Type Systems for Region-based Memory Management

Type Systems for Region-based Memory Management

Matthew Fluet

Greg Morrisett & Amal Ahmed

Harvard University

2

Memory Management

Dynamic allocation pervasive in computation

3

Memory Management

Dynamic allocation pervasive in computation Range of methods for managing memory

4

Memory Management


– malloc/free efficient, but tedious and error prone

5

Memory Management



– garbage collection transparent and safe, but (can be) inefficient

6

Memory Management



– regions

– garbage collection transparent and safe, but (can be) inefficient

7

Region-based Memory Management

Operationally– Memory is divided regions (denoted by r, , …)– Objects are individually allocated in a region– All objects in a region are deallocated together

8

Region-based Memory Management

Runtime Organization– Regions are linked lists of pages– Arbitrary intra- and inter-region references– Similar to arena-style allocators

r1

r2

r3

Region handles

9

Application: Cyclone

Cyclone Safe-C Project– type-safety– with the “virtues” of C

low-level interface with manifest cost model

10


Cyclone Safe-C Project– type-safety– with the “virtues” of C

low-level interface with manifest cost model

– range of memory management options regions are an organizing principle

11


MediaNET– TCP benchmark (packet forwarding)– Cyclone v.0.1

High water mark: 840 KB 130 collections Basic throughput: 50 MB/s

– Cyclone v.0.5 High water mark: 8 KB 0 collections Basic throughput: 74MB/s

12

Cyclone: Regions

Region varietyAllocation

(objects)

DeallocationAliasing

(objects)(what) (when)

Stack static

whole region

exit of lexical scope

unrestricted

Lexical

dynamic

Dynamic manual

Heap (`H)

single objects

automatic(BDW GC)

Unique (`U)manual restricted

Ref-counted (`RC)

13

Cyclone: Regions


(objects)



Stack static

whole region


unrestricted

Lexical

dynamic

Dynamic manual

Heap (`H)

single objects

automatic (BDW GC)


Ref-counted (`RC)

Meta-theory of Cyclone is a nightmare!!

14

Cyclone: Regions


(objects)



Stack static

whole region


unrestricted

Lexical

dynamic

Dynamic manual

Heap (`H)

single objects

automatic (BDW GC)


Ref-counted (`RC)

Ultimate Goal: simple model where we can easily encode the key features of Cyclone in a target

language with simpler meta-theory

15

Cyclone: Regions


(objects)



Stack static

whole region


unrestricted

Lexical

dynamic

Dynamic manual

Heap (`H)

single objects

automatic (BDW GC)


Ref-counted (`RC)

Today’s Goal: Three type systems for region-based languages,

culminating with a fairly good approximation of Cyclone’s features

16

Outline

Introduction Type-and-Effect System (Tofte-Talpin) Monadic Type System (FRGN)

– Translation Sketch

Substructural Type System (rgnURAL)– Translation Sketch

Conclusion

17

Type Systems for Regions

Memory is divided into regions– type of handle for region r

hnd r

18

Type Systems for Regions

Memory is divided into regions– type of handle for region r

hnd r

Objects are individually allocated in a region– operations: new, read, write– type of object of type allocated in region r

ref r

19

Tofte-Talpin Region Calculus [’94]

Regions are created and destroyedwith a lexically scoped construct:

letregion ,h in e All objects in region are deallocated

together at the end of ’s scope

20


Regions are created and destroyedwith a lexically scoped construct:

letregion ,h in e All objects in region are deallocated

together at the end of ’s scope

Regions have LIFO lifetimes Live regions can be organized as a stack

21


Regions are created and destroyedwith a lexically scoped construct

22



1

letregion 1,h1 in

let a = new h1 1 in

let c = letregion 2,h2 in

let b = new h2 7 in

new h1 (read a + read b) in

… c …

23



1 a : 1

letregion 1,h1 in

let a = new h1 1 in


let b = new h2 7 in


… c … input allocated in first region

24



1 a : 1

2

letregion 1,h1 in

let a = new h1 1 in


let b = new h2 7 in


… c … input allocated in first region

25



1 a : 1

2 b : 7letregion 1,h1 in

let a = new h1 1 in


let b = new h2 7 in


… c …

temporary allocated in second region

inputallocated in first region

26



1

2

a : 1

c : 8

b : 7letregion 1,h1 in

let a = new h1 1 in


let b = new h2 7 in


… c …


input and outputallocated in first region

27



1 a : 1

c : 8


input and outputallocated in first region

letregion 1,h1 in

let a = new h1 1 in


let b = new h2 7 in


… c …

28

Type-and-Effect System

Track the set of regions accessed by a computation:

` e : ,

Function types include a latent effect:

1 ! 2

The role of is to tell us when it is not safe to deallocate a region

29


Typing rule for letregion is subtle:

,h:hnd ` e : , ∉ frv(,) ` letregion ,h in e : , \ {}

30


Typing rule for letregion is subtle:

,h:hnd ` e : , ∉ frv(,) ` letregion ,h in e : , \ {}

Typing rule for effect weakening:

` e : , µ ’

` e : , ’

31


Effects are pervasive in typing rules:

` e1 : int, 1 ` e2 : int, 2

` e1 + e2 : int, 1 [ 2

` eh : hnd , h ` e : ,

` new eh e : ref , h [ [ {}

32


Type-and-effects system ensures safety

33


Type-and-effects system ensures safety But adds complications:

– Typing rule for letregion is subtle(due to the interplay of dangling pointers and effects)

– Effect weakening and region subtyping– Effects correspond to sets of regions

(term equality no longer suffices for type checking)

34

Monadic Type Systems

Monadic encapsulation of effects [L-PJ 94]– Embed imperative features in pure languages

35



Types

ST s STRef s Operations

returnST :: 8s,. ! ST s thenST :: 8s,, ST s ! ( ! ST s !ST s newSTRef :: 8s,. ! ST s (STRef s )

readSTRef :: 8s,. STRef s ! ST s writeSTRef :: 8s,. STRef s ! ! ST s 1

36



runST :: 8. (8s. ST s ) !

Polymorphism over store index type ensures that the computation (and the result) are independent of the initial (and final) store

37


Monadic encapsulation of effects [L-PJ 94]– Embed imperative features in pure languages– Polymorphic type system ensures safety

Well understood meta-theory Simplicity of System F type system

38

FRGN = System F + RGN monad

System F

Monadic sub-language

39

RGN monad: Types

Monadic types

40

RGN monad: Types

Monadic types

RGN –

computations in stack of regions returning values of type ;a “stack” transformer

41

RGN monad: Types

Monadic types

Hnd –

handles for the region

at the top of the stack of regions

42

RGN monad: Types

Monadic types

Ref –

values of type allocated in region

at the top of the stack of regions

43

RGN monad: Operations

Monadic unit and bind

returnRGN ::

8,. ! RGN

thenRGN ::

8,,. RGN ! ( ! RGN ) ! RGN

44



returnRGN ::

8,. ! RGN

thenRGN ::

8,,. RGN ! ( ! RGN ) ! RGN

45



returnRGN ::

8,. ! RGN

thenRGN ::

8,,. RGN ! ( ! RGN ) ! RGN

46


Create and read region allocated values

new ::

8,. Hnd ! ! RGN (Ref )

read ::

8,. Ref ! RGN

47


Create and read region allocated values

new ::

8,. Hnd ! ! RGN (Ref )

read ::

8,. Ref ! RGN

48

RGN monad: Encapsulation

Encapsulate and run a monadic computation

runRGN ::

8. (8. RGN ) !

49



runRGN ::

8. (8. RGN ) !

50



runRGN ::

8. (8. RGN ) !

“for all stacks” ) no assumptions about

stack of regions

51



runRGN ::

8. (8. RGN ) !


stack of regions

52



runRGN ::

8. (8. RGN ) !

result is independent of stack ) 62 frv() )

region values don’t escape


stack of regions

53

RGN monad: Regions


letRGN ::

81,. (82. Hnd 2 ! RGN 2 ) ! RGN 1

54

RGN monad: Regions


letRGN ::

81,. (82. Hnd 2 ! RGN 2 ) ! RGN 1

result is independent of stack ) 2 62 frv(RGN 1 ) )



stack of regions

55

RGN monad: Regions


letRGN ::

81,. (82. Hnd 2 ! RGN 2 ) ! RGN 1

result is independent of stack ) 2 62 frv(RGN 1 ) )



stack of regions

But, want to assume that 1 · 2 (1:: == 2)

56

RGN monad: Witnesses

Witness type

Pf(1 · 2) –

proof that the stack of regions 1

is a substack of the stack of regions 2

57

RGN monad: Witnesses

Witness operations

coerceRGN ::

81,2,. Pf(1 · 2) ! RGN 1 ! RGN 2

transSub ::

81,2,3. Pf(1 · 2) ! Pf(2 · 3)

! Pf(1 · 3)

58

RGN monad: Regions


letRGN ::

81,. (82. Pf(1 · 2) ! Hnd 2 ! RGN 2 )! RGN 1

59

RGN monad: Regions


letRGN ::

81,. (82. Pf(1 · 2) ! Hnd 2 ! RGN 2 )! RGN 1

60

Translation: TTRC to FRGN

Type- and meaning-preserving translation from Tofte-Talpin Region Calculus to FRGN

61



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 · ) £ Pf(2 · ) £ Pf(3 · )) !

Ref 1 int ! RGN (Ref 3 int)

{1,2,3}

62



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 · ) £ Pf(2 · ) £ Pf(3 · )) !


{1,2,3}

63



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 · ) £ Pf(2 · ) £ Pf(3 · )) !


{1,2,3}

64



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 · ) £ Pf(2 · ) £ Pf(3 · )) !


{1,2,3}

65



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 · ) £ Pf(2 · ) £ Pf(3 · )) !


{1,2,3}

?

66



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 · ) £ Pf(2 · ) £ Pf(3 · )) !


{1,2,3}

67



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 · ) £ Pf(2 · ) £ Pf(3 · )) !


{1,2,3}

68



«letregion ,h in e¬ )

69



«letregion ,h in e¬ )

letRGN (.w.h. «e¬)

70

Limitations of LIFO Regions

Lexical scope is ill-suited for– iterative computations

Conway’s Game of Life; copying GC

– CPS-based computations– event-based computations

71

Limitations of LIFO Regions

Lexical scope is ill-suited for– iterative computations

Conway’s Game of Life; copying GC

– CPS-based computations– event-based computations

But, lexical scope was ensuring thatthe stack of regions was threaded linearly

72

Substructural Type Systems

Provide core mechanisms to restrict the number and order of uses of data and operations– generalization of linear type systems

73

Structural Properties

Conventional type systems satisfy

– Exchange use typing assumptions in any order

– Contraction use typing assumptions more than once

– Weakening use typing assumptions less than once

74


Conventional type systems satisfy


– Contraction – Copy use typing assumptions more than once

– Weakening – Drop use typing assumptions less than once

75


Substructural type systems fail to satisfy




76


Substructural type systems fail to satisfy




77

Substructural Qualifiers

AffineDrop

RelevantCopy

UnrestrictedDrop Copy

Linear

78


AffineDrop

RelevantCopy


Linear

Unique objects – may be “used”at most once

Shared objects –may be “used” more than once

79


AffineDrop

RelevantCopy


Linear



80


AffineDrop

RelevantCopy


Linear



81


AffineDrop

RelevantCopy


Linear



82


AffineDrop

RelevantCopy


Linear

Essential objects – must be “used”at least once

Inessential objects –may be “used” less than once

83


AffineDrop

RelevantCopy


Linear



84


AffineDrop

RelevantCopy


Linear



85


AffineDrop

RelevantCopy


Linear



86

Substructural Type System: URAL

Qualifiers

q ::= U j R j A j L

PreTypes

::= 1 j 1 2 j 1 ( 2 j 8. j 9.

Types

::= q

87


Qualifiers

q ::= U j R j A j L

PreTypes

::= 1 j 1 2 j 1 ( 2 j 8. j 9.

Types

::= q

How maythe value be used?

88


Qualifiers

q ::= U j R j A j L

PreTypes

::= 1 j 1 2 j 1 ( 2 j 8. j 9.

Types

::= q

How maythe value be used?

How often maythe value be used?

89

rgnURAL = URAL + Regions

PreTypes

::= … j cap j hnd j ref j 8. j 9.

“capability” for region

90

rgnURAL: Region Primitives

Regions are created and destroyedwith separate operations

newrgn ::U(U1 ( L(9.L(Lcap Uhnd ))

freergn ::U8.U(L(Lcap Uhnd ) ( U1)

91





92





93





94


new ::U8,.U(L(Lcap Uhnd U) (

L(Lcap Uref U)

read ::U8,.U(L(Lcap Uref U) (

L(Lcap U)

95



L(Lcap Uref U)


L(Lcap U)

96



L(Lcap Uref U)


L(Lcap U)

97





98



newrgn ::U(U1 ( q(9.q(qcap Uhnd ))

freergn ::U8.U(q(qcap Uhnd ) ( U1)

99



newrgn ::U(U1 ( q(9.q(qcap Uhnd ))

freergn :: A ¹qU8.U(q(qcap Uhnd ) ( U1)

100


new ::U8,.U(q(qcap Uhnd U) (

q(qcap Uref U)

read ::U8,.U(q(qcap Uref U) (

q(qcap U)

101

Translation: FRGN to rgnURAL, Types

« RGN ¬ = U( ( L( «¬))

102


« RGN ¬ = U( ( L( «¬))

– operational behavior of monad is store-passing

103


« RGN ¬ = U( ( L( «¬))


104


« RGN ¬ = U( ( L( «¬))


105


« Pf(1 · 2) ¬ = U(9’. U(U(2 ( L(1 ’))

« Pf(1 · 2) ¬ = U(9’. U( U(L(1 ’) ( 2))

– Isomorphism between 2 and L(1 ’), for some “slack” ’

106


« Pf(1 · 2) ¬ = U(9’. U(U(2 ( L(1 ’))

« Pf(1 · 2) ¬ = U(9’. U( U(L(1 ’) ( 2))


– Proof that 1 is a substack of 2 is persistent

– Existence of 1 and 2 is ephemeral

107


« Pf(1 · 2) ¬ = U(9’. U(U(2 ( L(1 ’))

« Pf(1 · 2) ¬ = U(9’. U( U(L(1 ’) ( 2))




108


« Pf(1 · 2) ¬ = U(9’. Iso(2, L(1 ’))) (

« Pf(1 · 2) ¬ = U(9’. U(U(L(1 ’) ( 2))




109


« Hnd ¬ = U(9. U(U(9’. Iso(, L(’ Lcap )))« Hnd ¬ = U(9. U( Uhnd ))

« Ref ¬ = U(9. U(U(9’. Iso(, L(’ Lcap )))« Ref ¬ = U(9. U( Uref «¬))

110




Existential fixes region

111




Existential fixes region Isomorphism witnesses membership of in

112

Translation: FRGN to rgnURAL, Ops

« returnRGN [] [] e ¬ =let res : «¬ = «e¬ inUstk:. Lhstk,resi

« thenRGN [] [a] [b] e1 e2 ¬ =let f : «RGN a¬= «e1¬ inlet g : «a ! RGN b¬ = «e2¬ inUstk:. let hstk,resi = f stk in g res stk

113


« returnRGN [] [] e ¬ =let res : «¬ = «e¬ inUstk:. Lhstk,resi

« thenRGN [] [a] [b] e1 e2 ¬ =let f : «RGN a¬= «e1¬ inlet g : «a ! RGN b¬ = «e2¬ inUstk:. let hstk,resi = f stk in g res stk

Store-passing

encoding

114


« letRGN [1] [] e ¬ = let f : «82. Pf(1·2) ! Hnd 2 ! RGN 2 ¬ = «e¬ inUstk1:1.let pack(,hcap,hndi) = newrgn Lhi inUstk1:1.let stk2 = Lhstk1,capi inUstk1:1.let id = Ustk: L(1 Lcap ).stk inUstk1:1.let pwit = Upack(Lcap ,Uhid,idi) inUstk1:1.let phnd = Upack(,UhUpack(1,Uhid,idi),hndi) inUstk1:1.let hstk2,resi = f [L(1 Lcap )] pwit phnd stk2 inUstk1:1.let hstk1,capi = stk2 inUstk1:1.let hi = freergn [] Lhcap,hndi inUstk1:1.Lhstk1,resi

115


« letRGN [1] [] e ¬ = let f : «82. Pf(1·2) ! Hnd 2 ! RGN 2 ¬ = «e¬ inUstk1:1.let pack(,hcap,hndi) = newrgn Lhi inUstk1:1.let stk2 = Lhstk1,capi inUstk1:1.let id = Ustk: L(1 Lcap ).stk inUstk1:1.let pwit = Upack(Lcap ,Uhid,idi) inUstk1:1.let phnd = Upack(,UhUpack(1,Uhid,idi),hndi) inUstk1:1.let hstk2,resi = f [L(1 Lcap )] pwit phnd stk2 inUstk1:1.let hstk1,capi = stk2 inUstk1:1.let hi = freergn [] Lhcap,hndi inUstk1:1.Lhstk1,resi

116


« letRGN [1] [] e ¬ = let f : «82. Pf(1·2) ! Hnd 2 ! RGN 2 ¬ = «e¬ inUstk1:1.let pack(,hcap,hndi) = newrgn Uhi inUstk1:1.let stk2 = Lhstk1,capi inUstk1:1.let id = Ustk: L(1 Lcap ).stk inUstk1:1.let pwit = Upack(Lcap ,Uhid,idi) inUstk1:1.let phnd = Upack(,UhUpack(1,Uhid,idi),hndi) inUstk1:1.let hstk2,resi = f [L(1 Lcap )] pwit phnd stk2 inUstk1:1.let hstk1,capi = stk2 inUstk1:1.let hi = freergn [] Lhcap,hndi inUstk1:1.Lhstk1,resi

117



118



119



120


« new [] [] eh e ¬ =let phnd : «Hnd ¬ = «eh¬ in let x : «¬ = «e¬ in Ustk:.let pack(,hpack(’,hprj,inji),hndi) = phnd in Ustk:.let hstk’,capi = prj stk inUstk:.let hcap,refi = new [] [«¬] Lhcap,hnd,xi in Ustk:.let pref = Upack(,UhUpack(’,Uhprj,inji),refi) in Ustk:.let stk = inj Lhstk’,capi inUstk:.Lhstk,prefi

121

Cyclone Features

Dynamic Regions– 1st class regions without LIFO restriction– represented by a linear/affine key:

L/Akey = L/A(L/Acap Uhnd )– must be opened to allocate or access

openDRgn :: 8,,. key ( 8,,. (hnd ( rgn ( cap ) ) ( 8,,. rgn ( key )

122

Cyclone Features

Heap– globally scoped, garbage collected region

Ucap heap Uhnd heap

123

Cyclone Features

Heap– globally scoped, garbage collected region

Ucap heap Uhnd heap

Reaps– regions with individual object deallocation

L/Aref

124

Cyclone Features

Unique Pointers– anonymous dynamic regions without the handle

Luptr = L(9. L(Lcap Uref ))

– or, unique references in the heapLuptr = Lref heap

125

Future Work

In practice, need to phase-split capabilities

Encode results of region analyses– Aiken et.al. [PLDI’95], Henglein et.al. [PPDP’01]

Modeling other language features– Cyclone, Cqual, Vault

126

Final Thoughts

Type-and-effect · Monadic · Substructural– would be a nice story

127

Final Thoughts

Type-and-effect · Monadic · Substructural– would be a nice story– better picture (??)

Type-and effect Monadic

Substructural

Region-basedmemory management

128

Final Thoughts

Advantage of Substructural TS for RBMM– Encode results of region analyses

Aiken et.al. [PLDI’95], Henglein et.al. [PPDP’01]

– Previous work introduced features in type-system exclusively for supporting non-LIFO regions

– This work introduces primitives, but reuses features of type-system to encode non-LIFO regions

129

Final Thoughts

Advantage of Substructural TS for RBMM– Encode results of region analyses

Aiken et.al. [PLDI’95], Henglein et.al. [PPDP’01]

– Previous work introduced features in type-system exclusively for supporting non-LIFO regions

– This work introduces primitives, but reuses features of type-system to encode non-LIFO regions

– Substructural type-systems are good for supporting other features, so it is an economical use

130

Final Thoughts

Scope vs. Lifetime– Lexical scope of region name

universal and existential quantification

– Un-scoped lifetime of region capability late allocation / early deallocation

131

Final Thoughts





132

Final Thoughts




newrgn ::U(U1 ( L(9.L(U1 ( L(Lcap Uhnd )))

133

References

http://www.cs.cornell.edu/People/fluet

– FRGN : ICFP’04, JFP’06

– URAL and refURAL: ICFP’05

– rgnURAL : ESOP’06 (submitted)

Type Systems for Region-based Memory Management

Documents

Transcript of Type Systems for Region-based Memory Management