Presentation is loading. Please wait.

Presentation is loading. Please wait.

1/17 Automated Verification of Practical Garbage Collectors Chris Hawblitzel (Microsoft Research) Erez Petrank (Technion)

Published byCeleste Britt Modified over 10 years ago

Similar presentations

Presentation on theme: "1/17 Automated Verification of Practical Garbage Collectors Chris Hawblitzel (Microsoft Research) Erez Petrank (Technion)"— Presentation transcript:

1 1/17 Automated Verification of Practical Garbage Collectors Chris Hawblitzel (Microsoft Research) Erez Petrank (Technion)

2 2/17 Downloading safe code x86 Java bytecode /.NET bytecode / JavaScript / ActionScript exception handling garbage collector threads run-time system Web browser JIT compiler

3 3/17 From: Apple Product Security Date: Fri, 11 Jul 2008... Available for: iPhone v1.0 through v1.1.4,iPod touch v1.1 through v1.1.4 Description: A memory corruption issue exists in JavaScriptCore's handling of runtime garbage collection. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. GC vulnerabilities Mozilla Firefox Bug in JavaScript Garbage Collector Lets Remote Users Deny Service Advisory: Mozilla Foundation Security Advisory Date: Apr 16 2008 A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a flaw in the JavaScript garbage collector code and cause the target user's browser to crash.... The vendor indicates that similar crashes have been exploitable in the past, so arbitrary code execution may be possible... MS07-057: Cumulative security update for Internet Explorer Date: October 2007...Internet Explorer 6 may exit with an access violation when the JavaScript garbage collector runs and you have dynamically removed a TBODY, THEAD, or TFOOT HTML tag from a table in Windows XP...

4 4/17 GC verification Earlier work  Small GCs  Interactive proofs New work: realistic GCs  Runs real Bartok-compiled C# real memory layouts  Automated verification annotated GCs in BoogiePL assemble BoogiePL to x86 specifications in BoogiePL Z3 automated SMT prover

5 5/17 Challenges to automated verification 1.Reasoning about graphs 2.Undecidable logic 3.Large formulas

6 6/17 Outline Background Simple verified GC – miniature mark-sweep collector – quantifiers Practical verified GCs

7 7/17 Mark-sweep and copying collectors A (root) C mark-sweepcopying fromcopying to A B C A B C abstract graph A B B

8 8/17 Garbage collector properties A (root) C A B B Verified: – isomorphism (McCreight, Shao et al 2007) – effectiveness – after gc, unreached objects reclaimed Not verified: – Termination – Efficiency C

9 9/17 Verifying Mark procedure Mark(ptr:int) requires GcInv(Color, $toAbs, $AbsMem, Mem); requires memAddr(ptr) && T(ptr); requires $toAbs[ptr] != NO_ABS; modifies Color; ensures GcInv(Color, $toAbs, $AbsMem, Mem); ensures (forall i:int::{T(i)} T(i) && !Black(Color[i]) ==> Color[i] == old(Color)[i]); ensures !White(Color[ptr]); { if (White(Color[ptr])) { Color[ptr] := 2; // make gray call Mark(Mem[ptr,0]); call Mark(Mem[ptr,1]); Color[ptr] := 3; // make black }

10 10/17 Verifying Mark: abstract concrete procedure Mark(ptr:int) requires GcInv(Color, $toAbs, $AbsMem, Mem); requires memAddr(ptr) && T(ptr); requires $toAbs[ptr] != NO_ABS; modifies Color; ensures GcInv(Color, $toAbs, $AbsMem, Mem); ensures (forall i:int::{T(i)} T(i) && !Black(Color[i]) ==> Color[i] == old(Color)[i]); ensures !White(Color[ptr]); { if (White(Color[ptr])) { Color[ptr] := 2; // make gray call Mark(Mem[ptr,0]); call Mark(Mem[ptr,1]); Color[ptr] := 3; // make black } A B A B $toAbs Mem $AbsMem forall i:int ::{T(i)} T(i) && memAddr(i) ==> $toAbs[Mem[i, field]] == $AbsMem[$toAbs[i], field]

11 11/17 Verifying Mark: no black-->white procedure Mark(ptr:int) requires GcInv(Color, $toAbs, $AbsMem, Mem); requires memAddr(ptr) && T(ptr); requires $toAbs[ptr] != NO_ABS; modifies Color; ensures GcInv(Color, $toAbs, $AbsMem, Mem); ensures (forall i:int::{T(i)} T(i) && !Black(Color[i]) ==> Color[i] == old(Color)[i]); ensures !White(Color[ptr]); { if (White(Color[ptr])) { Color[ptr] := 2; // make gray call Mark(Mem[ptr,0]); call Mark(Mem[ptr,1]); Color[ptr] := 3; // make black } forall i:int::{T(i)} T(i) && memAddr(i) ==> Black(Color[i]) ==> !White(Color[Mem[i,field]])

12 12/17 “trigger” quantifier instantiation i =e when T(e) seen Quantifiers and triggers procedure Mark(ptr:int) requires GcInv(Color, $toAbs, $AbsMem, Mem); requires memAddr(ptr) && T(ptr); requires $toAbs[ptr] != NO_ABS; modifies Color; ensures GcInv(Color, $toAbs, $AbsMem, Mem); ensures (forall i:int::{T(i)} T(i) && !Black(Color[i]) ==> Color[i] == old(Color)[i]); ensures !White(Color[ptr]); { if (White(Color[ptr])) { Color[ptr] := 2; // make gray (equivalent to “Color := Color[ptr := 2];” call Mark(Mem[ptr,0]); call Mark(Mem[ptr,1]); Color[ptr] := 3; // make black } T is a dummy function: T(e) true explicit introductions of T(...) to provoke quantifier instantiations forall i:int::{$toAbs[i]}{$toAbs’[i]}... $toAbs[i] != NO_ABS ==> $toAbs[i] == $toAbs’[i]... also trigger on old, new $toAbs (and split $toAbs into “regions”)

13 13/17 Outline Background Simple verified GC Practical verified GCs – Object layouts, GC tags, static data, stacks, interior pointers,... – Mark-sweep collector Free list + cache Mark stack Table of color bits (2 bits per color) – Copying collector Simple (non-generational) 2-space Cheney queue algorithm – Mutator-GC interface: Initialize read, write AllocateObject, AllocateString, AllocateVector, AllocateArray

14 14/17 Practical, verified copying collector code procedure CopyAndForward($ptr:int, $_tj:int) requires ecx == $ptr; requires CopyGcInv(...); requires Pointer($r1, $ptr, $r1[$ptr]);... { call edx := GcRead(ecx + 4); esp := esp - 4; call GetSize($ptr, edx, $r1, $r1); ebp := eax;... edi := 0; edx := 0; loop: assert 4 * edi == edx; assert CopyGcInv(...);... if (edx >= ebp) { goto loopEnd; } call copyWord($ptr, $_tj, esi, edi, ebp); call edi := Add(edi, 1); call edx := Add(edx, 4); goto loop; loopEnd: call eax := Lea(esi + 4); call GcWrite(ecx + 4, eax);... mov edi, 0 mov edx, 0 CopyAndForward$loop: cmp edx, ebp jae CopyAndForward$loopEnd automatic translation

15 15/17 Performance (2 of 10 benchmarks) execution time (seconds) available memory(MB) BartokAsmlc execution time (seconds) available memory (MB) caveat: Bartok collectors support more features (e.g. threads, pinning) than verified collectors

16 16/17 Code size, verification time BoogiePL lines of code x86 instructions Time to verify (seconds) Trusted defs 546 Shared code 77917712 Copying 2398802115 Mark-sweep 303886570 lines of proof script: 0

17 17/17 Conclusions Verified run-time status: two practical GCs 1.Reasoning about graphs ==> isomorphism 2.Undecidable logic ==> triggers 3.Large formulas ==> modern automated prover (Z3) Original mutator-GC interface specification had two bugs, so: – Copying collector: crashed 1 st time (spec bug: Initialize not asked to save ebp) crashed 2 nd time (spec bug: preheader vs. header confusion) worked 3 rd time – Mark-sweep (with corrected spec): worked 1 st time http://www.codeplex.com/singularity Source Code: base/Imported/Bartok/runtime/verified/GCs

Download ppt "1/17 Automated Verification of Practical Garbage Collectors Chris Hawblitzel (Microsoft Research) Erez Petrank (Technion)"

Similar presentations

An Implementation of Mostly- Copying GC on Ruby VM Tomoharu Ugawa The University of Electro-Communications, Japan.

An Implementation of Mostly- Copying GC on Ruby VM Tomoharu Ugawa The University of Electro-Communications, Japan.
1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 1 Introduction to Perl and CGI.

1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 1 Introduction to Perl and CGI.
Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 12 Introduction to ASP.NET.

Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 12 Introduction to ASP.NET.
Ahead of Time Dynamic Translation PreJit/NGEN by any other name George Bosworth Microsoft MRE04 March 21, 2004.

Ahead of Time Dynamic Translation PreJit/NGEN by any other name George Bosworth Microsoft MRE04 March 21, 2004.
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.

Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Software Transactional Objects Guy Eddon Maurice Herlihy TRAMP 2007.

Software Transactional Objects Guy Eddon Maurice Herlihy TRAMP 2007.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 16 Secure Coding in Java and.NET Part 1: Fundamentals.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 16 Secure Coding in Java and.NET Part 1: Fundamentals.
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,
Security of JavaCard smart card applets Erik Poll University of Nijmegen

Security of JavaCard smart card applets Erik Poll University of Nijmegen
JUST-IN-TIME COMPILATION

JUST-IN-TIME COMPILATION
WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
Analyzing Information Flow in JavaScript-based Browser Extensions Mohan Dhawan and Vinod Ganapathy Department of Computer Science Rutgers University 25.

Analyzing Information Flow in JavaScript-based Browser Extensions Mohan Dhawan and Vinod Ganapathy Department of Computer Science Rutgers University 25.
Garbage collection David Walker CS 320. Where are we? Last time: A survey of common garbage collection techniques –Manual memory management –Reference.

Garbage collection David Walker CS 320. Where are we? Last time: A survey of common garbage collection techniques –Manual memory management –Reference.
1 © 1999 Citrix Systems Inc Using type information in garbage collection Tim Harris.

1 © 1999 Citrix Systems Inc Using type information in garbage collection Tim Harris.
1 Write Barrier Elision for Concurrent Garbage Collectors Martin T. Vechev Cambridge University David F. Bacon IBM T.J.Watson Research Center.

1 Write Barrier Elision for Concurrent Garbage Collectors Martin T. Vechev Cambridge University David F. Bacon IBM T.J.Watson Research Center.
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.

Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.
Will You Still Compile Me Tomorrow

Will You Still Compile Me Tomorrow

Similar presentations

Ads by Google