Native Runtime Profiles And Memory Control

Native runtime profiles define which runtime services may appear in native

artifacts. They are the production boundary for no-GC, freestanding,

bare-metal, no-allocation, arena, manual, ownership, and optional-GC behavior.

The authoritative evidence files are:

• runtime/native-runtime-profiles.tsv;
• runtime/native-allocation-modes.tsv;
• runtime/native-memory-ops.tsv;
• runtime/native-memory-sections.tsv;
• runtime/native-dependency-manifest.tsv;
• runtime/native-failure-semantics.tsv;
• runtime/native-memory-verification-cases.tsv;
• compat/native-runtime-memory-contract.tsv.

Profiles

The supported profile names are:

• hosted: may opt into OS, libc, dynamic-loader, and syscall services;
• freestanding: denies implicit OS, libc, dynamic-loader, syscall, and

default GC dependencies;

• bare-metal: starts through a reset/vector contract and uses explicit memory

sections;

• no-alloc: permits only static and stack storage;
• arena: permits explicit arena allocation and requires release evidence;
• manual: permits explicit manual allocation and requires free/destructor

evidence;

• ownership: permits ownership-based allocation and requires transfer/drop

evidence;

• optional-gc: enables GC only as an explicit feature-gated runtime profile.

No-GC is the default for native performance and freestanding profiles. Optional

GC must appear in release metadata and must be absent from no-GC artifacts.

Memory Control

Memory control covers:

• static allocation;
• stack allocation;
• arena allocation;
• hosted heap allocation;
• manual allocation;
• ownership transfer;
• address-of;
• dereference;
• pointer arithmetic;
• pointer casts;
• destructor/finalizer calls;
• panic/abort behavior.

Pointer operations must carry provenance, bounds, alignment, source spans, and

lifetime evidence. Pointer arithmetic that escapes the allocation extent is

rejected.

Freestanding Sections

Freestanding and bare-metal artifacts use explicit section records:

• .vectors;
• .text;
• .rodata;
• .data;
• .bss;
• .stack;
• .heap.

Sections must have valid alignment and must not overlap. .bss is explicitly

zeroed. .data is initialized during startup. Stack and arena/heap regions are

reserved explicitly.

Dependency Contract

Freestanding and bare-metal artifacts report zero unexpected dynamic

dependencies:

• no implicit OS syscalls;
• no implicit libc;
• no dynamic loader;
• no default GC;
• no unexpected dependency rows.

Hosted artifacts may opt into OS services, but the dependency must be explicit.

Gates

Run the minimal runtime dependency/profile gate:

make minimal-runtime-check

Run the memory-control gate:

make native-memory-control-check

Both gates are bounded. They validate source-owned profile and fixture evidence;

they do not run release packaging, self-hosting, broad benchmarks, or emulator

matrices.

Stable diagnostics include:

• NATIVE_RUNTIME_GC_DEFAULT: GC was enabled by default for a no-GC profile;
• NATIVE_RUNTIME_DEPENDENCY: freestanding/bare-metal artifact used an

unexpected OS/libc/loader/syscall/GC dependency;

• NATIVE_MEMORY_ALLOC: malformed allocation evidence;
• NATIVE_MEMORY_DEPENDENCY: allocation mode is not allowed in the profile;
• NATIVE_MEMORY_POINTER: invalid pointer provenance or pointer identity;
• NATIVE_MEMORY_BOUNDS: pointer operation escapes allocation bounds;
• NATIVE_MEMORY_SECTION: section alignment or overlap violation;
• NATIVE_MEMORY_LEAK: allocation that requires release/drop was not closed;
• NATIVE_MEMORY_OWNERSHIP: invalid ownership transfer;
• NATIVE_RUNTIME_FAILURE: stable panic/abort path.

Current Boundary

Milestone 2 implements the source-owned runtime profile and memory-control

contract with positive and negative fixtures. Later milestones integrate these

profiles into monomorphization, optimizer analyses, machine-code emission,

bare-metal execution, tiny binaries, and release benchmark evidence.