Semantic Type Qualifiers

Semantic Type Qualifiers
Chien-Huei Chen, Huseyin Sinecan
05.18.2006

Semantic Type Qualifiers
Type Systems
A natural discipline: specify properties, check properties
Problem: properties are checked statically, and program designers cannot anticipate everything
Augmenting the properties of types with qualifiers (no need to add many annotations)
5/10/2019 Semantic Type Qualifiers

The Clarity Project
A novel framework for user-defined type qualifiers for C programs
It provides a declarative language in which users can define new qualifiers
An extensible typechecker employs these user-defined rules to automatically check annotated C programs
(University of California, Los Angeles)

The Cqual Project
A tool for adding type qualifiers to C
Same purpose as Clarity
Uses a fixed set of type rules across all type refinements
Not expressive enough to handle many common situations

Where to use qualifiers
Deadlock detection
Format-string vulnerability detection: use a tainted qualifier to mark untrusted data and require that printf-like functions take untainted data
const inference: the qualifier const is used in ANSI C programs to state that certain names will not be used to write to a location
    Ex: foo(const int *x) *additional const annotations* …

Classes of qualifiers
The Clarity framework supports two common classes of qualifiers:
Value qualifiers (pertain to the value): pos, nonnull
Reference qualifiers (pertain to the address): unique, unaliased

pos qualifier

    value qualifier pos(int Expr E)
      case E of
        decl int Const C:
          C, where C > 0
      | decl int Expr E1, E2:
          E1 * E2, where pos(E1) && pos(E2)
      | decl int Expr E1:
          -E1, where neg(E1)
      invariant value(E) > 0

A user-defined type qualifier and associated type rules for positive integers.

A type qualifier for unaliased variables

    ref qualifier unaliased(T Var X)
      ondecl disallow &X
      invariant forall T** P: *P != location(X)

Indicates the variable's address, not the value
ondecl: can be given at declaration
disallow: cannot have its address taken

Sample Example

    qualifier nonzero(int Expr E)
      case E of
        decl int Const C:
          C, where C != 0
      | decl int Expr E1:
          E1, where pos(E1)
      | decl int Expr E1:
          E1, where neg(E1)
      | decl int Expr E:
          -E, where nonzero(E)
      | decl int Expr E1, E2:
          E1 * E2, where nonzero(E1) && nonzero(E2)
      restrict decl int Expr E1, E2:
          E1 / E2, where nonzero(E2)
      invariant Value(E) != 0

    int y0 = 20;
    int z0;
    ……………………
    z0 = x / y0;
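The case rules of the pos and nonzero qualifiers above are a structural recursion over the expression tree, and the restrict clause is a separate check on every division. The Python below is an added illustration, not code from the Clarity tool or from these slides; it assumes a constructed mini-AST, assumes neg is the mirror image of pos (the slides use neg but never define it), and assumes a variable carries exactly the qualifiers it was declared with, so that z0 = x / y0 is accepted only when y0 carries nonzero.

```python
from dataclasses import dataclass
from typing import Union

# Constructed mini-AST for int expressions (an assumption; not Clarity's own AST).
@dataclass(frozen=True)
class Const: value: int
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Neg: e: "Expr"
@dataclass(frozen=True)
class Mul: a: "Expr"; b: "Expr"
@dataclass(frozen=True)
class Div: a: "Expr"; b: "Expr"
Expr = Union[Const, Var, Neg, Mul, Div]

def holds(q: str, e: Expr, env: dict) -> bool:
    """Can qualifier q (pos, neg or nonzero) be derived for e under the slides' case rules?"""
    if isinstance(e, Var) and q in env.get(e.name, set()):
        return True  # assumption: a qualifier declared on a variable is trusted as given
    if q == "pos":
        if isinstance(e, Const): return e.value > 0
        if isinstance(e, Mul):   return holds("pos", e.a, env) and holds("pos", e.b, env)
        if isinstance(e, Neg):   return holds("neg", e.e, env)
    elif q == "neg":  # assumed mirror image of pos; the slides use neg but never define it
        if isinstance(e, Const): return e.value < 0
        if isinstance(e, Mul):   return ((holds("pos", e.a, env) and holds("neg", e.b, env))
                                         or (holds("neg", e.a, env) and holds("pos", e.b, env)))
        if isinstance(e, Neg):   return holds("pos", e.e, env)
    elif q == "nonzero":
        if isinstance(e, Const): return e.value != 0
        if holds("pos", e, env) or holds("neg", e, env): return True  # the pos/neg cases
        if isinstance(e, Neg):   return holds("nonzero", e.e, env)
        if isinstance(e, Mul):   return holds("nonzero", e.a, env) and holds("nonzero", e.b, env)
    return False  # no case rule matched, so the qualifier cannot be established

def check_restricts(e: Expr, env: dict) -> list:
    """Enforce the restrict rule: every E1 / E2 inside e needs nonzero(E2). Returns violations."""
    errs = []
    if isinstance(e, Div):
        if not holds("nonzero", e.b, env):
            errs.append(f"{e.a} / {e.b}: divisor is not provably nonzero")
        errs += check_restricts(e.a, env) + check_restricts(e.b, env)
    elif isinstance(e, Neg):
        errs += check_restricts(e.e, env)
    elif isinstance(e, Mul):
        errs += check_restricts(e.a, env) + check_restricts(e.b, env)
    return errs
```

Because the checker is flow-insensitive, the initializer y0 = 20 by itself proves nothing; only a declared qualifier on y0 (the env entry here) lets the division through.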

Example 1: nonnull

    qualifier nonnull(T* Expr E)
      case E of
        decl T LValue X:
          &X
      | new
      restrict decl T* Expr E:
          *E, where nonnull(E)
      invariant Value(E) != null

Example 1 (cont.)
In the original link_list.c:

    …………….
    158 struct list_head *first = list->next;
    159 struct list_head *last = list->prev;
    160 struct list_head *at = head->next;

Compiled with the nonnull qualifier:

    Expression list->next breaks rule 'Restricts: Dref(WCExpr(E)) where Qual(nonnull, E)' under qualifier nonnull at examples/link_list.c:158

Example 1 (cont.)
In order to get rid of all the errors, we first try to add the qualifier nonnull to the function. In the function:

    void list_add(struct list_head *new,
                  struct list_head* __attribute__((nonnull)) head) {
        /* head is declared nonnull, so the dereference head->next satisfies the restrict rule */
        __list_add(new, head, head->next);
    }

Example 1 (cont.)
Mail from one of the authors:
There is also a notion of "reference qualifiers" for talking about properties of memory locations….. However, reference qualifiers are not very well developed at this point and are very difficult to use in a practical way in the current framework, due to its flow insensitivity.

Example 2: locked and unlocked
Original example file:

    void f(struct obj* o) {
        acquire_lock(&o->lock);
        do_stuff(o);
        g(o);                   /* called while o's lock is still held */
        release_lock(&o->lock);
    }

    void g(struct obj* o) {
        if (1) {
            acquire_lock(&o->lock); /* bug: deadlock */
            release_lock(&o->lock);
        }
    }

Example 2 (cont.)

    void f(struct obj* __attribute__((unlocked)) o) {
        struct obj* __attribute__((locked)) lock_o;
        acquire_lock(&o->lock);
        lock_o = castto(o, struct obj* __attribute__((locked)));
        do_stuff(o);
        g(lock_o);              /* passes a locked pointer where g expects unlocked */
        release_lock(&o->lock);
    }

    void g(struct obj* __attribute__((unlocked)) o) {
        if (1) {
            acquire_lock(&o->lock); /* bug: deadlock */
            release_lock(&o->lock);
        }
    }

Example 2 (cont.)

    g(lock_o); do not match with function type void (struct dummy * __attribute__((__unlocked__)) o ) at examples/deadlock.c:32
    Total Errors: 1