monadic and substructural type systems for region-based memory management

Monadic and SubstructuralType Systems for

Region-based Memory Management

Matthew Fluet

Cornell University

July 27, 2006 2

The Problem with Resources

Resources in a program are essential– file handles, DB connections, locks, memory, …

July 27, 2006 3

The Problem with Resources

Resources in a program are essential– file handles, DB connections, locks, memory, …

Resources need to be managed– state of a resource changes over time– using a resource in an incorrect state is WRONG

July 27, 2006 4

A Solution with Type Systems

Static type systems for programming languages(Java, C#, Standard ML)– well-typed programs don’t go WRONG

July 27, 2006 5


Static type systems for programming languages(Java, C#, Standard ML)– well-typed programs don’t go WRONG

While today’s type systems are effective,they have limitations:– limited notion of WRONG– cannot express some resource-conscious programs

July 27, 2006 6

Memory Management

One of the most difficult resources to handle

Dynamic allocation and deallocation of data

July 27, 2006 7

Memory Management

One of the most difficult resources to handle

Dynamic allocation and deallocation of data– programs acquire and release memory as needed

July 27, 2006 8

Memory Management

Dynamic allocation and deallocation of data Range of schemes for managing memory

July 27, 2006 9

Memory Management


– malloc/free explicit and efficient, but tedious and error prone

July 27, 2006 10

Memory Management



– garbage collection convenient and safe, but carries overheads

July 27, 2006 11

Memory Management



– garbage collection convenient and safe, but carries overheads

– region-based memory management

July 27, 2006 12


r1 r2

A region (denoted by r, , …) is a collectionof allocated data objects

July 27, 2006 13


r1 r2

Arbitrary intra- and inter-region references– data objects in one region may have pointers

to data objects in the same region and in other regions

July 27, 2006 14


r1 r2

A program creates and destroys regions to acquire and release memory

July 27, 2006 15


r1 r2 r3

Creating a region yields an empty region

July 27, 2006 16

Data objects may be allocated in and read from a region


r1 r2 r3

July 27, 2006 17


r1 r3

Destroying a region deallocates all objects in the region

July 27, 2006 18


r1 r3

Destroying a region deallocates all objects in the region

Existence of these pointers is O.K.

Dereferencing these pointers is WRONG.

July 27, 2006 19


Advantages

Disadvantages

July 27, 2006 20


Advantages– efficient implementations of mem. mgmt. operations– supports bulk deallocation of data objects– allows dangling pointers

Disadvantages

July 27, 2006 21


Advantages– efficient implementations of mem. mgmt. operations– supports bulk deallocation of data objects– allows dangling pointers

Disadvantages– allows various WRONG behaviors

dereferencing dangling pointers allocating in destroyed regions destroying region more than once

July 27, 2006 22


Static type systems for programming languages(Java, C#, Standard ML)– well-typed programs don’t go WRONG– well-typed programs are region safe

July 27, 2006 23



Previous work: type-and-effect systems

July 27, 2006 24



Previous work: type-and-effect systems– complicated, for programmer and language designer– limited expressiveness, nested regions only

July 27, 2006 25

Type Systems for Region-based Memory Management

I have developed type systems for managing and enforcing the correct usage of regions– monadic type system– substructural type system

These type systems – are simpler than previous work– are more expressive than previous work– unify seemingly different language features

July 27, 2006 26


Type-and-effect system– effects pervasive in type system– complicated proof of soundness

Monadic type system– exploit parametric polymorphism (System F)– simple type system; well-understood theory

Substructural type system– exploit linearity to control access to region– supports richer programming idioms

July 27, 2006 27

Type-and-Effect Systems

Provide core mechanisms to describe computational effects of a program– Type: what the expression computes– Effect: how the expression computes

Languages– Lucassen-Gifford-Jouvelot: FX-89, FX-91– Tofte-Talpin: region calculus, MLKit

July 27, 2006 28

Type-and-Effect Systems

Provide core mechanisms to describe computational effects of a program– Type: what the expression computes– Effect: how the expression computes

Languages– Lucassen-Gifford-Jouvelot: FX-89, FX-91– Tofte-Talpin: region calculus, MLKit

July 27, 2006 29

Type-and-Effect System for Regions

ref

– object of type allocated in region ;newRef, readRef, writeRef, …

hnd

– handle for region r;the run-time value for allocating in a region

July 27, 2006 30


Regions are created and destroyed with syntax:

letregion h in {

…

}

Region is created at the start of scope and destroyed at the end of scope

July 27, 2006 31


Regions have nested lifetimes

letregion 1 h1 in {

letregion 2 h2 in {

…

}

}

July 27, 2006 32


letregion 1 h1 in {

letregion 2 h2 in {

… x = newRef (h2,“a”) …

…

}

… readRef x …

} 0

July 27, 2006 33


letregion 1 h1 in {

letregion 2 h2 in {

… x = newRef (h2,“a”) …

…

}

… readRef x …

} 0

1

July 27, 2006 34


letregion 1 h1 in {

letregion 2 h2 in {

… x = newRef (h2,“a”) …

…

}

… readRef x …

} 0

1

2

July 27, 2006 35


letregion 1 h1 in {

letregion 2 h2 in {

… x = newRef (h2,“a”) …

…

}

… readRef x …

} 0

1

2

x “a”

July 27, 2006 36


letregion 1 h1 in {

letregion 2 h2 in {

… x = newRef (h2,“a”) …

…

}

… readRef x …

} 0

1

2

x “a”

July 27, 2006 37


letregion 1 h1 in {

letregion 2 h2 in {

… x = newRef (h2,“a”) …

…

}

… readRef x …

} 0

1

July 27, 2006 38


letregion 1 h1 in {

letregion 2 h2 in {

… x = newRef (h2,“a”) …

…

}

… readRef x …

} 0

1

July 27, 2006 39


letregion 1 h1 in {

letregion 2 h2 in {

… x = newRef (h2,“a”) …

… f = (z. … readRef x …) …

}

… f 2 …

} 0

1

July 27, 2006 40


Type-and-effect system ensures safety

– Track the set of regions used by an expression:

` e : ,

– Function types include a latent effect:

1 ! 2

July 27, 2006 41


Typing rule for letregion syntax:

,,h:hnd ` e : , ∉ frv(,) ` letregion ,h in { e } : , \ {}

July 27, 2006 42


Typing rule for function application:

` e : ’ ! , ` e’ : ’, ’

` e e’ : , [ ’ [ f

Type of ref operations:

newRef :: 8.8. (hnd £ ) ! ref

readRef :: 8.8. ref !

f

{}

{}

July 27, 2006 43


letregion 1 h1 in {

letregion 2 h2 in {

… x = newRef h2 “a” …

…

}

… readRef x …

} 2 2 {1}

{}

{1}

{1,2}

{1,2}

{1,2}

{1,2}

{1}

{}

2 2 {1,2}

July 27, 2006 44


letregion 1 h1 in {

letregion 2 h2 in {

… x = newRef h2 “a” …

… f = (z. … readRef x …) …

}

… f 2 …

}

{}

{1}

{1,2}

{1,2}

{1,2}

{1,2}

{1}

{}

2 2 {1,2}

2 2 {1}

July 27, 2006 45


Type-and-effect system ensures safety,but, adds complications:– Typing rule for letregion syntax is quite subtle

(interplay of dangling pointers and effects) [Tofte & Talpin ’94],[Crary et.al. ’99],[Banerjee et.al. ’99],[Helsen & Thiemann ’00],

[Calcagno ’01],[Grossman et.al. ’01],[Calcagno et.al. ’02],[Henglein et.al. ’05],[Ganz ’05]

– Effects are pervasive in typing rules – Effect weakening and region subtyping

Cyclone, [Grossman et.al. ’01]

– Effects correspond to sets of region names (term equality no longer suffices for type checking)

July 27, 2006 46








July 27, 2006 47








July 27, 2006 48






[Grossman et.al. ’01]


Programming with and proving soundness of type-and-effect

systems is challenging.

July 27, 2006 49






[Grossman et.al. ’01]

– Effects correspond to sets of names (term equality no longer suffices for type checking)

Is there a simpler type system that provides the same safety

and expressiveness?

July 27, 2006 50

Monadic Type System for Regions

Exploit parametric polymorphism (System F)and monadic encapsulation

Key insights:– Effects map to an indexed monadic type– Effect weakening and membership witnessed by types– Sufficient for encoding type-and-effect systems

July 27, 2006 51

Monadic Type Systems

Exploit parametric polymorphism (System F)and monadic encapsulation

Embed imperative features in pure languages– Distinguish pure values from stateful computations– Polymorphic type system ensures safety

Simple type system Well-understood theory

Language: Haskell– Launchbury-Peyton Jones: ST monad

July 27, 2006 52


RGN

– computations in stack of regions returning values of type

July 27, 2006 53


Hnd

– handle for the regionat the top of the stack of regions

Ref

– object of type allocated in some regionin the stack of regions

July 27, 2006 54


Pf(1 µ 2)

– proof that the stack of regions 1

is a substack of the stack of regions 2

July 27, 2006 55


Pf(1 µ 2) ¼ 8. RGN 1 ! RGN 2



July 27, 2006 56


Pf(1 µ 2) ¼ 8. Ref 1 ! Ref 2



July 27, 2006 57


RGN

Hnd

Ref

Pf(1 µ 2)

is always a variable;never deal with “real” stacks

July 27, 2006 58


Regions are created/destroyed with a primitive:

letRGN :: …

Region is created and destroyed automatically. Regions have nested lifetimes

July 27, 2006 59



letRGN ::

81.8. (82. Pf(1 µ 2)

! Hnd 2

! RGN 2 )

! RGN 1

July 27, 2006 60



letRGN ::

81.8. (82. Pf(1 µ 2)

! hnd 2

! RGN 2 )

! RGN 1

Despite appearances, this is a boring polymorphic type – and that’s the win:leverage a well-known type system.

July 27, 2006 61


Adopt type system of System F

– simple type structure

::= Int | 1 £ 2 | 1 ! 2 | 8.

RGN | Ref | Hnd | Pf(1 µ 2) | 8.

– simple type judgment

` e :

July 27, 2006 62

RGN monad: Operations

Monadic unit and bind

returnRGN ::

8,. ! RGN

thenRGN ::

8,,. RGN ! ( ! RGN ) ! RGN

July 27, 2006 63



returnRGN ::

8,. ! RGN

thenRGN ::

8,,. RGN ! ( ! RGN ) ! RGN

July 27, 2006 64



returnRGN ::

8,. ! RGN

thenRGN ::

8,,. RGN ! ( ! RGN ) ! RGN

July 27, 2006 65


Create and read region allocated values

newRef ::

8,. Hnd £ ! RGN (Ref )

readRef ::

8,. Ref ! RGN

July 27, 2006 66


Create and read region allocated values

newRef ::

8,. Hnd £ ! RGN (Ref )

readRef ::

8,. Ref ! RGN

July 27, 2006 67

RGN monad: Encapsulation

Encapsulate and run a monadic computation

runRGN ::

8. (8. RGN ) !

July 27, 2006 68



runRGN ::

8. (8. RGN ) !

“for all stacks” ) no assumptions about

stack of regions

July 27, 2006 69



runRGN ::

8. (8. RGN ) !

result type cannot mention )cannot return a computation

depending on dangling pointers

“for all stacks” ) no assumptions about

stack of regions

July 27, 2006 70

RGN monad: Regions

Regions are created and destroyedwith a lexically scoped construct

letRGN ::

81,. (82. Pf(1 µ 2) ! Hnd 2 ! RGN 2 )! RGN 1

July 27, 2006 71

RGN monad: Regions


letRGN ::

81,. (82. Pf(1 µ 2) ! Hnd 2 ! RGN 2 )! RGN 1

specify assumptions about newly created region

result type cannot mention 2 )cannot return a computation

depending on newly created region

July 27, 2006 72

RGN monad: Regions


letRGN ::

81,. (82. Pf(1 µ 2) ! Hnd 2 ! RGN 2 )! RGN 1

specify assumptions about newly created region

result type cannot mention 2 )cannot return a computation

depending on newly created region

Is the monadic type systemas expressive as

the type-and-effect system?

July 27, 2006 73

Translation: Type-and-effect to Monadic

Type- and meaning-preserving translation from type-and-effect to monadic

July 27, 2006 74



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 µ ) £ Pf(2 µ ) £ Pf(3 µ )) !

Ref 1 int ! RGN (Ref 3 int)

{1,2,3}

July 27, 2006 75



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 µ ) £ Pf(2 µ ) £ Pf(3 µ )) !


{1,2,3}

July 27, 2006 76



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 µ ) £ Pf(2 µ ) £ Pf(3 µ )) !


{1,2,3}

July 27, 2006 77



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 µ ) £ Pf(2 µ ) £ Pf(3 µ )) !


{1,2,3}

July 27, 2006 78



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 µ ) £ Pf(2 µ ) £ Pf(3 µ )) !


{1,2,3}

?

July 27, 2006 79



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 µ ) £ Pf(2 µ ) £ Pf(3 µ )) !


{1,2,3}

July 27, 2006 80



« (ref 1 int) ! (ref 3 int) ¬ )

8. (Pf(1 µ ) £ Pf(2 µ ) £ Pf(3 µ )) !


{1,2,3}

July 27, 2006 81



Theorems:

If ; ` e : , then «¬;«¬ ` «e¬ : RGN «¬ «¬.

If `prog e and ({};e) ({};v}, then ({};«e¬) ({};«v¬).

July 27, 2006 82

Monadic Type System for Resources

Technique extends beyond regions to many other kinds of resources.

July 27, 2006 83



The technique statically guarantees that neither a file handle nor any computation involving the handle can leak outside of the region that created it. Therefore, the handle can be safely closed (and its resources disposed of) whenever control leaves the corresponding withFile block. Many handles can be open simultaneously, the type system enforces the proper nesting of their regions. … It trivially generalizes to database IO and other kinds of IO.

[Kiselyov ’06, Haskell Mailing List]

July 27, 2006 84



The technique statically guarantees that neither a file handle nor any computation involving the handle can leak outside of the region that created it. Therefore, the handle can be safely closed (and its resources disposed of) whenever control leaves the corresponding withFile block. Many handles can be open simultaneously, the type system enforces the proper nesting of their regions. … It trivially generalizes to database IO and other kinds of IO.

[Kiselyov ’06, Haskell Mailing List]

July 27, 2006 85

Limitations of Nested Lifetimes

Nested lifetimes are ill-suited for– iterative computations

Conway’s Game of Life; copying GC

– CPS-based computations– event-based computations

July 27, 2006 86


fun loop (d) =

…

d’ = next (d) // create new data

…

loop (d’) // never access old data

July 27, 2006 87


fun loop [] (d :: ref data) =

…

d’ = next [] (d) // create new data

…

loop [] (d’) // never access old data

July 27, 2006 88



…

d’ = next [] (d) // create new data

…

loop [] (d’) // never access old dataAll versions of data in the same region

July 27, 2006 89



letregion ’ in {

d’ = next [’] (d) // create new data

…

loop [’] (d’) // never access old data

}

July 27, 2006 90



letregion ’ in {


…

loop [’] (d’) // never access old data

}

Data in different regions, but can’t

deallocate any region until loop completes

July 27, 2006 91



’ = newRgn


freeRgn loop [’] (d’) // never access old data

July 27, 2006 92



’ = newRgn



Must ensure that is not accessed after

freeRgn

July 27, 2006 93



’ = newRgn



Must ensure that is not accessed after

freeRgn

Is there a more expressivetype system

that supports these idioms?

July 27, 2006 94

Substructural Type System for Regions

Exploit linearity to control access to region Key insights:

– Separate region name from region liveness– Region liveness witnessed by types– Sufficient for encoding monadic type system

July 27, 2006 95

Substructural Type Systems

Exploit linearity to control access to region Provide core mechanisms to manage the number

of uses of data and operations– linear (L) : used exactly one time

no other copies or aliases

– unrestricted (U) : used an arbitrary number of times possibly other copies or aliases

Languages: Clean, Vault, Sing#

July 27, 2006 96


cap

– proof that the region is live;capability to destroy region andto allocate in and read from region

July 27, 2006 97


cap

– proof that the region is live;capability to destroy region andto allocate in and read from region;treated linearly: exactly one capability per region

July 27, 2006 98


Adopt substructural type system

– type structure

q::=U | L

::= Int | 1 2 | 1 ( 1 | 8. | 9. |

cap | ref | hnd | 8. | 9. ::= q

– type judgment

` e :

July 27, 2006 99



– type structure

q::=U | L

::= Int | 1 2 | 1 ( 1 | 8. | 9. |

cap | ref | hnd | 8. | 9. ::= q

– type judgment

` e :

How maythe value be used?

July 27, 2006 100



– type structure

q::=U | L

::= Int | 1 2 | 1 ( 1 | 8. | 9. |

cap | ref | hnd | 8. | 9. ::= q

– type judgment

` e :

How maythe value be used?

How often maythe value be used?

July 27, 2006 101


Regions are created and destroyedwith separate operations

newRgn ::U(U1 ( L(9.L(Lcap Uhnd ))

freeRgn ::U8.U(L(Lcap Uhnd ) ( U1)

July 27, 2006 102





Produces a new capability.

Consumes a capability.

July 27, 2006 103





July 27, 2006 104





July 27, 2006 105


newRef ::U8,.U(L(Lcap Uhnd U) (

L(Lcap Uref U)

readRef ::U8,.U(L(Lcap Uref U) (

L(Lcap U)

Returns a capability.

Requires a capability.

July 27, 2006 106



L(Lcap Uref U)


L(Lcap U)

July 27, 2006 107



L(Lcap Uref U)


L(Lcap U)

July 27, 2006 108


fun loop [] (ca::Lcap ,h::Uhnd ,d::ref data) =

h’,(c’z::Lcap ’, h’::Uhnd ’)i = newRgn

(cb::Lcap ,c’y ::Lcap ,d’)

= next [’] (ca,c’z,h’,d)

freeRgn [] (cb,h)

loop [’] (c’y,h’,d’)

July 27, 2006 109






freeRgn [] (cb,h)


July 27, 2006 110






freeRgn [] (cb,h)


July 27, 2006 111






freeRgn [] (cb,h)


Is the substructural type systemas expressive as

the monadic type system?

July 27, 2006 112

Translation: Monadic to Substruct, Types

« RGN ¬ = U( ( L( «¬))

July 27, 2006 113


« RGN ¬ = U( ( L( «¬))

– operational behavior of monad is store-passing;stack of regions represented by tuple of capabilities

July 27, 2006 114


« RGN ¬ = U( ( L( «¬))

– operational behavior of monad is store-passing;stack of regions represented by tuple of capabilities

July 27, 2006 115


« Pf(1 µ 2) ¬ = U(9’. U(U(2 ( L(1 ’))

« Pf(1 µ 2) ¬ = U(9’. U( U(L(1 ’) ( 2))

– Isomorphism between 2 and L(1 ’), for some “slack” ’

July 27, 2006 116


« Pf(1 µ 2) ¬ = U(9’. U(U(2 ( L(1 ’))

« Pf(1 µ 2) ¬ = U(9’. U( U(L(1 ’) ( 2))


– Proof that 1 is a substack of 2 is persistent

– Existence of 1 and 2 is ephemeral

July 27, 2006 117


« Pf(1 µ 2) ¬ = U(9’. U(U(2 ( L(1 ’))

« Pf(1 µ 2) ¬ = U(9’. U( U(L(1 ’) ( 2))




July 27, 2006 118


« Pf(1 µ 2) ¬ = U(9’. Iso(2, L(1 ’))) (

« Pf(1 µ 2) ¬ = U(9’. U(U(L(1 ’) ( 2))




July 27, 2006 119


« Pf(1 µ 2) ¬ = U(9’. Iso(2, L(1 ’))) (

« Pf(1 µ 2) ¬ = U(9’. U(U(L(1 ’) ( 2))




“Subtyping” in a substructural setting needs to handle what is being “forgotten”.

July 27, 2006 120

Translation: Monadic to Substruct

Type- and meaning-preserving translation from monadic to substruct

Theorems:

If ; ` e : then «¬;«¬ ` «e¬ : U«¬.

If `prog e and ({};e) ({};v}, then ({};«e¬) ({};«v¬).

July 27, 2006 121


Type-and-effect system– effects pervasive in type system– complicated proof of soundness

Monadic type system– exploit parametric polymorphism (System F)– simple type system; well-understood theory

Substructural type system– exploit linearity to control access to region– supports richer programming idioms

July 27, 2006 122

Application: Cyclone

Cyclone Safe-C Project– http://cyclone.thelanguage.net/

– type-safe language no buffer overflows, dangling pointers, format string attacks

– with the “virtues” of C low-level interface with manifest cost model

– range of memory management options regions are an organizing principle

July 27, 2006 123

Application: Cyclone, Regions

Region varietyAllocation

(objects)

DeallocationAliasing

(objects)(what) (when)

Stack static

whole region

exit of lexical scope

unrestricted

Lexical

dynamic

Dynamicmanual

Dynamic seq.

Heap (`H)

single objects

automatic(BDW GC)

Unique (`U)

manual restrictedRef-counted (`RC)

July 27, 2006 124



(objects)



Stack static

whole region


unrestricted

Lexical

dynamic

Dynamicmanual

Dynamic seq.

Heap (`H)

single objects

automatic(BDW GC)

Unique (`U)


Proving type safety of Cyclone is a nightmare!!

July 27, 2006 125



(objects)



Stack static

whole region


unrestricted

Lexical

dynamic

Dynamicmanual

Dynamic seq.

Heap (`H)

single objects

automatic(BDW GC)

Unique (`U)


My contribution: encode and unify the key features of Cyclone in a target

language with simpler type system.

July 27, 2006 126

Future Work

For practical languages, witnesses and capabilities need to be less burdensome.

Encode results of region analyses– Aiken et.al. [PLDI’95], Henglein et.al. [PPDP’01]

Modeling other language features– Cyclone, CQual, Vault

July 27, 2006 127

Conclusion

Type-and-effect

Monadic

SubstructuralType systems for

region-basedmemory management

Resource conscious type systems

July 27, 2006 128

Conclusion

Region-based memory managementcan be handled by novel uses of type systems– Previous work introduced heavy-weight features in the

type system exclusively for supporting regions– This work introduces light-weight primitives, and

reuses features of the type system to encode proper region behavior

Many insights apply to other resources– encodings integrate features in language design

July 27, 2006 129

July 27, 2006 130



«letregion ,h in e¬ )

July 27, 2006 131



«letregion ,h in e¬ )

letRGN (.pf.h. «e¬)

July 27, 2006 132

July 27, 2006 133


« Hnd ¬ = U(9. U(U(9’. Iso(, L(’ Lcap )))« Hnd ¬ = U(9. U( Uhnd ))

« Ref ¬ = U(9. U(U(9’. Iso(, L(’ Lcap )))« Ref ¬ = U(9. U( Uref «¬))

July 27, 2006 134




Existential fixes region

July 27, 2006 135




Existential fixes region Isomorphism witnesses membership of in

July 27, 2006 136

Translation: Monadic to Substruct, Prims

« returnRGN [] [] e ¬ =let res : «¬ = «e¬ inUstk:. Lhstk,resi

« thenRGN [] [a] [b] e1 e2 ¬ =let f : «RGN a¬= «e1¬ inlet g : «a ! RGN b¬ = «e2¬ inUstk:. let hstk,resi = f stk in g res stk

July 27, 2006 137


« returnRGN [] [] e ¬ =let res : «¬ = «e¬ inUstk:. Lhstk,resi

« thenRGN [] [a] [b] e1 e2 ¬ =let f : «RGN a¬= «e1¬ inlet g : «a ! RGN b¬ = «e2¬ inUstk:. let hstk,resi = f stk in g res stk

Store-passing

encoding

July 27, 2006 138


« letRGN [1] [] e ¬ = let f : «82. Pf(1µ2) ! Hnd 2 ! RGN 2 ¬ = «e¬ inUstk1:1.let pack(,hcap,hndi) = newRgn Lhi inUstk1:1.let stk2 = Lhstk1,capi inUstk1:1.let id = Ustk: L(1 Lcap ).stk inUstk1:1.let pwit = Upack(Lcap ,Uhid,idi) inUstk1:1.let phnd = Upack(,UhUpack(1,Uhid,idi),hndi) inUstk1:1.let hstk2,resi = f [L(1 Lcap )] pwit phnd stk2 inUstk1:1.let hstk1,capi = stk2 inUstk1:1.let hi = freeRgn [] Lhcap,hndi inUstk1:1.Lhstk1,resi

July 27, 2006 139


« letRGN [1] [] e ¬ = let f : «82. Pf(1µ2) ! Hnd 2 ! RGN 2 ¬ = «e¬ inUstk1:1.let pack(,hcap,hndi) = newRgn Lhi inUstk1:1.let stk2 = Lhstk1,capi inUstk1:1.let id = Ustk: L(1 Lcap ).stk inUstk1:1.let pwit = Upack(Lcap ,Uhid,idi) inUstk1:1.let phnd = Upack(,UhUpack(1,Uhid,idi),hndi) inUstk1:1.let hstk2,resi = f [L(1 Lcap )] pwit phnd stk2 inUstk1:1.let hstk1,capi = stk2 inUstk1:1.let hi = freeRgn [] Lhcap,hndi inUstk1:1.Lhstk1,resi

July 27, 2006 140


« letRGN [1] [] e ¬ = let f : «82. Pf(1µ2) ! Hnd 2 ! RGN 2 ¬ = «e¬ inUstk1:1.let pack(,hcap,hndi) = newRgn Uhi inUstk1:1.let stk2 = Lhstk1,capi inUstk1:1.let id = Ustk: L(1 Lcap ).stk inUstk1:1.let pwit = Upack(Lcap ,Uhid,idi) inUstk1:1.let phnd = Upack(,UhUpack(1,Uhid,idi),hndi) inUstk1:1.let hstk2,resi = f [L(1 Lcap )] pwit phnd stk2 inUstk1:1.let hstk1,capi = stk2 inUstk1:1.let hi = freeRgn [] Lhcap,hndi inUstk1:1.Lhstk1,resi

July 27, 2006 141



July 27, 2006 142



July 27, 2006 143



July 27, 2006 144


« new [] [] eh e ¬ =let phnd : «Hnd ¬ = «eh¬ in let x : «¬ = «e¬ in Ustk:.let pack(,hpack(’,hprj,inji),hndi) = phnd in Ustk:.let hstk’,capi = prj stk inUstk:.let hcap,refi = new [] [«¬] Lhcap,hnd,xi in Ustk:.let pref = Upack(,UhUpack(’,Uhprj,inji),refi) in Ustk:.let stk = inj Lhstk’,capi inUstk:.Lhstk,prefi

July 27, 2006 145

July 27, 2006 146

Type Systems for Regions

Polymorphic(System F)

Monadic

Type-and-Effect

Linear Substructural

monadic and substructural type systems for region-based memory management

Documents

memory mallocfreeexplicit

regionsdestroying region

deallocation of datarange

deallocation of dataprograms

handledynamic allocation

wrongwhile todays type

programming languages

substructuraltype systems