A Linearly Typed Assembly Language

Today’s type-safe low-level languages rely on garbage collection to recycle heap-allocated objects safely. We present LTAL, a safe, low-level, yet simple language that “stands on its own”: it guarantees safe execution within a fixed memory space, without relying on external run-time support. We demonstrate the expressiveness of LTAL by giving a type-preserving compiler for the functional core of ML. But this independence comes at a steep price: LTAL’s type system imposes a draconian discipline of linearity that ensures that memory can be reused safely, but prohibits any useful kind of sharing. We present the results of experiments with a prototype LTAL system that show just how high the price of linearity can be. 1 Background and Motivation Safety certification systems such as Java or MSIL bytecode verification make it possible to verify the safety of code obtained from an untrusted provider or over an untrusted network [13, 7]. Refinements like proof-carrying code and typed assembly language [19, 18] make it possible to check and execute machine code directly rather than through interpretation. However, all widely used systems for verifying low-level code require a trusted run-time environment to provide safe memory management. Furthermore, each of these systems takes a rather ad hoc approach to initialization of heap-allocated objects. Recently, Wang and Appel [32] and Monnier, Saha, and Shao [16] have shown how to build a type-safe garbage collector based on the ideas of the Capability Calculus [29], thus eliminating most of the memory management from the trusted computing base. However, some trusted code is still required to implement the region primitives, and the region calculi on which these systems are based are relatively complicated. Furthermore, the region-based approaches do not address the initialization problem. In this paper, we step back and examine a more foundational approach to the issues of initialization and memory management for low-level code. In particular, we use a linear type system to provide a clean, elegant solution to both problems. More specifically, we present: 1. A linear type system for a conventional, MIPS-style assembly language called LTAL. 2. Theorems that show every well-typed LTAL program is sound and “leak-free” (i.e., uses bounded memory). 3. An encoding of memory management operations malloc and free within LTAL. 4. Techniques for compiling unrestricted (i.e., non-linear) high-level functional languages to LTAL in a type-preserving fashion. It is important to note that we do not consider the resulting system to be practical. The price of LTAL’s simplicity and elegance is that it does not support shared data structures. At first, such a restriction seems to preclude the use of LTAL as a target for high-level languages. However, we show that there is a type-preserving translation for a high-level ML-like language to LTAL based on explicit copying. Unfortunately, our experiments show that this naive translation is far