
Slide 1/17: Automated Verification of Practical Garbage Collectors
Chris Hawblitzel (Microsoft Research), Erez Petrank (Technion)





Slide 2/17: Downloading safe code
[figure: a Web browser downloads Java bytecode / .NET bytecode / JavaScript / ActionScript; a JIT compiler turns it into x86; the run-time system provides exception handling, a garbage collector and threads]

Slide 3/17: GC vulnerabilities
From: Apple Product Security. Date: Fri, 11 Jul. Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4. Description: A memory corruption issue exists in JavaScriptCore's handling of runtime garbage collection. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection.
Mozilla Firefox Bug in JavaScript Garbage Collector Lets Remote Users Deny Service. Advisory: Mozilla Foundation Security Advisory. Date: Apr. A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a flaw in the JavaScript garbage collector code and cause the target user's browser to crash. ... The vendor indicates that similar crashes have been exploitable in the past, so arbitrary code execution may be possible ...
MS07-057: Cumulative security update for Internet Explorer. Date: October. Internet Explorer 6 may exit with an access violation when the JavaScript garbage collector runs and you have dynamically removed a TBODY, THEAD, or TFOOT HTML tag from a table in Windows XP ...

Slide 4/17: GC verification
Earlier work:
 – small GCs
 – interactive proofs
New work: realistic GCs
 – runs real Bartok-compiled C#, with real memory layouts
 – automated verification: annotated GCs in BoogiePL, specifications in BoogiePL, BoogiePL assembled to x86, Z3 automated SMT prover

Slide 5/17: Challenges to automated verification
1. Reasoning about graphs
2. Undecidable logic
3. Large formulas

Slide 6/17: Outline
Background
Simple verified GC
 – miniature mark-sweep collector
 – quantifiers
Practical verified GCs

Slide 7/17: Mark-sweep and copying collectors
[figure: an abstract graph of objects A (root), B and C, shown once as a mark-sweep heap and once as a copying collector's from-space and to-space]

Slide 8/17: Garbage collector properties
[figure: objects A (root), B and C, as on slide 7]
Verified:
 – isomorphism (McCreight, Shao et al 2007)
 – effectiveness: after gc, unreached objects are reclaimed
Not verified:
 – termination
 – efficiency

Slide 9/17: Verifying Mark

  procedure Mark(ptr:int)
    requires GcInv(Color, $toAbs, $AbsMem, Mem);
    requires memAddr(ptr) && T(ptr);
    requires $toAbs[ptr] != NO_ABS;
    modifies Color;
    ensures GcInv(Color, $toAbs, $AbsMem, Mem);
    ensures (forall i:int::{T(i)} T(i) && !Black(Color[i]) ==> Color[i] == old(Color)[i]);
    ensures !White(Color[ptr]);
  {
    if (White(Color[ptr])) {
      Color[ptr] := 2; // make gray
      call Mark(Mem[ptr,0]);
      call Mark(Mem[ptr,1]);
      Color[ptr] := 3; // make black
    }
  }

Slide 10/17: Verifying Mark: abstract vs. concrete
(Mark procedure as on slide 9)
[figure: concrete objects A, B in Mem related by $toAbs to abstract objects A, B in $AbsMem]
The abstract/concrete part of GcInv: the concrete heap and the abstract graph agree field by field:

  forall i:int ::{T(i)} T(i) && memAddr(i) ==> $toAbs[Mem[i, field]] == $AbsMem[$toAbs[i], field]

Slide 11/17: Verifying Mark: no black --> white
(Mark procedure as on slide 9)
Tri-color invariant: a black object never points to a white object:

  forall i:int::{T(i)} T(i) && memAddr(i) ==> Black(Color[i]) ==> !White(Color[Mem[i,field]])

Slide 12/17: Quantifiers and triggers
(Mark procedure as on slide 9; "Color[ptr] := 2;" is equivalent to "Color := Color[ptr := 2];")
{T(i)} is a "trigger": the quantifier is instantiated with i = e when the term T(e) is seen.
T is a dummy function: T(e) is always true; explicit introductions of T(...) provoke quantifier instantiations.

  forall i:int::{$toAbs[i]}{$toAbs'[i]}... $toAbs[i] != NO_ABS ==> $toAbs[i] == $toAbs'[i]...

also trigger on old and new $toAbs (and split $toAbs into "regions")
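As an added, executable illustration of slides 9 to 11 (this is not the authors' BoogiePL, which Z3 checks statically, and not part of the talk): a Python model of the miniature mark-sweep collector in which the requires/ensures contract of Mark, the abstract-vs-concrete invariant GcInv and the no-black-to-white invariant are checked at run time as assertions, and the sweep is checked for effectiveness (the survivors are exactly the abstractly reachable objects). The class and function names (Heap, allocate, write, collect, demo), the two-field object layout, the 8-byte address spacing and the null pointer at address 0 are this example's own assumptions; the slides' miniature GC has no null pointer.

```python
"""Executable model of the miniature mark-sweep collector of slides 7-11.

Constructed example, not the authors' BoogiePL. Concrete heap: Mem[addr] holds
two pointer fields and Color[addr] is FREE/WHITE/GRAY/BLACK. Abstract graph:
AbsMem[id] holds abstract ids; toAbs maps a concrete address to its abstract id
($toAbs). Unlike the slides' miniature GC this model has a null pointer (0).
"""
NO_ABS = -1
NULL = 0                                   # constructed: address 0 / id 0 is null
FREE, WHITE, GRAY, BLACK = 0, 1, 2, 3


class Heap:
    def __init__(self):
        self.Mem = {}                      # concrete: addr -> [field0, field1]
        self.Color = {NULL: FREE}          # concrete: addr -> color
        self.toAbs = {NULL: NULL}          # $toAbs: addr -> abstract id or NO_ABS
        self.AbsMem = {}                   # $AbsMem: abstract id -> [field0, field1]
        self.next_addr, self.next_abs = 8, 1

    def allocated(self):
        return [a for a, c in self.Color.items() if c != FREE]

    def allocate(self, f0=NULL, f1=NULL):
        """Mutator allocation: a concrete object and its abstract twin, in step."""
        addr, abs_id = self.next_addr, self.next_abs
        self.next_addr, self.next_abs = addr + 8, abs_id + 1
        self.Mem[addr], self.Color[addr], self.toAbs[addr] = [f0, f1], WHITE, abs_id
        self.AbsMem[abs_id] = [self.toAbs[f0], self.toAbs[f1]]
        return addr

    def write(self, addr, field, value):
        """Mutator store; the abstract graph is updated alongside the concrete one."""
        self.Mem[addr][field] = value
        self.AbsMem[self.toAbs[addr]][field] = self.toAbs[value]

    def gc_inv(self):
        """GcInv of slide 10: $toAbs[Mem[i,field]] == $AbsMem[$toAbs[i], field]."""
        return all(self.toAbs[i] != NO_ABS
                   and self.toAbs[self.Mem[i][f]] == self.AbsMem[self.toAbs[i]][f]
                   for i in self.allocated() for f in (0, 1))

    def no_black_to_white(self):
        """Slide 11 invariant: Black(Color[i]) ==> !White(Color[Mem[i,field]])."""
        return all(not (self.Color[i] == BLACK and self.Color[self.Mem[i][f]] == WHITE)
                   for i in self.allocated() for f in (0, 1))

    def mark(self, ptr):
        """Mark of slide 9, with its requires/ensures clauses checked at run time."""
        assert self.gc_inv() and self.Color[ptr] != FREE      # requires
        assert self.toAbs[ptr] != NO_ABS
        old_color = dict(self.Color)                          # old(Color)
        if self.Color[ptr] == WHITE:
            self.Color[ptr] = GRAY                            # make gray
            for child in self.Mem[ptr]:
                if child != NULL:                             # null guard: model only
                    self.mark(child)
            self.Color[ptr] = BLACK                           # make black
        assert self.gc_inv()                                  # ensures
        assert all(self.Color[i] == BLACK or self.Color[i] == old_color[i]
                   for i in self.allocated())                 # non-black colors unchanged
        assert self.Color[ptr] != WHITE

    def abs_reachable(self, roots):
        """Reachability on the abstract graph: the proof's notion of 'reached'."""
        seen, todo = set(), [self.toAbs[r] for r in roots]
        while todo:
            n = todo.pop()
            if n != NULL and n not in seen:
                seen.add(n)
                todo.extend(self.AbsMem[n])
        return seen

    def collect(self, roots):
        """Mark from the roots, then sweep; returns the reclaimed addresses."""
        for r in roots:
            self.mark(r)
        assert self.no_black_to_white()       # holds once every root is black
        live = self.abs_reachable(roots)
        reclaimed = [i for i in self.allocated() if self.Color[i] == WHITE]
        for i in reclaimed:                   # sweep: reclaim the white objects
            del self.Mem[i], self.AbsMem[self.toAbs[i]]
            self.Color[i], self.toAbs[i] = FREE, NO_ABS
        for i in self.allocated():            # survivors start the next cycle white
            self.Color[i] = WHITE
        assert self.gc_inv()                  # isomorphism preserved ...
        assert {self.toAbs[i] for i in self.allocated()} == live   # ... and effective
        return reclaimed


def demo():
    """Constructed heap: A (root) -> B, A -> C, C -> B; D and E -> D are unreached."""
    h = Heap()
    b = h.allocate()
    c = h.allocate(b)
    a = h.allocate(b, c)
    d = h.allocate()
    e = h.allocate(d)
    first = h.collect([a])        # reclaims D and E
    h.write(a, 1, NULL)           # mutator drops the A -> C edge
    second = h.collect([a])       # reclaims C; B stays reachable through A
    return sorted(first), sorted(second), sorted(h.allocated())


if __name__ == "__main__":
    print(demo())                 # ([32, 40], [16], [8, 24])
```

The run-time assertions play the role of the BoogiePL contract: a collector that, say, forgot to gray an object before descending would trip the no-black-to-white check, and one that swept a reachable object would fail the effectiveness check against the abstract graph. The difference from the talk is that Z3 establishes these facts for every heap, while this model only checks them for the heaps it is run on.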

Slide 13/17: Outline
Background
Simple verified GC
Practical verified GCs
 – object layouts, GC tags, static data, stacks, interior pointers, ...
 – mark-sweep collector: free list + cache; mark stack; table of color bits (2 bits per color)
 – copying collector: simple (non-generational) 2-space Cheney queue algorithm
 – mutator-GC interface: Initialize, read, write, AllocateObject, AllocateString, AllocateVector, AllocateArray

Slide 14/17: Practical, verified copying collector code

  procedure CopyAndForward($ptr:int, $_tj:int)
    requires ecx == $ptr;
    requires CopyGcInv(...);
    requires Pointer($r1, $ptr, $r1[$ptr]);
    ...
  {
    call edx := GcRead(ecx + 4);
    esp := esp - 4;
    call GetSize($ptr, edx, $r1, $r1);
    ebp := eax;
    ...
    edi := 0;
    edx := 0;
    loop:
      assert 4 * edi == edx;
      assert CopyGcInv(...);
      ...
      if (edx >= ebp) { goto loopEnd; }
      call copyWord($ptr, $_tj, esi, edi, ebp);
      call edi := Add(edi, 1);
      call edx := Add(edx, 4);
      goto loop;
    loopEnd:
      call eax := Lea(esi + 4);
      call GcWrite(ecx + 4, eax);
      ...
  }

automatic translation to x86:

      mov edi, 0
      mov edx, 0
  CopyAndForward$loop:
      cmp edx, ebp
      jae CopyAndForward$loopEnd
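As an added, executable illustration of the 2-space Cheney collector of slides 13 and 14 (not the authors' BoogiePL or Bartok code): a Python model over a flat word array with two semispaces, a CopyAndForward step that installs a forwarding word, and the Cheney scan loop that uses to-space itself as the queue. After each collection the model checks the isomorphism property of slide 8 directly through the forwarding words: every copied object's fields map onto its copy's fields, every copy has exactly one original, and unreached objects are never copied. The layout (word 0 = field count, word 1 = forwarding slot, then the fields), the semispace size, the null encoding and the names CopyingHeap, collect, check_isomorphism and demo are this example's own assumptions; the slide's Bartok layout keeps its forwarding word at offset 4 and derives sizes through GetSize.

```python
"""Executable model of the 2-space Cheney copying collector of slides 13-14.

Constructed example, not the authors' code. Object layout (an assumption of this
model): word 0 = number of pointer fields, word 1 = forwarding slot
(0 = not yet copied, otherwise new address + 1), then the pointer fields.
"""
SEMI = 32                                  # words per semispace (constructed)
NULL = -1                                  # constructed null pointer encoding


class CopyingHeap:
    def __init__(self):
        self.mem = [0] * (2 * SEMI)
        self.cur = 0                       # base of the semispace holding live data
        self.free = 0                      # bump-allocation pointer in that semispace

    def allocate(self, fields=()):
        n = len(fields)
        assert self.free + 2 + n <= self.cur + SEMI, "semispace full"
        addr, self.free = self.free, self.free + 2 + n
        self.mem[addr:addr + 2 + n] = [n, 0, *fields]
        return addr

    def objects(self, base, end):
        """Addresses of the objects laid out between base and end."""
        addr = base
        while addr < end:
            yield addr
            addr += 2 + self.mem[addr]

    def forwarded(self, p):
        """Image of an old pointer under the forwarding map (NULL maps to NULL)."""
        if p == NULL:
            return NULL
        assert self.mem[p + 1] != 0, "reached object was never copied"
        return self.mem[p + 1] - 1

    def copy_and_forward(self, ptr, free):
        """CopyAndForward: copy ptr to free once, then always answer the same copy."""
        if ptr == NULL:
            return ptr, free
        if self.mem[ptr + 1] != 0:         # already copied: follow the forwarding word
            return self.mem[ptr + 1] - 1, free
        n = self.mem[ptr]
        self.mem[free:free + 2 + n] = self.mem[ptr:ptr + 2 + n]   # count + slot + fields
        self.mem[ptr + 1] = free + 1       # leave the forwarding pointer behind
        return free, free + 2 + n

    def collect(self, roots):
        """Cheney queue: copy the roots, then scan to-space until scan meets free.
        Returns the relocated roots and the number of objects copied."""
        old_base, old_end = self.cur, self.free
        to = SEMI - self.cur               # flip: the other semispace becomes to-space
        scan = free = to
        new_roots = []
        for r in roots:
            new_r, free = self.copy_and_forward(r, free)
            new_roots.append(new_r)
        while scan < free:                 # to-space between scan and free is the queue
            n = self.mem[scan]
            for f in range(scan + 2, scan + 2 + n):
                self.mem[f], free = self.copy_and_forward(self.mem[f], free)
            scan += 2 + n
        self.cur, self.free = to, free
        return new_roots, self.check_isomorphism(old_base, old_end)

    def check_isomorphism(self, old_base, old_end):
        """The forwarding words form an isomorphism from the copied objects onto
        to-space: fields map to fields, and every copy has exactly one original."""
        images = []
        for old in self.objects(old_base, old_end):
            if self.mem[old + 1] == 0:     # unreached: correctly left behind
                continue
            new = self.forwarded(old)
            assert self.mem[new] == self.mem[old]
            for k in range(2, 2 + self.mem[old]):
                assert self.forwarded(self.mem[old + k]) == self.mem[new + k]
            images.append(new)
        assert sorted(images) == list(self.objects(self.cur, self.free))
        return len(images)


def demo():
    """Constructed heap: A (root) -> B, A -> C, C -> B; D and E -> D are garbage."""
    h = CopyingHeap()
    b = h.allocate()
    c = h.allocate([b])
    a = h.allocate([b, c])
    d = h.allocate()
    e = h.allocate([d])
    (new_a,), copied = h.collect([a])
    result = {
        "new_root": new_a, "copied": copied, "live_words": h.free - h.cur,
        # A -> B and C -> B must point at the same copy of B (no duplication)
        "sharing_kept": h.mem[new_a + 2] == h.mem[h.mem[new_a + 3] + 2],
        "garbage_left": h.mem[d + 1] == 0 and h.mem[e + 1] == 0,
    }
    f = h.allocate([new_a])                # mutator keeps allocating in the new space
    (new_f,), copied2 = h.collect([f])     # flip back; A, B and C travel with F
    result.update(second_root=new_f, second_copied=copied2)
    return result
```

The second collection in demo exercises the flip back into the original semispace, whose words still hold stale data from the first cycle; the copy of count, slot and fields as one unit is what keeps that stale data from being mistaken for a forwarding word, which is the kind of header/preheader confusion the conclusions slide reports as a spec bug in the real interface.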

Slide 15/17: Performance (2 of 10 benchmarks)
[figure: two plots of execution time (seconds) against available memory (MB); series labelled Bartok and Asmlc]
Caveat: Bartok collectors support more features (e.g. threads, pinning) than the verified collectors.

Slide 16/17: Code size, verification time
[table: BoogiePL lines of code, x86 instructions and time to verify (seconds) for Trusted defs (546 BoogiePL lines), Shared code, Copying and Mark-sweep]
Lines of proof script: 0

Slide 17/17: Conclusions
Verified run-time status: two practical GCs
1. Reasoning about graphs ==> isomorphism
2. Undecidable logic ==> triggers
3. Large formulas ==> modern automated prover (Z3)
Original mutator-GC interface specification had two bugs, so:
 – Copying collector: crashed 1st time (spec bug: Initialize not asked to save ebp); crashed 2nd time (spec bug: preheader vs. header confusion); worked 3rd time
 – Mark-sweep (with corrected spec): worked 1st time
Source code: base/Imported/Bartok/runtime/verified/GCs

