobalPolicySettings, temp, sizeof(temp) / sizeof(WCHAR))) { LPWSTR endPtr; val = wcstol(temp, &endPtr, 16); // treat it has hex if (endPtr != temp) // success state = val; }
*pdwState = state; return hr; }
Permissions are kept in a file whose name is specified by SECURITY_BOOTSTRAP_DB environment variable. The SecurityDB constructor (in …/clr/src/vm/securitydb.cpp) caches this file into memory, and the destructor writes it back to the file system. Entries in the security DB are either compiled entries or XML blobs. XML blobs are compiled by SecurityHelper::TranslateSecurityAttributes(). Besides the constructor and destructor, the only other public member to the SecurityDB object is Convert(). This function loads the permissions into the EE: BOOL SecurityDB::Convert(BYTE* pXml, DWORD cXml, BYTE** ppAsn, DWORD* pcAsn) { … for (i=0; i
} } // Not found in DB, need to add the xml blob to db. // This is to be compiled later by the Compile utility. retVal = Add(pXml, cXml); goto Cleanup; Error : retVal = FALSE; Cleanup : if (pDBXml) delete [] pDBXml; return retVal; }
At this point, the policy manager (Security, SecurityHelper, and SecurityDB objects) are all ready to be used. The policy manager will not take further action until some part of the CLI invokes the assembly or class loader. Unfortunately, there is no single point in the code where the policy manager is called. Instead, it is invoked from various places, depending on the application/CLI’s activity: In Chapter 12, [LaMacchia, et al, 2002] say: As a program runs within the Runtime [CLI], security demands will generally occur as a result of one of the following three actions: • An explicit call to a permission’s Demand() method • An explicit call to a method protected by a declarative security attribute specifying a demand • Implicitly as part of a platform invoke or COM interop call, because all calls to native code through these mechanisms are automatically protected by security checks For example, when an assembly is being loaded, the Assembly::AddModule() function (in ../clr/src/vm/assembly.cpp), it attempts to check authentication with a call to Security ::EarlyResolve(). Browse through this code fragment from Assembly::AddModule() to get some ideas about how the Security object is used for code access security. HRESULT Assembly::AddModule(Module* module, mdFile kFile, BOOL fNeedSecurity, OBJECTREF *pThrowable) { … COMPLUS_TRY { … AssemblySecurityDescriptor *pSec = GetSecurityDescriptor(); _ASSERTE(pSec); if(fNeedSecurity) pSec->SetSecurity(module->IsSystem() ? true : false); if( module->IsPEFile() ) { // Check to see if the entry token stored in the header is a // token for a MethodDef. If it is then this is the entry point // that is called. We don't want to do this if the module is // InMemory because it will not have a header. if (!m_pEntryPoint) { mdToken tkEntry = VAL32( module->GetCORHeader()->EntryPointToken); if (TypeFromToken(tkEntry) == mdtMethodDef) m_pEntryPoint = module; }
} TIMELINE_START(LOADER, ("EarlyResolve")); // // // if
If explicit permission requests were made we should resolve policy now in case we can't grant the minimal required permissions. (fNeedSecurity && Security::IsSecurityOn() && !module->IsSystem()) { hr = Security::EarlyResolve(this, pSec, pThrowable); if (FAILED(hr)) COMPLUS_LEAVE;
} TIMELINE_END(LOADER, ("EarlyResolve")); … } COMPLUS_CATCH { … } COMPLUS_END_CATCH ENDCANNOTTHROWCOMPLUSEXCEPTION(); return hr; }
As another code access security example, recall that ClassLoader::LoadTypeHandle() (discussed in Section Error! Reference source not found.) is called as part of the steps for loading a file. While loading the assembly, this function calls ClassLoader::LookupTypeHandle(), which calls AppDomainNative::GetSecurityDescriptor(), which calls Assembly::GetSecurityDescriptor(), which calls the security manager function, AssemblySecurityDescriptor *SharedSecurityDescriptor::FindSecDesc(). You can also see various aspects of role-based security in the Security object. Though the security policy information is kept on the disk, it is also cached whenever the information is being used. For example, in SecurityDescriptor::CheckQuickCache() (…/clr/src/vm/security.cpp) you can see how the policy manager collects machine, environment, and user evidence (EarlyResolve(), among others, calls CheckQuickCache()): BOOL SecurityDescriptor::CheckQuickCache( COMSecurityConfig::QuickCacheEntryType all, const COMSecurityConfig::QuickCacheEntryType* zoneTable, DWORD successFlags ) { … BOOL machine, user, enterprise; // First, check the quick cache for the all case. machine = COMSecurityConfig::GetQuickCacheEntry( COMSecurityConfig::MachinePolicyLevel, all ); user = COMSecurityConfig::GetQuickCacheEntry( COMSecurityConfig::UserPolicyLevel, all ); enterprise = COMSecurityConfig::GetQuickCacheEntry( COMSecurityConfig::EnterprisePolicyLevel, all ); if (machine && user && enterprise) { SetProperties( successFlags );
return TRUE; } // If we can't match for all, try for our zone. DWORD zone = GetZone(); if (zone == 0xFFFFFFFF) return FALSE; machine = COMSecurityConfig::GetQuickCacheEntry( COMSecurityConfig::MachinePolicyLevel, zoneTable[zone] ); user = COMSecurityConfig::GetQuickCacheEntry( COMSecurityConfig::UserPolicyLevel, zoneTable[zone] ); enterprise = COMSecurityConfig::GetQuickCacheEntry( COMSecurityConfig::EnterprisePolicyLevel, zoneTable[zone] ); if (machine && user && enterprise) { SetProperties( successFlags ); return TRUE; } return FALSE; }
Finally, we note that a security stub can be used to trap a call to an assembly so that the policy manager can authenticate the call. The policy manager can check the authorization of the call, determine if the assembly is trustworthy, then continue with assembly loading. Notice that the security stub can be removed once any method in any class in the assembly has been called. The policy manager uses security stubs to handle declarative security actions. Here is a code excerpt from Security::DetectDeclActions(), and the full declaration of DoDeclarativeSecurity(): // Here we see // called, and // argument to DeclActionInfo
what declarative actions are needed everytime a method is create a list of these actions, which will be emitted as an DoDeclarativeSecurity [Also defined in this file] *Security::DetectDeclActions(MethodDesc *pMeth, DWORD dwDeclFlags)
{ DeclActionInfo
*pDeclActions = NULL;
EEClass *pCl = pMeth -> GetClass () ; _ASSERTE(pCl && "Should be a EEClass pointer here") ; #ifdef _DEBUG PSecurityProperties psp = pCl -> GetSecurityProperties () ; #endif _ASSERTE(psp && "Should be a PSecurityProperties here") ; Module *pModule = pMeth -> GetModule () ; _ASSERTE(pModule && "Should be a Module pointer here") ; #ifdef _DEBUG AssemblySecurityDescriptor *pMSD = pModule -> GetSecurityDescriptor () ; #endif _ASSERTE(pMSD && "Should be a security descriptor here") ;
IMDInternalImport
*pInternalImport = pModule->GetMDImport();
// Lets check the Ndirect/Interop cases first … // Check if now there are no actions left … // A NDirect/Interop demand is required. … // Look for the other actions … while (loops-- > 0) { … while (pInternalImport->EnumNext(&hEnumDcl, &tkPerm)) { … } // permission enum loop … } // Method and class enum loop return pDeclActions; } // This functions is logically part of the security stub VOID __stdcall DoDeclarativeSecurity(MethodDesc *pMeth, DeclActionInfo *pActions, InterceptorFrame* frame) { THROWSCOMPLUSEXCEPTION(); LPVOID pSecObj = frame->GetAddrOfSecurityDesc(); *((Object**) pSecObj) = NULL; Security::DoDeclarativeActions(pMeth, pActions, pSecObj); }
The policy manager is a complex piece of code. The complexity arises from the task it needs to perform, and from the way that it is invoked. The discussion in this section is not a complete discourse on how it works, but rather, a discussion to help you understand its organization if you decide to dive into the code to study it further.
8.4
Administering the Security Policy
There are various means for specifying different parts of the evidence, depending on which part lies within your responsibilities. As demonstrated in the previous subsection, you can use declarative and imperative access specifications within your source code to define code policy. The system administrator has many other controls over the security policy by defining: • Membership conditions – conditions that apply to a particular collection of assemblies • Code groups – partition of .NET Framework code into classes • Policy Levels – partition of user groups into classes • Default security policy – the security policy that will be used in an environment in the absence of explicit overriding operations
A membership condition is an object that determines whether or not an assembly belongs to a particular class of assemblies. For example, the UrlMembershipCondition class compares the URL host evidence with a URL in the corresponding UrlMembershipCondition object to determine if they are the same or different (see the documentation delivered with the Rotor distribution, particularly the system.security.policy namespace description). If they match, the assembly is a member of the designated collection. Besides the URL membership test, the Rotor distribution supports membership conditions to check to be sure that the assembly is from the application directory, to see if the assembly is from a particular site, to check the strong name, and to check the (Internet) zone from which the assembly was delivered. A code group – the “collection of assemblies” mentioned in the previous paragraph – is an object that establishes a relationship between a permission set and membership conditions. Specific code groups are subclasses of the System.Security.Policy.CodeGroup class. When the object is created, a membership condition and a policy statement are specified for the code group. A policy statement (System.Security.Policy.PolicyStatement) is a container for a granted permission set along with an optional set of code group attributes. Sets of code groups can be organized into hierarchies by using the member conditions (see Figure 8-7 – which could also be represented as a tree). All assemblies are in a code group that satisfies the AllMembershipCondition. Assemblies that have match ZoneMembershipCondition of trusted constitute a code group that is a subset of all assemblies. Assemblies that match the UrlMembershipCondition of http://www.foo.com constitute another subset of all assemblies (whose intersection with the trusted Internet zone code group is nonempty. Similarly, the other membership conditions can be used to classify assemblies into code groups.
All Assemblies
From Trusted Internet Zone
From MyComputer From App Directory
From /usr/bin
From http://www.foo.com
Figure 8-7: Hierarchical Code Groups Each of the code groups has a permission set associate with it – so code groups close to the root of any particular hierarchy (again, which is always the code group whose members each satisfy the AllMembershipCondition) have stronger permission sets than those that are distant from the root. In Figure 8-7, the “From MyComputer” code group contains assemblies that match ZoneMembershipCondition with MyComputer. Within this code group are the code groups that match ApplicationDirectoryMembershipCondition, or that specifies a particular directory. The SSCLI will resolve code groups from the root toward leaves, classifying until membership conditions fail. The optional code group attributes in a PolicyStatement provide control over the traversal of the hierarchy.
System administrators can configure the code access security mechanism by providing policy directives that will be used during policy resolution. (Programmers can further influence the policy with imperative and declarative specifications.) However the policy resolution algorithm is fixed by the SecurityManager class in the bcl and by code in the Rotor CLI.. That is, the policy resolution algorithm is implemented by an object from the System.Security.SecurityManager class. This object uses the administrable policy parameters and the host evidence to determine if the selected permission set should be granted (see Figure 8-8). From the system administrator’s perspective, the policy is influenced by attaching attributes to the different policy levels (there are level for the entire enterprise, for the current machine, the current user, and the current app domain). The SecurityManager object then begins intersecting the permission sets specified as a hierarchy in each policy level to derive the ultimate granted permission set that applies to this assembly in this app domain (for this user, in this machine, in this enterprise) – see [Watkins & Lange, 2002][LaMacchia, et al., 2002]. Microsoft CLR documentation describes how to configure the policy levels. You can get the flavor of this approach by inspecting the XML file stored at /FOOBAR/IN/UNIX/ security.config, (or C:\WINNT\Microsoft.NET\Framework\v1.0.3705\CONFIG\security.config in Windows XP). On a Windows XP machine, you can also view the configuration file by using a cmd.exe to launch MSCorCfg.msc. Enterprise Code CodeGrp Grp Code CodeGrp Grp
Perm. Perm.Set Set Perm. Perm.Set Set
Code CodeGrp Grp
Perm. Set
…
… Perm. Set
Host Host Evidence Evidence
Perm. Perm.Set Set
Policy Resolution
Machine Code CodeGrp Grp
…
…
Granted Granted Permissions Permissions
User Code CodeGrp Grp
…
Perm. Perm.Set Set
…
App Domain Code CodeGrp Grp
…
Perm. Perm.Set Set
…
Figure 8-8: Policy Levels and Policy Resolution
8.5
Lab Exercise: Customizing the Security Policy
Part A: In this lab exercise you will need an application program with at least 3 assemblies so you can compare the interactions of a main assembly with one highly secure assembly and one normal assembly. This first part of the exercise is to construct these assemblies so that you can use them in Parts B and C. The descriptions and prototypes for the assemblies are provided in the Background section.
Part B: This part of the assignment is to instrument the classes in …/clr/src/vm/security.cpp so that they print out a trace of the behavior of the security manager as it checks the permissions for the application program from Part A. This will require that you study the classes in security.cpp to find good places to place printf() statements to report event occurence. The output from these statements will then appear on your console (interleaved with the application’s output). You should be able to trace link time and execution time security checks with your instrumentation. Once you have instrumented the CLI code, obtain traces for at least the following situations: 1. Run the application from Part A using the machine’s default security policy. 2. Save your SecAssy subdirectory by renaming it, then create a new SecAssy subdirectory in your application directory. Copy the SecAssy.dll that is owned by another user into the new SecAssy. The idea is that the new SecAssy.dll could potentially have different permissions than the original SecAssy.dll, since it is owned by a different user. Repeat Step 1. Part C: In this part of the exercise, inspect and modify your machine’s security policy as follows: 1. Determine the differences between the security policy for the enterprise and for the machine. Describe the differences in a report form. 2. Determine the differences between the security policy for the machine and for the user. Describe the differences in a report form. 3. Change the machine level permissions so that the SecAssy.dll that is owned by a different owner is in a different code group from the main application, and it forbids writing of its variables. 4. Repeat Part B. 8.5.1 Background The secure and generic assemblies need not be complex in order to conduct this experiment. Here is the code we used to specify the main program: using System; using Lab8; // Main application for the assembly class MainApp { public static void Main() { … // Test the generic assembly GenClass gen = new GenClass(); gen.genSecFunc(); gen.setVal(…); gen.getVal()); … // Test the secure assembly SecClass sec = new SecClass(); sec.secFunc(); sec.setVal(…); sec.getVal()); … } // End of Main method } // End of MainApp class
The other two assemblies provide elementary services to the first assembly. The secure assembly is in the SecAssy assembly: namespace Lab8 {
public class SecClass { private int myJewel; public int secFunc() { Console.WriteLine("SecClass: …"); return(0); } // end of secFunc method public int setVal(int x) { myJewel = x; return(0); } // end of setVal method public int getVal() { return(myJewel); } // end of getVal method } // End of SecClass class } // End of Lab8 namespace
Define the GenAssy class similarly.
Instrumenting the CLI Code First, note that the essence of this part of the lab exercise is for you to inspect the execution of the security code at various points. This could be done with the debugger, but then you would not have a file to represent your findings. However, you can decide which parts of the code you are going to instrument by using debugger breakpoints, then instrument your chosen breakpoints with printf() statements. Recall from Section 8.3 that once the EE security object has been created, its services are invoked when BCL/CLI functions call a permission’s Demand() function. You can exploit this fact to instrument runtime calls to the security manager.
The caspol Tool Microsoft includes the .NET Framework Configuration tool with its production CLR, but not with the Rotor CLI. This tool is a visual windows tool for managing the security policy. The production system and the Rotor CLI both include a command line tool for managing security policies, named caspol. The caspol tool is well documented in the MSDN online documentation (and to a lesser degree in the Rotor …/docs/tools directory). The caspol tool should be used to solve Part B of the lab exercise. You can add a new permission set using caspol, but you need to use another tool to define the permission set. In the production Windows environment, the .NET Framework Configuration tool can be used for this purpose, but in the Rotor CLI environment, you will need to manually extend the BCL base classes to define new permission sets.
Extending the BCL to Define Policy You can consult the BCL to see the behavior of a permission set (see …/clr/src/bcl/system/security/permissionset.cs and namedpermissionset.cs). You can also use an XML program to extend the PermissionSet base class to define your own permission set. The XML files are in C:\WINNT\Microsoft.NET\Framework\v1.0.3705\CONFIG\security.config on my XP machine.
8.5.2
Attacking the Problem
You will need to store TrustedAssy and UntrustedAssy in their own directories, different from the application directory containing SecPolicyTest. In order to avoid the problem with configuration files on UNIX (see the lab exercise for Chapter 6), if you store TrustedAssy in a subdirectory named TrustedAssy in the application directory, and UntrustedAssy in a subdirectory named UntrustedAssy, then the default machine configuration will find these assemblies.
9
Communicating Across Application Domains
An app domain is the fundamental environment for hosting a managed computation. Assemblies are loaded into an app domain, then objects are able to reference members in the classes in the app domain mini address space (in the assembly’s micro address space). The CLI allows multiple threads to execute in an app domain (see Section Error! Reference source not found.), and for an address space to support multiple app domains. Further, it provides a remoting mechanism (see Section Error! Reference source not found.) to allow an object in one app domain to reference a public member of an object in another app domain – whether or not it is in the same address space, or even the same machine. There are three different kinds of inter app domain communication (see Figure 9-1): 1. Communication between objects in two different app domains in the same address space. 2. Communication between an object in one address space and another object in a different address space, but on the same machine. 3. Communication between objects on different machines. All three of these types of communication use the CLI remoting mechanism. Before diving into the details of CLI remoting, we will consider a broad range of types of communication among entities in different generic address spaces. App Domain Mini Address Space
OS Process Address Space
Assembly Assembly Micro Micro Assembly Assembly Address Address Micro Micro Space Space Address Address Space Space
1 3 CLI Thread 2 Address Space
Machine A
Machine B
Figure 9-1: Inter App Domain Communication
9.1
A Model of Communication Approaches
The communication model is usually the cornerstone of the distributed programming support system, so it is fundamental to a DVM. The communication model defines the means by which threads1 executing on one machine are able to share information with threads operating in a different address space. The characteristics of the communication model influence the ease and efficiency with which different programming paradigms can be employed. Let’s briefly consider what predecessor systems have done to support communication.
1
The term “thread” is used in the section to refer to any schedulable units of computation, including processes, OS threads, CLI threads, tasks, objects, and so on.
BSD sockets, used in conjunction with the host operating system’s file I/O operations, are the basis of Windows and Unix network communication models. Sockets are an OS-level mechanism that support synchronous and asynchronous send, and blocking and nonblocking receive [Nutt, 2004]. Socket implementations that use IPV6 also support (asynchronous) multicast communication. Sockets can be used directly – by writing programs that use the BSD socket library, programmers can implement almost any style of IPC that they desire. Today, sockets are the basis of implementations of many different abstract IPC paradigms (ranging from file transfer to shared memory). At the lowest levels of the implementation, these abstractions generally use the BSD socket API. IP, TCP, and UDP are middle level abstractions of the socket interface (sockets cannot be used directly without an associated protocol such as TCP or UDP). Using TCP, a distributed programmer can create an IPC environment in which constituent threads interact with full duplex byte streams. UDP provides a similar interface, but using datagrams (and hence no built-in delivery reliability). The PVM designers based their DVM around IPC to export asynchronous send, multicast, and broadcast operations (which may or may not have a response), and both the blocking and nonblocking receive. PVM and MPI are generally implemented on top of TCP, though it is possible to implement them directly on the network data link layer. In the HPCC domain, this proved to be the “right” kind of DVM IPC mechanism, since HPCC programmers preferred the freedom to define their own binding, granularity, and synchronization policies. The argument that this is “right” is intuitive, and based on the broad use of PVM and MPI by HPCC programmers, followed by its subsequent use in contemporary Beowulf configurations. The OSF DCE adopted a different approach: Instead of providing a general IPC mechanism, the presumption is that applications will explicitly conform to the client-server model. Further, clients perceive services as functions that are invoked using RPC (as opposed to other patterns of asynchronous interaction). Because parameter passing is not practical for bulk data distribution, a distributed file system is also provided so that information can be shared in large-grained units – files. You can judge for yourself whether or not this is/was the right stuff. JVM is based on the object paradigm, implicitly in conjunction with client-server distribution. Since all information is referenced via a class interface, the essential element of distribution is the ability to distribute objects, then to be able to invoke their methods remotely. RMI is the primary IPC mechanism, and HTTP is the primary bulk data transfer mechanism. JVM is also often used with an underlying OS level remote file system (such as NFS). The first wave of .NET tools is designed to support an application domain with interactive web services built on XML, HTTP, UDDI, WSDL, and SOAP. This suggests that an underlying virtual machine would be “right” if it were well-suited to implementing file transfer (XML and HTTP) and remote objects (WSDL and SOAP). However, .NET is a long-term initiative, so the CLI designers had to be prepared to meet these immediate need as well as new requirements that could appear in the next several years. The CLI design for WBCC communication styles can be thought of as a multi dimensional space, intuitively represented by Figure 9-2. (The figure is a visual aid rather than a concrete model of the space.) The basic idea is that there are multiple dimensions in which one can think about communication. Different approaches exist as regions (points, lines, planes, or volume) in the resulting space. Since the WBCC domain is still evolving, application programmers do not yet know where “the sweet spot” is in this space. The .NET designers are focused on one particular region in the space, but the CLI designers’ goal is to be able to span as much of the space as possible.
Synchronization
Raw bits/bytes Built-in type definitions Global static definitions Encapsulated static definitions
Parameters
Messages
One-way
Files
Asynchronous
File systems
Large-grained Synchronous
Manual exchange
Fine-grained Synchronous
Unit of Exchange
Self-describing data
Binding the Interpretation Figure 9-2: The WBCC Communication Style In the figure, the x-axis is intended to represent the size of the units of data exchange among the parts of the computation, the y-axis addresses the synchronization style, and the z-axis represents the means by which the data interpretation is defined. Here is an informal, intuitive description of various points on the three axes: • Unit of Exchange o Manual exchange: There is no mechanism for exchange. This is the “Adidas Network,” or the case in which files or databases are written to archived media, then the medium is carried from one system to another by a person (wearing running shoes). o File systems: Remotely mounted file systems. Once a file system is mounted, all files in the file system can be shared among its clients. Sun NFS is the most widely-used example of this approach. The OSF DCE relies on this technology for its bulk data transfer. o File: Parties exchange individual files. First generation WBCC virtual machines make heavy use of this approach: Participants use HTTP to share HTML files with a web browser humanuser interface. Earlier examples include FTP and email protocols. o Messages: Copies of information are transferred among address spaces with send/receive operations. PVM/MPI focus on this approach. o Data structures. Programmers can define various data structures as “shared,” allowing different units of the computation to read and write them. The Linda system [Carriero and Gelernter, 1986] is a good example of this form of communication. o Parameters: Remote procedure call or remote method invocation. Sun RPC, Java RMI, and CLI remote objects are examples of this approach. • Synchronization o One-way: The sender transmits information with no form of acknowledgement from the receiver. Broadcast protocols are often one-way. Many web caching and streaming media applications depend on this pattern of operations. o Asynchronous: This represents the asynchronous send, blocking/nonblocking receive paradigm. The sender issues a message, then checks for the response at an arbitrary later time. PVM/MPI provide specific support for this approach. o Large-grained synchronous: The sender synchronizes with the receiver in a regular pattern, but not very frequently. The successive overrelaxation algorithm for Gaussian elimination is an example of this approach [Jamieson, et al., 1987].
Fine-grained synchronous: The sender and receiver operate in close harmony. In the distributed processor case, this might mean that the sender and receiver synchronize at the end of every machine instruction execution (as was done in SIMD processors). In OO systems, RMI is usually regarded as fine-grained synchronous communication. Binding data interpretation o Raw bits/bytes: There is no explicit agreement as to the meaning of the bits/bytes that are transferred. ASCII and Unicode are bare steps above this form of format binding. o Built-in types: All source programs involved in the computation have a set of type definitions determined by the language. All parts agree on the interpretation of the bits/bytes by this type system. o Globally shared static type definitions: In this case, the different parts of the computation use a previously-defined set of extensible data types. For example, C header files are used to define data types that are shared among all parties in the computation. o Encapsulated static definitions: This refers to situations in which the programmer defines a format for the data that is used to marshal data before it is sent, then to unmarshal the data after it is received. This approach is used in the external data representation (XDR) in the Sun RPC package. o Self-describing type system: This term refers to a situation in which one can use a class hierarchy of marshaling/unmarshaling routines, enabling the communication mechanism to choose the binding mechanism at the times the information is transmitted and received. This approach was advocated in Modula-3 [Birrell, et al., 1993], and is supported in the CLI remoting mechanism.
o
•
In this informal representation, the origin of the space is intended to represent systems that do not support IPC that is appropriate for distributed programming. As we move out along each dimension, the system provides more specialized support for that particular category. Various communication systems focus on supporting some point/line/plane/volume in the space. For example, PVM/MPI style communication is intended to support messages as the unit of exchange, using global static definitions for format binding, but with a broad spectrum of synchronization approaches – it might be represented in the visual space as a vertical line (parallel to the y axis). Similarly, RPC might be represented by a single point in the space (parameters, fine-grained synchronous, encapsulates static definitions). .NET WBCC applications are centered around a files as a unit of information exchange. Synchronization can be one-way, asynchronous, or large-grained synchronous. With HTML and XML, computations tend to use global static data type declarations. Sockets could be used to address the entire space, by adding appropriate abstractions. The CLI communication mechanism is designed with a similar purpose in mind, though it provides considerable functionality to socket-level communication.
9.2
Using Remoting
Recall from Section Error! Reference source not found., that remoting allows an object in one address space to invoke a member function in an object in a distinct address space (see Figure 9-3). The idea is that a remote object is represented in the local (“client”) machine by a transparent proxy, and in the remote (“server”) machine by a real proxy. When a local object references a member of a remote target, it interacts with the transparent proxy, which uses a channel to communicate with the real proxy. The channel is a protocol abstraction of a network communication mechanism that can use transport layer protocols for two-way communication. The transparent proxy provides an object interface to the application program, then marshals the remote member reference into a form suitable for export to a different machine. Next the transparent proxy transmits the serialized reference over the channel to the real proxy. The real proxy accepts the RMI request from the transparent proxy, then unmarshals the reference. It then performs a local call on the target method in the target object on the server. The CLI remoting mechanism also uses the real and transparent proxies to support exceptions: If the remote object raises an exception, it is returned back through the real proxy over the channel to the transparent proxy to the local object where the “caller” can handle the exception as it sees fit.
App Domain
App Domain
Result Or Exception Transparent Transparent Proxy Proxy
Channel Channel
Marshaling (Serialization)
RMI
Address Space
Assembly
Real Real Proxy Proxy Unmarshaling (Deserialization)
(Local call)
Remoting call
Assembly
Address Space
Figure 9-3: Remoting (Same as Figure Error! Reference source not found.) These components and structures are shown in Figure 9-3; collectively they represent one design for supporting conventional RPC across app domains (see Section Error! Reference source not found.): The transparent proxy corresponds to the RPC notion of client stub, the real proxy performs many of the same functions as a server stub, and the channel can support various network protocols (the CLR uses various channel protocols including TCP, HTML, and SMTP). The desired remoting configuration (the remote object identification, the channel configuration, and so on) is dynamically established using the CLI API. This allows for very flexible forms of interaction between the client and server. It is not our purpose to provide all the details for programming the CLI (though you will find the online MSDN .NET Framework SDK QuickStart tutorial for Common Tasks (see http://samples.gotdotnet.com/quickstart/howto/) to be helpful in this regard – particularly see the collection of web pages under the “Remoting” category. In order to motivate our discussion of the remoting design and implementation, Figure 9-4 provides a simple example of how to use remoting (almost exactly the same one in the QuickStart tutorials). The example shows the remote object server (class RemoteHello) and the remote object (class HelloService). Figure 9-5 shows a client program that calls HelloService.HelloMethod()in the server. The essential functions performed by any remoting server include: 1. Create a local object to interact with a channel 2. Register the channel object 3. Register the object that will be referenced remotely via the channel 4. Route method invocations to the object 5. Route exceptions back to the client object The client’s responsibility is the complement of the server’s actions: 1. Create a local object to interact with a channel 2. Register the channel object 3. Register the object that will be referenced remotely via the channel 4. Coordinate with the server on RMIs.
using using using using
System; System.Runtime.Remoting; System.Runtime.Remoting.Channels; System.Runtime.Remoting.Channels.Tcp;
namespace RemotingHello { public class RemoteHello { public static int Main(string [] args) { TcpChannel chan = new TcpChannel(8085); ChannelServices.RegisterChannel(chan); RemotingConfiguration.RegisterWellKnownServiceType( GetType("RemotingHello.HelloService"), "SayHello", WellKnownObjectMode.SingleCall); System.Console.WriteLine("Hit <enter> to exit..."); System.Console.ReadLine(); return 0; } } public class HelloService : MarshalByRefObject { public HelloService() { Console.WriteLine("HelloService activated"); } public String HelloMethod(String name) { Console.WriteLine("Hello.HelloMethod : {0}", name); return "Hi there " + name; } } }
Figure 9-4: Remoting Hello Server Class using using using using
System; System.Runtime.Remoting; System.Runtime.Remoting.Channels; System.Runtime.Remoting.Channels.Tcp;
namespace RemotingHello { public class Client { public static int Main(string [] args) { TcpChannel chan = new TcpChannel(); ChannelServices.RegisterChannel(chan); HelloService obj = (HelloService)Activator.GetObject( typeof(RemotingHello.HelloService), "tcp://localhost:8085/SayHello"); if (obj == null) System.Console.WriteLine("Could not locate server"); else Console.WriteLine(obj.HelloMethod("Student")); return 0; } } }
Figure 9-5: The Remoting Hello Client
Next let’s consider the spectrum of mechanisms the programmer has available for controlling the behavior of remoting: • Configuring the Channel. The simple example illustrates this mechanism. In general, the Rotor CLI provides support for two types of channels, TcpChannel and HttpChannel. It is also possible to create custom channels for other transport applications. The channel can be configured to use either a binary or SOAP formatter, meaning that it serializes information into either binary or SOAP form. • Marshaling and Unmarshaling. Before information can be passed across address space boundaries, it needs to be transformed from the client’s in-memory representation into an external form (marshaling). This host-independent form is then transferred over the communication wire to the server where it will again be translated, this time from the external form into the server’s inmemory representation (unmarshaling). The transformation process is also called serializing and unserializing, since marshaling converts a data structure into a byte stream, then unmarshaling reconstitutes the data structure at the receiver’s end. In order to achieve the most general mechanism for binding (in our informal model of communication shown in Figure 9-2), the CLI uses an approach similar to Modula-3 pickling – introduced in Section Error! Reference source not found., and described fully in [Birrell, et al., 1993]. • Remotable Types. The marshaling/unmarshaling tasks require that the target data structure contain enough information for the conversion to work properly. Therefore, classes are divided into those that are remotable and those that are not (“non-remotable” classes). Only remotable objects can be serialized and passed over a channel. There are three sub types of remotable objects: o Context-bound. An Object derived from the ContextBoundObject class is contextbound. It means that the object resides inside a context and that any message sent by objects outside the context will need to be marshaled. By contrast, an object is context-agile if it acts within the context of the calling objects, so message marshaling is not required. If an object is context-bound with context attributes, it operates only in the context that matches these attributes. o Marshal-by-value. When information is marshaled and transmitted to a remote object, it may be passed by value or reference. If the remotable type is marshal-by-value, the remoting mechanism creates a duplicate copy of the information, then transmits the copy to the server. The client and server each interact with their own copy of the information. The configuration does not use the two proxies shown in Figure 9-3. The programmer can declare the information type to be marshal-by-value using the C# Serializable attribute when the data structure (including a class) is declared. Alternatively, a program can serialize an object using the facilities in the System.Runtime.Serialization namespace (implemented in …/clr/src/bcl/system/runtime/serialization/iserializable.cs). A marshal-by-value data structure – object – is also context-agile. When an object in the client app domain wants to interact with the marshal-by-value object located on the server, it interacts with the copy residing in its own app domain instead of the original object in the server domain.
Marshal-by-reference. If an object is to be passed by reference – it is a remotable type marshal-by-reference – the remoting mechanism causes that object to be loaded onto the server. In this case, the proxies will be configured and installed so that when the client references the object, the reference will be directed to the transparent proxy where it will be marshaled and passed to the real proxy on the server. As you probably have guessed, such objects need to incorporate some sophisticated behavior; this is done by inheriting from the MarshalByRefObject base class (see …/clr/src/bcl/system/marshalbyrefobject.cs). When the remote object is instantiated on the server, the remoting mechanism is also instantiated: The server transmits a System.Runtime.Remoting.ObjRef object (see …/clr/src/bcl/system/runtime/remoting/objref.cs) to the client so that it can create the transparent proxy with the appropriate public and channel interfaces. The client’s view of the object is that it is a context-agile in its app domain. Activation is the process of creating an instance of a remotable type. The marshal-by-value objects are duplicated in the serialization process and activated when deserialized, so there is no special activation mechanism needed. There are two different ways for activating a marshal-byreference type: o Server activation. Server must publish the object type at a well-known Uniform Resource Identifier (URI) endpoint/address. The remoting infrastructure activates an instance of the marshal-by-reference type when requested by the client and assigns it the well-known URI published by server. There are two kinds of activation semantics: Singleton. A singleton instance maintains its state between method calls and only one instance of the type is created on the server side. This means that the value of the member variables will persist across method calls. Even though different clients having different transparent proxies representing this instance, all of them reference the same instance on the server. Single call. A new singlecall instance will be activated on each method invocation made by a client. After the method returns, the instance is no longer available and the value of its member variables will be lost. Different invocations create different instances on the server side. o Client activation. When different clients want to create their own dedicated instance of a remotable type on the server side, they can use the client activation model. Client-activated instances maintain their state like singleton instances does, but each client reference maps to its own dedicated instance of the remotable type. When an instance of a client-activated type is activated, the remoting infrastructure generates and assigns a Global Unique Identifier (GUID) to it. The GUID is also mapped to the transparent proxy in the client. A remoting stub is used when an object in one app domain calls a method in an object in a different app domain (see Section Error! Reference source not found. and Chapter 7). Remoting stubs are used to invoke marshalling objects when a remote method is invoked. By using remoting stubs arguments can be translated at the time of the call without writing interface definition language specifications – instead, the SSCLI uses the metadata to translate the data into host compliant format. o
•
•
9.3
Channels
In both the remoting hello client and server programs (see Figure 9-4 and Figure 9-5), a TcpChannel object is created to create a communication channel between the two parts of the distributed program. In the example, the TCP port number is hardwired into the program to be 8085. The TcpChannel class is defined in …/managedlibraries/remoting/channels/tcp/combinedchannel.cs. Here is a heavily elided version of the class definition: public class TcpChannel : IChannelReceiver, IChannelSender { private TcpClientChannel _clientChannel = null; // client channel private TcpServerChannel _serverChannel = null; // server channel
… public TcpChannel() [This version is used by the client] { _clientChannel = new TcpClientChannel(); // server channel will not be activated. } // TcpChannel … public TcpChannel(int port) : this() [This version is used by the server] { _serverChannel = new TcpServerChannel(port); } // TcpChannel … public TcpChannel(IDictionary properties, IClientChannelSinkProvider clientSinkProvider, IServerChannelSinkProvider serverSinkProvider) { … // divide properties up for respective channels … clientChannel = new TcpClientChannel( clientData, clientSinkProvider); if (portFound) _serverChannel = new TcpServerChannel( serverData, serverSinkProvider); } // TcpChannel … } // class TcpChannel
Notice that the TcpChannel class inherits from the IchannelReceiver and IchannelSender classes, which inherit from the Ichannel class (see …/clr/src/bcl/system/runtime/remoting/ichannel.cs). Watch out for overloaded functions: public interface IChannel { … int ChannelPriority { [SecurityPermissionAttribute(SecurityAction.LinkDemand, Flags=SecurityPermissionFlag.Infrastructure)] get; } … String ChannelName { [SecurityPermissionAttribute(SecurityAction.LinkDemand, Flags=SecurityPermissionFlag.Infrastructure)] get; } … [SecurityPermissionAttribute(SecurityAction.LinkDemand, Flags=SecurityPermissionFlag.Infrastructure)] String Parse(String url, out String objectURI); } public interface IChannelSender : IChannel
{ … } // interface IChannelSender public interface IChannelReceiver : IChannel { … }
The TcpChannel class members also depend on TcpChannelServer (see …/managedlibraries/remoting/channels/tcp/tcpserverchannel.cs) and TcpChannelClient classes (see …/managedlibraries/remoting/channels/tcp/tcpclientchannel.cs), which inherit from IchannelReceiver and IchannelSender classes, respectively. These functions uses the SocketHandler class (see …/managedlibraries/remoting/channels/core/socketmanager.cs) class and the BSD socket library to create the TCP connection over the channel. Next, the both the client and server register the channel with the RegisterChannel() function in the ChannelServices class (see …/clr/src/bcl/system/runtime/remoting/channelservices.cs). This function calls the RegisterChannelInternal(), which keeps track of each channel as it is opened: unsafe internal static void RegisterChannelInternal(IChannel chnl) { // Validate arguments … lock (s_channelLock) { String chnlName = chnl.ChannelName; RegisteredChannelList regChnlList = s_registeredChannels; // Check to make sure that the channel has not been // registered if(…) { [Register the channel in the RegisteredChannel[] array] … if (…) { // This is the first channel being registered. // (we know this since the x-appdmn channel can't // be unregistered). AppDomain.CurrentDomain.DomainUnload += new EventHandler(UnloadHandler); newList[0] = new RegisteredChannel(chnl); } else { // Add the interface to the array in priority order … } } if (perf_Contexts != null) { perf_Contexts->cChannels++; }
if (perf_globalContexts != null) { perf_globalContexts->cChannels++; } s_registeredChannels = new RegisteredChannelList(newList); } else { throw new RemotingException(String.Format( Environment.GetResourceString( "Remoting_ChannelNameAlreadyRegistered"), chnl.ChannelName)); } RefreshChannelData(); } // lock (s_channelLock) } // RegisterChannelInternal
The server then registers the server object using RemotingConfiguration.RegisterWellKnownServiceType ( GetType("RemotingHello.HelloServer"), "SayHello", WellKnownObjectMode.SingleCall );
a function in the System.Runtime.Remoting.RemotingConfiguration namespace (defined in …clr/src/system/runtime/remoting/remotingconfiguration.cs), which ultimately calls the following function: public static void RegisterActivatedServiceType( ActivatedServiceTypeEntry entry) { RemotingConfigHandler.RegisterActivatedServiceType(entry); // make sure we're listening for activation requests // (all registrations for activated service types will come // through here) if (!s_ListeningForActivationRequests) { s_ListeningForActivationRequests = true; ActivationServices.StartListeningForRemoteRequests(); } } // RegisterActivatedServiceType
This code establishes the link between the incoming RMI and the ActivatedServiceTypeEntry (the remotely accessible method).
9.4
Proxies
Marshal-by-reference objects use proxies to pass messages back and forth between the client and the server. As you saw in the remoting hello example, the client and serve establish a channel between them prior to any remote method invocation. Once the channel is in place, the remoting mechanism is set up from the server end. That is, the object that is to be accessed from client machines must be instantiated before a client can invoke one of its methods. From a programmer’s perspective, the server (Figure 9-4) is started before the client, and it creates an app domain in which an object from the remote class can be instantiated, opens the channel, then registers the object that can be invoked remotely: RemotingConfiguration.RegisterWellKnownServiceType( Type, String, WellKnownObjectMode);
This method is defined in the RemotingConfiguration class found in the System.Runtime.Remoting namespace. This method essentially just calls RemotingConfigHandler.RegisterWellKnownServiceType() (which can be found in …/clr/src/system/runtime/remoting/configuration.cs). This code performs the actual work (along with internal void AddWellKnownEntry() by determining whether or not the object has been previously registered, and by storing the current registration information as an entry in its table of well-known services. Once this code has completed, the server is prepared to accept method invocations. As shown in Figure 9-5 the client initializes the channel from its side, using the previously agreedupon port number. Then it is ready to inform the server that it would like to invoke a method on one of its objects by calling GetObject() (see …/clr/src/bcl/system/activator.cs): // This method is a helper method and delegates to the remoting // services to do the actual work. … static public Object GetObject(Type type, String url) { return GetObject(type, url, null); } // This method is a helper method and delegates to the remoting // services to do the actual work. … static public Object GetObject(Type type, String url, Object state) { if (type == null) throw new ArgumentNullException("type"); return RemotingServices.Connect(type, url, state); }
RemotingServices.Connect() is defined …/clr/src/bcl/system/runtime/remoting/remotingservice.cs: public static Object Connect(Type classToProxy, String url) { return Unmarshal(classToProxy, url, null); }
Unmarshal() is defined in the same file; this creates the transparent proxy: internal static Object Unmarshal(Type classToProxy, String url, Object data) {
in
if (null == classToProxy) { … } if (null == url) { … } if (!classToProxy.IsMarshalByRef && !classToProxy.IsInterface) { …} BCLDebug.Trace("REMOTE", "RemotingService::Unmarshal for URL" + url + "and for Type" + classToProxy); … // Create the envoy and channel sinks objectURI = CreateEnvoyAndChannelSinks(url, data, out chnlSink, out envoySink); // ensure that we were able to create a channel sink if (chnlSink == null) { … } // // // // //
Try to find an existing identity or create a new one Note: we create an identity entry hashed with the full url. This means that the same well known object could have multiple identities on the client side if it is connected through urls that have different string representations.
// Also, we are resetting the envoy and channel sinks on an // existing identity as FindOrCreateIdentity can return an // existing identity established by an earlier call Identity idObj = IdentityHolder.FindOrCreateIdentity(objectURI, url, null); // Set the envoy and channel sinks in a thread safe manner SetEnvoyAndChannelSinks(idObj, chnlSink, envoySink); // Get the proxy represented by the identity object proxy = GetOrCreateProxy(classToProxy, idObj); Message.DebugOut("RemotingService::Unmarshal returning "); return proxy; } … private static Object GetOrCreateProxy(Type classToProxy, Identity idObj) { Message.DebugOut("Entering GetOrCreateProxy for given class\n"); Object proxy = idObj.TPOrObject; if (null == proxy) { // Create the proxy proxy = SetOrCreateProxy(idObj, classToProxy, null); } // proxy from idObj may be non-null if we are doing a Connect // under new XXX() ... also if we are connecting to a remote URL // which we previously connected. // If we are in the same domain as the server object then we
// // // //
can check for type compatibility of the proxy with the given type. Otherwise, we will defer this check to method call time. If we do not do this now then we run the risk of returning a proxy which is different from the type given.
ServerIdentity serverID = idObj as ServerIdentity; if (null != serverID) { // Check for type compatibility Type serverType = serverID.ServerType; if (!classToProxy.IsAssignableFrom(serverType)) {…} } // At this point we should have a non-null transparent proxy BCLDebug.Assert(null != proxy && IsTransparentProxy(proxy), "null != proxy && IsTransparentProxy(proxy)"); Message.DebugOut("Leaving GetOrCreateProxy for given class\n"); return proxy; }
The SetOrCreateProxy() method (in the same file) ensures that there is both a transparent and real proxy. When the server receives the request the real proxy transmits an ObjRef back to the client, providing it with the information it needs (as metadata) to create the transparent proxy. The remote object is finally ready to be used by the client. As you can see in following code, the client side can initiate thee real proxy before it creates the transparent proxy. Once both proxies are running, the client side can reference methods in the remote object as if they were local objects (see the remote object call in Figure 9-5): private static MarshalByRefObject SetOrCreateProxy( Identity idObj, Type classToProxy, Object proxy) { Message.DebugOut("Entering SetOrCreateProxy for type \n"); RealProxy realProxy = null; // If a proxy has not been supplied create one if (null == proxy) { // Create a remoting proxy Message.DebugOut("SetOrCreateProxy::Creating Proxy for " + classToProxy.FullName + "\n"); ServerIdentity srvID = idObj as ServerIdentity; if (idObj.ObjectRef != null) { ProxyAttribute pa = ActivationServices.GetProxyAttribute(classToProxy); realProxy = pa.CreateProxy(idObj.ObjectRef, classToProxy, null, // … null); // … } if(null == realProxy) { // The custom proxy attribute does not want to create a // proxy. We create a default proxy in this case.
… } } else { BCLDebug.Assert(IsTransparentProxy(proxy), "IsTransparentProxy(proxy)"); // Extract the remoting proxy from the transparent proxy Message.DebugOut( "SetOrCreateProxy::Proxy already created \n"); realProxy = GetRealProxy(proxy); } BCLDebug.Assert(null != realProxy,"null != realProxy"); // Set the back reference to the identity in the proxy object realProxy.IdentityObject = idObj; // Set the reference to the proxy in the identity object proxy = realProxy.GetTransparentProxy(); proxy = idObj.RaceSetTransparentProxy(proxy); Message.DebugOut("Leaving SetOrCreateProxy\n"); // return the transparent proxy return (MarshalByRefObject)proxy; }
You can trace this code deeper, until it ultimately makes fcalls into the C++ methods in the CRemotingServices class in …/crl/src/vm/remoting.cpp, such as the following three methods: //+------------------------------------------------------------------------// // Method: CRemotingServices::GetRealProxy public // // Synopsis: Returns the real proxy backing the transparent // proxy //+-----------------------------------------------------------------------FCIMPL1(Object*, CRemotingServices::GetRealProxy, Object* objTP) { // Check if the supplied object has transparent proxy method table Object* rv = NULL; if ((NULL != objTP) && IsTransparentProxy(objTP)) { // RemotingServices should have already been initialized by now _ASSERTE(s_fInitializedRemoting); rv = OBJECTREFToObject(CTPMethodTable::GetRP(OBJECTREF(objTP))); } LOG((LF_REMOTING, LL_INFO100, "!GetRealProxy(0x%x) returning 0x%x\n", objTP, rv)); return(rv); } FCIMPLEND //+-----------------------------------------------------------------------//
// Method: CRemotingServices::CreateTransparentProxy public // // Synopsis: Creates a new transparent proxy for the supplied real // proxy //+-----------------------------------------------------------------------FCIMPL4(Object*, CRemotingServices::CreateTransparentProxy, Object* orRPUNSAFE, ReflectClassBaseObject* pClassToProxyUNSAFE, LPVOID pStub, Object* orStubDataUNSAFE) { … // Ensure that the fields of remoting service have been initialized // This is separated from the initialization of the remoting services if (!s_fInitializedRemoting) { if (!InitializeFields()) {…} } // Check if the supplied object has a transparent proxy already if (((DWORD_PTR)gc.orRP->GetPtrOffset(s_dwTPOffset)) != NULL) COMPlusThrow(kArgumentException, L"Remoting_TP_NonNull"); // Create a tranparent proxy that behaves as an object of the desired // class ReflectClass *pRefClass = (ReflectClass *) gc.pClassToProxy->GetData(); EEClass *pEEClass = pRefClass->GetClass(); pTP = CTPMethodTable::CreateTPOfClassForRP(pEEClass, gc.orRP); // Set the stub pointer pTP->SetOffsetPtr(CTPMethodTable::GetOffsetOfStub(), pStub); // Set the stub data pTP->SetOffsetObjectRef(CTPMethodTable::GetOffsetOfStubData(), (size_t)OBJECTREFToObject(gc.orStubData)); COUNTER_ONLY(GetPrivatePerfCounters().m_Context.cProxies++); COUNTER_ONLY(GetGlobalPerfCounters().m_Context.cProxies++); LOG((LF_REMOTING, LL_INFO100, "CreateTransparentProxy returning 0x%x\n", OBJECTREFToObject(pTP))); //-[autocvtepi]------------------------------------------------------… return OBJECTREFToObject(pTP); } FCIMPLEND //+------------------------------------------------------------------------// // Method: CRemotingServices::_InitializeRemoting private // // Synopsis: Initialize the static fields of CTPMethodTable class // //+------------------------------------------------------------------------BOOL CRemotingServices::_InitializeRemoting() { BOOL fReturn = TRUE; if (!CRemotingServices::s_fInitializedRemoting)
{ fReturn = CRemotingServices::InitializeFields(); if (fReturn && !CTPMethodTable::s_fInitializedTPTable) { fReturn = CTPMethodTable::InitializeFields(); } } return fReturn; }
Once the proxies have been setup, the client can issue an RMI by executing a method call in the JIT compiled code. As discussed in Section Error! Reference source not found., the JIT compiler will have written a stub into the MethodTable so that the first call to the method is intercepted. When the method call is to a remote procedure, the stub will be changed to a remoting stub that will be handled by the transparent proxy.
9.5
Lab Exercise: Using Remoting for Code Mobility
Part A. Modify your solution to Part A of the Lab Exercise in Chapter 7 so that the main program executes as a client, and the Num object is executed as a remote object in a server. In this part of the lab exercise, you can compile the Num class into the server code. The client code will then invoke Num class methods using the remoting mechanism. Figure 9-6 is a diagrammatic representation of the desired solution.
class Client { public static int main() { … = myNum.incr(…); } }
Client App Domain
class Num {…}
Ref obj
Num myNum
class Server { public static int main() {…} }
Server App Domain
Figure 9-6: Server-activated Remote Object Part B. Modify your solution to Part A so that the Num class is compiled into the client. It should create a Num object, and then pass the object to the server as an argument. Subsequent calls on the Num object must be to the copy of the object in the server (in principle you should be able to destroy the client’s version of the Num object, using only the remote object). In this part of the lab exercise, the server will have to determine the type of the class, and then load the assembly (from its local file system) that contains the Num class. That is, you will need to store a copy of the assembly containing the Num class in the server’s file system. Figure 9-6 is a diagrammatic representation of the desired solution.
class Num {…} class Client { public static int main() { Num myNum; … RemObjHost(…myNum, …); … = myNum.incr(…); } }
RemoteObjHost hostObj
Create obj Ref obj
Num myNum
class Server { public static int main() {…} }
Figure 9-7: Passing the Object to the Server … Part X [This is a more difficult problem that has not been solved a priori. Your instructor will provide you with background and design advice if he or she wishes for you to solve it]. In this part of the problem, the task is to modify the CLI as well as your C# application from Parts B and/or C. Design and implement client and server applications that work as follows: • The server is created and waits for a service request from a client. • The client uses RMI to request the “number” service (the Num class from Part A) from the server. • The server acknowledges the service request by setting up an instance of Num that can be referenced from the client, and returns a URL from which a proxy assembly can be downloaded. • The proxy assembly exports the method int Shift(int j);
• •
where j is the amount to increment/decrement on incr() and decr() calls. The client application calls Shift() to adjust all the numbers in the Num object array. The proxy uses the Num class interface to direct the server Num object behavior (that is, the proxy remotely invokes the Num object’s methods). The client downloads the proxy assembly, then loads it into its app domain. This means that you will need to reuse your solution to the lab exercise from Chapter 6, and also provide a means for your C# application to invoke the CLI downloader. The client then uses the API to invoke methods on its surrogate (which serves a purpose similar to a transparent proxy). The client surrogate uses the CLI remoting mechanism to invoke the Num class methods implemented in the server.
9.5.1 Background Section 9.2 introduces the model for programming the remoting mechanisms. As such, it provides the essential background information you need to solve this lab exercise. However, most of the details you will need to solve Parts A and B of the exercise appear in the QuickStart tutorials on the MSDN web site (http://samples.gotdotnet.com/quickstart/howto/). Although you will not be changing the CLI C++ code in this exercise, you will find it helpful to read parts of the relevant code in …/clr/src/bcl/runtime/remoting/ and …/clr/src/vm/remoting.cpp. Once you have solved this lab exercise, you will have implemented a facility that serves about the same purpose as a Java applet. In solving the various parts of this lab exercise, you will be making several important assumptions: • You will assume that security is not an issue here. If the client invokes a remote call with arguments encrypted using its private key, the server can verify them using the client’s public key in the very beginning of the asynchronous remote call and decide to execute the code or not. The Rotor CLI provides some security mechanisms like metadata for preventing data spoofing, thus the explicit typecasting of return object may fail if the metadata is not correct. • Interface and modular compilation are not used for simplicity, so the declaration of the same class appears in many files. 9.5.2 Attacking the Problem First, read “Getting an Overview of Remoting” and “How Remoting Works” that are the first two QuickStart tutorials for remoting (see http://samples.gotdotnet.com/quickstart/howto/). You can then explore the remaining topics to find useful documentation and sample code for solving this lab exercise. Here is an example class prototype for Part A: public class Num : MarshalByRefObject { private const int MAX_N = 8; private int N; private int[] val = new int[MAX_N]; public bool[] isEven = new bool[MAX_N]; public Num(); // Create MAX_N elements in the array public Num(int j); // Create j <= MAX_N elements in the array (optional) public int incr(int i); // Increment element i public int decr(int i); // Decerement element i }
10 The CLI’s Execution Environment In the previous chapters you learned about the aspects of the CLI that are most relevant to DVM technology. This final chapter summarizes the environment in which the CLI DVM executes. In the CLR, managed application generally use classes from the .NET namespace to obtain CLR services; these classes are implemented in Microsoft’s Framework Class Library (FCL). In Rotor only a subset of the CLR namespace is available to managed applications, and that subset is implemented in the base class library; Rotor interacts with the base class library to manage application programs (see Figure 10-1). The platform adaptation layer (PAL) enables the Rotor CLI to use the system call functions that are exported from the host operating system. In the case of Window, the PAL is a thin veneer, since the CLR code (from which the CLI is derived) was designed and implemented to run on the Windows NT family of operating systems. In the case of FreeBSD and OS X, the PAL is a substantial software project. The base class library and PAL are reviewed in this chapter. Managed ManagedApplications Applications Rotor RotorBase BaseClass ClassLibrary Library AssyLoader
Policy Manager
ClassLoader MethodTable
AppDomain
JIT Compiler
CLI
EE
Platform PlatformAdaptation AdaptationLayer Layer(PAL) (PAL) Host HostOS OS Hardware Hardware
Figure 10-1: The Environs
10.1 The Base Class Library The mscoree.dll implements the execution engine for the Rotor CLI. As you learned in Chapters 7-9, the operation of the mscoree depends heavily on the behavior of the mscorlib.dll, the compiled version of the base class library. The source code for the base class library is in …/clr/src/bcl/. This directory is organized to reflect the system namespace organization. The directory contains about 150 C# files to define components in the system namespace – ranging from the system.activator class to the system.weakreference class. The directory also contains subdirectories to implement sub namespaces: • collections • configuration o assemblies • diagnostics o symbolstore • globalization • io o isolatedstorage • reflection o cache
• •
•
• •
o emit resources runtime o compilerservices o interopservices expando o remoting o serialization formatters • binary Security o permissions o policy o principal o util Text Threading
By writing the hierarchical names in dotted notation, you can infer which namespaces are included in the base class library. (For example, the “collections” directory contains classes in the system.collections namespace. Similarly, since there is an “assemblies” directory under “configurations,” so the base class library includes classes from the system.configuration.assemblies namespace.) If you intend to use any of these classes, the MSDN CLR documentation describes all FCL classes, including those in the Rotor base class library. The mscorlib code is managed C# code, but the Rotor CLI is unmanaged C++ code. This means that when a mscorlib function calls a CLI function, it would normally need to use the P/Invoke mechanism. However, many of the C# functions in the mscorlib already have intimate knowledge of the CLI, so the CLR designers incorporated the fcall interface (see Chapter 7) to bypass the normal P/Invoke machinery. As you know, the CLI functions that are called with the fcall mechanism use special macros (and the ecall table), so they are easy to identify. Furthermore, the mscorlib functions are the only code that uses fcalls.
10.2 The Platform Adaptation Layer The purpose of the Platform Adaptation Layer (PAL) is to adapt the Rotor CLI code so that it can run on a target OS and hardware (see Figure 10-2). In the Rotor implementation it is interesting to note that all parts of the CLI other than the PAL code are the same for all host OS implementations – a remarkable piece of software design and implementation (even though it is somewhat tangential to DVM technology). As mentioned earlier, the Rotor CLI source code was derived from Microsoft’s production CLR source code. The adaptation generally removed functionality, making it easier for people to study an ECMA-335 implementation without having to have access to all of Microsoft’s proprietary software (such as Internet Explorer). The second aspect of the challenge is to port the Rotor CLI code so that it can be executed on top of different operating systems and different hardware platforms. The Rotor Version 1.0 distribution has been ported to FreeBSD UNIX executing on an Intel 80386 architecture, and to Apple Macintosh computers that have had OS X adapted to their PowerPC hardware and low-level software environment.
Rotor CLI CLR
Windows WindowsXP XP i386 i386
PAL PAL
Rotor CLI
FreeBSD FreeBSD i386 i386
Windows WindowsXP XP i386 i386
Rotor CLI PAL PAL OS OSXX Adaptor Adaptor Apple AppleTools Tools PowerPC PowerPC
Figure 10-2: The Challenge What is involved in such a port of the Rotor CLI to a different OS? Observe that the CLR was designed to execute on top of the Win32 API, a system call interface of over 2,000 functions. This OS interface supports the usual (POSIX-like) process/memory/file/device management functions such as ones to create/destroy processes, to allocate/deallocate resources (including the primary memory), functions to open/close and read/write files, and device functions. However, the Win32 API also exports functions to support kernel threads, memory-mapped files, a diversity of synchronization models, as well as window graphics functions. There are at least two obvious strategies one could take to adapt the Rotor CLI to a different OS, such as FreeBSD (the first port): (1) The Win32 API function calls in the CLI code could be replaced by FreeBSD system calls, or (2) a software module could be built to map Win32 API calls into the FreeBSD system calls. The problem with the first approach is that it requires that the implementation of the CLI be changed, since the adaptation requires that certain features be added to the adaptation software (such as synchronization implementations to allow Win32 API events to be implemented in terms of POSIX thread synchronization primitives). This would add complexity to the CLI code, which is a negative goal of releasing the Rotor CLI code under the shared source agreement. The Rotor team decided to use the second strategy, namely to build a software module that would be inserted between the CLI and the host FreeBSD OS – the PAL. This is a nontrivial software module (you will find it beneficial to read the requirements documentation that comes with the distribution in …/docs/techinfo/pal_guide.html early in your study of the PAL). Due to the difficulty of fully implementing the Win32 API on top of the FreeBSD (POSIX.1) system call interface, the designers note that “The PAL has been specified such that correct implementation will enable the portable subset of the .NET Framework to be run on a variety of non-Microsoft® Windows® operating systems.” (from the PAL documentation Overview). This means that there is no assurance that the PAL actually supplies full Win32 API compatibility, but that it does implement enough of the functionality to enable one to run the Rotor CLI code on top of the PAL. In the remainder of this section, we will examine some of the PAL functionality for the FreeBSD port. The OS X port is generally the same as the FreeBSD port, though there few enough differences to enable us to focus only on the FreeBSD port in this description.
10.2.1 Thread Management When you run clix.exe from a UNIX shell, a new single-threaded OS process is created and it execs the clix.exe code. Rotor CLI is launched, and begins to execute in the single-threaded UNIX process. The default behavior of the CLI is to continue to execute as a single threaded process, though the application can propagate new CLI threads using the System.Threading mscorlib API (see Section Error! Reference source not found., and the class definition in …/src/bcl/system/threading/thread.cs. Summarizing the code fragment from Section Error! Reference source not found., this code ultimately makes an fcall to the CLI: public sealed class Thread { … /*========================================================================= ** Creates a new Thread object which will begin execution at ** start.ThreadStart on a new thread when the Start method is called. … =========================================================================*/ … public Thread(ThreadStart start) { if (start == null) {…} SetStart(start); }
SetStart(start) – in the same file – is defined as follows: … [MethodImplAttribute(MethodImplOptions.InternalCall)] private extern void SetStart(ThreadStart start);
The fcall linkage in …/clr/src/vm/ecall.cpp causes the following mscoree method (defined in …/clr/src/vm/comsynchronizable.cpp) to be called: FCIMPL2(void, ThreadNative::SetStart, ThreadBaseObject* pThisUNSAFE, Object* pDelegateUNSAFE) { … if (pThis->m_InternalThread == NULL) { // if we don't have an internal Thread object associated with this // exposed object, now is our first opportunity to create one. Thread *unstarted = SetupUnstartedThread(); pThis->SetInternal(unstarted); unstarted->SetExposedObject(pThis); } … } FCIMPLEND
The SetupUnstartedThread() function is defined in …/clr/src/vm/threads.cpp. Notice that it creates a new CLI Thread object, then adds it to the ThreadStore object: //------------------------------------------------------------------------// Public function: SetupUnstartedThread() // This sets up a Thread object for an exposed System.Thread that // has not been started yet. This allows us to properly enumerate all // threads in the ThreadStore, so we can report on even unstarted threads. // Clearly there is no physical thread to match, yet. // // When there is, complete the setup with Thread::HasStarted()
//------------------------------------------------------------------------Thread* SetupUnstartedThread() { _ASSERTE(ThreadInited()); Thread* pThread = new Thread(); if (pThread) { FastInterlockOr((ULONG *) &pThread->m_State, (Thread::TS_Unstarted | Thread::TS_WeOwn)); ThreadStore::AddThread(pThread); } return pThread; }
The Thread constructor can be found in …/clr/src/vm/threads.cpp file. Here you can see that a number of CLI-specific fields are initialized to define the CLI thread (in contrast with the platform thread). Thread::Thread() { m_pFrame m_pUnloadBoundaryFrame
= FRAME_TOP; = NULL;
m_fPreemptiveGCDisabled = 0; … m_dwLockCount = 0; // Initialize lock state … m_alloc_context.init(); m_UserInterrupt = 0; m_SafeEvent = m_SuspendEvent = INVALID_HANDLE_VALUE; m_EventWait = INVALID_HANDLE_VALUE; m_WaitEventLink.m_Next = NULL; m_WaitEventLink.m_LinkSB.m_pNext = NULL; m_ThreadHandle = INVALID_HANDLE_VALUE; m_ThreadHandleForClose = INVALID_HANDLE_VALUE; m_ThreadId = 0; m_Priority = INVALID_THREAD_PRIORITY; m_ExternalRefCount = 1; m_State = TS_Unstarted; m_StateNC = TSNC_Unknown; // It can't be a LongWeakHandle because we zero stuff out of the exposed // object as it is finalized. At that point, calls to // GetCurrentThread() had better get a new one,! m_ExposedObject = CreateGlobalShortWeakHandle(NULL); m_StrongHndToExposedObject = CreateGlobalStrongHandle(NULL); m_LastThrownObjectHandle = NULL; // Zeros out both filter CONTEXT* and the extra state flags. m_debuggerWord1 = NULL; m_debuggerCantStop = 0; … m_PreventAsync = 0; m_pDomain = NULL; m_Context = NULL; m_TraceCallCount = 0;
m_ThrewControlForThread = 0; m_OSContext = NULL; m_ThreadTasks = (ThreadTasks)0; Thread *pThread = GetThread(); _ASSERTE(SystemDomain::System()->DefaultDomain()->GetDefaultContext()); InitContext(); _ASSERTE(m_Context); if (pThread) { _ASSERTE(pThread->GetDomain() && pThread->GetDomain()>GetDefaultContext()); // Start off the new thread in the default context of // the creating thread's appDomain. This could be changed by SetDelegate SetKickOffDomain(pThread->GetDomain()); } else SetKickOffDomain(SystemDomain::System()->DefaultDomain()); // The state and the tasks must be 32-bit aligned for atomicity to be guaranteed. _ASSERTE((((size_t) &m_State) & 3) == 0); _ASSERTE((((size_t) &m_ThreadTasks) & 3) == 0); m_dNumAccessOverrides = 0; // Track perf counter for the logical thread object. COUNTER_ONLY(GetPrivatePerfCounters().m_LocksAndThreads.cCurrentThreadsLogic al++); COUNTER_ONLY(GetGlobalPerfCounters().m_LocksAndThreads.cCurrentThreadsLogica l++); … m_pSharedStaticData = NULL; m_pUnsharedStaticData = NULL; m_pStaticDataList = NULL; m_pDLSHash = NULL; m_pCtx = NULL; m_fSecurityStackwalk = FALSE; m_compressedStack = NULL; m_fPLSOptimizationState = TRUE; m_pFusionAssembly = NULL; m_pAssembly = NULL; m_pModuleToken = mdFileNil; … }
GetThread() is a platform-specific function call (see …/clr/src/vm/thread.cpp). After the thread has been created, it is started by the call to the System.Threading Start() function (defined in …/clr/src/bcl/system/threading/thread.cs): public void Start() { // Attach current thread's security principal object to the new // thread. Be careful not to bind the current thread to a // principal if it's not already bound. IPrincipal principal = (IPrincipal) CallContext.SecurityData.Principal; StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller; StartInternal(principal, ref stackMark);
}
This code finally calls StartInternal() – another fcall, which is also defined in …/clr/src/vm/comsynchronizable.cpp: FCIMPL3(void, ThreadNative::Start, ThreadBaseObject* pThisUNSAFE, …) { THROWSCOMPLUSEXCEPTION(); HELPER_METHOD_FRAME_BEGIN_NOPOLL(); StartInner(pThisUNSAFE, pPrincipalUNSAFE, pStackMark); HELPER_METHOD_FRAME_END_POLL(); } FCIMPLEND
The essential call here (in tracing the creation of the thread) is the one to StartInner(), which is defined in the comsynchronizable.cpp file. This code makes the thread runnable: // Start up a thread, which by now should be in the ThreadStore's Unstarted // list. void ThreadNative::StartInner(ThreadBaseObject* pThisUNSAFE, Object* pPrincipalUNSAFE, StackCrawlMark* pStackMark) { … Thread *pCurThread = GetThread(); Thread *pNewThread = gc.pThis->GetInternal(); … // Is the thread already started? You can't restart a thread. … // Carry over the state used by security to the new thread … // Generate code-access security stack to carry over to thread. … // // // // //
As soon as we create the new thread, it is eligible for suspension, etc. So it gets transitioned to cooperative mode before this call returns to us. It is our duty to start it running immediately, so that GC isn't blocked.
h = pNewThread->CreateNewThread(0 /*stackSize override*/, KickOffThread, share, &newThreadId); … // After we have established the thread handle, we can check // m_Priority. This ordering is required to eliminate the race // condition on setting the priority of a thread just as it starts // up. ::SetThreadPriority(h, MapToNTPriority(gc.pThis->m_Priority)); // Before we do the resume, we need to take note of the new // ThreadId. This is necessary because -- before the thread starts // executing at KickofThread -- it may perform some DllMain // DLL_THREAD_ATTACH notifications. These could call into managed // code. During the consequent SetupThread, we need to perform // the Thread::HasStarted call instead of going through the normal // 'new thread' pathway. … pNewThread->SetThreadId(newThreadId); share = NULL;
// we have handed off ownership of the shared struct
… ::ResumeThread(h); … }
The PAL thread store is the collection of PAL threads (contrasted with both CLI threads and OS threads). Each CLI thread has an associated Thread object, and appears in the system-wide ThreadStore object. There is not necessarily a one-to-one correspondence between CLI threads and PAL threads. The CLI ThreadpoolMgr object (see …/clr/src/vm/win32threadpool.h for the class specification) manages the binding between a PAL thread and one or more CLI threads. One of the data structures that you see in these code fragments is the ThreadPool. The host platform thread support provides the idea of thread local storage (TLS), meaning a logical block of storage that within the encapsulating OS process’s address space, yet which is private to a particular thread. CLI and PAL threads depend on TLS, so the PAL provides a collection of TLS functions in …/pal/unix/thread/localstorage.c. These functions are generally documented in MSDN OS documentation, and are reimplemented for the UNIX ports so that they provide a uniform TLS facility to the CLI threads. 10.2.2 Synchronization The PAL implements parts of the Win32 API for synchronizing threads (see the …/pal/unix/sync/ directory). These primitives are intended to operate on CLI threads rather than on the host (POSIX) threads. This means that the PAL cannot simply implement the synchronization mechanism directly in terms of POSIX mechanisms; instead, the PAL must provide its own queues to hold CLI threads that are blocked on a synchronization event, and the algorithms to manage competition for those events. The CLI threads use critical sections, events, mutex, semaphore, and wait primitives. These mechanisms are implemented in the sync directory. Some parts of the PAL synchronization implementation do use the POSIX thread synchronization mechanism. For example, the SuspendThread() function (implemented in …/pal/unix/thread/thread.c) uses the POSIX function pthread_mutex_lock(), pthread_mutex_unlock(),and pthread_resume_np(): /*++ Function: SuspendThread See MSDN doc. --*/ DWORD PALAPI SuspendThread( IN HANDLE hThread) { … /* First, we need to retrieve the thread storage for the passed in thread handle */ … /* Next we need to get the thread storage for the current thread. */ … /* Finally, check the validity of the objects retrieved */ … if(lpThread == lpCurrentThread) { /* suspending the current thread */ … if (lpThread->bCreateSuspended) { [This code uses the PAL’s implementation of synchronization rather than the pthread primitives] … }
… /* Block here */ while(1) { pollRet = poll(&fds, 1, INFTIM); if(-1 != pollRet) { break; } if(EINTR != errno) {…} … } … [Here is some code that uses pthread primitives] /* Check out current suspension count. If we are 0, then we need to actually suspend the thread... */ if (lpThread->dwSuspendCount == 0) { TRACE ("Suspending thread handle %p with pthread_suspend_np\n", hThread); #if HAVE_PTHREAD_NP /* pthread_suspend_np returns EINVAL for invalid thread parameter */ if ( pthread_suspend_np( (pthread_t)lpThread->dwThreadId) == EINVAL) #elif HAVE_MACH_THREADS if ( thread_suspend(pthread_mach_thread_np((pthread_t) lpThread>dwThreadId)) == KERN_INVALID_ARGUMENT ) #elif HAVE_SOLARIS_THREADS if (thr_suspend((thread_t) lpThread->dwThreadId) != 0) #endif #if HAVE_PTHREAD_NP || HAVE_MACH_THREADS || HAVE_SOLARIS_THREADS { ERROR("Unable to suspend the thread\n"); SetLastError(ERROR_INVALID_HANDLE); retval = -1; /* release the spinlock */ lpThread->suspend_spinlock = 0; goto SuspendThreadExit; } if(0 != lpThread->critsec_count) { /* eep, suspended thread was holding some internal critical sections. we have to let it release them all */ /* make sure the thread will wait for us to suspend it again */ pthread_mutex_lock(&lpThread->suspension_mutex); pthread_mutex_lock(&lpThread->cond_mutex); /* indicate our intention to suspend this thread */ lpThread->suspend_intent = TRUE; /* let the thread run until it releases all its critical sections */ #if HAVE_PTHREAD_NP pthread_resume_np((pthread_t)lpThread->dwThreadId); #elif HAVE_MACH_THREADS
thread_resume(pthread_mach_thread_np((pthread_t) lpThread>dwThreadId)); #elif HAVE_SOLARIS_THREADS thr_continue((thread_t) lpThread->dwThreadId); #endif /* wait for the thread to tell us it has released all its critical sections */ /* note : this will release the mutex until the condition is signalled, but that's fine, since no one can try to take it in the interval */ pthread_cond_wait(&lpThread->suspender_cond, &lpThread->cond_mutex); /* all critical sections are released, target is now blocked waiting for the suspension mutex (or about to). it is now safe to suspend it */ #if HAVE_PTHREAD_NP pthread_suspend_np((pthread_t)lpThread->dwThreadId); #elif HAVE_MACH_THREADS thread_suspend(pthread_mach_thread_np((pthread_t) lpThread>dwThreadId)); #elif HAVE_SOLARIS_THREADS thr_suspend((thread_t) lpThread->dwThreadId); #endif lpThread->suspend_intent = FALSE; /* allow target thread to acquire the mutex and continue when it gets resumed */ pthread_mutex_unlock(&lpThread->cond_mutex); pthread_mutex_unlock(&lpThread->suspension_mutex); } #else // HAVE_PTHREAD_NP || HAVE_MACH_THREADS || HAVE_SOLARIS_THREADS #error "Don't know how to suspend threads on this platform!" #endif … } else {…} … } SuspendThreadExit: ... return (retval); }
There are many more Win 32 API synchronization primitives than there are UNIX synchronization primitives, or more importantly, POSIX synchronization primitives. This set of functions implements a subset of the Win32 API synchronization mechanisms in terms of POSIX thread synchronization primitives. We finish with an interesting piece of code that implements shared memory (see …/pal/unix/shmemory/shmenory.c). There is an extraordinarily great comment at the beginning of this file that is presented here verbatim. The “I” in the comment is Barry Bond, who implemented most of the Rotor PAL. If only all of the code were this well commented: /*++
Copyright (c) 2002 Microsoft Corporation.
All rights reserved.
The use and distribution terms for this software are contained in the file named license.txt, which can be found in the root of this distribution. By using this software in any fashion, you are agreeing to be bound by the terms of this license. You must not remove this notice, or any other, from this software.
Module Name: shmemory/shmemory.c Abstract: Implementation of shared memory infrastructure for IPC Issues : Interprocess synchronization
There doesn't seem to be ANY synchronization mechanism that will work inter-process AND be pthread-safe. FreeBSD's pthread implementation has no support for inter-process synchronization (PTHREAD_PROCESS_SHARED); "traditionnal" inter-process syncronization functions, on the other hand, are not pthread-aware, and thus will block entire processes instead of only the calling thread. From suggestions and information obtained on the freebsd-hackers mailing list, I have come up with 2 possible strategies to ensure serialized access to our shared memory region Note that the estimates of relative efficiency are wild guesses; my assumptions are that blocking entire processes is least efficient, busy wait somewhat better, and anything that does neither is preferable. However, the overhead of complex solutions is likely to have an important impact on performance Option 1 : very simple; possibly less efficient. in 2 words : "busy wait" Basically, while(InterlockedCompareExchange(spinlock_in_shared_memory, 1, 0) sched_yield(); In other words, if a value is 0, set it to 1; otherwise, try again until we succeed. use shed_yield to give the system a chance to schedule other threads while we wait. (once a thread succeeds at this, it does its work, then sets the value back to 0) One inconvenient : threads will not unblock in the order they are blocked; once a thread releases the mutex, whichever waiting thread is scheduled next will be unblocked. This is what is called the "thundering herd" problem, and in extreme cases, can lead to starvation Update : we'll set the spinlock to our PID instead of 1, that way we can find out if the lock is held by a dead process. Option 2 : possibly more efficient, much more complex, borders on "over-engineered". I'll explain it in stages, in the same way I deduced it. Option 2.1 : probably less efficient, reasonably simple. stop at step 2) 1) The minimal, original idea was to use SysV semaphores for synchronization.
This didn't work, because semaphores block the entire process, which can easily lead to deadlocks (thread 1 takes sem, thread 2 tries to take sem, blocks process, thread 1 is blocked and never releases sem) 2) (this is option 2.1) Protect the use of the semaphores in critical sections. Enter the critical section before taking the semaphore, leave the section after releasing the semaphore. This ensures that 2 threads of the same process will never try to acquire the semaphore at the same time, which avoids deadlocks. However, the entire process still blocks if another process has the semaphore. Here, unblocking order should match blocking order (assuming the semaphores work properly); therefore, no risk of starvation. 3) This is where it gets complicated. To avoid blocking whole processes, we can't use semaphores. One suggestion I got was to use multi-ended FIFOs, here's how it would work. -as in option 1, use InterlockedCompareExchange on a value in shared memory. -if this was not succesful (someone else has locked the shared memory), then : -open a special FIFO for reading; try to read 1 byte. This will block until someone writes to it, and *should* only block the current thread. (note : more than one thread/process can open the same FIFO and block on read(), in this case, only one gets woken up when someone writes to it. *which* one is, again, not predictable; this may lead to starvation) -once we are unblocked, we have the lock. -once we have the lock (either from Interlocked...() or from read()), we can do our work -once the work is done, we open the FIFO for writing. this will fail if no one is listening. -if no one is listening, release the lock by setting the shared memory value back to 0 -if someone is listening, write 1 byte to the FIFO to wake someone, then close the FIFO. the value in shared memory will remain nonzero until a thread tries to wake the next one and sees no one is listening. problem with this option : it is possible for a thread to call Interlocked...() BETWEEN the failed "open for write" attempt and the subsequent restoration of the SHM value back to zero. In this case, that thread will go to sleep and will not wake up until *another* thread asks for the lock, takes it and releases it. so to fix that, we come to step 4) Instead of using InterlockedCompareExchange, use a SysV semaphore : -when taking the lock : -take the semaphore -try to take the lock (check if value is zero, change it to 1 if it is) -if we fail : open FIFO for reading, release the semaphore, read() and block -if we succeed : release the semaphore -when releasing the lock : -take the semaphore -open FIFO for write -if we succeed, release semaphore, then write value -if we fail, reset SHM value to 0, then release semaphore. Yes, using a SysV semaphore will block the whole process, but for a very short time (unlike option 2.1)
problem with this : again, we get deadlocks if 2 threads from a single process try to take the semaphore. So like in option 2.1, we ave to wrap the semaphore usage in a critical section. (complex enough yet?) so the locking sequence becomes SYNCEnterCriticalSection - take semaphore try to lock - open FIFO - release semaphore - SYNCLeaveCriticalSection - read and the unlocking sequence becomes EnterCS - take sem - open FIFO - release sem - LeaveCS - write Once again, the unblocking order probably won't match the blocking order. This could be fixed by using multiple FIFOs : waiting thread open their own personal FIFO, write the ID of their FIFO to another FIFO. The thread that wants to release the lock reads ID from that FIFO, determines which FIFO to open for writing and writes a byte to it. This way, whoever wrote its ID to the FIFO first will be first to awake. How's that for complexity? So to summarize, the options are 1 - busy wait 2.1 - semaphores + critical sections (whole process blocks) 2 - semaphores + critical sections + FIFOs (minimal process blocking) 2.2 - option 2 with multiple FIFOs (minimal process blocking, order preserved) Considering the overhead involved in options 2 & 2.2, it is our guess that option 1 may in fact be more efficient, and this is how we'll implement it for the moment. Note that other platforms may not present the same difficulties (i.e. other pthread implementations may support inter-process mutexes), and may be able to use a simpler, more efficient approach. B] Reliability. It is important for the shared memory implementation to be as foolproof as possible. Since more than one process will be able to modify the shared data, it becomes possible for one unstable process to destabilize the others. The simplest example is a process that dies while modifying shared memory : if it doesn't release its lock, we're in trouble. (this case will be taken care of by using PIDs in the spinlock; this we we can check if the locking process is still alive). --*/