cyclone safe programming at the c level of abstraction
play

Cyclone: Safe Programming at the C Level of Abstraction Dan - PowerPoint PPT Presentation

Feb 05, 2023 •30 likes •860 views

Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University Joint work with: Trevor Jim (AT&T), Greg Morrisett, Michael Hicks (Maryland), James Cheney, Yanling Wang A safe C-level language Cyclone is a

  1. Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University Joint work with: Trevor Jim (AT&T), Greg Morrisett, Michael Hicks (Maryland), James Cheney, Yanling Wang

  2. A safe C-level language Cyclone is a programming language and compiler aimed at safe systems programming • C is not memory safe : void f(int* p, int i, int v) { p[i] = v; } • Address p+i might hold important data or code • Memory safety is crucial for reasoning about programs Spring 2003 Dan Grossman Cyclone

  3. A question of trust • We rely on our C-level software infrastructure to – not crash (or crash gracefully) – preserve data, restrict access, ... – serve customers, protect valuables, ... • Infrastructure is enormous – careful humans not enough • One safety violation breaks all isolation Memory safety is necessary for trustworthy systems Spring 2003 Dan Grossman Cyclone

  4. Safe low-level systems • For a safety guarantee today, use YFHLL Y our F avorite H igh L evel L anguage • YFHLL provides safety in part via: – hidden data fields and run-time checks – automatic memory management • Data representation and resource management are essential aspects of low-level systems • Write or extend your O/S with YFHLL? There are strong reasons for C-like languages Spring 2003 Dan Grossman Cyclone

  5. Some insufficient approaches • Compile C with extra information – type fields, size fields, live-pointer table, … – treats C as a higher-level language • Use static analysis – very difficult – less modular • Ban unsafe features – there are many – you need them Spring 2003 Dan Grossman Cyclone

  6. Cyclone: a combined approach Designed and implemented Cyclone, a safe C-level language • Advanced type system for safety-critical invariants • Flow analysis for tracking state changes • Exposed run-time checks where appropriate • Modern language features for common idioms Today: focus on type system Spring 2003 Dan Grossman Cyclone

  7. Cyclone reality • 130K lines of code, bootstrapped compiler, Linux / Cygwin / OS X, ... • All programs are safe (modulo interfacing to C) • Users control if/where extra fields and checks occur – checks can be needed (e.g., pointer arithmetic) • More annotations than C, but work hard to avoid it • Sometimes slower than C – 1x to 2x slowdown – can performance-tune more than in HLLs Spring 2003 Dan Grossman Cyclone

  8. The plan from here • Goals for the type system • Safe multithreading • Region-based memory management • Evaluation (single-threaded) • Related work • Future directions Spring 2003 Dan Grossman Cyclone

  9. Must be safe void f(int* p, int i, int v) { p[i] = v; 0 i n } ... p i v • All callers must ensure: – p is not NULL – p refers to an array of at least n ints – 0 <= i < n – p does not refer to deallocated storage – no other thread corrupts p or i Spring 2003 Dan Grossman Cyclone

  10. But not too restrictive void f(int* p, int i, int v) { p[i] = v; 0 i n ... } p i v • Different callers can have: – p refer to arrays of different lengths n – i be different integers such that 0 <= i < n – p refer to memory with different lifetimes – p refer to thread-local or thread-shared data Spring 2003 Dan Grossman Cyclone

  11. Design goals 1. Safe – can express necessary preconditions 2. Powerful – parameterized preconditions allow code reuse 3. Scalable – explicit types allow separate compilation 4. Usable – simplicity vs. expressiveness – most convenient for common cases – common framework for locks, lifetimes, array bounds, and abstract types Spring 2003 Dan Grossman Cyclone

  12. The plan from here • Goals for the type system • Safe multithreading • Region-based memory management • Evaluation (single-threaded) • Related work • Future directions Spring 2003 Dan Grossman Cyclone

  13. Safe multithreading: the problem Data race: one thread mutating some memory while another thread accesses it (w/o synchronization) 1. Pointer update must be atomic – possible on many multiprocessors if you’re careful 2. But writing addresses atomically is insufficient... Spring 2003 Dan Grossman Cyclone

  14. Data-race example struct SafeArr { int len; int* arr; }; p1 3 p2 5 if(p1->len > 4) *p1 = *p2; (p1->arr)[4] = 42; Spring 2003 Dan Grossman Cyclone

  15. Data-race example struct SafeArr { int len; int* arr; }; p1 3 p2 5 if(p1->len > 4) *p1 = *p2; (p1->arr)[4] = 42; change p1->len to 5 change p1->arr Spring 2003 Dan Grossman Cyclone

  16. Data-race example struct SafeArr { int len; int* arr; }; p1 3 p2 5 if(p1->len > 4) *p1 = *p2; (p1->arr)[4] = 42; change p1->len to 5 check p1->len > 4 write p1->arr[4] XXX change p1->arr Spring 2003 Dan Grossman Cyclone

  17. Preventing data races Reject at compile-time code that may have data races? • Limited power: problem is undecidable • Trivial if too limited: e.g., don’t allow threads • A structured solution: Require mutual exclusion on all thread-shared data Spring 2003 Dan Grossman Cyclone

  18. Lock types Type system ensures: For each shared data object, there exists a lock that a thread must hold to access the object • Basic approach for Java found many bugs [Flanagan et al] • Extensions allow other locking idioms and code reuse for shared/local data [Boyapati et al] Spring 2003 Dan Grossman Cyclone

  19. Lock-type contributions [TLDI 03] 1. Adapt the approach to a C-level language 2. Integrate parametric polymorphism 3. Integrate region-based memory management 4. Code reuse for thread-local and thread-shared data – simple rule to “keep local data local” 5. Proof for an abstract machine where data races violate safety Spring 2003 Dan Grossman Cyclone

  20. Cyclone multithreading • Multithreading language – terms – types • Limitations • Insight into why it’s safe Spring 2003 Dan Grossman Cyclone

  21. Multithreading terms • spawn( «f» , «p» , «sz» ) run f(p2) in a new thread (where *p2 is a shallow copy of *p and sz is the size of *p ) – thread initially holds no locks – thread terminates when f returns – creates shared data, but *p2 is thread-local • sync( «lk» ){ «s» } acquire lk , run s , release lk • newlock() create a new lock • nonlock a pseudo-lock for thread-local data Spring 2003 Dan Grossman Cyclone

  22. Examples, without types Suppose *p1 is shared (lock lk ) and *p2 is local Caller-locks Callee-locks void f(int* p) { void g(int* p, « use *p » lock_t l) { } sync(l){ « use *p » } } void caller() { void caller() { « ... » « ... » sync(lk){f(p1);} g(p1,lk); f(p2); g(p2,nonlock); } } Spring 2003 Dan Grossman Cyclone

  23. Types • Lock names in pointer types and lock types • int*`L is a type for pointers to locations guarded by a lock with type lock_t<`L> • Different locks cannot have the same name – lock_t<`L1> vs. lock_t<`L2> – this invariant will ensure mutual exclusion • Thread-local locations use lock name `loc lock names describe “what locks what” Spring 2003 Dan Grossman Cyclone

  24. Types for locks • nonlock has type lock_t<`loc> • newlock() has type ∃ `L. lock_t<`L> • Removing ∃ requires a fresh lock name – so different locks have different types – using ∃ is an established PL technique [ESOP 02] Spring 2003 Dan Grossman Cyclone

  25. Access rights Assign each program point a set of lock names: • if lk has type lock_t<`L> , sync( «lk» ){ «s» } adds `L • using location guarded by `L requires `L in set • functions have explicit preconditions – default: caller locks lock-name sets ensure code acquires the right locks (Lock names and lock-name sets do not exist at run-time) Spring 2003 Dan Grossman Cyclone

  26. Examples, with types Suppose *p1 is shared (lock lk ) and *p2 is local Caller-locks Callee-locks void f(int*`L p void g(int*`L p, ;{`L}) { lock_t<`L> l « use *p » ;{}) { } sync(l){ « use *p » } } void caller() { void caller() { « ... » « ... » sync(lk){f(p1);} g(p1,lk); f(p2); g(p2,nonlock); } } Spring 2003 Dan Grossman Cyclone

  27. Quantified lock types • Functions universally quantify over lock names • Existential types for data structures struct LkInt {<`L> // there exists a lock-name int*`L p; lock_t<`L> lk; }; • Type constructors for coarser locking struct List<`L> { // lock-name parameter int*`L head; struct List<`L>*`L tail; }; Spring 2003 Dan Grossman Cyclone

  28. Lock types so far 1. Safe – lock names describe what locks what – lock-name sets prevent unsynchronized access 2. Powerful – universal quantification for code reuse – existential quantification and type constructors for data with different locking granularities 3. Scalable – type-checking intraprocedural 4. Usable – default caller-locks idiom – bias toward thread-local data Spring 2003 Dan Grossman Cyclone

Recommend

Cyclone A Very Short Introduction Dan Grossman Cornell University Computer Science Cyclone

Cyclone A Very Short Introduction Dan Grossman Cornell University Computer Science Cyclone

Cyclone A Very Short Introduction Dan Grossman Cornell University Computer Science Cyclone Very Short Introduction, June 2001 Cyclone in One Slide A safe, convenient, and modern language/compiler at the C level of abstraction Safe:

69 views • 6 slides
Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work

Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work

Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&amp;T), Michael Hicks, James Cheney, Yanling Wang Cyclone A safe C-level language Safe: Memory

442 views • 29 slides
Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today

Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today

Chair of Softw are Engineering Einfhrung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today Abstraction, especially

167 views • 12 slides
Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of

Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of

Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of Informatics The University of Edinburgh Monday 17 March 2008 Semester 2 Week 11 Coursework Statistics Total of 30 submissions, with all topics

554 views • 23 slides
Programming Languages: Abstraction Onur Tolga S ehito glu Computer Engineering 18 March

Programming Languages: Abstraction Onur Tolga S ehito glu Computer Engineering 18 March

Programming Languages:Abstraction Programming Languages: Abstraction Onur Tolga S ehito glu Computer Engineering 18 March 2008 Programming Languages:Abstraction Outline 3 Parameters 1 Abstraction 4 Parameter Passing Mechanisms

325 views • 20 slides
CUB: A pattern of collective software design, abstraction, and reuse for kernel-level

CUB: A pattern of collective software design, abstraction, and reuse for kernel-level

CUB: A pattern of collective software design, abstraction, and reuse for kernel-level programming DUANE MERRILL, PH.D. NVIDIA RESEARCH What is CUB ? 1. A design model for collective kernel-level primitives How to make reusable software

1.14k views • 72 slides
Object-Oriented Programming 1908 Harry Beck, 1933 Abstraction Abstraction is the process of

Object-Oriented Programming 1908 Harry Beck, 1933 Abstraction Abstraction is the process of

Object-Oriented Programming 1908 Harry Beck, 1933 Abstraction Abstraction is the process of capturing only those ideas about a concept that are relevant to the current situation. Irrelevant ideas are left out. Abstraction Control

335 views • 14 slides
The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot;

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot;

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot; the human level to the physical level? &quot; the decide level to the action level? MDPs are great, search is great,

676 views • 31 slides
Lecture #24: Programming Languages and Programs Metalinguistic Abstraction A programming

Lecture #24: Programming Languages and Programs Metalinguistic Abstraction A programming

Lecture #24: Programming Languages and Programs Metalinguistic Abstraction A programming language is a notation for describing computations Weve created abstractions of actionsfunctionsand of things or processes. classes.

169 views • 4 slides
Lecture #25: Programming Languages and Programs Metalinguistic Abstraction A programming

Lecture #25: Programming Languages and Programs Metalinguistic Abstraction A programming

Lecture #25: Programming Languages and Programs Metalinguistic Abstraction A programming language, is a notation for describing computations Weve created abstractions of actionsfunctionsand of things or processes. classes.

324 views • 4 slides
Today Higher-level programming languages as an abstraction layer, using compiler or

Today Higher-level programming languages as an abstraction layer, using compiler or

Today Higher-level programming languages as an abstraction layer, using compiler or interpreter i il i t t To understand security problems in software, we may have to To understand security problems in software, we may have to

976 views • 73 slides
Are objects the right level of abstraction to enable the convergence between HPC and Big Data at

Are objects the right level of abstraction to enable the convergence between HPC and Big Data at

Are objects the right level of abstraction to enable the convergence between HPC and Big Data at storage level? Pierre Matri*, Alexandru Costan , Gabriel Antoniu , Jess Montes*, Mara S. Prez *, Luc Boug * Universidad

822 views • 44 slides
Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to

Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to

Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to values don t need to know which register or memory location Provides abstraction of underlying hardware operations do not depend on

411 views • 20 slides
Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to

Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to

Chapter 11 Introduction to Programming in C C: A High-Level Language Gives symbolic names to values don t need to know which register or memory location Provides abstraction of underlying hardware operations do not depend on

363 views • 10 slides
JMA/ WMO WORKSHOP ON EFFECTI VE TROPI CAL CYCLONE WARNI NG I N SOUTHEAST ASI A TROPI CAL CYCLONE

JMA/ WMO WORKSHOP ON EFFECTI VE TROPI CAL CYCLONE WARNI NG I N SOUTHEAST ASI A TROPI CAL CYCLONE

JMA/ WMO WORKSHOP ON EFFECTI VE TROPI CAL CYCLONE WARNI NG I N SOUTHEAST ASI A TROPI CAL CYCLONE MONI TORI NG I N LAO PDR TOKYO, JAPAN 11 14 March 2014 Ministry of Natural Resource and Environment (MONRE) Department of Meteorology and

225 views • 18 slides
Einfhrung in die Programmierung Einfhrung in die Programmierung Introduction to Programming

Einfhrung in die Programmierung Einfhrung in die Programmierung Introduction to Programming

Chair of Softw are Engineering Einfhrung in die Programmierung Einfhrung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 9: Abstraction Topics for today Abstraction, especially functional abstraction b

501 views • 29 slides
Models as the Basis for Visual Representation Level of abstraction: 1. Low: realistic 3D

Models as the Basis for Visual Representation Level of abstraction: 1. Low: realistic 3D

Models as the Basis for Visual Representation Level of abstraction: 1. Low: realistic 3D visualisation 2. High: insight at high abstraction level Link visualisation to model: 1. entity relationships (structure) 2. entity attributes

1.1k views • 7 slides
NOW Handout Page 1 CS258 S99 1 Relationship between Perspectives Back to Basics Parallel

NOW Handout Page 1 CS258 S99 1 Relationship between Perspectives Back to Basics Parallel

Meta-message today powerful high-level abstraction boils down to specific, simple low-level mechanisms each detail has significant implications Shared Memory Multiprocessors Topic: THE MEMORY ABSTRACTION sequence of reads and

388 views • 10 slides
Review Last Time: Programming Language History 50s, 60s: Exciting Time Invention of:

Review Last Time: Programming Language History 50s, 60s: Exciting Time Invention of:

Review Last Time: Programming Language History 50s, 60s: Exciting Time Invention of: assemblers, compilers, interpreters, first high- CSCI: 4500/6500 Programming level languages, structured programming , abstraction, formal syntax,

202 views • 7 slides
Review Last Time: Programming Language History 50s, 60s: Exciting Time Invention

Review Last Time: Programming Language History 50s, 60s: Exciting Time Invention

Review Last Time: Programming Language History 50s, 60s: Exciting Time Invention of: assemblers, compilers, interpreters, first high- CSCI: 4500/6500 Programming level languages, structured programming , abstraction, formal syntax,

267 views • 7 slides
Java By Abstraction: Chapter 2 Programming by Delegation Some examples and/or figures were

Java By Abstraction: Chapter 2 Programming by Delegation Some examples and/or figures were

Java By Abstraction: Chapter 2 Programming by Delegation Some examples and/or figures were borrowed (with permission) from slides prepared by Prof. H. Roumani Object Oriented Programming (OOP) Encapsulate real-world entities in a class

793 views • 24 slides
Abstraction refinement and plan revision for control synthesis under high level specifications

Abstraction refinement and plan revision for control synthesis under high level specifications

Abstraction refinement and plan revision for control synthesis under high level specifications Pierre-Jean Meyer Dimos V. Dimarogonas KTH, Royal Institute of Technology July 12 th 2017 Outline Abstraction-based synthesis Global framework

603 views • 34 slides
DaMPL What is DaMPL? &quot;Data Manipulation Programming Language High-level

DaMPL What is DaMPL? &quot;Data Manipulation Programming Language High-level

DaMPL What is DaMPL? &quot;Data Manipulation Programming Language High-level abstraction language Features tools to read, process and write data Translator generates efficient C code Quick-start guide Variables /* No need to

433 views • 19 slides
CS 1331 Introduction to Object Oriented Programming Data Abstraction Christopher Simpkins

CS 1331 Introduction to Object Oriented Programming Data Abstraction Christopher Simpkins

CS 1331 Introduction to Object Oriented Programming Data Abstraction Christopher Simpkins chris.simpkins@gatech.edu Chris Simpkins (Georgia Tech) CS 1331 Data Abstraction 1 / 10 Data Abstraction An abstraction of a concept attempts to

362 views • 10 slides

More recommend