process wide type and bounds checking
play

Process-wide type and bounds checking (via an alliance of many - PowerPoint PPT Presentation

Mar 09, 2024 •135 likes •849 views

Process-wide type and bounds checking (via an alliance of many language implementations) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Join me, and together we can rule all the languages

  1. Process-wide type and bounds checking (via an alliance of many language implementations) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1

  2. “Join me, and together we can rule all the languages” (illustration: sirustalcelion) 2

  3. Problems � retains boundary between “native” and “managed” � requires buy-in � ... whereas diversity is inevitable 3

  4. An alternative to the Empire 4 (photo: brionv)

  5. Rebels’ manifesto � accommodate diversity of language � accommodate diversity of implementations � support interoperability across languages � no boundary between “native” and “managed” � compatibility � support from below 5

  6. Founders of the alliance 6

  7. Introducing liballocs � extending Unix processes with in(tro)spection � via a whole-process meta-level protocol � protocol is implemented by each allocator � VMs’ heap allocators � native allocators ( malloc() , custom allocators...) � stack allocators � “static” allocators, mmap() etc. � → abstraction ≈ “typed allocations” � ... covering entire process Advertisement: see my paper at Onward! later this year. 7

  8. What is “managed”? [“native”?] 1. [lack of] garbage collector(s) 2. [un]checked errors 3. [lack of] reflection 8

  9. What is “managed”? [“native”?] 1. [lack of] garbage collector(s) 2. [un]checked errors (clean [vs corrupting] failure) 3. [lack of] reflection Most of this talk: � how to do 2 and 3 embracing native code � focus on C as the “hard + important” case � so far, the most developed use-case of liballocs 8

  10. How to implement “unsafe” languages safely if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } 9

  11. How to implement “unsafe” languages safely if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) 9

  12. How to implement “unsafe” languages safely if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) ... while being � binary-compatible � source-compatible � reasonably fast � using a mostly-generic (not C-specific) infrastructure 9

  13. libcrunch: the user’s-eye view � $ crunchcc -o myprog ... # calls host cc 10

  14. libcrunch: the user’s-eye view � $ crunchcc -o myprog ... # calls host cc � $ ./myprog # runs normally 10

  15. libcrunch: the user’s-eye view � $ crunchcc -o myprog ... # calls host cc � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks 10

  16. libcrunch: the user’s-eye view � $ crunchcc -o myprog ... # calls host cc � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks � myprog: Failed is a internal(0x5a1220, 0x413560 a.k.a. "uint$32") at 0x40dade, allocation was a heap block of int$32 originating at 0x40daa1 10

  17. libcrunch: the user’s-eye view � $ crunchcc -o myprog ... # calls host cc � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks � myprog: Failed is a internal(0x5a1220, 0x413560 a.k.a. "uint$32") at 0x40dade, allocation was a heap block of int$32 originating at 0x40daa1 struct { int x; float y; } z; int ∗ x1 = &z.x; // ok int ∗ x2 = ( int ∗ ) &z; // check passes int ∗ y1 = ( int ∗ ) &z.y; // check fails ! int ∗ y2 = &((&z.x )[1]); // need bounds check return &z; // need GC − alike 10

  18. How it works for C code, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } 11

  19. How it works for C code, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, (assert( is a (obj, ” struct commit”)), ( struct commit ∗ )obj))) return − 1; return 0; } 11

  20. How it works for C code, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, (assert( is a (obj, ” struct commit”)), ( struct commit ∗ )obj))) return − 1; return 0; } Want a runtime with the power to � tracking allocations � with type info � efficiently → fast is a() function ... i.e. what liballocs does! 11

  21. Type info for each allocation What is an allocation? � static memory � stack memory � heap memory � returned by malloc() – “level 1” allocation � returned by mmap() – “level 0” allocation � (maybe) memory issued by user allocators... Runtime keeps indexes for each kind of memory... 12

  22. Hierarchical model of allocations mmap(), sbrk() custom heap (e.g. libc malloc() custom malloc() Hotspot GC) obstack gslice (+ malloc) client code client code client code client code client code 13

  23. Representation of data types struct ellipse { double maj, min; struct { double x, y; } ctr ; } ; “int” 4 0 __uniqtype__int “double” 8 0 __uniqtype__double 0 16 2 0 8 __uniqtype__point “ellipse” 32 3 0 8 16 __uniqtype__ellipse ... � use the linker to keep them unique � → “exact type” test is a pointer comparison is a() is a short search � 14

  24. A language-agnostic model of data types: D WARF debugging info $ cc -g -o hello hello.c && readelf -wi hello | column <b>:TAG_compile_unit <7ae>:TAG_pointer_type AT_language : 1 (ANSI C) AT_byte_size: 8 AT_name : hello.c AT_type : <0x2af> AT_low_pc : 0x4004f4 <76c>:TAG_subprogram AT_high_pc : 0x400514 AT_name : main <c5>: TAG_base_type AT_type : <0xc5> AT_byte_size : 4 AT_low_pc : 0x4004f4 AT_encoding : 5 (signed) AT_high_pc : 0x400514 AT_name : int <791>: TAG_formal_parameter <2af>:TAG_pointer_type AT_name : argc AT_byte_size: 8 AT_type : <0xc5> AT_type : <0x2b5> AT_location : fbreg - 20 <2b5>:TAG_base_type <79f>: TAG_formal_parameter AT_byte_size: 1 AT_name : argv AT_encoding : 6 (char) AT_type : <0x7ae> AT_name : char AT_location : fbreg - 32 15

  25. What data type is being malloc() ’d? � ... infer from use of sizeof � dump typed allocation sites from compiler Inference: intraprocedural “sizeofness” analysis � e.g. size t sz = sizeof (struct Foo); /* ... */; malloc(sz); � some subtleties: e.g. malloc(sizeof (Blah) + n * sizeof (Foo)) source tree ... main.c widget.c util.c ... main.i widget.i util.i .allocs .allocs .allocs 16 CIL-based compiler front-end

  26. Solved problems � typed stack storage � typed heap storage � support { custom, nested } heap allocators � fast run-time metadata � polymorphic allocation sites (e.g. sizeof (void*) ) � subtler C features (function pointers, varargs, unions) is a() ) � non-standard C idiom (too sloppy for � understanding the invariant (“no bad pointers, if ...”) � relating to C standard 17

  27. Metadata queries are difficult Native objects are trees; no descriptive headers! ���������� ���������������� ��� ��� ������������� ��� ��� ������������� ���������������� ��� � �� ���������������� �������� � � � VM-style objects: “no interior pointers” 18

  28. To query heap pointers... � use malloc() hooks... � which keep an index of the heap � in a memtable � efficient address-keyed associative map � must support (some) range queries � storing object’s metadata Memtables make aggressive use of virtual memory � libcrunch contains many memtables � not all populated by hooking allocator 19

  29. Big picture of our heap memtable entries are one byte, each covering 512B index by high-order interior pointer lookups may bits of virtual address require backward search of heap 0 0 0 0 0 0 0 0 0 ... pointers encoded compactly as local offsets (6 bits) instrumentation adds a trailer to each heap chunk 20

  30. Performance data: C-language SPEC CPU2006 benchmarks bench normal/ s crunch % nopreload onlymeta 4 . 95 +6 . 8 % +1 . 4 % +2 . 6 % bzip2 0 . 983 +160 % +14 . 9 % gcc – % 14 . 6 +11 % +2 . 0 % +4 . 1 % gobmk h264ref 10 . 1 +3 . 9 % +2 . 9 % +0 . 9 % hmmer 2 . 16 +8 . 3 % +3 . 7 % +3 . 7 % lbm 3 . 42 +9 . 6 % +1 . 7 % +2 . 0 % mcf 2 . 48 +12 % ( − 0 . 5 %) +3 . 6 % milc 8 . 78 +38 % +5 . 4 % +0 . 5 % sjeng 3 . 33 +1 . 5 % ( − 1 . 3 %) +2 . 4 % sphinx3 1 . 60 +13 % +0 . 0 % +8 . 7 % perlbench 21

  31. Not only types, but also bounds � libcrunch is now pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � what about bounds checks? (+ temporal checks?) 22

  32. Not only types, but also bounds � libcrunch is now pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � what about bounds checks? (+ temporal checks?) struct { int x; float y; } z; int ∗ x1 = &z.x; // ok int ∗ x2 = ( int ∗ ) &z; // check passes int ∗ y1 = ( int ∗ ) &z.y; // check fails ! int ∗ y2 = &((&z.x )[1]); // need bounds check // need GC − alike return &z; 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted if (obj &gt; type == OBJ COMMIT) { if (process commit(walker, ( struct commit )obj))

641 views • 62 slides
Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted (how it all started) if (obj &gt; type == OBJ

863 views • 29 slides
Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

COMP 520 Fall 2010 Type checking (1) Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks: determine the types of all expressions; check that values and variables are used correctly; and resolve

631 views • 30 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the

Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the

Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the question of type checking and type reconstruction. Given , t and T , check whether t : T Type checking: Given and t , find a type T

518 views • 28 slides
Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp .

Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp .

Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp . type ) type-exp int type-exp . type := integer type-exp bool type-exp . type := boolean type-exp 1 array type-exp 1 . type := [num] of

613 views • 7 slides
Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

CSE340 Principles of Programming Languages Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x from this definition? f(x) = x Automatic Type Inference f(x) = x f is a function that takes a single

1.31k views • 73 slides
Type checking and normalisation James Chapman - University of Nottingham My thesis Type

Type checking and normalisation James Chapman - University of Nottingham My thesis Type

Type checking and normalisation James Chapman - University of Nottingham My thesis Type checking in Haskell Epigram language - McBride/McKinna Big-step normalisation for simple types, formalised in Agda Big-step normalisation for

978 views • 36 slides
Chapter 4: Type Checking Aarne Ranta Slides for the book Implementing Programming Languages.

Chapter 4: Type Checking Aarne Ranta Slides for the book Implementing Programming Languages.

Chapter 4: Type Checking Aarne Ranta Slides for the book Implementing Programming Languages. An Introduction to Compilers and Interpreters, College Publications, 2012. Checking that a program makes sense Traditional notions of type

1.04k views • 68 slides
INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types and type checking Intro Various types and their representation Equality of types Type checking 2 / 43 Outline 1. Types and type checking Intro

1.11k views • 43 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types

Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types

Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types for Object Ownership Ilya Sergey 14 November 2012 Types A type - is a set of data instances and operations on them true , false boolean =

1.27k views • 86 slides
Type checking privacy policies in the

Type checking privacy policies in the

Type checking privacy policies in the -calculus Anna Philippou University of Cyprus Joint work with Dimitrios

572 views • 28 slides
Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology July 8th, 2013 Algorithmic Meta-Theorems Positive results Negative results Problem X is tractable. Problem X is hard. Model Checking Lower

912 views • 62 slides
Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as objects Arrays of objects Command-line arguments Variable-length parameter lists Multidimensional arrays Java Foundations, 3rd Edition,

628 views • 59 slides
Generalization Bounds of Stochastic Gradient Descent for Wide and Deep Neural Networks Yuan Cao

Generalization Bounds of Stochastic Gradient Descent for Wide and Deep Neural Networks Yuan Cao

Generalization Bounds of Stochastic Gradient Descent for Wide and Deep Neural Networks Yuan Cao and Quanquan Gu Computer Science Department 1 / 14 Learning Over-parameterized DNNs Empirical observation on extremely wide deep neural networks

631 views • 14 slides
Ray Tracing Sung-Eui Yoon ( ) Course URL: http://sglab.kaist.ac.kr/~sungeui/CG/ Class

Ray Tracing Sung-Eui Yoon ( ) Course URL: http://sglab.kaist.ac.kr/~sungeui/CG/ Class

CS380: Computer Graphics Ray Tracing Sung-Eui Yoon ( ) Course URL: http://sglab.kaist.ac.kr/~sungeui/CG/ Class Objectives Understand overall algorithm of recursive ray tracing Ray generations Intersection tests and

1.1k views • 48 slides
How to give a good research talk Simon Peyton Jones Microsoft Research, Cambridge 1993 paper

How to give a good research talk Simon Peyton Jones Microsoft Research, Cambridge 1993 paper

How to give a good research talk Simon Peyton Jones Microsoft Research, Cambridge 1993 paper joint with John Hughes (Chalmers), John Launchbury (Oregon Graduate Institute) Research is communication The greatest ideas are worthless if you keep

762 views • 36 slides
use social cues to learn words for new objects? Dr. Charlotte Field Lecturer in Developmental

use social cues to learn words for new objects? Dr. Charlotte Field Lecturer in Developmental

Do children with autism and developmental disorders use social cues to learn words for new objects? Dr. Charlotte Field Lecturer in Developmental Disorders Email: cfield2@uclan.ac.uk Talk presented at DCN School Liaison Event Saturday 25

275 views • 11 slides
Eigen: a practical approach to linear algebra http://eigen.tuxfamily.org Beno t Jacob,

Eigen: a practical approach to linear algebra http://eigen.tuxfamily.org Beno t Jacob,

Eigen: a practical approach to linear algebra http://eigen.tuxfamily.org Beno t Jacob, Dept. of Mathematics, bjacob@math.toronto.edu NA seminar, University of Toronto 23 january 2009 Eigen is co-developed with Ga el Guennebaud

490 views • 28 slides
Pastor Patrick Owens Luke 10:2 :25-29 29 25 On one occasion an expert in the law stood up

Pastor Patrick Owens Luke 10:2 :25-29 29 25 On one occasion an expert in the law stood up

Pastor Patrick Owens Luke 10:2 :25-29 29 25 On one occasion an expert in the law stood up to test Jesus. Teacher, he asked, what must I do to inherit eternal life? Luke 10:2 :25-29 29 26 What is written in the Law?

420 views • 21 slides
Making an ILean 2 Vertical iPad mount 3 1 2/19/2020 Portable scan and read station for a

Making an ILean 2 Vertical iPad mount 3 1 2/19/2020 Portable scan and read station for a

2/19/2020 Creating Assistive Technology for Reading and Writing Therese Willkomm theresew@unh.edu 603-491-6555 1 Making an ILean 2 Vertical iPad mount 3 1 2/19/2020 Portable scan and read station for a cell phone 4 Protective

463 views • 18 slides
Newspeak &amp; its Children: Avarice and Sloth Gilad Bracha Ministry of Truth Thursday, June

Newspeak &amp; its Children: Avarice and Sloth Gilad Bracha Ministry of Truth Thursday, June

Newspeak &amp; its Children: Avarice and Sloth Gilad Bracha Ministry of Truth Thursday, June 11, 2009 1 Functional Object- Oriented Programming No contradiction FP is computational paradigm OO is an organizational one Thursday, June 11,

873 views • 38 slides
Crowdsourcing and Human Computer Interaction Design Crowdsourcing and Human Computation

Crowdsourcing and Human Computer Interaction Design Crowdsourcing and Human Computation

Crowdsourcing and Human Computer Interaction Design Crowdsourcing and Human Computation Instructor: Chris Callison-Burch Website: crowdsourcing-class.org Wizard of Oz in HCI Wizard of Oz in HCI Oz-like HCI in SciFi AI is lacking compared to

1.36k views • 54 slides

More recommend