OK. Here's a *completely* different form of memory safety to kick around. GC, regions, ARC, and unique pointers provide several guarantees, some of which we take for granted and fail to consider:
- No object is reclaimed while an outstanding pointer exists. - At the moment of allocation, no pointer exists to the object. - Space, once reclaimed, can be coalesced so as to support very cheap allocation (not true for ARC). - Space, once reclaimed, can be reused to implement an object having a different size. So these mechanisms are both "memory safe" and "alias safe" (to coin a term) - there are no outstanding aliases at allocation time. Some time back, Vikram Adve was looking at ways to do safe deallocation in C. One of his ideas was to impose a constraint on the allocator subsystem: any memory chunk having an outstanding live pointer is not permitted to change type. The result is type safe and memory safe, but not alias safe. The behavior of free() changes as follows: - The target of free(T*) causes the target object to be placed in the pool of available objects of type T, from which it can be reallocated. - The runtime makes no attempt to ensure that the target memory is unreferenced. This preserves memory safety, but it has unfortunate implications for aliases. Still, for certain kinds of programs this might be a reasonable model. We can imagine (for debugging purposes) embedding a small version number in the pointers and the target object header, and using a continuous incremental background mark pass that would nullify invalid pointers of this kind. Alternatively, we could imagine using fat pointers for such objects, and *always* checking the version number on dereference. shap
_______________________________________________ bitc-dev mailing list [email protected] http://www.coyotos.org/mailman/listinfo/bitc-dev
