Title: Typed Memory Management in a Calculus of Capabilities
1. Typed Memory Management in a Calculus of Capabilities
- David Walker
- (with Karl Crary and Greg Morrisett)
2. The TAL Project
[Diagram: the TAL pipeline with Compile, Link and Verify stages; the components shown are the compiled Code with its Types, the System Interface (Code and Types), and the GC (Code and Types).]
3. TAL Goals
- Security
  - reduce the trusted computing base
- Software Engineering
  - eliminate dynamic failure modes; use static checking
- Flexibility
  - give programmers control over low-level details
  - admit varying compilation strategies
4. TAL Memory Management
- Garbage Collection: behind-the-scenes cleanup
- Problems
  - Complex code in the trusted computing base
  - Under-specified invariants link client and collector (type tags, pointer restrictions, etc.)
  - No control over memory management decisions
- Java, PCC, SPIN, ECC also use GC
5. Regions (Tofte and Talpin)
- Explicit but provably safe deallocation
- Static error checking
- Simple, constant-time routines
- Regions are allocated on a stack
- Objects are allocated into regions
- Topmost regions are deallocated
6. Towards Region-Based TAL
High-level code:
    letrgn ρ in f() end
    ... more code

Low-level code:
    CALL SITE:  newrgn ρ
                mov r, RET
                jmp f
    RET:        freergn ρ
                ... more code
(the region's lifetime runs from newrgn ρ at the call site to freergn ρ at RET)
- Region lifetimes are unclear in low-level code
- Optimizations break the LIFO allocation structure
7. Contributions
- The Capability Calculus
  - A new statically-typed region-based intermediate language
  - A syntactic proof of soundness
- Typed Assembly Language with primitives for safely allocating and freeing regions
- A translation from a variant of the Tofte-Talpin framework
8. A New Perspective
[Diagram: static capabilities {ρ1, ρ2} drawn beside the regions ρ1 and ρ2 (ρ1 holding an object x); after "Free region r1" only the capability ρ2 remains.]
9. The Capability Calculus
- A continuation-passing style language
    e ::= let d in e | v[τ1,...,τm](v1,...,vn) | ...
- With declarations for separate allocation and deallocation of regions
    d ::= newrgn ρ | freergn ρ | x = v @ ρ | ...
10. Types
- Types: ints, tuples, polymorphic functions
    τ ::= int | <τ1,...,τn> @ ρ | ∀Δ.(C, τ1,...,τn) → 0 @ ρ
- Capabilities: the collection of regions currently accessible
    C ::= ∅ | ε | ρ | C1 ⊕ C2        (first try)
11. An Example
- Initial capability: C = ∅
- let newrgn r1              C = {r1}
      newrgn r2              C = {r1, r2}
      x = <2,3> @ r1         r1 ok
      y = <x,4> @ r2         r2 ok
      freergn r1             C = {r2}
      z = π1 y               r2 ok
      w = π1 z               r1 not ok!
  in ...
[Diagram: heap picture with region r1 holding x = <2,3> and region r2 holding y = <x,4>; after freergn r1 only r2 with y = <x,4> remains, and z still points into the freed r1.]
12. A Second Example
- fun f[r1,r2]({r1,r2}, x:<int>@r2, ...).
    let freergn r1           C = {r1, r2} becomes C = {r2}
        z = π1 x             r2 ok
    in ...
- Call site with C = {r}:
    f[r,r](<3>@r, ...)
- Instantiation causes r1 to alias r2: with r1 = r2 = r, freergn r1 frees r, and z = π1 x then reads the freed region even though the body checked "r2 ok".
13. Aliasing
- Safe revocation requires that all copies of a capability be deleted
- Type instantiation creates aliases
- No local analysis can detect these aliases
14. Previous Work
- Linear Type Systems (Girard, Wadler, ...)
- Syntactic Control of Interference (Reynolds)
- These systems prevent aliasing; we need to track aliasing.
15. Alias Tracking
- New capabilities ρ¹ and ρ⁺
  - ρ¹ indicates ρ is unique
  - ρ⁺ indicates ρ is duplicatable
- ρ⁺ = ρ⁺, ρ⁺  but  ρ¹ ≠ ρ¹, ρ¹
- {ρ⁺, ρ⁺} is good but {ρ¹, ρ¹} is bad
16. Safe Deallocation
    Capability C          ── newrgn ρ ──→   Capability C ⊕ {ρ¹}
    Capability C ⊕ {ρ¹}   ── freergn ρ ──→  Capability C
17. An Example Revisited
- fun f[r1,r2]({r1¹, r2¹}, x:<int>@r2, ...).
    let freergn r1           C = {r1¹, r2¹}: r1 unique, so C = {r2¹}
        z = π1 x             r2 ok
    in ...
- Call with C = {r¹}:        f[r,r](<3>@r, ...)        No: {r¹} ≠ {r¹, r¹}
- Call with C = {r3¹, r4¹}:  f[r3,r4](<3>@r4, ...)     Yes!
18. Subcapabilities
- Duplicatable capabilities are necessary to make functions sufficiently polymorphic
- Unique capabilities provide all of the privileges of duplicatable capabilities
    r¹ ≤ r⁺
19. Using Subcapabilities
- fun g[r1,r2]({r1⁺, r2⁺}, x:<int>@r1, y:<int>@r2, ...).     neither region is deallocated
- Current capability {r¹}:
    let x = <3>@r in g[r,r](x, x, ...)      ok
  since {r¹} ≤ {r⁺} = {r⁺, r⁺}
20. Final Pieces
- Allocating regions grants unique capabilities ...
- Jumping to f loses some privileges: r¹ ≤ r⁺ ...
- Deallocating regions requires unique capabilities, but we've given them up ...
- Solution: bounded quantification
21. BQ Example
- let newrgn r                                       capability C = {r¹}
  ...
  f : ∀[r1, r2, ε ≤ {r1⁺, r2⁺}].(ε, ..., (ε, ...) → 0 @ r1) → 0 @ r
  ...
  cont : ({r¹}, ...) → 0 @ r                         frees region r
  in f[r, r, {r¹}](..., cont)                        ok
  since {r¹} ≤ {r⁺} = {r⁺, r⁺}
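The checks behind slides 11 through 21, as an added worked example in Python. This is not code from the paper or from the TAL project: the list-of-pairs encoding of capabilities, the `check_decls`, `call` and `bounded_call` helpers, the rule that a unique entry must be the only entry for its region, and the modelling of the slides' "first try" as all-duplicatable capabilities with a `freergn` that needs no uniqueness are all assumptions of this toy model.

```python
"""Toy checker for the capability calculus on these slides (added example,
not code from Walker, Crary and Morrisett). A capability is a list of
(region, multiplicity) pairs: '1' for rho^1 (unique), '+' for rho^+
(duplicatable). A type is 'int' or ('tuple', [types], region). Treating a
unique entry as the only entry for its region, and modelling the "first try"
as all-'+' capabilities whose freergn needs no uniqueness, are simplifying
assumptions of this model, not the paper's formal rules."""


class CapError(Exception):
    """A declaration or call the checker rejects."""


def normalize(cap):
    """Apply rho^+ = rho^+,rho^+ and reject rho^1 beside any other rho entry."""
    by_region = {}
    for rho, mult in cap:
        by_region.setdefault(rho, []).append(mult)
    out = []
    for rho, mults in by_region.items():
        if '1' in mults and len(mults) > 1:
            raise CapError(f"{rho}^1 is unique but {rho} occurs {len(mults)} times")
        out.append((rho, '1' if mults == ['1'] else '+'))
    return sorted(out)


def subcap(have, need):
    """have <= need, using rho^1 <= rho^+ (uniqueness grants every privilege
    of duplicatability, never the reverse)."""
    have, need = dict(normalize(have)), dict(normalize(need))
    return all(r in have and (m == '+' or have[r] == '1') for r, m in need.items())


def check_decls(cap, env, decls, unique_free=True):
    """Check a `let` sequence; return the final (capability, environment)."""
    cap, env = list(cap), dict(env)
    for d in decls:
        if d[0] == 'newrgn':                       # newrgn rho grants rho^1
            if any(r == d[1] for r, _ in cap):
                raise CapError(f"{d[1]} is already allocated")
            cap = normalize(cap + [(d[1], '1')])
        elif d[0] == 'freergn':                    # freergn rho consumes rho^1
            have = dict(normalize(cap))
            if d[1] not in have or (unique_free and have[d[1]] != '1'):
                raise CapError(f"freergn {d[1]}: need {d[1]}^1, have {cap}")
            cap = [(r, m) for r, m in cap if r != d[1]]
        elif d[0] == 'tuple':                      # x = <v1,...,vn> @ rho
            _, x, vals, rho = d
            if not subcap(cap, [(rho, '+')]):
                raise CapError(f"cannot allocate in {rho}: have {cap}")
            env[x] = ('tuple', ['int' if isinstance(v, int) else env[v] for v in vals], rho)
        elif d[0] == 'proj':                       # x = pi_i y
            _, x, i, y = d
            t = env[y]
            if t == 'int' or not subcap(cap, [(t[2], '+')]):
                raise CapError(f"{y} is not a tuple in an accessible region: {t}")
            env[x] = t[1][i - 1]
    return cap, env


def call(cap, formals, formal_cap, actuals):
    """f[actuals]: substitute regions into f's capability and require cap <= it."""
    subst = dict(zip(formals, actuals))
    need = [(subst.get(r, r), m) for r, m in formal_cap]
    if not subcap(cap, need):
        raise CapError(f"have {cap}, need {need}")
    return need


def bounded_call(cap, bound, cap_arg):
    """f[..., eps](...) with eps <= bound: the caller picks eps = cap_arg, which
    must satisfy the bound, and the caller must hold at least cap_arg itself."""
    return subcap(cap_arg, bound) and subcap(cap, cap_arg)


# Slide 11: w = pi_1 z reads region r1 after freergn r1.
def first_example():
    decls = [('newrgn', 'r1'), ('newrgn', 'r2'), ('tuple', 'x', [2, 3], 'r1'),
             ('tuple', 'y', ['x', 4], 'r2'), ('freergn', 'r1'),
             ('proj', 'z', 1, 'y'), ('proj', 'w', 1, 'z')]
    try:
        check_decls([], {}, decls)
        return 'accepted'
    except CapError as e:
        return f'rejected: {e}'


# Slides 12 and 17: f[r1,r2](..., x:<int>@r2, ...) frees r1 and then reads x.
F_FORMALS = ['r1', 'r2']
F_BODY = [('freergn', 'r1'), ('proj', 'z', 1, 'x')]


def call_f_aliased(unique):
    """f[r, r](<3>@r, ...): unique=False is the first try, unique=True the fix."""
    mult = '1' if unique else '+'
    current = [('r', mult)]
    try:
        call(current, F_FORMALS, [('r1', mult), ('r2', mult)], ['r', 'r'])
    except CapError as e:
        return f'call rejected: {e}'
    body = [(d[0], 'r') if d[0] == 'freergn' else d for d in F_BODY]  # r1, r2 := r
    try:
        check_decls(current, {'x': ('tuple', ['int'], 'r')}, body, unique_free=unique)
        return 'call accepted, body safe'
    except CapError as e:
        return f'call accepted, but body unsafe: {e}'


if __name__ == '__main__':
    print(first_example())
    print(call_f_aliased(unique=False))
    print(call_f_aliased(unique=True))
    print('g[r,r] under {r^1}:', subcap([('r', '1')], [('r', '+'), ('r', '+')]))
```

Run stand-alone, the model reproduces the slides' verdicts: the first example is rejected at `w = π1 z`; in the first-try system the aliased call `f[r,r]` is accepted and only the instantiated body (with r1 = r2 = r) fails, i.e. the bug is detectable nowhere locally; with unique capabilities the call itself is rejected because `{r¹, r¹}` is not a capability, while `f[r3,r4]` under `{r3¹, r4¹}` still goes through. `subcap` encodes slide 19 (`{r¹} ≤ {r⁺} = {r⁺, r⁺}`), and `bounded_call` encodes slide 21: `f[r, r, {r¹}]` is accepted because `{r¹}` satisfies the bound `{r⁺, r⁺}`, so f can hand the unique `{r¹}` on to `cont`, whereas a function typed with only `{r⁺}` could not (`subcap([('r','+')], [('r','1')])` is False).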
22. Related Work
- Region inference
  - Tofte and Talpin (POPL 94)
  - Aiken et al. (POPL 95)
  - Birkedal et al. (POPL 96)
  - ML Kit with regions
- Effect Systems, Monads
- Linear Types, Syntactic Control of Interference
23. Summary
- Capabilities govern access to sensitive data
- We control capability aliasing by tracking uniqueness information
- The result: flexible and provably safe deallocation