
Type Qualifiers: Lightweight Specifications to Improve Software Quality

by

Jeffrey Scott Foster

B.S. (Cornell University) 1995
M.Eng. (Cornell University) 1996

A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the GRADUATE DIVISION of the UNIVERSITY OF CALIFORNIA, BERKELEY

Committee in charge:
Professor Alexander S. Aiken, Chair
Professor Susan L. Graham
Professor Hendrik W. Lenstra

Fall 2002

Type Qualifiers: Lightweight Specifications to Improve Software Quality

Copyright 2002
by
Jeffrey Scott Foster

Abstract

Type Qualifiers: Lightweight Specifications to Improve Software Quality

by

Jeffrey Scott Foster

Doctor of Philosophy in Computer Science
University of California, Berkeley
Professor Alexander S. Aiken, Chair

Software plays a pivotal role in our daily lives, yet software glitches and security vulnerabilities continue to plague us. Existing techniques for ensuring the quality of software are limited in scope, suggesting that we need to supply programmers with new tools to make it easier to write programs with fewer bugs. In this dissertation, we propose using type qualifiers, a lightweight, type-based mechanism, to improve the quality of software. In our framework, programmers add a few qualifier annotations to their source code, and type qualifier inference determines the remaining qualifiers and checks consistency of the qualifier annotations. In this dissertation we develop scalable inference algorithms for flow-insensitive qualifiers, which are invariant during execution, and for flow-sensitive qualifiers, which may vary from one program point to the next. The latter inference algorithm incorporates flow-insensitive alias analysis, effect inference, ideas from linear type systems, and lazy constraint resolution to scale to large programs. We also describe a new language construct “restrict” that allows a programmer to specify certain aliasing properties, and we give a provably sound system for checking usage of restrict. In our system, restrict is used to improve the precision of flow-sensitive type qualifier inference. Finally, we describe a tool for adding type qualifiers to the C programming language, and we present several experiments using our tool, including finding security vulnerabilities in popular C programs and finding deadlocks in the Linux kernel.
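The inference the abstract describes (a programmer fixes a few qualifiers by annotation, inference assigns the rest and checks that the annotations are mutually consistent) can be illustrated with a toy flow-insensitive solver over a two-point qualifier partial order. What follows is an added example written for this page; it is not CQual's code and not code from the dissertation. The lattice (untainted below tainted), the representation of constraints as "src <= dst" flow edges, the class and function names, and the sample program modelled after the format-string case in Chapter 6 are all constructed for the illustration.

```python
# Toy flow-insensitive type qualifier inference over a two-point qualifier
# partial order. Added example, not CQual's code: the lattice, the constraint
# representation and the sample program below are constructed for illustration.
from collections import defaultdict, deque

# Qualifier partial order given as a chain: lower level <= higher level.
LEVEL = {"untainted": 0, "tainted": 1}
BOTTOM = min(LEVEL, key=LEVEL.get)


def leq(a: str, b: str) -> bool:
    """a <= b in the qualifier partial order."""
    return LEVEL[a] <= LEVEL[b]


def join(a: str, b: str) -> str:
    """Least upper bound of two qualifiers."""
    return a if LEVEL[a] >= LEVEL[b] else b


class QualifierInference:
    """Collects subtype constraints between qualifier variables and solves them."""

    def __init__(self) -> None:
        self.annot = {}                # qualifier variable -> annotated (fixed) qualifier
        self.succ = defaultdict(set)   # src -> {dst}: constraint src <= dst
        self.variables = set()

    def annotate(self, var: str, qual: str) -> None:
        """Programmer annotation: pin a qualifier variable to a constant."""
        if qual not in LEVEL:
            raise ValueError(f"unknown qualifier {qual!r}")
        self.variables.add(var)
        self.annot[var] = qual

    def flow(self, src: str, dst: str) -> None:
        """Assignment or call passes data of qualifier src into dst: src <= dst."""
        self.variables.update((src, dst))
        self.succ[src].add(dst)

    def solve(self):
        """Worklist propagation to the least solution.

        Unannotated variables start at the bottom qualifier and only move up,
        so the fixpoint is the least solution. An annotated variable that would
        have to move up cannot, so the constraint is reported as a violation:
        this is the 'consistency check' on the programmer's annotations.
        Returns (solution, violations)."""
        sol = {v: self.annot.get(v, BOTTOM) for v in self.variables}
        work = deque(sorted(self.variables))
        violations = []
        while work:
            src = work.popleft()
            for dst in sorted(self.succ[src]):
                if leq(sol[src], sol[dst]):
                    continue                      # constraint already satisfied
                if dst in self.annot:
                    bad = (src, sol[src], dst, sol[dst])
                    if bad not in violations:     # annotated: cannot be raised
                        violations.append(bad)
                else:
                    sol[dst] = join(sol[src], sol[dst])
                    work.append(dst)              # re-examine dst's successors
        return sol, violations


def example():
    """Constructed sample modelling a format-string check on this C fragment:

        char *env = getenv("USER");   /* library return value annotated tainted */
        char *fmt = env;              /* flow: q_env <= q_fmt                   */
        printf(fmt);                  /* printf's format parameter: untainted   */
        printf("%s\\n", env);         /* a literal format string is untainted   */
    """
    inf = QualifierInference()
    inf.annotate("getenv_ret", "tainted")        # untrusted environment data
    inf.annotate("printf_fmt", "untainted")      # sink: format argument of printf
    inf.annotate("str_literal", "untainted")     # string literal in the program
    inf.flow("getenv_ret", "env")
    inf.flow("env", "fmt")
    inf.flow("fmt", "printf_fmt")                # first call: tainted data reaches the sink
    inf.flow("str_literal", "printf_fmt")        # second call: literal format, consistent
    return inf.solve()


if __name__ == "__main__":
    solution, violations = example()
    for var in sorted(solution):
        print(f"{var:12s} {solution[var]}")
    for src, qs, dst, qd in violations:
        print(f"violation: {src}:{qs} flows into {dst}:{qd}")
```

Only three annotations are supplied; inference assigns `env` and `fmt` the qualifier `tainted` and reports the one constraint it cannot satisfy, the flow from `fmt` into the untainted format parameter. The second `printf` call, whose format is a literal, produces no report, which is the behaviour a practitioner wants from such a checker: annotate the sources and sinks once, let inference carry the qualifiers through the program.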

To my wife Elise

Contents

List of Figures  iv

1 Introduction  1

2 Background  8
  2.1 Standard Type Systems  11
  2.2 Standard Type Inference  15
  2.3 Partial Orders and Lattices  18

3 Flow-Insensitive Type Qualifiers  21
  3.1 Qualifiers and Qualified Types  21
  3.2 Qualifier Assertions and Annotations  24
  3.3 Flow-Insensitive Type Qualifier Checking  25
  3.4 Flow-Insensitive Type Qualifier Inference  28
  3.5 Semantics and Soundness  35
  3.6 Subtyping Under Non-Writable Pointer Types  35
  3.7 Related Work  36

4 Flow-Sensitive Type Qualifiers and Restrict  38
  4.1 Designing a Flow-Sensitive Type Qualifier System  39
    4.1.1 Abstract Stores, Abstract Locations, and Linearities  40
    4.1.2 Effects  43
  4.2 Restrict  44
  4.3 Aliasing, Effects, and Restrict  46
    4.3.1 A Flow-Insensitive Checking System  48
    4.3.2 Semantics and Soundness of Restrict  54
    4.3.3 A Flow-Insensitive Inference System  58
    4.3.4 Subsumption on Effects  64
  4.4 Flow-Sensitive Type Qualifier Checking  65
  4.5 Flow-Sensitive Type Qualifier Inference  71
    4.5.1 Flow-Sensitive Constraint Resolution  77
  4.6 Related Work  83

5 CQual  86
  5.1 Syntactic Issues and Partial Order Configuration Files  87
  5.2 Modeling C Types  90
  5.3 Unsafe Features of C  96
  5.4 Presenting Qualifier Inference Results  100
  5.5 Comparison of Restrict to ANSI C  103
  5.6 Related Work  107

6 Experiments  110
  6.1 Const Inference  110
    6.1.1 Experiments  112
  6.2 Format-String Vulnerabilities  115
    6.2.1 Experiments  117
    6.2.2 Related Work  119
  6.3 Linux Kernel Locking  120
    6.3.1 Experiments  121
    6.3.2 Related Work  127
  6.4 File Operations  127
    6.4.1 Experiments  130

7 Conclusion  131

A Soundness of Flow-Insensitive Type Qualifiers  133
  A.1 Small-Step Semantics  133
  A.2 Soundness  135

B Soundness of Restrict  141

Bibliography  159

List of Figures

2.1 Source Language  9
2.2 Big-Step Operational Semantics  10
2.3 Big-Step Operational Semantics, Error Rules  12
2.4 Standard Type Checking System  13
2.5 Standard Type Inference System  16
2.6 Type Equality Constraint Resolution  17
2.7 Two-point Partial Orders  19
2.8 Three-Point Partial Orders  19

3.1 Example Qualifier Partial Order  22
3.2 Subtyping Qualified Types  23
3.3 Source Language with Qualifier Annotations and Checks  24
3.4 Definitions of strip(·) and embed(·, ·)  26
3.5 Qualified Type Checking System  27
3.6 Qualified Type Inference System  29
3.7 Subtype Constraint Resolution  30
3.8 Qualifier Constraint Solving  31
3.9 Big-Step Operational Semantics with Qualifiers  34
3.10 Subtyping Non-Writable References  36

4.1 Example Program  39
4.2 Using Effects at Function Calls  43
4.3 Source Language and Target Language with Location and Effect Annotations  47
4.4 Alias, Effect, and Restrict Checking  49
4.5 Translation of Example Program in Figure 4.1  53
4.6 New Big-Step Operational Semantics Rules for Restrict  54
4.7 Alias and Effect Inference and Restrict Checking  60
4.8 Alias and Effect Constraint Resolution  61
4.9 Effect Constraint Normal Form  62
4.10 Solving Effect Constraint System with respect to Location ρ  63
4.11 Subsumption Rule for Effects  64
4.12 Flow-Sensitive Qualified Types  65
4.13 Subtyping and Store Compatibility Rules  67
4.14 Flow-Sensitive Qualified Type Checking System  68
4.15 ⊕ Operation on Partial Stores  69
4.16 Extending a Solution to Constructed Stores