run time type checking of whole programs
play

Run-time type checking of whole programs and other stories . - PowerPoint PPT Presentation

Jun 16, 2023 •22 likes •572 views

Run-time type checking of whole programs and other stories . Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/44 Wanted (naive version): check this! if (obj > type == OBJ

  1. Run-time type checking of whole programs and other stories . Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . – p.1/44

  2. Wanted (naive version): check this! if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } libcrunch . . . – p.2/44

  3. Wanted (naive version): check this! if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) libcrunch . . . – p.2/44

  4. Wanted (naive version): check this! if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary-compatible � source-compatible � reasonable performance � avoid being C-specific!* * mostly... libcrunch . . . – p.2/44

  5. Wanted (naive version): check this! if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary-compatible � source-compatible � reasonable performance � avoid being C-specific!* * mostly... ... in fact, a general-purpose “dynamic” run-time (ask me) libcrunch . . . – p.2/44

  6. The main part of this talk in one slide I describe libcrunch , which is � an infrastructure for run-time type checking � encodes type checks as assertions over reified data types � per-language front-ends (C; C ++ , Fortran, ...) � support idiomatic unsafe code, unmodified* � target: safe assuming memory safety � no binary interface changes (* but sometimes out-of-band guidance helps) libcrunch . . . – p.3/44

  7. Why care about unsafe languages? � fine control of resource utilisation � talk directly to operating system � talk directly to hardware � freedom to { simulate, violate } abstractions � re-use existing code (a huge investment) � unsafe is the “hard / general” case libcrunch . . . – p.4/44

  8. What is “type-correctness”? “Type” means “data type” � instantiate = allocate � concerns storage � “correct”: reads and writes respect allocated data type � cf. memory- correct (spatial, temporal) Languages can be “safe”; programs can be “correct” libcrunch . . . – p.5/44

  9. The user’s eye view � $ crunchcc -o myprog ... # + other front-ends libcrunch . . . – p.6/44

  10. The user’s eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally libcrunch . . . – p.6/44

  11. The user’s eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks libcrunch . . . – p.6/44

  12. The user’s eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks � myprog: Failed is a internal(0x5a1220, 0x413560 a.k.a. "uint$32") at 0x40dade, allocation was a heap block of int$32 originating at 0x40daa1 libcrunch . . . – p.6/44

  13. How it works for C code, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } libcrunch . . . – p.7/44

  14. How it works for C code, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, (assert( is a (obj, ” struct commit”)), ( struct commit ∗ )obj))) return − 1; return 0; } libcrunch . . . – p.7/44

  15. How it works for C code, in a nutshell if (obj − > type == OBJ COMMIT) { if (process commit(walker, (assert( is a (obj, ” struct commit”)), ( struct commit ∗ )obj))) return − 1; return 0; } Want a runtime with magical powers � tracking allocations � with type info � efficiently � → fast is a() function libcrunch . . . – p.7/44

  16. What does a C compiler not check? int a = 1; char ∗ b = ...; void f( double ); f(a); // okay −− compiler adds conversion b = a; // not okay −− compiler tells us // not okay −− compiler tells us f(b); f ( ∗ ( double ∗ )b); // depends... Want to check what the compiler punts on � use of pointers (“distant” accesses) � also (rarer): unions, varargs functions libcrunch . . . – p.8/44

  17. Memory-correctness vs type-correctness (1) Pointer-y things checked by existing tools � spatial m-c – bounds (SoftBound, Asan) � temporal 1 m-c – use-after-free (CETS, Asan) � temporal 2 m-c – initializedness (Memcheck, Msan) � nothing to do with types! Slow! � metadata per { value, pointer } � check on use libcrunch . . . – p.9/44

  18. Memory-correctness vs type-correctness (1) Pointer-y things checked by existing tools � spatial m-c – bounds (SoftBound, Asan) � temporal 1 m-c – use-after-free (CETS, Asan) � temporal 2 m-c – initializedness (Memcheck, Msan) � nothing to do with types! Slow! Faster: � metadata per { value, pointer } allocation � check on use create // a check over object metadata... guards creation of the pointer (assert( is a (obj, ” struct commit”)), ( struct commit ∗ )obj) libcrunch . . . – p.9/44

  19. Memory-correctness vs type-correctness (2) For now, assume memory-correct execution � “also use one of those other tools” Then do only the additional checks s.t. � all memory accesses respect memory’s allocated type ... which, for C, can be done by maintaining an invariant: � every live pointer respects its contract (pointee type) � must also check unsafe loads/stores not via pointers � unions, varargs libcrunch . . . – p.10/44

  20. What data type is being malloc() ’d? � ... guess from use of sizeof � dump typed allocation sites from compiler � guessing is moderately clever � e.g. malloc(sizeof (Blah) + n * sizeof (Foo)) source tree ... main.c widget.c util.c ... main.i widget.i util.i .allocs .allocs .allocs CIL-based compiler front-end dump allocation sites (dumpallocs) libcrunch . . . – p.11/44 instrument pointer casts

  21. Non-difficulties ���������� ���������������� ��� ��� ������������� ��� ��� ������������� ���������������� ��� � �� ���������������� �������� � � � � structure “subtyping” via containment � function pointers (most of the time) � void pointers � char pointers � integer ↔ pointer casts � type-differing aliases � custom allocators, memory pools etc. libcrunch . . . – p.12/44

  22. Hierarchical model of allocations mmap(), sbrk() custom heap (e.g. libc malloc() custom malloc() Hotspot GC) obstack gslice (+ malloc) client code client code client code client code client code libcrunch . . . – p.13/44

  23. Somewhat difficult cases Solved: � opaque types � complex use of sizeof � structure “subtyping” via prefixing Give up: � avoidance of sizeof � address-taken union members � non-procedurally abstracted object allocation/re-use libcrunch . . . – p.14/44

  24. The remaining awkwards � alloca � unions � varargs � generic use of non-generic pointers ( void** , ...) � casts of function pointers to non-supertypes libcrunch . . . – p.15/44

  25. The remaining awkwards � alloca � unions � varargs � generic use of non-generic pointers ( void** , ...) � casts of function pointers to non-supertypes All solved/solvable with some extra instrumentation � supply our own alloca � instrument writes to unions � instrument calls via varargs lvalues; use own va arg � instrument writes through void** (check invariant!) � optionally instr. all indirect calls libcrunch . . . – p.15/44

  26. Idealised view of libcrunch toolchain debugging information deployed binaries (with data-type assertions) (with allocation site information) /bin/ /lib/ /lib/ /bin/foo .debug/ .debug/ .c .f .cc .java libxyz.so foo libxyz.so precompute unique data types /bin/ libcrunch .uniqtyp/ .so foo.so load, link and run (ld.so) program image heap_index 0xdeadbeef, “Widget”? __is_a uniqtypes true libcrunch . . . – p.16/44

  27. A model of data types: D WARF debugging info $ cc -g -o hello hello.c && readelf -wi hello | column <b>:TAG_compile_unit <7ae>:TAG_pointer_type AT_language : 1 (ANSI C) AT_byte_size: 8 AT_name : hello.c AT_type : <0x2af> AT_low_pc : 0x4004f4 <76c>:TAG_subprogram AT_high_pc : 0x400514 AT_name : main <c5>: TAG_base_type AT_type : <0xc5> AT_byte_size : 4 AT_low_pc : 0x4004f4 AT_encoding : 5 (signed) AT_high_pc : 0x400514 AT_name : int <791>: TAG_formal_parameter <2af>:TAG_pointer_type AT_name : argc AT_byte_size: 8 AT_type : <0xc5> AT_type : <0x2b5> AT_location : fbreg - 20 <2b5>:TAG_base_type <79f>: TAG_formal_parameter AT_byte_size: 1 AT_name : argv AT_encoding : 6 (char) AT_type : <0x7ae> AT_name : char AT_location : fbreg - 32 libcrunch . . . – p.17/44

Recommend

Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

COMP 520 Fall 2010 Type checking (1) Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks: determine the types of all expressions; check that values and variables are used correctly; and resolve

631 views • 30 slides
Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd Fischer n.grech@ecs.soton.ac.uk Dynamically-typed languages Principal type of a variable is mutated through assignments: def plus2(a): if

1.47k views • 109 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the

Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the

Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the question of type checking and type reconstruction. Given , t and T , check whether t : T Type checking: Given and t , find a type T

518 views • 28 slides
Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/22 Wanted (naive version): check this! if (obj

281 views • 26 slides
Higher-Order Model Checking III: Reducing Model Checking to Type Inference IV: Applications:

Higher-Order Model Checking III: Reducing Model Checking to Type Inference IV: Applications:

Higher-Order Model Checking III: Reducing Model Checking to Type Inference IV: Applications: Verifying Higher-order Functional Programs Luke Ong University of Oxford http://www.cs.ox.ac.uk/people/luke.ong/personal/ http://mjolnir.cs.ox.ac.uk

856 views • 26 slides
Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp .

Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp .

Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp . type ) type-exp int type-exp . type := integer type-exp bool type-exp . type := boolean type-exp 1 array type-exp 1 . type := [num] of

613 views • 7 slides
Last time Introduced type inference can write type-safe programs without writing CS 611

Last time Introduced type inference can write type-safe programs without writing CS 611

Last time Introduced type inference can write type-safe programs without writing CS 611 down types explicitly Advanced Programming Languages useful for higher-order functions because types are large, obscure code Andrew Myers

393 views • 3 slides
Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

CSE340 Principles of Programming Languages Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x from this definition? f(x) = x Automatic Type Inference f(x) = x f is a function that takes a single

1.31k views • 73 slides
Type checking and normalisation James Chapman - University of Nottingham My thesis Type

Type checking and normalisation James Chapman - University of Nottingham My thesis Type

Type checking and normalisation James Chapman - University of Nottingham My thesis Type checking in Haskell Epigram language - McBride/McKinna Big-step normalisation for simple types, formalised in Agda Big-step normalisation for

978 views • 36 slides
Run-Time Assertion Checking and Monitoring Java Programs Envisage Bertinoro Summer School June

Run-Time Assertion Checking and Monitoring Java Programs Envisage Bertinoro Summer School June

Run-Time Assertion Checking and Monitoring Java Programs Envisage Bertinoro Summer School June 2014 June 19, 2014 Your Lecturers Today Frank en Stijn What This Talk Is All About Formal Methods in Practice: Theorie ist, wenn man alles weiss

764 views • 40 slides
Incremental Type-Checking for Metaprograms Weiyu Miao Weiyu Miao 1 / 20 Introduction to

Incremental Type-Checking for Metaprograms Weiyu Miao Weiyu Miao 1 / 20 Introduction to

Incremental Type-Checking for Metaprograms Weiyu Miao Weiyu Miao 1 / 20 Introduction to Metaprogramming Metaprogramming is a programming technique for generating and manipulating other programs. MetaML, MetaOCaml, Haskell Templates, C++

556 views • 20 slides
Chapter 4: Type Checking Aarne Ranta Slides for the book Implementing Programming Languages.

Chapter 4: Type Checking Aarne Ranta Slides for the book Implementing Programming Languages.

Chapter 4: Type Checking Aarne Ranta Slides for the book Implementing Programming Languages. An Introduction to Compilers and Interpreters, College Publications, 2012. Checking that a program makes sense Traditional notions of type

1.04k views • 68 slides
INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types and type checking Intro Various types and their representation Equality of types Type checking 2 / 43 Outline 1. Types and type checking Intro

1.11k views • 43 slides
Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types

Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types

Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types for Object Ownership Ilya Sergey 14 November 2012 Types A type - is a set of data instances and operations on them true , false boolean =

1.27k views • 86 slides
Type checking privacy policies in the

Type checking privacy policies in the

Type checking privacy policies in the -calculus Anna Philippou University of Cyprus Joint work with Dimitrios

572 views • 28 slides
Typing Linear Constraints Types for Moding CLP( R ) Programs Syntax Semantics Checking type

Typing Linear Constraints Types for Moding CLP( R ) Programs Syntax Semantics Checking type

Typing Linear Constraints Salvatore RUGGIERI and Fred MESNARD Introduction Typing Linear Constraints Types for Moding CLP( R ) Programs Syntax Semantics Checking type assertions A linear programming Salvatore RUGGIERI and Fred MESNARD

476 views • 26 slides
15-150 Fall 2020 Lecture 10 Stephen Brookes Type checking Type inference Polymorphism

15-150 Fall 2020 Lecture 10 Stephen Brookes Type checking Type inference Polymorphism

15-150 Fall 2020 Lecture 10 Stephen Brookes Type checking Type inference Polymorphism type benefits ... a static check provides a runtime guarantee static property runtime guarantee e has type t if e =&gt;* v then v : t d

775 views • 49 slides
Modular Type Checking With Decision Procedures Iavor S. Diatchki Galois Inc Iavor S. Diatchki

Modular Type Checking With Decision Procedures Iavor S. Diatchki Galois Inc Iavor S. Diatchki

Modular Type Checking With Decision Procedures Iavor S. Diatchki Galois Inc Iavor S. Diatchki Modular Type Checking With Decision Procedures Question Can we provide a generic mechanism for integrating decision procedures into the type system

581 views • 20 slides
Last time: phantom types type a t = int 1/ 49 This time: GADTs a b 2/ 49 What we gain

Last time: phantom types type a t = int 1/ 49 This time: GADTs a b 2/ 49 What we gain

Last time: phantom types type a t = int 1/ 49 This time: GADTs a b 2/ 49 What we gain : : (Addtionally, some programs become faster!) 3/ 49 What we gain : : (Addtionally, some programs

636 views • 46 slides
Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types Micro-Haskell: crash course MH Types &amp; Abstract Syntax Type Checking Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex Simpson School of Informatics University of Edinburgh

574 views • 26 slides
Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties Viktor Schuppan Computer Systems Institute, ETH Z urich http://www.inf.ethz.ch/schuppan/ Defense Thesis ETH 16268 September 28, 2005, Z

382 views • 19 slides
Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft

Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft

Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft Joint work with Jonas Kastberg Hinrichsen, ITU Jesper Bengtson, ITU 4 June 2020 @ VEST Workshop, Online 1 Type checking message-passing programs

601 views • 25 slides
Type Checking COMP 520: Compiler Design (4 credits) Alexander Krolik

Type Checking COMP 520: Compiler Design (4 credits) Alexander Krolik

COMP 520 Winter 2018 Type Checking (1) Type Checking COMP 520: Compiler Design (4 credits) Alexander Krolik alexander.krolik@mail.mcgill.ca MWF 9:30-10:30, TR 1080 http://www.cs.mcgill.ca/~cs520/2018/ Bob, from Accounting COMP 520 Winter

874 views • 43 slides

More recommend