SLIDE 1

Making the Java Memory Model Safe∗

Andreas Lochbihler

Institute for Information Security ETH Zurich

∗supported by DFG Sn11/10-1,2

SLIDES 2-5

The need for a formal model of Java

Safety guarantees of Java
◮ definedness
◮ type safety
◮ security architecture (sandbox)

Tools that rely on these guarantees: KeY-System, Krakatoa / Why3, Java Path Finder, Joana

Concurrency in Java
◮ threads
◮ synchronisation primitives
◮ memory model

Implications for the safety guarantees?

Andreas Lochbihler (ETH Zürich) Making the Java Memory Model Safe 2 / 9

SLIDES 6-14

Why do we need a memory model?

initially: x = y = 0;

Thread 1: x = 1; j = y;
Thread 2: y = 2; i = x;

Which final values can i and j take?

                         i == 0   i == 1
interleaving    j == 0     X        √
semantics       j == 2     √        √

Compiler and hardware reorder statements, here the two independent statements within each thread:

Thread 1: j = y; x = 1;
Thread 2: i = x; y = 2;

After this reordering the outcome i == 0 and j == 0 is possible as well.

                         i == 0   i == 1
Java memory     j == 0     √        √
model           j == 2     √        √

The Java memory model allows all four outcomes (√ √ √ √) and gives a semantics to programs with data races such as this one (√ data races).
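To see the litmus test above in practice, here is an added harness (my own code, not from the slides or the author's formalisation) that runs the two threads repeatedly and counts the outcome i == 0 && j == 0, once with plain fields exactly as in the slide and once with volatile fields, for which the JMM forbids that outcome. The class and method names are my own.

```java
// Added example (not from the slides): run the store-buffering litmus test many
// times and count the outcome i == 0 && j == 0, which interleaving semantics
// forbids but reordering by the JIT or the CPU (and hence the JMM) allows.
// Volatile fields restore sequential consistency for these accesses.
import java.util.concurrent.CyclicBarrier;

public class StoreBufferingLitmus {
    // Racy version: plain fields, exactly as in the slide.
    static int x, y, i, j;
    // Hardened version: volatile x and y forbid the (i == 0, j == 0) result.
    static volatile int vx, vy;
    static int vi, vj;

    // Returns how often the outcome forbidden by interleaving semantics was observed.
    static int runTrials(int trials, boolean useVolatile) throws Exception {
        int racyOutcomes = 0;
        for (int n = 0; n < trials; n++) {
            x = y = i = j = 0;
            vx = vy = vi = vj = 0;
            CyclicBarrier start = new CyclicBarrier(2);  // release both threads together
            Thread t1 = new Thread(() -> {
                await(start);
                if (useVolatile) { vx = 1; vj = vy; } else { x = 1; j = y; }
            });
            Thread t2 = new Thread(() -> {
                await(start);
                if (useVolatile) { vy = 2; vi = vx; } else { y = 2; i = x; }
            });
            t1.start(); t2.start();
            t1.join(); t2.join();  // join() establishes happens-before for reading i, j
            int ri = useVolatile ? vi : i, rj = useVolatile ? vj : j;
            if (ri == 0 && rj == 0) racyOutcomes++;
        }
        return racyOutcomes;
    }

    private static void await(CyclicBarrier b) {
        try { b.await(); } catch (Exception e) { throw new RuntimeException(e); }
    }

    public static void main(String[] args) throws Exception {
        int trials = 50_000;
        System.out.println("plain fields:    i == 0 && j == 0 seen "
                + runTrials(trials, false) + " times in " + trials + " runs");
        System.out.println("volatile fields: i == 0 && j == 0 seen "
                + runTrials(trials, true) + " times in " + trials + " runs");
    }
}
```

How often (if at all) the plain-field run shows the outcome depends on the JIT and the hardware; the point of the memory model is that the outcome is permitted regardless, so code must not rely on its absence without synchronisation.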

SLIDES 15-22

Semantics in layers (from the bottom up)

Operational semantics: single steps t : α, covering shared memory, allocation & type information, and thread communication.

Transition system: sequences of steps t1 : α1, t′1 : α′1, . . .

Paths in the transition system: [t1 : α1, t2 : α2, . . .], [t′1 : α′1, t′2 : α′2, . . .], [t″1 : α″1, t″2 : α″2, . . .], . . .

Set of well-formed candidate executions.

Java memory model: legality constraints pair read and write ops; they need the whole set of candidate executions (cf. [Batty et al. '15]).

Legal executions.

SLIDES 23-27

Type safety for method calls
Dynamic method lookup finds a unique method.

class A { void m() {} }
initially: x = y = null;

Thread 1: r1 = x; if (r1 != null) r1.m();
Thread 2: y = new A(); r2 = y; x = r2;

The JMM allows reordering with allocations: after the reordering, the object is accessed (r1.m()) before it is allocated (new A()).

Remedy: separate the type information of addresses from their allocation! Index addresses by dynamic type!

SLIDES 28-35

Type safety for fields
Accessed fields exist and contain only type-conform values.

Proof ingredients: progress, subject reduction.

(Layer diagram as on slides 15-22: Java memory model with legality constraints pairing read and write ops, set of well-formed candidate executions [t1 : α1, t2 : α2, . . .], [t′1 : α′1, t′2 : α′2, . . .], . . ., operational semantics t : α.)

◮ Subject reduction fails when a read op returns a value of the wrong type.
◮ Show that reads in legal executions are type-correct.
◮ Subject reduction may then assume type-correct reads.

SLIDES 36-38

Type safety for allocation
No statement about allocation!

There are legal executions in which some objects are never allocated . . .

initially: b = false; x = y = null;

Thread 1: r1 = x; if (!b) r1 = new C(); y = r1;
Thread 2: r2 = y; x = r2;
Thread 3: b = true;

allowed: x, y != null, even when the if condition is false

. . . because the allocation happened in another execution.

Variations on this program allow you to forge (type-correct) references.

SLIDES 39-44

Beyond type safety [TOPLAS 2014]

(Isabelle/HOL logo)

Goals of the Java memory model:

◮ Type safety: holds despite forging of references. Semantics for all Java programs achieved; main reason for technical complexity. Security architecture (sandboxing) compromised by forged references.
◮ DRF guarantee: interleaving semantics for programs without data races proved.
◮ Compiler optimisations [Ševčík et al.]: JMM fails to allow common optimisations. Work on another JMM revision has started (JEP 188).