Typed Memory Management in a Calculus of Capabilities - PowerPoint PPT Presentation

About This Presentation
Title:

Typed Memory Management in a Calculus of Capabilities

Description:

Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett) – PowerPoint PPT presentation

Slides: 24
Provided by: Stepha147
Learn more at: http://www.cs.cmu.edu
Transcript and Presenter's Notes

1
Typed Memory Management in a Calculus of Capabilities
  • David Walker
  • (with Karl Crary and Greg Morrisett)

2
The TAL Project
[Diagram of the TAL pipeline: stages Compile, Link and Verify; boxes labelled Code and Types for the compiled program, for the System Interface and for the GC.]
3
TAL Goals
  • Security
    • reduce the trusted computing base
  • Software Engineering
    • eliminate dynamic failure modes; use static checking
  • Flexibility
    • give programmers control over low-level details
    • admit varying compilation strategies

4
TAL Memory Management
  • Garbage Collection: behind-the-scenes cleanup
  • Problems
    • Complex code in the trusted computing base
    • Under-specified invariants link client and collector (type tags, pointer restrictions, etc.)
    • No control over memory management decisions
  • Java, PCC, SPIN, ECC also use GC

5
Regions (Tofte and Talpin)
  • Explicit but provably safe deallocation
  • Static error checking
  • Simple, constant-time routines
  • Regions are allocated on a stack
  • Objects are allocated into regions
  • Topmost regions are deallocated

6
Towards Region-Based TAL
High-level code:
  letrgn ρ in f () end ... more code          [region lifetime: the body of the letrgn]
Low-level code:
  CALL SITE: newrgn ρ; mov r, RET; jmp f
  RET:       freergn ρ; more code
  • Region lifetimes are unclear in low-level code
  • Optimizations break the LIFO allocation structure

7
Contributions
  • The Capability Calculus
    • A new statically-typed region-based intermediate language
    • A syntactic proof of soundness
  • Typed Assembly Language with primitives for safely allocating and freeing regions
  • A translation from a variant of the Tofte-Talpin framework

8
A New Perspective
[Diagram: the static capabilities {ρ1, ρ2} shown alongside the regions ρ1 and ρ2, with x stored in ρ2. After "Free region r1" the static capability is {ρ2}; region ρ1 is no longer accessible, and x remains in ρ2.]
9
The Capability Calculus
  • A continuation-passing style language
    e ::= let d in e | v[τ1,...,τm](v1,...,vn) | ...
  • With declarations for separate allocation and deallocation of regions
    d ::= newrgn ρ | freergn ρ | x = v at ρ | ...

10
Types
  • Types: ints, tuples, polymorphic functions
    ⟨τ1,...,τn⟩ at ρ
    ∀Δ.(C, τ1,...,τn) → 0 at ρ
  • Capabilities: the collection of regions currently accessible
    C ::= Ø | ε | {ρ} | C1 ⊕ C2    (first try)

11
An Example
  • Initial Capability C = Ø
  • let newrgn r1              C = {r1}
  •     newrgn r2              C = {r1, r2}
  •     x = ⟨2,3⟩ at r1        r1 ok
  •     y = ⟨x,4⟩ at r2        r2 ok
  •     freergn r1             C = {r2}
  •     z = π1 y               r2 ok
  •     w = π1 z               r1 not ok!
  • in ...

[Diagram: region r1 holds ⟨2,3⟩ and region r2 holds y = ⟨x,4⟩; after freergn r1 only r2 with y remains, so z (the first component of y, that is x in r1) no longer points into an accessible region.]
12
A Second Example
  • fun f[r1,r2]({r1,r2}, x : ⟨int⟩ at r2, ...).     C = {r1,r2}
  •   let freergn r1                                 C = {r2}
  •       z = π1 x                                   r2 ok
  •   in
  •   ...
  • C = {r}
  • f[r,r](⟨3⟩ at r, ...)                            instantiation causes r1 to alias r2
13
Aliasing
  • Safe revocation requires that all copies of a
    capability be deleted
  • Type instantiation creates aliases
  • No local analysis can detect these aliases

14
Previous Work
  • Linear Type Systems (Girard, Wadler, ...)
  • Syntactic Control of Interference (Reynolds)
  • These systems prevent aliasing; we need to track aliasing.

15
Alias Tracking
  • New capabilities {ρ^1} and {ρ^+}
  • {ρ^1} indicates ρ is unique
  • {ρ^+} indicates ρ is duplicatable
  • {ρ^+} = {ρ^+, ρ^+} but {ρ^1} ≠ {ρ^1, ρ^1}
  • {ρ^+, ρ^+} is good but {ρ^1, ρ^1} is bad

16
Safe Deallocation
  Capability C  --newrgn ρ-->  Capability C ⊕ {ρ^1}
  Capability C ⊕ {ρ^1}  --freergn ρ-->  Capability C
17
An Example Revisited
  fun f[r1,r2]({r1^1, r2^1}, x : ⟨int⟩ at r2, ...).    C = {r1^1, r2^1}: r1 unique
    let freergn r1                                      C = {r2^1}: r2 ok
        z = π1 x
    in ...
  C = {r^1}
  f[r,r](⟨3⟩ at r, ...)                                 No: {r^1} ≠ {r^1, r^1}
  C = {r3^1, r4^1}
  f[r3,r4](⟨3⟩ at r4, ...)                              Yes!
18
Subcapabilities
  • Duplicatable capabilities are necessary to make functions sufficiently polymorphic
  • Unique capabilities provide all of the privileges of duplicatable capabilities

  {ρ^1} ≤ {ρ^+}
19
Using Subcapabilities
  fun g[r1,r2]({r1^+, r2^+}, x : ⟨int⟩ at r1, y : ⟨int⟩ at r2, ...).    neither region is deallocated
  Current Capability: {r^1}
  let x = ⟨3⟩ at r in g[r,r](x, x, ...)                                   ok: {r^1} ≤ {r^+} = {r^+, r^+}
20
Final Pieces
  • Solution: bounded quantification

  allocate regions: grants unique capabilities ...
  jump to f: lose some privileges ({ρ^1} ≤ {ρ^+}) ...
  deallocate regions: requires unique capabilities, but we've given them up ...
21
BQ Example
  let newrgn r                                            capability C = {r^1} ...
      f : ∀[r1, r2, ε ≤ {r1^+, r2^+}].(ε, ..., (ε, ...) → 0 at r1) → 0 at r ...
      cont : ({r^1}, ...) → 0 at r                         frees region r
  in f[r, r, {r^1}](..., cont)                             ok: {r^1} ≤ {r^+} = {r^+, r^+}
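The checks walked through on slides 11, 12, 17, 19 and 21 can be mechanised in a few dozen lines. The following toy checker is an added example, not code from the slides or from the Capability Calculus paper: it tracks the current capability C through a declaration sequence, distinguishes unique ({r^1}) from duplicatable ({r^+}) entries, checks the subcapability relation at call sites, and checks a bounded capability variable (ε on slide 21) against its bound after substituting the actual regions. The declaration tuples, the function-table layout, the `check`/`subcap`/`substitute` names and the `track_uniqueness=False` switch (which reproduces the slide-10 "first try" where capabilities are plain sets) are all my own assumptions; the slide-11 sequence and the f/g types are transcribed from the slides above.

```python
# Added example (not code from the slides or from the Capability Calculus
# paper): a toy checker for the discipline of slides 10-21. A region is a
# string; a capability is a list of (region, mark) pairs, mark "1" = unique,
# "+" = duplicatable, "var" = a capability variable such as eps (slide 21).
from collections import Counter

def normalize(cap):
    # {r+, r+} = {r+}, but {r1, r1} stays two entries (slide 15)
    return (Counter(r for r, m in cap if m == "1"), {r for r, m in cap if m == "+"})

def fmt(cap):
    return "{" + ", ".join(f"{r}^{m}" for r, m in cap) + "}"

def subcap(have, want, track_uniqueness=True):
    """have <= want (slide 18): every unique entry wanted needs its own unique
    entry in `have`; a duplicatable entry only needs the region to be present.
    track_uniqueness=False is the slide-10 "first try": plain sets, no aliasing check."""
    hu, hd = normalize(have)
    wu, wd = normalize(want)
    if not track_uniqueness:
        return (set(hu) | hd) >= (set(wu) | wd)
    if any(hu[r] < n for r, n in wu.items()):
        return False
    return all(r in hu or r in hd for r in wd)

def substitute(cap, formals, actuals):
    """Instantiate formals: f[r, r] turns {r1^1, r2^1} into {r^1, r^1} (slide 12)."""
    s = dict(zip(formals, actuals))
    out = []
    for r, m in cap:
        if m == "var":                         # capability variable: splice in the actual capability
            out.extend(s[r])
        else:
            out.append((s.get(r, r), m))
    return out

def check(decls, funcs=None, initial_cap=(), initial_env=None, track_uniqueness=True):
    """Walk declarations with the current capability C; returns (accepted, trace)."""
    funcs, cap, env, trace = funcs or {}, list(initial_cap), dict(initial_env or {}), []
    accessible = lambda r: subcap(cap, [(r, "+")], track_uniqueness)
    for kind, *args in decls:
        if kind == "newrgn":                   # grants a unique capability (slide 16)
            cap.append((args[0], "1"))
            trace.append(f"newrgn {args[0]}: C = {fmt(cap)}")
        elif kind == "freergn":                # needs a unique capability (slide 16)
            r = args[0]
            if not subcap(cap, [(r, "1")], track_uniqueness):
                return False, trace + [f"freergn {r}: {r} not unique in C = {fmt(cap)}"]
            cap = [(q, m) for q, m in cap if q != r]
            trace.append(f"freergn {r}: C = {fmt(cap)}")
        elif kind == "alloc":                  # x = <comps> at r
            x, r, comps = args
            if not accessible(r):
                return False, trace + [f"{x} at {r}: {r} not ok!"]
            env[x] = (r, list(comps))
            trace.append(f"{x} at {r}: {r} ok")
        elif kind == "proj":                   # x = pi_i y: x aliases y's i-th component
            x, y, i = args
            r, comps = env[y]
            if not accessible(r):
                return False, trace + [f"{x} = pi{i} {y}: {r} not ok!"]
            env[x] = env[comps[i - 1]] if isinstance(comps[i - 1], str) else (None, [])
            trace.append(f"{x} = pi{i} {y}: {r} ok")
        elif kind == "call":                   # f[actuals](...): C <= f's instantiated capability
            f, actuals = args
            formals, bounds, need = funcs[f]
            s = dict(zip(formals, actuals))
            for v, bound in bounds.items():    # slide 21: eps <= bound, bound instantiated first
                if not subcap(s[v], substitute(bound, formals, actuals), track_uniqueness):
                    return False, trace + [f"{f}: instantiation of {v} violates its bound"]
            need = substitute(need, formals, actuals)
            if not subcap(cap, need, track_uniqueness):
                return False, trace + [f"{f}: C = {fmt(cap)} is not a subcapability of {fmt(need)}"]
            trace.append(f"{f}: ok, callee gets {fmt(need)}")
    return True, trace

FUNCS = {   # name -> (formal region/capability variables, bounds, required capability)
    "f": (["r1", "r2"], {}, [("r1", "1"), ("r2", "1")]),                                  # slides 12/17
    "g": (["r1", "r2"], {}, [("r1", "+"), ("r2", "+")]),                                  # slide 19
    "f_bq": (["r1", "r2", "eps"], {"eps": [("r1", "+"), ("r2", "+")]}, [("eps", "var")]),  # slide 21
}
SLIDE_11 = [("newrgn", "r1"), ("newrgn", "r2"), ("alloc", "x", "r1", [2, 3]), ("alloc", "y", "r2", ["x", 4]),
            ("freergn", "r1"), ("proj", "z", "y", 1), ("proj", "w", "z", 1)]

def slide_11():               # rejected at w = pi1 z: z is x, which lives in the freed r1
    return check(SLIDE_11)

def slide_12_body():          # f's body is fine on its own: r1 and r2 are distinct formals
    return check([("freergn", "r1"), ("proj", "z", "x", 1)], FUNCS,
                 [("r1", "1"), ("r2", "1")], {"x": ("r2", [3])})

def slide_12_call(track):     # f[r, r] with C = {r^1}: the first try accepts, tracking rejects
    return check([("call", "f", ["r", "r"])], FUNCS, [("r", "1")], track_uniqueness=track)

def slide_17_distinct():      # f[r3, r4] with C = {r3^1, r4^1}: accepted
    return check([("call", "f", ["r3", "r4"])], FUNCS, [("r3", "1"), ("r4", "1")])

def slide_19():               # g[r, r] with C = {r^1}: {r^1} <= {r^+} = {r^+, r^+}
    return check([("alloc", "x", "r", [3]), ("call", "g", ["r", "r"])], FUNCS, [("r", "1")])

def slide_21():               # f_bq[r, r, {r^1}]: {r^1} <= bound {r^+}, and f_bq receives {r^1}
    return check([("newrgn", "r"), ("call", "f_bq", ["r", "r", [("r", "1")]])], FUNCS)
```

Two things the slides state become visible when the checker runs. With `track_uniqueness=False` the call `f[r, r]` is accepted because `{r, r}` collapses to `{r}`, even though f's body (checked once, with r1 and r2 distinct) frees r1 and then reads through r2: this is exactly the aliasing of slide 13 that no local analysis can see. With uniqueness tracked, `{r^1} ≤ {r^1, r^1}` fails because the caller holds only one unique entry for r, while `g[r, r]` still passes because `{r^+, r^+} = {r^+}`. In the slide-21 case the bound `ε ≤ {r1^+, r2^+}` is checked only after the actual regions are substituted, so it reads `{r^1} ≤ {r^+}`; the callee then receives `{r^1}` itself rather than a weakened copy, which is what lets the continuation `cont` free r afterwards.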
22
Related Work
  • Region inference
    • Tofte and Talpin (PoPL 94)
    • Aiken et al. (PoPL 95)
    • Birkedal et al. (PoPL 96)
    • ML Kit with regions
  • Effect Systems, Monads
  • Linear Types, Syntactic Control of Interference

23
Summary
  • Capabilities govern access to sensitive data
  • We control capability aliasing by tracking uniqueness information
  • The result: flexible and provably safe deallocation