VIOLATING THE CODE

and other things testers do

  • Security State and NGEN

    NGEN images are not guaranteed to be used by the runtime. There’s a tradeoff with NGen that is always being evaluated where robustness of images is balanced against better performance when images are used. At one extreme, NGEN images are very robust and will always be used. In this case, however, a huge number of the minor (and not-so-minor) perf enhancements are not possible. At the other extreme NGen images are highly tuned for performance, but become increasingly fragile in the face of a changing environment. To be clear, “fragile” in this case means “might not be used by the runtime”. When we have made design decisions trending towards the latter option, it has been justified with the following:

     1)      NGen is all about performance.

     2)      We always have the JIT to fall back to if NGEN images become unusable.

    With Whidbey, we also have a third mitigating factor:

     3)      The NGen tool provides new features (ngen update) which start to help with image invalidation by being able to re-generate all the images for an application which might have been invalidated.

    One particular case where native images can be fragile has to do with the managed security system, particularly with link and inheritance demands. These types of demands are typically evaluated when the JIT tries to compile a method which calls another method with a link demand. (or alternatively we build a type which inherits from another type with an inheritance demand). The evaluation of the demand triggers the managed security system to make a decision based on the current policy state of the machine and the evidence on the assembly being executed.

    As with many runtime features, NGEN introduces some interesting complications to this system. Evaluating these security demands at the point where they are needed can be expensive both in terms of actually performing the demand evaluation as well as lost opportunities to provide optimizations. For example, a call to a method with a LinkDemand could have been inlined. Evaluating the LinkDemand at runtime would mean that the call cannot be inlined. It seems reasonable that at NGEN time the evidence on the assembly could be evaluated and the result of the evaluation recorded into the native image. This means that at run time the security system would not have to be invoked to process the demand; instead the code would execute as if the demand had not even existed. Essentially we're burning an assumption about the security state into the native image.

    But what if the security policy state had changed since the assembly was NGEN’ed? Consider a case with an assembly, A.dll, which calls a method in another assembly which is protected with a link demand for a permission in the “Intranet” permission set. A.dll is in the “Intranet” zone, and is NGEN’ed, which means NGEN creates code which executes as if the link demands succeeded. Some time later the security policy is changed such that A.dll now belongs to the “Internet” zone, which does not have the permission it previously had. Now, if you run the code in A.dll, you would not want that NGEN image code to assume the link demand succeeded, because that would be a violation of the current security policy.

    To correct this problem, NGEN has to keep a list of all the “security assumptions” made in the code in a native image. Essentially this can be considered a list of permissions the native image requires to run. When the CLR loader tries to load a native image for an assembly, one of the steps it must take is to make sure the assembly currently has all the permissions in that list. If any one of these permission checks fails, then the loader simply rejects the native image and falls back to JIT compilation of the code in the assembly.

    What’s the point here? There are plenty of cases where NGEN images work in partial trust. But realize that changing the security state of the system can potentially be a factor in invalidating native images. With Whidbey, running “ngen.exe update” command after making security policy changes is insurance against native images being unusable.

    Posted Thursday, March 03, 2005 12:14 PM by REIDLW | 4 Comments

  • NGEN Article

    I've been working a little on the side lately to put together an article on NGEN for MSDN magazine. We finished with the final changes a few days ago, and just three days later I was suprised to see it already published on the website! MSDN Mag is running my article as a preview for the April issue. Take a look here: http://msdn.microsoft.com/msdnmag/issues/05/04/NGen/default.aspx. I'd be interested in getting feedback (if anyone is reading this) as to what other topics around NGen would be interesting.


    Posted Saturday, February 19, 2005 7:52 PM by REIDLW | 12 Comments

  • Post #2

    In my last blog entry I said I would have another entry up by the end of the long weekend. Of course, that means that I will scramble to put something together late Sunday evening. Unfortunately I was waylaid (once again) by Tivo and the fact that it recorded several more episodes from last season's Sopranos which I was obligated to watch. We did not have HBO until recently but have rented all the DVD's from past seasons in the last year or so and once we finish the previous season we'll be completely caught up. The hard part about watching the older episodes is avoiding plot spoilers - it was impossible for us not to find out about Adriana's fate last year, although we have not yet got to that episode and are prentending we don't know about it (aside from yelling at her through the TV to stop talking to the feds!). At any rate, a slow Monday morning the week between Christmas and New Years provides a good chance to catch up on the blog.

    Last time I talked about how I am a tester for the CLR team. The CLR test team is divided into teams roughly along feature sets. For instance, the test team for the Managed Services area includes COM Interop and reflection. Developer Services includes things like debuggers and profilers. For the two years I have worked here I have been on the Loader Type System (LTS) test team. We are one of the larger test teams and own a wide array of features including metadata and metadata API set, the CLR shim (mscoree) and all API's exported from it, the managed Assembly and AppDomain classes, and all the plumbing inside the runtime which deals with the loading of assemblies and layout of types. We also own the NGEN tool, which is what I specifically work on.

    For the uninitiated, NGEN is a tool which runs the JIT over an assembly and creates native code for the entire assembly and then saves all that native code in a PE file which gets stuffed away in a private cache. The CLR will then automatically load and use this pre-compiled code rather than invoking the JIT at run time. The core reason for doing all this is to improve performance. This point may seem obvious but in my experience the reasons why this improves performance are not obvious to many people. Here are some links to some good (accurate!) information on NGEN. I've found various things in Google (oops... I meant MSN) searches which are, well, less than accurate. Maybe I'll make another blog out of pointing some of those out.

    Good explanation of NGEN priniciple from the guy who runs the CLR product team; but a little out of date: http://blogs.msdn.com/jasonz/archive/2003/09/24/53574.aspx

    NGEN Performance: go to http://msdn.microsoft.com/perf and select Chapter 5. Select the "NGEN" topic therein.

    More NGEN Performance: http://blogs.msdn.com/ricom/archive/2004/10/18/244242.aspx

     

    Posted Monday, December 27, 2004 10:14 AM by REIDLW | 2 Comments

  • Nowhere to start but the beginning

    0.

    That's how many blog posts I have written before. It also happens to be the expected readership of this blog. Having no idea how to do this and suspecting that no one will ever care, I'll just say a few things about myself and what I do and some of the things I think I'd like to write about in this blog.

    I work on the test team for the Common Language Runtime product at Microsoft. Officially my title is "Software Design Engineer/Test" but I'm pretty comfortable just sticking with "tester". Microsoft was my first employer out of undergraduate five years ago, and testing is my second job at the company. My first was working in the support department, known as PSS. There I supported SQL Server and MDAC products for the big money spending professional support customers, and the even bigger money spending premier customers. I even wrote a nice little paper for MSDN on MDAC installation which was quite well received; maybe you've read -  no? okay, nevermind.

    My undergraduate degree was in computer science (what else?) from the University of Oklahoma. I've since taken advantage of a terrific evening degree program to get my Master's in computer science over the last couple years here in Seattle. For the last 2 1/2 years I've been a tester for the CLR.

    Going forward I hope to use this blog to focus mainly on the technology I test within the CLR. Now the real acid test is whether this is the only blog I ever write or not. One of the things I don't like so much about the supercharged fast paced culture in this industry (and company) is that the values of sticking with things and seeing things through to completion are sometimes chucked in favor of hypermultitasking. I'm more than a little guilty of this myself. So here we are... it's the start of a 4 day Christmas weekend holiday... I will write one more post before going back to work next Monday. Right. Sure. Let's see what happens.

    Posted Thursday, December 23, 2004 1:39 AM by REIDLW | 4 Comments

This Blog

Syndication

Tags

No tags have been created or used yet.

© 2008 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Microsoft
Page view tracker