Principled scavenging

Stefan Monnier, Bratin Saha, Zhong Shao
2001 SIGPLAN notices  
Proof-carrying code and typed assembly languages aim to minimize the trusted computing base by directly certifying the actual machine code. Unfortunately, these systems cannot get rid of the dependency on a trusted garbage collector. Indeed, constructing a provably type-safe garbage collector is one of the major open problems in the area of certifying compilation. Building on an idea by Wang and Appel, we present a series of new techniques for writing type-safe stop-and-copy garbage collectors.
We show how to use intensional type analysis to capture the contract between the mutator and the collector, and how the same method can be applied to support forwarding pointers and generations. Unlike Wang and Appel (which requires whole-program analysis), our new framework directly supports higher-order functions and is compatible with separate compilation; our collectors are written in provably type-safe languages with rigorous semantics and fully formalized soundness proofs.

Motivation and background

Why do we want a type-safe garbage collector?

A. Soundness of λGC

Throughout this section, we assume unique variable names. Our environments are sets with no duplicate occurrences and no ordering. It is easy to show by induction over judgments that extending environments with additional bindings is safe. We will assume this in the rest of the section.

The code region $cd$ is always implicitly part of the environment. We treat it as a constant region. Even when the environment is restricted to a particular set, say $\Psi|_{\Delta}$, the code region is included in the restricted set. Therefore $\Psi|_{\nu_1, \ldots, \nu_k}$ is equivalent to $\{cd : \Upsilon_{cd}, \nu_1 : \Upsilon_{\nu_1}, \ldots, \nu_k : \Upsilon_{\nu_k}\}$, and $\Psi|_{cd}$ is equivalent to $\{cd : \Upsilon_{cd}\}$.

Proof. The proof is a straightforward induction over the structure of $\sigma$.

The lemma is proved by considering the structure of $\Phi$ and $\Gamma$ respectively, and comparing the results in the two cases.

Lemma A.3. If $\Psi; \Delta', r; \Theta; \Phi; \Gamma \vdash op : \sigma$, then $\Psi; \Delta[\nu/r]; \Theta; \Phi[\nu/r]; \Gamma[\nu/r] \vdash op[\nu/r] : \sigma[\nu/r]$, where $\Delta', r = \Delta$.

Proof. The proof is by induction over the structure of $op$. Most of the cases follow directly by induction. We will show only the case for type packages.
Case $\langle \alpha : \Delta_1 = \sigma_1, v : \sigma_2 \rangle$: We know that $\Psi; \Delta', r; \Theta; \Phi; \Gamma \vdash \langle \alpha : \Delta_1 = \sigma_1, v : \sigma_2 \rangle : \exists \alpha : \Delta_1 . \sigma_2$. This implies that $\Delta_1; \Theta; \Phi|_{\Delta_1} \vdash \sigma_1$ and $\Psi; \Delta', r; \Theta; \Phi; \Gamma \vdash v : \sigma_2[\sigma_1/\alpha]$.

Suppose $r \notin \Delta_1$. Then $r$ does not occur free in $\sigma_1$. Applying the inductive hypothesis to the derivation for $v$, we get that $\Psi; \Delta[\nu/r]; \Theta; \Phi[\nu/r]; \Gamma[\nu/r] \vdash v[\nu/r] : (\sigma_2[\nu/r])[\sigma_1/\alpha]$. Suppose $\Phi_1 = \Phi|_{\Delta_1}$. Then we have that $\Phi[\nu/r]|_{\Delta_1} = \Phi_1, \Phi_2$ and $\mathit{Dom}(\Phi_1) \cap \mathit{Dom}(\Phi_2) = \emptyset$. Therefore, we have that $\Delta_1; \Theta; \Phi|_{\Delta_1}, \Phi_2 \vdash \sigma_1$. This implies that $\Delta_1; \Theta; \Phi[\nu/r]|_{\Delta_1} \vdash \sigma_1$, which leads to the required result.

Consider now that $r \in \Delta_1$. Suppose $\Delta_1 = \Delta_2, r$. Then $\Delta_2, r; \Theta; \Phi|_{\Delta_2, r} \vdash \sigma_1$. Applying lemmas A.1 and A.2 we get that $\Delta_1[\nu/r]; \Theta; (\Phi[\nu/r])|_{\Delta_2, \nu} \vdash \sigma_1[\nu/r]$. But $\Delta_2, \nu = \Delta_1[\nu/r]$. The second subderivation now becomes $\Psi; \Delta', r; \Theta; \Phi; \Gamma \vdash v : \sigma_2[\sigma_1/\alpha]$. By applying the inductive hypothesis we get that $\Psi; \Delta[\nu/r]; \Theta; \Phi[\nu/r]; \Gamma[\nu/r] \vdash v[\nu/r] : (\sigma_2[\nu/r])[\sigma_1[\nu/r]/\alpha]$. This leads to the required result.

Lemma A.4. If $\Psi; \Delta', r; \Theta; \Phi; \Gamma \vdash e$, then $\Psi; \Delta[\nu/r]; \Theta; \Phi[\nu/r]; \Gamma[\nu/r] \vdash e[\nu/r]$, where $\Delta', r = \Delta$.

Lemma A.9. If $\Delta; \Theta; \Phi, \alpha : \Delta' \vdash \sigma$ and $\Delta'; \Theta; \Phi \vdash \sigma'$, then $\Delta; \Theta; \Phi \vdash \sigma[\sigma'/\alpha]$.

Proof. The proof is a straightforward induction over the structure of $\sigma$. In the case of code types, we use the fact that the argument types $\sigma$ are fully closed.

Lemma A.10. If $\Psi; \Delta; \Theta; \Phi, \alpha : \Delta'; \Gamma \vdash op : \sigma$ and $\Delta'; \Theta; \Phi \vdash \sigma'$, then $\Psi; \Delta; \Theta; \Phi; \Gamma[\sigma'/\alpha] \vdash op[\sigma'/\alpha] : \sigma[\sigma'/\alpha]$.

Proof. The proof is again by induction over the typing derivation for $op$. We will consider only the case for packages.

Case $\langle \beta : \Delta' = \sigma_1, v : \sigma_2 \rangle$: By definition, $\Psi; \Delta; \Theta; \Phi, \alpha : \Delta_1; \Gamma \vdash \langle \beta : \Delta' = \sigma_1, v : \sigma_2 \rangle : \exists \beta : \Delta' . \sigma_2$

and $\cdot \vdash \tau_i : \kappa_i$. From lemma A.4 we get that $\Psi|_{cd}; cd, \vec{\nu}; \Theta; \cdot; \vec{x} : \vec{\sigma}[\vec{\nu}/\vec{r}] \vdash e[\vec{\nu}/\vec{r}]$. From lemma A.8 we get that $\Psi|_{cd}; cd, \vec{\nu}; \cdot; \cdot; \vec{x} : \vec{\sigma}[\vec{\nu}, \vec{\tau}/\vec{r}, \vec{t}] \vdash e[\vec{\nu}, \vec{\tau}/\vec{r}, \vec{t}]$. Since $\Psi|_{cd} \subset \Psi$ and $cd, \vec{\nu} \subset \mathit{Dom}(\Psi)$, we can extend the environment for deriving $e$. Applying lemma A.15 we get that $\Psi; \mathit{Dom}(\Psi); \cdot; \cdot; \cdot \vdash e[\vec{\nu}, \vec{\tau}, \vec{v}/\vec{r}, \vec{t}, \vec{x}]$, which leads to the result.
Case $(v\ \tau')[\vec{\tau}][\vec{\nu}](\vec{v})$: By definition, $\Psi; \mathit{Dom}(\Psi); \cdot; \cdot; \cdot \vdash (v\ \tau')[\vec{\tau}][\vec{\nu}](\vec{v})$. From the typing rules, $\Psi; \mathit{Dom}(\Psi); \cdot; \cdot; \cdot \vdash (v\ \tau') : \forall\tau'[\vec{r}](\vec{\sigma}) \xrightarrow{\nu} 0$ for some $\nu$, and $\Psi; \mathit{Dom}(\Psi); \cdot; \cdot; \cdot \vdash v_i : \sigma_i[\vec{\nu}/\vec{r}]$. Again from the typing rules we get that $\Psi; \mathit{Dom}(\Psi); \cdot; \cdot; \cdot \vdash v : \forall[\vec{t} : \vec{\kappa}][\vec{r}](\vec{\sigma}') \to 0 \text{ at } \nu$, where $\sigma'_i[\vec{\tau}/\vec{t}] = \sigma_i$ and $\cdot \vdash \tau_i : \kappa_i$. We need to prove that $\Psi; \mathit{Dom}(\Psi); \cdot; \cdot; \cdot \vdash v[\vec{\tau}][\vec{\nu}](\vec{v})$
doi:10.1145/381694.378817