Shape Analysis and Applications 1


12 Shape Analysis and Applications^1

Thomas Reps^2
Computer Sciences Department, University of Wisconsin-Madison, WI
reps@cs.wisc.edu

Mooly Sagiv
Department of Computer Science, School of Mathematics and Science, Tel Aviv University, Tel Aviv, Israel
Sagiv@math.tau.ac.il

Reinhard Wilhelm
Fachbereich Informatik, Universitaet des Saarlandes, Saarbruecken, Germany
Wilhelm@cs.uni-sb.de

12.1 Introduction
    Structure of the Chapter
12.2 Questions about the Heap Contents
    Traditional Compiler Analyses
    Analyzing Programs for Shapes
    Answers as Given by Shape Analysis
12.3 Shape Analysis
    Summarization
    Parametric Shape Analysis
    Abstraction Functions
    Designing a Shape Abstraction
12.4 An Overview of a Shape-Analysis Framework
    Representing Stores via 2-Valued and 3-Valued Logical Structures
    Extraction of Store Properties
    Expressing the Semantics of Program Statements
    Abstraction via Truth-Blurring Embeddings
    Conservative Extraction of Store Properties
    Abstract Interpretation of Program Statements
12.5 Applications
    Identifying May- and Must-Aliases
    Constructing Program Dependences
    Other Applications
12.6 Extensions
    Interprocedural Analysis
    Computing Intersections of Abstractions
    Efficient Heap Abstractions and Representations
    Abstracting Numeric Values
    Abstraction Refinement
12.7 Related Work
Conclusions
References

Abstract

A shape-analysis algorithm statically analyzes a program to determine information about the heap-allocated data structures that the program manipulates. The results can be used to understand programs or to verify properties of programs. Shape analysis also recovers information that is valuable for debugging, compile-time garbage collection, instruction scheduling, and parallelization.

^1 Portions of this paper were adapted from [65] (Springer-Verlag) and excerpted from [58] (ACM).
^2 Supported in part by NSF Grants CCR, CCR, CCF, and CCF; by ONR Grants N and N; by the Alexander von Humboldt Foundation; and by the John Simon Guggenheim Memorial Foundation. Address: Comp. Sci. Dept.; Univ. of Wisconsin; 1210 W. Dayton St.; Madison, WI
Address: School of Comp. Sci.; Tel Aviv Univ.; Tel Aviv 69978; Israel.
^4 Address: Fachrichtung Informatik, Univ. des Saarlandes; Saarbrücken; Germany.

The Compiler Design Handbook: Optimizations and Machine Code Generation

12.1 Introduction

Pointers and heap-allocated storage are features of all modern imperative programming languages. However, they are ignored in most formal treatments of the semantics of imperative programming languages because their inclusion complicates the semantics of assignment statements: an assignment through a pointer variable (or through a pointer-valued component of a record) may have far-reaching side effects. Works that have treated the semantics of pointers include [5, 42, 43, 45].

These far-reaching side effects also make program dependence analysis harder, because they make it difficult to compute the aliasing relationships among different pointer expressions in a program. Having less precise program dependence information decreases the opportunities for automatic parallelization and for instruction scheduling.

The usage of pointers is error prone. Dereferencing NULL pointers and accessing previously deallocated storage are two common programming mistakes. The usage of pointers in programs is thus an obstacle for program understanding, debugging, and optimization. These activities need answers to many questions about the structure of the heap contents and the pointer variables pointing into the heap.

By shapes, we mean descriptors of heap contents. Shape analysis is a generic term denoting static program-analysis techniques that attempt to determine properties of the heap contents relevant for the applications mentioned above.

Structure of the Chapter

Section 12.2 lists a number of questions about the contents of the heap. Figure 12.1 presents a program that will be used as a running example, which inserts an element into a singly linked list. Section shows how shape analysis would answer the questions about the heap contents produced by this program. Section 12.3 then informally presents a parametric shape-analysis framework along the lines of [58], which provides a generative way to design and implement shape-analysis algorithms. The shape semantics plus some additional properties that individual storage elements may or may not possess are specified in logic, and the shape-analysis algorithm is automatically generated from such a specification. Section 12.4 shows how the informal treatment from Section 12.3 can be made precise by basing it on predicate logic. In particular, it is shown how a 2-valued interpretation and a 3-valued interpretation of the same set of formulas can be used to define the concrete and abstract semantics, respectively, of pointer-manipulating statements. Section 12.5 lists some applications of shape analysis. Section 12.6 briefly describes several extensions of the shape-analysis framework that have been investigated. Section 12.7 discusses related work. Section 12.8 presents some conclusions.

    /* list.h */
    typedef struct node {
        struct node *n;   /* pointer to the next list cell */
        int data;
    } *List;

    (a)

    /* insert.c */
    #include <assert.h>
    #include <stdlib.h>
    #include "list.h"

    void insert(List x, int d) {
        List y, t, e;
        assert(acyclic_list(x) && x != NULL);
        y = x;
        /* search for the insertion point; the rest of the condition is elided */
        while (y->n != NULL && ...) {
            y = y->n;
        }
        t = malloc(sizeof(*t));   /* allocate the new list cell */
        t->data = d;
        e = y->n;                 /* splice t in between y and y->n */
        t->n = e;
        y->n = t;
    }

    (b)

FIGURE 12.1 (a) Declaration of a linked-list data type in C. (b) A C function that searches a list pointed to by parameter x, and splices in a new element.

12.2 Questions about the Heap Contents

Shape analysis has a somewhat constrained view of programs. It is not concerned with numeric or string values that programs compute, but exclusively with the linked data structures they build in the heap and the pointers into the heap from the stack, from global memory, or from cells in the heap.^5 We will therefore use the term execution state to mean the set of cells in the heap, the connections between them (via pointer components of heap cells), and the values of pointer variables in the store.

Traditional Compiler Analyses

We list some questions about execution states that a compiler might ask at points in a program, together with (potential) actions enabled by the respective answers:

NULL pointers: Does a pointer variable or a pointer component of a heap cell contain NULL at the entry to a statement that dereferences the pointer or component?
    Yes (for every state): Issue an error message.
    No (for every state): Eliminate a check for NULL.
    Maybe: Warn about the potential NULL dereference.

Alias: Do two pointer expressions reference the same heap cell?
    Yes (for every state): Trigger a prefetch to improve cache performance, predict a cache hit to improve cache-behavior prediction, or increase the sets of uses and definitions for an improved liveness analysis.
    No (for every state): Disambiguate memory references and improve program dependence information [11, 55].^6

Sharing: Is a heap cell shared?^7
    Yes (for some state): Warn about explicit deallocation, because the memory manager may run into an inconsistent state.
    No (for every state): Explicitly deallocate the heap cell when the last pointer to it ceases to exist.

Reachability: Is a heap cell reachable from a specific variable or from any pointer variable?
    Yes (for every state): Use this information for program verification.
    No (for every state): Insert code at compile time that collects unreachable cells at runtime.

Disjointness: Do two data structures pointed to by two distinct pointer variables ever have common elements?
    No (for every state): Distribute disjoint data structures and their computations to different processors [24].

^5 However, the shape-analysis techniques presented in Sections 12.3 and 12.4 can be extended to account for both numeric values and heap-allocated objects. See Section and [20, 21, 28].
^6 The answer yes (for some state) indicates the case of a may-alias. This answer prevents reordering or parallelizing transformations from being applied.
^7 Later in the chapter, the sharing property that is formalized indicates whether a cell is heap-shared, that is, pointed to by two or more pointer components of heap cells. Sharing due to two pointer variables or one pointer variable and one heap cell component pointing to the same heap cell is also deducible from the results of shape analysis.

Cyclicity: Is a heap cell part of a cycle?
    No (for every state): Perform garbage collection of data structures by reference counting. Process all elements in an acyclic linked list in a doall parallel fashion.

Memory leak: Does a procedure or a program leave behind unreachable heap cells when it returns?
    Yes (in some state): Issue a warning.

The questions in this list are ones for which several traditional compiler analyses have been designed, motivated by the goal of improving optimization and parallelization methods. The may-alias-analysis problem, which seeks to find out whether the answer to the alias question is yes (in some state), is of particular importance in compiling. The goal of providing better may-alias information was the motivation for our work that grew into shape analysis.

Alias, sharing, and disjointness properties are related but different. To appreciate the difference, it suffices to see that they are defined on different domains and used in different types of compiler tasks. Alias relations concern pairs of pointer expressions; they are relevant for disambiguating memory references. Sharing properties concern the organization of neighboring heap cells; they are relevant for compile-time memory management. Disjointness relations concern pairs of data structures; they are relevant for determining whether traversals of two data structures can be parallelized. The relations between these properties are as follows:

Disjointness-aliasing: Two data structures D_1 and D_2 are disjoint in every state if there exist no two pointer expressions e_1, referring to D_1, and e_2, referring to D_2, that may be aliased in any state.

Disjointness-sharing: If two data structures D_1 and D_2 are not disjoint in some state, at least one of the common elements of D_1 and D_2 is shared in this state.

Aliasing-sharing: If two different pointer expressions e_1 and e_2 reference the same heap cell in some state, then this cell or one of its predecessors must be shared in this state. However, the opposite need not hold because not all heap cells are necessarily reachable from a variable.

Some of the other questions in the list given earlier concern memory-cleanness properties [14], for example, no NULL-dereferences, no deallocation of shared cells, and no memory leaks.

Memory Disambiguation

Many compiler transformations and their enabling analyses are based on information about the independence of program statements. Such information is used extensively in compiler optimizations, automatic program parallelizations, code scheduling for instruction-level parallel machines, and in software-engineering tools such as code slicers. The concept of program dependence is based on the notions of definition and use of resources. Such analyses can be performed at the source-language level, where resources are mostly program variables, as well as at the machine-language level, where resources are registers, memory cells, status flags, and so on.

For source-level analysis, these notions have been generalized from scalar variables to array components. Definitions and uses, in the form of indexed array names, now denote resources that are subsections of an array. Definitions and uses, which were uniquely determining resources in the case of scalar variables, turn into potential definitions (respectively uses) of sets of resources. Using these sets in the computation of dependences may induce spurious dependences. Many alias tests have been developed to ascertain whether two sets of potentially referenced resources are actually disjoint, that is, whether two given references to the same array never access the same element [66].

The same is overdue for references to the heap through pointer expressions. However, pointer expressions may refer to an unbounded amount of storage that is located in the heap. Appropriate analyses of pointer expressions should find information about:

Must-aliases: Two pointer expressions refer to the same heap cell on all executions that reach a given program point.

May-aliases: Two pointer expressions may refer to the same heap cell on an execution that reaches a given program point.

Approaches that attempt to identify may-aliases and must-aliases have traditionally used path expressions [27]. In Section we provide a new approach based on shape analysis, which yields very precise results.

Analyzing Programs for Shapes

Several of the properties listed above can be combined to formulate more complex properties of heap contents:

Shape: What is the shape of (some part of) the contents of the heap? Shapes (or, more precisely, shape descriptors) characterize data structures. A shape descriptor could indicate whether the heap contains a singly linked list, potentially with (or definitely without) a cycle, a doubly linked list, a binary tree, and so on. The need to track many of the properties listed above, for example, sharing, cyclicity, reachability, and disjointness, is an important aspect of many shape-analysis algorithms. Shape analysis can be understood as an extended type analysis; its results can be used as an aid in program understanding and debugging [13].

Nonstructural properties: In addition to the shape of some portions of the contents of the heap, what properties hold among the value components of a data structure? These combined properties can be used to prove the partial correctness of programs [35].

History properties: These track where a heap cell was allocated and what kinds of operations have been performed on it. This kind of information can be used to identify dependences between points in the program (see Section ).

Shape Descriptors and Data Structures

We claimed above that shape descriptors can characterize data structures. The constituents of shape descriptors that can be used to characterize a data structure include:

i. Root pointer variables, that is, information about which pointer variables point from the stack or from the static memory area into a data structure stored in the heap
ii. The types of the data-structure elements and, in particular, which fields hold pointers
iii. Connectivity properties, such as:
    Whether all elements of the data structure are reachable from a root pointer variable
    Whether any data-structure elements are shared
    Whether there are cycles in the data structure
    Whether an element v' pointed to by a "forward" pointer of another element v has its "backward" pointer pointing to v
iv. Other properties, for instance, whether an element of an ordered list is in the correct position

Each data structure can be characterized by a certain set of such properties.

Most semantics track the values of pointer variables and pointer-valued fields using a pair of functions, often called the environment and the store. Constituents i and ii above are parts of any such semantics; consequently, we refer to them as core properties.

Connectivity and other properties, such as those mentioned in iii and iv, are usually not explicitly part of the semantics of pointers in a language but instead are properties derived from this core semantics. They are essential ingredients in program verification, however, as well as in our approach to shape analysis of programs. Noncore properties will be called instrumentation properties (for reasons that will become clear shortly).

Let us start by taking a Platonic view, namely that ideas exist without regard to their physical realization. Concepts such as "is shared," "lies on a cycle," and "is reachable" can be defined either in graph-theoretic terms, using properties of paths, or in terms of the programming-language concept of pointers. The definitions of these concepts can be stated in a way that is independent of any particular data structure; for instance:

Example 12.1
A heap cell is heap-shared if it is the target of two pointers, either from two different heap cells or from two different pointer components of the same heap cell.

Data structures can now be characterized using sets of such properties, where "data structure" is still independent of a particular implementation; for instance:

Example 12.2
An acyclic singly linked list is a set of objects, each with one pointer field. The objects are reachable from a root pointer either directly or by following pointer fields. No object lies on a cycle, that is, is reachable from itself by following pointer fields.

To address the problem of verifying or analyzing a particular program that uses a certain data structure, we have to leave the Platonic realm and formulate shape invariants in terms of the pointer variables and data-type declarations from that program.

Example 12.3
Figure 12.1a, above, shows the declaration of a linked-list data type in C, and Figure 12.1b shows a C program that searches a list and splices a new element into the list. The characterization of an acyclic singly linked list in terms of the properties "is reachable from a root pointer" and "lies on a cycle" can now be specialized for that data-type declaration and that program as follows:

    "Is reachable from a root pointer" means "is reachable from x, or is reachable from y, or is reachable from t, or is reachable from e."
    "Lies on a cycle" means "is reachable from itself following one or more n-fields."

This chapter deals with analyses that attempt to determine the shapes of all data structures in the heap. To obtain shape descriptors, these analyses track many of the properties that have been discussed above. Looking at things in the other direction, however, once such shape descriptors have been obtained, answers to many of the above questions can merely be read off of the shape descriptors.

Answers as Given by Shape Analysis

This section discusses the results obtained by analyzing insert using a particular shape-analysis algorithm designed to analyze programs that manipulate singly linked lists. In this case, the analysis of insert has been carried out under the assumption that the inputs to insert are a nonempty, acyclic singly linked list and an integer. The former requirement is captured by the shape descriptors shown in Figure 12.2, which are provided as input to the shape-analysis algorithm.

FIGURE 12.2 Shape descriptors that describe the input to insert. (a) Represents acyclic lists of length at least 2. (b) Represents acyclic lists of length 1.

FIGURE 12.3 The eight shape graphs, (a) through (h), that arise at the beginning of the while-loop body in the program of Figure .

The shape-analysis algorithm produces information for each program point that describes the lists that can arise there. At the entry to the while-loop body some of the properties are:

    Pointer variables x and y point into the same list: x always points to the head; y points to either the head of the x-list or some tail of the x-list.
    All other pointer variables of the program have the value NULL.
    The list is acyclic.
    No memory leaks occur.

In addition, the information obtained by the shape-analysis algorithm shows that no attempt to dereference a NULL-valued pointer is ever made.

Figure 12.3 shows the eight shape graphs produced by the analysis for the program point at the entry to the loop body. Each shape graph represents a set of concrete memory configurations. In insert, the loop body is executed when the argument list is of length 2 or greater, and it advances variable y along the list that is pointed to by x. The shape-analysis algorithm is able to discover eight shape graphs that represent all such memory configurations. The graphs represent lists of various lengths, with various numbers of list cells between the list cells pointed to by x and y:

    Figure 12.3a and 12.3b represent lists in which x and y point to the same list cell;
    Figure 12.3c and 12.3d represent lists in which x and y point to list cells that are one apart;
    Figure 12.3e and 12.3f represent lists in which x and y point to list cells that are two apart;
    Figure 12.3g and 12.3h represent lists in which x and y point to list cells that are three or more apart.

Heap cells and their properties in the represented heaps can be read off from a shape graph in the following way:

    The name p represents pointer variable p. For instance, two of the pointer variables of program insert, namely x and y, appear in the shape graphs in Figures 12.2 and . The absence of the name p in a shape graph means that, in the stores represented by the shape graph, program variable p definitely has the value NULL. In Figure 12.3a, the absence of the name t means that t definitely has the value NULL in the stores that the shape graph represents.

    Circles stand for abstract nodes. A solid circle stands for an abstract node that represents exactly one heap cell. In Figure 12.2b, the circle u represents the one cell of an input list of length 1. Solid circles could be viewed as abstract nodes with the property "uniquely representing." (This is the complement of the summary property sm that is introduced later on.)

    A dotted circle stands for an abstract node that may represent one or more heap cells; in Figure 12.2a, the dotted circle u represents the cells in the tail of the input list.

    A solid edge labeled c between abstract nodes m and m' represents the fact that the c-field of the heap cell represented by m points to the heap cell represented by m'. Figure 12.3a indicates that the n-field of the first list cell points to the second list cell.

    A dotted edge labeled c between abstract nodes m and m' tells us that the c-field of one of the heap cells represented by m may point to one of the heap cells represented by m'. When m and m' are the same abstract nodes, this edge may or may not represent a cycle. In Figure 12.3b, the dotted self-cycle on the dotted circle represents n-fields of heap cells represented by this abstract node possibly pointing to other heap cells represented by the dotted circle. Additional information about noncyclicity (see below) implies that, in this case, the dotted self-cycle does not represent a cycle in the heap.

    A unary property q that holds for all heap cells represented by an abstract node is represented in the graph by having a solid arrow from the property name q to that node. (These names are typically subscripted, such as r_{x,n} or c_n.) For example, the property reachable-from-x-via-n, denoted in the graph by r_{x,n}, means that the heap cells represented by the corresponding abstract nodes are (transitively) reachable from pointer variable x via n-fields. Both nodes in Figure 12.3b are the targets of a solid edge from an instance of property name r_{x,n}. This means the concrete cell represented by the first abstract node and all concrete cells represented by the second abstract node are reachable from x via n-fields.

    A dotted arrow from a property name p to an abstract node represents the fact that p may be true for some of the heap cells represented by the abstract node and may be false for others. The absence of an arrow from p to an abstract node means that none of the represented heap cells has property p. (Examples with dotted edges are given in Section .)

In summary, the shape graphs portray information of three kinds:

    Solid, meaning "always holds" for properties (including "uniquely representing")
    Absent, meaning "never holds" for properties
    Dotted, meaning "don't know" for properties (including "uniquely representing")

Shape analysis associates sets of shape graphs with each program point. They describe (a superset of) all the execution states that can occur whenever execution reaches that program point. To determine whether a property always (ever) holds at a given program point, we must check that it holds for all (some) of the shape graphs for that point.

With this interpretation in mind, all of the claims about the properties of the heap contents at the entry to the while-loop body listed at the beginning of this subsection can be checked by verifying that they hold for all of the graphs shown in Figure 12.3.

12.3 Shape Analysis

The example program insert works for lists of arbitrary lengths. However, as described in the preceding section (at least for one program point), the description of the lists that occur during execution is finite. As shown in Figure 12.3, eight shape graphs are sufficient to describe all of the execution states that occur at the entry of the loop body in insert. This is a general requirement for shape analysis. Although the data structures that a program builds or manipulates are in general of unbounded size, the shape descriptors, manipulated by a shape-analysis algorithm, have to have bounded size.

This representation of the heap contents has to be conservative in the sense that whoever asks for properties of the heap contents (for example, a compiler, a debugger, or a program-understanding system) receives a reliable answer. The claim that "pointer variable p or pointer field p->c never has the value NULL at this program point" may only be made if this is indeed the case for all executions of the program and all program paths leading to the program point. It may still be the case that in no program execution p (respectively p->c) will be NULL at this point but that the analysis will be unable to derive this information. In the field of program analysis, we say that program analysis is allowed to (only) "err on the safe side."

In short, shape analysis computes for a given program and each point in the program: a finite, conservative representation of the heap-allocated data structures that could arise when a path to this program point is executed.

Summarization

The constraint that we must work with a bounded representation implies a loss of information about the heap contents. Size information, such as the lengths of lists or the depths of trees, will in general be lost. However, structural information may also be lost because of the chosen representation. Thus, a part of the execution state (or some of its properties) is exactly represented, and some part of the execution state (or some of its properties) is only approximately represented. The process leading to the latter is called summarization. Summarization intuitively means the following:

    Some heap cells will lose their identity, that is, will be represented together with other heap cells by one abstract node.
    The connectivity among those jointly represented heap cells will be represented conservatively; that is, each pointer in the heap will be represented, but several such pointers (or the absence of such pointers) may be represented jointly.
    Properties of these heap cells will also be represented conservatively. This means the following:
        A property that holds for all (for none of the) summarized cells will be found to hold (not to hold) for their summary node.
        A property that holds for some but not all of the summarized cells will have the value "don't know" for the summary node.

Parametric Shape Analysis

Shape analysis is a generic term representing a whole class of algorithms of varying power and complexity that try to answer questions about the structure of heap-allocated storage. In our setting, a particular shape-analysis algorithm is determined by a set of properties that heap cells may have and by relations that may or may not hold between heap cells.

First, there are the aforementioned core properties, for example, the "pointed-to-by-p" property for each program pointer variable p, and the property "connected-through-c," which pairs of heap cells (l_1, l_2) possess if the c-field of l_1 points to l_2 (see Table 12.1). These properties are part of any pointer semantics. The core properties in the particular shape analysis of the insert program are "pointed-to-by-x," denoted by x, "pointed-to-by-y," denoted by y, "pointed-to-by-t," denoted by t, "pointed-to-by-e," denoted by e, and "connected-through-n," denoted by n( , ).

TABLE 12.1 Predicates used for representing the stores manipulated by programs that use the List data-type declaration from Figure 12.1(a)

    Predicate       Intended Meaning
    q(v)            Does pointer variable q point to cell v?
    n(v_1, v_2)     Does the n-field of v_1 point to v_2?

The instrumentation properties [58], denoted by I, together with the core properties determine what the analysis is capable of observing. These are expressed in terms of the core properties. Our example analysis is designed to identify properties of programs that manipulate acyclic singly linked lists. Reachability properties from specific pointer variables have the effect of keeping disjoint sublists summarized separately. This is particularly important when analyzing a program in which two pointers are advanced along disjoint sublists. Therefore, the instrumentation properties in our example analysis are "is-on-an-n-cycle," denoted by c_n, "reachable-from-x-via-n," denoted by r_{x,n}, "reachable-from-y-via-n," denoted by r_{y,n}, and "reachable-from-t-via-n," denoted by r_{t,n}. For technical reasons, a property that is part of every shape analysis is "summary," denoted by sm( ).

Abstraction Functions

The abstraction function of a particular shape analysis is determined by a distinguished subset of the set of all unary properties, the so-called abstraction properties, A. Given a set A of abstraction properties, the corresponding abstraction function will be called A-abstraction function (and the act of applying it, A-abstraction). If the set W = I - A is not empty, that is, if there are instrumentation predicates that are not used as abstraction predicates, we will call the abstraction A-abstraction with W.

The principle of abstraction is that heap cells that have the same definite values for the abstraction properties are summarized to the same abstract node. Thus, if we view the set of abstraction properties as our means of observing the contents of the heap, the heap cells summarized by one summary node have no observable difference.

All concrete heap cells represented by the same abstract heap cells agree on their abstraction properties; that is, either they all have these abstraction properties, or none of them have them. Thus, summary nodes inherit the values of the abstraction properties from the nodes they represent. For nonabstraction properties, their values are computed in the following way: if all summarized cells agree on this property (that is, they have the same value), the summary node receives this value. If not all summarized cells agree on a property, their summary node will receive the value "don't know." The values of binary properties are computed the same way.

From what has been said above, it is clear that there is a need for three values: two definite values, representing 0 (false) and 1 (true), and an additional value, 1/2, representing uncertainty. This abstraction process is called truth-blurring embedding (see also Section ).

Example 12.4
The shape graphs in Figure 12.2 and the ones in Figure 12.3 are obtained using the {x, y, t, e, r_{x,n}, r_{y,n}, r_{t,n}, r_{e,n}, c_n}-abstraction function. In Figure 12.2a, all the cells in the tail of an input list of length at least 2 are summarized by the abstract node u, because they all have the property r_{x,n} and do not have the properties x, y, t, e, r_{y,n}, r_{t,n}, r_{e,n}, and c_n. The abstract node u_0 represents exactly one cell, the first cell of the input list. It has the properties x and r_{x,n} and none of the other properties.

Now consider how the value of the property n is computed for the summary node u. The different list cells that are summarized by u do not have the same values for n, because at any one time a pointer field may point to at most one heap cell. Thus, the connected-by-n-field properties of the resulting summary nodes have the value 1/2.

FIGURE 12.4 Concrete lists pointed to by x of length 4 (structures S_0 through S_4, with list cells named u_2, u_3, and u_4 after the cell pointed to by x).

Designing a Shape Abstraction

This section presents a sequence of example shape abstractions to demonstrate how the precision of a shape abstraction can be changed by changing the properties used (both abstraction and nonabstraction properties). Here precision refers to the set of concrete heap structures that each abstract shape descriptor represents; a more precise shape descriptor represents a smaller set of concrete structures. One abstraction is more precise than another if it yields more precise shape descriptors. All examples treat singly linked lists of the type declared in Figure . The core properties are x, later also y, and n.

Example 12.5
Consider the case of {x}-abstraction; that is, the only abstraction property is x. Figure 12.4 depicts four lists of length 1 to 4 pointed to by x and the empty list. Figure 12.5 shows the shape graphs obtained by applying {x}-abstraction to the concrete lists of Figure . In addition to the lists of length 3 and 4 from Figure 12.4 (i.e., S_3 and S_4), the shape graph S_3 also represents:

    The acyclic lists of length 5, 6, and so on that are pointed to by x
    The cyclic lists of length 3 or more that are pointed to by x, such that the backpointer is not to the head of the list, but to the second, third, or later element

Thus, S_3 is a finite shape graph that captures an infinite set of (possibly cyclic) concrete lists. The example shows that a weak abstraction may lose valuable information: even when only acyclic lists are abstracted, the result of the abstraction is a shape graph that also represents cyclic lists.

FIGURE 12.5 Shape graphs (S_0 through S_3) that are obtained by applying {x}-abstraction to the concrete lists that appear in Figure .
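The A-abstraction described under "Abstraction Functions" and applied in Example 12.5 can be carried out mechanically; the following Python sketch is an added example, not code from the chapter or from any shape-analysis tool. It goes slightly beyond {x}-abstraction by also computing the instrumentation properties c_n and r_{x,n} so they can be used either as abstraction properties or as the extra set W. The names concrete_list, blur, abstract, HALF, r_x_n, and the convention of naming an abstract node by the tuple of abstraction properties that hold for it are assumptions made for the illustration.

```python
from fractions import Fraction

HALF = Fraction(1, 2)  # the third truth value 1/2 ("don't know")


def concrete_list(length, back_to=None):
    """Constructed 2-valued store: cells 1..length linked by the n-field,
    x pointing to cell 1; back_to optionally makes the last cell point back."""
    cells = list(range(1, length + 1))
    n = {(i, i + 1) for i in range(1, length)}
    if back_to is not None:
        n.add((length, back_to))
    succ = {c: [b for (a, b) in n if a == c] for c in cells}

    def reach(start):
        """Cells reachable from start by following one or more n-fields."""
        seen, stack = set(), list(succ[start])
        while stack:
            v = stack.pop()
            if v not in seen:
                seen.add(v)
                stack.extend(succ[v])
        return seen

    x = set(cells[:1])
    unary = {
        "x": x,                                         # core: pointed-to-by-x
        "c_n": {v for v in cells if v in reach(v)},     # is-on-an-n-cycle
        "r_x_n": x | {v for r in x for v in reach(r)},  # reachable-from-x-via-n
    }
    return cells, unary, n


def blur(bits):
    """Truth-blurring: keep a definite 0 or 1 if all cells agree, else 1/2."""
    bits = set(bits)
    return bits.pop() if len(bits) == 1 else HALF


def abstract(store, A, W=()):
    """A-abstraction with W: cells that agree on every property in A are
    merged into one abstract node; properties in W are recorded but do not
    influence which cells are merged."""
    cells, unary, n = store
    groups = {}
    for v in cells:
        name = tuple(p for p in A if v in unary[p])
        groups.setdefault(name, []).append(v)
    shape = {"sm": {}, "unary": {}, "n": {}}
    for u, members in groups.items():
        # sm is 1/2 for a summary node, 0 for a node standing for one cell
        shape["sm"][u] = HALF if len(members) > 1 else 0
        for p in tuple(A) + tuple(W):
            shape["unary"][p, u] = blur(int(v in unary[p]) for v in members)
        for w, targets in groups.items():
            shape["n"][u, w] = blur(
                int((a, b) in n) for a in members for b in targets
            )
    return shape


if __name__ == "__main__":
    # {x}-abstraction of the empty list and the lists of length 1 to 4
    for length in range(5):
        print(length, abstract(concrete_list(length), ("x",)))
```

Under {x}-abstraction the lists of length 3 and 4 and the list of length 4 whose last cell points back to the second cell all yield the same shape graph, which is the loss of precision Example 12.5 describes; passing W=("c_n",) or A=("x", "c_n") shows how recording or abstracting on cyclicity separates them.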

FIGURE 12.6 The shape graphs that are obtained by applying $\{x\}$-abstraction with $\{c_n\}$ to acyclic lists (top) and cyclic lists (bottom).

Example 12.6 The next example uses $\{x\}$-abstraction with $\{c_n\}$; that is, it uses cyclicity properties in addition to the abstraction property $x$. Figure 12.6 shows two shape graphs: $S_{acyclic}$, the result of applying this abstraction to acyclic lists, and $S_{cyclic}$, the result of applying it to cyclic lists. Although $S_{acyclic}$, which is obtained by $\{x\}$-abstraction with $\{c_n\}$, looks just like $S_3$ in Figure 12.5, which is obtained just by $\{x\}$-abstraction (without $\{c_n\}$), $S_{acyclic}$ describes a smaller set of lists than $S_3$, namely only acyclic lists of length at least 3. The absence of a $c_n$-arrow to expresses the fact that none of the heap cells summarized by lie on a cycle. In contrast, $S_{cyclic}$ describes lists in which the heap cells represented both by and by $u$ definitely lie on a cycle. These are lists in which the last list element has a backpointer to the head of the list.

Example 12.7 This example shows what it means to make an instrumentation property an abstraction property. $\{x, c_n\}$-abstraction and $\{x\}$-abstraction with $\{c_n\}$ are applied to cyclic lists, that is, lists that have a backpointer into the middle of the list. Figure 12.7 shows how the additional abstraction property $c_n$ causes there to be two different summary nodes.

Instrumentation properties that track information about reachability from pointer variables are particularly important for avoiding a loss of precision, because they permit the abstract representations of data structures, and different parts of the same data structure, that are disjoint in the concrete world to be kept separate [57, p. 38]. A reachability property $r_{q,n}(v)$ captures whether a heap cell $v$ is (transitively) reachable from pointer variable q along n-fields.

Example 12.8 The power of reachability information is illustrated in our next example.
Figures 12.8 and 12.9 show how a concrete list in which x points to the head and y points into the middle is mapped to two different shape graphs, depending on whether $\{x, y, r_{x,n}, r_{y,n}\}$-abstraction or just $\{x, y\}$-abstraction is used.

FIGURE 12.7 (a) $\{x, c_n\}$-abstraction and (b) $\{x\}$-abstraction with $\{c_n\}$. The two abstractions have been applied to a list of length at least 5, with a backpointer into the middle of the list. The ≥ 5 elements of the lists represented by shape graph (a) are distributed as follows: at least three of them form the acyclic prefix of the list, and at least two of them form the cycle.

FIGURE 12.8 A concrete list pointed to by x, where y points into the middle of the list.

FIGURE 12.9 The shape graphs that are obtained by applying $\{x, y, r_{x,n}, r_{y,n}\}$-abstraction and $\{x, y\}$-abstraction, respectively, to the list $S_6^{\natural}$ from Figure .

Note that the situation depicted in Figure 12.8 occurs in insert as y is advanced down the list; the reachability abstraction properties play a crucial role in developing a shape-analysis algorithm that is capable of obtaining precise shape information for insert.

An Overview of a Shape-Analysis Framework

This section provides an overview of the formal underpinnings of the shape-analysis framework presented in [58]. The framework is parametric; that is, it can be instantiated in different ways to create a variety of specific shape-analysis algorithms. The framework is based on 3-valued logic. In this paper, the presentation is at a semi-technical level; for a more detailed treatment of this material, as well as several elaborations on the ideas covered here, the reader should refer to [58].

To be able to perform shape analysis, the following concepts need to be formalized:
- An encoding (or representation) of stores, so that we can talk precisely about store elements and the relationships among them.
- A language in which to state properties that store elements may or may not possess.
- A way to extract the properties of stores and store elements.
- A definition of the concrete semantics of the programming language, in particular, one that makes it possible to track how properties change as the execution of a program statement changes the store.
- A technique for creating abstractions of stores so that abstract interpretation can be applied.
In our approach, the formalization of each of these concepts is based on predicate logic.

Representing Stores via 2-Valued and 3-Valued Logical Structures

To represent stores, we work with what logicians call logical structures. A logical structure is associated with a vocabulary of predicate symbols (with given arities). So far we have talked about properties of different classes, that is, core, instrumentation, and abstraction properties. Properties in our specification language, predicate logic, correspond to predicates. Each logical structure $S$, denoted by $\langle U^S, \iota^S \rangle$, has a universe of individuals $U^S$. In a 2-valued logical structure, $\iota^S$ maps each arity-$k$ predicate symbol $p$ and possible $k$-tuple of individuals $(u_1, \ldots, u_k)$, where $u_i \in U^S$, to the value 0 or 1 (i.e., false and true, respectively). In a 3-valued logical structure, $\iota^S$ maps $p$ and $(u_1, \ldots, u_k)$ to the value 0, 1, or 1/2 (i.e., false, true, and unknown, respectively). 2-valued logical structures will be used to encode concrete stores; 3-valued logical structures will be used to encode abstract stores; members of these two families of structures will be related by truth-blurring embeddings (explained in Section ).

2-valued logical structures are used to encode concrete stores as follows: individuals represent memory locations in the heap; pointers from the stack into the heap are represented by unary "pointed-to-by-variable-q" predicates; and pointer-valued fields of data structures are represented by binary predicates.

Example 12.9 Table 12.1 lists the predicates used for representing the stores manipulated by programs that use the List data-type declaration from Figure 12.1a. In the case of insert, the unary predicates $x$, $y$, $t$, and $e$ correspond to the program variables x, y, t, and e, respectively. The binary predicate $n$ corresponds to the n-fields of List elements. Figure illustrates the 2-valued logical structures that represent lists of length ≤ 4 that are pointed to by program variable x. Column 3 of Figure gives a graphical rendering of these 2-valued logical structures; note that these graphs are identical to those depicted in Figure 12.4:
- Individuals of the universe are represented by circles with names inside.
- A unary predicate $p$ is represented in the graph by having a solid arrow from the predicate name $p$ to node $u$ for each individual $u$ for which $\iota(p)(u) = 1$ and no arrow from predicate name $p$ to node $u$ for each individual $u$ for which $\iota(p)(u) = 0$. (If $\iota(p)$ is 0 for all individuals, the predicate name $p$ will not be shown.)
- A binary predicate $q$ is represented in the graph by a solid arrow labeled $q$ between each pair of individuals $u_i$ and $u_j$ for which $\iota(q)(u_i, u_j) = 1$ and no arrow between pairs $u_i$ and $u_j$ for which $\iota(q)(u_i, u_j) = 0$.

FIGURE The 2-valued logical structures that represent lists of length ≤ 4.

Thus, in structure $S_2^{\natural}$, pointer variable x points to individual $u_1$, whose n-field points to individual $u_2$. The n-field of $u_2$ does not point to any individual (i.e., $u_2$ represents a heap cell whose n-field has the value NULL).

Extraction of Store Properties

2-valued structures offer a systematic way to answer questions about properties of the concrete stores they encode. For example, consider the formula

$$\varphi_{is}(v) \stackrel{\mathrm{def}}{=} \exists v_1, v_2 : n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2 \tag{12.1}$$

which expresses the "is-shared" property: Do two or more different heap cells point to heap cell $v$ via their n-fields? For instance, $\varphi_{is}(v)$ evaluates to 0 in $S_2^{\natural}$ for the assignment $[v \mapsto u_2]$, because there is no assignment of the form $[v_1 \mapsto u_i, v_2 \mapsto u_j]$ such that $\iota^{S_2^{\natural}}(n)(u_i, u_2)$, $\iota^{S_2^{\natural}}(n)(u_j, u_2)$, and $u_i \neq u_j$ all hold.

As a second example, consider the formula

$$\varphi_{c_n}(v) \stackrel{\mathrm{def}}{=} n^{+}(v, v) \tag{12.2}$$

which expresses the property of whether a heap cell $v$ appears on a directed n-cycle. Here $n^{+}$ denotes the transitive closure of the n-relation. Formula $\varphi_{c_n}(v)$ evaluates to 0 in $S_2^{\natural}$ for the assignment $[v \mapsto u_2]$, because the transitive closure of the relation $\iota^{S_2^{\natural}}(n)$ does not contain the pair $(u_2, u_2)$.

The preceding discussion can be summarized as the following principle:

Observation 12.1 (Property-Extraction Principle). By encoding stores as logical structures, questions about properties of stores can be answered by evaluating formulas. The property holds or does not hold, depending on whether the formula evaluates to 1 or 0, respectively, in the logical structure.

The language in which queries are posed is standard first-order logic with a transitive-closure operator. The notion of evaluating a formula $\varphi$ in logical structure $S$ with respect to assignment $Z$ (where $Z$ assigns individuals to the free variables of $\varphi$) is completely standard (e.g., see [17, 58]).
We use the notation $[\![\varphi]\!]_2^S(Z)$ to denote the value of $\varphi$ in $S$ with respect to $Z$.

Expressing the Semantics of Program Statements

Our tool for expressing the semantics of program statements is also based on evaluating formulas:

Observation 12.2 (Expressing the Semantics of Statements via Logical Formulas). Suppose that $\sigma$ is a store that arises before statement st, that $\sigma'$ is the store that arises after st is evaluated on $\sigma$, and that $S$ is the logical structure that encodes $\sigma$. A collection of predicate-update formulas, one for each predicate $p$ in the vocabulary of $S$, allows one to obtain the structure $S'$ that encodes $\sigma'$. When evaluated in structure $S$, the predicate-update formula for a predicate $p$ indicates what the value of $p$ should be in $S'$.

In other words, the set of predicate-update formulas captures the concrete semantics of st. This process is illustrated in Figure for the statement y = y->n, where the initial structure $S_a^{\natural}$ represents a list of length 4 that is pointed to by both x and y. Figure shows the predicate-update formulas for the five predicates of the vocabulary used in conjunction with insert: $x$, $y$, $t$, $e$, and $n$; the symbols $x'$, $y'$, $t'$, $e'$, and $n'$ denote the values of the corresponding predicates in the structure that arises after execution of y = y->n. Predicates $x'$, $t'$, $e'$, and $n'$ are unchanged in value by y = y->n. The predicate-update formula $y'(v) = \exists v_1 : y(v_1) \wedge n(v_1, v)$ expresses the advancement of program variable y down the list.

FIGURE The given predicate-update formulas express a transformation on logical structures that corresponds to the semantics of y = y->n. The predicate-update formulas shown in the figure are $x'(v) = x(v)$, $y'(v) = \exists v_1 : y(v_1) \wedge n(v_1, v)$, $t'(v) = t(v)$, $e'(v) = e(v)$, and $n'(v_1, v_2) = n(v_1, v_2)$.

Abstraction via Truth-Blurring Embeddings

The abstract stores used for shape analysis are 3-valued logical structures that, by the construction discussed below, are a priori of bounded size. In general, each 3-valued logical structure corresponds to a (possibly infinite) set of 2-valued logical structures. Members of these two families of structures are related by truth-blurring embeddings. The principle behind truth-blurring embedding is illustrated in Figure 12.12, which shows how 2-valued structure $S_a^{\natural}$ is abstracted to 3-valued structure $S_a$ when we use $\{x, y, t, e\}$-abstraction. Abstraction is driven by the values of the vector of unary predicate values that each individual $u$ has, that is, for $S_a^{\natural}$, by the values $\iota(x)(u)$, $\iota(y)(u)$, $\iota(t)(u)$, and $\iota(e)(u)$, and, in particular, by the equivalence classes formed from the individuals that have the same vector for their unary predicate values. In $S_a^{\natural}$, there are two such equivalence classes: (a) $\{u_1\}$, for which $x$, $y$, $t$, and $e$ are 1, 1, 0, and 0, respectively, and (b) $\{u_2, u_3, u_4\}$, for which $x$, $y$, $t$, and $e$ are all 0. (The boxes in the table of unary predicates for $S_a^{\natural}$ show how individuals of $S_a^{\natural}$ are grouped into two equivalence classes.)

All members of such equivalence classes are mapped to the same individual of the 3-valued structure. Thus, all members of $\{u_2, u_3, u_4\}$ from $S_a^{\natural}$ are mapped to the same individual in $S_a$, called $u_{234}$ (see footnote 8); similarly, all members of $\{u_1\}$ from $S_a^{\natural}$ are mapped to the same individual in $S_a$, called $u_1$.

For each non-unary predicate of the 2-valued structure, the corresponding predicate in the 3-valued structure is formed by a truth-blurring quotient. For instance:
- In $S_a^{\natural}$, $\iota^{S_a^{\natural}}(n)$ evaluates to 0 for the only pair of individuals in $\{u_1\} \times \{u_1\}$. Therefore, in $S_a$ the value of $\iota^{S_a}(n)(u_1, u_1)$ is 0.
- In $S_a^{\natural}$, $\iota^{S_a^{\natural}}(n)$ evaluates to 0 for all pairs from $\{u_2, u_3, u_4\} \times \{u_1\}$. Therefore, in $S_a$ the value of $\iota^{S_a}(n)(u_{234}, u_1)$ is 0.
- In $S_a^{\natural}$, $\iota^{S_a^{\natural}}(n)$ evaluates to 0 for two of the pairs from $\{u_1\} \times \{u_2, u_3, u_4\}$ (i.e., $\iota^{S_a^{\natural}}(n)(u_1, u_3) = 0$ and $\iota^{S_a^{\natural}}(n)(u_1, u_4) = 0$), whereas $\iota^{S_a^{\natural}}(n)$ evaluates to 1 for the other pair (i.e., $\iota^{S_a^{\natural}}(n)(u_1, u_2) = 1$); therefore, in $S_a$ the value of $\iota^{S_a}(n)(u_1, u_{234})$ is 1/2.
- In $S_a^{\natural}$, $\iota^{S_a^{\natural}}(n)$ evaluates to 0 for some pairs from $\{u_2, u_3, u_4\} \times \{u_2, u_3, u_4\}$ (e.g., $\iota^{S_a^{\natural}}(n)(u_2, u_4) = 0$), whereas $\iota^{S_a^{\natural}}(n)$ evaluates to 1 for other pairs (e.g., $\iota^{S_a^{\natural}}(n)(u_2, u_3) = 1$); therefore, in $S_a$ the value of $\iota^{S_a}(n)(u_{234}, u_{234})$ is 1/2.

In Figure 12.12, the boxes in the tables for predicate $n$ indicate these four groupings of values.

FIGURE The abstraction of 2-valued structure $S_a^{\natural}$ to 3-valued structure $S_a$ when we use $\{x, y, t, e\}$-abstraction. The boxes in the tables of unary predicates indicate how individuals are grouped into equivalence classes; the boxes in the tables for predicate $n$ indicate how the quotient of $n$ with respect to these equivalence classes is performed.

TABLE 12.2 Kleene's 3-valued interpretation of the propositional operators

∧   | 0    1    1/2
0   | 0    0    0
1   | 0    1    1/2
1/2 | 0    1/2  1/2

∨   | 0    1    1/2
0   | 0    1    1/2
1   | 1    1    1
1/2 | 1/2  1    1/2

¬   |
0   | 1
1   | 0
1/2 | 1/2
An additional unary predicate, called $sm$ (standing for "summary"), is added to the 3-valued structure to capture whether individuals of the 3-valued structure represent more than one concrete individual. For instance, $\iota^{S_a}(sm)(u_1) = 0$ because $u_1$ in $S_a$ represents a single individual of $S_a^{\natural}$. However, $u_{234}$ represents three individuals of $S_a^{\natural}$. For technical reasons, $sm$ can be 0 or 1/2, but never 1; therefore, $\iota^{S_a}(sm)(u_{234}) = 1/2$.

Conservative Extraction of Store Properties

Questions about properties of 3-valued structures can be answered by evaluating formulas using Kleene's semantics of 3-valued logic (see [58]). The value of a formula is obtained in almost exactly the same way that it is obtained in ordinary 2-valued logic, except that the propositional operators are given the interpretations shown in Table 12.2. (The evaluation rules for $\forall$, $\exists$, and transitive closure are adjusted accordingly; that is, $\forall$ and $\exists$ are treated as indexed-$\wedge$ and indexed-$\vee$ operators, respectively.) We use the notation $[\![\varphi]\!]_3^S(Z)$ to denote the value of $\varphi$ in 3-valued logical structure $S$ with respect to 3-valued assignment $Z$.

We define a partial order $\sqsubseteq$ on truth values to reflect their degree of definiteness (or information content): $l_1 \sqsubseteq l_2$ denotes that $l_1$ is at least as definite as $l_2$.

8 The reader should bear in mind that the names of individuals are completely arbitrary. $u_{234}$ could have been called 7 or $u_{99}$ and so on; in particular, the subscript "234" is used here only to remind the reader that, in this example, $u_{234}$ of $S_a$ is the individual that represents $\{u_2, u_3, u_4\}$ of $S_a^{\natural}$. (In many subsequent examples, $u_{234}$ will be named $u$.)

FIGURE The 3-valued logical structures that are obtained by applying truth-blurring embedding to the 2-valued structures that appear in Figure .

Definition 12.1 (Information Order). For $l_1, l_2 \in \{0, 1/2, 1\}$, we define the information order on truth values as follows: $l_1 \sqsubseteq l_2$ if $l_1 = l_2$ or $l_2 = 1/2$. The symbol $\sqcup$ denotes the least-upper-bound operation with respect to $\sqsubseteq$:

⊔   | 0    1/2  1
0   | 0    1/2  1/2
1/2 | 1/2  1/2  1/2
1   | 1/2  1/2  1

The 3-valued semantics is monotonic in the information order (see Table 12.2). In [58] the embedding theorem states that the 3-valued Kleene interpretation in $S$ of every formula is consistent with (i.e., $\sqsupseteq$) the formula's 2-valued interpretation in every concrete store $S^{\natural}$ that $S$ represents. Consequently, questions about properties of stores can be answered by evaluating formulas using Kleene's semantics of 3-valued logic:
- If a formula evaluates to 1, then the formula holds in every store represented by the 3-valued structure $S$.
- If a formula evaluates to 0, then the formula does not hold in any store represented by $S$.
- If a formula evaluates to 1/2, then we do not know if this formula holds in all stores, does not hold in any store, or holds in some stores and does not hold in some other stores represented by $S$.

Consider the formula $\varphi_{c_n}(v)$ defined in Equation 12.2. (Does heap cell $v$ appear on a directed cycle of n-fields?) Formula $\varphi_{c_n}(v)$ evaluates to 0 in structure $S_3$ from Figure for the assignment $[v \mapsto u_1]$, because $n^{+}(u_1, u_1)$ evaluates to 0 in Kleene's semantics. Formula $\varphi_{c_n}(v)$ evaluates to 1/2 in $S_3$ for the assignment $[v \mapsto u]$, because $\iota^{S_3}(n)(u, u) = 1/2$, and thus $n^{+}(u, u)$ evaluates to 1/2 in Kleene's semantics.
Because of this, we do not know whether $S_3$ represents a concrete store that has a cycle; this uncertainty implies that (the tail of) the list pointed to by x might be cyclic. In many situations, however, we are interested in analyzing the behavior of a program under the assumption, for example, that the program's input is an acyclic list. If an abstraction is not capable of expressing the distinction between cyclic and acyclic lists, an analysis algorithm based on that abstraction will usually be able to recover only very imprecise information about the actions of the program.

For this reason, we are interested in having our parametric framework support abstractions in which, for instance, the acyclic lists are distinguished from the cyclic lists. Our framework supports such distinctions by using instrumentation predicates. The preceding discussion illustrates the following principle:

Observation 12.3 (Instrumentation Principle). Suppose that $S$ is a 3-valued structure that represents the 2-valued structure $S^{\natural}$. By explicitly "storing" in $S$ the values that a formula $\varphi$ has in $S^{\natural}$, it is sometimes possible to extract more precise information from $S$ than can be obtained just by evaluating $\varphi$ in $S$.

In our experience, we have found three kinds of instrumentation predicates to be useful:
- Nullary predicates record Boolean information (and are similar to the predicates in predicate abstraction [3, 22]). For example, to distinguish between cyclic and acyclic lists, we can define an instrumentation predicate $c_0$ by the formula

$$\varphi_{c_0} \stackrel{\mathrm{def}}{=} \exists v : n^{+}(v, v) \tag{12.3}$$

  which expresses the property that some heap cell $v$ lies on a directed n-cycle. Thus, when $\iota^S(c_0)$ is 0, we know that $S$ does not represent any memory configurations that contain cyclic data structures.
- Unary instrumentation predicates record information for unbounded sets of objects. Examples of some unary instrumentation predicates are given in Section . Notice that the unary cyclicity predicate $c_n$ (defined by an open formula [see Equation 12.2]) allows finer distinctions than are possible with the nullary cyclicity predicate (defined by a closed formula [see Equation 12.3]). Unary cyclicity predicate $c_n$ records information about the cyclicity properties of individual nodes, namely, $c_n(v)$ records whether node $v$ lies on a cycle; nullary cyclicity predicate $c_0$ records a property of the heap as a whole, namely, whether the heap contains any cycle.
- Binary instrumentation predicates record relationships between unbounded sets of objects. For example, the instrumentation predicate $t[n](v_1, v_2) \stackrel{\mathrm{def}}{=} n^{+}(v_1, v_2)$ records the existence of n-paths from $v_1$ to $v_2$.
Moreover, instrumentation predicates that are unary can also be used as abstraction predicates. In Section , we saw how it is possible to change the shape abstraction in use by changing the set of instrumentation predicates in use and/or by changing which unary instrumentation predicates are used as abstraction predicates.

By using the right collection of instrumentation predicates and abstraction predicates, shape-analysis algorithms can be created that, in many cases, determine precise shape information for programs that manipulate several (possibly cyclic) data structures simultaneously. The information obtained is more precise than that obtained from previous work on shape analysis. In Section 12.5, several other instrumentation predicates are introduced that augment shape descriptors with auxiliary information that permits flow-dependence information to be read off from the results of shape analysis.

Abstract Interpretation of Program Statements

The goal of a shape-analysis algorithm is to associate with each vertex $v$ of control-flow graph $G$, a finite set of 3-valued structures that describes all of the 2-valued structures that can arise at $v$ (and possibly more). The abstract semantics can be expressed as the least fixed point (in terms of set inclusion) of a system of equations over variables that correspond to vertices in the program. The right-hand side of each equation is a transformer that represents the abstract semantics for an individual statement in the program.

The most complex issue we face is the definition of the abstract semantics of program statements. This abstract semantics has to (a) be conservative, that is, must account for every possible runtime situation, and (b) should not yield too many unknown values.

The fact that the concrete semantics of statements can be expressed via logical formulas (Observation 12.2), together with the fact that the evaluation of a formula $\varphi$ in a 3-valued structure $S$ is guaranteed to be safe with respect to the evaluation of $\varphi$ in any 2-valued structure that $S$ represents (the embedding theorem), means that one abstract semantics falls out automatically from the concrete semantics. One merely has to evaluate the predicate-update formulas of the concrete semantics on 3-valued structures.

Observation 12.4 (Reinterpretation Principle). Evaluation of the predicate-update formulas for a statement st in 2-valued logic captures the transfer function for st of the concrete semantics. Evaluation of the same formulas in 3-valued logic captures a sound transfer function for st of the abstract semantics.

If st is a statement, $[\![st]\!]_3$ denotes the transformation on 3-valued structures that is defined by evaluating in 3-valued logic the predicate-update formulas that represent the concrete semantics of st. Figure combines Figures and (see column 2 and row 1, respectively, of Figure 12.14). Column 4 of Figure illustrates how the predicate-update formulas that express the concrete semantics for y = y->n also express a transformation on 3-valued logical structures, that is, an abstract semantics, that is safe with respect to the concrete semantics (cf. $S_a^{\natural}$ to $S_b^{\natural}$ versus $S_a$ to $S_b$; see footnote 9). As we will see, this approach has a number of good properties:
- Because the number of elements in the 3-valued structures that we work with is bounded, the abstract-interpretation process always terminates.
- The embedding theorem implies that the results obtained are conservative.
- By defining appropriate instrumentation predicates, it is possible to emulate some previous shape-analysis algorithms (e.g., [8, 25, 30, 33]). (See footnote 10.)

Unfortunately, there is also bad news: the method described above and illustrated in Figure can be very imprecise.
For instance, the statement y = y->n illustrated in Figure sets y to the value of y->n; that is, it makes y point to the next element in the list. In the abstract semantics, the evaluation in structure $S_a$ of the predicate-update formula $y'(v) = \exists v_1 : y(v_1) \wedge n(v_1, v)$ causes $\iota^{S_b}(y)(u_{234})$ to be set to 1/2. When $\exists v_1 : y(v_1) \wedge n(v_1, v)$ is evaluated in $S_a$, we have $\iota^{S_a}(y)(u_1) \wedge \iota^{S_a}(n)(u_1, u_{234}) = 1 \wedge 1/2 = 1/2$.

9 The abstraction of $S_b^{\natural}$, as described in Section , is $S_c$. Figure illustrates that in the abstract semantics we also work with structures that are even further "blurred." We say that $S_c$ embeds into $S_b$; $u_1$ in $S_c$ maps to $u_1$ in $S_b$; $u_2$ and $u_{34}$ in $S_c$ both map to $u_{234}$ in $S_b$; the $n$ predicate of $S_b$ is the truth-blurring quotient of $n$ in $S_c$ under this mapping. Our notion of the 2-valued structures that a 3-valued structure represents is based on this more general notion of embedding [58]. Note that in Figure 12.13, $S_2$ can be embedded into $S_3$; thus, structure $S_3$ also represents the acyclic lists of length 2 that are pointed to by x.

10 The discussion above ignores the fact that for every statement and condition in the program, we also need to define how to update each instrumentation predicate $p$. That is, if $p$ is defined by $\varphi_p$, an update formula is needed for transformation $[\![st]\!]_3(S)$ to produce an appropriate set of values for predicate $p$. The simplest way is to reevaluate $\varphi_p$ on the core predicates produced by $[\![st]\!]_3(S)$. In practice, however, this approach does not work very well because information will be lost under abstraction. As observed elsewhere [58], when working in 3-valued logic, Observation 12.3 implies that it is usually possible to retain more precision by defining a special instrumentation-predicate maintenance formula, $\mu_{p,st}(v_1, \ldots, v_k)$, and evaluating $\mu_{p,st}(v_1, \ldots, v_k)$ in structure $S$.
In [37, 50] algorithms are given that create an alternative predicate-maintenance formula $\mu_{p,st}$ for $p \in I$ in terms of two finite-differencing operators, denoted by $\Delta^{-}_{st}[\cdot]$ and $\Delta^{+}_{st}[\cdot]$, which capture the negative and positive changes, respectively, that execution of statement st induces in an instrumentation predicate's value. The formula $\mu_{p,st}$ is created by combining $p$ with $\Delta^{-}_{st}[\varphi_p]$ and $\Delta^{+}_{st}[\varphi_p]$ as follows: $\mu_{p,st} = p \;?\; \neg\Delta^{-}_{st}[\varphi_p] : \Delta^{+}_{st}[\varphi_p]$.

FIGURE Commutative diagram that illustrates the relationships among (i) the transformation on 2-valued structures (defined by predicate-update formulas) that represents the concrete semantics for y = y->n, (ii) abstraction, and (iii) the transformation on 3-valued structures (defined by the same predicate-update formulas) that represents the simple abstract semantics for y = y->n obtained via the reinterpretation principle (Observation 12.4). (In this example, $\{x, y, t, e\}$-abstraction is used.)
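The following Python sketch is an added illustration, not code from the chapter or from the authors' tools. It builds a constructed 2-valued structure for a four-element list with x and y at the head, applies {x, y, t, e}-abstraction by truth-blurring embedding, and evaluates both the predicate-update formula for y = y->n and the cyclicity formula n+(v, v) under Kleene's semantics; the dictionary layout and the function names (make_list, blur, advance_y, on_cycle, embeds) are assumptions made for this example.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)           # Kleene's third value, "unknown"
UNARY = ("x", "y", "t", "e")    # unary core predicates used for insert


def join(values):
    """Least upper bound in the information order: disagreement becomes 1/2."""
    distinct = set(values)
    return distinct.pop() if len(distinct) == 1 else HALF


def make_list(length, pointed_by):
    """Constructed 2-valued structure for the acyclic list u1 -> u2 -> ... ."""
    U = [f"u{i}" for i in range(1, length + 1)]
    unary = {p: {u: int(u == pointed_by.get(p)) for u in U} for p in UNARY}
    n = {(a, b): int(U.index(b) == U.index(a) + 1) for a, b in product(U, U)}
    return {"U": U, "unary": unary, "n": n}


def blur(S, abstraction=UNARY):
    """Truth-blurring embedding of a 2-valued structure S.

    Individuals with the same vector of abstraction-predicate values are merged;
    each predicate value of a merged individual is the join of its members' values.
    Returns the 3-valued structure and the embedding function f.
    """
    groups = {}
    for u in S["U"]:
        key = tuple(S["unary"][p][u] for p in abstraction)
        groups.setdefault(key, []).append(u)
    # Name each class after its members, e.g. u2, u3, u4 -> "u234".
    groups = {"u" + "".join(m[1:] for m in ms): ms for ms in groups.values()}
    f = {m: a for a, ms in groups.items() for m in ms}
    U = list(groups)
    unary = {p: {a: join(vals[m] for m in groups[a]) for a in U}
             for p, vals in S["unary"].items()}
    unary["sm"] = {a: HALF if len(groups[a]) > 1 else 0 for a in U}
    n = {(a, b): join(S["n"][(m1, m2)] for m1 in groups[a] for m2 in groups[b])
         for a, b in product(U, U)}
    return {"U": U, "unary": unary, "n": n}, f


def advance_y(S):
    """y = y->n: y'(v) = exists v1 : y(v1) and n(v1, v).

    In Kleene's semantics 'and' is min and 'exists' is an indexed 'or' (max),
    so the same code is the concrete and the abstract transformer.
    """
    y, n = S["unary"]["y"], S["n"]
    new_y = {v: max(min(y[v1], n[(v1, v)]) for v1 in S["U"]) for v in S["U"]}
    return {"U": S["U"], "unary": dict(S["unary"], y=new_y), "n": n}


def on_cycle(S, v):
    """phi_cn(v) = n+(v, v); transitive closure as a max-min path closure."""
    tc = dict(S["n"])
    for k, a, b in product(S["U"], repeat=3):    # k is the outermost loop
        tc[(a, b)] = max(tc[(a, b)], min(tc[(a, k)], tc[(k, b)]))
    return tc[(v, v)]


def embeds(concrete, abstract, f):
    """Check that each concrete value is at least as definite as its image under f."""
    def leq(l1, l2):
        return l1 == l2 or l2 == HALF
    return (all(leq(concrete["unary"][p][u], abstract["unary"][p][f[u]])
                for p in UNARY for u in concrete["U"])
            and all(leq(concrete["n"][(a, b)], abstract["n"][(f[a], f[b])])
                    for a, b in product(concrete["U"], repeat=2)))


if __name__ == "__main__":
    S_a = make_list(4, {"x": "u1", "y": "u1"})   # concrete store before y = y->n
    A, f = blur(S_a)                             # its {x, y, t, e}-abstraction
    print("abstract n:", A["n"])
    print("abstract y after y = y->n:", advance_y(A)["unary"]["y"])
    print("blur of concrete result:", blur(advance_y(S_a))[0]["unary"]["y"])
    print("sound:", embeds(advance_y(S_a), advance_y(A), f))
    print("n+(u234, u234):", on_cycle(A, "u234"))
```

Evaluating the update formula on the abstract structure leaves y at 1/2 on u234, whereas blurring the concrete result yields a separate individual u2 that y definitely points to.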

Consequently, all we can surmise after the execution of y = y->n is that y may point to one of the heap cells that summary node $u_{234}$ represents (see $S_b$). In contrast, the truth-blurring embedding of $S_b^{\natural}$ is $S_c$; thus, column 4 and row 4 of Figure show that the abstract semantics obtained via Observation 12.4 can lead to a structure that is not as precise as what the abstract domain is capable of representing (cf. structures $S_c$ and $S_b$).

As mentioned in Example 12.8, the use of reachability information is very important for retaining precision during shape analysis. However, even this mechanism is not sufficiently powerful to fix the problem. The same problem still occurs even if we use $\{x, y, t, e, is, r_{x,n}, r_{y,n}, r_{t,n}, r_{e,n}\}$-abstraction with $\{c_n\}$. Figure shows the result of applying the abstract semantics of the statement $st_0$: y = y->n to structure $S_a$, one of the 3-valued structures that arises in the analysis of insert just before y is advanced down the list by statement $st_0$. Similar to what was illustrated in Figure 12.14, the resulting structure $S_b$ shown in Figure is not as precise as what the abstract domain is capable of representing. For instance, $S_b$ does not contain a node that is definitely pointed to by y.

FIGURE An application of the simplified abstract transformer for statement $st_0$: y = y->n in insert.

This imprecision leads to problems when a destructive update is performed. In particular, the first column in Table 12.3 shows what happens when the abstract transformers for the five statements that follow the search loop in insert are applied to $S_b$. Because $y(v)$ evaluates to 1/2 for the summary node, we eventually reach the situation shown in the fourth row of structures, in which $y$, $e$, $r_x$, $r_y$, $r_e$, $r_t$, and $is$ are all 1/2 for the summary node.
As a result, with the approach that has been described thus far, the abstract transformer for y->n = t sets the value of $c_n$ for the summary node to 1/2. Consequently, the analysis fails to determine that the structure returned by insert is an acyclic list. In contrast, the analysis that uses the techniques described in the remainder of this section is able to determine that at the end of insert the following properties always hold: (a) x points to an acyclic list that has no shared elements, (b) y points into the tail of the x-list, and (c) the value of e and y->n are equal.

It is worthwhile to note that the precision problem becomes even more acute for shape-analysis algorithms that, like [8], do not explicitly track reachability properties. The reason is that, without reachability, $S_b$ represents situations in which y points to an element that is not even part of the x-list.

Mechanisms for an Improved Abstract Semantics

The remainder of this section describes the main ideas behind two mechanisms that provide a more precise way of defining the abstract semantics of program statements. In particular, these mechanisms are able to materialize new nonsummary nodes from summary nodes as data structures are traversed. As we will see, these improvements allow us to determine more precise shape descriptors for the data structures that arise in the insert program.

In formulating an improved approach, our goal is to retain the property that the transformer for a program statement falls out automatically from the predicate-update formulas of the concrete semantics and the predicate-update formulas supplied for the instrumentation predicates. Thus, the main idea behind the improved approach is to decompose the transformer for st into a composition of several functions, as depicted in Figure and explained below, each of which falls out automatically from the predicate-update formulas of the concrete semantics and the predicate-update formulas supplied for the instrumentation predicates:
- The operation focus refines 3-valued structures so that the formulas that define the meaning of st evaluate to definite values. The focus operation thus brings these formulas "into focus."
- The simple abstract meaning function for statement st, $[\![st]\!]_3$, is then applied.
- The operation coerce converts a 3-valued structure into a more precise 3-valued structure by removing certain kinds of inconsistencies.

(The 10 structures referred to in Figure are depicted in Figure . Figure will be used to explain the improved mechanisms that are presented in Sections and .)

It is worth noting that both focus and coerce are semantic-reduction operations (a concept originally introduced in [12]). That is, they convert a set of 3-valued structures into a more precise set of 3-valued structures that describe the same set of stores. This property, together with the correctness of the structure transformer $[\![st]\!]_3$, guarantees that the overall multi-stage semantics is correct. In the context of a parametric framework for abstract interpretation, semantic reductions are valuable because they allow the transformers of the abstract semantics to be defined in the modular fashion shown in Figure .

TABLE 12.3 Selective applications of the abstract transformers using the one-stage and the multi-stage approaches, for the statements in insert that come after the search loop. (For brevity, $r_z$ is used in place of $r_{z,n}$ for all variables z, and node names are not shown.)

FIGURE One-stage vs. multi-stage abstract semantics for statement $st_0$: y = y->n.

The Focus Operation

The operation $focus_F$ generates a set of structures on which a given set of formulas $F$ have definite values for all assignments. (This operation will be denoted by focus when $F$ is clear from the context or when we are referring to a focus operation for $F$ in the generic sense.) The focus formulas used in shape analysis are determined from the left-hand side (as an L-value) and right-hand side (as an R-value) of each kind of statement in the programming language. These are illustrated in the following example.

FIGURE The first application of the improved transformer for statement $st_0$: y = y->n in insert.

Example For the statement $st_0$: y = y->n in procedure insert, we focus on the formula

$$\varphi_0(v) \stackrel{\mathrm{def}}{=} \exists v_1 : y(v_1) \wedge n(v_1, v) \tag{12.4}$$

25 Shape Aalysis ad Applicatios which correspods to the R-value of the right-had side of st 0 (the heap cell poited to by y->). The upper part of Figure illustrates the applicatio of focus {ϕ0 } (S a), where S a is the structure show i Figure that occurs i isert just before the first applicatio of statemet st 0 : y = y->. This results i three structures: S a, f,0, S a, f,1, ad S a, f,2 : I S a, f,0,[[ϕ 0 ]] S a, f,0 3 ([v u]) equals 0. This structure represets a situatio i which the cocrete list that x ad y poit to has oly oe elemet, but the store also cotais garbage cells, represeted by summary ode u. (As we will see later, this structure is icosistet because of the values of the r x, ad r y, istrumetatio predicates ad will be elimiated from cosideratio by coerce.) I S a, f,1,[[ϕ 0 ]] S a, f,1 3 ([v u]) equals 1. This covers the case where the list that x ad y poit to has exactly two elemets. For all of the cocrete cells that summary ode u represets, ϕ 0 must evaluate to 1, so u must represet just a sigle list ode. I S a, f,2,[[ϕ 0 ]] S a, f,2 3 ([v u.0]) equals 0 ad [[ϕ 0 ]] S a, f,2 3 ([v u.1]) equals 1. This covers the case where the list that x ad y poit to is a list of three or more elemets. For all of the cocrete cells that u.0 represets, ϕ 0 must evaluate to 0, ad for all of the cells that u.1 represets, ϕ 0 must evaluate to 1. This case captures the essece of ode materializatio as described i [57]: idividual u is bifurcated ito two idividuals. The structures show i Figure are costructed by focus {ϕ0 } (S a) by cosiderig the reasos why [[ϕ 0 ]] S a 3 (Z) evaluates to 1/2 for various assigmets Z. I some cases, [[ϕ 0 ]] S a 3 (Z) already has a defiite value; for istace, [[ϕ 0 ]] S a 3 ([v ]) equals 0, ad therefore ϕ 0 is already i focus at.icotrast, [[ϕ 0 ]] S a 3 ([v u]) equals 1/2. 
We can construct three (maximal) structures S from S_a in which [[ϕ_0]]_3^S([v u]) has a definite value:

S_{a,f,0}, in which ι^{S_{a,f,0}}(n)(, u) is set to 0, and thus [[ϕ_0]]_3^{S_{a,f,0}}([v u]) equals 0.

S_{a,f,1}, in which ι^{S_{a,f,1}}(n)(, u) is set to 1, and thus [[ϕ_0]]_3^{S_{a,f,1}}([v u]) equals 1.

S_{a,f,2}, in which u has been bifurcated into two different individuals, u.0 and u.1. In S_{a,f,2}, ι^{S_{a,f,2}}(n)(, u.0) is set to 0, and thus [[ϕ_0]]_3^{S_{a,f,2}}([v u.0]) equals 0, whereas ι^{S_{a,f,2}}(n)(, u.1) is set to 1, and thus [[ϕ_0]]_3^{S_{a,f,2}}([v u.1]) equals 1.

An algorithm for focus that is based on these ideas is given in [58]. The greater the number of formulas on which we focus, the greater the number of distinctions that the shape-analysis algorithm can make, leading to improved precision. However, using a larger number of focus formulas can increase the number of structures that arise, thereby increasing the cost of analysis. Our preliminary experience indicates that in shape analysis there is a simple way to define the formulas on which to focus that guarantees that the number of structures generated grows only by a constant factor. The main idea is that in a statement of the form lhs = rhs, we only focus on formulas that define the heap cells for the L-value of lhs and the R-value of rhs. Focusing on L-values and R-values ensures that the application of the abstract transformer does not set to 1/2 the entries of core predicates that correspond to pointer variables and fields that are updated by the statement. This approach extends naturally to program conditions and to statements that manipulate multiple L-values and R-values. For our simplified language and type List, the target formulas on which to focus can be defined as shown in Table . Let us examine a few of the cases from Table 12.4:

For the statement x = NULL, the set of target formulas is the empty set because neither the lhs L-value nor the rhs R-value is a heap cell.

For the statement x = t->n, the set of target formulas is the singleton set { v_1 : t(v_1) n(v_1, v)} because the lhs L-value cannot be a heap cell, and the rhs R-value is the cell pointed to by t->n.

For the statement x->n = t, the set of target formulas is the set {x(v), t(v)} because the lhs L-value is the heap cell pointed to by x, and the rhs R-value is the heap cell pointed to by t.

For the condition x == t, the set of target formulas is the set {x(v), t(v)}; the R-values of the two sides of the conditional expression are the heap cells pointed to by x and t.
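The focus step of Example 12.10, followed by the simple transformer for y = y->n, can be traced mechanically. The Python sketch below is an added illustration, not code from the chapter or from [58]: it keeps only the core predicates x, y, n, and sm of S_a (instrumentation predicates are omitted, so no structure is discarded), specialises focus to ϕ_0, and assumes that y is definite and points only to nonsummary nodes; the dictionary layout and all function names are assumptions of the example.

```python
from copy import deepcopy

HALF = 0.5  # Kleene's indefinite value; 0 and 1 are the definite values

def make_sa():
    """Constructed S_a: u1 is the head cell (pointed to by x and y) and u is a
    summary node for the rest of the list. Core predicates only."""
    return {
        "U": ["u1", "u"],
        "sm": {"u1": 0, "u": HALF},
        "x": {"u1": 1, "u": 0},
        "y": {"u1": 1, "u": 0},
        "n": {("u1", "u1"): 0, ("u1", "u"): HALF,
              ("u", "u1"): 0, ("u", "u"): HALF},
    }

def phi0(s, v):
    """Kleene value of 'some cell pointed to by y has an n-edge to v'
    (existential quantifier = max, conjunction = min)."""
    return max(min(s["y"][v1], s["n"][(v1, v)]) for v1 in s["U"])

def bifurcate(s, u):
    """Split summary node u into u.0 and u.1, copying every predicate value."""
    def parts(w):
        return [u + ".0", u + ".1"] if w == u else [w]
    t = {"U": [w2 for w in s["U"] for w2 in parts(w)], "n": {}}
    for p in ("sm", "x", "y"):
        t[p] = {w2: s[p][w] for w in s["U"] for w2 in parts(w)}
    for (a, b), val in s["n"].items():
        for a2 in parts(a):
            for b2 in parts(b):
                t["n"][(a2, b2)] = val
    return t

def focus(s):
    """Structures refined from s on which phi0 is definite for every individual."""
    work, done = [s], []
    while work:
        cur = work.pop()
        v = next((w for w in cur["U"] if phi0(cur, w) == HALF), None)
        if v is None:
            done.append(cur)
            continue
        # The indefinite n-edge out of y's target that makes phi0(v) indefinite.
        v1 = next(w for w in cur["U"]
                  if cur["y"][w] == 1 and cur["n"][(w, v)] == HALF)
        for val in (0, 1):                  # edge absent / edge present
            t = deepcopy(cur)
            t["n"][(v1, v)] = val
            work.append(t)
        if cur["sm"][v] == HALF:            # some represented cells yes, some no
            t = bifurcate(cur, v)
            t["n"][(v1, v + ".0")] = 0
            t["n"][(v1, v + ".1")] = 1
            work.append(t)
    return done

def assign_y_next(s):
    """Simple abstract transformer for y = y->n: y'(v) = phi0(v)."""
    t = deepcopy(s)
    t["y"] = {v: phi0(s, v) for v in s["U"]}
    return t

def one_stage(s):
    """Apply the transformer directly to the unfocused structure."""
    return [assign_y_next(s)]

def focus_then_assign(s):
    """Focus first, then apply the transformer to each focused structure."""
    return [assign_y_next(t) for t in focus(s)]

if __name__ == "__main__":
    print("one-stage  :", [o["y"] for o in one_stage(make_sa())])
    print("multi-stage:", [o["y"] for o in focus_then_assign(make_sa())])
```

In the one-stage result y points to the summary node with value 1/2; after focus every y entry is definite, and in the three-node structure y points to the materialized node u.1.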

TABLE 12.4 The target formulas for focus, for statements and conditions of a program that uses type List

st                        Focus Formulae
x = NULL
x = t                     {t(v)}
x = t->n                  { v_1 : t(v_1) n(v_1, v)}
x->n = t                  {x(v), t(v)}
x = malloc()
x == NULL                 {x(v)}
x != NULL                 {x(v)}
x == t                    {x(v), t(v)}
x != t                    {x(v), t(v)}
UninterpretedCondition

The Coerce Operation

The operation coerce converts a 3-valued structure into a more precise 3-valued structure by removing certain kinds of inconsistencies. The need for coerce can be motivated by the following example:

Example After focus, the simple transformer [[st]]_3 is applied to each of the structures produced. For instance, in Example 12.10, [[st_0]]_3 is applied to structures S_{a,f,0}, S_{a,f,1}, and S_{a,f,2} to obtain structures S_{a,o,0}, S_{a,o,1}, and S_{a,o,2}, respectively (see Figure 12.17). However, this process can produce structures that are not as precise as we would like. The intuitive reason for this state of affairs is that there can be interdependences between different properties stored in a structure, and these interdependences are not necessarily incorporated in the definitions of the predicate-update formulas. In particular, consider structure S_{a,o,2}. In this structure, the n-field of u.0 can point to u.1, which suggests that y may be pointing to a heap-shared cell. However, this is incompatible with the fact that ι(is)(u.1) = 0 (i.e., u.1 cannot represent a heap-shared cell) and the fact that ι(n)(, u.1) = 1 (i.e., it is known that u.1 definitely has an incoming n-edge from a cell other than u.0). Also, the structure S_{a,o,0} describes an impossible situation: ι(r_{y,n})(u) = 1 and yet u is not reachable or even potentially reachable from a heap cell that is pointed to by y.

The coerce mechanism is a systematic method that captures interdependences among the properties stored in 3-valued structures; coerce removes indefinite values that violate certain consistency rules, thereby sharpening the structures that arise during shape analysis. This remedies the imprecision illustrated in Example . In particular, when the sharpening process is applied to structure S_{a,o,2} from Figure 12.17, the structure that results is S_{b,2}. In this case, the sharpening process discovers that (a) two of the n-edges with value 1/2 can be removed from S_{a,o,2} and (b) individual u.1 can only ever represent a single individual in each of the structures that S_{a,o,2} represents, and hence u.1 should not be labeled as a summary node. These facts are not something that the mechanisms that have been described in earlier sections are capable of discovering. Also, the structure S_{a,o,0} is discarded by the sharpening process.

The sharpening mechanism that coerce provides is crucial to the success of the improved shape-analysis framework because it allows a more accurate job of materialization to be performed than would otherwise be possible. For instance, note how the sharpened structure, S_{b,2}, clearly represents an unshared list of length 3 or more that is pointed to by x and whose second element is pointed to by y. In fact, in the domain of {x, y, t, e, is, r_{x,n}, r_{y,n}, r_{t,n}, r_{e,n}}-abstraction with {c_n}, S_{b,2} is the most precise representation possible for the family of unshared lists of length 3 or more that are pointed to by x and whose second element is pointed to by y. Without the sharpening mechanism, instantiations of the framework would rarely be able to determine such things as "The data structure being manipulated by a certain list-manipulation program is actually a list."

The coerce operation is based on the observation that 3-valued structures obey certain consistency rules that are a consequence of truth-blurring embedding. These consistency rules can be formalized as a system of compatibility constraints. Moreover, the constraint system can be obtained automatically from formulas that express certain global invariants on concrete stores.

Example Consider a 2-valued structure S that can be embedded in a 3-valued structure S, and suppose that the formula ϕ_is for inferring whether an individual u is shared evaluates to 1 in S (i.e., [[ϕ_is(v)]]_3^S([v u]) = 1). By the embedding theorem, ι^S(is)(u ) must be 1 for any individual u U^S that the embedding function maps to u. Now consider a structure S that is equal to S except that ι^S(is)(u) is 1/2. S can also be embedded in S. However, the embedding of S in S is a better embedding, one that preserves more definite values. This has operational significance: it is needlessly imprecise to work with structure S in which ι^S(is)(u) has the value 1/2; instead, we should discard S and work with S. In general, the stored predicate is should be at least as precise as its inferred value; consequently, if it happens that ϕ_is evaluates to a definite value (1 or 0) in a 3-valued structure, we can sharpen the stored predicate is. Similar reasoning allows us to determine, in some cases, that a structure is inconsistent. In S_{a,o,0}, for instance, ϕ_{r_{y,n}}(u) = 0, whereas the value stored in S for r_{y,n}, namely ι^{S_{a,o,0}}(r_{y,n})(u), is 1; consequently, S_{a,o,0} is a 3-valued structure that does not represent any concrete structures at all. Structure S_{a,o,0} can therefore be eliminated from further consideration by the shape-analysis algorithm. This reasoning applies to all instrumentation predicates, not just is and r_{y,n}, and to both of the definite values, 0 and 1.
The reasoning used in Example can be summarized as the following principle:

Observation 12.5 (The Sharpening Principle). In any structure S, the value stored for ι^S(p)(,..., u_k) should be at least as precise as the value of p's defining formula, ϕ_p, evaluated at ,..., u_k (i.e., [[ϕ_p]]_3^S([v_1 ,..., v_k u_k])). Furthermore, if ι^S(p)(,..., u_k) has a definite value and ϕ_p evaluates to an incomparable definite value, then S is a 3-valued structure that does not represent any concrete structures at all.

This observation can be formalized in terms of compatibility constraints, defined as follows:

Definition 12.2 A compatibility constraint is a term of the form ϕ_1 ϕ_2, where ϕ_1 is an arbitrary 3-valued formula, and ϕ_2 is either an atomic formula or the negation of an atomic formula over distinct logical variables. We say that a 3-valued structure S and an assignment Z satisfy ϕ_1 ϕ_2 if, whenever Z is an assignment such that [[ϕ_1]]_3^S(Z) = 1, we also have [[ϕ_2]]_3^S(Z) = 1. (If [[ϕ_1]]_3^S(Z) equals 0 or 1/2, S and Z satisfy ϕ_1 ϕ_2, regardless of the value of [[ϕ_2]]_3^S(Z).)

The compatibility constraint that captures the reasoning used in Example is ϕ_is(v) is(v). That is, when ϕ_is evaluates to 1 at u, then is must evaluate to 1 at u to satisfy the constraint. The compatibility constraint used to capture the similar case of sharpening ι(is)(u) from 1/2 to 0 is ϕ_is(v) is(v). Compatibility constraints can be generated automatically from formulas that express certain global invariants on concrete stores. We call such formulas compatibility formulas. There are two sources of compatibility formulas:

The formulas that define the instrumentation predicates

Additional formulas that formalize the properties of stores that are compatible with the semantics of C (i.e., with our encoding of C stores as 2-valued logical structures)

The following definition supplies a way to convert formulas into compatibility constraints:

Definition 12.3 Let ϕ be a closed formula and a be an atomic formula such that (a) a contains no repetitions of logical variables, and (b) a sm(v). Then the compatibility constraint generated from ϕ is defined as follows:

ϕ_1 a if ϕ v_1,...v_k : (ϕ_1 a) (12.5)
ϕ_1 a if ϕ v_1,...v_k : (ϕ_1 a) (12.6)

The intuition behind Equations 12.5 and 12.6 is that for an atomic predicate, a truth-blurring embedding is forced to yield 1/2 only in cases in which a evaluates to 1 on one tuple of values for v_1,..., v_k but evaluates to 0 on a different tuple of values. In this case, the left-hand side will evaluate to 1/2 as well.

Our first source of compatibility formulas is the set of formulas that define the instrumentation predicates. For every instrumentation predicate p I defined by a formula ϕ_p(v_1,..., v_k), we generate a compatibility formula of the following form:

v_1,..., v_k : ϕ_p(v_1,..., v_k) p(v_1,..., v_k) (12.7)

So that we can apply Definition 12.3, this is then broken into two implications:

v_1,..., v_k : ϕ_p(v_1,..., v_k) p(v_1,..., v_k) (12.8)
v_1,..., v_k : ϕ_p(v_1,..., v_k) p(v_1,..., v_k) (12.9)

For instance, for each program variable x, we have the defining formula of instrumentation predicate r_{x,n}:

ϕ_{r_{x,n}}(v) def= x(v) v_1 : x(v_1) n+(v_1, v) (12.10)

and thus

v : x(v) v_1 : x(v_1) n+(v_1, v) r_{x,n}(v) (12.11)

which is then broken into

v : x(v) v_1 : x(v_1) n+(v_1, v) r_{x,n}(v) (12.12)
v : (x(v) v_1 : x(v_1) n+(v_1, v)) r_{x,n}(v) (12.13)

We then use Definition 12.3 to generate the following compatibility constraints:

x(v) v_1 : x(v_1) n+(v_1, v) r_{x,n}(v) (12.14)
(x(v) v_1 : x(v_1) n+(v_1, v)) r_{x,n}(v) (12.15)

The constraint-generation rules defined in Definition 12.3 generate interesting constraints only for certain specific syntactic forms, namely implications with exactly one (possibly negated) predicate symbol on the right-hand side. Thus, when we generate compatibility constraints from formulas written as implications (such as Equations and and those in Table 12.5), the set of constraints generated depends on the form in which the compatibility formulas are written. However, not all of the many equivalent forms possible for a given compatibility formula lead to useful constraints. For instance, when Definition 12.3 is applied to the formula v_1,...v_k : (ϕ_1 a), it generates the constraint ϕ_1 a; however, Definition 12.3 does not generate a constraint for the equivalent formula v_1,...v_k : ( ϕ_1 a). This phenomenon can prevent an instantiation of the shape-analysis framework from having a suitable compatibility constraint at its disposal that would otherwise allow it to sharpen or discard a structure that arises during the analysis and hence can lead to a shape-analysis algorithm that is more conservative than we would like.

TABLE 12.5 The formulas listed above the line are compatibility formulas for structures that represent a store of a C program that operates on values of the type List defined in Figure 12.1(a). The corresponding compatibility constraints are listed below the line.

v : sm(v) (12.22)
for each x PVar, v_1, v_2 : x(v_1) x(v_2) v_1 = v_2 (12.23)
v_1, v_2 : ( v_3 : n(v_3, v_1) n(v_3, v_2)) v_1 = v_2 (12.24)
----------------------------------------
( v : sm(v)) 0 (12.25)
for each x PVar, x(v_1) x(v_2) v_1 = v_2 (12.26)
( v_3 : n(v_3, v_1) n(v_3, v_2)) v_1 = v_2 (12.27)

The way around this difficulty is to augment the constraint-generation process to generate constraints for some of the logical consequences of each compatibility formula:

Example The defining formula for instrumentation predicate is is

ϕ_is(v) def= v_1, v_2 : n(v_1, v) n(v_2, v) v_1 v_2 (12.16)

We obtain the following formula from Equation 12.16:

v : ( v_1, v_2 : n(v_1, v) n(v_2, v) v_1 v_2) is(v) (12.17)

which is broken into the two formulas

v : ( v_1, v_2 : n(v_1, v) n(v_2, v) v_1 v_2) is(v) (12.18)
v : ( v_1, v_2 : n(v_1, v) n(v_2, v) v_1 v_2) is(v) (12.19)

By rewriting the implication in Equation as a disjunction and then applying De Morgan's laws, we have

v, v_1, v_2 : n(v_1, v) n(v_2, v) v_1 = v_2 is(v) (12.20)

One of the logical consequences of Equation is

v, v_2 : ( v_1 : n(v_1, v) v_1 v_2 is(v)) n(v_2, v) (12.21)

from which we obtain the following compatibility constraint:

( v_1 : n(v_1, v) v_1 v_2 is(v)) n(v_2, v) (12.22)

(In addition to Equation 12.22, we obtain a number of other compatibility constraints from other logical consequences of Equation [58].) As we will see shortly, Equation allows a more accurate job of materialization to be performed than would otherwise be possible: When is(u) is 0 and one incoming n-edge to u is 1, to satisfy Equation a second incoming n-edge to u cannot have the value 1/2. It must have the value 0; that is, the latter edge cannot exist (cf. Examples and 12.15). This allows edges to be removed (safely) that a more naive materialization process would retain (cf. structures S_{a,o,2} and S_{b,2} in Figure 12.17), and permits the improved shape-analysis algorithm to generate more precise structures for insert than the ones generated by the simple shape-analysis algorithm sketched at the beginning of Section .
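The sharpening that the constraints derived from is license can be run as a small constraint-satisfaction loop. The Python sketch below is an added illustration, not the coerce algorithm of [58]: it encodes the two constraints generated from the defining formula of is and the in-edge constraint of Equation 12.22, and applies them to a constructed copy of S_{a,o,2} restricted to the predicates n, is, and sm. The structure layout and all names are assumptions of the example.

```python
from copy import deepcopy
from itertools import product

HALF = 0.5  # Kleene's indefinite value; 0 and 1 are the definite values

def structure(universe, edges, summary=(), shared=None):
    """Build a 3-valued structure over sm, is and n; unlisted entries are 0."""
    shared = shared or {}
    return {
        "U": list(universe),
        "sm": {u: HALF if u in summary else 0 for u in universe},
        "is": {u: shared.get(u, 0) for u in universe},
        "n": {(a, b): edges.get((a, b), 0) for a in universe for b in universe},
    }

def neq(s, a, b):
    """Kleene value of a != b; a summary node may stand for several cells."""
    if a != b:
        return 1
    return HALF if s["sm"][a] == HALF else 0

def phi_is(s, v):
    """Defining formula of is: two distinct cells both have an n-edge to v."""
    return max(min(s["n"][(v1, v)], s["n"][(v2, v)], neq(s, v1, v2))
               for v1 in s["U"] for v2 in s["U"])

def other_in_edge(s, v, v2):
    """Left side of the in-edge constraint: v is unshared and has a definite
    n-edge from a cell that is definitely different from v2."""
    return max(min(s["n"][(v1, v)], neq(s, v1, v2), 1 - s["is"][v])
               for v1 in s["U"])

# (arity, left-hand side, stored entry that is constrained, value it must have)
CONSTRAINTS = [
    (1, phi_is, lambda v: ("is", v), 1),                         # phi_is forces is
    (1, lambda s, v: 1 - phi_is(s, v), lambda v: ("is", v), 0),  # and its negation
    (2, other_in_edge, lambda v, v2: ("n", (v2, v)), 0),         # no second in-edge
]

def coerce(s, constraints=CONSTRAINTS):
    """Sharpen indefinite entries until every constraint holds; return None when
    a violation involves a definite entry and is therefore irreparable."""
    s = deepcopy(s)
    changed = True
    while changed:
        changed = False
        for arity, lhs, target, wanted in constraints:
            for args in product(s["U"], repeat=arity):
                if lhs(s, *args) != 1:
                    continue                  # constraint holds for this assignment
                pred, key = target(*args)
                if s[pred][key] == HALF:
                    s[pred][key] = wanted     # repairable: sharpen the entry
                    changed = True
                elif s[pred][key] != wanted:
                    return None               # irreparable: discard the structure
    return s

def make_sao2():
    """Constructed S_{a,o,2}: the edge u1 -> u.1 is definite, all four edges
    among the summary nodes u.0 and u.1 are indefinite, and is is 0 everywhere."""
    return structure(
        ["u1", "u.0", "u.1"],
        {("u1", "u.1"): 1, ("u.0", "u.0"): HALF, ("u.0", "u.1"): HALF,
         ("u.1", "u.0"): HALF, ("u.1", "u.1"): HALF},
        summary=("u.0", "u.1"))

if __name__ == "__main__":
    out = coerce(make_sao2())
    print(sorted(e for e, val in out["n"].items() if val))
```

Two of the four indefinite edges are removed (u.0 to u.1 and the self-loop on u.1). Turning u.1 into a nonsummary node needs the hygiene constraints on pointer variables, which this sketch does not encode.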

Compatibility Constraints from Hygiene Conditions

Our second source of compatibility formulas stems from the fact that not all structures S STRUCT[P] represent stores that are compatible with the semantics of C. For example, stores have the property that each pointer variable points to at most one element in heap-allocated storage.

Example The set of formulas listed above the line in Table 12.5 is a set of compatibility formulas that must be satisfied for a structure to represent a store of a C program that operates on values of the type List defined in Figure 12.1a. Equation captures the condition that concrete stores never contain any summary nodes. Equation captures the fact that every program variable points to at most one list element. Equation captures a similar property of the n-fields of List structures: whenever the n-field of a list element is non-null, it points to at most one list element. The corresponding compatibility constraints generated according to Definition 12.3 are listed below the line.

An Example of Coerce in Action

We are now ready to show how the coerce operation uses these compatibility constraints to either sharpen or discard a 3-valued logical structure. The coerce operation is a constraint-satisfaction procedure that repeatedly searches a structure S for assignments Z that fail to satisfy ϕ_1 ϕ_2 (i.e., [[ϕ_1]]_3^S(Z) = 1 but [[ϕ_2]]_3^S(Z) 1). This is used to improve the precision of shape analysis by (a) sharpening the values of predicates stored in S when the constraint violation is repairable, and (b) eliminating S from further consideration when the constraint violation is irreparable. (An algorithm for this process is given in [58].)

Example The application of coerce to the structures S_{a,o,0}, S_{a,o,1}, and S_{a,o,2} yields S_{b,1} and S_{b,2}, as shown in the bottom block of Figure 12.17:

The structure S_{a,o,0} is discarded because the violation of Equation is irreparable.

The structure S_{b,1} was obtained from S_{a,o,1} by removing incompatibilities as follows:

  Consider the assignment [v u, v_1 , v_2 u]. Because ι(n)(, u) = 1, u, and ι(is)(u) = 0, Equation implies that ι(n)(u, u) must equal 0. Thus, in S_{b,1} the (indefinite) n-edge from u to u has been removed.

  Consider the assignment [v_1 u, v_2 u]. Because ι(y)(u) = 1, Equation implies that [[v_1 = v_2]]_3^{S_{b,1}}([v_1 u, v_2 u]) must equal 1, which in turn means that ι^{S_{b,1}}(sm)(u) must equal 0. Thus, in S_{b,1} u is no longer a summary node.

The structure S_{b,2} was obtained from S_{a,o,2} by removing incompatibilities as follows:

  Consider the assignment [v u.1, v_1 , v_2 u.0]. Because ι(n)(, u.1) = 1, u.0, and ι(is)(u.1) = 0, Equation implies that ι^{S_{b,2}}(n)(u.0, u.1) must equal 0. Thus, in S_{b,2} the (indefinite) n-edge from u.0 to u.1 has been removed.

  Consider the assignment [v u.1, v_1 , v_2 u.1]. Because ι(n)(, u.1) = 1, u.1, and ι(is)(u.1) = 0, Equation implies that ι^{S_{b,2}}(n)(u.1, u.1) must equal 0. Thus, in S_{b,2} the (indefinite) n-edge from u.1 to u.1 has been removed.

  Consider the assignment [v_1 u.1, v_2 u.1]. Because ι(y)(u.1) = 1, Equation implies that [[v_1 = v_2]]_3^{S_{b,2}}([v_1 u.1, v_2 u.1]) must equal 1, which in turn means that ι^{S_{b,2}}(sm)(u.1) must equal 0. Thus, in S_{b,2} u.1 is no longer a summary node.

Important differences between the structures S_{b,1} and S_{b,2} result from applying the multi-stage abstract transformer for statement st_0: y = y->n, compared with the structure S_b that results from applying the one-stage abstract transformer (see Figure 12.15). For instance, y points to a summary node in S_b, whereas y does not point to a summary node in either S_{b,1} or S_{b,2}; as noted earlier, in the domain of {x, y, t, e, is, r_{x,n}, r_{y,n}, r_{t,n}, r_{e,n}}-abstraction with {c_n}, S_{b,2} is the most precise representation possible for the family of unshared lists of length 3 or more that are pointed to by x and whose second element is pointed to by y.

TABLE 12.6 The structures that occur before and after successive applications of the multi-stage abstract transformer for the statement y = y->n during the abstract interpretation of insert. (For brevity, node names are shown.)

Example Table 12.6 shows the 3-valued structures that occur before and after applications of the abstract transformer for the statement y = y->n during the abstract interpretation of insert. The material in Table 12.3 that appears under the heading Multi-Stage shows the application of the abstract transformers for the five statements that follow the search loop in insert to S_{b,1} and S_{b,2}. For space reasons, we do not show the abstract execution of these statements on the other structures shown in Table 12.6; however, the analysis is able to determine that at the end of insert the following properties always hold: (a) x points to an acyclic list that has no shared elements, (b) y points into the tail of the x list, and (c) the value of e and y->n are equal. The identification of the latter condition is rather remarkable: the analysis is capable of showing that e and y->n are must-aliases at the end of insert (see also Section ).

Applications

The algorithm sketched in Section 12.4 produces a set of 3-valued structures for each program point pt. This set provides a conservative representation, that is, it describes a superset of the set of concrete stores that can possibly occur in any execution of the program that ends at pt. Therefore, questions about the stores at pt can be answered (conservatively) by posing queries against the set of 3-valued structures that the shape-analysis algorithm associates with pt. The answers to these questions can be utilized in an optimizing compiler, as explained in Section . Furthermore, the fact that the shape-analysis framework is based on logic allows queries to be specified in a uniform way using logical formulas. In this section, we discuss several kinds of questions. Section discusses how instantiations of the parametric shape-analysis framework that have been described in previous sections can be applied to the problem of identifying may- and must-aliases. Section shows that the shape-analysis framework can be instantiated to produce flow-dependence information for programs that manipulate linked data structures. Finally, Section sketches some other applications for the results of shape analysis.

Identifying May- and Must-Aliases

We say that two pointer access paths, e_1 and e_2, are may-aliases at a program point pt if there exists an execution sequence ending at pt that produces a store in which both e_1 and e_2 point to the same heap cell.
We say that e_1 and e_2 are must-aliases at pt if, for every execution sequence ending at pt, e_1 and e_2 point to the same heap cell.11 Consider the access paths e_1 x->f_1-> ->f_n and e_2 x->g_1-> ->g_m. To extract aliasing information, we use the formula

al[e_1, e_2] def= v_0,..., v_n, w_0,..., w_m : x(v_0) f_1(v_0, v_1) f_n(v_{n-1}, v_n) y(w_0) g_1(w_0, w_1) g_m(w_{m-1}, w_m) v_n = w_m (12.23)

If Equation evaluates to 0 in every 3-valued structure that the shape-analysis algorithm associates with program point pt, we know that e_1 and e_2 are not may-aliases at pt. Similarly, when al[e_1, e_2] evaluates to 1 in every such structure, we know that e_1 and e_2 are must-aliases at pt. In all other cases, e_1 and e_2 are considered may-aliases. Note that in some cases, al[e_1, e_2] may evaluate to 1/2, in which case e_1 and e_2 are considered may-aliases; this is a conservative result. The answer can sometimes be improved by first applying focus with Equation . This will produce a set of structures in which al[e_1, e_2] does not evaluate to an indefinite value. Finally, one can run coerce on the 3-valued structures produced by focus to eliminate infeasible 3-valued structures.

11 Variants of these definitions can be defined that account for the case when e_1 or e_2 has the value NULL.

Example Consider the 3-valued structure at the bottom right corner of Table . The formula al[y->n->n, e] evaluates to 1 in this structure and in all of the other structures arising after y->n = t; thus, y->n->n and e are must-aliases at this point. Also, al[e->n, y->n] evaluates to 0 in this structure and in all of the other structures; thus, e->n and y->n are not may-aliases. However, the formula al[e->n->n, e->n] evaluates to 1/2 in this structure. If we focus on the al[e->n->n, e->n] formula, we obtain several structures; in one of them, e->n points to a nonsummary node that has a definite n-edge to itself. This structure is eliminated by coerce. In all of the remaining structures, the formula al[e->n->n, e->n] evaluates to 0, which shows that e->n->n and e->n are not may-aliases.

Constructing Program Dependences

This section shows how to use information obtained from shape analysis to construct program dependence graphs [19, 31, 46]. To see why the problem of computing flow dependences is nontrivial, consider the example program fragments shown in Figure .

(a)
    int y; List p, q;
    q = (List) malloc();
    p = q;
    l_1:   p->data = 5;
    l_1.5:
    l_2:   y = q->data;

(b)
    int y; List p, q, t;
    q = (List) malloc();
    p = q; t = p;
    l_1:   p->data = 5;
    l_1.5: t->data = 7;
    l_2:   y = q->data;

(c)
    int y; List p, q;
    q = (List) malloc();
    p = q;
    l_1:   p->data = 5;
    l_1.5: p = (List) malloc();
    l_2:   y = q->data;

FIGURE A motivating example to demonstrate the differences between may-aliases and flow dependences.

A formal definition of flow dependence is given in Definition 12.4; for the purposes of this discussion, a statement l_b depends on l_a if the value written to a resource in l_a is directly used at l_b, that is, without intervening writes to this resource. A naive (and unsafe) criterion that one might use to identify flow dependences in Figure 12.18a would be to say that l_2 depends on l_1 if p and q can refer to the same location at l_2 (i.e., if p and q are may-aliases at l_2). In Figure 12.18a, this would correctly identify the flow dependence from l_1 to l_2. The naive criterion sometimes identifies more flow dependences than we might like. In Figure 12.18b it would say there is a flow dependence from l_1 to l_2, even though l_1.5 overwrites the location that p points to.
The naive criterion is unsafe because it may miss dependences. In Figure 12.18c, there is a flow dependence from l_1 to l_2; this would be missed because statement l_1.5 overwrites p, and thus p and q are never may-aliases at l_2. One safe way to identify dependences in a program that uses heap-allocated storage is to introduce an abstract variable for each allocation site, use the results of a flow-insensitive points-to analysis [1, 18, 23, 61, 62] to determine a safe approximation of the variables that are possibly defined and possibly used at each program point, and then use a traditional algorithm for reaching definitions (where each allocation site is treated as a use of its associated variable). In this section, we utilize the parametric shape-analysis framework to define an alternative, and much more precise, algorithm. This algorithm is based on an idea developed by Horwitz et al. [25].12 They introduced an augmented semantics for the programming language; in addition to all of the normal aspects of the language's semantics, the augmented semantics also records information about the history of resource usage, in this case last-write information for each location in the store. As we will see, it is natural to record this extra information using additional core predicates. As discussed in more detail below, this instantiation of the shape-analysis framework creates an algorithm from which conservative dependence information can then be extracted. The resulting algorithm is the most precise algorithm known for identifying the data dependences of programs that manipulate heap-allocated storage. In addition, it does not need the artificial concept of introducing an abstract variable for each allocation site. For example, Figure shows a program that builds a list by destructively appending elements to tail, together with a graph that shows the flow dependences that the algorithm identifies. The rest of this subsection is organized as follows: Dependences are discussed in Section . Predicates for recording history information are introduced in Section , which also illustrates the results obtained via this dependence-analysis method.

12 An alternative approach would have been to use the Ross-Sagiv construction [56], which reduces the problem of computing program dependences to the problem of computing may-aliases, and then to apply the method of Section . The method presented in this section is a more direct construction for identifying program dependences and thereby provides a better demonstration of the utility of the parametric shape-analysis framework for this problem.

    void Append() {
        List head, tail, temp;
        l_1:  head = (List) malloc();
        l_2:  scanf("%c", &head->data);
        l_3:  head->n = NULL;
        l_4:  tail = head;
        l_5:  if (tail->data == 'x') goto l_12;
        l_6:  temp = (List) malloc();
        l_7:  scanf("%c", &temp->data);
        l_8:  temp->n = NULL;
        l_9:  tail->n = temp;
        l_10: tail = tail->n;
        l_11: goto l_5;
        l_12: printf("%c", head->data);
        l_13: printf("%c", tail->data);
    }

FIGURE A program that builds a list by appending elements to tail, and its flow-dependence graph. (The graph, whose nodes are the labels l_1 through l_13, is not reproduced.)

Program Dependences

Program dependences can be grouped into flow dependences (def-use), output dependences (def-def), and anti-dependences (use-def) [19, 31]. In this section, we focus on flow dependences between program statements. Other types can be handled in a similar fashion.
We allow programs to explicitly modify the store via assignments through pointers. Because of this, we phrase the definition of flow dependence in terms of memory locations rather than program variables [25].

Definition 12.4 (Flow Dependence). Consider labeled statements l_i: st_i and l_j: st_j. We say that l_i has a flow dependence on l_j if there is an execution path along which st_j writes into a memory location, loc, that st_i reads, and there is no intervening write into loc.

Example In the program fragment shown in Figure 12.18b, statement l_2 does not depend on l_1 because statement l_2 reads from a location that is last written at statement l_1.5. In Figure 12.18c, l_1.5 does not interrupt the dependence between l_2 and l_1 because it does not write into a location that is read by l_2.
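The difference between the naive may-alias criterion and last-write tracking can be checked on the three fragments of Figure 12.18. The Python sketch below is an added illustration, not code from the chapter: it executes each fragment concretely on its single path, records the last writer of every variable and of every data field, and collects for each statement the writers of the locations it reads, as Definition 12.4 requires. The labels s1 to s3 for the unlabelled setup statements and the tuple encoding of statements are assumptions of the example.

```python
def run(program):
    """Execute a straight-line program under a last-write-recording semantics.
    Returns (deps, before): deps[label] is the set of labels whose writes the
    statement reads; before[label] is the pointer environment just before it."""
    ptr, ints, data = {}, {}, {}      # pointer vars, int vars, data field per cell
    lst_w_v, lst_w_f = {}, {}         # last writer of each variable / data field
    deps, before, cells = {}, {}, 0
    for label, op, dst, *src in program:
        before[label] = dict(ptr)
        read = set()
        if op == "malloc":            # dst = malloc(): reads no location
            cells += 1
            ptr[dst] = cells
            lst_w_v[dst] = label
        elif op == "copy":            # dst = src: reads variable src
            read.add(lst_w_v[src[0]])
            ptr[dst] = ptr[src[0]]
            lst_w_v[dst] = label
        elif op == "store":           # dst->data = c: reads variable dst
            read.add(lst_w_v[dst])
            data[ptr[dst]] = src[0]
            lst_w_f[ptr[dst]] = label
        elif op == "load":            # dst = src->data: reads src and the field
            cell = ptr[src[0]]
            read.update({lst_w_v[src[0]], lst_w_f[cell]})
            ints[dst] = data[cell]
            lst_w_v[dst] = label
        else:
            raise ValueError("unknown statement kind: " + op)
        deps[label] = read
    return deps, before

def compare(program, writer="l1", reader="l2", wptr="p", rptr="q"):
    """Return (naive verdict, last-write verdict) for a dependence from writer
    to reader. The naive verdict only asks whether wptr and rptr alias at reader."""
    deps, before = run(program)
    env = before[reader]
    return env[wptr] == env[rptr], writer in deps[reader]

# The three fragments of Figure 12.18; s1, s2, s3 are constructed labels.
SETUP = [("s1", "malloc", "q"), ("s2", "copy", "p", "q")]
FIG_A = SETUP + [("l1", "store", "p", 5), ("l2", "load", "y", "q")]
FIG_B = SETUP + [("s3", "copy", "t", "p"), ("l1", "store", "p", 5),
                 ("l1.5", "store", "t", 7), ("l2", "load", "y", "q")]
FIG_C = SETUP + [("l1", "store", "p", 5), ("l1.5", "malloc", "p"),
                 ("l2", "load", "y", "q")]

if __name__ == "__main__":
    for name, prog in (("a", FIG_A), ("b", FIG_B), ("c", FIG_C)):
        naive, precise = compare(prog)
        print(name, "naive:", naive, "last-write:", precise,
              "l2 reads writes of", sorted(run(prog)[0]["l2"]))
```

The naive verdict is spurious on fragment (b) and misses the dependence on fragment (c); the last-write verdict agrees with the discussion of both fragments.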

35 Shape Aalysis ad Applicatios TABLE 12.7 Predicate lst w v[l, z] lst w f [l, ](v) lst w f [l, d](v) Predicates for recordig history iformatio Iteded Meaig Program variable z was last writte ito by the statemet at label l. The-field of list elemet v was last writte ito by the statemet at label l. Thedata-field of list elemet v was last writte ito by the statemet at label l. Example Cosider the program ad graph of flow depedeces show i Figure Notice that l 12 is flow depedet oly o l 1 ad l 2, while l 13 is flow depedet o l 2, l 4, l 7, ad l 10. This iformatio could be used by a slicig tool to determie that the loop eed ot be executed i order to prit head->data i l 12, or by a istructio scheduler to reschedule l 12 to be executed ay time after l 2. Also, l 3, l 8, ad l 11 have o statemets that are depedet o them, makig them cadidates for elimiatio. Thus, eve i this simple example, kowig the flow depedeces would allow several code trasformatios Recordig History Usig Predicates Table 12.7 shows the predicates that are itroduced to implemet the augmeted sematics àlahorwitz et al. [25]. As idicated i the colum labeled Iteded Meaig, the itetio is that these predicates will record the label of the program statemet that last writes ito a give memory locatio. The predicate lst w v[l, z] is similar to the oe used i reachig-defiitios aalysis; it records that program variable z was last writte ito by the statemet at label l. The other two predicates record, for each field of each list elemet, which statemet last wrote ito that locatio. Table 12.8 shows the predicate-update formulas for recordig which statemet last wrote ito a locatio. The defiitios give i Table 12.8 would be used to augmet the istatiatio of the shape-aalysis TABLE 12.8 Predicate-update formulae for recordig last-write iformatio. Here rhs deotes a arbitrary expressio. Statemet Cod. 
Predicate l 1 : x = rhs ϕlst st w v[l 1,x] = 1 l l 1 ϕlst w v[l,x] = 0 l l 1, z x ϕlst w v[l,z] = lst w v[l, z] ϕlst w f [l,](v) = lst w f [l, ](v) (v) = lst w f [l, d](v) l 1 : x-> = rhs l 1 : x->data =rhs l l 1 l l 1 ϕ st lst w f [l,d] ϕlst st w v[l,z] ϕlst w ϕ st lst w ϕ st lst w = lst w v[l, z] f [l 1,] (v) = (lst w f [l 1, ](v) x(v)) x(v) f [l,](v) = lst w f [l, ](v) x(v) (v) = lst w f [l, d](v) f [l,d] ϕlst st w v[l,z] ϕlst w f [l,] ϕ st lst w ϕ st lst w = lst w v[l, z] (v) = lst w f [l, ](v) f [l 1,d] (v) = lst w f [l 1, d](v) x(v)) x(v) (v) = lst w f [l, d](v) x(v) f [l,d]

12-36 The Compiler Design Handbook: Optimizations and Machine Code Generation

TABLE 12.9 Formulas that use the last-write information in the structures associated with statement at l_2 to identify flow dependences from statement l_1. (In this table, c stands for any constant.)

Statement             Formula
l_2 : x = NULL        0
l_2 : x = malloc()    0
l_2 : x = y           lst_w_v[l_1, y]
l_2 : x = y->n        lst_w_v[l_1, y] v : y(v) lst_w_f[l_1, n](v)
l_2 : x = y->data     lst_w_v[l_1, y] v : y(v) lst_w_f[l_1, d](v)
l_2 : x->f = NULL     lst_w_v[l_1, x]
l_2 : x->f = y        lst_w_v[l_1, x] lst_w_v[l_1, y]
l_2 : x->data = c     lst_w_v[l_1, x]

FIGURE The most complex structure that the analysis yields at l_12.

framework that was described in Section. When the shape-analysis algorithm that we obtain in this way is applied to a program, it produces a set of 3-valued structures for each program point. Then, for each statement l_2, to determine whether there is a flow dependence from l_1 to l_2, each of the structures associated with l_2 is checked by evaluating the formulas from the appropriate line of Table. These formulas use the last-write information in the structures associated with l_2 to determine whether there is flow dependence from a statement l_1. The idea behind Table 12.9 is that for each location accessed in the evaluation of l_2's left-hand side (as an L-value) and l_2's right-hand side (as an R-value), we need to check which statement last wrote into that location. If the formula is potentially satisfied by some 3-valued structure at l_2, there is a flow dependence from l_1 to l_2.

Example. Figure shows one of the 3-valued structures that occurs at l_12 when the program shown in Figure is analyzed. (Three other structures arise at l_12; these correspond to simpler configurations of memory than the one depicted.)
The formula lst_w_v[l_2, head] v : head(v) lst_w_f[l_2, d](v) evaluates to 1, which indicates that l_12 depends on l_2. In contrast, the formula lst_w_v[l_7, head] v : head(v) lst_w_f[l_7, d](v) evaluates to 0 (in this structure and in all of the other structures that arise at l_12). This allows us to conclude that l_12 does not depend on l. It is straightforward to provide similar formulas to extract flow dependences from the structures that the shape-analysis algorithm associates with program conditions.
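The last-write bookkeeping described above, as an added example that is not code from the chapter: it keeps the lst_w_v and lst_w_f records of Table 12.7 on a concrete store and emits a flow dependence whenever a statement reads a location, following the reads listed per statement form in Table 12.9. It follows one execution of a constructed program, so it finds the dependences of that path only, whereas the 3-valued analysis covers all paths; the tuple encoding, the "use y->data" form and the helper names are assumptions made for illustration.

```python
from itertools import count

# Constructed sample program (not the chapter's figure): build a two-element
# list, then read it back. Each entry is (label, statement form, operands).
PROGRAM = [
    ("l1",  "x=malloc",    "head"),
    ("l2",  "x->data=c",   "head", 1),
    ("l3",  "x->n=NULL",   "head"),
    ("l4",  "x=y",         "tail", "head"),
    ("l5",  "x=malloc",    "temp"),
    ("l6",  "x->data=c",   "temp", 2),
    ("l7",  "x->n=NULL",   "temp"),
    ("l8",  "x->n=y",      "tail", "temp"),   # overwrites the n-field set at l3
    ("l9",  "x=y",         "tail", "temp"),
    ("l10", "use y->data", "head"),           # e.g. print head->data
    ("l11", "x=y->n",      "temp", "head"),
    ("l12", "use y->data", "temp"),
]


def flow_dependences(program):
    """Run one path and return the set of (reader, writer) label pairs."""
    var, heap = {}, {}          # variable -> cell or None; (cell, field) -> value
    lst_w_v, lst_w_f = {}, {}   # last writer of each variable / each cell field
    deps = set()
    fresh = count()             # cell ids handed out by malloc

    def rd_var(l, z):
        if z not in var:
            raise ValueError(f"{l}: read of unassigned variable {z}")
        deps.add((l, lst_w_v[z]))
        return var[z]

    def rd_field(l, cell, f):
        if cell is None:
            raise ValueError(f"{l}: NULL dereference")
        if (cell, f) in lst_w_f:        # a fresh cell's fields have no writer yet
            deps.add((l, lst_w_f[cell, f]))
        return heap.get((cell, f))

    def wr_var(l, z, value):
        var[z], lst_w_v[z] = value, l

    def wr_field(l, cell, f, value):
        if cell is None:
            raise ValueError(f"{l}: NULL dereference")
        heap[cell, f], lst_w_f[cell, f] = value, l

    for l, op, *a in program:
        if op == "x=NULL":
            wr_var(l, a[0], None)
        elif op == "x=malloc":
            wr_var(l, a[0], next(fresh))
        elif op == "x=y":
            wr_var(l, a[0], rd_var(l, a[1]))
        elif op == "x=y->n":            # reads y, then the n-field of y's cell
            wr_var(l, a[0], rd_field(l, rd_var(l, a[1]), "n"))
        elif op == "x->n=NULL":         # x is read to locate the cell written
            wr_field(l, rd_var(l, a[0]), "n", None)
        elif op == "x->n=y":
            wr_field(l, rd_var(l, a[0]), "n", rd_var(l, a[1]))
        elif op == "x->data=c":
            wr_field(l, rd_var(l, a[0]), "d", a[1])
        elif op == "use y->data":       # read side of x = y->data, no write
            rd_field(l, rd_var(l, a[0]), "d")
        else:
            raise ValueError(f"{l}: unsupported statement form {op!r}")
    return deps


def depends_on(deps, label):
    """Labels of the statements that `label` is flow dependent on."""
    return {w for r, w in deps if r == label}


def writers_never_read(program, deps):
    """Writing statements that no statement on this path depends on."""
    read_from = {w for _, w in deps}
    return [l for l, op, *_ in program
            if not op.startswith("use") and l not in read_from]


if __name__ == "__main__":
    d = flow_dependences(PROGRAM)
    for label in ("l10", "l11", "l12"):
        print(label, "depends on", sorted(depends_on(d, label)))
    print("no dependents on this path:", writers_never_read(PROGRAM, d))
```

A statement reported by `writers_never_read` is only a candidate for elimination on this one path; a claim that holds for the program needs the all-paths result that the shape analysis provides.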


More information

Creating Exact Bezier Representations of CST Shapes. David D. Marshall. California Polytechnic State University, San Luis Obispo, CA , USA

Creating Exact Bezier Representations of CST Shapes. David D. Marshall. California Polytechnic State University, San Luis Obispo, CA , USA Creatig Exact Bezier Represetatios of CST Shapes David D. Marshall Califoria Polytechic State Uiversity, Sa Luis Obispo, CA 93407-035, USA The paper presets a method of expressig CST shapes pioeered by

More information

Exact Minimum Lower Bound Algorithm for Traveling Salesman Problem

Exact Minimum Lower Bound Algorithm for Traveling Salesman Problem Exact Miimum Lower Boud Algorithm for Travelig Salesma Problem Mohamed Eleiche GeoTiba Systems mohamed.eleiche@gmail.com Abstract The miimum-travel-cost algorithm is a dyamic programmig algorithm to compute

More information

CS 683: Advanced Design and Analysis of Algorithms

CS 683: Advanced Design and Analysis of Algorithms CS 683: Advaced Desig ad Aalysis of Algorithms Lecture 6, February 1, 2008 Lecturer: Joh Hopcroft Scribes: Shaomei Wu, Etha Feldma February 7, 2008 1 Threshold for k CNF Satisfiability I the previous lecture,

More information

What are we going to learn? CSC Data Structures Analysis of Algorithms. Overview. Algorithm, and Inputs

What are we going to learn? CSC Data Structures Analysis of Algorithms. Overview. Algorithm, and Inputs What are we goig to lear? CSC316-003 Data Structures Aalysis of Algorithms Computer Sciece North Carolia State Uiversity Need to say that some algorithms are better tha others Criteria for evaluatio Structure

More information

South Slave Divisional Education Council. Math 10C

South Slave Divisional Education Council. Math 10C South Slave Divisioal Educatio Coucil Math 10C Curriculum Package February 2012 12 Strad: Measuremet Geeral Outcome: Develop spatial sese ad proportioal reasoig It is expected that studets will: 1. Solve

More information

Code Review Defects. Authors: Mika V. Mäntylä and Casper Lassenius Original version: 4 Sep, 2007 Made available online: 24 April, 2013

Code Review Defects. Authors: Mika V. Mäntylä and Casper Lassenius Original version: 4 Sep, 2007 Made available online: 24 April, 2013 Code Review s Authors: Mika V. Mätylä ad Casper Lasseius Origial versio: 4 Sep, 2007 Made available olie: 24 April, 2013 This documet cotais further details of the code review defects preseted i [1]. of

More information

IMP: Superposer Integrated Morphometrics Package Superposition Tool

IMP: Superposer Integrated Morphometrics Package Superposition Tool IMP: Superposer Itegrated Morphometrics Package Superpositio Tool Programmig by: David Lieber ( 03) Caisius College 200 Mai St. Buffalo, NY 4208 Cocept by: H. David Sheets, Dept. of Physics, Caisius College

More information

Counting Regions in the Plane and More 1

Counting Regions in the Plane and More 1 Coutig Regios i the Plae ad More 1 by Zvezdelia Stakova Berkeley Math Circle Itermediate I Group September 016 1. Overarchig Problem Problem 1 Regios i a Circle. The vertices of a polygos are arraged o

More information

Accuracy Improvement in Camera Calibration

Accuracy Improvement in Camera Calibration Accuracy Improvemet i Camera Calibratio FaJie L Qi Zag ad Reihard Klette CITR, Computer Sciece Departmet The Uiversity of Aucklad Tamaki Campus, Aucklad, New Zealad fli006, qza001@ec.aucklad.ac.z r.klette@aucklad.ac.z

More information

The Implementation of Data Structures in Version 5 of Icon* Ralph E. Gr is wo Id TR 85-8

The Implementation of Data Structures in Version 5 of Icon* Ralph E. Gr is wo Id TR 85-8 The Implemetatio of Data Structures i Versio 5 of Ico* Ralph E. Gr is wo Id TR 85-8 April 1, 1985 Departmet of Computer Sciece The Uiversity of Arizoa Tucso. Arizoa 85721 This work was supported by the

More information

Counting the Number of Minimum Roman Dominating Functions of a Graph

Counting the Number of Minimum Roman Dominating Functions of a Graph Coutig the Number of Miimum Roma Domiatig Fuctios of a Graph SHI ZHENG ad KOH KHEE MENG, Natioal Uiversity of Sigapore We provide two algorithms coutig the umber of miimum Roma domiatig fuctios of a graph

More information

Computational Geometry

Computational Geometry Computatioal Geometry Chapter 4 Liear programmig Duality Smallest eclosig disk O the Ageda Liear Programmig Slides courtesy of Craig Gotsma 4. 4. Liear Programmig - Example Defie: (amout amout cosumed

More information

Random Graphs and Complex Networks T

Random Graphs and Complex Networks T Radom Graphs ad Complex Networks T-79.7003 Charalampos E. Tsourakakis Aalto Uiversity Lecture 3 7 September 013 Aoucemet Homework 1 is out, due i two weeks from ow. Exercises: Probabilistic iequalities

More information