Pointer analysis

Flow insensitive loss of precision S1: l := new Cons p := l S2: t := new Cons *p := t p := t l t S1 p S2 l t S1 p S2 l t S1 p S2 l t S1 p S2 Flow-sensitive Soln Flow-insensitive Soln (Andersen) l t S1 p S2

Flow insensitive loss of precision Flow insensitive analysis leads to loss of precision! main() { x := &y;... x := &z; } Flow insensitive analysis tells us that x may point to z here! However: –uses less memory (memory can be a big bottleneck to running on large programs) –runs faster

Worst case complexity of Andersen *x = y x abc y def x abc y def Worst case: N 2 per statement, so at least N 3 for the whole program. Andersen is in fact O(N 3 )

New idea: one successor per node Make each node have only one successor. This is an invariant that we want to maintain. x a,b,c y d,e,f *x = y x a,b,c y d,e,f

x *x = y y More general case for *x = y

x *x = y yxyxy More general case for *x = y

x x = *y y Handling: x = *y

x x = *y yxyxy Handling: x = *y

x x = y y x = &y xy Handling: x = y (what about y = x?) Handling: x = &y

x x = y yxyxy x = &y xyx y,… xy Handling: x = y (what about y = x?) Handling: x = &y get the same for y = x

Our favorite example, once more! S1: l := new Cons p := l S2: t := new Cons *p := t p := t

Our favorite example, once more! S1: l := new Cons p := l S2: t := new Cons *p := t p := t l S1 t S2 p l S1 l p l t S2 p l S1,S2 tp l S1 t S2 p 4 5

Flow insensitive loss of precision S1: l := new Cons p := l S2: t := new Cons *p := t p := t l t S1 p S2 l t S1 p S2 l t S1 p S2 l t S1 p S2 Flow-sensitive Subset-based Flow-insensitive Subset-based l t S1 p S2 l S1,S2 tp Flow-insensitive Unification- based

bar() { i := &a; j := &b; foo(&i); foo(&j); // i pnts to what? *i :=...; } void foo(int* p) { printf(“%d”,*p); } Another example

bar() { i := &a; j := &b; foo(&i); foo(&j); // i pnts to what? *i :=...; } void foo(int* p) { printf(“%d”,*p); } i a j b p i a i a j b i a j b p i,j a,b p Another example 4 3

Steensgaard & beyond A well engineered implementation of Steensgaard ran on Word97 (2.1 MLOC) in 1 minute. One Level Flow (Das PLDI 00) is an extension to Steensgaard that gets more precision and runs in 2 minutes on Word97.

Correctness

Compilers have many bugs [Bug middle-end/19650] New: miscompilation of correct code [Bug c++/19731] arguments incorrectly named in static member specialization [Bug rtl-optimization/13300] Variable incorrectly identified as a biv [Bug rtl-optimization/16052] strength reduction produces wrong code [Bug tree-optimization/19633] local address incorrectly thought to escape [Bug target/19683] New: MIPS wrong-code for 64-bit multiply [Bug c++/19605] Wrong member offset in inherited classes Bug java/19295] [4.0 regression] Incorrect bytecode produced for bitwise AND … Searched for “incorrect” and “wrong” in the gcc- bugs mailing list. Some of the results: Total of 545 matches… And this is only for one month! On a mature compiler!

Compiler bugs cause problems if (…) { x := …; } else { y := …; } …; Exec Compiler They lead to buggy executables They rule out having strong guarantees about executables

The focus: compiler optimizations A key part of any optimizing compiler Original program Optimization Optimized program

The focus: compiler optimizations A key part of any optimizing compiler Hard to get optimizations right –Lots of infrastructure-dependent details –There are many corner cases in each optimization –There are many optimizations and they interact in unexpected ways –It is hard to test all these corner cases and all these interactions

Goals Make it easier to write compiler optimizations –student in an undergrad compiler course should be able to write optimizations Provide strong guarantees about the correctness of optimizations –automatically (no user intervention at all) –statically (before the opts are even run once) Expressive enough for realistic optimizations

The Rhodium work A domain-specific language for writing optimizations: Rhodium A correctness checker for Rhodium optimizations An execution engine for Rhodium optimizations Implemented and checked the correctness of a variety of realistic optimizations

Broader implications Many other kinds of program manipulators: code refactoring tools, static checkers –Rhodium work is about program analyses and transformations, the core of any program manipulator Enables safe extensible program manipulators –Allow end programmers to easily and safely extend program manipulators –Improve programmer productivity

Outline Introduction Overview of the Rhodium system Writing Rhodium optimizations Checking Rhodium optimizations Discussion

Rhodium system overview Checker Written by programmer Written by the Rhodium team Rhodium Execution engine Rdm Opt Rdm Opt Rdm Opt

Rhodium system overview Checker Written by programmer Written by the Rhodium team Rhodium Execution engine Rdm Opt Rdm Opt Rdm Opt

Rhodium system overview Rdm Opt Rdm Opt Rdm Opt Checker

Rhodium system overview Exec Compiler Rhodium Execution engine Rdm Opt Rdm Opt Rdm Opt if (…) { x := …; } else { y := …; } …; Checker

The technical problem Tension between: –Expressiveness –Automated correctness checking Challenge: develop techniques –that will go a long way in terms of expressiveness –that allow correctness to be checked

Solution: three techniques Automatic Theorem Prover Rdm Opt Verification Task Checker Show that for any original program: behavior of original program = behavior of optimized program Verification Task

Solution: three techniques Automatic Theorem Prover Rdm Opt Verification Task

Solution: three techniques Automatic Theorem Prover Rdm Opt Verification Task

Solution: three techniques 1.Rhodium is declarative –declare intent using rules –execution engine takes care of the rest Automatic Theorem Prover Rdm Opt

Solution: three techniques Automatic Theorem Prover Rdm Opt 1.Rhodium is declarative –declare intent using rules –execution engine takes care of the rest

Solution: three techniques 1.Rhodium is declarative 2.Factor out heuristics –legal transformations –vs. profitable transformations Automatic Theorem Prover Rdm Opt Heuristics not affecting correctness Part that must be reasoned about

Solution: three techniques Automatic Theorem Prover 1.Rhodium is declarative 2.Factor out heuristics –legal transformations –vs. profitable transformations Heuristics not affecting correctness Part that must be reasoned about

Solution: three techniques 1.Rhodium is declarative 2.Factor out heuristics 3.Split verification task –opt-dependent –vs. opt-independent Automatic Theorem Prover opt- dependent opt- independent

Solution: three techniques 1.Rhodium is declarative 2.Factor out heuristics 3.Split verification task –opt-dependent –vs. opt-independent Automatic Theorem Prover

Solution: three techniques Automatic Theorem Prover 1.Rhodium is declarative 2.Factor out heuristics 3.Split verification task –opt-dependent –vs. opt-independent

Solution: three techniques Automatic Theorem Prover 1.Rhodium is declarative 2.Factor out heuristics 3.Split verification task Result: Expressive language Automated correctness checking

Outline Introduction Overview of the Rhodium system Writing Rhodium optimizations Checking Rhodium optimizations Discussion

MustPointTo analysis c = a a = &b d = *c ab c ab d = b

MustPointTo info in Rhodium c = a a = &b mustPointTo ( a, b ) c ab mustPointTo ( c, b ) ab d = *c

MustPointTo info in Rhodium c = a a = &b d = *c c ab mustPointTo ( a, b ) mustPointTo ( c, b ) c = a a = &b d = *c c ab mustPointTo ( a, b ) mustPointTo ( c, b ) mustPointTo ( a, b ) abab

MustPointTo info in Rhodium define fact mustPointTo(X:Var,Y:Var) with meaning « X == &Y ¬ c = a a = &b d = *c c ab mustPointTo ( a, b ) mustPointTo ( c, b ) mustPointTo ( a, b ) ab Fact correct on edge if: whenever program execution reaches edge, meaning of fact evaluates to true in the program state

Propagating facts c = a a = &b d = *c c ab mustPointTo ( a, b ) mustPointTo ( c, b ) mustPointTo ( a, b ) ab define fact mustPointTo(X:Var,Y:Var) with meaning « X == &Y ¬

a = &b Propagating facts c = a a = &b d = *c c ab mustPointTo ( a, b ) mustPointTo ( c, b ) if currStmt == [X = &Y] then mustPointTo ( a, b ) ab define fact mustPointTo(X:Var,Y:Var) with meaning « X == &Y ¬

Propagating facts c = a a = &b d = *c c ab mustPointTo ( a, b ) mustPointTo ( c, b ) mustPointTo ( a, b ) ab define fact mustPointTo(X:Var,Y:Var) with meaning « X == &Y ¬ if currStmt == [X = &Y] then

c = a Propagating facts a = &b d = *c c ab mustPointTo ( a, b ) mustPointTo ( c, b ) if Æ currStmt == [Z = X] then mustPointTo ( c, b ) mustPointTo ( a, b ) ab define fact mustPointTo(X:Var,Y:Var) with meaning « X == &Y ¬ if currStmt == [X = &Y] then

Propagating facts c = a a = &b d = *c c ab mustPointTo ( a, b ) mustPointTo ( c, b ) mustPointTo ( a, b ) ab define fact mustPointTo(X:Var,Y:Var) with meaning « X == &Y ¬ if Æ currStmt == [Z = X] then if currStmt == [X = &Y] then

d = *c Transformations c = a a = &b c ab mustPointTo ( a, b ) mustPointTo ( c, b ) if Æ currStmt == [Z = *X] then transform to [Z = Y] mustPointTo ( c, b ) d = b mustPointTo ( a, b ) ab define fact mustPointTo(X:Var,Y:Var) with meaning « X == &Y ¬ if Æ currStmt == [Z = X] then if currStmt == [X = &Y] then

d = *c Transformations c = a a = &b c ab mustPointTo ( a, b ) mustPointTo ( c, b ) if Æ currStmt == [Z = *X] then transform to [Z = Y] d = b mustPointTo ( a, b ) ab define fact mustPointTo(X:Var,Y:Var) with meaning « X == &Y ¬ if Æ currStmt == [Z = X] then if currStmt == [X = &Y] then

Profitability heuristics Legal transformations Subset of legal transformations (identified by the Rhodium rules) (actually performed) Profitability Heuristics

Profitability heuristic example 1 Inlining Many heuristics to determine when to inline a function –compute function sizes, estimate code-size increase, estimate performance benefit –maybe even use AI techniques to make the decision However, these heuristics do not affect the correctness of inlining They are just used to choose which of the correct set of transformations to perform

Profitability heuristic example 2 a :=...; b :=...; if (...) { a :=...; x := a + b; } else {... } x := a + b; Partial redundancy elimination (PRE)

Profitability heuristic example 2 Code duplication a :=...; b :=...; if (...) { a :=...; x := a + b; } else {... } x := a + b; PRE as code duplication followed by CSE

Profitability heuristic example 2 Code duplication CSE a :=...; b :=...; if (...) { a :=...; x := a + b; } else {... } x := x := a + b; a + b; x; PRE as code duplication followed by CSE

Profitability heuristic example 2 Code duplication CSE self-assignment removal a :=...; b :=...; if (...) { a :=...; x := a + b; } else {... } x := x := a + b; x; PRE as code duplication followed by CSE

a :=...; b :=...; if (...) { a :=...; x := a + b; } else {... } x := a + b; Profitability heuristic example 2 Legal placements of x := a + b Profitable placement

Semantics of a Rhodium opt Run propagation rules in a loop until there are no more changes (optimistic iterative analysis) Then run transformation rules to identify the set of legal transformations Then run profitability heuristics to determine set of transformations to perform

More facts define fact mustNotPointTo(X:Var,Y:Var) with meaning « X  &Y ¬ define fact hasConstantValue(X:Var,C:Const) with meaning « X == C ¬ define fact doesNotPointIntoHeap(X:Var) with meaning « X == null Ç 9 Y:Var. X == &Y ¬

More rules if currStmt == [X = *A] Æ Æ 8 B:Var. ) mustNotPointTo(B,Y) then if currStmt == [Y = I + BE ] Æ Æ Æ : mayDef(X) Æ : mayDefArray(A) Æ unchanged(BE) then

More in Rhodium More powerful pointer analyses –Heap summaries Analyses across procedures –Interprocedural analyses Analyses that don’t care about the order of statements –Flow-insensitive analyses

Outline Introduction Overview of the Rhodium system Writing Rhodium optimizations Checking Rhodium optimizations Discussion

Exec Compiler Rhodium Execution engine Rdm Opt Rdm Opt if (…) { x := …; } else { y := …; } …; Checker Rhodium correctness checker Rdm Opt Checker

Rhodium correctness checker Checker Rdm Opt

Checker Rhodium correctness checker Automatic theorem prover Rdm Opt Checker

Rhodium correctness checker Automatic theorem prover define fact … if … then transform … if … then … Checker Profitability heuristics Rhodium optimization

Rhodium correctness checker Automatic theorem prover Rhodium optimization define fact … if … then transform … if … then … Checker

Rhodium correctness checker Automatic theorem prover Rhodium optimization define fact … VCGen Local VC Lemma For any Rhodium opt: If Local VCs are true Then opt is correct Proof   «  ¬   $  \ r t  l Checker Opt- dependent Opt- independent VCGen if … then … if … then transform …

Local verification conditions define fact mustPointTo(X,Y) with meaning « X == &Y ¬ if Æ currStmt == [Z = X] then if Æ currStmt == [Z = *X] then transform to [Z = Y] Assume: Propagated fact is correct Show: All incoming facts are correct Assume: Original stmt and transformed stmt have same behavior Show: All incoming facts are correct Local VCs (generated and proven automatically)

Local correctness of prop. rules currStmt == [Z = X] then Local VC (generated and proven automatically) if Æ define fact mustPointTo(X,Y) with meaning « X == &Y ¬ Assume: Propagated fact is correct Show: All incoming facts are correct Show: « Z == &Y ¬ (  out ) « X == &Y ¬ (  in ) Æ  out  = step (  in, [Z = X] ) Assume: mustPointTo ( X, Y ) mustPointTo ( Z, Y ) Z := X

Local correctness of prop. rules Show: « Z == &Y ¬ (  out ) « X == &Y ¬ (  in ) Æ  out  = step (  in, [Z = X] ) Assume: Local VC (generated and proven automatically) define fact mustPointTo(X,Y) with meaning « X == &Y ¬ currStmt == [Z = X] then if Æ mustPointTo ( X, Y ) mustPointTo ( Z, Y ) Z := X XY  in  out ZY ?    

Local correctness of trans. rules Local VC (generated and proven automatically) define fact mustPointTo(X,Y) with meaning « X == &Y ¬ mustPointTo ( X, Y ) Z := *X Z := Y if Æ currStmt = [Z = *X] then transform to [Z = Y] Assume: Original stmt and transformed stmt have same behavior Show: All incoming facts are correct step (  in, [Z = Y] ) « X == &Y ¬ (  in ) Show: step (  in, [Z = *X] ) = Assume:

Local correctness of trans. rules step (  in, [Z = Y] ) « X == &Y ¬ (  in ) Show: step (  in, [Z = *X] ) = Assume: Local VC (generated and proven automatically) define fact mustPointTo(X,Y) with meaning « X == &Y ¬ if Æ currStmt = [Z = *X] then transform to [Z = Y] mustPointTo ( X, Y ) Z := *X Z := Y Z := *X XY  in  out ? Z := Y XY  in  out

Outline Introduction Overview of the Rhodium system Writing Rhodium optimizations Checking Rhodium optimizations Discussion

Topics of Discussion Correctness guarantees Usefulness of the checker Expressiveness

Correctness guarantees Once checked, optimizations are guaranteed to be correct Caveat: trusted computing base –execution engine –checker implementation –proofs done by hand once Adding a new optimization does not increase the size of the trusted computing base Guarantees Usefulness Expressiveness

Usefulness of the checker Found subtle bugs in my initial implementation of various optimizations define fact equals(X:Var, E:Expr) with meaning « X == E ¬ if currStmt == [X = E] then x := x + 1x = x + 1 equals ( x, x + 1 ) Guarantees Usefulness Expressiveness

if currStmt == [X = E] then if currStmt == [X = E] Æ “X does not appear in E” then Usefulness of the checker Found subtle bugs in my initial implementation of various optimizations define fact equals(X:Var, E:Expr) with meaning « X == E ¬ x := x + 1x = x + 1 equals ( x, x + 1 ) Guarantees Usefulness Expressiveness

x = x + 1 x = *y + 1 Usefulness of the checker Found subtle bugs in my initial implementation of various optimizations define fact equals(X:Var, E:Expr) with meaning « X == E ¬ if currStmt == [X = E] Æ “X does not appear in E” then equals ( x, x + 1 ) equals ( x, *y + 1 ) if currStmt == [X = E] Æ “E does not use X” then Guarantees Usefulness Expressiveness

Rhodium expressiveness Traditional optimizations: –const prop and folding, branch folding, dead assignment elim, common sub-expression elim, partial redundancy elim, partial dead assignment elim, arithmetic invariant detection, and integer range analysis. Pointer analyses –must-point-to analysis, Andersen's may-point-to analysis with heap summaries Loop opts –loop-induction-variable strength reduction, code hoisting, code sinking Array opts –constant propagation through array elements, redundant array load elimination Guarantees Usefulness Expressiveness

Expressiveness limitations May not be able to express your optimization in Rhodium –opts that build complicated data structures –opts that perform complicated many-to-many transformations (e.g.: loop fusion, loop unrolling) A correct Rhodium optimization may be rejected by the correctness checker –limitations of the theorem prover –limitations of first-order logic Guarantees Usefulness Expressiveness

Lessons learned (discussion)

Lessons learned (my answers) Capture structure of problem –Rhodium: flow functions, rewrite rules, prof. heuristics –Restricts the programmer, but can lead to better reasoning abilities –Split correctness-critical code from rest Split verification task –meta-level vs. per-verification –between analysis tool and theorem prover –between human and theorem prover

Lessons learned (my answers) DSL design is an iterative process –Hard to see best design without trying something first Previous version of Rhodium was called Cobalt –Cobalt was based on temporal logic –Stepping stone towards Rhodium

Lessons learned (my answers) One of the gotchas is efficient execution –easier to reason about automatically does not always mean easier to execute efficiently –can possibly recover efficiency with hints from users –how can you trust a complex execution engine? Rely on annotations? –meanings in Rhodium –May be ok, especially if annotations simply state what the programmer is already thinking

Conclusion Rhodium system –makes it easier to write optimizations –provides correctness guarantees –is expressive enough for realistic optimizations Rhodium is an example of using a DSL to allow more precise reasoning