a type-checked restrict qualifier
DESCRIPTION
A Type-Checked Restrict Qualifier. Jeff Foster OSQ Retreat May 9-10, 2001. Introduction. Aliasing: A long-standing problem Pointers are hard to analyze ...*p = 3 ... what is updated? We need to know for compilers (optimization) software analysis tools (OSQ). Alias Analysis. - PowerPoint PPT PresentationTRANSCRIPT
A Type-CheckedRestrict Qualifier
Jeff Foster
OSQ Retreat
May 9-10, 2001
Jeff Foster, OSQ Retreat, May 9-10, 2001 2
Introduction
• Aliasing: A long-standing problem
– Pointers are hard to analyze...*p = 3 ... what is updated?
– We need to know for• compilers (optimization)• software analysis tools (OSQ)
Jeff Foster, OSQ Retreat, May 9-10, 2001 3
Alias Analysis
• Research: Fully-automatic alias analysis– Type systems
• All aliases have same type
– Points-to analysis• e1 = e2 e1 points to whatever e2 points to
• Results– Type systems work well– May-alias analysis scales to big programs
• Usefulness of results?
Jeff Foster, OSQ Retreat, May 9-10, 2001 4
Too Important for Compiler
• C, C++, Java, ML, etc.– The compiler discovers all aliasing
• FORTRAN– The compiler can assume non-aliasing
• C99– Have the user help the compiler
Jeff Foster, OSQ Retreat, May 9-10, 2001 5
Restrict
• C99 Standardint *restrict p = ...;
– Let p point to object o– Within p’s scope, all access to o are through p
void f(int n, int *restrict p, int *restrict q) {
while (n-- > 0)
*p++ = *q++; // no aliasing
} [ex. from C99 standard]
Jeff Foster, OSQ Retreat, May 9-10, 2001 6
This Work
• C99 does not check restrict– Low-level definition of safe use of restrict
• Goals of this work– Semantics for restrict– Type system for safe restrict– Soundness proof
Jeff Foster, OSQ Retreat, May 9-10, 2001 7
Examples
{ int *restrict p = ...; { int *restrict r = p; ...*r... // valid ...*p... // invalid }}
{ int *restrict p = q; ...*p... // valid ...*q... // invalid}
{ int *restrict p = ...; int *r = p; ...*r... // valid}
Jeff Foster, OSQ Retreat, May 9-10, 2001 8
Source Language
• Lambda-calculus with restricte ::= x | n | ref e | *e | e1 := e2 | \x.e | e1 e2 | restrict x = e1 in e2
• restrict x = e1 in e2– x is in scope only within e2– x is a pointer– x is initialized to e1– within e2, only x can be used to access *x
Jeff Foster, OSQ Retreat, May 9-10, 2001 9
[loc’ error, loc S’’(loc’)] v; S’’
Big-Step Semantics
S e1 loc; S’
, loc errorS’ e2 v; S’’ [loc’ S’(loc) ] [x loc’]
loc’ fresh
S e loc; S’ locdom(S’) S *e S’(loc); S’
S restrict x = e1 in e2
Jeff Foster, OSQ Retreat, May 9-10, 2001 10
Type System
• Type and Effect system
::= base type | ref() pointer to abstract loc | 1L 2 function with effect L
L ::= Ø no effect | access to location | L1 L2 effect union
| L - effect difference
Jeff Foster, OSQ Retreat, May 9-10, 2001 11
Type Rules
• A e : ; L – In environment A, expression e has type – evaluating e has effect L
A e1 : 1L 2; L1 A e2 : 1; L2A e1 e2 : ; L1 L2 L
A e : ref(); LA *e : ; L
Jeff Foster, OSQ Retreat, May 9-10, 2001 12
Restrict Rule
A e1 : ref(); L1
A restrict x = e1 in e2 :
A[x ref’()] e2 : 2; L2 L2 ’A ’
2; L1 (L2 - ’)
Jeff Foster, OSQ Retreat, May 9-10, 2001 13
Soundness
• Theorem: If Ø e : ; L, then S e r; S’ where r is not error
• Proof: Show subject-reduction property
Jeff Foster, OSQ Retreat, May 9-10, 2001 14
Type Inference
• Given program, compute types, locs, effects– Naive algorithm obvious
• Add effect variables ranging over L• Perform type inference, ignore , constraints• Check , at end
– Polynomial-time algorithm– Efficiency in practice?
• Future work: polymorphic recursion– The constraints make things interesting
Jeff Foster, OSQ Retreat, May 9-10, 2001 15
Applications: Optimization
• C99: Restrict used for optimizations– Can treat restricted pointer like stack location
(whose address isn’t taken)– Optimizations sound with checked restrict
• Type system not complete– C99 standard allows hard-to-check uses of restrict
• Dead code that access restricted locations allowed• Strange use of restrict in data structures• Multiple restrict pointers into same array allowed
Jeff Foster, OSQ Retreat, May 9-10, 2001 16
Application: Flow-Sensitive Type Qualifiers
• Apply Alias Types, Vault techniques to type qualifiers for flow-sensitivity
• Problem: Elements of data structuresFILE a[...];spin_lock(a[i]);...spin_unlock(a[i]);
• Goal: Avoid dependent type systems
Jeff Foster, OSQ Retreat, May 9-10, 2001 17
Applications: Strong-Update
• Two rules for assignmentfoo(x) { ... *x = e ...}
– If |PTSet(x)| = 1 [[*x]] = [[e]]
– If |PTSet(x)| > 1 [[*x]] = [[*x]] [[e]]
• Standard Alias Analysis– Points-to sets only grow– Once |PTSet(x)| > 1, lose precision
Jeff Foster, OSQ Retreat, May 9-10, 2001 18
Applications: Strong-Update (2)
• Restrict recovers singleton points-to sets
foo(int *restrict x) { ... }
– Can assume |PTSet(x)| = 1 at beginning of foo– Other aliases of *x cannot be used in foo
• Can recover even from complicated aliasing
foo(a->b[c].d->f->g[h->i])
Jeff Foster, OSQ Retreat, May 9-10, 2001 19
Summary
• Alias analysis too important to leave to the compiler
• Restrict tells compiler where to assume non-aliasing
• Use of restrict can be type checked– Type and effect system– Soundness proof uses standard subject-reduction