HN
Today

A simplified model of Fil-C

This post meticulously breaks down a simplified model of Fil-C, a system designed to bring memory safety to C/C++. It details how Fil-C achieves this through source code transformations, instrumenting pointers with metadata for bounds checking and introducing a garbage collector. The article's technical depth and focus on core C/C++ challenges make it a compelling read for those interested in systems programming and memory management.

33
Score
1
Comments
#2
Highest Rank
7h
on Front Page
First Seen
Apr 17, 10:00 PM
Last Seen
Apr 18, 4:00 AM
Rank Over Time
3222224

The Lowdown

Fil-C proposes a method to make C/C++ memory-safe, addressing common issues like buffer overflows and use-after-free errors. This article presents a simplified model to demystify its core mechanisms, transforming C/C++ code to include runtime checks and memory management features typically found in higher-level languages.

  • Pointer Instrumentation: Every local pointer variable gains an accompanying AllocationRecord* variable, storing metadata about the allocated memory block.
  • AllocationRecord Structure: This struct holds visible_bytes (the actual data pointer), invisible_bytes (a parallel array storing AllocationRecord* for heap-stored pointers), and length.
  • Rewritten Operations: Trivial pointer assignments and arithmetic operations are modified to also propagate their associated AllocationRecord*.
  • Custom Memory Management: Calls to malloc are replaced with filc_malloc, which allocates not only the requested visible_bytes but also invisible_bytes and the AllocationRecord itself.
  • Bounds Checking: Pointer dereferences are augmented with assert statements that use the AllocationRecord to verify the pointer is within allocated bounds.
  • Heap Pointer Tracking: For pointers stored on the heap, invisible_bytes acts as a shadow memory, storing the corresponding AllocationRecord* values alongside the data.
  • Garbage Collection: While filc_free releases visible_bytes and invisible_bytes, the AllocationRecord itself is managed by a garbage collector. This enables memory to be freed even if free is forgotten and allows for safe handling of local variables whose addresses escape their scope.
  • memmove Handling: Special attention is given to memmove to ensure that alongside the visible_bytes movement, the corresponding invisible_bytes (containing pointer metadata) are also moved for aligned blocks.
  • Production System Complexities: The article briefly touches upon further challenges in a real-world Fil-C implementation, such as thread safety, function pointer validation, and various performance and memory optimizations.
  • Potential Use Cases: Fil-C could be used to make existing C/C++ code memory-safe (at a performance cost), as a memory bug-finding tool (similar to ASan), for safe compile-time evaluation in languages like Zig, or as a concrete system for exploring pointer provenance.

The simplified model provides a clear conceptual understanding of how Fil-C imbues C/C++ with memory safety features, primarily through comprehensive code transformation and the introduction of a garbage collector, albeit with performance and memory overheads.