Monadic and Substructural Type Systems for
Region-based Memory Management
Matthew Fluet
Cornell University
July 27, 2006 2
The Problem with Resources
Resources in a program are essential
– file handles, DB connections, locks, memory, …
Resources need to be managed
– state of a resource changes over time
– using a resource in an incorrect state is WRONG
A Solution with Type Systems
Static type systems for programming languages (Java, C#, Standard ML)
– well-typed programs don’t go WRONG
While today’s type systems are effective, they have limitations:
– limited notion of WRONG
– cannot express some resource-conscious programs
Memory Management
One of the most difficult resources to handle
Dynamic allocation and deallocation of data
– programs acquire and release memory as needed
Range of schemes for managing memory
– malloc/free: explicit and efficient, but tedious and error prone
– garbage collection: convenient and safe, but carries overheads
– region-based memory management
Region-based Memory Management
[figure: regions r1, r2, r3 containing data objects, with pointers within and between regions]
A region (denoted by r, …) is a collection of allocated data objects
Arbitrary intra- and inter-region references
– data objects in one region may have pointers to data objects in the same region and in other regions
A program creates and destroys regions to acquire and release memory
– Creating a region yields an empty region
– Data objects may be allocated in and read from a region
– Destroying a region deallocates all objects in the region
Existence of pointers into a destroyed region is O.K.
Dereferencing these pointers is WRONG.
Region-based Memory Management
Advantages
– efficient implementations of mem. mgmt. operations
– supports bulk deallocation of data objects
– allows dangling pointers
Disadvantages
– allows various WRONG behaviors: dereferencing dangling pointers, allocating in destroyed regions, destroying a region more than once
A Solution with Type Systems
Static type systems for programming languages (Java, C#, Standard ML)
– well-typed programs don’t go WRONG
– well-typed programs are region safe
Previous work: type-and-effect systems
– complicated, for programmer and language designer
– limited expressiveness, nested regions only
Type Systems for Region-based Memory Management
I have developed type systems for managing and enforcing the correct usage of regions
– monadic type system
– substructural type system
These type systems
– are simpler than previous work
– are more expressive than previous work
– unify seemingly different language features
Type Systems for Region-based Memory Management
Type-and-effect system
– effects pervasive in type system
– complicated proof of soundness
Monadic type system
– exploit parametric polymorphism (System F)
– simple type system; well-understood theory
Substructural type system
– exploit linearity to control access to region
– supports richer programming idioms
Type-and-Effect Systems
Provide core mechanisms to describe computational effects of a program
– Type: what the expression computes
– Effect: how the expression computes
Languages
– Lucassen-Gifford-Jouvelot: FX-89, FX-91
– Tofte-Talpin: region calculus, MLKit
Type-and-Effect System for Regions
ref
– object of type allocated in region ; newRef, readRef, writeRef, …
hnd
– handle for region r; the run-time value for allocating in a region
Type-and-Effect System for Regions
Regions are created and destroyed with syntax:
letregion h in {
  …
}
Region is created at the start of scope and destroyed at the end of scope
Type-and-Effect System for Regions
Regions have nested lifetimes
letregion 1 h1 in {
  letregion 2 h2 in {
    …
  }
}
Type-and-Effect System for Regions
letregion 1 h1 in {
  letregion 2 h2 in {
    … x = newRef (h2,“a”) …
    …
  }
  … readRef x …
}
[figure: region stack with levels 0, 1, 2; x is allocated in region 2 holding “a”, and region 2 has already been destroyed when readRef x runs]
Type-and-Effect System for Regions
letregion 1 h1 in {
  letregion 2 h2 in {
    … x = newRef (h2,“a”) …
    … f = (z. … readRef x …) …
  }
  … f 2 …
}
[figure: region stack with levels 0, 1; region 2 has been destroyed when f 2 runs]
Type-and-Effect System for Regions
Type-and-effect system ensures safety
– Track the set of regions used by an expression: ⊢ e : ,
– Function types include a latent effect: 1 → 2
Type-and-Effect System for Regions
Typing rule for letregion syntax:
,,h:hnd ⊢ e : ,    ∉ frv(,)
⊢ letregion ,h in { e } : , \ {}
Type-and-Effect System for Regions
Typing rule for function application:
⊢ e : ’ → ,    ⊢ e’ : ’, ’
⊢ e e’ : , ∪ ’ ∪ f
Type of ref operations:
newRef :: ∀.∀. (hnd × ) → ref
readRef :: ∀.∀. ref →
Type-and-Effect System for Regions
letregion 1 h1 in {
  letregion 2 h2 in {
    … x = newRef h2 “a” …
    …
  }
  … readRef x …
}
[figure: effect annotations {}, {1}, {1,2} on the scopes, with membership checks of region 2 against {1,2} and against {1}]
letregion 1 h1 in {
  letregion 2 h2 in {
    … x = newRef h2 “a” …
    … f = (z. … readRef x …) …
  }
  … f 2 …
}
[figure: the same effect annotations; the call f 2 carries f’s latent effect, which mentions region 2 outside its scope]
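The two typing rules above applied mechanically, as an added example that is not part of the slides: a small checker in Rust for the letregion and application rules, run over a tiny expression language. The expression forms, the String-named regions and the helper builders are this example's own assumptions; the checks it performs (the region must not occur in frv(Γ, τ), the effect loses the region at the end of its scope, a call adds the function's latent effect) are the ones the rules state, and the rejected case is the slides' closure f that reads x after its region is gone.

```rust
// Added example (not from the slides): a checker for the letregion and application
// rules above. Expression forms, String region names and helpers are this example's own.
use std::collections::{BTreeSet, HashMap};

pub type Effect = BTreeSet<String>; // the set of region names an expression uses
pub type Env = HashMap<String, Type>; // Gamma

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Type {
    Int,
    Ref(String, Box<Type>),           // ref rho tau
    Hnd(String),                      // hnd rho
    Fn(Box<Type>, Effect, Box<Type>), // tau1 -> tau2 together with its latent effect
}
pub enum Expr {
    Lit(i64),
    Var(String),
    NewRef(Box<Expr>, Box<Expr>),         // newRef (handle, value)
    ReadRef(Box<Expr>),                   // readRef r
    LetRegion(String, String, Box<Expr>), // letregion rho, h in { e }
    Lam(String, Type, Box<Expr>),         // \x:tau. e
    App(Box<Expr>, Box<Expr>),            // e e'
}

// frv(tau): region names occurring in a type, latent effects included.
fn frv(t: &Type, out: &mut Effect) {
    match t {
        Type::Int => {}
        Type::Hnd(r) => { out.insert(r.clone()); }
        Type::Ref(r, inner) => { out.insert(r.clone()); frv(inner, out); }
        Type::Fn(a, eff, b) => { frv(a, out); out.extend(eff.iter().cloned()); frv(b, out); }
    }
}

// Gamma |- e : tau, phi
pub fn check(env: &Env, e: &Expr) -> Result<(Type, Effect), String> {
    match e {
        Expr::Lit(_) => Ok((Type::Int, Effect::new())),
        Expr::Var(x) => env.get(x).map(|t| (t.clone(), Effect::new())).ok_or(format!("unbound {x}")),
        Expr::NewRef(h, v) => { // newRef :: (hnd rho x tau) -> ref rho tau, effect {rho}
            let (th, mut eff) = check(env, h)?;
            let (tv, ev) = check(env, v)?;
            eff.extend(ev);
            let Type::Hnd(r) = th else { return Err("newRef expects a handle".into()) };
            eff.insert(r.clone());
            Ok((Type::Ref(r, Box::new(tv)), eff))
        }
        Expr::ReadRef(r) => { // readRef :: ref rho tau -> tau, effect {rho}
            let (tr, mut eff) = check(env, r)?;
            let Type::Ref(rho, inner) = tr else { return Err("readRef expects a ref".into()) };
            eff.insert(rho);
            Ok((*inner, eff))
        }
        Expr::LetRegion(rho, h, body) => {
            let mut ctx = Effect::new();
            env.values().for_each(|t| frv(t, &mut ctx)); // rho must be fresh for Gamma
            if ctx.contains(rho) { return Err(format!("region {rho} already in scope")); }
            let mut inner = env.clone();
            inner.insert(h.clone(), Type::Hnd(rho.clone()));
            let (t, mut eff) = check(&inner, body)?;
            let mut fv = Effect::new();
            frv(&t, &mut fv); // rho not in frv(tau): nothing may escape the scope
            if fv.contains(rho) { return Err(format!("region {rho} escapes via {t:?}")); }
            eff.remove(rho); // phi \ {rho}: after the scope the region is gone
            Ok((t, eff))
        }
        Expr::Lam(x, tx, body) => { // the body's effect becomes the latent effect
            let mut inner = env.clone();
            inner.insert(x.clone(), tx.clone());
            let (tb, eff) = check(&inner, body)?;
            Ok((Type::Fn(Box::new(tx.clone()), eff, Box::new(tb)), Effect::new()))
        }
        Expr::App(f, a) => { // phi U phi' U the function's latent effect
            let (tf, mut eff) = check(env, f)?;
            let (ta, ea) = check(env, a)?;
            eff.extend(ea);
            match tf {
                Type::Fn(p, latent, res) if *p == ta => { eff.extend(latent); Ok((*res, eff)) }
                other => Err(format!("cannot apply {other:?} to {ta:?}")),
            }
        }
    }
}

// \z:Int. readRef (newRef (h, z)): a closure whose latent effect is the region of h
pub fn lam_read_new(h: &str) -> Expr {
    let var = |x: &str| Box::new(Expr::Var(x.into()));
    Expr::Lam("z".into(), Type::Int, Box::new(Expr::ReadRef(Box::new(Expr::NewRef(var(h), var("z"))))))
}

// letregion r1,h1 in { (\z:Int. readRef (newRef (h1, z))) 5 }: accepted, Int with effect {}
pub fn well_scoped() -> Result<(Type, Effect), String> {
    let call = Expr::App(Box::new(lam_read_new("h1")), Box::new(Expr::Lit(5)));
    check(&Env::new(), &Expr::LetRegion("r1".into(), "h1".into(), Box::new(call)))
}

// letregion r2,h2 in { \z:Int. readRef (newRef (h2, z)) }: rejected, the closure's
// latent effect mentions r2 (the slides' "f" example)
pub fn escaping_closure() -> Result<(Type, Effect), String> {
    check(&Env::new(), &Expr::LetRegion("r2".into(), "h2".into(), Box::new(lam_read_new("h2"))))
}
```

Effects are kept as sets of region names, which is exactly the point the next slide raises: two function types with the same arrows but different effect sets are different types, so checking them means comparing sets rather than terms.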
Type-and-Effect System for Regions
Type-and-effect system ensures safety, but adds complications:
– Typing rule for letregion syntax is quite subtle (interplay of dangling pointers and effects) [Tofte & Talpin ’94], [Crary et al. ’99], [Banerjee et al. ’99], [Helsen & Thiemann ’00], [Calcagno ’01], [Grossman et al. ’01], [Calcagno et al. ’02], [Henglein et al. ’05], [Ganz ’05]
– Effects are pervasive in typing rules
– Effect weakening and region subtyping: Cyclone, [Grossman et al. ’01]
– Effects correspond to sets of region names (term equality no longer suffices for type checking)
Programming with and proving soundness of type-and-effect systems is challenging.
Is there a simpler type system that provides the same safety and expressiveness?
Monadic Type System for Regions
Exploit parametric polymorphism (System F) and monadic encapsulation
Key insights:
– Effects map to an indexed monadic type
– Effect weakening and membership witnessed by types
– Sufficient for encoding type-and-effect systems
Monadic Type Systems
Exploit parametric polymorphism (System F) and monadic encapsulation
Embed imperative features in pure languages
– Distinguish pure values from stateful computations
– Polymorphic type system ensures safety
Simple type system; well-understood theory
Language: Haskell
– Launchbury-Peyton Jones: ST monad
Monadic Type System for Regions
RGN
– computations in stack of regions returning values of type
Hnd
– handle for the region at the top of the stack of regions
Ref
– object of type allocated in some region in the stack of regions
Pf(1 ⊆ 2)
– proof that the stack of regions 1 is a substack of the stack of regions 2
Pf(1 ⊆ 2) ≈ ∀. RGN 1 → RGN 2
Pf(1 ⊆ 2) ≈ ∀. Ref 1 → Ref 2
In RGN, Hnd, Ref and Pf(1 ⊆ 2), the stack is always a variable; never deal with “real” stacks
Monadic Type System for Regions
Regions are created/destroyed with a primitive:
letRGN :: ∀1.∀. (∀2. Pf(1 ⊆ 2) → Hnd 2 → RGN 2 ) → RGN 1
Region is created and destroyed automatically. Regions have nested lifetimes.
Despite appearances, this is a boring polymorphic type, and that’s the win: leverage a well-known type system.
Monadic Type System for Regions
Adopt type system of System F
– simple type structure
::= Int | 1 × 2 | 1 → 2 | ∀. | RGN | Ref | Hnd | Pf(1 ⊆ 2) | ∀.
– simple type judgment
⊢ e :
RGN monad: Operations
Monadic unit and bind
returnRGN :: ∀,. → RGN
thenRGN :: ∀,,. RGN → ( → RGN ) → RGN
RGN monad: Operations
Create and read region allocated values
newRef :: ∀,. Hnd × → RGN (Ref )
readRef :: ∀,. Ref → RGN
RGN monad: Encapsulation
Encapsulate and run a monadic computation
runRGN :: ∀. (∀. RGN ) →
– “for all stacks” ⇒ no assumptions about stack of regions
– result type cannot mention the stack variable ⇒ cannot return a computation depending on dangling pointers
RGN monad: Regions
Regions are created and destroyed with a lexically scoped construct
letRGN :: ∀1,. (∀2. Pf(1 ⊆ 2) → Hnd 2 → RGN 2 ) → RGN 1
– the Pf(1 ⊆ 2) and Hnd 2 arguments specify assumptions about the newly created region
– result type cannot mention 2 ⇒ cannot return a computation depending on newly created region
Is the monadic type system as expressive as the type-and-effect system?
Translation: Type-and-effect to Monadic
Type- and meaning-preserving translation from type-and-effect to monadic
⟦ (ref 1 int) → (ref 3 int) ⟧ ⇒
∀. (Pf(1 ⊆ ) × Pf(2 ⊆ ) × Pf(3 ⊆ )) → Ref 1 int → RGN (Ref 3 int)
[the source function arrow carries the latent effect {1,2,3}; each region in the effect becomes a Pf witness]
Theorems:
If ; ⊢ e : , then ⟦⟧;⟦⟧ ⊢ ⟦e⟧ : RGN ⟦⟧ ⟦⟧.
If ⊢prog e and ({};e) ({};v), then ({};⟦e⟧) ({};⟦v⟧).
Monadic Type System for Resources
Technique extends beyond regions to many other kinds of resources.
“The technique statically guarantees that neither a file handle nor any computation involving the handle can leak outside of the region that created it. Therefore, the handle can be safely closed (and its resources disposed of) whenever control leaves the corresponding withFile block. Many handles can be open simultaneously; the type system enforces the proper nesting of their regions. … It trivially generalizes to database IO and other kinds of IO.”
[Kiselyov ’06, Haskell Mailing List]
Limitations of Nested Lifetimes
Nested lifetimes are ill-suited for
– iterative computations: Conway’s Game of Life; copying GC
– CPS-based computations
– event-based computations
fun loop [] (d :: ref data) =
  …
  d’ = next [] (d) // create new data
  …
  loop [] (d’) // never access old data
All versions of data in the same region
fun loop [] (d :: ref data) =
  letregion ’ in {
    d’ = next [’] (d) // create new data
    …
    loop [’] (d’) // never access old data
  }
Data in different regions, but can’t deallocate any region until loop completes
fun loop [] (d :: ref data) =
  ’ = newRgn
  d’ = next [’] (d) // create new data
  freeRgn
  loop [’] (d’) // never access old data
Must ensure that the freed region is not accessed after freeRgn
Is there a more expressive type system that supports these idioms?
Substructural Type System for Regions
Exploit linearity to control access to region
Key insights:
– Separate region name from region liveness
– Region liveness witnessed by types
– Sufficient for encoding monadic type system
Substructural Type Systems
Exploit linearity to control access to region
Provide core mechanisms to manage the number of uses of data and operations
– linear (L): used exactly one time; no other copies or aliases
– unrestricted (U): used an arbitrary number of times; possibly other copies or aliases
Languages: Clean, Vault, Sing#
Substructural Type System for Regions
cap
– proof that the region is live; capability to destroy region and to allocate in and read from region; treated linearly: exactly one capability per region
Substructural Type System for Regions
Adopt substructural type system
– type structure
q ::= U | L
::= Int | 1 2 | 1 ⊸ 2 | ∀. | ∃. | cap | ref | hnd | ∀. | ∃.
::= q
– type judgment
⊢ e :
– How may the value be used? (the type’s structure) How often may the value be used? (the qualifier q)
Substructural Type System for Regions
Regions are created and destroyed with separate operations
newRgn :: U(U1 ⊸ L(∃. L(Lcap Uhnd )))
freeRgn :: U∀. U(L(Lcap Uhnd ) ⊸ U1)
– newRgn produces a new capability
– freeRgn consumes a capability
Substructural Type System for Regions
newRef :: U∀,. U(L(Lcap Uhnd U) ⊸ L(Lcap Uref U))
readRef :: U∀,. U(L(Lcap Uref U) ⊸ L(Lcap U))
– each requires a capability (the Lcap in the argument)
– each returns a capability (the Lcap in the result)
Substructural Type System for Regions
fun loop [] (ca :: Lcap , h :: Uhnd , d :: ref data) =
  ⟨’, (c’z :: Lcap ’, h’ :: Uhnd ’)⟩ = newRgn
  (cb :: Lcap , c’y :: Lcap , d’) = next [’] (ca, c’z, h’, d)
  freeRgn [] (cb, h)
  loop [’] (c’y, h’, d’)
Is the substructural type system as expressive as the monadic type system?
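The newRgn/freeRgn loop above, as an added Rust example that is not code from the slides: Rust's ownership stands in for the linear capability, so the region value is consumed by free_rgn and cannot be touched afterwards, while refs and handles stay unrestricted. The arena layout, the index-based refs and the one-dimensional XOR automaton used as `next` are this example's own choices.

```rust
// Added example (not from the slides): the newRgn/freeRgn loop with Rust ownership
// standing in for the linear capability. Owning a `Region` value is `cap rho`:
// `free_rgn` consumes it, so the old region cannot be touched afterwards, while
// refs are plain indices. The arena layout and the XOR automaton used as `next`
// are this example's own choices.

#[derive(Default)]
pub struct Region { cells: Vec<u8> } // one region per generation of data

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct DataRef { start: usize, len: usize } // `ref rho data`, relative to its region

pub fn new_rgn() -> Region { Region::default() } // produces the capability
pub fn free_rgn(cap: Region) { drop(cap); }      // consumes it: bulk deallocation

// newRef: allocate a copy of `bytes` in the region the capability names.
pub fn new_ref(cap: &mut Region, bytes: &[u8]) -> DataRef {
    let start = cap.cells.len();
    cap.cells.extend_from_slice(bytes);
    DataRef { start, len: bytes.len() }
}

// readRef: needs the capability of the region the ref points into.
pub fn read_ref<'r>(cap: &'r Region, d: DataRef) -> &'r [u8] {
    &cap.cells[d.start..d.start + d.len]
}

// next [rho'] (d): read generation d from the old region and allocate the next
// generation in the new one; each cell becomes the XOR of its two neighbours.
pub fn next_gen(old: &Region, d: DataRef, new: &mut Region) -> DataRef {
    let cur = read_ref(old, d);
    let gen: Vec<u8> = (0..cur.len())
        .map(|i| {
            let l = if i == 0 { 0 } else { cur[i - 1] };
            let r = if i + 1 == cur.len() { 0 } else { cur[i + 1] };
            l ^ r
        })
        .collect();
    new_ref(new, &gen)
}

// The loop from the slides: create rho', compute into it, free rho, recurse.
// After `free_rgn(cap)` the binding `cap` is moved out, and the only way to
// dereference `d` was through it, so the old data is unreachable by construction.
pub fn run_loop(steps: usize, cap: Region, d: DataRef) -> (Region, DataRef) {
    if steps == 0 {
        return (cap, d);
    }
    let mut cap2 = new_rgn();              // rho' = newRgn
    let d2 = next_gen(&cap, d, &mut cap2); // d' = next [rho'] (d)
    free_rgn(cap);                         // freeRgn rho
    run_loop(steps - 1, cap2, d2)          // loop [rho'] (d')
}

// Run `steps` generations from `initial` and return the final generation.
pub fn simulate(initial: &[u8], steps: usize) -> Vec<u8> {
    let mut cap = new_rgn();
    let d = new_ref(&mut cap, initial);
    let (cap, d) = run_loop(steps, cap, d);
    read_ref(&cap, d).to_vec()
}
```

Each iteration holds at most two regions alive, the old and the new generation, which is what the lexically scoped letregion version could not achieve: there every region stays allocated until the whole loop returns. Adding a use of `cap` after `free_rgn(cap)` in `run_loop` is rejected by the compiler, which is the compile-time analogue of the linear capability check.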
July 27, 2006 112
Translation: Monadic to Substruct, Types
⟦ RGN ⟧ = U( ⊸ L( ⟦⟧))
– operational behavior of monad is store-passing; stack of regions represented by tuple of capabilities
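The store-passing reading of RGN given above, together with the RGN monad operations from the earlier slides (returnRGN, thenRGN, newRef, readRef, letRGN, runRGN), as an added Rust example that is not part of the slides or the thesis. It threads the stack of regions through every computation as an explicit value. Rust has no rank-2 polymorphism, so the escape guarantees that the types of letRGN and runRGN give statically are replaced here by runtime checks; those checks report exactly the WRONG behaviours listed under Disadvantages (reading through a dangling reference, allocating in a destroyed region). The names Rgn, Stack, Hnd, Ref, RgnError and the Result layer are this example's assumptions.

```rust
// Added example (not from the slides or Fluet's formal development): the RGN monad
// realised by the store-passing encoding, the stack of regions threaded as a value.
// Names (Rgn, Stack, Hnd, Ref, RgnError) and the Result layer are this example's own.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum RgnError {
    DanglingRead(u64),     // readRef on a region that has been destroyed
    AllocInDestroyed(u64), // newRef through the handle of a destroyed region
}
pub struct Region { id: u64, cells: Vec<i64> } // the objects allocated in one region
#[derive(Default)]
pub struct Stack { regions: Vec<Region>, next_id: u64 } // theta: the stack of regions
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Hnd { id: u64 } // Hnd theta: handle for the region on top of the stack
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Ref { id: u64, slot: usize } // Ref theta tau: an object in some region of the stack

// [[RGN theta tau]] = theta -o (theta (x) tau): a computation consumes the stack and hands
// it back with the result. The Result layer reports what a well-typed program never does.
pub struct Rgn<A>(Box<dyn FnOnce(Stack) -> Result<(Stack, A), RgnError>>);

// returnRGN: monadic unit.
pub fn return_rgn<A: 'static>(a: A) -> Rgn<A> {
    Rgn(Box::new(move |s: Stack| Ok((s, a))))
}

// thenRGN: monadic bind; the stack returned by `m` is passed on to `k`.
pub fn then_rgn<A: 'static, B: 'static>(m: Rgn<A>, k: impl FnOnce(A) -> Rgn<B> + 'static) -> Rgn<B> {
    Rgn(Box::new(move |s: Stack| -> Result<(Stack, B), RgnError> {
        let (s, a) = (m.0)(s)?;
        (k(a).0)(s)
    }))
}

// newRef: allocate in the region named by the handle.
pub fn new_ref(h: Hnd, v: i64) -> Rgn<Ref> {
    Rgn(Box::new(move |mut s: Stack| -> Result<(Stack, Ref), RgnError> {
        let region = s.regions.iter_mut().find(|r| r.id == h.id)
            .ok_or(RgnError::AllocInDestroyed(h.id))?;
        region.cells.push(v);
        let slot = region.cells.len() - 1;
        Ok((s, Ref { id: h.id, slot }))
    }))
}

// readRef: read an object; its region must still be on the stack.
pub fn read_ref(r: Ref) -> Rgn<i64> {
    Rgn(Box::new(move |s: Stack| -> Result<(Stack, i64), RgnError> {
        let region = s.regions.iter().find(|rg| rg.id == r.id).ok_or(RgnError::DanglingRead(r.id))?;
        let v = region.cells[r.slot];
        Ok((s, v))
    }))
}

// letRGN: push a fresh region, run the body with its handle, then pop the region,
// which bulk-deallocates everything allocated in it.
pub fn let_rgn<A: 'static>(body: impl FnOnce(Hnd) -> Rgn<A> + 'static) -> Rgn<A> {
    Rgn(Box::new(move |mut s: Stack| -> Result<(Stack, A), RgnError> {
        let id = s.next_id;
        s.next_id += 1;
        s.regions.push(Region { id, cells: Vec::new() });
        let (mut s, a) = (body(Hnd { id }).0)(s)?;
        let top = s.regions.pop().expect("region stack underflow");
        debug_assert_eq!(top.id, id); // lexical nesting: we pop exactly what we pushed
        Ok((s, a))
    }))
}

// runRGN: run on the empty stack, i.e. with no assumptions about the stack.
pub fn run_rgn<A>(m: Rgn<A>) -> Result<A, RgnError> {
    (m.0)(Stack::default()).map(|(_, a)| a)
}

// Proper nesting: allocate in the outer and the inner region, read both while both
// are live, return a plain Int (no region name in the result type). Gives Ok(42).
pub fn nested_demo() -> Result<i64, RgnError> {
    run_rgn(let_rgn(|h1| {
        then_rgn(new_ref(h1, 20), move |x| {
            let_rgn(move |h2| {
                then_rgn(new_ref(h2, 22), move |y| {
                    then_rgn(read_ref(x), move |vx| {
                        then_rgn(read_ref(y), move |vy| return_rgn(vx + vy))
                    })
                })
            })
        })
    }))
}

// A Ref escapes its letRGN and is read afterwards. letRGN's type forbids this statically
// (the result may not mention the inner stack); this untyped model reports a dangling read.
pub fn escaped_ref_demo() -> Result<i64, RgnError> {
    run_rgn(then_rgn(let_rgn(|h| new_ref(h, 7)), read_ref))
}

// A Hnd escapes its letRGN and is used to allocate: "allocating in a destroyed region".
pub fn escaped_hnd_demo() -> Result<Ref, RgnError> {
    run_rgn(then_rgn(let_rgn(|h| return_rgn(h)), |h| new_ref(h, 1)))
}
```

The third WRONG behaviour from the Disadvantages slide, destroying a region twice, has no runtime check here because let_rgn pops exactly the region it pushed; that is the lexical-scoping discipline the monadic system keeps and the substructural system relaxes with separate newRgn/freeRgn operations.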
July 27, 2006 115
Translation: Monadic to Substruct, Types
⟦ Pf(1 ⊆ 2) ⟧ = U(∃’. U( U(2 ⊸ L(1 ’)) U(L(1 ’) ⊸ 2) ))
               = U(∃’. Iso(2, L(1 ’)))
– Isomorphism between 2 and L(1 ’), for some “slack” ’
– Proof that 1 is a substack of 2 is persistent
– Existence of 1 and 2 is ephemeral
“Subtyping” in a substructural setting needs to handle what is being “forgotten”.
Translation: Monadic to Substruct
Type- and meaning-preserving translation from monadic to substruct
Theorems:
If ; ⊢ e : then ⟦⟧;⟦⟧ ⊢ ⟦e⟧ : U⟦⟧.
If ⊢prog e and ({};e) ({};v), then ({};⟦e⟧) ({};⟦v⟧).
Type Systems for Region-based Memory Management
Type-and-effect system
– effects pervasive in type system
– complicated proof of soundness
Monadic type system
– exploit parametric polymorphism (System F)
– simple type system; well-understood theory
Substructural type system
– exploit linearity to control access to region
– supports richer programming idioms
Application: Cyclone
Cyclone Safe-C Project
– http://cyclone.thelanguage.net/
– type-safe language: no buffer overflows, dangling pointers, format string attacks
– with the “virtues” of C: low-level interface with manifest cost model
– range of memory management options: regions are an organizing principle
Application: Cyclone, Regions
Region variety    | Allocation (objects) | Deallocation (what) | Deallocation (when)   | Aliasing (objects)
Stack             | static               | whole region        | exit of lexical scope | unrestricted
Lexical           | dynamic              | whole region        | exit of lexical scope | unrestricted
Dynamic           | dynamic              | whole region        | manual                | unrestricted
Dynamic seq.      | dynamic              | whole region        | manual                | unrestricted
Heap (`H)         | dynamic              | single objects      | automatic (BDW GC)    | unrestricted
Unique (`U)       | dynamic              | single objects      | manual                | restricted
Ref-counted (`RC) | dynamic              | single objects      | manual                | restricted
Proving type safety of Cyclone is a nightmare!!
My contribution: encode and unify the key features of Cyclone in a target language with simpler type system.
Future Work
For practical languages, witnesses and capabilities need to be less burdensome.
Encode results of region analyses
– Aiken et al. [PLDI’95], Henglein et al. [PPDP’01]
Modeling other language features
– Cyclone, CQual, Vault
Conclusion
[diagram: type-and-effect, monadic and substructural type systems for region-based memory management, within resource-conscious type systems]
Region-based memory management can be handled by novel uses of type systems
– Previous work introduced heavy-weight features in the type system exclusively for supporting regions
– This work introduces light-weight primitives, and reuses features of the type system to encode proper region behavior
Many insights apply to other resources
– encodings integrate features in language design
July 27, 2006 130
Translation: Type-and-effect to Monadic
Type- and meaning-preserving translation from type-and-effect to monadic
«letregion ,h in e¬ )
July 27, 2006 131
Translation: Type-and-effect to Monadic
Type- and meaning-preserving translation from type-and-effect to monadic
«letregion ,h in e¬ )
letRGN (.pf.h. «e¬)
July 27, 2006 132
Translation: Monadic to Substruct, Types
⟦ Hnd ⟧ = U(∃. U( U(∃’. Iso(, L(’ Lcap ))) Uhnd ))
⟦ Ref ⟧ = U(∃. U( U(∃’. Iso(, L(’ Lcap ))) Uref ⟦⟧))
– Existential fixes the region
– Isomorphism witnesses membership of the region in the stack
Translation: Monadic to Substruct, Prims
⟦ returnRGN [] [] e ⟧ =
  let res : ⟦⟧ = ⟦e⟧ in
  Ustk:. L⟨stk, res⟩
⟦ thenRGN [] [a] [b] e1 e2 ⟧ =
  let f : ⟦RGN a⟧ = ⟦e1⟧ in
  let g : ⟦a → RGN b⟧ = ⟦e2⟧ in
  Ustk:. let ⟨stk, res⟩ = f stk in g res stk
– Store-passing encoding
Translation: Monadic to Substruct, Prims
⟦ letRGN [1] [] e ⟧ =
  let f : ⟦∀2. Pf(1 ⊆ 2) → Hnd 2 → RGN 2 ⟧ = ⟦e⟧ in
  Ustk1:1.
    let pack(, ⟨cap, hnd⟩) = newRgn U⟨⟩ in
    let stk2 = L⟨stk1, cap⟩ in
    let id = Ustk: L(1 Lcap ). stk in
    let pwit = Upack(Lcap , U⟨id, id⟩) in
    let phnd = Upack(, U⟨Upack(1, U⟨id, id⟩), hnd⟩) in
    let ⟨stk2, res⟩ = f [L(1 Lcap )] pwit phnd stk2 in
    let ⟨stk1, cap⟩ = stk2 in
    let ⟨⟩ = freeRgn [] L⟨cap, hnd⟩ in
    L⟨stk1, res⟩
Translation: Monadic to Substruct, Prims
⟦ new [] [] eh e ⟧ =
  let phnd : ⟦Hnd ⟧ = ⟦eh⟧ in
  let x : ⟦⟧ = ⟦e⟧ in
  Ustk:.
    let pack(, ⟨pack(’, ⟨prj, inj⟩), hnd⟩) = phnd in
    let ⟨stk’, cap⟩ = prj stk in
    let ⟨cap, ref⟩ = new [] [⟦⟧] L⟨cap, hnd, x⟩ in
    let pref = Upack(, U⟨Upack(’, U⟨prj, inj⟩), ref⟩) in
    let stk = inj L⟨stk’, cap⟩ in
    L⟨stk, pref⟩
July 27, 2006 146
Type Systems for Regions
Polymorphic(System F)
Monadic
Type-and-Effect
Linear Substructural