limit check insertion
Stephen Weeks
MLton@sourcelight.com
Mon, 22 Oct 2001 17:06:03 -0700
> How about:
>
> V ([], n) = n
> V (l :: p, n) = V (p, n - m) if at(l) = Alloc(m)
> V (p, max(n, m)) if at(l) = LimitCheck(m)
Good.
> > Theorem: If A is correct for f, then f is limit check correct.
>
> This is where I lose you. What's the definition of limit check correct?
Sorry. Replace "limit check correct" with "sound".
> So, the annotations are just a witness to the fact that the inserted
> limit-checks produce a sound function.
Yes.
> Overall comments: The one aspect I don't like is the fact that going from
> a function without limit checks to one with limit checks seems to require
> inserting new labels and changing the next function. You need some
> additional requirement that the control-flow isn't significantly altered.
Agreed. I would prefer to have limit checks as an annotation on the
function as well.
> You might also have simply have alloc : Label -> Nat and
> limitCheck: Label -> Nat and define
> V ([], n) = n
> V (l :: p, n) = V (p, max(n, limitCheck(l)) - alloc(l))
> That is, every block does a limit check (possibly zero) and then some
> allocation.
>
> To get a limit check from ls, alloc, next, you need to produce a
> limitCheck that makes the function f = (ls, limitCheck, alloc, next)
> sound.
I like this, and would add one more thing, at least to the safety
part, and have the limit check insertion return
limitCheck: label -> Nat option
available: label -> Nat
so that we can easily check that limit check insertion has produced a
safe, and hence sound function.
> I also think that the next function needs to be carefully constructed.
> Note, I don't think that it is the "normal" control-flow function. If a
> function does a limitCheck(m), then does a non-tail call, should the
> continuation be allowed to think that m bytes are available? I wouldn't
> think so.
Agreed.
> So, either there are a set of start labels (corresponding to
> the "real" start label and then all continuation and handler labels) or
> the start label is a dummy label with next(ls) being the real start label
> and all continuation and handler labels.
I prefer the latter, keeping the framework simple, and slightly
complicating how the IL is translated to a problem within the
framework.
I agree that there are other things that we need to worry about for
threads, space safety, etc., but would like to push them to the todo
for now.
I would still like to hear opinions on the short term fix of
restricting limit check coalescing to basic blocks.