1 / 92

This One Time, at PL Camp ...

This One Time, at PL Camp. Summer School on Language-Based Techniques for Integrating with the External World University of Oregon Eugene, Oregon July 2007. Checking Type Safety of Foreign Function Calls. Jeff Foster University of Maryland

brede
Download Presentation

This One Time, at PL Camp ...

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. This One Time, at PL Camp ... Summer School on Language-Based Techniques for Integrating with the External World University of Oregon Eugene, Oregon July 2007

  2. Checking Type Safety of Foreign Function Calls Jeff Foster University of Maryland • Ensure type safety across languages • OCaml/JNI – C • Multi-lingual type inference system • Representational types • SAFFIRE • Multi-lingual type inference system

  3. Dangers of FFIs • In most FFIs, programmers write “glue code” • Translates data between host and foreign languages • Typically written in one of the languages • Unfortunately, FFIs are often easy to misuse • Little or no checking done at language boundary • Mistakes can silently corrupt memory • One solution: interface generators

  4. Example: “Pattern Matching” if (Is_long(x)) { if (Int_val(x) == 0) /* B */ ... if (Int_val(x) == 1) /* D */ ... } else { if (Tag_val(x) == 0) /* A */ Field(x, 0) = Val_int(0) if (Tag_val(x) == 1) /* C */ Field(x, 1) = Val_int(0) } type t = A of int | B | C of int * int | D

  5. Garbage Collection • C FFI functions need to play nice with the GC • Pointers from C to the OCaml heap must be registered value bar(value list) { CAMLparam1(list); CAMLlocal1(temp); temp = alloc_tuple(2); CAMLreturn(Val_unit); } • Easy to forget • Difficult to find this error with testing

  6. Multi-Lingual Types • Representational Types • Embed OCaml types in C types and vice versa

  7. SAFFIRE • Static Analysis of Foreign Function InteRfacEs

  8. Programming Models for Distributed Computing Yannis Smaragdakis University of Oregon • NRMI: Natural programming model for distributed computing. • J-Orchestra: Execute unsuspecting programs over a network, using program rewriting. • Morphing: High-level language facility for safe program transformation.

  9. Network NRMI • Identify all reachable t tree 4 alias2 4 alias1 9 7 9 7 1 3 1 3 Client side Server side

  10. Network NRMI • Execute remote procedure tmp t tree 4 alias2 4 2 alias1 9 7 0 9 1 3 1 8 Client side Server side

  11. NRMI • Send back all reachable t tree 4 alias2 4 2 alias1 9 7 0 9 1 3 1 8 Network Client side

  12. NRMI • Match reachable maps t tree 4 alias2 4 2 alias1 9 7 0 9 1 3 1 8 Network

  13. NRMI • Update original objects t tree 4 alias2 4 2 alias1 0 9 0 9 1 8 1 8 Network

  14. NRMI • Adjust links out of original objects t tree 4 alias2 4 2 alias1 0 9 0 9 1 8 1 8 Network

  15. NRMI • Adjust links out of new objects t tree 4 alias2 4 2 alias1 0 9 0 9 1 8 1 8 Network

  16. NRMI • Garbage collect t 4 alias2 2 alias1 0 9 1 8 Network

  17. J-Orchestra • Automatic partition system • Works as bytecode compiler • lots of indirection using proxies, interfaces, local and remote objects • Partitioned program equivalent to original

  18. Morphing • Ensure program generators are safe • Statically check the generator to determine the safety of any generated program, under All inputs • ensure that genrated programs compile • Early approach – SafeGen • Using theorem provers • MJ • Using types

  19. Fault Tolerant Computing David August and David WalkerPrinceton University • Processors are becoming more susceptible to intermittent faults. • Moore’s Law, radiation • Alter computation or state, resulting in incorrect program execution. • Goal: Build reliable systems from unreliable components.

  20. Topics • Transient faults and mechanisms designed to protect against them (HW). • The role of languages and compilers may play in creating radiation hardened programs. • New opportunities made possible by languages which embrace potentially incorrect behavior.

  21. Causes

  22. Software/Compiler • Duplicate instructions and check at important locations (store) [SWIFT, EDDI]

  23. λzap • λ calculus with fault tolerance • Intermediate language for compilers • Models single fault • Based on replication • Semantics model type of faults let x1 = 2 inlet x2 = 2 inlet x3 = 2 inlet y1 = x1 + x1 inlet y2 = x2 + x2 inlet y3 = x3 + x3 inout [y1,y2,y3] let x = 2 inlet y = x + x inout y

  24. Testing

  25. Typing Ad Hoc Data Kathleen Fisher AT&T Labs • PADS project* • Data Description Language (DDL) • Data Description Calculus (DDC) • Automatic inference of PADS descriptions *http://padsproj.org

  26. PADS • Declarative description of data source: • Physical format information • Semantic constraints Pstruct webRecord { Pip ip; " - - ["; Pdate(’:’) date; ":"; Ptime(’]’) time; "]"; httpMeth meth; " "; Puint8 code; " "; Puint8 size; " "; }; Parray webLog { webRecord[] }; type responseCode = { x : Int | 99 < x < 600}

  27. Learning • Problem: Producing useful tools for ad hoc data takes a lot of time. • Solution: A learning system to generate data descriptions and tools automatically. Visual Information End-user tools Email struct { ........ ...... ........... } ASCII log files Binary Traces Raw Data Data Description CSV XML Standard formats & schema;

  28. Format Inference Engine Chunked Data Tokenization IR to PADSPrinter PADSDescription Input File(s) StructureDiscovery FormatRefinement ScoringFunction

  29. Multi-Staged Programming Walid Taha Rice University • Writing generic program that do not pay a runtime overhead. • Use program generators • Ensure syntactic well-formed, well-typed • MetaOCaml

  30. I2 P Batch The Abstract View I1 I2 P1 P2 I2

  31. MetaOCaml • Brackets (.< >.) • delay execution of an expression • Escape (.~ ) • Combine smaller delayed values to construct larger ones • Run (.! ) • Compile and execute the dynamically generated code

  32. Power Example let rec power (n , x) = match n with 0 → 1 | n → x * (power (n-1, x));; let power2 (x) = power (2, x);;let power2 = fun x → power (2, x);; let power2 (x) = 1*x*x; let rec power (n, x) = match n with 0 → .<1>. | n → .<.~x * ~(power (n-1, x))>.;;let power2 = .! .<fun x → .~(power (2, .<x>.))>.;;

  33. Scalable Defect Detection Manuvir Das, Daniel Wang, Zhe Yang, Microsoft Research • Program analysis at Microsoft scale • scalability, accuracy • Combination of weak global analysis and slow local one (for some regions of code) • Programmers are requires to add interface annotations • some automatic inference is available

  34. Web and Database Application Security Zhendong Su University of California-Davis • Static analyses for enforcing correctness of dynamically generated database queries. • Runtime checking mechanisms for detecting SQL injection attacks; • Static analyses for detecting SQL injection and cross-site scripting vulnerabilities.

  35. XML and Web Application Programming Anders Møller University of Aarhus • Formal models of XML schemas • Expressiveness of DTD, XML Schema, Relax NG • Type checking XML transformation languages • “Assuming that X is valid according to Sin is T(x) valid according to Sout?” • Web application frameworks • Java Servlets and JSP, JWIG, GWT

  36. Types for Safe C-Level Programming Dan Grossman University of Washington • Cyclone, a safe dialect for C • Designed to prevent safety violations (buffer overflow, memory management, …) • Mostly underlying theory • Types, expression, memory regions

  37. Analyzing and Debugging Software • Understanding Multilingual Software [Foster] • Parlez vous OCaml? • Statistical Debugging [Liblit] • you are my beta tester, and there’s lots of you • Scalable Defect Detection [Das, Wang, Yang] • Microsoft programs have no bugs

  38. Programming Models • Types for Safe C-Level Programming [Grossman] • C without the ick factor • Staged Programming [Taha] • Programs that produce programs that produce programs... • Prog. Modles for Dist. Comp. [Smaragdakis] • We’ve secretly replaced your centralized program with a distributed application. can you tell the difference?

  39. The Web • Web and Database Application Security [Su] • How not to be pwn3d by 1337 haxxors • XML and Web Application Programming [Møller] • X is worth 8 points in scrabble...let’s use it a lot

  40. Other Really Important Stuff • Fault Tolerant Computing [August, Walker] • Help, I’ve been hit by a cosmic ray! • Typing Ad Hoc Data [Fisher] • Data, data, everywhere, but what does it mean?

  41. Statistical Debugging Ben Liblit University Of Wisconsin-Madison

  42. What’s This All About? • Statistical Debugging & Cooperative Bug Isolation • Observe deployed software in the hands of real end users • Build statistical models of success & failure • Guide programmers to the root causes of bugs • Make software suck less

  43. Motivation “There are no significantbugs in our released softwarethat any significant numberof users want fixed.” Bill Gates, quoted in FOCUS Magazine

  44. Software Releases in the Real World [Disclaimer: this may be a caricature.]

  45. Software Releases in the Real World Coders & testers in tight feedback loop Detailed monitoring, high repeatability Testing approximates reality Testers & management declare “Ship it!” Perfection is not an option Developers don’t decide when to ship

  46. Software Releases in the Real World Everyone goes on vacation Congratulate yourselves on a job well done! What could possibly go wrong? Upon return, hide from tech support Much can go wrong, and you know it Users define reality, and it’s not pretty Where “not pretty” means “badly approximated by testing”

  47. Testing as Approximation of Reality • Microsoft’s Watson error reporting system • Crash report from 500,000 separate programs • x% of software causes 50% of bugs • Care to guess what x is? • 1% of software errors causes 50% of user crashes • Small mismatch ➙ big problems (sometime) • Big mismatch ➙small problem? (sometime!) • Perfection is not an economically viable option

  48. Real Engineers Measure Things;Are Software Engineers Real Engineers?

  49. Instrumentation Framework “The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong, it usually turns out to be impossible to get at or repair.” Douglas Adams, Mostly Harmless

  50. Bug Isolation Architecture  € ƒ ‚ ƒ €  Predicates ShippingApplication ProgramSource Sampler Compiler StatisticalDebugging Counts& J/L Top bugs withlikely causes

More Related