Airs - Ian Lance Taylor

When I was in grade school we were taught that monotheism was a historical advance, comparable to agriculture or other notable inventions. For example, we learned that Akenhaten was a significant figure because he was the first historical figure to advocate monotheism, although it was later repudiated by his successor Tutankhaten aka Tutankhamun aka King Tut. (Akenhaten lived about two centuries before the first historical evidence of Judaism; Freud suggested that Moses was actually a monotheistic priest during the reign of Akenhaten). Even in grade school this argument seemed vaguely suspect to me. The advantages of agriculture seem clear, the advantages of monotheism less so.

These days I do see monotheism as something of an advance. The earliest cultures we know of believed in gods who were much like people, albeit people who were both powerful and sometimes unpredictable. In some cases the gods were simply ancestors. I think this is a natural consequence of our tendency to attribute events to causes. When we want to understand the weather, our impulse is to give it a personality and motivations. It’s only a small step to think that there is a powerful person–a god–who controls the weather.

This then becomes an obstacle to actually understanding what is happening. If you already have an explanation for the weather, and your explanation inherently incorporates unpredictability, there is little purpose to looking for a deeper explanation. Since I do think that scientific thought is an advance in human culture, it follows that these early religions prevented advances.

Monotheism reduces the mass of gods to just one. This god still controls the weather, but now there is just one entity that you have to understand. It becomes possible to seriously think about god’s will and hope to reach some conclusions about it. As thinking progresses, the god becomes more abstract—created the whole world, pays attention to everything—and it becomes easier to think in terms of fixed laws rather than whims. It’s still a big step to get to science, but it’s more feasible, and monotheism may be a necessary stopping point.

I was reminded of this line of thought while reading about the Gospel of Judas. Today I don’t see how it’s possible to see Judas as anything but a patsy—hence his lyric from Jesus Christ Superstar “I only did what you wanted me to.” The Gospel of Judas doesn’t really present him that way, but it does suggest that Judas was himself a human sacrifice to Christ. This was, after all, a time when animal sacrifices to the gods were routine, though not a practice of the Christians. The Gospel of Judas was an alternate view of the Christ story, one that was suppressed by the early church as they coalesced on a single view of the religion. Ditching the Gospel of Judas was a good move, since it seems pretty complicated. Anyhow, reading about it reminded me that there is a lot of contingency in the religions that we have today. Monotheism may have been an advance in retrospect, but, unlike agriculture, it wasn’t an advance at the time. I don’t see any reason to think that things could not have gone otherwise.

Many programs today are written at a very high level. They are run in an interpreted environment, not a compiler. Often many different components running in different interpreted environments are hooked together. HTML and XML, for example, started out as markup languages, but now they are often also used as components of programs hooking together the output of different servers.

Computer programming has always been based on layering and abstraction. The processor abtracts the transistor, the traditional programming language abstracts the processor, the kernel abstracts the hardware. What seems fairly new to me is the speed at which these layers change and their complexity. New ideas are implemented in the form of extensive libraries. Each library can be learned in isolation, but there is no unifying principle across libraries.

It is becoming increasingly difficult to be a systems expert. When I learned to program, it was possible to understand your entire program from the source code, in whatever language, down to the machine code. When writing a modern Ajax application, that is simply impossible. There are too many different interpreters. There is too much code involved. Even fixing on a new base level above the processor–perhaps the browser–doesn’t help. This all leads to decreased performance, which is sometimes important, and decreased security, which is often important.

We can’t go back. What I wonder is whether we will again cohere to a programming model which can be understood at all relevant layers. Or whether things are just going to get increasingly complicated.

Peer review can be a useful technique when programming. It ensures that at least one other person has read the code. It can catch dumb bugs and help ensure that the code is not unnecessarily obscure. Several popular programming methodologies use it. (Pair programming has the same benefits.)

Peer review has one obvious disadvantage: it slows down coding. In order for peer review to be meaningful, you have to present digestible chunks for review. And that
mean waiting for the review, or using some sort of patch management to permit continued coding until the review is complete and to incorporate changes suggested by the review.

I generally have not worked on project that require peer review. The gcc project requires maintainer approval of all changes, but maintainers are permitted to commit their own changes without review. I can see the advantages of a peer review system, provided there is some mechanism to ensure that reviews happen quickly. If reviews can linger, then projects can stall very quickly.

gcc has a difficult enough time getting patches reviewed as it is. It’s hard to recommend anything which would make it slower. One approach that might make it more acceptable would be to say that if a maintainer writes a patch, the peer review can be done by anybody–it would not have to be another maintainer. That is, require a reviewer for every patch, but only require that either the author or the reviewer be a maintainer.

I’m not sure whether this would be a good idea or not. It would be good to improve the quality of the gcc code base, but the quality is not so bad that drastic measures are required. Only a small additional cost would be acceptable.

I’ve always liked Iron Man. Tony Stark has a simple comic book story: a smart guy, who doesn’t think very much about what he’s doing, is nearly killed. The experience changes him–but not all that much. He’s a superhero because he’s addicted to action, because he feels the need to justify his survival, and because he needs the armor to keep himself alive. He doesn’t have any special powers–he’s just very inventive.

Tony Stark’s alcoholism wasn’t introduced until the character had been around for a long time. Stan Lee created Iron Man in 1963 (script by his brother, Larry Leiber, and art by Don Heck and Jack Kirby). The alcoholism was introduced in the 1980s by David Michelinie and Bob Layton. However, even though it came so much later, it fit the character so well that it has never been forgotten. Denny O’Neill later picked it up for a long run on the character in which Stark loses everything and his friend Rhodey takes over as Iron Man.

Iron Man is a natural hero for an engineer: a smart, intuitive guy who succeeds entirely on his own wits. He’s also, of course, handsome, suave, ultra wealthy, self confident–in fact, overly confident. I don’t think anybody could really identify with Tony Stark, which probably hurts his sales. But he’s a believable character at the core, more believable than many superheroes.

I didn’t have high hopes for the movie which just came out, but I’m happy to say that it captures the character very well and was also a very good movie. They changed the details of the comic book story, but kept all the essential elements. In fact, it’s early days yet, but right now I think it was one of the best superhero movies that’s been made, right up there with the first Tim Burton Batman movie. Unusually, the ordinary life sequences were better than the action sequences–something which only works because Iron Man is such a plausible character at the core. That said, the special effects were excellent, and really conveyed the power of the armored suit.

If you’re a comic book fan, sit through all the credits until the very end, to see the short setup for the sequel (if you’re not a comic book fan, though, the setup probably won’t make any sense).

gcc, the GNU linker, and the glibc dynamic linker cooperate to implement an idea called read-only relocations, or relro. This permits the linker to designate a part of an executable or (more commonly) a shared library as being read-only after dynamic relocations have been applied.

This may be used for read-only global variables which are initialized to something which requires a relocation, such as the address of a function or a different global variable. Because the global variable requires a runtime initialization in the form of a dynamic relocation, it can not be placed in a read-only segment. However, because it is declared to be constant, and therefore may not be changed by the program, the dynamic linker can mark it as read-only after the dynamic relocation has been applied.

For some targets this technique may also be used for the PLT or parts of the GOT.

Making these pages read-only helps catch some cases of memory corruption, and making the PLT in particular read-only helps prevent some types of buffer overflow exploits.

The first step is in gcc. When gcc sees a variable which is constant but requires a dynamic relocation, it puts it into a section named .data.rel.ro (this functionality unfortunately relies on magic section names). A variable which requires a dynamic relocation against a local symbol is put into a .data.rel.ro.local section; this helps group such variables together, so that the dynamic linker may apply the relocations, which will always be RELATIVE relocations, more efficiently, especially when using combreloc.

The linker groups .data.rel.ro and .data.rel.ro.local sections as usual. The new step is that the linker then emits a PT_GNU_RELRO program segment which covers these sections. If the PLT and/or GOT can be read-only after dynamic relocations, they are put next to the .data.rel.ro sections and also become part of the new segment. This segment will enclosed within a PT_LOAD segment. The p_vaddr field of the PT_GNU_RELRO segment gives the virtual address of the start of the read-only after dynamic relocations code, and the p_memsz field gives its length.

When the dynamic linker sees a PT_GNU_RELRO segment, it uses mprotect to mark the pages as read-only after the dynamic relocations have been applied. Of course this only works if the segment does in fact cover an entire page. The linker will try to force this to happen.

Note that the current dynamic linker code will only work correctly if the PT_GNU_RELRO segment starts on a page boundary. This is because the dynamic linker rounds the p_vaddr field down to the previous page boundary. If there is anything on the page which should not be read-only, the program is likely to fail at runtime. So in effect the linker must only emit a PT_GNU_RELRO segment if it ensures that it starts on a page boundary.

I see this as a relatively minor security benefit. It is not an optimization as far as I can see. I am documenting it here as part of my general documentation of obscure linker features. The current description of this feature in the GNU linker manual is rather obscure.