A Verified Generational Garbage Collector for CakeML

  • Adam Sandberg Ericsson
  • Magnus O. MyreenEmail author
  • Johannes Åman Pohjola
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10499)


This paper presents the verification of a generational copying garbage collector for the CakeML runtime system. The proof is split into an algorithm proof and an implementation proof. The algorithm proof follows the structure of the informal intuition for the generational collector’s correctness, namely, a partial collection cycle in a generational collector is the same as running a full collection on part of the heap, if one views pointers to old data as non-pointers. We present a pragmatic way of dealing with ML-style mutable state, such as references and arrays, in the proofs. The development has been fully integrated into the in-logic bootstrapped CakeML compiler, which now includes command-line arguments that allow configuration of the generational collector. All proofs were carried out in the HOL4 theorem prover.



We thank Ramana Kumar for comments on drafts of this text. This work was partly supported by the Swedish Research Council and the Swedish Foundation for Strategic Research.


  1. 1.
    Anand, A., Appel, A., Morrisett, G., Paraskevopoulou, Z., Pollack, R., Belanger, O.S., Sozeau, M., Weaver, M.: CertiCoq: a verified compiler for Coq. In: Coq for Programming Languages (CoqPL) (2017)Google Scholar
  2. 2.
    Davis, J., Myreen, M.O.: The reflective Milawa theorem prover is sound (down to the machine code that runs it). J. Autom. Reason. 55(2), 117–183 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Dijkstra, E.W., Lamport, L., Martin, A.J., Scholten, C.S., Steffens, E.F.M.: On-the-fly garbage collection: an exercise in cooperation. Commun. ACM 21(11), 966–975 (1978)CrossRefzbMATHGoogle Scholar
  4. 4.
    Gammie, P., Hosking, A.L., Engelhardt, K.: Relaxing safely: verified on-the-fly garbage collection for x86-TSO. In: Grove, D., Blackburn, S. (eds.) Programming Language Design and Implementation (PLDI). ACM (2015)Google Scholar
  5. 5.
    Gonthier, G.: Verifying the safety of a practical concurrent garbage collector. In: Alur, R., Henzinger, T.A. (eds.) CAV 1996. LNCS, vol. 1102, pp. 462–465. Springer, Heidelberg (1996). doi: 10.1007/3-540-61474-5_103 CrossRefGoogle Scholar
  6. 6.
    Havelund, K.: Mechanical verification of a garbage collector. In: Rolim, J., et al. (eds.) IPPS 1999. LNCS, vol. 1586, pp. 1258–1283. Springer, Heidelberg (1999). doi: 10.1007/BFb0098007 CrossRefGoogle Scholar
  7. 7.
    Hawblitzel, C., Howell, J., Lorch, J.R., Narayan, A., Parno, B., Zhang, D., Zill, B.: Ironclad apps: end-to-end security via automated full-system verification. In: Operating Systems Design and Implementation (OSDI), pp. 165–181. USENIX Association, Broomfield (2014)Google Scholar
  8. 8.
    Hawblitzel, C., Petrank, E.: Automated verification of practical garbage collectors. In: ACM SIGPLAN Notices, vol. 44, no. 1, pp. 441–453 (2009).
  9. 9.
    McCreight, A.: The Mechanized Verification of Garbage Collector Implementations. Ph.D. thesis, Yale University, December 2008Google Scholar
  10. 10.
    Myreen, M.O.: Reusable verification of a copying collector. In: Leavens, G.T., O’Hearn, P., Rajamani, S.K. (eds.) VSTTE 2010. LNCS, vol. 6217, pp. 142–156. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-15057-9_10 CrossRefGoogle Scholar
  11. 11.
    Myreen, M.O., Davis, J.: A verified runtime for a verified theorem prover. In: Eekelen, M., Geuvers, H., Schmaltz, J., Wiedijk, F. (eds.) ITP 2011. LNCS, vol. 6898, pp. 265–280. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22863-6_20 CrossRefGoogle Scholar
  12. 12.
    Nieto, L.P., Esparza, J.: Verifying single and multi-mutator garbage collectors with Owicki-Gries in Isabelle/HOL. In: Nielsen, M., Rovan, B. (eds.) MFCS 2000. LNCS, vol. 1893, pp. 619–628. Springer, Heidelberg (2000). doi: 10.1007/3-540-44612-5_57 CrossRefGoogle Scholar
  13. 13.
    Pavlovic, D., Pepper, P., Smith, D.R.: Formal derivation of concurrent garbage collectors. In: Bolduc, C., Desharnais, J., Ktari, B. (eds.) MPC 2010. LNCS, vol. 6120, pp. 353–376. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13321-3_20 CrossRefGoogle Scholar
  14. 14.
    Russinoff, D.M.: A mechanically verified incremental garbage collector. Formal Aspects Comput. 6(4), 359–390 (1994)CrossRefzbMATHGoogle Scholar
  15. 15.
    Tan, Y.K., Myreen, M.O., Kumar, R., Fox, A., Owens, S., Norrish, M.: A new verified compiler backend for CakeML. In: Garrigue, J., Keller, G., Sumii, E. (eds.) International Conference on Functional Programming (ICFP). ACM (2016)Google Scholar
  16. 16.
    Yang, J., Hawblitzel, C.: Safe to the last instruction: automated verification of a type-safe operating system. In: Programming Language Design and Implementation (PLDI), pp. 99–110. ACM, New York (2010)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Adam Sandberg Ericsson
    • 1
  • Magnus O. Myreen
    • 1
    Email author
  • Johannes Åman Pohjola
    • 1
  1. 1.Chalmers University of TechnologyGothenburgSweden

Personalised recommendations