Symbolic Bounds Analysis of Pointers, Array Indices, and Accessed Memory Regions PowerPoint PPT Presentation

presentation player overlay
About This Presentation
Transcript and Presenter's Notes

Title: Symbolic Bounds Analysis of Pointers, Array Indices, and Accessed Memory Regions


1
Symbolic Bounds Analysis of Pointers, Array
Indices, and Accessed Memory Regions
  • Radu Rugina and Martin Rinard
  • Laboratory for Computer Science
  • Massachusetts Institute of Technology

2
Outline
  • Examples
  • Key Problem Extracting Symbolic Bounds for
    Accessed Memory Regions
  • Key Technology Formulating and Solving Systems
    of Symbolic Inequality Constraints
  • Results
  • Conclusion

3
Example - Divide and Conquer Sort
4
7
6
1
5
3
8
2
4
Example - Divide and Conquer Sort
4
7
6
1
5
3
8
2
Divide
5
Example - Divide and Conquer Sort
4
7
6
1
5
3
8
2
Divide
2
8
5
3
1
6
7
4
Conquer
6
Example - Divide and Conquer Sort
4
7
6
1
5
3
8
2
Divide
2
8
5
3
1
6
7
4
Conquer
4
1
6
7
3
2
5
8
Combine
7
Example - Divide and Conquer Sort
4
7
6
1
5
3
8
2
Divide
2
8
5
3
1
6
7
4
Conquer
4
1
6
7
3
2
5
8
Combine
2
1
3
4
6
5
7
8
8
Sort n Items in d, Using t as Temporary Storage
void sort(int d, int t, int n) if (n gt
CUTOFF) sort(d,t,n/4) sort(dn/4,tn/4,n/4
) sort(d2(n/2),t2(n/2),n/4) sort(d3(n/4)
,t3(n/4),n-3(n/4)) merge(d,dn/4,dn/2,t) m
erge(dn/2,d3(n/4),dn,tn/2) merge(t,tn/2,t
n,d) else insertionSort(d,dn)
9
Sort n Items in d, Using t as Temporary Storage
void sort(int d, int t, int n) if (n gt
CUTOFF) sort(d,t,n/4) sort(dn/4,tn/4,n/4
) sort(d2(n/2),t2(n/2),n/4) sort(d3(n/4)
,t3(n/4),n-3(n/4)) merge(d,dn/4,dn/2,t) m
erge(dn/2,d3(n/4),dn,tn/2) merge(t,tn/2,t
n,d) else insertionSort(d,dn)
Motivating Problem Exploit parallelism in this
code
10
Recursively Sort Four Quarters of d
void sort(int d, int t, int n) if (n gt
CUTOFF) sort(d,t,n/4) sort(dn/4,tn/4,n/4
) sort(d2(n/2),t2(n/2),n/4) sort(d3(n/4)
,t3(n/4),n-3(n/4)) merge(d,dn/4,dn/2,t) m
erge(dn/2,d3(n/4),dn,tn/2) merge(t,tn/2,t
n,d) else insertionSort(d,dn)
Divide array into subarrays and recursively sort
subarrays
11
Recursively Sort Four Quarters of d
void sort(int d, int t, int n) if (n gt
CUTOFF) sort(d,t,n/4) sort(dn/4,tn/4,n/4
) sort(d2(n/2),t2(n/2),n/4) sort(d3(n/4)
,t3(n/4),n-3(n/4)) merge(d,dn/4,dn/2,t) m
erge(dn/2,d3(n/4),dn,tn/2) merge(t,tn/2,t
n,d) else insertionSort(d,dn)
Subproblems Identified Using Pointers Into
Middle of Array
d
dn/4
dn/2
d3(n/4)
12
Recursively Sort Four Quarters of d
void sort(int d, int t, int n) if (n gt
CUTOFF) sort(d,t,n/4) sort(dn/4,tn/4,n/4
) sort(d2(n/2),t2(n/2),n/4) sort(d3(n/4)
,t3(n/4),n-3(n/4)) merge(d,dn/4,dn/2,t) m
erge(dn/2,d3(n/4),dn,tn/2) merge(t,tn/2,t
n,d) else insertionSort(d,dn)
d
dn/4
dn/2
d3(n/4)
13
Recursively Sort Four Quarters of d
void sort(int d, int t, int n) if (n gt
CUTOFF) sort(d,t,n/4) sort(dn/4,tn/4,n/4
) sort(d2(n/2),t2(n/2),n/4) sort(d3(n/4)
,t3(n/4),n-3(n/4)) merge(d,dn/4,dn/2,t) m
erge(dn/2,d3(n/4),dn,tn/2) merge(t,tn/2,t
n,d) else insertionSort(d,dn)
Sorted Results Written Back Into Input Array
d
dn/4
dn/2
d3(n/4)
14
Merge Sorted Quarters of d Into Halves of t
void sort(int d, int t, int n) if (n gt
CUTOFF) sort(d,t,n/4) sort(dn/4,tn/4,n/4
) sort(d2(n/2),t2(n/2),n/4) sort(d3(n/4)
,t3(n/4),n-3(n/4)) merge(d,dn/4,dn/2,t) m
erge(dn/2,d3(n/4),dn,tn/2) merge(t,tn/2,t
n,d) else insertionSort(d,dn)
d
t
tn/2
15
Merge Sorted Halves of t Back Into d
void sort(int d, int t, int n) if (n gt
CUTOFF) sort(d,t,n/4) sort(dn/4,tn/4,n/4
) sort(d2(n/2),t2(n/2),n/4) sort(d3(n/4)
,t3(n/4),n-3(n/4)) merge(d,dn/4,dn/2,t) m
erge(dn/2,d3(n/4),dn,tn/2) merge(t,tn/2,t
n,d) else insertionSort(d,dn)
d
t
tn/2
16
Use a Simple Sort for Small Problem Sizes
void sort(int d, int t, int n) if (n gt
CUTOFF) sort(d,t,n/4) sort(dn/4,tn/4,n/4
) sort(d2(n/2),t2(n/2),n/4) sort(d3(n/4)
,t3(n/4),n-3(n/4)) merge(d,dn/4,dn/2,t) m
erge(dn/2,d3(n/4),dn,tn/2) merge(t,tn/2,t
n,d) else insertionSort(d,dn)
d
dn
17
Use a Simple Sort for Small Problem Sizes
void sort(int d, int t, int n) if (n gt
CUTOFF) sort(d,t,n/4) sort(dn/4,tn/4,n/4
) sort(d2(n/2),t2(n/2),n/4) sort(d3(n/4)
,t3(n/4),n-3(n/4)) merge(d,dn/4,dn/2,t) m
erge(dn/2,d3(n/4),dn,tn/2) merge(t,tn/2,t
n,d) else insertionSort(d,dn)
d
dn
18
Parallel Sort
void sort(int d, int t, int n) if (n gt
CUTOFF) spawn sort(d,t,n/4) spawn
sort(dn/4,tn/4,n/4) spawn sort(d2(n/2),t2(
n/2),n/4) spawn sort(d3(n/4),t3(n/4),n-3(n/
4)) sync spawn merge(d,dn/4,dn/2,t) spawn
merge(dn/2,d3(n/4),dn,tn/2) sync merge(t,
tn/2,tn,d) else insertionSort(d,dn)
19
What Do You Need To Know To Exploit This Form of
Parallelism?
20
What Do You Need To Know To Exploit This Form of
Parallelism?
Symbolic Information About Accessed Memory Regions
21
Information Needed To Exploit Parallelism
  • Calls to sort access disjoint parts of d and t
  • Together, calls access d,dn-1 and t,tn-1
  • sort(d,t,n/4)
  • sort(dn/4,tn/4,n/4)
  • sort(dn/2,tn/2,n/4)
  • sort(d3(n/4),t3(n/4),
  • n-3(n/4))

d
dn-1
t
tn-1
d
dn-1
t
tn-1
d
dn-1
t
tn-1
d
dn-1
t
tn-1
22
Information Needed To Exploit Parallelism
  • First two calls to merge access disjoint parts of
    d,t
  • Together, calls access d,dn-1 and t,tn-1
  • merge(d,dn/4,dn/2,t)
  • merge(dn/2,d3(n/4),
  • dn,tn/2)
  • merge(t,tn/2,tn,d)

d
dn-1
t
tn-1
d
dn-1
t
tn-1
d
dn-1
t
tn-1
23
Information Needed To Exploit Parallelism
Calls to insertionSort access d,dn-1
insertionSort(d,dn)
d
dn-1
t
tn-1
24
What Do You Need To Know To Exploit This Form of
Parallelism?
Symbolic Information About Accessed Memory
Regions
sort(p,n) accesses p,pn-1 insertionSort(p,n)
accesses p,pn-1 merge(l,m,h,d) accesses
l,h-1, d,d(h-l)-1
25
How Hard Is It To Figure These Things Out?
26
How Hard Is It To Figure These Things Out?
Challenging
27
How Hard Is It To Figure These Things Out?
  • void insertionSort(int l, int h)
  • int p, q, k
  • for (p l1 p lt h p)
  • for (k p, q p-1 l lt q k lt q q--)
  • (q1) q
  • (q1) k
  • Not immediately obvious that
  • insertionSort(l,h) accesses l,h-1

28
How Hard Is It To Figure These Things Out?
void merge(int l1, intm, int h2, int d)
int h1 m int l2 m while ((l1 lt h1)
(l2 lt h2)) if (l1 lt l2) d l1 else
d l2 while (l1 lt h1) d
l1 while (l2 lt h2) d l2 Not
immediately obvious that merge(l,m,h,d) accesses
l,h-1 and d,d(h-l)-1
29
Issues
  • Heavy Use of Pointers
  • Pointers into Middle of Arrays
  • Pointer Arithmetic
  • Pointer Comparison
  • Multiple Procedures
  • sort(int d, int t, n)
  • insertionSort(int l, int h)
  • merge(int l, int m, int h, int t)
  • Recursion

30
How the Compiler Does It
31
Compiler Structure
Pointer Analysis
Disambiguate References at Granularity of
Allocation Blocks
Symbolic Upper and Lower Bounds for Each Memory
Access in Each Procedure
Bounds Analysis
Symbolic Regions Accessed By Execution of Each
Procedure
Region Analysis
Parallelization
Independent Procedure Calls That Can Execute in
Parallel
32
Example Array Increment
  • void f(char p, int n)
  • if (n gt CUTOFF)
  • f(p, n/2) / increment first half /
  • f(pn/2, n/2) / increment second half /
  • else
  • / base case initialize small array /
  • int i 0
  • while (i lt n) (pi) 1 i

33
Intra-procedural Bounds Analysis
  • For each integer variable at each program point,
    derive lower and upper bounds
  • Bounds are symbolic expressions
  • variables represent initial values of parameters
    of enclosing procedure
  • bounds are linear combinations of variables
  • Example expression for f(p,n) pn-1

34
Bounds Analysis
  • What are upper and lower bounds for region
    accessed by while loop in base case?
  • int i 0
  • while (i lt n) (pi) 1 i

35
Bounds Analysis, Step 1
Build control flow graph
i 0
i lt n

(pi) 1 i i1
36
Bounds Analysis, Step 2
Set up bounds at beginning of basic blocks
l1 ? i ? u1
i 0
l2 ? i ? u2
i lt n

l3 ? i ? u3
(pi) 1 i i1
37
Bounds Analysis, Step 3
Compute transfer functions
l1 ? i ? u1
i 0
0 ? i ? 0
l2 ? i ? u2
i lt n

l3 ? i ? u3
(pi) 1 i i1
l3 ? i ? u3
l31 ? i ? u31
38
Bounds Analysis, Step 3
Compute transfer functions
l1 ? i ? u1
i 0
0 ? i ? 0
l2 ? i ? u2
i lt n

l2 ? i ? n-1 l2 ? i ? u2
l3 ? i ? u3
(pi) 1 i i1
l3 ? i ? u3
l31 ? i ? u31
39
Bounds Analysis, Step 4
Set up constraints for bounds
l1 ? i ? u1
i 0
l2 ? 0 l2 ? l31 l3 ? l2
0 ? i ? 0
l2 ? i ? u2
i lt n

l2 ? i ? n-1 l2 ? i ? u2
0 ? u2 u21 ? u2 n-1 ? u3
l3 ? i ? u3
(pi) 1 i i1
l3 ? i ? u3
l31 ? i ? u31
40
Bounds Analysis, Step 4
Set up constraints for bounds
-? ? i ??
i 0
l2 ? 0 l2 ? l31 l3 ? l2
0 ? i ? 0
l2 ? i ? u2
i lt n

l2 ? i ? n-1 l2 ? i ? u2
0 ? u2 u21 ? u2 n-1 ? u3
l3 ? i ? u3
(pi) 1 i i1
l3 ? i ? u3
l31 ? i ? u31
41
Bounds Analysis, Step 5
Generate symbolic expressions for bounds Goal
express bounds in terms of parameters
l2 c1p c2n c3 l3 c4p c5n c6
u2 c7p c8n c9 u3 c10p c11n c12
42
Bounds Analysis, Step 6
Substitute expressions into constraints
c1p c2n c3 ? 0 c1p c2n c3 ? c4p c5n
c6 1 c4p c5n c6 ? c1p c2n c3
0 ? c7p c8n c9 c10p c11n c12 1 ? c7p
c8n c9 c7p c8n c9 ? c10p c11n c12
43
GoalSolve Symbolic Constraint Systemfind
values for constraint variables c1, ..., c12 that
satisfy the inequality constraintsMaximize
Lower BoundsMinimize Upper Bounds
44
Bounds Analysis, Step 7
Reduce symbolic inequalities to linear
inequalities c1p c2n c3 ? c4p c5n c6 if
c1 ? c4, c2 ? c5, and c3 ? c6
45
Bounds Analysis, Step 7
Apply reduction and generate a linear program
0 ? c7 0 ? c8 0 ? c9 c10 ? c7 c11 ? c8 c121
? c9 c7 ? c10 c8 ? c11 c9 ? c12
c1 ? 0 c2 ? 0 c3 ? 0 c1 ? c4 c2 ? c5
c3 ? c61 c4 ? c1 c5 ? c2 c6 ? c3
Objective Function max (c1 c6) - (c7
c12)
lower bounds
upper bounds
46
Bounds Analysis, Step 7
  • Apply reduction and generate a linear program
  • This is a linear program (LP), not an integer
    linear program (ILP)
  • The coefficients in the symbolic expressions are
    rational numbers
  • Rational coefficients are needed for expressions
    like middle of an array low(high - low)/2

47
Bounds Analysis, Step 8
Solve linear program to extract bounds
c10 c2 0 c3 0 c40 c5 0 c6 0 c70 c8 1 c9
0 c100 c111 c12-1
-? ? i ??
i 0
0 ? i ? 0
l2 ? i ? u2
i lt n

l2 ? i ? n-1 l2 ? i ? u2
l2 0 l3 0
l3 ? i ? u3
(pi) 1 i i1
u2 0 u3 n-1
l3 ? i ? u3
l31 ? i ? u31
48
Bounds Analysis, Step 8
Solve linear program to extract bounds
c10 c2 0 c3 0 c40 c5 0 c6 0 c70 c8 1 c9
0 c100 c111 c12-1
-? ? i ??
i 0
0 ? i ? 0
0 ? i ? n
i lt n

0 ? i ? n-1 0 ? i ? n
l2 0 l3 0
0 ? i ? n-1
(pi) 1 i i1
u2 0 u3 n-1
0 ? i ? n-1
1 ? i ? n
49
Bounds Analysis, Step 8
Solve linear program to extract bounds
c10 c2 0 c3 0 c40 c5 0 c6 0 c70 c8 1 c9
0 c100 c111 c12-1
-? ? i ??
i 0
0 ? i ? 0
0 ? i ? n
i lt n

0 ? i ? n-1 0 ? i ? n
l2 0 l3 0
0 ? i ? n-1
(pi) 1 i i1
u2 0 u3 n-1
0 ? i ? n-1
1 ? i ? n
50
Region Analysis
  • Goal Compute Accessed Regions of Memory
  • Intra-Procedural
  • Use bounds at each load or store
  • Compute accessed region
  • Inter-Procedural
  • Use intra-procedural results
  • Set up another symbolic constraint system
  • Solve to find regions accessed by entire
    execution of the procedure

51
Basic Principle of Inter-Procedural Region
Analysis
  • For each procedure
  • Generate symbolic expressions for upper and lower
    bounds of accessed regions
  • Constraint System
  • Accessed regions include regions accessed by
    statements in procedure
  • Accessed regions include regions accessed by
    invoked procedures

52
Inter-Procedural Constraints in Example
Accesses l(f,p,n), u(f,p,n)
  • void f(char p, int n)
  • if (n gt CUTOFF)
  • f(p, n/2)
  • f(pn/2, n/2)
  • else
  • int i 0
  • while (i lt n)
  • (pi) 1 i

l(f,p,n) ? l(f,p,n/2) u(f,p,n) ? u(f,p,n/2)
l(f,p,n) ? l(f,pn/2,n/2) u(f,p,n) ?
u(f,pn/2,n/2)
l(f,p,n) ? p u(f,p,n) ? pn-1
53
Derive Constraint System
  • Generate symbolic expressions
  • l(f,p,n) C1p C2n C3
  • u(f,p,n) C4p C5n C6
  • Build constraint system
  • C1p C2n C3 ? p
  • C4p C5n C6 ? p n -1
  • C1p C2n C3 ? C1p C2(n/2) C3
  • C4p C5n C6 ? C4p C5(n/2) C6
  • C1p C2n C3 ? C1(pn/2) C2(n/2) C3
  • C4p C5n C6 ? C4(pn/2) C5(n/2) C6

54
Solve Constraint System
  • Simplify Constraint System
  • C1p C2n C3 ? p
  • C4p C5n C6 ? p n -1
  • C2n ? C2(n/2)
  • C5n ? C5(n/2)
  • C2(n/2) ? C1(n/2)
  • C5(n/2) ? C4(n/2)
  • Generate and Solve Linear Program
  • l(f,p,n) p
  • u(f,p,n) pn-1
  • Access region p, pn-1

55
Parallelization
  • Dependence Testing of Two Calls
  • Do accessed regions intersect?
  • Based on comparing upper and lower bounds of
    accessed regions
  • Parallelization
  • Find sequences of independent calls
  • Execute independent calls in parallel

56
Details
  • Inter-procedural positivity analysis
  • Verify that variables are positive
  • Required for correctness of reduction
  • Correlation analysis
  • Integer division
  • Basic idea (n-1)/2 ? ?n/2? ? n/2
  • Generalized (n-m1)/m ? ?n/m? ? n/m
  • Linear system decomposition

57
Comparison to Dataflow Analysis
  • Dataflow analysis
  • Uses iterative algorithms
  • Cannot handle lattices with infinite ascending
    chains, because termination is not guaranteed
  • Our framework
  • Reduces the analysis to a linear program
  • Works for lattices with infinite ascending chains
    like integers, rational numbers or polynomials
  • No possibility of non-termination

58
Uses of Symbolic Bounds Information
Transformations
Verifications
Automatic Parallelization Of Sequential Programs
Data Race Detection For Parallel Programs
Bounds Checks Elimination For Safe Programs
Array Bounds Checking For Unsafe Programs
59
Application of Analysis Framework
  • Bitwidth Analysis
  • Computes minimum number of bits to represent
    computed values
  • Important for hardware synthesis from high level
    languages
  • For our framework
  • Bitwidth analysis is a special case Compute
    precise numeric bounds
  • Constraint system linear program

60
Experimental Results
  • Implementation - SUIF, lp_solve, Cilk
  • Parallelization speedups

Application Number of Processors Number of Processors Number of Processors Number of Processors Number of Processors
Application 1 2 4 6 8
Fibonacci 0.76 1.52 3.03 4.55 6.04
Quicksort 1.00 1.99 3.89 5.68 7.36
Mergesort 1.00 2.00 3.90 5.70 7.41
Heat 1.03 2.02 3.89 5.53 6.83
BlockMul 0.97 1.86 3.84 5.70 7.54
NoTempMul 1.02 2.01 4.03 6.02 8.02
LU 0.98 1.95 3.89 5.66 7.39
61
Experimental Results
  • Implementation - SUIF, lp_solve, Cilk
  • Parallelization speedups
  • Close to linear speedups
  • Most of parallelism detected

62
Experimental Results
  • Implementation - SUIF, lp_solve, Cilk
  • Parallelization speedups
  • Close to linear speedups
  • Most of parallelism detected
  • Compiler also verified that
  • Parallel versions were free of data races
  • Benchmarks do not violate the array bounds

63
Experimental Results
  • Implementation - SUIF, lp_solve
  • Bitwidth reduction

64
Context
  • Mainstream parallelizing compilers
  • Loop nests, dense matrices
  • Affine access functions
  • Our framework focuses on
  • Recursion, dynamically allocated arrays
  • Pointers, pointer arithmetic
  • Key problems pointer analysis, symbolic region
    analysis, solving linear programs

65
Conclusion
  • Novel framework for symbolic bounds analysis
  • Uses symbolic constraint systems
  • Reduces problem to linear programs
  • More powerful than iterative approaches
  • Analysis uses
  • Parallelization, data race detection
  • Detecting array bounds violations
  • Array bounds check elimination
  • Bitwidth analysis
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2026 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The : "Symbolic Bounds Analysis of Pointers, Array Indices, and Accessed Memory Regions" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!