Results 1 - 10 of 46
Typed Memory Management in a Calculus of Capabilities
, 2000
Cited by 186 (23 self)
Region-based memory management is an alternative to standard tracing garbage collection that makes potentially dangerous operations such as memory deallocation explicit but verifiably safe. In this article, we present a new compiler intermediate language, called the Capability Calculus, that supports region-based memory management and enjoys a provably safe type system. Unlike previous region-based type systems, region lifetimes need not be lexically scoped and yet the language may be checked for safety without complex analyses. Therefore, our type system may be deployed in settings such as extensible operating systems where both the performance and safety of untrusted code is important.
Region-Based Memory Management in Cyclone
- IN PROGRAMMING LANGUAGE DESIGN AND IMPLEMENTATION (PLDI'02)
, 2002
Cited by 163 (13 self)
Cyclone is a type-safe programming language derived from C. The primary design goal of Cyclone is to let programmers control data representation and memory management without sacrificing type-safety. In this paper, we focus on the region-based memory management of Cyclone and its static typing discipline. The design incorporates several advancements, including support for region subtyping and a coherent integration with stack allocation and a garbage collector. To support separate compilation, Cyclone requires programmers to write some explicit region annotations, but a combination of default annotations, local type inference, and a novel treatment of region effects reduces this burden. As a result, we integrate C idioms in a region-based framework. In our experience, porting legacy C to Cyclone has required altering about 8% of the code; of the changes, only 6% (of the 8%) were region annotations.
Object Ownership and Containment
, 2001
Cited by 112 (17 self)
Object-oriented programming relies on inter-object aliases to implement data structures and other abstractions. Objects have mutable state, but it is when mutable state interacts with aliasing that problems arise. Through aliasing an object's state can be changed without the object being aware of the changes, potentially violating the object's invariants. This problem is fundamentally unresolvable. Many idioms such as the Observer design pattern rely on it. Hence aliasing cannot be eliminated from object-oriented programming, it can only be managed. Various proposals have appeared in the literature addressing the issue of alias management. The most promising are based on alias encapsulation, which limits access to objects to within certain well-defined boundaries. Our approach, called ownership types, falls into this category. An object can specify the objects it owns, called its representation, and which objects can access its representation. A type system protects the representation by enforcing a well-defined containment invariant. Our approach is a formal one. Ownership types are cast as a type system using a minor extension to Abadi and Cardelli's object calculus with subtyping. With this formalisation we prove the soundness of our ownership types system and demonstrate that well-typed programs satisfy the containment invariant. In addition, we also provide a firm grounding to enable ownership types to be safely added to an object-oriented programming language with inheritance, subtyping, and nested classes, as well as offering a sound basis for future work. Our type system can model aggregate objects with multiple interface objects sharing representation and friendly functions which access multiple objects' private representations, among other examples, thus over...
A Type System for Bounded Space and Functional in-Place Update
, 2000
Cited by 79 (15 self)
We show how linear typing can be used to obtain functional programs which modify heap-allocated data structures in place. We present this both as a "design pattern" for writing C code in a functional style and as a compilation process from linearly typed first-order functional programs into malloc()-free C code. The main technical result is the correctness of this compilation. The crucial innovation over previous linear typing schemes consists of the introduction of a resource type # which controls the number of constructor symbols such as cons in recursive definitions and ensures linear space while restricting expressive power surprisingly little. While the space efficiency brought about by the new typing scheme and the compilation into C can also be realised with state-of-the-art optimising compilers for functional languages such as OCaml [16], the present method provides guaranteed bounds on heap space which will be of use for applications such as languages for embedd...
The Marriage of Effects and Monads
, 1998
Cited by 75 (3 self)
this paper is to marry effects to monads, writing T for a computation that yields a value in and may have effects delimited by oe. Now we have that ( is
Type-Based Analysis of Uncaught Exceptions
, 1998
Cited by 57 (1 self)
This paper presents a program analysis to estimate uncaught exceptions in ML programs. This analysis relies on unification-based type inference in a non-standard type system, using rows to approximate both the flow of escaping exceptions (a la effect systems) and the flow of result values (a la control-flow analyses). The resulting analysis is efficient and precise; in particular, arguments carried by exceptions are accurately handled.
Purity and side effect analysis for java programs
- In VMCAI
, 2005
Cited by 53 (1 self)
We present a new purity and side effect analysis for Java programs. A method is pure if it does not mutate any location that exists in the program state right before the invocation of the method. Our analysis is built on top of a combined pointer and escape analysis, and is able to determine that methods are pure even when the methods mutate the heap, provided they mutate only new objects. Our analysis provides useful information even for impure methods. In particular, it can recognize read-only parameters (a parameter is read-only if the method does not mutate any objects transitively reachable from the parameter) and safe parameters (a parameter is safe if it is read-only and the method does not create any new externally visible heap paths to objects transitively reachable from the parameter). The analysis can also generate regular expressions that characterize the externally visible heap locations that the method mutates. We have implemented our analysis and used it to analyze several applications. Our results show that our analysis effectively recognizes a variety of pure methods, including pure methods that allocate and mutate complex auxiliary data structures.
Pointer and Escape Analysis for Multithreaded Programs
, 2001
Cited by 50 (5 self)
analysis for multithreaded programs. The algorithm uses a new abstraction called parallel interaction graphs to analyze the interactions between threads and extract precise points-to, escape, and action ordering information for objects accessed by multiple threads. The analysis is compositional, analyzing each method or thread once to extract a parameterized analysis result that can be specialized for use in any context. It is also capable of analyzing programs that use the unstructured form of multithreading present in languages such as Java and standard threads packages such as POSIX threads.
Typed Memory Management via Static Capabilities
- ACM Transactions on Programming Languages and Systems
, 2000
Cited by 49 (5 self)
We have described the type constructor language of CL and the typing rules for the main term-level constructs. In fact, the previous section contains all of the information programmers or compilers require to write type-safe programs in CL. However, in order to prove a type soundness result in the style of Wright and Felleisen [Wright and Felleisen 1994], we must be able to type check programs at every step during their evaluation. In this section, we give the static semantics of the run-time values that are not normally manipulated by programmers, but are nevertheless necessary to prove our soundness result. At first, the formal definition ...
[Fig. 6. Capability static semantics: Heap and word values (rules h-fix, h-tuple, h-eq, v-var, v-int, v-type, v-sub, v-eq); the typing rules themselves did not survive extraction.]
Combining Region Inference and Garbage Collection
, 2002
Cited by 40 (2 self)
This paper describes a memory discipline that combines region-based memory management and copying garbage collection by extending Cheney's copying garbage collection algorithm to work with regions. The paper presents empirical evidence that region inference very significantly reduces the number of garbage collections; and evidence that the fastest execution is obtained by using regions alone, without garbage collection.