Project Verona
Project Verona is a research programming language initiated by Microsoft Research in collaboration with Imperial College London and Uppsala University, focused on enabling safe, scalable memory management and compartmentalization for concurrent object-oriented programs in cloud infrastructure.[1] The project addresses critical vulnerabilities in existing systems by designing a concurrency model that supports concurrent ownership—allowing multiple execution contexts to share ownership of data structures without permitting concurrent mutation, thereby preventing data races and ensuring memory safety without traditional locks or garbage collection overhead.[2][3] Verona organizes all program objects into a forest of isolated regions, where memory is managed through linear types and reference capabilities enforced at the language level, enabling efficient sharing within regions while isolating them from external interference. This approach draws inspiration from ownership models in languages like Rust and reference capabilities in Pony, but starts from a clean slate to explore unrestricted innovations in type systems, compilers, and runtime semantics.[3] As an open-source project released under the MIT License, Verona's prototype implementation is hosted on GitHub, with its runtime built in C++ for low-level integration and compatibility with foreign code.[4][3] The project remains in active research, emphasizing academic collaboration and peer-reviewed publications on topics such as dynamic region ownership and behaviour-oriented concurrency, without plans for immediate productization.[5][3]Overview and History
Project Goals and Motivation
Project Verona is an experimental programming language developed by Microsoft Research aimed at enabling safe concurrent programming for infrastructure without relying on garbage collection or manual memory management.[1][4] The project seeks to address longstanding security challenges in cloud-scale systems by providing a robust alternative to traditional systems languages.[1] The primary motivation stems from the prevalence of memory safety vulnerabilities in legacy C and C++ codebases that underpin Microsoft's infrastructure, including operating systems and networking components.[6] These issues, such as use-after-free errors and data races, account for approximately 70% of security vulnerabilities (CVEs) in such systems, despite extensive mitigations like code reviews and static analysis.[6] For instance, use-after-free bugs have been exploited in components like Microsoft Edge, where pointers reference invalid memory post-deallocation, while data races in virtual machine switches have led to out-of-bounds writes due to unsynchronized access.[6] By designing Verona to inherently prevent these classes of errors, Microsoft aims to enhance the trustworthiness and scalability of cloud software.[1][7] Key goals include establishing a concurrency model that prohibits concurrent mutation to ensure thread safety without locks, thereby supporting high-performance systems programming suitable for resource-constrained environments.[1][4] Additionally, the language facilitates gradual adoption in existing ecosystems through a C++ foreign function interface (FFI), allowing interoperability with legacy code while progressively replacing unsafe components.[4] This approach targets the elimination of entire categories of bugs that plague infrastructure, promoting a shift toward memory-safe paradigms.[7] The project's emphasis on safe, OS-level programming draws historical influence from Microsoft's earlier Singularity initiative, which explored dependable systems through innovative language and runtime designs to minimize software failures.[4][8] Building on these foundations, Verona extends the pursuit of secure concurrency to modern cloud infrastructure needs.[1]Development Timeline
Project Verona was initiated around 2019 by Microsoft Research, in collaboration with researchers from Imperial College London and Uppsala University, to explore safe and scalable memory management for cloud infrastructure programming.[1][3] The project received its first public attention in late 2019, followed by an official announcement and open-sourcing of the initial prototype on GitHub in January 2020 under the MIT license, enabling early academic collaboration and feedback.[4][9] From 2021 to 2023, the development team undertook major refactoring efforts to stabilize the language prototype, including restructuring the compiler and runtime components, with the previous version preserved in a dedicated GitHub branch for reference.[4] In 2024, key advancements were documented in publications presented at major conferences, including "BatchIt: Optimizing Message-Passing Allocators for Producer-Consumer Workloads" at ISMM, which introduced optimizations for allocators like snmalloc used in Verona's runtime, and "Concurrent Immediate Reference Counting" in the Proceedings of the ACM on Programming Languages, enhancing safe concurrent memory reclamation.[10][11] In 2025, the project published "Dynamic Region Ownership for Concurrency Safety," which explores dynamic enforcement of region discipline for improved concurrency safety, presented in peer-reviewed venues.[12] As of November 2025, Project Verona remains an active research endeavor, with ongoing commits to its GitHub repository reflecting continued experimentation, though it is still considered experimental and not suitable for production use.[4]Core Design Concepts
Ownership Model
Project Verona's ownership model introduces concurrent ownership to enable safe sharing of data across multiple threads while preventing data races at compile time. Central to this is the concept of "cowning," or co-ownership, where objects can be jointly owned by multiple regions for read-only access, allowing concurrent reads without locks. This extends traditional single-owner models by grouping objects into regions, ensuring that mutable access requires exclusive acquisition to avoid conflicts.[12] Ownership types in Verona enforce linear usage for exclusive mutable access viaiso (isolated) pointers, which provide unique ownership of a region and can only be transferred through move operations, invalidating the source reference. For shared access, cown (concurrent owner) types support co-ownership, where multiple behaviours—Verona's unit of concurrent execution—can acquire cowns atomically to access protected data, but only when no overlapping acquisitions exist, guaranteeing no concurrent mutations. Immutable objects, by contrast, permit unrestricted sharing across owners. These types draw inspiration from Rust's borrow checker but adapt it for group-based ownership in concurrent settings, formalizing semantics that prohibit aliasing of mutable references during active use.[13][14]
The formal semantics for ownership transfer and borrowing emphasize safety in concurrent scenarios. Transfer occurs via explicit moves, such as reassigning an iso pointer to another region, which requires the source region to be closed to ensure no dangling references; this propagates ownership linearly without runtime overhead. Borrowing allows temporary read access within a scope, but for mutable borrowing under cowns, a behaviour must acquire the cown via an atomic operation (e.g., acquire), releasing it upon completion to enable others, preventing deadlocks through ordered acquisition rules. In a producer-consumer pattern, for instance, a producer behaviour might own an iso to a buffer region and spawn consumer behaviours that acquire shared cowns for read-only consumption, ensuring the producer's mutations are isolated until a transfer or explicit share. This model integrates briefly with region-based isolation to compartmentalize memory, but focuses on compile-time enforcement of concurrency invariants.[13][14]
Region-Based Memory Management
In Project Verona, regions serve as first-class entities that encapsulate groups of objects, providing a structured approach to memory management through automatic deallocation upon region exit. These regions organize the program's heap into a forest of isolated scopes, where each region is a set of objects managed collectively, eliminating the need for garbage collection or manual memory operations. By localizing memory management costs to the currently active region, this system enables predictable performance and compile-time verification of deallocation safety.[15] Verona distinguishes between linear regions, which enforce exclusive access via a single mutable reference, and shared regions, which permit immutable sharing across scopes while maintaining temporary immutability when not active. Linear regions operate on a last-in, first-out (LIFO) principle, ensuring a single window of mutability at any time to prevent concurrent modifications. Programmers allocate objects directly within regions without explicit pointers or delete statements, as the language's ownership model—applied within regions—handles reference tracking and cleanup automatically.[15] Region nesting allows hierarchical structures, where child regions can reference parent regions through bridge objects, but access is suspended when a parent becomes active, enforcing isolation. This design prevents aliasing issues by restricting external references to a region's bridge object alone when closed, thereby avoiding unintended data sharing or races without runtime overhead for alias analysis. Immutable objects within regions remain accessible freely, supporting safe read-only operations.[15] Compared to traditional arena allocators, Verona's regions offer similar bulk allocation for short-lived tasks—such as request processing—with reduced costs for allocation and deallocation relative to manual methods. However, regions extend this by providing compile-time guarantees on object lifetimes through an ownership type system with reference capabilities, ensuring static detection of when entire regions can be invalidated and reclaimed, unlike arenas that rely on runtime scoping.[15]Language Features
Concurrency Primitives
Project Verona provides concurrency through a model called Behaviour-Oriented Concurrency (BoC), which uses a single abstraction to express both parallelism and coordination while ensuring causal ordering, implicit parallelism, and freedom from deadlocks and data races.[16] This approach centers on cowns (concurrent owners), which are lightweight, isolated units of state that encapsulate mutable data and enable safe concurrent access without traditional synchronization mechanisms like locks or mutexes.[16] Cowns serve as the foundation for lightweight processes, allowing developers to create concurrent tasks that operate on disjoint or coordinated state without risking data races, as access is strictly controlled by ownership rules.[16] Communication between these tasks occurs primarily through shared immutable data or by triggering state changes in cowns, rather than explicit message passing channels. For instance, a cown can hold immutable references that multiple tasks read concurrently, while mutable operations require exclusive ownership. Ownership transfer enables safe handoff of mutable state: a task can relinquish control of a cown to another, ensuring linear progression of mutations without overlap. This is exemplified in syntax where cowns are created and manipulated, such asvar acc = cown.create(Account{balance: 100});, allowing subsequent behaviours to acquire and transfer ownership atomically.[16] The absence of locks eliminates contention hotspots and deadlocks, as concurrency is governed by the language's ownership discipline rather than manual synchronization.[16]
To spawn concurrent regions, Verona uses the when keyword to define behaviours, which are asynchronous code blocks triggered by access to one or more cowns. A simple behaviour might deduct from an account balance: when (src) { src.balance -= amount; }, spawning a lightweight task that executes concurrently upon invocation. For coordinated operations across multiple cowns, such as a transfer, the syntax extends to when (src, dst) { src.balance -= amount; dst.balance += amount; }, ensuring atomic acquisition and release to prevent races.[16] Joining these regions happens implicitly through a happens-before relation: when behaviours share cowns, the language enforces ordering based on overlapping access, guaranteeing that prior mutations complete before subsequent ones begin. This supports fork-join patterns naturally; for example, a parallel computation can fork multiple nested when blocks on disjoint cowns and join upon their collective completion, as in a divide-and-conquer algorithm where sub-tasks process separate regions and synchronize at the root.[16]
For I/O-bound tasks in cloud environments, Verona integrates async programming seamlessly into its BoC model, allowing behaviours to await non-blocking operations without blocking the entire scheduler. Behaviours can incorporate async I/O calls, such as network requests, within when blocks, leveraging the runtime to schedule them efficiently across cowns while preserving ownership safety. This enables scalable, event-driven concurrency for infrastructure applications, where tasks like data replication across regions can run asynchronously and coordinate via cown state changes. Safety for all these primitives is ensured by Verona's type system, which tracks ownership and isolation at compile time.[16]
Type System and Safety Guarantees
Project Verona's type system is built around reference capabilities that enforce ownership and aliasing discipline, ensuring memory safety and race-freedom without a traditional garbage collector. Ownership types in Verona include iso for exclusive ownership, providing a unique mutable reference to the root of a closed region, preventing any aliasing; imm for shared immutable references, allowing multiple read-only accesses to permanently immutable objects; and borrowed types such as mut for intra-regional mutable access, tmp for temporary mutable references, and paused for immutable access to suspended regions. These capabilities are integrated with effects that track mutation and concurrency, restricting mutable access to a single "window of mutability" per thread at any time, thereby eliminating data races by design.[2] Region polymorphism in Verona enables generic reasoning over regions through these reference capabilities, treating regions as first-class entities in a forest structure where objects are grouped hierarchically. Subtyping rules support safe interactions between regions, such as the adaptation of types based on the observer's viewpoint (e.g., mut C_L <: iso C_L for a closed region C under local observation L), allowing flexible sharing while preserving isolation invariants. Compile-time verification leverages linear types to ensure resources like exclusive references are used exactly once, preventing both data races—through enforced single mutable access—and memory leaks, as region lifetimes are statically bounded by ownership transfer rules.[2] The type system's safety properties are formally proven, including progress (every well-formed term can make a step or is a value) and preservation (steps preserve well-typedness) under concurrent execution, relying on a topology invariant that maintains the acyclic forest of regions and enforces ordering constraints. These proofs, conducted in a core calculus, guarantee that concurrent operations respect region isolation and capability restrictions, ensuring no undefined behavior from aliasing or concurrent mutation. This formal foundation underpins Verona's compile-time guarantees for race-free and leak-free programs.[2]Implementation Details
Compiler Architecture
The Verona compiler is implemented in C++ to enable tight integration with Clang and support high-quality foreign function interfaces (FFI) with existing C++ codebases.[3] This choice facilitates seamless interoperability, with potential for self-hosting in the long term.[3] As of 2023, the prototype is in an early stage, with partial type checking and limited features.[4] The project has investigated using LLVM for the back-end to generate machine code, with MLIR as an intermediate representation for optimizations, targeting platforms including Windows and Linux.[17] [18] Build integration is handled through CMake for cross-platform configuration and Visual Studio for Windows-specific development.[4]Runtime Environment
The Verona runtime is implemented as a C++ library that provides the foundational support for the language's concurrency and memory safety features during execution. It manages the execution of region-based tasks through a lightweight scheduler that avoids creating an OS thread for every process, instead utilizing a thread pool with work-stealing mechanisms to dispatch behaviors—atomic units of work—based on a dependency graph (DAG). This design enables efficient, low-latency coordination without the overhead of traditional thread-per-task models.[19][20] Region boundaries and ownership transfers are enforced at runtime via the concurrent ownership model, where "cowns" (concurrent owners) grant exclusive access to resources within isolated regions. The runtime ensures atomic acquisition of required cowns before executing a behavior, validating isolation to prevent data races and deadlocks; transfers occur only when a region's local reference count reaches zero, confirming closure and safe movement of ownership. This enforcement leverages runtime metadata and write-barriers to track object membership and permissions dynamically, complementing compiler-generated code for seamless integration.[19][3] For legacy integration, the runtime supports foreign function interface (FFI) with C++ through tight coupling with the Clang compiler, facilitating safe marshalling of data across boundaries. This allows Verona code to interoperate with existing C++ libraries while preserving safety guarantees, such as ownership invariants during calls and returns.[3] Performance-wise, the runtime exhibits low overhead for safe concurrency, with the scheduler enabling near-linear scaling on multi-core systems in benchmarks like Savina, where it outperforms actor-based models in 17 out of 22 cases due to minimized synchronization costs. Sequential executions incur negligible runtime checks, primarily untaken branches, while multithreaded scenarios benefit from the region's isolation for efficient resource partitioning.[19] Recent research as of 2024 includes optimizations for message-passing allocators in the runtime.[5]Research Contributions
Key Publications
The foundational concepts of ownership in Project Verona were introduced through its region-based memory management in the 2023 OOPSLA paper "Reference Capabilities for Flexible Memory Management" by Ellen Arvidsson, Elias Castegren, Sylvan Clebsch, Sophia Drossopoulou, James Noble, Matthew J. Parkinson, and Tobias Wrigstad.[21] This work describes Verona's Reggio system, where objects are grouped into a forest of isolated regions, and reference capabilities enforce ownership rules to prevent data races and ensure memory safety in concurrent object-oriented programs without relying on a traditional garbage collector.[21] The paper formalizes how these capabilities control access to regions, enabling flexible sharing while maintaining isolation, and evaluates the approach on an initial prototype implementation.[22] Verona's concurrency model was presented in the 2023 OOPSLA paper "When Concurrency Matters: Behaviour-Oriented Concurrency" by Luke Cheeseman, Sylvan Clebsch, Matthew Johnson, Matthew J. Parkinson, and Sophia Drossopoulou.[23] This work introduces behaviour-oriented concurrency (BoC), which generalizes the actor model by defining concurrency at the level of object behaviours rather than entire objects, allowing fine-grained control over interleavings and ensuring deterministic execution where needed. The paper proves BoC's safety properties, including data-race freedom, and demonstrates its implementation in Verona's runtime, supporting efficient parallel execution without locks.[23] Building on region semantics, the 2025 PLDI paper "Dynamic Region Ownership for Concurrency Safety" by Fridtjof Peer Stoldt, Brandt Bucher, Sylvan Clebsch, Matthew Johnson, Matthew J. Parkinson, and Guido van Rossum extends Verona's model to dynamic languages like Python, introducing runtime mechanisms for ownership transfer and enforcement.[12] It details formal models for dynamic region commitment, allowing safe concurrency by tracking ownership at runtime without static types, and demonstrates practical integration via a prototype extension called Pyrona.[14] The approach ensures data-race freedom through explicit commitment protocols, with evaluations showing minimal overhead for concurrent workloads.[14] These works, spanning ownership foundations, behaviour-oriented concurrency, and dynamic safety guarantees, have appeared in premier venues such as OOPSLA and PLDI, influencing research on safe, scalable concurrency in systems programming.[5]Influences and Comparisons
Project Verona draws inspiration from several prior systems and languages focused on safe concurrency and memory management. Microsoft's Singularity operating system influenced its approach to safe concurrency through isolated components and message-passing primitives, emphasizing runtime isolation to prevent data races. The actor model in Pony provided key ideas for reference capabilities and isolated heaps, enabling Verona to adopt similar mechanisms for concurrency without shared mutable state. Rust's ownership and borrowing system shaped Verona's type system, particularly in enforcing linearity to ensure memory safety at compile time.[24][3][25] In comparison to contemporaries, Verona diverges from Rust by replacing the borrow checker's fine-grained, scope-based restrictions with region-based ownership, which groups objects into isolated subgraphs for automatic, deterministic memory management rather than per-reference borrowing. This allows more flexible aliasing and supports complex data structures without resorting to unsafe code, trading some precision for usability in large-scale systems. Against Pony, Verona prioritizes regions over a pure actor model for infrastructure applications, enabling per-region allocation strategies (such as arenas or reference counting) instead of uniform actor-local tracing garbage collection, thus avoiding asynchronous messaging overhead while maintaining isolation.[25][25][25] Verona connects to broader related work in academic languages through its use of linear types, extending concepts like linear region references to relax per-object linearity while preserving safety, as explored in systems such as those by Fluet et al. for functional languages. It also relates to compartmentalization techniques in secure systems, where region isolation mirrors confinement models to limit aliasing and enable thread-safe access without locks or atomics, drawing from ownership types in works like Clarke's for encapsulation.[25][25] Among its unique aspects, Verona emphasizes seamless integration with C++ via a Clang-based compiler and foreign function interface, allowing incremental adoption in existing codebases without full rewrites. It targets cloud-scale infrastructure by eschewing traditional garbage collection in favor of region-driven, scalable memory management that supports predictable costs and high throughput.[3][1]Current Status
Open-Source Development
Project Verona's source code is hosted on the GitHub repository at github.com/microsoft/verona, where it has been available as an open-source project since its initial release in January 2020. The project is licensed under the MIT License, which permits broad reuse and modification while requiring attribution to Microsoft Research. This licensing choice supports the project's goal of encouraging experimentation and collaboration in programming language research.[4][9] To build and develop Verona, contributors require Visual Studio 2019 or later for Windows-based compilation, along with CMake for generating build files. Additionally, Python 3 is necessary to execute tests after compilation. These requirements reflect the project's C++-based implementation and its emphasis on cross-platform compatibility, though primary development occurs on Windows. The repository includes anold_version branch preserving earlier iterations, allowing developers to reference historical prototypes without disrupting ongoing work.[26][4]
Contribution guidelines emphasize that Verona remains a research-oriented prototype, not suitable for production use, and encourage submissions focused on exploratory features or academic extensions rather than general-purpose enhancements. The project welcomes pull requests through standard GitHub workflows, but maintainers prioritize changes aligned with core research objectives, such as concurrent ownership models. As of 2025, the repository has attracted 31 contributors, indicating steady but specialized community involvement. Current efforts include ongoing refactoring to enhance stability and modularity, addressing the evolving needs of the research prototypes.[4][27]