A Type-CheckedRestrict Qualifier

Jeff Foster

OSQ Retreat

May 9-10, 2001

Jeff Foster, OSQ Retreat, May 9-10, 2001 2

Introduction

• Aliasing: A long-standing problem

– Pointers are hard to analyze...*p = 3 ... what is updated?

– We need to know for• compilers (optimization)• software analysis tools (OSQ)

Jeff Foster, OSQ Retreat, May 9-10, 2001 3

Alias Analysis

• Research: Fully-automatic alias analysis– Type systems

• All aliases have same type

– Points-to analysis• e1 = e2 e1 points to whatever e2 points to

• Results– Type systems work well– May-alias analysis scales to big programs

• Usefulness of results?

Jeff Foster, OSQ Retreat, May 9-10, 2001 4

Too Important for Compiler

• C, C++, Java, ML, etc.– The compiler discovers all aliasing

• FORTRAN– The compiler can assume non-aliasing

• C99– Have the user help the compiler

Jeff Foster, OSQ Retreat, May 9-10, 2001 5

Restrict

• C99 Standardint *restrict p = ...;

– Let p point to object o– Within p’s scope, all access to o are through p

void f(int n, int *restrict p, int *restrict q) {

while (n-- > 0)

*p++ = *q++; // no aliasing

} [ex. from C99 standard]

Jeff Foster, OSQ Retreat, May 9-10, 2001 6

This Work

• C99 does not check restrict– Low-level definition of safe use of restrict

• Goals of this work– Semantics for restrict– Type system for safe restrict– Soundness proof

Jeff Foster, OSQ Retreat, May 9-10, 2001 7

Examples

{ int *restrict p = ...; { int *restrict r = p; ...*r... // valid ...*p... // invalid }}

{ int *restrict p = q; ...*p... // valid ...*q... // invalid}

{ int *restrict p = ...; int *r = p; ...*r... // valid}

Jeff Foster, OSQ Retreat, May 9-10, 2001 8

Source Language

• Lambda-calculus with restricte ::= x | n | ref e | *e | e1 := e2 | \x.e | e1 e2 | restrict x = e1 in e2

• restrict x = e1 in e2– x is in scope only within e2– x is a pointer– x is initialized to e1– within e2, only x can be used to access *x

Jeff Foster, OSQ Retreat, May 9-10, 2001 9

[loc’ error, loc S’’(loc’)] v; S’’

Big-Step Semantics

S e1 loc; S’

, loc errorS’ e2 v; S’’ [loc’ S’(loc) ] [x loc’]

loc’ fresh

S e loc; S’ locdom(S’) S *e S’(loc); S’

S restrict x = e1 in e2

Jeff Foster, OSQ Retreat, May 9-10, 2001 10

Type System

• Type and Effect system

::= base type | ref() pointer to abstract loc | 1L 2 function with effect L

L ::= Ø no effect | access to location | L1 L2 effect union

| L - effect difference

Jeff Foster, OSQ Retreat, May 9-10, 2001 11

Type Rules

• A e : ; L – In environment A, expression e has type – evaluating e has effect L

A e1 : 1L 2; L1 A e2 : 1; L2A e1 e2 : ; L1 L2 L

A e : ref(); LA *e : ; L

Jeff Foster, OSQ Retreat, May 9-10, 2001 12

Restrict Rule

A e1 : ref(); L1

A restrict x = e1 in e2 :

A[x ref’()] e2 : 2; L2 L2 ’A ’

2; L1 (L2 - ’)

Jeff Foster, OSQ Retreat, May 9-10, 2001 13

Soundness

• Theorem: If Ø e : ; L, then S e r; S’ where r is not error

• Proof: Show subject-reduction property

Jeff Foster, OSQ Retreat, May 9-10, 2001 14

Type Inference

• Given program, compute types, locs, effects– Naive algorithm obvious

• Add effect variables ranging over L• Perform type inference, ignore , constraints• Check , at end

– Polynomial-time algorithm– Efficiency in practice?

• Future work: polymorphic recursion– The constraints make things interesting

Jeff Foster, OSQ Retreat, May 9-10, 2001 15

Applications: Optimization

• C99: Restrict used for optimizations– Can treat restricted pointer like stack location

(whose address isn’t taken)– Optimizations sound with checked restrict

• Type system not complete– C99 standard allows hard-to-check uses of restrict

• Dead code that access restricted locations allowed• Strange use of restrict in data structures• Multiple restrict pointers into same array allowed

Jeff Foster, OSQ Retreat, May 9-10, 2001 16

Application: Flow-Sensitive Type Qualifiers

• Apply Alias Types, Vault techniques to type qualifiers for flow-sensitivity

• Problem: Elements of data structuresFILE a[...];spin_lock(a[i]);...spin_unlock(a[i]);

• Goal: Avoid dependent type systems

Jeff Foster, OSQ Retreat, May 9-10, 2001 17

Applications: Strong-Update

• Two rules for assignmentfoo(x) { ... *x = e ...}

– If |PTSet(x)| = 1 [[*x]] = [[e]]

– If |PTSet(x)| > 1 [[*x]] = [[*x]] [[e]]

• Standard Alias Analysis– Points-to sets only grow– Once |PTSet(x)| > 1, lose precision

Jeff Foster, OSQ Retreat, May 9-10, 2001 18

Applications: Strong-Update (2)

• Restrict recovers singleton points-to sets

foo(int *restrict x) { ... }

– Can assume |PTSet(x)| = 1 at beginning of foo– Other aliases of *x cannot be used in foo

• Can recover even from complicated aliasing

foo(a->b[c].d->f->g[h->i])

Jeff Foster, OSQ Retreat, May 9-10, 2001 19

Summary

• Alias analysis too important to leave to the compiler

• Restrict tells compiler where to assume non-aliasing

• Use of restrict can be type checked– Type and effect system– Soundness proof uses standard subject-reduction