Verification of RegionAnnotated Java Bytecodes - PowerPoint PPT Presentation
1 / 50
Title:
Verification of RegionAnnotated Java Bytecodes
Description:
Risk of illegal memory use. Possible solutions. Trust the ... Allocation sites. BYTECODE'05. Verification of Region-Annotated Java Bytecodes Cherem and Rugina ... – PowerPoint PPT presentation
Number of Views:251
Avg rating:3.0/5.0
Title: Verification of RegionAnnotated Java Bytecodes
1
Verification of Region-AnnotatedJava Bytecodes
- Sigmund Cherem and Radu Rugina
- Cornell University
- First Workshop on Bytecode Semantics,
Verification, Analysis and Transformation
2
Region-based Memory Management
- Regions for memory management
- Alternative to garbage collection
- Group objects in memory
- Remove all objects in region at once
- Appealing for real-time programs
- Automatic via Region Inference
3
Motivation
- Explicit deallocation
- Risk of illegal memory use
- Possible solutions
- Trust the region compiler
- Run-time checks
- Verification in the VM
- Want precision, modularity and efficiency
4
System Overview
Standard Java bytecodes
Region- annotated bytecodes
Jreg Compiler
JregVM (Region support)
Standard Verifier
5
System Overview
Certificates
Standard Java bytecodes
Region- annotated bytecodes
Jreg Compiler
Region Verifier
JregVM (Region support)
Standard Verifier
6
Region-Annotated Bytecodes
7
VM and Bytecode extensions
- VM extensions
- Separate region stack and locals
- Bytecode extensions
- Region creation and removal
- CREATE i
- REMOVE i
- Object and array allocation
- NEW_IN_R class_name i
- NEWARRAY_IN_R prim_type i
- ANEWARRAY_IN_R class_name i
- MULTINEWARRAY_IN_R type dim i
- Push region into region-stack
- PUSH_R i
8
Running Example
class Test Integer f static void
test() create r1 Integer y
new Integer(3) in r1 create r2
Test z new Test() in r2 z.f y
remove r1 int i z.f.intValue()
System.out.println(i) remove r2
9
Running Example
class Test Integer f static void
test() create r1 Integer y
new Integer(3) in r1 create r2
Test z new Test() in r2 z.f y
remove r1 int i z.f.intValue()
System.out.println(i) remove r2
r1
10
Running Example
class Test Integer f static void
test() create r1 Integer y
new Integer(3) in r1 create r2
Test z new Test() in r2 z.f y
remove r1 int i z.f.intValue()
System.out.println(i) remove r2
y
r1
11
Running Example
class Test Integer f static void
test() create r1 Integer y
new Integer(3) in r1 create r2
Test z new Test() in r2 z.f y
remove r1 int i z.f.intValue()
System.out.println(i) remove r2
y
r1
r2
12
Running Example
class Test Integer f static void
test() create r1 Integer y
new Integer(3) in r1 create r2
Test z new Test() in r2 z.f y
remove r1 int i z.f.intValue()
System.out.println(i) remove r2
y
r1
z
r2
13
Running Example
class Test Integer f static void
test() create r1 Integer y
new Integer(3) in r1 create r2
Test z new Test() in r2 z.f y
remove r1 int i z.f.intValue()
System.out.println(i) remove r2
y
r1
f
z
r2
14
Running Example
class Test Integer f static void
test() create r1 Integer y
new Integer(3) in r1 create r2
Test z new Test() in r2 z.f y
remove r1 int i z.f.intValue()
System.out.println(i) remove r2
f
z
r2
15
Running Example
class Test Integer f static void
test() create r1 Integer y
new Integer(3) in r1 create r2
Test z new Test() in r2 z.f y
remove r1 int i z.f.intValue()
System.out.println(i) remove r2
_at_!!_at_
f
z
r2
16
Verification Process
17
Verification Process
- Separate from basic verification
- Phase 1 Load-time verification
- Verify a method in isolation
- Check consistency with overridden methods
- Phase 2 Link-time verification
- Check consistency between caller and callee
18
Phase 1 Load Time Verification
- Dataflow analysis
- Abstraction
- Transfer functions
- Use of certificates
- Merge operation
Operand Stack
Frame Locals
Live Regions
19
Transfer functions
- Region bytecodes
- Create and remove
20
Transfer functions
- Region bytecodes
- Create and remove
CREATE r1
r1
21
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
22
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
r1
NEW_IN_R Test r1
r1
r1
23
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
- Standard bytecodes
- Load and store
24
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
- Standard bytecodes
- Load and store
r2
ASTORE 1
r2
25
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
- Standard bytecodes
- Load and store
- Field access
26
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
- Standard bytecodes
- Load and store
- Field access
r2
r2
GETFIELD Test/f LInteger
r2
27
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
- Standard bytecodes
- Load and store
- Field access
Certificates
? Region points-to information
f
r1
r2
r2
r2
GETFIELD Test/f LInteger
r1
r2
28
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
- Standard bytecodes
- Load and store
- Field access
29
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
- Standard bytecodes
- Load and store
- Field access
Certificates
? Region points-to information
f
r1
r2
r2
r1
r2
PUTFIELD Test/f LInteger
r2
30
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
- Standard bytecodes
- Load and store
- Field access
- Method invocation
31
Transfer functions
- Region bytecodes
- Create and remove
- Allocation sites
- Standard bytecodes
- Load and store
- Field access
- Method invocation
Certificates
? Return-value information
s ? r2
r2
r1
r1
s INVOKEVIRTUAL Test/foo()LTest
r2
r2
r1
32
Merge operation
- Region lattice
- Operands point-wise merge of regions
- Live set must be equal
T
r4
r1
r2
r3
?
r4
?
r4
r2
r3
r3
r3
T
r3
r1
r1
r1
r1
r1
r1
33
Verification Example
- Accessing dead region
- in bytecodes
remove r1 int i z.f.intValue()
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer INVOKEVIRTUAL
java/lang/Integer/intValue()I
34
Verification Example
- Accessing dead region
- in bytecodes
remove r1 int i z.f.intValue()
r2
r1
r2
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer INVOKEVIRTUAL
java/lang/Integer/intValue()I
35
Verification Example
- Accessing dead region
- in bytecodes
remove r1 int i z.f.intValue()
r2
r2
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer INVOKEVIRTUAL
java/lang/Integer/intValue()I
36
Verification Example
- Accessing dead region
- in bytecodes
remove r1 int i z.f.intValue()
r2
r2
r2
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer INVOKEVIRTUAL
java/lang/Integer/intValue()I
37
Verification Example
- Accessing dead region
- in bytecodes
remove r1 int i z.f.intValue()
r2
r2
r1
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer INVOKEVIRTUAL
java/lang/Integer/intValue()I
38
Verification Example
- Accessing dead region
- in bytecodes
remove r1 int i z.f.intValue()
r2
r2
r1
Verification error r1 is not live
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer INVOKEVIRTUAL
java/lang/Integer/intValue()I
39
Verification Example
- What if?
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer CREATE r1 INVOKEVIRTUAL
java/lang/Integer/intValue()I
40
Verification Example
- What if?
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer CREATE r1 INVOKEVIRTUAL
java/lang/Integer/intValue()I
r2
r2
r1
41
Verification Example
- What if?
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer CREATE r1 INVOKEVIRTUAL
java/lang/Integer/intValue()I
r2
r1
r2
r1
42
Verification Example
- What if?
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer CREATE r1 INVOKEVIRTUAL
java/lang/Integer/intValue()I
T
r1
r2
T
43
Verification Example
- What if?
REMOVE r1 ALOAD 1 GETFIELD Test/f
Ljava/lang/Integer CREATE r1 INVOKEVIRTUAL
java/lang/Integer/intValue()I
T
Verification error Accessing a dangling
reference
r1
r2
T
44
Other Verification Details
- Phase 1 Additional load-time checks
- Method overriding
- Match signatures
- Static fields
- Exceptions
- Multithreading
- Phase 2 Link-time verification
- Verification of call sites
- Any region used in callee is live at call site
- Check for expected parameter regions
45
Experimental Results
46
Implementation Details
- Jreg Compiler
- Soot infrastructure
- Bytecode transformation
- Generation of certificates
- JregVM
- Kaffe VM Interpreter
- Region bytecode support
- Region verifier
- Benchmarks
- Olden benchmarks for Java
47
Certification Overhead
Benchmark Orig. Reg Certf Overhead bh 30 Kb
32 Kb 37 Kb 21 bisort 8 Kb 8 Kb 10 Kb
18 em3d 12 Kb 13 Kb 15 Kb 26 health 16
Kb 17 Kb 20 Kb 27 mst 12 Kb 12 Kb 15 Kb
26 perim 16 Kb 16 Kb 18 Kb 16 power 24
Kb 25 Kb 27 Kb 10 treeadd 5 Kb 5 Kb
6 Kb 14 tsp 11 Kb 11 Kb 12 Kb
13 voronoi 26 Kb 27 Kb 31 Kb 20
Average overhead 19 of application size
48
Verification Overhead
- Verification load (average)
- Methods analyzed 252
- Calls analyzed 448
- Time overhead (average)
- Region verification 0.08 s
- Standard verification 0.05 s
- Application runtime 216 s
49
Related Work
- Regions for Memory Management
- Inference
- Tofte and TalpinPOPL04 Henglein et al
PPDP01 - Chin et al PLDI04 Cherem and Rugina ISMM04
- Language support
- RCPLDI01, CyclonePLDI02, RegJava98, RTSJ
AW00 - Verification
- Standard bytecode verification
- GoslingIR95, Lindholm and Yellin AW99
WWW95 - Proof-carrying approach
- Necula POPL97 Rose and Rose OOPSLA98
- Klein and Nipkow CCPE01 Wildmoser et
alTCS04
50
Conclusions
- Region-annotated bytecodes
- Flexible region lifetimes
- Allow dangling references
- Region-verification process
- Guarantees memory safety
- Modular design
- Low run-time overhead
- No need for run-time checks
Recommended
CrystalGraphics Presentations
