dynamically checking type correctness of whole programs
play

Dynamically checking type-correctness of whole programs (work newly - PowerPoint PPT Presentation

Mar 16, 2024 •21 likes •281 views

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/22 Wanted (naive version): check this! if (obj

  1. Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . – p.1/22

  2. Wanted (naive version): check this! if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } libcrunch . . . – p.2/22

  3. Wanted (naive version): check this! if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) libcrunch . . . – p.2/22

  4. Wanted (naive version): check this! if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary compatible � source compatible � reasonable performance � avoid being C-specific!* * mostly... libcrunch . . . – p.2/22

  5. This talk in one slide I will describe libcrunch , which is � an infrastructure for run-time type checking � encodes type checks as assertions � no guarantee of “safety” (but...) � support idiomatic unsafe code � checks inserted by per-language front-ends � no binary interface changes � no source changes, usually* (* but sometimes out-of-band guidance helps) libcrunch . . . – p.3/22

  6. Introducing libcrunch The user’s view: � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks where � myprog contains type assertions (we’ll see how) � normally “disabled” � enabled when libcrunch is linked in � compiler [wrapper] inserts assertions automatically libcrunch . . . – p.4/22

  7. What is run-time type checking? Check every program operation is “type-correct”, i.e. � program state is a collection of stored values � ... allocated as instances of some “data type” � data types signify meaning � operations consume and produce stored values... More precise definition wanted... � for C, plan to use Cerberus to create formal definition libcrunch . . . – p.5/22

  8. What checks are we interested in? Recall the example: if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } Primitive errors are not our concern � even C compilers check primitive type-correctness First-order and up � all about pointers � first cut: check casts (& implicit strengthenings) in C libcrunch . . . – p.6/22

  9. How it works, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } libcrunch . . . – p.7/22

  10. How it works, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, (assert( is a (obj, ” struct commit”)), // or something like this ( struct commit ∗ )obj))) return − 1; return 0; } libcrunch . . . – p.7/22

  11. How it works, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, (assert( is a (obj, ” struct commit”)), // or something like this ( struct commit ∗ )obj))) return − 1; return 0; } To make this work, we need: � type information on every allocation in program � efficient run-time representation of types is a function � fast � something to write these assertions for us libcrunch . . . – p.7/22

  12. Idealised view of libcrunch operation debugging information deployed binaries (with data-type assertions) (with allocation site information) /bin/ /lib/ /lib/ /bin/foo .debug/ .debug/ .c .f .cc .java libxyz.so foo libxyz.so precompute unique data types /bin/ libcrunch .uniqtyp/ .so foo.so load, link and run (ld.so) program image heap_index 0xdeadbeef, “Widget”? __is_a uniqtypes true libcrunch . . . – p.8/22

  13. Type info for each allocation Type info for allocation is reasonable because � ... to allocate, you need a size � three kinds of allocations: static, stack, heap � assume all heap allocators are instrumented... Assume we have debug info � handles stack and static cases libcrunch . . . – p.9/22

  14. What happens at run time? program image libdl __is_a (0xdeadbeec, “Widget”)? lookup (“Widget”) &__uniqtype_Widget lookup (0xdeadbeec) heap_index allocsite : 0x8901234, offset : 0xc __is_a lookup (0x8901234) allocsites &__uniqtype_Window find ( &__uniqtype_Window, &__uniqtype_Widget, uniqtypes 0xc) true found libcrunch . . . – p.10/22

  15. Looking up object metadata (1) Recall: need info about an arbitrary object’s allocation � ... given an arbitrary pointer Stack case � walk the stack + use debug info for locals/args Static case � use debug info Heap case � hard! might be an interior pointer � use clever virtual memory-based data structure (ask me) libcrunch . . . – p.11/22

  16. is a , containment... is a > 1 way A pointer might satisfy ���������� ���������������� ��� ��� ������������� ��� ��� ������������� ���������������� ��� � �� ���������������� �������� � � � Consider “what is ” � &my ellipse � &my ellipse.ctr � ... (Subclassing is usually implemented this way.) libcrunch . . . – p.12/22

  17. Efficiently reifying data types at run time struct ellipse { double maj, min; struct { double x, y; } ctr ; } ; “int” 4 0 __uniqtype__int “double” 8 0 __uniqtype__double 0 16 2 0 8 __uniqtype__anon0x123 “ellipse” 32 3 0 8 16 __uniqtype__ellipse ... Reify data types uniquely , describing containment � uniqueness → “exact type” test is a pointer comparison is a() is a simple, fast search through this structure � libcrunch . . . – p.13/22

  18. Other flavours of check is a is a nominal check, but we can also write like a – “1-structural” (unwrap one level) � phys a – “*-structural” (unwrap maximally) � refines – may instantiate padding (` a la sockaddr ) � named a – opaque workaround � libcrunch . . . – p.14/22

  19. Notes about memory correctness We (currently) do nothing about memory correctness! E.g. void f () { int a; int bs[2]; for ( int ∗ p = &bs[0]; p < = 2; ++p) { / ∗ ... ∗ / } } � bug-finding, not verification, not security... � faster! avoid per-pointer (cf. per-object) metadata � most memory-incorrect programs are type-incorrect... � could “force a cast” after pointer arithmetic SoftBound + CETS do a pretty good job � we could replicate them... libcrunch . . . – p.15/22

  20. Recap What we’ve just seen is � a runtime system for evaluating type assertions � fast (biggest slowdown seen 20%; often < 10%) � (by design) flexible � a “whole program” language-neutral design � binary compatible What about source compatibility? libcrunch . . . – p.16/22

  21. libcrunch prototype: C front-end Who inserts the assertions? � instrumentation: “one assertion per pointer cast” � analysis: “what data type is being malloc() ’d?” � ... guess from use of sizeof source tree ... main.c widget.c util.c ... main.i widget.i util.i .allocs .allocs .allocs CIL-based compiler front-end dump allocation sites (dumpallocs) instrument pointer casts libcrunch . . . – p.17/22

  22. Complications (1) With metadata � dynamic loading (merge uniqtypes) � non-standard alloc functions (explicit support) With compilers (currently false pos/negs) � address-taken temporaries (fix compiler for debug info) � varargs actuals � alloca() + assert() usually isn’t quite what you want... libcrunch . . . – p.18/22

  23. Complications (2) With the C front end (false pos or “intervention required”) � very weird uses of sizeof � weird avoidance of sizeof � char special case � object re-use � unions (but mostly doable! three cases; ask me) � some cases of multiple indirection cause false pos libcrunch . . . – p.19/22

  24. Brutal honesty moment: a real false positive void sort eight special ( void ∗∗ pt) { void ∗ tt [8]; register int i ; for ( i=0;i < 8;i++)tt [ i]=pt[ i ]; for ( i=XUP;i < =TUP;i++) { pt[i]=tt[2 ∗ i]; pt[OPP DIR(i)]=tt[2 ∗ i+1]; } } Client then does (making libcrunch print a warning) neighbor = ( int ∗∗ )calloc(NDIRS, sizeof ( int ∗ )); / ∗ ... ∗ / sort eight special (( void ∗∗ ) neighbor ); Question: is this valid C? libcrunch . . . – p.20/22

  25. What’s in it for REMS Check “agreement” between libcrunch and cerberus � inclusion, for the relevant subset of complaints Tool for exploring behaviour of real programs � good at turning up “dodgy” code (oft also “correct”!) Representative of a wider set of tools... � insight for bridging between source and run-time worlds � linking tie-in... libcrunch . . . – p.21/22

  26. Recap, conclusions We’ve seen � a runtime infrastructure for fast checking � a prototype C front-end Remaining challenges for the run-time part: � finish the paper... � multi-language story � support more complex specifications (“types”) Code is here: https://github.com/stephenrkell/ Thanks for listening. Questions? libcrunch . . . – p.22/22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd Fischer n.grech@ecs.soton.ac.uk Dynamically-typed languages Principal type of a variable is mutated through assignments: def plus2(a): if

1.47k views • 109 slides
Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft

Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft

Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft Joint work with Jonas Kastberg Hinrichsen, ITU Jesper Bengtson, ITU 4 June 2020 @ VEST Workshop, Online 1 Type checking message-passing programs

601 views • 25 slides
Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted (how it all started) if (obj &gt; type == OBJ

863 views • 29 slides
Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze

Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze

Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze (protze@itc.rwth-aachen.de) Motivation OpenMP 3 introduced tasks (2008) Several data race detection tools for OpenMP tasks popped up just last year How can

384 views • 16 slides
Run-time type checking of whole programs and other stories . Stephen Kell

Run-time type checking of whole programs and other stories . Stephen Kell

Run-time type checking of whole programs and other stories . Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/44 Wanted (naive version): check this! if (obj &gt; type == OBJ

572 views • 55 slides
Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan

Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan

Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan (UPenn) Andrew McGregor (UCSD) Memory Checking Memory Checking Your resources: A lot of cheap unreliable memory and a little expensive reliable

1.11k views • 70 slides
Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted if (obj &gt; type == OBJ COMMIT) { if (process commit(walker, ( struct commit )obj))

641 views • 62 slides
Functional Correctness Specification Formal Verification 15-214 Unit Testing Type

Functional Correctness Specification Formal Verification 15-214 Unit Testing Type

Functional Correctness Specification Formal Verification 15-214 Unit Testing Type Checking Statistic Analysis Requirements definition Inspections, Reviews 15-313 Integration/System/Acceptance/Regression/GUI/Bl

608 views • 45 slides
Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

COMP 520 Fall 2010 Type checking (1) Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks: determine the types of all expressions; check that values and variables are used correctly; and resolve

631 views • 30 slides
Dynamically diagnosing type errors in unsafe code Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically diagnosing type errors in unsafe code Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically diagnosing type errors in unsafe code Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 A definition ... dynamically type-safe [means] the behavior of any program, correct or not, can be

626 views • 29 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the

Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the

Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the question of type checking and type reconstruction. Given , t and T , check whether t : T Type checking: Given and t , find a type T

518 views • 28 slides
Higher-Order Model Checking III: Reducing Model Checking to Type Inference IV: Applications:

Higher-Order Model Checking III: Reducing Model Checking to Type Inference IV: Applications:

Higher-Order Model Checking III: Reducing Model Checking to Type Inference IV: Applications: Verifying Higher-order Functional Programs Luke Ong University of Oxford http://www.cs.ox.ac.uk/people/luke.ong/personal/ http://mjolnir.cs.ox.ac.uk

856 views • 26 slides
Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp .

Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp .

Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp . type ) type-exp int type-exp . type := integer type-exp bool type-exp . type := boolean type-exp 1 array type-exp 1 . type := [num] of

613 views • 7 slides
Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick Universitt Oldenburg February 2017 Intro Correctness Results Rel. Work Conclusion Extras Outline Correctness and Graph Programs 1

354 views • 24 slides
Type Systems for Concurrent Programs Na oki Koba ya shi T okyo Institute of T e c hnolog y

Type Systems for Concurrent Programs Na oki Koba ya shi T okyo Institute of T e c hnolog y

Type Systems for Concurrent Programs Na oki Koba ya shi T okyo Institute of T e c hnolog y Type Systems for Programming Languages Guarantee partial correctness of programs fun fact (n) = if n=0 then 1 else n fact(n-1); val fact =

504 views • 38 slides
Sound and Quasi-Complete Detection of Infeasible Test Requirements S ebastien Bardin CEA

Sound and Quasi-Complete Detection of Infeasible Test Requirements S ebastien Bardin CEA

Sound and Quasi-Complete Detection of Infeasible Test Requirements S ebastien Bardin CEA LIST, Software Safety Lab (Paris-Saclay, France) joint work with: Micka el Delahaye, Robin David, Nikolai Kosmatov, Mike Papadakis, Yves Le Traon,

680 views • 50 slides
Iterators basic list example Basic list trade-offs current refers to most recently

Iterators basic list example Basic list trade-offs current refers to most recently

Iterators basic list example Basic list trade-offs current refers to most recently accessed item Abstraction sacrifices efficiency To manipulate other parts of list (not just first, last) Function calls instead of direct

166 views • 3 slides
1 Java assert statement Java assert (cont.) an assert statement can be placed anywhere you

1 Java assert statement Java assert (cont.) an assert statement can be placed anywhere you

Assertions assertions communicate assumptions about the state of the program, and stop processing if they turn out to be false very often comments are statements about the state Assertions the program should be in but assertions can

61 views • 3 slides
CS 2334 Lab 8 Exceptions Exceptions provide a means of handling error conditions that arise

CS 2334 Lab 8 Exceptions Exceptions provide a means of handling error conditions that arise

CS 2334 Lab 8 Exceptions Exceptions provide a means of handling error conditions that arise in the course of program execution Example: The program prompts the user for a filename, and the use provides a nonexistent file Should

693 views • 36 slides
English Language Development Jessica Apland Haga clic aqu para ver la pgina en espaol Key

English Language Development Jessica Apland Haga clic aqu para ver la pgina en espaol Key

English Language Development Jessica Apland Haga clic aqu para ver la pgina en espaol Key Learning Outcomes In order to pass this class, students need to be able to... Technology Help Learning outcome one - - All assignments/quizzes

928 views • 69 slides
Context-free grammars (CFGs) Roadmap Last time RegExp == DFA Jlex: a tool for generating

Context-free grammars (CFGs) Roadmap Last time RegExp == DFA Jlex: a tool for generating

Context-free grammars (CFGs) Roadmap Last time RegExp == DFA Jlex: a tool for generating (Java code for) a lexer/scanner Mainly a collection of regexp, action pairs This time CFGs, the underlying abstraction for parsers

807 views • 62 slides
CSE130: Programming Languages Winter 2017 Mon&amp;Wed 6:30-7:50 PM Deian Stefan Who am I?

CSE130: Programming Languages Winter 2017 Mon&amp;Wed 6:30-7:50 PM Deian Stefan Who am I?

CSE130: Programming Languages Winter 2017 Mon&amp;Wed 6:30-7:50 PM Deian Stefan Who am I? Assistant Professor in CSE First time teaching undergrad class at UCSD Prior to UCSD: PhD at Stanford Research: building secure systems

492 views • 36 slides
Homework Assignment #6 (Due 10/27) From textbook CFLs and Regular Languages

Homework Assignment #6 (Due 10/27) From textbook CFLs and Regular Languages

Homework Assignment #6 (Due 10/27) From textbook CFLs and Regular Languages Exercise 7.1.5 a d Exercise 7.2.1 b,e Exercise 7.3.2 a Other problems Find a regular grammar that generates the language accepted by

464 views • 8 slides

More recommend