Reference Capabilities for Flexible Memory Management: Extended Version

Verona is a concurrent object-oriented programming language that organises all the objects in a program into a forest of isolated regions. Memory is managed locally for each region, so programmers can control a program's memory use by adjusting objects' partition into regions, and by setting each region's memory management strategy. A thread can only mutate (allocate, deallocate) objects within one active region -- its "window of mutability". Memory management costs are localised to the active region, ensuring overheads can be predicted and controlled. Moving the mutability window between regions is explicit, so code can be executed wherever it is required, yet programs remain in control of memory use. An ownership type system based on reference capabilities enforces region isolation, controlling aliasing within and between regions, yet supporting objects moving between regions and threads. Data accesses never need expensive atomic operations, and are always thread-safe.Comment: 87 pages, 10 figures, 5 listings, 4 tables. Extended version of paper to be published at OOPSLA 202

Confidential Consortium Framework: Secure Multiparty Applications with Confidentiality, Integrity, and High Availability

Confidentiality, integrity protection, and high availability, abbreviated to CIA, are essential properties for trustworthy data systems. The rise of cloud computing and the growing demand for multiparty applications however means that building modern CIA systems is more challenging than ever. In response, we present the Confidential Consortium Framework (CCF), a general-purpose foundation for developing secure stateful CIA applications. CCF combines centralized compute with decentralized trust, supporting deployment on untrusted cloud infrastructure and transparent governance by mutually untrusted parties. CCF leverages hardware-based trusted execution environments for remotely verifiable confidentiality and code integrity. This is coupled with state machine replication backed by an auditable immutable ledger for data integrity and high availability. CCF enables each service to bring its own application logic, custom multiparty governance model, and deployment scenario, decoupling the operators of nodes from the consortium that governs them. CCF is open-source and available now at https://github.com/microsoft/CCF.Comment: 16 pages, 9 figures. To appear in the Proceedings of the VLDB Endowment, Volume 1

Pony: co-designing a type system and a runtime

We have developed a new programming language, called Pony, that allows the user to easily write fast, safe, parallel programs. The focus of this work is using a powerful and novel static type system to guarantee properties of a program in order to eliminate many runtime checks. This includes eliminating all forms of locking, as well as enabling a novel fully concurrent garbage collection protocol for both objects and actors that has no stop-the-world step, while also having no read or write barriers. Essentially, the type system is used to enable not just safer computation but faster computation. The core type system feature that enables this is reference capabilities. These are a system of type annotations that guarantee data-race freedom even in the presence of asynchronous messages that can contain mutable data. Reference capabilities show that concepts such as isolation and immutability can be derived rather than being treated as fundamental. Properties of the type system and operational semantics, such as atomic behaviours and data-race freedom are leveraged to allow actors themselves to be garbage collected when it can be proved they will never again have messages in their queue. Message-based Actor Collection (MAC) achieves this using only message passing, without the need for any other form of thread synchronisation or coordination, using a system of deferred, distributed, weighted reference counting in which reference counts do not re ect the number of reachable paths in a heap. This requires a cycle detection actor to be able to collect isolated cyclic graphs of actors. To do this with no stop-the-world step, a novel and inexpensive CNF-ACK protocol is used to determine that the cycle detector's view of the actor topology was the true actor topology when the cycle was detected. Guaranteeing data-race freedom allows the language to use a novel fully concurrent garbage collection protocol. This protocol allows each actor to collect its own heap independently and concurrently, while still allowing objects to be sent by reference in asynchronous messages (zero-copy message passing). This is achieved using Ownership and Reference Counting for Actors (ORCA), a protocol derived from MAC that allows passive objects shared across actor-local heaps to be garbage collected with no stop-the-world step. Guaranteeing data-race freedom allows the language to use a novel fully concurrent garbage collection protocol. This protocol allows each actor to collect its own heap independently and concurrently, while still allowing objects to be sent by reference in asynchronous messages (zero-copy message passing). This is achieved using Ownership and Reference Counting for Actors (ORCA), a protocol derived from MAC that allows passive objects shared across actor- local heaps to be garbage collected with no stop-the-world step. To validate these ideas, we have written a complete runtime (including a work-stealing scheduler, garbage collector, memory allocator, message queuing, asynchronous I/O, and more) and an ahead-of-time optimising compiler. The language is open source.Open Acces

Reference Counting Deeply Immutable Data Structures with Cycles : An Intellectual Abstract

Immutable data structures are a powerful tool for building concurrent programs. They allow the sharing of data without the need for locks or other synchronisation mechanisms. This makes it much easier to reason about the correctness of the program. In this paper, we focus on what we call deep immutability from freeze, that is, objects are initially mutable, and then can be frozen, and from that point on the object and everything it refers to (transitively) can no longer be mutated. A key challenge with this form of immutability is "how to manage the memory of cyclic data structures?" The standard approach is to use a garbage collector (GC), or a back-up cycle detector. These approaches sacrifice the promptness of memory reclamation, and the determinism of memory usage. In this paper, we argue that memory underlying an immutable data structure can be efficiently managed using reference counting even in the presence of cycles, based on the observation that the cycles are themselves immutable. Our approach takes a classic algorithm for calculating strongly connected components (SCCs) and managing equivalence classes with union-find (UF), and combines them so that the liveness of each SCC can be tracked efficiently using only a single reference counter. The key observation is that since the graph is unchanging, we can calculate the SCCs once, in time that is almost linear in the size of the graph, and then use the result to reference count at the level of the SCCs. This gives precise reachability information, and does not require any backup mechanism to detect or handle cycles

Orca : GC and Type System Co-design for Actor Languages

ORCA is a concurrent and parallel garbage collector for actor programs, which does not require any STW steps, or synchronization mechanisms, and that has been designed to support zero-copy message passing and sharing of mutable data. ORCA is part of a runtime for actor-based languages, which was co-designed with the Pony programming language, and in particular, with its data race free type system. By co-designing an actor language with its runtime, it was possible to exploit certain language properties in order to optimize performance of garbage collection. Namely, ORCA relies on the guarantees of absence of race conditions in order to avoid read/write barriers, and it leverages the actor message passing, for synchronization among actors. In this paper we briefly describe Pony and its type system. We use pseudo-code in order to introduce how ORCA allocates and deallocates objects, how it shares mutable data without requiring barriers upon data mutation, and how can immutability be used to further optimize garbage collection. Moreover, we discuss the advantages of co-designing an actor language with its runtime, and we demonstrate that ORCA can be implemented in a performant and scalable way through a set of micro-benchmarks, including a comparison with other well-known collectors.UPMAR

When Concurrency Matters : Behaviour-Oriented Concurrency

Expressing parallelism and coordination is central for modern concurrent programming. Many mechanisms exist for expressing both parallelism and coordination. However, the design decisions for these two mechanisms are tightly intertwined. We believe that the interdependence of these two mechanisms should be recognised and achieved through a single, powerful primitive. We are not the first to realise this: the prime example is actor model programming, where parallelism arises through fine-grained decomposition of a program’s state into actors that are able to execute independently in parallel. However, actor model programming has a serious pain point: updating multiple actors as a single atomic operation is a challenging task. We address this pain point by introducing a new concurrency paradigm: Behaviour-Oriented Concurrency (BoC). In BoC, we are revisiting the fundamental concept of a behaviour to provide a more transactional concurrency model. BoC enables asynchronously creating atomic and ordered units of work with exclusive access to a collection of independent resources. In this paper, we describe BoC informally in terms of examples, which demonstrate the advantages of exclusive access to several independent resources, as well as the need for ordering. We define it through a formal model. We demonstrate its practicality by implementing a C++ runtime. We argue its applicability through the Savina benchmark suite: benchmarks in this suite can be more compactly represented using BoC in place of Actors, and we observe comparable, if not better, performance