# A type system for safe memory management and its proof of correctness

## Summary (2 min read)

### 1 Introduction

- Most functional languages abstract the programmer from the memory management done by programs at run time.
- Well-known problems are dangling references, undesired sharing with complex side effects, and polluting memory with garbage.
- A small difference with these approaches is that, in Safe, region allocation and deallocation are synchronized with function calls instead of being introduced by a special language construct.
- Inside the function, data structures may be built but they can also be destroyed by using a destructive pattern matching denoted by !.
- The type system shown in this paper copes with all these features to avoid dangling pointers.

### 3 Operational Semantics

- In Figure 2 the authors show the big-step operational semantics of the core language expressions.
- Destroying a cell p (by destructive pattern matching) may create dangling pointers in the live heap, since other live cells may still contain free occurrences of p. Rule App shows when a new region is allocated.
- In function types returning a data structure (DS), the region arguments ρl, of which there may be several, form a subset of the result's regions ρm.
- Inside a condemned type, type variables may be instantiated with safe or condemned types.
- The operators on type environments used in the typing rules are shown in Fig.

### 5.1 Absence of Dangling Pointers due to Cell Destruction

- The intuitive idea of a variable x being typed with a safe type s is that all the cells in h reachable from E(x) are also safe, and they must be disjoint from unsafe cells.
- The idea behind a condemned variable x is that all variables (including itself) and all live cells sharing any of its recursive descendants are unsafe.
- The correctness of the sharing analysis mentioned in Section 4 has been proved elsewhere and it is not the subject of this paper, but the authors need it in order to prove the correctness of the whole type system.
- By analogy, a final configuration (s, v, h′) is good whenever closed(v, h′) holds.
- The authors then conclude that well-typed Safe programs never produce dangling pointers at runtime.

### 5.2 Correctness of Region Deallocation

- This section proves that the structure returned by the function call does not reside in self.
- The union of region instantiations (denoted by ∪) is defined only if they bind common type region variables to the same region, that is, they do not contradict each other.
- Dangling pointers are never accessed by a program (Sec 5.1).
- Now the authors define a notion of consistency between the variables belonging to a variable environment E. Intuitively it means that the correspondences between region type variables and concrete regions of each element of dom(E) do not contradict each other.
- Since the type system (see rule [FUNB] in Fig. 5) enforces that the variable ρself does not occur in the type of the function result, no data structure returned by the function call has cells in self.
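The two results summarised in 5.1 and 5.2 rest on the same runtime notion, closed(v, h): a value is good when every pointer reachable from it denotes a live cell. The following Python model is an added example, not code from the paper or from the Safe compiler. The heap representation, the region names ("self" for the callee's working region, "r" for the caller's), the way the [FUNB] side condition is checked and both scenarios are assumptions made here for illustration.

```python
# Added illustrative model, not the paper's formalisation or the Safe
# implementation: a heap of cells tagged with regions, the goodness predicate
# closed(v, h) from Sec. 5.1, and two constructed scenarios mirroring the two
# results summarised above (cell destruction, region deallocation).
from dataclasses import dataclass


@dataclass
class Cell:
    region: str        # region the cell lives in; "self" is the callee's working region
    children: list     # pointers (cell ids) held by this cell


class Heap:
    """Live heap h: cell id -> Cell. Freed ids simply disappear from the map."""

    def __init__(self):
        self.cells = {}
        self._next = 0

    def alloc(self, region, children=()):
        p = self._next
        self._next += 1
        self.cells[p] = Cell(region, list(children))
        return p

    def destroy(self, p):
        """Destructive pattern matching (the ! construct): free a single cell p."""
        del self.cells[p]

    def dealloc_region(self, region):
        """Function return: free every cell of the callee's working region."""
        for p in [q for q, c in self.cells.items() if c.region == region]:
            del self.cells[p]


def reachable(v, heap):
    """All pointers reachable from v, including dangling ones (ids not in heap.cells)."""
    seen, stack = set(), [v]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        if p in heap.cells:
            stack.extend(heap.cells[p].children)
    return seen


def closed(v, heap):
    """closed(v, h): every pointer reachable from v denotes a live cell of h."""
    return all(p in heap.cells for p in reachable(v, heap))


def unsafe_after_condemning(x, env, heap):
    """Sec. 5.1 intuition: once x is condemned, x itself and every variable whose
    structure shares one of x's recursive descendants must be treated as unsafe."""
    desc = reachable(env[x], heap)
    return {y for y, v in env.items() if reachable(v, heap) & desc}


def cell_destruction_scenario():
    """Constructed example: xs = 1:tail and ys = 0:tail share the cell `tail`.
    Destroying xs's cells leaves ys dangling, so ys cannot be typed safe."""
    h = Heap()
    tail = h.alloc("r")            # the shared cell
    xs = h.alloc("r", [tail])      # xs = 1 : tail
    ys = h.alloc("r", [tail])      # ys = 0 : tail
    env = {"xs": xs, "ys": ys}
    unsafe = unsafe_after_condemning("xs", env, h)
    h.destroy(xs)                  # xs is condemned: its spine is destroyed
    h.destroy(tail)
    return unsafe, closed(ys, h)


def region_deallocation_scenario(result_in_self):
    """Constructed example of a call (Sec. 5.2): the callee gets a fresh working
    region self, builds a temporary there, and builds its result either in the
    caller's region r (rho_self absent from the result type, as [FUNB] demands)
    or, wrongly, in self. On return self is deallocated and the result is checked."""
    h = Heap()
    result_type_regions = {"rho_self"} if result_in_self else {"rho_r"}
    static_ok = "rho_self" not in result_type_regions   # the [FUNB] side condition
    tmp = h.alloc("self")                               # temporary structure in self
    reg = "self" if result_in_self else "r"
    result = h.alloc(reg, [h.alloc(reg)])               # a two-cell result structure
    h.dealloc_region("self")                            # callee returns
    return static_ok, closed(result, h), tmp in h.cells


if __name__ == "__main__":
    print(cell_destruction_scenario())             # ({'xs', 'ys'}, False)
    print(region_deallocation_scenario(False))     # (True, True, False)
    print(region_deallocation_scenario(True))      # (False, False, False)
```

In the first scenario the sharing check marks both xs and ys unsafe before anything is freed, which is exactly why a variable sharing a recursive descendant of a condemned one cannot keep a safe type. In the second, the static check on the result type and the runtime predicate agree: when ρself is kept out of the result type, the temporary dies with self while the result stays closed; when it is not, the returned structure is dangling as soon as the call returns.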

### 6 Examples

- Now the authors consider the concatD, treesort and treesortD functions defined in Sec. 2.
- The desugared versions of their definitions are shown in Fig.
- The first column is the result of the region inference phase, which inserts the @r annotations into the code.
- Temporary structures are assigned the working region self.
- To type its body, rule [LET2] is now applied, since xs′ is destroyed in the treesortD call.

##### Citations

21 citations

### Cites methods from "A type system for safe memory manag..."

...Safe [25, 26] suggests a simpler region inference algorithm by restricting the language to a first-order functional language....

[...]

20 citations

### Cites background from "A type system for safe memory manag..."

...More interesting is the definition of a type system [6, 7] guaranteeing that destruction facilities can be used in a safe way....

[...]

...The main correctness requirement is that the annotated type of each function can be assigned to the corresponding annotated function in the type system defined in [6]....

[...]

...Some of its analyses have been presented elsewhere [4, 6, 7]....

[...]

...This feature and the type system allowing to use it in a safe way have been explained in previous papers [6, 7]....

[...]

...Intuitively, it means that the correspondences between region type variables and concrete regions of each element of dom(E) do not contradict each other, that is, the results of each build(h,E(x),Γ (x)), where x ∈ dom(E) are well-defined, and also is their union, which we call the witness of this consistency relation (see [6] for a formal definition)....

[...]

##### References

2,964 citations

### "A type system for safe memory manag..." refers methods in this paper

...Isabelle/HOL....

[...]

...We are also working in the code generation and certification phases, trying to express the correctness proofs of our analyses as certificates which could be mechanically proof-checked by the proof assistant Isabelle [16]....

[...]


1,799 citations

### "A type system for safe memory manag..." refers background in this paper

...The language is targeted to mobile code applications with limited resources in a Proof Carrying Code framework [14, 15]....

[...]

640 citations

### Additional excerpts

...Tofte and Talpin [20] introduced in ML-Kit, a variant of ML, the use of nested regions by means of a letregion construct....

[...]


...A difficulty with the original Tofte and Talpin's system is the fact that regions have nested lifetimes....

[...]

...[20] M. Tofte and J.-P. Talpin....

[...]

519 citations

### "A type system for safe memory manag..." refers background in this paper

...Our safety type system has some characteristics of linear types (see [21] as a basic reference)....

[...]

397 citations

### "A type system for safe memory manag..." refers background in this paper

...The language is targeted to mobile code applications with limited resources in a Proof Carrying Code framework [14, 15]....

[...]