Presentation is loading. Please wait.

Presentation is loading. Please wait.

Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)"— Presentation transcript:

1 Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)

2 PoPL '99David Walker, Cornell University2 The TAL Project Verify GC System Interface LinkCompile CodeTypes CodeTypes CodeTypes Code

3 PoPL '99David Walker, Cornell University3 TAL Goals Security –reduce the trusted computing base Software Engineering –eliminate dynamic failure modes; use static checking Flexibility –give programmers control over low-level details –admit varying compilation strategies

4 PoPL '99David Walker, Cornell University4 TAL Memory Management Garbage Collection: behind-the-scenes cleanup Problems: –Complex code in the trusted computing base –Under-specified invariants link client and collector (type tags, pointer restrictions, etc) –No control over memory management decisions Java, PCC, SPIN, ECC also use GC

5 PoPL '99David Walker, Cornell University5 Regions ( Tofte and Talpin ) Explicit but provably safe deallocation Static error checking Simple, constant-time routines Regions are allocated on a stack Objects are allocated into regions Topmost regions are deallocated

6 PoPL '99David Walker, Cornell University6 Towards Region-Based TAL letrgn  in f ( ) end;... more code region lifetime High-level Code:Low-level Code: Region lifetimes are unclear in low-level code Optimizations break the LIFO allocation structure CALL SITE: newrgn  ; mov r, RET; jmp f; RET: freergn  ; more code

7 PoPL '99David Walker, Cornell University7 Contributions The Capability Calculus: –A new statically-typed region-based intermediate language A syntactic proof of soundness Typed Assembly Language with primitives for safely allocating and freeing regions A translation from a variant of the Tofte- Talpin framework

8 PoPL '99David Walker, Cornell University8 A New Perspective Static Capabilities 22 11 22 x 11 Regions 22 Free region  1 x 11 22

9 PoPL '99David Walker, Cornell University9 The Capability Calculus A continuation-passing style language: e ::= let d in e | v[  1,...,  m ](v 1,...,v n ) |... With declarations for separate allocation and deallocation of regions: d ::= newrgn  | freergn  | x=v@  |...

10 PoPL '99David Walker, Cornell University10 Types Types: ints, tuples, polymorphic functions – @  –  [  ].(C,  1,...,  n ) -> 0 @  Capabilities: the collection of regions currently accessible –C ::= Ø |  | {  } | C 1  C 2 (first try)

11 PoPL '99David Walker, Cornell University11 An Example ; Initial Capability C = Ø let newrgn  1 newrgn  2 x = @  1 y = @  2 freergn  1 z =  1 y w =  1 z in... ; C = {  1 } ; C = {  1,  2 } ;  1 ok ;  2 ok ; C = {  2 } ;  2 ok ;  1 not ok! 234 y 22 11 4 y 22 z

12 PoPL '99David Walker, Cornell University12 A Second Example fun f[  1,  2 ]({  1,  2 }, x : @  2,...). let freergn  1 z =  1 x in... ; C = {  } f [ ,  ]( @ ,...) ; C = {  1,  2 } ; C = {  2 } ;  2 ok ; instantiation causes  1 to alias  2 :

13 PoPL '99David Walker, Cornell University13 Aliasing Safe revocation requires that all copies of a capability be deleted Type instantiation creates aliases No local analysis can detect these aliases

14 PoPL '99David Walker, Cornell University14 Previous Work Linear Type Systems (Girard,Wadler,...) Syntactic Control of Interference (Reynolds) These systems prevent aliasing; we need to track aliasing.

15 PoPL '99David Walker, Cornell University15 Alias Tracking New Capabilities: {  1 } and {  + } {  1 } indicates  is unique {  + } indicates  is duplicatable {  + } = {  +,  + } but {  1 }  {  1,  1 } {  +,  + } is good but {  1,  1 } is bad

16 PoPL '99David Walker, Cornell University16 Safe Deallocation ; Capability = C newrgn  ; Capability = C  {  1 } freergn  ; Capability = C

17 PoPL '99David Walker, Cornell University17 An Example Revisited fun f[  1,  2 ]({  1 1,  2 1 }, x : @  2,...). let freergn  1 z =  1 x in... ; C = {   } f [ ,  ]( @ ,...) ; C = {  3 1,  4 1 } f [  3,  4 ]( @  4, …) ; C = {  1 1,  2 1 } ;  1 unique, C = {  2 1 } ;  2 ok ; No: {  1 }  {  1,  1 } ; Yes!

18 PoPL '99David Walker, Cornell University18 Subcapabilities Duplicatable capabilities: necessary to make functions sufficiently polymorphic Unique capabilities provide all of the privileges of duplicatable capabilities: {  1 }  {  + }

19 PoPL '99David Walker, Cornell University19 Using Subcapabilities fun g[  ,   ]({   +,   + }, x: @  , y: @  ,...). … ; neither region is deallocated ; Current Capability = {  1 } let x = @  in g [ ,  ](x, x,...) ; ok: {  1 }  {  + } = {  +,  + }

20 PoPL '99David Walker, Cornell University20 Final Pieces Solution: bounded quantification allocate regions ; grants unique capabilities... | jump to f ; lose some privileges: {  1 }  {  + } |... deallocate regions ; requires unique capabilities, ; but we’ve given them up...

21 PoPL '99David Walker, Cornell University21 BQ Example let newrgn  ; capability C = {  1 }... ; f:  [  ,  ,   {   +,   + }]. ( ,..., ( ,...) -> 0 @   ) -> 0 @ ... ; cont: ({  1 },...) -> 0 @ , frees region  in f [ , , {  1 }](..., cont) ; ok: {  1 }  {  + } = {  +,  + }

22 PoPL '99David Walker, Cornell University22 Related Work Region inference –Tofte and Talpin (PoPL ‘94) –Aiken et al. (PoPL ‘95) –Birkedal et al. (PoPL ‘96) –ML Kit with regions Effect Systems, Monads Linear Types, Syntactic Control of Interference

23 PoPL '99David Walker, Cornell University23 Summary Capabilities govern access to sensitive data We control capability aliasing by tracking uniqueness information The result: flexible and provably safe deallocation

Download ppt "Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)"

Similar presentations

Garbage collection David Walker CS 320. Where are we? Last time: A survey of common garbage collection techniques –Manual memory management –Reference.

Garbage collection David Walker CS 320. Where are we? Last time: A survey of common garbage collection techniques –Manual memory management –Reference.
COS 441 Exam Stuff David Walker. TAL 2 Logistics take-home exam will become available on the course web site Jan 15-18 write down when you download &

COS 441 Exam Stuff David Walker. TAL 2 Logistics take-home exam will become available on the course web site Jan write down when you download &
Type Analysis and Typed Compilation Stephanie Weirich Cornell University.

Type Analysis and Typed Compilation Stephanie Weirich Cornell University.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
Names and Bindings.

Names and Bindings.
Java™ How to Program, 9/e Presented by: Dr. José M. Reyes Álamo © Copyright 1992-2012 by Pearson Education, Inc. All Rights Reserved.

Java™ How to Program, 9/e Presented by: Dr. José M. Reyes Álamo © Copyright by Pearson Education, Inc. All Rights Reserved.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
5. Memory Management From: Chapter 5, Modern Compiler Design, by Dick Grunt et al.

5. Memory Management From: Chapter 5, Modern Compiler Design, by Dick Grunt et al.
14-1 14 Run-time organization  Data representation  Storage organization: –stack –heap –garbage collection Programming Languages 3 © 2012 David A Watt,

Run-time organization  Data representation  Storage organization: –stack –heap –garbage collection Programming Languages 3 © 2012 David A Watt,
Chapter Four Data Types Pratt 2 Data Objects A run-time grouping of one or more pieces of data in a virtual machine a container for data it can be –system.

Chapter Four Data Types Pratt 2 Data Objects A run-time grouping of one or more pieces of data in a virtual machine a container for data it can be –system.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.

Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.
Stacks, Heaps and Regions: One Logic to Bind Them David Walker Princeton University SPACE 2004.

Stacks, Heaps and Regions: One Logic to Bind Them David Walker Princeton University SPACE 2004.
Survey of Typed Assembly Language (TAL) Introduction and Motivation –Conventional untyped compiler < Typed intermediate languages –Typed intermediate language.

Survey of Typed Assembly Language (TAL) Introduction and Motivation –Conventional untyped compiler < Typed intermediate languages –Typed intermediate language.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Proofs, Types, and Safe Mobile Code CoS 598E David Walker.

Proofs, Types, and Safe Mobile Code CoS 598E David Walker.
STAL David Walker (joint work with Karl Crary, Neal Glew and Greg Morrisett)

STAL David Walker (joint work with Karl Crary, Neal Glew and Greg Morrisett)
Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.

Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.

Similar presentations

Ads by Google