A general framework for certifying garbage collectors and their mutators

Garbage-collected languages such as Java and C# are becoming more and more widely used in both high-end software and real-time embedded applications. The correctness of the GC implementation is essential to the reliability and security of a large portion of the world's mission-critical software. Unfortunately, garbage collectors--especially incremental and concurrent ones--are extremely hard to implement correctly. In this paper, we present a new uniform approach to verifying the safety of both a mutator and its garbage collector in Hoare-style logic. We define a formal garbage collector interface general enough to reason about a variety of algorithms while allowing the mutator to ignore implementation-specific details of the collector. Our approach supports collectors that require read and write barriers. We have used our approach to mechanically verify assembly implementations of mark-sweep, copying and incremental copying GCs in Coq, as well as sample mutator programs that can be linked with any of the GCs to produce a fully-verified garbage-collected program. Our work provides a foundation for reasoning about complex mutator-collector interaction and makes an important advance toward building fully certified production-quality GCs.
