An Extended Behavioral Type System for Memory-Leak Freedom. Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University

Size: px

Start display at page:

Download "An Extended Behavioral Type System for Memory-Leak Freedom. Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University"

Rolf Stafford
5 years ago
Views:

1 An Extended Behavioral Type System for Memory-Leak Freedom Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University

2 Introduction n Memory leak, forgetting to deallocate an allocated memory cell, is a serious problem Ø Decreasing the performance of computer Ø Unexpected termination of an application Ø System crash n Verification of memory-leak freedom is important 2

3 Partial memory-leak freedom n All the allocated memory cells are eventually deallocated if a program terminates Consumes unbounded number of memory cells f() = let x = malloc() in /* do something */ free(x) f () = let x = malloc() in f (); free(x) 3

4 Total memory-leak freedom n A program consumes bounded number of memory cells even when it does not terminate h() = let x = malloc() in let y = malloc() in free(x); free(y); h() h () = let x = malloc() in let y = malloc() in h ();free(x);free(y) Both are partially memory-leak free. h() is totally memory-leak free, but h () is not. 4

5 Goal n Verification of total memory-leak freedom n Important for nonterminating software such as Web servers and OS h() = h () = let x = malloc() in let x = malloc() in let y = malloc() in let y = malloc() in free(x);free(y);h() h (); free(x); free(y) 5

6 Previous work [Tan&Suenaga&Igarashi PPL2015] n Behavioral type system Ø Type system for abstracting the behavior of a program Ø Sequential processes are used as types Ø Types describe the number and the order of allocations, deallocations, and recursive calls n Estimating an upper bound of memory cells consumed by a program based on an inferred type 6

Overview of previous work Input programs h

in free(x); free(y); h (); Behavioral type

Model Checker n Fail Unknown Check whether

7 Overview of previous work Input programs h () = let x = malloc() in let y = malloc() in free(x); free(y); h (); Behavioral type system Encode types with n as C program Success Totally memoryleak free µα.malloc;malloc;free;free;α Behavioral types Model Checker n Fail Unknown Check whether the number of memory consumption exceeds n or not 7

8 Problem in previous work Imprecise abstraction due to branches ifnull (*x) then s 1 else s 2 : Executes s 1 if *x is null, s 2 otherwise h1(x) = let y = malloc() in ifnull(*x) then let x1 = malloc() in *y çx1 else skip; ifnull(*x) then free(*y) else skip; free(y); previous behavioral type system malloc;(malloc+0);(free+0); free malloc+0: Executing malloc at most once 8

9 Problem in previous work Although function h1 is a memory-leak free program, we cannot conclude it from this type malloc;malloc;0;free malloc;(malloc+0);(free+0); free This type loses information about if-guard part 9

10 Our solution Introducing path-sensitive behavioral types to deal with branch statements Ø (*x)(p 1, P 2 ) means execution of P 1 or P 2 depending on *x is null or not h1(x) = let y = malloc() in ifnull(*x) then let x1 = malloc() in *y çx1 else skip; ifnull(*x) then free(*y) else skip; free(y); path-sensitive behavioral type system malloc;(*x)(malloc, 0);(*x)(free, 0);free 10

11 Our solution We can conclude h1 is a memory-leak free program from this type if *x is a null pointer, behaves like malloc;malloc;free;free otherwise like malloc;0;0;free malloc;(*x)(malloc, 0);(*x)(free, 0);free Requires *x not to change between two branches 11

Overview of current work Current work Input programs Type soundness proof and

system malloc;(*x)(malloc, 0);(*x)(free, 0);free Path-sensitive behavioral

çx1 else skip ; ifnull(*x) then free(*y) else skip; free(y); Future work

12 Overview of current work Current work Input programs Type soundness proof and type inference algorithm are left for future work Extended behavioral type system malloc;(*x)(malloc, 0);(*x)(free, 0);free Path-sensitive behavioral types n h1(x) = let y = malloc() in ifnull(*x) then let x1 = malloc() in *y çx1 else skip ; ifnull(*x) then free(*y) else skip; free(y); Future work Encode types with n as C program Success Totally memoryleak free Model Checker Fail Unknown 12

13 Outline n Language n Extended behavioral type system n Overview of verification n Related work n Conclusion n Future work 13

14 Language x,y, z,... (variables) Var s (statements) ::= skip s 1 ;s 2 *x y f(x) let x = y in s let x = *y in s let x = null in s let x = malloc() in s free(x) const(*x)s ifnull(*x) then s 1 else s 2 d (proc. defs.) ::= { f (x 1,..., x n )s} D (definitions) ::= d 1... d n P (programs) ::= D, s 14

15 Outline n Language n Extended behavioral type system Ø Syntax of types Ø Type judgment Ø Typing rule for a program Ø OK n (P) n Overview of verification n Related Work n Conclusion n Future Work 15

16 Syntax of extended behavioral types n P (behavioral types) ::= 0 do-nothing P 1 ;P 2 malloc free (*x)(p 1, P 2 ) const(*x)p α µα.p sequential execution of P 1 and P 2 allocation of one memory cell deallocation execution of P 1 or P 2 depends on *x execution of P under constantness (*x) type variable recursion 16

17 Type judgment Θ; Γ s : P n Under Θ and Γ, the extracted behavior of s is P Ø Θ (function type environment) ::= {f 1 :ψ 1,...,f n :ψ n } Ø Γ (variable type environment) ::= {x 1,x 2,...,x n } Ø ψ (dependent function type) ::= (x)p 17

18 Example Θ; Γ, x s : P Θ; Γ let x = malloc() in s : malloc;p (T-Malloc) Θ; Γ, x let x1 = malloc() in *x ß x1 : malloc;0 Θ; Γ skip : 0 Θ; Γ, x, y ifnull(*y) then let x1 = malloc() in *x ß x1 else skip: (*y)(malloc,0) Θ; Γ, x s 1 : P 1 Θ; Γ, x s 2 : P 2 Θ; Γ, x ifnull(*x) then s 1 else s 2 : (*x)(p 1, P 2 ) (T-IfNull) 18

19 Typing rule for a program D : Θ Θ; D, s : P s : P Ø P represents the behavioral type of main statement s Ø In order to guarantee D, s, is totally memory-leak free, we use the predicate OK n (P) 19

20 OK n (P) n Definition: σ represents a sequence of actions such as malloc, free and other actions σ relation means P can perform actions σ and turn into P OK n (P) holds, if P P implies # malloc (σ) - # free (σ) n where # ρ (σ) is the number of ρ in σ. n Intuitively, at every running step, the number of memory cells a program consumes cannot exceed the number of cells it requires. 20

21 Outline n Language n Extended behavioral type system n Overview of verification n Related work n Conclusion n Future work 21

22 Overview of current work Insert constantness annotation Input programs Type soundness proof and type inference algorithm are left for future work Extended behavioral type system Future work Encode types with n as C program Success Totally memoryleak free Path-sensitive behavioral types Model Checker Current work n Fail Unknown 22

23 overview of verification let x = malloc() in let y = malloc() in ifnull(*y) then let x1 = malloc() in *x ß x1 else skip; /* do-something but not change the value of *y */ ifnull(*y) then free(*x) else skip free(x); free(y) let x = malloc() in let y = malloc() in const(*y) /* inserted by a programer */ ( ifnull(*y) then let x1 = malloc() in *x ß x1 else skip; /* do-something but not change the value of *y */ ifnull(*y) then free(*x) else skip ); free(x); free(y) Manually inserted by a programmer Future work: automated insertion 23

24 Overview of verification let x = malloc() in let y = malloc() in const(*y) ( ifnull(*y) then let x1 = malloc() in *x ß x1 else skip; /* do-something but not change the value of *y */ ifnull(*y) then free(*x) else skip ); free(x); free(y) Type inference of our type system P = malloc; malloc; const(*y)((*y)(malloc, 0); (*y)(free, 0)); free; free automatically abstracted by our current type system 24

F(); } else{ ; } F(); F(); int M() { n = n - 1; assert(n >= 0); } int randv() {

25 Overview of verification P = malloc; malloc; const(*y)((*y)(malloc, 0); (*y)(free, 0)); free; free with n Encoding by C Future work int y; M(); M(); y = randv(); if(y) { M(); } else { ; } if(y) { F(); } else{ ; } F(); F(); int M() { n = n - 1; assert(n >= 0); } int randv() { srand((unsigned)time(null)); return rand()%2; } Sucess Model Checker Fail void F() { n = n + 1 ; } OK n (P) holds Unknown 25

26 Outline n Language n Extended behavioral type system n Overview of verification n Related work n Conclusion n Future work 26

27 Related work n Behavioral type system are widely used for Ø Static verification of resource-usage [Igarashi&Kobayashi ACMTPLS 05],etc Ø Static verification of deadlock-freedom [Kobayashi Acta inf 05] n Static memory-leak freedom verification [Heine&Lam PLDI 03], [Suenaga&Kobayashi APLAS 09], etc Ø Partial memory-leak freedom Ø Lack of illegal accesses n Our previous behavioral type system[tan&suenaga&igarashi PPL2015] Ø Total memory-leak freedom 27

28 Conclusion n Path-sensitive behavioral type: describes more information of the behavior of a program 28

29 Future work n Type inference algorithm for our extended type system n Experiments n Automated insertion of constantness annotation 29

A Behavioral Type System for Memory-Leak Freedom. Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University

A Behavioral Type System for Memory-Leak Freedom Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University Introduction n Memory leaks are very serious problems Ø Applications stop working Ø System