Implementation and Evaluation of a Safe Runtime in Cyclone Matthew Fluet Cornell University Greg Morrisett Harvard University Daniel Wang Princeton University.

Slides:



Advertisements
Similar presentations
Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
Advertisements

Topic 10 Java Memory Management. 1-2 Memory Allocation in Java When a program is being executed, separate areas of memory are allocated for each class.
Garbage Collection What is garbage and how can we deal with it?
Implementation and Evaluation of a Safe Runtime in Cyclone Matthew Fluet Cornell University Daniel Wang Princeton University.
5. Memory Management From: Chapter 5, Modern Compiler Design, by Dick Grunt et al.
Garbage Collection CSCI 2720 Spring Static vs. Dynamic Allocation Early versions of Fortran –All memory was static C –Mix of static and dynamic.
Memory Management. History Run-time management of dynamic memory is a necessary activity for modern programming languages Lisp of the 1960’s was one of.
1 The Compressor: Concurrent, Incremental and Parallel Compaction. Haim Kermany and Erez Petrank Technion – Israel Institute of Technology.
MOSTLY PARALLEL GARBAGE COLLECTION Authors : Hans J. Boehm Alan J. Demers Scott Shenker XEROX PARC Presented by:REVITAL SHABTAI.
Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)
Runtime The optimized program is ready to run … What sorts of facilities are available at runtime.
Run-Time Storage Organization
Run time vs. Compile time
JVM-1 Introduction to Java Virtual Machine. JVM-2 Outline Java Language, Java Virtual Machine and Java Platform Organization of Java Virtual Machine Garbage.
An Adaptive, Region-based Allocator for Java Feng Qian & Laurie Hendren 2002.
Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&T), Michael Hicks,
Reference Types. 2 Objectives Introduce reference types –class –array Discuss details of use –declaration –allocation –assignment –null –parameter –aggregation.
Advanced Type Systems for Low-Level Languages Greg Morrisett Cornell University.
UniProcessor Garbage Collection Techniques Paul R. Wilson University of Texas Presented By Naomi Sapir Tel-Aviv University.
Garbage Collection Memory Management Garbage Collection –Language requirement –VM service –Performance issue in time and space.
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
Peter Juszczyk CS 492/493 - ISGS. // Is this C# or Java? class TestApp { static void Main() { int counter = 0; counter++; } } The answer is C# - In C#
1 Overview Assignment 6: hints  Living with a garbage collector Assignment 5: solution  Garbage collection.
Embedded Java Research Geoffrey Beers Peter Jantz December 18, 2001.
JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.
Safety in the C programming Language Peter Wihl May 26 th, 2005 CS 297 Security and Programming Languages.
Compiler Construction Lecture 17 Mapping Variables to Memory.
CSCI 224 Introduction to Java Programming. Course Objectives  Learn the Java programming language: Syntax, Idioms Patterns, Styles  Become comfortable.
EE4E. C++ Programming Lecture 1 From C to C++. Contents Introduction Introduction Variables Variables Pointers and references Pointers and references.
Lecture 10 : Introduction to Java Virtual Machine
1 Comp 104: Operating Systems Concepts Java Development and Run-Time Store Organisation.
1 Names, Scopes and Bindings Aaron Bloomfield CS 415 Fall
Experience with Safe Memory Management in Cyclone Michael Hicks University of Maryland, College Park Joint work with Greg Morrisett - Harvard Dan Grossman.
Basic Semantics Associating meaning with language entities.
1 Records Record aggregate of data elements –Possibly heterogeneous –Elements/slots are identified by names –Elements in same fixed order in all records.
Compiler Construction Dr. Noam Rinetzky and Orr Tamir School of Computer Science Tel Aviv University
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. C H A P T E R F I V E Memory Management.
C++ Memory Overview 4 major memory segments Key differences from Java
COMP3190: Principle of Programming Languages
RUN-Time Organization Compiler phase— Before writing a code generator, we must decide how to marshal the resources of the target machine (instructions,
Combining Garbage Collection and Safe Manual Memory Management Michael Hicks University of Maryland, College Park Joint work with Greg Morrisett - Harvard,
UniProcessor Garbage Collection Techniques Paul R. Wilson University of Texas Presented By Naomi Sapir Tel-Aviv University.
Object Oriented Software Development 4. C# data types, objects and references.
Runtime The optimized program is ready to run … What sorts of facilities are available at runtime.
Introduction to Garbage Collection. Garbage Collection It automatically reclaims memory occupied by objects that are no longer in use It frees the programmer.
RUNTIME ENVIRONMENT AND VARIABLE BINDINGS How to manage local variables.
Smart Pointers. Dumb Pointers Pointers Necessary – Dynamic memory – Sharing memory.
CS412/413 Introduction to Compilers and Translators April 21, 1999 Lecture 30: Garbage collection.
Introduction to Programming 1 1 2Introduction to Java.
Runtime Environments Chapter 7. Support of Execution  Activation Tree  Control Stack  Scope  Binding of Names –Data object (values in storage) –Environment.
Eliminating External Fragmentation in a Non-Moving Garbage Collector for Java Author: Fridtjof Siebert, CASES 2000 Michael Sallas Object-Oriented Languages.
Automatic Memory Management Without Run-time Overhead Brian Brooks.
Dynamic Allocation in C
Data Types In Text: Chapter 6.
Core Java Garbage Collection LEVEL – PRACTITIONER.
Java Memory Management
Topic: Java Garbage Collection
Java Memory Management
Unit-2 Objects and Classes
Seminar in automatic tools for analyzing programs with dynamic memory
Smart Pointers.
Programming with Regions
Closure Representations in Higher-Order Programming Languages
Linear Regions Are All You Need
.Net Framework Details Imran Rashid CTO at ManiWeber Technologies.
Created By: Asst. Prof. Ashish Shah, J.M.Patel College, Goregoan West
(Computer fundamental Lab)
Implementation and Evaluation of a Safe Runtime in Cyclone
Implementation and Evaluation of a Safe Runtime in Cyclone
Presentation transcript:

Implementation and Evaluation of a Safe Runtime in Cyclone Matthew Fluet Cornell University Greg Morrisett Harvard University Daniel Wang Princeton University

Introduction Web-based services and applications Require secure and robust implementations Often written in high-level languages C#, Java, Perl, PHP, Python, Tcl Provide memory safety Immune to common security problems Provide automatic memory management Immune to memory leaks But ……

Introduction Web-based services and applications are hosted on servers and executed by interpreters, both written in low-level languages

Introduction Web-based services and applications are hosted on servers and executed by interpreters, both written in low-level languages Application

Introduction Web-based services and applications are hosted on servers and executed by interpreters, both written in low-level languages Interpreter Application

Introduction Web-based services and applications are hosted on servers and executed by interpreters, both written in low-level languages Web-server Interpreter Application

Web-server Interpreter Runtime system Introduction Web-based services and applications are hosted on servers and executed by interpreters, both written in low-level languages Application Memory Management

Introduction Long-term goal a complete web-application platform written in a high-level language Short-term goal a complete interpreter written in a high-level language Implementing the core of an interpreter is not in itself a significant challenge Implementing the runtime system is a challenge

Technical achievement Advances in type systems have made it possible to implement a runtime system that provides garbage-collection services using a programming language that guarantees memory safety. Significantly reduces the TCB necessary to support web-application platforms Incurs an acceptable performance penalty

Outline A Scheme interpreter in Cyclone Why Scheme Key Features of Cyclone Core Scheme Interpreter Garbage Collector Performance Evaluation Conclusion

Why Scheme? Ease of implementation Core interpreter loop is only ~500 lines Use an external Scheme front-end to expand the full Scheme language into a core Scheme subset Features desirable for web programming But, no technical results depend on Scheme as the interpreted language

Key Features of Cyclone Safe, C-like language Static type- and control-flow analysis Intended for systems programming Data representation Resource management Region-based memory management Static, lexical, dynamic, heap, unique, …

Key Features of Cyclone Pointers Nullable: t* Non-null: Fat: Regions Region names: `r Pointers: t*`r Polymorphism:

Cyclone: Regions Region variety Allocation (objects) Deallocation Aliasing (objects) (what)(when) Stackstatic whole region exit of lexical scope unrestricted Lexical dynamic Dynamicmanual Heap ( `H ) single objects automatic (BDW GC) Unique ( `U ) manualrestricted Ref-counted ( `RC )

Cyclone: Regions Region variety Allocation (objects) Deallocation Aliasing (objects) (what)(when) Stackstatic whole region exit of lexical scope unrestricted Lexical dynamic Dynamicmanual Heap ( `H ) single objects automatic (BDW GC) Unique ( `U ) manualrestricted Ref-counted ( `RC )

Cyclone: Regions Region variety Allocation (objects) Deallocation Aliasing (objects) (what)(when) Stackstatic whole region exit of lexical scope unrestricted Lexical dynamic Dynamicmanual Heap ( `H ) single objects automatic (BDW GC) Unique ( `U ) manualrestricted Ref-counted ( `RC )

Cyclone: Regions Region variety Allocation (objects) Deallocation Aliasing (objects) (what)(when) Stackstatic whole region exit of lexical scope unrestricted Lexical dynamic Dynamicmanual Heap ( `H ) single objects automatic (BDW GC) Unique ( `U ) manualrestricted Ref-counted ( `RC )

Cyclone: Regions Region variety Allocation (objects) Deallocation Aliasing (objects) (what)(when) Stackstatic whole region exit of lexical scope unrestricted Lexical dynamic Dynamicmanual Heap ( `H ) single objects automatic (BDW GC) Unique ( `U ) manualrestricted Ref-counted ( `RC )

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); }

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); }

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } H

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } H

H Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } exp

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } H exp

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } exp H

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } H exp

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } H exp

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } H exp

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } H exp

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } H exp

Core Scheme Interpreter void scheme(prog_t prog) { heap_t H = new_heap (); // load the program into the GC-ed heap exp_t exp = initial_exp(prog, H); while (true) { // take a step bool done = step(H, &exp); // check for termination if (done) { goto Finished; } // allow a garbage collection maybeGC(&H, &exp); } Finished: // free the final heap destroy_heap(H); } H exp

Simple Copying Collector From-space and To-space Forwarding pointers

Simple Copying Collector From-space and To-space Natural correspondence with regions LIFO discipline of lexical regions insufficient Dynamic regions appear to be sufficient Forwarding pointers

Dynamic Regions Non-nested lifetimes Manual creation and deallocation Represented by unique pointer ( key ) Unique pointer ≡ Capability Access the region

Dynamic Regions Operations new : create a fresh dynamic region Produces unique key open : open a dynamic region for allocation Temporarily consumes key free : deallocate a dynamic region Permanently consumes key

GC and Dynamic Regions... // create the to-space’s key let NewDynamicRegion { to_key} = new_ukey(); state_t to_state; // open the from-space’s key { region from_r = open_ukey(from_key); // open the to-space’s key { region to_r = open_ukey(to_key); // copy the state and reachable data to_state = copy_state(to_r, from_state); } } // free the from-space free_ukey(from_key);...

GC and Dynamic Regions... // create the to-space’s key let NewDynamicRegion { to_key} = new_ukey(); state_t to_state; // open the from-space’s key { region from_r = open_ukey(from_key); // open the to-space’s key { region to_r = open_ukey(to_key); // copy the state and reachable data to_state = copy_state(to_r, from_state); } } // free the from-space free_ukey(from_key);...

GC and Dynamic Regions... // create the to-space’s key let NewDynamicRegion { to_key} = new_ukey(); state_t to_state; // open the from-space’s key { region from_r = open_ukey(from_key); // open the to-space’s key { region to_r = open_ukey(to_key); // copy the state and reachable data to_state = copy_state(to_r, from_state); } } // free the from-space free_ukey(from_key);...

GC and Dynamic Regions... // create the to-space’s key let NewDynamicRegion { to_key} = new_ukey(); state_t to_state; // open the from-space’s key { region from_r = open_ukey(from_key); // open the to-space’s key { region to_r = open_ukey(to_key); // copy the state and reachable data to_state = copy_state(to_r, from_state); } } // free the from-space free_ukey(from_key);...

GC and Dynamic Regions... // create the to-space’s key let NewDynamicRegion { to_key} = new_ukey(); state_t to_state; // open the from-space’s key { region from_r = open_ukey(from_key); // open the to-space’s key { region to_r = open_ukey(to_key); // copy the state and reachable data to_state = copy_state(to_r, from_state); } } // free the from-space free_ukey(from_key);...

Forwarding Pointers What is the type of a forwarding pointer?

Forwarding Pointers What is the type of a forwarding pointer? A pointer to a Value in To-space

Forwarding Pointers What is the type of a forwarding pointer? A pointer to a Value in To-space, whose forwarding pointer is a pointer to a Value in To- space’s To-space

Forwarding Pointers What is the type of a forwarding pointer? A pointer to a Value in To-space, whose forwarding pointer is a pointer to a Value in To- space’s To-space, whose forwarding pointer is a pointer to a Value in To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a Value in To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a Value in To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a Value in To-space’s To- space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a Value in To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a Value in To-space’s To- space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a Value in To-space’s To-space’s To-space’s To-space’s To- space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a Value in To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space, whose forwarding pointer is a pointer to a Value in To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To-space’s To- space’s To-space’s To-space’s To-space, …

Dynamic Region Sequences Introduce a new type constructor mapping region names to region names typedef _::R next_rgn Although the region names ρ and next_rgn are related, the lifetimes of their corresponding regions are not

Dynamic Region Sequences Operations new, open, free : as for dynamic regions next : create next_rgn from ρ

Dynamic Region Sequences Operations next : create next_rgn from ρ Have an infinite supply of region names next will create a fresh dynamic region key Need a linear supply of keys Use Cyclone’s unique pointers

Dynamic Region Sequences Operations next : create next_rgn from ρ A dynamic region sequence is a pair key : a dynamic region key gen : a unique pointer Unique pointer ≡ Capability Produce the next_rgn key and gen Consumed by next

Dynamic Region Sequences Operations new : create a fresh dynamic region sequence Produces unique key and gen next : creates next dynamic region sequence Produces unique key and gen Permanently consumes gen

GC and Dynamic Region Sequences gcstate_t doGC(gcstate_t gcs) { // unpack the gc state let GCState{ DRSeq {from_key, from_gen}, from_state} = gcs; // generate the to-space let DRSeq{to_key, to_gen} = next_drseq(from_gen); state_t > to_state; // open the from-space { region from_r = open_ukey(from_key); // open the to-space { region to_r = open_ukey(to_key); // copy the state and reachable data to_state = copy_state(to_r, from_state); } // pack the new gc state gcs = GCState{DRSeq{to_key, to_gen}, to_state}; } // free the from space free_ukey(from_key); return gcs; }

GC and Dynamic Region Sequences gcstate_t doGC(gcstate_t gcs) { // unpack the gc state let GCState{ DRSeq {from_key, from_gen}, from_state} = gcs; // generate the to-space let DRSeq{to_key, to_gen} = next_drseq(from_gen); state_t > to_state; // open the from-space { region from_r = open_ukey(from_key); // open the to-space { region to_r = open_ukey(to_key); // copy the state and reachable data to_state = copy_state(to_r, from_state); } // pack the new gc state gcs = GCState{DRSeq{to_key, to_gen}, to_state}; } // free the from space free_ukey(from_key); return gcs; }

GC and Dynamic Region Sequences gcstate_t doGC(gcstate_t gcs) { // unpack the gc state let GCState{ DRSeq {from_key, from_gen}, from_state} = gcs; // generate the to-space let DRSeq{to_key, to_gen} = next_drseq(from_gen); state_t > to_state; // open the from-space { region from_r = open_ukey(from_key); // open the to-space { region to_r = open_ukey(to_key); // copy the state and reachable data to_state = copy_state(to_r, from_state); } // pack the new gc state gcs = GCState{DRSeq{to_key, to_gen}, to_state}; } // free the from space free_ukey(from_key); return gcs; }

GC and Dynamic Region Sequences gcstate_t doGC(gcstate_t gcs) { // unpack the gc state let GCState{ DRSeq {from_key, from_gen}, from_state} = gcs; // generate the to-space let DRSeq{to_key, to_gen} = next_drseq(from_gen); state_t > to_state; // open the from-space { region from_r = open_ukey(from_key); // open the to-space { region to_r = open_ukey(to_key); // copy the state and reachable data to_state = copy_state(to_r, from_state); } // pack the new gc state gcs = GCState{DRSeq{to_key, to_gen}, to_state}; } // free the from space free_ukey(from_key); return gcs; }

GC and Dynamic Region Sequences gcstate_t doGC(gcstate_t gcs) { // unpack the gc state let GCState{ DRSeq {from_key, from_gen}, from_state} = gcs; // generate the to-space let DRSeq{to_key, to_gen} = next_drseq(from_gen); state_t > to_state; // open the from-space { region from_r = open_ukey(from_key); // open the to-space { region to_r = open_ukey(to_key); // copy the state and reachable data to_state = copy_state(to_r, from_state); } // pack the new gc state gcs = GCState{DRSeq{to_key, to_gen}, to_state}; } // free the from space free_ukey(from_key); return gcs; }

GC and Dynamic Region Sequences Comparison with type-preserving GCs Interpreter can be written in a trampoline, rather than continuation passing, style Intuitive typing of forwarding pointers

Performance Evaluation InterpreterRuntime Cyclone (Copying GC) Checked Cyclone (BDW GC) CheckedUnchecked SISC (Sun JVM) CheckedUnchecked MzScheme (BDW GC) Unchecked

Performance Evaluation

Size of Unchecked Code Interpreter (lines of code) Runtime System (lines of code) Cyclone (Copying GC) Cyclone (BDW GC) SISC (Sun JVM) 0229,100 MzScheme (BDW GC) 31,

Conclusion Significantly reduce amount of unchecked code needed to implement an interpreter May incur a performance penalty for extra degree of security Future Work Reduce performance penalty Per thread regions providing customization

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.