Shape Analysis

Nicola Corti &Alessandro Baroni

IntroductionSyntax

SemanticPointer Expressions

Arithmetic & BooleanExpressions

Statements

Shape GraphsAbstract Location

Abstract State

Abstract Heaps

Example

Sharing Informations

Complete Lattice

The Analysis[b]` and [skip]`

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[x.sel := y.sel′ ]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

Nicola Corti & Alessandro Baroni

University of PisaStatic Analysis Techniques course

8 May 2014

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Introduction

Semantic

Shape Graphs

The Analysis

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

What is the Shape Analysis?

Shape AnalysisAn intraprocedural analysis aimed to figure out the shape ofan heap-allocated memory.

1. Extend the While language with command for heapmanagement,

2. Present an abstract representation for the heapmemory,

3. Present the analysis like a monotone framework.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Use case of the Shape Analysis

I nil-pointer dereferencing,I Checking field existence (e.g. a.sel := 1, what if a

does not have a sel field?),I Validating properties of data structure shape (e.g. a

non-cyclic structure is still non-cyclic after acomputation).

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Selectors and Pointers

Selectorssel ∈ Sel

Pointers

p ∈ PExpp ::= x | x.sel

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Extended Syntax

The extended syntax with pointers

a ::= p | n | a1 opa a2 | nil

while [b]` do S | [malloc p]`

Note that opr now accept two operands of type a, such astwo pointer (for an operation such as are-equals) and theoperator opp accept one pointer operands (think atoperations like is-nil).

The operator [malloc p]` allow to allocate new space in theheap.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Structural Operational Semantics

We add values for locations:

ξ ∈ Loc

From now on a configuration of the semantics will becomposed by a state and a heap

σ ∈ State = Var∗ → (Z + Loc + {�})H ∈ Heap = (Loc× Sel)→fin (Z + Loc + {�})

Note that the heap H need a Loc and a Sel to return avalue. The →fin represent the fact that not all the selectorfields will be defined. The value � represent the nil value.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

ξ ∈ Loc

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

ξ ∈ Loc

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Pointer Expressions

We need to define a new semantic function for pointers

℘ : PExp∗ → (State×Heap)→fin (Z + Loc + {�})

℘JxK(σ,H) = σ(x)

℘Jx.selK(σ,H) =

H(σ(x), sel)if σ(x) ∈ Loc ∧H is defined on (σ(x), sel)

undefif σ(x) 6∈ Loc ∨H is undefined on (σ(x), sel)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Arithmetic & Boolean Expressions

We need to update the older semantic function to work withthe new heap:

A : AExp→ (State×Heap)→fin (Z + Loc + {�})B : BExp→ (State×Heap)→fin T

The new clause for arithmetic function are:

AJpK(σ,H) = ℘JpK(σ,H)AJnK(σ,H) = N JnK

AJa1 opa a2K(σ,H) = AJa1K(σ,H) opa AJa2K(σ,H)AJnilK(σ,H) = �

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Arithmetic & Boolean Expressions

The new clause for boolean function are:

BJa1 opr a2K(σ,H) = AJa1K(σ,H) opr AJa2K(σ,H)BJopp pK(σ,H) = opp (℘JpK(σ,H))

Note that the meaning of opa and opr must be undefined ifthe types are not the same (e.g. two integers or twopointers).

is-nil(v) ={

tt if v = �ff otherwise

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Statements

We extended the statements rules with the heap:

〈[x := a]`, σ,H〉 → 〈σ[x 7→ AJaK(σ,H)],H〉if AJaK(σ,H) is defined

〈[x.sel := a]`, σ,H〉 → 〈σ,H[(σ(x), sel) 7→ AJaK(σ,H)]〉if σ(x) ∈ Loc and AJaK(σ,H) is defined

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Statements

We extended the statements rules with the heap:

〈[x := a]`, σ,H〉 → 〈σ[x 7→ AJaK(σ,H)],H〉if AJaK(σ,H) is defined

〈[x.sel := a]`, σ,H〉 → 〈σ,H[(σ(x), sel) 7→ AJaK(σ,H)]〉if σ(x) ∈ Loc and AJaK(σ,H) is defined

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Statements

We add rules for the malloc statement, to allow allocationof new cells.

〈[malloc x]`, σ,H〉 → 〈σ[x 7→ ξ],H〉where ξ is fresh within σ and H

〈[malloc x.sel]`, σ,H〉 → 〈σ,H[(σ(x), sel) 7→ ξ]〉where ξ is fresh within σ and H and σ(x) ∈ Loc

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Statements

We add rules for the malloc statement, to allow allocationof new cells.

〈[malloc x]`, σ,H〉 → 〈σ[x 7→ ξ],H〉where ξ is fresh within σ and H

〈[malloc x.sel]`, σ,H〉 → 〈σ,H[(σ(x), sel) 7→ ξ]〉where ξ is fresh within σ and H and σ(x) ∈ Loc

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Why we need shape graphs?Obviously the heap can grow arbitrarily large, but we want away

- to work with a finite representation,- to combine the location of the semantics in a finite

number of abstract locations.

Shape GraphsWe introduce the shape graphs, an abstract representationfor heap and state composed by:

S abstract state,H abstract heap,is sharing informations.

The is component allow us to recover the imprecision due tocombining a set of location into an abstract location.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

How do we proceed

First of all we will define what areI abstract location,I abstract state,I abstract heap,I sharing information.

Then we will present how to go from a couple (σ,H) to ashape graph (S,H, is).

We will do it by introducing Five Invariants.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

How do we proceed

First of all we will define what areI abstract location,I abstract state,I abstract heap,I sharing information.

Then we will present how to go from a couple (σ,H) to ashape graph (S,H, is).

We will do it by introducing Five Invariants.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract Location

We define an abstract location such as:

ALoc = {nX | X ⊆ Var∗}

The idea is that if x ∈ X then the abstract location nX willrepresent the location σ(x).

We introduce even the abstract summary location n∅ thatwill represent all the location that we can’t reach directlyfrom σ.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract Location

We define an abstract location such as:

ALoc = {nX | X ⊆ Var∗}

The idea is that if x ∈ X then the abstract location nX willrepresent the location σ(x).

We introduce even the abstract summary location n∅ thatwill represent all the location that we can’t reach directlyfrom σ.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract Location

Abstract location represent disjoint sets of locations.

If we consider two different abstract locations nX and nY ,they could be the same (X = Y ) or the are disjoint(X ∩Y = ∅). It can be easily proved, considering X 6= Yand taking a z ∈ X ∩Y .

Invariant 1If two abstract location nX and nY occur in the sameshape graph the either X = Y or X ∩Y = ∅.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract Location

Abstract location represent disjoint sets of locations.

If we consider two different abstract locations nX and nY ,they could be the same (X = Y ) or the are disjoint(X ∩Y = ∅). It can be easily proved, considering X 6= Yand taking a z ∈ X ∩Y .

Invariant 1If two abstract location nX and nY occur in the sameshape graph the either X = Y or X ∩Y = ∅.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract State

The abstract state S is used to map variables to abstractlocations

S ∈ AState = P(Var∗ ×ALoc)

We shall ensure that

Invariant 2If x is mapped to nX by the abstract state then x ∈ X

From Invariant 1 follows that it will be at most one abstractlocation in the shape graph for each variable in the state.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract State

The abstract state S is used to map variables to abstractlocations

S ∈ AState = P(Var∗ ×ALoc)

Invariant 2If x is mapped to nX by the abstract state then x ∈ X

From Invariant 1 follows that it will be at most one abstractlocation in the shape graph for each variable in the state.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract Heaps

The abstract state H is used to specify links within abstractlocations.

H ∈ AHeap = P(ALoc× Sel×ALoc)

The links are specified by triples such as (nX , sel,nY ).The idea is that if H(ξ1, sel) = ξ2 and ξ1 and ξ2 arerepresented by nX and nY respectively, then(nX , sel,nY ) ∈ H.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract Heaps

The abstract state H is used to specify links within abstractlocations.

H ∈ AHeap = P(ALoc× Sel×ALoc)

The links are specified by triples such as (nX , sel,nY ).The idea is that if H(ξ1, sel) = ξ2 and ξ1 and ξ2 arerepresented by nX and nY respectively, then(nX , sel,nY ) ∈ H.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract Heaps

Please note that in heap H there will be at most onelocation ξ2 such that H(ξ1, sel) = ξ2.

This is not completely true in abstract heaps: consider thelocation n∅, it will represent several locations pointing toseveral locations (all the not reaching locations).

Invariant 3Whenever (nV , sel,nW ) and (nV , sel,nW ′) are in theabstract heap, then either V = ∅ or W = W ′.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract Heaps

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Abstract Heaps

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

A little Example

[y := nil]1;while [not is-nil(x)]2 do

([z := y]3; [y := x]4; [x := x.cdr]5; [y.cdr := z]6);[z := nil]7

ξ1 ξ2 ξ3 ξ4 ξ5

cdr cdr cdr cdr cdr

x n {x} n Øcdr

ShapeGraph

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

A little Example

ξ2 ξ3 ξ4 ξ5

cdr cdr cdr

n {x} n Øcdr

ShapeGraph

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

A little Example

ξ3 ξ4 ξ5

cdr cdr cdr

cdrξ1

n {x} n Øcdr

n {y} n {z}cdr

ShapeGraph

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

A little Example

ξ4 ξ5

cdr cdr

cdrξ2

cdrξ1

n {x} n Øcdr

n {y} n {z}cdr

cdr ShapeGraph

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

A little Example

cdrξ3

cdrξ2

cdrξ1

n {x} n Ø

n {y} n {z}cdr

ShapeGraph

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

A little Example

cdrξ4

cdrξ3

cdrξ2

cdrξ1

n {y} n {z}cdr

ShapeGraph

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Heap Representation Shape Graph

x ξ1 ξ2 ξ3

cdr cdr

cdrcdr

n {x} n Øcdr

n {y}cdr

We want to represent a set is of locations that are shareddue to pointers in the heap.The idea is that if an abstract location nX will be includedin is if it is a target of two or more pointer in the heap.

We must assure that the sharing information inside is isconsistent with the information inside the abstract heap H.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

x ξ1 ξ2 ξ3

cdr cdr

cdrcdr

n {x} n Øcdr

n {y}cdr

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

ξ2 ξ3 ξ4

cdr cdr

cdrcdr

n {x} n Ø

n {y}cdr

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

So we impose two different invariants

Invariant 4If nX ∈ is then either(a) (n∅, sel,nX ) is in the abstract heap for some sel, or(b) there exists two distinct triples (nV , sel1,nX ) and

(nW , sel2,nX ) into the abstract heap (that is eithersel1 6= sel2 or V 6= W ).

Invariant 4 imposes that the information in the sharingcomponent is is reflected into the abstract heap.

Case 4(a) takes care of cases where there are links betweenn∅ and nX in the heap; Case 4(b) takes care of cases wherethere are link between different pointers (distinct source orselector) to nX .

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Invariant 5 imposes that the information in the abstractheap H is reflected into the sharing component.

Invariant 5Whenever there are two distinct triples (nV , sel1,nX ) and(nW , sel2,nX ) in the abstract heap and nX 6= n∅ thennX ∈ is.

Note that Invariant 5 is the “inverse” of 4(b). We don’t havean “inverse” of case 4(a), the presence of a pointer from n∅to nX in H does not give information concerning sharing.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Sharing Informations and n∅

Taking in consideration the abstract summary location n∅:

If n∅ ∈ is then it will be at least one locationrepresented by n∅ that is a target by two ormore pointers.

Heap Shape Graph

n {x} n Øsel

selsel

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Sharing Informations and n∅

Taking in consideration the abstract summary location n∅:

If n∅ 6∈ is then all the location represented by n∅ will betarget by at most one pointer (Does not exista location with two incoming edge).

Heap Shape Graph

n {x} n Øsel

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Summarize

To summarize a shape graph is composed by:

S ∈ AState = P(Var∗ ×ALoc)H ∈ AHeap = P(ALoc× Sel×ALoc)is ∈ IsShared = P(ALoc)

ALoc = {nZ | Z ⊆ Var∗}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Compatible Shape Graph

We say that a shape graph is compatible if it fulfil the 5invariants:

1. ∀nV ,nW ∈ ALoc(S) ∪ALoc(H) ∪ is : (V = W ) ∨ (V ∩W = ∅)2. ∀(x,nX) ∈ S : x ∈ X3. ∀(nV , sel,nW ), (nV , sel,nW ′ ) ∈ H : (V = ∅) ∨ (W = W ′)

4.∀nX ∈ is : (∃sel : (n∅, sel,nX) ∈ H) ∨

(∃(nV , sel1,nX), (nW , sel2,nX) ∈ H :sel1 6= sel2 ∨V 6= W )

5. ∀(nV , sel1,nX), (nW , sel2,nX) ∈ H :((sel1 6= sel2 ∨V 6= W ) ∧X 6= ∅)⇒ nX ∈ is

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

The sets of compatible shape graphs is denoted by

SG = {(S,H,is) | (S,H,is) is compatible}

Our analysis will work on sets of compatible shape graphs(elements of P(SG)).

P(SG) is trivially a complete lattice, with t being ∪ andv being ⊆.

P(SG) is obviously finite becauseSG ⊆ AState×AHeap× IsShared, and AState,AHeap and IsShared are finite.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

The Analysis

We introduce the analysis Shape as an instance of aMonotone Framework. For every labeled program S∗ weproduce a sets of equations of the form.

Shape◦(`) ={

ι if` = init(S∗)⋃{Shape•(`′) | (`′, `) ∈ flow(S∗)} otherwise

Shape•(`) = f SA` (Shape◦(`))

Where ι ∈ P(SG) is the extremal value at entry of S∗ andf SA` is the transfer function.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

The Analysis

Shape◦(`) ={

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

The Analysis

Shape◦(`) ={

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

The Analysis

The analysis Shape is a forward analysis, because it’sdefined using the set flow(S∗).

It’s also a may analysis since we are using the⋃

operatorfor combining results gathered from the flow(S∗).

The transfer function f SA` : P(SG)→ P(SG) has the

f SA` (SG) =

⋃{φSA

` ((S,H, is)) | (S,H, is) ∈ SG}

The function φSA` has to be developed right now.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

The Analysis

f SA` (SG) =

⋃{φSA

` ((S,H, is)) | (S,H, is) ∈ SG}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

The Analysis

f SA` (SG) =

⋃{φSA

` ((S,H, is)) | (S,H, is) ∈ SG}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

The function φSA`

The function φSA` : SG→ P(SG) specifies how a single

graph in Shape◦(`) is transformed into a set of graph inShape•(`)

We present the φSA` function for all the different kind of

statements.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

The function φSA`

The function φSA` : SG→ P(SG) specifies how a single

graph in Shape◦(`) is transformed into a set of graph inShape•(`)

We present the φSA` function for all the different kind of

statements.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[b]` and [skip]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[b]` and [skip]`

Since [b]` and [skip]` does not modify the heap, the φSA`

function is just the identity functions, remember that we areinterested in the heap shape.

φSA` ((S,H, is)) = {(S,H, is)}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[b]` and [skip]`

Since [b]` and [skip]` does not modify the heap, the φSA`

function is just the identity functions, remember that we areinterested in the heap shape.

φSA` ((S,H, is)) = {(S,H, is)}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := a]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := a]`

We consider [x := a]` in the case where a is of the form n,a1 opa a2 or nil.

We must remove the binding of x and rename all theabstract location that contains x.

kx(nZ ) = nZ\{x}

So we take

φSA` ((S,H, is)) = {killx(S,H, is)}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := a]`

kx(nZ ) = nZ\{x}

So we take

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := a]`

kx(nZ ) = nZ\{x}

So we take

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := a]`

Where killx(S,H, is) = (S′,H′, is′) is given by

S′ = {(z, kx(nZ )) | (z,nZ ) ∈ S ∧ z 6= x}H′ = {(kx(nV ), sel, kx(nW )) | (nV , sel,nW ) ∈ H}is′ = {(kx(nX )) | nX ∈ is}

It’s easy to prove that if (S,H, is) is compatible, even(S′,H′, is′) is compatible.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := a]`

Where killx(S,H, is) = (S′,H′, is′) is given by

S′ = {(z, kx(nZ )) | (z,nZ ) ∈ S ∧ z 6= x}H′ = {(kx(nV ), sel, kx(nW )) | (nV , sel,nW ) ∈ H}is′ = {(kx(nX )) | nX ∈ is}

It’s easy to prove that if (S,H, is) is compatible, even(S′,H′, is′) is compatible.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

If (x , n{x}) is in S?

If (x,n{x}) is in S then the two abstract location n{x} andn∅ will be merged.

From this we can deduce that n∅ will be unshared if bothn{x} and n∅ was unshared.

Garbage CollectionPlease note that our analysis does not provide a garbagecollector, so if n{x} has no heap pointer, it is unreachable.Consider that there will be a pointer from n∅ to the locationthat n{x} might point to.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := a]`

x n {x} n Wsel2

(S,H, is)

n Vsel1

(S′,H′, is′)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y]`

if x = y the f SA` is just the identity function.

if x 6= y then we execute the following steps:1. We remove the old binding for x with killx ,2. We update the abstract location that contains y adding{x} to the variable sets.

This can be done with

gyx (nZ ) =

{nZ∪{x} if y ∈ ZnZ otherwise

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y]`

gyx (nZ ) =

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y]`

gyx (nZ ) =

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y]`

So we take

φSA` ((S,H, is)) = {(S′′,H′′, is′′)}

Where (S′,H′, is′) = killx((S,H, is)) and

S′′ = {(z, gyx (nZ )) | (z,nZ ) ∈ S′}

∪ {(x, gyx (nY )) | (y′,nY ) ∈ S′ ∧ y′ = y}

H′′ = {(gyx (nV ), sel, gy

x (nW )) | (nV , sel,nW ) ∈ H′}is′′ = {gy

x (nZ ) | nZ ∈ is′}

Again it’s easy to prove that if (S,H, is) is compatible, even(S′′,H′′, is′′) is compatible.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y]`

So we take

φSA` ((S,H, is)) = {(S′′,H′′, is′′)}

S′′ = {(z, gyx (nZ )) | (z,nZ ) ∈ S′}

∪ {(x, gyx (nY )) | (y′,nY ) ∈ S′ ∧ y′ = y}

x (nZ ) | nZ ∈ is′}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y]`

So we take

φSA` ((S,H, is)) = {(S′′,H′′, is′′)}

S′′ = {(z, gyx (nZ )) | (z,nZ ) ∈ S′}

∪ {(x, gyx (nY )) | (y′,nY ) ∈ S′ ∧ y′ = y}

x (nZ ) | nZ ∈ is′}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y]`

S′′ = {(z, gyx (nZ )) | (z,nZ ) ∈ S′}

∪ {(x, gyx (nY )) | (y′,nY ) ∈ S′ ∧ y′ = y}

x (nZ ) | nZ ∈ is′}

Please note that the clause in blue is the adding of thebinding of x.The sharing information of nY∪{x} in inherited from nY .

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y]`

A little example when x 6= y.

n Ysel2

(S,H, is)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y]`

A little example when x 6= y.

x n X\{x}

n Y∪{x}sel2

(S′′,H′′, is′′)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel ]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]`

If x = y the assignment is equivalent to:

[t := y.sel]`1 ; [x := t]`2 ; [t := nil]`3 ;

Where t is a fresh variable and `1, `2 and `3 are freshlabels.

We can obtain the transfer function f SA` as a composition:

f SA` = f SA

`3 ◦ f SA`2 ◦ f SA

So f SA`2

and f SA`3

can be computed using the same pattern asbefore. We concentrate on f SA

`1(or similar in the case when

x 6= y).

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]`

[t := y.sel]`1 ; [x := t]`2 ; [t := nil]`3 ;

f SA` = f SA

`3 ◦ f SA`2 ◦ f SA

So f SA`2

and f SA`3

x 6= y).

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]`

First of all we remove the old binding for x:

(S′,H′, is′) = killx((S,H, is))

Then we must rename the abstract location correspondingto y.sel to include x into the variable set, then we must addthe new binding for x. We can have 3 different cases:

1. There is no abstract location nY such that(y,nY ) ∈ S′, or it exist but there is no nZ such that(nY , sel,nZ ) ∈ H′.

2. There is an abstract location nY such that (y,nY ) ∈ S′and there is a nU 6= n∅ such that (nY , sel,nU ) ∈ H′.

3. There is an abstract location nY such that (y,nY ) ∈ S′and there is a triple such that (nY , sel,n∅) ∈ H′.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]` - Case 1

In the case where there is no abstract location nY such that(y,nY ) ∈ S′ we simply take:

φSA` ((S,H, is)) = killx((S,H, is))

In the case where there is no nZ such that(nY , sel,nZ ) ∈ H′ we again take

In both case there is no binding to add, so we simply removethe old binding for x. The first case is the case ofde-referencing of nil-pointer, the second case is the case ofde-referencing of non-existing fields.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

We consider the case where there is an abstract location nYsuch that (y,nY ) ∈ S′ and there is a nU 6= n∅ such that(nY , sel,nU ) ∈ H′.

We must rename nU to include x into the variable set usingthe function:

hUx (nZ ) =

{nZ∪{x} if Z = UnZ otherwise

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

We consider the case where there is an abstract location nYsuch that (y,nY ) ∈ S′ and there is a nU 6= n∅ such that(nY , sel,nU ) ∈ H′.

We must rename nU to include x into the variable set usingthe function:

hUx (nZ ) =

{nZ∪{x} if Z = UnZ otherwise

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

So we take

φSA` ((S,H, is)) = {(S′′,H′′, is′′)}

S′′ = {(z, hUx (nZ )) | (z,nZ ) ∈ S′} ∪ {(x, hU

x (nU ))}H′′ = {(hU

x (nV ), sel, hUx (nW )) | (nV , sel,nW ) ∈ H′}

is′′ = {hUx (nZ ) | nZ ∈ is′}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

So we take

φSA` ((S,H, is)) = {(S′′,H′′, is′′)}

S′′ = {(z, hUx (nZ )) | (z,nZ ) ∈ S′} ∪ {(x, hU

x (nU ))}H′′ = {(hU

x (nV ), sel, hUx (nW )) | (nV , sel,nW ) ∈ H′}

is′′ = {hUx (nZ ) | nZ ∈ is′}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

S′′ = {(z, hUx (nZ )) | (z,nZ ) ∈ S′} ∪ {(x, hU

x (nU ))}

The clause in blue represent the adding of the new bindingfor x.

As before nU∪{x} is shared in (H′′) if and only if nU wasshared in (H′).

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]` - Case 2Let’s show this case with a little example when x 6= y, and incase when nU ∈ is.

n Ysel

n Uysel2

(S,H, is)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]` - Case 2Let’s show this case with a little example when x 6= y, and incase when nU ∈ is.

xn X\{x}

n Ysel

n U∪{x}ysel2

(S′′,H′′, is′′)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Consider now the case where there is an abstract locationnY such that (y,nY ) ∈ S′ and there is a triple such that(nY , sel,n∅) ∈ H′.

The location for y.sel is represented by n∅ (that representeven other locations). We must materialize an abstractlocation n{x} from n∅, doing so n{x} will represent y.sel andn∅ will represent the remaining locations.

This operation is a bit hard so let’s consider an example

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

We can determinate obviously thatI [x := nil]···; [x := y.sel]` is equivalent to [x := y.sel]`

I (S′,H′, is′) = killx((S,H, is))I (S′′′,H′′′, is′′′) = killx((S′′,H′′, is′′))I (S′′′,H′′′, is′′′) = (S′,H′, is′)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

So finallykillx((S′′,H′′, is′′)) = (S′,H′, is′)

Then we can also say that (x,n{x}) ∈ S′′ and that(nY , sel,n{x}) ∈ H′′.

So we can take

φSA` ((S,H, is)) = {(S′′,H′′, is′′) |

(S′′,H′′, is′′) is compatible ∧killx((S′′,H′′, is′′)) = (S′,H′, is′) ∧(x,n{x}) ∈ S′′ ∧ (nY , sel,n{x}) ∈ H′′}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

So finallykillx((S′′,H′′, is′′)) = (S′,H′, is′)

Then we can also say that (x,n{x}) ∈ S′′ and that(nY , sel,n{x}) ∈ H′′.

So we can take

φSA` ((S,H, is)) = {(S′′,H′′, is′′) |

(S′′,H′′, is′′) is compatible ∧killx((S′′,H′′, is′′)) = (S′,H′, is′) ∧(x,n{x}) ∈ S′′ ∧ (nY , sel,n{x}) ∈ H′′}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

We are sure that we have included all the possible solutions.So our function is sound.

Is it possible that we have included too much solutions, sowe are losing precision?

We will now argue that the amount of imprecision in notexcessive.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

First we prove that

S′′ = S′ ∪ {(x,n{x})}

ProofS′′ ⊆ S′ ∪ {(x,n{x})} Consider (z,nZ ) ∈ S′′. If z = x then from

compatibility nZ = n{x}. If z 6= x then from(x,n{x}) ∈ S′′ and the compatibility we deduce thatx 6∈ Z and so (z,nZ ) = (z, kx(nZ )) (and kx is used todefine killx).

S′′ ⊇ S′ ∪ {(x,n{x})} Consider (u,nU ) ∈ S′. We know from definitionof S′ and from compatibility that u 6= x and x 6∈ U .There must be a (u,n′U ) ∈ S′′ such that kx(n′U ) = nU ,but since x 6= y we obtain n′U = nU .

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

First we prove that

S′′ = S′ ∪ {(x,n{x})}

ProofS′′ ⊆ S′ ∪ {(x,n{x})} Consider (z,nZ ) ∈ S′′. If z = x then from

compatibility nZ = n{x}. If z 6= x then from(x,n{x}) ∈ S′′ and the compatibility we deduce thatx 6∈ Z and so (z,nZ ) = (z, kx(nZ )) (and kx is used todefine killx).

S′′ ⊇ S′ ∪ {(x,n{x})} Consider (u,nU ) ∈ S′. We know from definitionof S′ and from compatibility that u 6= x and x 6∈ U .There must be a (u,n′U ) ∈ S′′ such that kx(n′U ) = nU ,but since x 6= y we obtain n′U = nU .

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Then we prove that

is′\{n∅} = is′′\{n∅,n{x}}n∅ ∈ is′ iff n∅ ∈ is′′ ∨ n{x} ∈ is′′

Equal as showing thatI Sharing information of location apart n∅ are conserved,I If n∅ is shared then it can rise share to n∅ or to n{x} (or

both),I If n∅ is not shared, we can’t introduce a sharing for n∅

neither for n{x}.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Then we prove that

Equal as showing thatI Sharing information of location apart n∅ are conserved,I If n∅ is shared then it can rise share to n∅ or to n{x} (or

both),I If n∅ is not shared, we can’t introduce a sharing for n∅

neither for n{x}.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Then we prove that

ProofSince (S′,H′, is′) and (S′′,H′′, is′′) are compatible, if nU ∈ is′ thenx 6∈ U and if nU ∈ is′′ then x 6∈ U ∨ {x} = U .

Remember that is′ = {kx(nU ) | nU ∈ is′′}, so we can deduce thatis′\{n∅} = is′′\{n∅,n{x}}, because kx(nU ) = nU 6= n∅ for allnU ∈ is′′\{n∅,n{x}}.

More n∅ ∈ is′′ ∨ n{x} ∈ is′′ ⇒ n∅ ∈ is′ and moren∅ 6∈ is′′ ∧ n{x} 6∈ is′′ ⇒ n∅ 6∈ is′

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Then we prove that

ProofSince (S′,H′, is′) and (S′′,H′′, is′′) are compatible, if nU ∈ is′ thenx 6∈ U and if nU ∈ is′′ then x 6∈ U ∨ {x} = U .

Remember that is′ = {kx(nU ) | nU ∈ is′′}, so we can deduce thatis′\{n∅} = is′′\{n∅,n{x}}, because kx(nU ) = nU 6= n∅ for allnU ∈ is′′\{n∅,n{x}}.

More n∅ ∈ is′′ ∨ n{x} ∈ is′′ ⇒ n∅ ∈ is′ and moren∅ 6∈ is′′ ∧ n{x} 6∈ is′′ ⇒ n∅ 6∈ is′

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Now consider the abstract heap H, we first classify the edgedepending on if the source and the target are either n∅ orn{x}.

(nV , sel ′,nW ) is external iff {nV ,nW} ∩ {n∅,n{x}} = ∅(nV , sel ′,nW ) is internal iff {nV ,nW} ⊆ {n∅,n{x}}

(nV , sel ′,nW ) is going-out iff nV ∈ {n∅,n{x}} ∧ nW 6∈ {n∅,n{x}}(nV , sel ′,nW ) is going-in iff nV 6∈ {n∅,n{x}} ∧ nW ∈ {n∅,n{x}}

We say that two edge (nV , sel ′,nW ) and (n′V , sel ′′,n′W ) are related ifand only if kx(nV ) = kx(n′V ), sel ′ = sel ′′ and kx(nW ) = kx(n′W ).

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

We can show thatI H′ and H′′ have the same external edges,

I each internal edge in H′ is related to an internal edge inH′′ and vice versa,

I each going-out edge in H′ is related to a going-out edgein H′′ and vice versa,

I each going-in edge in H′ is related to a going-in edge inH′′ and vice versa,

Obviously the edge (nY , sel,n∅) ∈ H′ must be update with(nY , sel,n{x}) ∈ H′′. We impose that (nY , sel,n{x}) ∈ H′′,and because of compatibility we deduce that(nY , sel,n{x}) 6∈ H′.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]` - Case 3Consider the following scenario and let’s see what happensafter [x := y.sel]`.

n Ysel

n Øysel2 n W

(S,H, is)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x := y.sel]` - Case 3We extract the location nX from n∅, and depending on thetriple involving sel2 and sel3 we can have 6 different andcompatible shape graphs.

xn X\{x}

n Ysel

sel2n Ø

n {x}y

n Wn Vsel1

sel3sel2

(S′′,H′′, is′′)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

xn X\{x}

n Ysel

n {x}y

sel2 n Wn Vsel1

(S′′1,H′′1, is′′1)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

xn X\{x}

n Ysel

n {x}ysel2

n Wn Vsel1

(S′′2,H′′2, is′′2)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

xn X\{x}

n Ysel

n {x}y

sel2 n Wn Vsel1

(S′′3,H′′3, is′′3)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

xn X\{x}

n Ysel

sel3n Ø

n {x}ysel2

n Wn Vsel1

(S′′4,H′′4, is′′4)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

xn X\{x}

n Ysel

n {x}y

sel2 n Wn Vsel1

(S′′5,H′′5, is′′5)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

xn X\{x}

n Ysel

sel3n Ø

n {x}ysel2

n Wn Vsel1

(S′′6,H′′6, is′′6)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

We consider [x.sel := a]` in the case where a is of the formn, a1 opa a2 or nil.

Let’s consider a compatible graph (S,H, is).

The easy case are:I The case where there is no nX such that (x,nX) ∈ S, the

statement will have no effect (x does not point to a cell inthe heap). In this case the transfer function f SA

` is just theidentity.

I The case where there is a nX such that (x,nX) ∈ S, butthere is no nU such that (nX , sel,nU ) ∈ H; even in this casethe statement will have no effect (the cell pointed by seldoes not point to another cell in the heap). In this case thetransfer function f SA

` is again the identity.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

Consider the case where there is a nX such that (x,nX ) ∈ Sand there is a unique nU such that (nX , sel,nU ) ∈ H.

The effect will be to remove the triple (nX , sel,nU ):

φSA` ((S,H, is)) = {killx.sel(S,H, is)}

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

Consider the case where there is a nX such that (x,nX ) ∈ Sand there is a unique nU such that (nX , sel,nU ) ∈ H.

The effect will be to remove the triple (nX , sel,nU ):

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

where killx.sel(S,H, is) = (S′,H′, is′) is given by

S′ = SH′ = {(nV , sel ′,nW )|(nV , sel ′,nW ) ∈ H ∧

¬(X = V ∧ sel = sel ′)}

is′ =

is\{nU} if nU ∈ is ∧ #into(nU ,H′) ≤ 1 ∧

¬∃sel ′ : (n∅, sel ′,nU ) ∈ H′is otherwise

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

where killx.sel(S,H, is) = (S′,H′, is′) is given by

S′ = SH′ = {(nV , sel ′,nW )|(nV , sel ′,nW ) ∈ H ∧

¬(X = V ∧ sel = sel ′)}

is′ =

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

is′ =

We use #into(nU ,H′) to indicate the number of pointer tonU in H′.

With the first clause we check if it is possible to remove nUfrom is. If the number of pointers to nU is less then 2 andthere is no (n∅, sel ′,nU ) triple in H′ then we can remove it.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

is′ =

We use #into(nU ,H′) to indicate the number of pointer tonU in H′.

With the first clause we check if it is possible to remove nUfrom is. If the number of pointers to nU is less then 2 andthere is no (n∅, sel ′,nU ) triple in H′ then we can remove it.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

Let’s view the effect of [x.sel := nil]` when#into(nU ,H′) ≤ 1.

n Xsel

(S,H, is)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := a]`

Let’s view the effect of [x.sel := nil]` when#into(nU ,H′) ≤ 1.

(S′,H′, is′)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

[t := y]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;

f SA` = f SA

`3 ◦ f SA`2 ◦ f SA

So f SA`1

and f SA`3

x 6= y).

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

[t := y]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;

f SA` = f SA

`3 ◦ f SA`2 ◦ f SA

So f SA`1

and f SA`3

x 6= y).

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

Assume x 6= y and let (S,H, is) be a compatible shape graph.

In the case where there is no nX such that (x,nX ) ∈ S thenthe f SA

` is just the identity function.

Consider the case where there is a nX such that (x,nX ) ∈ S,but there is no nY such that (y,nY ) ∈ S. It’s the casewhere y is an integer value, or the nil value, it can betreated as [x.sel := a]`:

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

In the case where x 6= y, (x,nX ) ∈ S and (y,nY ) ∈ S weproceed with 2 steps.

1. First we remove the binding for x.sel,2. Then we add the new binding.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

In the case where x 6= y, (x,nX ) ∈ S and (y,nY ) ∈ S weproceed with 2 steps.

1. First we remove the binding for x.sel,2. Then we add the new binding.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

φSA` ((S,H, is)) = {(S′′,H′′, is′′)}

where (S′,H′, is′) = killx.sel((S,H, is)) and

S′′ = S′ (= S)H′′ = H′ ∪ {(nX , sel,nY )}

is′′ ={

is′ ∪ {nY } if #into(nY ,H′) ≥ 1is′ otherwise

Note that node nY can become shared if we add a new edgepointing to it.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

φSA` ((S,H, is)) = {(S′′,H′′, is′′)}

where (S′,H′, is′) = killx.sel((S,H, is)) and

S′′ = S′ (= S)H′′ = H′ ∪ {(nX , sel,nY )}

is′′ ={

is′ ∪ {nY } if #into(nY ,H′) ≥ 1is′ otherwise

Note that node nY can become shared if we add a new edgepointing to it.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

Let’s view the effect of [x.sel := y]` when#into(nY ,H′) < 1.

x n X n U

(S,H, is)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y]`

Let’s view the effect of [x.sel := y]` when#into(nY ,H′) < 1.

x n X n U

(S′′,H′′, is′′)

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[x .sel := y.sel ′]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

The statement is equivalent to:

[t := y.sel ′]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;

f SA` = f SA

`3 ◦ f SA`2 ◦ f SA

So f SA`1

, f SA`2

and f SA`3

follow the pattern that we have seenbefore in the other cases.

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[t := y.sel ′]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;

f SA` = f SA

`3 ◦ f SA`2 ◦ f SA

So f SA`1

, f SA`2

and f SA`3

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[malloc x ]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[malloc x ]`

We remove the binding for x (using killx) and then weintroduce a new (unshared) location pointed by x.

φSA` ((S,H, is)) = {(S′ ∪ {(x,n{x})},H′, is′)}

where (S′,H′, is′) = killx((S,H, is)).

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[malloc x ]`

We remove the binding for x (using killx) and then weintroduce a new (unshared) location pointed by x.

φSA` ((S,H, is)) = {(S′ ∪ {(x,n{x})},H′, is′)}

where (S′,H′, is′) = killx((S,H, is)).

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[malloc x .sel ]`

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[malloc x .sel]`

[malloc t]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;

f SA` = f SA

`3 ◦ f SA`2 ◦ f SA

So f SA`1

, f SA`2

and f SA`3

Shape Analysis

IntroductionSyntax

Statements

Abstract State

Abstract Heaps

Example

Complete Lattice

[x := a]`

[x := y]`

[x := y.sel]`

Case 1

Case 2

Case 3

[x.sel := a]`

[x.sel := y]`

[malloc x]`

[malloc x.sel]`

[malloc x .sel]`

[malloc t]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;

f SA` = f SA

`3 ◦ f SA`2 ◦ f SA

So f SA`1

, f SA`2

and f SA`3

Shape Analysis

Science

Transcript of Shape Analysis