Identifying Use-After-Free Variables in Fire-and-Forget Tasks Jyothi - - PowerPoint PPT Presentation

identifying use after free variables in fire and forget
SMART_READER_LITE
LIVE PREVIEW

Identifying Use-After-Free Variables in Fire-and-Forget Tasks Jyothi - - PowerPoint PPT Presentation

Jul 16, 2023 111 likes •470 views

Identifying Use-After-Free Variables in Fire-and-Forget Tasks Jyothi Krishna V S & Vassily Litvinov jkrishna@cse.iitm.ac.in IIT Madras & Cray Inc. June 2, 2017 begin construct in Chapel Creates a dynamic task with an unstructured

slide-1
SLIDE 1

Identifying Use-After-Free Variables in Fire-and-Forget Tasks

Jyothi Krishna V S & Vassily Litvinov jkrishna@cse.iitm.ac.in

IIT Madras & Cray Inc. June 2, 2017

slide-2
SLIDE 2

begin construct in Chapel

  • Creates a dynamic task with an unstructured lifetime.
  • Fire-and-forget
  • Low synchronization and scheduling cost.

1/26

slide-3
SLIDE 3

begin construct in Chapel

  • Creates a dynamic task with an unstructured lifetime.
  • Fire-and-forget
  • Low synchronization and scheduling cost.

... begin write("hello "); write (" world "); ... Either

  • utputs:

hello world world hello

1/26

slide-4
SLIDE 4

Use-After-Free Variables

1 x SP begin reference

{ var x = 1; begin (ref x) { if x == 0 then writeln (" chaos "); } } ... { var y = 0; }

begin task has a reference to variable x (outer variable).

2/26

slide-5
SLIDE 5

Use-After-Free Variables

begin reference SP

{ var x = 1; begin (ref x) { if x == 0 then writeln (" chaos "); } } ... { var y = 0; }

End of scope of variable x and is removed from the Stack.

3/26

slide-6
SLIDE 6

Use-After-Free Variables

y SP begin reference

{ var x = 1; begin (ref x) { if x == 0 then writeln (" chaos "); } } ... { var y = 0; }

New variable y added.

4/26

slide-7
SLIDE 7

Use-After-Free Variables

y SP begin reference

{ var x = 1; begin (ref x) { if x == 0 then writeln("chaos"); } } .... { var y = 0; }

Incorrect value of x seen by begin task. We need to avoid these in our programs.

5/26

slide-8
SLIDE 8

Use-After-Free Access: Sources

  • Lack of synchronization.
  • Programs written for older versions of Chapel.
  • Improper synchronization.
  • Programmer skills/ Programming speed / Complexity of

the Program.

1image source:shuttershock.com

6/26

slide-9
SLIDE 9

Use-After-Free Access: Sources

  • Lack of synchronization.
  • Programs written for older versions of Chapel.
  • Improper synchronization.
  • Programmer skills/ Programming speed / Complexity of

the Program.

1

1image source:shuttershock.com

6/26

slide-10
SLIDE 10

Talk Overview

  • Extract relevant constructs and outer variables access into

CCFG.

  • Subset Representation of execution time states: Parallel

Program States (PPS).

  • Identify possible Use-After-Free variable accesses.
  • Results and Conclusions

2image source:dreamstime.com

7/26

slide-11
SLIDE 11

Talk Overview

  • Extract relevant constructs and outer variables access into

CCFG.

  • Subset Representation of execution time states: Parallel

Program States (PPS).

  • Identify possible Use-After-Free variable accesses.
  • Results and Conclusions

2

2image source:dreamstime.com

7/26

slide-12
SLIDE 12

Synchronization Constructs in Chapel

  • sync variable: One-to-one synchronization
  • single variable: One-to-many synchronization
  • sync block: Many-to-one synchronization.
  • atomic variables.

8/26

slide-13
SLIDE 13

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 proc outerVarUse( ) { var x: int = 10; var doneA$: sync bool; begin with (ref x) { // A writeln(x); var doneB$: sync bool; begin with (ref x){ // B writeln(x); doneB$ = true; } writeln(x); doneA$ = true; doneB$; } doneA$; begin with (in x){ // C writeln(x); } }

  • Task A Line 4.
  • Task B: nested task, at

Line 7.

  • Task C: at Line 16. Pass

by value.

  • sync variables:
  • doneA$: Task A and Root

Task.

  • doneB$: Task B and Task

A.

  • Outer variable: x.

9/26

slide-14
SLIDE 14

Concurrent Control Flow Graph (CCFG)

  • CCFG Node bounded by a Concurrent Control Flow event.
  • Encounter begin statement.
  • Read/Write on a synchronization variable.
  • Control Flow event
  • A CCFG Node
  • Outer Variable Set: OV.
  • Synchronization type.
  • Synchronization variable.
  • Sub graph of nested functions expanded at call site.
  • A live set of sync block scope is maintained.
  • Safe OV accesses are removed.

10/26

slide-15
SLIDE 15

CCFG

proc outerVarUse( ) { var x: int = 10; var doneA$: sync bool; begin with (ref x) { // A writeln(x++); var doneB$: sync bool; begin with (ref x){ // B writeln(x); doneB$ = true; } writeln(x); doneA$ = true; doneB$; } doneA$; begin with (in x){ // C writeln(x); }}

7

doneA$

9 10 Root Task Task C 8 10 1 4 5

OV={x} OV={x} doneB$

2 3

OV={x} doneB$

Task A Task B

doneA$

6 11/26

slide-16
SLIDE 16

CCFG pruning

1

Remove empty nodes at the end of each task. Eg: Node 10.

2

A begin task that does not contain any nested task or does not refers to any outer variable.

  • Eg. Task C.

3

A begin task, in which the scope of all outer variables accessed by the task is protected by a sync block. Eg: sync begin ( r e f x ) { . . . }

12/26

slide-17
SLIDE 17

CCFG pruning

1

Remove empty nodes at the end of each task. Eg: Node 10.

2

A begin task that does not contain any nested task or does not refers to any outer variable.

  • Eg. Task C.

3

A begin task, in which the scope of all outer variables accessed by the task is protected by a sync block. Eg: sync begin ( r e f x ) { . . . }

  • Recursively apply these three rules.

12/26

slide-18
SLIDE 18

Pruned CCFG

7

doneA$

Root Task 1 4

OV={x} OV={x}

2

OV={x} doneB$

Task A Task B

doneA$

5

doneB$

  • Active sync nodes: 2,

4, 7

  • State Table

var state doneA$ empty doneB$ empty

13/26

slide-19
SLIDE 19

PPS

  • A program state that captures a possible relationship between

synchronization nodes.

  • A Parallel Program State (PPS):
  • Active Sync Node (ASN): Set of nodes which are next in line to

be executed.

  • State Table (ST): State of all live synchronization variables.
  • Safe access set(SV): A set of outer variable accesses which are

safe.

  • Live access set (LA): A set of OV accesses which must have

happened before reaching the current PPS, excluding the set of

  • uter variable accesses in SV.
  • SV ∩ LA = φ.

14/26

slide-20
SLIDE 20

PPS 0

7

doneA$

Root Task 1 4

OV={x} OV={x}

2

OV={x} doneB$

Task A Task B

doneA$

5

doneB$

PPS 0:

  • ASN = {2, 4, 7 }
  • State Table

var state doneA$ empty doneB$ empty

  • SV = φ
  • LA = φ

15/26

slide-21
SLIDE 21

Parallel Frontier

  • Checking for Use-After-Free Variable in each PPS is costly.
  • Parallel Frontier: The last sync node encountered in a path in

parent scope.

  • Defined for every OV, x: PF(x).
  • Multiple paths could lead to Multiple PF.
  • The safety checks limited at PF.

Theorem A statement that accesses an outer variable x is potentially unsafe if there exists an execution path serialization where the corresponding Parallel Frontier node is executed before the statement.

16/26

slide-22
SLIDE 22

Next PPS ?

  • Design a set of rules to travel in CCFG to generate next PPS.
  • Rules designed based on synchronization variables’ behaviour.
  • Priority : Non-blocking > blocking.

17/26

slide-23
SLIDE 23

Next PPS ?

  • Design a set of rules to travel in CCFG to generate next PPS.
  • Rules designed based on synchronization variables’ behaviour.
  • Priority : Non-blocking > blocking.

Rule (SINGLE-READ (Non blocking)) A read on a single variable is visited if the current state of the variable is full.

17/26

slide-24
SLIDE 24

Next PPS ?

  • Design a set of rules to travel in CCFG to generate next PPS.
  • Rules designed based on synchronization variables’ behaviour.
  • Priority : Non-blocking > blocking.

Rule (SINGLE-READ (Non blocking)) A read on a single variable is visited if the current state of the variable is full. Rule (READ (blocking)) A read of a sync variable can be visited if the current state of the variable is full. The state of the variable is changed to empty.

17/26

slide-25
SLIDE 25

Next PPS ?

  • Design a set of rules to travel in CCFG to generate next PPS.
  • Rules designed based on synchronization variables’ behaviour.
  • Priority : Non-blocking > blocking.

Rule (SINGLE-READ (Non blocking)) A read on a single variable is visited if the current state of the variable is full. Rule (READ (blocking)) A read of a sync variable can be visited if the current state of the variable is full. The state of the variable is changed to empty. Rule (WRITE (blocking) ) A write on single or sync variable can be visited if the current state

  • f the variable is empty. The state of the variable is changed to full.

17/26

slide-26
SLIDE 26

PPS 0

7

doneA$

Root Task 1 4

OV={x} OV={x}

2

OV={x} doneB$

Task A Task B

doneA$

5

doneB$

PPS 0:

  • ASN = {2, 4, 7 }
  • State Table

var state doneA$ empty doneB$ empty

  • SV = φ
  • LA = φ

18/26

slide-27
SLIDE 27

Execute Node 4

7

doneA$ PF={x}

Root Task 1 4

OV={x} OV={x}

2

OV={x} doneB$

Task A Task B

doneA$

5

doneB$

PPS 1:

  • ASN = {2, 5, 7}
  • State Table

var state doneA$ full doneB$ empty

  • SV = φ
  • LA = {x1, x4 }

19/26

slide-28
SLIDE 28

Execute Node 7

7

doneA$ PF={x}

Root Task 1 4

OV={x} OV={x}

2

OV={x} doneB$

Task A Task B

doneA$

5

doneB$

PPS 2:

  • ASN = {2, 5 }
  • State Table

var state doneA$ empty doneB$ empty

  • SV = {x1, x4 }
  • LA = φ

20/26

slide-29
SLIDE 29

Execute Node 2

7

doneA$ PF={x}

Root Task 1 4

OV={x} OV={x}

2

OV={x} doneB$

Task A Task B

doneA$

5

doneB$

PPS 3:

  • ASN = { 5 }
  • State Table

var state doneA$ empty doneB$ full

  • SV = {x1, x4 }
  • LA = {x2 }

21/26

slide-30
SLIDE 30

Execute Node 5

7

doneA$ PF={x}

Root Task 1 4

OV={x} OV={x}

2

OV={x} doneB$

Task A Task B

doneA$

5

doneB$

PPS 4:

  • ASN = φ
  • State Table

var state doneA$ empty doneB$ empty

  • SV = {x1, x4 }
  • LA = { x2 }
  • Report x2.

22/26

slide-31
SLIDE 31

Conditional Nodes , Loops

  • Conditional Nodes: Both branches are explored separately.
  • Loops:
  • Just OV accesses: treated as single node with OV access

Source with Conditional Node

var x: int = 10; var done$: sync bool; begin with (ref x) { // A if(flag) begin with (ref x) { // B writeln(x); done$ = true; done$; } done$ = true; } done$;

7

done$

PF={x}

else edge

2 1

done$

5

done$

3

OV={x}

4

done$ Task A Task B

23/26

slide-32
SLIDE 32

Optimizations & Limitations

Optimizations

  • Run algorithm only for functions containing begin tasks.
  • Merging multiple PPS:
  • Requirement: Identical State table & ASN set.
  • Resultant PPS: SV : SVi ∩ SVj, LA : LAi ∪ LAj.
  • Combine same variable accesses inside node.

24/26

slide-33
SLIDE 33

Optimizations & Limitations

Optimizations

  • Run algorithm only for functions containing begin tasks.
  • Merging multiple PPS:
  • Requirement: Identical State table & ASN set.
  • Resultant PPS: SV : SVi ∩ SVj, LA : LAi ∪ LAj.
  • Combine same variable accesses inside node.

Limitations: Not Handled

  • Non blocking sync events: atomic
  • Recursion
  • Loops containing begin or synchronization node.

24/26

slide-34
SLIDE 34

Results

Table : Results of running use-after-free check over Chapel test suite (version 1.11).

Total test cases 5127 Test cases with begin tasks 218 Test cases with Use-After-Free warnings 38 Number of warnings reported 437 True positives 63 Percentage of true positives 14.4% Source Code: https://github.com/jkrishnavs/chapel

25/26

slide-35
SLIDE 35

Conclusions

  • Partial inter-procedural analysis to identify and report

potentially dangerous Outer Variable accesses to the user.

  • Results reported on chapel test suite.
  • More test cases on

https://github.com/jkrishnavs/chapel_workspace Future Work

  • Atomic variable synchronization
  • Loops & recursion

26/26