dynamically diagnosing type errors in unsafe code
play

Dynamically diagnosing type errors in unsafe code Stephen Kell - PowerPoint PPT Presentation

Dec 12, 2022 •323 likes •626 views

Dynamically diagnosing type errors in unsafe code Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 A definition ... dynamically type-safe [means] the behavior of any program, correct or not, can be

  1. Dynamically diagnosing type errors in unsafe code Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1

  2. A definition “... dynamically type-safe [means] the behavior of any program, correct or not, can be easily understood in terms of the source-level language semantics.” 2

  3. A definition “... dynamically type-safe [means] the behavior of any program, correct or not, can be easily understood in terms of the source-level language semantics.” —Ungar, Spitz and Ausch, Constructing a Metacircular Virtual Machine in an Exploratory Programming Environment 2

  4. A definition “... dynamically type-safe [means] the behavior of any program, correct or not, can be easily understood in terms of the source-level language semantics.” —Ungar, Spitz and Ausch, Constructing a Metacircular Virtual Machine in an Exploratory Programming Environment 2

  5. A definition “... dynamically type-safe [means] the behavior of any program, correct or not, can be easily understood in terms of the source-level language semantics.” —Ungar, Spitz and Ausch, Constructing a Metacircular Virtual Machine in an Exploratory Programming Environment “Type safety” [at run time] is really about debugging ! 2

  6. A definition “... dynamically type-safe [means] the behavior of any program, correct or not, can be easily understood in terms of the source-level language semantics.” —Ungar, Spitz and Ausch, Constructing a Metacircular Virtual Machine in an Exploratory Programming Environment “Type safety” [at run time] is really about debugging ! � clean error reports are better than corrupting errors � ... would be nice even in unsafe languages , like C 2

  7. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } 3

  8. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) 3

  9. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary-compatible � source-compatible � ... for real, idiomatic code in (say) C � reasonable performance 3

  10. Tool wanted if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary-compatible � source-compatible � ... for real, idiomatic code in (say) C � reasonable performance Enter libcrunch , which does the above. 3

  11. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends 4

  12. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally 4

  13. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks 4

  14. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks � myprog: Failed is a internal(0x5a1220, 0x413560 a.k.a. "uint$32") at 0x40dade, allocation was a heap block of int$32 originating at 0x40daa1 Reminiscent of Valgrind (Memcheck), but different... � not checking memory definedness, in-boundsness, etc.. � ... in fact, assume correct w.r.t. these! � provide & exploit run-time type information 4

  15. Sketch of the instrumentation for C if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } 5

  16. Sketch of the instrumentation for C if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( CHECK ( is a (obj, ”struct commit”)), ( struct commit ∗ )obj))) return − 1; return 0; } 5

  17. Sketch of the instrumentation for C if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( CHECK ( is a (obj, ”struct commit”)), ( struct commit ∗ )obj))) return − 1; return 0; } Need a runtime which is a() function � provides a fast � ... and a few other flavours of check � by efficiently tracking allocations � ... and attaching reified type info 5

  18. Reified, unique data types (see my Onward! 2015 paper about liballocs ) struct ellipse { double maj, min; struct point { double x, y; } ctr ; } ; “int” 4 0 __uniqtype__int “double” 8 0 __uniqtype__double 0 16 2 0 8 __uniqtype__point “ellipse” 32 3 0 8 16 __uniqtype__ellipse ... � also model: stack frames, functions, pointers, arrays, ... � unique → “exact type” test is a pointer comparison is a() is a short search over containment edges � 6

  19. Is it really that simple? What about...? � untyped malloc() et al. � opaque pointers, a.k.a. void* � conversion of pointers to integers and back � function pointers � pointers to pointers � “simulated subtyping” � { custom, nested } heap allocators � alloca() � “sloppy” (non-standard-compliant) code � unions, varargs, memcpy() 7

  20. Is it really that simple? What about...? � untyped malloc() et al. � opaque pointers, a.k.a. void* � conversion of pointers to integers and back � function pointers � pointers to pointers � “simulated subtyping” � { custom, nested } heap allocators � alloca() � “sloppy” (non-standard-compliant) code � unions, varargs, memcpy() 7

  21. What data type is being malloc() ’d? Use intraprocedural “sizeofness” analysis size t sz = sizeof (struct Foo); /* ... */ malloc(sz); Sizeofness propagates, a bit like dimensional analysis. 8

  22. What data type is being malloc() ’d? Use intraprocedural “sizeofness” analysis size t sz = sizeof (struct Foo); /* ... */ malloc(sz); Sizeofness propagates, a bit like dimensional analysis. malloc(sizeof (Blah) + n * sizeof (struct Foo)) 8

  23. What data type is being malloc() ’d? Use intraprocedural “sizeofness” analysis size t sz = sizeof (struct Foo); /* ... */ malloc(sz); Sizeofness propagates, a bit like dimensional analysis. malloc(sizeof (Blah) + n * sizeof (struct Foo)) Dump typed allocation sites from compiler, for later pick-up source tree ... main.c widget.c util.c ... main.i widget.i util.i .allocs .allocs .allocs 8

  24. Polymorphism via multiply-indirected void void sort eight special ( void ∗∗ pt) { void ∗ tt [8]; register int i ; for ( i=0;i < 8;i++)tt [ i]=pt[ i ]; for ( i=XUP;i < =TUP;i++) { pt[i]=tt[2 ∗ i]; pt[OPP DIR(i)]=tt[2 ∗ i+1]; } } neighbor = ( int ∗∗ )calloc(NDIRS, sizeof ( int ∗ )); sort eight special (( void ∗∗ ) neighbor ); // < −− must allow! � solution: tolerate casts from T** to void** ... � and check writes through void** � ... against the underlying object type (here int *[] ) 9

  25. Performance data: C-language SPEC CPU2006 benchmarks bench normal/ s crunch % nopreload bzip2 +6 . 8 % +1 . 4 % 4 . 95 gcc 0 . 983 +160 % – % gobmk +11 % +2 . 0 % 14 . 6 h264ref 10 . 1 +3 . 9 % +2 . 9 % hmmer 2 . 16 +8 . 3 % +3 . 7 % lbm 3 . 42 +9 . 6 % +1 . 7 % mcf +12 % ( − 0 . 5 %) 2 . 48 milc 8 . 78 +38 % +5 . 4 % sjeng +1 . 5 % ( − 1 . 3 %) 3 . 33 sphinx3 1 . 60 +13 % +0 . 0 % perlbench 10

  26. Experience on “correct” code run-time false positives benchmark compile fixes instances unique (of which...) total unhelpful bzip2 0 48 3 3 3 × 10 5 gcc 1 14 3 gobmk 0 0 0 0 h264ref 2 27 2 0 hmmer 0 0 0 0 5 × 10 7 lbm 0 8 0 mcf 0 0 0 0 milc 0 0 0 0 sjeng 0 0 0 0 sphinx3 0 0 0 0 11

  27. A “helpful” false positive? typedef double LBM Grid[SIZE Z ∗ SIZE Y ∗ SIZE X ∗ N CELL ENTRIES]; typedef LBM Grid ∗ LBM GridPtr; #define MAGIC CAST(v) (( unsigned int ∗ ) (( void ∗ ) (&(v)))) #define FLAG VAR(v) unsigned int ∗ const aux = MAGIC CAST(v) // ... \ #define TEST FLAG(g,x,y,z,f) (( ∗ MAGIC CAST(GRID ENTRY(g, x, y, z, FLAGS))) & (f)) #define SET FLAG(g,x,y,z,f) \ { FLAG VAR(GRID ENTRY(g, x, y, z, FLAGS)); ( ∗ aux ) | = (f); } 12

  28. Future work: shopping list for a safe implementation of C − ǫ � check memcpy() , realloc() , etc.. � add a bounds checker (improve on SoftBound) � add a GC (precise! improve on Boehm) � check unions and varargs � always initialize pointers � check unsafe writes through char* � safely address-takeable union members (!) Good prospects for all of the above! (ask me) 13

  29. Conclusions Checking pointer casts can be made efficient and helpful � source- and binary-compatible � low overhead, convenient to use (e.g. no rebuilds) � good prospects for extension Code is here: http://github.com/stephenrkell/libcrunch/ Thanks for your attention. Questions? 14

Recommend

Diagnosing Type Errors with Class Danfeng Zhang Dimitrios Vytiniotis Simon Peyton-Jones Andrew

Diagnosing Type Errors with Class Danfeng Zhang Dimitrios Vytiniotis Simon Peyton-Jones Andrew

Diagnosing Type Errors with Class Danfeng Zhang Dimitrios Vytiniotis Simon Peyton-Jones Andrew C. Myers Cornell University MSR Cambridge PLDI 2015 Distinguished Paper Award Error localization is difficult for ML type systems It is a

577 views • 32 slides
The importance of meaning Diagnosing Diagnosing meaning errors meaning errors Detmar Meurers

The importance of meaning Diagnosing Diagnosing meaning errors meaning errors Detmar Meurers

ICALL: Part III ICALL: Part III The importance of meaning Diagnosing Diagnosing meaning errors meaning errors Detmar Meurers Detmar Meurers Universit at T ubingen Universit at T ubingen Intelligent Computer-Assisted Language

149 views • 11 slides
On the Use of Underspecified Data-Type Semantics for Type Safety in Low-Level Code Hendrik Tews 1

On the Use of Underspecified Data-Type Semantics for Type Safety in Low-Level Code Hendrik Tews 1

Introduction Basics Type Errors Stronger Encodings Type Sensitivity Conclusion On the Use of Underspecified Data-Type Semantics for Type Safety in Low-Level Code Hendrik Tews 1 , Marcus V olp 1 , Tjark Weber 2 1 Technische Universit at

559 views • 40 slides
How willing are you to be wrong? Type I and Type II Errors Type 1, Type II Errors and Power

How willing are you to be wrong? Type I and Type II Errors Type 1, Type II Errors and Power

How willing are you to be wrong? Type I and Type II Errors Type 1, Type II Errors and Power Distribution of means for reference data Distribution of a.k.a. Ho means for my data 5% of the data (the upper tail) is shaded, we will allow the

320 views • 14 slides
Review Ch 1-5 Executing code Compile code (convert from C++ to computer code) - Syntax errors

Review Ch 1-5 Executing code Compile code (convert from C++ to computer code) - Syntax errors

Review Ch 1-5 Executing code Compile code (convert from C++ to computer code) - Syntax errors will prevent compilation Run code - Runtime errors will crash your program - Logic errors will make your program give the wrong output Syntax =

192 views • 15 slides
Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd Fischer n.grech@ecs.soton.ac.uk Dynamically-typed languages Principal type of a variable is mutated through assignments: def plus2(a): if

1.47k views • 109 slides
Code Enforcement, Unsafe Buildings &amp; The Neighborhood Investment Committee COMBATING VACANCY

Code Enforcement, Unsafe Buildings &amp; The Neighborhood Investment Committee COMBATING VACANCY

Code Enforcement, Unsafe Buildings &amp; The Neighborhood Investment Committee COMBATING VACANCY &amp; BLIGHT IN MUNCIE, IN Code Enforcement (Building Commissioners Office) Weeds Occupied Housing Meth Labs Trash &amp; Debris in

437 views • 17 slides
Type-II errors of independence tests can lead to arbitrarily large errors in estimated causal

Type-II errors of independence tests can lead to arbitrarily large errors in estimated causal

Type-II errors of independence tests can lead to arbitrarily large errors in estimated causal effects: an illustrative example Workshop UAI 2014 Nicholas Cornia &amp; Joris M. Mooij University of Amsterdam 27/07/2014 Problem Setting 1

284 views • 26 slides
Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size,

Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size,

Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size, power, and bootstrapping Statistics 101 Thomas Leininger June 3, 2013 Decision errors Type 1 and Type 2 errors Decision errors Hypothesis tests

468 views • 27 slides
Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size,

Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size,

Unit 3: Foundations for inference Lecture 3: Decision errors, significance levels, sample size, power, and bootstrapping Statistics 101 Thomas Leininger June 3, 2013 Decision errors Decision errors 1 Type 1 and Type 2 errors Error rates

735 views • 72 slides
Hypotheses testing, p-values, Type I and Type II Errors Statistics are not substitute for

Hypotheses testing, p-values, Type I and Type II Errors Statistics are not substitute for

Hypotheses testing, p-values, Type I and Type II Errors Statistics are not substitute for judgment. Henry Clay (US Senator) Formal hypotheses testing population A Is this a difference due B to random chance? Mean height A B sample

364 views • 7 slides
A short overview of Type Theory Yves Bertot June 2015 1 / 36 Motivation for types You know

A short overview of Type Theory Yves Bertot June 2015 1 / 36 Motivation for types You know

A short overview of Type Theory Yves Bertot June 2015 1 / 36 Motivation for types You know types, for instance in C int x = 3; Type errors are detected at compile-time Type verification removes errors from run-time errors Not

534 views • 36 slides
ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors

ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors

ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors Strings ex. This is a string Data Structure a particular way of organizing data for computers Dictionary type of data

454 views • 42 slides
Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial infections

Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial infections

Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial Diagnosing bacterial infections with viruses infections with viruses infections with viruses infections with viruses (Modular Construction of Bacteriophage for Diagnostic

542 views • 40 slides
Programming Miscellaneous MPI-IO topics MPI-IO Errors Unlike the rest of MPI, MPI-IO errors

Programming Miscellaneous MPI-IO topics MPI-IO Errors Unlike the rest of MPI, MPI-IO errors

Advanced Parallel Programming Miscellaneous MPI-IO topics MPI-IO Errors Unlike the rest of MPI, MPI-IO errors are not fatal - probably dont want your program to crash if a file open fails - always need to check the error code! Many

265 views • 23 slides
Optimizing Binary Translation of Dynamically Generated Code Byron Hawkins Brian Demsky

Optimizing Binary Translation of Dynamically Generated Code Byron Hawkins Brian Demsky

Optimizing Binary Translation of Dynamically Generated Code Byron Hawkins Brian Demsky University of California, Irvine Derek Bruening Qin Zhao Google, Inc. Profiling Bug detection Program analysis Security SPEC CPU 2006

1.15k views • 85 slides
Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/22 Wanted (naive version): check this! if (obj

281 views • 26 slides
Error Coding Transmission process may introduce errors into a message. Single bit errors

Error Coding Transmission process may introduce errors into a message. Single bit errors

Error Coding Transmission process may introduce errors into a message. Single bit errors versus burst errors Detection: Requires a convention that some messages are invalid Hence requires extra bits An (n,k) code has

850 views • 72 slides
Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel,

Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel,

Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel, Michael D. Ernst, Kvan Mulu, and Todd W. Schiller 1 Software still has errors 2 Static type systems 0 errors, Crashes 0 warnings Source

624 views • 29 slides
1 Two-Dimensional Parity Internet Checksum Use 1-dimensional parity Idea Add up all

1 Two-Dimensional Parity Internet Checksum Use 1-dimensional parity Idea Add up all

Error Coding Parity 1-bit error detection with parity Transmission process may introduce errors into a message. Add an extra bit to a code to ensure an even (odd) number of 1s Single bit errors versus burst errors Every

284 views • 4 slides
Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors

Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors

Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors CS-121 Logic errors Syntax Errors Syntax Errors An error in which a C++ grammar rule has been violated. Are flagged at compile time Missing ;

338 views • 5 slides
Baba Inusa Recommendation Lead Consultant, Paediatric Sickle cell and Thalassaemia , GSTT

Baba Inusa Recommendation Lead Consultant, Paediatric Sickle cell and Thalassaemia , GSTT

Diagnosing Osteomyelitis in Sickle Cell Diagnosing Osteomyelitis in Sickle Cell Diagnosing Osteomyelitis in Sickle Cell Diagnosing Osteomyelitis in Sickle Cell Disease Disease Disease Disease Infection and SCD-Pathophysioology Role of

408 views • 4 slides
Plan for Today Finish control-flow code gen from Tuesday Handling shift-reduce errors

Plan for Today Finish control-flow code gen from Tuesday Handling shift-reduce errors

Plan for Today Finish control-flow code gen from Tuesday Handling shift-reduce errors Examples of what they look like Interpreting the javacup.dump output Getting rid of shift-reduce errors CS453 : Handling Shift-Reduce Errors in

267 views • 4 slides
State-of-the-Art ! 30-85 errors are made per 1000 lines of source CS 619 Introduction to OO Design

State-of-the-Art ! 30-85 errors are made per 1000 lines of source CS 619 Introduction to OO Design

State-of-the-Art ! 30-85 errors are made per 1000 lines of source CS 619 Introduction to OO Design code and Development ! extensively tested software contains 0.5-3 errors per 1000 lines of source code Testing ! error distribution: 60%

410 views • 12 slides

More recommend