Changeset 16915b1 for doc


Ignore:
Timestamp:
Aug 11, 2024, 10:52:44 AM (4 months ago)
Author:
Peter A. Buhr <pabuhr@…>
Branches:
master
Children:
f22d100
Parents:
5ca5263
Message:

proofread intro chapter and add citation

Location:
doc/theses/mike_brooks_MMath
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • doc/theses/mike_brooks_MMath/intro.tex

    r5ca5263 r16915b1  
    11\chapter{Introduction}
    22
    3 All modern programming languages provide three high-level containers (collection): array, linked-list, and string.
    4 Often array is part of the programming language, while linked-list is built from pointer types, and string from a combination of array and linked-list.
    5 For all three types, there is some corresponding mechanism for iterating through the structure, where the iterator flexibility varies with the kind of structure and ingenuity of the iterator implementor.
     3All modern programming languages provide three high-level containers (collections): array, linked-list, and string.
     4Often array is part of the programming language, while linked-list is built from (recursive) pointer types, and string from a combination of array and linked-list.
     5For all three types, languages supply varying degrees of high-level mechanism for manipulating these objects at the bulk level and at the component level, such as array copy, slicing and iterating.
     6
     7This work looks at extending these three foundational container types in the programming language \CFA, which is a new dialect of the C programming language.
     8A primary goal of \CFA~\cite{Cforall} is 99\% backward compatibility with C, while maintaining a look and feel that matches with C programmer experience and intuition.
     9This goal requires ``thinking inside the box'' to engineer new features that ``work and play'' with C and its massive legacy code-base.
     10An additional goal is balancing good performance with safety.
    611
    712
    813\section{Array}
    914
    10 An array provides a homogeneous container with $O(1)$ access to elements using subscripting (some form of pointer arithmetic).
     15An array provides a homogeneous container with $O(1)$ access to elements using subscripting.
    1116The array size can be static, dynamic but fixed after creation, or dynamic and variable after creation.
    1217For static and dynamic-fixed, an array can be stack allocated, while dynamic-variable requires the heap.
    13 Because array layout has contiguous components, subscripting is a computation.
    14 However, the computation can exceed the array bounds resulting in programming errors and security violations~\cite{Elliott18, Blache19, Ruef19, Oorschot23}.
    15 The goal is to provide good performance with safety.
     18Because array layout has contiguous components, subscripting is a computation (some form of pointer arithmetic).
    1619
    1720
    1821\section{Linked list}
    1922
    20 A linked-list provides a homogeneous container often with $O(log N)$/$O(N)$ access to elements using successor and predecessor operations.
     23A linked-list provides a homogeneous container often with $O(log N)$/$O(N)$ access to elements using successor and predecessor operations that normally involve pointer chasing.
    2124Subscripting by value is sometimes available, \eg hash table.
    2225Linked types are normally dynamically sized by adding/removing nodes using link fields internal or external to the elements (nodes).
    2326If a programming language allows pointer to stack storage, linked-list types can be allocated on the stack;
    24 otherwise, elements are heap allocated and explicitly/implicitly managed.
     27otherwise, elements are heap allocated with explicitly/implicitly managed.
    2528
    2629
     
    2831
    2932A string provides a dynamic array of homogeneous elements, where the elements are often human-readable characters.
    30 What differentiates a string from other types in that its operations work on blocks of elements for scanning and changing the elements, rather than accessing individual elements, \eg @index@ and @substr@.
     33What differentiates a string from other types in that its operations work on blocks of elements for scanning and changing, \eg @index@ and @substr@.
    3134Subscripting individual elements is often available.
    32 Often the cost of string operations is less important than the power of the operations to accomplish complex text manipulation, \eg search, analysing, composing, and decomposing.
     35Therefore, the cost of string operations is less important than the power of the operations to accomplish complex text manipulation, \eg search, analysing, composing, and decomposing.
    3336The dynamic nature of a string means storage is normally heap allocated but often implicitly managed, even in unmanaged languages.
     37Often string management is separate from heap management, \ie strings roll their own heap.
    3438
    3539
    3640\section{Motivation}
    3741
    38 The goal of this work is to introduce safe and complex versions of array, link lists, and strings into the programming language \CFA~\cite{Cforall}, which is based on C.
    39 Unfortunately, to make C better, while retaining a high level of backwards compatibility, requires a significant knowledge of C's design.
    40 Hence, it is assumed the reader has a medium knowledge of C or \CC, on which extensive new C knowledge is built.
     42The primary motivation for this work is two fold:
     43\begin{enumerate}[leftmargin=*]
     44\item
     45These three aspects of C are extremely difficult to understand, teach, and get right because they are correspondingly extremely low level.
     46Providing higher-level versions of these containers in \CFA is a major component of the primary goal.
     47\item
     48These three aspects of C cause the greatest safety issues because there are few or no safe guards when a programmer misunderstands or misuses these features~\cite{Elliott18, Blache19, Ruef19, Oorschot23}.
     49Estimates suggest 50\%~\cite{Mendio24} of total reported open-source vulnerabilities occur in C resulting from errors using these facilities (memory errors), providing the major hacker attack-vectors.
     50\end{enumerate}
     51Both White House~\cite{WhiteHouse24} and DARPA~\cite{DARPA24} recently released a recommendation to move away from C and \CC, because of cybersecurity threats exploiting vulnerabilities in these older languages.
     52Hardening these three types goes a long way to make the majority of C programs safer.
     53
     54
     55While multiple new languages purport to be systems languages replacing C, the reality is that rewriting massive C code-bases is impractical and a non-starter if the new runtime uses garage collection.
     56Furthermore, these languages must still interact with the underlying C operating system through fragile, type-unsafe, interlanguage-communication.
     57Switching to \CC is equally impractical as its complex and interdependent type-system (\eg objects, inheritance, templates) means idiomatic \CC code is difficult to use from C, and C programmers must expend significant effort learning \CC.
     58Hence, rewriting and retraining costs for these languages can be prohibitive for companies with a large C software-base (Google, Apple, Microsoft, Amazon, AMD, Nvidia).
    4159
    4260
     
    4664However, most programming languages are only partially explained by standard's manuals.
    4765When it comes to explaining how C works, the definitive source is the @gcc@ compiler, which is mimicked by other C compilers, such as Clang~\cite{clang}.
    48 Often other C compilers must mimic @gcc@ because a large part of the C library (runtime) system contains @gcc@ features.
    49 While some key aspects of C need to be explained by quoting from the language reference manual, to illustrate definite program semantics, I devise a program, whose behaviour exercises the point at issue, and shows its behaviour.
     66Often other C compilers must mimic @gcc@ because a large part of the C library (runtime) system (@glibc@ on Linux) contains @gcc@ features.
     67While some key aspects of C need to be explained by quoting from the language reference manual, to illustrate definite program semantics, my approach in this thesis is to devise a program, whose behaviour exercises a point at issue, and shows its behaviour.
    5068These example programs show
    51 \begin{itemize}
    52         \item the compiler accepts or rejects certain syntax,
     69\begin{itemize}[leftmargin=*]
     70        \item if the compiler accepts or rejects certain syntax,
    5371        \item prints output to buttress a claim of behaviour,
    54         \item executes without triggering any embedded assertions testing pre/post-assertions or invariants.
     72        \item or executes without triggering any embedded assertions testing pre/post-assertions or invariants.
    5573\end{itemize}
    5674This work has been tested across @gcc@ versions 8--12 and clang version 10 running on ARM, AMD, and Intel architectures.
    5775Any discovered anomalies among compilers or versions is discussed.
    58 In all case, I do not argue that my sample of major Linux compilers is doing the right thing with respect to the C standard.
    59 
    60 
    61 \subsection{Ill-typed expressions}
    62 
    63 C reports many ill-typed expressions as warnings.
    64 For example, these attempts to assign @y@ to @x@ and vice-versa are obviously ill-typed.
    65 \lstinput{12-15}{bkgd-c-tyerr.c}
    66 with warnings:
    67 \begin{cfa}
    68 warning: assignment to 'float *' from incompatible pointer type 'void (*)(void)'
    69 warning: assignment to 'void (*)(void)' from incompatible pointer type 'float *'
    70 \end{cfa}
    71 Similarly,
    72 \lstinput{17-19}{bkgd-c-tyerr.c}
    73 with warning:
    74 \begin{cfa}
    75 warning: passing argument 1 of 'f' from incompatible pointer type
    76 note: expected 'void (*)(void)' but argument is of type 'float *'
    77 \end{cfa}
    78 with a segmentation fault at runtime.
    79 Clearly, @gcc@ understands these ill-typed case, and yet allows the program to compile, which seems inappropriate.
    80 Compiling with flag @-Werror@, which turns warnings into errors, is often too strong, because some warnings are just warnings, \eg unsed variable.
    81 In the following discussion, ``ill-typed'' means giving a nonzero @gcc@ exit condition with a message that discusses typing.
    82 Note, \CFA's type-system rejects all these ill-typed cases as type mismatch errors.
    83 
    84 % That @f@'s attempt to call @g@ fails is not due to 3.14 being a particularly unlucky choice of value to put in the variable @pi@.
    85 % Rather, it is because obtaining a program that includes this essential fragment, yet exhibits a behaviour other than "doomed to crash," is a matter for an obfuscated coding competition.
    86 
    87 % A "tractable syntactic method for proving the absence of certain program behaviours by classifying phrases according to the kinds of values they compute"*1 rejected the program.
    88 % The behaviour (whose absence is unprovable) is neither minor nor unlikely.
    89 % The rejection shows that the program is ill-typed.
    90 %
    91 % Yet, the rejection presents as a GCC warning.
    92 % *1  TAPL-pg1 definition of a type system
     76In all case, it is never clear whether the \emph{truth} lies in the compiler or the C standard.
    9377
    9478
  • doc/theses/mike_brooks_MMath/string.tex

    r5ca5263 r16915b1  
    11\chapter{String}
    22
    3 \section{String}
     3
     4
     5
    46
    57\subsection{Logical overlap}
  • doc/theses/mike_brooks_MMath/uw-ethesis.bib

    r5ca5263 r16915b1  
    114114    pages       = {53-60},
    115115}
     116
     117
     118@misc{Mendio24,
     119    contributer = {pabuhr@plg},
     120    title       = {What are the most secure programming languages?},
     121    author      = {Mend.io (White Source Ltd.)},
     122    year        = 2024,
     123    howpublished= {\url{https://www.mend.io/most-secure-programming-languages}},
     124}
Note: See TracChangeset for help on using the changeset viewer.