Automated Verification of Practical Garbage Collectors

Garbage collectors are notoriously hard to verify, due to their low-level interaction with the underlying system and the general difficulty in reasoning about reachability in graphs. Several papers have presented verified collectors, but either the proofs were hand-written or the collectors were too simplistic to use on practical applications. In this work, we present two mechanically verified garbage collectors, both practical enough to use for real-world C# benchmarks. The collectors and their associated allocators consist of x86 assembly language instructions and macro instructions, annotated with preconditions, postconditions, invariants, and assertions. We used the Boogie verification generator and the Z3 automated theorem prover to verify this assembly language code mechanically. We provide measurements comparing the performance of the verified collector with that of the standard Bartok collectors on off-the-shelf C# benchmarks, demonstrating their competitiveness

Using Low Level Linear Memory Management for Type-Preserving Mark-Sweep Garbage Collector

Efficient low-level systems such as garbage collectors need more control over memory than safe high-level languages usually provide. Due to this constraint, garbage collectors are typically written in unsafe languages such as C. A collector of this form usually resides as a trusted primitive runtime service outside the model of the programming language. The type safety of these languages depends on the assumption that the garbage collector will not violate any typing invariants. However, no realistic systems provide proof of this assumption. A garbage collector written in a strongly typed language can guarantee not only the safety of the garbage collector and the program being garbage collected (mutator), but also the interaction between the collector and the mutator. Removing the garbage collector from the trusted computing base has many additional benefits: Untrusted code could be given more control over memory management without sacrificing security. Low-level code such as device drivers could interface in a safe way with a garbage collector. For these and the growing prevalence of garbage collectors in the typical programming system necessitate a safe solution. Previous research by Wang et al introduced a safe copying collector based on regions, where the live graph structure of the heap is copied from an old region to a newer region. This paper seeks to improve the efficiency of type-preserving garbage collection with the introduction of a type-preserving mark and sweep garbage collector

Formal Type Soundness for Cyclone's Region System

Cyclone is a polymorphic, type-safe programming language derived from C\@. The primary design goals of Cyclone are to let programmers control data representations and memory management without sacrificing type-safety. In this paper, we focus on the region-based memory management of Cyclone and its static typing discipline. The design incorporates several advancements, including support for region subtyping and a coherent integration with stack allocation and a garbage collector. To support separate compilation, Cyclone requires programmers to write some explicit region annotations, but uses a combination of default annotations, local type inference, and a novel treatment of region effects to reduce this burden. As a result, we integrate C idioms in a region-based framework. In our experience, porting legacy C to Cyclone has required altering about 8\% of the code; of the changes, only 6\% (of the 8\%) were region annotations. This technical report is really two documents in one: The first part is a paper submitted for publication in November, 2001. The second part is the full formal language and type-safety proof mentioned briefly in the first part. If you have already read a version of, ``Region-Based Memory Management in Cyclone'', then you should proceed directly to Section 9

ABSTRACT Principled Scavenging

Proof-carrying code and typed assembly languages aim to minimize the trusted computing base by directly certifying the actual machine code. Unfortunately, these systems cannot get rid of the dependency on a trusted garbage collector. Indeed, constructing a provably type-safe garbage collector is one of the major open problems in the area of certifying compilation. Building on an idea by Wang and Appel, we present a series of new techniques for writing type-safe stop-and-copy garbage collectors. We show how to use intensional type analysis to capture the contract between the mutator and the collector, and how the same method can be applied to support forwarding pointers and generations. Unlike Wang and Appel (which requires whole-program analysis), our new framework directly supports higher-order funtions and is compatible with separate compilation; our collectors are written in provably type-safe languages with rigorous semantics and fully formalized soundness proofs. 1