A Tail-Recursive Semantics for Stack Inspections

  • John Clements
  • Matthias Felleisen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2618)


Security folklore holds that a security mechanism based on stack inspection is incompatible with a global tail call optimization policy. An implementation of such a language may have to allocate memory for a source-code tail call, and a program that uses only tail calls (and no other memory-allocating construct) may nevertheless exhaust the available memory. In this paper, we prove this widely held belief wrong. We exhibit an abstract machine for a language with security stack inspection whose space consumption function is equivalent to that of the canonical tail call optimizing abstract machine. Our machine is surprisingly simple and suggests that tail-calls are as easy to implement in a security setting as they are in a conventional one.


Garbage Collection Reduction Rule Source Language Abstract Machine Runtime System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [1]
    Nick Benton, Andrew Kennedy, and George Russell. Compiling standard ML to Java bytecodes. In ACM SIGPLAN International Conference on Functional Programming, pages 129–140, 1998.Google Scholar
  2. [2]
    Don Box. Essential.NET, Volume I: The Common Language Runtime. Addison-Wesley, To Appear.Google Scholar
  3. [3]
    John Clements, Matthew Flatt, and Matthias Felleisen. Modeling an algebraic stepper. Lecture Notes in Computer Science, 2028:320–334, 2001.Google Scholar
  4. [4]
    William D. Clinger. Proper tail recursion and space efficiency. In ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 174–185, 1998.Google Scholar
  5. [5]
    Matthias Felleisen and Matthew Flatt. Programming languages and their calculi. Unpublished Manuscript. Online at>, 1989–2002.
  6. [6]
    Matthew Flatt. PLT MzScheme: Language manual. Online at>, 1995-2002.
  7. [7]
    Cedric Fournet and Andrew D. Gordon. Stack inspection: theory and variants. In Symposium on Principles of Programming Languages, pages 307–318, 2002.Google Scholar
  8. [8]
    Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides. Design Patterns. Addison-Wesley, 1995.Google Scholar
  9. [9]
    Guy Lewis Steele Jr. Debunking the “expensive procedure call” myth. In ACM Conference, pages 153–162, 1977.Google Scholar
  10. [10]
    Günter Karjoth. An operational semantics of Java 2 access control. In The Computer Security Foundations Workshop, pages 224–232, 2000.Google Scholar
  11. [11]
    Richard Kelsey, William D. Clinger, and Jonathan Rees. Revised5 report on the algorithmic language scheme. SIGPLAN Notices, 33(9):26–76, 1998.CrossRefGoogle Scholar
  12. [13]
    Gordon D. Plotkin. Call-by-name, call-by-value and the λ-calculus. Theoretical Computer Science, pages 125–159, 1975.Google Scholar
  13. [14]
    F. Pottier, Christian Skalka, and Scott Smith. A systematic approach to static access control. Lecture Notes in Computer Science, 2028:30–45, 2001.Google Scholar
  14. [15]
    Michel Schinz and Martin Odersky. Tail call elimination on the Java virtual machine. In SIGPLAN BABEL Workshop on Multi-Language Infrastructure and Interoperability, pages 155–168, 2001.Google Scholar
  15. [16]
    Christian Skalka and Scott Smith. Static enforcement of security with types. ACM SIGPLAN Notices, 35(9):34–45, 2000.CrossRefGoogle Scholar
  16. [17]
    Dan Wallach, Dirk Balfanz, Drew Dean, and Ed Felten. Extensible security architectures for Java. In The 16th Symposium on Operating Systems Principles, pages 116–128, october 1997.Google Scholar
  17. [18]
    Dan Wallach, Edward Felten, and Andrew Appel. The security architecture formerly known as stack inspection: A security mechanism for language-based systems. ACM Transactions on Software Engineering and Methodology, 9(4):341–378, October 2000.CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • John Clements
    • 1
  • Matthias Felleisen
    • 1
  1. 1.Northeastern UniversityBostonMassachusetts

Personalised recommendations