RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from http://www.cs.washington.edu/homes/djg/slides/grossman_cyclone_jpl_05.ppt below:

ÐÏà¡±á��>��þÿ ��Þ��5��þÿÿÿ��Ü��Ý��ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ�èÎ��é(��à��8��Ø�� òú��/�È ��0�Ò��Õ0��·D��T�i�m�e�s� �N�e�w� �R�o�m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0��·D��A�r�i�a�l��N�e�w� �R�o�m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0�" �·D��C�o�u�r�i�e�r� �N�e�w��m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0�10�·D��W�i�n�g�d�i�n�g�s��w��m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0��¤ ��`��ÿÿÿÿ��¥ ��.��© �� @�£n��ÿý?��" ��d��d��@��ÿÿï��ÿÿÿÿÿÿ�� @@��``�� ðü��ð��@��~��6��/�� /��7��Z��M��)��@��2��8��0��c�� /��/��2�� 0��/��,��+��*��)��(��$��3��'��)��&��%�� :��4��"��$��3��#��!��.��2��-�� ð0��A��¿��À��ÅA��ÿ��p�ñ��ÿ3��Ìf�Ì�f�ÿÿ�ÿf�ÿ��@�ñ��÷��ð8��ó��ó��ÐÑ��ððn�Ê;Ç�Ê;��úg��þ��ý4��X��d��X��d��ì 0��¨Õ��ÿÿÿ¦ÿÿÿ��p�û��p��p�û��@��<��ý4��!��d��!��d��® 0dÙ��ªÑ��<��ý4��d��d��d��d��® 0dÙ��ªÑ��<��ý4��B��d��B��d��® 0dÙ��ªÑ��ÿ�� N��0��º��_�_�_�P�P�T�1�0�� À��À��º��_�_�_�P�P�T�9��ð��®è��¯��¬`��ÿÿ��ÿÿ��ÿÿ��¯��¬X��ÿÿ��?�Ùd��Ú��-��º��1�1� �J�a�n�u�a�r�y� �2�0�0�5� �º*��D�a�n� �G�r�o�s�s�m�a�n�:� �C�y�c�l�o�n�e�O�Ù ��Ú��=��ðßz��ó��¨4��Cyclone: A Memory-Safe C-Level Programming Language ��¡"��5��3�� Ì�fþ��¨¬��Dan Grossman University of Washington Joint work with: Trevor Jim AT&T Research Greg Morrisett Harvard University Michael Hicks University of Maryland��¡:��'��(��&��Ì�fþ��ó��Â��¨��A safe C-level language��¨ �� Cyclone is a programming language and compiler aimed at safe systems programming C is not memory safe: void f(int* p, int i, int v) { p[i] = v; } Address p+i might hold important data or code Memory safety is crucial for reasoning about programs ��¡��S��9��h��:��ÿ3�þ��ÿ3�þ�� þ��þ��þ��þ�� $�� 6��ó��Ã�� "��C�a�l�l�e�r� s� �p�r�o�b�l�e�m�?��ª��¨Ã�� void g(void**, void*); int y = 0; int *z = &y; g(&z,0xBAD); *z = 123; Might be safe, but not if g does *x=y Type of g enough for code generation Type of g not enough for safety checking��¡$��N�� v�� þ��þ ��þ!��%��ª>�� s��&�� ó��ë��'��¨��Safe low-level systems��¨8��For a safety guarantee today, use YFHLL Your Favorite High Level Language YFHLL provides safety in part via: hidden data fields and run-time checks automatic memory management Data representation and resource management are essential aspects of low-level systems There are strong reasons for C-like languages��¡��(��#��#��D��$��Y��.��(��Ì�fþ��Ì�fþ��Ì�fþ��Ì�fþ��Ì�fþ��#��ÿ3�þ!�� ÿ3�þ��0�� ÿ3�þ��-��ó��ì��(��¨��Some insufficient approaches�� ®��C�o�m�p�i�l�e� �C� �w�i�t�h� �e�x�t�r�a� �i�n�f�o�r�m�a�t�i�o�n� �t�y�p�e� �f�i�e�l�d�s�,� �s�i�z�e� �f�i�e�l�d�s�,� �l�i�v�e�-�p�o�i�n�t�e�r� �t�a�b�l�e�,� �& �t�r�e�a�t�s� �C� �a�s� �a� �h�i�g�h�e�r�-�l�e�v�e�l� �l�a�n�g�u�a�g�e� � �U�s�e� �s�t�a�t�i�c� �a�n�a�l�y�s�i�s� �v�e�r�y� �d�i�f�f�i�c�u�l�t� �l�e�s�s� �m�o�d�u�l�a�r� � �B�a�n� �u�n�s�a�f�e� �f�e�a�t�u�r�e�s� �t�h�e�r�e� �a�r�e� �m�a�n�y� �y�o�u� �n�e�e�d� �t�h�e�m��¡��!��U��!��T�� ó��Ç��¨��Cyclone in brief�� *��A� �s�a�f�e�,� �c�o�n�v�e�n�i�e�n�t�,� �a�n�d� �m�o�d�e�r�n� �l�a�n�g�u�a�g�e� � �a�t� �t�h�e� �C� �l�e�v�e�l� �o�f� �a�b�s�t�r�a�c�t�i�o�n� �S�a�f�e�:� �m�e�m�o�r�y� �s�a�f�e�t�y�,� �a�b�s�t�r�a�c�t� �t�y�p�e�s�,� �n�o� �c�o�r�e� �d�u�m�p�s� � �C�-�l�e�v�e�l�:� �u�s�e�r�-�c�o�n�t�r�o�l�l�e�d� �d�a�t�a� �r�e�p�r�e�s�e�n�t�a�t�i�o�n� �a�n�d� �r�e�s�o�u�r�c�e� �m�a�n�a�g�e�m�e�n�t�,� �e�a�s�y� �i�n�t�e�r�o�p�e�r�a�b�i�l�i�t�y�,� � m�a�n�i�f�e�s�t� �c�o�s�t� � �C�o�n�v�e�n�i�e�n�t�:� �m�a�y� �n�e�e�d� �m�o�r�e� �t�y�p�e� �a�n�n�o�t�a�t�i�o�n�s�,� �b�u�t� �w�o�r�k� �h�a�r�d� �t�o� �a�v�o�i�d� �i�t� � �M�o�d�e�r�n�:� �a�d�d� �f�e�a�t�u�r�e�s� �t�o� �c�a�p�t�u�r�e� �c�o�m�m�o�n� �i�d�i�o�m�s� � � N�e�w� �c�o�d�e� �f�o�r� �l�e�g�a�c�y� �o�r� �i�n�h�e�r�e�n�t�l�y� �l�o�w�-�l�e�v�e�l� �s�y�s�t�e�m�s� ��¡ô��G��Z��Z�6��Z��Z�F��ÿ��þ��ÿ��þ��.�� e�� ;�� '��6��ó��È��¨��The plan from here�� ê��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �B�e�n�c�h�m�a�r�k�s�,� �p�o�r�t�s�,� �s�y�s�t�e�m�s�,� �c�o�m�p�i�l�e�r�,� �& �A�l�l� �o�n� �E�a�r�t�h� �s�o� �f�a�r� �Jð �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� � �R�e�a�l�l�y� � j�u�s�t� �a� �t�a�s�t�e� �o�f� �C�y�c�l�o�n�e��¡Â��Z�>��Z�)��Z�(��Z�-��Z�"��Z��<�� (��-��"��ó��É��¨��Status�� ®�� C�y�c�l�o�n�e� �r�e�a�l�l�y� �e�x�i�s�t�s� �(�e�x�c�e�p�t� �m�e�m�o�r�y�-�s�a�f�e� �t�h�r�e�a�d�s�)� � �>�1�5�0�K� �l�i�n�e�s� �o�f� �C�y�c�l�o�n�e� �c�o�d�e�,� �i�n�c�l�u�d�i�n�g� �t�h�e� �c�o�m�p�i�l�e�r� � �g�c�c� �b�a�c�k�-�e�n�d� �(�L�i�n�u�x�,� �C�y�g�w�i�n�,� �O�S�X�,� �M�i�n�d�s�t�o�r�m�,� �& )� � �U�s�e�r� s� �m�a�n�u�a�l�,� �m�a�i�l�i�n�g� �l�i�s�t�s�,� �& � �S�t�i�l�l� �a� �r�e�s�e�a�r�c�h� �v�e�h�i�c�l�e� � � ��¡À��4��¢��3��4�� 0�� ª�� ?��ó��Ê��¨ ��Evaluation��¨æ�� Is Cyclone like C? port code, measure source differences interface with C code (extend systems) What is the performance cost? port code, measure slowdown Is Cyclone good for low-level systems? write systems, ensure scalability ��¡Ê��" ��N��" ��'��" ��"��N�� '��"��ó��Ë�� ¨��Code differences��¨��Porting not automatic, but quite similar Many changes identify arrays and lengths Some changes incidental (absent prototypes, new keywords)��¡��ó��Ì�� ¨��Run-time performance��¨Ð��RHLinux 7.1 (2.4.9), 1.0GHz PIII, 512MRAM, gcc2.96 -O3, glibc 2.2.4 Comparable to other safe languages to start C level provides important optimization opportunities Understanding the applications could help��¡L��E��D��,��6��*��ó��Í��¨��Larger program: the compiler��¨Ö�� Scalable compiler + libraries (80K lines) build in < 30secs Generic libraries (e.g., lists, hashtables) clients have no syntactic/performance cost Static safety helps exploit the C-level I use &x more than in C ��¡¼�� 4��,��,��(�� 3�� ,��+�� (�� ó��Î�� ¨��Other projects��¨o��Open Kernel Environment [Bos/Samwel, OPENARCH 02] MediaNet [Hicks et al, OPENARCH 03]: RBClick [Patel/Lepreau, OPENARCH 03] STP [Patel et al., SOSP 03] FPGA synthesis [Teifel/Manohar, ISACS 04] Maryland undergrad O/S course (geekOS) [2004] Windows device driver (6K lines) Only 100 lines left in C But unrecoverable failures & other kernel corruptions remain ��¡��P�W��P��P�� '�� !��W��ªt�� =��,��ó��Ò��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡z��A��(��-��(��-��ó��Ó��¨��Not-null pointers��ª ��ó��Ô��¨��Example�� Ì��F�I�L�E�*� �f�o�p�e�n�(�c�o�n�s�t� �c�h�a�r�@�,� �c�o�n�s�t� �c�h�a�r�@�)�;� �i�n�t� �f�g�e�t�c�(�F�I�L�E�@�)�;� �i�n�t� �f�c�l�o�s�e�(�F�I�L�E�@�)�;� �v�o�i�d� �g�(�)� �{� � � �F�I�L�E�*� �f� �=� �f�o�p�e�n�(� f�o�o� ,� � r� )�;� � � �w�h�i�l�e�(�f�g�e�t�c�(�f�)� �!�=� �E�O�F�)� �{�& }� � � �f�c�l�o�s�e�(�f�)�;� �}� � �G�i�v�e�s� �w�a�r�n�i�n�g� �a�n�d� �i�n�s�e�r�t�s� �o�n�e� �n�u�l�l�-�c�h�e�c�k� �E�n�c�o�u�r�a�g�e�s� �a� �h�o�i�s�t�e�d� �c�h�e�c�k��¡Ü��¢��Z�E��Z��þ ��þ ��þ��þ ��þB��D��ªP�� z��ó��Õ��¨��A classic moral��¨L��FILE* fopen(const char@, const char@); int fgetc(FILE@); int fclose(FILE@); ��¡��M��þ ��þ ��þ �� ª,��1�� ó��Ö��!��¨��Key Design Principles in Action��¨S��Use types to express invariants Preconditions for arguments Properties of values in memory Use flow analysis where helpful Lets users control explicit checks Soundness + aliasing limits usefulness Users control data representation Pointers are addresses unless user allows otherwise Often can interoperate with C more safely just via types��¡°�� Z�;��Z� ��Z�J��Z�"��Z�4��Z�9��Z� ��;�� #��'��"��4��9��ó��ò��.�� (��I�t� s� �a�l�w�a�y�s� �a�l�i�a�s�i�n�g��¨¿��But can avoid checks when compiler knows all aliases. Can know by: Types: precondition checked at call site Flow: new objects start unaliased Else user should use a temporary (the safe thing)��¡ ��C��}��À��ª�� 3��ó��ó��/�� (��I�t� s� �a�l�w�a�y�s� �a�l�i�a�s�i�n�g��¨¿��But can avoid checks when compiler knows all aliases. Can know by: Types: precondition checked at call site Flow: new objects start unaliased Else user should use a temporary (the safe thing)��¡ ��C��}��À��ª�� 3��ó��ñ��-��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡p��A��(��-��*��(��-��ó��Ø�� (�� C�h�a�n�g�e� �v�o�i�d�*� �t�o� �`�a� ��¡:��¨��struct Lst { void* hd; struct Lst* tl; }; struct Lst* map( void* f(void*), struct Lst*); struct Lst* append( struct Lst*, struct Lst*);��¡\�� ;��þ1��þ!��ó��Ù��¨��Not much new here��¨��Closer to C than C++, Java generics, ML, etc. Unlike functional languages, data representation may restrict `a to pointers, int why not structs? why not float? why int? Unlike templates, no code duplication or leaking implementations Unlike objects, no need to tag data��¡Ú��/��S��)��f��/��"��N��"��c��"��"��c��"��c��"�� "�� f��"��ª��¦��i��ó��Ú��¨��Existential types�� P�r�o�g�r�a�m�s� �n�e�e�d� �a� �w�a�y� �f�o�r� � c�a�l�l�-�b�a�c�k� �t�y�p�e�s�:� � � � � � �s�t�r�u�c�t� �T� �{� � � � � � �v�o�i�d� �(�*�f�)�(�v�o�i�d�*�,� �i�n�t�)�;� � � � � � �v�o�i�d�*� �e�n�v�;� � � �}�;� � �W�e� �u�s�e� �a�n� �e�x�i�s�t�e�n�t�i�a�l� �t�y�p�e� �(�s�i�m�p�l�i�f�i�e�d�)�:� � � � � � � �s�t�r�u�c�t� �T� �{� �<�`�a�>� � � � � � �v�o�i�d� �(�@�f�)�(�`�a�,� �i�n�t�)�;� � � � � � �`�a� �e�n�v�;� � � �}�;� � �m�o�r�e� �C�-�l�e�v�e�l� �t�h�a�n� �b�a�k�e�d�-�i�n� �c�l�o�s�u�r�e�s�/�o�b�j�e�c�t�s� ��¡��+��Z�A��0��Z��Z�*��Z�A��0��Z��,��8��Z��Z�+��>��"�� ÿ��þ��g��ÿ��þ��G��ÿ��þ��g��ÿ3�þ ��g��ÿ3�þ��,�� "��ó��Û��¨��Regions�� a�.�k�.�a�.� �z�o�n�e�s�,� �a�r�e�n�a�s�,� �& � �E�v�e�r�y� �o�b�j�e�c�t� �i�s� �i�n� �e�x�a�c�t�l�y� �o�n�e� �r�e�g�i�o�n� � �A�l�l�o�c�a�t�i�o�n� �v�i�a� �a� �r�e�g�i�o�n� �h�a�n�d�l�e� � �D�e�a�l�l�o�c�a�t�e� �a�n� �e�n�t�i�r�e� �r�e�g�i�o�n� � �s�i�m�u�l�t�a�n�e�o�u�s�l�y� � � �(�c�a�n�n�o�t� �f�r�e�e� �a�n� �o�b�j�e�c�t�)� � �O�l�d� �i�d�e�a� �w�i�t�h� �r�e�c�e�n�t� �s�u�p�p�o�r�t� �i�n� �l�a�n�g�u�a�g�e�s� �(�e�.�g�.�,� �R�C�,� �R�T�S�J�)� � �a�n�d� �i�m�p�l�e�m�e�n�t�a�t�i�o�n�s� �(�e�.�g�.�,� �M�L� �K�i�t�)��¡²��|��Z�*��Z��Z�_��Z��&��7�� _��ª>��`��F��.�� %��ó��Ü��¨��Cyclone regions [PLDI 02]��¡�� h�e�a�p� �r�e�g�i�o�n�:� �o�n�e�,� �l�i�v�e�s� �f�o�r�e�v�e�r�,� �c�o�n�s�e�r�v�a�t�i�v�e�l�y� �G�C� d� �s�t�a�c�k� �r�e�g�i�o�n�s�:� �c�o�r�r�e�s�p�o�n�d� �t�o� �l�o�c�a�l�-�d�e�c�l�a�r�a�t�i�o�n� �b�l�o�c�k�s�:� � �{�i�n�t� �x�;� �i�n�t� �y�;� �s�}� �g�r�o�w�a�b�l�e� �r�e�g�i�o�n�s�:� �s�c�o�p�e�d� �l�i�f�e�t�i�m�e�,� �b�u�t� �g�r�o�w�a�b�l�e�:� � � � �{�r�e�g�i�o�n� �r�;� �s�}� � �a�l�l�o�c�a�t�i�o�n� �r�o�u�t�i�n�e�s� �t�a�k�e� �a� �r�e�g�i�o�n� �h�a�n�d�l�e� � �h�a�n�d�l�e�s� �a�r�e� �f�i�r�s�t�-�c�l�a�s�s� �c�a�l�l�e�r� �d�e�c�i�d�e�s� �w�h�e�r�e�,� �c�a�l�l�e�e� �d�e�c�i�d�e�s� �h�o�w� �m�u�c�h� �n�o� �h�a�n�d�l�e�s� �f�o�r� �s�t�a�c�k� �r�e�g�i�o�n�s��¡��m��4��B�� K�� (��*��þ��þ��#��þ��"��.��ÿ3�þ��ªb��,��1��\��ó��Ý�� (��T�h�a�t� s� �t�h�e� �e�a�s�y� �p�a�r�t��¨c��The implementation is really simple because the type system statically prevents dangling pointers ��¡h��d�� ÿ��þ��ó��Þ��¨��The big restriction�� Î��A�n�n�o�t�a�t�e� �a�l�l� �p�o�i�n�t�e�r� �t�y�p�e�s� �w�i�t�h� �a� �r�e�g�i�o�n� �n�a�m�e� �(�a� �t�y�p�e� �v�a�r�i�a�b�l�e� �o�f� �r�e�g�i�o�n� �k�i�n�d�)� � �i�n�t�@�`�r� �m�e�a�n�s� � p�o�i�n�t�e�r� �i�n�t�o� �t�h�e� �r�e�g�i�o�n� �c�r�e�a�t�e�d� �b�y� �t�h�e� �c�o�n�s�t�r�u�c�t� �t�h�a�t� �i�n�t�r�o�d�u�c�e�s� �`�r� �h�e�a�p� �i�n�t�r�o�d�u�c�e�s� �`�H� � �L�:�& �i�n�t�r�o�d�u�c�e�s� �`�L� �{�r�e�g�i�o�n� �r�;� �s�}� �i�n�t�r�o�d�u�c�e�s� �`�r� � �r� �h�a�s� �t�y�p�e� �r�e�g�i�o�n�_�t�<�`�r�>� � �c�o�m�p�i�l�e�-�t�i�m�e� �c�h�e�c�k�:� �o�n�l�y� �l�i�v�e� �r�e�g�i�o�n�s� �a�r�e� �a�c�c�e�s�s�e�d� �b�y� �d�e�f�a�u�l�t�,� �f�u�n�c�t�i�o�n� �a�r�g�u�m�e�n�t�s� �p�o�i�n�t� �t�o� �l�i�v�e� �r�e�g�i�o�n�s� ��¡��P��S��$��B��²�� 3��5��"��"�� G��g��I��"��c��"��b��c��"��c�� "��c��g��þ��c�� "��c��"�� "�� c� �� "�� c� �� c� �� 3��b��5��b��c��ªP��¡��'��'��j��ó��ß��¨��Region polymorphism�� ø��A�p�p�l�y� �w�h�a�t� �w�e� �d�i�d� �f�o�r� �t�y�p�e� �v�a�r�i�a�b�l�e�s� �t�o� �r�e�g�i�o�n� �n�a�m�e�s� �(�o�n�l�y� �i�t� s� �m�o�r�e� �i�m�p�o�r�t�a�n�t� �a�n�d� �c�o�u�l�d� �b�e� �m�o�r�e� �o�n�e�r�o�u�s�)� � �v�o�i�d� �s�w�a�p�(�i�n�t� �@�`�r�1� �x�,� �i�n�t� �@�`�r�2� �y�)�{� � � �i�n�t� �t�m�p� �=� �*�x�;� � � �*�x� �=� �*�y�;� � � �*�y� �=� �t�m�p�;� �}� � �i�n�t�@�`�r� �s�u�m�p�t�r�(�r�e�g�i�o�n�_�t�<�`�r�>� �r�,�i�n�t� �x�,�i�n�t� �y�)�{� � � �r�e�t�u�r�n� �r�n�e�w�(�r�)� �(�x�+�y�)�;� �}��¡B��k��M�� E��k��C��G��þ��C��g��c��g��þ��c��g��c��g��þ ��c��g��þ ��c��C��C�� g� ��ÿ��þ�� c� �� g� ��þ �� c� �� g� ��ÿ��þ�� c� �� g� ��þ�� c� �� g� ��þ�� c� �� g� ��þ�� c� ��ª,��Ó��ó��à��¨��Type definitions��¨K��struct ILst<`r1,`r2> { int@`r1 hd; struct ILst<`r1,`r2> *`r2 tl; }; ��¡ ��L�� C��g��ÿ��þ��C�� g� ��ÿ��þ��C��g��ÿ��þ��C��g��ÿ��þ�� C� ��$g�$��ÿ��þ��(C�(��,g�,��ÿ��þ ��0C�0��0��0��ó��á�� ¨��Region subtyping�� Ò��I�f� �p� �p�o�i�n�t�s� �t�o� �a�n� �i�n�t� �i�n� �a� �r�e�g�i�o�n� �w�i�t�h� �n�a�m�e� �`�r�1�,� �i�s� �i�t� �e�v�e�r� �s�o�u�n�d� �t�o� �g�i�v�e� �p� �t�y�p�e� �i�n�t�*�`�r�2�?� � �I�f� �s�o�,� �l�e�t� � �i�n�t�*�`�r�1� �<� �i�n�t�*�`�r�2� � �R�e�g�i�o�n� �s�u�b�t�y�p�i�n�g� �i�s� �t�h�e� �o�u�t�l�i�v�e�s� �r�e�l�a�t�i�o�n�s�h�i�p� � � �{�r�e�g�i�o�n� �r�1�;� �& �{�r�e�g�i�o�n� �r�2�;� �& }� �& �}� � �L�I�F�O� �m�a�k�e�s� �s�u�b�t�y�p�i�n�g� �c�o�m�m�o�n� � ��¡$��[��M��!��g��ÿ��þ�� g� ��ÿ��þ�� C��g��ÿ��þ��o��ÿ��þçÿ��G��C��g��ÿ��þ��n��ÿ��þçÿ��o��ÿ��þçÿ�� B�� F�� B�� $�� C� �� B�� C� �� ª>��ª�� ó��â��"��¨��Regions evaluation��ª�� Æ��L�I�F�O� �r�e�g�i�o�n�s� �g�o�o�d� �f�o�r� �s�o�m�e� �i�d�i�o�m�s� �a�w�k�w�a�r�d� �i�n� �C� �R�e�g�i�o�n�s� �g�e�n�e�r�a�l�i�z�e� �s�t�a�c�k� �v�a�r�i�a�b�l�e�s� �a�n�d� �t�h�e� �h�e�a�p� �D�e�f�a�u�l�t�s� �a�n�d� �i�n�f�e�r�e�n�c�e� �m�a�k�e� �i�t� �s�u�r�p�r�i�s�i�n�g�l�y� �p�a�l�a�t�a�b�l�e� �W�o�r�s�t� �p�a�r�t�:� �d�e�f�i�n�i�n�g� �r�e�g�i�o�n�-�a�l�l�o�c�a�t�e�d� �d�a�t�a� �s�t�r�u�c�t�u�r�e�s� �C�y�c�l�o�n�e� �a�c�t�u�a�l�l�y� �h�a�s� �m�u�c�h� �m�o�r�e� �[�I�S�M�M� �0�4�]� �N�o�n�-�L�I�F�O� �r�e�g�i�o�n�s� � U�n�i�q�u�e� �p�o�i�n�t�e�r�s� �E�x�p�l�i�c�i�t�l�y� �r�e�f�e�r�e�n�c�e�-�c�o�u�n�t�e�d� �p�o�i�n�t�e�r�s� �A� � u�n�i�f�i�e�d� �s�y�s�t�e�m� ,� �n�o�t� �n� �s�u�b�l�a�n�g�a�g�e�s� ��¡��/��x�f��6��)��p��/��f��6�� a�� ª��W��ó��ã��#��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡p��A��(��-��A��(�� ó��ä��$��¨��Other safety holes�� J��A�r�r�a�y�s� �(�w�h�a�t� �o�r� �w�h�e�r�e� �i�s� �t�h�e� �s�i�z�e�)� �O�p�t�i�o�n�s�:� �d�y�n�a�m�i�c� �b�o�u�n�d�,� �i�n� �a� �f�i�e�l�d�/�v�a�r�i�a�b�l�e�,� �c�o�m�p�i�l�e�-�t�i�m�e� �b�o�u�n�d�,� �s�p�e�c�i�a�l� �s�t�r�i�n�g� �s�u�p�p�o�r�t� �T�h�r�e�a�d�s� �(�a�v�o�i�d�i�n�g� �r�a�c�e�s�)� �v�a�p�o�r�w�a�r�e� �t�y�p�e� �s�y�s�t�e�m� �t�o� �e�n�f�o�r�c�e� �l�o�c�k�-�b�a�s�e�d� �m�u�t�u�a�l� �e�x�c�l�u�s�i�o�n� �C�a�s�t�s� �A�l�l�o�w� �o�n�l�y� � u�p� �c�a�s�t�s� �a�n�d� �c�a�s�t�s� �t�o� �n�u�m�b�e�r�s� �U�n�i�o�n�s� �C�h�e�c�k�e�d� �t�a�g�s� �o�r� �b�i�t�s�-�o�n�l�y� �f�i�e�l�d�s� �U�n�i�n�i�t�i�a�l�i�z�e�d� �d�a�t�a� �F�l�o�w� �a�n�a�l�y�s�i�s� �(�s�a�f�e�r� �a�n�d� �e�a�s�i�e�r� �t�h�a�n� �d�e�f�a�u�l�t� �i�n�i�t�i�a�l�i�z�e�r�s�)� �V�a�r�a�r�g�s� �(�s�a�f�e� �v�i�a� �c�h�a�n�g�e�d� �c�a�l�l�i�n�g� �c�o�n�v�e�n�t�i�o�n�)��¡î��#��X��=��+��!��;��.��#��X��=��+�� !�� ;��.��ª>�� A��'��ó��å��%��¨��And modern conveniences�� æ��3�0� �y�e�a�r�s� �a�f�t�e�r� �C�,� �s�o�m�e� �t�h�i�n�g�s� �a�r�e� �w�o�r�t�h� �a�d�d�i�n�g�& � �T�a�g�g�e�d� �u�n�i�o�n�s� �a�n�d� �p�a�t�t�e�r�n� �m�a�t�c�h�i�n�g� �o�n� �t�h�e�m� �I�n�t�r�a�p�r�o�c�e�d�u�r�a�l� �t�y�p�e� �i�n�f�e�r�e�n�c�e� �T�u�p�l�e�s� �(�l�i�k�e� �a�n�o�n�y�m�o�u�s� �s�t�r�u�c�t�s�)� �E�x�c�e�p�t�i�o�n�s� �S�t�r�u�c�t� �a�n�d� �a�r�r�a�y� �i�n�i�t�i�a�l�i�z�e�r�s� �N�a�m�e�s�p�a�c�e�s� �n�e�w� �f�o�r� �a�l�l�o�c�a�t�i�o�n� �+� �i�n�i�t�i�a�l�i�z�a�t�i�o�n� ��¡Z��0��x�Ã��0�� "��ª>��{�� H��ó��ê��&��¨��Plenty of work remains��¨Ó��Common limitations: Aliasing Arithmetic Unportable assumptions (But interoperating with C is much simpler than in a HLL) Big challenge for next generation: guarantees beyond fail-safe (i.e., graceful abort)��¡X��,��:��Y��^��r��ª��(�� ¢��ó��Ï��¨��Related work: making C safer�� Ê��C�o�m�p�i�l�e� �t�o� �m�a�k�e� �d�y�n�a�m�i�c� �c�h�e�c�k�s� �p�o�s�s�i�b�l�e� �S�a�f�e�-�C� �[�A�u�s�t�i�n� �e�t� �a�l�.�]�,� �R�T�C� �[�Y�o�n�g�/�H�o�r�w�i�t�z�]�,� �.�.�.� �P�u�r�i�f�y�,� �S�t�a�c�k�g�u�a�r�d�,� �E�l�e�c�t�r�i�c� �F�e�n�c�e�,� �& �C�C�u�r�e�d� �[�N�e�c�u�l�a� �e�t� �a�l�.�]� �p�e�r�f�o�r�m�a�n�c�e� �v�i�a� �w�h�o�l�e�-�p�r�o�g�r�a�m� �a�n�a�l�y�s�i�s� �l�e�s�s� �u�s�e�r� �b�u�r�d�e�n� �l�e�s�s� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t�,� �s�i�n�g�l�e�-�t�h�r�e�a�d�e�d� � �C�o�n�t�r�o�l�-�C� �[�A�d�v�e� �e�t� �a�l�.�]� �w�e�a�k�e�r� �g�u�a�r�a�n�t�y�,� �l�e�s�s� �b�u�r�d�e�n� � �S�F�I� �[�W�a�h�b�e�,� �S�m�a�l�l�,� �.�.�.�]�:� �s�a�n�d�b�o�x�i�n�g� �v�i�a� �b�i�n�a�r�y� �r�e�w�r�i�t�i�n�g� ��¡ð��(��Z�m��Z�`��Z�p��Z��Z�(��1��`�� #�� ª>��@��a��ó��í��*��¨��Related Work: Checking C code�� f��M�o�d�e�l�-�c�h�e�c�k�i�n�g� �C� �c�o�d�e� �(�S�L�A�M�,� �B�L�A�S�T�,� �& )� �L�e�v�e�r�a�g�e�s� �s�c�a�l�a�b�i�l�i�t�y� �o�f� �M�C� �K�e�y� �i�s� �a�u�t�o�m�a�t�i�c� �b�u�i�l�d�i�n�g� �a�n�d� �r�e�f�i�n�i�n�g� �o�f� �m�o�d�e�l� �T�h�e�y� �a�s�s�u�m�e� �(�w�e�a�k�)� �m�e�m�o�r�y� �s�a�f�e�t�y� �L�i�n�t�-�l�i�k�e� �t�o�o�l�s� �(�S�p�l�i�n�t�,� �M�e�t�a�l�,� �P�r�e�F�I�X�,� �& )� �G�o�o�d� �a�t� �r�e�d�u�c�i�n�g� �f�a�l�s�e� �p�o�s�i�t�i�v�e�s� �C�a�n�n�o�t� �e�n�s�u�r�e� �a�b�s�e�n�c�e� �o�f� �b�u�g�s� �M�e�t�a�l� �p�a�r�t�i�c�u�l�a�r�l�y� �g�o�o�d� �f�o�r� �u�s�e�r�-�d�e�f�i�n�e�d� �c�h�e�c�k�s� �C�q�u�a�l� �(�u�s�e�r�-�d�e�f�i�n�e�d� �q�u�a�l�i�f�i�e�r�s�,� �l�o�t�s� �o�f� �i�n�f�e�r�e�n�c�e�)� �B�e�t�t�e�r� �f�o�r� �u�n�c�h�a�n�g�e�a�b�l�e� �c�o�d�e� �o�r� �u�s�e�r�-�d�e�f�i�n�e�d� �c�h�e�c�k�s� � �(�i�.�e�.�,� �t�h�e�y� r�e� �c�o�m�p�l�e�m�e�n�t�a�r�y�)��¡Â��'��m��+��o��3��S��'��Q��+��!��H��2�� S��ª,��´��t��ó��ð��,��¨��Related work: higher and lower�� ¸��A�d�a�p�t�e�d�/�e�x�t�e�n�d�e�d� �i�d�e�a�s�:� �p�o�l�y�m�o�r�p�h�i�s�m� �[�M�L�,� �H�a�s�k�e�l�l�,� �& ]� �r�e�g�i�o�n�s� �[�T�o�f�t�e�/�T�a�l�p�i�n�,� �W�a�l�k�e�r� �e�t� �a�l�.�,� �& ]� �s�a�f�e�t�y� �v�i�a� �d�a�t�a�f�l�o�w� �[�J�a�v�a�,� �& ]� �e�x�i�s�t�e�n�t�i�a�l� �t�y�p�e�s� �[�M�i�t�c�h�e�l�l�/�P�l�o�t�k�i�n�,� �& ]� �c�o�n�t�r�o�l�l�i�n�g� �d�a�t�a� �r�e�p�r�e�s�e�n�t�a�t�i�o�n� �[�A�d�a�,� �M�o�d�u�l�a�-�3�,� �& ]� � �S�a�f�e� �l�o�w�e�r�-�l�e�v�e�l� �l�a�n�g�u�a�g�e�s� �[�T�A�L�,� �P�C�C�,� �& ]� �e�n�g�i�n�e�e�r�e�d� �f�o�r� �m�a�c�h�i�n�e�-�g�e�n�e�r�a�t�e�d� �c�o�d�e� � �V�a�u�l�t�:� �s�t�r�o�n�g�e�r� �p�r�o�p�e�r�t�i�e�s� �v�i�a� �r�e�s�t�r�i�c�t�e�d� �a�l�i�a�s�i�n�g� ��¡��Á��)��'��4��À��)��&��4��ó��Ñ��¨��Summary�� ò��C�y�c�l�o�n�e�:� �a� �s�a�f�e� �l�a�n�g�u�a�g�e� �a�t� �t�h�e� �C�-�l�e�v�e�l� �o�f� �a�b�s�t�r�a�c�t�i�o�n� � �S�y�n�e�r�g�i�s�t�i�c� �c�o�m�b�i�n�a�t�i�o�n� �o�f� �t�y�p�e�s�,� �f�l�o�w� �a�n�a�l�y�s�i�s�,� �a�n�d� �r�u�n�-�t�i�m�e� �c�h�e�c�k�s� � �A� �r�e�a�l� �c�o�m�p�i�l�e�r� �a�n�d� �p�r�o�t�o�t�y�p�e� �a�p�p�l�i�c�a�t�i�o�n�s� � �P�r�o�p�e�r�t�i�e�s� �l�i�k�e� � n�o�t� �N�U�L�L� ,� � h�a�s� �l�o�n�g�e�r� �l�i�f�e�t�i�m�e� ,� � h�a�s� �a�r�r�a�y� �l�e�n�g�t�h� & �n�o�w� �i�n� �t�h�e� �l�a�n�g�u�a�g�e� �a�n�d� �c�h�e�c�k�e�d� � �E�a�s�y� �i�n�t�e�r�o�p�e�r�a�b�i�l�i�t�y� �w�i�t�h� �C� �a�l�l�o�w� �s�m�o�o�t�h� �a�n�d� �i�n�c�r�e�m�e�n�t�a�l� �m�o�v�e� �t�o�w�a�r�d� �m�e�m�o�r�y� �s�a�f�e�t�y� � �i�n� �t�h�e�o�r�y� �a�t� �l�e�a�s�t��¡z��g��7�� E�� +�� g�� U��ó��î��)��¨ ��Availability�� L�i�k�e� �a�n�y� �l�a�n�g�u�a�g�e�,� �y�o�u� �h�a�v�e� �t�o� � k�i�c�k� �t�h�e� �t�i�r�e�s� :� �w�w�w�.�r�e�s�e�a�r�c�h�.�a�t�t�.�c�o�m�/�p�r�o�j�e�c�t�s�/�c�y�c�l�o�n�e� � �A�l�s�o� �s�e�e�:� �J�a�n�.� �2�0�0�5� �C�/�C�+�+� �U�s�e�r� s� �J�o�u�r�n�a�l� �U�S�E�N�I�X� �2�0�0�2� � �C�o�n�v�e�r�s�e�l�y�,� �I� �w�a�n�t� �t�o� �k�n�o�w� �N�A�S�A� s� �C�-�l�e�v�e�l� �c�o�d�e� �n�e�e�d�s� �M�a�y�b�e� �i�d�e�a�s� �f�r�o�m� �C�y�c�l�o�n�e� �w�i�l�l� �h�e�l�p� �M�a�y�b�e� �n�o�t� �E�i�t�h�e�r� �w�a�y� �w�o�u�l�d� �b�e� �f�a�s�c�i�n�a�t�i�n�g� ��¡¢��1��'�� +��5��-��!��1��%��Ì�fþ�� +��ª��1��Ì��ó��æ��¨�� r��[�P�r�e�s�e�n�t�a�t�i�o�n� �e�n�d�s� �h�e�r�e� � � � �s�o�m�e� �a�u�x�i�l�i�a�r�y� �s�l�i�d�e�s� �f�o�l�l�o�w�]��¡��:��:��ó��ç��¨��Example in Cyclone��¨��void f(int@{`j} p, tag_t<`i> i, int v ; `i < `j){ p[i] = v; } Note: regions and locks use implicit defaults (live and accessible)��¡Ì��I��E��þ��ÿ3�þ ��ÿ3�þ�� ÿ3�þ��F��ª,��"��R��ó��ô��0��¨��Some other problems�� \��O�n�e� �s�a�f�e�t�y� �v�i�o�l�a�t�i�o�n� �t�y�p�i�c�a�l�l�y� �r�e�n�d�e�r�s� �a�l�l� �p�r�o�g�r�a�m� �p�r�o�p�e�r�t�i�e�s� �p�o�t�e�n�t�i�a�l�l�y� �i�r�r�e�l�e�v�a�n�t� � �S�o� �p�r�o�h�i�b�i�t�:� � � � �i�n�c�o�r�r�e�c�t� �c�a�s�t�s�,� �a�r�r�a�y�-�b�o�u�n�d�s� �v�i�o�l�a�t�i�o�n�s�,� �m�i�s�u�s�e�d� �u�n�i�o�n�s�,� �u�n�i�n�i�t�i�a�l�i�z�e�d� �p�o�i�n�t�e�r�s�,� �d�a�n�g�l�i�n�g� �p�o�i�n�t�e�r�s�,� �n�u�l�l�-�p�o�i�n�t�e�r� �d�e�r�e�f�e�r�e�n�c�e�s�,� �d�a�n�g�l�i�n�g� �l�o�n�g�j�m�p�,� �v�a�r�a�r�g� �m�i�s�m�a�t�c�h�,� �n�o�t� �r�e�t�u�r�n�i�n�g� �p�o�i�n�t�e�r�s�,� �d�a�t�a� �r�a�c�e�s�,� �& ��¡,��d��Z�Ë��Z�d��Ë��/�ð¨��ó��^��ó��Å��%��ó��Ð��&��ó��è��'��ó��é��(��ó��ï��)��P��ÿÿÿ��ê��øÈ ��ï�� `�ð ��ÿ�ÿÿÿ��ÿÿ��ÿ��ÿÿ�ÿ��`�ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²�`�ð ��ÿÿÿ��333��ÝÝÝ��MMM�êêê�`�ð ��ÿÿÌ��ff3��33��3Ì�ÿÌf�`�ð ��ÿÿÿ��ÿÌf��ÿ�Ì�Ì�ÀÀÀ�`�ð ��ÿÿÿ��ÀÀÀ��fÿ�ÿ��`�ð ��ÿÿÿ��3ÿ�ÿÌ�Ì�Ì�²²²��£>��ÿý?��" ��d��d��@��ÿÿï��ÿÿÿÿÿÿ$��£z��ÿý?��" ��d��d��Ø��@��ÿÿï��ÿÿÿÿÿÿ�� Ô ��" Ð@�� ð`��»�� £n��ÿý?��" ��d��d��@��ÿÿï��ÿÿÿÿÿÿ �� @@��``��P�£V�� @�� `�� `�£ ��p�£>��£>��ù��P�� 0� Þ��ðÖ��ð�� ðn��ð(�� ð�� ð�� ðà�� ð�� ð6��PäÑ��¿��À��ÿ� ��"ñ��¿��ð��À�°Ð�ð��Ã��Ñ�� ðT��¨ ��Click to edit Master title style��¢��!��ª ��!��ð$�� ð�� ð0��çÑ��¿��À��ÿ� ��"ñ��¿��ð��ð°Ð��ð��Ã��Ñ�� ð��¨R��Click to edit Master text styles Second level Third level Fourth level Fifth level��¢��!�� ª ��S��ðâ�� ð�� ð0��ÜëÑ��¿��À��ÿ� ��"ñ��¿��ð��À°`à�ð��Ã��Ñ�� ð\�� *��¡��ø��ª��ðä�� ð�� ð0��ñÑ��¿��À��ÿ� ��"ñ��¿��ð��À� @à�ð��Ã�� Ñ�� ð^�� *� ��¡��ú��ª��ð`��B ð�� s�ð*��D��¿��À��ËÔ��ÿ��"ñ��¿��ð��0àp0�ðä�� ð�� ð0��$õÑ��¿��À��ÿ� ��"ñ��¿��ð��´Ðà�ð��Ã��Ñ�� ð^�� *��¡��Ø��ª��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²� �º&��d�a�n�_�d�e�s�i�g�n�_�t�e�m�p�l�a�t�e��î[��ï�� ù��P��Ø�� ó��ðë��@�ð��ð��ð(�� ð�� ð��ðà�� ð�� ð6��tár��¿��À��ÿ� ��"ñ��¿��ð�� °Ðp�ð��Ã��r� ðT��¨ ��Click to edit Master title style��¢��!��ª ��!��ðÝ�� ð�� ð0��Ýr��¿��À��ÿ� ��"ñ��¿��ð�� ` à �ð��Ã��r� ðW��¨#��Click to edit Master subtitle style��¢��$��ª ��$��ðÞ�� ð�� ð0�� s��¿��À��ÿ� ��"ñ��¿��ð��`°`�ð��Ã��r� ðX�� *��¡��ø��ª��ðà�� ð�� ð0��0%s��¿��À��ÿ� ��"ñ��¿��ð��`°Ð�ð��Ã�� s� ðZ�� *��¡��ú��ª��ðà�� ð�� ð0��¸(s��¿��À��ÿ� ��"ñ��¿��ð��` Ð�ð��Ã��s� ðZ�� *��¡��Ø��ª��ð`��B ð�� s�ð*��D��¿��À��ËÔ��ÿ��"ñ��¿��ð��0àp0�ð`��B ð�� s�ð*��D��¿��À��ËÔ��ÿ��"ñ��¿��ð��@àp@�ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��ð��ñ�� 0� ��ð��`�ð��0��ð��ð(�� ð�� ð��0��ð�� ð��0�� Ó�ðN��xs�gk��´µ��gk��´µ��¿��¿��À��ÿ� ��ð��v$�ð��Ã�� s� ðn�� *��¡�� ù��ª ��¦��ñ��J%%JJoo�ð�� ð��0�� Ó�ðN��üs�gk��´µ��gk��´µ��¿��¿��À��ÿ� ��ð��Â 8$�ð��Ã��s� ðp�� *��¡�� ø��ª ��¦��ñ��J%%JJoo�ðd�� ð��0�� c�ð$��¿��ÿ� �?��ð��·æRH �ð��Ã��s�ð4�� ð��0�� Ó�ðN��`s�gk��´µ��gk��´µ��¿��¿��À��ÿ� ��ð��Ú Lì!�ð��Ã��s� ð��¨R��Click to edit Master text styles Second level Third level Fourth level Fifth level��¢��!�� ª ��S��ð �� ð��0�� ã�ðT�� ¢s�gk��´µ��gk��´µ��¿��¿��À��ÿ� ��ð��´��vØ�ð��Ã�� s� ðn�� *��¡�� ú��ª ��¦��ñ��J%%JJoo�ð �� ð��0�� ã�ðT��p¢s�gk��´µ��gk��´µ��¿��¿��À��ÿ� ��ð��´Â 8Ø�ð��Ã��s� ðp�� *��¡�� Ø��ª ��¦��ñ��J%%JJoo�ðH�� ð��0�� ð0��ßj�BÁ�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��ÚñÄPÿc_�Ép�� ðø��@ð��ð��ð(�� ð�� ð��ð �� ð�� Ó�ðN��(g�gk��´µ��gk��´µ��¿��¿��À��ÿ� ��ð��v$�ð��Ã�� {� ðv�� *��¡�� ù��ª��¦��ñ��J%%JJoo�ð�� ð�� Ó�ðN��Th�gk��´µ��gk��´µ��¿��¿��À��ÿ� ��ð��Â 8$�ð��Ã��{� ðx�� *��¡�� ø��ª��¦��ñ��J%%JJoo�ð�� ð�� ã�ðT��]�gk��´µ��gk��´µ��¿��¿��À��ÿ� ��ð��´��vØ�ð��Ã�� {� ðv�� *��¡�� ú��ª��¦��ñ��J%%JJoo�ð�� ð�� ã�ðT��øE�gk��´µ��gk��´µ��¿��¿��À��ÿ� ��ð��´Â 8Ø�ð��Ã��{� ðx�� *��¡�� Ø��ª��¦��ñ��J%%JJoo�ðH�� ð�� ð0��ßj�BÁ�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��ÚñÄÜ±`�î��ï��ù��P��ç�� ð��0�ð��ð0��ð(�� ð�� ð��ðx�� ð�� c�ð$��2s¿��ÿ��ð��ð°ÐÀ�ð��Ã��s� ð ��ðx�� ð�� c�ð$��P3s¿��ÿ��ð��PPÐ �ð��Ã��s� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� %��ù��P��ÿÿÿ� ®��ð¦��ð��T��ð>��ð(�� ð�� ð��T��ðx�� ð��T� ��c�ð$��(¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð�� ð��T� ��c�ð$��Ô¿��ÿ�� ð��ð°0��ð��Ã�� ð��¦��ðH�� ð��T�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��@��ç�� ð��ðð��`��ð0��ð(�� ð�� ð��`��ðx�� ð��`� ��c�ð$��¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��`� ��c�ð$��T¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��`�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� )��ù��P��ÿÿÿ� ��ð��àð��ð0��ð(�� ð�� ð��ðx�� ð�� c�ð$�� ¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð�� c�ð$��X¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��P��ÿÿÿ� ��ð��Ðð��ð0��ð(�� ð�� ð��ðx�� ð�� c�ð$��ð¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð�� c�ð$��x¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��@��ÿÿÿ� ��ð��Àð��l��ð0��ð(�� ð�� ð��l��ðx�� ð��l� ��c�ð$��èÜ¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��l� ��c�ð$��¤Ý¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��l�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��@��ÿÿÿ� ��ð��°ð��p��ð0��ð(�� ð�� ð��p��ðx�� ð��p� ��c�ð$��ÐÉ¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��p� ��c�ð$��Ê¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��p�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��P��ÿÿÿ� ��ð�� ð��t��ð0��ð(�� ð�� ð��t��ðx�� ð��t� ��c�ð$��¨Á¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��t� ��c�ð$��dÂ¿��ÿ�� ð��°` �ð��Ã�� ð ��ðH�� ð��t�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��P��ÿÿÿ� ¶��ð®��ð��x��ðF��ð(�� ð�� ð��x��ðx�� ð��x� ��c�ð$��lo¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð�� ð��x� ��c�ð$��Dô¿��ÿ�� ð��ð°Ð��ð��Ã�� ð"��¦��ø�� @08X�ðH�� ð��x�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��îõ��ï�� &��ù��P��ÿÿÿ� ��ð��ð��#��#|��ð��ð(�� ð�� ð��|��ðx�� ð��|� ��c�ð$��¸=¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��|� ��c�ð$��t>¿��ÿ�� ð�� Ð�ð��Ã�� ð ��ðå��ðv�� ð��p�� ð��|��#�ð ��#�"ñ"�� Ã�� à��à��p��ð��@�ð¿�� ð��|� ��£�ð<��4¿��¿��À��ÿ��?��ð��@�� ðK��¨��0��¡�� ¦��ø�� @`�ðÍ�� ð��|� ��£�ð<�� ¿��¿��À��ÿ��?��ð��` �� @�� ðY��¨�� 2 (32=5.5%)��¡�� ¦��ø�� @`�ð�� ð��|� ��£�ð<�� ¿��¿��À��ÿ��?��ð�� ` �� ð�� (��+� � � �3�4� �(�5�.�8�%�)� � � � �2�9��¡2�� "��¦��ø�� @`�ðÃ�� ð��|� ��£�ð<��è¿��¿��À��ÿ��?��ð��ã�� ðO��¨�� 584��¡�� ¦��ø�� @`�ð×�� ð�� |� ��£�ð<��¸¿��¿��À��ÿ��?��ð��p�� ã�� ðc��¨��ccured-olden-mst (1 of 4)��¡�� ¦��ø�� @`�ðÎ�� ð�� |� ��£�ð<��D)¿��¿��À��ÿ��?��ð��@��)�� ðZ��¨��1 ��¡&�� ÿ3�þ��¦��ø�� @`�ðË�� ð��|� ��£�ð<��´1¿��¿��À��ÿ��?��ð��` ��)��@�� ðW��¨ ��12 (261=8.7%)��¡�� ¦��ø�� @`�ðü�� ð�� |� ��£�ð<��43¿��¿��À��ÿ��?��ð��)��` �� ð�� $��+� �2�7�3� �(�9�.�1�%�)� � �2�4�5��¡2�� "��¦��ø�� @`�ðÂ�� ð�� |� ��£�ð<��À5¿��¿��À��ÿ��?��ð��ã��)�� ðN��¨��3005��¡�� ¦��ø�� @`�ðÑ�� ð��|� ��£�ð<��àJ¿��¿��À��ÿ��?��ð��p��)��ã�� ð]��¨��mini-httpd (1 of 6)��¡�� ¦��ø�� @`�ðî�� ð��|� ��£�ð<��pT¿��¿��À��ÿ��?��ð��@��I�� )�� ðz��¨��1 (half of examples)��¡4�� ÿ3�þ��ÿ3�þ��¦��ø�� @`�ðË�� ð��|� ��£�ð<��\¿��¿��À��ÿ��?��ð��` ��I��@��)�� ðW��¨ ��41 (216=6.6%)��¡�� ¦��ø�� @`�ðü�� ð��|� ��£�ð<��f¿��¿��À��ÿ��?��ð��I��` ��)�� ð�� $��+� �2�5�7� �(�7�.�9�%�)� � �1�9�0��¡2�� "��¦��ø�� @`�ðÂ�� ð��|� ��£�ð<��Pn¿��¿��À��ÿ��?��ð��ã��I��)�� ðN��¨��3260��¡�� ¦��ø�� @`�ðÏ�� ð��|� ��£�ð<�� v¿��¿��À��ÿ��?��ð��p��I��ã��)�� ð[��¨��grobner (1 of 4)��¡�� ¦��ø�� @`�ðÈ�� ð��|� ��£�ð<��x¿��¿��À��ÿ��?��ð��@�� I�� ðT��¨ ��bugs found��¡�� ¦��ø�� @`�ðÈ�� ð��|� ��£�ð<��Ü¿��¿��À��ÿ��?��ð��` ��@��I�� ðT��¨ ��incidental��¡�� ¦��ø�� @`�ðÈ�� ð��|� ��£�ð<�� ¿��¿��À��ÿ��?��ð��` ��I�� ðT��¨ ��diff total��¡�� ¦��ø�� @`�ðÈ�� ð��|� ��£�ð<��ø¿��¿��À��ÿ��?��ð��ã��I�� ðT��¨ ��Lines of C��¡�� ¦��ø�� @`�ðÅ�� ð��|� ��£�ð<��x¿��¿��À��ÿ��?��ð��p��ã��I�� ðQ��¨��Example��¡�� ¦��ø�� @`�ð`��B ð��|� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð��p�� ðZ��B ð��|� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��p��I�� I��ðZ��B ð��|� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��p��)�� )��ðZ��B ð��|� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��p�� ð`��B ð��|� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð��p�� ð`��B ð��|� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð��p��p��ðZ��B ð��|� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��ã��ã��ðZ��B ð�� |� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��ðZ��B ð��!|� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��` ��` ��ðZ��B ð��"|� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��@��@��ð`��B ð��#|� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð�� ðH�� ð��|�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î¬��ï�� ù��P��ç�� D��ð<��pð��(��(��ðÔ��ð(�� ð�� ð��ðx�� ð�� c�ð$��¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð�� c�ð$��Ô¿��ÿ�� ð��p0ð�ð��Ã�� ð ��ð��ðv�� ð��°�� ð��#�ð ��#�"ñ"�� Ã��°��á��à��p��ð��p�ðü�� ð�� £�ð<��¨ ¿��¿��À��ÿ��?��ð�� À�� ð�� $��+� � � �3�5� � � � �3�0� �n�o�g�c��¡2�� "��¦��ø�� @`�ðß�� ð�� £�ð<��¬+¿��¿��À��ÿ��?��ð�� *��À�� ðk��¨�� ¡2�� "�� "��¦��ø�� @`�ðî�� ð�� £�ð<��h3¿��¿��À��ÿ��?��ð�� I��À��*�� ðz�� +� �3�3�6� � �1�9�6��¡2�� "��¦��ø�� @`�ðÄ�� ð�� £�ð<��h=¿��¿��À��ÿ��?��ð�� À��I�� ðP��¨��faster��¡�� ¦��ø�� @`�ðÃ�� ð�� £�ð<��¸C¿��¿��À��ÿ��?��ð��À�� °�� ðO��¨��1.39x��¡�� ¦��ø�� @`�ðÃ�� ð�� £�ð<��ÈF¿��¿��À��ÿ��?��ð��ð �� ðO��¨��1.93x��¡�� ¦��ø�� @`�ðò�� ð�� £�ð<��`U¿��¿��À��ÿ��?��ð��°�� ð �� ð~�� +� � � �3�4� � � � �2�9��¡2�� "��¦��ø�� @`�ðÃ�� ð�� £�ð<��HP¿��¿��À��ÿ��?��ð�� °�� ðO��¨�� 584��¡�� ¦��ø�� @`�ð×�� ð�� £�ð<��0e¿��¿��À��ÿ��?��ð�� ðc��¨��ccured-olden-mst (1 of 4)��¡�� ¦��ø�� @`�ðÕ�� ð�� £�ð<��Hón¿��¿��À��ÿ��?��ð��À��*��°�� ða��¨ �� ¡&�� "�� "��¦��ø�� @`�ðÇ�� ð�� £�ð<�� h¿��¿��À��ÿ��?��ð��ð ��*�� ðS��¨��1.02x��¡�� ÿ3�þ��¦��ø�� @`�ðî�� ð�� £�ð<��Ð~¿��¿��À��ÿ��?��ð��°��*��ð �� ðz�� +� �2�7�3� � �2�4�5��¡2�� "��¦��ø�� @`�ðÂ�� ð�� £�ð<��¿��¿��À��ÿ��?��ð�� *��°�� ðN��¨��3005��¡�� ¦��ø�� @`�ðÑ�� ð�� £�ð<��Ø¿��¿��À��ÿ��?��ð��*�� ð]��¨��mini-httpd (1 of 6)��¡�� ¦��ø�� @`�ðÃ�� ð�� £�ð<��¿��¿��À��ÿ��?��ð��À��I��°��*�� ðO��¨��1.51x��¡�� ¦��ø�� @`�ðÃ�� ð�� £�ð<��X¿��¿��À��ÿ��?��ð��ð ��I�� *�� ðO��¨��1.94x��¡�� ¦��ø�� @`�ðî�� ð�� £�ð<�� ¿��¿��À��ÿ��?��ð��°��I��ð ��*�� ðz�� +� �2�5�7� � �1�9�0��¡2�� "��¦��ø�� @`�ðÂ�� ð�� £�ð<��À¯¿��¿��À��ÿ��?��ð�� I��°��*�� ðN��¨��3260��¡�� ¦��ø�� @`�ðÏ�� ð�� £�ð<��ð·¿��¿��À��ÿ��?��ð��I�� *�� ð[��¨��grobner (1 of 4)��¡�� ¦��ø�� @`�ðÌ�� ð�� £�ð<��äÀ¿��¿��À��ÿ��?��ð��À��°��I�� ðX��¨��execution time��¡�� ¦��ø�� @`�ðÌ�� ð�� £�ð<��dÉ¿��¿��À��ÿ��?��ð��ð �� I�� ðX��¨��execution time��¡�� ¦��ø�� @`�ðÈ�� ð�� £�ð<��äÊ¿��¿��À��ÿ��?��ð��°��ð ��I�� ðT��¨ ��diff total��¡�� ¦��ø�� @`�ðÈ�� ð�� £�ð<��øÙ¿��¿��À��ÿ��?��ð�� °��I�� ðT��¨ ��Lines of C��¡�� ¦��ø�� @`�ðÅ�� ð�� £�ð<��¬á¿��¿��À��ÿ��?��ð�� I�� ðQ��¨��Example��¡�� ¦��ø�� @`�ð`��B ð�� ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð��°��ðZ��B ð�� s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��I��°��I��ðZ��B ð�� s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��*��°��*��ðZ��B ð�� s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð�� °�� ð`��B ð��!� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð��°��ð`��B ð��"� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð��ðZ��B ð��#� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð�� ðZ��B ð��$� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��°��°��ðZ��B ð��%� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��ð ��ð ��ðZ��B ð��&� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��À��À��ð`��B ð��'� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð��°��°��ðZ��B ð��(� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð�� ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��P��ç�� ð��`ð��ð0��ð(�� ð�� ð��ðx�� ð�� c�ð$��`¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð�� c�ð$��¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��P��ÿÿÿ� ��ð��Pð��ð0��ð(�� ð�� ð��ðx�� ð�� c�ð$��ð¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð�� c�ð$��¬¿��ÿ�� ð�� °�0�ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��@��ÿÿÿ� ��ð��@ð��´��ð0��ð(�� ð�� ð��´��ðx�� ð��´� ��c�ð$��ð¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��´� ��c�ð$��¬¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��´�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� '��ù��P��ÿÿÿ� !��ð�� ð��&��9¤��ð±��ð(�� ð�� ð��¤��ðÍ�� ð��¤�� ð0��lÊr��¿��À��ÿ�� ð��°°Ð0 � ðm��¨c��Subtyping: t@ < t* but t@@ < t*@ but Downcast via run-time check, often avoided via flow analysis��¡¶��!�� 2�� 2��(��2�� 2�=��! ��2��=��ª��>��¦��ø��Ø�ÔÐð�ð~�� ð��¤� ��s�ð*��(Ër¿��ÿ�� ð��À�°Ð�ð��Ã�� r� ð ��ð��ðn�� ð�� @��P �� ð��¤��#�ð ��#�"ñ�� Ã��Q��ð��ð @À�ðä�� ð��¤� ��£�ð<��Ôr¿��¿��À��ÿ��?��ð��Ñ��@��P �� ðp��¨��pointer to a t value��¡*�� ¦��ø�� @`�ðÖ�� ð��¤� ��£�ð<��ØÛr¿��¿��À��ÿ��?��ð�� Ñ��P �� ðb��¨��t@��¡.��¦��ø�� @`�ðø�� ð��¤� ��£�ð<��äàr¿��¿��À��ÿ��?��ð��@��Ñ�� ð��¨��pointer to a t value or NULL��¡6�� ¦��ø�� @`�ðÖ�� ð��¤� ��£�ð<��0ër¿��¿��À��ÿ��?��ð�� Ñ�� ðb��¨��t*��¡.��¦��ø�� @`�ð`��B ð�� ¤� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð�� @��ðZ��B ð�� ¤� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð�� Ñ��@��Ñ��ð`��B ð��¤� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð�� P ��@��P ��ð`��B ð�� ¤� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð�� P ��ðZ��B ð�� ¤� ��s�ð*��¿��À��Ë1��ÿ� ��?��¿��ð��P ��ð`��B ð��¤� ��ð0��¿��À��Ëo��×��ÿ� ��?��¿��ð��@��@��P ��ð±�� ð��¤�� ð6��4îr��ÿÿ��¿��À��ÿ��ð��0 à` ð � ðK��¨��<��¡��ª ��ð^�� ð��¤�� ð6��¿��À��Ë>��ÿ��ð��À p` �ðX��B ð��¤� ��ð0��D��¿��À��ËÑV��Ñ��ÿ��ð�� à �ð^�� ð��¤�� ð6��¿��À��Ë>��ÿ��ð��À àÐ �ð��¢ ð��¤�� ð0��ðr¿��¿��À��ÿ��ð�� àÐ° � ð1��¨��v��¡�� 2��ð^�� ð��¤�� ð6��¿��À��Ë>��ÿ��ð��Ðp` �ð^��B ð�� ¤� ��ð6��D��¿��À��ËÑV��Î��Ñ��ÿ��ð��0 �à0 �ð^�� ð��!¤�� ð6��¿��À��Ë>��ÿ��ð��ÐàÐ �ð��¢ ð��"¤�� ð0��\ôr¿��¿��À��ÿ��ð�� àÐÀ � ð1��¨��v��¡�� 2��ð·��¢ ð��$¤�� £�ð<��ô÷r��¿��¿��À��ÿ��ð��X ×� ðK��¨��/��¡��ª ��ð±�� ð��%¤�� ð6��¬ûr��ÿÿ��¿��À��ÿ��ð��0 Pð � ðK��¨��<��¡��ª ��ð^�� ð��&¤�� ð6��¿��À��Ë>��ÿ��ð��À `P �ð^�� ð��(¤�� ð6��¿��À��Ë>��ÿ��ð��À ÐÀ �ð��¢ ð��)¤�� ð0��ð�s¿��¿��À��ÿ��ð�� ÐÀ° � ð1��¨��v��¡�� 2��ð^�� ð��.¤�� ð6��¿��À��Ë>��ÿ��ð��À �ðX��B ð��/¤� ��ð0��D��¿��À��ËÑV��Ñ��ÿ��ð�� ` �ðX��B ð��2¤� ��ð0��D��¿��À��ËÑV��Ñ��ÿ��ð�� ðÐ �ð·��¢ ð��3¤�� £�ð<��\s��¿��¿��À��ÿ��ð��u ¡S¼� ðK��¨��/��¡��ª ��ð^�� ð��4¤�� ð6��¿��À��Ë>��ÿ��ð�� `P` �ð^�� ð��5¤�� ð6��¿��À��Ë>��ÿ��ð�� ÐÀ` �ð��¢ ð��6¤�� ð0��4 s¿��¿��À��ÿ��ð��pÐÀ � ð1��¨��v��¡�� 2��ð^�� ð��7¤�� ð6��¿��À��Ë>��ÿ��ð�� ` �ðX��B ð��8¤� ��ð0��D��¿��À��ËÑV��Ñ��ÿ��ð�� ` �ð^��B ð��9¤� ��ð6��D��¿��À��ËÑV��Î��Ñ��ÿ��ð�� ðÐ �ðH�� ð��¤�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��ît��ï�� ù��P��ç�� ð��0ð��¬��ð��ð(�� ð�� ð��¬��ð~�� ð��¬� ��s�ð*��ä¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð~�� ð��¬� ��s�ð*��Të¿��ÿ�� ð��ð@`��ð��Ã�� ð ��ðX�� ð��¬�� ð0��¿��À��ÿ��ð��`@°Ð�ðH�� ð��¬�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î<��ï�� ù��P��ÿÿÿ� Ô��ðÌ�� ð��°��ðd��ð(�� ð�� ð��°��ð~�� ð��°� ��s�ð*��ôÕ¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð�� ð��°� ��£�ð<��°Ö¿��À��Ä��Ë1��ÿ� � ��ð��ðààb�ð��Ã�� ð ��ð��¢ ð��°�� ð0��@Ü¿��¿��À��ÿ��ð��p°Ð � ð®�� z�� R�i�c�h�e�r� �t�y�p�e�s� �m�a�k�e� �i�n�t�e�r�f�a�c�e� �s�t�r�i�c�t�e�r� � �S�t�r�i�c�t�e�r� �i�n�t�e�r�f�a�c�e� �m�a�k�e� �i�m�p�l�e�m�e�n�t�a�t�i�o�n� �e�a�s�i�e�r�/�f�a�s�t�e�r� � �E�x�p�o�s�i�n�g� �c�h�e�c�k�s� �t�o� �u�s�e�r� �l�e�t�s� �t�h�e�m� �o�p�t�i�m�i�z�e� � �C�a�n� t� �c�h�e�c�k� �e�v�e�r�y�t�h�i�n�g� �s�t�a�t�i�c�a�l�l�y� �(�e�.�g�.�,� �c�l�o�s�e�-�o�n�c�e�)��¡��¾�� 2�¾��ðH�� ð��°�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î<��ï�� ù��P��ÿÿÿ� ��ð��ð��ø��ð$��ð(�� ð�� ð��ø��ðr�� ð��ø� ��S�ð��4Ã¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðr�� ð��ø� ��S�ð��ðÃ¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��ø�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��âñÄ0¼A#�î®��ï�� ù��P��ÿÿÿ� ��ðþ��ð�� 0��ð��ð(�� ð�� ð��0��ðr�� ð��0� ��S�ð��¤¤¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð7�� ð��0�� ð6��Ø¥¿��¿��À��ÿ��ð��ðàÐ � ðÑ��¨W��void f(int*@p) { if(*p != NULL) { g(); **p = 42;//inserted check even w/o g() } }��¡2��X��þR��ª$��K��ð�� ð��0� ��£�ð<��´«��¿��À��ÿ�� ð�� Ppð�ð��Ã�� ð ��ð¨�� ð�� 0�� ð6��¯��ÿÿ��¿��À��ÿ��ð��ð� À`� ðB��¡��ª ��ð^�� ð��0�� ð6��¿��À��Ë>��ÿ��ð��ÐÀ@�ð^�� ð�� 0�� ð6��¿��À��Ë>��ÿ��ð��@0@�ð®��¢ ð�� 0�� ð0��D¹¿��¿��À��ÿ��ð��P@`J� ðN��¨��37��¡�� 2��ª��ð^�� ð��0�� ð6��¿��À��Ë>��ÿ��ð�� @�ðX��B ð��0� ��ð0��D��¿��À��ËÑV��Ñ��ÿ��ð��àð Ðà�ð^��B ð��0� ��ð6��D��¿��À��ËÑV��Î��Ñ��ÿ��ð��à`@à�ð¯��¢ ð��0�� £�ð<��4.q��¿��¿��À��ÿ��ð��` 4 0� ðC��¨��p��¡��ª ��ðH�� ð��0�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��õÄS¼S�îh ��ï�� ù��P��ç�� À��ð¸��ðð��4��ðP��ð(�� ð�� ð��4��ðx�� ð��4� ��c�ð$��¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðh�� ð��4�� ð6��¿��¿��À��ÿ��ð��ðàÐt � ð��¨R��void f(int**p) { int* x = *p; if(x != NULL) { g(); *x = 42;//no check } }��¡N��S��þ��þ;��ª>��/��ð�� ð��4� ��£�ð<��°��¿��À��ÿ�� ð�� Ppð�ð��Ã�� ð ��ð¨�� ð��4�� ð6��ô��ÿÿ��¿��À��ÿ��ð��P� Àp� ðB��¡��ª ��ð^�� ð��4�� ð6��¿��À��Ë>��ÿ��ð��àÐÀ �ð^�� ð��4�� ð6��¿��À��Ë>��ÿ��ð��à@0 �ð®��¢ ð�� 4�� ð0��Pæq¿��¿��À��ÿ��ð��°@`ª� ðN��¨��37��¡�� 2��ª��ð^�� ð�� 4�� ð6��¿��À��Ë>��ÿ��ð��à �ðX��B ð��4� ��ð0��D��¿��À��ËÑV��Ñ��ÿ��ð��@ð ÐA�ð^��B ð�� 4� ��ð6��D��¿��À��ËÑV��Î��Ñ��ÿ��ð��@`@A�ð¯��¢ ð�� 4�� £�ð<��¬Cq��¿��¿��À��ÿ��ð��p` 4 � ðC��¨��p��¡��ª ��ð^�� ð��4�� ð6��¿��À��Ë>��ÿ��ð��ÐÀP�ð^��B ð��4� ��ð6��D��¿��À��ËÑV��Î��Ñ��ÿ��ð��Ð`@ñ�ð¯��¢ ð��4�� £�ð<��7q��¿��¿��À��ÿ��ð�� pD@� ðC��¨��x��¡��ª ��ðH�� ð��4�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��õÄS¼S�î��ï�� ù��@��ÿÿÿ� ��ð��àð��,��ð0��ð(�� ð�� ð��,��ðx�� ð��,� ��c�ð$��du¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��,� ��c�ð$�� v¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��,�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��îK��ï�� ù��@��ÿÿÿ� ã��ðÛ��Ðð��¼��ðs��ð(�� ð�� ð��¼��ð~�� ð��¼� ��s�ð*��°a¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��¼� ��c�ð$��lb¿��ÿ�� ð�� P ��ð��Ã�� ð ��ðR��B ð��¼�� s�ð*��D��¿��À��ËÔ��ÿ��ð�� p�ð��¢ ð��¼�� ð0��Te¿��¿��À��ÿ��ð��ÀPà� ð:��¡�� 2��ª ��ð��¢ ð��¼�� ð0��h¿��¿��À��ÿ��ð��À°à� ð:��¡�� 2��ª ��ð��¢ ð��¼�� £�ð<��°Qq��¿��¿��À��ÿ��ð��P � ð+��¨©��struct Lst<`a> { `a hd; struct Lst<`a>* tl; }; struct Lst<`b>* map( `b f(`a), struct Lst<`a> *); struct Lst<`a>* append( struct Lst<`a>*, struct Lst<`a>*);��¡f��ª�� ÿ3�þ��ÿ3�þ��ÿ3�þ��ÿ3�þ��þ��ÿ3�þ��ÿ3�þ��ÿ3�þ��ÿ3�þ��þ��ÿ3�þ��ÿ3�þ��ðH�� ð��¼�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î$��ï�� (��ù��@��ç�� ¼��ð´��Àð��À��ðL��ð(�� ð�� ð��À��ð~�� ð��À� ��s�ð*��_¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð�� ð��À� ��c�ð$��pNq¿��ÿ�� ð��°à��ð��Ã�� ð"��¦��8��¹�+s�ðH�� ð��À�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��@��ÿÿÿ� ¬��ð¤��°ð��È��ð<��ð(�� ð�� ð��È��ð~�� ð��È� ��s�ð*��,3¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð~�� ð��È� ��s�ð*��Ô3¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��È�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î"��ï�� ù��@��ÿÿÿ� º��ð²�� ð��"��"Ü��ð��ð(�� ð�� ð��Ü��ð~�� ð��Ü� ��s�ð*��¬8¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð~�� ð��Ü� ��s�ð*��h9¿��ÿ�� ð��ðP��ð��Ã�� ð ��ðX�� ð��Ü�� ð0��ÿÿ��¿��À��ÿ��ð��ÐpP �ð^��2� ð��Ü�� ð6��¿��À��ËÑV��ÿ��ð��ÀPP�ðR�� ð��Ü�� s�ð*��¿��À��ÿ��ð��P°p�ðÒ�� ð��Ü�� ã�ðª��B(��C8��D��EÁ4��FÁ��¿��À��ËjJ��ÿ�� ðÿ(È�à��8h�(8��h��8�p��À��è�0�ø�8�� @� � � � �¬��ð��xX°�ðR��B ð��Ü�� s�ð*��D��¿��À��Ñ��ÿ��ð��°Pà�ðX�� ð�� Ü�� ð0��¿��À��ÿ��ð��°p�ðX�� ð�� Ü�� ð0��¿��À��ÿ��ð��p@ Ð�ðX�� ð��Ü�� ð0��¿��À��ÿ��ð��à0@�ð^��2� ð�� Ü�� ð6��¿��À��ËÑV��ÿ��ð��ðPPÀ �ðR�� ð�� Ü�� s�ð*��¿��À��ÿ��ð��@P° �ðÒ�� ð��Ü�� ã�ðª��B(��C8��D��EÁ4��FÁ��¿��À��ËjJ��ÿ�� ðÿ(È�à��8h�(8��h��8�p��À��è�0�ø�8�� @� � � � �¬��ð��¨Xà�ðR��B ð��Ü�� s�ð*��D��¿��À��Ñ��ÿ��ð��àP�ðX�� ð��Ü�� ð0��¿��À��ÿ��ð��àp@�ðX�� ð��Ü�� ð0��¿��À��ÿ��ð�� @ � �ðX�� ð��Ü�� ð0��¿��À��ÿ��ð��p0Ð�ð^��2� ð��Ü�� ð6��¿��À��ËÑV��ÿ��ð�� PPð �ðR�� ð��Ü�� s�ð*��¿��À��ÿ��ð��pP°Ð�ðÒ�� ð��Ü�� ã�ðª��B(��C8��D��EÁ4��FÁ��¿��À��ËjJ��ÿ�� ðÿ(È�à��8h�(8��h��8�p��À��è�0�ø�8�� @� � � � �¬��ð��Ø X �ðR��B ð��Ü�� s�ð*��D��¿��À��Ñ��ÿ��ð��P@�ðX�� ð��Ü�� ð0��¿��À��ÿ��ð��pp�ðX�� ð��Ü�� ð0��¿��À��ÿ��ð��Ð@ 0 �ðX�� ð��Ü�� ð0��¿��À��ÿ��ð��@ � �ðX�� ð��Ü�� ð0��¿��À��ÿ��ð�� Ð0��ðX�� ð��Ü�� ð0��¿��À��ÿ��ð��° `À�ðX�� ð��Ü�� ð0��¿��À��ÿ��ð�� ð` �ð¾�� ð��Ü�� ð��Bð��C@��D��EÁ��FÁ��¿��À��ËjJ��Ð��Ñ��ÿ��ðÿ��@x�Hð�Pð�pð�(�h��@� � �¬��ð��Ððà�ð^��B ð��Ü�� ð6��D��¿��À��ËjJ��Ð��Ñ��ÿ��ð��0``�ð^��B ð��Ü�� ð6��D��¿��À��ËjJ��Ð��Ñ��ÿ��ð��0 `` �ðÐ��2 ð�� Ü�@ ��ð¨��BÀ¨��CÀ¨��EÁ$��H>lÿI`T��QÁ��¿��À��ËjJ��Ñ��ÿ�� ðÿ��À¨À¨`T�� \'��À¨À¨`T�� \'`T`T��`T�� \'��`T��`T��ð��ðp!�ðÐ��2 ð��!Ü�@ ��ð¨��BÀ¨��CÀ¨��EÁ$��H>lÿI`T��QÁ��¿��À��ËjJ��Ñ��ÿ�� ðÿ��À¨À¨`T�� \'��À¨À¨`T�� \'`T`T��`T�� \'��`T��`T��ð�� p!È�ðÐ��2 ð��"Ü�@ ��ð¨��BÀ¨��CÀ¨��EÁ$��H>lÿI`T��QÁ��¿��À��ËjJ��Ñ��ÿ�� ðÿ��À¨À¨`T�� \'��À¨À¨`T�� \'`T`T��`T�� \'��`T��`T��ð��P p!ø �ðH�� ð��Ü�� ð0��Þ½h�¿��ÿ�� ?��?�ð0��ð�� Ü��ð��!Ü��ð��"Ü��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��@��ç�� ¬��ð¤��ð��à��ð<��ð(�� ð�� ð��à��ð~�� ð��à� ��s�ð*��l+¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð~�� ð��à� ��s�ð*��¸¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��à�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��îÃ��ï�� ù��@��ÿÿÿ� [��ðS��ð��ä��ðë��ð(�� ð�� ð��ä��ð~�� ð��ä� ��s�ð*�� ¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð~�� ð��ä� ��s�ð*��È¿��ÿ�� ð��à�T�ð��Ã�� ð ��ð§��¢ ð��ä�� ð0��Ü¿��¿��À��ÿ��ð�� ððà� ðG��¨��void f() { int* x; { int y = 0; x = &y; // x not dangling } // x dangling { int* z = NULL; *x = 123; ... } } ��¡��Z��5��&��ª��ðH�� ð��ä�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��@��ÿÿÿ� ¦��ð��pð��è��ð6��ð(�� ð�� ð��è��ð~�� ð��è� ��s�ð*��ð¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��è� ��c�ð$��¬¿��ÿ�� ð��°`��ð��Ã�� ð ��ðH�� ð��è�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��@��ÿÿÿ� ¦��ð��`ð��ì��ð6��ð(�� ð�� ð��ì��ð~�� ð��ì� ��s�ð*��pá¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��ì� ��c�ð$��,â¿��ÿ�� ð��ð�`�ð��Ã�� ð ��ðH�� ð��ì�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î/��ï�� ù��@��ÿÿÿ� Ç��ð¿��Pð��ð��ðW��ð(�� ð�� ð��ð��ðX�� ð��ð�� ð0��ÿÿ��¿��À��ÿ��ð��@P�ð~�� ð��ð� ��s�ð*��üË¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð~�� ð��ð� ��s�ð*��¸Ì¿��ÿ�� ð��ð°Ð0 �ð��Ã�� ð ��ðx��2� ð��ð�� ³�ðB��¿��¿ ��À��ÿ��?��"ñ��¿��ð��À `P �ð��2� ð��ð�� ã�ðT��¿��¿ ��À��ËjJ��ÿ��?��?��"ñ��¿��ð��Ñm] a�ð~��2� ð��ð�� Ã�ðH��¿��¿ ��À��ËjJ��ÿ��?��"ñ��¿��ð�� à Ð0�ð�� ð��ð�� ã�ðT��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð��ð � ° �ð�� ð��ð�� ã�ðT��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð��ð ° `�ð�� ð�� ð�� ã�ðT��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð�� P �@�ð�� ð�� ð�� ã�ðT��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð�� °@�ð�� ð��ð�� ã�ðT��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð�� @À �ð�� ð�� ð�� ã�ðT��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð�� @ðÀ �ð�� ð�� ð�� ã�ðT��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð�� Àp@�ðÌ��¢ ð��ð�� ó�ðZ��ÀÓ��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð��0 ðJP� ð4��¨��10��¡��ð�� ð��ð�� ã�ðT��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð��@ À`�ðÌ��¢ ð��ð�� ó�ðZ��¸×��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð��P @p� ð4��¨��81��¡��ð�� ð��ð�� ã�ðT��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð��À Ðà �ðÌ��¢ ð��ð�� ó�ðZ��Û��¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð��ÐPªð � ð4��¨��11��¡��ð��B ð��ð�@ ��Ó�ðN��¿��D��¿��À��ËjJ��Ñ��ÿ��?��¿��ÿ��"ñ��¿��ð�� pÀ �ð��B ð��ð�@ ��Ó�ðN��¿��D��¿��À��ËjJ��Ñ��ÿ��?��¿��ÿ��"ñ��¿��ð�� Ð�ð��B ð��ð�@ ��Ó�ðN��¿��D��¿��À��ËjJ��Ñ��ÿ��?��¿��ÿ��"ñ��¿��ð��0 0 �ðÁ��¢ ð��ð�� Ó�ðN��Ì)r¿��¿ ��À��ËjJ��ÿ��?��¿��ÿ��"ñ��¿��ð�� `°@� ð5��¨��0��¡�� 2��ð��B ð��ð�@ ��Ó�ðN��¿��D��¿��À��ËjJ��Ñ��ÿ��?��¿��ÿ��"ñ��¿��ð��0 ÐP 1 �ð��B ð��ð�@ ��Ó�ðN��¿��D��¿��À��ËjJ��Ñ��ÿ��?��¿��ÿ��"ñ��¿��ð��° Àà à �ðH�� ð��ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î ��ï�� ù��@��ç�� ¸��ð°��@ð��ô��ðH��ð(�� ð�� ð��ô��ð~�� ð��ô� ��s�ð*��³¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð�� ð��ô� ��ð6��ø¿¿��À��Ä��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��ô�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î<��ï�� ù��P��ÿÿÿ� ��ð��0ð��ü��ð$��ð(�� ð�� ð��ü��ðr�� ð��ü� ��S�ð��¨¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðr�� ð��ü� ��S�ð��|®¿��ÿ�� ð��°Ð �ð��Ã�� ð ��ðH�� ð��ü�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��âñÄ°4�î��ï�� ù��@��ÿÿÿ� ��ð�� ð��ð0��ð(�� ð�� ð��ðx�� ð�� c�ð$�� ¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð�� c�ð$��H¡¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î<��ï�� ù��P��ÿÿÿ� ��ð��ð��ð$��ð(�� ð�� ð��ðr�� ð�� S�ð��ä¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðr�� ð�� S�ð�� ¿��ÿ�� ð��ð°`��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��âñÄ0ÖjS�î<��ï�� ù��P��ÿÿÿ� ��ð��ð��ð$��ð(�� ð�� ð��ðr�� ð�� S�ð��T¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðr�� ð�� S�ð��¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��âñÄè�î<��ï�� ù��P��ÿÿÿ� ��ð��ð�ð�� ð$��ð(�� ð�� ð�� ðr�� ð�� S�ð��¬}¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðr�� ð�� S�ð��h~¿��ÿ�� ð��ð°0��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��ãñÄ¼!�î��ï�� ù��P��ÿÿÿ� ��ð��à�ð��ð0��ð(�� ð�� ð��ðx�� ð�� c�ð$��Ôk¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð�� c�ð$��l¿��ÿ�� ð��ð°`��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î<��ï�� ù��P��ÿÿÿ� ��ð��Ð�ð�� ð$��ð(�� ð�� ð�� ðr�� ð�� S�ð��´\¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðr�� ð�� S�ð��p]¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��óñÄ`Ö¦Á�î��ï�� ù��@��ç�� ð��À�ð��(��ð0��ð(�� ð�� ð��(��ðx�� ð��(� ��c�ð$��ÄH¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð��(� ��c�ð$��I¿��ÿ�� ð��ð°0��ð��Ã�� ð ��ðH�� ð��(�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î<��ï�� ù��P��ÿÿÿ� ��ð��°�ð��ð$��ð(�� ð�� ð��ðr�� ð�� S�ð��àB¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðr�� ð�� S�ð��C¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��áñÄ°Ó�îN��ï�� ù��P��ÿÿÿ� ¦��ð�� ð��ð6��ð(�� ð�� ð��ðr�� ð�� S�ð��À,¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð�� ð�� S�ð��¤9¿��ÿ�� ð��ð°Ð��ð��Ã�� ð��¦ ��Ù�Õ!�ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��óñÄP©_P�î��ï�� ù��P��ÿÿÿ� ��ð��ð��ð0��ð(�� ð�� ð��ðx�� ð�� c�ð$��\'¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð�� c�ð$��(¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��P��ÿÿÿ� ��ð��ð�� ð0��ð(�� ð�� ð�� ðx�� ð�� c�ð$��¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðx�� ð�� c�ð$��À¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î��ï�� ù��@��ÿÿÿ� ®��ð¦��p�ð��8��ð>��ð(�� ð�� ð��8��ðx�� ð��8� ��c�ð$�� ¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð�� ð��8� ��c�ð$��¿��ÿ�� ð��ð°Ð��ð��Ã�� ð��¦�� ðH�� ð��8�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��ðØ��ñ�� 0� ��ð��P�ð��x��ð(��ð(�� ð�� ð��x��ð^�� ð��x� ��S�ð��¿��ÿ��0��ð��·æRH �ð��Ã��s�ð�� ð��x� ��c�ð$��µs¿��ÿ��0��ð��Ú Lì!�ð��Ã�� s� ð��ª ��ðH�� ð��x�� ð0��ßj�BÁ�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��ðä��ñ�� 0� ¤��ð��ð��X��ð4��ð(�� ð�� ð��X��ðd�� ð��X� ��c�ð$��¿��ÿ��0��ð��·æRH �ð��Ã��{�ð�� ð��X� ��s�ð*�� 7{¿��ÿ��0��ð��Ú Lì!�ð��Ã�� {� ð��ª ��ðH�� ð��X�� ð0��ßj�BÁ�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��ðä��ñ�� 0� ¤��ð��0ð��ð4��ð(�� ð�� ð��ðd�� ð�� c�ð$��¿��ÿ��0��ð��·æRH �ð��Ã��{�ð�� ð�� s�ð*��ì {¿��ÿ��0��ð��Ú Lì!�ð��Ã�� {� ð��ª ��ðH�� ð�� ð0��ßj�BÁ�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��ðF��ñ�� 0� ��ðþ��Pð��¨��ð��ð(�� ð�� ð��¨��ðd�� ð��¨� ��c�ð$��¿��ÿ��0��ð��·æRH �ð��Ã��ðò�� ð��¨� ��3ðr��¬Ö�²e��Ù²��²e��Ù²��¿��¿��ÿ��0��ð��Ú Lì!�ð��Ã�� ð8��¨$��EXAMPLE OF SUBTYPING AS BACKUP SLIDE�ðH�� ð��¨�� ð0��ßj�BÁ�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��ð,��ñ�� 0� ì��ðä��`ð��Ä��ð|��ð(�� ð�� ð��Ä��ðd�� ð��Ä� ��c�ð$��¿��ÿ��0��ð��·æRH �ð��Ã��ðØ�� ð��Ä� ��3ðr��¼ô�²e��Ù²��²e��Ù²��¿��¿��ÿ��0��ð��Ú Lì!�ð��Ã�� ð��ª ��ðH�� ð��Ä�� ð0��ßj�BÁ�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��ðä��ñ��'�� 0� ¤��ð�� ð��ð4��ð(�� ð�� ð��ðd�� ð�� c�ð$��¿��ÿ��0��ð��·æRH �ð��Ã��{�ð�� ð�� s�ð*��Ì<{¿��ÿ��0��ð��Ú Lì!�ð��Ã�� {� ð��ª ��ðH�� ð�� ð0��ßj�BÁ�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��rø��P�� Ö��¦��§��^��y��¢��Â� �¡©��¿«��Å��d{�Ç��ï±��ÿ³��¶��¸��Eº��BÒ��öí��ð��Hh�P}�¬n�ò��&ô��· �3 �w�Ø�Ðñ%�D,�p.�0�¶A�ÒC�G�³I�ÉK��[�(]�l_�|a�Àc�Fs�Vu�<��f�Ï��ß¯��Xj�ðp�¾�l�á#�»�q�fw��õ��í��ª��ô��C��èF��é(��à��8��Ø�� òú��/�È ��0�Ò��Õ0��·D��T�i�m�e�s� �N�e�w� �R�o�m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0��·D��A�r�i�a�l��N�e�w� �R�o�m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0�" �·D��C�o�u�r�i�e�r� �N�e�w��m�a�n��©Ñ�´Õ�Õ�ì 0��.��Times New Roman��Arial� ��Courier New� ��Wingdings��dan_design_template�5��Cyclone: A Memory-Safe C-Level Programming Language ��A safe C-level language��Callers problem?��Safe low-level systems��Some insufficient approaches��Cyclone in brief��The plan from here��Status��Evaluation��Code differences��Run-time performance��Larger program: the compiler��Other projects��The plan from here��Not-null pointers��Example��A classic moral� ��Key Design Principles in Action��Its always aliasing��Its always aliasing��The plan from here��Change void* to `a��Not much new here��Existential types��Regions��Cyclone regions [PLDI 02]��Thats the easy part��The big restriction��Region polymorphism��Type definitions��Region subtyping��Regions evaluation��The plan from here��Other safety holes��And modern conveniences��Plenty of work remains��Related work: making C safer��Related Work: Checking C code��Related work: higher and lower��Summary� ��Availability� ��Fonts Used��Design Template�� Slide Titles��)��sign Template��ö$��_ÀãÜÈ� �ô�yDan Grossman��D�a�n� �G�r�o�s�s�m�a�n�$��_ÀãÄ¼� �ô�Ñ�Dan Grossman��D�a�n� �G�r�o�s�s�m�a�n� Memory�� #��#��.�� Ì�f��.�� 2 ×��-��.�� Ì�f��.��2 ×�w��m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0�10�·D��W�i�n�g�d�i�n�g�s��w��m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0��¤ ��`��ÿÿÿÿ��¥ ��.��© �� @�£n��ÿý?��" ��d��d��@��ÿÿï��ÿÿÿÿÿÿ�� @@��``�� ðü��ð��@��~��6��/�� /��7��Z��M��)��@��2��8��0��c�� /��/��2�� 0��/��,��+��*��)��(��$��3��'��)��&��%�� :��4��"��$��3��#��!��.��2��-�� ð0��A��¿��À��ÅA��ÿ��p�ñ��ÿ3��Ìf�Ì�f�ÿÿ�ÿf�ÿ��@�ñ��÷��ð8��ó��ó��ÐÑ��ððn�Ê;Ç�Ê;��úg��þ��ý4��X��d��X��d��ì 0��¨Õ��ÿÿÿ¦ÿÿÿ��p�û��p��p�û��@��<��ý4��!��d��!��d��® 0dÙ��ªÑ��<��ý4��d��d��d��d��® 0dÙ��ªÑ��<��ý4��B��d��B��d��® 0dÙ��ªÑ��ÿ�� N��0��º��_�_�_�P�P�T�1�0�� À��À��º��_�_�_�P�P�T�9��ð��®è��¯��¬`��ÿÿ��ÿÿ��ÿÿ��¯��¬X��ÿÿ��?�Ùd��Ú��-��º��1�1� �J�a�n�u�a�r�y� �2�0�0�5� �º*��D�a�n� �G�r�o�s�s�m�a�n�:� �C�y�c�l�o�n�e�O�Ù ��Ú��=��ð{��ó��¨4��Cyclone: A Memory-Safe C-Level Programming Language ��¡"��5��3�� Ì�fþ��¨¬��Dan Grossman University of Washington Joint work with: Trevor Jim AT&T Research Greg Morrisett Harvard University Michael Hicks University of Maryland��¡:��'��(��&��Ì�fþ��ó��Â��¨��A safe C-level language��¨ �� Cyclone is a programming language and compiler aimed at safe systems programming C is not memory safe: void f(int* p, int i, int v) { p[i] = v; } Address p+i might hold important data or code Memory safety is crucial for reasoning about programs ��¡��S��9��h��:��ÿ3�þ��ÿ3�þ�� þ��þ��þ��þ�� $�� 6��ó��Ã�� "��C�a�l�l�e�r� s� �p�r�o�b�l�e�m�?��ª��¨Ã�� void g(void**, void*); int y = 0; int *z = &y; g(&z,0xBAD); *z = 123; Might be safe, but not if g does *x=y Type of g enough for code generation Type of g not enough for safety checking��¡$��N�� v�� þ��þ ��þ!��%��ª>�� s��&�� ó��ë��'��¨��Safe low-level systems��¨8��For a safety guarantee today, use YFHLL Your Favorite High Level Language YFHLL provides safety in part via: hidden data fields and run-time checks automatic memory management Data representation and resource management are essential aspects of low-level systems There are strong reasons for C-like languages��¡��(��#��#��D��$��Y��.��(��Ì�fþ��Ì�fþ��Ì�fþ��Ì�fþ��Ì�fþ��#��ÿ3�þ!�� ÿ3�þ��0�� ÿ3�þ��-��ó��ì��(��¨��Some insufficient approaches�� ®��C�o�m�p�i�l�e� �C� �w�i�t�h� �e�x�t�r�a� �i�n�f�o�r�m�a�t�i�o�n� �t�y�p�e� �f�i�e�l�d�s�,� �s�i�z�e� �f�i�e�l�d�s�,� �l�i�v�e�-�p�o�i�n�t�e�r� �t�a�b�l�e�,� �& �t�r�e�a�t�s� �C� �a�s� �a� �h�i�g�h�e�r�-�l�e�v�e�l� �l�a�n�g�u�a�g�e� � �U�s�e� �s�t�a�t�i�c� �a�n�a�l�y�s�i�s� �v�e�r�y� �d�i�f�f�i�c�u�l�t� �l�e�s�s� �m�o�d�u�l�a�r� � �B�a�n� �u�n�s�a�f�e� �f�e�a�t�u�r�e�s� �t�h�e�r�e� �a�r�e� �m�a�n�y� �y�o�u� �n�e�e�d� �t�h�e�m��¡��!��U��!��T�� ó��Ç��¨��Cyclone in brief�� *��A� �s�a�f�e�,� �c�o�n�v�e�n�i�e�n�t�,� �a�n�d� �m�o�d�e�r�n� �l�a�n�g�u�a�g�e� � �a�t� �t�h�e� �C� �l�e�v�e�l� �o�f� �a�b�s�t�r�a�c�t�i�o�n� �S�a�f�e�:� �m�e�m�o�r�y� �s�a�f�e�t�y�,� �a�b�s�t�r�a�c�t� �t�y�p�e�s�,� �n�o� �c�o�r�e� �d�u�m�p�s� � �C�-�l�e�v�e�l�:� �u�s�e�r�-�c�o�n�t�r�o�l�l�e�d� �d�a�t�a� �r�e�p�r�e�s�e�n�t�a�t�i�o�n� �a�n�d� �r�e�s�o�u�r�c�e� �m�a�n�a�g�e�m�e�n�t�,� �e�a�s�y� �i�n�t�e�r�o�p�e�r�a�b�i�l�i�t�y�,� � m�a�n�i�f�e�s�t� �c�o�s�t� � �C�o�n�v�e�n�i�e�n�t�:� �m�a�y� �n�e�e�d� �m�o�r�e� �t�y�p�e� �a�n�n�o�t�a�t�i�o�n�s�,� �b�u�t� �w�o�r�k� �h�a�r�d� �t�o� �a�v�o�i�d� �i�t� � �M�o�d�e�r�n�:� �a�d�d� �f�e�a�t�u�r�e�s� �t�o� �c�a�p�t�u�r�e� �c�o�m�m�o�n� �i�d�i�o�m�s� � � N�e�w� �c�o�d�e� �f�o�r� �l�e�g�a�c�y� �o�r� �i�n�h�e�r�e�n�t�l�y� �l�o�w�-�l�e�v�e�l� �s�y�s�t�e�m�s� ��¡ô��G��Z��Z�6��Z��Z�F��ÿ��þ��ÿ��þ��.�� e�� ;�� '��6��ó��È��¨��The plan from here�� ê��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �B�e�n�c�h�m�a�r�k�s�,� �p�o�r�t�s�,� �s�y�s�t�e�m�s�,� �c�o�m�p�i�l�e�r�,� �& �A�l�l� �o�n� �E�a�r�t�h� �s�o� �f�a�r� �Jð �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� � �R�e�a�l�l�y� � j�u�s�t� �a� �t�a�s�t�e� �o�f� �C�y�c�l�o�n�e��¡Â��Z�>��Z�)��Z�(��Z�-��Z�"��Z��<�� (��-��"��ó��É��¨��Status�� ®�� C�y�c�l�o�n�e� �r�e�a�l�l�y� �e�x�i�s�t�s� �(�e�x�c�e�p�t� �m�e�m�o�r�y�-�s�a�f�e� �t�h�r�e�a�d�s�)� � �>�1�5�0�K� �l�i�n�e�s� �o�f� �C�y�c�l�o�n�e� �c�o�d�e�,� �i�n�c�l�u�d�i�n�g� �t�h�e� �c�o�m�p�i�l�e�r� � �g�c�c� �b�a�c�k�-�e�n�d� �(�L�i�n�u�x�,� �C�y�g�w�i�n�,� �O�S�X�,� �M�i�n�d�s�t�o�r�m�,� �& )� � �U�s�e�r� s� �m�a�n�u�a�l�,� �m�a�i�l�i�n�g� �l�i�s�t�s�,� �& � �S�t�i�l�l� �a� �r�e�s�e�a�r�c�h� �v�e�h�i�c�l�e� � � ��¡À��4��¢��3��4�� 0�� ª�� ?��ó��Ê��¨ ��Evaluation��¨æ�� Is Cyclone like C? port code, measure source differences interface with C code (extend systems) What is the performance cost? port code, measure slowdown Is Cyclone good for low-level systems? write systems, ensure scalability ��¡Ê��" ��N��" ��'��" ��"��N�� '��"��ó��Ë�� ¨��Code differences��¨��Porting not automatic, but quite similar Many changes identify arrays and lengths Some changes incidental (absent prototypes, new keywords)��¡��ó��Ì�� ¨��Run-time performance��¨Ð��RHLinux 7.1 (2.4.9), 1.0GHz PIII, 512MRAM, gcc2.96 -O3, glibc 2.2.4 Comparable to other safe languages to start C level provides important optimization opportunities Understanding the applications could help��¡L��E��D��,��6��*��ó��Í��¨��Larger�� !��"��#��$��%��&��'��(��)��*��+��,��-��.��/��0��1��2��3��4��5��6��7��8��9��:��;��<��=��>��?��@��A��B��C��D��E��F��G��H��I��J��K��L��M��N��O��P��Q��R��S��T��U��V��W��X��Y��Z��[��\��]��^��_��`��a��b��c��d��e��f��g��h��i��j��k��l��m��n��o��p��q��r��s��t��u��v��w��x��y��z��{��|��}��~�� ¡��¢��£��¤��¥��¦��§��¨��©��ª��«��¬��®��¯��°��±��²��³��´��µ��¶��·��¸��¹��º��»��¼��½��¾��¿��À��Á��Â��Ã��à��Å��Æ��þÿÿÿÈ��É��Ê��Ë��Ì��Í��Î��Ï��Ð��Ñ��Ò��Ó��Ô��Õ��Ö��×��Ø��Ù��Ú��Û��=��ýÿÿÿýÿÿÿß��þÿÿÿá��â��ã��ä��å��æ��ç��è��é��ê��ë��ì��í��î��ï��ð��ñ��ò��ó��ô��õ��ö��÷��ø��ù��ú��û��ü��ý��þ��ÿ��R�o�o�t� �E�n�t�r�y��ÿÿÿÿÿÿÿÿ��dOÏê�ª�¹)è�� ÖÛìÑøÄ6��@��C�u�r�r�e�n�t� �U�s�e�r��ÿÿÿÿÿÿÿÿÿÿÿÿ��K��D��S�u�m�m�a�r�y�I�n�f�o�r�m�a�t�i�o�n��(��ÿÿÿÿÿÿÿÿ�� P�o�w�e�r�P�o�i�n�t� �D�o�c�u�m�e�n�t��(��ÿÿÿÿ��É��D�o�c�u�m�e�n�t�S�u�m�m�a�r�y�I�n�f�o�r�m�a�t�i�o�n��8�ÿÿÿÿÿÿÿÿÿÿÿÿ��3��è��ÿÿÿÿÿÿÿÿÿÿÿÿ��ÿÿÿÿÿÿÿÿÿÿÿÿ��ÿÿÿÿÿÿÿÿÿÿÿÿ��´Õ�Wo 0�10�·D��W�i�n�g�d�i�n�g�s��w��m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0��¤ ��`��ÿÿÿÿ��¥ ��.��© �� @�£n��ÿý?��" ��d��d��@��ÿÿï��ÿÿÿÿÿÿ�� @@��``�� ðü��ð��@��~��6��/�� /��7��Z��M��)��@��2��8��0��c�� /��/��2�� 0��/��,��+��*��)��(��$��3��'��)��&��%�� :��4��"��$��3��#��!��.��2��-�� ð0��A��¿��À��ÅA��ÿ��p�ñ��ÿ3��Ìf�Ì�f�ÿÿ�ÿf�ÿ��@�ñ��÷��ð8��ó��ó��ÐÑ��ððn�Ê;Ç�Ê;��úg��þ��ý4��X��d��X��d��ì 0��¨Õ��ÿÿÿ¦ÿÿÿ��p�û��p��p�û��@��<��ý4��!��d��!��d��® 0dÙ��ªÑ��<��ý4��d��d��d��d��® 0dÙ��ªÑ��<��ý4��B��d��B��d��® 0dÙ��ªÑ��ÿ�� N��0��º��_�_�_�P�P�T�1�0�� À��À��º��_�_�_�P�P�T�9��ð��®è��¯��¬`��ÿÿ��ÿÿ��ÿÿ��¯��¬X��ÿÿ��?�Ùd��Ú��-��º��1�1� �J�a�n�u�a�r�y� �2�0�0�5� �º*��D�a�n� �G�r�o�s�s�m�a�n�:� �C�y�c�l�o�n�e�O�Ù ��Ú��=��ðW{��ó��¨4��Cyclone: A Memory-Safe C-Level Programming Language ��¡"��5��3�� Ì�fþ��¨¬��Dan Grossman University of Washington Joint work with: Trevor Jim AT&T Research Greg Morrisett Harvard University Michael Hicks University of Maryland��¡:��'��(��&��Ì�fþ��ó��Â��¨��A safe C-level language��¨ �� Cyclone is a programming language and compiler aimed at safe systems programming C is not memory safe: void f(int* p, int i, int v) { p[i] = v; } Address p+i might hold important data or code Memory safety is crucial for reasoning about programs ��¡��S��9��h��:��ÿ3�þ��ÿ3�þ�� þ��þ��þ��þ�� $�� 6��ó��Ã�� "��C�a�l�l�e�r� s� �p�r�o�b�l�e�m�?��ª��¨Ã�� void g(void**, void*); int y = 0; int *z = &y; g(&z,0xBAD); *z = 123; Might be safe, but not if g does *x=y Type of g enough for code generation Type of g not enough for safety checking��¡$��N�� v�� þ��þ ��þ!��%��ª>�� s��&�� ó��ë��'��¨��Safe low-level systems��¨8��For a safety guarantee today, use YFHLL Your Favorite High Level Language YFHLL provides safety in part via: hidden data fields and run-time checks automatic memory management Data representation and resource management are essential aspects of low-level systems There are strong reasons for C-like languages��¡��(��#��#��D��$��Y��.��(��Ì�fþ��Ì�fþ��Ì�fþ��Ì�fþ��Ì�fþ��#��ÿ3�þ!�� ÿ3�þ��0�� ÿ3�þ��-��ó��ì��(��¨��Some insufficient approaches�� ®��C�o�m�p�i�l�e� �C� �w�i�t�h� �e�x�t�r�a� �i�n�f�o�r�m�a�t�i�o�n� �t�y�p�e� �f�i�e�l�d�s�,� �s�i�z�e� �f�i�e�l�d�s�,� �l�i�v�e�-�p�o�i�n�t�e�r� �t�a�b�l�e�,� �& �t�r�e�a�t�s� �C� �a�s� �a� �h�i�g�h�e�r�-�l�e�v�e�l� �l�a�n�g�u�a�g�e� � �U�s�e� �s�t�a�t�i�c� �a�n�a�l�y�s�i�s� �v�e�r�y� �d�i�f�f�i�c�u�l�t� �l�e�s�s� �m�o�d�u�l�a�r� � �B�a�n� �u�n�s�a�f�e� �f�e�a�t�u�r�e�s� �t�h�e�r�e� �a�r�e� �m�a�n�y� �y�o�u� �n�e�e�d� �t�h�e�m��¡��!��U��!��T�� ó��Ç��¨��Cyclone in brief�� *��A� �s�a�f�e�,� �c�o�n�v�e�n�i�e�n�t�,� �a�n�d� �m�o�d�e�r�n� �l�a�n�g�u�a�g�e� � �a�t� �t�h�e� �C� �l�e�v�e�l� �o�f� �a�b�s�t�r�a�c�t�i�o�n� �S�a�f�e�:� �m�e�m�o�r�y� �s�a�f�e�t�y�,� �a�b�s�t�r�a�c�t� �t�y�p�e�s�,� �n�o� �c�o�r�e� �d�u�m�p�s� � �C�-�l�e�v�e�l�:� �u�s�e�r�-�c�o�n�t�r�o�l�l�e�d� �d�a�t�a� �r�e�p�r�e�s�e�n�t�a�t�i�o�n� �a�n�d� �r�e�s�o�u�r�c�e� �m�a�n�a�g�e�m�e�n�t�,� �e�a�s�y� �i�n�t�e�r�o�p�e�r�a�b�i�l�i�t�y�,� � m�a�n�i�f�e�s�t� �c�o�s�t� � �C�o�n�v�e�n�i�e�n�t�:� �m�a�y� �n�e�e�d� �m�o�r�e� �t�y�p�e� �a�n�n�o�t�a�t�i�o�n�s�,� �b�u�t� �w�o�r�k� �h�a�r�d� �t�o� �a�v�o�i�d� �i�t� � �M�o�d�e�r�n�:� �a�d�d� �f�e�a�t�u�r�e�s� �t�o� �c�a�p�t�u�r�e� �c�o�m�m�o�n� �i�d�i�o�m�s� � � N�e�w� �c�o�d�e� �f�o�r� �l�e�g�a�c�y� �o�r� �i�n�h�e�r�e�n�t�l�y� �l�o�w�-�l�e�v�e�l� �s�y�s�t�e�m�s� ��¡ô��G��Z��Z�6��Z��Z�F��ÿ��þ��ÿ��þ��.�� e�� ;�� '��6��ó��È��¨��The plan from here�� ê��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �B�e�n�c�h�m�a�r�k�s�,� �p�o�r�t�s�,� �s�y�s�t�e�m�s�,� �c�o�m�p�i�l�e�r�,� �& �A�l�l� �o�n� �E�a�r�t�h� �s�o� �f�a�r� �Jð �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� � �R�e�a�l�l�y� � j�u�s�t� �a� �t�a�s�t�e� �o�f� �C�y�c�l�o�n�e��¡Â��Z�>��Z�)��Z�(��Z�-��Z�"��Z��<�� (��-��"��ó��É��¨��Status�� ®�� C�y�c�l�o�n�e� �r�e�a�l�l�y� �e�x�i�s�t�s� �(�e�x�c�e�p�t� �m�e�m�o�r�y�-�s�a�f�e� �t�h�r�e�a�d�s�)� � �>�1�5�0�K� �l�i�n�e�s� �o�f� �C�y�c�l�o�n�e� �c�o�d�e�,� �i�n�c�l�u�d�i�n�g� �t�h�e� �c�o�m�p�i�l�e�r� � �g�c�c� �b�a�c�k�-�e�n�d� �(�L�i�n�u�x�,� �C�y�g�w�i�n�,� �O�S�X�,� �M�i�n�d�s�t�o�r�m�,� �& )� � �U�s�e�r� s� �m�a�n�u�a�l�,� �m�a�i�l�i�n�g� �l�i�s�t�s�,� �& � �S�t�i�l�l� �a� �r�e�s�e�a�r�c�h� �v�e�h�i�c�l�e� � � ��¡À��4��¢��3��4�� 0�� ª�� ?��ó��Ê��¨ ��Evaluation��¨æ�� Is Cyclone like C? port code, measure source differences interface with C code (extend systems) What is the performance cost? port code, measure slowdown Is Cyclone good for low-level systems? write systems, ensure scalability ��¡Ê��" ��N��" ��'��" ��"��N�� '��"��ó��Ë�� ¨��Code differences��¨��Porting not automatic, but quite similar Many changes identify arrays and lengths Some changes incidental (absent prototypes, new keywords)��¡��ó��Ì�� ¨��Run-time performance��¨Ð��RHLinux 7.1 (2.4.9), 1.0GHz PIII, 512MRAM, gcc2.96 -O3, glibc 2.2.4 Comparable to other safe languages to start C level provides important optimization opportunities Understanding the applications could help��¡L��E��D��,��6��*��ó��Í��¨��Larger program: the compiler��¨Ö�� Scalable compiler + libraries (80K lines) build in < 30secs Generic libraries (e.g., lists, hashtables) clients have no syntactic/performance cost Static safety helps exploit the C-level I use &x more than in C ��¡¼�� 4��,��,��(�� 3�� ,��+�� (�� ó��Î�� ¨��Other projects��¨o��Open Kernel Environment [Bos/Samwel, OPENARCH 02] MediaNet [Hicks et al, OPENARCH 03]: RBClick [Patel/Lepreau, OPENARCH 03] STP [Patel et al., SOSP 03] FPGA synthesis [Teifel/Manohar, ISACS 04] Maryland undergrad O/S course (geekOS) [2004] Windows device driver (6K lines) Only 100 lines left in C But unrecoverable failures & other kernel corruptions remain ��¡��P�W��P��P�� '�� !��W��ªt�� =��,��ó��Ò��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡z��A��(��-��(��-��ó��Ó��¨��Not-null pointers��ª ��ó��Ô��¨��Example�� ê��F�I�L�E�*� �f�o�p�e�n�(�c�o�n�s�t� �c�h�a�r�@�,� �c�o�n�s�t� �c�h�a�r�@�)�;� �i�n�t� �f�g�e�t�c�(�F�I�L�E�@�)�;� �i�n�t� �f�c�l�o�s�e�(�F�I�L�E�@�)�;� �v�o�i�d� �g�(�)� �{� � � �F�I�L�E�*� �f� �=� �f�o�p�e�n�(� f�o�o� ,� � r� )�;� � � �i�n�t� �c�;� � � �w�h�i�l�e�(�(�c� �=� �f�g�e�t�c�(�f�)�)� �!�=� �E�O�F�)� �{�& }� � � �f�c�l�o�s�e�(�f�)�;� �}� � �G�i�v�e�s� �w�a�r�n�i�n�g� �a�n�d� �i�n�s�e�r�t�s� �o�n�e� �n�u�l�l�-�c�h�e�c�k� �E�n�c�o�u�r�a�g�e�s� �a� �h�o�i�s�t�e�d� �c�h�e�c�k��¡Ü��±��Z�E��Z��þ ��þ ��þ��þ ��þQ��D��ª�� a��ó��Õ��¨��A classic moral��¨L��FILE* fopen(const char@, const char@); int fgetc(FILE@); int fclose(FILE@); ��¡��M��þ ��þ ��þ �� ª,��1�� ó��Ö��!��¨��Key Design Principles in Action��¨K��Types to express invariants Preconditions for arguments Properties of values in memory Flow analysis where helpful Lets users control explicit checks Soundness + aliasing limits usefulness Users control data representation Pointers are addresses unless user allows otherwise Often can interoperate with C more safely just via types��¡°��Z�;��Z��Z�J��Z�"��Z�4��Z�9��Z��;��#��'��"��4��9��ª$��R��ñ��ó��ò��.�� (��I�t� s� �a�l�w�a�y�s� �a�l�i�a�s�i�n�g��¨¿��But can avoid checks when compiler knows all aliases. Can know by: Types: precondition checked at call site Flow: new objects start unaliased Else user should use a temporary (the safe thing)��¡ ��C��}��À��ª�� 3��ó��ó��/�� (��I�t� s� �a�l�w�a�y�s� �a�l�i�a�s�i�n�g��¨¿��But can avoid checks when compiler knows all aliases. Can know by: Types: precondition checked at call site Flow: new objects start unaliased Else user should use a temporary (the safe thing)��¡ ��C��}��À��ª�� 3��ó��ñ��-��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡p��A��(��-��*��(��-��ó��Ø�� (�� C�h�a�n�g�e� �v�o�i�d�*� �t�o� �`�a� ��¡:��¨��struct Lst { void* hd; struct Lst* tl; }; struct Lst* map( void* f(void*), struct Lst*); struct Lst* append( struct Lst*, struct Lst*);��¡\�� ;��þ1��þ!��ó��Ù��¨��Not much new here��¨��Closer to C than C++, Java generics, ML, etc. Unlike funcýÿÿÿ�� !��"��#��$��%��&��'��(��)��*��+��,��-��.��/��0��1��2��3��4��Ç��þÿÿÿ7��8��9��:��;��<��Ä��>��?��@��A��B��C��D��E��F��G��H��I��J��K��L��M��N��O��P��Q��R��S��T��U��V��W��X��Y��Z��[��\��]��^��_��`��a��b��c��d��e��f��g��h��i��j��k��l��m��n��o��p��q��r��s��t��u��v��w��x��y��z��{��|��}��~��ýÿÿÿtional languages, data representation may restrict `a to pointers, int why not structs? why not float? why int? Unlike templates, no code duplication or leaking implementations Unlike objects, no need to tag data��¡Ú��/��S��)��f��/��"��N��"��c��"��"��c��"��c��"�� "�� f��"��ª��¦��i��ó��Ú��¨��Existential types�� P�r�o�g�r�a�m�s� �n�e�e�d� �a� �w�a�y� �f�o�r� � c�a�l�l�-�b�a�c�k� �t�y�p�e�s�:� � � � � � �s�t�r�u�c�t� �T� �{� � � � � � �v�o�i�d� �(�*�f�)�(�v�o�i�d�*�,� �i�n�t�)�;� � � � � � �v�o�i�d�*� �e�n�v�;� � � �}�;� � �W�e� �u�s�e� �a�n� �e�x�i�s�t�e�n�t�i�a�l� �t�y�p�e� �(�s�i�m�p�l�i�f�i�e�d�)�:� � � � � � � �s�t�r�u�c�t� �T� �{� �<�`�a�>� � � � � � �v�o�i�d� �(�@�f�)�(�`�a�,� �i�n�t�)�;� � � � � � �`�a� �e�n�v�;� � � �}�;� � �m�o�r�e� �C�-�l�e�v�e�l� �t�h�a�n� �b�a�k�e�d�-�i�n� �c�l�o�s�u�r�e�s�/�o�b�j�e�c�t�s� ��¡��+��Z�A��0��Z��Z�*��Z�A��0��Z��,��8��Z��Z�+��>��"�� ÿ��þ��g��ÿ��þ��G��ÿ��þ��g��ÿ3�þ ��g��ÿ3�þ��,�� "��ó��Û��¨��Regions�� a�.�k�.�a�.� �z�o�n�e�s�,� �a�r�e�n�a�s�,� �& � �E�v�e�r�y� �o�b�j�e�c�t� �i�s� �i�n� �e�x�a�c�t�l�y� �o�n�e� �r�e�g�i�o�n� � �A�l�l�o�c�a�t�i�o�n� �v�i�a� �a� �r�e�g�i�o�n� �h�a�n�d�l�e� � �D�e�a�l�l�o�c�a�t�e� �a�n� �e�n�t�i�r�e� �r�e�g�i�o�n� � �s�i�m�u�l�t�a�n�e�o�u�s�l�y� � � �(�c�a�n�n�o�t� �f�r�e�e� �a�n� �o�b�j�e�c�t�)� � �O�l�d� �i�d�e�a� �w�i�t�h� �r�e�c�e�n�t� �s�u�p�p�o�r�t� �i�n� �l�a�n�g�u�a�g�e�s� �(�e�.�g�.�,� �R�C�,� �R�T�S�J�)� � �a�n�d� �i�m�p�l�e�m�e�n�t�a�t�i�o�n�s� �(�e�.�g�.�,� �M�L� �K�i�t�)��¡²��|��Z�*��Z��Z�_��Z��&��7�� _��ª>��`��F��.�� %��ó��Ü��¨��Cyclone regions [PLDI 02]��¡�� h�e�a�p� �r�e�g�i�o�n�:� �o�n�e�,� �l�i�v�e�s� �f�o�r�e�v�e�r�,� �c�o�n�s�e�r�v�a�t�i�v�e�l�y� �G�C� d� �s�t�a�c�k� �r�e�g�i�o�n�s�:� �c�o�r�r�e�s�p�o�n�d� �t�o� �l�o�c�a�l�-�d�e�c�l�a�r�a�t�i�o�n� �b�l�o�c�k�s�:� � �{�i�n�t� �x�;� �i�n�t� �y�;� �s�}� �g�r�o�w�a�b�l�e� �r�e�g�i�o�n�s�:� �s�c�o�p�e�d� �l�i�f�e�t�i�m�e�,� �b�u�t� �g�r�o�w�a�b�l�e�:� � � � �{�r�e�g�i�o�n� �r�;� �s�}� � �a�l�l�o�c�a�t�i�o�n� �r�o�u�t�i�n�e�s� �t�a�k�e� �a� �r�e�g�i�o�n� �h�a�n�d�l�e� � �h�a�n�d�l�e�s� �a�r�e� �f�i�r�s�t�-�c�l�a�s�s� �c�a�l�l�e�r� �d�e�c�i�d�e�s� �w�h�e�r�e�,� �c�a�l�l�e�e� �d�e�c�i�d�e�s� �h�o�w� �m�u�c�h� �n�o� �h�a�n�d�l�e�s� �f�o�r� �s�t�a�c�k� �r�e�g�i�o�n�s��¡��m��4��B�� K�� (��*��þ��þ��#��þ��"��.��ÿ3�þ��ªb��,��1��\��ó��Ý�� (��T�h�a�t� s� �t�h�e� �e�a�s�y� �p�a�r�t��¨c��The implementation is really simple because the type system statically prevents dangling pointers ��¡h��d�� ÿ��þ��ó��Þ��¨��The big restriction�� Î��A�n�n�o�t�a�t�e� �a�l�l� �p�o�i�n�t�e�r� �t�y�p�e�s� �w�i�t�h� �a� �r�e�g�i�o�n� �n�a�m�e� �(�a� �t�y�p�e� �v�a�r�i�a�b�l�e� �o�f� �r�e�g�i�o�n� �k�i�n�d�)� � �i�n�t�@�`�r� �m�e�a�n�s� � p�o�i�n�t�e�r� �i�n�t�o� �t�h�e� �r�e�g�i�o�n� �c�r�e�a�t�e�d� �b�y� �t�h�e� �c�o�n�s�t�r�u�c�t� �t�h�a�t� �i�n�t�r�o�d�u�c�e�s� �`�r� �h�e�a�p� �i�n�t�r�o�d�u�c�e�s� �`�H� � �L�:�& �i�n�t�r�o�d�u�c�e�s� �`�L� �{�r�e�g�i�o�n� �r�;� �s�}� �i�n�t�r�o�d�u�c�e�s� �`�r� � �r� �h�a�s� �t�y�p�e� �r�e�g�i�o�n�_�t�<�`�r�>� � �c�o�m�p�i�l�e�-�t�i�m�e� �c�h�e�c�k�:� �o�n�l�y� �l�i�v�e� �r�e�g�i�o�n�s� �a�r�e� �a�c�c�e�s�s�e�d� �b�y� �d�e�f�a�u�l�t�,� �f�u�n�c�t�i�o�n� �a�r�g�u�m�e�n�t�s� �p�o�i�n�t� �t�o� �l�i�v�e� �r�e�g�i�o�n�s� ��¡��P��S��$��B��²�� 3��5��"��"�� G��g��I��"��c��"��b��c��"��c�� "��c��g��þ��c�� "��c��"�� "�� c� �� "�� c� �� c� �� 3��b��5��b��c��ªP��¡��'��'��j��ó��ß��¨��Region polymorphism�� ø��A�p�p�l�y� �w�h�a�t� �w�e� �d�i�d� �f�o�r� �t�y�p�e� �v�a�r�i�a�b�l�e�s� �t�o� �r�e�g�i�o�n� �n�a�m�e�s� �(�o�n�l�y� �i�t� s� �m�o�r�e� �i�m�p�o�r�t�a�n�t� �a�n�d� �c�o�u�l�d� �b�e� �m�o�r�e� �o�n�e�r�o�u�s�)� � �v�o�i�d� �s�w�a�p�(�i�n�t� �@�`�r�1� �x�,� �i�n�t� �@�`�r�2� �y�)�{� � � �i�n�t� �t�m�p� �=� �*�x�;� � � �*�x� �=� �*�y�;� � � �*�y� �=� �t�m�p�;� �}� � �i�n�t�@�`�r� �s�u�m�p�t�r�(�r�e�g�i�o�n�_�t�<�`�r�>� �r�,�i�n�t� �x�,�i�n�t� �y�)�{� � � �r�e�t�u�r�n� �r�n�e�w�(�r�)� �(�x�+�y�)�;� �}��¡B��k��M�� E��k��C��G��þ��C��g��c��g��þ��c��g��c��g��þ ��c��g��þ ��c��C��C�� g� ��ÿ��þ�� c� �� g� ��þ �� c� �� g� ��ÿ��þ�� c� �� g� ��þ�� c� �� g� ��þ�� c� �� g� ��þ�� c� ��ª,��Ó��ó��à��¨��Type definitions��¨K��struct ILst<`r1,`r2> { int@`r1 hd; struct ILst<`r1,`r2> *`r2 tl; }; ��¡ ��L�� C��g��ÿ��þ��C�� g� ��ÿ��þ��C��g��ÿ��þ��C��g��ÿ��þ�� C� ��$g�$��ÿ��þ��(C�(��,g�,��ÿ��þ ��0C�0��0��0��ó��á�� ¨��Region subtyping�� Ò��I�f� �p� �p�o�i�n�t�s� �t�o� �a�n� �i�n�t� �i�n� �a� �r�e�g�i�o�n� �w�i�t�h� �n�a�m�e� �`�r�1�,� �i�s� �i�t� �e�v�e�r� �s�o�u�n�d� �t�o� �g�i�v�e� �p� �t�y�p�e� �i�n�t�*�`�r�2�?� � �I�f� �s�o�,� �l�e�t� � �i�n�t�*�`�r�1� �<� �i�n�t�*�`�r�2� � �R�e�g�i�o�n� �s�u�b�t�y�p�i�n�g� �i�s� �t�h�e� �o�u�t�l�i�v�e�s� �r�e�l�a�t�i�o�n�s�h�i�p� � � �{�r�e�g�i�o�n� �r�1�;� �& �{�r�e�g�i�o�n� �r�2�;� �& }� �& �}� � �L�I�F�O� �m�a�k�e�s� �s�u�b�t�y�p�i�n�g� �c�o�m�m�o�n� � ��¡$��[��M��!��g��ÿ��þ�� g� ��ÿ��þ�� C��g��ÿ��þ��o��ÿ��þçÿ��G��C��g��ÿ��þ��n��ÿ��þçÿ��o��ÿ��þçÿ�� B�� F�� B�� $�� C� �� B�� C� �� ª>��ª�� ó��â��"��¨��Regions evaluation��ª�� Æ��L�I�F�O� �r�e�g�i�o�n�s� �g�o�o�d� �f�o�r� �s�o�m�e� �i�d�i�o�m�s� �a�w�k�w�a�r�d� �i�n� �C� �R�e�g�i�o�n�s� �g�e�n�e�r�a�l�i�z�e� �s�t�a�c�k� �v�a�r�i�a�b�l�e�s� �a�n�d� �t�h�e� �h�e�a�p� �D�e�f�a�u�l�t�s� �a�n�d� �i�n�f�e�r�e�n�c�e� �m�a�k�e� �i�t� �s�u�r�p�r�i�s�i�n�g�l�y� �p�a�l�a�t�a�b�l�e� �W�o�r�s�t� �p�a�r�t�:� �d�e�f�i�n�i�n�g� �r�e�g�i�o�n�-�a�l�l�o�c�a�t�e�d� �d�a�t�a� �s�t�r�u�c�t�u�r�e�s� �C�y�c�l�o�n�e� �a�c�t�u�a�l�l�y� �h�a�s� �m�u�c�h� �m�o�r�e� �[�I�S�M�M� �0�4�]� �N�o�n�-�L�I�F�O� �r�e�g�i�o�n�s� � U�n�i�q�u�e� �p�o�i�n�t�e�r�s� �E�x�p�l�i�c�i�t�l�y� �r�e�f�e�r�e�n�c�e�-�c�o�u�n�t�e�d� �p�o�i�n�t�e�r�s� �A� � u�n�i�f�i�e�d� �s�y�s�t�e�m� ,� �n�o�t� �n� �s�u�b�l�a�n�g�a�g�e�s� ��¡��/��x�f��6��)��p��/��f��6�� a�� ª��W��ó��ã��#��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡p��A��(��-��A��(�� ó��ä��$��¨��Other safety holes�� J��A�r�r�a�y�s� �(�w�h�a�t� �o�r� �w�h�e�r�e� �i�s� �t�h�e� �s�i�z�e�)� �O�p�t�i�o�n�s�:� �d�y�n�a�m�i�c� �b�o�u�n�d�,� �i�n� �a� �f�i�e�l�d�/�v�a�r�i�a�b�l�e�,� �c�o�m�p�i�l�e�-�t�i�m�e� �b�o�u�n�d�,� �s�p�e�c�i�a�l� �s�t�r�i�n�g� �s�u�p�p�o�r�t� �T�h�r�e�a�d�s� �(�a�v�o�i�d�i�n�g� �r�a�c�e�s�)� �v�a�p�o�r�w�a�r�e� �t�y�p�e� �s�y�s�t�e�m� �t�o� �e�n�f�o�r�c�e� �l�o�c�k�-�b�a�s�e�d� �m�u�t�u�a�l� �e�x�c�l�u�s�i�o�n� �C�a�s�t�s� �A�l�l�o�w� �o�n�l�y� � u�p� �c�a�s�t�s� �a�n�d� �c�a�s�t�s� �t�o� �n�u�m�b�e�r�s� �U�n�i�o�n�s� �C�h�e�c�k�e�d� �t�a�g�s� �o�r� �b�i�t�s�-�o�n�l�y� �f�i�e�l�d�s� �U�n�i�n�i�t�i�a�l�i�z�e�d� �d�a�t�a� �F�l�o�w� �a�n�a�l�y�s�i�s� �(�s�a�f�e�r� �a�n�d� �e�a�s�i�e�r� �t�h�a�n� �d�e�f�a�u�l�t� �i�n�i�t�i�a�l�i�z�e�r�s�)� �V�a�r�a�r�g�s� �(�s�a�f�e� �v�i�a� �c�h�a�n�g�e�d� �c�a�l�l�i�n�g� �c�o�n�v�e�n�t�i�o�n�)��¡î��#��X��=��+��!��;��.��#��X��=��+�� !�� ;��.��ª>�� A��'��ó��å��%��¨��And modern conveniences�� æ��3�0� �y�e�a�r�s� �a�f�t�e�r� �C�,� �s�o�m�e� �t�h�i�n�g�s� �a�r�e� �w�o�r�t�h� �a�d�d�i�n�g�& � �T�a�g�g�e�d� �u�n�i�o�n�s� �a�n�d� �p�a�t�t�e�r�n� �m�a�t�c�h�i�n�g� �o�n� �t�h�e�m� �I�n�t�r�a�p�r�o�c�e�d�u�r�a�l� �t�y�p�e� �i�n�f�e�r�e�n�c�e� �T�u�p�l�e�s� �(�l�i�k�e� �a�n�o�n�y�m�o�u�s� �s�t�r�u�c�t�s�)� �E�x�c�e�p�t�i�o�n�s� �S�t�r�u�c�t� �a�n�d� �a�r�r�a�y� �i�n�i�t�i�a�l�i�z�e�r�s� �N�a�m�e�s�p�a�c�e�s� �n�e�w� �f�o�r� �a�l�l�o�c�a�t�i�o�n� �+� �i�n�i�t�i�a�l�i�z�a�t�i�o�n� ��¡Z��0��x�Ã��0�� "��ª>��{�� H��ó��ê��&��¨��Plenty of work remains��¨Ó��Common limitations: Aliasing Arithmetic Unportable assumptions (But interoperating with C is much simpler than in a HLL) Big challenge for next generation: guarantees beyond fail-safe (i.e., graceful abort)��¡X��,��:��Y��^��r��ª��(�� ¢��ó��Ï��¨��Related work: making C safer�� Ê��C�o�m�p�i�l�e� �t�o� �m�a�k�e� �d�y�n�a�m�i�c� �c�h�e�c�k�s� �p�o�s�s�i�b�l�e� �S�a�f�e�-�C� �[�A�u�s�t�i�n� �e�t� �a�l�.�]�,� �R�T�C� �[�Y�o�n�g�/�H�o�r�w�i�t�z�]�,� �.�.�.� �P�u�r�i�f�y�,� �S�t�a�c�k�g�u�a�r�d�,� �E�l�e�c�t�r�i�c� �F�e�n�c�e�,� �& �C�C�u�r�e�d� �[�N�e�c�u�l�a� �e�t� �a�l�.�]� �p�e�r�f�o�r�m�a�n�c�e� �v�i�a� �w�h�o�l�e�-�p�r�o�g�r�a�m� �a�n�a�l�y�s�i�s� �l�e�s�s� �u�s�e�r� �b�u�r�d�e�n� �l�e�s�s� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t�,� �s�i�n�g�l�e�-�t�h�r�e�a�d�e�d� � �C�o�n�t�r�o�l�-�C� �[�A�d�v�e� �e�t� �a�l�.�]� �w�e�a�k�e�r� �g�u�a�r�a�n�t�y�,� �l�e�s�s� �b�u�r�d�e�n� � �S�F�I� �[�W�a�h�b�e�,� �S�m�a�l�l�,� �.�.�.�]�:� �s�a�n�d�b�o�x�i�n�g� �v�i�a� �b�i�n�a�r�y� �r�e�w�r�i�t�i�n�g� ��¡ð��(��Z�m��Z�`��Z�p��Z��Z�(��1��`�� #�� ª>��@��a��ó��í��*��¨��Related Work: Checking C code�� f��M�o�d�e�l�-�c�h�e�c�k�i�n�g� �C� �c�o�d�e� �(�S�L�A�M�,� �B�L�A�S�T�,� �& )� �L�e�v�e�r�a�g�e�s� �s�c�a�l�a�b�i�l�i�t�y� �o�f� �M�C� �K�e�y� �i�s� �a�u�t�o�m�a�t�i�c� �b�u�i�l�d�i�n�g� �a�n�d� �r�e�f�i�n�i�n�g� �o�f� �m�o�d�e�l� �T�h�e�y� �a�s�s�u�m�e� �(�w�e�a�k�)� �m�e�m�o�r�y� �s�a�f�e�t�y� �L�i�n�t�-�l�i�k�e� �t�o�o�l�s� �(�S�p�l�i�n�t�,� �M�e�t�a�l�,� �P�r�e�F�I�X�,� �& )� �G�o�o�d� �a�t� �r�e�d�u�c�i�n�g� �f�a�l�s�e� �p�o�s�i�t�i�v�e�s� �C�a�n�n�o�t� �e�n�s�u�r�e� �a�b�s�e�n�c�e� �o�f� �b�u�g�s� �M�e�t�a�l� �p�a�r�t�i�c�u�l�a�r�l�y� �g�o�o�d� �f�o�r� �u�s�e�r�-�d�e�f�i�n�e�d� �c�h�e�c�k�s� �C�q�u�a�l� �(�u�s�e�r�-�d�e�f�i�n�e�d� �q�u�a�l�i�f�i�e�r�s�,� �l�o�t�s� �o�f� �i�n�f�e�r�e�n�c�e�)� �B�e�t�t�e�r� �f�o�r� �u�n�c�h�a�n�g�e�a�b�l�e� �c�o�d�e� �o�r� �u�s�e�r�-�d�e�f�i�n�e�d� �c�h�e�c�k�s� � �(�i�.�e�.�,� �t�h�e�y� r�e� �c�o�m�p�l�e�m�e�n�t�a�r�y�)��¡Â��'��m��+��o��3��S��'��Q��+��!��H��2�� S��ª,��´��t��ó��ð��,��¨��Related work: higher and lower�� ¸��A�d�a�p�t�e�d�/�e�x�t�e�n�d�e�d� �i�d�e�a�s�:� �p�o�l�y�m�o�r�p�h�i�s�m� �[�M�L�,� �H�a�s�k�e�l�l�,� �& ]� �r�e�g�i�o�n�s� �[�T�o�f�t�e�/�T�a�l�p�i�n�,� �W�a�l�k�e�r� �e�t� �a�l�.�,� �& ]� �s�a�f�e�t�y� �v�i�a� �d�a�t�a�f�l�o�w� �[�J�a�v�a�,� �& ]� �e�x�i�s�t�e�n�t�i�a�l� �t�y�p�e�s� �[�M�i�t�c�h�e�l�l�/�P�l�o�t�k�i�n�,� �& ]� �c�o�n�t�r�o�l�l�i�n�g� �d�a�t�a� �r�e�p�r�e�s�e�n�t�a�t�i�o�n� �[�A�d�a�,� �M�o�d�u�l�a�-�3�,� �& ]� � �S�a�f�e� �l�o�w�e�r�-�l�e�v�e�l� �l�a�n�g�u�a�g�e�s� �[�T�A�L�,� �P�C�C�,� �& ]� �e�n�g�i�n�e�e�r�e�d� �f�o�r� �m�a�c�h�i�n�e�-�g�e�n�e�r�a�t�e�d� �c�o�d�e� � �V�a�u�l�t�:� �s�t�r�o�n�g�e�r� �p�r�o�p�e�r�t�i�e�s� �v�i�a� �r�e�s�t�r�i�c�t�e�d� �a�l�i�a�s�i�n�g� ��¡��Á��)��'��4��À��)��&��4��ó��Ñ��¨��Summary�� ò��C�y�c�l�o�n�e�:� �a� �s�a�f�e� �l�a�n�g�u�a�g�e� �a�t� �t�h�e� �C�-�l�e�v�e�l� �o�f� �a�b�s�t�r�a�c�t�i�o�n� � �S�y�n�e�r�g�i�s�t�i�c� �c�o�m�b�i�n�a�t�i�o�n� �o�f� �t�y�p�e�s�,� �f�l�o�w� �a�n�a�l�y�s�i�s�,� �a�n�d� �r�u�n�-�t�i�m�e� �c�h�e�c�k�s� � �A� �r�e�a�l� �c�o�m�p�i�l�e�r� �a�n�d� �p�r�o�t�o�t�y�p�e� �a�p�p�l�i�c�a�t�i�o�n�s� � �P�r�o�p�e�r�t�i�e�s� �l�i�k�e� � n�o�t� �N�U�L�L� ,� � h�a�s� �l�o�n�g�e�r� �l�i�f�e�t�i�m�e� ,� � h�a�s� �a�r�r�a�y� �l�e�n�g�t�h� & �n�o�w� �i�n� �t�h�e� �l�a�n�g�u�a�g�e� �a�n�d� �c�h�e�c�k�e�d� � �E�a�s�y� �i�n�t�e�r�o�p�e�r�a�b�i�l�i�t�y� �w�i�t�h� �C� �a�l�l�o�w� �s�m�o�o�t�h� �a�n�d� �i�n�c�r�e�m�e�n�t�a�l� �m�o�v�e� �t�o�w�a�r�d� �m�e�m�o�r�y� �s�a�f�e�t�y� � �i�n� �t�h�e�o�r�y� �a�t� �l�e�a�s�t��¡z��g��7�� E�� +�� g�� U��ó��î��)��¨ ��Availability�� L�i�k�e� �a�n�y� �l�a�n�g�u�a�g�e�,� �y�o�u� �h�a�v�e� �t�o� � k�i�c�k� �t�h�e� �t�i�r�e�s� :� �w�w�w�.�r�e�s�e�a�r�c�h�.�a�t�t�.�c�o�m�/�p�r�o�j�e�c�t�s�/�c�y�c�l�o�n�e� � �A�l�s�o� �s�e�e�:� �J�a�n�.� �2�0�0�5� �C�/�C�+�+� �U�s�e�r� s� �J�o�u�r�n�a�l� �U�S�E�N�I�X� �2�0�0�2� � �C�o�n�v�e�r�s�e�l�y�,� �I� �w�a�n�t� �t�o� �k�n�o�w� �N�A�S�A� s� �C�-�l�e�v�e�l� �c�o�d�e� �n�e�e�d�s� �M�a�y�b�e� �i�d�e�a�s� �f�r�o�m� �C�y�c�l�o�n�e� �w�i�l�l� �h�e�l�p� �M�a�y�b�e� �n�o�t� �E�i�t�h�e�r� �w�a�y� �w�o�u�l�d� �b�e� �f�a�s�c�i�n�a�t�i�n�g� ��¡¢��1��'�� +��5��-��!��1��%��Ì�fþ�� +��ª��1��Ì��ó��æ��¨�� r��[�P�r�e�s�e�n�t�a�t�i�o�n� �e�n�d�s� �h�e�r�e� � � � �s�o�m�e� �a�u�x�i�l�i�a�r�y� �s�l�i�d�e�s� �f�o�l�l�o�w�]��¡��:��:��ó��ç��¨��Example in Cyclone��¨��void f(int@{`j} p, tag_t<`i> i, int v ; `i < `j){ p[i] = v; } Note: regions and locks use implicit defaults (live and accessible)��¡Ì��I��E��þ��ÿ3�þ ��ÿ3�þ�� ÿ3�þ��F��ª,��"��R��ó��ô��0��¨��Some other problems�� \��O�n�e� �s�a�f�e�t�y� �v�i�o�l�a�t�i�o�n� �t�y�p�i�c�a�l�l�y� �r�e�n�d�e�r�s� �a�l�l� �p�r�o�g�r�a�m� �p�r�o�p�e�r�t�i�e�s� �p�o�t�e�n�t�i�a�l�l�y� �i�r�r�e�l�e�v�a�n�t� � �S�o� �p�r�o�h�i�b�i�t�:� � � � �i�n�c�o�r�r�e�c�t� �c�a�s�t�s�,� �a�r�r�a�y�-�b�o�u�n�d�s� �v�i�o�l�a�t�i�o�n�s�,� �m�i�s�u�s�e�d� �u�n�i�o�n�s�,� �u�n�i�n�i�t�i�a�l�i�z�e�d� �p�o�i�n�t�e�r�s�,� �d�a�n�g�l�i�n�g� �p�o�i�n�t�e�r�s�,� �n�u�l�l�-�p�o�i�n�t�e�r� �d�e�r�e�f�e�r�e�n�c�e�s�,� �d�a�n�g�l�i�n�g� �l�o�n�g�j�m�p�,� �v�a�r�a�r�g� �m�i�s�m�a�t�c�h�,� �n�o�t� �r�e�t�u�r�n�i�n�g� �p�o�i�n�t�e�r�s�,� �d�a�t�a� �r�a�c�e�s�,� �& ��¡,��d��Z�Ë��Z�d��Ë��/�ð¨��ó��^��ó��Å��%��ó��Ð��&��ó��è��'��ó��é��(��ó��ï��)��P��ÿÿÿ��ê��ît��ï�� ù��P��Ø�� ð��0ð��¬��ð��ð(�� ð�� ð��¬��ð~�� ð��¬� ��s�ð*��ä¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð~�� ð��¬� ��s�ð*��Të¿��ÿ�� ð��ð@`��ð��Ã�� ð ��ðX�� ð��¬�� ð0��¿��À��ÿ��ð��`@°ð �ðH�� ð��¬�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î<��ï�� ù��P��ÿÿÿ� ��ð��ð��ø��ð$��ð(�� ð�� ð��ø��ðr�� ð��ø� ��S�ð��4Ã¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðr�� ð��ø� ��S�ð��ðÃ¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��ø�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��âñÄ0¼A#�îÊ��ï�� ù��P��ÿÿÿ� "��ð��ð�� 0��ð²��ð(�� ð�� ð��0��ðr�� ð��0� ��S�ð��¤¤¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðS�� ð��0�� ð6��Ø¥¿��¿��À��ÿ��ð��ðàÐ � ðí��¨W��void f(int*@p) { if(*p != NULL) { g(); **p = 42;//inserted check even w/o g() } }��¡N��X��þ��þK��ª$��K��ð�� ð��0� ��£�ð<��´«��¿��À��ÿ�� ð�� Ppð�ð��Ã�� ð ��ð¨�� ð�� 0�� ð6��¯��ÿÿ��¿��À��ÿ��ð��ð� À`� ðB��¡��ª ��ð^�� ð��0�� ð6��¿��À��Ë>��ÿ��ð��ÐÀ@�ð^�� ð�� 0�� ð6��¿��À��Ë>��ÿ��ð��@0@�ð®��¢ ð�� 0�� ð0��D¹¿��¿��À��ÿ��ð��P@`J� ðN��¨��37��¡�� 2��ª��ð^�� ð��0�� ð6��¿��À��Ë>��ÿ��ð�� @�ðX��B ð��0� ��ð0��D��¿��À��ËÑV��Ñ��ÿ��ð��àð Ðà�ð^��B ð��0� ��ð6��D��¿��À��ËÑV��Î��Ñ��ÿ��ð��à`@à�ð¯��¢ ð��0�� £�ð<��4.q��¿��¿��À��ÿ��ð��` 4 0� ðC��¨��p��¡��ª ��ðH�� ð��0�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��õÄS¼S�î ��ï�� ù��P��ÿÿÿ� Ü��ðÔ��ðð��4��ðl��ð(�� ð�� ð��4��ðx�� ð��4� ��c�ð$��¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð�� ð��4�� ð6��¿��¿��À��ÿ��ð��ðàÐt � ð��¨R��void f(int**p) { int* x = *p; if(x != NULL) { g(); *x = 42;//no check } }��¡j��S��þ��þ ��þ;��ª>��/��ð�� ð��4� ��£�ð<��°��¿��À��ÿ�� ð�� Ppð�ð��Ã�� ð ��ð¨�� ð��4�� ð6��ô��ÿÿ��¿��À��ÿ��ð��P� Àp� ðB��¡��ª ��ð^�� ð��4�� ð6��¿��À��Ë>��ÿ��ð��àÐÀ �ð^�� ð��4�� ð6��¿��À��Ë>��ÿ��ð��à@0 �ð®��¢ ð�� 4�� ð0��Pæq¿��¿��À��ÿ��ð��°@`ª� ðN��¨��37��¡�� 2��ª��ð^�� ð�� 4�� ð6��¿��À��Ë>��ÿ��ð��à �ðX��B ð��4� ��ð0��D��¿��À��ËÑV��Ñ��ÿ��ð��@ð ÐA�ð^��B ð�� 4� ��ð6��D��¿��À��ËÑV��Î��Ñ��ÿ��ð��@`@A�ð¯��¢ ð�� 4�� £�ð<��¬Cq��¿��¿��À��ÿ��ð��p` 4 � ðC��¨��p��¡��ª ��ð^�� ð��4�� ð6��¿��À��Ë>��ÿ��ð��ÐÀP�ð^��B ð��4� ��ð6��D��¿��À��ËÑV��Î��Ñ��ÿ��ð��Ð`@ñ�ð¯��¢ ð��4�� £�ð<��7q��¿��¿��À��ÿ��ð�� pD@� ðC��¨��x��¡��ª ��ðH�� ð��4�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��õÄS¼S�î��ï�� ù��@�� ¬��ð¤��ð��à��ð<��ð(�� ð�� ð��à��ð~�� ð��à� ��s�ð*��l+¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð~�� ð��à� ��s�ð*��¸¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð��à�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��î6��ï�� ù��@��ÿÿÿ� Î��ðÆ��ð��ä��ð^��ð(�� ð�� ð��ä��ð~�� ð��ä� ��s�ð*�� ¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ð~�� ð��ä� ��s�ð*��È¿��ÿ�� ð��à�T�ð��Ã�� ð ��ð��¢ ð��ä�� ð0��Ü¿��¿��À��ÿ��ð�� ððà� ðº��¨��void f() { int* x; { int y = 0; x = &y; // x not dangling } // x dangling { int* z = NULL; *x = 123; ... } } ��¡ø��Z��þ ��þ��þ�� þ��ª��ðH�� ð��ä�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��r0��Î�Ô��Ö��Ü� �:(�V*�ò� �Ü�®��õ��í�ª�.��ô��C��èp��é(��à��8��Ø�� òú��/�È ��0�Ò��Õ0��·D��T�i�m�e�s� �N�e�w� �R�o�m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0��·D��A�r�i�a�l��N�e�w� �R�o�m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0�" �·D��C�o�u�r�i�e�r� �N�e�� !��"��#��$��%��&��'��(��)��*��+��,��-��.��/��0��1��2��þÿÿÿ4��5��6��7��8��9��:��;��<��=��>��?��@��A��B��C��D��E��F��G��H��I��J��þÿÿÿL��þÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿþÿ��àòùOh«�+'³Ù0��\ �� h��p��°��È��ô�� 8�� D�� P��\��d��ä��8��Cyclone: Safe Programming at the C Level of Abstraction�� Dan Grossman� Pr��!��T:\talks\dan_design_template.pot�C L�� Dan Grossman�des��307��Microsoft PowerPoint�emp@��0«M��@��0ÅtÂ@��`®ÒìÑøÄ��G��î ��ÿÿÿÿ��g �� o��1��&��ÿÿÿÿ��À��Ð�� &��ÿÿÿÿ��&�#�ÿÿÿÿ��TNPP� Ñ�2��ÿÿO��M�i�� &� �TNPP��ô ��&��ÿÿÿÿ��&��TNPP� �� ÐÀ�� ü��ÿÿÿ��-��ú��-��-�� !�ð�ÐÀ��-��ü��ÿÿÿ��-��ð��ú��-��&��ÿÿÿÿ��M��l��-��ü��33Ì��-�� $�P��P��h�h��-��-��ð��&��ÿÿÿÿ��&��ÿÿÿÿ��M��]��l��d��-��ü��33Ì��-�� $�P�^P�bhbh^��-��-��ð��&��ÿÿÿÿ��ü��-��-��!y¨�H��-��-��û��Üñw@��± ÜÌñ�Øówáów õw fÍ��-�� ûÕÿ��@�"Arial��- Êë�Øówáów õw fÍ��-��ð�� Ì�f��.��!��2 ×�¤��Cyclone: A Memory�� #��#��.�� Ì�f��.�� 2 ×��-��.�� Ì�f��.��2 ×�&��Safe C�� .�� Ì�f��.�� 2 ×�©��-��.�� Ì�f��.��2 ×�·��Level �� .�� Ì�f��.��%��2 û��Programming Language��$�#� �� .��-��-��ñy88��-��-�� Ì�f��ûàÿ��@�"Arial��± çë�Øówáów õw fÍ��-��ð�� Ì�f��.��2 \m ��Dan Grossman�� .�� Ì�f��.��+��2 (��University of Washington�� .�� 33Ì��.��1��2 òK��Joint work with: Trevor Jim�� .�� 33Ì��.��2 ò" ��AT&T Research�� .�� 33Ì��.��2 8��Greg Morrisett�� .�� 33Ì��.��"��2 "��Harvard University�� .�� 33Ì��.��2 >8 ��Michael Hicks�� .�� 33Ì��.��(��2 >"��University of Maryland�� .��-��-��û��¼��"System�Í fÍ�� !��Àõ��-��ð��&��TNPP� �� &��ÿÿÿÿ��þÿ��ÕÍÕ.�+,ù®0��¸��¨��¸��À��È��Ð�� Ø�� à��è��ð��ø�� V��ä��On-screen Show��CUCS�ree��É��)��í �� program: the compiler��¨Ö�� Scalable compiler + libraries (80K lines) build in < 30secs Generic libraries (e.g., lists, hashtables) clients have no syntactic/performance cost Static safety helps exploit the C-level I use &x more than in C ��¡¼�� 4��,��,��(�� 3�� ,��+�� (�� ó��Î�� ¨��Other projects��¨o��Open Kernel Environment [Bos/Samwel, OPENARCH 02] MediaNet [Hicks et al, OPENARCH 03]: RBClick [Patel/Lepreau, OPENARCH 03] STP [Patel et al., SOSP 03] FPGA synthesis [Teifel/Manohar, ISACS 04] Maryland undergrad O/S course (geekOS) [2004] Windows device driver (6K lines) Only 100 lines left in C But unrecoverable failures & other kernel corruptions remain ��¡��P�W��P��P�� '�� !��W��ªt�� =��,��ó��Ò��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡z��A��(��-��(��-��ó��Ó��¨��Not-null pointers��ª ��ó��Ô��¨��Example�� ê��F�I�L�E�*� �f�o�p�e�n�(�c�o�n�s�t� �c�h�a�r�@�,� �c�o�n�s�t� �c�h�a�r�@�)�;� �i�n�t� �f�g�e�t�c�(�F�I�L�E�@�)�;� �i�n�t� �f�c�l�o�s�e�(�F�I�L�E�@�)�;� �v�o�i�d� �g�(�)� �{� � � �F�I�L�E�*� �f� �=� �f�o�p�e�n�(� f�o�o� ,� � r� )�;� � � �i�n�t� �c�;� � � �w�h�i�l�e�(�(�c� �=� �f�g�e�t�c�(�f�)�)� �!�=� �E�O�F�)� �{�& }� � � �f�c�l�o�s�e�(�f�)�;� �}� � �G�i�v�e�s� �w�a�r�n�i�n�g� �a�n�d� �i�n�s�e�r�t�s� �o�n�e� �n�u�l�l�-�c�h�e�c�k� �E�n�c�o�u�r�a�g�e�s� �a� �h�o�i�s�t�e�d� �c�h�e�c�k��¡Ü��±��Z�E��Z��þ ��þ ��þ��þ ��þQ��D��ª�� a��ó��Õ��¨��A classic moral��¨L��FILE* fopen(const char@, const char@); int fgetc(FILE@); int fclose(FILE@); ��¡��M��þ ��þ ��þ �� ª,��1�� ó��Ö��!��¨��Key Design Principles in Action��¨K��Types to express invariants Preconditions for arguments Properties of values in memory Flow analysis where helpful Lets users control explicit checks Soundness + aliasing limits usefulness Users control data representation Pointers are addresses unless user allows otherwise Often can interoperate with C more safely just via types��¡°��Z�;��Z��Z�J��Z�"��Z�4��Z�9��Z��;��#��'��"��4��9��ª$��R��ñ��ó��ò��.�� (��I�t� s� �a�l�w�a�y�s� �a�l�i�a�s�i�n�g��¨¿��But can avoid checks when compiler knows all aliases. Can know by: Types: precondition checked at call site Flow: new objects start unaliased Else user should use a temporary (the safe thing)��¡ ��C��}��À��ª�� 3��ó��ó��/�� (��I�t� s� �a�l�w�a�y�s� �a�l�i�a�s�i�n�g��¨¿��But can avoid checks when compiler knows all aliases. Can know by: Types: precondition checked at call site Flow: new objects start unaliased Else user should use a temporary (the safe thing)��¡ ��C��}��À��ª�� 3��ó��ñ��-��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡p��A��(��-��*��(��-��ó��Ø�� (�� C�h�a�n�g�e� �v�o�i�d�*� �t�o� �`�a� ��¡:��¨��struct Lst { void* hd; struct Lst* tl; }; struct Lst* map( void* f(void*), struct Lst*); struct Lst* append( struct Lst*, struct Lst*);��¡\�� ;��þ1��þ!��ó��Ù��¨��Not much new here��¨��Closer to C than C++, Java generics, ML, etc. Unlike functional languages, data representation may restrict `a to pointers, int why not structs? why not float? why int? Unlike templates, no code duplication or leaking implementations Unlike objects, no need to tag data��¡Ú��/��S��)��f��/��"��N��"��c��"��"��c��"��c��"�� "�� f��"��ª��¦��i��ó��Ú��¨��Existential types�� P�r�o�g�r�a�m�s� �n�e�e�d� �a� �w�a�y� �f�o�r� � c�a�l�l�-�b�a�c�k� �t�y�p�e�s�:� � � � � � �s�t�r�u�c�t� �T� �{� � � � � � �v�o�i�d� �(�*�f�)�(�v�o�i�d�*�,� �i�n�t�)�;� � � � � � �v�o�i�d�*� �e�n�v�;� � � �}�;� � �W�e� �u�s�e� �a�n� �e�x�i�s�t�e�n�t�i�a�l� �t�y�p�e� �(�s�i�m�p�l�i�f�i�e�d�)�:� � � � � � � �s�t�r�u�c�t� �T� �{� �<�`�a�>� � � � � � �v�o�i�d� �(�@�f�)�(�`�a�,� �i�n�t�)�;� � � � � � �`�a� �e�n�v�;� � � �}�;� � �m�o�r�e� �C�-�l�e�v�e�l� �t�h�a�n� �b�a�k�e�d�-�i�n� �c�l�o�s�u�r�e�s�/�o�b�j�e�c�t�s� ��¡��+��Z�A��0��Z��Z�*��Z�A��0��Z��,��8��Z��Z�+��>��"�� ÿ��þ��g��ÿ��þ��G��ÿ��þ��g��ÿ3�þ ��g��ÿ3�þ��,�� "��ó��Û��¨��Regions�� a�.�k�.�a�.� �z�o�n�e�s�,� �a�r�e�n�a�s�,� �& � �E�v�e�r�y� �o�b�j�e�c�t� �i�s� �i�n� �e�x�a�c�t�l�y� �o�n�e� �r�e�g�i�o�n� � �A�l�l�o�c�a�t�i�o�n� �v�i�a� �a� �r�e�g�i�o�n� �h�a�n�d�l�e� � �D�e�a�l�l�o�c�a�t�e� �a�n� �e�n�t�i�r�e� �r�e�g�i�o�n� � �s�i�m�u�l�t�a�n�e�o�u�s�l�y� � � �(�c�a�n�n�o�t� �f�r�e�e� �a�n� �o�b�j�e�c�t�)� � �O�l�d� �i�d�e�a� �w�i�t�h� �r�e�c�e�n�t� �s�u�p�p�o�r�t� �i�n� �l�a�n�g�u�a�g�e�s� �(�e�.�g�.�,� �R�C�,� �R�T�S�J�)� � �a�n�d� �i�m�p�l�e�m�e�n�t�a�t�i�o�n�s� �(�e�.�g�.�,� �M�L� �K�i�t�)��¡²��|��Z�*��Z��Z�_��Z��&��7�� _��ª>��`��F��.�� %��ó��Ü��¨��Cyclone regions [PLDI 02]��¡�� h�e�a�p� �r�e�g�i�o�n�:� �o�n�e�,� �l�i�v�e�s� �f�o�r�e�v�e�r�,� �c�o�n�s�e�r�v�a�t�i�v�e�l�y� �G�C� d� �s�t�a�c�k� �r�e�g�i�o�n�s�:� �c�o�r�r�e�s�p�o�n�d� �t�o� �l�o�c�a�l�-�d�e�c�l�a�r�a�t�i�o�n� �b�l�o�c�k�s�:� � �{�i�n�t� �x�;� �i�n�t� �y�;� �s�}� �g�r�o�w�a�b�l�e� �r�e�g�i�o�n�s�:� �s�c�o�p�e�d� �l�i�f�e�t�i�m�e�,� �b�u�t� �g�r�o�w�a�b�l�e�:� � � � �{�r�e�g�i�o�n� �r�;� �s�}� � �a�l�l�o�c�a�t�i�o�n� �r�o�u�t�i�n�e�s� �t�a�k�e� �a� �r�e�g�i�o�n� �h�a�n�d�l�e� � �h�a�n�d�l�e�s� �a�r�e� �f�i�r�s�t�-�c�l�a�s�s� �c�a�l�l�e�r� �d�e�c�i�d�e�s� �w�h�e�r�e�,� �c�a�l�l�e�e� �d�e�c�i�d�e�s� �h�o�w� �m�u�c�h� �n�o� �h�a�n�d�l�e�s� �f�o�r� �s�t�a�c�k� �r�e�g�i�o�n�s��¡��m��4��B�� K�� (��*��þ��þ��#��þ��"��.��ÿ3�þ��ªb��,��1��\��ó��Ý�� (��T�h�a�t� s� �t�h�e� �e�a�s�y� �p�a�r�t��¨c��The implementation is really simple because the type system statically prevents dangling pointers ��¡h��d�� ÿ��þ��ó��Þ��¨��The big restriction�� Î��A�n�n�o�t�a�t�e� �a�l�l� �p�o�i�n�t�e�r� �t�y�p�e�s� �w�i�t�h� �a� �r�e�g�i�o�n� �n�a�m�e� �(�a� �t�y�p�e� �v�a�r�i�a�b�l�e� �o�f� �r�e�g�i�o�n� �k�i�n�d�)� � �i�n�t�@�`�r� �m�e�a�n�s� � p�o�i�n�t�e�r� �i�n�t�o� �t�h�e� �r�e�g�i�o�n� �c�r�e�a�t�e�d� �b�y� �t�h�e� �c�o�n�s�t�r�u�c�t� �t�h�a�t� �i�n�t�r�o�d�u�c�e�s� �`�r� �h�e�a�p� �i�n�t�r�o�d�u�c�e�s� �`�H� � �L�:�& �i�n�t�r�o�d�u�c�e�s� �`�L� �{�r�e�g�i�o�n� �r�;� �s�}� �i�n�t�r�o�d�u�c�e�s� �`�r� � �r� �h�a�s� �t�y�p�e� �r�e�g�i�o�n�_�t�<�`�r�>� � �c�o�m�p�i�l�e�-�t�i�m�e� �c�h�e�c�k�:� �o�n�l�y� �l�i�v�e� �r�e�g�i�o�n�s� �a�r�e� �a�c�c�e�s�s�e�d� �b�y� �d�e�f�a�u�l�t�,� �f�u�n�c�t�i�o�n� �a�r�g�u�m�e�n�t�s� �p�o�i�n�t� �t�o� �l�i�v�e� �r�e�g�i�o�n�s� ��¡��P��S��$��B��²�� 3��5��"��"�� G��g��I��"��c��"��b��c��"��c�� "��c��g��þ��c�� "��c��"�� "�� c� �� "�� c� �� c� �� 3��b��5��b��c��ªP��¡��'��'��j��ó��ß��¨��Region polymorphism�� ø��A�p�p�l�y� �w�h�a�t� �w�e� �d�i�d� �f�o�r� �t�y�p�e� �v�a�r�i�a�b�l�e�s� �t�o� �r�e�g�i�o�n� �n�a�m�e�s� �(�o�n�l�y� �i�t� s� �m�o�r�e� �i�m�p�o�r�t�a�n�t� �a�n�d� �c�o�u�l�d� �b�e� �m�o�r�e� �o�n�e�r�o�u�s�)� � �v�o�i�d� �s�w�a�p�(�i�n�t� �@�`�r�1� �x�,� �i�n�t� �@�`�r�2� �y�)�{� � � �i�n�t� �t�m�p� �=� �*�x�;� � � �*�x� �=� �*�y�;� � � �*�y� �=� �t�m�p�;� �}� � �i�n�t�@�`�r� �s�u�m�p�t�r�(�r�e�g�i�o�n�_�t�<�`�r�>� �r�,�i�n�t� �x�,�i�n�t� �y�)�{� � � �r�e�t�u�r�n� �r�n�e�w�(�r�)� �(�x�+�y�)�;� �}��¡B��k��M�� E��k��C��G��þ��C��g��c��g��þ��c��g��c��g��þ ��c��g��þ ��c��C��C�� g� ��ÿ��þ�� c� �� g� ��þ �� c� �� g� ��ÿ��þ�� c� �� g� ��þ�� c� �� g� ��þ�� c� �� g� ��þ�� c� ��ª,��Ó��ó��à��¨��Type definitions��¨K��struct ILst<`r1,`r2> { int@`r1 hd; struct ILst<`r1,`r2> *`r2 tl; }; ��¡ ��L�� C��g��ÿ��þ��C�� g� ��ÿ��þ��C��g��ÿ��þ��C��g��ÿ��þ�� C� ��$g�$��ÿ��þ��(C�(��,g�,��ÿ��þ ��0C�0��0��0��ó��á�� ¨��Region subtyping�� Ò��I�f� �p� �p�o�i�n�t�s� �t�o� �a�n� �i�n�t� �i�n� �a� �r�e�g�i�o�n� �w�i�t�h� �n�a�m�e� �`�r�1�,� �i�s� �i�t� �e�v�e�r� �s�o�u�n�d� �t�o� �g�i�v�e� �p� �t�y�p�e� �i�n�t�*�`�r�2�?� � �I�f� �s�o�,� �l�e�t� � �i�n�t�*�`�r�1� �<� �i�n�t�*�`�r�2� � �R�e�g�i�o�n� �s�u�b�t�y�p�i�n�g� �i�s� �t�h�e� �o�u�t�l�i�v�e�s� �r�e�l�a�t�i�o�n�s�h�i�p� � � �{�r�e�g�i�o�n� �r�1�;� �& �{�r�e�g�i�o�n� �r�2�;� �& }� �& �}� � �L�I�F�O� �m�a�k�e�s� �s�u�b�t�y�p�i�n�g� �c�o�m�m�o�n� � ��¡$��[��M��!��g��ÿ��þ�� g� ��ÿ��þ�� C��g��ÿ��þ��o��ÿ��þçÿ��G��C��g��ÿ��þ��n��ÿ��þçÿ��o��ÿ��þçÿ�� B�� F�� B�� $�� C� �� B�� C� �� ª>��ª�� ó��â��"��¨��Regions evaluation��ª�� Æ��L�I�F�O� �r�e�g�i�o�n�s� �g�o�o�d� �f�o�r� �s�o�m�e� �i�d�i�o�m�s� �a�w�k�w�a�r�d� �i�n� �C� �R�e�g�i�o�n�s� �g�e�n�e�r�a�l�i�z�e� �s�t�a�c�k� �v�a�r�i�a�b�l�e�s� �a�n�d� �t�h�e� �h�e�a�p� �D�e�f�a�u�l�t�s� �a�n�d� �i�n�f�e�r�e�n�c�e� �m�a�k�e� �i�t� �s�u�r�p�r�i�s�i�n�g�l�y� �p�a�l�a�t�a�b�l�e� �W�o�r�s�t� �p�a�r�t�:� �d�e�f�i�n�i�n�g� �r�e�g�i�o�n�-�a�l�l�o�c�a�t�e�d� �d�a�t�a� �s�t�r�u�c�t�u�r�e�s� �C�y�c�l�o�n�e� �a�c�t�u�a�l�l�y� �h�a�s� �m�u�c�h� �m�o�r�e� �[�I�S�M�M� �0�4�]� �N�o�n�-�L�I�F�O� �r�e�g�i�o�n�s� � U�n�i�q�u�e� �p�o�i�n�t�e�r�s� �E�x�p�l�i�c�i�t�l�y� �r�e�f�e�r�e�n�c�e�-�c�o�u�n�t�e�d� �p�o�i�n�t�e�r�s� �A� � u�n�i�f�i�e�d� �s�y�s�t�e�m� ,� �n�o�t� �n� �s�u�b�l�a�n�g�a�g�e�s� ��¡��/��x�f��6��)��p��/��f��6�� a�� ª��W��ó��ã��#��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡p��A��(��-��A��(�� ó��ä��$��¨��Other safety holes�� J��A�r�r�a�y�s� �(�w�h�a�t� �o�r� �w�h�e�r�e� �i�s� �t�h�e� �s�i�z�e�)� �O�p�t�i�o�n�s�:� �d�y�n�a�m�i�c� �b�o�u�n�d�,� �i�n� �a� �f�i�e�l�d�/�v�a�r�i�a�b�l�e�,� �c�o�m�p�i�l�e�-�t�i�m�e� �b�o�u�n�d�,� �s�p�e�c�i�a�l� �s�t�r�i�n�g� �s�u�p�p�o�r�t� �T�h�r�e�a�d�s� �(�a�v�o�i�d�i�n�g� �r�a�c�e�s�)� �v�a�p�o�r�w�a�r�e� �t�y�p�e� �s�y�s�t�e�m� �t�o� �e�n�f�o�r�c�e� �l�o�c�k�-�b�a�s�e�d� �m�u�t�u�a�l� �e�x�c�l�u�s�i�o�n� �C�a�s�t�s� �A�l�l�o�w� �o�n�l�y� � u�p� �c�a�s�t�s� �a�n�d� �c�a�s�t�s� �t�o� �n�u�m�b�e�r�s� �U�n�i�o�n�s� �C�h�e�c�k�e�d� �t�a�g�s� �o�r� �b�i�t�s�-�o�n�l�y� �f�i�e�l�d�s� �U�n�i�n�i�t�i�a�l�i�z�e�d� �d�a�t�a� �F�l�o�w� �a�n�a�l�y�s�i�s� �(�s�a�f�e�r� �a�n�d� �e�a�s�i�e�r� �t�h�a�n� �d�e�f�a�u�l�t� �i�n�i�t�i�a�l�i�z�e�r�s�)� �V�a�r�a�r�g�s� �(�s�a�f�e� �v�i�a� �c�h�a�n�g�e�d� �c�a�l�l�i�n�g� �c�o�n�v�e�n�t�i�o�n�)��¡î��#��X��=��+��!��;��.��#��X��=��+�� !�� ;��.��ª>�� A��'��ó��å��%��¨��And modern conveniences�� æ��3�0� �y�e�a�r�s� �a�f�t�e�r� �C�,� �s�o�m�e� �t�h�i�n�g�s� �a�r�e� �w�o�r�t�h� �a�d�d�i�n�g�& � �T�a�g�g�e�d� �u�n�i�o�n�s� �a�n�d� �p�a�t�t�e�r�n� �m�a�t�c�h�i�n�g� �o�n� �t�h�e�m� �I�n�t�r�a�p�r�o�c�e�d�u�r�a�l� �t�y�p�e� �i�n�f�e�r�e�n�c�e� �T�u�p�l�e�s� �(�l�i�k�e� �a�n�o�n�y�m�o�u�s� �s�t�r�u�c�t�s�)� �E�x�c�e�p�t�i�o�n�s� �S�t�r�u�c�t� �a�n�d� �a�r�r�a�y� �i�n�i�t�i�a�l�i�z�e�r�s� �N�a�m�e�s�p�a�c�e�s� �n�e�w� �f�o�r� �a�l�l�o�c�a�t�i�o�n� �+� �i�n�i�t�i�a�l�i�z�a�t�i�o�n� ��¡Z��0��x�Ã��0�� "��ª>��{�� H��ó��ê��&��¨��Plenty of work remains��¨Ó��Common limitations: Aliasing Arithmetic Unportable assumptions (But interoperating with C is much simpler than in a HLL) Big challenge for next generation: guarantees beyond fail-safe (i.e., graceful abort)��¡X��,��:��Y��^��r��ª��(�� ¢��ó��Ï��¨��Related work: making C safer�� Ê��C�o�m�p�i�l�e� �t�o� �m�a�k�e� �d�y�n�a�m�i�c� �c�h�e�c�k�s� �p�o�s�s�i�b�l�e� �S�a�f�e�-�C� �[�A�u�s�t�i�n� �e�t� �a�l�.�]�,� �R�T�C� �[�Y�o�n�g�/�H�o�r�w�i�t�z�]�,� �.�.�.� �P�u�r�i�f�y�,� �S�t�a�c�k�g�u�a�r�d�,� �E�l�e�c�t�r�i�c� �F�e�n�c�e�,� �& �C�C�u�r�e�d� �[�N�e�c�u�l�a� �e�t� �a�l�.�]� �p�e�r�f�o�r�m�a�n�c�e� �v�i�a� �w�h�o�l�e�-�p�r�o�g�r�a�m� �a�n�a�l�y�s�i�s� �l�e�s�s� �u�s�e�r� �b�u�r�d�e�n� �l�e�s�s� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t�,� �s�i�n�g�l�e�-�t�h�r�e�a�d�e�d� � �C�o�n�t�r�o�l�-�C� �[�A�d�v�e� �e�t� �a�l�.�]� �w�e�a�k�e�r� �g�u�a�r�a�n�t�y�,� �l�e�s�s� �b�u�r�d�e�n� � �S�F�I� �[�W�a�h�b�e�,� �S�m�a�l�l�,� �.�.�.�]�:� �s�a�n�d�b�o�x�i�n�g� �v�i�a� �b�i�n�a�r�y� �r�e�w�r�i�t�i�n�g� ��¡ð��(��Z�m��Z�`��Z�p��Z��Z�(��1��`�� #�� ª>��@��a��ó��í��*��¨��Related Work: Checking C code�� `��M�o�d�e�l�-�c�h�e�c�k�i�n�g� �C� �c�o�d�e� �(�S�L�A�M�,� �B�L�A�S�T�,� �& )� �L�e�v�e�r�a�g�e�s� �s�c�a�l�a�b�i�l�i�t�y� �o�f� �M�C� �K�e�y� �i�s� �a�u�t�o�m�a�t�i�c� �b�u�i�l�d�i�n�g� �a�n�d� �r�e�f�i�n�i�n�g� �o�f� �m�o�d�e�l� �A�s�s�u�m�e�s� �(�w�e�a�k�)� �m�e�m�o�r�y� �s�a�f�e�t�y� �L�i�n�t�-�l�i�k�e� �t�o�o�l�s� �(�S�p�l�i�n�t�,� �M�e�t�a�l�,� �P�r�e�F�I�X�,� �& )� �G�o�o�d� �a�t� �r�e�d�u�c�i�n�g� �f�a�l�s�e� �p�o�s�i�t�i�v�e�s� �C�a�n�n�o�t� �e�n�s�u�r�e� �a�b�s�e�n�c�e� �o�f� �b�u�g�s� �M�e�t�a�l� �p�a�r�t�i�c�u�l�a�r�l�y� �g�o�o�d� �f�o�r� �u�s�e�r�-�d�e�f�i�n�e�d� �c�h�e�c�k�s� �C�q�u�a�l� �(�u�s�e�r�-�d�e�f�i�n�e�d� �q�u�a�l�i�f�i�e�r�s�,� �l�o�t�s� �o�f� �i�n�f�e�r�e�n�c�e�)� � �B�e�t�t�e�r� �f�o�r� �u�n�c�h�a�n�g�e�a�b�l�e� �c�o�d�e� �o�r� �u�s�e�r�-�d�e�f�i�n�e�d� �c�h�e�c�k�s� � �(�i�.�e�.�,� �t�h�e�y� r�e� �c�o�m�p�l�e�m�e�n�t�a�r�y�)��¡Î��'��Z�i��Z�+��Z�o��Z�4��Z�S��Z�'��L��+��!��H��3�� S��ªP��s��6��t��,��T��ó��ð��,��¨��Related work: higher and lower�� ¸��A�d�a�p�t�e�d�/�e�x�t�e�n�d�e�d� �i�d�e�a�s�:� �p�o�l�y�m�o�r�p�h�i�s�m� �[�M�L�,� �H�a�s�k�e�l�l�,� �& ]� �r�e�g�i�o�n�s� �[�T�o�f�t�e�/�T�a�l�p�i�n�,� �W�a�l�k�e�r� �e�t� �a�l�.�,� �& ]� �s�a�f�e�t�y� �v�i�a� �d�a�t�a�f�l�o�w� �[�J�a�v�a�,� �& ]� �e�x�i�s�t�e�n�t�i�a�l� �t�y�p�e�s� �[�M�i�t�c�h�e�l�l�/�P�l�o�t�k�i�n�,� �& ]� �c�o�n�t�r�o�l�l�i�n�g� �d�a�t�a� �r�e�p�r�e�s�e�n�t�a�t�i�o�n� �[�A�d�a�,� �M�o�d�u�l�a�-�3�,� �& ]� � �S�a�f�e� �l�o�w�e�r�-�l�e�v�e�l� �l�a�n�g�u�a�g�e�s� �[�T�A�L�,� �P�C�C�,� �& ]� �e�n�g�i�n�e�e�r�e�d� �f�o�r� �m�a�c�h�i�n�e�-�g�e�n�e�r�a�t�e�d� �c�o�d�e� � �V�a�u�l�t�:� �s�t�r�o�n�g�e�r� �p�r�o�p�e�r�t�i�e�s� �v�i�a� �r�e�s�t�r�i�c�t�e�d� �a�l�i�a�s�i�n�g� ��¡��Á��)��'��4��À��)��&��4��ó��Ñ��¨��Summary�� ò��C�y�c�l�o�n�e�:� �a� �s�a�f�e� �l�a�n�g�u�a�g�e� �a�t� �t�h�e� �C�-�l�e�v�e�l� �o�f� �a�b�s�t�r�a�c�t�i�o�n� � �S�y�n�e�r�g�i�s�t�i�c� �c�o�m�b�i�n�a�t�i�o�n� �o�f� �t�y�p�e�s�,� �f�l�o�w� �a�n�a�l�y�s�i�s�,� �a�n�d� �r�u�n�-�t�i�m�e� �c�h�e�c�k�s� � �A� �r�e�a�l� �c�o�m�p�i�l�e�r� �a�n�d� �p�r�o�t�o�t�y�p�e� �a�p�p�l�i�c�a�t�i�o�n�s� � �P�r�o�p�e�r�t�i�e�s� �l�i�k�e� � n�o�t� �N�U�L�L� ,� � h�a�s� �l�o�n�g�e�r� �l�i�f�e�t�i�m�e� ,� � h�a�s� �a�r�r�a�y� �l�e�n�g�t�h� & �n�o�w� �i�n� �t�h�e� �l�a�n�g�u�a�g�e� �a�n�d� �c�h�e�c�k�e�d� � �E�a�s�y� �i�n�t�e�r�o�p�e�r�a�b�i�l�i�t�y� �w�i�t�h� �C� �a�l�l�o�w� �s�m�o�o�t�h� �a�n�d� �i�n�c�r�e�m�e�n�t�a�l� �m�o�v�e� �t�o�w�a�r�d� �m�e�m�o�r�y� �s�a�f�e�t�y� � �i�n� �t�h�e�o�r�y� �a�t� �l�e�a�s�t��¡z��g��7�� E�� +�� g�� U��ó��î��)��¨ ��Availability�� L�i�k�e� �a�n�y� �l�a�n�g�u�a�g�e�,� �y�o�u� �h�a�v�e� �t�o� � k�i�c�k� �t�h�e� �t�i�r�e�s� :� �w�w�w�.�r�e�s�e�a�r�c�h�.�a�t�t�.�c�o�m�/�p�r�o�j�e�c�t�s�/�c�y�c�l�o�n�e� � �A�l�s�o� �s�e�e�:� �J�a�n�.� �2�0�0�5� �C�/�C�+�+� �U�s�e�r� s� �J�o�u�r�n�a�l� �U�S�E�N�I�X� �2�0�0�2� � �C�o�n�v�e�r�s�e�l�y�,� �I� �w�a�n�t� �t�o� �k�n�o�w� �N�A�S�A� s� �C�-�l�e�v�e�l� �c�o�d�e� �n�e�e�d�s� �M�a�y�b�e� �i�d�e�a�s� �f�r�o�m� �C�y�c�l�o�n�e� �w�i�l�l� �h�e�l�p� �M�a�y�b�e� �n�o�t� �E�i�t�h�e�r� �w�a�y� �w�o�u�l�d� �b�e� �f�a�s�c�i�n�a�t�i�n�g� ��¡¢��1��'�� +��5��-��!��1��%��Ì�fþ�� +��ª��1��Ì��ó��æ��¨�� r��[�P�r�e�s�e�n�t�a�t�i�o�n� �e�n�d�s� �h�e�r�e� � � � �s�o�m�e� �a�u�x�i�l�i�a�r�y� �s�l�i�d�e�s� �f�o�l�l�o�w�]��¡��:��:��ó��ç��¨��Example in Cyclone��¨��void f(int@{`j} p, tag_t<`i> i, int v ; `i < `j){ p[i] = v; } Note: regions and locks use implicit defaults (live and accessible)��¡Ì��I��E��þ��ÿ3�þ ��ÿ3�þ�� ÿ3�þ��F��ª,��"��R��ó��ô��0��¨��Some other problems�� \��O�n�e� �s�a�f�e�t�y� �v�i�o�l�a�t�i�o�n� �t�y�p�i�c�a�l�l�y� �r�e�n�d�e�r�s� �a�l�l� �p�r�o�g�r�a�m� �p�r�o�p�e�r�t�i�e�s� �p�o�t�e�n�t�i�a�l�l�y� �i�r�r�e�l�e�v�a�n�t� � �S�o� �p�r�o�h�i�b�i�t�:� � � � �i�n�c�o�r�r�e�c�t� �c�a�s�t�s�,� �a�r�r�a�y�-�b�o�u�n�d�s� �v�i�o�l�a�t�i�o�n�s�,� �m�i�s�u�s�e�d� �u�n�i�o�n�s�,� �u�n�i�n�i�t�i�a�l�i�z�e�d� �p�o�i�n�t�e�r�s�,� �d�a�n�g�l�i�n�g� �p�o�i�n�t�e�r�s�,� �n�u�l�l�-�p�o�i�n�t�e�r� �d�e�r�e�f�e�r�e�n�c�e�s�,� �d�a�n�g�l�i�n�g� �l�o�n�g�j�m�p�,� �v�a�r�a�r�g� �m�i�s�m�a�t�c�h�,� �n�o�t� �r�e�t�u�r�n�i�n�g� �p�o�i�n�t�e�r�s�,� �d�a�t�a� �r�a�c�e�s�,� �& ��¡,��d��Z�Ë��Z�d��Ë��/�ð¨��ó��^��ó��Å��%��ó��Ð��&��ó��è��'��ó��é��(��ó��ï��)��P��ÿÿÿ��ê��î<��ï�� ù��P��Ø�� ð��Ð�ð�� ð$��ð(�� ð�� ð�� ðr�� ð�� S�ð��´\¿��ÿ�� ð��À�°Ð�ð��Ã�� ð ��ðr�� ð�� S�ð��p]¿��ÿ�� ð��ð°Ð��ð��Ã�� ð ��ðH�� ð�� ð0��Þ½h�¿��ÿ�� ?��ð ��ÿÿÿ��Ì�33Ì�ÌÌÿ�²²²��8��0��º��_�_�_�P�P�T�1�0��ë.��óñÄ`Ö¦Á��r��ð.�í��hº��õ��)��í�Ì.�¬¼��ô��C��èÊ��é(��à��8��Ø�� òú��/�È ��0�Ò��Õ0��·D��T�i�m�e�s� �N�e�w� �R�o�m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0��·D��A�r�i�a�l��N�e�w� �R�o�m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0�" �·D��C�o�u�r�i�e�r� �N�e�w��m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0�10�·D��W�i�n�g�d�i�n�g�s��w��m�a�n��©Ñ�´Õ�Õ�ì 0��´Õ�Wo 0��¤ ��`��ÿÿÿÿ��¥ ��.��© �� @�£n��ÿý?��" ��d��d��@��ÿÿï��ÿÿÿÿÿÿ�� @@��``�� ðü��ð��@��u��.��/�� /��7��Z��M��)��*��@��1��8��0��c�� /��/��2�� $��3��)��-��0��:��1��3�� !��#��"��#��$��%��&��'��(��)��*��+��,�� 2�� .��/��ð0��A��¿��À��ÅA��ÿ��p�ñ��ÿ3��Ìf�Ì�f�ÿÿ�ÿf�ÿ��@�ñ��÷��ð8��ó��ó��ÐÑ��ððn�Ê;Ç�Ê;��úg��þ��ý4��O��d��O��d��ì 0��¨Õ��¤þÿÿ¬ÿÿÿ��p�û��p��p�û��@��<��ý4��!��d��!��d��® 0dÙ��ªÑ��<��ý4��d��d��d��d��® 0dÙ��ªÑ��<��ý4��B��d��B��d��® 0dÙ��ªÑ��ÿ�� N��0��º��_�_�_�P�P�T�1�0�� À��À��º��_�_�_�P�P�T�9��ð��®è��¯��¬`��ÿÿ��ÿÿ��ÿÿ��¯��¬X��ÿÿ��?�Ùd��Ú��-��º��1�1� �J�a�n�u�a�r�y� �2�0�0�5� �º*��D�a�n� �G�r�o�s�s�m�a�n�:� �C�y�c�l�o�n�e�O�Ù ��Ú��=��ðÛu��ó��¨4��Cyclone: A Memory-Safe C-Level Programming Language ��¡"��5��3�� Ì�fþ��¨¬��Dan Grossman University of Washington Joint work with: Trevor Jim AT&T Research Greg Morrisett Harvard University Michael Hicks University of Maryland��¡:��'��(��&��Ì�fþ��ó��Â��¨��A safe C-level language��¨ �� Cyclone is a programming language and compiler aimed at safe systems programming C is not memory safe: void f(int* p, int i, int v) { p[i] = v; } Address p+i might hold important data or code Memory safety is crucial for reasoning about programs ��¡��S��9��h��:��ÿ3�þ��ÿ3�þ�� þ��þ��þ��þ�� $�� 6��ó��Ã�� "��C�a�l�l�e�r� s� �p�r�o�b�l�e�m�?��ª��¨Ã�� void g(void**, void*); int y = 0; int *z = &y; g(&z,0xBAD); *z = 123; Might be safe, but not if g does *x=y Type of g enough for code generation Type of g not enough for safety checking��¡$��N�� v�� þ��þ ��þ!��%��ª>�� s��&�� ó��ë��'��¨��Safe low-level systems��¨8��For a safety guarantee today, use YFHLL Your Favorite High Level Language YFHLL provides safety in part via: hidden data fields and run-time checks automatic memory management Data representation and resource management are essential aspects of low-level systems There are strong reasons for C-like languages��¡��(��#��#��D��$��Y��.��(��Ì�fþ��Ì�fþ��Ì�fþ��Ì�fþ��Ì�fþ��#��ÿ3�þ!�� ÿ3�þ��0�� ÿ3�þ��-��ó��ì��(��¨��Some insufficient approaches�� ®��C�o�m�p�i�l�e� �C� �w�i�t�h� �e�x�t�r�a� �i�n�f�o�r�m�a�t�i�o�n� �t�y�p�e� �f�i�e�l�d�s�,� �s�i�z�e� �f�i�e�l�d�s�,� �l�i�v�e�-�p�o�i�n�t�e�r� �t�a�b�l�e�,� �& �t�r�e�a�t�s� �C� �a�s� �a� �h�i�g�h�e�r�-�l�e�v�e�l� �l�a�n�g�u�a�g�e� � �U�s�e� �s�t�a�t�i�c� �a�n�a�l�y�s�i�s� �v�e�r�y� �d�i�f�f�i�c�u�l�t� �l�e�s�s� �m�o�d�u�l�a�r� � �B�a�n� �u�n�s�a�f�e� �f�e�a�t�u�r�e�s� �t�h�e�r�e� �a�r�e� �m�a�n�y� �y�o�u� �n�e�e�d� �t�h�e�m��¡��!��U��!��T�� ó��Ç��¨��Cyclone in brief�� *��A� �s�a�f�e�,� �c�o�n�v�e�n�i�e�n�t�,� �a�n�d� �m�o�d�e�r�n� �l�a�n�g�u�a�g�e� � �a�t� �t�h�e� �C� �l�e�v�e�l� �o�f� �a�b�s�t�r�a�c�t�i�o�n� �S�a�f�e�:� �m�e�m�o�r�y� �s�a�f�e�t�y�,� �a�b�s�t�r�a�c�t� �t�y�p�e�s�,� �n�o� �c�o�r�e� �d�u�m�p�s� � �C�-�l�e�v�e�l�:� �u�s�e�r�-�c�o�n�t�r�o�l�l�e�d� �d�a�t�a� �r�e�p�r�e�s�e�n�t�a�t�i�o�n� �a�n�d� �r�e�s�o�u�r�c�e� �m�a�n�a�g�e�m�e�n�t�,� �e�a�s�y� �i�n�t�e�r�o�p�e�r�a�b�i�l�i�t�y�,� � m�a�n�i�f�e�s�t� �c�o�s�t� � �C�o�n�v�e�n�i�e�n�t�:� �m�a�y� �n�e�e�d� �m�o�r�e� �t�y�p�e� �a�n�n�o�t�a�t�i�o�n�s�,� �b�u�t� �w�o�r�k� �h�a�r�d� �t�o� �a�v�o�i�d� �i�t� � �M�o�d�e�r�n�:� �a�d�d� �f�e�a�t�u�r�e�s� �t�o� �c�a�p�t�u�r�e� �c�o�m�m�o�n� �i�d�i�o�m�s� � � N�e�w� �c�o�d�e� �f�o�r� �l�e�g�a�c�y� �o�r� �i�n�h�e�r�e�n�t�l�y� �l�o�w�-�l�e�v�e�l� �s�y�s�t�e�m�s� ��¡ô��G��Z��Z�6��Z��Z�F��ÿ��þ��ÿ��þ��.�� e�� ;�� '��6��ó��È��¨��The plan from here�� ê��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �B�e�n�c�h�m�a�r�k�s�,� �p�o�r�t�s�� ¡��¢��£��¤��¥��¦��§��¨��©��ª��«��¬��®��¯��°��±��²��³��´��µ��¶��·��¸��¹��º��»��¼��½��¾��¿��À��Á��Â��Ã��Ä��Å��Æ��Ç��È��É��Ê��Ë��Ì��Í��Î��Ï��Ð��Ñ��Ò��Ó��Ô��Õ��Ö��×��Ø��Ù��Ú��Û��Ü��Ý��Þ��ß��à��á��â��ã��ä��å��æ��ç��è��é��ê��ë��ì��í��î��ï��ð��ñ��ò��ó��ô��õ��þÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ�,� �s�y�s�t�e�m�s�,� �c�o�m�p�i�l�e�r�,� �& �A�l�l� �o�n� �E�a�r�t�h� �s�o� �f�a�r� �Jð �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� � �R�e�a�l�l�y� � j�u�s�t� �a� �t�a�s�t�e� �o�f� �C�y�c�l�o�n�e��¡Â��Z�>��Z�)��Z�(��Z�-��Z�"��Z��<�� (��-��"��ó��É��¨��Status�� ®�� C�y�c�l�o�n�e� �r�e�a�l�l�y� �e�x�i�s�t�s� �(�e�x�c�e�p�t� �m�e�m�o�r�y�-�s�a�f�e� �t�h�r�e�a�d�s�)� � �>�1�5�0�K� �l�i�n�e�s� �o�f� �C�y�c�l�o�n�e� �c�o�d�e�,� �i�n�c�l�u�d�i�n�g� �t�h�e� �c�o�m�p�i�l�e�r� � �g�c�c� �b�a�c�k�-�e�n�d� �(�L�i�n�u�x�,� �C�y�g�w�i�n�,� �O�S�X�,� �M�i�n�d�s�t�o�r�m�,� �& )� � �U�s�e�r� s� �m�a�n�u�a�l�,� �m�a�i�l�i�n�g� �l�i�s�t�s�,� �& � �S�t�i�l�l� �a� �r�e�s�e�a�r�c�h� �v�e�h�i�c�l�e� � � ��¡À��4��¢��3��4�� 0�� ª�� ?��ó��Ê��¨ ��Evaluation��¨æ�� Is Cyclone like C? port code, measure source differences interface with C code (extend systems) What is the performance cost? port code, measure slowdown Is Cyclone good for low-level systems? write systems, ensure scalability ��¡Ê��" ��N��" ��'��" ��"��N�� '��"��ó��Ë�� ¨��Code differences��¨��Porting not automatic, but quite similar Many changes identify arrays and lengths Some changes incidental (absent prototypes, new keywords)��¡��ó��Ì�� ¨��Run-time performance��¨Ð��RHLinux 7.1 (2.4.9), 1.0GHz PIII, 512MRAM, gcc2.96 -O3, glibc 2.2.4 Comparable to other safe languages to start C level provides important optimization opportunities Understanding the applications could help��¡L��E��D��,��6��*��ó��Í��¨��Larger program: the compiler��¨Ö�� Scalable compiler + libraries (80K lines) build in < 30secs Generic libraries (e.g., lists, hashtables) clients have no syntactic/performance cost Static safety helps exploit the C-level I use &x more than in C ��¡¼�� 4��,��,��(�� 3�� ,��+�� (�� ó��Î�� ¨��Other projects��¨o��Open Kernel Environment [Bos/Samwel, OPENARCH 02] MediaNet [Hicks et al, OPENARCH 03]: RBClick [Patel/Lepreau, OPENARCH 03] STP [Patel et al., SOSP 03] FPGA synthesis [Teifel/Manohar, ISACS 04] Maryland undergrad O/S course (geekOS) [2004] Windows device driver (6K lines) Only 100 lines left in C But unrecoverable failures & other kernel corruptions remain ��¡��P�W��P��P�� '�� !��W��ªt�� =��,��ó��Ò��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡z��A��(��-��(��-��ó��Ó��¨��Not-null pointers��ª ��ó��Ô��¨��Example�� ê��F�I�L�E�*� �f�o�p�e�n�(�c�o�n�s�t� �c�h�a�r�@�,� �c�o�n�s�t� �c�h�a�r�@�)�;� �i�n�t� �f�g�e�t�c�(�F�I�L�E�@�)�;� �i�n�t� �f�c�l�o�s�e�(�F�I�L�E�@�)�;� �v�o�i�d� �g�(�)� �{� � � �F�I�L�E�*� �f� �=� �f�o�p�e�n�(� f�o�o� ,� � r� )�;� � � �i�n�t� �c�;� � � �w�h�i�l�e�(�(�c� �=� �f�g�e�t�c�(�f�)�)� �!�=� �E�O�F�)� �{�& }� � � �f�c�l�o�s�e�(�f�)�;� �}� � �G�i�v�e�s� �w�a�r�n�i�n�g� �a�n�d� �i�n�s�e�r�t�s� �o�n�e� �n�u�l�l�-�c�h�e�c�k� �E�n�c�o�u�r�a�g�e�s� �a� �h�o�i�s�t�e�d� �c�h�e�c�k��¡Ü��±��Z�E��Z��þ ��þ ��þ��þ ��þQ��D��ª�� a��ó��Õ��¨��A classic moral��¨L��FILE* fopen(const char@, const char@); int fgetc(FILE@); int fclose(FILE@); ��¡��M��þ ��þ ��þ �� ª,��1�� ó��Ö��!��¨��Key Design Principles in Action��¨K��Types to express invariants Preconditions for arguments Properties of values in memory Flow analysis where helpful Lets users control explicit checks Soundness + aliasing limits usefulness Users control data representation Pointers are addresses unless user allows otherwise Often can interoperate with C more safely just via types��¡°��Z�;��Z��Z�J��Z�"��Z�4��Z�9��Z��;��#��'��"��4��9��ª$��R��ñ��ó��ò��.�� (��I�t� s� �a�l�w�a�y�s� �a�l�i�a�s�i�n�g��¨¿��But can avoid checks when compiler knows all aliases. Can know by: Types: precondition checked at call site Flow: new objects start unaliased Else user should use a temporary (the safe thing)��¡ ��C��}��À��ª�� 3��ó��ó��/�� (��I�t� s� �a�l�w�a�y�s� �a�l�i�a�s�i�n�g��¨¿��But can avoid checks when compiler knows all aliases. Can know by: Types: precondition checked at call site Flow: new objects start unaliased Else user should use a temporary (the safe thing)��¡ ��C��}��À��ª�� 3��ó��ñ��-��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡p��A��(��-��*��(��-��ó��Ø�� (�� C�h�a�n�g�e� �v�o�i�d�*� �t�o� �`�a� ��¡:��¨��struct Lst { void* hd; struct Lst* tl; }; struct Lst* map( void* f(void*), struct Lst*); struct Lst* append( struct Lst*, struct Lst*);��¡\�� ;��þ1��þ!��ó��Ù��¨��Not much new here��¨��Closer to C than C++, Java generics, ML, etc. Unlike functional languages, data representation may restrict `a to pointers, int why not structs? why not float? why int? Unlike templates, no code duplication or leaking implementations Unlike objects, no need to tag data��¡Ú��/��S��)��f��/��"��N��"��c��"��"��c��"��c��"�� "�� f��"��ª��¦��i��ó��Ú��¨��Existential types�� P�r�o�g�r�a�m�s� �n�e�e�d� �a� �w�a�y� �f�o�r� � c�a�l�l�-�b�a�c�k� �t�y�p�e�s�:� � � � � � �s�t�r�u�c�t� �T� �{� � � � � � �v�o�i�d� �(�*�f�)�(�v�o�i�d�*�,� �i�n�t�)�;� � � � � � �v�o�i�d�*� �e�n�v�;� � � �}�;� � �W�e� �u�s�e� �a�n� �e�x�i�s�t�e�n�t�i�a�l� �t�y�p�e� �(�s�i�m�p�l�i�f�i�e�d�)�:� � � � � � � �s�t�r�u�c�t� �T� �{� �<�`�a�>� � � � � � �v�o�i�d� �(�@�f�)�(�`�a�,� �i�n�t�)�;� � � � � � �`�a� �e�n�v�;� � � �}�;� � �m�o�r�e� �C�-�l�e�v�e�l� �t�h�a�n� �b�a�k�e�d�-�i�n� �c�l�o�s�u�r�e�s�/�o�b�j�e�c�t�s� ��¡��+��Z�A��0��Z��Z�*��Z�A��0��Z��,��8��Z��Z�+��>��"�� ÿ��þ��g��ÿ��þ��G��ÿ��þ��g��ÿ3�þ ��g��ÿ3�þ��,�� "��ó��Û��¨��Regions�� a�.�k�.�a�.� �z�o�n�e�s�,� �a�r�e�n�a�s�,� �& � �E�v�e�r�y� �o�b�j�e�c�t� �i�s� �i�n� �e�x�a�c�t�l�y� �o�n�e� �r�e�g�i�o�n� � �A�l�l�o�c�a�t�i�o�n� �v�i�a� �a� �r�e�g�i�o�n� �h�a�n�d�l�e� � �D�e�a�l�l�o�c�a�t�e� �a�n� �e�n�t�i�r�e� �r�e�g�i�o�n� � �s�i�m�u�l�t�a�n�e�o�u�s�l�y� � � �(�c�a�n�n�o�t� �f�r�e�e� �a�n� �o�b�j�e�c�t�)� � �O�l�d� �i�d�e�a� �w�i�t�h� �r�e�c�e�n�t� �s�u�p�p�o�r�t� �i�n� �l�a�n�g�u�a�g�e�s� �(�e�.�g�.�,� �R�C�,� �R�T�S�J�)� � �a�n�d� �i�m�p�l�e�m�e�n�t�a�t�i�o�n�s� �(�e�.�g�.�,� �M�L� �K�i�t�)��¡²��|��Z�*��Z��Z�_��Z��&��7�� _��ª>��`��F��.�� %��ó��Ü��¨��Cyclone regions [PLDI 02]��¡�� h�e�a�p� �r�e�g�i�o�n�:� �o�n�e�,� �l�i�v�e�s� �f�o�r�e�v�e�r�,� �c�o�n�s�e�r�v�a�t�i�v�e�l�y� �G�C� d� �s�t�a�c�k� �r�e�g�i�o�n�s�:� �c�o�r�r�e�s�p�o�n�d� �t�o� �l�o�c�a�l�-�d�e�c�l�a�r�a�t�i�o�n� �b�l�o�c�k�s�:� � �{�i�n�t� �x�;� �i�n�t� �y�;� �s�}� �g�r�o�w�a�b�l�e� �r�e�g�i�o�n�s�:� �s�c�o�p�e�d� �l�i�f�e�t�i�m�e�,� �b�u�t� �g�r�o�w�a�b�l�e�:� � � � �{�r�e�g�i�o�n� �r�;� �s�}� � �a�l�l�o�c�a�t�i�o�n� �r�o�u�t�i�n�e�s� �t�a�k�e� �a� �r�e�g�i�o�n� �h�a�n�d�l�e� � �h�a�n�d�l�e�s� �a�r�e� �f�i�r�s�t�-�c�l�a�s�s� �c�a�l�l�e�r� �d�e�c�i�d�e�s� �w�h�e�r�e�,� �c�a�l�l�e�e� �d�e�c�i�d�e�s� �h�o�w� �m�u�c�h� �n�o� �h�a�n�d�l�e�s� �f�o�r� �s�t�a�c�k� �r�e�g�i�o�n�s��¡��m��4��B�� K�� (��*��þ��þ��#��þ��"��.��ÿ3�þ��ªb��,��1��\��ó��Ý�� (��T�h�a�t� s� �t�h�e� �e�a�s�y� �p�a�r�t��¨c��The implementation is really simple because the type system statically prevents dangling pointers ��¡h��d�� ÿ��þ��ó��Þ��¨��The big restriction�� Î��A�n�n�o�t�a�t�e� �a�l�l� �p�o�i�n�t�e�r� �t�y�p�e�s� �w�i�t�h� �a� �r�e�g�i�o�n� �n�a�m�e� �(�a� �t�y�p�e� �v�a�r�i�a�b�l�e� �o�f� �r�e�g�i�o�n� �k�i�n�d�)� � �i�n�t�@�`�r� �m�e�a�n�s� � p�o�i�n�t�e�r� �i�n�t�o� �t�h�e� �r�e�g�i�o�n� �c�r�e�a�t�e�d� �b�y� �t�h�e� �c�o�n�s�t�r�u�c�t� �t�h�a�t� �i�n�t�r�o�d�u�c�e�s� �`�r� �h�e�a�p� �i�n�t�r�o�d�u�c�e�s� �`�H� � �L�:�& �i�n�t�r�o�d�u�c�e�s� �`�L� �{�r�e�g�i�o�n� �r�;� �s�}� �i�n�t�r�o�d�u�c�e�s� �`�r� � �r� �h�a�s� �t�y�p�e� �r�e�g�i�o�n�_�t�<�`�r�>� � �c�o�m�p�i�l�e�-�t�i�m�e� �c�h�e�c�k�:� �o�n�l�y� �l�i�v�e� �r�e�g�i�o�n�s� �a�r�e� �a�c�c�e�s�s�e�d� �b�y� �d�e�f�a�u�l�t�,� �f�u�n�c�t�i�o�n� �a�r�g�u�m�e�n�t�s� �p�o�i�n�t� �t�o� �l�i�v�e� �r�e�g�i�o�n�s� ��¡��P��S��$��B��²�� 3��5��"��"�� G��g��I��"��c��"��b��c��"��c�� "��c��g��þ��c�� "��c��"�� "�� c� �� "�� c� �� c� �� 3��b��5��b��c��ªP��¡��'��'��j��ó��ß��¨��Region polymorphism�� ø��A�p�p�l�y� �w�h�a�t� �w�e� �d�i�d� �f�o�r� �t�y�p�e� �v�a�r�i�a�b�l�e�s� �t�o� �r�e�g�i�o�n� �n�a�m�e�s� �(�o�n�l�y� �i�t� s� �m�o�r�e� �i�m�p�o�r�t�a�n�t� �a�n�d� �c�o�u�l�d� �b�e� �m�o�r�e� �o�n�e�r�o�u�s�)� � �v�o�i�d� �s�w�a�p�(�i�n�t� �@�`�r�1� �x�,� �i�n�t� �@�`�r�2� �y�)�{� � � �i�n�t� �t�m�p� �=� �*�x�;� � � �*�x� �=� �*�y�;� � � �*�y� �=� �t�m�p�;� �}� � �i�n�t�@�`�r� �s�u�m�p�t�r�(�r�e�g�i�o�n�_�t�<�`�r�>� �r�,�i�n�t� �x�,�i�n�t� �y�)�{� � � �r�e�t�u�r�n� �r�n�e�w�(�r�)� �(�x�+�y�)�;� �}��¡B��k��M�� E��k��C��G��þ��C��g��c��g��þ��c��g��c��g��þ ��c��g��þ ��c��C��C�� g� ��ÿ��þ�� c� �� g� ��þ �� c� �� g� ��ÿ��þ�� c� �� g� ��þ�� c� �� g� ��þ�� c� �� g� ��þ�� c� ��ª,��Ó��ó��à��¨��Type definitions��¨K��struct ILst<`r1,`r2> { int@`r1 hd; struct ILst<`r1,`r2> *`r2 tl; }; ��¡ ��L�� C��g��ÿ��þ��C�� g� ��ÿ��þ��C��g��ÿ��þ��C��g��ÿ��þ�� C� ��$g�$��ÿ��þ��(C�(��,g�,��ÿ��þ ��0C�0��0��0��ó��á�� ¨��Region subtyping�� Ò��I�f� �p� �p�o�i�n�t�s� �t�o� �a�n� �i�n�t� �i�n� �a� �r�e�g�i�o�n� �w�i�t�h� �n�a�m�e� �`�r�1�,� �i�s� �i�t� �e�v�e�r� �s�o�u�n�d� �t�o� �g�i�v�e� �p� �t�y�p�e� �i�n�t�*�`�r�2�?� � �I�f� �s�o�,� �l�e�t� � �i�n�t�*�`�r�1� �<� �i�n�t�*�`�r�2� � �R�e�g�i�o�n� �s�u�b�t�y�p�i�n�g� �i�s� �t�h�e� �o�u�t�l�i�v�e�s� �r�e�l�a�t�i�o�n�s�h�i�p� � � �{�r�e�g�i�o�n� �r�1�;� �& �{�r�e�g�i�o�n� �r�2�;� �& }� �& �}� � �L�I�F�O� �m�a�k�e�s� �s�u�b�t�y�p�i�n�g� �c�o�m�m�o�n� � ��¡$��[��M��!��g��ÿ��þ�� g� ��ÿ��þ�� C��g��ÿ��þ��o��ÿ��þçÿ��G��C��g��ÿ��þ��n��ÿ��þçÿ��o��ÿ��þçÿ�� B�� F�� B�� $�� C� �� B�� C� �� ª>��ª�� ó��â��"��¨��Regions evaluation��ª�� Æ��L�I�F�O� �r�e�g�i�o�n�s� �g�o�o�d� �f�o�r� �s�o�m�e� �i�d�i�o�m�s� �a�w�k�w�a�r�d� �i�n� �C� �R�e�g�i�o�n�s� �g�e�n�e�r�a�l�i�z�e� �s�t�a�c�k� �v�a�r�i�a�b�l�e�s� �a�n�d� �t�h�e� �h�e�a�p� �D�e�f�a�u�l�t�s� �a�n�d� �i�n�f�e�r�e�n�c�e� �m�a�k�e� �i�t� �s�u�r�p�r�i�s�i�n�g�l�y� �p�a�l�a�t�a�b�l�e� �W�o�r�s�t� �p�a�r�t�:� �d�e�f�i�n�i�n�g� �r�e�g�i�o�n�-�a�l�l�o�c�a�t�e�d� �d�a�t�a� �s�t�r�u�c�t�u�r�e�s� �C�y�c�l�o�n�e� �a�c�t�u�a�l�l�y� �h�a�s� �m�u�c�h� �m�o�r�e� �[�I�S�M�M� �0�4�]� �N�o�n�-�L�I�F�O� �r�e�g�i�o�n�s� � U�n�i�q�u�e� �p�o�i�n�t�e�r�s� �E�x�p�l�i�c�i�t�l�y� �r�e�f�e�r�e�n�c�e�-�c�o�u�n�t�e�d� �p�o�i�n�t�e�r�s� �A� � u�n�i�f�i�e�d� �s�y�s�t�e�m� ,� �n�o�t� �n� �s�u�b�l�a�n�g�a�g�e�s� ��¡��/��x�f��6��)��p��/��f��6�� a�� ª��W��ó��ã��#��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡p��A��(��-��A��(�� ó��ä��$��¨��Other safety holes�� J��A�r�r�a�y�s� �(�w�h�a�t� �o�r� �w�h�e�r�e� �i�s� �t�h�e� �s�i�z�e�)� �O�p�t�i�o�n�s�:� �d�y�n�a�m�i�c� �b�o�u�n�d�,� �i�n� �a� �f�i�e�l�d�/�v�a�r�i�a�b�l�e�,� �c�o�m�p�i�l�e�-�t�i�m�e� �b�o�u�n�d�,� �s�p�e�c�i�a�l� �s�t�r�i�n�g� �s�u�p�p�o�r�t� �T�h�r�e�a�d�s� �(�a�v�o�i�d�i�n�g� �r�a�c�e�s�)� �v�a�p�o�r�w�a�r�e� �t�y�p�e� �s�y�s�t�e�m� �t�o� �e�n�f�o�r�c�e� �l�o�c�k�-�b�a�s�e�d� �m�u�t�u�a�l� �e�x�c�l�u�s�i�o�n� �C�a�s�t�s� �A�l�l�o�w� �o�n�l�y� � u�p� �c�a�s�t�s� �a�n�d� �c�a�s�t�s� �t�o� �n�u�m�b�e�r�s� �U�n�i�o�n�s� �C�h�e�c�k�e�d� �t�a�g�s� �o�r� �b�i�t�s�-�o�n�l�y� �f�i�e�l�d�s� �U�n�i�n�i�t�i�a�l�i�z�e�d� �d�a�t�a� �F�l�o�w� �a�n�a�l�y�s�i�s� �(�s�a�f�e�r� �a�n�d� �e�a�s�i�e�r� �t�h�a�n� �d�e�f�a�u�l�t� �i�n�i�t�i�a�l�i�z�e�r�s�)� �V�a�r�a�r�g�s� �(�s�a�f�e� �v�i�a� �c�h�a�n�g�e�d� �c�a�l�l�i�n�g� �c�o�n�v�e�n�t�i�o�n�)��¡î��#��X��=��+��!��;��.��#��X��=��+�� !�� ;��.��ª>�� A��'��ó��å��%��¨��And modern conveniences�� æ��3�0� �y�e�a�r�s� �a�f�t�e�r� �C�,� �s�o�m�e� �t�h�i�n�g�s� �a�r�e� �w�o�r�t�h� �a�d�d�i�n�g�& � �T�a�g�g�e�d� �u�n�i�o�n�s� �a�n�d� �p�a�t�t�e�r�n� �m�a�t�c�h�i�n�g� �o�n� �t�h�e�m� �I�n�t�r�a�p�r�o�c�e�d�u�r�a�l� �t�y�p�e� �i�n�f�e�r�e�n�c�e� �T�u�p�l�e�s� �(�l�i�k�e� �a�n�o�n�y�m�o�u�s� �s�t�r�u�c�t�s�)� �E�x�c�e�p�t�i�o�n�s� �S�t�r�u�c�t� �a�n�d� �a�r�r�a�y� �i�n�i�t�i�a�l�i�z�e�r�s� �N�a�m�e�s�p�a�c�e�s� �n�e�w� �f�o�r� �a�l�l�o�c�a�t�i�o�n� �+� �i�n�i�t�i�a�l�i�z�a�t�i�o�n� ��¡Z��0��x�Ã��0�� "��ª>��{�� H��ó��ê��&��¨��Plenty of work remains��¨Ó��Common limitations: Aliasing Arithmetic Unportable assumptions (But interoperating with C is much simpler than in a HLL) Big challenge for next generation: guarantees beyond fail-safe (i.e., graceful abort)��¡X��,��:��Y��^��r��ª��(�� ¢��ó��Ï��¨��Related work: making C safer�� Ê��C�o�m�p�i�l�e� �t�o� �m�a�k�e� �d�y�n�a�m�i�c� �c�h�e�c�k�s� �p�o�s�s�i�b�l�e� �S�a�f�e�-�C� �[�A�u�s�t�i�n� �e�t� �a�l�.�]�,� �R�T�C� �[�Y�o�n�g�/�H�o�r�w�i�t�z�]�,� �.�.�.� �P�u�r�i�f�y�,� �S�t�a�c�k�g�u�a�r�d�,� �E�l�e�c�t�r�i�c� �F�e�n�c�e�,� �& �C�C�u�r�e�d� �[�N�e�c�u�l�a� �e�t� �a�l�.�]� �p�e�r�f�o�r�m�a�n�c�e� �v�i�a� �w�h�o�l�e�-�p�r�o�g�r�a�m� �a�n�a�l�y�s�i�s� �l�e�s�s� �u�s�e�r� �b�u�r�d�e�n� �l�e�s�s� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t�,� �s�i�n�g�l�e�-�t�h�r�e�a�d�e�d� � �C�o�n�t�r�o�l�-�C� �[�A�d�v�e� �e�t� �a�l�.�]� �w�e�a�k�e�r� �g�u�a�r�a�n�t�y�,� �l�e�s�s� �b�u�r�d�e�n� � �S�F�I� �[�W�a�h�b�e�,� �S�m�a�l�l�,� �.�.�.�]�:� �s�a�n�d�b�o�x�i�n�g� �v�i�a� �b�i�n�a�r�y� �r�e�w�r�i�t�i�n�g� ��¡ð��(��Z�m��Z�`��Z�p��Z��Z�(��1��`�� #�� ª>��@��a��ó��í��*��¨��Related Work: Checking C code�� `��M�o�d�e�l�-�c�h�e�c�k�i�n�g� �C� �c�o�d�e� �(�S�L�A�M�,� �B�L�A�S�T�,� �& )� �L�e�v�e�r�a�g�e�s� �s�c�a�l�a�b�i�l�i�t�y� �o�f� �M�C� �K�e�y� �i�s� �a�u�t�o�m�a�t�i�c� �b�u�i�l�d�i�n�g� �a�n�d� �r�e�f�i�n�i�n�g� �o�f� �m�o�d�e�l� �A�s�s�u�m�e�s� �(�w�e�a�k�)� �m�e�m�o�r�y� �s�a�f�e�t�y� �L�i�n�t�-�l�i�k�e� �t�o�o�l�s� �(�S�p�l�i�n�t�,� �M�e�t�a�l�,� �P�r�e�F�I�X�,� �& )� �G�o�o�d� �a�t� �r�e�d�u�c�i�n�g� �f�a�l�s�e� �p�o�s�i�t�i�v�e�s� �C�a�n�n�o�t� �e�n�s�u�r�e� �a�b�s�e�n�c�e� �o�f� �b�u�g�s� �M�e�t�a�l� �p�a�r�t�i�c�u�l�a�r�l�y� �g�o�o�d� �f�o�r� �u�s�e�r�-�d�e�f�i�n�e�d� �c�h�e�c�k�s� �C�q�u�a�l� �(�u�s�e�r�-�d�e�f�i�n�e�d� �q�u�a�l�i�f�i�e�r�s�,� �l�o�t�s� �o�f� �i�n�f�e�r�e�n�c�e�)� � �B�e�t�t�e�r� �f�o�r� �u�n�c�h�a�n�g�e�a�b�l�e� �c�o�d�e� �o�r� �u�s�e�r�-�d�e�f�i�n�e�d� �c�h�e�c�k�s� � �(�i�.�e�.�,� �t�h�e�y� r�e� �c�o�m�p�l�e�m�e�n�t�a�r�y�)��¡Î��'��Z�i��Z�+��Z�o��Z�4��Z�S��Z�'��L��+��!��H��3�� S��ªP��s��6��t��,��T��ó��ð��,��¨��Related work: higher and lower�� ¸��A�d�a�p�t�e�d�/�e�x�t�e�n�d�e�d� �i�d�e�a�s�:� �p�o�l�y�m�o�r�p�h�i�s�m� �[�M�L�,� �H�a�s�k�e�l�l�,� �& ]� �r�e�g�i�o�n�s� �[�T�o�f�t�e�/�T�a�l�p�i�n�,� �W�a�l�k�e�r� �e�t� �a�l�.�,� �& ]� �s�a�f�e�t�y� �v�i�a� �d�a�t�a�f�l�o�w� �[�J�a�v�a�,� �& ]� �e�x�i�s�t�e�n�t�i�a�l� �t�y�p�e�s� �[�M�i�t�c�h�e�l�l�/�P�l�o�t�k�i�n�,� �& ]� �c�o�n�t�r�o�l�l�i�n�g� �d�a�t�a� �r�e�p�r�e�s�e�n�t�a�t�i�o�n� �[�A�d�a�,� �M�o�d�u�l�a�-�3�,� �& ]� � �S�a�f�e� �l�o�w�e�r�-�l�e�v�e�l� �l�a�n�g�u�a�g�e�s� �[�T�A�L�,� �P�C�C�,� �& ]� �e�n�g�i�n�e�e�r�e�d� �f�o�r� �m�a�c�h�i�n�e�-�g�e�n�e�r�a�t�e�d� �c�o�d�e� � �V�a�u�l�t�:� �s�t�r�o�n�g�e�r� �p�r�o�p�e�r�t�i�e�s� �v�i�a� �r�e�s�t�r�i�c�t�e�d� �a�l�i�a�s�i�n�g� ��¡��Á��)��'��4��À��)��&��4��ó��Ñ��¨��Summary�� ò��C�y�c�l�o�n�e�:� �a� �s�a�f�e� �l�a�n�g�u�a�g�e� �a�t� �t�h�e� �C�-�l�e�v�e�l� �o�f� �a�b�s�t�r�a�c�t�i�o�n� � �S�y�n�e�r�g�i�s�t�i�c� �c�o�m�b�i�n�a�t�i�o�n� �o�f� �t�y�p�e�s�,� �f�l�o�w� �a�n�a�l�y�s�i�s�,� �a�n�d� �r�u�n�-�t�i�m�e� �c�h�e�c�k�s� � �A� �r�e�a�l� �c�o�m�p�i�l�e�r� �a�n�d� �p�r�o�t�o�t�y�p�e� �a�p�p�l�i�c�a�t�i�o�n�s� � �P�r�o�p�e�r�t�i�e�s� �l�i�k�e� � n�o�t� �N�U�L�L� ,� � h�a�s� �l�o�n�g�e�r� �l�i�f�e�t�i�m�e� ,� � h�a�s� �a�r�r�a�y� �l�e�n�g�t�h� & �n�o�w� �i�n� �t�h�e� �l�a�n�g�u�a�g�e� �a�n�d� �c�h�e�c�k�e�d� � �E�a�s�y� �i�n�t�e�r�o�p�e�r�a�b�i�l�i�t�y� �w�i�t�h� �C� �a�l�l�o�w� �s�m�o�o�t�h� �a�n�d� �i�n�c�r�e�m�e�n�t�a�l� �m�o�v�e� �t�o�w�a�r�d� �m�e�m�o�r�y� �s�a�f�e�t�y� � �i�n� �t�h�e�o�r�y� �a�t� �l�e�a�s�t��¡z��g��7�� E�� +�� g�� U��ó��î��)��¨ ��Availability�� L�i�k�e� �a�n�y� �l�a�n�g�u�a�g�e�,� �y�o�u� �h�a�v�e� �t�o� � k�i�c�k� �t�h�e� �t�i�r�e�s� :� �w�w�w�.�r�e�s�e�a�r�c�h�.�a�t�t�.�c�o�m�/�p�r�o�j�e�c�t�s�/�c�y�c�l�o�n�e� � �A�l�s�o� �s�e�e�:� �J�a�n�.� �2�0�0�5� �C�/�C�+�+� �U�s�e�r� s� �J�o�u�r�n�a�l� �U�S�E�N�I�X� �2�0�0�2� � �C�o�n�v�e�r�s�e�l�y�,� �I� �w�a�n�t� �t�o� �k�n�o�w� �N�A�S�A� s� �C�-�l�e�v�e�l� �c�o�d�e� �n�e�e�d�s� �M�a�y�b�e� �i�d�e�a�s� �f�r�o�m� �C�y�c�l�o�n�e� �w�i�l�l� �h�e�l�p� �M�a�y�b�e� �n�o�t� �E�i�t�h�e�r� �w�a�y� �w�o�u�l�d� �b�e� �f�a�s�c�i�n�a�t�i�n�g� ��¡¢��1��'�� +��5��-��!��1��%��Ì�fþ�� +��ª��1��Ì��/�ð¨��ó��^��ó��Å��%��ó��Ð��&��ó��è��'��ó��é��(��ó��ï��)��P��ÿÿÿ��ê��r��è¼��õ��í�Ä¼�ºB��ô��C��èÖ��é(��à��8��Ø�� òú��/�È ��0�Ò��Õ0��·D��T�i�m�e�s� �N�e�w� �R�o�m�a�n��äÓy´Õ�Õ�ì 0��´Õ�Wo 0��·D��A�r�i�a�l��N�e�w� �R�o�m�a�n��äÓy´Õ�Õ�ì 0��´Õ�Wo 0�" �·D��C�o�u�r�i�e�r� �N�e�w��m�a�n��äÓy´Õ�Õ�ì 0��´Õ�Wo 0�10�·D��W�i�n�g�d�i�n�g�s��w��m�a�n��äÓy´Õ�Õ�ì 0��´Õ�Wo 0��¤ ��`��ÿÿÿÿ��¥ ��.��© �� @�£n��ÿý?��" ��d��d��@��ÿÿï��ÿÿÿÿÿÿ�� @@��``�� ðü��ð��@��u��-��/�� /��7��Z��M��)�� @��-��8��0��c�� /��/��2�� +�� $��3�� )��:��1��3��#�� 2��ð0��A��¿��À��ÅA��ÿ��p�ñ��ÿ3��Ìf�Ì�f�ÿÿ�ÿf�ÿ��@�ñ��÷��ð8��ó��ó��ÐÝ��ððn�Ê;Ç�Ê;��úg��þ��ý4��O��d��O��d��ì 0��¨Õ��¤þÿÿ¬ÿÿÿ��p�û��p��p�û��@��<��ý4��!��d��!��d��® 0dÙ��ÐÔy��<��ý4��d��d��d��d��® 0dÙ��ÐÔy��<��ý4��B��d��B��d��® 0dÙ��ÐÔy��ÿ�� Z��0��º��_�_�_�P�P�T�1�0�� À��À��º��_�_�_�P�P�T�9��ü��®ô��¯��¬l��ÿÿ��ÿÿ��ÿÿ��¯��¬X��ÿÿ��?�Ùd��Ú��-��º��1�1� �J�a�n�u�a�r�y� �2�0�0�5� �º*��D�a�n� �G�r�o�s�s�m�a�n�:� �C�y�c�l�o�n�e�O�Ù ��Ú��=��ðÛu��ó��¨4��Cyclone: A Memory-Safe C-Level Programming Language ��¡"��5��3�� Ì�fþ��¨¬��Dan Grossman University of Washington Joint work with: Trevor Jim AT&T Research Greg Morrisett Harvard University Michael Hicks University of Maryland��¡:��'��(��&��Ì�fþ��ó��Â��¨��A safe C-level language��¨ �� Cyclone is a programming language and compiler aimed at safe systems programming C is not memory safe: void f(int* p, int i, int v) { p[i] = v; } Address p+i might hold important data or code Memory safety is crucial for reasoning about programs ��¡��S��9��h��:��ÿ3�þ��ÿ3�þ�� þ��þ��þ��þ�� $�� 6��ó��Ã�� "��C�a�l�l�e�r� s� �p�r�o�b�l�e�m�?��ª��¨Ã�� void g(void**, void*); int y = 0; int *z = &y; g(&z,0xBAD); *z = 123; Might be safe, but not if g does *x=y Type of g enough for code generation Type of g not enough for safety checking��¡$��N�� v�� þ��þ ��þ!��%��ª>�� s��&�� ó��ë��'��¨��Safe low-level systems��¨8��For a safety guarantee today, use YFHLL Your Favorite High Level Language YFHLL provides safety in part via: hidden data fields and run-time checks automatic memory management Data representation and resource management are essential aspects of low-level systems There are strong reasons for C-like languages��¡��(��#��#��D��$��Y��.��(��Ì�fþ��Ì�fþ��Ì�fþ��Ì�fþ��Ì�fþ��#��ÿ3�þ!�� ÿ3�þ��0�� ÿ3�þ��-��ó��ì��(��¨��Some insufficient approaches�� ®��C�o�m�p�i�l�e� �C� �w�i�t�h� �e�x�t�r�a� �i�n�f�o�r�m�a�t�i�o�n� �t�y�p�e� �f�i�e�l�d�s�,� �s�i�z�e� �f�i�e�l�d�s�,� �l�i�v�e�-�p�o�i�n�t�e�r� �t�a�b�l�e�,� �& �t�r�e�a�t�s� �C� �a�s� �a� �h�i�g�h�e�r�-�l�e�v�e�l� �l�a�n�g�u�a�g�e� � �U�s�e� �s�t�a�t�i�c� �a�n�a�l�y�s�i�s� �v�e�r�y� �d�i�f�f�i�c�u�l�t� �l�e�s�s� �m�o�d�u�l�a�r� � �B�a�n� �u�n�s�a�f�e� �f�e�a�t�u�r�e�s� �t�h�e�r�e� �a�r�e� �m�a�n�y� �y�o�u� �n�e�e�d� �t�h�e�m��¡��!��U��!��T�� ó��Ç��¨��Cyclone in brief�� *��A� �s�a�f�e�,� �c�o�n�v�e�n�i�e�n�t�,� �a�n�d� �m�o�d�e�r�n� �l�a�n�g�u�a�g�e� � �a�t� �t�h�e� �C� �l�e�v�e�l� �o�f� �a�b�s�t�r�a�c�t�i�o�n� �S�a�f�e�:� �m�e�m�o�r�y� �s�a�f�e�t�y�,� �a�b�s�t�r�a�c�t� �t�y�p�e�s�,� �n�o� �c�o�r�e� �d�u�m�p�s� � �C�-�l�e�v�e�l�:� �u�s�e�r�-�c�o�n�t�r�o�l�l�e�d� �d�a�t�a� �r�e�p�r�e�s�e�n�t�a�t�i�o�n� �a�n�d� �r�e�s�o�u�r�c�e� �m�a�n�a�g�e�m�e�n�t�,� �e�a�s�y� �i�n�t�e�r�o�p�e�r�a�b�i�l�i�t�y�,� � m�a�n�i�f�e�s�t� �c�o�s�t� � �C�o�n�v�e�n�i�e�n�t�:� �m�a�y� �n�e�e�d� �m�o�r�e� �t�y�p�e� �a�n�n�o�t�a�t�i�o�n�s�,� �b�u�t� �w�o�r�k� �h�a�r�d� �t�o� �a�v�o�i�d� �i�t� � �M�o�d�e�r�n�:� �a�d�d� �f�e�a�t�u�r�e�s� �t�o� �c�a�p�t�u�r�e� �c�o�m�m�o�n� �i�d�i�o�m�s� � � N�e�w� �c�o�d�e� �f�o�r� �l�e�g�a�c�y� �o�r� �i�n�h�e�r�e�n�t�l�y� �l�o�w�-�l�e�v�e�l� �s�y�s�t�e�m�s� ��¡ô��G��Z��Z�6��Z��Z�F��ÿ��þ��ÿ��þ��.�� e�� ;�� '��6��ó��È��¨��The plan from here�� ê��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �B�e�n�c�h�m�a�r�k�s�,� �p�o�r�t�s�,� �s�y�s�t�e�m�s�,� �c�o�m�p�i�l�e�r�,� �& �A�l�l� �o�n� �E�a�r�t�h� �s�o� �f�a�r� �Jð �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� � �R�e�a�l�l�y� � j�u�s�t� �a� �t�a�s�t�e� �o�f� �C�y�c�l�o�n�e��¡Â��Z�>��Z�)��Z�(��Z�-��Z�"��Z��<�� (��-��"��ó��É��¨��Status�� ®�� C�y�c�l�o�n�e� �r�e�a�l�l�y� �e�x�i�s�t�s� �(�e�x�c�e�p�t� �m�e�m�o�r�y�-�s�a�f�e� �t�h�r�e�a�d�s�)� � �>�1�5�0�K� �l�i�n�e�s� �o�f� �C�y�c�l�o�n�e� �c�o�d�e�,� �i�n�c�l�u�d�i�n�g� �t�h�e� �c�o�m�p�i�l�e�r� � �g�c�c� �b�a�c�k�-�e�n�d� �(�L�i�n�u�x�,� �C�y�g�w�i�n�,� �O�S�X�,� �M�i�n�d�s�t�o�r�m�,� �& )� � �U�s�e�r� s� �m�a�n�u�a�l�,� �m�a�i�l�i�n�g� �l�i�s�t�s�,� �& � �S�t�i�l�l� �a� �r�e�s�e�a�r�c�h� �v�e�h�i�c�l�e� � � ��¡À��4��¢��3��4�� 0�� ª�� ?��ó��Ê��¨ ��Evaluation��¨æ�� Is Cyclone like C? port code, measure source differences interface with C code (extend systems) What is the performance cost? port code, measure slowdown Is Cyclone good for low-level systems? write systems, ensure scalability ��¡Ê��" ��N��" ��'��" ��"��N�� '��"��ó��Ë�� ¨��Code differences��¨��Porting not automatic, but quite similar Many changes identify arrays and lengths Some changes incidental (absent prototypes, new keywords)��¡��ó��Ì�� ¨��Run-time performance��¨Ð��RHLinux 7.1 (2.4.9), 1.0GHz PIII, 512MRAM, gcc2.96 -O3, glibc 2.2.4 Comparable to other safe languages to start C level provides important optimization opportunities Understanding the applications could help��¡L��E��D��,��6��*��ó��Í��¨��Larger program: the compiler��¨Ö�� Scalable compiler + libraries (80K lines) build in < 30secs Generic libraries (e.g., lists, hashtables) clients have no syntactic/performance cost Static safety helps exploit the C-level I use &x more than in C ��¡¼�� 4��,��,��(�� 3�� ,��+�� (�� ó��Î�� ¨��Other projects��¨o��Open Kernel Environment [Bos/Samwel, OPENARCH 02] MediaNet [Hicks et al, OPENARCH 03]: RBClick [Patel/Lepreau, OPENARCH 03] STP [Patel et al., SOSP 03] FPGA synthesis [Teifel/Manohar, ISACS 04] Maryland undergrad O/S course (geekOS) [2004] Windows device driver (6K lines) Only 100 lines left in C But unrecoverable failures & other kernel corruptions remain ��¡��P�W��P��P�� '�� !��W��ªt�� =��,��ó��Ò��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡z��A��(��-��(��-��ó��Ó��¨��Not-null pointers��ª ��ó��Ô��¨��Example�� ê��F�I�L�E�*� �f�o�p�e�n�(�c�o�n�s�t� �c�h�a�r�@�,� �c�o�n�s�t� �c�h�a�r�@�)�;� �i�n�t� �f�g�e�t�c�(�F�I�L�E�@�)�;� �i�n�t� �f�c�l�o�s�e�(�F�I�L�E�@�)�;� �v�o�i�d� �g�(�)� �{� � � �F�I�L�E�*� �f� �=� �f�o�p�e�n�(� f�o�o� ,� � r� )�;� � � �i�n�t� �c�;� � � �w�h�i�l�e�(�(�c� �=� �f�g�e�t�c�(�f�)�)� �!�=� �E�O�F�)� �{�& }� � � �f�c�l�o�s�e�(�f�)�;� �}� � �G�i�v�e�s� �w�a�r�n�i�n�g� �a�n�d� �i�n�s�e�r�t�s� �o�n�e� �n�u�l�l�-�c�h�e�c�k� �E�n�c�o�u�r�a�g�e�s� �a� �h�o�i�s�t�e�d� �c�h�e�c�k��¡Ü��±��Z�E��Z��þ ��þ ��þ��þ ��þQ��D��ª�� a��ó��Õ��¨��A classic moral��¨L��FILE* fopen(const char@, const char@); int fgetc(FILE@); int fclose(FILE@); ��¡��M��þ ��þ ��þ �� ª,��1�� ó��Ö��!��¨��Key Design Principles in Action��¨K��Types to express invariants Preconditions for arguments Properties of values in memory Flow analysis where helpful Lets users control explicit checks Soundness + aliasing limits usefulness Users control data representation Pointers are addresses unless user allows otherwise Often can interoperate with C more safely just via types��¡°��Z�;��Z��Z�J��Z�"��Z�4��Z�9��Z��;��#��'��"��4��9��ª$��R��ñ��ó��ò��.�� (��I�t� s� �a�l�w�a�y�s� �a�l�i�a�s�i�n�g��¨¿��But can avoid checks when compiler knows all aliases. Can know by: Types: precondition checked at call site Flow: new objects start unaliased Else user should use a temporary (the safe thing)��¡ ��C��}��À��ª�� 3��ó��ó��/�� (��I�t� s� �a�l�w�a�y�s� �a�l�i�a�s�i�n�g��¨¿��But can avoid checks when compiler knows all aliases. Can know by: Types: precondition checked at call site Flow: new objects start unaliased Else user should use a temporary (the safe thing)��¡ ��C��}��À��ª�� 3��ó��ñ��-��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡p��A��(��-��*��(��-��ó��Ø�� (�� C�h�a�n�g�e� �v�o�i�d�*� �t�o� �`�a� ��¡:��¨��struct Lst { void* hd; struct Lst* tl; }; struct Lst* map( void* f(void*), struct Lst*); struct Lst* append( struct Lst*, struct Lst*);��¡\�� ;��þ1��þ!��ó��Ù��¨��Not much new here��¨��Closer to C than C++, Java generics, ML, etc. Unlike functional languages, data representation may restrict `a to pointers, int why not structs? why not float? why int? Unlike templates, no code duplication or leaking implementations Unlike objects, no need to tag data��¡Ú��/��S��)��f��/��"��N��"��c��"��"��c��"��c��"�� "�� f��"��ª��¦��i��ó��Ú��¨��Existential types�� P�r�o�g�r�a�m�s� �n�e�e�d� �a� �w�a�y� �f�o�r� � c�a�l�l�-�b�a�c�k� �t�y�p�e�s�:� � � � � � �s�t�r�u�c�t� �T� �{� � � � � � �v�o�i�d� �(�*�f�)�(�v�o�i�d�*�,� �i�n�t�)�;� � � � � � �v�o�i�d�*� �e�n�v�;� � � �}�;� � �W�e� �u�s�e� �a�n� �e�x�i�s�t�e�n�t�i�a�l� �t�y�p�e� �(�s�i�m�p�l�i�f�i�e�d�)�:� � � � � � � �s�t�r�u�c�t� �T� �{� �<�`�a�>� � � � � � �v�o�i�d� �(�@�f�)�(�`�a�,� �i�n�t�)�;� � � � � � �`�a� �e�n�v�;� � � �}�;� � �m�o�r�e� �C�-�l�e�v�e�l� �t�h�a�n� �b�a�k�e�d�-�i�n� �c�l�o�s�u�r�e�s�/�o�b�j�e�c�t�s� ��¡��+��Z�A��0��Z��Z�*��Z�A��0��Z��,��8��Z��Z�+��>��"�� ÿ��þ��g��ÿ��þ��G��ÿ��þ��g��ÿ3�þ ��g��ÿ3�þ��,�� "��ó��Û��¨��Regions�� a�.�k�.�a�.� �z�o�n�e�s�,� �a�r�e�n�a�s�,� �& � �E�v�e�r�y� �o�b�j�e�c�t� �i�s� �i�n� �e�x�a�c�t�l�y� �o�n�e� �r�e�g�i�o�n� � �A�l�l�o�c�a�t�i�o�n� �v�i�a� �a� �r�e�g�i�o�n� �h�a�n�d�l�e� � �D�e�a�l�l�o�c�a�t�e� �a�n� �e�n�t�i�r�e� �r�e�g�i�o�n� � �s�i�m�u�l�t�a�n�e�o�u�s�l�y� � � �(�c�a�n�n�o�t� �f�r�e�e� �a�n� �o�b�j�e�c�t�)� � �O�l�d� �i�d�e�a� �w�i�t�h� �r�e�c�e�n�t� �s�u�p�p�o�r�t� �i�n� �l�a�n�g�u�a�g�e�s� �(�e�.�g�.�,� �R�C�,� �R�T�S�J�)� � �a�n�d� �i�m�p�l�e�m�e�n�t�a�t�i�o�n�s� �(�e�.�g�.�,� �M�L� �K�i�t�)��¡²��|��Z�*��Z��Z�_��Z��&��7�� _��ª>��`��F��.�� %��ó��Ü��¨��Cyclone regions [PLDI 02]��¡�� h�e�a�p� �r�e�g�i�o�n�:� �o�n�e�,� �l�i�v�e�s� �f�o�r�e�v�e�r�,� �c�o�n�s�e�r�v�a�t�i�v�e�l�y� �G�C� d� �s�t�a�c�k� �r�e�g�i�o�n�s�:� �c�o�r�r�e�s�p�o�n�d� �t�o� �l�o�c�a�l�-�d�e�c�l�a�r�a�t�i�o�n� �b�l�o�c�k�s�:� � �{�i�n�t� �x�;� �i�n�t� �y�;� �s�}� �g�r�o�w�a�b�l�e� �r�e�g�i�o�n�s�:� �s�c�o�p�e�d� �l�i�f�e�t�i�m�e�,� �b�u�t� �g�r�o�w�a�b�l�e�:� � � � �{�r�e�g�i�o�n� �r�;� �s�}� � �a�l�l�o�c�a�t�i�o�n� �r�o�u�t�i�n�e�s� �t�a�k�e� �a� �r�e�g�i�o�n� �h�a�n�d�l�e� � �h�a�n�d�l�e�s� �a�r�e� �f�i�r�s�t�-�c�l�a�s�s� �c�a�l�l�e�r� �d�e�c�i�d�e�s� �w�h�e�r�e�,� �c�a�l�l�e�e� �d�e�c�i�d�e�s� �h�o�w� �m�u�c�h� �n�o� �h�a�n�d�l�e�s� �f�o�r� �s�t�a�c�k� �r�e�g�i�o�n�s��¡��m��4��B�� K�� (��*��þ��þ��#��þ��"��.��ÿ3�þ��ªb��,��1��\��ó��Ý�� (��T�h�a�t� s� �t�h�e� �e�a�s�y� �p�a�r�t��¨c��The implementation is really simple because the type system statically prevents dangling pointers ��¡h��d�� ÿ��þ��ó��Þ��¨��The big restriction�� Î��A�n�n�o�t�a�t�e� �a�l�l� �p�o�i�n�t�e�r� �t�y�p�e�s� �w�i�t�h� �a� �r�e�g�i�o�n� �n�a�m�e� �(�a� �t�y�p�e� �v�a�r�i�a�b�l�e� �o�f� �r�e�g�i�o�n� �k�i�n�d�)� � �i�n�t�@�`�r� �m�e�a�n�s� � p�o�i�n�t�e�r� �i�n�t�o� �t�h�e� �r�e�g�i�o�n� �c�r�e�a�t�e�d� �b�y� �t�h�e� �c�o�n�s�t�r�u�c�t� �t�h�a�t� �i�n�t�r�o�d�u�c�e�s� �`�r� �h�e�a�p� �i�n�t�r�o�d�u�c�e�s� �`�H� � �L�:�& �i�n�t�r�o�d�u�c�e�s� �`�L� �{�r�e�g�i�o�n� �r�;� �s�}� �i�n�t�r�o�d�u�c�e�s� �`�r� � �r� �h�a�s� �t�y�p�e� �r�e�g�i�o�n�_�t�<�`�r�>� � �c�o�m�p�i�l�e�-�t�i�m�e� �c�h�e�c�k�:� �o�n�l�y� �l�i�v�e� �r�e�g�i�o�n�s� �a�r�e� �a�c�c�e�s�s�e�d� �b�y� �d�e�f�a�u�l�t�,� �f�u�n�c�t�i�o�n� �a�r�g�u�m�e�n�t�s� �p�o�i�n�t� �t�o� �l�i�v�e� �r�e�g�i�o�n�s� ��¡��P��S��$��B��²�� 3��5��"��"�� G��g��I��"��c��"��b��c��"��c�� "��c��g��þ��c�� "��c��"�� "�� c� �� "�� c� �� c� �� 3��b��5��b��c��ªP��¡��'��'��j��ó��ß��¨��Region polymorphism�� ø��A�p�p�l�y� �w�h�a�t� �w�e� �d�i�d� �f�o�r� �t�y�p�e� �v�a�r�i�a�b�l�e�s� �t�o� �r�e�g�i�o�n� �n�a�m�e�s� �(�o�n�l�y� �i�t� s� �m�o�r�e� �i�m�p�o�r�t�a�n�t� �a�n�d� �c�o�u�l�d� �b�e� �m�o�r�e� �o�n�e�r�o�u�s�)� � �v�o�i�d� �s�w�a�p�(�i�n�t� �@�`�r�1� �x�,� �i�n�t� �@�`�r�2� �y�)�{� � � �i�n�t� �t�m�p� �=� �*�x�;� � � �*�x� �=� �*�y�;� � � �*�y� �=� �t�m�p�;� �}� � �i�n�t�@�`�r� �s�u�m�p�t�r�(�r�e�g�i�o�n�_�t�<�`�r�>� �r�,�i�n�t� �x�,�i�n�t� �y�)�{� � � �r�e�t�u�r�n� �r�n�e�w�(�r�)� �(�x�+�y�)�;� �}��¡B��k��M�� E��k��C��G��þ��C��g��c��g��þ��c��g��c��g��þ ��c��g��þ ��c��C��C�� g� ��ÿ��þ�� c� �� g� ��þ �� c� �� g� ��ÿ��þ�� c� �� g� ��þ�� c� �� g� ��þ�� c� �� g� ��þ�� c� ��ª,��Ó��ó��à��¨��Type definitions��¨K��struct ILst<`r1,`r2> { int@`r1 hd; struct ILst<`r1,`r2> *`r2 tl; }; ��¡ ��L�� C��g��ÿ��þ��C�� g� ��ÿ��þ��C��g��ÿ��þ��C��g��ÿ��þ�� C� ��$g�$��ÿ��þ��(C�(��,g�,��ÿ��þ ��0C�0��0��0��ó��á�� ¨��Region subtyping�� Ò��I�f� �p� �p�o�i�n�t�s� �t�o� �a�n� �i�n�t� �i�n� �a� �r�e�g�i�o�n� �w�i�t�h� �n�a�m�e� �`�r�1�,� �i�s� �i�t� �e�v�e�r� �s�o�u�n�d� �t�o� �g�i�v�e� �p� �t�y�p�e� �i�n�t�*�`�r�2�?� � �I�f� �s�o�,� �l�e�t� � �i�n�t�*�`�r�1� �<� �i�n�t�*�`�r�2� � �R�e�g�i�o�n� �s�u�b�t�y�p�i�n�g� �i�s� �t�h�e� �o�u�t�l�i�v�e�s� �r�e�l�a�t�i�o�n�s�h�i�p� � � �{�r�e�g�i�o�n� �r�1�;� �& �{�r�e�g�i�o�n� �r�2�;� �& }� �& �}� � �L�I�F�O� �m�a�k�e�s� �s�u�b�t�y�p�i�n�g� �c�o�m�m�o�n� � ��¡$��[��M��!��g��ÿ��þ�� g� ��ÿ��þ�� C��g��ÿ��þ��o��ÿ��þçÿ��G��C��g��ÿ��þ��n��ÿ��þçÿ��o��ÿ��þçÿ�� B�� F�� B�� $�� C� �� B�� C� �� ª>��ª�� ó��â��"��¨��Regions evaluation��ª�� Æ��L�I�F�O� �r�e�g�i�o�n�s� �g�o�o�d� �f�o�r� �s�o�m�e� �i�d�i�o�m�s� �a�w�k�w�a�r�d� �i�n� �C� �R�e�g�i�o�n�s� �g�e�n�e�r�a�l�i�z�e� �s�t�a�c�k� �v�a�r�i�a�b�l�e�s� �a�n�d� �t�h�e� �h�e�a�p� �D�e�f�a�u�l�t�s� �a�n�d� �i�n�f�e�r�e�n�c�e� �m�a�k�e� �i�t� �s�u�r�p�r�i�s�i�n�g�l�y� �p�a�l�a�t�a�b�l�e� �W�o�r�s�t� �p�a�r�t�:� �d�e�f�i�n�i�n�g� �r�e�g�i�o�n�-�a�l�l�o�c�a�t�e�d� �d�a�t�a� �s�t�r�u�c�t�u�r�e�s� �C�y�c�l�o�n�e� �a�c�t�u�a�l�l�y� �h�a�s� �m�u�c�h� �m�o�r�e� �[�I�S�M�M� �0�4�]� �N�o�n�-�L�I�F�O� �r�e�g�i�o�n�s� � U�n�i�q�u�e� �p�o�i�n�t�e�r�s� �E�x�p�l�i�c�i�t�l�y� �r�e�f�e�r�e�n�c�e�-�c�o�u�n�t�e�d� �p�o�i�n�t�e�r�s� �A� � u�n�i�f�i�e�d� �s�y�s�t�e�m� ,� �n�o�t� �n� �s�u�b�l�a�n�g�a�g�e�s� ��¡��/��x�f��6��)��p��/��f��6�� a�� ª��W��ó��ã��#��¨��The plan from here�� ,��E�x�p�e�r�i�e�n�c�e� �w�i�t�h� �C�y�c�l�o�n�e� �N�o�t�-�N�U�L�L� �p�o�i�n�t�e�r�s� �T�y�p�e�-�v�a�r�i�a�b�l�e� �e�x�a�m�p�l�e�s� �g�e�n�e�r�i�c�s� �r�e�g�i�o�n�-�b�a�s�e�d� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t� �B�r�i�e�f� �v�i�e�w� �o�f� � e�v�e�r�y�t�h�i�n�g� �e�l�s�e� �R�e�l�a�t�e�d� �w�o�r�k� ��¡p��A��(��-��A��(�� ó��ä��$��¨��Other safety holes�� J��A�r�r�a�y�s� �(�w�h�a�t� �o�r� �w�h�e�r�e� �i�s� �t�h�e� �s�i�z�e�)� �O�p�t�i�o�n�s�:� �d�y�n�a�m�i�c� �b�o�u�n�d�,� �i�n� �a� �f�i�e�l�d�/�v�a�r�i�a�b�l�e�,� �c�o�m�p�i�l�e�-�t�i�m�e� �b�o�u�n�d�,� �s�p�e�c�i�a�l� �s�t�r�i�n�g� �s�u�p�p�o�r�t� �T�h�r�e�a�d�s� �(�a�v�o�i�d�i�n�g� �r�a�c�e�s�)� �v�a�p�o�r�w�a�r�e� �t�y�p�e� �s�y�s�t�e�m� �t�o� �e�n�f�o�r�c�e� �l�o�c�k�-�b�a�s�e�d� �m�u�t�u�a�l� �e�x�c�l�u�s�i�o�n� �C�a�s�t�s� �A�l�l�o�w� �o�n�l�y� � u�p� �c�a�s�t�s� �a�n�d� �c�a�s�t�s� �t�o� �n�u�m�b�e�r�s� �U�n�i�o�n�s� �C�h�e�c�k�e�d� �t�a�g�s� �o�r� �b�i�t�s�-�o�n�l�y� �f�i�e�l�d�s� �U�n�i�n�i�t�i�a�l�i�z�e�d� �d�a�t�a� �F�l�o�w� �a�n�a�l�y�s�i�s� �(�s�a�f�e�r� �a�n�d� �e�a�s�i�e�r� �t�h�a�n� �d�e�f�a�u�l�t� �i�n�i�t�i�a�l�i�z�e�r�s�)� �V�a�r�a�r�g�s� �(�s�a�f�e� �v�i�a� �c�h�a�n�g�e�d� �c�a�l�l�i�n�g� �c�o�n�v�e�n�t�i�o�n�)��¡î��#��X��=��+��!��;��.��#��X��=��+�� !�� ;��.��ª>�� A��'��ó��å��%��¨��And modern conveniences�� æ��3�0� �y�e�a�r�s� �a�f�t�e�r� �C�,� �s�o�m�e� �t�h�i�n�g�s� �a�r�e� �w�o�r�t�h� �a�d�d�i�n�g�& � �T�a�g�g�e�d� �u�n�i�o�n�s� �a�n�d� �p�a�t�t�e�r�n� �m�a�t�c�h�i�n�g� �o�n� �t�h�e�m� �I�n�t�r�a�p�r�o�c�e�d�u�r�a�l� �t�y�p�e� �i�n�f�e�r�e�n�c�e� �T�u�p�l�e�s� �(�l�i�k�e� �a�n�o�n�y�m�o�u�s� �s�t�r�u�c�t�s�)� �E�x�c�e�p�t�i�o�n�s� �S�t�r�u�c�t� �a�n�d� �a�r�r�a�y� �i�n�i�t�i�a�l�i�z�e�r�s� �N�a�m�e�s�p�a�c�e�s� �n�e�w� �f�o�r� �a�l�l�o�c�a�t�i�o�n� �+� �i�n�i�t�i�a�l�i�z�a�t�i�o�n� ��¡Z��0��x�Ã��0�� "��ª>��{�� H��ó��ê��&��¨��Plenty of work remains��¨Ó��Common limitations: Aliasing Arithmetic Unportable assumptions (But interoperating with C is much simpler than in a HLL) Big challenge for next generation: guarantees beyond fail-safe (i.e., graceful abort)��¡X��,��:��Y��^��r��ª��(�� ¢��ó��Ï��¨��Related work: making C safer�� Ê��C�o�m�p�i�l�e� �t�o� �m�a�k�e� �d�y�n�a�m�i�c� �c�h�e�c�k�s� �p�o�s�s�i�b�l�e� �S�a�f�e�-�C� �[�A�u�s�t�i�n� �e�t� �a�l�.�]�,� �R�T�C� �[�Y�o�n�g�/�H�o�r�w�i�t�z�]�,� �.�.�.� �P�u�r�i�f�y�,� �S�t�a�c�k�g�u�a�r�d�,� �E�l�e�c�t�r�i�c� �F�e�n�c�e�,� �& �C�C�u�r�e�d� �[�N�e�c�u�l�a� �e�t� �a�l�.�]� �p�e�r�f�o�r�m�a�n�c�e� �v�i�a� �w�h�o�l�e�-�p�r�o�g�r�a�m� �a�n�a�l�y�s�i�s� �l�e�s�s� �u�s�e�r� �b�u�r�d�e�n� �l�e�s�s� �m�e�m�o�r�y� �m�a�n�a�g�e�m�e�n�t�,� �s�i�n�g�l�e�-�t�h�r�e�a�d�e�d� � �C�o�n�t�r�o�l�-�C� �[�A�d�v�e� �e�t� �a�l�.�]� �w�e�a�k�e�r� �g�u�a�r�a�n�t�y�,� �l�e�s�s� �b�u�r�d�e�n� � �S�F�I� �[�W�a�h�b�e�,� �S�m�a�l�l�,� �.�.�.�]�:� �s�a�n�d�b�o�x�i�n�g� �v�i�a� �b�i�n�a�r�y� �r�e�w�r�i�t�i�n�g� ��¡ð��(��Z�m��Z�`��Z�p��Z��Z�(��1��`�� #�� ª>��@��a��ó��í��*��¨��Related Work: Checking C code�� `��M�o�d�e�l�-�c�h�e�c�k�i�n�g� �C� �c�o�d�e� �(�S�L�A�M�,� �B�L�A�S�T�,� �& )� �L�e�v�e�r�a�g�e�s� �s�c�a�l�a�b�i�l�i�t�y� �o�f� �M�C� �K�e�y� �i�s� �a�u�t�o�m�a�t�i�c� �b�u�i�l�d�i�n�g� �a�n�d� �r�e�f�i�n�i�n�g� �o�f� �m�o�d�e�l� �A�s�s�u�m�e�s� �(�w�e�a�k�)� �m�e�m�o�r�y� �s�a�f�e�t�y� �L�i�n�t�-�l�i�k�e� �t�o�o�l�s� �(�S�p�l�i�n�t�,� �M�e�t�a�l�,� �P�r�e�F�I�X�,� �& )� �G�o�o�d� �a�t� �r�e�d�u�c�i�n�g� �f�a�l�s�e� �p�o�s�i�t�i�v�e�s� �C�a�n�n�o�t� �e�n�s�u�r�e� �a�b�s�e�n�c�e� �o�f� �b�u�g�s� �M�e�t�a�l� �p�a�r�t�i�c�u�l�a�r�l�y� �g�o�o�d� �f�o�r� �u�s�e�r�-�d�e�f�i�n�e�d� �c�h�e�c�k�s� �C�q�u�a�l� �(�u�s�e�r�-�d�e�f�i�n�e�d� �q�u�a�l�i�f�i�e�r�s�,� �l�o�t�s� �o�f� �i�n�f�e�r�e�n�c�e�)� � �B�e�t�t�e�r� �f�o�r� �u�n�c�h�a�n�g�e�a�b�l�e� �c�o�d�e� �o�r� �u�s�e�r�-�d�e�f�i�n�e�d� �c�h�e�c�k�s� � �(�i�.�e�.�,� �t�h�e�y� r�e� �c�o�m�p�l�e�m�e�n�t�a�r�y�)��¡Î��'��Z�i��Z�+��Z�o��Z�4��Z�S��Z�'��L��+��!��H��3�� S��ªP��s��6��t��,��T��ó��ð��,��¨��Related work: higher and lower�� ¸��A�d�a�p�t�e�d�/�e�x�t�e�n�d�e�d� �i�d�e�a�s�:� �p�o�l�y�m�o�r�p�h�i�s�m� �[�M�L�,� �H�a�s�k�e�l�l�,� �& ]� �r�e�g�i�o�n�s� �[�T�o�f�t�e�/�T�a�l�p�i�n�,� �W�a�l�k�e�r� �e�t� �a�l�.�,� �& ]� �s�a�f�e�t�y� �v�i�a� �d�a�t�a�f�l�o�w� �[�J�a�v�a�,� �& ]� �e�x�i�s�t�e�n�t�i�a�l� �t�y�p�e�s� �[�M�i�t�c�h�e�l�l�/�P�l�o�t�k�i�n�,� �& ]� �c�o�n�t�r�o�l�l�i�n�g� �d�a�t�a� �r�e�p�r�e�s�e�n�t�a�t�i�o�n� �[�A�d�a�,� �M�o�d�u�l�a�-�3�,� �& ]� � �S�a�f�e� �l�o�w�e�r�-�l�e�v�e�l� �l�a�n�g�u�a�g�e�s� �[�T�A�L�,� �P�C�C�,� �& ]� �e�n�g�i�n�e�e�r�e�d� �f�o�r� �m�a�c�h�i�n�e�-�g�e�n�e�r�a�t�e�d� �c�o�d�e� � �V�a�u�l�t�:� �s�t�r�o�n�g�e�r� �p�r�o�p�e�r�t�i�e�s� �v�i�a� �r�e�s�t�r�i�c�t�e�d� �a�l�i�a�s�i�n�g� ��¡��Á��)��'��4��À��)��&��4��ó��Ñ��¨��Summary�� ò��C�y�c�l�o�n�e�:� �a� �s�a�f�e� �l�a�n�g�u�a�g�e� �a�t� �t�h�e� �C�-�l�e�v�e�l� �o�f� �a�b�s�t�r�a�c�t�i�o�n� � �S�y�n�e�r�g�i�s�t�i�c� �c�o�m�b�i�n�a�t�i�o�n� �o�f� �t�y�p�e�s�,� �f�l�o�w� �a�n�a�l�y�s�i�s�,� �a�n�d� �r�u�n�-�t�i�m�e� �c�h�e�c�k�s� � �A� �r�e�a�l� �c�o�m�p�i�l�e�r� �a�n�d� �p�r�o�t�o�t�y�p�e� �a�p�p�l�i�c�a�t�i�o�n�s� � �P�r�o�p�e�r�t�i�e�s� �l�i�k�e� � n�o�t� �N�U�L�L� ,� � h�a�s� �l�o�n�g�e�r� �l�i�f�e�t�i�m�e� ,� � h�a�s� �a�r�r�a�y� �l�e�n�g�t�h� & �n�o�w� �i�n� �t�h�e� �l�a�n�g�u�a�g�e� �a�n�d� �c�h�e�c�k�e�d� � �E�a�s�y� �i�n�t�e�r�o�p�e�r�a�b�i�l�i�t�y� �w�i�t�h� �C� �a�l�l�o�w� �s�m�o�o�t�h� �a�n�d� �i�n�c�r�e�m�e�n�t�a�l� �m�o�v�e� �t�o�w�a�r�d� �m�e�m�o�r�y� �s�a�f�e�t�y� � �i�n� �t�h�e�o�r�y� �a�t� �l�e�a�s�t��¡z��g��7�� E�� +�� g�� U��ó��î��)��¨ ��Availability�� L�i�k�e� �a�n�y� �l�a�n�g�u�a�g�e�,� �y�o�u� �h�a�v�e� �t�o� � k�i�c�k� �t�h�e� �t�i�r�e�s� :� �w�w�w�.�r�e�s�e�a�r�c�h�.�a�t�t�.�c�o�m�/�p�r�o�j�e�c�t�s�/�c�y�c�l�o�n�e� � �A�l�s�o� �s�e�e�:� �J�a�n�.� �2�0�0�5� �C�/�C�+�+� �U�s�e�r� s� �J�o�u�r�n�a�l� �U�S�E�N�I�X� �2�0�0�2� � �C�o�n�v�e�r�s�e�l�y�,� �I� �w�a�n�t� �t�o� �k�n�o�w� �N�A�S�A� s� �C�-�l�e�v�e�l� �c�o�d�e� �n�e�e�d�s� �M�a�y�b�e� �i�d�e�a�s� �f�r�o�m� �C�y�c�l�o�n�e� �w�i�l�l� �h�e�l�p� �M�a�y�b�e� �n�o�t� �E�i�t�h�e�r� �w�a�y� �w�o�u�l�d� �b�e� �f�a�s�c�i�n�a�t�i�n�g� ��¡¢��1��'�� +��5��-��!��1��%��Ì�fþ�� +��ª��1��Ì��/�ð¨��ó��^��ó��Å��%��ó��Ð��&��ó��è��'��ó��é��(��ó��ï��)��P��ÿÿÿ��ê��r��îB��õ��í�ÊB�ÌÈ��ô��C��

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4