Presentation is loading. Please wait.

Presentation is loading. Please wait.

Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&T), Michael Hicks,

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&T), Michael Hicks,"— Presentation transcript:

1 Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&T), Michael Hicks, James Cheney, Yanling Wang

2 June 2002Cyclone Regions, PLDI2 Cyclone A safe C-level language Safe: Memory safety, abstract data types must forbid dereferencing dangling pointers C-Level: User controlled data representation and resource management cannot always resort to extra tags and checks for legacy and low-level systems

3 June 2002Cyclone Regions, PLDI3 Dangling pointers unsafe Access after lifetime “undefined” Notorious problem Re-user of memory cannot maintain invariants High-level language solution: Language definition: infinite lifetimes Implementation: sound garbage collection (GC) void bad() { int* x; if(1){ int y; int* z = &y; x = z; } *x = 123; }

4 June 2002Cyclone Regions, PLDI4 Cyclone memory management Flexible: GC, stack allocation, region allocation Uniform: Same library code regardless of strategy Static: no “has it been deallocated” run-time checks Convenient: few explicit annotations Exposed: users control lifetime of objects Scalable: all analysis intraprocedural Sound: programs never follow dangling pointers

5 June 2002Cyclone Regions, PLDI5 The plan from here Cyclone regions Basic type system –Restricting pointers –Increasing expressiveness –Avoiding annotations Interaction with abstract types Experience Related and future work

6 June 2002Cyclone Regions, PLDI6 Regions a.k.a. zones, arenas, … Every object is in exactly one region Allocation via a region handle All objects in a region are deallocated simultaneously (no free on an object) An old idea with recent support in languages and implementations

7 June 2002Cyclone Regions, PLDI7 Cyclone regions heap region: one, lives forever, conservatively GC’d stack regions: correspond to local-declaration blocks {int x; int y; s} dynamic regions: scoped lifetime, but growable region r {s} allocation: rnew(r,3), where r is a handle handles are first-class –caller decides where, callee decides how much –no handles for stack regions

8 June 2002Cyclone Regions, PLDI8 The big restriction Annotate all pointer types with a region name a (compile-time) type variable of region kind int*`r means “pointer into the region created by the construct that introduced `r ” –heap introduces `H – L:… introduces `L – region r {s} introduces `r r has type region_t

9 June 2002Cyclone Regions, PLDI9 So what? Perhaps the scope of type variables suffices void bad() { int*`?? x; if(1){ L:{int y; int*`L z = &y; x = z; } *x = 123; } What region name for type of x? `L is not in scope at allocation point good intuition for now but simple scoping does not suffice in general

10 June 2002Cyclone Regions, PLDI10 The plan from here Cyclone regions Basic type system –Restricting pointers –Increasing expressiveness –Avoiding annotations Interaction with abstract types Experience Related and future work

11 June 2002Cyclone Regions, PLDI11 Region polymorphism Use parametric polymorphism just like you would for other type variables void swap (int*`r1 x, int*`r2 y){ int tmp = *x; *x = *y; *y = tmp; } int*`r newsum (region_t r, int x, int y){ return rnew(r) (x+y); }

12 June 2002Cyclone Regions, PLDI12 Type definitions struct ILst { int*`r1 hd; struct ILst *`r2 tl; }; 10 81 11 0

13 June 2002Cyclone Regions, PLDI13 Region subtyping If p points to an int in a region with name `r1, is it ever sound to give p type int*`r2 ? If so, let int*`r1 < int*`r2 Region subtyping is the outlives relationship region r1 {… region r2 {…}…} LIFO makes subtyping common Function preconditions can include outlives constraints: void f(int*`r1, int*`r2 :`r1 > `r2);

14 June 2002Cyclone Regions, PLDI14 The plan from here Cyclone regions Basic type system –Restricting pointers –Increasing expressiveness –Avoiding annotations Interaction with abstract types Experience Related and future work

15 June 2002Cyclone Regions, PLDI15 Who wants to write all that? Intraprocedural inference –Determine region annotation based on uses –Same for polymorphic instantiation –Based on unification (as usual) –So we don’t need L: Rest is by defaults –Parameter types get fresh region names (default is region-polymorphic with no equalities) –Everything else gets `H (return types, globals, struct fields)

16 June 2002Cyclone Regions, PLDI16 Example You write: void fact(int* result, int n) { int x = 1; if(n > 1) fact(&x,n-1); *result = x*n; } Which means: void fact (int*`r result, int n) { L:int x = 1; if(n > 1) fact (&x,n-1); *result = x*n; }

17 June 2002Cyclone Regions, PLDI17 Annotations for equalities void g(int*`r* pp, int*`r p) { *pp = p; } Callee writes the equalities the caller must know Caller writes nothing

18 June 2002Cyclone Regions, PLDI18 The plan from here Cyclone regions Basic type system –Restricting pointers –Increasing expressiveness –Avoiding annotations Interaction with abstract types Experience Related and future work

19 June 2002Cyclone Regions, PLDI19 Existential types Programs need first-class abstract types struct T { void (*f)(void*, int); void* env; }; We use an existential type: struct T { //  … void (*f)(`a, int); `a env; }; struct T mkT(); could make a dangling pointer! Same problem occurs with closures or objects

20 June 2002Cyclone Regions, PLDI20 Our solution “leak a region bound” struct T { :regions(`a) > `r void (*f)(`a, int); `a env; }; Dangling pointers never dereferenced Really we have a powerful effect system, but –Without using , no effect errors –With , use region bounds to avoid effect errors See the paper

21 June 2002Cyclone Regions, PLDI21 Region-system summary Restrict pointer types via region names Add polymorphism, constructors, and subtyping for expressiveness Well-chosen defaults to make it palatable A bit more work for safe first-class abstract types Validation: –Rigorous proof of type safety –100KLOC of experience…

22 June 2002Cyclone Regions, PLDI22 Writing libraries Client chooses GC, region, or stack Adapted OCaml libraries (List, Set, Hashtable, …) struct L {`a hd; struct L *`r tl;}; typedef struct L *`r l_t ; l_t rmap(region_t,`b f(`a),l_t ); l_t imp_append(l_t, l_t ); void app(`b f(`a), l_t ); bool cmp(bool f(`a,`b), l_t, l_t );

23 June 2002Cyclone Regions, PLDI23 Porting code about 1 region annotation per 200 lines regions can work well (mini web server without GC) other times LIFO is a bad match other limitations (e.g., stack pointers in globals)

24 June 2002Cyclone Regions, PLDI24 Running code No slowdown for networking applications 1x to 3x slowdown for numeric applications –Not our target domain –Largely due to array-bounds checking (and we found bugs) We use the bootstrapped compiler every day –GC for abstract syntax –Regions where natural –Address-of-locals where convenient –Extensive library use

25 June 2002Cyclone Regions, PLDI25 The plan from here Cyclone regions Basic type system –Restricting pointers –Increasing expressiveness –Avoiding annotations Interaction with abstract types Experience Related and future work

26 June 2002Cyclone Regions, PLDI26 Related: regions ML Kit [Tofte, Talpin, et al], GC integration [Hallenberg et al] –full inference (no programmer control) –effect variables for  (not at source level) Capability Calculus [Walker et al] –for low-level machine-generated code Vault [DeLine, Fähndrich] –restricted region aliasing allows “must deallocate” Direct control-flow sensitivity [Henglein et al.] –first-order types only RC [Gay, Aiken] –run-time reference counts for inter-region pointers –still have dangling stack, heap pointers

27 June 2002Cyclone Regions, PLDI27 Related: safer C LCLint [Evans], metal [Engler et al] –sacrifice soundness for fewer false-positives SLAM [Ball et al], ESP [Das et al], Cqual [Foster] –verify user-specified safety policy with little/no annotation –assumes data objects are infinitely far apart CCured [Necula et al] –essentially GC (limited support for stack pointers) –better array-bounds elimination, less support for polymorphism, changes data representation Safe-C, Purify, Stackguard, …

28 June 2002Cyclone Regions, PLDI28 Future work Beyond LIFO ordering Integrate more dynamic checking (“is this a handle for a deallocated region”) Integrate threads More experience where GC is frowned upon

29 June 2002Cyclone Regions, PLDI29 Conclusion Sound, static region-based memory management Contributions: –Convenient enough for humans –Integration with GC and stack –Code reuse (write libraries once) –Subtyping via outlives –Novel treatment of abstract types http://www.cs.cornell.edu/projects/cyclone http://www.research.att.com/projects/cyclone

Download ppt "Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&T), Michael Hicks,"

Similar presentations

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Cyclone: A Memory-Safe C-Level Programming Language Dan Grossman University of Washington Joint work with: Trevor JimAT&T Research Greg MorrisettHarvard.

Cyclone: A Memory-Safe C-Level Programming Language Dan Grossman University of Washington Joint work with: Trevor JimAT&T Research Greg MorrisettHarvard.
Type Analysis and Typed Compilation Stephanie Weirich Cornell University.

Type Analysis and Typed Compilation Stephanie Weirich Cornell University.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.

CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.

Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.
Summer School on Language-Based Techniques for Integrating with the External World Types for Safe C-Level Programming Part 3: Basic Cyclone-Style Region-

Summer School on Language-Based Techniques for Integrating with the External World Types for Safe C-Level Programming Part 3: Basic Cyclone-Style Region-
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)

Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)
Honors Compilers Addressing of Local Variables Mar 19 th, 2002.

Honors Compilers Addressing of Local Variables Mar 19 th, 2002.
Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.

Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.
Cyclone, Regions, and Language-Based Safety CS598e, Princeton University 27 February 2002 Dan Grossman Cornell University.

Cyclone, Regions, and Language-Based Safety CS598e, Princeton University 27 February 2002 Dan Grossman Cornell University.
Run time vs. Compile time

Run time vs. Compile time
Compile-Time Deallocation of Individual Objects Sigmund Cherem and Radu Rugina International Symposium on Memory Management June, 2006.

Compile-Time Deallocation of Individual Objects Sigmund Cherem and Radu Rugina International Symposium on Memory Management June, 2006.
Existential Types for Imperative Languages Dan Grossman Cornell University Eleventh European Symposium on Programming April 2002.

Existential Types for Imperative Languages Dan Grossman Cornell University Eleventh European Symposium on Programming April 2002.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.

Similar presentations

Ads by Google