shape analysis
TRANSCRIPT
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Shape Analysis
Nicola Corti & Alessandro Baroni
University of PisaStatic Analysis Techniques course
8 May 2014
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Index
Introduction
Semantic
Shape Graphs
The Analysis
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
What is the Shape Analysis?
Shape AnalysisAn intraprocedural analysis aimed to figure out the shape ofan heap-allocated memory.
1. Extend the While language with command for heapmanagement,
2. Present an abstract representation for the heapmemory,
3. Present the analysis like a monotone framework.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Use case of the Shape Analysis
I nil-pointer dereferencing,I Checking field existence (e.g. a.sel := 1, what if a
does not have a sel field?),I Validating properties of data structure shape (e.g. a
non-cyclic structure is still non-cyclic after acomputation).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Selectors and Pointers
Selectorssel ∈ Sel
Pointers
p ∈ PExpp ::= x | x.sel
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Extended Syntax
The extended syntax with pointers
a ::= p | n | a1 opa a2 | nil
b ::= true | false | not b | b1 opb b2 | a1 opr a2 | opp pS ::= [p := a]` | [skip]` | S1; S2 | if [b]` then S1 else S2 |
while [b]` do S | [malloc p]`
Note that opr now accept two operands of type a, such astwo pointer (for an operation such as are-equals) and theoperator opp accept one pointer operands (think atoperations like is-nil).
The operator [malloc p]` allow to allocate new space in theheap.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Structural Operational Semantics
We add values for locations:
ξ ∈ Loc
From now on a configuration of the semantics will becomposed by a state and a heap
σ ∈ State = Var∗ → (Z + Loc + {�})H ∈ Heap = (Loc× Sel)→fin (Z + Loc + {�})
Note that the heap H need a Loc and a Sel to return avalue. The →fin represent the fact that not all the selectorfields will be defined. The value � represent the nil value.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Structural Operational Semantics
We add values for locations:
ξ ∈ Loc
From now on a configuration of the semantics will becomposed by a state and a heap
σ ∈ State = Var∗ → (Z + Loc + {�})H ∈ Heap = (Loc× Sel)→fin (Z + Loc + {�})
Note that the heap H need a Loc and a Sel to return avalue. The →fin represent the fact that not all the selectorfields will be defined. The value � represent the nil value.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Structural Operational Semantics
We add values for locations:
ξ ∈ Loc
From now on a configuration of the semantics will becomposed by a state and a heap
σ ∈ State = Var∗ → (Z + Loc + {�})H ∈ Heap = (Loc× Sel)→fin (Z + Loc + {�})
Note that the heap H need a Loc and a Sel to return avalue. The →fin represent the fact that not all the selectorfields will be defined. The value � represent the nil value.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Pointer Expressions
We need to define a new semantic function for pointers
℘ : PExp∗ → (State×Heap)→fin (Z + Loc + {�})
℘JxK(σ,H) = σ(x)
℘Jx.selK(σ,H) =
H(σ(x), sel)if σ(x) ∈ Loc ∧H is defined on (σ(x), sel)
undefif σ(x) 6∈ Loc ∨H is undefined on (σ(x), sel)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Arithmetic & Boolean Expressions
We need to update the older semantic function to work withthe new heap:
A : AExp→ (State×Heap)→fin (Z + Loc + {�})B : BExp→ (State×Heap)→fin T
The new clause for arithmetic function are:
AJpK(σ,H) = ℘JpK(σ,H)AJnK(σ,H) = N JnK
AJa1 opa a2K(σ,H) = AJa1K(σ,H) opa AJa2K(σ,H)AJnilK(σ,H) = �
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Arithmetic & Boolean Expressions
The new clause for boolean function are:
BJa1 opr a2K(σ,H) = AJa1K(σ,H) opr AJa2K(σ,H)BJopp pK(σ,H) = opp (℘JpK(σ,H))
Note that the meaning of opa and opr must be undefined ifthe types are not the same (e.g. two integers or twopointers).
is-nil(v) ={
tt if v = �ff otherwise
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Statements
We extended the statements rules with the heap:
〈[x := a]`, σ,H〉 → 〈σ[x 7→ AJaK(σ,H)],H〉if AJaK(σ,H) is defined
〈[x.sel := a]`, σ,H〉 → 〈σ,H[(σ(x), sel) 7→ AJaK(σ,H)]〉if σ(x) ∈ Loc and AJaK(σ,H) is defined
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Statements
We extended the statements rules with the heap:
〈[x := a]`, σ,H〉 → 〈σ[x 7→ AJaK(σ,H)],H〉if AJaK(σ,H) is defined
〈[x.sel := a]`, σ,H〉 → 〈σ,H[(σ(x), sel) 7→ AJaK(σ,H)]〉if σ(x) ∈ Loc and AJaK(σ,H) is defined
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Statements
We add rules for the malloc statement, to allow allocationof new cells.
〈[malloc x]`, σ,H〉 → 〈σ[x 7→ ξ],H〉where ξ is fresh within σ and H
〈[malloc x.sel]`, σ,H〉 → 〈σ,H[(σ(x), sel) 7→ ξ]〉where ξ is fresh within σ and H and σ(x) ∈ Loc
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Statements
We add rules for the malloc statement, to allow allocationof new cells.
〈[malloc x]`, σ,H〉 → 〈σ[x 7→ ξ],H〉where ξ is fresh within σ and H
〈[malloc x.sel]`, σ,H〉 → 〈σ,H[(σ(x), sel) 7→ ξ]〉where ξ is fresh within σ and H and σ(x) ∈ Loc
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Why we need shape graphs?Obviously the heap can grow arbitrarily large, but we want away
- to work with a finite representation,- to combine the location of the semantics in a finite
number of abstract locations.
Shape GraphsWe introduce the shape graphs, an abstract representationfor heap and state composed by:
S abstract state,H abstract heap,is sharing informations.
The is component allow us to recover the imprecision due tocombining a set of location into an abstract location.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Why we need shape graphs?Obviously the heap can grow arbitrarily large, but we want away
- to work with a finite representation,- to combine the location of the semantics in a finite
number of abstract locations.
Shape GraphsWe introduce the shape graphs, an abstract representationfor heap and state composed by:
S abstract state,H abstract heap,is sharing informations.
The is component allow us to recover the imprecision due tocombining a set of location into an abstract location.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Why we need shape graphs?Obviously the heap can grow arbitrarily large, but we want away
- to work with a finite representation,- to combine the location of the semantics in a finite
number of abstract locations.
Shape GraphsWe introduce the shape graphs, an abstract representationfor heap and state composed by:
S abstract state,H abstract heap,is sharing informations.
The is component allow us to recover the imprecision due tocombining a set of location into an abstract location.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
How do we proceed
First of all we will define what areI abstract location,I abstract state,I abstract heap,I sharing information.
Then we will present how to go from a couple (σ,H) to ashape graph (S,H, is).
We will do it by introducing Five Invariants.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
How do we proceed
First of all we will define what areI abstract location,I abstract state,I abstract heap,I sharing information.
Then we will present how to go from a couple (σ,H) to ashape graph (S,H, is).
We will do it by introducing Five Invariants.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract Location
We define an abstract location such as:
ALoc = {nX | X ⊆ Var∗}
The idea is that if x ∈ X then the abstract location nX willrepresent the location σ(x).
We introduce even the abstract summary location n∅ thatwill represent all the location that we can’t reach directlyfrom σ.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract Location
We define an abstract location such as:
ALoc = {nX | X ⊆ Var∗}
The idea is that if x ∈ X then the abstract location nX willrepresent the location σ(x).
We introduce even the abstract summary location n∅ thatwill represent all the location that we can’t reach directlyfrom σ.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract Location
Abstract location represent disjoint sets of locations.
If we consider two different abstract locations nX and nY ,they could be the same (X = Y ) or the are disjoint(X ∩Y = ∅). It can be easily proved, considering X 6= Yand taking a z ∈ X ∩Y .
Invariant 1If two abstract location nX and nY occur in the sameshape graph the either X = Y or X ∩Y = ∅.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract Location
Abstract location represent disjoint sets of locations.
If we consider two different abstract locations nX and nY ,they could be the same (X = Y ) or the are disjoint(X ∩Y = ∅). It can be easily proved, considering X 6= Yand taking a z ∈ X ∩Y .
Invariant 1If two abstract location nX and nY occur in the sameshape graph the either X = Y or X ∩Y = ∅.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract State
The abstract state S is used to map variables to abstractlocations
S ∈ AState = P(Var∗ ×ALoc)
We shall ensure that
Invariant 2If x is mapped to nX by the abstract state then x ∈ X
From Invariant 1 follows that it will be at most one abstractlocation in the shape graph for each variable in the state.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract State
The abstract state S is used to map variables to abstractlocations
S ∈ AState = P(Var∗ ×ALoc)
We shall ensure that
Invariant 2If x is mapped to nX by the abstract state then x ∈ X
From Invariant 1 follows that it will be at most one abstractlocation in the shape graph for each variable in the state.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract Heaps
The abstract state H is used to specify links within abstractlocations.
H ∈ AHeap = P(ALoc× Sel×ALoc)
The links are specified by triples such as (nX , sel,nY ).The idea is that if H(ξ1, sel) = ξ2 and ξ1 and ξ2 arerepresented by nX and nY respectively, then(nX , sel,nY ) ∈ H.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract Heaps
The abstract state H is used to specify links within abstractlocations.
H ∈ AHeap = P(ALoc× Sel×ALoc)
The links are specified by triples such as (nX , sel,nY ).The idea is that if H(ξ1, sel) = ξ2 and ξ1 and ξ2 arerepresented by nX and nY respectively, then(nX , sel,nY ) ∈ H.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract Heaps
Please note that in heap H there will be at most onelocation ξ2 such that H(ξ1, sel) = ξ2.
This is not completely true in abstract heaps: consider thelocation n∅, it will represent several locations pointing toseveral locations (all the not reaching locations).
We shall ensure that
Invariant 3Whenever (nV , sel,nW ) and (nV , sel,nW ′) are in theabstract heap, then either V = ∅ or W = W ′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract Heaps
Please note that in heap H there will be at most onelocation ξ2 such that H(ξ1, sel) = ξ2.
This is not completely true in abstract heaps: consider thelocation n∅, it will represent several locations pointing toseveral locations (all the not reaching locations).
We shall ensure that
Invariant 3Whenever (nV , sel,nW ) and (nV , sel,nW ′) are in theabstract heap, then either V = ∅ or W = W ′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Abstract Heaps
Please note that in heap H there will be at most onelocation ξ2 such that H(ξ1, sel) = ξ2.
This is not completely true in abstract heaps: consider thelocation n∅, it will represent several locations pointing toseveral locations (all the not reaching locations).
We shall ensure that
Invariant 3Whenever (nV , sel,nW ) and (nV , sel,nW ′) are in theabstract heap, then either V = ∅ or W = W ′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
A little Example
[y := nil]1;while [not is-nil(x)]2 do
([z := y]3; [y := x]4; [x := x.cdr]5; [y.cdr := z]6);[z := nil]7
x
y
z
ξ1 ξ2 ξ3 ξ4 ξ5
cdr cdr cdr cdr cdr
Heap
x n {x} n Øcdr
cdr
ShapeGraph
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
A little Example
[y := nil]1;while [not is-nil(x)]2 do
([z := y]3; [y := x]4; [x := x.cdr]5; [y.cdr := z]6);[z := nil]7
x
y
z
ξ2 ξ3 ξ4 ξ5
cdr cdr cdr
ξ1
cdr
cdr
Heap
x
y
n {x} n Øcdr
cdr
n {y}
ShapeGraph
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
A little Example
[y := nil]1;while [not is-nil(x)]2 do
([z := y]3; [y := x]4; [x := x.cdr]5; [y.cdr := z]6);[z := nil]7
x
y
z
ξ3 ξ4 ξ5
cdr cdr cdr
ξ2
cdrξ1
cdr
Heap
x
y
z
n {x} n Øcdr
cdr
n {y} n {z}cdr
ShapeGraph
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
A little Example
[y := nil]1;while [not is-nil(x)]2 do
([z := y]3; [y := x]4; [x := x.cdr]5; [y.cdr := z]6);[z := nil]7
x
y
z
ξ4 ξ5
cdr cdr
ξ3
cdrξ2
cdrξ1
cdr
Heap
x
y
z
n {x} n Øcdr
n {y} n {z}cdr
cdr ShapeGraph
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
A little Example
[y := nil]1;while [not is-nil(x)]2 do
([z := y]3; [y := x]4; [x := x.cdr]5; [y.cdr := z]6);[z := nil]7
x
y
z
ξ4
cdr
ξ4
cdrξ3
cdrξ2
cdrξ1
cdr
Heap
x
y
z
n {x} n Ø
n {y} n {z}cdr
cdr
cdr
ShapeGraph
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
A little Example
[y := nil]1;while [not is-nil(x)]2 do
([z := y]3; [y := x]4; [x := x.cdr]5; [y.cdr := z]6);[z := nil]7
x
y
z
ξ5
cdrξ4
cdrξ3
cdrξ2
cdrξ1
cdr
Heap
y
z
n Ø
n {y} n {z}cdr
cdr
cdr
ShapeGraph
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Sharing Informations
Heap Representation Shape Graph
x ξ1 ξ2 ξ3
cdr cdr
ξ5y
ξ4
cdr
cdrcdr
x
y
n {x} n Øcdr
cdr
n {y}cdr
We want to represent a set is of locations that are shareddue to pointers in the heap.The idea is that if an abstract location nX will be includedin is if it is a target of two or more pointer in the heap.
We must assure that the sharing information inside is isconsistent with the information inside the abstract heap H.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Sharing Informations
Heap Representation Shape Graph
x ξ1 ξ2 ξ3
cdr cdr
y
ξ5
cdrcdr
ξ4
cdrx
y
n {x} n Øcdr
cdr
n {y}cdr
We want to represent a set is of locations that are shareddue to pointers in the heap.The idea is that if an abstract location nX will be includedin is if it is a target of two or more pointer in the heap.
We must assure that the sharing information inside is isconsistent with the information inside the abstract heap H.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Sharing Informations
Heap Representation Shape Graph
x
ξ2 ξ3 ξ4
cdr cdr
y
ξ5
cdrcdr
ξ1
cdrx
y
n {x} n Ø
cdr
n {y}cdr
cdr
We want to represent a set is of locations that are shareddue to pointers in the heap.The idea is that if an abstract location nX will be includedin is if it is a target of two or more pointer in the heap.
We must assure that the sharing information inside is isconsistent with the information inside the abstract heap H.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Sharing Informations
So we impose two different invariants
Invariant 4If nX ∈ is then either(a) (n∅, sel,nX ) is in the abstract heap for some sel, or(b) there exists two distinct triples (nV , sel1,nX ) and
(nW , sel2,nX ) into the abstract heap (that is eithersel1 6= sel2 or V 6= W ).
Invariant 4 imposes that the information in the sharingcomponent is is reflected into the abstract heap.
Case 4(a) takes care of cases where there are links betweenn∅ and nX in the heap; Case 4(b) takes care of cases wherethere are link between different pointers (distinct source orselector) to nX .
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Sharing Informations
So we impose two different invariants
Invariant 4If nX ∈ is then either(a) (n∅, sel,nX ) is in the abstract heap for some sel, or(b) there exists two distinct triples (nV , sel1,nX ) and
(nW , sel2,nX ) into the abstract heap (that is eithersel1 6= sel2 or V 6= W ).
Invariant 4 imposes that the information in the sharingcomponent is is reflected into the abstract heap.
Case 4(a) takes care of cases where there are links betweenn∅ and nX in the heap; Case 4(b) takes care of cases wherethere are link between different pointers (distinct source orselector) to nX .
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Sharing Informations
So we impose two different invariants
Invariant 4If nX ∈ is then either(a) (n∅, sel,nX ) is in the abstract heap for some sel, or(b) there exists two distinct triples (nV , sel1,nX ) and
(nW , sel2,nX ) into the abstract heap (that is eithersel1 6= sel2 or V 6= W ).
Invariant 4 imposes that the information in the sharingcomponent is is reflected into the abstract heap.
Case 4(a) takes care of cases where there are links betweenn∅ and nX in the heap; Case 4(b) takes care of cases wherethere are link between different pointers (distinct source orselector) to nX .
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Sharing Informations
Invariant 5 imposes that the information in the abstractheap H is reflected into the sharing component.
Invariant 5Whenever there are two distinct triples (nV , sel1,nX ) and(nW , sel2,nX ) in the abstract heap and nX 6= n∅ thennX ∈ is.
Note that Invariant 5 is the “inverse” of 4(b). We don’t havean “inverse” of case 4(a), the presence of a pointer from n∅to nX in H does not give information concerning sharing.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Sharing Informations and n∅
Taking in consideration the abstract summary location n∅:
If n∅ ∈ is then it will be at least one locationrepresented by n∅ that is a target by two ormore pointers.
Heap Shape Graph
x
y
sel
sel
ξ1
ξ3
ξ2
ξ4
sel
x
y
n {x} n Øsel
n {y}
selsel
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Sharing Informations and n∅
Taking in consideration the abstract summary location n∅:
If n∅ 6∈ is then all the location represented by n∅ will betarget by at most one pointer (Does not exista location with two incoming edge).
Heap Shape Graph
x
y
sel
sel
ξ1
ξ3
ξ2
ξ4
x
y
n {x} n Øsel
n {y}
sel
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Summarize
To summarize a shape graph is composed by:
S ∈ AState = P(Var∗ ×ALoc)H ∈ AHeap = P(ALoc× Sel×ALoc)is ∈ IsShared = P(ALoc)
where
ALoc = {nZ | Z ⊆ Var∗}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Compatible Shape Graph
We say that a shape graph is compatible if it fulfil the 5invariants:
1. ∀nV ,nW ∈ ALoc(S) ∪ALoc(H) ∪ is : (V = W ) ∨ (V ∩W = ∅)2. ∀(x,nX) ∈ S : x ∈ X3. ∀(nV , sel,nW ), (nV , sel,nW ′ ) ∈ H : (V = ∅) ∨ (W = W ′)
4.∀nX ∈ is : (∃sel : (n∅, sel,nX) ∈ H) ∨
(∃(nV , sel1,nX), (nW , sel2,nX) ∈ H :sel1 6= sel2 ∨V 6= W )
5. ∀(nV , sel1,nX), (nW , sel2,nX) ∈ H :((sel1 6= sel2 ∨V 6= W ) ∧X 6= ∅)⇒ nX ∈ is
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Compatible Shape Graph
The sets of compatible shape graphs is denoted by
SG = {(S,H,is) | (S,H,is) is compatible}
Our analysis will work on sets of compatible shape graphs(elements of P(SG)).
P(SG) is trivially a complete lattice, with t being ∪ andv being ⊆.
P(SG) is obviously finite becauseSG ⊆ AState×AHeap× IsShared, and AState,AHeap and IsShared are finite.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Compatible Shape Graph
The sets of compatible shape graphs is denoted by
SG = {(S,H,is) | (S,H,is) is compatible}
Our analysis will work on sets of compatible shape graphs(elements of P(SG)).
P(SG) is trivially a complete lattice, with t being ∪ andv being ⊆.
P(SG) is obviously finite becauseSG ⊆ AState×AHeap× IsShared, and AState,AHeap and IsShared are finite.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Compatible Shape Graph
The sets of compatible shape graphs is denoted by
SG = {(S,H,is) | (S,H,is) is compatible}
Our analysis will work on sets of compatible shape graphs(elements of P(SG)).
P(SG) is trivially a complete lattice, with t being ∪ andv being ⊆.
P(SG) is obviously finite becauseSG ⊆ AState×AHeap× IsShared, and AState,AHeap and IsShared are finite.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
Compatible Shape Graph
The sets of compatible shape graphs is denoted by
SG = {(S,H,is) | (S,H,is) is compatible}
Our analysis will work on sets of compatible shape graphs(elements of P(SG)).
P(SG) is trivially a complete lattice, with t being ∪ andv being ⊆.
P(SG) is obviously finite becauseSG ⊆ AState×AHeap× IsShared, and AState,AHeap and IsShared are finite.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
The Analysis
We introduce the analysis Shape as an instance of aMonotone Framework. For every labeled program S∗ weproduce a sets of equations of the form.
Shape◦(`) ={
ι if` = init(S∗)⋃{Shape•(`′) | (`′, `) ∈ flow(S∗)} otherwise
Shape•(`) = f SA` (Shape◦(`))
Where ι ∈ P(SG) is the extremal value at entry of S∗ andf SA` is the transfer function.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
The Analysis
We introduce the analysis Shape as an instance of aMonotone Framework. For every labeled program S∗ weproduce a sets of equations of the form.
Shape◦(`) ={
ι if` = init(S∗)⋃{Shape•(`′) | (`′, `) ∈ flow(S∗)} otherwise
Shape•(`) = f SA` (Shape◦(`))
Where ι ∈ P(SG) is the extremal value at entry of S∗ andf SA` is the transfer function.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
The Analysis
We introduce the analysis Shape as an instance of aMonotone Framework. For every labeled program S∗ weproduce a sets of equations of the form.
Shape◦(`) ={
ι if` = init(S∗)⋃{Shape•(`′) | (`′, `) ∈ flow(S∗)} otherwise
Shape•(`) = f SA` (Shape◦(`))
Where ι ∈ P(SG) is the extremal value at entry of S∗ andf SA` is the transfer function.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
The Analysis
The analysis Shape is a forward analysis, because it’sdefined using the set flow(S∗).
It’s also a may analysis since we are using the⋃
operatorfor combining results gathered from the flow(S∗).
The transfer function f SA` : P(SG)→ P(SG) has the
form:
f SA` (SG) =
⋃{φSA
` ((S,H, is)) | (S,H, is) ∈ SG}
The function φSA` has to be developed right now.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
The Analysis
The analysis Shape is a forward analysis, because it’sdefined using the set flow(S∗).
It’s also a may analysis since we are using the⋃
operatorfor combining results gathered from the flow(S∗).
The transfer function f SA` : P(SG)→ P(SG) has the
form:
f SA` (SG) =
⋃{φSA
` ((S,H, is)) | (S,H, is) ∈ SG}
The function φSA` has to be developed right now.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
The Analysis
The analysis Shape is a forward analysis, because it’sdefined using the set flow(S∗).
It’s also a may analysis since we are using the⋃
operatorfor combining results gathered from the flow(S∗).
The transfer function f SA` : P(SG)→ P(SG) has the
form:
f SA` (SG) =
⋃{φSA
` ((S,H, is)) | (S,H, is) ∈ SG}
The function φSA` has to be developed right now.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
The function φSA`
The function φSA` : SG→ P(SG) specifies how a single
graph in Shape◦(`) is transformed into a set of graph inShape•(`)
We present the φSA` function for all the different kind of
statements.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
The function φSA`
The function φSA` : SG→ P(SG) specifies how a single
graph in Shape◦(`) is transformed into a set of graph inShape•(`)
We present the φSA` function for all the different kind of
statements.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[b]` and [skip]`
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[b]` and [skip]`
Since [b]` and [skip]` does not modify the heap, the φSA`
function is just the identity functions, remember that we areinterested in the heap shape.
φSA` ((S,H, is)) = {(S,H, is)}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[b]` and [skip]`
Since [b]` and [skip]` does not modify the heap, the φSA`
function is just the identity functions, remember that we areinterested in the heap shape.
φSA` ((S,H, is)) = {(S,H, is)}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := a]`
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := a]`
We consider [x := a]` in the case where a is of the form n,a1 opa a2 or nil.
We must remove the binding of x and rename all theabstract location that contains x.
kx(nZ ) = nZ\{x}
So we take
φSA` ((S,H, is)) = {killx(S,H, is)}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := a]`
We consider [x := a]` in the case where a is of the form n,a1 opa a2 or nil.
We must remove the binding of x and rename all theabstract location that contains x.
kx(nZ ) = nZ\{x}
So we take
φSA` ((S,H, is)) = {killx(S,H, is)}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := a]`
We consider [x := a]` in the case where a is of the form n,a1 opa a2 or nil.
We must remove the binding of x and rename all theabstract location that contains x.
kx(nZ ) = nZ\{x}
So we take
φSA` ((S,H, is)) = {killx(S,H, is)}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := a]`
Where killx(S,H, is) = (S′,H′, is′) is given by
S′ = {(z, kx(nZ )) | (z,nZ ) ∈ S ∧ z 6= x}H′ = {(kx(nV ), sel, kx(nW )) | (nV , sel,nW ) ∈ H}is′ = {(kx(nX )) | nX ∈ is}
It’s easy to prove that if (S,H, is) is compatible, even(S′,H′, is′) is compatible.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := a]`
Where killx(S,H, is) = (S′,H′, is′) is given by
S′ = {(z, kx(nZ )) | (z,nZ ) ∈ S ∧ z 6= x}H′ = {(kx(nV ), sel, kx(nW )) | (nV , sel,nW ) ∈ H}is′ = {(kx(nX )) | nX ∈ is}
It’s easy to prove that if (S,H, is) is compatible, even(S′,H′, is′) is compatible.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
If (x , n{x}) is in S?
If (x,n{x}) is in S then the two abstract location n{x} andn∅ will be merged.
From this we can deduce that n∅ will be unshared if bothn{x} and n∅ was unshared.
Garbage CollectionPlease note that our analysis does not provide a garbagecollector, so if n{x} has no heap pointer, it is unreachable.Consider that there will be a pointer from n∅ to the locationthat n{x} might point to.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
If (x , n{x}) is in S?
If (x,n{x}) is in S then the two abstract location n{x} andn∅ will be merged.
From this we can deduce that n∅ will be unshared if bothn{x} and n∅ was unshared.
Garbage CollectionPlease note that our analysis does not provide a garbagecollector, so if n{x} has no heap pointer, it is unreachable.Consider that there will be a pointer from n∅ to the locationthat n{x} might point to.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
If (x , n{x}) is in S?
If (x,n{x}) is in S then the two abstract location n{x} andn∅ will be merged.
From this we can deduce that n∅ will be unshared if bothn{x} and n∅ was unshared.
Garbage CollectionPlease note that our analysis does not provide a garbagecollector, so if n{x} has no heap pointer, it is unreachable.Consider that there will be a pointer from n∅ to the locationthat n{x} might point to.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := a]`
x n {x} n Wsel2
n V
sel1
n Ø
(S,H, is)
sel2
n Ø
n W
n Vsel1
(S′,H′, is′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y]`
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y]`
if x = y the f SA` is just the identity function.
if x 6= y then we execute the following steps:1. We remove the old binding for x with killx ,2. We update the abstract location that contains y adding{x} to the variable sets.
This can be done with
gyx (nZ ) =
{nZ∪{x} if y ∈ ZnZ otherwise
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y]`
if x = y the f SA` is just the identity function.
if x 6= y then we execute the following steps:1. We remove the old binding for x with killx ,2. We update the abstract location that contains y adding{x} to the variable sets.
This can be done with
gyx (nZ ) =
{nZ∪{x} if y ∈ ZnZ otherwise
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y]`
if x = y the f SA` is just the identity function.
if x 6= y then we execute the following steps:1. We remove the old binding for x with killx ,2. We update the abstract location that contains y adding{x} to the variable sets.
This can be done with
gyx (nZ ) =
{nZ∪{x} if y ∈ ZnZ otherwise
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y]`
So we take
φSA` ((S,H, is)) = {(S′′,H′′, is′′)}
Where (S′,H′, is′) = killx((S,H, is)) and
S′′ = {(z, gyx (nZ )) | (z,nZ ) ∈ S′}
∪ {(x, gyx (nY )) | (y′,nY ) ∈ S′ ∧ y′ = y}
H′′ = {(gyx (nV ), sel, gy
x (nW )) | (nV , sel,nW ) ∈ H′}is′′ = {gy
x (nZ ) | nZ ∈ is′}
Again it’s easy to prove that if (S,H, is) is compatible, even(S′′,H′′, is′′) is compatible.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y]`
So we take
φSA` ((S,H, is)) = {(S′′,H′′, is′′)}
Where (S′,H′, is′) = killx((S,H, is)) and
S′′ = {(z, gyx (nZ )) | (z,nZ ) ∈ S′}
∪ {(x, gyx (nY )) | (y′,nY ) ∈ S′ ∧ y′ = y}
H′′ = {(gyx (nV ), sel, gy
x (nW )) | (nV , sel,nW ) ∈ H′}is′′ = {gy
x (nZ ) | nZ ∈ is′}
Again it’s easy to prove that if (S,H, is) is compatible, even(S′′,H′′, is′′) is compatible.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y]`
So we take
φSA` ((S,H, is)) = {(S′′,H′′, is′′)}
Where (S′,H′, is′) = killx((S,H, is)) and
S′′ = {(z, gyx (nZ )) | (z,nZ ) ∈ S′}
∪ {(x, gyx (nY )) | (y′,nY ) ∈ S′ ∧ y′ = y}
H′′ = {(gyx (nV ), sel, gy
x (nW )) | (nV , sel,nW ) ∈ H′}is′′ = {gy
x (nZ ) | nZ ∈ is′}
Again it’s easy to prove that if (S,H, is) is compatible, even(S′′,H′′, is′′) is compatible.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y]`
S′′ = {(z, gyx (nZ )) | (z,nZ ) ∈ S′}
∪ {(x, gyx (nY )) | (y′,nY ) ∈ S′ ∧ y′ = y}
H′′ = {(gyx (nV ), sel, gy
x (nW )) | (nV , sel,nW ) ∈ H′}is′′ = {gy
x (nZ ) | nZ ∈ is′}
Please note that the clause in blue is the adding of thebinding of x.The sharing information of nY∪{x} in inherited from nY .
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y]`
A little example when x 6= y.
x n X
n Ysel2
sel1
n V
n Wy
(S,H, is)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y]`
A little example when x 6= y.
x n X\{x}
n Y∪{x}sel2
sel1
n V
n Wy
(S′′,H′′, is′′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel ]`
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]`
If x = y the assignment is equivalent to:
[t := y.sel]`1 ; [x := t]`2 ; [t := nil]`3 ;
Where t is a fresh variable and `1, `2 and `3 are freshlabels.
We can obtain the transfer function f SA` as a composition:
f SA` = f SA
`3 ◦ f SA`2 ◦ f SA
`1
So f SA`2
and f SA`3
can be computed using the same pattern asbefore. We concentrate on f SA
`1(or similar in the case when
x 6= y).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]`
If x = y the assignment is equivalent to:
[t := y.sel]`1 ; [x := t]`2 ; [t := nil]`3 ;
Where t is a fresh variable and `1, `2 and `3 are freshlabels.
We can obtain the transfer function f SA` as a composition:
f SA` = f SA
`3 ◦ f SA`2 ◦ f SA
`1
So f SA`2
and f SA`3
can be computed using the same pattern asbefore. We concentrate on f SA
`1(or similar in the case when
x 6= y).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]`
First of all we remove the old binding for x:
(S′,H′, is′) = killx((S,H, is))
Then we must rename the abstract location correspondingto y.sel to include x into the variable set, then we must addthe new binding for x. We can have 3 different cases:
1. There is no abstract location nY such that(y,nY ) ∈ S′, or it exist but there is no nZ such that(nY , sel,nZ ) ∈ H′.
2. There is an abstract location nY such that (y,nY ) ∈ S′and there is a nU 6= n∅ such that (nY , sel,nU ) ∈ H′.
3. There is an abstract location nY such that (y,nY ) ∈ S′and there is a triple such that (nY , sel,n∅) ∈ H′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]`
First of all we remove the old binding for x:
(S′,H′, is′) = killx((S,H, is))
Then we must rename the abstract location correspondingto y.sel to include x into the variable set, then we must addthe new binding for x. We can have 3 different cases:
1. There is no abstract location nY such that(y,nY ) ∈ S′, or it exist but there is no nZ such that(nY , sel,nZ ) ∈ H′.
2. There is an abstract location nY such that (y,nY ) ∈ S′and there is a nU 6= n∅ such that (nY , sel,nU ) ∈ H′.
3. There is an abstract location nY such that (y,nY ) ∈ S′and there is a triple such that (nY , sel,n∅) ∈ H′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]`
First of all we remove the old binding for x:
(S′,H′, is′) = killx((S,H, is))
Then we must rename the abstract location correspondingto y.sel to include x into the variable set, then we must addthe new binding for x. We can have 3 different cases:
1. There is no abstract location nY such that(y,nY ) ∈ S′, or it exist but there is no nZ such that(nY , sel,nZ ) ∈ H′.
2. There is an abstract location nY such that (y,nY ) ∈ S′and there is a nU 6= n∅ such that (nY , sel,nU ) ∈ H′.
3. There is an abstract location nY such that (y,nY ) ∈ S′and there is a triple such that (nY , sel,n∅) ∈ H′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]`
First of all we remove the old binding for x:
(S′,H′, is′) = killx((S,H, is))
Then we must rename the abstract location correspondingto y.sel to include x into the variable set, then we must addthe new binding for x. We can have 3 different cases:
1. There is no abstract location nY such that(y,nY ) ∈ S′, or it exist but there is no nZ such that(nY , sel,nZ ) ∈ H′.
2. There is an abstract location nY such that (y,nY ) ∈ S′and there is a nU 6= n∅ such that (nY , sel,nU ) ∈ H′.
3. There is an abstract location nY such that (y,nY ) ∈ S′and there is a triple such that (nY , sel,n∅) ∈ H′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]`
First of all we remove the old binding for x:
(S′,H′, is′) = killx((S,H, is))
Then we must rename the abstract location correspondingto y.sel to include x into the variable set, then we must addthe new binding for x. We can have 3 different cases:
1. There is no abstract location nY such that(y,nY ) ∈ S′, or it exist but there is no nZ such that(nY , sel,nZ ) ∈ H′.
2. There is an abstract location nY such that (y,nY ) ∈ S′and there is a nU 6= n∅ such that (nY , sel,nU ) ∈ H′.
3. There is an abstract location nY such that (y,nY ) ∈ S′and there is a triple such that (nY , sel,n∅) ∈ H′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 1
In the case where there is no abstract location nY such that(y,nY ) ∈ S′ we simply take:
φSA` ((S,H, is)) = killx((S,H, is))
In the case where there is no nZ such that(nY , sel,nZ ) ∈ H′ we again take
φSA` ((S,H, is)) = killx((S,H, is))
In both case there is no binding to add, so we simply removethe old binding for x. The first case is the case ofde-referencing of nil-pointer, the second case is the case ofde-referencing of non-existing fields.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 1
In the case where there is no abstract location nY such that(y,nY ) ∈ S′ we simply take:
φSA` ((S,H, is)) = killx((S,H, is))
In the case where there is no nZ such that(nY , sel,nZ ) ∈ H′ we again take
φSA` ((S,H, is)) = killx((S,H, is))
In both case there is no binding to add, so we simply removethe old binding for x. The first case is the case ofde-referencing of nil-pointer, the second case is the case ofde-referencing of non-existing fields.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 1
In the case where there is no abstract location nY such that(y,nY ) ∈ S′ we simply take:
φSA` ((S,H, is)) = killx((S,H, is))
In the case where there is no nZ such that(nY , sel,nZ ) ∈ H′ we again take
φSA` ((S,H, is)) = killx((S,H, is))
In both case there is no binding to add, so we simply removethe old binding for x. The first case is the case ofde-referencing of nil-pointer, the second case is the case ofde-referencing of non-existing fields.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 2
We consider the case where there is an abstract location nYsuch that (y,nY ) ∈ S′ and there is a nU 6= n∅ such that(nY , sel,nU ) ∈ H′.
We must rename nU to include x into the variable set usingthe function:
hUx (nZ ) =
{nZ∪{x} if Z = UnZ otherwise
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 2
We consider the case where there is an abstract location nYsuch that (y,nY ) ∈ S′ and there is a nU 6= n∅ such that(nY , sel,nU ) ∈ H′.
We must rename nU to include x into the variable set usingthe function:
hUx (nZ ) =
{nZ∪{x} if Z = UnZ otherwise
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 2
So we take
φSA` ((S,H, is)) = {(S′′,H′′, is′′)}
Where (S′,H′, is′) = killx((S,H, is)) and
S′′ = {(z, hUx (nZ )) | (z,nZ ) ∈ S′} ∪ {(x, hU
x (nU ))}H′′ = {(hU
x (nV ), sel, hUx (nW )) | (nV , sel,nW ) ∈ H′}
is′′ = {hUx (nZ ) | nZ ∈ is′}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 2
So we take
φSA` ((S,H, is)) = {(S′′,H′′, is′′)}
Where (S′,H′, is′) = killx((S,H, is)) and
S′′ = {(z, hUx (nZ )) | (z,nZ ) ∈ S′} ∪ {(x, hU
x (nU ))}H′′ = {(hU
x (nV ), sel, hUx (nW )) | (nV , sel,nW ) ∈ H′}
is′′ = {hUx (nZ ) | nZ ∈ is′}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 2
S′′ = {(z, hUx (nZ )) | (z,nZ ) ∈ S′} ∪ {(x, hU
x (nU ))}
The clause in blue represent the adding of the new bindingfor x.
As before nU∪{x} is shared in (H′′) if and only if nU wasshared in (H′).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 2Let’s show this case with a little example when x 6= y, and incase when nU ∈ is.
x n X
n Ysel
sel1
n V
n Uysel2
n W
(S,H, is)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 2Let’s show this case with a little example when x 6= y, and incase when nU ∈ is.
xn X\{x}
n Ysel
sel1
n V
n U∪{x}ysel2
n W
(S′′,H′′, is′′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
Consider now the case where there is an abstract locationnY such that (y,nY ) ∈ S′ and there is a triple such that(nY , sel,n∅) ∈ H′.
The location for y.sel is represented by n∅ (that representeven other locations). We must materialize an abstractlocation n{x} from n∅, doing so n{x} will represent y.sel andn∅ will represent the remaining locations.
This operation is a bit hard so let’s consider an example
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
Consider now the case where there is an abstract locationnY such that (y,nY ) ∈ S′ and there is a triple such that(nY , sel,n∅) ∈ H′.
The location for y.sel is represented by n∅ (that representeven other locations). We must materialize an abstractlocation n{x} from n∅, doing so n{x} will represent y.sel andn∅ will represent the remaining locations.
This operation is a bit hard so let’s consider an example
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
Consider now the case where there is an abstract locationnY such that (y,nY ) ∈ S′ and there is a triple such that(nY , sel,n∅) ∈ H′.
The location for y.sel is represented by n∅ (that representeven other locations). We must materialize an abstractlocation n{x} from n∅, doing so n{x} will represent y.sel andn∅ will represent the remaining locations.
This operation is a bit hard so let’s consider an example
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
x x x
We can determinate obviously thatI [x := nil]···; [x := y.sel]` is equivalent to [x := y.sel]`
I (S′,H′, is′) = killx((S,H, is))I (S′′′,H′′′, is′′′) = killx((S′′,H′′, is′′))I (S′′′,H′′′, is′′′) = (S′,H′, is′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
x x x
We can determinate obviously thatI [x := nil]···; [x := y.sel]` is equivalent to [x := y.sel]`
I (S′,H′, is′) = killx((S,H, is))I (S′′′,H′′′, is′′′) = killx((S′′,H′′, is′′))I (S′′′,H′′′, is′′′) = (S′,H′, is′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
x x x
We can determinate obviously thatI [x := nil]···; [x := y.sel]` is equivalent to [x := y.sel]`
I (S′,H′, is′) = killx((S,H, is))I (S′′′,H′′′, is′′′) = killx((S′′,H′′, is′′))I (S′′′,H′′′, is′′′) = (S′,H′, is′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
x x x
We can determinate obviously thatI [x := nil]···; [x := y.sel]` is equivalent to [x := y.sel]`
I (S′,H′, is′) = killx((S,H, is))I (S′′′,H′′′, is′′′) = killx((S′′,H′′, is′′))I (S′′′,H′′′, is′′′) = (S′,H′, is′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
x x x
We can determinate obviously thatI [x := nil]···; [x := y.sel]` is equivalent to [x := y.sel]`
I (S′,H′, is′) = killx((S,H, is))I (S′′′,H′′′, is′′′) = killx((S′′,H′′, is′′))I (S′′′,H′′′, is′′′) = (S′,H′, is′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
So finallykillx((S′′,H′′, is′′)) = (S′,H′, is′)
Then we can also say that (x,n{x}) ∈ S′′ and that(nY , sel,n{x}) ∈ H′′.
So we can take
φSA` ((S,H, is)) = {(S′′,H′′, is′′) |
(S′′,H′′, is′′) is compatible ∧killx((S′′,H′′, is′′)) = (S′,H′, is′) ∧(x,n{x}) ∈ S′′ ∧ (nY , sel,n{x}) ∈ H′′}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
So finallykillx((S′′,H′′, is′′)) = (S′,H′, is′)
Then we can also say that (x,n{x}) ∈ S′′ and that(nY , sel,n{x}) ∈ H′′.
So we can take
φSA` ((S,H, is)) = {(S′′,H′′, is′′) |
(S′′,H′′, is′′) is compatible ∧killx((S′′,H′′, is′′)) = (S′,H′, is′) ∧(x,n{x}) ∈ S′′ ∧ (nY , sel,n{x}) ∈ H′′}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
We are sure that we have included all the possible solutions.So our function is sound.
Is it possible that we have included too much solutions, sowe are losing precision?
We will now argue that the amount of imprecision in notexcessive.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
We are sure that we have included all the possible solutions.So our function is sound.
Is it possible that we have included too much solutions, sowe are losing precision?
We will now argue that the amount of imprecision in notexcessive.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
We are sure that we have included all the possible solutions.So our function is sound.
Is it possible that we have included too much solutions, sowe are losing precision?
We will now argue that the amount of imprecision in notexcessive.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
First we prove that
S′′ = S′ ∪ {(x,n{x})}
ProofS′′ ⊆ S′ ∪ {(x,n{x})} Consider (z,nZ ) ∈ S′′. If z = x then from
compatibility nZ = n{x}. If z 6= x then from(x,n{x}) ∈ S′′ and the compatibility we deduce thatx 6∈ Z and so (z,nZ ) = (z, kx(nZ )) (and kx is used todefine killx).
S′′ ⊇ S′ ∪ {(x,n{x})} Consider (u,nU ) ∈ S′. We know from definitionof S′ and from compatibility that u 6= x and x 6∈ U .There must be a (u,n′U ) ∈ S′′ such that kx(n′U ) = nU ,but since x 6= y we obtain n′U = nU .
�
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
First we prove that
S′′ = S′ ∪ {(x,n{x})}
ProofS′′ ⊆ S′ ∪ {(x,n{x})} Consider (z,nZ ) ∈ S′′. If z = x then from
compatibility nZ = n{x}. If z 6= x then from(x,n{x}) ∈ S′′ and the compatibility we deduce thatx 6∈ Z and so (z,nZ ) = (z, kx(nZ )) (and kx is used todefine killx).
S′′ ⊇ S′ ∪ {(x,n{x})} Consider (u,nU ) ∈ S′. We know from definitionof S′ and from compatibility that u 6= x and x 6∈ U .There must be a (u,n′U ) ∈ S′′ such that kx(n′U ) = nU ,but since x 6= y we obtain n′U = nU .
�
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
Then we prove that
is′\{n∅} = is′′\{n∅,n{x}}n∅ ∈ is′ iff n∅ ∈ is′′ ∨ n{x} ∈ is′′
Equal as showing thatI Sharing information of location apart n∅ are conserved,I If n∅ is shared then it can rise share to n∅ or to n{x} (or
both),I If n∅ is not shared, we can’t introduce a sharing for n∅
neither for n{x}.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
Then we prove that
is′\{n∅} = is′′\{n∅,n{x}}n∅ ∈ is′ iff n∅ ∈ is′′ ∨ n{x} ∈ is′′
Equal as showing thatI Sharing information of location apart n∅ are conserved,I If n∅ is shared then it can rise share to n∅ or to n{x} (or
both),I If n∅ is not shared, we can’t introduce a sharing for n∅
neither for n{x}.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
Then we prove that
is′\{n∅} = is′′\{n∅,n{x}}n∅ ∈ is′ iff n∅ ∈ is′′ ∨ n{x} ∈ is′′
ProofSince (S′,H′, is′) and (S′′,H′′, is′′) are compatible, if nU ∈ is′ thenx 6∈ U and if nU ∈ is′′ then x 6∈ U ∨ {x} = U .
Remember that is′ = {kx(nU ) | nU ∈ is′′}, so we can deduce thatis′\{n∅} = is′′\{n∅,n{x}}, because kx(nU ) = nU 6= n∅ for allnU ∈ is′′\{n∅,n{x}}.
More n∅ ∈ is′′ ∨ n{x} ∈ is′′ ⇒ n∅ ∈ is′ and moren∅ 6∈ is′′ ∧ n{x} 6∈ is′′ ⇒ n∅ 6∈ is′
�
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
Then we prove that
is′\{n∅} = is′′\{n∅,n{x}}n∅ ∈ is′ iff n∅ ∈ is′′ ∨ n{x} ∈ is′′
ProofSince (S′,H′, is′) and (S′′,H′′, is′′) are compatible, if nU ∈ is′ thenx 6∈ U and if nU ∈ is′′ then x 6∈ U ∨ {x} = U .
Remember that is′ = {kx(nU ) | nU ∈ is′′}, so we can deduce thatis′\{n∅} = is′′\{n∅,n{x}}, because kx(nU ) = nU 6= n∅ for allnU ∈ is′′\{n∅,n{x}}.
More n∅ ∈ is′′ ∨ n{x} ∈ is′′ ⇒ n∅ ∈ is′ and moren∅ 6∈ is′′ ∧ n{x} 6∈ is′′ ⇒ n∅ 6∈ is′
�
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
Now consider the abstract heap H, we first classify the edgedepending on if the source and the target are either n∅ orn{x}.
(nV , sel ′,nW ) is external iff {nV ,nW} ∩ {n∅,n{x}} = ∅(nV , sel ′,nW ) is internal iff {nV ,nW} ⊆ {n∅,n{x}}
(nV , sel ′,nW ) is going-out iff nV ∈ {n∅,n{x}} ∧ nW 6∈ {n∅,n{x}}(nV , sel ′,nW ) is going-in iff nV 6∈ {n∅,n{x}} ∧ nW ∈ {n∅,n{x}}
We say that two edge (nV , sel ′,nW ) and (n′V , sel ′′,n′W ) are related ifand only if kx(nV ) = kx(n′V ), sel ′ = sel ′′ and kx(nW ) = kx(n′W ).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
Now consider the abstract heap H, we first classify the edgedepending on if the source and the target are either n∅ orn{x}.
(nV , sel ′,nW ) is external iff {nV ,nW} ∩ {n∅,n{x}} = ∅(nV , sel ′,nW ) is internal iff {nV ,nW} ⊆ {n∅,n{x}}
(nV , sel ′,nW ) is going-out iff nV ∈ {n∅,n{x}} ∧ nW 6∈ {n∅,n{x}}(nV , sel ′,nW ) is going-in iff nV 6∈ {n∅,n{x}} ∧ nW ∈ {n∅,n{x}}
We say that two edge (nV , sel ′,nW ) and (n′V , sel ′′,n′W ) are related ifand only if kx(nV ) = kx(n′V ), sel ′ = sel ′′ and kx(nW ) = kx(n′W ).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
Now consider the abstract heap H, we first classify the edgedepending on if the source and the target are either n∅ orn{x}.
(nV , sel ′,nW ) is external iff {nV ,nW} ∩ {n∅,n{x}} = ∅(nV , sel ′,nW ) is internal iff {nV ,nW} ⊆ {n∅,n{x}}
(nV , sel ′,nW ) is going-out iff nV ∈ {n∅,n{x}} ∧ nW 6∈ {n∅,n{x}}(nV , sel ′,nW ) is going-in iff nV 6∈ {n∅,n{x}} ∧ nW ∈ {n∅,n{x}}
We say that two edge (nV , sel ′,nW ) and (n′V , sel ′′,n′W ) are related ifand only if kx(nV ) = kx(n′V ), sel ′ = sel ′′ and kx(nW ) = kx(n′W ).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
We can show thatI H′ and H′′ have the same external edges,
I each internal edge in H′ is related to an internal edge inH′′ and vice versa,
I each going-out edge in H′ is related to a going-out edgein H′′ and vice versa,
I each going-in edge in H′ is related to a going-in edge inH′′ and vice versa,
Obviously the edge (nY , sel,n∅) ∈ H′ must be update with(nY , sel,n{x}) ∈ H′′. We impose that (nY , sel,n{x}) ∈ H′′,and because of compatibility we deduce that(nY , sel,n{x}) 6∈ H′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
We can show thatI H′ and H′′ have the same external edges,
I each internal edge in H′ is related to an internal edge inH′′ and vice versa,
I each going-out edge in H′ is related to a going-out edgein H′′ and vice versa,
I each going-in edge in H′ is related to a going-in edge inH′′ and vice versa,
Obviously the edge (nY , sel,n∅) ∈ H′ must be update with(nY , sel,n{x}) ∈ H′′. We impose that (nY , sel,n{x}) ∈ H′′,and because of compatibility we deduce that(nY , sel,n{x}) 6∈ H′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
We can show thatI H′ and H′′ have the same external edges,
I each internal edge in H′ is related to an internal edge inH′′ and vice versa,
I each going-out edge in H′ is related to a going-out edgein H′′ and vice versa,
I each going-in edge in H′ is related to a going-in edge inH′′ and vice versa,
Obviously the edge (nY , sel,n∅) ∈ H′ must be update with(nY , sel,n{x}) ∈ H′′. We impose that (nY , sel,n{x}) ∈ H′′,and because of compatibility we deduce that(nY , sel,n{x}) 6∈ H′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
We can show thatI H′ and H′′ have the same external edges,
I each internal edge in H′ is related to an internal edge inH′′ and vice versa,
I each going-out edge in H′ is related to a going-out edgein H′′ and vice versa,
I each going-in edge in H′ is related to a going-in edge inH′′ and vice versa,
Obviously the edge (nY , sel,n∅) ∈ H′ must be update with(nY , sel,n{x}) ∈ H′′. We impose that (nY , sel,n{x}) ∈ H′′,and because of compatibility we deduce that(nY , sel,n{x}) 6∈ H′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
We can show thatI H′ and H′′ have the same external edges,
I each internal edge in H′ is related to an internal edge inH′′ and vice versa,
I each going-out edge in H′ is related to a going-out edgein H′′ and vice versa,
I each going-in edge in H′ is related to a going-in edge inH′′ and vice versa,
Obviously the edge (nY , sel,n∅) ∈ H′ must be update with(nY , sel,n{x}) ∈ H′′. We impose that (nY , sel,n{x}) ∈ H′′,and because of compatibility we deduce that(nY , sel,n{x}) 6∈ H′.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3Consider the following scenario and let’s see what happensafter [x := y.sel]`.
x n X
n Ysel
sel1
n V
n Øysel2 n W
sel3
(S,H, is)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3We extract the location nX from n∅, and depending on thetriple involving sel2 and sel3 we can have 6 different andcompatible shape graphs.
xn X\{x}
n Ysel
sel2n Ø
n {x}y
n Wn Vsel1
sel3sel2
sel3
(S′′,H′′, is′′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
xn X\{x}
n Ysel
sel3
n Ø
n {x}y
sel2 n Wn Vsel1
(S′′1,H′′1, is′′1)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
xn X\{x}
n Ysel
sel3
n Ø
n {x}ysel2
n Wn Vsel1
(S′′2,H′′2, is′′2)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
xn X\{x}
n Ysel
sel3
n Ø
n {x}y
sel2 n Wn Vsel1
(S′′3,H′′3, is′′3)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
xn X\{x}
n Ysel
sel3n Ø
n {x}ysel2
n Wn Vsel1
(S′′4,H′′4, is′′4)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
xn X\{x}
n Ysel
sel3
n Ø
n {x}y
sel2 n Wn Vsel1
sel3
(S′′5,H′′5, is′′5)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x := y.sel]` - Case 3
xn X\{x}
n Ysel
sel3n Ø
n {x}ysel2
n Wn Vsel1
sel3
(S′′6,H′′6, is′′6)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
We consider [x.sel := a]` in the case where a is of the formn, a1 opa a2 or nil.
Let’s consider a compatible graph (S,H, is).
The easy case are:I The case where there is no nX such that (x,nX) ∈ S, the
statement will have no effect (x does not point to a cell inthe heap). In this case the transfer function f SA
` is just theidentity.
I The case where there is a nX such that (x,nX) ∈ S, butthere is no nU such that (nX , sel,nU ) ∈ H; even in this casethe statement will have no effect (the cell pointed by seldoes not point to another cell in the heap). In this case thetransfer function f SA
` is again the identity.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
We consider [x.sel := a]` in the case where a is of the formn, a1 opa a2 or nil.
Let’s consider a compatible graph (S,H, is).
The easy case are:I The case where there is no nX such that (x,nX) ∈ S, the
statement will have no effect (x does not point to a cell inthe heap). In this case the transfer function f SA
` is just theidentity.
I The case where there is a nX such that (x,nX) ∈ S, butthere is no nU such that (nX , sel,nU ) ∈ H; even in this casethe statement will have no effect (the cell pointed by seldoes not point to another cell in the heap). In this case thetransfer function f SA
` is again the identity.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
We consider [x.sel := a]` in the case where a is of the formn, a1 opa a2 or nil.
Let’s consider a compatible graph (S,H, is).
The easy case are:I The case where there is no nX such that (x,nX) ∈ S, the
statement will have no effect (x does not point to a cell inthe heap). In this case the transfer function f SA
` is just theidentity.
I The case where there is a nX such that (x,nX) ∈ S, butthere is no nU such that (nX , sel,nU ) ∈ H; even in this casethe statement will have no effect (the cell pointed by seldoes not point to another cell in the heap). In this case thetransfer function f SA
` is again the identity.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
Consider the case where there is a nX such that (x,nX ) ∈ Sand there is a unique nU such that (nX , sel,nU ) ∈ H.
The effect will be to remove the triple (nX , sel,nU ):
φSA` ((S,H, is)) = {killx.sel(S,H, is)}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
Consider the case where there is a nX such that (x,nX ) ∈ Sand there is a unique nU such that (nX , sel,nU ) ∈ H.
The effect will be to remove the triple (nX , sel,nU ):
φSA` ((S,H, is)) = {killx.sel(S,H, is)}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
φSA` ((S,H, is)) = {killx.sel(S,H, is)}
where killx.sel(S,H, is) = (S′,H′, is′) is given by
S′ = SH′ = {(nV , sel ′,nW )|(nV , sel ′,nW ) ∈ H ∧
¬(X = V ∧ sel = sel ′)}
is′ =
is\{nU} if nU ∈ is ∧ #into(nU ,H′) ≤ 1 ∧
¬∃sel ′ : (n∅, sel ′,nU ) ∈ H′is otherwise
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
φSA` ((S,H, is)) = {killx.sel(S,H, is)}
where killx.sel(S,H, is) = (S′,H′, is′) is given by
S′ = SH′ = {(nV , sel ′,nW )|(nV , sel ′,nW ) ∈ H ∧
¬(X = V ∧ sel = sel ′)}
is′ =
is\{nU} if nU ∈ is ∧ #into(nU ,H′) ≤ 1 ∧
¬∃sel ′ : (n∅, sel ′,nU ) ∈ H′is otherwise
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
is′ =
is\{nU} if nU ∈ is ∧ #into(nU ,H′) ≤ 1 ∧
¬∃sel ′ : (n∅, sel ′,nU ) ∈ H′is otherwise
We use #into(nU ,H′) to indicate the number of pointer tonU in H′.
With the first clause we check if it is possible to remove nUfrom is. If the number of pointers to nU is less then 2 andthere is no (n∅, sel ′,nU ) triple in H′ then we can remove it.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
is′ =
is\{nU} if nU ∈ is ∧ #into(nU ,H′) ≤ 1 ∧
¬∃sel ′ : (n∅, sel ′,nU ) ∈ H′is otherwise
We use #into(nU ,H′) to indicate the number of pointer tonU in H′.
With the first clause we check if it is possible to remove nUfrom is. If the number of pointers to nU is less then 2 andthere is no (n∅, sel ′,nU ) triple in H′ then we can remove it.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
Let’s view the effect of [x.sel := nil]` when#into(nU ,H′) ≤ 1.
n Ø
n Xsel
sel1
n V
n Ux
(S,H, is)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := a]`
Let’s view the effect of [x.sel := nil]` when#into(nU ,H′) ≤ 1.
n Ø
n X
sel1
n V
n Ux
(S′,H′, is′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
If x = y the assignment is equivalent to:
[t := y]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;
Where t is a fresh variable and `1, `2 and `3 are freshlabels.
We can obtain the transfer function f SA` as a composition:
f SA` = f SA
`3 ◦ f SA`2 ◦ f SA
`1
So f SA`1
and f SA`3
can be computed using the same pattern asbefore. We concentrate on f SA
`2(or similar in the case when
x 6= y).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
If x = y the assignment is equivalent to:
[t := y]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;
Where t is a fresh variable and `1, `2 and `3 are freshlabels.
We can obtain the transfer function f SA` as a composition:
f SA` = f SA
`3 ◦ f SA`2 ◦ f SA
`1
So f SA`1
and f SA`3
can be computed using the same pattern asbefore. We concentrate on f SA
`2(or similar in the case when
x 6= y).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
Assume x 6= y and let (S,H, is) be a compatible shape graph.
In the case where there is no nX such that (x,nX ) ∈ S thenthe f SA
` is just the identity function.
Consider the case where there is a nX such that (x,nX ) ∈ S,but there is no nY such that (y,nY ) ∈ S. It’s the casewhere y is an integer value, or the nil value, it can betreated as [x.sel := a]`:
φSA` ((S,H, is)) = {killx.sel(S,H, is)}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
Assume x 6= y and let (S,H, is) be a compatible shape graph.
In the case where there is no nX such that (x,nX ) ∈ S thenthe f SA
` is just the identity function.
Consider the case where there is a nX such that (x,nX ) ∈ S,but there is no nY such that (y,nY ) ∈ S. It’s the casewhere y is an integer value, or the nil value, it can betreated as [x.sel := a]`:
φSA` ((S,H, is)) = {killx.sel(S,H, is)}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
Assume x 6= y and let (S,H, is) be a compatible shape graph.
In the case where there is no nX such that (x,nX ) ∈ S thenthe f SA
` is just the identity function.
Consider the case where there is a nX such that (x,nX ) ∈ S,but there is no nY such that (y,nY ) ∈ S. It’s the casewhere y is an integer value, or the nil value, it can betreated as [x.sel := a]`:
φSA` ((S,H, is)) = {killx.sel(S,H, is)}
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
In the case where x 6= y, (x,nX ) ∈ S and (y,nY ) ∈ S weproceed with 2 steps.
1. First we remove the binding for x.sel,2. Then we add the new binding.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
In the case where x 6= y, (x,nX ) ∈ S and (y,nY ) ∈ S weproceed with 2 steps.
1. First we remove the binding for x.sel,2. Then we add the new binding.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
φSA` ((S,H, is)) = {(S′′,H′′, is′′)}
where (S′,H′, is′) = killx.sel((S,H, is)) and
S′′ = S′ (= S)H′′ = H′ ∪ {(nX , sel,nY )}
is′′ ={
is′ ∪ {nY } if #into(nY ,H′) ≥ 1is′ otherwise
Note that node nY can become shared if we add a new edgepointing to it.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
φSA` ((S,H, is)) = {(S′′,H′′, is′′)}
where (S′,H′, is′) = killx.sel((S,H, is)) and
S′′ = S′ (= S)H′′ = H′ ∪ {(nX , sel,nY )}
is′′ ={
is′ ∪ {nY } if #into(nY ,H′) ≥ 1is′ otherwise
Note that node nY can become shared if we add a new edgepointing to it.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
Let’s view the effect of [x.sel := y]` when#into(nY ,H′) < 1.
x n X n U
n Yy
sel
(S,H, is)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y]`
Let’s view the effect of [x.sel := y]` when#into(nY ,H′) < 1.
x n X n U
n Yy
sel
(S′′,H′′, is′′)
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y.sel ′]`
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y.sel ′]`
The statement is equivalent to:
[t := y.sel ′]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;
Where t is a fresh variable and `1, `2 and `3 are freshlabels.
We can obtain the transfer function f SA` as a composition:
f SA` = f SA
`3 ◦ f SA`2 ◦ f SA
`1
So f SA`1
, f SA`2
and f SA`3
follow the pattern that we have seenbefore in the other cases.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[x .sel := y.sel ′]`
The statement is equivalent to:
[t := y.sel ′]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;
Where t is a fresh variable and `1, `2 and `3 are freshlabels.
We can obtain the transfer function f SA` as a composition:
f SA` = f SA
`3 ◦ f SA`2 ◦ f SA
`1
So f SA`1
, f SA`2
and f SA`3
follow the pattern that we have seenbefore in the other cases.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[malloc x ]`
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[malloc x ]`
We remove the binding for x (using killx) and then weintroduce a new (unshared) location pointed by x.
φSA` ((S,H, is)) = {(S′ ∪ {(x,n{x})},H′, is′)}
where (S′,H′, is′) = killx((S,H, is)).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[malloc x ]`
We remove the binding for x (using killx) and then weintroduce a new (unshared) location pointed by x.
φSA` ((S,H, is)) = {(S′ ∪ {(x,n{x})},H′, is′)}
where (S′,H′, is′) = killx((S,H, is)).
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[malloc x .sel ]`
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[malloc x .sel]`
The statement is equivalent to:
[malloc t]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;
Where t is a fresh variable and `1, `2 and `3 are freshlabels.
We can obtain the transfer function f SA` as a composition:
f SA` = f SA
`3 ◦ f SA`2 ◦ f SA
`1
So f SA`1
, f SA`2
and f SA`3
follow the pattern that we have seenbefore in the other cases.
Shape Analysis
Nicola Corti &Alessandro Baroni
IntroductionSyntax
SemanticPointer Expressions
Arithmetic & BooleanExpressions
Statements
Shape GraphsAbstract Location
Abstract State
Abstract Heaps
Example
Sharing Informations
Complete Lattice
The Analysis[b]` and [skip]`
[x := a]`
[x := y]`
[x := y.sel]`
Case 1
Case 2
Case 3
[x.sel := a]`
[x.sel := y]`
[x.sel := y.sel′ ]`
[malloc x]`
[malloc x.sel]`
[malloc x .sel]`
The statement is equivalent to:
[malloc t]`1 ; [x.sel := t]`2 ; [t := nil]`3 ;
Where t is a fresh variable and `1, `2 and `3 are freshlabels.
We can obtain the transfer function f SA` as a composition:
f SA` = f SA
`3 ◦ f SA`2 ◦ f SA
`1
So f SA`1
, f SA`2
and f SA`3
follow the pattern that we have seenbefore in the other cases.