What is the reason to add this to the standard library as opposed to building a third party package?

Your specification says:

The application explicitly frees an arena and all the objects allocated from the arena using a.Free. After this call, the application should not access the arena again or dereference a pointer to any object allocated from this arena. The implementation is required to cause a run-time erro and terminate the Go program if the application accesses any object whose memory has already been freed.

If I read it correctly, this means that it is permitted to keep pointers into a released arena (i.e. stray pointers) as long as you do not explicitly dereference them. However, this means that the compiler must now be careful not to dereference any pointer it knows not to be nil unless user code explicitly does so, lest it be a pointer into a released arena. This seems like it would significantly reduce the potential for optimisation as otherwise, the compiler seems to be allowed to perform such accesses, knowing that each reachable object can also be dereferenced safely.

If the rules were tightened to say that you have to erase all pointers into an arena before calling Free, not only would these optimisations be enabled, but there would also be a way to reclaim the address space occupied by the arena: the garbage collector could be programmed to check if any pointers into the arena address space remain and if there aren't any, it could allow the address space to be reclaimed. If it finds a stray pointer, it could likewise abort the program in much the same manner as when you dereference a stray pointer.

Another benefit is that it's less likely to have tricky edge cases where stray pointers could remain in some data structures (e.g. as the result of some string manipulation or append operations which may only some times return a pointer to one of their arguments), causing them to be dereferenced later only under specific, hard to reconstruct circumstances. By prohibiting the presence of any stray pointers after a call to Free, this kind of error would be much easier to find.

With this issue addressed, I'm very interested in this proposal. It will be very useful for complex temporary data structures that need to be built step by step and deallocated all at once.

@hherman1 as far as i understood this proposal, there are a lot of troubles for example in appending to slices, e.g. the code could be more readable if you just use append, without calling arena-specific methods.

Even though, the idea to manualy handle memory freeing sounds great for me, cause there are a lot of specific cases, when you don't want to hope on the garbage collector

I'd be curious to understand the problems that an arena solves that can't be solved by either using sync.Pool, allocating a slice of a given type (for example a binary tree allocating a slice of nodes), or a combination of both techniques. It seems to me that Go provides idiomatic ways of addressing at least the specific protobuf use-case mentioned here.

In addition to the above, doesn't the Go allocator already have sizes classes? If the proposal does proceed, I think we need to see a prototype outperform the runtimes allocator and is enough gain to justify the ecosystem complexity.

We don’t think these generic variants of the API can completely replace ....

First, the NewOf function can only allocate objects whose type is specified at compile-time. So, it cannot satisfy our goal to support allocation of objects whose type is computed at run-time (typically via the reflect library).

What's the main usecase for wanting to allocate types created via reflect in arenas? Marshalling & unmarshall?
Are those usecases compelling enough? Honest question.

Second, generics in Go are just arriving in Go 1.18, so we don’t want to force users to make use of generics before they are ready.

Is there a hurry in adding arenas? It can always wait one or two release cycles before been added so that people are ready with generics.
In other words, if hypothetically speaking, the arena-generics design was the better API; we shouldn't shelve it just because generics aren't ready yet.

This proposal sounds really good to me from a user's perspective, but one detail causes concern: wouldn't something like all code eventually end up needing arena support? For example, imagine I have a web service where I want to allocate an arena for each web request. This sounds like a great use case for this, but I'd need encoding/json to have an Arena mode, and maybe text/template/html/template to have Arena modes so their working sets can use the Arena. Probably same for various clients (SQL, http, etc.) Is that what you see as the path forward or am I missing something?

@hherman1

What is the reason to add this to the standard library as opposed to building a third party package?

It's hard to do this safely in a third party package. Consider a struct allocated in the arena that contains pointers to memory allocated outside the arena. The GC must be aware of those pointers, or it may incorrectly free ordinary-memory objects that are still referenced by arena objects. A third party package would have to somehow make the garbage collector aware of those pointers, including as the pointer values change, which is either hard or inefficient.

@clausecker

However, this means that the compiler must now be careful not to dereference any pointer it knows not to be nil unless user code explicitly does so

That is already true. Go code can use pointers that point to memory that was allocated by C, or that was allocated by syscall.Mmap. The compiler already can't casually dereference a pointer.

the garbage collector could be programmed to check if any pointers into the arena address space remain and if there aren't any, it could allow the address space to be reclaimed

I believe that we can already do that. If the garbage collector sees a pointer to a freed arena, it can crash the program. If we have two complete GC cycles after an arena is freed, we can know for sure that there are no remaining pointers into that address space, and we can reclaim the addresses. However, I don't know if the current patches implement that.

@tarndt

I'd be curious to understand the problems that an arena solves that can't be solved by either using sync.Pool, allocating a slice of a given type (for example a binary tree allocating a slice of nodes), or a combination of both techniques. It seems to me that Go provides idiomatic ways of addressing at least the specific protobuf use-case mentioned here.

As you note, sync.Pool only permits allocating a specific type. It's reasonable to use if all allocations are the same type. An arena is when most allocations are different types. That is the case for protobuf allocations: each protobuf is implemented as a different Go struct. It's also the case for many uses of, for example, JSON.

In addition to the above, doesn't the Go allocator already have sizes classes? If the proposal does proceed, I think we need to see a prototype outperform the runtimes allocator and is enough gain to justify the ecosystem complexity.

I'm not sure how size classes are related.

As @danscales mentions, there is already an implementation, which is in use internally at Google. It does overall outperform the runtime allocator for cases like RPC servers that transmit data as protobufs.

First, I feel this should live in the runtime package, or at least in runtime/arena, as it seems fairly runtime specific. Which is my main concern with this, that other implementations might not support it and then packages using it would not be usable on those implementations.

Also, a question for clarification:

It is probably most appropriate that there should only be a few to 10's of arenas in use at any one time.

One of the main usecases mentioned is protobuf decoding. ISTM that, if every call to proto.Unmarshal creates an arena, used until that message is done with, we would very quickly outpace 10's of arenas by orders of magnitude on a loaded gRPC server.

@quenbyako

as far as i understood this proposal, there are a lot of troubles for example in appending to slices, e.g. the code could be more readable if you just use append, without calling arena-specific methods.

AIUI the proposal would not interoperate with append, i.e. you'd indeed have to use arena-specific methods.

@komuw

What's the main usecase for wanting to allocate types created via reflect in arenas? Marshalling & unmarshall?
Are those usecases compelling enough? Honest question.

Yes, marshaling and unmarshaling. These cases are compelling for, for example, network RPC servers that must serialize and unserialize data for every request.

One implementation caveat: a 64-bit address space isn't quite the inexhaustible vastness it first seems because many environments impose tighter restrictions. (I recently used a 4GB mmap as an optimization but found OpenBSD's default ulimit is 1.5GB and some users seem to impose their own limits.)

Which reminds me:

It is not clear if a similar approach can work for 32-bit architectures, where the address space is much more limited.

Does this mean this package would use build-tags to limit itself to 64-bit architectures? And would programs using this then not run on 32-bit platforms, unless they specifically code around that? Also, this seems all the more reason to put this into runtime, to make clear that it's platform dependent.

Hi @Merovius, my interpretation was that the API could be implemented everywhere, but it would not increase efficiency everywhere:

Note that the above arena API may be implemented without actually implementing arenas, but instead just using the standard Go memory allocation primitives. We may implement the API this way for compatibility on some architectures for which a true arena implementation (including safety checks) cannot be implemented efficiently.

@thepudds ah thank you, I missed that, alleviates my concerns around portability. Though I'd find it a bit confusing to provide the API without actual arenas. But, fair enough.

@Merovius raises an interesting question, though, around what the overhead of the non-arena implementation of the arena api would be…

@ianlancetaylor

As you note, sync.Pool only permits allocating a specific type. It's reasonable to use if all allocations are the same type. An arena is when most allocations are different types. That is the case for protobuf allocations: each protobuf is implemented as a different Go struct. It's also the case for many uses of, for example, JSON.

Assuming the problem with protobufs is the actual objects and not some internal buffer, here is how I would naively use sync.Pool.

Today you might see code like this:

book := &pb.AddressBook{}

Rather I would suggest the generated AddressBook code includes a constructor function:

book := NewAddressBook()

The protoc generated code in its package would look something like this:

var addressBookPool sync.Pool = sync.Pool{
	New: func() interface{} {
		return new(AddressBook)
	},
}

func NewAddressBook() *AddressBook {
    return addressBookPool.Get().(*AddressBook)
}

func (ab *AddressBook) Close() error { 
    *ab = AddressBook{}
     addressBookPool.Put(ab)
     return nil
}

I assume if arena existed similar changes to have a constructor that uses it would need to happen as well? If not that burden would fall to the object creator which is in fact how I use sync.Pool with protobufs today (when needed)

Now maybe more is needed say:

func (ab *AddressBook) Close() error {
    ab.closeOnce.Do(func() {
        *ab = AddressBook{}
         addressBookPool.Put(ab)
    })
    return nil
}

Or maybe we need to also generate and use pools/constructors of *structs referenced in AddressBook (or do what some pkgs like gogoproto optionally do and not use pointers for objects nested in proto structs). Lots of nuance that is besides the point of this discussion-

But I would like to understand why the arena approach is better. I'd also be curious to bench an arena prototype against sync.Pool and an approach like the above.

If the rules were tightened to say that you have to erase all pointers into an arena before calling Free, not only would these optimisations be enabled, but there would also be a way to reclaim the address space occupied by the arena: the garbage collector could be programmed to check if any pointers into the arena address space remain and if there aren't any, it could allow the address space to be reclaimed. If it finds a stray pointer, it could likewise abort the program in much the same manner as when you dereference a stray pointer.

In addition to what Ian already said about the compiler not dereferencing stray pointers:

One reason that we would like to able to deal with pointers to objects in the arena staying around after it freed (as long as they are not used) is because it may be quite tricky and disruptive to have to remove them from the stack. A pointer to an object in the arena could have been passed around as an arg and is still on the stack as an argument or local variable, but will not be used again. It would be good to ensure that the programmer does not have to nil out these pointers on the stack just to satisfy arenas, when they will naturally go away later.

We don’t think these generic variants of the API can completely replace ....

Second, generics in Go are just arriving in Go 1.18, so we don’t want to force users to make use of generics before they are ready.

Is there a hurry in adding arenas? It can always wait one or two release cycles before been added so that people are ready with generics. In other words, if hypothetically speaking, the arena-generics design was the better API; we shouldn't shelve it just because generics aren't ready yet.

Yes, I agree. There's no rush to figure out and add arenas, so it may be worth waiting to use the generics API if there's consensus on it being a better API. The first point does remain - which is that we would prefer to have some API that allows for allocating a type that is created/calculated at runtime. However, the generics API could become the main API, and the one that allows for dynamic types could be the secondary API.

This proposal sounds really good to me from a user's perspective, but one detail causes concern: wouldn't something like all code eventually end up needing arena support? For example, imagine I have a web service where I want to allocate an arena for each web request. This sounds like a great use case for this, but I'd need encoding/json to have an Arena mode, and maybe text/template/html/template to have Arena modes so their working sets can use the Arena. Probably same for various clients (SQL, http, etc.) Is that what you see as the path forward or am I missing something?

Yes, that's a good point. If we have a package that is allocating lots of memory (often by doing decoding of wire format) and we want to use arenas with it, then we will have to plumb in a way to send down an optional allocator function that it should use if enabled (in our case, the allocator function would use an arena). That's what we have prototyped for the protobuf unmarshaling library calls (see last section). I don't see any easy way to make packages use arenas, but open to suggestions.

Hi @danscales

If we have a package that is allocating lots of memory (often by doing decoding of wire format) and we want to use arenas with it, then we will have to plumb in a way to send down an optional allocator function that it should use if enabled (in our case, the allocator function would use an arena).

Is there a rough estimate of how many new APIs this might translate to in the standard library, for example?

Also, a question for clarification:

It is probably most appropriate that there should only be a few to 10's of arenas in use at any one time.

One of the main usecases mentioned is protobuf decoding. ISTM that, if every call to proto.Unmarshal creates an arena, used until that message is done with, we would very quickly outpace 10's of arenas by orders of magnitude on a loaded gRPC server.

Yes, that is true. It is possible there is another implementation that could deal with that many arenas simultaneously. But I will note that if you have 100s of requests in flight at one time, then they may not be allocating that much new data while serving each individual request, so arenas may not really be required in that case. Arenas are really more useful/appropriate for unmarshalling large data objects for which you may do a lot of processing. sync.Pool may be more appropriate if the allocated data per request is small (since there may also be only a limited number of known object types).

Yes, I agree. There's no rush to figure out and add arenas, so it may be worth waiting to use the generics API if there's consensus on it being a better API. The first point does remain - which is that we would prefer to have some API that allows for allocating a type that is created/calculated at runtime. However, the generics API could become the main API, and the one that allows for dynamic types could be the secondary API.

Is there any idea of (A) what is the net cost of doing this with reflection and (B) will it be possible to not do it with reflection when using the generics API?

Yes, that is true. It is possible there is another implementation that could deal with that many arenas simultaneously. But I will note that if you have 100s of requests in flight at one time, then they may not be allocating that much new data while serving each individual request, so arenas may not really be required in that case. Arenas are really more useful/appropriate for unmarshalling large data objects for which you may do a lot of processing. sync.Pool may be more appropriate if the allocated data per request is small (since there may also be only a limited number of known object types).

What message sizes/throughputs was the prototype tested at? Many small requests/responses is certainly the norm in my background, but I know google was looking hard (I believe?) a Vitess blog post that mainly dealt with very large data replication messages. Certainly if proto performance gets worse than status quo at high throughput levels, many people wouldn't be thrilled with that.

This proposal sounds really good to me from a user's perspective, but one detail causes concern: wouldn't something like all code eventually end up needing arena support? For example, imagine I have a web service where I want to allocate an arena for each web request. This sounds like a great use case for this, but I'd need encoding/json to have an Arena mode, and maybe text/template/html/template to have Arena modes so their working sets can use the Arena. Probably same for various clients (SQL, http, etc.) Is that what you see as the path forward or am I missing something?

Yes, that's a good point. If we have a package that is allocating lots of memory (often by doing decoding of wire format) and we want to use arenas with it, then we will have to plumb in a way to send down an optional allocator function that it should use if enabled (in our case, the allocator function would use an arena). That's what we have prototyped for the protobuf unmarshaling library calls (see last section). I don't see any easy way to make packages use arenas, but open to suggestions.

Add memory allocator to context? It seems really silly but doing a second round of "context-aware" updates to add context in more places seems better to me than doing a second round of "context-aware" updates that adds an entirely new type of object that ends up needing to be sent everywhere.

Hi all,

One quick thought: could you utilize the write barrier that is currently used by the compiler/GC to detect writes to arena allocated memory outside of the arena. Then on .Free, copy the values that are referenced out to the main heap?

This would let you effectively use an arena as a large scratch area, with the GC assisting in figuring out which values are not just scratch.

Is the code for the experimental protobuf implementation published? The scope of code that needs changing in order to take advantage of per-request arenas seems huge, but I'm eager to see a real world example in hopes I'm wrong!

@tarndt A protobuf message can include many different messages (as they are called) arranged in a complex memory layout. This is all relatively seamless for the program but it means that unmarshaling a protobuf isn't just a matter of allocating a single object type, it can involve dozens of different types. So you would need dozens of different sync.Pool structures. And in order to use the pools effectively you would need a complicated piece of code to release all the data back to the appropriate pools, which is much more complicated, and slower, than releasing an arena.

Frankly an arena sounds a lot simpler. And let's not forget that an arena lets you notify the runtime exactly when the memory is no longer needed. A pool will stick around in a much less predictable fashion.

i think it's impossible to do nested data structures as actual pointers in a thing to be mmapped, but there's a fair bit of prior art for doing nested data structures by storing "pointers" as memory-address-offsets within a block. I think capnproto does something like that.

When is this going to be standard and not experimental?

When is this going to be standard and not experimental?

@kolinfluence
Likely never: "This proposal is on hold indefinitely due to serious API concerns."

Could this API or a similar one be added as an experimental library with the documented limitations, until a safer design is found?

@joaoeinride It has been available via GOEXPERIMENT=arena since Go 1.20, but please note, it

may be changed incompatibly or removed at any time, and we do not recommend its use in production.

Thanks for the prompt reply. I am aware but was curious if it could be released like "https://pkg.go.dev/golang.org/x/exp/arenas"

@joaoeinride I believe we specifically don't want to do that, because it means people would use it and would have to leak it into their API to do so - which is specifically what we want to avoid. Also, FWIW, it is implemented in the runtime, so it's somewhat awkward to put into x/exp.

If you are only using it in internal software, you can add the GOEXPERIMENT to your CI system and get the same effect. If you want to use it in open source code and find this setup too painful, that's basically WAI.

At least, that's my understanding.

Also, there was some recent drama, because several people ignored the warnings and used x/exp/slices in production, and then a function signature changed: #61374 (comment)
(I personally don't want to hear any complaints in case the arena experiment is removed - you all have been warned)

Is there a version of this proposal where arenas aren’t added to the standard library, but instead some important unsafe function is which enables devs to implement something like arenas? Because that would probably satisfy the initial use case and push some of the API experimentation work onto the community

@hherman1 No that unsafe functionalities provided. Personally, I indeed hope the "unsafe" package could provide alloc and free functions to let users manage memory themselves, so that they don't need to use cgo to do this.

Is there some plan to add this feature to the release version

@someview At present there are no plans for putting this into a Go release.

Personally, I indeed hope the "unsafe" package could provide alloc and free functions to let users manage memory themselves, so that they don't need to use cgo to do this.

Are there any current proposals for something similar? There are a few hot paths where this could be very useful

It is exceptionally unlikely that we would ever add functionality for freeing memory.

The discussion is also off-topic on this proposal, so please discuss in some other forum. Thanks.

I recently studied this issue.
Based on my understanding of the proposal, and what the non-standard library can do.
I created https://gitee.com/qiulaidongfeng/arena
It Features

• It can be used in multiple goroutines at the same time
• It can be used in versions younger than go1.20 (>=go1.18)
• not happen use-after-free

Performance is also good, with 32.18n sec/op on a 16-thread benchmark.

goos: windows
goarch: amd64
pkg: gitee.com/qiulaidongfeng/arena
cpu: AMD Ryzen 7 7840HS w/ Radeon 780M Graphics
                │      n      │
                │   sec/op    │
Alloc_int_P1-16   11.41n ± 1%
Alloc_int-16      32.18n ± 3%
geomean           19.17n

                │      n       │
                │     B/s      │
Alloc_int_P1-16   751.9Mi ± 1%
Alloc_int-16      266.7Mi ± 3%
geomean           447.8Mi

                │     n      │
                │    B/op    │
Alloc_int_P1-16   8.000 ± 0%
Alloc_int-16      49.00 ± 8%
geomean           19.80

                │      n       │
                │  allocs/op   │
Alloc_int_P1-16   0.000 ± 0%
Alloc_int-16      0.000 ± 0%
geomean

Although third-party implementations of arena perform well.
But considering that it depends on such as #62483 (comment) the idea here will not become a reality, and the other is no guarantee that do not change the existing implementation details.
An arane addition to the standard library is worthwhile.

This proposal is on hold indefinitely due to serious API concerns

If the concerns is use-after-free , See #63671 Adding implicit alloc and free is probably not a good idea.
Even if use-after-free can occur in the standard library arena, it can be avoided by the structured allocation I describe here
#63671 (comment)
It is I assume that the program has not started to use memory at a certain time node, called A1; At a certain time node, called A2, memory is used; At a certain time node, called A3, the program no longer uses memory.
So if you do NewArena before A2 and Free after A3, use-after-free doesn't happen.
Because using Arena need to explicitly call New, also avoid the #63671 (comment) said, is not convenient to come to the conclusion that when the free memory is safe.

If #18802 is completed later, there may be a way to make the arena perform equally on single goroutine and multi-Goroutine, although since it is not possible to merge the two arenas, Need #18802 (comment) description by using the dynamic pool to manage indices into the static pool, but I believe that performance is better when there are multiple cores because they are not competing for atomic operations on the same piece of memory.

I have noticed that the scene of multi-Goroutine using arena may be rare but there are some.
For example, when creating a new programming language with go, different nodes of the syntax tree can often be free at the same time.

As I review the discussion of this proposal, it appears that the arguments preventing its acceptance center on two points.

1. this introduces the possibility of use-after-free in languages with GC.

There are many solutions, as follows:

1. Such as https://gitee.com/qiulaidongfeng/arena, Arena.Free semantics is to write code mark here Arena allocated memory life cycle is over. True free exists after the GC determines that there are no references.
2. As with go:linkname, you must import unsafe to use it. Its security is similar to that of the C languages malloc and free.
3. Check memory ownership regardless of compilation speed, as rust does.
4. Default behavior after Arena.Free call, free memory after GC confirms no reference. free memory directly after opt-in Arena.Free call. I think such a scheme can even be implemented in go1.23.
5. Restrict the use of arena in the API, and the API cannot pass Pointers outward.
   For example:

// compile pass , because not return Pointer
func New()int{
a:=arena.NewArena()
b:=arena.New[int](a)
a.Free()
return b
}
// compile not pass , because return Pointer
func New()*int{
a:=arena.NewArena()
b:=arena.New[*int](a)
return b
}

2. arena's API is highly contagious.

See #63671 , Implicit modify some heap allocation behavior is not a good idea, the most important objection in the #63671 (comment)

If arena is to be used explicitly, it does not necessarily mean infectivity.
See #51317 (comment) what I said about structured allocation .
One way to implement this idea is to put the arena in the field of the struct and use the arena in the struct's methods (without giving the memory allocated from the arena to the outside world).
The caller is then explicitly told that the behavior of using this struct and its methods is undefined from the time a method of the struct, such as Close, is called.
In this way, the user does not need to know about the arena, and if someone uses the structure and its methods after the structure's Close method is called, it only shows that the code is inherently wrong, regardless of whether there is an arena.

There are many solutions, as follows:

1. Such as https://gitee.com/qiulaidongfeng/arena, Arena.Free semantics is to write code mark here Arena allocated memory life cycle is over. True free exists after the GC determines that there are no references.

The resource wins of arenas come almost entirely from releasing memory early so it doesn't count against the GC, and the frequency of GC cycles goes down. If you have to wait until the GC determines there are no references, this is not much better than just regular heap allocation.

Actually, I'm not sure I really understand what https://gitee.com/qiulaidongfeng/arena does to help improve performance. I see it doesn't free memory in a way that allows for immediate reuse. It appears to group memory by type in 8 MiB blocks and bump-pointer allocates into the blocks. The existing memory allocator in the runtime already allocates in size classes, in P-local buffers, without any map lookups or synchronization on the fast path (except for the publication barrier on weak memory architectures). I don't see how this would be faster. Perhaps writing out heap metadata for pointer-ful allocations in bulk earlier is helpful? The gains seem marginal at best though.

(Bump-pointer allocation is an interesting direction to explore, but I suspect it's unlikely to be worth it if additional synchronization is required. The allocator's fast path is already usually pretty fast.)

(Note: Be careful when comparing with microbenchmarks. By allocating 8 MiB up-front, the minimum total heap size you're going to get is 16 MiB. If you compare this to a microbenchmark that heap-allocates the same type with no ballast or anything, the heap will be, at most, 4 MiB in total size. That means it's not an good comparison because the latter is using half the memory and is going through twice as many GC cycles.)

2. As with go:linkname, you must import unsafe to use it. Its security is similar to that of the C languages malloc and free.

Compromising memory safety really feels like a very last resort, and I think we're very far from exhausting all our options.

3. Check memory ownership regardless of compilation speed, as rust does.

This is an interesting direction, but has a similar kind of virality as const.

4. Default behavior after Arena.Free call, free memory after GC confirms no reference. free memory directly after opt-in Arena.Free call. I think such a scheme can even be implemented in go1.23.

I do not know what you mean by this. A direct memory free without any protections means use-after-free bugs resulting in memory corruption. The implementation currently in the runtime ensures that memory corruption never occurs (only a possible immediate crash) on use-after-free.

5. Restrict the use of arena in the API, and the API cannot pass Pointers outward.

If your point is to bind arenas to the stack frame in which the arena is created, this is basically already what the compiler's escape analysis pass already does automatically. The general idea of emitting a compilation error if a value escapes its stack frame is interesting, but the weird part is that the compilation error depends on how sophisticated the compiler's escape analysis is. Encoding that in the spec is going to be very limiting and changing the analysis algorithm will be hard. I'm no expert on language design, but my impression is that language really has to be designed from the ground up for this sort of thing, like Rust. (Even then, Rust has been steadily expanding in sophistication to allow more flexibility, IIUC.)

If arena is to be used explicitly, it does not necessarily mean infectivity.

Using an arena explicitly at all means that it is going to be infectious to some degree. Lots of packages cannot make use of arena allocation without changing their API to accept an arena. A common example of this is serialization packages like encoding/json. Another example is most tree data structures. math/big could accept an arena. Changing all of these packages' APIs to accept arenas as an option does not seem like the best path forward.

One way to implement this idea is to put the arena in the field of the struct and use the arena in the struct's methods

I do not see how this helps in general. Sure, you can pass around a struct as part of an API that hides the arena, but that's not really that different from just passing around the arena.

https://gitee.com/qiulaidongfeng/arena is mainly used to explain the arena if implemented with third-party libraries, the question is how to interact with GC.
One way to do this is to use syscall.Mmap, but then the problem is to make sure the GC knows that there are go Pointers on the non-Go heap. Any solution depends on the GC implementation.
An alternative approach that does not rely on the GC implementation is to use runtime.mallocgc, but without an API like unsafe.Free, it waits for GC to free the memory.
So implementing arena in the standard library is a better choice.

4. Default behavior after Arena.Free call, free memory after GC confirms no reference. free memory directly after opt-in
   Arena.Free call. I think such a scheme can even be implemented in go1.23.

I do not know what you mean by this. A direct memory free without any protections means use-after-free bugs resulting in
memory corruption. The implementation currently in the runtime ensures that memory corruption never occurs (only a possible > immediate crash) on use-after-free.

I mean the meaning of Arena.Free is
The default free memory occurs after the GC determines that no pointer references the memory allocated from the arena. The purpose of this is to ensure that arena can be used without the risk of use-after-free.
With options like GODEBUG=arenafreenow=1, arena is allowed with the risk of use-after-free for higher performance.
free memory simply means that memory allocated from arena via the return pointer should not be dereferenced again. The runtime can do anything with this memory, including existing implementations.

5. Restrict the use of arena in the API, and the API cannot pass Pointers outward.

If your point is to bind arenas to the stack frame in which the arena is created, this is basically already what the compiler's escape analysis pass already does automatically. The general idea of emitting a compilation error if a value escapes its stack frame is interesting, but the weird part is that the compilation error depends on how sophisticated the compiler's escape analysis is. Encoding that in the spec is going to be very limiting and changing the analysis algorithm will be hard. I'm no expert on language design, but my impression is that language really has to be designed from the ground up for this sort of thing, like Rust. (Even then, Rust has been steadily expanding in sophistication to allow more flexibility, IIUC.)

What I mean specifically is that for functions that use arena, there is no possibility that a pointer created inside the function will survive the return of the function. For structs that use arena in their methods, a pointer created in any way through the struct is not allowed to survive after the struct object is reclaimed by GC.
In this way, although functions cannot write to arguments of type **int32, arena is transparent to callers. As long as Arena.Free is called before the end of the function call or Arena.Free is called with a finalizer before the struct is GC, there will be no use-after-free because subsequent program execution has no pointer to the memory allocated from the Arena.
This is backwards compatible with code that does not use arena.

One way to implement this idea is to put the arena in the field of the struct and use the arena in the struct's methods

I do not see how this helps in general. Sure, you can pass around a struct as part of an API that hides the arena, but that's not really that different from just passing around the arena.

Tie the lifecycle and structure of Arena together. This way, as long as there is no pointer obtained from the struct, it can still be accessed after the structure is GC. The caller does not need to know arena.

Actually, I'm not sure I really understand what https://gitee.com/qiulaidongfeng/arena does to help improve performance. I see it doesn't free memory in a way that allows for immediate reuse. It appears to group memory by type in 8 MiB blocks and bump-pointer allocates into the blocks. The existing memory allocator in the runtime already allocates in size classes, in P-local buffers, without any map lookups or synchronization on the fast path (except for the publication barrier on weak memory architectures). I don't see how this would be faster. Perhaps writing out heap metadata for pointer-ful allocations in bulk earlier is helpful? The gains seem marginal at best though.
(Bump-pointer allocation is an interesting direction to explore, but I suspect it's unlikely to be worth it if additional synchronization is required. The allocator's fast path is already usually pretty fast.)

https://gitee.com/qiulaidongfeng/arena It is possible to free memory before GC determines that there is no reference.
As long as there is a risk of use-after-free, reusing 8 MiB sized blocks through sync.Pool can be achieved.
For the caller, this is indeed free memory.This gives it better Free performance than GC.
Much of its current overhead comes from atomic operations that are used synchronously.
Just by dropping support for multiple goroutine, or using the check-out/check-in model shown in #18802 but with static size and no need to merge the sync.ShardedValue of the method, eliminate synchronization such as atomic manipulation , I believe its Alloc performance can exceed that of calling new. (On my computer, the performance of new(int) is 7+ns, it is 10+ns)
https://gitee.com/qiulaidongfeng/arena performance improvement potential mainly from it using //go:linkname runtime_mallocgc runtime.mallocgc, can customize the behavior of Alloc and Free.
Ways to improve performance that are not implemented:

1. The above mentioned methods to improve Alloc and Free performance.
2. Reduce the overhead of setting to zero value by setting the needzero parameter of runtime.mallocgc to false when zero value is not required.

If arena is to be used explicitly, it does not necessarily mean infectivity.

Using an arena explicitly at all means that it is going to be infectious to some degree. Lots of packages cannot make use of arena allocation without changing their API to accept an arena. A common example of this is serialization packages like encoding/json. Another example is most tree data structures. math/big could accept an arena. Changing all of these packages' APIs to accept arenas as an option does not seem like the best path forward.

What I mean is that requiring explicit use of Arena does not mean that the caller must know Arena.
I want this sentence to be expressed along with my other words, by hiding the use of arena within a function or within a method of a structure, so that the memory allocated through arena cannot be accessed outside of the function or structure and its methods. Use arena to be transparent to the caller.

I noticed this benchmark after these two commits（https://gitee.com/qiulaidongfeng/arena/compare/v0.4.0...v0.5.0 ）

set GOEXPERIMENT=arenas
go test -bench=^*  -benchtime=2s
UseAfterFree(false)
goos: windows
goarch: amd64
pkg: gitee.com/qiulaidongfeng/arena
cpu: AMD Ryzen 7 7840HS w/ Radeon 780M Graphics
BenchmarkAlloc_int_P1-16                273490933                9.637 ns/op     933.90 MB/s           8 B/op          0 allocs/op
BenchmarkAlloc_int-16                   62029608                35.58 ns/op      252.93 MB/s          69 B/op          0 allocs/op
BenchmarkAlloc_int_new-16               281095550                8.432 ns/op    1067.37 MB/s           8 B/op          1 allocs/op
BenchmarkAlloc_intAndFree-16                5997            402418 ns/op           0.02 MB/s     8389042 B/op          7 allocs/op
BenchmarkAlloc_int_stdArena-16          210657051               11.27 ns/op      798.29 MB/s           7 B/op          0 allocs/op
BenchmarkAlloc_intAndFree_arena-16       1825330              1279 ns/op           7.04 MB/s         856 B/op          2 allocs/op
PASS
UseAfterFree(true)
BenchmarkAlloc_int_P1-16                205623828               11.61 ns/op      775.45 MB/s           8 B/op          0 allocs/op
BenchmarkAlloc_int-16                   58220772                36.24 ns/op      248.35 MB/s          50 B/op          0 allocs/op
BenchmarkAlloc_int_new-16               291649136                8.087 ns/op    1112.94 MB/s           8 B/op          1 allocs/op
BenchmarkAlloc_intAndFree-16             2008635              1169 ns/op           7.70 MB/s         511 B/op          6 allocs/op
BenchmarkAlloc_int_stdArena-16          214101681               11.28 ns/op      797.78 MB/s           7 B/op          0 allocs/op
BenchmarkAlloc_intAndFree_arena-16       1847961              1279 ns/op           7.04 MB/s         855 B/op          2 allocs/op
PASS
ok      gitee.com/qiulaidongfeng/arena  40.705s

It seems that the arena implemented outside my standard library supports multi-Goroutine, supports the choice of whether the use-after-free situation can occur, and can be further optimized when #18802 is completed. Scenarios in which int is allocated and 100 ints are allocated Free are comparable to the standard library's arena performance.(need UseAfterFree(true))

It seems that the biggest advantage of the standard library experimental arena is that it doesn't keep use-after-free silent.

I think that many packages, such as encoding/json packages, cannot use arena allocation without changing the API, which is basically unsolved in cases requiring explicit use of arena.

Changing all of these packages' APIs to accept arenas as an option does not seem like the best path forward.

But seems no better way.
After all, it's unlikely that go will ever have an interface like this in the future to decouple where alloc's memory comes from.

type Alloc[T any] interface{
Alloc(*T)
}

Then let the user use gls or something to pick up such an allocator for heap allocation.
This is done without changing the API, but the work becomes code rewriting that the compiler can do.
But as shown in the #63671 (comment), any change implicit heap allocation can use this reason to oppose.（ you would have to deeply inspect its code (and the code of its transitive dependencies) to draw any conclusion about when it is safe to free the memory. And you would have to repeat this exhaustive exercise any time you upgrade anything.）