M. Siff, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE), pages 180--198. Springer-Verlag, 1999.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....can reason about casts between various structure types by considering the physical layout of memory. Our example in Section 2 would fail to type check in their system for the same reason that we must mark some of the pointers DYNAMIC: its safety cannot be guaranteed at compile time. Si et al. [24] identify that many casts in C programs are safe upcasts and present a tool to check such casts. The programming languages CLU [17] Cedar Mesa [16] and Modula f2 ,3g [5] include similar notions of a dynamic type and a typecase statement. This idea can also be seen in CAML s exception type [22] ....

M. Si, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In

.... y p but we do not have y p x p, so our deductions are unsound. We leave as future work the solution to these problems. We believe that the best solution will be to combine techniques that attempt to recover the semantic behavior of casts with conservative alias analysis for ill behaved casts [12, 36, 37]. 4.3 Variable Argument Functions C allows functions to have a variable number of arguments, through the varargs language feature. However, there is no obvious way of specifying constraints on the individual varargs: even their type is not fixed. For example, in the expression sprintf(s, s , ....

Michael Siff, Satish Chandra, Thomas Ball, Thomas Reps, and Krishna Kunchithapadam. "Coping With Type Casts in C." In ACM Conference on Foundations of Software Engineering (FSE), September 1999.

....PCC automatically, but only for programs written in certain safe source languages. The main contributions of the paper are: An improved typestate checking system that allows us to perform safety checking on untrusted machine code that implements inheritance polymorphism via physical subtyping [24]. This work introduces a new method for coping with subtyping in the presence of mutable pointers (Section 3) A mechanism for summarizing the effects of function calls via safety pre and post conditions. These summaries allow our analysis to stop at trusted boundaries. They form a first step ....

....int(24:1:7) to g2 after the execution of the load instruction. This preserves the fact that the lowest 8 bits of g2 store a signed character (i.e. an int(0:1:7) 3. 2 A Subtyping Relation We now introduce a notion of subtyping on type expressions, adopted from the physical subtyping system of [24], which takes into account the layout of aggregate fields in memory. Figure 3 lists the rules that define when a type t is a physical subtype of t (denoted by t : t ) 1 In Figure 3, the rules [Top] Bottom] Ground] Pointer] and [Array] are our additions to the physical subtyping system ....

[Article contains additional citation context not shown here]

M. Siff, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. Seventh European Software Engineering Conference and Seventh ACM SIGSOFT Symposium on the Foundations of Software Engineering. Toulouse, France. (September 1999).

No context found.

M. Siff, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. Seventh European Software Engineering Conference and Seventh ACM SIGSOFT Symposium on the Foundations of Software Engineering. Toulouse, France (September 1999).

....is tagged with run time type int while its value is being assigned to a pointer (tmp) 2.3 Using Structures to Simulate Inheritance C is not an object oriented language, and therefore has no classes. However, programmers often try to simulate some of the features of classes using structures [4]. For example, the following declarations might be used to simulate the declaration of a superclass Sup and a subclass Sub: struct Sup int a1; int a2; struct Sub int b1; int b2; char b3; A function might be written to perform some operation on objects of the superclass: void f ( ....

M. Si#, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In Proc. of ESEC/FSE '99: Seventh European Softw. Eng. Conf. and Seventh ACM SIGSOFT Symp. on the Found. of Softw. Eng., pages 180--198, September 1999.

....to using typestates to distinguish initialized values from uninitialized ones, we also use typestates to track pointers. 4. We propose a typestate checking system that allows us to perform safetychecking on untrusted machine code that implements inheritance polymorphism via physical subtyping [76]. This work introduces a new method for coping with subtyping in the presence of mutable pointers. 5. We introduce a mechanism for summarizing the effects of function calls via safety pre and post conditions. These summaries allow our analysis to stop at trusted boundaries. They form a first ....

....With this approach, each use of a register or memory location at a given occurrence of an instruction is resolved to a polymorphic type (i.e. a supertype of the acceptable values) 4.1.1.1 Type Expressions. The type component of our type system is based on the physical type system of Siff et al. [76]. Figure 4.1 shows the language of type expressions used in the typestate system. Compared with the type system of Siff et al., our typestate system additionally includes (i) bit level representations of integer types, ii) top and bottom types that are parameterized with a size parameter, iii) ....

M. Siff, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. Seventh European Software Engineering Conference and Seventh ACM SIGSOFT Symposium on the Foundations of Software Engineering. Toulouse, France (September 1999).

....as if it were an int. This type inconsistency would be detected by our tool (but not by either Purify or Safe Pointers) This programming style is common, for example, in networking code, where message headers for di#erent kinds of packet formats are handled in a manner similar to the above example[7]. 3 Implementation Our debugging tool comprises two major components: a compiler front end that instruments the program, and a run time system that tracks the dynamic type associated with each memory location. The run time component is currently implemented by storing type information in a ....

M. Si#, S. Chandra, T. Ball, K. Kunchithapadam, T. Reps. Coping with type casts in C. In Proceedings of ESEC/FSE '99: Seventh European Software Engineering Conference and Seventh ACM SIGSOFT Symposium on the Foundations of Software Engineering (Toulouse, France, Sept. 6-10, 1999), pp. 180-198.

....is annotated with run time type int, and its value is being assigned to a pointer (tmp) 2.3 Using Structures to Simulate Inheritance C is not an object oriented language, and therefore has no classes. However, programmers often try to simulate some of the features of classes using structures[16]. For example, the following declarations might be used to simulate the declaration of a superclass Sup and a subclass Sub: struct Sup int a1; int a2; struct Sub int b1; int b2; char b3; A function might be written to perform some operation on objects of the superclass: void f( ....

M. Si#, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In Proc. of ESEC/FSE '99: Seventh European Softw. Eng. Conf. and Seventh ACM SIGSOFT Symp. on the Found. of Softw. Eng., pages 180--198, September 1999.

....the same size as Point. This idiom is prevalent in several large systems that we have analyzed with our tools (described in Sect. 4) most notably telephone and gcc. Due to space limitations, another interesting inheritance idiom flattening is not discussed here. The reader is directed to [10] for more details. typedef struct f . g Point; typedef struct f color c; g AuxColor; typedef struct f Point p; AuxColor aux; g ColorPoint; typedef struct f char name[10] g AuxName; typedef struct f Point p; AuxColor aux; AuxName aux2; g NamedColorPoint; Fig. 2. A class hierarchy in ....

....limitations, another interesting inheritance idiom flattening is not discussed here. The reader is directed to [10] for more details. typedef struct f . g Point; typedef struct f color c; g AuxColor; typedef struct f Point p; AuxColor aux; g ColorPoint; typedef struct f char name[10]; g AuxName; typedef struct f Point p; AuxColor aux; AuxName aux2; g NamedColorPoint; Fig. 2. A class hierarchy in C 2.2 Class hierarchies It is not uncommon to find implicit class hierarchies in C programs using one or more of the inheritance idioms discussed above. One interesting ....

M. Siff, S. Chandra, T. Ball K. Kunchithapadam, and T. Reps. Coping with type casts in c. Technical Report BL0113590-990202-03, Lucent Technologies, Bell Laboratories, February 1999.

.... c points to a region in memory that contains a Clock structure followed by a Radio structure (and the fact that the size of Clock is such that no padding is required between fields clock and radio) Although this usage appears contrived, we have found it used frequently in production code (see [15]) These examples show that C programmers implicitly rely on the physical layout of structs in memory. This makes type checking difficult: a type checker that is based only on manifest types in the program would either be too conservative, or, like a C compiler, would permit potential run time ....

....and maintenance. Program kLOC Void Struct Struct Struct binutils 516 1109 188 xemacs 288 1662 70 gcc 208 410 137 telephone 110 126 430 bash 76 123 47 vortex 67 592 50 ijpeg 31 74 601 perl 27 101 15 xkernel 37 1882 179 Total 1360 6079 1717 Table 1: Count of casts in a suite of C programs [15] SPEC95 benchmarks gcc, ijpeg, perl, vortex, GNU utilities bash, binutils, xemacs, networking code xkernel, and portions from a Lucent Technologies s product code telephone. kLOC is the number of source lines (in thousands) The VoidStruct column gives the total number of casts in which a ....

[Article contains additional citation context not shown here]

M. Siff, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. Technical Report BL0113590-990202-03, Lucent Technologies, Bell Laboratories, February 1999. Available at http://www.bell-labs.com/~schandra/pubs/coping-tr.ps.

....Neither cc nor lint issues a warning for this program. An overly conservative type checker for C could disallow the cast from a value of type Point to a ColorPoint , regardless of whether the field color is dereferenced from pcp. Unfortunately, C programs contain casts with surprising frequency[SCKR99], and a type checker that disallows all casts would, in practice, outlaw too many programs. Example 2. Consider the code fragment in Figure 2. In this code, the cast (Radio ) converts a type Clock (the type of c 1 as the same as the type of c) to type Radio . This program would be declared ....

.... to a region in memory that contains a Clock structure followed by a Radio structure (and also on the fact that the size of Clock is such that no padding is required between the fields clock and radio) Although this usage appears contrived, we have found it used frequently in production code (see [SCKR99]) These examples show that C programmers implicitly rely on the physical layout of structs in memory. This makes type checking difficult: a type checker that is based only on manifest types in the program would either be too conservative, or, like a C compiler, would permit potential run time ....

[Article contains additional citation context not shown here]

M. Siff, S. Chandra, T. Ball K. Kunchithapadam, and T. Reps. Coping with type casts in C. Technical Report BL0113590-990202-03, Lucent Technologies, Bell Laboratories, February 1999. Available at http://www.bell-labs.com/~schandra/pubs/coping-tr.ps.

No context found.

M. Siff, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE), pages 180--198. Springer-Verlag, 1999.

No context found.

M. Siff, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE), pages 180--198. Springer-Verlag, 1999.

No context found.

M. Si#, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In 1999.

No context found.

M. Si#, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In 1999.

No context found.

M. Si#, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In 1999.

No context found.

M. Si#, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In Proc. of ESEC/FSE '99: Seventh European Softw. Eng. Conf. and Seventh ACM SIGSOFT Symp. on the Found. of Softw. Eng., pages 180--198, September 1999.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC