Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&T), Michael Hicks,

Slides:



Advertisements
Similar presentations
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Advertisements

Cyclone: A Memory-Safe C-Level Programming Language Dan Grossman University of Washington Joint work with: Trevor JimAT&T Research Greg MorrisettHarvard.
Type Analysis and Typed Compilation Stephanie Weirich Cornell University.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.
Summer School on Language-Based Techniques for Integrating with the External World Types for Safe C-Level Programming Part 3: Basic Cyclone-Style Region-
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)
Honors Compilers Addressing of Local Variables Mar 19 th, 2002.
Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.
Cyclone, Regions, and Language-Based Safety CS598e, Princeton University 27 February 2002 Dan Grossman Cornell University.
Run time vs. Compile time
Compile-Time Deallocation of Individual Objects Sigmund Cherem and Radu Rugina International Symposium on Memory Management June, 2006.
Existential Types for Imperative Languages Dan Grossman Cornell University Eleventh European Symposium on Programming April 2002.
A Type System for Expressive Security Policies David Walker Cornell University.
Run-time Environment and Program Organization
By: Bryan Dixon.  Performance  Explicit Memory Management  Fine-grained control over assembly level data representation.
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
May 9, 2001OSQ Retreat 1 Run-Time Type Checking for Pointers and Arrays in C Wes Weimer, George Necula Scott McPeak, S.P. Rahul, Raymond To.
Advanced Type Systems for Low-Level Languages Greg Morrisett Cornell University.
Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University May 2002 Joint work with: Trevor Jim (AT&T), Greg Morrisett, Michael.
Cyclone: Safe C-Level Programming (With Multithreading Extensions) Dan Grossman Cornell University October 2002 Joint work with: Trevor Jim (AT&T), Greg.
CSE341: Programming Languages Lecture 11 Type Inference Dan Grossman Winter 2013.
Chapter TwelveModern Programming Languages1 Memory Locations For Variables.
1 Names, Scopes and Bindings Aaron Bloomfield CS 415 Fall
Chapter 3.5 Memory and I/O Systems. 2 Memory Management Memory problems are one of the leading causes of bugs in programs (60-80%) MUCH worse in languages.
Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.
Storage Management. The stack and the heap Dynamic storage allocation refers to allocating space for variables at run time Most modern languages support.
Experience with Safe Memory Management in Cyclone Michael Hicks University of Maryland, College Park Joint work with Greg Morrisett - Harvard Dan Grossman.
Basic Semantics Associating meaning with language entities.
1 Records Record aggregate of data elements –Possibly heterogeneous –Elements/slots are identified by names –Elements in same fixed order in all records.
C++ Memory Overview 4 major memory segments Key differences from Java
Cyclone Memory Management Greg Morrisett Cornell University & Microsoft Research.
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
Implementation and Evaluation of a Safe Runtime in Cyclone Matthew Fluet Cornell University Greg Morrisett Harvard University Daniel Wang Princeton University.
COMP3190: Principle of Programming Languages
Combining Garbage Collection and Safe Manual Memory Management Michael Hicks University of Maryland, College Park Joint work with Greg Morrisett - Harvard,
CSE 425: Control Abstraction I Functions vs. Procedures It is useful to differentiate functions vs. procedures –Procedures have side effects but usually.
Pointers in C Computer Organization I 1 August 2009 © McQuain, Feng & Ribbens Memory and Addresses Memory is just a sequence of byte-sized.
Lecture 10 Concepts of Programming Languages Arne Kutzner Hanyang University / Seoul Korea.
11th Nov 2004PLDI Region Inference for an Object-Oriented Language Wei Ngan Chin 1,2 Joint work with Florin Craciun 1, Shengchao Qin 1,2, Martin.
Object-Oriented Programming Chapter Chapter
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
Types and Programming Languages Lecture 11 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Java and C# - Some Commonalities Compile into machine-independent, language- independent code which runs in a managed execution environment Garbage Collection.
Records type city is record -- Ada Name: String (1..10); Country : String (1..20); Population: integer; Capital : Boolean; end record; struct city { --
Automatic Memory Management Without Run-time Overhead Brian Brooks.
Object Lifetime and Pointers
Dynamic Storage Allocation
Data Types In Text: Chapter 6.
Seminar in automatic tools for analyzing programs with dynamic memory
Storage Management.
Cyclone A Very Short Introduction Dan Grossman
CS360 Windows Programming
Names, Binding, and Scope
Programming with Regions
Dan Grossman University of Washington 26 July 2007
Memory Allocation CS 217.
Closure Representations in Higher-Order Programming Languages
Cyclone: A safe dialect of C
Dynamic Memory.
Lecture 10 Concepts of Programming Languages
Implementation and Evaluation of a Safe Runtime in Cyclone
Gradual Memory Management
Presentation transcript:

Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&T), Michael Hicks, James Cheney, Yanling Wang

June 2002Cyclone Regions, PLDI2 Cyclone A safe C-level language Safe: Memory safety, abstract data types must forbid dereferencing dangling pointers C-Level: User controlled data representation and resource management cannot always resort to extra tags and checks for legacy and low-level systems

June 2002Cyclone Regions, PLDI3 Dangling pointers unsafe Access after lifetime “undefined” Notorious problem Re-user of memory cannot maintain invariants High-level language solution: Language definition: infinite lifetimes Implementation: sound garbage collection (GC) void bad() { int* x; if(1){ int y; int* z = &y; x = z; } *x = 123; }

June 2002Cyclone Regions, PLDI4 Cyclone memory management Flexible: GC, stack allocation, region allocation Uniform: Same library code regardless of strategy Static: no “has it been deallocated” run-time checks Convenient: few explicit annotations Exposed: users control lifetime of objects Scalable: all analysis intraprocedural Sound: programs never follow dangling pointers

June 2002Cyclone Regions, PLDI5 The plan from here Cyclone regions Basic type system –Restricting pointers –Increasing expressiveness –Avoiding annotations Interaction with abstract types Experience Related and future work

June 2002Cyclone Regions, PLDI6 Regions a.k.a. zones, arenas, … Every object is in exactly one region Allocation via a region handle All objects in a region are deallocated simultaneously (no free on an object) An old idea with recent support in languages and implementations

June 2002Cyclone Regions, PLDI7 Cyclone regions heap region: one, lives forever, conservatively GC’d stack regions: correspond to local-declaration blocks {int x; int y; s} dynamic regions: scoped lifetime, but growable region r {s} allocation: rnew(r,3), where r is a handle handles are first-class –caller decides where, callee decides how much –no handles for stack regions

June 2002Cyclone Regions, PLDI8 The big restriction Annotate all pointer types with a region name a (compile-time) type variable of region kind int*`r means “pointer into the region created by the construct that introduced `r ” –heap introduces `H – L:… introduces `L – region r {s} introduces `r r has type region_t

June 2002Cyclone Regions, PLDI9 So what? Perhaps the scope of type variables suffices void bad() { int*`?? x; if(1){ L:{int y; int*`L z = &y; x = z; } *x = 123; } What region name for type of x? `L is not in scope at allocation point good intuition for now but simple scoping does not suffice in general

June 2002Cyclone Regions, PLDI10 The plan from here Cyclone regions Basic type system –Restricting pointers –Increasing expressiveness –Avoiding annotations Interaction with abstract types Experience Related and future work

June 2002Cyclone Regions, PLDI11 Region polymorphism Use parametric polymorphism just like you would for other type variables void swap (int*`r1 x, int*`r2 y){ int tmp = *x; *x = *y; *y = tmp; } int*`r newsum (region_t r, int x, int y){ return rnew(r) (x+y); }

June 2002Cyclone Regions, PLDI12 Type definitions struct ILst { int*`r1 hd; struct ILst *`r2 tl; };

June 2002Cyclone Regions, PLDI13 Region subtyping If p points to an int in a region with name `r1, is it ever sound to give p type int*`r2 ? If so, let int*`r1 < int*`r2 Region subtyping is the outlives relationship region r1 {… region r2 {…}…} LIFO makes subtyping common Function preconditions can include outlives constraints: void f(int*`r1, int*`r2 :`r1 > `r2);

June 2002Cyclone Regions, PLDI14 The plan from here Cyclone regions Basic type system –Restricting pointers –Increasing expressiveness –Avoiding annotations Interaction with abstract types Experience Related and future work

June 2002Cyclone Regions, PLDI15 Who wants to write all that? Intraprocedural inference –Determine region annotation based on uses –Same for polymorphic instantiation –Based on unification (as usual) –So we don’t need L: Rest is by defaults –Parameter types get fresh region names (default is region-polymorphic with no equalities) –Everything else gets `H (return types, globals, struct fields)

June 2002Cyclone Regions, PLDI16 Example You write: void fact(int* result, int n) { int x = 1; if(n > 1) fact(&x,n-1); *result = x*n; } Which means: void fact (int*`r result, int n) { L:int x = 1; if(n > 1) fact (&x,n-1); *result = x*n; }

June 2002Cyclone Regions, PLDI17 Annotations for equalities void g(int*`r* pp, int*`r p) { *pp = p; } Callee writes the equalities the caller must know Caller writes nothing

June 2002Cyclone Regions, PLDI18 The plan from here Cyclone regions Basic type system –Restricting pointers –Increasing expressiveness –Avoiding annotations Interaction with abstract types Experience Related and future work

June 2002Cyclone Regions, PLDI19 Existential types Programs need first-class abstract types struct T { void (*f)(void*, int); void* env; }; We use an existential type: struct T { //  … void (*f)(`a, int); `a env; }; struct T mkT(); could make a dangling pointer! Same problem occurs with closures or objects

June 2002Cyclone Regions, PLDI20 Our solution “leak a region bound” struct T { :regions(`a) > `r void (*f)(`a, int); `a env; }; Dangling pointers never dereferenced Really we have a powerful effect system, but –Without using , no effect errors –With , use region bounds to avoid effect errors See the paper

June 2002Cyclone Regions, PLDI21 Region-system summary Restrict pointer types via region names Add polymorphism, constructors, and subtyping for expressiveness Well-chosen defaults to make it palatable A bit more work for safe first-class abstract types Validation: –Rigorous proof of type safety –100KLOC of experience…

June 2002Cyclone Regions, PLDI22 Writing libraries Client chooses GC, region, or stack Adapted OCaml libraries (List, Set, Hashtable, …) struct L {`a hd; struct L *`r tl;}; typedef struct L *`r l_t ; l_t rmap(region_t,`b f(`a),l_t ); l_t imp_append(l_t, l_t ); void app(`b f(`a), l_t ); bool cmp(bool f(`a,`b), l_t, l_t );

June 2002Cyclone Regions, PLDI23 Porting code about 1 region annotation per 200 lines regions can work well (mini web server without GC) other times LIFO is a bad match other limitations (e.g., stack pointers in globals)

June 2002Cyclone Regions, PLDI24 Running code No slowdown for networking applications 1x to 3x slowdown for numeric applications –Not our target domain –Largely due to array-bounds checking (and we found bugs) We use the bootstrapped compiler every day –GC for abstract syntax –Regions where natural –Address-of-locals where convenient –Extensive library use

June 2002Cyclone Regions, PLDI25 The plan from here Cyclone regions Basic type system –Restricting pointers –Increasing expressiveness –Avoiding annotations Interaction with abstract types Experience Related and future work

June 2002Cyclone Regions, PLDI26 Related: regions ML Kit [Tofte, Talpin, et al], GC integration [Hallenberg et al] –full inference (no programmer control) –effect variables for  (not at source level) Capability Calculus [Walker et al] –for low-level machine-generated code Vault [DeLine, Fähndrich] –restricted region aliasing allows “must deallocate” Direct control-flow sensitivity [Henglein et al.] –first-order types only RC [Gay, Aiken] –run-time reference counts for inter-region pointers –still have dangling stack, heap pointers

June 2002Cyclone Regions, PLDI27 Related: safer C LCLint [Evans], metal [Engler et al] –sacrifice soundness for fewer false-positives SLAM [Ball et al], ESP [Das et al], Cqual [Foster] –verify user-specified safety policy with little/no annotation –assumes data objects are infinitely far apart CCured [Necula et al] –essentially GC (limited support for stack pointers) –better array-bounds elimination, less support for polymorphism, changes data representation Safe-C, Purify, Stackguard, …

June 2002Cyclone Regions, PLDI28 Future work Beyond LIFO ordering Integrate more dynamic checking (“is this a handle for a deallocated region”) Integrate threads More experience where GC is frowned upon

June 2002Cyclone Regions, PLDI29 Conclusion Sound, static region-based memory management Contributions: –Convenient enough for humans –Integration with GC and stack –Code reuse (write libraries once) –Subtyping via outlives –Novel treatment of abstract types

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.