Abstract
In modern runtime systems, memory layout calculations are hand-coded in systems languages. Primitives in these languages are not powerful enough to describe a rich set of layouts, leading to reliance on ad-hoc macros, numerous interrelated static constants, and other boilerplate code. Memory management policies must also carefully orchestrate their application of address calculations in order to modify memory cooperatively, a task ill-suited to low-level systems languages at hand which lack proper safety mechanisms.

In this paper we introduce Floorplan, a declarative language for specifying high level memory layouts. Constraints formerly implemented by describing how to compute locations are, in Floorplan, defined declaratively using explicit layout constructs. The challenge here was to discover constructs capable of sufficiently enabling the automatic generation of address calculations. Floorplan is implemented as a compiler for generating a Rust library. In a case study of an existing implementation of the immix garbage collection algorithm, Floorplan eliminates 55 out of the 63 unsafe lines of code: 100% of unsafe lines pertaining to memory safety.

Keywords Memory Management, Runtime Systems

1 Introduction
The design of a memory manager is often hidden away in the runtime system and rarely discussed the way more prominent language features, such as syntax and semantics, are. A number of factors contribute to this state of affairs. First, each implementation of a managed language typically has its own memory manager, built from scratch, resulting in an almost total absence of shared code. Second, runtime system code is difficult to comprehensively understand: low-level and intricate, with a premium placed on performance. Finally, crucial design elements are often buried in the code, such as in simple yet pervasive pointer arithmetic and bitwise manipulations. These operations have ramifications on design elements across the entire system. As a result, these design elements are intrinsically hard to get correct the first time, and hard to diagnose when they are incorrect. Without a specification of these design elements, properties of a memory management algorithm are difficult or impossible to check and reason about formally. Documentation, when present, is in the form of informal and often inaccurate or ambiguous comments. Traditional memory safety tools [17] fall short because they typically assume that the memory allocator is allocating memory correctly in the first place.

In this work we take a first step toward remedying this situation: we present a declarative, domain-specific language (DSL), called Floorplan, for describing the structure of a heap as laid out by a memory manager. Floorplan is inspired by PADS [10], a language for describing ad hoc data file formats. A Floorplan specification looks like a grammar, augmented with memory management specific features. Floorplan provides powerful ways to specify the sizes, alignments, and relationships among chunks of memory, resulting in very compact descriptions. The key idea is that any correct state of the heap can be represented as a string (a sequence of bytes or tokens) derivable from a Floorplan grammar. Grammars are a natural choice because they match the configuration of most modern memory managers, which comprise layers of code that carve up memory into smaller and smaller pieces. Every [1], [2], [5], [6], [8], [11], [12], [13], [15], [16], memory manager we’ve studied exhibits this allocation scheme.

Note that Floorplan does not attempt to capture the policy details of any particular memory management algorithm. The closest Floorplan gets to capturing policy details is in its ability to logically connect multiple pieces of memory, e.g.
a bit map representing allocated cells in a block. The Floorplan compiler generates the low-level mechanisms — pointer calculations, bit masking, etc. — that the developer calls in order to implement some memory management policy. For example, the Floorplan compiler automates the synthesis of constants and pointer calculations for accessing an object liveness bitmap while saying nothing about how liveness or reachability are computed. Ongoing future work aims to leverage Floorplan specifications to debug algorithmic errors resulting in memory corruption. Such temporal errors are not easily detectable with frameworks like Valgrind [17] and PIN [14]. These frameworks can be leveraged more methodically with a layout specification language like Floorplan.

1.1 Contributions

To summarize, this work makes the following contributions:

- A declarative specification language based in part on a novel formalization of union types in Section 5. Floorplan allows users to express a memory layout as a specification, defining the spatial relationships among one or more system-defined types of memory.
- The Floorplan specification of the layout of a state-of-the-art garbage collection algorithm: immix as implemented in Rust.
- Formal rules for translating surface syntax to a core expression language, and a denotational semantics for how to reduce a memory layout to a set of trees with bytes at their leaves.
- A Floorplan compiler targeting Rust.
- Boilerplate reduction and memory safety results from integrating a Floorplan specification with the Rust implementation of immix [13].

2 Motivation

Spatial layout is fundamental to the problem of dynamic memory management. Memory managers employ a variety of layout schemes to carve up raw memory, and each scheme is influenced by the particular algorithm being implemented. Great care goes into designing a layout which permits highly efficient operation of crucial layout operations. For example, a generational garbage collector might be laid out such that the nursery is in a lower part of memory than the older space. This choice allows the write barrier to be implemented exclusively with address comparisons. Similarly, a free-list allocator might divide pages into cells of equal size, like an array, with a bit map of free cells at the start of each page. This design allows the meta-data to be found by simply masking off the low bits of any cell address; the corresponding bit can then be computed easily by dividing the low bits of the address by the cell size. These optimizations improve performance, but are only valid if the layout permits them.

Software maintenance. In all the memory managers we’ve studied, spatial layout is only formally expressed by the code that implements it. Figure 1 is a typical example, taken from MMTk [7], the memory management toolkit. Notice, in particular, the calculation of the hash code mask – clearly, great care is required to write, modify, and maintain such code. While MMTk is among the most meticulously engineered of memory managers, this memory manager consists of boilerplate code in excess of 2,399 lines of address arithmetic calculations as per the following bash command:

```
$ find MMTk/ rvm/ -name *.java -exec egrep \-e "\.(zero|isZero|diff|store|load)\(" \| wc -l
```

2399

Static typing. A common problem in the memory management field occurs when a memory manager is implemented with generic pointer types exhibiting memory-related bugs. Often such generic pointers are distinguishable based on their value. Suspicious pointer values are manually detected based on intrinsic properties, such as alignment checks and assertions pertaining to relationships with other known in-memory structures, e.g. containing blocks and regions.

Complicating matters further, specialized pointer types need not even be distinguishable from one another by value dynamically. For example the Rust code in Figure 2 shows code implementing a block of memory cells. This code operates over memory with raw address types, and consists of numerous address calculations on generic pointer types. By this design, the address of the start of a block is the same as the address of the first cell in that block. Code that uses this class could call either method — it does not matter which. If the layout changed, though, for example by adding a bit
map, then the methods would be different. Code that calls the `block.start()` method expecting a pointer to a cell would now fail at runtime in confusing ways. These failures motivate the approach of generating specialized address types.

Dynamic typing. In a runtime system the configuration of the heap changes over time in highly mechanistic, and largely superficial, ways. For example, the heap’s configuration changes when a piece of addressable memory in the heap changes type. This results in new offset and address calculations being allowed on that address. These calculations are used to implement various allocation schemes which combine, carve up, or interchange pieces of memory.

Some allocation schemes combine multiple operating system level pieces of memory into larger pieces of memory. For example, multiple contiguous pages can be combined to form a single block. This combination is typically implemented with a simple multiplication or bit-shifting operation.

Other allocation schemes carve a single piece of memory into multiple subcomponents. For example, a block may be carved up into cells, with a bitmap at the beginning of the block. Carving up of memory is typically implemented with a simple offset added to an address, and a subsequent bounds check address comparison to detect block overflow.

Finally some allocation schemes define two or more pointer types to be interchangeable. For example, a cell of memory is either allocated or free, with differing internal layouts. A free cell controlled by a doubly-linked list policy typically contains two pointers. Accesses to a free cell must therefore be implemented with an offset addition to the cell’s base address. Such core layout operations are simple in isolation, yet the design choices describing their composition are complex.

Efficiency. Address calculations need to behave such that an amortized analysis of an allocation scheme yields a highly efficient implementation. Existing handwritten calculations exhibit this efficiency, so generating address calculations to semantically and stylistically match handwritten code makes sense. Precise control over the form of generated code ensures efficiency-motivated size, alignment, and padding invariants hold. Generating code also forgoes the manual writing of numerous lines of stylistically similar code.

Existing memory managers lack precise and formal specifications of their memory layouts. Memory managers can benefit from support for various forms of analysis, debugging, and code generation which this work tackles. In this paper we take a generative approach: we describe a specification language, its translation to a core calculus, and a compiler for generating Rust code.

3 Language overview with examples

The most fundamental operation in memory management is to take an unstructured piece of memory and to give it structure through demarcation. Demarcation is the dividing up of a layer of memory into a partitioning of components. Multiple layers of memory form an allocation hierarchy.

In order to allocate a piece of memory, a memory manager tracks metadata distinguishing a free piece from the same allocated piece. The state of this piece of memory, free or allocated, determines its layout. Existing systems written in C model this behavior with unions. For example, the first word of a free-list based allocator’s free piece might contain a pointer, while that same word of memory once allocated might contain an object header. In order to access this allocated object’s payload, a memory manager calculates the payload’s offset from the base of the containing piece of memory. The ordering of fields in this piece of memory, header and payload, define its layout. Existing systems often model the ordering of fields with offset constants. For example, a memory manager computes the location of a payload in terms of the size of its header. In this section, we introduce Floorplan with similarly motivated examples.

Grammar 1, below, through Grammar 4 specify the syntactic constructs of a Floorplan specification in EBNF form. For a quick reference guide on how to read a Floorplan specification, refer to Figure 3. The grammars below are inline.

Figure 2. Abbreviated snippet of Rust code from an implementation of immix [13].

Figure 3. Informal semantics of constructs and operators in Floorplan. Bar and Baz represent arbitrary (demarc-val) values, FOO and BAR represent state flags of an (enum), Foo represents an identifier, and sz is some (size-arith).
figures, which we recommend inspecting in the order they are presented before reading the remainder of this section.

**Grammar 1:** Literal lexemes. Layers & fields are types, forms represent natural numbers, and flags for enums.

\[
\langle \text{layer-id} \rangle ::= \text{[A-Z][a-zA-Z]...} \quad \langle \text{literal} \rangle ::= \langle \text{bin} \rangle | \langle \text{int} \rangle \\
\langle \text{field-id} \rangle ::= \text{[a-z][a-zA-Z]...} \quad \langle \text{bin} \rangle ::= 0b[01]+ \\
\langle \text{formal-id} \rangle ::= \text{[a-zA-Z][a-zA-Z]...} \quad \langle \text{int} \rangle ::= [0-9]+ \\
\langle \text{flag-id} \rangle ::= \text{[A-Z][A-Z]...} \quad \langle \text{prim} \rangle ::= \langle \text{bits} \rangle | \langle \text{bytes} \rangle \\
\quad | \langle \text{words} \rangle | \langle \text{pages} \rangle
\]

**Grammar 2:** Arithmetic language for memory sizes.

\[
\langle \text{lit-arith} \rangle ::= \langle \text{literal} \rangle | (' (\langle \text{lit-arith} \rangle ')') \\
\quad | (\langle \text{lit-arith} \rangle \langle \text{lit-arith-op} \rangle \langle \text{lit-arith} \rangle) \\
\langle \text{lit-arith-op} \rangle ::= \langle + \rangle | \langle - \rangle | \langle * \rangle | \langle / \rangle | \langle ** \rangle \\
\langle \text{size-arith} \rangle ::= \langle \text{lit-arith} \rangle? \langle \text{prim} \rangle \langle (\langle \text{size-arith} \rangle \rangle \langle \langle \text{size-arith} \rangle \rangle) \\
\quad | (\langle \text{size-arith} \rangle \langle \text{size-arith-op} \rangle \langle \text{size-arith} \rangle) \\
\langle \text{size-arith-op} \rangle ::= \langle + \rangle | \langle - \rangle
\]

**Grammar 3:** Layers of memory with annotated magnitudes, alignments, simultaneous annotations (\langle magAlign \rangle), scoped formal parameter declarations, and containment (\langle contains \rangle) compiler annotation hints1.

\[
\langle \text{layer-simple} \rangle ::= \langle \text{layer-id} \rangle？(\langle \text{formal} \rangle)？\langle \langle \text{mag} \rangle \rangle? \langle \langle \text{align} \rangle \rangle? \langle \langle \text{magAlign} \rangle \rangle? \langle \langle \text{formal} \rangle \rangle? \langle \langle \text{contains} \rangle \rangle?
\]

**Grammar 4:** Demarcatable atomic units of memory.

\[
\langle \text{demarc-val} \rangle ::= (\langle \# \rangle | \langle \text{formal} \rangle)? (\langle \langle \text{enum} \rangle | \langle \text{bits} \rangle | \langle \text{union} \rangle \\
\quad | \langle \text{seq} \rangle | \langle \langle \text{ptr} \rangle \rangle | \langle \text{size-arith} \rangle | \langle \langle \text{macro} \rangle \rangle)
\]

\[
\langle \text{seq} \rangle ::= \langle \text{seq} \rangle (\langle \langle \text{demarc} \rangle \rangle | (\langle \langle \text{field} \rangle \rangle | (\langle \text{layer} \rangle | (\langle \text{demarc-val} \rangle)
\]

\[
\langle \text{union} \rangle ::= \langle \text{union} \rangle (\langle \langle \text{field} \rangle \rangle | (\langle \text{layer} \rangle | (\langle \text{demarc} \rangle)
\]

\[
\langle \text{demarc} \rangle ::= \langle \langle \text{field} \rangle \rangle (\langle \langle \text{field} \rangle \rangle | (\langle \text{bits} \rangle | (\langle \text{bits} \rangle | (\langle \langle \text{enum} \rangle | (\langle \langle \text{bits} \rangle | (\langle \langle \text{bits} \rangle | (\langle \langle \text{bits} \rangle | (\langle \langle \text{bits} \rangle)
\]

3.1 What is a Floorplan demarcation

In Grammar 4 we introduced the syntactic form for the notion of a demarcation. A demarcation is a partition2 of a layer of a heap. A boundary position in memory defining the partition of two or more \langle layer \rangle and \langle field \rangle types may (and often does) coincide with another layer’s boundary.

For instance in our block-containing-cells motivating example (Figure 2) the beginning boundary of a block coincides with the boundary of that block’s first cell. We can encode this memory layout as follows:

\[
\text{Cell} \rightarrow \langle \text{seq} \rangle (\langle \text{Header} \rangle \rightarrow 1 \text{\ \\ \text{words}, \ \ \ \text{Payload} \rightarrow 7 \text{\ \ \ \text{words} }) \\
\text{Block} \rightarrow \langle \langle \langle \langle 2 \times 16 \text{\ \ \ \text{bytes} \rangle \rangle \rangle \rangle \rightarrow \# \text{\ \ \ \text{Cell}}
\]

This code declares a block of cells with total size \(2^{16}\) bytes. The "#" operator indicates that the Cell declaration should be repeated as many times as necessary in order to exactly fill the total size. The Cell reference on the last line of F1 parses as a (\langle macro \rangle) expression3 which must reference a top-level (\langle layer-id \rangle) declaration of the specification file (.flp filename extension). A (\langle macro \rangle) expression is syntactically replaced with its corresponding declaration.

From the layout in F1 the compiler generates specialized address types for pointers to a Cell, Header, Payload, and Block respectively. For safety reasons, a memory manager must only be able to cast from a Block address to a Cell address and not to, say, a Payload address. Therefore the compiler generates (simplified here) Rust code identical in purpose to that of Figure 2:

\[
\text{public struct CellAddr(usize)}; \\
\text{public struct HeaderAddr(usize)}; \\
\text{public struct PayloadAddr(usize)}; \\
\text{impl BlockAddr(usize)}; \\
\text{impl BlockAddr} ( \\
\text{pub fn get_first_cell(\&self) \rightarrow CellAddr ( \\
\text{CellAddr::from_usize(\&self.as_usize()) }) })
\]

While this code is implementable by hand, the compiler systematically enforces which conversions are memory-safe. Memory-safety in Floorplan is heavily influenced by where

---

1These instruct the compiler to generate functions for converting to the containing \langle layer-id \rangle and vice-versa when memory alignments permit.

2Including finitely many partitions of size zero.

3Macros are not formally specified: they are a pre-processing pass to the compiler. Recursive macros are forbidden.
coinciding boundaries occur. These occur wherever two (layer) or (field) declarations are nested inside of one another under one condition: the nested path traverses neither the tail of a (seq) nor (demarc-val) annotated with a repetition. Under this condition, Floorplan semantics (Section 5) guides the compiler in generating safe address conversions. Statically unsafe conversions are disallowed by construction.

3.2 Implementing bit-fields and repetitions

A header word on an object in a memory manager typically relies on intricately implemented offset constants to function, like back in Figure 1. For example, we might want to modify the Header portion of Code F1 to support bit-level manipulation in a traditional mark-sweep garbage collector:

```rust
Header @| words| @ -> bits {
    MARK : 1 bits, REF : 7 bits,
    UNUSED : (1 words - 1 bytes) }
```

(F2)

First, Code F2 constrains the alignment of header words to start on a @| words|@ boundary. In addition, the memory manager needs to be able to access (read and write) the contents of the MARK and REF bits in order to mark and record the location of pointers in the payload, respectively. To facilitate this requirement, the compiler generates, e.g., the following constants and accessors:

Offset constants generated from Code F2

```rust
struct HeaderAddr(usize);

impl HeaderAddr {
    pub const MARK_LOW_BIT : usize = 0;
    pub const MARK_NUM_BITS : usize = 1;
    pub const MARK_MASK : u8 = 0b00000001;
    pub const REF_LOW_BIT : usize = 1;
    pub const REF_NUM_BITS : usize = 7;
    pub const REF_MASK : u8 = 0b11111110;
    pub fn set_MARK_bit(&self, val : bool) {
        self.store!:<u8>({val as u8})
    }
    pub fn get_MARK_bit(&self) -> bool {
        (self.load!:<u8>() as bool)
    }
}
```

(R2)

Furthermore, a memory manager must be able to allocate pointers in the payload and mark their location in the REF field. For example, the layout can dictate that pointer fields in an application object comprise the first n words of the payload by replacing the Payload in F1 with:

```rust
Payload ||7 words|| -> seq {
    refs: # (Cell ptr), rem: # (1 words)
}
```

(F3)

Notice here that the two “#” operators act together to fill the necessary space (7 words) available to them. Code F3 denotes 8 distinct layouts: the number of permutations by which two natural numbers can sum to 7. These permutations include (0 pointers, 7 words), (1 pointer, 6 words), and so on until (7 pointers, 0 words). In order to allocate some number of pointers, the compiler needs to give us a way to access the refs field of a Payload, allocate a new pointer to the rem field, and allocate an additional cell pointer. Code R3 below exhibits these functions:

Allocation pattern generated from Code F3

```rust
impl PayloadAddr {
    pub fn cast_payload_to.refs(&self) -> RefsAddr {
        // #1
        RefsAddr(self.as_usize())
    }
    pub fn init_rem_after.refs(p1: RefsAddr, bytes: usize) -> RemAddr {
        // #2
        debug_assert!(bytes%BYTES_IN.Pointer==0);
        p1.plus::<RemAddr>(bytes)
    }
    pub fn bump_new_Cell_ptr(rhs: RemAddr) -> (CellAddr, RemAddr) {
        // #3
        (rhs.plus(0), rhs.plus(BYTES_IN.Pointer))
    }
}
```

Take for granted that we have access to the PayloadAddr of some cell. Function #1 above accesses the refs field of our payload. From this address we can initialize, with #2, the remainder (rem) to start zero bytes after the start of the payload. With #3 we can then allocate a new pointer with our RemAddr returned by #2. To allocate more pointers we iterate as necessary over #3, because #3 returns an updated RemAddr. The compiler knows to generate this allocation pattern because two adjacent fields each contain a repetition.

3.3 Implementing union types

In contrast to Code F3, we might want a more permissive object field layout where pointer fields can appear in any order in the payload. For example:

```rust
Payload ||7 words|| -> # union (Cell ptr | (1 words))
```

(F4)

In F4, the “#” operator acts to fill precisely 7 words of memory. In doing so, this particular “#” operates equivalently to the POSIX Extended Regular Expression (ERE) limited repetition expression (a|b)*. As with this regex, F4 denotes \(2^7 = 128\) distinct layouts: the number of permutations (with repeats) of the elements of the union fitting into 7 words. If instead we made a typo and wrote \((10 \text{ words})\) in place of \((1 \text{ words})\), the compiler reports to us a consistency warning: the \((10 \text{ words})\) branch of the union in F4 is dead code which does not contribute to a valid payload.

3.4 Implementing lookup tables

A memory manager often relies on metadata in lookup tables and byte maps. To indicate the relationship between metadata and memory it describes, the same (formal-id), cnt, can logically link two or more pieces of memory.
Code F5 implements a 16-word size-class block of memory, with a byte map at the end of each block. Note that macro expressions are curried, so only the first argument need be expanded on the last line above. The compiler generates functions capable of translating between a cell and its corresponding byte entry in the map. For example in order to update the byte entry of some cell, we can call the set function in Code R5 on that cell’s address, along with the value we want the map to remember:

Mapping code generated from Code F5

```rust
default immix heap is half a gigabyte of memory: 8000

Dozens more functions are generated alongside set() in Code R5. We struggled to define meaningful naming schemes for generated address-types. For example Cell_16 above comes from the (macro) expressions on the third and fourth lines of Code F5. Code R5 also exemplifies generated debugging assertions. Again, while these assertions can be manually written, formally deriving the largely trivial ones such as these bounds checks is feasible.

4 Study: Immix in Rust

In this section, Figure 4 introduces the notion of a demarcation diagram and Figure 5 shows the Floorplan specification of immix in Rust. For a precise handling of Floorplan semantics, see Section 5. Throughout this section subscripts on words indicate line numbers in Figure 5.

4.1 Immix specification

Figure 5 shows the Floorplan specification for the Rust implementation [13] of the immix garbage collection algorithm. The heap is represented as a Region, parametrized by three formal arguments: the number of blocks, lines, and number of words in the region. Note that once num_blocks is fixed, the other two take on fixed values. This constraint we have made is self-imposed, and not a part of Floorplan semantics. We debated including a version of the union operator which enforces size-equivalence of constituents, but decided against it for simplicity reasons: two flavors of the union operator arguably degrades comprehensibility.

A Region, layer consists of a single Space followed by some metadata fields for marking lines, looking up reference bytes, and setting mark bits. RefBits and MarkBits both represent bit-fields which consume one byte of memory. Note that bit order for a RefBits is defined such that the OBL_START bit occurs at a less significant bit than the REF bit. SHORT_ENCODE is the least significant (ones) bit.

Notice here that a block of memory is annotated with the fact that it contains lines. The annotation indicates to the Floorplan compiler that it should generate code for converting between a Line and its containing Block, and vice versa. The conditions under which this code gets generated relies on the presence of known sizes and alignments for lines and blocks respectively.

In this [13] version of immix, objects do not have a header word. Instead each cell’s corresponding RefBits in the ref slots array tracks which words of memory in the Space correspond to the start of an object. OBJ_START. The implementation of the immix algorithm determines how many heap references are in some cell by looking up the first 4 bits of the corresponding REF field of that cell’s RefBits.
5.1 Concrete value semantics

We represent an instance of a memory layout as a tree, as in Figure 6. Addresses are natural numbers representing locations in a flat addressable sequence of bytes. A value is a rooted binary tree with leaves each representing either zero or one byte. Trees may be interspersed with named "N" components, mapping directly back to named types in a Floorplan specification, as will become apparent by the semantics in the following Section 5.2. A finite set of trees represents a concrete type of memory.

An in-order traversal over a tree defines the order in which bytes at the leaves of the tree occur contiguously in memory. Finally, leaves(v) computes the number of 1-byte leaves in the tree as defined below, equivalent to the number of bytes the tree consumes in memory.

<table>
<thead>
<tr>
<th>leaves(1 bytes)</th>
<th>leaves(0 bytes)</th>
<th>leaves(T v1 v2)</th>
<th>leaves(N ℓ v)</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>0</td>
<td>leaves(v1) + leaves(v2)</td>
<td>leaves(v)</td>
</tr>
</tbody>
</table>

5.1.1 Example: the trees of a specification

Before introducing the core calculus, take the following Floorplan declaration:

\[ K^{<n>} | | 5 \text{ bytes} | \rightarrow \text{seq} \left( \begin{array}{l} \text{hd} : n \ (1 \text{ bytes}), \\ \text{tl} : n \ \text{seq} \ (1f : 1 \text{ bytes}, \ \text{rgt} : \# \text{ bytes}) \end{array} \right) \]

This code represents the three distinct memory layouts as depicted in Figure 7, one for each feasible assignment of natural numbers to \( n \) and the "#". The \( n = 0 \) case is not feasible because that case consumes \( 0 \neq 5 \) bytes. Similarly the \( n = 3 \) case is not feasible because the \( \text{hd} \) consumes 3 bytes and the \( \text{tl} \) consumes at least 5 bytes, one for each copy of \( 1f \), which sums to at least 6 \( \neq 5 \) bytes. Formally, for constants \( n, i \in \mathbb{N} \), memory layout instances must satisfy the following constraint satisfaction \([3]\) equation:

\[ n + \sum_{i=0}^{n-1} n \ast (1 + \#_i) = 5 \quad (5.1) \]

Equation 5.1 above was written by hand, and is not formally synthesized by the compiler. We will see in Section 5.2.1 how to reduce Code F6 to tree \( K_0 \) from Figure 7.

5.2 Abstract expression semantics

Now we define the core expression language as in Figure 8. Each expression \( e \) denotes a memory layout. A memory layout has a corresponding (possibly empty) set of values \( v \) representing a type \( \tau \) computable by the memory layout modeling function \( y \) in Figure 9. A primitive expression (Prim \( n \)) denotes a contiguous (possibly empty) sequence of \( n \) bytes. Similarly, a constrained expression (Con \( n \ e \)) denotes

\[ \text{Subscripts}_1 \text{on}_2 \text{words}_3 \text{correspond to lines in Figure 9} \]
the same fixed value. This feature causes a Floorplan specified multiple times. Each reference must also take on a contiguous sequence of \( n \) bytes, but only for the (possibly non-existent) memory layout instances for which the substructure denoted by \( e \) fits precisely into \( n \) bytes. An aligned expression \( (e \circ \hat{a}) \) denotes a memory layout for which the address of the first byte of memory of the layout must be a natural number multiple of \( \hat{a} \) bytes.

The remaining operators are the concatenation “+” and union “||” binary operators, as well as name binding with \( y := e \). A concatenation of two expressions denotes the contiguous layout of sequence\( \circ \ circ \) of those two expressions. A union of two expressions denotes a left-most aligned instance of either the first or the second expression. A named expression \( y := e \) binds the name \( y \) to the expression \( e \). An existentially quantified expression \( \exists f . e \) brings the variable \( f \) into scope in the subexpression \( e \).

A variable on a repetition, the \( f \) in \((f \# e)\), may be referenced multiple times. Each reference must also take on the same fixed value. This feature causes a Floorplan specification (i.e. grammar) to be non-regular: there exist Floorplan grammars which fail the Pumping Lemma.

\[
\begin{array}{c}
\text{Core calculus} \\
\text{Nats} & n, m, c & \in & \mathbb{N} \\
\text{Alignment} & \hat{a} & \in & \mathbb{N}^+ \\
\text{Exp} & e & ::= & \text{Prim } n \mid \text{Con } n \mid e \circ \hat{a} \\
& & & | e_1 + e_2 \mid e_1 \parallel e_2 \mid y := e \mid \exists f . e \\
& & & | f \# e \\
\text{Size} & \delta & ::= & m \\
\text{Environment} & \theta & ::= & \{ f \mapsto n \} \\
\text{Config} & \chi & ::= & (\alpha, \delta, e)
\end{array}
\]

a contiguous sequence of \( n \) bytes, but only for the (possibly non-existent) memory layout instances for which the substructure denoted by \( e \) fits precisely into \( n \) bytes. An aligned expression \( (e \circ \hat{a}) \) denotes a memory layout for which the address of the first byte of memory of the layout must be a natural number multiple of \( \hat{a} \) bytes.

The remaining operators are the concatenation “+” and union “||” binary operators, as well as name binding with \( y := e \). A concatenation of two expressions denotes the contiguous layout of sequence\( \circ \ circ \) of those two expressions. A union of two expressions denotes a left-most aligned instance of either the first or the second expression. A named expression \( y := e \) binds the name \( y \) to the expression \( e \). An existentially quantified expression \( \exists f . e \) brings the variable \( f \) into scope in the subexpression \( e \).

A variable on a repetition, the \( f \) in \((f \# e)\), may be referenced multiple times. Each reference must also take on the same fixed value. This feature causes a Floorplan specification (i.e. grammar) to be non-regular: there exist Floorplan grammars which fail the Pumping Lemma.

\[
\begin{array}{c}
\text{Memory layout model } \bar{\gamma} \\
1 & \bar{\gamma}(\alpha, m, \theta, e_i + e_2) \\
2 & = \{ T \ r_1 \ r_2 | r_1 \in \bigcup_{i=0}^m \bar{\gamma}(\alpha, i, \theta, e_i) \} \\
3 & \quad r_2 \in \bar{\gamma}(\alpha + \text{leaves}(r_1), \theta, e_2) \} \\
4 & \quad m - \text{leaves}(r_1), \theta, e_2) \} \\
5 & \bar{\gamma}(\alpha, m, \theta, e_1) = \bar{\gamma}(\alpha, m, \theta, e_1) \\
6 & \quad \bar{\gamma}(\alpha, m, \theta, e_2) \\
7 & \bar{\gamma}(\alpha, 0, \theta, \text{Prim } 0) = \{ 0 \text{ bytes} \} \\
8 & \bar{\gamma}(\alpha, m, \theta, \text{Prim } n) \\
9 & | m \equiv n = \{ T (1 \text{ bytes})_1 \cdots T (1 \text{ bytes})_n (0 \text{ bytes}) \} \\
10 & | m \neq n = \emptyset \\
11 & \bar{\gamma}(\alpha, m, \theta, \text{Con } n e) \\
12 & | m \equiv n = \bar{\gamma}(\alpha, m, \theta, e) \\
13 & | m \neq n = \emptyset \\
14 & \bar{\gamma}(\alpha, m, \theta, e \circ \hat{a}) \\
15 & | \alpha \text{ mod } \hat{a} = 0 = \bar{\gamma}(\alpha, m, \theta, e) \\
16 & | \alpha \text{ mod } \hat{a} \neq 0 = \emptyset \\
17 & \bar{\gamma}(\alpha, m, \theta, e :: e) = \{ N \ell \ r | r \in \bar{\gamma}(\alpha, m, \theta, e) \} \\
18 & \bigcup_{i=0}^m \bar{\gamma}(\alpha, m, \theta, f \mapsto i), e) \\
21 & \bar{\gamma}(\alpha, m, \theta, f \# e) \\
22 & | f \notin \text{dom}(\theta) = \emptyset \\
23 & | m \equiv \theta(f) \equiv 0 = \{ T (0 \text{ bytes}) (0 \text{ bytes}) \} \\
24 & | \theta(f) \equiv 0 = \emptyset \\
25 & | \theta(f) > 0 \\
26 & = \{ T \ r_1 \ r_2 \\
27 & | r_1 \in \bigcup_{i=0}^m \bar{\gamma}(\alpha, i, \theta, e) \\
28 & \quad r_2 \in \bar{\gamma}(\alpha + \text{leaves}(r_1), m - \text{leaves}(r_1) \\
29 & \quad \theta(f) \mapsto (\theta(f) - 1), f \# e) \\
30 & \quad m \equiv \text{leaves}(r_1) + \text{leaves}(r_2) \\
31 & \bar{\gamma}(\alpha, m, e) = \bar{\gamma}(\alpha, m, \theta, e) \\
\end{array}
\]

Figure 7. The three layouts for Code F6, with satisfying assignments to Equation 5.1.

Figure 8. Core expression language representing a Floorplan specification. A function \( \bar{\gamma} \) with type \( \chi \to \tau \) models the semantics of a memory layout.

Figure 9. Denotational semantics of Floorplan.
5.2.1 Denotations: reducing Code F6 to core values
Figure 9 shows our core denotational semantics, the first three parameters of which are \( \gamma: \alpha, m, \) and \( \theta. \alpha \) represents the base address of a memory layout, \( m \) represents the precise number of bytes in which the layout must fit, and \( \theta \) represents a name environment. As the compilation rules (upcoming in Section 5.3) are not particularly important to understand core Floorplan semantics, we give Code F6 translated to the core calculus here:

\[
K ::= \exists \ n . \ Con \ 5 (\langle \text{hd} :: n \ # \ (\text{Prim} \ 1) \rangle + \langle \text{tl} :: n \ # ((\text{lt} :: (\text{Prim} \ 1)) + \langle \text{rgt} :: (\exists \ f_0 . \ f_0 \ # \ (\text{Prim} \ 1))\rangle) )
\]

Of note on the fourth line of C6, the existentially bound \( f_0 \) variable materializes by way of Rule (2) of Figure 10. Furthermore, listed below are the steps through the semantics in that figure for reducing Code C6 to the hd sub-branch of the left-most tree \( K_0 \) of Figure 7:

<table>
<thead>
<tr>
<th>Line</th>
<th>Exp</th>
<th>Trees</th>
<th>Step</th>
</tr>
</thead>
<tbody>
<tr>
<td>17,18</td>
<td>( K:: \text{e}_1 )</td>
<td>( \gamma \ # 0.5.0.\text{e}_1 )</td>
<td>Pick ( m = 5 )</td>
</tr>
<tr>
<td>19,20</td>
<td>( \text{e}_1 = \exists n . \text{e}_2 )</td>
<td>( \text{Let} \ \theta_1 = (n \mapsto 1) ) in ( \gamma \ # 0.5.\theta_1.\text{e}_2 )</td>
<td>Pick ( i = 1 )</td>
</tr>
<tr>
<td>11,12</td>
<td>( \text{e}_2 = \text{Con} \ 5 \text{e}_3 )</td>
<td>( \gamma \ # 0.5.\theta_1.\text{e}_3 )</td>
<td>Reduce Con</td>
</tr>
<tr>
<td>1,20</td>
<td>( \text{e}_3 )</td>
<td>( \gamma \ # 0.1.\theta_1.\text{e}_4 )</td>
<td>Pick ( i = 1 )</td>
</tr>
<tr>
<td>17,18</td>
<td>( \text{e}_4 )</td>
<td>( \gamma \ # 0.1.\theta_1.\text{e}_5 )</td>
<td>Reduce name</td>
</tr>
<tr>
<td>21,27</td>
<td>( \text{e}_5 = n \ # \text{e}_6 )</td>
<td>( \gamma \ # 0.1.\theta_1.\text{e}_5 )</td>
<td>Pick ( i = 1 )</td>
</tr>
<tr>
<td>8,9</td>
<td>( \text{e}_7 = \text{Prim} \ 1 )</td>
<td>( T \ # 0 \ \text{bytes} )</td>
<td>Eval tree</td>
</tr>
<tr>
<td>3,4</td>
<td>( \text{e}_8 = n \ # \text{e}_9 )</td>
<td>( \gamma \ # 0 + 1, 1 - 1, \theta_1.\text{e}_4 )</td>
<td>Resume (#)</td>
</tr>
<tr>
<td>23</td>
<td>( \text{e}_9 = n \ # \text{e}_5 )</td>
<td>( T \ # 0 \ \text{bytes} )</td>
<td>Eval tree</td>
</tr>
<tr>
<td>3,4</td>
<td>( \text{e}_{10} )</td>
<td>( \gamma \ # 0 + 1, 1 - 1, \theta_1.\text{e}_11 )</td>
<td>Resume (#)</td>
</tr>
<tr>
<td>17,18</td>
<td>( \text{e}_{11} )</td>
<td>( \gamma \ # 1.4.\theta_1.\text{e}_6 )</td>
<td>Skip ( e_{11} )</td>
</tr>
</tbody>
</table>

We manually picked values for \( m \) and \( i \) in order to derive tree \( K_0 \). These derivation steps compute the first line of the tree in data type form, with \( B_0 \) and \( B_1 \) representing 0 bytes and 1 bytes respectively:

\[
\begin{align*}
\text{N} & \text{ "K" (T (N "hd" (T (T B_1 B_0) (T B_0 B_0)))}) \\
& \text{ (N "tl" (T (N "ltf" (T (T B_1 B_0) \\
& \text{ (N "rgt" (T (T B_1 B_0) (T (T B_1 B_0) (T B_0 B_0))))))})})
\end{align*}
\]

Certain properties of the denotational semantics from Figure 9 have been proved correct in Coq. Such properties include that \( \gamma \) always returns trees with \( m \) one-byte leaves and that \( \gamma \) is a total computable function.

5.3 Compilation rules
Figure 10 shows the rules for compiling a Floorplan surface syntax declaration into a core Floorplan expression. Figure 11 contains the definitions for translating an arithmetic expression into natural numbers.

For the translation \( \langle \text{layer} \rangle \) to be defined, a \( \langle \text{layer} \rangle \) must satisfy a few properties. First, all \( \langle \text{macro} \rangle \) constructs must have been eliminated and syntactically replaced with their top-level declarations. Second, the surface declaration must be validly scoped, meaning every use of a \( \langle \text{formal-id} \rangle \) must be scoped inside a \( \langle \text{layer} \rangle \) defining it. Floorplan is lexically scoped with shadowing.

In Rule (1) of Figure 10 there are three optional constructs. Each construct compiles to an expression wrapping the compilation of the containing value: \( \langle \text{demarc-val} \rangle \) For
brevity we do not show all 9 permutations of the \langle\text{layer-simple}\rangle rule, i.e. Rule (1), which represents cases where:

- If \text{(formals)} is missing, "\exists f_0, \cdots \exists f_n, \" disappears.
- If \text{(mag)} is missing, "\langle\text{mag}\rangle\" disappears.
- If \text{(align)} is missing, "@\langle\text{byte}\rangle\" \langle\text{align}\rangle\" disappears.
- A \langle\text{magAlign}\rangle becomes a \langle\text{mag}\rangle and an \langle\text{align}\rangle.

6 Rust libraries generated and results

The Floorplan language is implemented as a compiler targeting Rust code. This section discusses the mechanics of the Floorplan library interface, i.e. how a Floorplan specification integrates with a memory manager. Curious readers should look at the Floorplan compiler source repository\textsuperscript{11} to see all the library interfaces generated. Throughout this section numbers\textsubscript{12} on\textsubscript{2} refer to line numbers in Figure 12.

6.1 Code generation & library interface

Figure 12 shows a sampling of the Rust library interface generated for the immix memory layout of Figure 5. The compiler generates a struct type for each \langle\text{layer-id}\rangle and \langle\text{field-id}\rangle. Address types\textsubscript{8,18} are wrappers around a word (usize) with no runtime overhead. Each address type implements a Rust trait called Address, providing a number of generic pointer and arithmetic operations such as load\textsubscript{13}, store\textsubscript{15}, plus\textsubscript{22}, and sub\textsubscript{25}, among others\textsuperscript{12}. This trait requires the four deriving\textsubscript{5,17} clauses on each address type.

Offset constants\textsubscript{1−5} are generated with a particular architecture in mind (i.e. 64-bit herein). Offset constants, along with alignment constants\textsubscript{9,19}, are in various places\textsubscript{10,20,23,25} throughout generated Rust code. The Floorplan compiler generates code which mimics the modularity of existing memory management systems\textsubscript{12,15,16} and frameworks\textsubscript{6,7}. This form enables pain-free manual inspection of generated code.

Finally we have the four functions\textsubscript{23,24,22,24} generated in our example of Figure 12. The first function, get\_cell\textsubscript{12}, requires a valid Cell\_1Addr in order to call it and returns the contents of the cell\_1 field of a cell wrapped in a CellAddr. The Floorplan compiler and interface provide behind-the-scenes unwrapping, accessing, and rewrapping of values (with no dynamic runtime overhead) into Rust types. In this paradigm the Rust type system enforces address-level type safety. The abundance of generated Rust address types also provided us with continual syntactic cues, telling us which address types were involved in some computation.

The main cost we see in our approach to integrating a Floorplan specification with an existing garbage collector pertains to how a generated library gets called. Upon modifying the immix specification dozens of lines of GC code would become stale, requiring manual modifications to various library call-sites. Such Rust compiler errors naturally provided us with a task list of places in the GC code to update.

While integrating generated code into the immix code base we had to make a few modest changes. The most extensive change involved modifying type signatures of nearly every functions in the garbage collector to refer to the generated

---

\textsuperscript{11}https://github.com/RedlineResearch/floorplan

\textsuperscript{12}Generic access operations are not programmer-accessible, by default.
In Figure 13, we see that the programmer must write a one-to-one replacement of individual lines. This part was less extensive because there were fewer pointer calculations than type signatures in the code. Nearly every change made involved converting the representation of Rust data structures into Floorplan-constructed ones.

**Benchmarks:** We ran four benchmarks provided with the immix implementation, respectively named exhaust, initobj, gcbench, and trace. All benchmarks had internal parameters modified in order to trigger substantially more GCs than originally written for, and we recorded average runtimes and standard deviations for 100 runs of each benchmark as detailed below. A set of 5 warm-up runs of each benchmark were run prior to the 100 runs, with a 10 second cool-down in-between benchmarks. Benchmarks ran on a 12-core, 2.80 GHz Intel Xeon (X5660) processor running Arch Linux with 12 GB of RAM installed and an immix heap of 400 MB.

The benchmarks are called gcbench, initobj, trace, and exhaust; they respectively (1) construct application-level trees of certain depths, (2) stress test initialization, (3) trace freshly allocated objects, and (4) induce high memory pressure. In all cases Figure 14 shows no discernible difference between Floorplan’s performance and the original benchmarks, with runtimes ranging from 10 – 30 seconds per run. This result agrees with our initial hypothesis: Floorplan generated code abstracts away common memory layout patterns without changing the performance of address computations.

We also manually inspected the assembly code generated for accessing of bitmaps for immix live liveness, reference bytes, and mark bits. Figure 15 shows the segment of code for line marking, extracted from the GC’s object tracing procedure. Importantly, lines 8, 10, 11, and 15 of the original code (highlighted in red) correspond directly to four lines in the Floorplan-generated version. Those four lines respectively compute a byte offset of a cell into the heap, compute the index of the corresponding line, mark the line as live (1 is Live from Figure 5), and mark the nextlive line as conservatively live (3 is ConservLive).
We observe a reduction in code-base size by nearly 20%.

These operations corrupt memory when applied improperly. These calculations can, and we've discovered do, encompass most all unsafe lines of code. Generated code can readily be instrumented by the Floorplan compiler.

In lieu of obviating errors, we intend to develop debugging infrastructure capable of detecting memory corruption at the first sign of layout integrity failure. A layout integrity failure occurs when a load or store operation conflicts with the addressees intended type. The intended type of a piece of memory derives from policy decisions made earlier in a memory manager's execution. For example, after the mark phase of a mark-sweep garbage collector, certain memory cells implicitly have type "free cell". A buggy deallocation scheme can only corrupt memory in generated (unsafe) address calculations. These calculations can, and we've discovered do, encompass most all unsafe lines of code. Generated code can readily be instrumented by the Floorplan compiler.

Figure 15. x86 Intel assembly code for marking immix lines.

Additionally this code detects cells outside the heap1−4, and detectsS12−14 the last line index in the heap. Control-flow instructions2,4,14,16 are highlighted in gray, and the remaining instructions (in blue) load metadata3,5,6 about the heap from a Rust struct. Modulo register allocation and precise instruction ordering, the purpose of each line of assembly is computed with an identical instruction opcode.

6.3 Discussion

We observe a reduction in code-base size by nearly 20% in immix-rust. This alleviates some of the technical debt of maintaining a memory manager: eliminating numerous interrelated offset constants and pointer arithmetic operations. These operations corrupt memory when applied improperly. These errors could eventually be obviated with theorem-proving techniques over Floorplan specifications.

In lieu of obviating errors, we intend to develop debugging infrastructure capable of detecting memory corruption at the first sign of layout integrity failure. A layout integrity failure occurs when a load or store operation conflicts with the addressees intended type. The intended type of a piece of memory derives from policy decisions made earlier in a memory manager’s execution. For example, after the mark phase of a mark-sweep garbage collector, certain memory cells implicitly have type "free cell". A buggy deallocation scheme can only corrupt memory in generated (unsafe) address calculations. These calculations can, and we’ve discovered do, encompass most all unsafe lines of code. Generated code can readily be instrumented by the Floorplan compiler.

7 Related work

7.1 Declarative layout specifications

Our work is inspired by PADS [9, 10], a declarative embedded DSL for describing and parsing ad hoc data structures (PADS). PADS excels at describing log files containing textual data. For example, a PADS description encodes arrays of partitioned data. PADS captures the structure of such an array as a type. Floorplan too declaratively describes arrays of data. In contrast to PADS, Floorplan excels at describing heap layouts containing binary data. A Floorplan specification alone is not sufficient in order to parse raw pages.

The authors of FlashRelate [4] presented work on “a novel domain specific language called Flare that extends traditional regular expressions with [two-dimensional] spatial constraints.” The underlying spatial principle of the Flare language inspired that of Floorplan: a novel domain specific language augmenting a context-free grammar with one-dimensional layout constraints. The work on FlashRelate is motivated by data-cleaning tasks and thus aims to heuristically solve the parsing of semi-structured two-dimensional data. In contrast, this work is motivated by the runtime system development task of implementing a memory manager and thus aims to deductively specify the memory layout of an unstructured one-dimensional virtual address space.

7.2 Memory management frameworks

An imperative heap layout abstraction framework known as Heap Layers [6] tackles the problem of implementing “clean, easy-to-use allocator interfaces” which are “based on C++ templates and inheritance.” Heap Layers’ use of template parameters is very similar to this work’s notion of declaratively specifying the properties of a memory layout. Similarly, the Memory Management Toolkit (MMTk) [7] tackles the problem of implementing garbage collectors where the “resulting system is more robust, easier to maintain, and has fewer defects than monolithic collectors.” As for defects related to memory layout, work on implementing an immix GC in Rust [13] aims to eliminate safety defects with static safety.

8 Conclusion

In this paper we presented a declarative language, Floorplan, for implementing the memory layout of memory managed systems in Rust. We presented a 47 line Floorplan specification for the memory layout of the state-of-the-art garbage collection algorithm immix. The compiler generated 877 lines of Rust code replacing 67 lines of pointer arithmetic, 25 lines of offset constants, and 169 lines of bitmap code.

Acknowledgments

This material is based upon work supported by the National Science Foundation under Grant No. 1717373.
References


