Experience with Safe Memory Management in Cyclone

download Experience with Safe Memory Management in Cyclone

of 36

  • date post

    31-Dec-2015
  • Category

    Documents

  • view

    27
  • download

    1

Embed Size (px)

description

Michael Hicks University of Maryland, College Park Joint work with Greg Morrisett - Harvard Dan Grossman - UW Trevor Jim - AT&T. Experience with Safe Memory Management in Cyclone. Cyclone. Derived from C, having similar goals - PowerPoint PPT Presentation

Transcript of Experience with Safe Memory Management in Cyclone

  • Experience with Safe Memory Management in CycloneMichael HicksUniversity of Maryland, College Park

    Joint work with Greg Morrisett - HarvardDan Grossman - UWTrevor Jim - AT&T

  • CycloneDerived from C, having similar goalsExposes low-level data representations, provides fine-grained operationsBut safeRestrictions to C (e.g., (int *)1 not allowed)Additions and types to regain flexibility

    Today: balancing safety and flexibility when managing memory

  • Goal: Programmer ControlMany memory management choicesGarbage collectionStack allocationmalloc/freeReference counting (Linux, COM)Arenas (bulk free) (Apache, LCC)Depends on the application

  • Unifying Theme: Region typesConceptually divide memory into regionsDifferent kinds of regions (e.g., not just bulk-free)Associate every pointer with a regionPrevent dereferencing pointers into dead regions

    int *`r x; // x points into region `r *x = 3; // deref allowed if `r is live

    (inference often obviates annotations `r) Liveness by type & effects system (Tofte&Talpin)

  • OutlineMotivation and basic approachRegions descriptionBasics: LIFO arenas, stack and heap regionsUnique and reference-counted pointersDynamic arenasProgramming experienceExperimental measurementsConclusions

  • LIFO ArenasDynamic allocation mechanismLifetime of entire arena is scopedAt conclusion of scope, all data allocated in the arena is freed.

  • LIFO Arena ExampleFILE *infile = Image *i;if (tag(infile) == HUFFMAN) { region h; // region `r created struct hnode *`r huff_tree; huff_tree = read_tree(h,infile); // allocates with h i = decode_image(infile,huff_tree,); // region `r deallocated upon exit of scope} else

  • Stack and Heap RegionsStack regionsDegenerate case of LIFO arena which does not allow dynamic allocationEssentially activation recordsHeap regionA global region `H that is always liveLike a LIFO arena that never dies; objects reclaimed by a garbage collector

  • Scoped Regions SummarySee PLDI `02 paper for more details

  • BenefitsNo runtime access checksArena/stackscosts are constant-timeregion allocationregion deallocationobject creationuseful forTemporary data (e.g., local variables)Callee-allocates data (rprintf)Lots of C-style code

  • LimitationsLack of control over memory usageSpurious retention of regions and their objectsFragmentationExtra space required by the garbage collectorLack of control over CPU usageGarbage collection is one-size-fits-allHard to tuneCannot avoid GC in some cases: LIFO arenas not expressive enoughE.g., objects with overlapping lifetimes

  • Overcoming the LimitationsAllow greater control over lifetimesObject lifetimesUnique pointers and reference-counted pointersArena lifetimesDynamic arenasBut not for nothing ...Restrictions on aliasingPossibility of memory leaks

  • Unique RegionDistinguished region name `UIndividual objects can be freed manuallyAn intraprocedural, flow-sensitive analysisensures that a unique pointer is not used after it is consumed (i.e. freed)treats copies as destructive; i.e. only one usable copy of a pointer to the same memoryLoosely based on affine type systems

  • Unique Pointer Examplevoid foo() { int *`U x = malloc(sizeof(int)); int *`U y = x; // consumes x *x = 5; // disallowed free(y); // consumes y *y = 7;// disallowed}

  • Temporary AliasingProblem: Non-aliasing too restrictivePartial solution: Allow temporary, lexically-scoped aliasing under acceptable conditionsMakes unique pointers easier to useIncreases code reuse

  • Alias constructextern void f(int *`r x); // `r any scoped regionvoid foo() { int *`U x = malloc(sizeof(int)); *x = 3; { alias int *`r y = x; // `r fresh f(y); // y aliasable, but x consumed } // x unconsumed free(x);}

  • Alias inferenceextern void f(int *`r x); // `r any scoped regionvoid foo() { int *`U x = malloc(sizeof(int)); *x = 3; f(x); // alias inserted here automatically free(x);}

  • Reference-counted PointersDistinguished region `RC Objects allocated in `RC have hidden reference-count fieldAliasing tracked as with unique pointers. Explicit aliasing/freeing via

    `a *`RC alias_refptr(`a *`RC);void drop_refptr(`a *`RC);

  • Reference-counting Examplestruct conn * `RC cmd_pasv(struct conn * `RC c) { struct ftran * `RC f; int sock = socket(...); f = alloc_new_ftran(sock,alias_refptr(c)); c->transfer = alias_refptr(f); listen(f->sock, 1); f->state = 1; drop_refptr(f); return c;}

  • Regions Summary

  • Ensuring Uniformity and ReuseMany different idioms could be hard to useDuplicated library functionsHard-to-change application codeWe have solved this problem byUsing region types as a unifying themeRegion polymorphism with kindsE.g., functions independent of arguments regionsAll regions can be treated as if lexicalTemporarily, under correct circumstancesUsing alias and open constructs

  • Programming ExperienceBoa web serverBetaFTPDftp serverEpic image compressionKiss-FFTportable fourier transformMediaNetstreaming overlay networkCycWebweb serverCycSchemescheme interpreter

  • Application Characteristics

  • MediaNet Datastructures

  • Experimental MeasurementsPlatformDual 1.6 GHz AMD Athlon MP 20001 GB RAMSwitched MyrinetLinux 2.4.20 (RedHat)Software C code: gcc 3.2.2Cyclone code: cyclone 0.8GC: BDW conservative collector 6.2a4malloc/free: Lea allocator 2.7.2

  • Bottom LineCPU timeMost applications do not benefit from switching from BDW GC to manual approachMediaNet is the exceptionMemory usageCan reduce memory footprint and working set size by 2 to 10 times by using manual techniques

  • Throughput: Webservers

  • Throughput: MediaNet

  • Memory Usage: Web (I)

  • Memory Usage: Web (II)

  • Memory Usage: Web (III)

  • Memory Usage: MediaNet(4 KB packets)

  • Related WorkRegionsML-Kit (foundation for Cyclones type system)RCReapsWalker/WatkinsUniquenessWadler, Walker/Watkins, CleanAlias types, Calculus of Capabilities, VaultDestructive reads (e.g., Boyland)

  • Future WorkTracked pointers sometimes painful; wantBetter inference (e.g. for alias)Richer API (restrict; autorelease)Prevent leaksunique and reference-counted pointersSpecified aliasingfor doubly-linked lists, etc.Concurrency

  • ConclusionsHigh degree of control, safely:Sound mechanisms for programmer-controlled memory managementRegion-based vs. object-based deallocationManual vs. automatic reclamationRegion-annotated pointers within a simple frameworkScoped regions unifying theme (alias,open)Region polymorphism, for code reuse

  • More InformationCyclone homepagehttp://www.cs.umd.edu/projects/cyclone/

    Has papers, benchmarks from this paper, and free distributionRead about it, write some code!