dynamically diagnosing type errors in unsafe code
play

Dynamically diagnosing type errors in unsafe code Stephen Kell - PowerPoint PPT Presentation

Dec 12, 2022 •323 likes •626 views

Dynamically diagnosing type errors in unsafe code Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 A definition ... dynamically type-safe [means] the behavior of any program, correct or not, can be

  1. Dynamically diagnosing type errors in unsafe code Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1

  2. A definition “... dynamically type-safe [means] the behavior of any program, correct or not, can be easily understood in terms of the source-level language semantics.” 2

  3. A definition “... dynamically type-safe [means] the behavior of any program, correct or not, can be easily understood in terms of the source-level language semantics.” —Ungar, Spitz and Ausch, Constructing a Metacircular Virtual Machine in an Exploratory Programming Environment 2

  4. A definition “... dynamically type-safe [means] the behavior of any program, correct or not, can be easily understood in terms of the source-level language semantics.” —Ungar, Spitz and Ausch, Constructing a Metacircular Virtual Machine in an Exploratory Programming Environment 2

  5. A definition “... dynamically type-safe [means] the behavior of any program, correct or not, can be easily understood in terms of the source-level language semantics.” —Ungar, Spitz and Ausch, Constructing a Metacircular Virtual Machine in an Exploratory Programming Environment “Type safety” [at run time] is really about debugging ! 2

  6. A definition “... dynamically type-safe [means] the behavior of any program, correct or not, can be easily understood in terms of the source-level language semantics.” —Ungar, Spitz and Ausch, Constructing a Metacircular Virtual Machine in an Exploratory Programming Environment “Type safety” [at run time] is really about debugging ! � clean error reports are better than corrupting errors � ... would be nice even in unsafe languages , like C 2

  7. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } 3

  8. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) 3

  9. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary-compatible � source-compatible � ... for real, idiomatic code in (say) C � reasonable performance 3

  10. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary-compatible � source-compatible � ... for real, idiomatic code in (say) C � reasonable performance Enter libcrunch , which does the above. 3

  11. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends 4

  12. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally 4

  13. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks 4

  14. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks � myprog: Failed is a internal(0x5a1220, 0x413560 a.k.a. "uint$32") at 0x40dade, allocation was a heap block of int$32 originating at 0x40daa1 Reminiscent of Valgrind (Memcheck), but different... � not checking memory definedness, in-boundsness, etc.. � ... in fact, assume correct w.r.t. these! � provide & exploit run-time type information 4

  15. Sketch of the instrumentation for C if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } 5

  16. Sketch of the instrumentation for C if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( CHECK ( is a (obj, ”struct commit”)), ( struct commit ∗ )obj))) return − 1; return 0; } 5

  17. Sketch of the instrumentation for C if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( CHECK ( is a (obj, ”struct commit”)), ( struct commit ∗ )obj))) return − 1; return 0; } Need a runtime which is a() function � provides a fast � ... and a few other flavours of check � by efficiently tracking allocations � ... and attaching reified type info 5

  18. Reified, unique data types (see my Onward! 2015 paper about liballocs ) struct ellipse { double maj, min; struct point { double x, y; } ctr ; } ; “int” 4 0 __uniqtype__int “double” 8 0 __uniqtype__double 0 16 2 0 8 __uniqtype__point “ellipse” 32 3 0 8 16 __uniqtype__ellipse ... � also model: stack frames, functions, pointers, arrays, ... � unique → “exact type” test is a pointer comparison is a() is a short search over containment edges � 6

  19. Is it really that simple? What about...? � untyped malloc() et al. � opaque pointers, a.k.a. void* � conversion of pointers to integers and back � function pointers � pointers to pointers � “simulated subtyping” � { custom, nested } heap allocators � alloca() � “sloppy” (non-standard-compliant) code � unions, varargs, memcpy() 7

  20. Is it really that simple? What about...? � untyped malloc() et al. � opaque pointers, a.k.a. void* � conversion of pointers to integers and back � function pointers � pointers to pointers � “simulated subtyping” � { custom, nested } heap allocators � alloca() � “sloppy” (non-standard-compliant) code � unions, varargs, memcpy() 7

  21. What data type is being malloc() ’d? Use intraprocedural “sizeofness” analysis size t sz = sizeof (struct Foo); /* ... */ malloc(sz); Sizeofness propagates, a bit like dimensional analysis. 8

  22. What data type is being malloc() ’d? Use intraprocedural “sizeofness” analysis size t sz = sizeof (struct Foo); /* ... */ malloc(sz); Sizeofness propagates, a bit like dimensional analysis. malloc(sizeof (Blah) + n * sizeof (struct Foo)) 8

  23. What data type is being malloc() ’d? Use intraprocedural “sizeofness” analysis size t sz = sizeof (struct Foo); /* ... */ malloc(sz); Sizeofness propagates, a bit like dimensional analysis. malloc(sizeof (Blah) + n * sizeof (struct Foo)) Dump typed allocation sites from compiler, for later pick-up source tree ... main.c widget.c util.c ... main.i widget.i util.i .allocs .allocs .allocs 8

  24. Polymorphism via multiply-indirected void void sort eight special ( void ∗∗ pt) { void ∗ tt [8]; register int i ; for ( i=0;i < 8;i++)tt [ i]=pt[ i ]; for ( i=XUP;i < =TUP;i++) { pt[i]=tt[2 ∗ i]; pt[OPP DIR(i)]=tt[2 ∗ i+1]; } } neighbor = ( int ∗∗ )calloc(NDIRS, sizeof ( int ∗ )); sort eight special (( void ∗∗ ) neighbor ); // < −− must allow! � solution: tolerate casts from T** to void** ... � and check writes through void** � ... against the underlying object type (here int *[] ) 9

  25. Performance data: C-language SPEC CPU2006 benchmarks bench normal/ s crunch % nopreload bzip2 +6 . 8 % +1 . 4 % 4 . 95 gcc 0 . 983 +160 % – % gobmk +11 % +2 . 0 % 14 . 6 h264ref 10 . 1 +3 . 9 % +2 . 9 % hmmer 2 . 16 +8 . 3 % +3 . 7 % lbm 3 . 42 +9 . 6 % +1 . 7 % mcf +12 % ( − 0 . 5 %) 2 . 48 milc 8 . 78 +38 % +5 . 4 % sjeng +1 . 5 % ( − 1 . 3 %) 3 . 33 sphinx3 1 . 60 +13 % +0 . 0 % perlbench 10

  26. Experience on “correct” code run-time false positives benchmark compile fixes instances unique (of which...) total unhelpful bzip2 0 48 3 3 3 × 10 5 gcc 1 14 3 gobmk 0 0 0 0 h264ref 2 27 2 0 hmmer 0 0 0 0 5 × 10 7 lbm 0 8 0 mcf 0 0 0 0 milc 0 0 0 0 sjeng 0 0 0 0 sphinx3 0 0 0 0 11

  27. A “helpful” false positive? typedef double LBM Grid[SIZE Z ∗ SIZE Y ∗ SIZE X ∗ N CELL ENTRIES]; typedef LBM Grid ∗ LBM GridPtr; #define MAGIC CAST(v) (( unsigned int ∗ ) (( void ∗ ) (&(v)))) #define FLAG VAR(v) unsigned int ∗ const aux = MAGIC CAST(v) // ... \ #define TEST FLAG(g,x,y,z,f) (( ∗ MAGIC CAST(GRID ENTRY(g, x, y, z, FLAGS))) & (f)) #define SET FLAG(g,x,y,z,f) \ { FLAG VAR(GRID ENTRY(g, x, y, z, FLAGS)); ( ∗ aux ) | = (f); } 12

  28. Future work: shopping list for a safe implementation of C − ǫ � check memcpy() , realloc() , etc.. � add a bounds checker (improve on SoftBound) � add a GC (precise! improve on Boehm) � check unions and varargs � always initialize pointers � check unsafe writes through char* � safely address-takeable union members (!) Good prospects for all of the above! (ask me) 13

  29. Conclusions Checking pointer casts can be made efficient and helpful � source- and binary-compatible � low overhead, convenient to use (e.g. no rebuilds) � good prospects for extension Code is here: http://github.com/stephenrkell/libcrunch/ Thanks for your attention. Questions? 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Diagnosing Type Errors with Class Danfeng Zhang Dimitrios Vytiniotis Simon Peyton-Jones Andrew

Diagnosing Type Errors with Class Danfeng Zhang Dimitrios Vytiniotis Simon Peyton-Jones Andrew

Diagnosing Type Errors with Class Danfeng Zhang Dimitrios Vytiniotis Simon Peyton-Jones Andrew C. Myers Cornell University MSR Cambridge PLDI 2015 Distinguished Paper Award Error localization is difficult for ML type systems It is a

577 views • 32 slides
The importance of meaning Diagnosing Diagnosing meaning errors meaning errors Detmar Meurers

The importance of meaning Diagnosing Diagnosing meaning errors meaning errors Detmar Meurers

ICALL: Part III ICALL: Part III The importance of meaning Diagnosing Diagnosing meaning errors meaning errors Detmar Meurers Detmar Meurers Universit at T ubingen Universit at T ubingen Intelligent Computer-Assisted Language

149 views • 11 slides
On the Use of Underspecified Data-Type Semantics for Type Safety in Low-Level Code Hendrik Tews 1

On the Use of Underspecified Data-Type Semantics for Type Safety in Low-Level Code Hendrik Tews 1

Introduction Basics Type Errors Stronger Encodings Type Sensitivity Conclusion On the Use of Underspecified Data-Type Semantics for Type Safety in Low-Level Code Hendrik Tews 1 , Marcus V olp 1 , Tjark Weber 2 1 Technische Universit at

559 views • 40 slides
How willing are you to be wrong? Type I and Type II Errors Type 1, Type II Errors and Power

How willing are you to be wrong? Type I and Type II Errors Type 1, Type II Errors and Power

How willing are you to be wrong? Type I and Type II Errors Type 1, Type II Errors and Power Distribution of means for reference data Distribution of a.k.a. Ho means for my data 5% of the data (the upper tail) is shaded, we will allow the

320 views • 14 slides
Review Ch 1-5 Executing code Compile code (convert from C++ to computer code) - Syntax errors

Review Ch 1-5 Executing code Compile code (convert from C++ to computer code) - Syntax errors

Review Ch 1-5 Executing code Compile code (convert from C++ to computer code) - Syntax errors will prevent compilation Run code - Runtime errors will crash your program - Logic errors will make your program give the wrong output Syntax =

192 views • 15 slides
Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd Fischer n.grech@ecs.soton.ac.uk Dynamically-typed languages Principal type of a variable is mutated through assignments: def plus2(a): if

1.47k views • 109 slides
Code Enforcement, Unsafe Buildings &amp; The Neighborhood Investment Committee COMBATING VACANCY

Code Enforcement, Unsafe Buildings &amp; The Neighborhood Investment Committee COMBATING VACANCY

Code Enforcement, Unsafe Buildings &amp; The Neighborhood Investment Committee COMBATING VACANCY &amp; BLIGHT IN MUNCIE, IN Code Enforcement (Building Commissioners Office) Weeds Occupied Housing Meth Labs Trash &amp; Debris in

437 views • 17 slides
Type-II errors of independence tests can lead to arbitrarily large errors in estimated causal

Type-II errors of independence tests can lead to arbitrarily large errors in estimated causal

Type-II errors of independence tests can lead to arbitrarily large errors in estimated causal effects: an illustrative example Workshop UAI 2014 Nicholas Cornia &amp; Joris M. Mooij University of Amsterdam 27/07/2014 Problem Setting 1

284 views • 26 slides
Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size,

Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size,

Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size, power, and bootstrapping Statistics 101 Thomas Leininger June 3, 2013 Decision errors Type 1 and Type 2 errors Decision errors Hypothesis tests

468 views • 27 slides
Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size,

Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size,

Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size, power, and bootstrapping Statistics 101 Thomas Leininger June 3, 2013 Decision errors Decision errors 1 Type 1 and Type 2 errors Error rates

735 views • 72 slides
Hypotheses testing, p-values, Type I and Type II Errors Statistics are not substitute for

Hypotheses testing, p-values, Type I and Type II Errors Statistics are not substitute for

Hypotheses testing, p-values, Type I and Type II Errors Statistics are not substitute for judgment. Henry Clay (US Senator) Formal hypotheses testing population A Is this a difference due B to random chance? Mean height A B sample

364 views • 7 slides
A short overview of Type Theory Yves Bertot June 2015 1 / 36 Motivation for types You know

A short overview of Type Theory Yves Bertot June 2015 1 / 36 Motivation for types You know

A short overview of Type Theory Yves Bertot June 2015 1 / 36 Motivation for types You know types, for instance in C int x = 3; Type errors are detected at compile-time Type verification removes errors from run-time errors Not

534 views • 36 slides
ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors

ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors

ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors Strings ex. This is a string Data Structure a particular way of organizing data for computers Dictionary type of data

454 views • 42 slides
Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial infections

Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial infections

Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial infections with viruses infections with viruses infections with viruses infections with viruses (Modular Construction of Bacteriophage for Diagnostic

542 views • 40 slides
Programming Miscellaneous MPI-IO topics MPI-IO Errors Unlike the rest of MPI, MPI-IO errors

Programming Miscellaneous MPI-IO topics MPI-IO Errors Unlike the rest of MPI, MPI-IO errors

Advanced Parallel Programming Miscellaneous MPI-IO topics MPI-IO Errors Unlike the rest of MPI, MPI-IO errors are not fatal - probably dont want your program to crash if a file open fails - always need to check the error code! Many

265 views • 23 slides
Optimizing Binary Translation of Dynamically Generated Code Byron Hawkins Brian Demsky

Optimizing Binary Translation of Dynamically Generated Code Byron Hawkins Brian Demsky

Optimizing Binary Translation of Dynamically Generated Code Byron Hawkins Brian Demsky University of California, Irvine Derek Bruening Qin Zhao Google, Inc. Profiling Bug detection Program analysis Security SPEC CPU 2006

1.15k views • 85 slides
Syndrome-Coupled Rate-Compatible Error-Correcting Codes for Flash Memories Pengfei Huang 1 , Yi

Syndrome-Coupled Rate-Compatible Error-Correcting Codes for Flash Memories Pengfei Huang 1 , Yi

Syndrome-Coupled Rate-Compatible Error-Correcting Codes for Flash Memories Pengfei Huang 1 , Yi Liu 1 , Xiaojie Zhang 2 , Paul H. Siegel 1 , Erich F. Haratsch 3 1 Center for Memory and Recording Research, UCSD 2 CNEX Labs, San Jose, CA 3 Seagate

687 views • 47 slides
Target-Specific Compiler Optimizations Oliver Bringmann RESEARCH ON YOUR BEHALF 1 Outline

Target-Specific Compiler Optimizations Oliver Bringmann RESEARCH ON YOUR BEHALF 1 Outline

FZI Forschungszentrum Informatik at the University of Karlsruhe Fast and Accurate Source-Level Simulation Considering Target-Specific Compiler Optimizations Oliver Bringmann RESEARCH ON YOUR BEHALF 1 Outline Embedded Software

656 views • 24 slides
Semaphores and Monitors: High-level Synchronization Constructs 1 Synchronization Constructs

Semaphores and Monitors: High-level Synchronization Constructs 1 Synchronization Constructs

Semaphores and Monitors: High-level Synchronization Constructs 1 Synchronization Constructs Synchronization Coordinating execution of multiple threads that share data structures Past few lectures: Locks: provide mutual

384 views • 27 slides
Course Introduction What this course is about Hardware/Software interface: Compilers,

Course Introduction What this course is about Hardware/Software interface: Compilers,

Course Introduction What this course is about Hardware/Software interface: Compilers, assemblers, linkers, loaders: who does what in terms of getting my program to run? What kind of instructions does the machine understand?

69 views • 5 slides
The Performance of -Kernel Based Systems Hermann Hrtig Michael Hohmuth Jochen Liedtke

The Performance of -Kernel Based Systems Hermann Hrtig Michael Hohmuth Jochen Liedtke

The Performance of -Kernel Based Systems Hermann Hrtig Michael Hohmuth Jochen Liedtke Sebastian Schnberg Jean Wolter The Performance of -Kernel Based Systems p. Introduction -kernels have reputation for being too slow,

392 views • 17 slides
CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and

CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and

CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and optimizations] Day1: January 3, 2000 Architecture and overview Caltech CS184b Winter2001 -- DeHon 1 Today This Quarter What is

341 views • 15 slides
Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda

Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda

Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda Heeren / Andy Roth / Geoffrey Tien 1 Separate chaining Separate chaining takes a different approach to collisions Each entry in the hash table

470 views • 26 slides
Managing the Transition from Complexity to Elegance Charles Moore Senior Research Fellow

Managing the Transition from Complexity to Elegance Charles Moore Senior Research Fellow

Workshop on Complexity-effective Design ISCA 2003 Managing the Transition from Complexity to Elegance Charles Moore Senior Research Fellow Department of Computer Sciences The University of Texas at Austin crmoore@cs.utexas.edu 1 Top 10

591 views • 34 slides

More recommend