dynamically checking type correctness of whole programs
play

Dynamically checking type-correctness of whole programs (work newly - PowerPoint PPT Presentation

Mar 16, 2024 •21 likes •281 views

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/22 Wanted (naive version): check this! if (obj

  1. Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . – p.1/22

  2. Wanted (naive version): check this! if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } libcrunch . . . – p.2/22

  3. Wanted (naive version): check this! if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) libcrunch . . . – p.2/22

  4. Wanted (naive version): check this! if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary compatible � source compatible � reasonable performance � avoid being C-specific!* * mostly... libcrunch . . . – p.2/22

  5. This talk in one slide I will describe libcrunch , which is � an infrastructure for run-time type checking � encodes type checks as assertions � no guarantee of “safety” (but...) � support idiomatic unsafe code � checks inserted by per-language front-ends � no binary interface changes � no source changes, usually* (* but sometimes out-of-band guidance helps) libcrunch . . . – p.3/22

  6. Introducing libcrunch The user’s view: � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks where � myprog contains type assertions (we’ll see how) � normally “disabled” � enabled when libcrunch is linked in � compiler [wrapper] inserts assertions automatically libcrunch . . . – p.4/22

  7. What is run-time type checking? Check every program operation is “type-correct”, i.e. � program state is a collection of stored values � ... allocated as instances of some “data type” � data types signify meaning � operations consume and produce stored values... More precise definition wanted... � for C, plan to use Cerberus to create formal definition libcrunch . . . – p.5/22

  8. What checks are we interested in? Recall the example: if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } Primitive errors are not our concern � even C compilers check primitive type-correctness First-order and up � all about pointers � first cut: check casts (& implicit strengthenings) in C libcrunch . . . – p.6/22

  9. How it works, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } libcrunch . . . – p.7/22

  10. How it works, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, (assert( is a (obj, ” struct commit”)), // or something like this ( struct commit ∗ )obj))) return − 1; return 0; } libcrunch . . . – p.7/22

  11. How it works, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, (assert( is a (obj, ” struct commit”)), // or something like this ( struct commit ∗ )obj))) return − 1; return 0; } To make this work, we need: � type information on every allocation in program � efficient run-time representation of types is a function � fast � something to write these assertions for us libcrunch . . . – p.7/22

  12. Idealised view of libcrunch operation debugging information deployed binaries (with data-type assertions) (with allocation site information) /bin/ /lib/ /lib/ /bin/foo .debug/ .debug/ .c .f .cc .java libxyz.so foo libxyz.so precompute unique data types /bin/ libcrunch .uniqtyp/ .so foo.so load, link and run (ld.so) program image heap_index 0xdeadbeef, “Widget”? __is_a uniqtypes true libcrunch . . . – p.8/22

  13. Type info for each allocation Type info for allocation is reasonable because � ... to allocate, you need a size � three kinds of allocations: static, stack, heap � assume all heap allocators are instrumented... Assume we have debug info � handles stack and static cases libcrunch . . . – p.9/22

  14. What happens at run time? program image libdl __is_a (0xdeadbeec, “Widget”)? lookup (“Widget”) &__uniqtype_Widget lookup (0xdeadbeec) heap_index allocsite : 0x8901234, offset : 0xc __is_a lookup (0x8901234) allocsites &__uniqtype_Window find ( &__uniqtype_Window, &__uniqtype_Widget, uniqtypes 0xc) true found libcrunch . . . – p.10/22

  15. Looking up object metadata (1) Recall: need info about an arbitrary object’s allocation � ... given an arbitrary pointer Stack case � walk the stack + use debug info for locals/args Static case � use debug info Heap case � hard! might be an interior pointer � use clever virtual memory-based data structure (ask me) libcrunch . . . – p.11/22

  16. is a , containment... is a > 1 way A pointer might satisfy ���������� ���������������� ��� ��� ������������� ��� ��� ������������� ���������������� ��� � �� ���������������� �������� � � � Consider “what is ” � &my ellipse � &my ellipse.ctr � ... (Subclassing is usually implemented this way.) libcrunch . . . – p.12/22

  17. Efficiently reifying data types at run time struct ellipse { double maj, min; struct { double x, y; } ctr ; } ; “int” 4 0 __uniqtype__int “double” 8 0 __uniqtype__double 0 16 2 0 8 __uniqtype__anon0x123 “ellipse” 32 3 0 8 16 __uniqtype__ellipse ... Reify data types uniquely , describing containment � uniqueness → “exact type” test is a pointer comparison is a() is a simple, fast search through this structure � libcrunch . . . – p.13/22

  18. Other flavours of check is a is a nominal check, but we can also write like a – “1-structural” (unwrap one level) � phys a – “*-structural” (unwrap maximally) � refines – may instantiate padding (` a la sockaddr ) � named a – opaque workaround � libcrunch . . . – p.14/22

  19. Notes about memory correctness We (currently) do nothing about memory correctness! E.g. void f () { int a; int bs[2]; for ( int ∗ p = &bs[0]; p < = 2; ++p) { / ∗ ... ∗ / } } � bug-finding, not verification, not security... � faster! avoid per-pointer (cf. per-object) metadata � most memory-incorrect programs are type-incorrect... � could “force a cast” after pointer arithmetic SoftBound + CETS do a pretty good job � we could replicate them... libcrunch . . . – p.15/22

  20. Recap What we’ve just seen is � a runtime system for evaluating type assertions � fast (biggest slowdown seen 20%; often < 10%) � (by design) flexible � a “whole program” language-neutral design � binary compatible What about source compatibility? libcrunch . . . – p.16/22

  21. libcrunch prototype: C front-end Who inserts the assertions? � instrumentation: “one assertion per pointer cast” � analysis: “what data type is being malloc() ’d?” � ... guess from use of sizeof source tree ... main.c widget.c util.c ... main.i widget.i util.i .allocs .allocs .allocs CIL-based compiler front-end dump allocation sites (dumpallocs) instrument pointer casts libcrunch . . . – p.17/22

  22. Complications (1) With metadata � dynamic loading (merge uniqtypes) � non-standard alloc functions (explicit support) With compilers (currently false pos/negs) � address-taken temporaries (fix compiler for debug info) � varargs actuals � alloca() + assert() usually isn’t quite what you want... libcrunch . . . – p.18/22

  23. Complications (2) With the C front end (false pos or “intervention required”) � very weird uses of sizeof � weird avoidance of sizeof � char special case � object re-use � unions (but mostly doable! three cases; ask me) � some cases of multiple indirection cause false pos libcrunch . . . – p.19/22

  24. Brutal honesty moment: a real false positive void sort eight special ( void ∗∗ pt) { void ∗ tt [8]; register int i ; for ( i=0;i < 8;i++)tt [ i]=pt[ i ]; for ( i=XUP;i < =TUP;i++) { pt[i]=tt[2 ∗ i]; pt[OPP DIR(i)]=tt[2 ∗ i+1]; } } Client then does (making libcrunch print a warning) neighbor = ( int ∗∗ )calloc(NDIRS, sizeof ( int ∗ )); / ∗ ... ∗ / sort eight special (( void ∗∗ ) neighbor ); Question: is this valid C? libcrunch . . . – p.20/22

  25. What’s in it for REMS Check “agreement” between libcrunch and cerberus � inclusion, for the relevant subset of complaints Tool for exploring behaviour of real programs � good at turning up “dodgy” code (oft also “correct”!) Representative of a wider set of tools... � insight for bridging between source and run-time worlds � linking tie-in... libcrunch . . . – p.21/22

  26. Recap, conclusions We’ve seen � a runtime infrastructure for fast checking � a prototype C front-end Remaining challenges for the run-time part: � finish the paper... � multi-language story � support more complex specifications (“types”) Code is here: https://github.com/stephenrkell/ Thanks for listening. Questions? libcrunch . . . – p.22/22

Recommend

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd Fischer n.grech@ecs.soton.ac.uk Dynamically-typed languages Principal type of a variable is mutated through assignments: def plus2(a): if

1.47k views • 109 slides
Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft

Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft

Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft Joint work with Jonas Kastberg Hinrichsen, ITU Jesper Bengtson, ITU 4 June 2020 @ VEST Workshop, Online 1 Type checking message-passing programs

601 views • 25 slides
Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted (how it all started) if (obj &gt; type == OBJ

863 views • 29 slides
Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze

Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze

Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze (protze@itc.rwth-aachen.de) Motivation OpenMP 3 introduced tasks (2008) Several data race detection tools for OpenMP tasks popped up just last year How can

384 views • 16 slides
Run-time type checking of whole programs and other stories . Stephen Kell

Run-time type checking of whole programs and other stories . Stephen Kell

Run-time type checking of whole programs and other stories . Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/44 Wanted (naive version): check this! if (obj &gt; type == OBJ

572 views • 55 slides
Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan

Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan

Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan (UPenn) Andrew McGregor (UCSD) Memory Checking Memory Checking Your resources: A lot of cheap unreliable memory and a little expensive reliable

1.11k views • 70 slides
Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted if (obj &gt; type == OBJ COMMIT) { if (process commit(walker, ( struct commit )obj))

641 views • 62 slides
Functional Correctness Specification Formal Verification 15-214 Unit Testing Type

Functional Correctness Specification Formal Verification 15-214 Unit Testing Type

Functional Correctness Specification Formal Verification 15-214 Unit Testing Type Checking Statistic Analysis Requirements definition Inspections, Reviews 15-313 Integration/System/Acceptance/Regression/GUI/Bl

608 views • 45 slides
Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

COMP 520 Fall 2010 Type checking (1) Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks: determine the types of all expressions; check that values and variables are used correctly; and resolve

631 views • 30 slides
Dynamically diagnosing type errors in unsafe code Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically diagnosing type errors in unsafe code Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically diagnosing type errors in unsafe code Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 A definition ... dynamically type-safe [means] the behavior of any program, correct or not, can be

626 views • 29 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the

Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the

Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the question of type checking and type reconstruction. Given , t and T , check whether t : T Type checking: Given and t , find a type T

518 views • 28 slides
Higher-Order Model Checking III: Reducing Model Checking to Type Inference IV: Applications:

Higher-Order Model Checking III: Reducing Model Checking to Type Inference IV: Applications:

Higher-Order Model Checking III: Reducing Model Checking to Type Inference IV: Applications: Verifying Higher-order Functional Programs Luke Ong University of Oxford http://www.cs.ox.ac.uk/people/luke.ong/personal/ http://mjolnir.cs.ox.ac.uk

856 views • 26 slides
Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp .

Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp .

Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp . type ) type-exp int type-exp . type := integer type-exp bool type-exp . type := boolean type-exp 1 array type-exp 1 . type := [num] of

613 views • 7 slides
Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick Universitt Oldenburg February 2017 Intro Correctness Results Rel. Work Conclusion Extras Outline Correctness and Graph Programs 1

354 views • 24 slides
Type Systems for Concurrent Programs Na oki Koba ya shi T okyo Institute of T e c hnolog y

Type Systems for Concurrent Programs Na oki Koba ya shi T okyo Institute of T e c hnolog y

Type Systems for Concurrent Programs Na oki Koba ya shi T okyo Institute of T e c hnolog y Type Systems for Programming Languages Guarantee partial correctness of programs fun fact (n) = if n=0 then 1 else n fact(n-1); val fact =

504 views • 38 slides
Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

CSE340 Principles of Programming Languages Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x from this definition? f(x) = x Automatic Type Inference f(x) = x f is a function that takes a single

1.31k views • 73 slides
Type checking and normalisation James Chapman - University of Nottingham My thesis Type

Type checking and normalisation James Chapman - University of Nottingham My thesis Type

Type checking and normalisation James Chapman - University of Nottingham My thesis Type checking in Haskell Epigram language - McBride/McKinna Big-step normalisation for simple types, formalised in Agda Big-step normalisation for

978 views • 36 slides
Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010 Beyond Code Injection 1.Injection An application includes an Dependent on application-specific unintended run-time program

595 views • 20 slides
Static program checking and verification Correctness class ArraySet implements Set { class

Static program checking and verification Correctness class ArraySet implements Set { class

Chair of Softw are Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Mller Static program checking and verification Correctness class ArraySet

445 views • 18 slides
Correctness of parallel programs Shaz Qadeer Research in

Correctness of parallel programs Shaz Qadeer Research in

Correctness of parallel programs Shaz Qadeer Research in So7ware Engineering CSEP 506 Spring 2011 Why is correctness important? So7ware development is

565 views • 30 slides
From Concurrent Programs to Simulating Sequential Programs: Correctness of a Transformation VPT

From Concurrent Programs to Simulating Sequential Programs: Correctness of a Transformation VPT

From Concurrent Programs to Simulating Sequential Programs: Correctness of a Transformation VPT 2017 Allan Blanchard, Fr ed eric Loulergue, Nikolai Kosmatov April 29 th , 2017 From Concurrent Programs to Simulating Sequential Programs

488 views • 37 slides
+ The HARPO Verifier Status 2018 October 15 Verifying the Correctness of HARPO Programs 1

+ The HARPO Verifier Status 2018 October 15 Verifying the Correctness of HARPO Programs 1

+ The HARPO Verifier Status 2018 October 15 Verifying the Correctness of HARPO Programs 1 Verifying the Correctness of HARPO Programs Presented at NECEC 2018, St. Johns NL Inaam Ahmed Computer Engineering Research Labs, Dept. ECE, MUN

492 views • 23 slides
Incremental Type-Checking for Metaprograms Weiyu Miao Weiyu Miao 1 / 20 Introduction to

Incremental Type-Checking for Metaprograms Weiyu Miao Weiyu Miao 1 / 20 Introduction to

Incremental Type-Checking for Metaprograms Weiyu Miao Weiyu Miao 1 / 20 Introduction to Metaprogramming Metaprogramming is a programming technique for generating and manipulating other programs. MetaML, MetaOCaml, Haskell Templates, C++

556 views • 20 slides

More recommend