Jinn: Synthesizing Dynamic Bug Detectors for Foreign Language Interfaces - PowerPoint PPT Presentation

SLIDE 1
  • B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley

Jinn: Synthesizing Dynamic Bug Detectors for Foreign Language Interfaces

Byeongcheol Lee, Ben Wiedermann, Martin Hirzel, Robert Grimm, Kathryn S. McKinley

SLIDE 2

Multilingual programs are ubiquitous

[Figure: plug-in extensions, standard libraries and multilingual bindings spanning Java, C/C++, Python and Ruby]

SLIDE 3

All multilingual programs use foreign function interfaces (FFIs)

SLIDE 4

FFIs have many dangerous pitfalls

…

SLIDE 5

FFIs are complex and hard to program

…

FFI bugs are rampant
  – 716 [Li & Tan ’09]
  – 86 [Kondoh & Onodera ’08]
  – 155 [Furr & Foster ’06]

SLIDE 6

Multilingual programmers need dynamic bug detectors

  • Static compile-time verification is hard
    – A rule of no more than 16 local references in JNI
    – False alarms in static bug finders
  • Dynamic FFI checking is complementary
    – No false alarms
    – Bugs in a single program run

SLIDE 7

FFI specifications are not friendly to dynamic checking

303 pages

SLIDE 8

FFI specifications are not friendly to dynamic checking

Constraint 1, Constraint 2, Constraint 3, …

303 pages, 1,500+ constraints
  • 229+ JNI functions

SLIDE 9

FFI specifications are not friendly to dynamic checking

Constraint 1, Constraint 2, Constraint 3, …

303 pages, 1,500+ constraints
  • 229+ JNI functions

Every language transition requires bookkeeping & checking 1,500+ constraints

Time-consuming and error-prone

[Figure: Java and C separated by the JNI boundary]
SLIDE 10

Our insight: FFI constraints have hierarchy

Constraint 1, Constraint 2, Constraint 3, … (1,500+ constraints)

Categories shown in the hierarchy: New, Language difference, Thread, Type, Resource

SLIDE 11

Our insight: FFI constraints have hierarchy

Constraint 1, Constraint 2, Constraint 3, … (1,500+ constraints)

Categories shown in the hierarchy: New, Language difference, Thread, Type, Resource

11 state machines represent 1,500+ constraints

SLIDE 12

Our insight: state machines change states at language transitions

[Figure: Java and C separated by the JNI boundary; the state machines step at each JNI transition]

Bookkeeping and checking at language boundary

SLIDE 13

Our insight: state machines change states at language transitions

[Figure: a state machine with states S0, S1 and Error, stepping at JNI transitions as execution runs between Java and C]

SLIDE 14

Synthesizing dynamic bug detectors

State machine description → Synthesizer → JNI bug detector (Jinn), sitting at the JNI boundary between Java and C

Our synthesis approach applies to other FFIs including Python/C

SLIDE 15

Outline

  I. Classification of language semantic mismatch in FFIs
  II. Synthesis of FFI bug detectors with state machines
  III. State machines
    A. An example JNI bug
    B. Mapping state machines to entities
    C. Mapping state transitions to language transitions
  IV. Jinn: a dynamic JNI bug detector
    A. Finds more bugs than static checkers & other dynamic checkers
    B. Adds modest execution time overhead
    C. Finds lots of real-world bugs

SLIDE 16

The GNOME bug 576111 uses an invalid JNI reference

    jobject global;                  /* keeps the reference across native calls */

    void Bug_producer(JNIEnv *env, jobject lref) {
        global = lref;               /* lref is a local reference: valid only until this native method returns */
    }

Call: Java→C

SLIDE 17

The GNOME bug 576111 uses an invalid JNI reference

    jobject global;                  /* keeps the reference across native calls */

    void Bug_producer(JNIEnv *env, jobject lref) {
        global = lref;               /* lref is a local reference: valid only until this native method returns */
    }

Call: Java→C; Return: C→Java (the local reference is released on return, so global now dangles)

SLIDE 18

The GNOME bug 576111 uses an invalid JNI reference

    jobject global;                  /* keeps the reference across native calls */

    void Bug_producer(JNIEnv *env, jobject lref) {
        global = lref;               /* lref is a local reference: valid only until this native method returns */
    }

    void Bug_consumer(JNIEnv *env) {
        env->CallJ(global);          /* CallJ is the slide's shorthand for a JNI call that uses the stale reference */
    }

Call: Java→C; Return: C→Java; Call: Java→C; Call: C→Java

JVM crashes

SLIDE 19

Outline (unchanged from slide 15)

SLIDE 20

Map a state machine to an entity

State machine for the reference lref: Before Acquire → Acquired (transition: acquire)

    jobject global;

    void Bug_producer(JNIEnv *env, jobject lref) {
        global = lref;               /* acquire: the native method receives a local reference */
    }

Call: Java→C

SLIDE 21

Map a state machine to an entity

State machine for the reference lref: Before Acquire → Acquired → Released (transitions: acquire, release)

    jobject global;

    void Bug_producer(JNIEnv *env, jobject lref) {
        global = lref;               /* acquire: the native method receives a local reference */
    }                                /* release: the local reference dies when the native method returns */

Call: Java→C; Return: C→Java

SLIDE 22

Map a state machine to an entity

State machine for the reference lref: Before Acquire → Acquired → Released → Error: Dangling (transitions: acquire, release, use)

    jobject global;

    void Bug_producer(JNIEnv *env, jobject lref) {
        global = lref;               /* acquire: the native method receives a local reference */
    }                                /* release: the local reference dies when the native method returns */

    void Bug_consumer(JNIEnv *env) {
        env->CallJ(global);          /* use after release: the detector reports Error: Dangling */
    }

Call: Java→C; Return: C→Java; Call: Java→C; Call: C→Java

SLIDE 23

Outline (unchanged from slide 15)

SLIDE 24

Map state transitions to language transitions

States: Before Acquire → Acquired → Released → Error: Dangling
Transitions: acquire, release, use

State transition   Language transition   Examples
Acquire            Call: Java→C          Native methods taking references
                   Return: Java→C        GetObjectField
Release            Return: C→Java        Any native method
                   Return: Java→C        DeleteLocalRef
Use                Call: C→Java          CallVoidMethod
                   Return: C→Java        Native methods returning reference
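
The per-reference state machine of slides 20 to 24, replayed over language-transition traces, as an added example written for this page: it is not Jinn's code and needs no JNI headers. The event encoding (a language-transition string plus the JNI function name), the trace contents and the omission of the "native method returning a reference" Use row are my assumptions.

```c
#include <string.h>

/* Constructed model of the slide-24 state machine for one JNI local reference
 * (not Jinn's code); the "native method returning a reference" Use row is omitted. */
typedef enum { BEFORE_ACQUIRE, ACQUIRED, RELEASED, ERROR_DANGLING } RefState;
typedef enum { ACQUIRE, RELEASE, USE, NONE } StateTransition;
/* A language transition plus the JNI function crossing it ("" for a plain
 * native-method call or return), as observed at the language boundary. */
typedef struct { const char *lang_transition; const char *jni_fn; } Event;

/* Slide-24 mapping from language transitions to state transitions. */
StateTransition classify(const Event *e) {
    if (!strcmp(e->lang_transition, "Call:Java->C")) return ACQUIRE;   /* native method takes the ref */
    if (!strcmp(e->lang_transition, "Call:C->Java")) return USE;       /* e.g. CallVoidMethod(ref) */
    if (!strcmp(e->lang_transition, "Return:C->Java")) return RELEASE; /* native frame ends */
    if (!strcmp(e->lang_transition, "Return:Java->C")) {
        if (!strcmp(e->jni_fn, "GetObjectField")) return ACQUIRE;     /* JNI hands back a new local ref */
        if (!strcmp(e->jni_fn, "DeleteLocalRef")) return RELEASE;
    }
    return NONE;
}

/* One step: Before Acquire -> Acquired -> Released -> Error: Dangling. */
RefState step(RefState s, StateTransition t) {
    switch (t) {
    case ACQUIRE: return s == BEFORE_ACQUIRE ? ACQUIRED : s;
    case RELEASE: return s == ACQUIRED ? RELEASED : s;
    case USE:     return s == RELEASED ? ERROR_DANGLING : s; /* the slide-18 bug */
    default:      return s;
    }
}

/* Replay the events touching one reference; returns the index of the first
 * event that drives it into Error: Dangling, or -1 if the trace is clean. */
int first_dangling_use(const Event *trace, int n) {
    RefState s = BEFORE_ACQUIRE;
    for (int i = 0; i < n; i++) {
        s = step(s, classify(&trace[i]));
        if (s == ERROR_DANGLING) return i;
    }
    return -1;
}

/* Constructed traces; gnome_trace follows slides 16-18 for lref (the consumer's
 * own Call:Java->C carries no reference, so it is not an event for lref). */
static const Event gnome_trace[] = { {"Call:Java->C", ""}, /* Bug_producer(env, lref) */
    {"Return:C->Java", ""}, {"Call:C->Java", "CallVoidMethod"} }; /* stale use */
static const Event clean_trace[] = { {"Call:Java->C", ""},       /* used before return */
    {"Call:C->Java", "CallVoidMethod"}, {"Return:C->Java", ""} };
static const Event deleted_trace[] = { {"Return:Java->C", "GetObjectField"},
    {"Return:Java->C", "DeleteLocalRef"}, {"Call:C->Java", "CallVoidMethod"} };
```

A real detector keeps one such machine per reference and steps all of them at every JNI crossing, which is why the slides place the bookkeeping at the language boundary.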

SLIDE 25

Outline (unchanged from slide 15)

SLIDE 26

Jinn covers more bugs than JVM internal checkers

JNI pitfall                               Jinn
Invalid arguments to JNI functions        Exception
Confusing jclass with jobject             Exception
Confusing IDs with references             Exception
Violating access control rules            Exception
Retaining virtual machine resources       Exception
Excessive local reference creation        Exception
Using invalid local references            Exception
Using the JNIEnv across threads           Exception

JVM checking (Hotspot / J9) outcomes listed on the slide, in order: Warning / Error, Running / Crash, Error / Error, Error / Error, NPE / NPE, Crash / Error, Running / Error, Error / Error, Error / Crash.

SLIDE 27

Jinn adds modest time overhead: 14%

[Figure: normalized execution time (y-axis 1.0 to 1.4) for antlr, bloat, chart, eclipse, fop, hsqldb, jython, luindex, lusearch, pmd, xalan, compress, jess, raytrace, db, javac, mpegaudio, mtrt, jack and GeoMean]

SLIDE 28

Jinn finds JNI bugs in real world applications

Programs (shown only as images)   Bug reports   Community response
                                  1             Confirmed: bug 69510896
                                  1             To be reported
                                  5             Fixed: r949842, r946181, r944525, r947006, r946518
                                  2             Fixed: r676; Confirmed: bug 576111

SLIDE 29

Related work

Safe interface languages: Hirzel & Grimm ’07, Tan et al. ’06

How about legacy JNI programs?

SLIDE 30

Related work

Safe interface languages: Hirzel & Grimm ’07, Tan et al. ’06
Static bug finders: Furr & Foster ’06, Kondoh & Onodera ’08, Li & Tan ’09

How about false alarms?

SLIDE 31

Related work

Safe interface languages: Hirzel & Grimm ’07, Tan et al. ’06
Static bug finders: Furr & Foster ’06, Kondoh & Onodera ’08, Li & Tan ’09
Dynamic checking in JVMs: Hotspot, J9

How about low coverage?

SLIDE 32

Summary

  • FFI has many programming constraints and bugs.
  • Synthesis of dynamic FFI bug detectors
    – Classification system for characterizing language semantic mismatches
    – State machine transitions in terms of language transitions.
  • Jinn: An effective dynamic bug detector for JNI
    – High coverage
    – Modest overhead
    – Finds bugs in real-world JNI programs