Safe programming languages are readily available, but many applications continue to be written in unsafe languages because of efficiency. As a consequence, many applications continue to have exploitable memory safety bugs. Since garbage collection is a major source of inefficiency in the implementation of safe languages, replacing it with safe manual memory management would be an important step towards solving this problem. Previous approaches to safe manual memory management use programming models based on regions, unique pointers, borrowing of references, and ownership types.
We propose a much simpler programming model that does not require any of these concepts. We propose an efficient implementation of this programming model that guarantees type safety. Experimental results from our implementation based on the C# native compiler show that this design achieves up to 3x reduction in peak working set and run time. An extreme but conceptually useful model is that of pure linear languages where each object is constructed once and read, being consumed, once. We see more realistic programming languages as relaxing this to allow multiple references to an object or multiple sequenced operations on a single live reference before the object is deallocated.
Concurrency complicates things because spatial aliasing may only happen under certain scheduling conditions. We argue that this view of aliasing is closely related to that of type tags in low-level implementations of dynamic types. Similarly, we argue that ownership corresponds to a higher-level structured view of the net of objects and references, analogous to higher-level types in programming languages.
We conclude by arguing for a more holistic approach to the topic of aliasing and ownership. In this thesis, we define the general purpose, automatically parallel programming language funkyImp. This is achieved by restricting aliasing and side-effects in such a way that the analysis becomes intra-procedural and allows to identify all static task-parallelism precisely on the function level.
In addition, we introduce sub-arrays, e.g. the diagonal or upper triangle of a matrix, as language primitives using a novel type system based on array index sets defined via linear constraints. Furthermore, we present a static scheduling algorithm that realistically models thread coordination overhead. It enables optimization of automatically extracted task-parallelism for specific target systems and guarantees a real world speedup. Finally, we present the implementation of the funkyImp compiler and run-time system along with benchmarks to show the effectiveness of our approach. Given a sequential application and a specification describing the intended parallelization, the analysis finds unprotected shared resources.
We present a method that uses such specifications in order reduce the amount of code that must be analyzed by specializing existing whole-program analyses. We successfully applied the method on a large, industrial C++ code base. Programming languages should have 'use-once' variables in addition to the usual 'multiple-use' variables. 'Use-once' variables are bound to linear (unshared, unaliased, or singly-referenced) objects. Linear objects are cheap to access and manage, because they require no synchronization or tracing garbage collection. Linear objects can elegantly and efficiently solve otherwise difficult problems of functional/mostly-functional systems---e.g., in-place updating and the efficient initialization of functional objects.
Use-once variables are bound only to linear objects, which may reference other linear or non-linear objects. 'Use-once' variables are bound to linear ( unshared, unaliased, or singly-referenced ) objects. Capability Key Capability Description AUDIT_CONTROL Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. AUDIT_READ Allow reading the audit log via multicast netlink socket. BPF Allow creating BPF maps, loading BPF Type Format data, retrieve JITed code of BPF programs, and more. CHECKPOINT_RESTORE Allow checkpoint/restore related operations.
DAC_READ_SEARCH Bypass file read permission checks and directory read and execute permission checks. IPC_OWNER Bypass permission checks for operations on System V IPC objects. LINUX_IMMUTABLE Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. Implemented for the Smack LSM. MAC_OVERRIDE Override Mandatory Access Control .
NET_BROADCAST Make socket broadcasts, and listen to multicasts. PERFMON Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems SYS_ADMIN Perform a range of system administration operations. SYS_BOOT Use reboot and kexec_load, reboot and load a new kernel for later execution.
SYS_NICE Raise process nice value (nice, setpriority) and change the nice value for arbitrary processes. SYS_PACCT Use acct, switch process accounting on or off. SYS_RAWIO Perform I/O port operations (iopl and ioperm).
SYS_TIME Set system clock (settimeofday, stime, adjtimex); set real-time clock. SYS_TTY_CONFIG Use vhangup; employ various privileged ioctl operations on virtual terminals. WAKE_ALARM Trigger something that will wake up the system. Further reference information is available on the capabilities - Linux man page, and in the Linux kernel source code. Aliasing is a known source of challenges in the context of imperative object-oriented languages, which have led to important advances in type systems for aliasing control. However, their large-scale adoption has turned out to be a surprisingly difficult challenge.
While new language designs show promise, they do not address the need of aliasing control in existing languages. This paper presents a new approach to isolation and uniqueness in an existing, widely-used language, Scala. The approach is unique in the way it addresses some of the most important obstacles to the adoption of type system extensions for aliasing control. First, adaptation of existing code requires only a minimal set of annotations. Only a single bit of information is required per class. Surprisingly, the paper shows that this information can be provided by the object-capability discipline, widely-used in program security.
We formalize our approach as a type system and prove key soundness theorems. The type system is implemented for the full Scala language, providing, for the first time, a sound integration with Scala's local type inference. Finally, we empirically evaluate the conformity of existing Scala open-source code on a corpus of over 75,000 LOC. This paper presents a static analysis tool that can automatically find memory leaks and deletions of dangling pointers in large C and C++ applications.
We have developed a type system to formalize a practical ownership model of memory management. In this model, every object is pointed to by one and only one owning pointer, which holds the exclusive right and obligation to either delete the object or to transfer the right-to another owning pointer. In addition, a pointer-typed class member field-is required to either always or never own its pointee at public method boundaries. Programs satisfying this model do not leak memory or delete the same object more than once. Also developed a flow-sensitive and context-sensitive algorithm to automatically infer the likely ownership interfaces of methods-in a program.
7 It identifies statements inconsistent with the model as sources of potential leaks or double deletes. The algorithm is sound with respect to a large subset of the C and C++ language in that it will report all possible errors. It is also practical and,,useful as it identifies those warnings-likely to correspond to errors and-helps the user understand the reported errors by showing them the assumed method interfaces. Our techniques are validated with an implementation of a tool we call Clouseau.
We applied Clouseau to a suite of applications, two web servers, a chat client, secure shell tools, executable object manipulation tools, and a compiler. The tool analyzes over 50K lines of C++ code in about 9 minutes on a 2 GHz Pentium 4 machine and over 70K lines of C code in just over a minute. Is, a language whose object model, type system, and runtime are all co-designed with permissions in mind. We sketch the design of the permission-based programming language Plaid and argue that the approach promises significant software engineering benefits. Cyclone is a type-safe language intended for applications re-quiring control over memory management. Initial work on Cyclone sup-ported stack allocation, lexical region allocation, and a garbage-collected heap.
In this paper, we describe added support for unique pointers and reference-counted objects. These idioms are crucial for supporting overlapping, non-nested object lifetimes and safe manual deallocation. A region-based type-and-effects system ensures that dangling pointers cannot be dereferenced. Novel lin-guistic mechanisms leverage the region system to make it easier to use unique pointers.
In particular, region polymorphism and a scoped con-struct for temporarily aliasing unique pointers let us write programs that can manipulate either unique or nonunique pointers. In our experience, our new constructs can significantly improve application performance, while adding a modest programming overhead. Traditionally, semantic models of imperative languages use an auxiliary structure which mimics memory. In this way, ownership and other encapsulation properties need to be reconstructed from the graph structure of such global memory. We present an alternative "syntactic" model where memory is encoded as part of the program rather than as a separate resource. This means that execution can be modelled by just rewriting source code terms, as in semantic models for functional programs.
Formally, this is achieved by the block construct, introducing local variable declarations, which play the role of memory when their initializing expressions have been evaluated. In this way, we obtain a language semantics which directly represents at the syntactic level constraints on aliasing, allowing simpler reasoning about related properties. To illustrate this advantage, we consider the issue, widely studied in the literature, of characterizing an isolated portion of memory, which cannot be reached through external references. In this thesis we study state isolation and efficient message-passing in the context of concurrent object-oriented programming. The 'ownership' and 'reference uniqueness' techniques have been extensively employed to address concurrency safety in the past. We present the formal semantic of SIAAM, along with a machine-checked proof of isolation.
An implementation of the model has been realized in a state-of-the-art Java virtual-machine and a set of custom static analyses automatically reduce the runtime overhead. We present an imperative object calculus where types are annotated with qualifiers for aliasing and mutation control. There are two key novelties with respect to similar proposals. This is achieved by rules which restrict the use of such other references in the portion of code which is recovered.
Formally, this is achieved by the block construct, introducing local variable declarations, which, when evaluated, play the role of store. Finding simple, yet expressive, verification techniques to reason about both aliasing and mutable state has been a major challenge for static program verification. One such approach, of practical relevance, is centered around a lightweight typing discipline where types denote abstract object states, known as typestates. In this paper, we show how key typestate concepts can be precisely captured by a substructural type-and-effect system, exploiting ideas from linear and separation logic. By exploring the relationship between two mainstream modularity concepts, state abstraction and hiding, we also provide new insights on how they naturally fit together and complement one another.
Technically, our results are based on a typed lambda calculus with mutable references, location-dependent types, and second-order polymorphism. The soundness of our type system is shown through progress and preservation theorems. We also describe a prototype implementation of a type checker for our system, which is available on the web and can be used to experiment with the examples in the paper.
Programs operating "close to the metal" necessarily handle memory directly. Because of this, they must be written in languages like C or C++. These languages lack any kind of guarantee on memory or race safety, often leading to security vulnerabilities and unreliable software. Ideally, we would like a practical language that gives programmers direct control over memory and aliasing while also offering race and memory safety guarantees. We present Rusty Types and an accompanying type system, inspired by the Rust language, that enable memory-safe and race-free references through ownership and restricted aliasing in the type system. In this paper, we formally describe a small subset of the syntax, semantics, and type system of Metal, our Rust-based language that enjoys Rusty Types.
Our type system models references and ownership as capabilities, where bindings have indirect capabilities on value locations. We also present speculative extensions to Rusty Types that allow greater flexibility in single threaded programs while maintaining the same guarantees. Ownership types were devised nearly 15 years ago to provide a stronger notion of protection to object-oriented programming languages. Furthermore, this notion is statically enforced by now-standard type-checking techniques.
This article surveys the various flavours of ownership types that have been developed over the years, along with the many applications and other developments. The chapter concludes by suggesting some directions for future work. For example, Cyclone integrates a garbage collector with safe manual memory management based on regions. Several languages propose using unique pointers to objects using concepts from linear types ; and borrowing of references for temporary use . Languages with ownership types and alias types can express complex restrictions on object graphs. Previous approaches to safe manual memory management use programming models based on regions , unique pointers , borrowing of references , and ownership types .
For example, Rust is a recent programming language that incorporates several aspects of the Cyclone design, including unique pointers, and lexically-scoped borrowing. We introduce a new program abstraction for escape analysis, the connection graph, that is used to establish reachability relationships between objects and object references. We show that the connection graph can be summarized for each method such that the same summary information may be used effectively in different calling contexts. We present an interprocedural algorithm that uses the above property to efficiently compute the connection graph and identify the non-escaping objects for methods and threads. The experimental results, from a prototype implementation of our framework in the IBM High Performance Compiler for Java, are very promising. In on-going work, we are exploring reference capabilities for arrays, with the intention of carrying over previous results on statically guaranteed data-race freedom to parallel array algorithms.
Reference capabilities typically restrict incoming pointers to an object to one , or restrict operations via multiple pointer to a single object (e.g., to only read). Extending such a design to arrays involve operations such as logically partitioning an array so that even though there are multiple pointers to a single array, these pointers cannot access the same elements. Using our prototype implementation, we translate several existing array algorithms into using array capabilities and qualitatively study the result. We end by discussing a possible design for a more performant implementation once the API is fixed.
We present an imperative object calculus where types are annotated with two modifiers for aliasing control. The \(\) modifier prevents objects to be aliased, whereas the \(\) modifier characterizes expressions that will reduce to isolated portions of store. First, the expressivity of the type system is greatly enhanced by promotion and swapping rules. The former recognizes as \(\) an expression which only uses external references as \(\). The latter allows a \(\) reference to be freely aliased, if all the other references are regarded as \(\). Second, execution is modeled in a pure setting, where it is simpler to understand alias control.
That is, properties of modifiers can be directly expressed on source terms, rather than as invariants on an auxiliary structure which mimics physical memory. Formally, this is achieved by the block construct, introducing local variable declarations, which play the role of store when evaluated. Programming language-design and run-time-implementation require detailed knowledge about the programs that users want to implement. Acquiring this knowledge is hard, and there is little tool support to effectively estimate whether a proposed tradeoff actually makes sense in the context of real world applications.
Ideally, knowledge about behaviour of "typical" programs is 1) easily obtainable, 2) easily reproducible, and 3) easily sharable. We present Spencer, a web service and API framework for dynamic analysis of a continuously growing set of traces of standard program corpora. Users do not obtain traces on their own, but can instead send queries to the web service that will be executed on a set of program traces. Queries are built in terms of a set of query combinators that present a high level interface for working with trace data.
