Tutorial overview: understanding dynamic memory management in safety critical java

HILT '12. Publication date: 2012-11-29. DOI: 10.1145/2402676.2402685
K. Nilsen
Citation count: 1

Abstract

In spite of the high-level abstraction benefits of automatic tracing garbage collection, current prevailing sentiment within the safety certification community is that a simpler memory model is required for the most rigorous levels of software safety certification. Thus, the draft JSR-302 specification for safety critical Java relies on scope-based memory allocation rather than tracing garbage collection. The scoped memory model for JSR-302 is a simplification of the RTSJ model. JSR-302 enforces a strict hierarchy of scopes and distinguishes private scopes, which can be seen only by one thread, from mission scopes, which can be accessed by all the threads that comprise a mission, including threads running within inner-nested sub-missions. The hierarchical memory structure allows implementations to guarantee the absence of memory fragmentation for scope management, unlike the Real-Time Specification for Java from which the JSR-302 specification was derived.

In the absence of block structure, it is more difficult in Java to safely manage references to stack-allocated objects than in Ada. While the simplified hierarchical management of scoped memory that is part of JSR-302 addresses memory fragmentation concerns, it does not guarantee the absence of dangling pointers. As with the Real-Time Specification for Java, JSR-302 requires a run-time check to enforce that no reference assignment creates a relationship whereby an outer-nested object is allowed to point to an inner-nested object. This rule assures the absence of dangling pointers, but it introduces a different problem: every assignment to a reference field must be accompanied by a run-time check to validate the appropriate scope nesting relationship. This run-time check will throw a run-time exception if the assignment is deemed inappropriate.

The safety certification evidence for a given safety-critical Java program must therefore include an argument for every reference assignment that it will not cause the program to abort with a run-time exception. Furthermore, the certification evidence must prove that sufficient memory is available to reliably execute each safety-critical task in the system.

This tutorial provides an overview of dynamic memory management in Safety Critical Java and describes two annotation systems that have been designed to support static (compile-time) enforcement of memory safety properties. The first annotation system is described in an appendix to the draft JSR-302 standard. This relatively simple annotation system, which is not considered normative, serves to demonstrate that memory safety can be statically proven without requiring extensive annotations throughout existing library code. The second annotation system is the system implemented in Perc Pico. This annotation system, which is much richer than the draft JSR-302 annotation, has been in experimental use for over five years. During that time, tens of thousands of lines of experimental application code have been developed, with the experience motivating a variety of refinements to the original design.
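To make the scope-nesting store check concrete, the following is an added toy model, not code from the tutorial or from any SCJ implementation: it models a strict scope hierarchy (immortal, mission, private) and the run-time check that rejects an assignment letting an outer-scope object reference an inner-scope object. The class names and the error type are assumptions; the error is named after the RTSJ exception of the same name but is defined locally here.

```java
/** Toy model of the JSR-302 reference-assignment (store) check; assumed names, not the SCJ API. */
public final class ScopeCheckDemo {
    /** Thrown when an assignment would let an outer-nested object point to an inner-nested one. */
    public static final class IllegalAssignmentError extends Error {
        IllegalAssignmentError(String msg) { super(msg); }
    }

    /** A memory area in the scope hierarchy; parent == null marks the outermost (immortal) area. */
    public static final class Scope {
        final String name; final Scope parent;
        Scope(String name, Scope parent) { this.name = name; this.parent = parent; }
        /** True if this scope is `other` or is nested (at any depth) inside `other`. */
        boolean isSameOrInner(Scope other) {
            for (Scope s = this; s != null; s = s.parent) if (s == other) return true;
            return false;
        }
    }

    /** An object allocated in a scope, with a single reference field. */
    public static final class Obj {
        final Scope area; Obj field;
        Obj(Scope area) { this.area = area; }
    }

    /** The store check: target.field = value is legal only if value lives in target's scope or an outer one. */
    static void assignField(Obj target, Obj value) {
        if (value != null && !target.area.isSameOrInner(value.area)) {
            throw new IllegalAssignmentError("object in scope '" + target.area.name
                + "' may not reference object in inner scope '" + value.area.name + "'");
        }
        target.field = value;
    }

    public static void main(String[] args) {
        Scope immortal = new Scope("immortal", null);
        Scope mission  = new Scope("mission", immortal);
        Scope privA    = new Scope("privateA", mission);   // one thread's private scope
        Scope privB    = new Scope("privateB", mission);   // a sibling private scope
        Obj missionObj = new Obj(mission), aObj = new Obj(privA), bObj = new Obj(privB);

        assignField(aObj, missionObj);   // inner -> outer: legal, outer object outlives the reference
        for (Obj[] bad : new Obj[][] { { missionObj, aObj }, { bObj, aObj } }) {
            try {                        // outer -> inner, and sibling -> sibling: both rejected
                assignField(bad[0], bad[1]);
            } catch (IllegalAssignmentError e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The certification argument the abstract calls for is exactly a proof, for each `assignField`-style site, that the rejected branch is unreachable; the two annotation systems the tutorial describes aim to discharge that proof statically instead of relying on the run-time error.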