A Behavioral Type System for Memory-Leak Freedom. Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University

Size: px

Start display at page:

Download "A Behavioral Type System for Memory-Leak Freedom. Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University"

Pierce Owen
6 years ago
Views:

1 A Behavioral Type System for Memory-Leak Freedom Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University

2 Introduction n Memory leaks are very serious problems Ø Applications stop working Ø System crashes 2

3 Memory-leak freedom n All the allocated memory cells are eventually deallocated f() = let x = malloc() in free(x) Example 1: memory-leak free program 3

4 Partial memory-leak freedom n All the allocated memory cells are eventually deallocated if a program terminates f () = let x = malloc() in f (); free(x) Although it is partially memoryleak free, it consumes unbounded number of memory cells Example 2: partial memory-leak freedom 4

5 Total memory-leak freedom n A program consumes bounded number of memory cells even when it does not terminate h() = h () = let x = malloc() in let x = malloc() in let y = malloc() in let y = malloc() in free(x); free(y); h() h ();free(x);free(y) Example 3: both are partially memory-leak free. h() is totally memory-leak free, but h () is not. 5

6 Goal n Verification of total memory-leak freedom h() = h () = let x = malloc() in let x = malloc() in let y = malloc() in let y = malloc() in free(x);free(y);h() h (); free(x); free(y) Example 3 6

7 Idea n Behavioral types to abstract the behavior of a program Ø Sequential processes as types Ø Information about the number and the order of allocations, deallocations, and recursive calls Ø Used to estimate the upper bound of memory consumption of a program 7

8 Explanation of the idea Allocating two cells, freeing them, and then calling recursively h() = let x = malloc() in let y = malloc() in free(x); free(y); h() µα.malloc;malloc;free;free;α Abstracting away statements not related to allocation/deallocation 8

9 Explanation of the idea h () = let x = malloc() in let y = malloc() in h (); free(x); free(y) Allocating two cells, calling recursively, and then freeing them µα.malloc;malloc;α;free;free Abstracting away statements not related to allocation/deallocation 9

10 Overview original programs Behavioral type system µα.malloc;malloc;free;free;α Behavior types h () = let x = malloc() in let y = malloc() in h (); free(x); free(y) Success Model checker Fail totally memoryleak free Unknown 10

11 Outline n Language n Behavioral Type System n Preliminary Experiments n Related Work n Conclusion n Future Work 11

12 Language x,y, z,... (variables) Var s (statements) ::= skip s 1 ; s 2 let x = y in s f(x) *x y let x = *y in s let x = malloc() in s free(x) ifnull(x) then s 1 else s 2 let x = null in s d (proc. defs.) ::= { f (x 1,..., x n )s} D (definitions) ::= d 1... d n P (programs) ::= D, s 12

13 Outline n Language n Behavioral type system Ø Syntax of behavioral types Ø Type judgment Ø Typing rule for programs Ø OK n (P) n Preliminary Experiments n Related Work n Conclusion n Future Work 13

14 Syntax of behavioral types n P (behavioral types) ::= 0 P 1 ;P 2 P 1 +P 2 malloc free α µα.p do-nothing sequential execution of P 1 and P 2 choice between P 1 and P 2 allocation of one memory cell deallocation type variable recursion 14

15 Type judgment Θ; Γ s : P n Under Θ and Γ, the abstracted behavior of s is P Ø Θ (function type environment) ::= {f 1 :P 1,...,f n :P n } Ø Γ (variable type environment) ::= {x 1,x 2,...,x n } n For example Θ; Γ let x = malloc() in free(x) : malloc;free 15

16 Typing rule for programs D : Θ Θ; s : P OK n (P) D, s : n During execution,a program will never allocate more than n cells Ø D, s : n, a program requires at most n memory cells when it is executed Ø P represents the behavioral type of main statement s In order to guarantee D, s : n, we use condition OK n (P) 16

17 OK n (P) σ represents a sequence of actions malloc, free, and other actions τ n Definition: OK n (P) holds if, for any P, if P σ The number of malloc in σ The number of free in σ P then # malloc (σ) - # free (σ) n n Intuitively, at every running step, the number of memory cells a program consumes never exceeds the number of cells it requires. n For example P 1 = µα.malloc;malloc;free;free;α OK 2 (P 1 ) holds, that is,at most two memory cells are consumed 17

18 Outline n Language n Behavioral Type System n Preliminary Experiments Ø Objective Ø Comparison Ø Discussion n Related Work n Conclusion n Future Work 18

19 Objective n Checking whether our approach can verify total memory-leak freedom n Investigating the problems in our current type system 19

20 Two ways to verify total memory-leak freedom original programs (C programs) Model checker (CPAChecker) Success or Fail Manually extracted Behavioral types (encoded as C programs) Success or Fail Model checker (CPAChecker) We expect our approach is faster than model checking on original programs directly 20

21 Comparison original programs abstracted behavioral types s 9.580s 2.700s 3.000s 1.980s 2.060s 2.020s 1.970s poker.c database.c gen_init_cpio.c decompress_unlzo.c Table 1. Time spent by CPAChecker 21

22 Problem: Information in behavioral types is not enough to verify total memory-leak freedom! original programs abstracted behavior Result of verification Result of verification poker.c Success Fail database.c Success Fail gen_init_cpio.c Success Fail decompress_unlzo.c Success Fail Table 2. Result of verification of model checking on original programs and abstracted behavior. 22

23 Discussion n Verification failed,because our type system is not path-sensitive while( ){ if ( /* condition c */){ x = malloc(sizeof(int)); } /* Do something */ if(/* condition equivalent to c */){ free(x); } } µα.malloc;0;α µα.(0 + malloc);(0 + free);α 23

24 Discussion while( ){ if ( /* condition c */){ x = malloc(sizeof(int)); /* Do something */ free(x); } else{ /* Do something */ } } P : µα.((malloc;free) + 0);α OK 1 (P) holds We confirmed that CPAChecker can verify OK n (P) for the abstracted behaviroal type of the rewritten programs without much penalty on CPU time 24

25 Outline n Language n Behavioral type system n Preliminary Experiments n Related work n Conclusion n Future work 25

26 Related work n Static memory-leak freedom verification [Heine&Lam PLDI 03], [Suenaga&Kobayashi APLAS 09], etc Ø Partial memory-leak freedom Ø Lack of illegal accesses n Behavioral types are heavily used in concurrent programs [Kobayashi and Suenaga&Wischik LMCS 06], etc Ø Our type system is inspired by one proposed by Kobayashi et al. 26

27 Conclusion n Verification of memory-leak freedom for (possibly) nonterminating programs n A behavioral type system which abstracts the behavior of programs with allocation and deallocation n Preliminary experiments Ø Applying CPAChecker on abstracted behavioral types 27

28 Future work n Extension with variable-sized cells n Improving our type system Ø to make the verification process automatic Ø to verify programs more precisely 28

An Extended Behavioral Type System for Memory-Leak Freedom. Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University

An Extended Behavioral Type System for Memory-Leak Freedom Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University Introduction n Memory leak, forgetting to deallocate an allocated memory cell, is