Jinn:SynthesizingDynamicBugDetectorsfor ForeignLanguageInterfaces - PowerPoint PPT Presentation

Jinn:
Synthesizing
Dynamic
Bug
Detectors
for
 Foreign
Language
Interfaces
 Byeongcheol
Lee
 Ben
Wiedermann
 Mar>n
Hirzel
 Robert
Grimm
 Kathryn
S.
McKinley
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 1

Mul>lingual
programs
are
ubiquitous
 Python Java Python Ruby Java Java Python C/C++ C/C++ C/C++ C Standard libraries Multilingual bindings Plug-in extensions B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 2

All
mul>lingual
programs
use
foreign
func>on
interfaces
(FFIs)
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 3

FFIs
have
many
dangerous
piKalls
 …. B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 4

FFIs
are
complex
and
hard
to
program
 FFI
bugs
are
rampant
 – 716
[Li
&
Tan
’09]
 – 

86
[Kondoh
&
Onodera
’08]
 – 155
[Furr
&
Foster
’06]
 …. B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 5

Mul>lingual
programmers
need
dynamic
bug
detectors
 • Sta>c
compile‐>me
verifica>on
is
hard
 • A
rule
of
no
more
than
16
local
references
in
JNI
 • False
alarms
in
sta>c
bug
finders
 • Dynamic
FFI
checking
is
complementary
 • No
false
alarms
 • Bugs
in
a
single
program
run
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 6

FFI
specifica>ons
are
not
friendly
to
dynamic
checking
 303 pages B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 7

FFI
specifica>ons
are
not
friendly
to
dynamic
checking
 Constraint
1
 Constraint
2
 Constraint
3.
 ….
 303 pages 1,500+ constraints on 229+ JNI function B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 8

FFI
specifica>ons
are
not
friendly
to
dynamic
checking
 JNI Constraint
1
 Constraint
2
 Java
 C
 Constraint
3.
 ….
 Every language transition 303 pages 1,500+ constraints requires bookkeeping & on 229+ JNI function checking 1,500+ constraints Time-consuming and error-prone 9 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 9

Our
insight:
FFI
constraints
have
hierarchy
 New
 Language
difference
 Constraint
1
 Constraint
2
 Thread
 Type
 Resource
 Constraint
3.
 ….
 1,500+ constraints B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 10

Our
insight:
FFI
constraints
have
hierarchy
 New
 Language
difference
 Constraint
1
 Constraint
2
 Thread
 Type
 Resource
 Constraint
3.
 ….
 1,500+ constraints 11 state machines represent 1,500+ constraints B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 11

Our
insight:
state
machines
change
states
at
language
transi>ons
 New
 JNI JNI JNI Java
 C
 Java
 C
 Bookkeeping and checking at language boundary B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 12

Our
insight:
state
machines
change
states
at
language
transi>ons
 New
 Run S0
 JNI JNI Java C S1
 Error
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 13

Synthesizing
dynamic
bug
detectors
 State machine description Synthesizer JNI JNI JNI
bug
 detector
 Java C (Jinn)
 Jinn Our synthesis approach applies to other FFIs including Python/C B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 14

Outline
 I. Classifica>on
of
language
seman>c
mismatch
in
FFIs
 II. Synthesis
of
FFI
bug
detectors
with
state
machines
 III. State
machines
 A. An
example
JNI
bug
 B. Mapping
state
machines
to
en>>es
 C. Mapping
state
transi>ons
to
language
transi>ons
 IV. Jinn:
a
dynamic
JNI
bug
detector

 A. Finds
more
bugs
than
sta>c
checkers
&
other
dynamic
checkers
 B. Adds
modest
execu>on
>me
overhead
 C. Finds
lots
of
real‐world
bugs
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 15

The
GNOME
bug
576111
uses
an
invalid
JNI
reference
 Call:Java  C void Bug_producer( 
 JNIEnv *env, 
 jobject lref){ global = lref; } B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley

The
GNOME
bug
576111
uses
an
invalid
JNI
reference
 Call:Java  C void Bug_producer( 
 JNIEnv *env, 
 jobject lref){ global = lref; Return:C  Java } B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley

The
GNOME
bug
576111
uses
an
invalid
JNI
reference
 Call:Java  C void Bug_producer( 
 JNIEnv *env, 
 jobject lref){ global = lref; Return:C  Java } Call: Java  C void Bug_consumer( JVM
crashes
 JNIEnv *env){ Call: C  Java env->CallJ(global); B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley

Outline
 I. Classifica>on
of
language
seman>c
mismatch
in
FFIs
 II. Synthesis
of
FFI
bug
detectors
with
state
machines
 III. State
machines
 A. An
example
JNI
bug
 B. Mapping
state
machines
to
en>>es
 C. Mapping
state
transi>ons
to
language
transi>ons
 IV. Jinn:
a
dynamic
JNI
bug
detector

 A. Finds
more
bugs
than
sta>c
checkers
&
other
dynamic
checkers
 B. Adds
modest
execu>on
>me
overhead
 C. Finds
lots
of
real‐world
bugs
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 19

Map
a
state
machine
to
an
en>ty
 Before
 Acquire
 Call:Java  C acquire void Bug_producer( 
 JNIEnv *env, 
 Acquired
 jobject lref){ global = lref; } B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 20

Map
a
state
machine
to
an
en>ty
 Before
 Acquire
 Call:Java  C acquire void Bug_producer( 
 JNIEnv *env, 
 Acquired
 jobject lref){ global = lref; release Return:C  Java } Released
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 21

Map
a
state
machine
to
an
en>ty
 Before
 Acquire
 Call:Java  C acquire void Bug_producer( 
 JNIEnv *env, 
 Acquired
 jobject lref){ global = lref; release Return:C  Java } Call: Java  C Released
 void Bug_consumer( JNIEnv *env){ use Call: C  Java env->CallJ(global); Error:
 Dangling
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 22

Outline
 I. Classifica>on
of
language
seman>c
mismatch
in
FFIs
 II. Synthesis
of
FFI
bug
detectors
with
state
machines
 III. State
machines
 A. An
example
JNI
bug
 B. Mapping
state
machines
to
en>>es
 C. Mapping
state
transi>ons
to
language
transi>ons
 IV. Jinn:
a
dynamic
JNI
bug
detector

 A. Finds
more
bugs
than
sta>c
checkers
&
other
dynamic
checkers
 B. Adds
modest
execu>on
>me
overhead
 C. Finds
lots
of
real‐world
bugs
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 23

Map
state
transi>ons
to
language
transi>ons
 Before
 State
 Language
 Examples
 Acquire
 transi*on
 transi*on
 acquire Acquire
 Call:Java  C
 Na>ve
methods
 taking
references
 Acquired
 Return:Java  C
 GetObjectField
 Release
 Return:
C  Java
 Any
na>ve
method
 release Return:
Java  C
 DeleteLocalRef
 Released
 Use
 Call:
C  
Java
 CallVoidMethod
 use Return:
C  Java
 Na>ve
methods
 returning
 Error:
 reference
 Dangling
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 24

Outline
 I. Classifica>on
of
language
seman>c
mismatch
in
FFIs
 II. Synthesis
of
FFI
bug
detectors
with
state
machines
 III. State
machines
 A. An
example
JNI
bug
 B. Mapping
state
machines
to
en>>es
 C. Mapping
state
transi>ons
to
language
transi>ons
 IV. Jinn:
a
dynamic
JNI
bug
detector

 A. Finds
more
bugs
than
sta>c
checkers
&
other
dynamic
checkers
 B. Adds
modest
execu>on
>me
overhead
 C. Finds
lots
of
real‐world
bugs
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 25

Jinn
covers
more
bugs
than
JVM
internal
checkers
 JNI
PiKall
 JVM
checking
 J inn Hotspot
 J9
 Error
checking
 Warning Error Excep*on
 Invalid
Arguments
to
JNI
func>ons
 Excep*on
 Running Crash Confusing
jclass
with
jobject
 Error Error Excep*on
 Confusing
IDs
with
references
 Excep*on
 Error Error Viola>ng
access
control
rules
 NPE NPE Excep*on
 Retaining
virtual
machine
resources
 Excep*on
 Crash Error Excessive
local
reference
crea>on
 Running Error Excep*on
 Using
invalid
local
references
 Excep*on
 Error Error Using
the
JNIEnv
across
threads
 Error Crash Excep*on
 B. Lee, B. Wiedermann, M. Hirzel, R. Grimm, and K. S. McKinley 26