Page 1
Deriving Pre-Condition for ABCE 1
Deriving Preconditions for Array Bound Check Elimination
Dana N. XU
Joint work with W.N. CHIN and S.C. KHOO
Dept of Computer Science, School of Computing, National University of Singapore
Page 2
Array Bound Checks
[Figure: array arr holding elements e1 … en at indices 0 … n-1, with i the index being accessed]
sub arr i = if (0 <= i < n) then primeSub(arr, i)
            else error "out of bound"
Page 3
Array Bound Checks Elimination
[Figure: the same array arr (elements e1 … en at indices 0 … n-1) and index i; the goal is to drop the test in sub]
sub arr i = if (0 <= i < n) then primeSub(arr, i)
            else error "out of bound"
Page 4
Motivation
• Checks are expensive.
• Precise Exception + Unsafe Checks => Less Optimisation
• Main difficulties
  • recursive procedures
  • partial redundancy
Page 5
Our Solutions
• Based on Sized Typing
• Presburger Constraint Solving
• Partial Redundancy via Pre-condition Derivation
• Utilise Recursive Invariants
Page 6
Outline of Talk
• Motivation
• Language, Sized Types & Presburger Solver
• Key Idea
• Bound Checks Elimination Procedure
  • Context Synthesis
  • Deriving Weakest Pre-Condition
  • Converting Preconditions to Checks
  • Bound Check Specialisation
Page 7
Language
Page 8
Sized Type and Presburger Arithmetic
Page 9
Binary Search Example
Page 10
Example:
getmid(arr,lo,hi)
  = let m=(lo+hi)/2 in
    let x=L@H@sub(arr,m) in (m,x)
(L and H label the lower-bound and upper-bound checks of this call to sub.)
Polymorphic type:
getmid :: (Arr α, Int, Int) → (Int, α)
sub :: (Arr α, Int) → α
Page 11
Example:
getmid(arr,lo,hi)
  = let m=(lo+hi)/2 in
    let x=L@H@sub(arr,m) in (m,x)
Sized type:
sub :: (Arr^a α, Int^i) → α
  Size: (a>=0)
getmid :: (Arr^a α, Int^l, Int^h) → (Int^m, α)
  Size: (a>=0) ∧ (2m<=l+h) ∧ (1+2m>=l+h)
Page 12
Key Idea
f(v1,..,vn) = … L@e …
ctx(L): the context (size constraints known to hold) at L
chk(L): the check required at L
The weakest pre-condition that ensures chk is safe under the given context ctx is:
pre = ctx ⇒ chk
Page 13
f a x = if (x>=5) then a!x
        else 0
It is safe to remove the lower bound check under the condition:
  (x>=5) ⇒ x>=0
It is safe to remove the upper bound check under the condition:
  (x>=5) ⇒ x < length a
pre = ctx ⇒ chk
Page 14
Example:
newsub :: (Arr^a α, Int^i, Int^j) → Int^r
newsub(arr,i,j) = if (0<=i<=j) then L1@H1@sub(arr,i)
                  else -1
We have:
ctx(L1) = (a>=0) ∧ (0<=i<=j)
chk(L1) = (i>=0)
pre(L1) = ctx(L1) ⇒ chk(L1)
        = (a>=0 ∧ 0<=i<=j) ⇒ (i>=0) = True
Page 15
Example:
newsub :: (Arr^a α, Int^i, Int^j) → Int^r
newsub(arr,i,j) = if (0<=i<=j) then L1@H1@sub(arr,i)
                  else -1
We have:
ctx(H1) = (a>=0 ∧ 0<=i<=j)
chk(H1) = (i<a)
pre(H1) = ctx(H1) ⇒ chk(H1)
        = (a>=0 ∧ 0<=i<=j) ⇒ (i<a) = (i<=-1) ∨ (j<i ∧ 0<=i) ∨ (i<a)
The first two disjuncts are check avoidance (the guard fails, so sub is never called); the last disjunct, (i<a), is the check itself.
Page 16
Check Classification
• Totally redundant:  pre(L) = True
• Unsafe/unknown:     pre(L) = False
• Partially redundant: pre(L) = ctx(L) ⇒ chk(L), neither True nor False
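The Key Idea and the classification above, evaluated by brute force as an added example (this is not code from the talk): pre = ctx ⇒ chk is computed pointwise on a small box of size values for the two examples on the preceding slides (f a x with its two checks, and newsub with L1/H1), the class of each check is read off the result, and the closed forms shown on slides 14 and 15 are compared with the enumerated implication. The talk does this symbolically with a Presburger solver over all integers; enumerating a box is only a sanity check of those closed forms. The box bounds, the function names and the report helper are this example's own assumptions.

```python
"""Added example, not from the talk: pre = ctx => chk by enumeration on a
finite box of size values, and the slide-16 check classification."""


def pre(ctx_fn, chk_fn):
    """Weakest pre-condition, pointwise: ctx => chk is (not ctx) or chk."""
    return lambda *sizes: (not ctx_fn(*sizes)) or chk_fn(*sizes)


def classify(p, box):
    """Slide 16: True on every point -> totally redundant; False on every
    point -> unsafe/unknown; anything else -> partially redundant."""
    values = {p(*v) for v in box}
    if values == {True}:
        return "totally redundant"
    if values == {False}:
        return "unsafe/unknown"
    return "partially redundant"


def same_on_box(p, q, box):
    """True iff two pre-conditions agree on every point of the box."""
    return all(p(*v) == q(*v) for v in box)


# Slide 13:  f a x = if (x>=5) then a!x else 0.   Sizes: a = length a, x.
def ctx_f(a, x):   return x >= 5
def chk_f_L(a, x): return x >= 0        # lower bound of a!x
def chk_f_H(a, x): return x < a         # upper bound of a!x
BOX_F = [(a, x) for a in range(0, 9) for x in range(-3, 10)]  # constructed box

# Slides 14/15:  newsub(arr,i,j) = if (0<=i<=j) then L1@H1@sub(arr,i) else -1.
# Sizes: a = length arr (a >= 0 always, as in sub's sized type), i, j.
def ctx_newsub(a, i, j): return a >= 0 and 0 <= i <= j
def chk_L1(a, i, j):     return i >= 0
def chk_H1(a, i, j):     return i < a
BOX_NEWSUB = [(a, i, j) for a in range(0, 5)
              for i in range(-3, 6) for j in range(-3, 6)]  # constructed box

# Closed forms from slides 14 and 15 (what the solver returns).
def pre_L1_slide(a, i, j): return True
def pre_H1_slide(a, i, j): return i <= -1 or (j < i and 0 <= i) or i < a


def report():
    """Class of each check, and whether the slides' closed forms agree with
    the enumerated implication on the box."""
    return {
        "f lower": classify(pre(ctx_f, chk_f_L), BOX_F),
        "f upper": classify(pre(ctx_f, chk_f_H), BOX_F),
        "newsub L1": classify(pre(ctx_newsub, chk_L1), BOX_NEWSUB),
        "newsub H1": classify(pre(ctx_newsub, chk_H1), BOX_NEWSUB),
        "L1 matches slide": same_on_box(pre(ctx_newsub, chk_L1),
                                        pre_L1_slide, BOX_NEWSUB),
        "H1 matches slide": same_on_box(pre(ctx_newsub, chk_H1),
                                        pre_H1_slide, BOX_NEWSUB),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Both lower-bound checks come out totally redundant and both upper-bound checks partially redundant, and the slide-15 form (i<=-1) ∨ (j<i ∧ 0<=i) ∨ (i<a) agrees with the implication at every point of the box. The agreement depends on a >= 0 being part of the box: the implication is vacuously true when a < 0, while the closed form on the slide is not, so the slide's simplification relies on the array-size invariant a >= 0 that every sized type carries.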
Page 17
Example:
getmid(arr,lo,hi) = let m=(lo+hi)/2 in
                    let x=L@H@sub(arr,m) in (m,x)
Sized type:
sub :: (Arr^a α, Int^i) → α
  Size: (a>=0)
getmid :: (Arr^a α, Int^l, Int^h) → (Int^m, α)
  Size: (a>=0) ∧ (2m<=l+h) ∧ (1+2m>=l+h)
(1) Required Checks
  L : (i>=0), H : (i < a)   (at this call i = m)
(2) Context Synthesis
  ctx(L) = ctx(H) = (2m<=l+h) ∧ (1+2m>=l+h)
(3) Derived Precondition (m eliminated, so pre is stated over the parameters l, h and a)
  pre(L) : (0<= l+h), pre(H) : (l+h < 2a)
Page 18
Check Elimination : Steps
1. Context Synthesis
2. Pre-condition Derivation
3. From Pre-condition to Check
4. Bound Check Specialisation
Page 19
Context Synthesis Algorithm
Page 20
Check Elimination : Steps
1. Context Synthesis
2. Pre-condition Derivation
3. From Pre-condition to Check
4. Bound Check Specialisation
Page 21
Precondition of Recursion
• Make use of size invariant
• Separate analyses for
  • first recursive call
  • other recursive calls
Page 22
Sized Invariant
look(arr,lo,hi,key) = if (lo<=hi) then
                        let (m,x)=L4@H4@getmid(arr,lo,hi) in
                        let t=cmp(key,x) in
                        if (t<0) then look(arr,lo,m-1,key)
                        else if (t==0) then m
                        else look(arr,m+1,hi,key)
                      else -1
Sized type:
look :: (Arr^a Int, Int^l, Int^h, Int) → Int^r
  Size: (a>=0) ∧ ((l<=h) ∨ ((l>h) ∧ (r = -1)))
  Inv:  (a* = a) ∧ (l <= h) ∧ (l <= l*) ∧ (h* <= h) ∧ (2+2h+2h* <= l+3l*) ∧ (l+2h* <= h+2l*)
(Starred size variables a*, l*, h* are the sizes of the arguments at a recursive call.)
Page 23
Recursive Procedure
Two Checks:
  chkFst(L4) = 0<=l+h
  chkRec(L4) = 0<=l*+h*
Two Contexts:
  ctxFst(L4) = (l<=h)
  ctxRec(L4) = (l*<=h*) ∧ (a*=a) ∧ (l<=h) ∧ (l<=l*) ∧ (h*<=h) ∧ (2+2h+2h*<=l+3l*) ∧ (l+2h*<=h+2l*)
Two Preconditions:
  preFst(L4) = ctxFst(L4) ⇒ chkFst(L4)
             = (h<l) ∨ (0<=l+h)
  preRec(L4) = ∀l*,h*. ctxRec(L4) ⇒ chkRec(L4)
             = (h<=l) ∨ (0<=l<h) ∨ (l=-1 ∧ h=0)
Combined Precondition:
  pre(L4) = preFst(L4) ∧ preRec(L4) = (h<l) ∨ (0<=l+h ∧ 0<=l)
Page 24
Check Elimination : Steps
1. Context Synthesis
2. Pre-condition Derivation
3. From Pre-condition to Check
4. Bound Check Specialisation
Page 25
Converting Preconditions to Checks
• Interprocedural propagation: the safety pre-condition of a check in the callee becomes a check at each call site.
• Conversion formula used: chk(C) = ∃X. pre(L) ∧ subs(C)
  where C is the call site, L the check inside the callee, X the callee's size variables (projected out), and subs(C) the size substitution relating the callee's parameters to the caller's values at C.
Page 26
Converting Preconditions to Checks
look(arr,lo,hi,k) = … L4@H4@getmid(arr,lo,hi) …
pre(L4) = (h<l) ∨ (0<=l+h ∧ 0<=l)
pre(H4) = (h<l) ∨ (h<a ∧ l+h<2a)
bsearch(arr,key) = let v=length(arr) in
                   L5@H5@look(arr,0,v-1,key)
subs(L5) = subs(H5) = (l=0) ∧ (h=v-1)
chk(L5) = ∃l,h. pre(L4) ∧ subs(L5) = (v<=0) ∨ (1<=v)
chk(H5) = ∃l,h. pre(H4) ∧ subs(H5) = (v<=0) ∨ (v<=a ∧ v<=2a)
Page 27
Interprocedural Propagation
bsearch(arr,key) = let v=length(arr) in
                   L5@H5@look(arr,0,v-1,key)
chk(L5) = (v<=0 ∨ 1<=v)
chk(H5) = (v<=0 ∨ (v<=a ∧ v<=2a))
ctx(L5) = ctx(H5) = (a>=0 ∧ v=a)
pre(L5) = ctx(L5) ⇒ chk(L5) = ∀v. (a>=0 ∧ v=a) ⇒ (v<=0 ∨ 1<=v) = True
pre(H5) = ctx(H5) ⇒ chk(H5) = ∀v. (a>=0 ∧ v=a) ⇒ (v<=0 ∨ (v<=a ∧ v<=2a)) = True
Page 28
Check Elimination : Steps
1. Context Synthesis
2. Pre-condition Derivation
3. From Pre-condition to Check
4. Bound Check Specialisation
Page 29
Bound Check Specialisation
bsearch(arr,key) = let v=length(arr) in
                   L5@H5@look(arr,0,v-1,key)
pre(L5) = True, pre(H5) = True
Guided by each set of satisfiable pre-conditions (f_X = f st P is the version of f specialised to contexts where P holds, so the checks X are dropped):
look(arr,lo,hi,k) = … L4@H4@getmid(arr,lo,hi) …
look_L4H4(arr,l,h,k) = look(arr,l,h,k) st pre(L4) ∧ pre(H4)
                     = … getmid_LH(arr,lo,hi) …
getmid(arr,l,h) = … L@H@sub(arr,m) …
getmid_LH(arr,l,h) = getmid(arr,l,h) st pre(L) ∧ pre(H)
                   = … sub_LH(arr,m) …   (sub_LH: sub with both checks removed)
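The whole pipeline on the binary search, as an added example that is not the authors' code: the checked subscript of slide 2, the pre-conditions derived on slides 17, 23 and 26 written as predicates over the size variables, the specialised check-free version of this slide, and an exhaustive check on a small box of sizes that the derived pre-conditions are sufficient for every subscript in look to be in bounds (and, on this box, also necessary). It also exhibits the case that motivates the separate treatment of the recursive call: the first-call pre-condition alone admits a call that goes out of bounds. Slide labels L/H, L4/H4, L5/H5 are kept as names; the arrays, key values, box bounds and helper names are this example's own assumptions.

```python
"""Added example, not the authors' code: the talk's binary search, its derived
pre-conditions as Python predicates, and an exhaustive check of them."""


class OutOfBound(Exception):
    """Stands for the slide's  error "out of bound"."""


def sub(arr, i):
    # Checked subscript (slide 2).  The lower-bound test is explicit because
    # Python's arr[-1] would silently wrap around instead of failing.
    if not (0 <= i < len(arr)):
        raise OutOfBound(i)
    return arr[i]


def getmid(arr, lo, hi):
    # Floor division, so m satisfies 2m <= lo+hi <= 2m+1 as in getmid's sized
    # type.  Truncating division (C's /) would break this for lo+hi < 0.
    m = (lo + hi) // 2
    return m, sub(arr, m)                 # checks L and H happen inside sub


def look(arr, lo, hi, key):
    if lo <= hi:
        m, x = getmid(arr, lo, hi)        # call site L4@H4
        if key < x:
            return look(arr, lo, m - 1, key)
        if key == x:
            return m
        return look(arr, m + 1, hi, key)
    return -1


def bsearch(arr, key):
    return look(arr, 0, len(arr) - 1, key)   # call site L5@H5, v = len(arr)


def look_L4H4(arr, lo, hi, key):
    # look specialised to pre(L4) and pre(H4): the subscript is unchecked.
    if lo <= hi:
        m = (lo + hi) // 2
        x = arr[m]                        # sub_LH: no bound checks
        if key < x:
            return look_L4H4(arr, lo, m - 1, key)
        if key == x:
            return m
        return look_L4H4(arr, m + 1, hi, key)
    return -1


def bsearch_specialised(arr, key):
    # pre(L5) = pre(H5) = True, so the entry point may call the unchecked look.
    return look_L4H4(arr, 0, len(arr) - 1, key)


# Derived pre-conditions over the sizes a (array length), l, h and v.
def pre_L(l, h):      return 0 <= l + h                  # getmid, check L
def pre_H(l, h, a):   return l + h < 2 * a               # getmid, check H
def pre_fst_L4(l, h): return h < l or 0 <= l + h         # preFst(L4) alone
def pre_L4(l, h):     return h < l or (0 <= l + h and 0 <= l)
def pre_H4(l, h, a):  return h < l or (h < a and l + h < 2 * a)
def chk_L5(v):        return v <= 0 or 1 <= v            # pre(L4)[l=0, h=v-1]
def chk_H5(v, a):     return v <= 0 or (v <= a and v <= 2 * a)

BIG = 10 ** 9   # below / above every element of the constructed arrays


def _oob(f, *args):
    try:
        f(*args)
        return False
    except OutOfBound:
        return True


def _box(max_a, lo, hi):
    # Constructed inputs: sorted arrays of every size up to max_a and every
    # (l, h) in [lo, hi], including ranges lying partly outside the array.
    for a in range(max_a + 1):
        arr = list(range(a))
        for l in range(lo, hi + 1):
            for h in range(lo, hi + 1):
                yield a, arr, l, h


def validate_getmid(max_a=5, lo=-4, hi=8):
    """pre(L) and pre(H) hold exactly when getmid's subscript is in bounds."""
    return all((pre_L(l, h) and pre_H(l, h, a)) == (not _oob(getmid, arr, l, h))
               for a, arr, l, h in _box(max_a, lo, hi))


def validate_look(max_a=5, lo=-4, hi=8):
    """(sound, necessary): no key goes out of bounds when pre(L4) and pre(H4)
    hold; some key does whenever they do not."""
    sound = necessary = True
    for a, arr, l, h in _box(max_a, lo, hi):
        bad = any(_oob(look, arr, l, h, k) for k in arr + [-BIG, BIG])
        if pre_L4(l, h) and pre_H4(l, h, a):
            sound = sound and not bad
        else:
            necessary = necessary and bad
    return sound, necessary


def first_call_precondition_is_not_enough(max_a=5, lo=-4, hi=8):
    """First (a, l, h) admitted by preFst(L4) and pre(H4) but not by pre(L4)
    on which look goes out of bounds: the recursive call needs 0 <= l."""
    for a, arr, l, h in _box(max_a, lo, hi):
        if pre_fst_L4(l, h) and pre_H4(l, h, a) and not pre_L4(l, h):
            if _oob(look, arr, l, h, -BIG):
                return a, l, h
    return None


def entry_checks_are_redundant(max_a=20):
    """pre(L5) = pre(H5) = True: with v = a the converted checks always hold."""
    return all(chk_L5(a) and chk_H5(a, a) for a in range(max_a + 1))


def specialised_agrees(max_a=5):
    """bsearch_specialised returns what the checked bsearch returns."""
    return all(bsearch(arr, k) == bsearch_specialised(arr, k)
               for a, arr, l, h in _box(max_a, 0, 0) for k in arr + [-BIG, BIG])
```

first_call_precondition_is_not_enough() returns (2, -1, 1): for a two-element array and the range (-1, 1), preFst(L4) holds (l+h = 0), the first getmid reads index 0 safely, and a key smaller than every element recurses into look(arr, -1, -1), where m = -1. With the unchecked look_L4H4 that read would not fail in Python at all; it would silently return arr[-1], which is why the specialised version must only ever be reached through a call site whose pre-condition has been shown True, as bsearch's has.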
Page 30
Bound Check Specialisation
• Space-Time Trade-Off
• Polyvariant (a version for each context of use)
• Monovariant (a common minimal version)
• Duovariant (a minimal and a maximal version)
Page 31
Cost of Analysis (Constraint Solving)
Page 32
Contributions
• Combined Analysis
  • Forward Analysis for Context
  • Backward Analysis for Pre-condition
• Recursive Procedures
• Partial Redundancy without Code Motion.
• Guided Bound Check Specialisation.
Page 33
Future Work
• Higher-order and polymorphic extension
• Other Safety Checks.
• Component Analysis.
• Imperative Languages
Page 34
Previous Approaches
• Dataflow Analysis: fast but inaccurate
• Verification Method: requires theorem proving or a checker
• Abstract Interpretation: focused on total redundancy