Typing Copyless Message Passing
Viviana Bono, Chiara Messa, Luca Padovani
Dipartimento di Informatica, Università di Torino
BTW 2011
Typing Copyless Message Passing (V. Bono) BTW 2011 1 / 25
Singularity OS: architecture
[figure: Processes (SIPs); Exchange heap (µ); msg queue]
Sing# examples
    void CLIENT() {                 void SERVER(f) {
      (e, f) = open();                a1 = receive(f);
      spawn { SERVER(f) }             a2 = receive(f);
      send(e, v1);                    ...
      send(e, v2);                    send(f, OP(a1, a2));
      res = receive(e);               close(f);
      close(e);                     }
    }
Safety properties
1. no communication errors
2. no memory faults
3. no memory leaks
4. process isolation guaranteed by ownership
Contracts
    contract OP_Service {
      initial state START { Arg! → WAIT_ARG_2 }
      state WAIT_ARG_2 { Arg! → WAIT_RES }
      state WAIT_RES { Res? → END }
      final state END { }
    }
+ recursion
+ branching
Exposing structures
    expose (a) {              expose (b) {
      send(*a, b);              send(a, *b);
    }                           *b = new T();
                              }
+ records with named fields (not in the paper)
Enforcing safety properties
1. no communication errors
2. no memory faults
3. no memory leaks
4. process isolation guaranteed by ownership
LINEAR TYPE SYSTEM!
• too restrictive in some cases
• too permissive in others
Linearity is too restrictive
    void CLIENT() {                 expose (a) {
      (e, f) = open();                send(a, *b);
      spawn { SERVER(f) }             *b = new T();
      send(e, v1);                  }
      send(e, v2);
      res = receive(e);
      close(e);
    }
Linearity is too permissive
    void foo() {
      (e, f) = open();
      send(e, f);
      close(e);
    }
[figure: endpoints e and f, animated over the three statements]
Modeling processes
    open(e, f).( SERVER |           void CLIENT() {
                 e!v1.                (e, f) = open();
                 e!v2.                spawn { SERVER(f) }
                 e?(res).             send(e, v1);
                 free(e).             send(e, v2);
                 0 )                  res = receive(e);
                                      close(e);
                                    }
• channel = peer endpoints
• explicit channel closure
Modeling exposures
    expose(a, x).                   expose (a) {
    x!b.                              send(*a, b);
    unexpose(a, x).                 }
    ...

    expose(b, x).                   expose (b) {
    a!x.                              send(a, *b);
    cell(c).                          *b = new T();
    unexpose(b, c).                 }
    ...
• expose/unexpose ∼ dereferentiation/assignment
• with type effects
Modeling contracts
    contract OP_Service {
      initial state START { Arg! → WAIT_ARG_2 }
      state WAIT_ARG_2 { Arg! → WAIT_RES }
      state WAIT_RES { Res? → END }
      final state END { }
    }
Client/Import:   !Arg.!Arg.?Res.end
Service/Export:  ?Arg.?Arg.!Res.end
Types and endpoint types
    t ::=                  Type
          ∗t               (cell type)
        | ∗•               (exposed cell type)
        | T                (endpoint type)

    T ::=                  Endpoint Type
          end              (termination)
        | X                (variable)
        | !t.T             (output)
        | ?t.T             (input)
        | rec X.T          (recursive type)
Typing message passing
    (T-Open)
        ∆, a : T, b : T̄ ⊢ P
        ------------------------------
        ∆ ⊢ open(a, b).P

    (T-Send)
        ∆, u : T ⊢ P
        ------------------------------
        ∆, u : !t.T, v : t ⊢ u!v.P

    (T-Receive)
        ∆, u : T, x : t ⊢ P
        ------------------------------
        ∆, u : ?t.T ⊢ u?(x).P
Typing exposures
    (T-Expose)
        ∆, u : ∗•, x : t ⊢ P
        ------------------------------
        ∆, u : ∗t ⊢ expose(u, x).P

    (T-Unexpose)
        ∆, u : ∗t ⊢ P
        ------------------------------
        ∆, u : ∗•, v : t ⊢ unexpose(u, v).P
Typing exposures: example
    {a : ∗(!s.T), b : s}          ⊢ expose(a, x).
    {a : ∗•, x : !s.T, b : s}     ⊢ x!b.
    {a : ∗•, x : T}               ⊢ unexpose(a, x).
    {a : ∗T}                      ⊢ ...
Typable leak
    void foo() {              {} ⊢ open(e, f).
      (e, f) = open();        {e : T, f : T̄} ⊢ e!f.
      send(e, f);             {e : end} ⊢ free(e).
      close(e);               {} ⊢ 0
    }
where T = !T̄.end and T̄ = rec X.?X.end
Understanding the problem
“Improper” recursion?
    T = !T̄.end        T̄ = rec X.?X.end
No, the following endpoint types are safe:
    S = rec X.!X.end   S̄ = ?S.end
It’s a matter of “ownership”
Type weight
In summary
• “receive state” = “has type ?T.S”
• only endpoints in “receive state” can have a non-empty queue
Solution
• ‖T‖ = “depth of the queue of an endpoint with type T”
• only endpoint types with finite weight are admitted
    T = !T̄.end         ‖T‖ = 0      T̄ = rec X.?X.end   ‖T̄‖ = ∞
    S = rec X.!X.end   ‖S‖ = 0      S̄ = ?S.end         ‖S̄‖ = 1
On weights and reachability
Proposition. If a : T, b : S and b ∈ reach(a, µ), then ‖S‖ < ‖T‖.
Finite weight ≠ bounded queue:   ‖T‖ = 1 for T = rec X.?int.X
Finite weight ≠ acyclic heap:    ∗(?∗•.end)
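As an added example (not the paper's definition), a weight calculator for endpoint types that rejects T̄ and admits S̄ and rec X.?int.X. The recurrence in the comments is an assumption chosen to agree with the four weights on the previous slide; cell types are not covered.

```python
# Added here for this page (not the paper's definition): the weight ‖T‖ of the
# "Type weight" slide, computed on endpoint types given as tuples ('end',)
# ('out', t, T) ('in', t, T) ('rec', X, T) ('var', X), plus ('int',) of weight 0.
# Assumed recurrence, chosen to agree with the slide's four examples:
#   ‖end‖ = ‖!t.T‖ = 0            an endpoint in send state has an empty queue
#   ‖?t.T‖ = max(1 + ‖t‖, ‖T‖)    a queued t sits one level down; T may queue more later
#   ‖rec X.T‖ = least fixpoint of the body, INF when the body never stabilises
#   (that happens exactly when X occurs inside a message type under its own ?)
INF = float('inf')

def weight(T, env=None):
    env = env or {}                       # rec variable -> weight assumed so far
    tag = T[0]
    if tag in ('end', 'out', 'int'):
        return 0
    if tag == 'var':
        return env[T[1]]
    if tag == 'in':
        return max(1 + weight(T[1], env), weight(T[2], env))
    if tag == 'rec':
        X, body, w = T[1], T[2], 0
        for _ in range(4):                # X in continuation position stabilises in two rounds;
            nxt = weight(body, {**env, X: w})   # X nested under a ? grows by at least 1 per round
            if nxt == w:
                return w
            w = nxt
        return INF
    raise ValueError(f'not an endpoint type: {T}')

def admissible(T):
    return weight(T) != INF               # only finite-weight endpoint types are admitted

# The slide's four types, constructed here
T_BAR = ('rec', 'X', ('in', ('var', 'X'), ('end',)))       # T̄ = rec X.?X.end
T = ('out', T_BAR, ('end',))                               # T  = !T̄.end
S = ('rec', 'X', ('out', ('var', 'X'), ('end',)))          # S  = rec X.!X.end
S_BAR = ('in', S, ('end',))                                # S̄ = ?S.end
INT_STREAM = ('rec', 'X', ('in', ('int',), ('var', 'X')))  # rec X.?int.X: weight 1, unbounded queue
```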