Semantic Type Qualifiers - PowerPoint PPT Presentation

1
Semantic Type Qualifiers
  • Chien-Huei Chen
  • Huseyin Sinecan
  • 05.18.2006

2
Type Systems
  • A natural discipline
  • Specify properties
  • Checking properties
  • Problem
  • Statically checks properties
  • Augmenting properties of types
  • Program designers cannot estimate everything
  • Qualifiers (no need to add many annotations)

3
The Clarity Project
  • A novel framework for user-defined type
    qualifiers for C programs
  • It provides a declarative language in which users
    can define new qualifiers
  • An extensible typechecker employs these
    user-defined rules to automatically check
    annotated C programs.
  • (University of California, Los Angeles)

4
The Cqual Project
  • A tool for adding type qualifiers to C
  • Same purpose as Clarity
  • Uses a fixed set of type rules across all type
    refinements
  • Not expressive enough to handle many common
    situations

5
Where to use qualifiers
  • Deadlock detection
  • Format-String Vulnerability Detection: by using a
    tainted qualifier to mark untrusted data and by
    requiring that printf-like functions take
    untainted data
  • const Inference: the qualifier const is used in
    ANSI C programs to state that certain names will
    not be used to write to a location
  • Ex: foo(const int x)
  • Goal: infer additional const annotations

6
Classes of qualifiers
  • The Clarity framework supports 2 common types of
    qualifiers
  • Value qualifiers (pertain to the value)
      • pos
      • nonnull
  • Reference qualifiers (pertain to the address)
      • unique
      • unaliased

7
pos qualifier
  • A user-defined type qualifier and associated type
    rules for positive integers:

        value qualifier pos(int Expr E)
          case E of
            decl int Const C;
              C, where C > 0
            decl int Expr E1, E2;
              E1 + E2, where pos(E1) && pos(E2)
            decl int Expr E1;
              -E1, where neg(E1)
          invariant Value(E) > 0

8
A type qualifier for unaliased variables

        ref qualifier unaliased(T Var X)
          ondecl
          disallow &X
          invariant forall T* P. P != location(X)

  • Indicates a property of the variable's address, not its value
  • ondecl: can be given at declaration
  • disallow: the variable cannot have its address taken

9
Sample Example
  • A nonzero qualifier built on pos and neg, with a
    restrict rule that only allows division by a
    nonzero divisor:

        qualifier nonzero(int Expr E)
          case E of
            decl int Const C;
              C, where C != 0
            decl int Expr E1;
              E1, where pos(E1)
            decl int Expr E1;
              E1, where neg(E1)
            decl int Expr E;
              -E, where nonzero(E)
            decl int Expr E1, E2;
              E1 * E2, where nonzero(E1) && nonzero(E2)
          restrict
            decl int Expr E1, E2;
              E1 / E2, where nonzero(E2)
          invariant Value(E) != 0

  • Code checked against it:

        int y0 = 20;
        int z0;
        z0 = x / y0;
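As an added example (not Clarity's own code), the following Python checker applies the `case E of` rules for pos, neg and nonzero from the pos slide and this one to an expression tree and enforces the restrict rule on division; neg is assumed to mirror pos, since the slides use it without defining it, and the inputs are constructed.

```python
# Added example, not Clarity's own code: apply the slides' `case E of` rules
# for pos / neg / nonzero to an expression tree, then enforce the `restrict`
# rule that E1 / E2 is allowed only where nonzero(E2).  Expression tuples:
#   ("const", c) | ("var", name, quals) | ("neg", e) | (op, e1, e2) with op in "+*/"
# Assumption: neg mirrors pos (C < 0, E1 + E2 where neg && neg, -E1 where pos(E1)).

def qualifiers(e):
    """Set of qualifier names the case rules derive for e (purely syntactic)."""
    kind, q = e[0], set()
    if kind == "const":
        if e[1] > 0:
            q.add("pos")                          # C, where C > 0
        elif e[1] < 0:
            q.add("neg")
    elif kind == "var":
        q |= set(e[2])                            # qualifiers on the declaration
    elif kind == "neg":
        inner = qualifiers(e[1])
        if "neg" in inner:
            q.add("pos")                          # -E1, where neg(E1)
        if "pos" in inner:
            q.add("neg")
        if "nonzero" in inner:
            q.add("nonzero")                      # -E, where nonzero(E)
    elif kind in ("+", "*"):
        both = qualifiers(e[1]) & qualifiers(e[2])
        # E1 + E2 where pos(E1) && pos(E2); E1 * E2 where nonzero(E1) && nonzero(E2)
        q |= both & ({"pos", "neg"} if kind == "+" else {"nonzero"})
    if q & {"pos", "neg"}:                        # E1 where pos(E1); E1 where neg(E1)
        q.add("nonzero")
    return q

def check(e):
    """Restrict-rule violations in e, reported as Clarity-style messages."""
    errors = []
    if e[0] in ("+", "*", "/"):
        if e[0] == "/" and "nonzero" not in qualifiers(e[2]):
            errors.append(f"Expression {e[2]} breaks rule 'E1 / E2 where "
                          f"nonzero(E2)' under qualifier nonzero")
        errors += check(e[1]) + check(e[2])
    elif e[0] == "neg":
        errors += check(e[1])
    return errors

# Constructed inputs shaped like slide 9's z0 = x / y0: dividing by the
# constant 20 is accepted, dividing by an unqualified int variable y is not.
X = ("var", "x", set())
ACCEPTED = ("/", X, ("const", 20))
REJECTED = ("/", X, ("var", "y", set()))
```

Note that 1 + (-1) gets no qualifier at all: the rules are syntactic and the sum rule only fires when both operands carry the same sign, which is exactly why the nonzero qualifier uses a product rule rather than a sum rule.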

10
Example 1: nonnull
  • A value qualifier for pointers known not to be null:

        qualifier nonnull(T* Expr E)
          case E of
            decl T LValue X;
              &X
            new
          restrict
            decl T* Expr E;
              *E, where nonnull(E)
          invariant Value(E) != null

11
Example 1 (cont.)
  • In the original link_list.c (lines 158-160):

        struct list_head *first = list->next;
        struct list_head *last = list->prev;
        struct list_head *at = head->next;

  • Compiled with the nonnull qualifier:

        Expression list->next breaks rule 'Restricts Dref(WCExpr(E)) where Qual(nonnull, E)' under qualifier nonnull at examples/link_list.c:158

12
Example 1 (cont.)
  • In order to get rid of all the errors, we first
    try to add a nonnull qualifier to the function's
    parameter:

        void list_add(struct list_head *new,
                      struct list_head __attribute__((nonnull)) *head)
        {
            __list_add(new, head, head->next);
        }

13
Example 1 (cont.)
  • Mail from one of the authors: There is also a
    notion of "reference qualifiers" for talking
    about properties of memory locations. However,
    reference qualifiers are not very well developed
    at this point and are very difficult to use in a
    practical way in the current framework, due to
    its flow insensitivity.

14
Example 2: locked and unlocked
  • Original example file: f takes o's lock and then
    calls g, which tries to take the same lock again

        void f(struct obj *o)
        {
            acquire_lock(o->lock);
            do_stuff(o);
            g(o);
            release_lock(o->lock);
        }

        void g(struct obj *o)
        {
            if (1) {
                acquire_lock(o->lock);   /* bug: deadlock */
                do_stuff(o);
                release_lock(o->lock);
            }
        }

15
Example 2 (cont.)
  • Annotated version: o is declared unlocked, lock_o is
    the locked view obtained after acquire_lock, and
    g's parameter is declared unlocked

        void f(struct obj __attribute__((unlocked)) *o)
        {
            struct obj __attribute__((locked)) *lock_o;
            acquire_lock(o->lock);
            lock_o = castto(o, struct obj __attribute__((locked)) *);
            do_stuff(o);
            g(lock_o);
            release_lock(o->lock);
        }

        void g(struct obj __attribute__((unlocked)) *o)
        {
            struct obj __attribute__((locked)) *lock_o;
            if (1) {
                acquire_lock(o->lock);   /* bug: deadlock */
                lock_o = castto(o, struct obj __attribute__((locked)) *);
                do_stuff(o);
                release_lock(o->lock);
            }
        }

16
Example 2 (cont.)
  • Checker output for the annotated version:

        g(lock_o) do not match with function type void (struct dummy __attribute__((__unlocked__)) *o ) at examples/deadlock.c:32
        Total Errors: 1