(/LIBRARY) IS THE COMPILER... (/LIBRARY) IS THE COMPILER... JUST-IN-TIME (JIT) IS COMPILATION AT THE POINT OF NEED JUST-IN-TIME (JIT) IS COMPILATION AT THE POINT OF NEED 3 . 2WHAT IS JITTING? WHAT IS JITTING (/LIBRARY) IS THE COMPILER... (/LIBRARY) IS THE COMPILER... JUST-IN-TIME (JIT) IS COMPILATION AT THE POINT OF NEED JUST-IN-TIME (JIT) IS COMPILATION AT THE POINT OF NEED IT'S LIKE THE APPLICATION (/LIBRARY) IS THE COMPILER... 3 . 2WHY JIT-COMPILE? WHY JIT-COMPILE? 3 . 3WHY JIT-COMPILE? WHY JIT-COMPILE? AOT IS NOT POSSIBLE AOT IS NOT POSSIBLE 3 . 3WHY JIT-COMPILE? WHY JIT-COMPILE? AOT IS NOT POSSIBLE

still today, are actually a continuum.Papers in this talk github.com/jfbastien/jit-talk CppCon Slack channel #sig_jit I’ll cover 20-some papers in this talk, and have collected them on a GitHub repo years. We’ve also got a CppCon Slack channel: SIG_JIT (Special Interest Group). In a way this talk isn’t my usual talk because it’s more of a lecture on JiT compilers, where I’ll outline the papers that spoke than usual, from these papers. First, some definitions.JiT JiT Just-in-Time compilation With some artistic liberty, folks usually think of JIT as: The executable code changes after the program is loaded

Profiler Bar example(Foo&) example+0 pushq example+2 pushq example+4 ...JIT Code jit+0 movabs jit+7 ... jit+n TRAP 1. Inject OI into the target process 2. Wait for a thread to hit our example+0 pushq example+2 pushq example+4 ... Data Buffer TRAP TRAPThread A JIT Code jit+0 movabs jit+7 ... jit+n TRAP 1. Inject OI into the target process 2. Wait for a thread to hit our example+0 pushq example+2 pushq example+4 ... Data Buffer TRAP TRAPThread A JIT Code jit+0 movabs jit+7 ... jit+n TRAP 1. Inject OI into the target process 2. Wait for a thread to hit our

x86_64. The last number stands for the features: 0: No anti-debug, JIT, advanced mode features, high speed 7: Include anti-debug, JIT, advanced mode features, high security It’s possible to obfuscate --list pyarmor download --list windows pyarmor download --list windows.x86_64 pyarmor download --list JIT pyarmor download --list armv7 After pyarmor is upgraded, however these downloaded dynamic libraries Each feature has its own bit 1: Anti-Debug 2: JIT 4: ADV, advanced mode 8: SUPER, super mode For example, windows.x86_64.7 means anti-debug(1), JIT(2) and advanced mode(4) supported, windows.x86_64

x86_64. The last number stands for the features: 0: No anti-debug, JIT, advanced mode features, high speed 7: Include anti-debug, JIT, advanced mode features, high security It’s possible to obfuscate --list pyarmor download --list windows pyarmor download --list windows.x86_64 pyarmor download --list JIT pyarmor download --list armv7 After pyarmor is upgraded, however these downloaded dynamic libraries Each feature has its own bit 1: Anti-Debug 2: JIT 4: ADV, advanced mode 8: SUPER, super mode For example, windows.x86_64.7 means anti-debug(1), JIT(2) and advanced mode(4) supported, windows.x86_64

0: No anti-debug, JIT, advanced mode features, high speed 3.4. Distributing Obfuscated Scripts To Other Platform 13 PyArmor Documentation, Release 6.2.0 • 7: Include anti-debug, JIT, advanced mode features --list pyarmor download --list windows pyarmor download --list windows.x86_64 pyarmor download --list JIT pyarmor download --list armv7 After pyarmor is upgraded, however these downloaded dynamic libraries feature has its own bit • 1: Anti-Debug • 2: JIT • 4: ADV, advanced mode • 8: SUPER, super mode For example, windows.x86_64.7 means anti-debug(1), JIT(2) and advanced mode(4) supported, windows. x86_64

forwarding, encapsula�on, etc. An in-kernel verifier ensures that BPF programs are safe to run and a JIT compiler converts the bytecode to CPU architecture specific instruc�ons for na�ve execu�on efficiency linked, either choice is valid. CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_NET_CLS_BPF=y CONFIG_BPF_JIT=y CONFIG_NET_CLS_ACT=y CONFIG_NET_SCH_INGRESS=y CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_USER_API_HASH=y through a compiler back end (e.g. LLVM), so that the kernel can later on map them through an in-kernel JIT compiler into na�ve opcodes for op�mal execu�on performance inside the kernel. The advantages for

x86_64. The last number stands for the features: • 0: No anti-debug, JIT, advanced mode features, high speed • 7: Include anti-debug, JIT, advanced mode features, high security It’s possible to obfuscate --list pyarmor download --list windows pyarmor download --list windows.x86_64 pyarmor download --list JIT pyarmor download --list armv7 After pyarmor is upgraded, however these downloaded dynamic libraries own bit • 1: Anti-Debug • 2: JIT • 4: ADV, advanced mode • 8: SUPER, super mode • 16: VM, vm protection mode For example, windows.x86_64.7 means anti-debug(1), JIT(2) and advanced mode(4) supported

forwarding, encapsulation, etc. An in- kernel verifier ensures that BPF programs are safe to run and a JIT compiler converts the bytecode to CPU architecture specific instructions for native execution efficiency linked, either choice is valid. CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_NET_CLS_BPF=y CONFIG_BPF_JIT=y CONFIG_NET_CLS_ACT=y CONFIG_NET_SCH_INGRESS=y CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_USER_API_HASH=y through a compiler back end (e.g. LLVM), so that the kernel can later on map them through an in-kernel JIT compiler into native opcodes for optimal execution performance inside the kernel. The advantages for

Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous forwarding, encapsulation, etc. An in- kernel verifier ensures that BPF programs are safe to run and a JIT compiler converts the bytecode to CPU architecture specific instructions for native execution efficiency linked, either choice is valid. CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_NET_CLS_BPF=y CONFIG_BPF_JIT=y CONFIG_NET_CLS_ACT=y CONFIG_NET_SCH_INGRESS=y CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_USER_API_HASH=y