Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.

Slides:



Advertisements
Similar presentations
Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Advertisements

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
Names and Bindings.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Portability and Safety Mahdi Milani Fard Dec, 2006 Java.
Lecture 10: Heap Management CS 540 GMU Spring 2009.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
1 Objects and ClassesStefan Kluth 1.6Objects and Classes 1.6What is an Object? 1.7Objects and Classes 1.8Object Interface, Class Inheritance, Polymorphism.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
CPSC 388 – Compiler Design and Construction
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
ISBN Chapter 11 Abstract Data Types and Encapsulation Concepts.
© Andy Wellings, 2004 Roadmap  Introduction  Concurrent Programming  Communication and Synchronization  Completing the Java Model  Overview of the.
Ownership Types for Safe Programming: Preventing Data Races and Deadlocks Chandrasekhar Boyapati Robert Lee Martin Rinard Laboratory for Computer Science.
Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.
OOP in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Chandrasekhar Boyapati Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Programming.
Ownership Types for Object Encapsulation Barbara Liskov Chandrasekhar Boyapati Liuba Shrira Laboratory for Computer Science Massachusetts Institute of.
Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.
A Type System for Preventing Data Races and Deadlocks in the Java Virtual Machine Language Pratibha Permandla Michael Roberson Chandrasekhar Boyapati University.
Active Messages: a Mechanism for Integrated Communication and Computation von Eicken et. al. Brian Kazian CS258 Spring 2008.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Compile-Time Deallocation of Individual Objects Sigmund Cherem and Radu Rugina International Symposium on Memory Management June, 2006.
A Type System for Expressive Security Policies David Walker Cornell University.
Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&T), Michael Hicks,
A Parameterized Type System for Race-Free Java Programs Chandrasekhar Boyapati Martin Rinard Laboratory for Computer Science Massachusetts Institute of.
Lecture 9 Concepts of Programming Languages
Advanced Type Systems for Low-Level Languages Greg Morrisett Cornell University.
Names and Bindings Introduction Names Variables The concept of binding Chapter 5-a.
0wn3rship Types John Whaley CS343 Stanford University May 19, 2004.
Abstract Data Types and Encapsulation Concepts
Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631.
Memory Management for Real-Time Java Wes Beebee and Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology Supported by: DARPA.
C o n f i d e n t i a l Developed By Nitendra NextHome Subject Name: Data Structure Using C Title: Overview of Data Structure.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
1 Chapter 5: Names, Bindings and Scopes Lionel Williams Jr. and Victoria Yan CSci 210, Advanced Software Paradigms September 26, 2010.
Secure Virtual Architecture John Criswell, Arushi Aggarwal, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve University of Illinois at Urbana-Champaign.
OOPs Object oriented programming. Based on ADT principles  Representation of type and operations in a single unit  Available for other units to create.
Flex Compiler Compiler Case Study By Mee Ka Chang.
An Adaptive, Region-based Allocator for Java Feng Qian, Laurie Hendren {fqian, Sable Research Group School of Computer Science McGill.
Real-Time Java on JOP Martin Schöberl. Real-Time Java on JOP2 Overview RTSJ – why not Simple RT profile Scheduler implementation User defined scheduling.
Chapter 3.5 Memory and I/O Systems. 2 Memory Management Memory problems are one of the leading causes of bugs in programs (60-80%) MUCH worse in languages.
Existential Quantification for Variant Ownership Nicholas Cameron Sophia Drossopoulou Imperial College London (Victoria University of Wellington)‏
Component Composition for Embedded Systems Using Semantic Aspect-Oriented Programming Martin Rinard Laboratory for Computer Science Massachusetts Institute.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM
ISBN Chapter 11 Abstract Data Types and Encapsulation Concepts.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University IWPSE 2003 Program.
Combining Garbage Collection and Safe Manual Memory Management Michael Hicks University of Maryland, College Park Joint work with Greg Morrisett - Harvard,
11th Nov 2004PLDI Region Inference for an Object-Oriented Language Wei Ngan Chin 1,2 Joint work with Florin Craciun 1, Shengchao Qin 1,2, Martin.
Object-Oriented Programming Chapter Chapter
Concepts of programming languages Chapter 5 Names, Bindings, and Scopes Lec. 12 Lecturer: Dr. Emad Nabil 1-1.
ISBN Chapter 11 Abstract Data Types and Encapsulation Concepts.
Pointer and Escape Analysis for Multithreaded Programs Alexandru Salcianu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology.
GC Assertions: Using the Garbage Collector To Check Heap Properties Samuel Z. Guyer Tufts University Edward Aftandilian Tufts University.
Introduction to Programming 1 1 2Introduction to Java.
Eliminating External Fragmentation in a Non-Moving Garbage Collector for Java Author: Fridtjof Siebert, CASES 2000 Michael Sallas Object-Oriented Languages.
Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.
Automatic Memory Management Without Run-time Overhead Brian Brooks.
Abstract Data Types and Encapsulation Concepts
Compositional Pointer and Escape Analysis for Java Programs
Lecture 9 Concepts of Programming Languages
Abstract Data Types and Encapsulation Concepts
Abstract Data Types and Encapsulation Concepts
Programming with Regions
자바 언어를 위한 정적 분석 (Static Analyses for Java) ‘99 한국정보과학회 가을학술발표회 튜토리얼
Object Encapsulation CSC 422 Dr. Spiegel.
Lecture 9 Concepts of Programming Languages
Presentation transcript:

Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar Boyapati Alexandru Salcianu William Beebee Martin Rinard

Ownership types Ownership types  Clarke et al. ( OOPSLA ’98 ) ( OOPSLA ’02 )  Boyapati et al. ( OOPSLA ’01 ) ( OOPSLA ’02 )  Boyapati et al. ( POPL ’03 ) ( OOPSLA ’03 )  Aldrich et al. ( OOPSLA ’02 ) Region types Region types  Tofte, Talpin ( POPL ’94 )  Christiansen et al. ( DIKU ’98 )  Crary et al. ( POPL ’99 )  Grossman et al. ( PLDI ’02 ) Unified type system for OO languages Unified type system for OO languages  Object encapsulation AND Memory safety  Foundation for enforcing other safety properties  Data race and deadlock freedom  Safe software upgrades  Safe real-time programming (Real-Time Java) Contribution (Object encapsulation) (Memory safety)

Talk Overview Type system for OO programs Type system for OO programs  Ownership types  Region types  Similarities  Unified type system Extensions for Real-Time Java Extensions for Real-Time Java Experience Experience

Ownership Types

data next head data next data next … … … Stack Node Data data next … Say Stack s is implemented with linked list Say Stack s is implemented with linked list

Ownership Types s Say Stack s is implemented with linked list Say Stack s is implemented with linked list

Ownership Types s o ~ ~ Say Stack s is implemented with linked list Say Stack s is implemented with linked list Outside objects must not access list nodes Outside objects must not access list nodes

Ownership Types Program can declare s owns list nodes Program can declare s owns list nodes System ensures list is encapsulated in s System ensures list is encapsulated in s s o ~ ~ Say Stack s is implemented with linked list Say Stack s is implemented with linked list Outside objects must not access list nodes Outside objects must not access list nodes

Region-Based Memory Management Region-Based Memory Management

Provides control over memory Provides control over memory  For efficiency  For predictability While ensuring memory safety While ensuring memory safety Region-Based Memory Management Region-Based Memory Management

Programs can create a region Programs can create a region Allocate objects in a region Allocate objects in a region Delete a region & free all objects in it Delete a region & free all objects in it Region-Based Memory Management Region-Based Memory Management

Programs can create a region Programs can create a region Allocate objects in a region Allocate objects in a region Delete a region & free all objects in it Delete a region & free all objects in it Region lifetimes are nested Region lifetimes are nested Region-Based Memory Management Region-Based Memory Management

Ensure memory safety Ensure memory safety Disallow pointers from outside to inside Disallow pointers from outside to inside Region Types Region Types ~ ~

Ownership types ensure object encapsulation Ownership types ensure object encapsulation Disallow pointers from outside to inside Disallow pointers from outside to inside Region types ensure memory safety Region types ensure memory safety Disallow pointers from outside to inside Disallow pointers from outside to inside Similarities

Unified Type System

Disallows pointers from outside to inside Disallows pointers from outside to inside Ensures object encapsulation Ensures object encapsulation Ensures memory safety Ensures memory safety Unified Type System

Every object has an owner Every object has an owner Owner can be another object or a region Owner can be another object or a region Ownership relation forms a forest of trees Ownership relation forms a forest of trees Unified Type System

An object owned by another object An object owned by another object  Is an encapsulated subobject of its owner Unified Type System

An object owned by another object An object owned by another object  Is an encapsulated subobject of its owner An object owned by a region An object owned by a region  Is allocated in that region Unified Type System

An object owned by another object An object owned by another object  Is an encapsulated subobject of its owner  Is allocated in the same region as its owner An object owned by a region An object owned by a region  Is allocated in that region Unified Type System

Programmers specify Programmers specify  Owner of every object  In types of variables pointing to objects Type checker statically verifies Type checker statically verifies  No pointers from outside to inside

class Stack { Node head; Node head; void push(Data data) {…} void push(Data data) {…} Data pop() {…} Data pop() {…}} class Node { Node next; Node next; Data data; Data data; …} Unified Type System data next head data next data next … … … Stack Node Data

class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;}

Unified Type System Classes are parameterized with owners First owner owns the corresponding object class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;}

class Stack  stackOwner, dataOwner  { Node , dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;} Unified Type System Stack owns the head Node

class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node , dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;} Unified Type System All Nodes have the same owner

Ownership Types for Safe Regions s is an encapsulated stack with encapsulated elements class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;} class Client { Stack  this, this  s; Stack  this, this  s;}

Unified Type System class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;}

Unified Type System class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;} (RegionHandle  r  h) { …} r is the region name. It is a compile time entity. h is the region handle. It is a runtime value.

Unified Type System Region r2 is nested inside region r1 class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;} (RegionHandle  r1  h1) { (RegionHandle  r2  h2) { (RegionHandle  r2  h2) { Stack  r1, r1  s1; Stack  r1, r1  s1; Stack  r2, r1  s2; Stack  r2, r1  s2;}}

Unified Type System class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;} (RegionHandle  r1  h1) { (RegionHandle  r2  h2) { (RegionHandle  r2  h2) { Stack  r1, r1  s1; Stack  r1, r1  s1; Stack  r2, r1  s2; Stack  r2, r1  s2;}} Stack and its elements are in the same region

Unified Type System class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;} (RegionHandle  r1  h1) { (RegionHandle  r2  h2) { (RegionHandle  r2  h2) { Stack  r1, r1  s1; Stack  r1, r1  s1; Stack  r2, r1  s2; Stack  r2, r1  s2;}} Stack and its elements are in different regions

Unified Type System class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;} (RegionHandle  r1  h1) { (RegionHandle  r2  h2) { (RegionHandle  r2  h2) { Stack  r1, r1  s1; Stack  r1, r1  s1; Stack  r2, r1  s2; Stack  r2, r1  s2; Stack  r1, r2  s3; // illegal Stack  r1, r2  s3; // illegal}} Scoping alone does not ensure safety in presence of subtyping First owner must be same as or nested in other owners

Other details Other details  Special regions  Garbage collected heap  Immortal region  Runtime provides  Region handle of most nested region  Region handle of an object  Type checker statically infers  If a region handle is in scope Unified Type System

Enforces object encapsulation Enforces object encapsulation  Boyapati, Liskov, Shrira ( POPL ’03 ) Enable safe region-based memory management Enable safe region-based memory management  Boyapati, Salcianu, Beebee, Rinard ( PLDI ’03 ) Prevents data races and deadlocks Prevents data races and deadlocks  Boyapati, Rinard ( OOPSLA ’01 )  Boyapati, Lee, Rinard ( OOPSLA ’02 ) Enables upgrades in persistent object stores Enables upgrades in persistent object stores  Boyapati, Liskov, Shrira, Moh, Richman ( OOPSLA ’03 ) Unified Type System

Talk Overview Unified type system for OO programs Unified type system for OO programs Extensions for Real-time Java Extensions for Real-time Java  Multithreaded programs  Real-time programs  Real-time Java programs Experience Experience

Regions for Multithreaded Programs Shared regions with reference counting Shared regions with reference counting  Grossman ( TLDI ’01 )

Regions for Multithreaded Programs Shared regions with reference counting Shared regions with reference counting  Grossman ( TLDI ’01 ) Sub regions within shared regions Sub regions within shared regions To avoid memory leaks in shared regions To avoid memory leaks in shared regions

Regions for Multithreaded Programs Shared regions with reference counting Shared regions with reference counting  Grossman ( TLDI ’01 ) Sub regions within shared regions Sub regions within shared regions To avoid memory leaks in shared regions To avoid memory leaks in shared regions ~ ~

Regions for Multithreaded Programs Shared regions with reference counting Shared regions with reference counting  Grossman ( TLDI ’01 ) Sub regions within shared regions Sub regions within shared regions To avoid memory leaks in shared regions To avoid memory leaks in shared regions Typed portal fields in sub regions Typed portal fields in sub regions To start inter-thread communication To start inter-thread communication

Regions for Multithreaded Programs Shared regions with reference counting Shared regions with reference counting  Grossman ( TLDI ’01 ) Sub regions within shared regions Sub regions within shared regions To avoid memory leaks in shared regions To avoid memory leaks in shared regions Typed portal fields in sub regions Typed portal fields in sub regions To start inter-thread communication To start inter-thread communication Region kinds to make it all work Region kinds to make it all work

Talk Overview Unified type system for OO programs Unified type system for OO programs Extensions for Real-time Java Extensions for Real-time Java  Multithreaded programs  Real-time programs  Real-time Java programs Experience Experience

Regions for Real-Time Programs Real-time (RT) threads with real-time constraints Real-time (RT) threads with real-time constraints RT threads cannot use garbage collected heap RT threads cannot use garbage collected heap RT threads can use immortal memory RT threads can use immortal memory RT threads can use regions RT threads can use regions

Regions for Real-Time Programs Real-time (RT) threads with real-time constraints Real-time (RT) threads with real-time constraints RT threads cannot use garbage collected heap RT threads cannot use garbage collected heap RT threads can use immortal memory RT threads can use immortal memory RT threads can use regions RT threads can use regions RT threads cannot read heap references RT threads cannot read heap references RT threads cannot overwrite heap references RT threads cannot overwrite heap references

Regions for Real-Time Programs Real-time (RT) threads with real-time constraints Real-time (RT) threads with real-time constraints RT threads cannot use garbage collected heap RT threads cannot use garbage collected heap RT threads can use immortal memory RT threads can use immortal memory RT threads can use regions RT threads can use regions RT threads cannot read heap references RT threads cannot read heap references RT threads cannot overwrite heap references RT threads cannot overwrite heap references Ownership types augmented with effects clauses Ownership types augmented with effects clauses To statically verify above properties To statically verify above properties

Real-Time Java (RTJ) Extension to Java for real-time programs Extension to Java for real-time programs Java Specification Request (JSR) 1 Java Specification Request (JSR) 1

Real-Time Java (RTJ) Extension to Java for real-time programs Extension to Java for real-time programs Java Specification Request (JSR) 1 Java Specification Request (JSR) Real-time (RT) threads Real-time (RT) threads Region-based memory management Region-based memory management Threads cant violate memory safety Threads cant violate memory safety RT threads cant interact with garbage collector RT threads cant interact with garbage collector

Real-Time Java (RTJ) Uses dynamic checks to ensure Uses dynamic checks to ensure  No pointers from outer to inner regions  Nesting of regions forms a hierarchy  RT threads do not read heap refs  RT threads do not overwrite heap refs Introduces new failure modes Introduces new failure modes Programming model is difficult to use Programming model is difficult to use

Region Types as Front-End for RTJ Typechecker Translator (Removes extra types) (Generates real-time Java) Compiler JVM Real-time Java bytecodes + Extra types types Java

Benefits of Using Region Types Safety Safety Checks errors at compile time Checks errors at compile time Efficiency Efficiency Avoids runtime checking overhead Avoids runtime checking overhead Typechecker Translator (Removes extra types) (Generates real-time Java) Real-time Java + Extra types types Java

Experience

Reducing Programming Overhead Type inference for method local variables Type inference for method local variables Default types for method signatures & fields Default types for method signatures & fields User defined defaults as well User defined defaults as well Significantly reduces programming overhead Significantly reduces programming overhead Approach supports separate compilation Approach supports separate compilation

Programming Overhead Program # Lines of code # Lines annotated HTTP Server Game Server Database Server Image Recognition java.util.Vector java.util.Hashtable Water185031Barnes185016

RTJ Dynamic Checking Overhead Program Execution Time (sec) Speed Up Dynamic Checks Static Checks Water %Barnes % Image Recognition % load load % cross cross thinning thinning % 10% save save %

Related Work

Our work unifies these areas Ownership types Ownership types  Clarke, Potter, Noble ( OOPSLA ’98 ), ( ECOOP ’01 )  Clarke, Drossopoulou ( OOPSLA ’02 )  Boyapati, Lee, Rinard ( OOPSLA ’01 ) ( OOPSLA ’02 )  Boyapati, Liskov, Shrira, Moh, Richman ( POPL ’03 ) ( OOPSLA ’03 )  Aldrich, Kostadinov, Chambers ( OOPSLA ’02 ) Region types Region types  Tofte, Talpin ( POPL ’94 )  Christiansen, Henglein, Niss, Velschow ( DIKU ’98 )  Crary, Walker, Morrisett ( POPL ’99 )  Grossman, Morrisett, Jim, Hicks, Wang, Cheney ( PLDI ’02 )  Grossman ( TLDI ’03 )

Related Work Systems that allow regions to be freed early Systems that allow regions to be freed early  Aiken, Fahndrich, Levien ( PLDI ’95 )  Gay, Aiken ( PLDI ’98 ) ( PLDI ’01 )  Crary, Walker, Morrisett ( POPL ’99 ) Dynamic analysis to infer RTJ regions Dynamic analysis to infer RTJ regions  Deters, Cytron ( ISMM ’02 ) Static analysis to remove RTJ dynamic checks Static analysis to remove RTJ dynamic checks  Salcianu, Rinard ( PPoPP ’01 ) Static analysis to help infer size of RTJ regions Static analysis to help infer size of RTJ regions  Gheorghioiu, Salcianu, Rinard ( POPL ’03 ) Real-time garbage collection Real-time garbage collection  Baker ( CACM ’78 )  Bacon, Cheng, Rajan ( POPL ’03 )

Conclusions Unified type system for OO languages Statically enforces several properties Statically enforces several properties  Object encapsulation  Memory safety  Data race and deadlock freedom  Safe software upgrades  Safe real-time programming Type checking is fast and scalable Type checking is fast and scalable Requires little programming overhead Requires little programming overhead Promising way to make programs reliable Promising way to make programs reliable

Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar Boyapati Alexandru Salcianu William Beebee Martin Rinard

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.