Typed Regions

Standard type systems are not sufficiently expressive when applied to low-level memory-management code. Such code often requires some form of strong update (i.e. assignments that change the type of the affected location) and needs to reason about the relative position of objects in memory. We present a novel type system which, like alias types, provides a form of strong update, but with the advantage that it does not require the aliasing pattern to be statically described. It can also provide operations over sequential memory locations and allows covariant reference casts, both of which are required to implement a type-preserving stop&copy garbage collector that can properly collect cyclic data-structures. Finally, this type system is able to keep track of almost arbitrary properties of values and state, giving it a power formerly reserved to Hoare logic. As the technology of certifying compilation and proof carrying code [16, 1, 8] progresses, the need to ensure the safety of the runtime system increases: if you go through the trouble of writing a foundational proof of safety of your code, you would rather not trust an unverified conservative garbage collector (GC) with your data. For this reason, it is important to be able to write a type-safe GC, but the state of the art in this matter is still completely impractical: it cannot even handle cyclic data-structures. This paper’s main goals are thus: • Argue that, in order to type-check a GC that can collect cyclic data-structures, the type system has to provide a form of assignment that can change the type of a location (i.e. a strong update [3]) even if the set of aliases to this location is unknown. • Present a type system that provides such a facility. This type system allows the programmer to choose any mix of linear or intuitionistic typing of references and to seamlessly change this choice over time to adapt it to the current needs. Traditional type systems are not well-suited to reason about type safety of low-level memory management such as explicit memory allocation, initialization, deallocation, or reuse. Existing solutions to these problems either have a very limited applicability or rely on some form of linearity constraint. Such constraints tend to be inconvenient and a lot of work has gone into relaxing them. For example, the alias-types system [22] is able to cleanly handle several of the points above, even in the presence of arbitrary aliasing, as long as the aliases can be statically tracked by the type system. The reason why it is challenging to show type safety of low-level memory management is that for this kind of code, we end up having to prove some non-trivial properties about the code just to show its type safety. For example, type safety of a generational GC depends on the correct processing of the remembered-set (a data-structure holding the set of pointers from the old generation to the new). An alternative approach would be to use Hoare logic [10] to show the correctness of the low-level code and then provide a typesafe interface to it. But it is not clear how those two parts would interact: the low-level code might be spread in pieces over a lot of code and might need to propagate complex invariants to the various pieces through the type-safe interface, as is the case for the code that maintains the remembered-set in the mutator. Furthermore as we start to encode more properties than basic type safety into our type systems, the difficulties we are seeing here will start to appear for more mundane code as well. This tendency can already be seen in the Vault project which uses an approach taken from alias-types to prove other properties of their code than just type safety. The present work is thus an attempt to provide a middle ground between Hoare logic and traditional type systems. Additionally to the above stated goals, we make the following contributions: • A language that subsumes traditional region calculi as well as alias-types calculi to simultaneously combine the benefits of traditional intuitionistic references and linear references. • We introduce type cast on memory locations and strong update operations that work in the absence of any static aliasing information. • Those operations generalize and enhance the widen operator used in [14] while relying on a much simpler soundness proof. • We show how to use the calculus of inductive constructions (CiC) to track properties of state. This extends the work of Shao et al. [18] where they used CiC as their type language to track arbitrary properties of values. Section 1 gives a quick preview of the basic idea developed in this paper. Section 2 introduces the problem of cyclic data-structures as well as two type systems on which our work is built. Section 3 describes the new language. Section 4 shows some examples of what the language can do. We then discuss related work and conclude.