Efficient Detection of All Pointer and Array Access Errors Todd M.Austin Scott E.Breach Gurindar S.Sohi Computer Sciences Department University of Wisconsin-Madison 1210 W. Dayton Street Madison, WI {austin, breach, December 1, 1993 Presented by Oren Markovitz,
Topics 4 Over View 4 Memory Access errors 4 Motivation 4 What are safe pointers 4 Safe pointers implementation 4 Optimizations 4 Experimental framework 4 Results 4 Related work
Over View 4 Detect Pointer & Array Access errors 4 Complete but not efficient 4 Extended safe pointer representation 4 Implemented in C 4 Supports run-time and compiler optimization 4 With no optimization performance hit 130%-540%, text and data overhead under 100%
Memory Access Errors 4 Spatial access error- dereference of a pointer or subscripted array outside of the referent. 4 Temporal access error- dereference of a pointer or a subscripted array outside of the lifetime of the referent.
Some Statistics - Motivation 4 Miller et al injected random inputs to mature unix applications on six different platforms almost all applications dumped core. 4 Sullivan & Chillarege examined IBM MVS over 4 years - 50% of reported errors were due to access errors.
The difficulty to detect & fix access errors 4 The effects of access errors may not manifest themselves except under exceptional conditions. 4 The exceptional conditions which lead to the program error may be hard to reproduce. 4 Its very hard to correlate memory access error with program error.
Safe pointers 4 The program is transferred to use an extended pointer representation called safe pointers. 4 A safe pointer contains the value of the pointer as well as pointer attributes.
Safe Pointers 4 Value: The safe pointer value. 4 Base and size: referent base address and its size. (detect spatial errors) 4 storageClass: allows detecting errant deallocations (e.g. its illegal to free global or local variables) 4 capability: always exists, never exists, or a unique allocation indicator. Typedef { *value; *base; unsigned size; enum {heap=0, local, global} storageClass; int capability; /* plus FOREVER and NEVER */ } SafePtr ;
Capability 4 Each allocation is assigned a unique number called capability. 4 When the pointer is deallocated the capability is returned to the capability pool. 4 When a pointer is referenced its capability is checked to be legal. 4 The capability pool is associative.
Program transformation 4 Pointer conversion - extend pointer definition 4 Check insertions - detect access errors 4 operator conversions - generate and maintain safe pointer attributes
Check insertions 4 Before each pointer dereference void ValidateAccess( * addr) { if (storageClass != Global && !ValidCapability(capability)) FlagTemporalError(); if ((unsigned)addr - (unsigned)base > size- sizeof( )) FlagSpatialError(); /* valid access !*/ }
Run time support (1) 4 Explicit pointer allocations are extended to support safe pointers: malloc, calloc, realloc, free. 4 Function stack frame Allocation: The frame is allocated on function call and assigned a capability as any malloc operation.
Run time support (2) Void *malloc(unsigned size) { void * p; p.base = p.value = unsafe_malloc(size); p.size = size; p.storageClass = Heap; InsertCapability(p.capability); bzero(p.value, size); return p; } void free(void *p) { if (p.storageClass != Heap) FlagNonHeapFree(); if (!ValidCapability(p.capability)) FlagDuplicateFree(); if (p.value != p.base) FlagNonOriginalFree(); DestroyCapability(p.capability); unsafe_free(p.value); }
Run time support (3) Void Func(int a) { /* procedure prologue */ unsigned frameCapability = NextCapability(); InsertCapability(frameCapability); ZeroFramePointers(); /* Assume capability NEVER == 0 */. /* procedure epilogue, exit point */ DestroyCapability(frameCapability); return; }
Operators conversions 4 Pointers assignment copy the source pointer attributes to the destination pointer. 4 Determine the pointer attributes : –Access path prefix: the address of the pointer referenced. –Access path suffix: the extent of the object being referenced. –Direct reference: The referenced object is local or global. –Indirect reference: The referenced object is temporal.
The Access path P = &f->g->h[3].I->j.k[4] access path last pointer access path prefix dereference suffix p.value = &f->g->h[3].I->j.k[4] p.base = f->g->h[3].I->j.k p.size = sizeof(f->g->h[3].I->j.k) p.storageClass = f->g->h[3].I.storageClass p.capability = f->g->h[3].I.capability
Access checking example
Run time optimization - spatial checks 4 Spatial checks - A dirty bit added to the safe pointer attributes. 4 The dirty bit is set if a there was no dereference check since the last change effective change to the pointer effective address.
Run time optimization - temporal checks 4 A capability counter was adder to count the current allocated capabilities. 4 The last temporal check results are used if the capability counter was not changed.
Compile time (static) checks optimization 4 A tree structure which describes all possible executable paths of the program is built. 4 All the possible paths are scanned. 4 If there are two consecutive checks without a change in between then the later is redundant.
Experimental frame work (1)
Experimental frame work (2) 4 Replace pointer declarations. 4 Replace malloc,free… to safe C calls 4 Change all pointer and array declarations. 4 Add capability to function frames. 4 Overload operations to add checks and maintain safe pointers under references and pointer operations.
Experimental frame work (3) - overloading operations Template class sp { /* safe pointer representation */ Type *value;/* native pointer */ Type *base;/* base address of object */ unsigned long size; /* size of object in bytes */ char storageClass;/* type of allocation */ unsigned short capability;/* capability is always unique */ /* constructor */ sp(void) { value = NULL; base = NULL; size = 0; storageClass = NONE; capability = NEVER; }
Experimental frame work (4) - overloading operations /* dereference */ Type& operator*(void) { if (storageClass != Global && !ValidCpability(capability)) FlagTemporalError(); if ((unsigned)value - (unsigned)base > size - sizeof(type)) FlasgSpatialError(); return *value; } /* pointer addition */ sp operator+(int addend) { sp p = *this; /* no side-effect on *this */ p.value = p.value + addend; return p; }
Lower bound computation 4 When a check and reference are executed they write a stamp. 4 The stamp describes the execution path of the program. 4 Analyzing of the stamp log shows what static and dynamic checks are redundant. 4 The number of required checks may be higher than the lower bound: –The inputs are sample inputs. –Impositions due to the program aliases may force the compiler time optimizer to make conservative assumptions and add redundant checks.
Results (1)
Results(2) - execution overheads
Results(3) - Text overheads
Results (4) - Data overheads
Results(5) - Summery 4 Execution overhead (without compiler optimization) - low enough to be during program development. 4 Main contributors to execution overhead: –safe pointer structures are not register allocated. –Many traditional optimization cant be used. 4 Spatial checks implementation is relatively chip when compared to other methods, and complex program usually include ones anyway. 4 Temporal checks are usually optimized on run-time. 4 Text and Data overhead are generally low: –text overhead 41%-340% (with all but two under 100%) –data overhead 5%-330% (with all but one under 100%)
Related work (1) - Purify 4 Spatial error - by marking and detecting stack access, only allocated zone are safe. 4 Temporal errors - allocated space is safe. 4 Works on object code. 4 Cant detect access errors such as when allocated variable over-runs another allocated variable. 4 The stack is “aged” to detect temporal error - increasing stack size. 4 Cross language but not cross platform.
Related work(2) - RTCC & code center 4 RTCC - uses safe pointers but without temporal checks and optimizations. 4 Code Center - Uses safe pointers: –no temporal checks –supports access type protection. –Works as interpreter!!!
Related Work(3) 4 Integral C : similar to RTCC, detects only spatial errors. 4 VW-Pascal compiler: –Detects both temporal and access errors. –Not cross language (Pascal). –Limited by the expressiveness of the language.