
Environment Analysis of Higher-Order Languages

Matthew Might, Georgia Institute of Technology, 7 June 2007

Thesis: Environment analysis is feasible and useful for higher-order languages.

Points: Environment analysis is feasible :


  1. Tool: Abstract interpretation
     Definition: Abstract interpretation approximates set of reachable states.
     [Figure: the concrete interpretation as a chain of states ς1, ς2, ς3, ς4, ς5, ⋯; the abstract interpretation as a graph over states ς1, ς2, ς3, ς4 with branch states ς3.1,1, ς3.1,2 and ς3.2,1]

  2. Example
     [Figure: graph of numbered nodes; layout not recoverable]

  3. Tool: Continuation-passing style (CPS)
     Contract:
     ◮ Calls don't return.
     ◮ Continuations (procedures) are passed, to receive return values.
     Definition: A continuation encodes the future of computation.
     Grammar:
     $e, f \in EXP ::= v \mid (\lambda\ (v_1 \cdots v_n)\ call)$
     $call \in CALL ::= (f\ e_1 \cdots e_n)$

  4. CPS narrows concern
     λ is universal representation of control & env.

     | Construct   | Encoding  |
     |-------------|-----------|
     | fun call    | call to λ |
     | fun return  | call to λ |
     | iteration   | call to λ |
     | sequencing  | call to λ |
     | conditional | call to λ |
     | exception   | call to λ |
     | coroutine   | call to λ |
     | ...         | ...       |

     Advantage: Now λ is fine-grained construct.

  5. Strategy
     ◮ Define state machine: $\varsigma \Rightarrow \varsigma'$.
     ◮ k-CFA = abstract interpretation of $\Rightarrow$.

  6. Semantics: Eval states
     $(\ ,\ ,\ ,\ )$

  7. Semantics: Eval states
     $([\![(f\ e_1 \cdots e_n)]\!],\ ,\ ,\ )$
     Components: call site.

  8. Semantics: Eval states
     $([\![(f\ e_1 \cdots e_n)]\!], \beta,\ ,\ )$
     Components: call site; $\beta$ : Var → Time.

  9. Semantics: Eval states
     $([\![(f\ e_1 \cdots e_n)]\!], \beta, ve,\ )$
     Components: call site; $\beta$ : Var → Time; $ve$ : Var × Time → Val.
     $\mathcal{A}(v, \beta, ve) = \mathbf{let}\ t_{bound} = \beta(v),\ value = ve(v, t_{bound})\ \mathbf{in}\ value$

  10. Semantics: Eval states
      $([\![(f\ e_1 \cdots e_n)]\!], \beta, ve, t)$
      Components: call site; $\beta$ : Var → Time; $ve$ : Var × Time → Val; $t$ : timestamp.
      $\mathcal{A}(v, \beta, ve) = \mathbf{let}\ t_{bound} = \beta(v),\ value = ve(v, t_{bound})\ \mathbf{in}\ value$

  11. Semantics: Eval states
      $([\![(f\ e_1 \cdots e_n)]\!], \beta, ve, t) \Rightarrow (\ ,\ ,\ ,\ )$
      $\mathcal{A}(v, \beta, ve) = \mathbf{let}\ t_{bound} = \beta(v),\ value = ve(v, t_{bound})\ \mathbf{in}\ value$

  12. Semantics: Eval states
      Procedure: $proc = \mathcal{A}(f, \beta, ve)$
      $([\![(f\ e_1 \cdots e_n)]\!], \beta, ve, t) \Rightarrow (proc,\ ,\ ,\ )$
      $\mathcal{A}(v, \beta, ve) = \mathbf{let}\ t_{bound} = \beta(v),\ value = ve(v, t_{bound})\ \mathbf{in}\ value$
      $\mathcal{A}(lam, \beta, ve) = (lam, \beta)$

  13. Semantics: Eval states
      Procedure: $proc = \mathcal{A}(f, \beta, ve)$
      Arguments: $d_i = \mathcal{A}(e_i, \beta, ve)$
      $([\![(f\ e_1 \cdots e_n)]\!], \beta, ve, t) \Rightarrow (proc, \mathbf{d},\ ,\ )$
      $\mathcal{A}(v, \beta, ve) = \mathbf{let}\ t_{bound} = \beta(v),\ value = ve(v, t_{bound})\ \mathbf{in}\ value$
      $\mathcal{A}(lam, \beta, ve) = (lam, \beta)$

  14. Semantics: Eval states
      Procedure: $proc = \mathcal{A}(f, \beta, ve)$
      Arguments: $d_i = \mathcal{A}(e_i, \beta, ve)$
      $([\![(f\ e_1 \cdots e_n)]\!], \beta, ve, t) \Rightarrow (proc, \mathbf{d}, ve,\ )$
      Third component of the successor: $ve$ : Var × Time → Val.
      $\mathcal{A}(v, \beta, ve) = \mathbf{let}\ t_{bound} = \beta(v),\ value = ve(v, t_{bound})\ \mathbf{in}\ value$
      $\mathcal{A}(lam, \beta, ve) = (lam, \beta)$

  15. Semantics: Eval states
      Procedure: $proc = \mathcal{A}(f, \beta, ve)$
      Arguments: $d_i = \mathcal{A}(e_i, \beta, ve)$
      $([\![(f\ e_1 \cdots e_n)]\!], \beta, ve, t) \Rightarrow (proc, \mathbf{d}, ve, t + 1)$
      Successor components: $ve$ : Var × Time → Val; $t + 1$ : timestamp.
      $\mathcal{A}(v, \beta, ve) = \mathbf{let}\ t_{bound} = \beta(v),\ value = ve(v, t_{bound})\ \mathbf{in}\ value$
      $\mathcal{A}(lam, \beta, ve) = (lam, \beta)$

  16. Semantics: Apply states
      $(\ ,\ ,\ ,\ )$

  17. Semantics: Apply states
      $(([\![(\lambda\ (v_1 \cdots v_n)\ call)]\!], \beta'), \mathbf{d}, ve, t)$

  18. Semantics: Apply states
      $(([\![(\lambda\ (v_1 \cdots v_n)\ call)]\!], \beta'), \mathbf{d}, ve, t) \Rightarrow (\ ,\ ,\ ,\ )$

  19. Semantics: Apply states
      $(([\![(\lambda\ (v_1 \cdots v_n)\ call)]\!], \beta'), \mathbf{d}, ve, t) \Rightarrow (call,\ ,\ ,\ )$

  20. Semantics: Apply states
      $(([\![(\lambda\ (v_1 \cdots v_n)\ call)]\!], \beta'), \mathbf{d}, ve, t) \Rightarrow (call, \beta'[v_i \mapsto t],\ ,\ )$

  21. Semantics: Apply states
      $(([\![(\lambda\ (v_1 \cdots v_n)\ call)]\!], \beta'), \mathbf{d}, ve, t) \Rightarrow (call, \beta'[v_i \mapsto t], ve[(v_i, t) \mapsto d_i],\ )$

  22. Semantics: Apply states
      $(([\![(\lambda\ (v_1 \cdots v_n)\ call)]\!], \beta'), \mathbf{d}, ve, t) \Rightarrow (call, \beta'[v_i \mapsto t], ve[(v_i, t) \mapsto d_i], t)$

  23. Eval-state transition:
      $proc = \mathcal{A}(f, \beta, ve)$, $d_i = \mathcal{A}(e_i, \beta, ve)$
      $([\![(f\ e_1 \cdots e_n)]\!], \beta, ve, t) \Rightarrow (proc, \mathbf{d}, ve, t + 1)$
      Apply-state transition:
      $proc = ([\![(\lambda\ (v_1 \cdots v_n)\ call)]\!], \beta')$
      $(proc, \mathbf{d}, ve, t) \Rightarrow (call, \beta'[v_i \mapsto t], ve[(v_i, t) \mapsto d_i], t)$
      Domains:
      $\varsigma \in Eval = CALL \times BEnv \times VEnv \times Time$
      $\quad +\ Apply = Proc \times D^* \times VEnv \times Time$
      $\beta \in BEnv = VAR \to Time$
      $ve \in VEnv = VAR \times Time \to D$
      $proc \in Proc = Clo + \{halt\}$
      $clo \in Clo = LAM \times BEnv$
      $d \in D = Proc$
      $t \in Time$ = infinite set of times (contours)
      Lookup function:
      $\mathcal{A}(lam, \beta, ve) = (lam, \beta)$
      $\mathcal{A}(v, \beta, ve) = ve(v, \beta(v))$

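  24. Eval-state transition:
      $\widehat{proc} \in \hat{\mathcal{A}}(f, \hat\beta, \widehat{ve})$, $\hat d_i = \hat{\mathcal{A}}(e_i, \hat\beta, \widehat{ve})$
      $([\![(f\ e_1 \cdots e_n)]\!], \hat\beta, \widehat{ve}, \hat t) \mathrel{\approx\!>} (\widehat{proc}, \hat{\mathbf{d}}, \widehat{ve}, \widehat{succ}(\hat t))$
      Apply-state transition:
      $\widehat{proc} = ([\![(\lambda\ (v_1 \cdots v_n)\ call)]\!], \hat\beta')$
      $(\widehat{proc}, \hat{\mathbf{d}}, \widehat{ve}, \hat t) \mathrel{\approx\!>} (call, \hat\beta'[v_i \mapsto \hat t], \widehat{ve} \sqcup [(v_i, \hat t) \mapsto \hat d_i], \hat t)$
      Domains:
      $\hat\varsigma \in \widehat{Eval} = CALL \times \widehat{BEnv} \times \widehat{VEnv} \times \widehat{Time}$
      $\quad +\ \widehat{Apply} = \widehat{Proc} \times \hat{D}^* \times \widehat{VEnv} \times \widehat{Time}$
      $\hat\beta \in \widehat{BEnv} = VAR \to \widehat{Time}$
      $\widehat{ve} \in \widehat{VEnv} = VAR \times \widehat{Time} \to \hat{D}$
      $\widehat{proc} \in \widehat{Proc} = \widehat{Clo} + \{halt\}$
      $\widehat{clo} \in \widehat{Clo} = LAM \times \widehat{BEnv}$
      $\hat d \in \hat{D} = \mathcal{P}(\widehat{Proc})$
      $\hat t \in \widehat{Time}$ = finite set of times (contours)
      Lookup function:
      $\hat{\mathcal{A}}(lam, \hat\beta, \widehat{ve}) = \{(lam, \hat\beta)\}$
      $\hat{\mathcal{A}}(v, \hat\beta, \widehat{ve}) = \widehat{ve}(v, \hat\beta(v))$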

  26. Environment analysis, Take 1: µCFA

  27. Environment problem refined
      Input: Two abstract environments, $\hat\beta_1$ and $\hat\beta_2$.

  28. Environment problem refined
      Input: Two abstract environments, $\hat\beta_1$ and $\hat\beta_2$.
      Output: The set of variables on which their concrete counterparts agree.

  29. Strategy
      ◮ Count concrete counterparts to abstract bindings.

  30. Strategy
      ◮ Count concrete counterparts to abstract bindings.
      ◮ Apply principle: $\{x\} = \{y\} \implies x = y$.

  31. Tool: Abstract counting
      Abstract binding counter, $\hat\mu$ : "Bindings" → $\{0, 1, \infty\}$.
      Eval:
      $([\![(f\ e_1 \cdots e_n)]\!], \hat\beta, \widehat{ve}, \hat t) \mathrel{\approx\!>} (\widehat{proc}, \hat{\mathbf{d}}, \widehat{ve}, \widehat{succ}(\hat t))$
      where $\widehat{proc} \in \hat{\mathcal{A}}(f, \hat\beta, \widehat{ve})$ and $\hat d_i = \hat{\mathcal{A}}(e_i, \hat\beta, \widehat{ve})$
      Apply:
      $(([\![(\lambda\ (v_1 \cdots v_n)\ call)]\!], \hat\beta_b), \hat{\mathbf{d}}, \widehat{ve}, \hat t) \mathrel{\approx\!>} (call, \hat\beta', \widehat{ve}', \hat t)$
      where $\hat\beta' = \hat\beta_b[v_i \mapsto \hat t]$ and $\widehat{ve}' = \widehat{ve} \sqcup [(v_i, \hat t) \mapsto \hat d_i]$

  32. Tool: Abstract counting
      Abstract binding counter, $\hat\mu$ : "Bindings" → $\{0, 1, \infty\}$.
      Eval:
      $([\![(f\ e_1 \cdots e_n)]\!], \hat\beta, \widehat{ve}, \hat\mu, \hat t) \mathrel{\approx\!>} (\widehat{proc}, \hat{\mathbf{d}}, \widehat{ve}, \hat\mu, \widehat{succ}(\hat t))$
      where $\widehat{proc} \in \hat{\mathcal{A}}(f, \hat\beta, \widehat{ve})$ and $\hat d_i = \hat{\mathcal{A}}(e_i, \hat\beta, \widehat{ve})$
      Apply:
      $(([\![(\lambda\ (v_1 \cdots v_n)\ call)]\!], \hat\beta_b), \hat{\mathbf{d}}, \widehat{ve}, \hat\mu, \hat t) \mathrel{\approx\!>} (call, \hat\beta', \widehat{ve}', \hat\mu', \hat t)$
      where $\hat\beta' = \hat\beta_b[v_i \mapsto \hat t]$, $\widehat{ve}' = \widehat{ve} \sqcup [(v_i, \hat t) \mapsto \hat d_i]$ and $\hat\mu' = \hat\mu \oplus [(v_i, \hat t) \mapsto 1]$

  33. µCFA environment condition
      Basic Principle: If $\{x\} = \{y\}$, then $x = y$.
      Theorem (Environment condition): If $\hat\beta_1(v) = \hat\beta_2(v)$, and $\hat\mu(v, \hat\beta_1(v)) = \hat\mu(v, \hat\beta_2(v)) = 1$, then $\beta_1(v) = \beta_2(v)$.

  34. µCFA environment condition
      Basic Principle: If $\{x\} = \{y\}$, then $x = y$.
      Theorem (Environment condition): If $\hat\beta_1(v) = \hat\beta_2(v)$, and $\hat\mu(v, \hat\beta_1(v)) = \hat\mu(v, \hat\beta_2(v)) = 1$, then $\beta_1(v) = \beta_2(v)$, where: $(v, \beta_1(v)) \in dom(ve)$, and $|\beta_i| \sqsubseteq \hat\beta_i$, and $|ve|^{\mu} \sqsubseteq \hat\mu$.

  35. µCFA environment condition
      Basic Principle: If $\{x\} = \{y\}$, then $x = y$.
      Theorem (Environment condition): If $\hat\beta_1(v) = \hat\beta_2(v)$, and $\hat\mu(v, \hat\beta_1(v)) = \hat\mu(v, \hat\beta_2(v)) = 1$, then $\beta_1(v) = \beta_2(v)$, where: $(v, \beta_1(v)) \in dom(ve)$, and $|\beta_i| \sqsubseteq \hat\beta_i$, and $|ve|^{\mu} \sqsubseteq \hat\mu$.
      Problem: Most counts hit ∞: almost every variable bound more than once!

  36. Making it feasible: ΓCFA

  37. Example: Abstract garbage collection
      3-address concrete heap. 2-address abstract counterpart.
      [Figure: concrete heap with object o1 and addresses a1, a2, a3; abstract heap with object |o1| and addresses â1,2 and â3]

  38. Example: Abstract garbage collection
      3-address concrete heap. 2-address abstract counterpart.
      [Figure: as in item 37, with the parts of each heap labeled Object, Address and GC Root]

  40. Example: Abstract garbage collection
      Next: Allocate object o2 to address a3. Shift root to a3.
      [Figure: concrete heap with o1 and addresses a1, a2, a3; abstract heap with |o1| and addresses â1,2 and â3]

  41. Example: Abstract garbage collection
      Next: Allocate object o3 to address a2. Point o2 to a2.
      [Figure: concrete heap with o1, o2 and addresses a1, a2, a3; abstract heap with |o1|, |o2| and addresses â1,2 and â3]

  42. Example: Abstract garbage collection
      Uh-oh! Zombie born. Concrete-abstract symmetry broken.
      [Figure: concrete heap with o1, o3, o2 and addresses a1, a2, a3; abstract heap with |o1|, |o3|, |o2| and addresses â1,2 and â3]

  43. Example: Abstract garbage collection
      Solution: Rewind and garbage collect first.
      [Figure: concrete heap with o1, o3, o2 and addresses a1, a2, a3; abstract heap with |o1|, |o3|, |o2| and addresses â1,2 and â3]

  44. Example: Abstract garbage collection
      As it was:
      [Figure: concrete heap with o1, o2 and addresses a1, a2, a3; abstract heap with |o1|, |o2| and addresses â1,2 and â3]

  45. Example: Abstract garbage collection
      After garbage collection:
      [Figure: concrete heap with o2 and addresses a1, a2, a3; abstract heap with |o2| and addresses â1,2 and â3]

  46. Example: Abstract garbage collection
      Try again: Allocate object o3 to address a2. Point o2 to a2.
      [Figure: concrete heap with o2 and addresses a1, a2, a3; abstract heap with |o2| and addresses â1,2 and â3]

  47. Example: Abstract garbage collection
      No overapproximation!
      [Figure: concrete heap with o3, o2 and addresses a1, a2, a3; abstract heap with |o3|, |o2| and addresses â1,2 and â3]

  48. Correctness of garbage collection
      Theorem: Garbage collection does not change the meaning of a program.
      [Diagram: the trace ς0, ς1, ς2, ς3, ς4, ⋯ related state by state through ≡ to the trace ς0, ς′1, ς′2, ς′3, ς′4, ⋯, with arrows labeled Γ]

  49. Soundness of the analysis
      Theorem (Correctness of ΓCFA): ΓCFA simulates the concrete semantics.
      [Simulation diagram: $|\varsigma| \sqsubseteq \hat\varsigma$ on top, $\varsigma \Rightarrow \varsigma'$ and $\hat\varsigma \mathrel{\approx\!>} \hat\varsigma'$ on the sides, $|\varsigma'| \sqsubseteq \hat\varsigma'$ at the bottom]

  50. Abstract garbage collection & polyvariance
      Question: Consider (λ (... k) ...). To where will it return?
      0CFA: To everywhere called: Flow set for k grows monotonically.
      ΓCFA with 0CFA contour set: To last call, if tail-recursive or leaf procedure.

  51. Example: Forking

      ```scheme
      (define (identity x) x)
      (define mylock (identity lock))
      (define myunlock (identity unlock))
      (mylock mutex)
      (myunlock mutex)
      ```

  52. Example: Forking

      ```scheme
      (define (identity x) x)
      (define mylock (identity lock))
      (define myunlock (identity unlock))
      (mylock mutex)
      (myunlock mutex)
      ```

      Without GC:
      [Figure: graph of numbered nodes; layout not recoverable]
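
The eval/apply state machine summarized in item 23, as an added Python example (not code from the presentation). The names `Lam`, `Call`, `step`, `run`, `binding_times` and the sample CPS program are constructed for illustration; the program calls one identity procedure twice, so `x` ends up bound at two distinct times, which is the situation the abstract counter in items 31 to 35 has to account for.

```python
from collections import namedtuple

Lam = namedtuple("Lam", "params body")    # (λ (v1 ... vn) call)
Call = namedtuple("Call", "f args")       # (f e1 ... en)
HALT = "halt"                             # the halt procedure

def A(e, beta, ve):
    """Lookup function: a λ-term closes over β; a variable v reads ve(v, β(v))."""
    if isinstance(e, Lam):
        return (e, beta)
    return ve[(e, beta[e])]

def step(state):
    if isinstance(state[0], Call):                      # Eval state (call, β, ve, t)
        call, beta, ve, t = state
        proc = A(call.f, beta, ve)
        d = tuple(A(e, beta, ve) for e in call.args)
        return (proc, d, ve, t + 1)
    (lam, beta_b), d, ve, t = state                     # Apply state (proc, d, ve, t)
    beta2 = {**beta_b, **{v: t for v in lam.params}}    # β'[v_i ↦ t]
    ve2 = {**ve, **{(v, t): di for v, di in zip(lam.params, d)}}  # ve[(v_i, t) ↦ d_i]
    return (lam.body, beta2, ve2, t)

def run(program):
    """Apply the program (a λ taking the top-level continuation) to halt."""
    state = ((program, {}), (HALT,), {}, 0)
    while state[0] != HALT:
        state = step(state)
    return state                                        # (halt, d, ve, t)

def binding_times(ve, v):
    """All times at which variable v was bound during the run."""
    return sorted(t for (var, t) in ve if var == v)

# Constructed sample program: bind id, call it twice in CPS, pass the result to halt.
ID = Lam(("x", "k"), Call("k", ("x",)))
SECOND = Lam(("a",), Call("id", ("a", Lam(("b",), Call("k0", ("b",))))))
PROGRAM = Lam(("k0",), Call(Lam(("id",), Call("id", ("id", SECOND))), (ID,)))
```
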
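
The heap walk-through of items 37 to 47, combined with the {0, 1, ∞} counter of item 31, as an added Python example (not code from the presentation). It assumes a counter kept per abstract address rather than per binding; `AbstractHeap`, `oplus`, `scenario` and the address strings are constructed names.

```python
INF = float("inf")                                     # stands for the count ∞
ALPHA = {"a1": "â1,2", "a2": "â1,2", "a3": "â3"}       # concrete -> abstract address

def oplus(n):
    """One more allocation on an abstract count: 0 -> 1, 1 -> ∞, ∞ -> ∞."""
    return 1 if n == 0 else INF

class AbstractHeap:
    def __init__(self):
        self.objs = {a: set() for a in ALPHA.values()}   # abstract address -> objects
        self.count = {a: 0 for a in ALPHA.values()}      # abstract counter
        self.points_to = {}                              # object -> abstract address
        self.root = None

    def alloc(self, obj, addr):
        a = ALPHA[addr]
        self.objs[a].add(obj)                  # join: whatever was there stays
        self.count[a] = oplus(self.count[a])

    def gc(self):
        live, todo = set(), [self.root]
        while todo:                            # addresses reachable from the root
            a = todo.pop()
            if a not in live:
                live.add(a)
                todo += [self.points_to[o] for o in self.objs[a] if o in self.points_to]
        for a in self.objs:
            if a not in live:                  # unreachable: drop objects, count back to 0
                for o in self.objs[a]:
                    self.points_to.pop(o, None)
                self.objs[a], self.count[a] = set(), 0

def scenario(collect_first):
    h = AbstractHeap()
    h.alloc("o1", "a1"); h.root = ALPHA["a1"]              # item 37: o1 at a1, rooted
    h.alloc("o2", "a3"); h.root = ALPHA["a3"]              # item 40: o2 at a3, root shifts
    if collect_first:
        h.gc()                                             # item 43: collect before allocating
    h.alloc("o3", "a2"); h.points_to["o2"] = ALPHA["a2"]   # items 41 and 46
    return h.objs[ALPHA["a2"]], h.count[ALPHA["a2"]]
```

Without collection the shared abstract address holds both the dead o1 and the new o3 and its count is ∞; collecting first leaves only o3 with count 1, which is the case the environment condition of item 33 needs.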
