Shape Analysis

1. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Shape Analysis Nicola Corti & Alessandro Baroni University of Pisa Static Analysis Techniques course 8 May 2014

2. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Index Introduction Semantic Shape Graphs The Analysis

3. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] What is the Shape Analysis? Shape Analysis An intraprocedural analysis aimed to ﬁgure out the shape of an heap-allocated memory. 1. Extend the While language with command for heap management, 2. Present an abstract representation for the heap memory, 3. Present the analysis like a monotone framework.

4. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Use case of the Shape Analysis nil-pointer dereferencing, Checking ﬁeld existence (e.g. a.sel := 1, what if a does not have a sel ﬁeld?), Validating properties of data structure shape (e.g. a non-cyclic structure is still non-cyclic after a computation).

5. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Selectors and Pointers Selectors sel ∈ Sel Pointers p ∈ PExp p ::= x | x.sel

6. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Extended Syntax The extended syntax with pointers a ::= p | n | a1 opa a2 | nil b ::= true | false | not b | b1 opb b2 | a1 opr a2 | opp p S ::= [p := a] | [skip] | S1; S2 | if [b] then S1 else S2 | while [b] do S | [malloc p] Note that opr now accept two operands of type a, such as two pointer (for an operation such as are-equals) and the operator opp accept one pointer operands (think at operations like is-nil). The operator [malloc p] allow to allocate new space in the heap.

7. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Structural Operational Semantics We add values for locations: ξ ∈ Loc From now on a configuration of the semantics will be composed by a state and a heap σ ∈ State = Var∗ → (Z + Loc + { }) H ∈ Heap = (Loc × Sel) →fin (Z + Loc + { }) Note that the heap H need a Loc and a Sel to return a value. The →fin represent the fact that not all the selector fields will be defined. The value represent the nil value.

10. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Pointer Expressions We need to define a new semantic function for pointers ℘ : PExp∗ → (State × Heap) →fin (Z + Loc + { }) ℘ x (σ, H) = σ(x) ℘ x.sel (σ, H) =    H(σ(x), sel) if σ(x) ∈ Loc ∧ H is defined on (σ(x), sel) undef if σ(x) ∈ Loc ∨ H is undefined on (σ(x), sel)

11. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Arithmetic & Boolean Expressions We need to update the older semantic function to work with the new heap: A : AExp → (State × Heap) →ﬁn (Z + Loc + { }) B : BExp → (State × Heap) →ﬁn T The new clause for arithmetic function are: A p (σ, H) = ℘ p (σ, H) A n (σ, H) = N n A a1 opa a2 (σ, H) = A a1 (σ, H) opa A a2 (σ, H) A nil (σ, H) =

12. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Arithmetic & Boolean Expressions The new clause for boolean function are: B a1 opr a2 (σ, H) = A a1 (σ, H) opr A a2 (σ, H) B opp p (σ, H) = opp (℘ p (σ, H)) Note that the meaning of opa and opr must be undeﬁned if the types are not the same (e.g. two integers or two pointers). is-nil(v) = tt if v = ﬀ otherwise

13. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Statements We extended the statements rules with the heap: [x := a] , σ, H → σ[x → A a (σ, H)], H if A a (σ, H) is deﬁned [x.sel := a] , σ, H → σ, H[(σ(x), sel) → A a (σ, H)] if σ(x) ∈ Loc and A a (σ, H) is deﬁned

14. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Statements We extended the statements rules with the heap: [x := a] , σ, H → σ[x → A a (σ, H)], H if A a (σ, H) is deﬁned [x.sel := a] , σ, H → σ, H[(σ(x), sel) → A a (σ, H)] if σ(x) ∈ Loc and A a (σ, H) is deﬁned

15. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Statements We add rules for the malloc statement, to allow allocation of new cells. [malloc x] , σ, H → σ[x → ξ], H where ξ is fresh within σ and H [malloc x.sel] , σ, H → σ, H[(σ(x), sel) → ξ] where ξ is fresh within σ and H and σ(x) ∈ Loc

16. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Statements We add rules for the malloc statement, to allow allocation of new cells. [malloc x] , σ, H → σ[x → ξ], H where ξ is fresh within σ and H [malloc x.sel] , σ, H → σ, H[(σ(x), sel) → ξ] where ξ is fresh within σ and H and σ(x) ∈ Loc

17. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Why we need shape graphs? Obviously the heap can grow arbitrarily large, but we want a way - to work with a ﬁnite representation, - to combine the location of the semantics in a ﬁnite number of abstract locations. Shape Graphs We introduce the shape graphs, an abstract representation for heap and state composed by: S abstract state, H abstract heap, is sharing informations. The is component allow us to recover the imprecision due to combining a set of location into an abstract location.

20. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] How do we proceed First of all we will deﬁne what are abstract location, abstract state, abstract heap, sharing information. Then we will present how to go from a couple (σ, H) to a shape graph (S, H, is). We will do it by introducing Five Invariants.

21. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] How do we proceed First of all we will deﬁne what are abstract location, abstract state, abstract heap, sharing information. Then we will present how to go from a couple (σ, H) to a shape graph (S, H, is). We will do it by introducing Five Invariants.

22. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Abstract Location We deﬁne an abstract location such as: ALoc = {nX | X ⊆ Var∗} The idea is that if x ∈ X then the abstract location nX will represent the location σ(x). We introduce even the abstract summary location n∅ that will represent all the location that we can’t reach directly from σ.

23. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Abstract Location We deﬁne an abstract location such as: ALoc = {nX | X ⊆ Var∗} The idea is that if x ∈ X then the abstract location nX will represent the location σ(x). We introduce even the abstract summary location n∅ that will represent all the location that we can’t reach directly from σ.

24. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Abstract Location Abstract location represent disjoint sets of locations. If we consider two diﬀerent abstract locations nX and nY , they could be the same (X = Y ) or the are disjoint (X ∩ Y = ∅). It can be easily proved, considering X = Y and taking a z ∈ X ∩ Y . Invariant 1 If two abstract location nX and nY occur in the same shape graph the either X = Y or X ∩ Y = ∅.

25. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Abstract Location Abstract location represent disjoint sets of locations. If we consider two diﬀerent abstract locations nX and nY , they could be the same (X = Y ) or the are disjoint (X ∩ Y = ∅). It can be easily proved, considering X = Y and taking a z ∈ X ∩ Y . Invariant 1 If two abstract location nX and nY occur in the same shape graph the either X = Y or X ∩ Y = ∅.

26. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Abstract State The abstract state S is used to map variables to abstract locations S ∈ AState = P(Var∗ × ALoc) We shall ensure that Invariant 2 If x is mapped to nX by the abstract state then x ∈ X From Invariant 1 follows that it will be at most one abstract location in the shape graph for each variable in the state.

27. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Abstract State The abstract state S is used to map variables to abstract locations S ∈ AState = P(Var∗ × ALoc) We shall ensure that Invariant 2 If x is mapped to nX by the abstract state then x ∈ X From Invariant 1 follows that it will be at most one abstract location in the shape graph for each variable in the state.

28. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Abstract Heaps The abstract state H is used to specify links within abstract locations. H ∈ AHeap = P(ALoc × Sel × ALoc) The links are speciﬁed by triples such as (nX , sel, nY ). The idea is that if H(ξ1, sel) = ξ2 and ξ1 and ξ2 are represented by nX and nY respectively, then (nX , sel, nY ) ∈ H.

29. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Abstract Heaps The abstract state H is used to specify links within abstract locations. H ∈ AHeap = P(ALoc × Sel × ALoc) The links are speciﬁed by triples such as (nX , sel, nY ). The idea is that if H(ξ1, sel) = ξ2 and ξ1 and ξ2 are represented by nX and nY respectively, then (nX , sel, nY ) ∈ H.

30. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Abstract Heaps Please note that in heap H there will be at most one location ξ2 such that H(ξ1, sel) = ξ2. This is not completely true in abstract heaps: consider the location n∅, it will represent several locations pointing to several locations (all the not reaching locations). We shall ensure that Invariant 3 Whenever (nV , sel, nW ) and (nV , sel, nW ) are in the abstract heap, then either V = ∅ or W = W .

33. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] A little Example [y := nil]1 ; while [not is-nil(x)]2 do ([z := y]3 ; [y := x]4 ; [x := x.cdr]5 ; [y.cdr := z]6 ); [z := nil]7 x y z ξ1 ξ2 ξ3 ξ4 ξ5 cdr cdr cdr cdr cdr Heap x n{x} nØ cdr cdr Shape Graph

34. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] A little Example [y := nil]1 ; while [not is-nil(x)]2 do ([z := y]3 ; [y := x]4 ; [x := x.cdr]5 ; [y.cdr := z]6 ); [z := nil]7 x y z ξ2 ξ3 ξ4 ξ5 cdr cdr cdr ξ1 cdr cdr Heap x y n{x} nØ cdr cdr n{y} Shape Graph

35. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] A little Example [y := nil]1 ; while [not is-nil(x)]2 do ([z := y]3 ; [y := x]4 ; [x := x.cdr]5 ; [y.cdr := z]6 ); [z := nil]7 x y z ξ3 ξ4 ξ5 cdr cdr cdr ξ2 cdr ξ1 cdr Heap x y z n{x} nØ cdr cdr n{y} n{z} cdr Shape Graph

36. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] A little Example [y := nil]1 ; while [not is-nil(x)]2 do ([z := y]3 ; [y := x]4 ; [x := x.cdr]5 ; [y.cdr := z]6 ); [z := nil]7 x y z ξ4 ξ5 cdr cdr ξ3 cdr ξ2 cdr ξ1 cdr Heap x y z n{x} nØ cdr n{y} n{z} cdr cdr Shape Graph

37. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] A little Example [y := nil]1 ; while [not is-nil(x)]2 do ([z := y]3 ; [y := x]4 ; [x := x.cdr]5 ; [y.cdr := z]6 ); [z := nil]7 x y z ξ4 cdr ξ4 cdr ξ3 cdr ξ2 cdr ξ1 cdr Heap x y z n{x} nØ n{y} n{z} cdr cdr cdr Shape Graph

38. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] A little Example [y := nil]1 ; while [not is-nil(x)]2 do ([z := y]3 ; [y := x]4 ; [x := x.cdr]5 ; [y.cdr := z]6 ); [z := nil]7 x y z ξ5 cdr ξ4 cdr ξ3 cdr ξ2 cdr ξ1 cdr Heap y z nØ n{y} n{z} cdr cdr cdr Shape Graph

39. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Sharing Informations Heap Representation Shape Graph x ξ1 ξ2 ξ3 cdr cdr ξ5y ξ4 cdr cdr cdr x y n{x} nØ cdr cdr n{y} cdr We want to represent a set is of locations that are shared due to pointers in the heap. The idea is that if an abstract location nX will be included in is if it is a target of two or more pointer in the heap. We must assure that the sharing information inside is is consistent with the information inside the abstract heap H.

40. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Sharing Informations Heap Representation Shape Graph x ξ1 ξ2 ξ3 cdr cdr y ξ5 cdr cdr ξ4 cdr x y n{x} nØ cdr cdr n{y} cdr We want to represent a set is of locations that are shared due to pointers in the heap. The idea is that if an abstract location nX will be included in is if it is a target of two or more pointer in the heap. We must assure that the sharing information inside is is consistent with the information inside the abstract heap H.

41. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Sharing Informations Heap Representation Shape Graph x ξ2 ξ3 ξ4 cdr cdr y ξ5 cdr cdr ξ1 cdr x y n{x} nØ cdr n{y} cdr cdr We want to represent a set is of locations that are shared due to pointers in the heap. The idea is that if an abstract location nX will be included in is if it is a target of two or more pointer in the heap. We must assure that the sharing information inside is is consistent with the information inside the abstract heap H.

42. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Sharing Informations So we impose two different invariants Invariant 4 If nX ∈ is then either (a) (n∅, sel, nX ) is in the abstract heap for some sel, or (b) there exists two distinct triples (nV , sel1, nX ) and (nW , sel2, nX ) into the abstract heap (that is either sel1 = sel2 or V = W ). Invariant 4 imposes that the information in the sharing component is is reflected into the abstract heap. Case 4(a) takes care of cases where there are links between n∅ and nX in the heap; Case 4(b) takes care of cases where there are link between different pointers (distinct source or selector) to nX .

45. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Sharing Informations Invariant 5 imposes that the information in the abstract heap H is reﬂected into the sharing component. Invariant 5 Whenever there are two distinct triples (nV , sel1, nX ) and (nW , sel2, nX ) in the abstract heap and nX = n∅ then nX ∈ is. Note that Invariant 5 is the “inverse” of 4(b). We don’t have an “inverse” of case 4(a), the presence of a pointer from n∅ to nX in H does not give information concerning sharing.

46. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Sharing Informations and n∅ Taking in consideration the abstract summary location n∅: If n∅ ∈ is then it will be at least one location represented by n∅ that is a target by two or more pointers. Heap Shape Graph x y sel sel ξ1 ξ3 ξ2 ξ4 sel x y n{x} nØ sel n{y} sel sel

47. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Sharing Informations and n∅ Taking in consideration the abstract summary location n∅: If n∅ ∈ is then all the location represented by n∅ will be target by at most one pointer (Does not exist a location with two incoming edge). Heap Shape Graph x y sel sel ξ1 ξ3 ξ2 ξ4 x y n{x} nØ sel n{y} sel

48. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Summarize To summarize a shape graph is composed by: S ∈ AState = P(Var∗ × ALoc) H ∈ AHeap = P(ALoc × Sel × ALoc) is ∈ IsShared = P(ALoc) where ALoc = {nZ | Z ⊆ Var∗}

49. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Compatible Shape Graph We say that a shape graph is compatible if it fulﬁl the 5 invariants: 1. ∀nV , nW ∈ ALoc(S) ∪ ALoc(H) ∪ is : (V = W ) ∨ (V ∩ W = ∅) 2. ∀(x, nX ) ∈ S : x ∈ X 3. ∀(nV , sel, nW ), (nV , sel, nW ) ∈ H : (V = ∅) ∨ (W = W ) 4. ∀nX ∈ is : (∃sel : (n∅, sel, nX ) ∈ H) ∨ (∃(nV , sel1, nX ), (nW , sel2, nX ) ∈ H : sel1 = sel2 ∨ V = W ) 5. ∀(nV , sel1, nX ), (nW , sel2, nX ) ∈ H : ((sel1 = sel2 ∨ V = W ) ∧ X = ∅) ⇒ nX ∈ is

50. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] Compatible Shape Graph The sets of compatible shape graphs is denoted by SG = {(S,H,is) | (S,H,is) is compatible} Our analysis will work on sets of compatible shape graphs (elements of P(SG)). P(SG) is trivially a complete lattice, with being ∪ and being ⊆. P(SG) is obviously ﬁnite because SG ⊆ AState × AHeap × IsShared, and AState, AHeap and IsShared are ﬁnite.

54. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] The Analysis We introduce the analysis Shape as an instance of a Monotone Framework. For every labeled program S∗ we produce a sets of equations of the form. Shape◦( ) = ι if = init(S∗) {Shape•( ) | ( , ) ∈ ﬂow(S∗)} otherwise Shape•( ) = f SA (Shape◦( )) Where ι ∈ P(SG) is the extremal value at entry of S∗ and f SA is the transfer function.

57. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] The Analysis The analysis Shape is a forward analysis, because it’s defined using the set flow(S∗). It’s also a may analysis since we are using the operator for combining results gathered from the flow(S∗). The transfer function f SA : P(SG) → P(SG) has the form: f SA (SG) = {φSA ((S, H, is)) | (S, H, is) ∈ SG} The function φSA has to be developed right now.

60. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] The function φSA The function φSA : SG → P(SG) speciﬁes how a single graph in Shape◦( ) is transformed into a set of graph in Shape•( ) We present the φSA function for all the diﬀerent kind of statements.

61. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] The function φSA The function φSA : SG → P(SG) speciﬁes how a single graph in Shape◦( ) is transformed into a set of graph in Shape•( ) We present the φSA function for all the diﬀerent kind of statements.

62. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [b] and [skip]

63. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [b] and [skip] Since [b] and [skip] does not modify the heap, the φSA function is just the identity functions, remember that we are interested in the heap shape. φSA ((S, H, is)) = {(S, H, is)}

64. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [b] and [skip] Since [b] and [skip] does not modify the heap, the φSA function is just the identity functions, remember that we are interested in the heap shape. φSA ((S, H, is)) = {(S, H, is)}

65. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := a]

66. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := a] We consider [x := a] in the case where a is of the form n, a1 opa a2 or nil. We must remove the binding of x and rename all the abstract location that contains x. kx(nZ ) = nZ{x} So we take φSA ((S, H, is)) = {killx(S, H, is)}

69. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := a] Where killx(S, H, is) = (S , H , is ) is given by S = {(z, kx(nZ )) | (z, nZ ) ∈ S ∧ z = x} H = {(kx(nV ), sel, kx(nW )) | (nV , sel, nW ) ∈ H} is = {(kx(nX )) | nX ∈ is} It’s easy to prove that if (S, H, is) is compatible, even (S , H , is ) is compatible.

70. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := a] Where killx(S, H, is) = (S , H , is ) is given by S = {(z, kx(nZ )) | (z, nZ ) ∈ S ∧ z = x} H = {(kx(nV ), sel, kx(nW )) | (nV , sel, nW ) ∈ H} is = {(kx(nX )) | nX ∈ is} It’s easy to prove that if (S, H, is) is compatible, even (S , H , is ) is compatible.

71. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] If (x, n{x}) is in S? If (x, n{x}) is in S then the two abstract location n{x} and n∅ will be merged. From this we can deduce that n∅ will be unshared if both n{x} and n∅ was unshared. Garbage Collection Please note that our analysis does not provide a garbage collector, so if n{x} has no heap pointer, it is unreachable. Consider that there will be a pointer from n∅ to the location that n{x} might point to.

74. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := a] x n{x} nW sel2 nV sel1 nØ (S, H, is) sel2 nØ nW nV sel1 (S , H , is )

75. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y]

76. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y] if x = y the f SA is just the identity function. if x = y then we execute the following steps: 1. We remove the old binding for x with killx, 2. We update the abstract location that contains y adding {x} to the variable sets. This can be done with gy x (nZ ) = nZ∪{x} if y ∈ Z nZ otherwise

79. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y] So we take φSA ((S, H, is)) = {(S , H , is )} Where (S , H , is ) = killx((S, H, is)) and S = {(z, gy x (nZ )) | (z, nZ ) ∈ S } ∪ {(x, gy x (nY )) | (y , nY ) ∈ S ∧ y = y} H = {(gy x (nV ), sel, gy x (nW )) | (nV , sel, nW ) ∈ H } is = {gy x (nZ ) | nZ ∈ is } Again it’s easy to prove that if (S, H, is) is compatible, even (S , H , is ) is compatible.

82. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y] S = {(z, gy x (nZ )) | (z, nZ ) ∈ S } ∪ {(x, gy x (nY )) | (y , nY ) ∈ S ∧ y = y} H = {(gy x (nV ), sel, gy x (nW )) | (nV , sel, nW ) ∈ H } is = {gy x (nZ ) | nZ ∈ is } Please note that the clause in blue is the adding of the binding of x. The sharing information of nY ∪{x} in inherited from nY .

83. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y] A little example when x = y. x nX nY sel2 sel1 nV nWy (S, H, is)

84. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y] A little example when x = y. x nX{x} nY∪{x} sel2 sel1 nV nWy (S , H , is )

85. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel]

86. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] If x = y the assignment is equivalent to: [t := y.sel] 1 ; [x := t] 2 ; [t := nil] 3 ; Where t is a fresh variable and 1, 2 and 3 are fresh labels. We can obtain the transfer function f SA as a composition: f SA = f SA 3 ◦ f SA 2 ◦ f SA 1 So f SA 2 and f SA 3 can be computed using the same pattern as before. We concentrate on f SA 1 (or similar in the case when x = y).

87. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] If x = y the assignment is equivalent to: [t := y.sel] 1 ; [x := t] 2 ; [t := nil] 3 ; Where t is a fresh variable and 1, 2 and 3 are fresh labels. We can obtain the transfer function f SA as a composition: f SA = f SA 3 ◦ f SA 2 ◦ f SA 1 So f SA 2 and f SA 3 can be computed using the same pattern as before. We concentrate on f SA 1 (or similar in the case when x = y).

88. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] First of all we remove the old binding for x: (S , H , is ) = killx((S, H, is)) Then we must rename the abstract location corresponding to y.sel to include x into the variable set, then we must add the new binding for x. We can have 3 diﬀerent cases: 1. There is no abstract location nY such that (y, nY ) ∈ S , or it exist but there is no nZ such that (nY , sel, nZ ) ∈ H . 2. There is an abstract location nY such that (y, nY ) ∈ S and there is a nU = n∅ such that (nY , sel, nU ) ∈ H . 3. There is an abstract location nY such that (y, nY ) ∈ S and there is a triple such that (nY , sel, n∅) ∈ H .

93. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 1 In the case where there is no abstract location nY such that (y, nY ) ∈ S we simply take: φSA ((S, H, is)) = killx((S, H, is)) In the case where there is no nZ such that (nY , sel, nZ ) ∈ H we again take φSA ((S, H, is)) = killx((S, H, is)) In both case there is no binding to add, so we simply remove the old binding for x. The ﬁrst case is the case of de-referencing of nil-pointer, the second case is the case of de-referencing of non-existing ﬁelds.

96. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 2 We consider the case where there is an abstract location nY such that (y, nY ) ∈ S and there is a nU = n∅ such that (nY , sel, nU ) ∈ H . We must rename nU to include x into the variable set using the function: hU x (nZ ) = nZ∪{x} if Z = U nZ otherwise

97. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 2 We consider the case where there is an abstract location nY such that (y, nY ) ∈ S and there is a nU = n∅ such that (nY , sel, nU ) ∈ H . We must rename nU to include x into the variable set using the function: hU x (nZ ) = nZ∪{x} if Z = U nZ otherwise

98. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 2 So we take φSA ((S, H, is)) = {(S , H , is )} Where (S , H , is ) = killx((S, H, is)) and S = {(z, hU x (nZ )) | (z, nZ ) ∈ S } ∪ {(x, hU x (nU ))} H = {(hU x (nV ), sel, hU x (nW )) | (nV , sel, nW ) ∈ H } is = {hU x (nZ ) | nZ ∈ is }

99. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 2 So we take φSA ((S, H, is)) = {(S , H , is )} Where (S , H , is ) = killx((S, H, is)) and S = {(z, hU x (nZ )) | (z, nZ ) ∈ S } ∪ {(x, hU x (nU ))} H = {(hU x (nV ), sel, hU x (nW )) | (nV , sel, nW ) ∈ H } is = {hU x (nZ ) | nZ ∈ is }

100. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 2 S = {(z, hU x (nZ )) | (z, nZ ) ∈ S } ∪ {(x, hU x (nU ))} The clause in blue represent the adding of the new binding for x. As before nU∪{x} is shared in (H ) if and only if nU was shared in (H ).

101. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 2 Let’s show this case with a little example when x = y, and in case when nU ∈ is. x nX nY sel sel1 nV nUy sel2 nW (S, H, is)

102. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 2 Let’s show this case with a little example when x = y, and in case when nU ∈ is. x nX{x} nY sel sel1 nV nU∪{x}y sel2 nW (S , H , is )

103. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 Consider now the case where there is an abstract location nY such that (y, nY ) ∈ S and there is a triple such that (nY , sel, n∅) ∈ H . The location for y.sel is represented by n∅ (that represent even other locations). We must materialize an abstract location n{x} from n∅, doing so n{x} will represent y.sel and n∅ will represent the remaining locations. This operation is a bit hard so let’s consider an example

106. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 x x x We can determinate obviously that [x := nil]···; [x := y.sel] is equivalent to [x := y.sel] (S , H , is ) = killx((S, H, is)) (S , H , is ) = killx((S , H , is )) (S , H , is ) = (S , H , is )

111. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 So ﬁnally killx((S , H , is )) = (S , H , is ) Then we can also say that (x, n{x}) ∈ S and that (nY , sel, n{x}) ∈ H . So we can take φSA ((S, H, is)) = {(S , H , is ) | (S , H , is ) is compatible ∧ killx((S , H , is )) = (S , H , is ) ∧ (x, n{x}) ∈ S ∧ (nY , sel, n{x}) ∈ H }

112. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 So ﬁnally killx((S , H , is )) = (S , H , is ) Then we can also say that (x, n{x}) ∈ S and that (nY , sel, n{x}) ∈ H . So we can take φSA ((S, H, is)) = {(S , H , is ) | (S , H , is ) is compatible ∧ killx((S , H , is )) = (S , H , is ) ∧ (x, n{x}) ∈ S ∧ (nY , sel, n{x}) ∈ H }

113. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 We are sure that we have included all the possible solutions. So our function is sound. Is it possible that we have included too much solutions, so we are losing precision? We will now argue that the amount of imprecision in not excessive.

116. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 First we prove that S = S ∪ {(x, n{x})} Proof S ⊆ S ∪ {(x, n{x})} Consider (z, nZ ) ∈ S . If z = x then from compatibility nZ = n{x}. If z = x then from (x, n{x}) ∈ S and the compatibility we deduce that x ∈ Z and so (z, nZ ) = (z, kx(nZ )) (and kx is used to deﬁne killx). S ⊇ S ∪ {(x, n{x})} Consider (u, nU ) ∈ S . We know from deﬁnition of S and from compatibility that u = x and x ∈ U. There must be a (u, nU ) ∈ S such that kx(nU ) = nU , but since x = y we obtain nU = nU .

117. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 First we prove that S = S ∪ {(x, n{x})} Proof S ⊆ S ∪ {(x, n{x})} Consider (z, nZ ) ∈ S . If z = x then from compatibility nZ = n{x}. If z = x then from (x, n{x}) ∈ S and the compatibility we deduce that x ∈ Z and so (z, nZ ) = (z, kx(nZ )) (and kx is used to deﬁne killx). S ⊇ S ∪ {(x, n{x})} Consider (u, nU ) ∈ S . We know from deﬁnition of S and from compatibility that u = x and x ∈ U. There must be a (u, nU ) ∈ S such that kx(nU ) = nU , but since x = y we obtain nU = nU .

118. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 Then we prove that is {n∅} = is {n∅, n{x}} n∅ ∈ is iﬀ n∅ ∈ is ∨ n{x} ∈ is Equal as showing that Sharing information of location apart n∅ are conserved, If n∅ is shared then it can rise share to n∅ or to n{x} (or both), If n∅ is not shared, we can’t introduce a sharing for n∅ neither for n{x}.

119. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 Then we prove that is {n∅} = is {n∅, n{x}} n∅ ∈ is iﬀ n∅ ∈ is ∨ n{x} ∈ is Equal as showing that Sharing information of location apart n∅ are conserved, If n∅ is shared then it can rise share to n∅ or to n{x} (or both), If n∅ is not shared, we can’t introduce a sharing for n∅ neither for n{x}.

120. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 Then we prove that is {n∅} = is {n∅, n{x}} n∅ ∈ is iﬀ n∅ ∈ is ∨ n{x} ∈ is Proof Since (S , H , is ) and (S , H , is ) are compatible, if nU ∈ is then x ∈ U and if nU ∈ is then x ∈ U ∨ {x} = U. Remember that is = {kx(nU ) | nU ∈ is }, so we can deduce that is {n∅} = is {n∅, n{x}}, because kx(nU ) = nU = n∅ for all nU ∈ is {n∅, n{x}}. More n∅ ∈ is ∨ n{x} ∈ is ⇒ n∅ ∈ is and more n∅ ∈ is ∧ n{x} ∈ is ⇒ n∅ ∈ is

121. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 Then we prove that is {n∅} = is {n∅, n{x}} n∅ ∈ is iﬀ n∅ ∈ is ∨ n{x} ∈ is Proof Since (S , H , is ) and (S , H , is ) are compatible, if nU ∈ is then x ∈ U and if nU ∈ is then x ∈ U ∨ {x} = U. Remember that is = {kx(nU ) | nU ∈ is }, so we can deduce that is {n∅} = is {n∅, n{x}}, because kx(nU ) = nU = n∅ for all nU ∈ is {n∅, n{x}}. More n∅ ∈ is ∨ n{x} ∈ is ⇒ n∅ ∈ is and more n∅ ∈ is ∧ n{x} ∈ is ⇒ n∅ ∈ is

122. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 Now consider the abstract heap H, we first classify the edge depending on if the source and the target are either n∅ or n{x}. (nV , sel , nW ) is external iff {nV , nW } ∩ {n∅, n{x}} = ∅ (nV , sel , nW ) is internal iff {nV , nW } ⊆ {n∅, n{x}} (nV , sel , nW ) is going-out iff nV ∈ {n∅, n{x}} ∧ nW ∈ {n∅, n{x}} (nV , sel , nW ) is going-in iff nV ∈ {n∅, n{x}} ∧ nW ∈ {n∅, n{x}} We say that two edge (nV , sel , nW ) and (nV , sel , nW ) are related if and only if kx(nV ) = kx(nV ), sel = sel and kx(nW ) = kx(nW ).

125. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 We can show that H and H have the same external edges, each internal edge in H is related to an internal edge in H and vice versa, each going-out edge in H is related to a going-out edge in H and vice versa, each going-in edge in H is related to a going-in edge in H and vice versa, Obviously the edge (nY , sel, n∅) ∈ H must be update with (nY , sel, n{x}) ∈ H . We impose that (nY , sel, n{x}) ∈ H , and because of compatibility we deduce that (nY , sel, n{x}) ∈ H .

130. Shape Analysis Nicola Corti & Alessandro Baroni Introduction Syntax Semantic Pointer Expressions Arithmetic & Boolean Expressions Statements Shape Graphs Abstract Location Abstract State Abstract Heaps Example Sharing Informations Complete Lattice The Analysis [b] and [skip] [x := a] [x := y] [x := y.sel] Case 1 Case 2 Case 3 [x.sel := a] [x.sel := y] [x.sel := y.sel ] [malloc x] [malloc x.sel] [x := y.sel] - Case 3 Consider the following scenario and let’s see what happens after [x := y.sel] . x nX nY sel sel1 nV nØy sel2 nW sel3 (S, H, is)

Shape Analysis

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Viewers also liked

Viewers also liked (20)

Similar to Shape Analysis

Similar to Shape Analysis (20)

Recently uploaded

Recently uploaded (20)

Shape Analysis