Presentation is loading. Please wait.

Presentation is loading. Please wait.

Debugging via Run-Time Type Checking Title Page Alexey Loginov, Suan Yong, Susan Horwitz, Thomas Reps University of Wisconsin - Madison.

Published byDelphia Henderson Modified over 8 years ago

Similar presentations

Presentation on theme: "Debugging via Run-Time Type Checking Title Page Alexey Loginov, Suan Yong, Susan Horwitz, Thomas Reps University of Wisconsin - Madison."— Presentation transcript:

1 Debugging via Run-Time Type Checking Title Page Alexey Loginov, Suan Yong, Susan Horwitz, Thomas Reps University of Wisconsin - Madison

2 Overview 1 - C C: weak static typing permits bugs –unions (write one field, read another) –casting (pointer with non-pointer value, pointer points to object with wrong type) –pointer arithmetic (array out-of- bounds) Run-Time Type Checking

3 Overview 2 - goal Goal: help programmers find these bugs via run-time type checking –flag errors –track down their cause (fault localization) Run-Time Type Checking

4 Overview - Approach Tag each memory location with its dynamic type –in ‘mirror’ of memory On use, verify that current dynamic type is appropriate On assignment, verify that assigned type is consistent with static type Approach: Track Types Dynamically

5 Tracking run-time types: Use Use of a location: dynamic type verified –wrong type: generate error message Example uses: –int *p; –*p + 5; => error if p not a pointer => error if *p not an integer Tracking Run-Time Types

6 Tracking run-time types: Assignment Assignment: dynamic type propagated. –different type: generate warning message helpful in tracking down root cause Example assignment: –int x, *q; –x = *q; => tag of x set to tag of *q => warn if *q not an integer Tracking Run-Time Types

7 Purify, Safe C... Purify [Hastings + ] –array out-of-bounds, bad pointer dereferences, use of uninitialized data –memory leaks Safe C [Austin + ] –stale pointer uses, unions Our Approach –run-time type violations –some ability to track down logical errors (not just flag symptoms) Where we fit in

8 Introduction Examples Implementation Results from Initial Tests Future Work Conclusion Talk Overview

9 union U { int u1; int *u2; } u; int *p; u.u1 = 8; p = u.u2; *p = 0; (0x08) (u) (p) (tags) : :::: :::: unalloc uninit Ex1: Unions 1 Example 1: Unions (memory) : :::: :::: FE232F10 00000000 int 00000008

10 union U { int u1; int *u2; } u; int *p; u.u1 = 8; p = u.u2; *p = 0; (0x08) (u) (p) (tags) : :::: :::: unalloc uninit Ex1: Unions 2 Example 1: Unions (memory) : :::: :::: FE232F10 00000008 00000000 int 00000008 int warning

11 union U { int u1; int *u2; } u; int *p; u.u1 = 8; p = u.u2; *p = 0; (0x08) (u) (p) (tags) : :::: :::: unalloc uninit Ex1: Unions 3 Example 1: Unions (memory) : :::: :::: FE232F10 00000008 int error!

12 union U { int u1; int *u2; } u; int *p; u.u1 = 8; p = u.u2; *p = 0; (0x08) (u) (p) (tags) : :::: :::: unalloc uninit Ex1: Unions 4 Example 1: Unions (memory) : :::: :::: FE232F10 00000008 int error!

13 Ex 2: Array (heap) 1 int *intArray = (int *) malloc(15 * sizeof(int)); int **ptrArray = (int **) malloc(15 * sizeof(int *)); Example 2: Bad Pointer Access intArrayptrArray memory

14 Ex 2: Array (heap) 2 int *i, sumEven = 0; for(i = intArray;...; i += 2) sumEven += *i; DTC i intArrayptrArray intArrayptrArray padding PURIFY i memory Example 2: Bad Pointer Access

15 Ex 3: Array (stack) 1 Example 3: Bad Pointer Access (stack) int intArray[10]; int *ptrArray[10]; for(i = intArray;...; i += 2)... intArrayptrArray stack PURIFY DTC intArrayptrArray stack i i

16 Ex 3: MyMalloc 1 void * myMalloc(int nbytes) { static char myMemory[BLOCKSIZE]; int i;... //book-keeping return &myMemory[i]; } Example 3: User Memory Management myMemory

17 Ex 3: MyMalloc 2 DTC intArrayptrArray i myMemory PURIFY memory Example 3: User Memory Management myMemory memory i int *intArray = (int *) myMalloc(10 * sizeof(int)); int **ptrArray = (int **) myMalloc(10 * sizeof(int *));

18 Ex 4: Sim Inherit 1 struct Sub { int b1; int b2; char b3; } sub; struct Sup { int a1; int a2; } sup; Example 4: Simulated Inheritance a1 a2 int b1 b2 b3 int char subsup

19 Ex 4: Sim Inherit 2 Example 4: Simulated Inheritance a1 a2 int b1 b2 b3 int char subsup void f(struct Sup *s) { printInt(s->a1); printInt(s->a2); } f(&sup); s f(&sub); s

20 Ex 4: Sim Inherit 3 struct Sub { int b1; float f1; int b2; char b3; } sub; struct Sup { int a1; int a2; } sup; Example 4: Simulated Inheritance a1 a2 int b1 f1 b2 b3 float int char int

21 Ex 4: Sim Inherit 4 Example 4: Simulated Inheritance a1 a2 int b1 f1 b2 b3 float int char int void f(struct Sup *s) { printInt(s->a1); printInt(s->a2); } f(&sub); s f(&sup); s error!

22 Introduction Examples Implementation Results from Initial Tests Future Work Conclusion Talk Overview

23 Overview of Tool Instrumentation –preprocessed source file  instrumented C file Compilation Execution –tracks types in “mirror” of memory –writes error/warning messages, sends signal signal can be intercepted by GDB for further debugging Overview of Tool

24 Impl: Mirror and Tags 0 1 00 1 continuation bits type bits: {unalloc, uninit, integral, real, pointer} size bits (log 2 ) 0 0 0 01 1 (currently unused bits) USER MEM MIRROR Mirror and Tags

25 Impl: Tags (examples) integral 0 0 0 size=2 1 0 real 0 size=4 1 0 0 0 01 1 uninit 0 unalloc 0 0 integral 0 0 char short float char [3] (third element uninitialized) Mirror and Tags

26 Source Level X-lation: C to C C source  C source –Using Lucent’s Ckit front end –syntax-directed transformations –instruments statements and expressions to set, verify, and propagate tags –preserves expression values, types, side-effects makes extensive use of “comma” operator introduces many temporary variables –separate (partial) instrumentation Source Level Translation

27 Instr Example: x = *p (1) x = *p *(tmp2 = &x) * *(tmp3 = (verifyTag(&p, ptr_type), p), verifyPtr(tmp3, sizeof(int)), tmp3) (verifyTag(&p, ptr_type), p) int x; int *p;

28 Instr Example: x = *p (2) *(tmp2 = &x) *(tmp3 = (verifyTag(&p, ptr_type), p), verifyPtr(tmp3, sizeof(int)), tmp3) *(tmp2 = &x) = *(tmp3 = (verifyTag(&p, ptr_type), p), verifyPtr(tmp3, sizeof(int)), tmp3) x = *p

29 Instr Example: x = *p (3) x = *p *(tmp2 = &x) = *(tmp3 = (verifyTag(&p, ptr_type), p), verifyPtr(tmp3, sizeof(int)), tmp3) (tmp1 = copyTag(tmp2, tmp3, int_type), tmp1)

30 Introduction Examples Implementation Results from Initial Tests Future Work Conclusion Talk Overview

31 Effectiveness of Tool Bugs identified in: –Solaris utilities (nroff, plot, ul,...) –Olden benchmarks (health, voronoi) Output usually succinct –Error messages pinpoint bug symptoms –Warning messages help track down logical error Effectiveness of Tool

32 Sample bug descriptions stray pointer corrupts return address on stack –error: pointer dereference incorrectly typed stray pointer corrupts _iob array (stdin, stdout, stderr) –error: referencing unallocated memory treats malloc ’ed memory as zero- initialized –error: use of uninitialized memory Sample Bugs and Errors Reported

33 Alterations in Behavior Hard to preserve behavior of non- portable programs Purify affects go, nroff, others –modified memory layout Our tool affects ul, units, col –local variable addition –register variable demotion Behavior sometimes altered but cause of error is the same Alterations in Behavior

34 Performance – by slowdown (table) Performance run-time (sec) Solaris utils Olden SPECint95 Mean = 43.8 Median = 23.9

35 Areas for Improvement: overhead, spurious errors Overhead –current slowdown: 6x - 130x can improve instrumentation and macro definitions no attempt yet made to identify and remove unnecessary checks Spurious errors and warnings –abundant in a few benchmarks due to memset, calloc, etc. incomplete extern types ( __ctype[] ) Areas for Improvement

36 Optimization: no intervening write Remove redundant checks –when there are no intervening writes (of a different type) to a given location int x, y, z; if (x < 0){ y = (x > 5) ? x : 0; } x += 10; Planned Optimizations

37 Optimization: static analysis Remove redundant instrumentation –use static analysis to find variables that need no instrumentation i.e. variables that can be statically determined to be type-safe –has potential to drastically reduce overhead Planned Optimizations

38 Conclusion Run-time type checking works –identified pointer and array access errors –warnings help find root cause of error Potential for finding subtler type-bugs –no “real” examples found in preliminary testing Slowdown is relatively high –potential for significant speedup untapped

Download ppt "Debugging via Run-Time Type Checking Title Page Alexey Loginov, Suan Yong, Susan Horwitz, Thomas Reps University of Wisconsin - Madison."

Similar presentations

CSE 105 Structured Programming Language (C)

CSE 105 Structured Programming Language (C)
Recitation By yzhuang, sseshadr. Agenda Debugging practices – GDB – Valgrind – Strace Errors and Wrappers – System call return values and wrappers – Uninitialization.

Recitation By yzhuang, sseshadr. Agenda Debugging practices – GDB – Valgrind – Strace Errors and Wrappers – System call return values and wrappers – Uninitialization.
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
Programming Languages and Paradigms The C Programming Language.

Programming Languages and Paradigms The C Programming Language.
Module R2 CS450. Next Week R1 is due next Friday ▫Bring manuals in a binder - make sure to have a cover page with group number, module, and date. You.

Module R2 CS450. Next Week R1 is due next Friday ▫Bring manuals in a binder - make sure to have a cover page with group number, module, and date. You.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
1 C++ Syntax and Semantics The Development Process.

1 C++ Syntax and Semantics The Development Process.
This Time Pointers (declaration and operations) Passing Pointers to Functions Const Pointers Bubble Sort Using Pass-by-Reference Pointer Arithmetic Arrays.

This Time Pointers (declaration and operations) Passing Pointers to Functions Const Pointers Bubble Sort Using Pass-by-Reference Pointer Arithmetic Arrays.
Kernighan/Ritchie: Kelley/Pohl:

Kernighan/Ritchie: Kelley/Pohl:
The Environment of a UNIX Process. Introduction How is main() called? How are arguments passed? Memory layout? Memory allocation? Environment variables.

The Environment of a UNIX Process. Introduction How is main() called? How are arguments passed? Memory layout? Memory allocation? Environment variables.
Malloc Recitation Section K (Kevin Su) November 5 th, 2012.

Malloc Recitation Section K (Kevin Su) November 5 th, 2012.
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.

Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
Informática II Prof. Dr. Gustavo Patiño MJ 16- 18 24-09-2013.

Informática II Prof. Dr. Gustavo Patiño MJ
1 Day 03 Introduction to C. 2 Memory layout and addresses 5 10 12.5 9. 8 r s int x = 5, y = 10; float f = 12.5, g = 9.8; char c = ‘r’, d = ‘s’; 430043044308431243164317.

1 Day 03 Introduction to C. 2 Memory layout and addresses r s int x = 5, y = 10; float f = 12.5, g = 9.8; char c = ‘r’, d = ‘s’;
ECE 353: Lab C Pointers and Structs. Basics A pointer holds an address to some variable Notation: – Dereferencing operator: * int *x is a declaration.

ECE 353: Lab C Pointers and Structs. Basics A pointer holds an address to some variable Notation: – Dereferencing operator: * int *x is a declaration.
Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.

Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.
CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.

CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.
Memory Arrangement Memory is arrange in a sequence of addressable units (usually bytes) –sizeof( ) return the number of units it takes to store a type.

Memory Arrangement Memory is arrange in a sequence of addressable units (usually bytes) –sizeof( ) return the number of units it takes to store a type.
1 Type Type system for a programming language = –set of types AND – rules that specify how a typed program is allowed to behave Why? –to generate better.

1 Type Type system for a programming language = –set of types AND – rules that specify how a typed program is allowed to behave Why? –to generate better.
1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.

1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.

Similar presentations

Ads by Google