Research article, Open Access

Permchecker: a toolchain for debugging memory managers with typestate

Published: 15 October 2021

Abstract

Dynamic memory managers are a crucial component of almost every modern software system. In addition to implementing efficient allocation and reclamation, memory managers provide the essential abstraction of memory as distinct objects, which underpins the properties of memory safety and type safety. Bugs in memory managers, while not common, are extremely hard to diagnose and fix. One reason is that their implementations often involve tricky pointer calculations, raw memory manipulation, and complex memory state invariants. While these properties are often documented, they are not specified in any precise, machine-checkable form. A second reason is that memory manager bugs can break the client application in bizarre ways that do not immediately implicate the memory manager at all. A third reason is that existing tools for debugging memory errors, such as Memcheck, cannot help because they rely on correct allocation and deallocation information to work.

In this paper we present Permchecker, a tool designed specifically to detect and diagnose bugs in memory managers. The key idea in Permchecker is to make the expected structure of the heap explicit by associating typestates with each piece of memory. Typestate captures elements of both type (e.g., page, block, or cell) and state (e.g., allocated, free, or forwarded). Memory manager developers annotate their implementation with information about the expected typestates of memory and how heap operations change those typestates. At runtime, our system tracks the typestates and ensures that each memory access is consistent with the expected typestates. This technique detects errors quickly, before they corrupt the application or the memory manager itself, and it often provides accurate information about the reason for the error.

The implementation of Permchecker uses a combination of compile-time annotation and instrumentation, and dynamic binary instrumentation (DBI). Because the overhead of DBI is fairly high, Permchecker is suitable for a testing and debugging setting and not for deployment. It works on a wide variety of existing systems, including explicit malloc/free memory managers and garbage collectors, such as those found in JikesRVM and OpenJDK. Since bugs in these systems are not numerous, we developed a testing methodology in which we automatically inject bugs into the code using bug patterns derived from real bugs. This technique allows us to test Permchecker on hundreds or thousands of buggy variants of the code. We find that Permchecker effectively detects and localizes errors in the vast majority of cases; without it, these bugs result in strange, incorrect behaviors usually long after the actual error occurs.
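To make the typestate idea from the abstract concrete, here is a small added example (not Permchecker's code; all names are hypothetical and the heap, cell layout and bug scenario are constructed): a toy heap keeps one shadow typestate per cell, heap operations are checked transitions between typestates, and every client store must land on a cell that is currently allocated, so a double free, a use after free, and a write through a stale pointer into a forwarded cell are each flagged at the offending operation rather than surfacing later as corruption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed toy heap: NCELLS cells of CELL_SIZE bytes plus one shadow typestate
 * per cell. Hypothetical names; a sketch of the idea, not Permchecker's own code. */
#define CELL_SIZE 16
#define NCELLS 8
typedef enum { TS_FREE = 0, TS_ALLOCATED, TS_FORWARDED } typestate_t;

static uint8_t heap[NCELLS * CELL_SIZE];
static typestate_t shadow[NCELLS];   /* expected typestate of each cell */
static int violations;
static int cell_of(const void *p) {
    uintptr_t off = (uintptr_t)p - (uintptr_t)heap;
    return off < sizeof heap ? (int)(off / CELL_SIZE) : -1;
}
/* Report unless p lies in a cell whose current typestate is 'want'; the error surfaces at the operation itself. */
static int expect(const void *p, typestate_t want, const char *op) {
    int c = cell_of(p);
    if (c >= 0 && shadow[c] == want) return 1;
    violations++;
    fprintf(stderr, "%s: cell %d in state %d, expected %d\n",
            op, c, c < 0 ? -1 : (int)shadow[c], (int)want);
    return 0;
}

/* Heap operations are typestate transitions, legal only from 'from'. */
static int transition(void *p, typestate_t from, typestate_t to, const char *op) {
    if (!expect(p, from, op)) return 0;
    shadow[cell_of(p)] = to;
    return 1;
}
void *ts_alloc(int c) { void *p = &heap[c * CELL_SIZE]; return transition(p, TS_FREE, TS_ALLOCATED, "alloc") ? p : NULL; }
void ts_free(void *p)    { transition(p, TS_ALLOCATED, TS_FREE, "free"); }
void ts_forward(void *p) { transition(p, TS_ALLOCATED, TS_FORWARDED, "forward"); } /* copying GC moved the object */
void ts_store(void *p, uint8_t v) { if (expect(p, TS_ALLOCATED, "store")) *(uint8_t *)p = v; } /* client access */

/* Constructed scenario with three bugs; returns how many the checker flagged. */
int run_scenario(void) {
    memset(shadow, 0, sizeof shadow); violations = 0;
    void *a = ts_alloc(0), *b = ts_alloc(1);
    ts_store(a, 1);   /* legal: cell 0 is ALLOCATED */
    ts_free(a);
    ts_free(a);       /* double free: cell 0 is already FREE */
    ts_store(a, 2);   /* use after free */
    ts_forward(b);
    ts_store(b, 3);   /* stale pointer into a FORWARDED cell */
    return violations;
}
```

Each flagged operation also refuses to touch the heap, so the one legal store is the only byte that lands; a real checker would additionally track the type part of the typestate (page, block, cell) and derive transitions from the developer's annotations.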


Supplemental Material

Auxiliary Presentation Video

This is a presentation of our talk at OOPSLA 2021 about debugging memory errors observed in memory managers. Dynamic memory managers are a crucial component of almost every modern software system. Bugs in memory managers are extremely hard to diagnose and fix. One reason is that their implementations often involve tricky pointer calculations, raw memory manipulation, and complex memory state invariants. A second reason is that memory manager bugs can break the client application in bizarre ways. In this talk we present Permchecker, a tool designed to detect and diagnose bugs in memory managers. The key idea in Permchecker is to make the structure of the heap explicit by associating typestates with each piece of memory. Typestate captures both type (e.g., page, block, or cell) and state (e.g., allocated, free, or forwarded). Memory manager developers annotate their code with information about the expected typestates of memory and how heap operations change those typestates.

