dynamically checking types and bounds with libcrunch
play

Dynamically checking types and bounds with libcrunch Stephen Kell - PowerPoint PPT Presentation

Feb 29, 2024 •21 likes •641 views

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted if (obj > type == OBJ COMMIT) { if (process commit(walker, ( struct commit )obj))

  1. Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1

  2. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } 2

  3. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) 2

  4. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary-compatible � source-compatible � reasonable performance � avoid being C-specific!* * mostly... 2

  5. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends 3

  6. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally 3

  7. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks 3

  8. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks � myprog: Failed is a internal(0x5a1220, 0x413560 a.k.a. "uint$32") at 0x40dade, allocation was a heap block of int$32 originating at 0x40daa1 3

  9. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks � myprog: Failed is a internal(0x5a1220, 0x413560 a.k.a. "uint$32") at 0x40dade, allocation was a heap block of int$32 originating at 0x40daa1 struct { int x; float y; } z; int ∗ x1 = &z.x; // ok int ∗ x2 = ( int ∗ ) &z; // check passes int ∗ y1 = ( int ∗ ) &z.y; // check fails ! int ∗ y2 = &((&z.x )[1]); // use SoftBound return &z; // use CETS 3

  10. How it works for C code, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } 4

  11. How it works for C code, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, (assert( is a (obj, ” struct commit”)), ( struct commit ∗ )obj))) return − 1; return 0; } 4

  12. How it works for C code, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, (assert( is a (obj, ” struct commit”)), ( struct commit ∗ )obj))) return − 1; return 0; } Want a runtime with the power to � tracking allocations � with type info � efficiently � → fast is a() function 4

  13. The invariant for C To enforce “all memory accesses respect allocated type”: � every live pointer respects its contract (pointee type) � must also check unsafe loads/stores not via pointers � unions, varargs Most contracts are just “points to declared pointee” � void** and family are subtler (not void* ) 5

  14. Type info for each allocation What is an allocation? � static memory � stack memory � heap memory � returned by malloc() – “level 1” allocation � returned by mmap() – “level 0” allocation � (maybe) memory issued by user allocators... Runtime keeps indexes for each kind of memory... 6

  15. Hierarchical model of allocations mmap(), sbrk() custom heap (e.g. libc malloc() custom malloc() Hotspot GC) obstack gslice (+ malloc) client code client code client code client code client code 7

  16. A small departure from standard C 6 The effective type of an object for an access to its stored value is the declared type of the object, if any. 87) If a value is stored into an object having no declared type through an lvalue having a type that is not a character type, then the type of the lvalue becomes the effective type of the object for that access and for subsequent accesses that do not modify the stored value. If a value is copied into an object having no declared type using memcpy or memmove , or is copied as an array of character type, then the effective type of the modified object for that access and for subsequent accesses that do not modify the value is the effective type of the object from which the value is copied, if it has one. For all other accesses to an object having no declared type, the effective type of the object is simply the type of the lvalue used for the access. 8

  17. A small departure from standard C 6 The effective type of an object for an access to its stored value is the declared type of the object, if any. 87) If a value is stored into an object having no declared type through an lvalue having a type that is not a character type, then the type of the lvalue becomes the effective type of the object for that access and for subsequent accesses that do not modify the stored value. If a value is copied into an object having no declared type using memcpy or memmove , or is copied as an array of character type, then the effective type of the modified object for that access and for subsequent accesses that do not modify the value is the effective type of the object from which the value is copied, if it has one. For all other accesses to an object having no declared type, the effective type of the object is simply the type of the lvalue used for the access. Instead: � all allocations have ≤ 1 effective type � stack, locals / actuals: use declared types � heap, alloca() : use allocation site (+ finesse) � trap memcpy() and reassign type 8

  18. What data type is being malloc() ’d? � ... infer from use of sizeof � dump typed allocation sites from compiler Inference: intraprocedural “sizeofness” analysis � e.g. size t sz = sizeof (struct Foo); /* ... */; malloc(sz); � some subties: e.g. malloc(sizeof (Blah) + n * sizeof (Foo)) source tree ... main.c widget.c util.c ... main.i widget.i util.i .allocs .allocs .allocs 9 CIL-based compiler front-end

  19. Challenges � typed stack storage � typed heap storage � support custom heap allocators � support nested heap allocators � fast run-time metadata � robustness to basic C idiom e.g. integer ↔ pointer � polymorphic allocation sites (e.g. sizeof (void*) ) � subtler C features (function pointers, varargs, unions) � understanding the invariant (“no bad pointers, if ...”) � relating to C standard 10

  20. Performance data: C-language SPEC CPU2006 benchmarks bench normal/ s crunch % nopreload onlymeta 4 . 95 +6 . 8 % +1 . 4 % +2 . 6 % bzip2 0 . 983 +160 % +14 . 9 % gcc – % 14 . 6 +11 % +2 . 0 % +4 . 1 % gobmk h264ref 10 . 1 +3 . 9 % +2 . 9 % +0 . 9 % hmmer 2 . 16 +8 . 3 % +3 . 7 % +3 . 7 % lbm 3 . 42 +9 . 6 % +1 . 7 % +2 . 0 % mcf 2 . 48 +12 % ( − 0 . 5 %) +3 . 6 % milc 8 . 78 +38 % +5 . 4 % +0 . 5 % sjeng 3 . 33 +1 . 5 % ( − 1 . 3 %) +2 . 4 % sphinx3 1 . 60 +13 % +0 . 0 % +8 . 7 % perlbench 11

  21. State of play � libcrunch is now pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � does not check memory correctness 12

  22. State of play � libcrunch is now pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � does not check memory correctness struct { int x; float y; } z; int ∗ x1 = &z.x; // ok int ∗ x2 = ( int ∗ ) &z; // check passes int ∗ y1 = ( int ∗ ) &z.y; // check fails ! int ∗ y2 = &((&z.x )[1]); // use SoftBound return &z; // use CETS 12

  23. State of play � libcrunch is now pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � does not check memory correctness struct { int x; float y; } z; int ∗ x1 = &z.x; // ok int ∗ x2 = ( int ∗ ) &z; // check passes int ∗ y1 = ( int ∗ ) &z.y; // check fails ! int ∗ y2 = &((&z.x )[1]); // ∗∗∗ return &z; // use CETS 12

  24. Plenty of existing tools do bounds checking Memcheck (coarse), ASan (fine-ish), SoftBound (fine) ... � detect out-of-bounds pointer/array use � first two also catch some temporal errors � can run under libcrunch and [then] ... Problems remaining: � overhead at best 50–100% (ASan & SoftBound) � problems mixing uninstrumented code (libraries) � false positives for some idiomatic code! 13

  25. Existing bounds checkers use per-pointer metadata p_base x 3.5 ctr y 8.0 maj 2 min 7 p_e = &my_ellipses[1] x 1.0 ctr y 1.5 ellipse struct ellipse { maj 5 struct point { min 8 double x, y; x 6.5 ctr } ctr; y -2.0 double maj; maj 4 double min; min 4 } my_ellipses[3]; p_limit 14

  26. Existing bounds checkers use per-pointer metadata struct ellipse { x 3.5 ctr struct point { y 8.0 double x, y; maj 2 } ctr; p_base min 7 double maj; p_ d = &p_e->ctr.x x 1.0 double double min; ctr p_limit y 1.5 } my_ellipses[3]; maj 5 min 8 x 6.5 ctr y -2.0 maj 4 min 4 14

  27. Without type information, pointer bounds lose precision struct ellipse { x 3.5 ctr struct point { y 8.0 double x, y; maj 2 } ctr; p_base min 7 double maj; p_ f = (ellipse*) p_d x 1.0 double min; ctr p_limit y 1.5 } my_ellipses[3]; ellipse maj 5 min 8 x 6.5 ctr y -2.0 maj 4 min 4 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted (how it all started) if (obj > type == OBJ

863 views • 29 slides
Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/22 Wanted (naive version): check this! if (obj

281 views • 26 slides
Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd Fischer n.grech@ecs.soton.ac.uk Dynamically-typed languages Principal type of a variable is mutated through assignments: def plus2(a): if

1.47k views • 109 slides
INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types and type checking Intro Various types and their representation Equality of types Type checking 2 / 43 Outline 1. Types and type checking Intro

1.11k views • 43 slides
Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010 Beyond Code Injection 1.Injection An application includes an Dependent on application-specific unintended run-time program

595 views • 20 slides
Run-time type checking of whole programs and other stories . Stephen Kell

Run-time type checking of whole programs and other stories . Stephen Kell

Run-time type checking of whole programs and other stories . Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/44 Wanted (naive version): check this! if (obj > type == OBJ

572 views • 55 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology July 8th, 2013 Algorithmic Meta-Theorems Positive results Negative results Problem X is tractable. Problem X is hard. Model Checking Lower

912 views • 62 slides
Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types Micro-Haskell: crash course MH Types & Abstract Syntax Type Checking Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex Simpson School of Informatics University of Edinburgh

574 views • 26 slides
Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as objects Arrays of objects Command-line arguments Variable-length parameter lists Multidimensional arrays Java Foundations, 3rd Edition,

628 views • 59 slides
Process-wide type and bounds checking (via an alliance of many language implementations) Stephen

Process-wide type and bounds checking (via an alliance of many language implementations) Stephen

Process-wide type and bounds checking (via an alliance of many language implementations) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Join me, and together we can rule all the languages

849 views • 70 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Types for complexity-checking Franc ois Pottier May 20th, 2010 1 / 57 In this talk I would

Types for complexity-checking Franc ois Pottier May 20th, 2010 1 / 57 In this talk I would

Types for complexity-checking Franc ois Pottier May 20th, 2010 1 / 57 In this talk I would like to talk about how to use types for complexity-checking; how to do this in an expressive programming language, such as ML (with

615 views • 57 slides
Lab 7: Code checking tools Background on memory allocation Types of problem Uninitialized

Lab 7: Code checking tools Background on memory allocation Types of problem Uninitialized

Code checking tools Lab 7: Code checking tools Background on memory allocation Types of problem Uninitialized Comp Sci 1585 values Invalid read / write Data Structures Lab: Mis-used delete Tools for Computer Scientists Memory leaks

447 views • 17 slides
Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types

Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types

Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types for Object Ownership Ilya Sergey 14 November 2012 Types A type - is a set of data instances and operations on them true , false boolean =

1.27k views • 86 slides
BitTorrent-based credit systems BitTorrent - reminder tracker: keeps a record of every

BitTorrent-based credit systems BitTorrent - reminder tracker: keeps a record of every

On the sustainability of BitTorrent-based credit systems BitTorrent - reminder tracker: keeps a record of every transaction, peer and swarm private communities: own incentive policies sharing ratio enforcement, credit amount checking

576 views • 13 slides
Crunch: Search-based Hierarchy Genera4on for State Machines

Crunch: Search-based Hierarchy Genera4on for State Machines

Crunch: Search-based Hierarchy Genera4on for State Machines Mathew Hall University of Sheffield Background State machines Reverse engineered

597 views • 15 slides
Simplifying Big Data with Apache Crunch Micah Whitacre @mkwhit Semantic Chart Search Medical

Simplifying Big Data with Apache Crunch Micah Whitacre @mkwhit Semantic Chart Search Medical

Simplifying Big Data with Apache Crunch Micah Whitacre @mkwhit Semantic Chart Search Medical Alerting System Cloud Based EMR Population Health Management Problem moves from scaling architecture ... Problem moves from not only scaling

1.25k views • 86 slides
Tips for Facilitating Conversations Bonner Consulting MAKING NONPROFITS STRONGER Welcome How

Tips for Facilitating Conversations Bonner Consulting MAKING NONPROFITS STRONGER Welcome How

Around the Table South Tips for Facilitating Conversations Bonner Consulting MAKING NONPROFITS STRONGER Welcome How many of you have hosted a similar conversation? What are your biggest concerns or questions that you hope I will address

491 views • 12 slides
CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations,

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations,

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations, Variables Owen Arden UC Santa Cruz Based on course materials developed by Ranjit Jhala Lets Write a Compiler! Our goal is to write a compiler which

658 views • 18 slides
You Dont Have to Crunch How to avoid Crunch, and how to Crunch well if you didnt. Crunch!

You Dont Have to Crunch How to avoid Crunch, and how to Crunch well if you didnt. Crunch!

You Dont Have to Crunch How to avoid Crunch, and how to Crunch well if you didnt. Crunch! An ugly monster that eats time, money, and energy; then spits out buggy games and unhappy employees! Why Crunch Happens Because you suck,

492 views • 14 slides
March 12-14 ictcm.com | #ICTCM 32 nd International Conference on Technology in Collegiate

March 12-14 ictcm.com | #ICTCM 32 nd International Conference on Technology in Collegiate

32 nd International Conference on Technology in Collegiate Mathematics ORLANDO, FL March 12-14 ictcm.com | #ICTCM 32 nd International Conference on Technology in Collegiate Mathematics ORLANDO, FL | MARCH 12-14 #ICTCM MyLab Stats &

317 views • 20 slides
BiqCrunch: a semidefinite-based solver for binary quadratic problems Nathan Krislock PIMS

BiqCrunch: a semidefinite-based solver for binary quadratic problems Nathan Krislock PIMS

BiqCrunch: a semidefinite-based solver for binary quadratic problems Nathan Krislock PIMS Postdoctoral Fellow, Computer Science University of British Columbia, Canada Pacific Institute for the Mathematical Sciences Canadian Discrete and

690 views • 26 slides

More recommend