1. Implementation and Evaluation of a Safe Runtime in Cyclone
Matthew Fluet

2. Introduction Web-based applications Application servers
Written in high-level, safe languages
C#, Java, Perl, PHP, Phython, Tcl
Automatic memory management
Application servers
Written in unsafe languages
Host applications via interpreters (written in C)

3. Introduction
Long-term goal: a complete web-application server written in a safe language
Short-term goal: a complete interpreter written in a safe language
Implementing the core of an interpreter is not in itself a significant challenge
Implementing the runtime system is a challenge

4. Outline A Scheme interpreter in Cyclone Performance Evaluation
Why Scheme
Key Features of Cyclone
Core Scheme Interpreter
Garbage Collector
Performance Evaluation
Conclusion

5. Why Scheme? Ease of implementation
Core interpreter loop is only ~500 lines
Rely on an external Scheme front-end to expand the full Scheme language into a core Scheme subset
Features desirable for web programming

6. Key Features of Cyclone
Pointers
Nullable: t*
Non-null:
Fat:
Regions
Region names: `r
Pointers: t*`r
Polymorphism: <`r::R>

7. Cyclone: Regions Region variety Allocation (objects) Deallocation
Aliasing
(what)
(when)
Stack
static
whole region
exit of lexical scope
unrestricted
Lexical
dynamic
Dynamic
manual
Heap (`H)
single objects
automatic (BDW GC)
Unique (`U)
restricted
Ref-counted (`RC)

8. Cyclone: Regions Region variety Allocation (objects) Deallocation
Aliasing
(what)
(when)
Stack
static
whole region
exit of lexical scope
unrestricted
Lexical
dynamic
Dynamic
manual
Heap (`H)
single objects
automatic (BDW GC)
Unique (`U)
restricted
Ref-counted (`RC)

9. Cyclone: Regions Region variety Allocation (objects) Deallocation
Aliasing
(what)
(when)
Stack
static
whole region
exit of lexical scope
unrestricted
Lexical
dynamic
Dynamic
manual
Heap (`H)
single objects
automatic (BDW GC)
Unique (`U)
restricted
Ref-counted (`RC)

10. Cyclone: Regions Region variety Allocation (objects) Deallocation
Aliasing
(what)
(when)
Stack
static
whole region
exit of lexical scope
unrestricted
Lexical
dynamic
Dynamic
manual
Heap (`H)
single objects
automatic (BDW GC)
Unique (`U)
restricted
Ref-counted (`RC)

11. Cyclone: Regions Region variety Allocation (objects) Deallocation
Aliasing
(what)
(when)
Stack
static
whole region
exit of lexical scope
unrestricted
Lexical
dynamic
Dynamic
manual
Heap (`H)
single objects
automatic (BDW GC)
Unique (`U)
restricted
Ref-counted (`RC)

12. Cyclone: Dynamic Regions
typedef struct
uregion_key_t<`r::R>
struct NewDReg { <`r::R>
uregion_key_t<`r> key; }
struct NewDReg new_ukey();
void free_ukey(uregion_key_t<`r> k);
{ region r = open(k);
. . . }

13. Core Scheme Interpreter
Simplified expression language
Variables given as deBruijn indices
Values – heap allocated data
Small-step operational semantics:
<H,S,ρ,r> → <H’,S’,ρ’,r’>

14. Core Scheme Interpreter: Values
struct Value<`r::R>;
typedef struct Value<`r>*`r value_t<`r::R>;
datatype ValueD<`r> {
Const_v(const_t<`r> K);
Primop_v(primop_t p);
Closure_v(unsigned int n,
env_t<`r> rho, exp_t<`r> e);
ls); };
struct Value<`r::R> {
datatype ValueD<`r> value;

15. Heap Allocated Interpreter
void scheme(exp_t<`r> prog<`r>(region_t<`r>)) {
// load the program into the Cyclone heap
exp_t<`H> e = prog(heap_region);
// load the initial environment
env_t<`H> env = initial_env(heap_region);
// construct the initial state
state_t<`H> state = State{NULL,env,{.expr = e}};
// take an unbounded number of steps
bool done = stepi(-1,heap_region,&state); }

16. Simple Stop-and-Copy Collector

17. GC and Regions
Separation of From-space and To-space suggests a natural correspondence with Cyclone’s regions
LIFO discipline of lexical regions insufficient
Dynamic regions appear to be sufficient

18. GC in Spirit . . . // create the to-space’s key
let NewDynamicRegion {<`to> to_key} = new_ukey();
state_t<`to> = to_state;
// open the from-space’s key
{ region from_r = open(from_key)
// open the to-space’s key
{ region to_r = open(to_key);
// copy the state and reachable data
to_state = copy_state(to_r, from_state); } }
// free the from-space
free_ukey(from_key);

19. GC and Forwarding Pointers
What is the type of a forwarding pointer?

20. GC and Forwarding Pointers
What is the type of a forwarding pointer?
A pointer to a struct Value in To-space

21. GC and Forwarding Pointers
What is the type of a forwarding pointer?
A pointer to a struct Value in To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space

22. GC and Forwarding Pointers
What is the type of a forwarding pointer?
A pointer to a struct Value in To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a struct Value in To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space …

23. Dynamic Region Sequences
Need a name for all the unwindings
Type constructor mapping region names to region names
typedef _::R next_rgn<`r::R>
Forwarding pointers
value_t<next_rgn<`r>>
Although the region names `r and next_rgn<`r> are related, the lifetimes of their corresponding regions are not.

24. Dynamic Region Sequences
Have an infinite supply of region names
Need to ensure an infinite linear supply
Use Cyclone’s unique pointers
struct DRGen<`r::R>;
typedef struct uregion_gen_t<`r>;

25. Dynamic Region Sequences
struct DRSeq<`r> {
uregion_key_t<`r> key;
uregion_gen_t<`r> gen; }
typedef struct DRSeq<`r> drseq_t<`r>;
struct NewDRSeq { <`r::R>
drseq_t<`r> drseq; }
struct NewDRSeq new_drseq();
drseq_t<next_rgn<`r>> next_drseq(uregion_gen_t<`r> gen);

26. GC and Dynamic Region Sequences
gcstate_t doGC(gcstate_t gcs) {
// unpack the gc state
let GCState{<`r> DRSeq {from_key, from_gen},
from_state} = gcs;
// generate the to-space
let DRS{to_key, to_gen} = next_drseq(from_gen);
state_t<next_rgn<`r>> to_state;
{ region from_r = open(from_key);
{ region to_r = open(to_key);
to_state = copy_state(to_r, from_state); }
// pack the new gc state
gcs = GCState{DRS{to_key, to_gen}, to_state}; }
free_ukey(from_key);
return gcs; }

27. GC and Dynamic Region Sequesces
Comparison with type-preserving GCs
Interpreter can be written in a trampoline, rather than continuation passing, style
Intuitive typing of forwarding pointers

28. Performance Evaluation
Interpreter
Runtime
Cyclone (Safe GC)
Safe
Cyclone (BDW GC)
Unsafe
SISC (Sun JVM)
MzScheme (BDW GC)

29. Performance Evaluation

30. Performance Evaluation

31. Size of Unsafe Code Interpreter (lines of code) Runtime System Cyclone
(Safe GC)
1800
(BDW GC)
9000
SISC
(Sun JVM)
229,100
MzScheme
31,000

32. Conclusion
Significantly reduce amount of unsafe code needed to implement an interpreter
May incur a performance penalty for extra degree of safety
Future Work
Reduce performance penalty
Per thread regions providing customization