Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 22: Shameless Self-Promotion From (Bob Nelson)

Published byNatalia Gajda Modified over 6 years ago

Similar presentations

Presentation on theme: "Lecture 22: Shameless Self-Promotion From (Bob Nelson)"— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/~evans
Lecture 22: Shameless Self-Promotion From (Bob Nelson) Subject Re: NT vs. Linux Date Fri, 5 Jul :11:22 GMT Newsgroups comp.os.linux.advocacy,comp.sys.ibm.pc.hardware, comp.os.ms-windows.win95.misc, comp.os.mswindows.nt.misc, alt.flame,alt.fan.bill-gates,alt.destroy.microsoft Toni Anzlovar wrote: > Why does everybody want to RUN WORD? Why does nobody want to write and edit > text? Simple. A *tremendous* number of documents are written using Microsoft Word. One that is particularly ironic is the guide to LCLint -- a very popular lint tool -- often the lint of choice in the linux world. Background just got here last week finished degree at MIT week before Philosophy of advising students don’t come to grad school to implement someone else’s idea can get paid more to do that in industry learn to be a researcher important part of that is deciding what problems and ideas are worth spending time on grad students should have their own project looking for students who can come up with their own ideas for research will take good students interested in things I’m interested in – systems, programming languages & compilers, security rest of talk – give you a flavor of the kinds of things I am interested in meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on CS655: Programming Languages University of Virginia Computer Science David Evans

2 University of Virginia CS 655
Menu Garbage Collection Theory of Type Qualifiers PS3, Question 5 LCLint 17 January 2019 University of Virginia CS 655

3 Static Storage Allocation
All storage allocated at compile time Advantages: Fast Safe (cannot run out of memory) Disadvantages: Limited expressiveness No recursion, no dynamic structures Inefficient (sizes must be known at compile time) FORTRAN 17 January 2019 University of Virginia CS 655

4 University of Virginia CS 655
Stack Allocation Activation records Storage allocated on procedure entrance, deallocated on procedure exit Advantages over static allocation: Supports recursion Local structures size may vary But: storage lifetimes fixed to procedures Algol60 17 January 2019 University of Virginia CS 655

5 University of Virginia CS 655
Heap Allocation Dynamically allocate storage Advantages Storage size and lifetime controlled by programmer Disadvantages Heap fills up with garbage 17 January 2019 University of Virginia CS 655

6 University of Virginia CS 655
What is Garbage? Allocated memory that will never be used again Conservative Predictions: Java, CLU, LISP, ML Objects that are not reachable C/C++ Reachability is much harder because of pointer arithmetic, casting Linda No way to tell 17 January 2019 University of Virginia CS 655

7 University of Virginia CS 655
Reference Counting Every allocated object has an associated reference counter, rc Creating a new object, rc = 0 Assignment (creating a reference), rc++ Losing a reference: rc--; if rc == 0 free object Advantages: Overhead distributed Disadvantages: High overhead on assignments, block exits Can’t reclaim cyclic structures 17 January 2019 University of Virginia CS 655

8 Cyclic structures List x next: 2 next: 1 1 next: x := new List (); 1
Cannot be reclaimed!

9 University of Virginia CS 655
Reachability “Root” is reachable Object is reachable, if there is a reachable reference to it Roots: CLU Every object reference on the stack, own variables Java Every object reference on the stack, static (global) references 17 January 2019 University of Virginia CS 655

10 Mark and Sweep root

11 Mark and Sweep root

12 University of Virginia CS 655
Mark and Sweep Stop everything Mark objects reachable from roots Just follow all references recursively Reclaim everything that isn’t marked Disadvantages Long pauses (what gave GC a bad name) Advantages Simple, no overhead except when GC’ing 17 January 2019 University of Virginia CS 655

13 University of Virginia CS 655
Stop and Copy Divide storage into two spaces Stop everything Start from roots, copy all reachable objects to new space (switching references to point to new space as you go) Advantages: Improves locality – better cache behavior Disadvantages: Have to waste memory (need new space to copy into) Changes references (okay if language has address transparency) 17 January 2019 University of Virginia CS 655

14 Garbage Collecting in C/C++
Problem: what is reachable? Approach 1: Keep table of malloc’ed objects Assume all values that look like pointers (have value in address range) are pointers, and make all pointer-like values on stack, in registers, in static storage the roots Any object not reachable is from roots is garbage 17 January 2019 University of Virginia CS 655

15 University of Virginia CS 655
Test Program 1 char *evil () { char *s = malloc (1000); long int adr1 = (long int) s & 0xFFFF0000; long int adr2 = (long int) s & 0x0000FFFF; s = malloc (1000); s = (char *) (adr1 | adr2); return s; } GC 17 January 2019 University of Virginia CS 655

16 University of Virginia CS 655
Test Fragment 2 char *s = ...; // read a new string int len = 0; while (*s != ‘\0’) { *s = tolower (*s); s++; len++; } s = s – len; // point back to string start 17 January 2019 University of Virginia CS 655

17 University of Virginia CS 655
Boehm [PLDI 96] ANSI limits pointer arithmetic to within an allocated object Source code transformations to explicitly mark live references (put them in GC roots) Check source code for casts from non-pointer to pointer 17 January 2019 University of Virginia CS 655

18 University of Virginia CS 655
GC Summary After 40 years, still an active research area PLDI ‘2000 – 3 GC papers (of 31) Concurrent; generational; dealing with contaminated storage Performance penalty can be low or negative (improved cache behavior) 17 January 2019 University of Virginia CS 655

19 University of Virginia CS 655
Alternatives to GC Never reclaim storage Works fine for most PC applications, but not for embedded systems Loses locality – real reason to GC most programs Manually reclaim storage Buggy, dangerous and time-consuming Support manual reclamation with static checking 17 January 2019 University of Virginia CS 655

20 University of Virginia CS 655
Type Qualifiers q    negative (narrowing) qualifier   q  positive (widening) qualifier Is unsigned (in C) a qualifier? No, neither unsigned int  int int  unsigned int is true. 17 January 2019 University of Virginia CS 655

21 University of Virginia CS 655
Subtyping Rule Q  Q’ i = ’i i  [1..n] [type-constructor] Q c(1 ,..., n )  Q’ c(’1 ,..., ’n ) Why not  ? 17 January 2019 University of Virginia CS 655

22 PS3, Question 5: Subtyping
[monotonic-arrays] array[S]  array[T ] S = T [specialization of type-constructor] array[S]  array[T ] 17 January 2019 University of Virginia CS 655

23 University of Virginia CS 655
PS3, Question 5 Goal: call Scrunch (p) with a p that allows attacker to violate type safety [monotonic-arrays] means typeof(p) must be  array[String], so we can have typeof(p) = array[EvilString] where EvilString  String Method overriding allows attacker to define EvilString.concat  String.concat 17 January 2019 University of Virginia CS 655

24 Overriding String.concat
P1  Q1, ..., Pn  Qn, S  T [monotonic-procs] proc (P1, ..., Pn) returns (S)  proc (Q1, ... , Qn) returns (T) So, String EvilString.concat (EvilString s)  String String.concat (String s) 17 January 2019 University of Virginia CS 655

25 Implementing EvilString
class EvilString extends String { private int hackPointer; String concat (EvilString s) { this.hackPointer = // forge an address return super.concat (s); } ... Can attacker make Scrunch call EvilString.concat (s) where s  EvilString? 17 January 2019 University of Virginia CS 655

26 University of Virginia CS 655
No! Scrunch calls s.concat after initializing, String s = “”; ... s = s.concat ((String) ar[i]); so, EvilString.concat is never called! Attacker loses. If replaced initialization with, String s = a[0]; then, would call EvilString.concat(EvilString) if a[0] is EvilString, and a[1] is String EvilString. 17 January 2019 University of Virginia CS 655

27 University of Virginia CS 655
Real Java Has the [monotonic-array] rule! String [] s; SubString [] t; ... s = t; s[0] = new String (“test”); SubString tt = t[0]; Assignment produces an ArrayStoreException 17 January 2019 University of Virginia CS 655

28 University of Virginia CS 655
const const is a positive qualifier   const   values can be cast to const  const  values cannot be cast to  (Note: ANSI C allows it, but result is implementation dependent) const qualified values can be initialized but not updated From stdlib: char *strcpy (const char *, char *); 17 January 2019 University of Virginia CS 655

29 University of Virginia CS 655
Assign A e1 : ref(2) A e2 : 2 [assign] A e1 := e2 :  unit A e1 :  const ref(2) A e2 : 2 A e1 := e2 :  unit [assign’] 17 January 2019 University of Virginia CS 655

30 University of Virginia CS 655
Call A e1 : 2  A e2 : 2 [call] A e1 (e2) :  No changes necessary:   const  No const    rule means const    So, existing [call] rule disallows passing const  as  parameter. 17 January 2019 University of Virginia CS 655

31 University of Virginia CS 655
LCLint Approach Programmers add annotations (formal specifications) Simple and precise Describe programmers intent: Types, memory management, data hiding, aliasing, modification, nullness, etc. (project group 3: buffer overflows) LCLint detects inconsistencies between annotations and code Simple (fast!) dataflow analyses 17 January 2019 University of Virginia CS 655

32 Sample Annotation: only
extern only char *gptr; extern only out null void *malloc (int); Reference (return value) owns storage No other persistent (non-local) references to it Implies obligation to transfer ownership Transfer ownership by: Assigning it to an external only reference Return it as an only result Pass it as an only parameter: e.g., extern void free (only void *); 17 January 2019 University of Virginia CS 655

33 University of Virginia CS 655
Example extern only out null void *malloc (int); in library 1 int dummy (void) { 2 int *ip= (int *) malloc (sizeof (int)); 3 *ip = 3; 4 return *ip; 5 } LCLint output: dummy.c:3:4: Dereference of possibly null pointer ip: *ip dummy.c:2:13: Storage ip may become null dummy.c:4:14: Fresh storage ip not released before return dummy.c:2:43: Fresh storage ip allocated Note: user didn’t have to write any annotations to discover these bugs! 17 January 2019 University of Virginia CS 655

34 University of Virginia CS 655
only Try: only is a negative qualifier only    From stdlib: only void *malloc (size_t); void free (only void *); Does call rule work? (only pass onlys as onlys) But, after call state is changed: only char *x; ... free (x); free(x); 17 January 2019 University of Virginia CS 655

35 Operational Semantics
After passing as only, becomes dead. Configuration: < Instructions, PC, Store > Store: loc  <value, state  { only, dead, ... } 17 January 2019 University of Virginia CS 655

36 University of Virginia CS 655
Pass as Only Instructions[PC] = f (e) & Store ( f ) = < vf, only    > & Store (e) = < ve, only  > PC = PC + 1; Store’ = Store[e  < , dead  >] 17 January 2019 University of Virginia CS 655

37 University of Virginia CS 655
Assign Only Instructions[PC] = l := r & Store ( l ) = < vl, only  > & Store (r) = < vr, only  > PC = PC + 1 Store’ = Store[l  < vr, only  >] [r  < , dead  >] 17 January 2019 University of Virginia CS 655

38 Still Challenge Problem Remaining
How do you handle declarations? How do you handle block exits? Would denotational semantics work better? What about a combination of static and operational? How do you handle other annotations consistently? 17 January 2019 University of Virginia CS 655

39 University of Virginia CS 655
Summary Theory of Type Qualifiers uses: Static Semantics (Typing Judgments) Subtyping Rules Type Polymorphism Type Inference Lambda Calculus Operational Semantics If you understand everything in this paper, you know 75% of what you need to for the final. 17 January 2019 University of Virginia CS 655

40 University of Virginia CS 655
Charge Next time: Wacky Programming Paradigms Guidelines for Rotunda Presentations Signup for Final Timeslots Project Final Reports due Friday All team members should read complete drafts of your report 17 January 2019 University of Virginia CS 655

Download ppt "Lecture 22: Shameless Self-Promotion From (Bob Nelson)"

Similar presentations

Dynamic Memory Management

Dynamic Memory Management
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
Names and Bindings.

Names and Bindings.
Lecture 10: Heap Management CS 540 GMU Spring 2009.

Lecture 10: Heap Management CS 540 GMU Spring 2009.
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.

CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
Mark and Sweep Algorithm Reference Counting Memory Related PitFalls

Mark and Sweep Algorithm Reference Counting Memory Related PitFalls
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.

Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
Chapter 9 Subprogram Control Consider program as a tree- –Each parent calls (transfers control to) child –Parent resumes when child completes –Copy rule.

Chapter 9 Subprogram Control Consider program as a tree- –Each parent calls (transfers control to) child –Parent resumes when child completes –Copy rule.
Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.

Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.
Run time vs. Compile time

Run time vs. Compile time
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.

1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
Runtime Environments Compiler Construction Chapter 7.

Runtime Environments Compiler Construction Chapter 7.
Basic Semantics Associating meaning with language entities.

Basic Semantics Associating meaning with language entities.
David Evans These slides: Introduction to Static Analysis.

David Evans These slides: Introduction to Static Analysis.
1 Records Record aggregate of data elements –Possibly heterogeneous –Elements/slots are identified by names –Elements in same fixed order in all records.

1 Records Record aggregate of data elements –Possibly heterogeneous –Elements/slots are identified by names –Elements in same fixed order in all records.
David Evans The Bugs and the Bees Research in Programming Languages and Security University of.

David Evans The Bugs and the Bees Research in Programming Languages and Security University of.
CSE 425: Control Abstraction I Functions vs. Procedures It is useful to differentiate functions vs. procedures –Procedures have side effects but usually.

CSE 425: Control Abstraction I Functions vs. Procedures It is useful to differentiate functions vs. procedures –Procedures have side effects but usually.
Computer Organization and Design Pointers, Arrays and Strings in C Montek Singh Sep 18, 2015 Lab 5 supplement.

Computer Organization and Design Pointers, Arrays and Strings in C Montek Singh Sep 18, 2015 Lab 5 supplement.

Similar presentations

Ads by Google