Date: Sat, 8 Dec 2012 15:24:47 +0200
From: Aleksandr Rybalko <ray@freebsd.org>
To: Jung-uk Kim <jkim@FreeBSD.org>
Cc: svn-src-projects@freebsd.org, Roman Divacky <rdivacky@freebsd.org>, src-committers@freebsd.org
Subject: Re: svn commit: r243914 - projects/bpfjit
Message-ID: <20121208152447.5b2958d2.ray@freebsd.org>
In-Reply-To: <50C0DFB0.6030007@FreeBSD.org>
References: <201212052312.qB5NC2Hn056351@svn.freebsd.org> <20121206084936.GA58940@freebsd.org> <50C0DFB0.6030007@FreeBSD.org>

On Thu, 06 Dec 2012 13:10:56 -0500
Jung-uk Kim <jkim@FreeBSD.org> wrote:

> On 2012-12-06 03:49:36 -0500, Roman Divacky wrote:
> > Hi,
> >
> > David Chisnall started bpf jitter based on llvm. You can check it
> > out here:
> >
> > http://people.freebsd.org/~theraven/bpfjit/
> >
> >
> > It's based on the idea of jitting the code in userspace and
> > passing the resulting code to the kernel via some interface (this
> > part is not done yet).
>
> Long time ago (about 10 years ago), I implemented something like that
> (i.e., compile BPF program to native machine code in userspace, then
> upload to kernel space) for my $job but I quickly replaced it with
> BPF_JITTER for several reasons. First of all, there is a big security
> risk. A BPF filter program can be easily validated by kernel with
> bpf_validate(9). We cannot do that for native machine code and we
> must not allow uploading arbitrary code to kernel space. You may say
> it is well protected by /dev/bpf permissions but it is not good
> enough, i.e., all you need is read permission to inject code to kernel
> space.
> Second, LLVM is too heavy for BPF filter machine. For example,

+1
Embedded FreeBSD will lose BPF if LLVM is used for compilation :)

> libtrace did that long ago:
>
> http://www.wand.net.nz/trac/libtrace/changeset/1586
>
> Someone actually benchmarked it with other JIT implementations:
>
> http://carnivore.it/2011/12/28/bpf_performance
>
> LLVM compilation took too much time to be useful:
>
> engine          filter cycles   compile cycles
> ---------------+---------------+----------------
> jit-linux       106468          33126+72796
> jit-freebsd     113958          48292+72796
> llvm            157394          380843640+72796
> pcap            276910          72796
> linux           351391          9245+72796
>
> I haven't tried theraven's implementation but I am afraid the result
> may be similar. On top of that, it cannot be easily embedded in
> kernel.
>
> BTW, NetBSD actually imported my BPF_JITTER first, then it was
> replaced by bpfjit:
>
> http://mail-index.netbsd.org/tech-net/2012/08/19/msg003619.html
> http://mail-index.netbsd.org/source-changes/2012/10/27/msg038310.html
>
> I wanted to try it out because I think it has great potential. ;-)
>
> Jung-uk Kim

--
Aleksandr Rybalko <ray@freebsd.org>
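
The security argument quoted above rests on classic BPF bytecode being simple enough to check statically before it runs, which native machine code is not. As an added example (not part of this thread and not FreeBSD's bpf_validate(9) source), here is a simplified C sketch of such checks: bounded forward jumps, scratch-memory indices, constant division by zero, and a final return. The names `struct insn` and `filter_is_valid` and the 512-instruction limit are assumptions of this sketch, and it does not whitelist opcodes.

```c
#include <stddef.h>
#include <stdint.h>

/* Classic BPF instruction layout; opcode bit fields follow the classic BPF encoding. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define CLASS(c) ((c) & 0x07)
#define MODE(c)  ((c) & 0xe0)
#define OP(c)    ((c) & 0xf0)
#define SRC(c)   ((c) & 0x08)
enum { LD = 0x00, LDX = 0x01, ST = 0x02, STX = 0x03, ALU = 0x04, JMP = 0x05, RET = 0x06 };
enum { MEM = 0x60, DIV = 0x30, JA = 0x00, K = 0x00, MEMWORDS = 16, MAXINSNS = 512 };

/* Returns 1 if the program passes the static checks, 0 otherwise. */
int filter_is_valid(const struct insn *f, size_t len)
{
    if (f == NULL || len == 0 || len > MAXINSNS)
        return 0;
    for (size_t i = 0; i < len; i++) {
        const struct insn *p = &f[i];
        size_t left = len - i - 1;      /* instructions after this one */
        switch (CLASS(p->code)) {
        case LD: case LDX:              /* scratch loads must index M[0..15] */
            if (MODE(p->code) == MEM && p->k >= MEMWORDS)
                return 0;
            break;
        case ST: case STX:              /* scratch stores likewise */
            if (p->k >= MEMWORDS)
                return 0;
            break;
        case ALU:                       /* reject division by constant zero */
            if (OP(p->code) == DIV && SRC(p->code) == K && p->k == 0)
                return 0;
            break;
        case JMP:                       /* offsets are unsigned: forward only */
            if (OP(p->code) == JA) {
                if (p->k >= left) return 0;
            } else if (p->jt >= left || p->jf >= left)
                return 0;
            break;
        default:
            break;
        }
    }
    /* Forward-only jumps plus a final RET guarantee termination. */
    return CLASS(f[len - 1].code) == RET;
}
```

Because every jump target is checked to land inside the program and strictly after the jump, a filter that passes cannot loop or run off the end, which is the property that has no cheap equivalent for uploaded native code.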