cyclone safe programming at the c level of abstraction
play

Cyclone: Safe Programming at the C Level of Abstraction Dan - PowerPoint PPT Presentation

Feb 05, 2023 •30 likes •860 views

Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University Joint work with: Trevor Jim (AT&T), Greg Morrisett, Michael Hicks (Maryland), James Cheney, Yanling Wang A safe C-level language Cyclone is a

  1. Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University Joint work with: Trevor Jim (AT&T), Greg Morrisett, Michael Hicks (Maryland), James Cheney, Yanling Wang

  2. A safe C-level language Cyclone is a programming language and compiler aimed at safe systems programming • C is not memory safe : void f(int* p, int i, int v) { p[i] = v; } • Address p+i might hold important data or code • Memory safety is crucial for reasoning about programs Spring 2003 Dan Grossman Cyclone

  3. A question of trust • We rely on our C-level software infrastructure to – not crash (or crash gracefully) – preserve data, restrict access, ... – serve customers, protect valuables, ... • Infrastructure is enormous – careful humans not enough • One safety violation breaks all isolation Memory safety is necessary for trustworthy systems Spring 2003 Dan Grossman Cyclone

  4. Safe low-level systems • For a safety guarantee today, use YFHLL Y our F avorite H igh L evel L anguage • YFHLL provides safety in part via: – hidden data fields and run-time checks – automatic memory management • Data representation and resource management are essential aspects of low-level systems • Write or extend your O/S with YFHLL? There are strong reasons for C-like languages Spring 2003 Dan Grossman Cyclone

  5. Some insufficient approaches • Compile C with extra information – type fields, size fields, live-pointer table, … – treats C as a higher-level language • Use static analysis – very difficult – less modular • Ban unsafe features – there are many – you need them Spring 2003 Dan Grossman Cyclone

  6. Cyclone: a combined approach Designed and implemented Cyclone, a safe C-level language • Advanced type system for safety-critical invariants • Flow analysis for tracking state changes • Exposed run-time checks where appropriate • Modern language features for common idioms Today: focus on type system Spring 2003 Dan Grossman Cyclone

  7. Cyclone reality • 130K lines of code, bootstrapped compiler, Linux / Cygwin / OS X, ... • All programs are safe (modulo interfacing to C) • Users control if/where extra fields and checks occur – checks can be needed (e.g., pointer arithmetic) • More annotations than C, but work hard to avoid it • Sometimes slower than C – 1x to 2x slowdown – can performance-tune more than in HLLs Spring 2003 Dan Grossman Cyclone

  8. The plan from here • Goals for the type system • Safe multithreading • Region-based memory management • Evaluation (single-threaded) • Related work • Future directions Spring 2003 Dan Grossman Cyclone

  9. Must be safe void f(int* p, int i, int v) { p[i] = v; 0 i n } ... p i v • All callers must ensure: – p is not NULL – p refers to an array of at least n ints – 0 <= i < n – p does not refer to deallocated storage – no other thread corrupts p or i Spring 2003 Dan Grossman Cyclone

  10. But not too restrictive void f(int* p, int i, int v) { p[i] = v; 0 i n ... } p i v • Different callers can have: – p refer to arrays of different lengths n – i be different integers such that 0 <= i < n – p refer to memory with different lifetimes – p refer to thread-local or thread-shared data Spring 2003 Dan Grossman Cyclone

  11. Design goals 1. Safe – can express necessary preconditions 2. Powerful – parameterized preconditions allow code reuse 3. Scalable – explicit types allow separate compilation 4. Usable – simplicity vs. expressiveness – most convenient for common cases – common framework for locks, lifetimes, array bounds, and abstract types Spring 2003 Dan Grossman Cyclone

  12. The plan from here • Goals for the type system • Safe multithreading • Region-based memory management • Evaluation (single-threaded) • Related work • Future directions Spring 2003 Dan Grossman Cyclone

  13. Safe multithreading: the problem Data race: one thread mutating some memory while another thread accesses it (w/o synchronization) 1. Pointer update must be atomic – possible on many multiprocessors if you’re careful 2. But writing addresses atomically is insufficient... Spring 2003 Dan Grossman Cyclone

  14. Data-race example struct SafeArr { int len; int* arr; }; p1 3 p2 5 if(p1->len > 4) *p1 = *p2; (p1->arr)[4] = 42; Spring 2003 Dan Grossman Cyclone

  15. Data-race example struct SafeArr { int len; int* arr; }; p1 3 p2 5 if(p1->len > 4) *p1 = *p2; (p1->arr)[4] = 42; change p1->len to 5 change p1->arr Spring 2003 Dan Grossman Cyclone

  16. Data-race example struct SafeArr { int len; int* arr; }; p1 3 p2 5 if(p1->len > 4) *p1 = *p2; (p1->arr)[4] = 42; change p1->len to 5 check p1->len > 4 write p1->arr[4] XXX change p1->arr Spring 2003 Dan Grossman Cyclone

  17. Preventing data races Reject at compile-time code that may have data races? • Limited power: problem is undecidable • Trivial if too limited: e.g., don’t allow threads • A structured solution: Require mutual exclusion on all thread-shared data Spring 2003 Dan Grossman Cyclone

  18. Lock types Type system ensures: For each shared data object, there exists a lock that a thread must hold to access the object • Basic approach for Java found many bugs [Flanagan et al] • Extensions allow other locking idioms and code reuse for shared/local data [Boyapati et al] Spring 2003 Dan Grossman Cyclone

  19. Lock-type contributions [TLDI 03] 1. Adapt the approach to a C-level language 2. Integrate parametric polymorphism 3. Integrate region-based memory management 4. Code reuse for thread-local and thread-shared data – simple rule to “keep local data local” 5. Proof for an abstract machine where data races violate safety Spring 2003 Dan Grossman Cyclone

  20. Cyclone multithreading • Multithreading language – terms – types • Limitations • Insight into why it’s safe Spring 2003 Dan Grossman Cyclone

  21. Multithreading terms • spawn( «f» , «p» , «sz» ) run f(p2) in a new thread (where *p2 is a shallow copy of *p and sz is the size of *p ) – thread initially holds no locks – thread terminates when f returns – creates shared data, but *p2 is thread-local • sync( «lk» ){ «s» } acquire lk , run s , release lk • newlock() create a new lock • nonlock a pseudo-lock for thread-local data Spring 2003 Dan Grossman Cyclone

  22. Examples, without types Suppose *p1 is shared (lock lk ) and *p2 is local Caller-locks Callee-locks void f(int* p) { void g(int* p, « use *p » lock_t l) { } sync(l){ « use *p » } } void caller() { void caller() { « ... » « ... » sync(lk){f(p1);} g(p1,lk); f(p2); g(p2,nonlock); } } Spring 2003 Dan Grossman Cyclone

  23. Types • Lock names in pointer types and lock types • int*`L is a type for pointers to locations guarded by a lock with type lock_t<`L> • Different locks cannot have the same name – lock_t<`L1> vs. lock_t<`L2> – this invariant will ensure mutual exclusion • Thread-local locations use lock name `loc lock names describe “what locks what” Spring 2003 Dan Grossman Cyclone

  24. Types for locks • nonlock has type lock_t<`loc> • newlock() has type ∃ `L. lock_t<`L> • Removing ∃ requires a fresh lock name – so different locks have different types – using ∃ is an established PL technique [ESOP 02] Spring 2003 Dan Grossman Cyclone

  25. Access rights Assign each program point a set of lock names: • if lk has type lock_t<`L> , sync( «lk» ){ «s» } adds `L • using location guarded by `L requires `L in set • functions have explicit preconditions – default: caller locks lock-name sets ensure code acquires the right locks (Lock names and lock-name sets do not exist at run-time) Spring 2003 Dan Grossman Cyclone

  26. Examples, with types Suppose *p1 is shared (lock lk ) and *p2 is local Caller-locks Callee-locks void f(int*`L p void g(int*`L p, ;{`L}) { lock_t<`L> l « use *p » ;{}) { } sync(l){ « use *p » } } void caller() { void caller() { « ... » « ... » sync(lk){f(p1);} g(p1,lk); f(p2); g(p2,nonlock); } } Spring 2003 Dan Grossman Cyclone

  27. Quantified lock types • Functions universally quantify over lock names • Existential types for data structures struct LkInt {<`L> // there exists a lock-name int*`L p; lock_t<`L> lk; }; • Type constructors for coarser locking struct List<`L> { // lock-name parameter int*`L head; struct List<`L>*`L tail; }; Spring 2003 Dan Grossman Cyclone

  28. Lock types so far 1. Safe – lock names describe what locks what – lock-name sets prevent unsynchronized access 2. Powerful – universal quantification for code reuse – existential quantification and type constructors for data with different locking granularities 3. Scalable – type-checking intraprocedural 4. Usable – default caller-locks idiom – bias toward thread-local data Spring 2003 Dan Grossman Cyclone

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cyclone A Very Short Introduction Dan Grossman Cornell University Computer Science Cyclone

Cyclone A Very Short Introduction Dan Grossman Cornell University Computer Science Cyclone

Cyclone A Very Short Introduction Dan Grossman Cornell University Computer Science Cyclone Very Short Introduction, June 2001 Cyclone in One Slide A safe, convenient, and modern language/compiler at the C level of abstraction Safe:

69 views • 6 slides
Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work

Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work

Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&amp;T), Michael Hicks, James Cheney, Yanling Wang Cyclone A safe C-level language Safe: Memory

442 views • 29 slides
Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today

Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today

Chair of Softw are Engineering Einfhrung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today Abstraction, especially

167 views • 12 slides
Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of

Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of

Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of Informatics The University of Edinburgh Monday 17 March 2008 Semester 2 Week 11 Coursework Statistics Total of 30 submissions, with all topics

554 views • 23 slides
Programming Languages: Abstraction Onur Tolga S ehito glu Computer Engineering 18 March

Programming Languages: Abstraction Onur Tolga S ehito glu Computer Engineering 18 March

Programming Languages:Abstraction Programming Languages: Abstraction Onur Tolga S ehito glu Computer Engineering 18 March 2008 Programming Languages:Abstraction Outline 3 Parameters 1 Abstraction 4 Parameter Passing Mechanisms

325 views • 20 slides
CUB: A pattern of collective software design, abstraction, and reuse for kernel-level

CUB: A pattern of collective software design, abstraction, and reuse for kernel-level

CUB: A pattern of collective software design, abstraction, and reuse for kernel-level programming DUANE MERRILL, PH.D. NVIDIA RESEARCH What is CUB ? 1. A design model for collective kernel-level primitives How to make reusable software

1.14k views • 72 slides
Object-Oriented Programming 1908 Harry Beck, 1933 Abstraction Abstraction is the process of

Object-Oriented Programming 1908 Harry Beck, 1933 Abstraction Abstraction is the process of

Object-Oriented Programming 1908 Harry Beck, 1933 Abstraction Abstraction is the process of capturing only those ideas about a concept that are relevant to the current situation. Irrelevant ideas are left out. Abstraction Control

335 views • 14 slides
The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot;

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot;

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot; the human level to the physical level? &quot; the decide level to the action level? MDPs are great, search is great,

676 views • 31 slides
Lecture #24: Programming Languages and Programs Metalinguistic Abstraction A programming

Lecture #24: Programming Languages and Programs Metalinguistic Abstraction A programming

Lecture #24: Programming Languages and Programs Metalinguistic Abstraction A programming language is a notation for describing computations Weve created abstractions of actionsfunctionsand of things or processes. classes.

169 views • 4 slides
Lecture #25: Programming Languages and Programs Metalinguistic Abstraction A programming

Lecture #25: Programming Languages and Programs Metalinguistic Abstraction A programming

Lecture #25: Programming Languages and Programs Metalinguistic Abstraction A programming language, is a notation for describing computations Weve created abstractions of actionsfunctionsand of things or processes. classes.

324 views • 4 slides
Today Higher-level programming languages as an abstraction layer, using compiler or

Today Higher-level programming languages as an abstraction layer, using compiler or

Today Higher-level programming languages as an abstraction layer, using compiler or interpreter i il i t t To understand security problems in software, we may have to To understand security problems in software, we may have to

976 views • 73 slides
Are objects the right level of abstraction to enable the convergence between HPC and Big Data at

Are objects the right level of abstraction to enable the convergence between HPC and Big Data at

Are objects the right level of abstraction to enable the convergence between HPC and Big Data at storage level? Pierre Matri*, Alexandru Costan , Gabriel Antoniu , Jess Montes*, Mara S. Prez *, Luc Boug * Universidad

822 views • 44 slides
Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to

Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to

Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to values don t need to know which register or memory location Provides abstraction of underlying hardware operations do not depend on

411 views • 20 slides
Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to

Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to

Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to values don t need to know which register or memory location Provides abstraction of underlying hardware operations do not depend on

363 views • 10 slides
JMA/ WMO WORKSHOP ON EFFECTI VE TROPI CAL CYCLONE WARNI NG I N SOUTHEAST ASI A TROPI CAL CYCLONE

JMA/ WMO WORKSHOP ON EFFECTI VE TROPI CAL CYCLONE WARNI NG I N SOUTHEAST ASI A TROPI CAL CYCLONE

JMA/ WMO WORKSHOP ON EFFECTI VE TROPI CAL CYCLONE WARNI NG I N SOUTHEAST ASI A TROPI CAL CYCLONE MONI TORI NG I N LAO PDR TOKYO, JAPAN 11 14 March 2014 Ministry of Natural Resource and Environment (MONRE) Department of Meteorology and

225 views • 18 slides
Einfhrung in die Programmierung Einfhrung in die Programmierung Introduction to Programming

Einfhrung in die Programmierung Einfhrung in die Programmierung Introduction to Programming

Chair of Softw are Engineering Einfhrung in die Programmierung Einfhrung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 9: Abstraction Topics for today Abstraction, especially functional abstraction b

501 views • 29 slides
Operating System Basics CS 111 Operating Systems Peter Reiher Lecture 2 CS 111 Page 1 Fall

Operating System Basics CS 111 Operating Systems Peter Reiher Lecture 2 CS 111 Page 1 Fall

Operating System Basics CS 111 Operating Systems Peter Reiher Lecture 2 CS 111 Page 1 Fall 2015 Outline Important properties for an operating system Critical abstractions for operating systems System services Lecture 2 CS 111

656 views • 64 slides
Compiler Construction Lecture 17: Code Generation III (Implementation of Static Data Structures)

Compiler Construction Lecture 17: Code Generation III (Implementation of Static Data Structures)

Compiler Construction Lecture 17: Code Generation III (Implementation of Static Data Structures) Thomas Noll Lehrstuhl f ur Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de

295 views • 25 slides
The Translation of C Saarbrcken + Mnchen 1 Structure of a compiler: Internal representation

The Translation of C Saarbrcken + Mnchen 1 Structure of a compiler: Internal representation

Reinhard Wilhelm + Helmut Seidl The Translation of C Saarbrcken + Mnchen 1 Structure of a compiler: Internal representation Source program Frontend (Syntax tree) Optimizations Internal representation Code Program for generation

1.24k views • 89 slides
Important From Last Time Embedded C Pros and cons Macros and how to avoid them

Important From Last Time Embedded C Pros and cons Macros and how to avoid them

Important From Last Time Embedded C Pros and cons Macros and how to avoid them Intrinsics Interrupt syntax Interrupt syntax Inline assembly Today Advanced C What C programs mean How to create C

669 views • 44 slides
Syntax &amp; environments determine meaning Initial state of abstract machine: h e ; ;

Syntax &amp; environments determine meaning Initial state of abstract machine: h e ; ;

Syntax &amp; environments determine meaning Initial state of abstract machine: h e ; ; ; i Syntax &amp; environments determine meaning Initial state of abstract machine: h e ; ; ; i State i is h e ; ;

856 views • 30 slides
Rewriting Part 1. Abstract Reduction Temur Kutsia RISC, JKU Linz Literature Franz Baader

Rewriting Part 1. Abstract Reduction Temur Kutsia RISC, JKU Linz Literature Franz Baader

Rewriting Part 1. Abstract Reduction Temur Kutsia RISC, JKU Linz Literature Franz Baader and Tobias Nipkow. Term Rewriting and All That. Cambridge University Press, 1998. Books home page:

1.61k views • 139 slides
Termination of Abstract Reduction Systems Jeremy E. Dawson and Rajeev Gor e Logic &amp;

Termination of Abstract Reduction Systems Jeremy E. Dawson and Rajeev Gor e Logic &amp;

Termination of Abstract Reduction Systems Jeremy E. Dawson and Rajeev Gor e Logic &amp; Computation Programme Automated Reasoning Group National ICT Australia Computer Sciences Laboratory Res. Sch. of Inf. Sci. and Eng. Australian National

425 views • 21 slides
Seminar Decision Procedures and Applications Background Information: Part II Viorica

Seminar Decision Procedures and Applications Background Information: Part II Viorica

Seminar Decision Procedures and Applications Background Information: Part II Viorica Sofronie-Stokkermans University Koblenz-Landau 25 June 2019 1 Brief Introduction to Term Rewriting Equality is the most important relation in mathematics

687 views • 37 slides

More recommend