Backwards Strictness Analysis: Proved and Improved. Kei Davis. Philip Wadler. University of Glasgow. Glasgow G12 8QQ. Abstract

Transcription

1 Backwards Strictness Analysis: Proved and Improved Kei Davis Philip Wadler Dept. of Computing Science University of Glasgow Glasgow G12 8QQ United Kingdom Abstract Given a syntax tree representing an expression, and some information regarding that expression, a backwards analysis will involve propagating the information (with appropriate transformation) towards the leaves of the tree, to yield information about the subexpressions. Here, the information at the root will describe the required denedness of the value of the expression, with the results of the analysis describing the denedness of the values lower in the tree sucient or necessary to meet the condition at the root. In Projections for Strictness Analysis [1], such an analysis is described in which the information at each node is encoded by a special kind of function called a projection, with the results of the analysis revealing strictness information about the expression. This paper describes a more general and powerful technique, and provides proofs that both techniques meet a corresponding generalisation of the safety condition described in [1]. 1 Introduction The theory developed in [1] is prerequisite to the development in this paper. To make our presentation reasonably self-contained, this introduction includes a brief summary of much of the content of [1]. A projection is an idempotent function on domains that removes information from its argument, but does not change its type. Formally, a projection is a continuous function which for every u in its domain, u v u ( u) = u Projections form a complete lattice under the ordering v, with the identity function ID as the greatest element and BOT, dened by BOT u =? for all u, as the least. (The greatest lower bound u of two projections and is dened to be the the greatest projection less than both and ; the greatest such function will not necessarily be a projection.) In this paper, and (sometimes subscripted) will always denote projections. Consider the following projections on pairs, dened for all values u and v. F (u; v) = (u;?) S (u; v) = (?; v) Then (F t S) (u; v) = (u; v) (F u S) (u; v) = (?;?) 1

2 so F t S = ID. A projection may be interpreted as specifying a degree of required denedness of its argument by regarding that part of its argument which is mapped to? as not needed, and that part left unchanged as needed. Suppose that f is a function from pairs to pairs, and that we are only concerned with the rst component of the result of some application of f. Then that instance of f may be safely replaced by F f. Here the composition with F serves to make explicit the requirement (or lack thereof) on the result of f; f is said to be evaluated in context F (the terms context and projection will be used interchangably.) The context in which a function is evaluated may allow its argument to be less dened than in the general case. For example, suppose that f (u; v) = (v; u): Then for f in context F it is safe to apply S to its argument, that is, F f = F f S: If for projections and we have f = f, we write f : ). It is easy to show that f : ) i f v f : Here may be thought of as a conservative estimate of what information may be discarded from the argument of f without aecting the result, assuming some amount of information to be discarded from the result. Note that is is not uniquely determined by f and, since, for example, for any f and, f : ) ID. So far we have shown how projections might be used to specify how much of an argument to a function is sucient in a particular context, but not how much of the argument is necessary, that is, in what part of its argument a function is strict. We wish additionally to encode in a projection the information that a value must have some minimum degree of denedness, that is, that some part of the value must be more dened than?. To specify necessity with projections we extend our domains by the addition of a new element that we will call?. We will interpret u =?to mean that requires a value more dened than u. All functions will be strict in?, that is, that f?=?for all f. Simple strictness is dened with the projection STR, where STR maps? to?, but acts as the identity on all other values. Since STR is a projection we must have STR? v?; since?6=?, it must be that?<?. Thus?is a new bottom element to be added to every domain D; this new domain is just D lifted, written D?. Every function f : D 1! D2 is extended to a function in D1?! D 2? by making f strict in?. We can use STR to dene strictness: Another useful projection is ABS, dened by f : STR ) STR i f is strict: ABS?=? ABS u =?; u 6=? If f makes no use of its argument, then f : STR ) ABS. Also, for all f, f : ABS ) ABS. The least projection FAIL is dened by FAIL u =?; all u Since every function is strict in?, we have that for all f, f : FAIL ) FAIL.

3 For projection, STR u will be called the strict part of ; if is equal to its strict part then will be called strict. The nonstrict form of is t ABS. We need only consider strictness analysis in a strict context, since for all f and, if f : ( u STR) ) then f : ( t ABS) ) ( t ABS) The discussion so far generalises to functions of several arguments, but the notation f : ) is no longer adequate since we will want to consider separate projections to be applied to each of the arguments of f. We dene an operator & to be the same as t except strict in?. That is u & v = u t v; u 6=?and v 6=? =? ; u =?or v =? Each of the operators t and & distributes over the another. Other useful projections are those that require constructor values. For any sum-ofproducts type with constructors c1; : : :; c m, any strict projection on that type can be expressed as the least upper bound of projections P1; : : :; P m, where P i (c j v1 : : : v aj ) =?; i 6= j However, we will restrict our treatment to projections of the form C i 1 : : : mi where C i 1 : : : ai (c j v1 : : : v aj ) = c j (1 v1) : : : ( aj c aj ); i = j =? ; i 6= j and the lub's of sets of these projections. For each type, this restricted set of projections forms a complete lattice, and any element can be expressed as FAIL or F m i=1 C i i;1 : : : i;ai : For all such projection functions C, (C 1 : : : a ) t (C 1 : : : a) v C (1 t 1) : : : ( a t a ) (C 1 : : : a ) & (C 1 : : : a) = C (1 & 1) : : : ( a & a ) and if any of the i is FAIL then C 1 : : : a is FAIL. Also, (C i 1 : : : ai ) & (C j 1 : : : a j ) = FAIL; i 6= j (C i 1 : : : ai ) u (C j 1 : : : a j ) = FAIL; i 6= j As an aside, this restriction excludes exactly those projections that encode an interdependence between values comprising a product type. An example is the projection on pairs of integers dened by P (1; 2) = (1; 2) P (2; 1) = (2; 1) P (x; y) =?; otherwise Finally, we will call unary functions from projections to projections projection transformers.

4 2 Expressions and Programs The analysis will be for a rst-order functional language. The abstract syntax for this language is as follows. Abstract Syntax x 2 Var c 2 Constr f 2 Fv p 2 Pfv e 2 Exp d 2 Dfns e ::= Variables Constructors Function variables Strict primitive function variables Expressions Sets of function denitions x j c e1 : : : e n j f e1 : : : e n j p e1 : : : e n j case e0 of c1 x1;1 : : : x1;a 1. c m x m;1 : : : x m;am ) e1 ) e m d ::= ff i x1 : : : x ni = e i j 1 i ng Nullary primitive functions and nullary constructors will provide constants in the language. The following semantics is given for this language. Semantic Domains Val = Bool + P n i=1(c i Val a i ) fc i j 1 i ng a set of constructors, c i has arity a i LVal = Val? domain for strictness analysis Fun = S 1 i=0 (LVal i! LVal) rst order functions Fenv = Fv! Fun function variable environment Venv = Var! LVal bound variable environment Semantic Functions E E dfns C P :: Exp! Venv! Fenv! LVal :: Dfns! Fenv :: Constr! Fun :: Pfv! Fun In the following and in the rest of the paper, the z will be used as shorthand for z1; : : :; z k, and [x=y] for [x i =y i j 1 i k], where k is implicit from the context. Extension of variable environments is denoted by juxtaposition, for example [x=y] or 12. For reasons to be made clear later, we require that if?is in the range of, then E [e] =?. Assuming that?is not in the range of, E is dened as follows.

5 E [x] = [x] E [c e1 : : : e n ] = C [c] (E [e1 ] ) : : : (E [e n ] ) E [p e1 : : : e n ] = P [p] (E [e1 ] ) : : : (E [e n ] ) E [f e1 : : : e n ] = [f ] (E [e1 ] ) : : : (E [e n ] ) E [case e0 of c1 x1;1 : : : x1;a 1 ) e1. c m x m;1 : : : x m;am ) e m ] = E [e i ] [(sel i;1 v)=x i;1; : : : ; (sel i;ai v)=x i;ai ] ; if isc i v (1 i n) =? ; otherwise where v = E [e0 ] E dfns [ff i x1 : : : x ni = e i j 1 i ng] = x (:[(y1 : : :y ni :E [e i ] [y=x] )=f i j 1 i n]) The function sel i;j for each i and j is the projection from the product type formed by the constructor c i onto its j th component, and isc i, for each i, is the discriminator that for an argument of a sum type for which one of the summands is the product type formed by the constructor c i, yields true if its argument projected onto that product type is not?, and yields false otherwise. Since every function (including the conditional) is strict in?, the least xed point of any recursive function is the constant function returning?. To avoid this we require that x in the denition of E dfns yield the least xed point (a function environment) such that each function in its range yields? rather than?whenever its arguments are all not equal to?. 3 The Semantic Function B Let e be an expression, be a function environment, be a projection transformer, and x be a variable. Then is safe for x with respect to e at if for all projections and variable environments, (E [e] ) v E [e] ([ ([x])=x]) Roughly, this states that is safe for x with respect to e at if, in the evaluation of e, using ([x]) in place of [x] gives at least as dened a result as applying to the value of e. If e were the body of the denition of the function f, and x the name of its only argument, then this condition would be exactly the same as 8:f : )

6 We consider some examples. :ID is safe for x with respect to every expression e. :FAIL is safe for x with respect to no expression e. :ABS is safe for x with respect to every expression e in which x is not free. : is safe for x with respect to x. The rst example states that it is always safe to leave the value of a variable unchanged. For the second example it is helpful to refer to the denition of safety above. The variable environment on the right-hand side of the inequality will always map x to?, so the value of the right-hand side will always be?. However, we can always choose and such that the left-hand side is at least?. The third example states that it is always safe to map variables not present in the expression to?. The fourth is easily interpreted. Our goal is to give another semantics B for expressions that yields such a. Whereas E maps an expression e to a value (an element of LVal), we expect B to map the same expression e to a projection transformer that, with respect to a given variable, is safe for e. We will carry further the idea of replacing occurrences of LVal in the type of E by the type of projection transformers to give the type of B. The variable environment for B will map variables to projection transformers, and the function environment for B will map variables to functions from projection transformers to projection transformers. Just as the function environment for E is dened in terms of E applied to a set of function denitions, the function environment for B will be analogously dened in terms of B applied to the same set of function denitions. This is summarised in the following. Semantic Domains Proj LVal! LVal projections Ptran = Proj! Proj projection transformers Ptfun = S 1 i=0 (Ptran i! Ptran) rst order functions on projection transformers Bfenv = Fv! Ptfun function variable environment Bvenv = Var! Ptran bound variable environment Semantic Functions B B dfns C B P B :: Exp! Bvenv! Bfenv! Ptran :: Prog! Bfenv :: Constr! Ptfun :: Pfv! Ptfun Before giving the denition of B, we make precise the condition that B should satisfy. Let x be a variable and e be an expression with free variables z. In the term E [e], the variable environment maps variables to values. In the corresponding term B [e], the variable environment maps each variable z i to a projection transformer that is safe for x with respect to z i. (As was shown in the examples above, if x = z i, then : is safe, otherwise :ABS is safe.) For such a, we would intend that B [e] be safe for x with respect to e. This is in fact a special case of what we require of B we generalise by requiring to map each variable z i to a projection transformer i that is safe for x with respect to a given expression e i (instead of just z i ), and requiring that B [e] be safe for x with respect to e[e=z] (instead of e[z=z], that is, e.)

7 More precisely, for all projections, expressions e with free variables z, variables x, expressions e and projection transformers such that i is safe for x with respect to e i at for each i, we require that B [e] [=z] be safe for x with respect to e[e=z] at, where for some set of function denitions d, = B dfns [d] and = E dfns [d]. This is the safety condition for B. Given such a B, then for the denition f x1 : : : x n = e dene f B by then f B = 1 : : : n : B [e] [1=x1; : : :; n =x n ] f B (:ABS) : : : (:ABS) (:) (:ABS) : : : (:ABS) is safe for x j, where (:) above is in the j th position: we reason as follows. Let the x i be the subexpressions e i of e as above. For x i 6= x j, (:ABS) is safe for x j with respect to x i, and (:) is safe for x j with respect to x j. Rules for B As shown in the in- We introduce another operator to simplify the denition of B. troduction, it is safe to set B [e] ( t ABS) = ABS t (B[e] ( u STR)) B [e] FAIL = FAIL B [e] ABS = ABS Let be strict and not FAIL, and dene by FAIL = FAIL ABS = ABS (ABS t ) = ABS t = Now the three previous statements may be summarised by the statement that it is always safe to set B [e] = B [e] ( u STR) In the denition of B this rule will be implicit, and arguments like here will be assumed to be strict and not FAIL. The same assumption will be made of all projection transformers, so that, for example, :ABS really means : ABS. We will assume that is the result of applying B dfns to some set of function denitions. We will require that for all in the range of, = ( u STR) for all projections, and that & = ( & ) for all projections and. A projection transformer with these properties will be called well behaved. Later we will show that B is well behaved if the elements of the range of its argument are; in practice this assumption poses no restriction since these elements will be such well behaved projection transformers as :ABS or :, or the results of applying B to these. For the sake of brevity, ABS will denote the environment that maps all variables to :ABS, and for all variables x, x will denote the environment that maps x to : and

8 all other variables to :ABS. B [x] = [x] B [c e1 : : : e n ] = C B [c] (B [e1 ] ) : : : (B [e n ] ) B [p e1 : : : e n ] = P B [p] (B [e1 ] ) : : : (B [e n ] ) B [f e1 : : : e n ] = [f ] (B [e1 ] ) : : : (B [e n ] ) B [case e0 of c1 x1;1 : : : x1;a 1 ) e1. c m x m;1 : : : x m;am ) e m ] = : F m i=1 ( B [e i ] [(:ABS)=x i;j j 1 j a i ] & B [e0 ] (C i (B [e i ] xi;1 ) : : : (B [e i ] xi;ai ))) B dfns [ff i x i;1 : : : x i;ni = e i j 1 i ng] = x ( :[(y1 : : : y ni :B [e i ] [y=x] )=f i j 1 i n]) For strict primitive functions p of arity n, dene P B [p] 1 : : : n = :& n i=1 B [e i ] STR For n = 0, this reduces to :abs. For a constructor c i of arity a i belonging to a sum type of constructors fc i j 1 i mg, dene C B [c] 1 : : : n ( F m j=1 C j j;1 : : : j;aj ) = & ai j=1 B [e j ] i;j Here any of the C j j;1 : : : j;aj, for 1 j m, may be taken to be FAIL. If C i i;1 : : : i;ai is taken to be FAIL, then the result is FAIL. 4 Examples We illustrate the application of the method with a simple example. Let head xs = case xs of y : ys ) y We will assume that is implicit in every lambda abstraction. Then head B = B [case xs of y : ys ) y ] [=xs] [] = : B [xs ] [=xs] [] (CONS (B [y ] y [] ) (B [y ] ys [] ) & B [y ] [=xs; (:ABS)=y; (:ABS)=ys] [] = : (CONS ( ) ( ABS)) = : (CONS ABS)

9 To determine a projection transformer safe for xs with respect to head xs, apply apply head B to (:). Simplifying and removing the lambda-abstraction gives the following. head B (:) = CONS ABS CONS ABS Thus, for example, for head xs in context STR, it is safe to evaluate xs in context head B (:) STR = CONS STR ABS, that is, to require that xs have the value cons x y where x 6=?. Dening tail in an analogous way, we have tail B = : (CONS ABS ). Then the strictness of the expression head (tail xs) with respect to xs is given by Then B [head (tail xs)] [(:)=xs] [head B =head; tail B =tail] = head B (tail B (:)) = :(CONS ABS (CONS ABS)) Next we consider the analysis of a recursive function. Let last B last xs = case xs of y : ys ) case ys of [] ) y z : zs ) last ys = (CONS ( t last B (:ABS)) (NIL t (last B (:) & CONS ABS ABS)))) Here the denition of last B is recursive. Assuming that the domains of projections in which we are working are nite, then the domains of projection transformers and functions from projection transformers to projection transformers are also nite, so such equations may be solved by the usual xedpoint iteration. The construction of such domains is discussed in [1]. In this case we have, for example, last B (:) STR = CONS (STR t ABS) (NIL t (last B (:) STR)) = CONS ID NIL t CONS ID (CONS ID NIL) t CONS ID (CONS ID (CONS ID NIL)) t : : : 5 Safety of B The argument of B maps syntactic objects (function variables) to semantic values: the values given by applying B to the bodies of the (syntactic) denitions of the functions associated with the function variables. We can imagine, however, eliminating function variables from any given expression e to which B is applied by repeated substitution of function variables in e by the bodies of the corresponding functions. In general this process will generate innite `expressions'. This idea can be made sensible by dening a domain Ex

10 of expressions, and redening B in the obvious way, Ex = Var + Pfv Ex : : : Ex + Constr Ex : : : Ex + case Ex of Constr Var : : : Var B 0. Constr Var : : : Var ) Ex ) Ex :: Ex! Bvenv! Proj! Proj An obvious question is whether B [e] has the same value as B 0 [e 0 ], where e 0 is the result of eliminating function variables from e by (possibly innitely) substituting the function denitions from which is derived. The question is explored by Stoy in [2] under the name of syntactic recursion. We state without further justication that the values are the same, as are those produced by E and the analogously redened E 0. This fact will simplify proofs about certain properties of B by allowing the proofs to be cast in terms of B 0 and E A Property of & The following is a useful property of &. Proposition. For all e,,,, and, let = B [e], then ( ) & ( ) = ( & ) Proof. This proof uses the following scheme. Let P be the predicate on expressions P (e) = 8; ; ; :( ) & ( ) = ( & ) where = B [e] The predicate P is recast in terms of B 0. The new predicate P 0 is shown to hold for? Ex, and that for all elements e of Ex dierent from? Ex, P 0 (e) is implied by P 0 holding for all (immediate) subexpressions of e, so that, therefore, P 0 holds for all elements of Ex. From this we conclude that P holds for all elements of Exp and function environments. case? Ex : (B 0 [? Ex ] ) & (B 0 [? Ex ] ) =? Proj &? Proj =? Proj case x : = B 0 [? Ex ] ( & ) B 0 [x] & B 0 [x] = [x] & [x] = [x] ( & ) = B 0 [x] ( & )

11 case p : B 0 [p] & B 0 [p] = (:ABS) & (:ABS) = ABS = (:ABS) ( & ) case p e1 : : : e n : = B 0 [p] ( & ) (B 0 [p e1 : : : e n ] ) & (B 0 [p e1 : : : e n ] ) = (& n i=1 B 0 [e i ] STR) & (& n i=1 B 0 [e i ] STR) = (& n i=1 B 0 [e i ] STR) case c i e1 : : : e ai : = B 0 [p e1 : : : e n ] ( & ) B [c i e1 : : : e ai ] ( 1 t F m j=1 C j j;1 : : : j;nj ) & B [c i e1 : : : e ai ] (2 t F m j=1 C j j;1 : : : j;nj ) = (& ai j=1 B [e j ] i;j ) & (& ni j=1 B [e j ] i;j ) = & ai j=1 (B [e j ] i;j ) & B [e j ] i;j ) f by the induction hypothesis g = & ai j=1 (B [e j ] ( i;j & i;j )) = B [c i e1 : : : e ai ] (1 t 2 t F m j=1 C j ( j;1 & j;1) : : : ( j;nj & j;aj )) case case : : : : B 0 [case : : : ] & B 0 [case : : : ] = F m i=1 ( B 0 [e i ] [(:ABS)=x i;j j 1 j a i ] (1) & B 0 [e0 ] (C i (B 0 [e i ] vi;1 ) : : : (B 0 [e i ] vi;ai ))) & F m i=1 ( B 0 [e i ] [(:ABS)=x i;j j 1 j a i ] & B 0 [e0 ] (C i (B 0 [e i ] vi;1 ) : : : (B 0 [e i ] vi;ai ))) Let and Then i = B 0 [e i ] [(:ABS)=x i;j j 1 j a i ] 0;i = :B 0 [e0 ] (C i (B 0 [e i ] vi;1 ) : : : (B 0 [e i ] vi;ai )); 1 i m: (1) = ( F m i=1( i & 0;i )) & ( F m i=1( i & 0;i )) = F m i=1 F m j=1( i & 0;i & j & 0;j ) (2)

12 Using the induction hypothesis we have that i & i = i ( & ) and 0;i & 0;j = FAIL; i 6= j. So (2) = F m i=1 ( i ( & ) & 0;i ( & )) 5.2 The Substitution Rule Proposition. B [e0[e=z]] v B [e0 ] [(:ABS)=z] & & k i=1 B [e0 ] ABS [B[e i ] =z i ] = B [e0 ] [(:ABS)=z] & & k i=1 B [e i ] (B [e0 ] zi ) Proof. The assertion can be established by repeated application of the simpler rule following. B [e0[e=z]] v B [e0 ] [(:ABS)=z] & B [e0 ] ABS [B [e] =z] The proof is by induction on e0. = B [e0 ] [(:ABS)=z] & B [e] (B [e0 ] z ) case? Ex : B 0 [? Ex [e=z]] = B 0 [? Ex ] =? Proj = B 0 [? Ex ] [(:ABS)=z] & B 0 [? Ex ] ABS [B [e] =z] = B 0 [? Ex ] [(:ABS)=z] & B 0 [e] (B [? Ex ] z )

13 case x; x 6= z: B 0 [x[e=z]] = B 0 [x] = [x] = [x] & ABS (1) = B 0 [x] [(:ABS)=z] & B 0 [x] ABS [B 0 [e] =z] and (1) = B 0 [x] [(:ABS)=z] & B 0 [e] (B 0 [x] z ) case z: B 0 [z[e=z]] = B 0 [e] = ABS & B 0 [e] (1) = B 0 [z ] [(:ABS)=z] & B 0 [z ] ABS [B 0 [e] =z] and case p: (straightforward) (1) = B 0 [z ] [(:ABS)=z] & B 0 [e] (B 0 [z ] z ) case p e1 : : : e n : (straightforward) case c e1 : : : e n : (straightforward) case case : : :: B 0 [(case : : : )[e=z]] = B 0 [case e0[e=z] of c1 x1;1 : : : x1;a 1 ) e1[e=z]. c m x m;1 : : : x m;am ) e m [e=z]] = F m i=1 ( B0 [e i [e=z]] [(:ABS)=x i;j j 1 j a i ] & B 0 [e0[e=z]] (C i (B 0 [e i [e=z]] xi;1 ) : : : (B 0 [e i [e=z]] xi;ai ))) = F m i=1 ( B0 [e i [e=z]] [(:ABS)=x i;j j 1 j a i ] & B 0 [e0[e=z]] (C i (B 0 [e i ] xi;1 ) : : : (B 0 [e i ] xi;ai ))) (1) We have assumed that the x i;j ; 1 i m; 1 j a i, are not free in e, to avoid unintended variable capture. Since B 0 [e] y = (:ABS) for every expression e and variable y if y

14 is not free in e, each subterm B 0 [e i [e=z]] xi;j above is equal to B 0 [e i ] xi;j ; this justies the last equality. Writing i for C i (B 0 [e i ] xi;1 ) : : : (B 0 [e i ] xi;ai ), we have by the induction hypothesis Writing the last expression is (1) v F m i=1 ( B 0 [e i ] [(:ABS)=x i;j j 1 j a i ][(:ABS)=z] & B 0 [e i ] ABS [B 0 [e] =z] & B 0 [e0 ] [(:ABS)=z] i & B 0 [e0 ] ABS [B 0 [e] =z] i ) i for B 0 [e i ] [(:ABS)=x i;j j 1 j a i ][(:ABS)=z]; 1 i m 0 for B 0 [e0 ] [(:ABS)=z] i for B 0 [e i ] ABS [B 0 [e] =z]; 1 i m 0 for B 0 [e0 ] ABS [B 0 [e] =z] F m i=1 ( i & i & 0 i & 0 i ) v F m i=1f n j=1 ( i & i & 0 j & 0 j ) = ( F m i=1 ( i & 0 i )) & ( F n i=1 ( i & 0 i )) = ( F m i=1 ( B 0 [e i ] [(:ABS)=x i;j j 1 j a i ][(:ABS)=z] & B 0 [e0 ] [(:ABS)=z] i )) & ( F m i=1 ( B 0 [e i ] ABS [B 0 [e] =z] & B 0 [e0 ] ABS [B 0 [e] =z] i )) (1) = (B 0 [case : : : ] [(:ABS)=z] ) & (B 0 [case : : : ] ABS [B 0 [e] =z] ) = B 0 [(case : : : )[e=z]] Also, f by the induction hypothesis g (1) = ( F m i=1 (B 0 [e i ] [(:ABS)=x i;j j 1 j a i ][(:ABS)=z] ) & (B 0 [e0 ] [(:ABS)=z] i )) & ( F m i=1 (B 0 [e0 ] (B 0 [e i ] z ) & (B 0 [e0 ] (B 0 [e i ] i )) = ( F m i=1 (B 0 [e i ] ABS [(:ABS)=z] ) & (B 0 [e0 ] [(:ABS)=z] i )) & ( F m i=1 (B0 [e0 ] ((B 0 [e i ] z ) & (B 0 [e i ] i )))) 5.3 Proof of Safety = (B 0 [case : : : ] [(:ABS)=z] ) & (B 0 [e] (B 0 [case : : : ] z )) Proposition. B satises its safety condition, that is, for all projections, expressions e with free variables z, variables x, expressions e and projection transformers such that i is safe for x with respect to e i for each i, 1 i k, and = B [e] [=z], we have (E [e[e=z]] ) v E [e[e=z]] ([ ([x])=x])

15 Proof. Again, the proof is in terms of B 0 and E 0, by syntactic recursion on the expression e. The symbols LHS and RHS will be used to stand for instances of the left-hand and right-hand sides, respectively, of the above inequality. case? Ex : LHS = (E 0 [? Ex [e=z]] ) =? =? v RHS case z i ; 1 i k : (E 0 [z i [e=z]] ) = (E 0 [e i ] ) f by the assumption that i is safe for x with respect to e i g v E 0 [e i ] ([ i ([x])=x]) f = i = B 0 [z i ] [=z] g = E 0 [e i ] ([ ([x])=x]) case p : (E 0 [p[e=z]] ) = (E 0 [p] ) v E 0 [p] [(:ABS) ([x])=x] = E 0 [p] [ ([x])=x] case p w1 : : : w n : LHS = (E 0 [(p w1 : : : w m )[e=z]] ) = (E 0 [p (w1[e=z]) : : : (w m [e=z])] ) = (E 0 [p y1 : : : y m ] [E 0 [w i [e=z]] =y i j 1 i m]) f since p is strict g v E 0 [p y1 : : : y m ] [STR (E 0 [w i [e=z]] )=y i j 1 i m](1) Let i = B 0 [w i [=z]] ; 1 i m. By the induction hypothesis, each i is safe for x with respect to w i [e=z], so (1) v E 0 [p y1 : : : y m ] E 0 [w i [e=z]] [ i STR ([x])=x]=y i j 1 i m] (2)

16 If i STR ([x]) =?for any i, then by the denition of E 0 we have that this last term is equal to?. Suppose then that i STR ([x]) =?for no i. Then for any j, So, by monotonicity, case c w1 : : : w a : ([x]) = B 0 [p w1 : : : w m ] [=z] ([x]) = & m i=1 ( i STR) ([x]) = F m i=1 ( i STR) ([x]) w j STR ([x]) (2) v E 0 [p y1 : : : y m ] E 0 [w i [e=z]] [ ([x])=x]=y i j 1 i m] = RHS LHS = (E 0 [(c w1 : : : w n )[e=z]] ) If (1) 6=?, then can be expressed as = (C [c] (E 0 [w1[e=z]] ) : : : (E 0 [w n [e=z]] )) (1) = ( F m i=1 C i i;1 : : : i;ai ) and C i matches c for some i. Let this C i be denoted by C, a i by a, and i;j by j for 1 j a i. Then (1) = C [c] (1 (E 0 [w1[e=z]] )) : : : ( a (E 0 [w a [e=z]] )) (2) Let i = B 0 [w i ] [=z]; 1 i a. By the induction hypothesis, i is safe for x with respect to w i [e=z] for each i, so (2) v C [c] (E 0 [w1[e=z]] [1 1 ([x])=x]) : : : (E 0 [w a [e=z]] [1 a ([x])=x]) (3) If i i ([x]) =?for some i, then (3) =?v RHS. Otherwise, for any j, So, for = & a i=1 ( i i ), j j ([x]) v F n i=1 i i ([x]) = & n i=1 i i ([x]) (3) v C [c] (E 0 [w1[e=z]] [ ([x])=x]) : : : (E 0 [w n [e=z]] [ ([x])=x]) And by monotonicity we have v B 0 [c e1 : : : e n ] [=z]

17 The case rule We can derive the case rule without reference to the induction hypothesis. Consider the left-hand side of the inequality we wish to show, and the denition of E 0. We may assume that either e0[e=z] has been reduced to head-normal form, or that is has no such form. If it has no such normal form, or if that form does not match one of patterns, then the left-hand side of the inequality is?, and the inequality is satised for any value of the right-hand side. Assuming that e0[e=z] is in head-normal form, we have for some i, Now is certainly safe if = B [case c i e i;1 : : : e i;ai of c1 x1;1 : : : x1;a 1 ) e1. c m x m;1 : : : x m;am ) e m ] (1) w B 0 [e i [e i;1=x i;1 : : : e i;ai =x i;ai ]] (2) By denition, 6 A (1) = F m j=1 ( B 0 [e j ] [(:ABS)=x i;j j 1 j a i ] & B 0 [c j e j;1 : : : e j;aj ] (C i (B 0 [e j ] xj;1 ) : : : (B 0 [e j ] xj;ai )) = (B 0 [e i ] [(:ABS)=x i;j j 1 j a i ] ) & (& ai j=1 B 0 [e j ] xi;j ) f by the substitution rule g = (2) The analysis described in [1] may be recast in terms with the same functionality as B. We will call the analysis in this form A. The analysis in [1] gives separate rules for if and case, such that the rule for if gives a weaker analysis than for the semantically equivalent case expression. We choose therefore to ignore the if rule altogether. The rules for A are exactly the same as for B except that we require that the variable environment for A map no more than a single variable to a value dierent from :ABS. The rules for A may be derived from the rules for B by replacing occurrences of B on the left-hand sides of the rules by A, those on the right-hand sides by A 0, and adding the rule A 0 [e] [=z] = & n i=1 A[e] ABS [ i =z i ] We wish to show that A gives a weaker analysis than B, in the sense that B [e] v A[e] for all appropriate values of e; ; ; and, from which the safety of A is immediate. In fact we show a more general result. By monotonicity of & we have (B [e] 1 ) & (B [e] 2 ) v B [e] ( 1 & 2) where 1 & 2 is dened for 1 and 2 having the same domain, and for every element z of this domain, ( 1 & 2)[z ] = 1 [z ] & 2 [z ]

18 The weakness of A relative to B results from its considering function arguments separately. This may be demonstrated by encapsulating a case expression in a function denition. Suppose that we have the function denition f x y z = case x of true ) y false ) z and analyse strictness with respect to y in the call f x y y. We have f A (:ABS) (:) (:) STR = ID f B (:ABS) (:) (:) STR = STR that is, B shows the call to be strict in y, but A does not. 7 Conclusion The weakness of A relative to B results from the consideration of function arguments individually, rather than jointly as in B. This is exemplied by the if example. Just as for forwards strictness analysis, we may construct a lattice of approximations between A and B (see [3].) In the forwards analysis, the real strength of the computationally dicult analysis (the one corresponding to B) only becomes apparent for higher-order analyses we anticipate the same for backwards analysis. Extension of the backwards analysis to the higher-order case seems to be the next logical step in the development. More information and background on backwards analysis may be found in [4, 5, 6, 7, 8, 9]. References [1] Wadler, P., and Hughes, R.J.M., Projections for Strictness Analysis. Report 35, Programming Methodology Group, Department of Computer Sciences, Chalmers University of Technology and University of Goteborg, Goteborg, Sweden. [2] Stoy, Joseph E. Denotational Semantics: The Scott-Strachey Approach to Programming Language Theory. The MIT Press, Cambridge, Massachusetts, [3] Davis, K. \Trading accuracy for eciency in forwards strictness analysis." Unpublished manuscript, [4] Hughes, R.J.M. \Strictness detection in non-at domains." In Proceedings of the Workshop on Programs a Data Objects (Copenhagen). H. Ganzinger and N. Jones, eds. LNCS 217. Springer-Verlag, Berlin, 1985 [5] Hughes, R.J.M. Backwards Analysis of Functional Programs. Departmental Research Report CSC/87/R3, Department of Computing Science, University of Glasgow, [6] Hughes, R.J.M. \Analysing strictness by abstract interpretation of continuations." Chapter 4 of Abramsky, S. and Hankin, C. (eds.). Abstract Interpretation of Declarative Languages. Ellis-Horwood, [7] Hughes, R.J.M. \Compile-time analysis of functional programs." In Proc. Year of Programming Summer School on Declarative Programming, (Austin, Texas), 1987, David Turner (ed.), Addison-Wesley 1989.

19 [8] Hughes, R.J.M. \Projections for polymorphic strictness analysis." [9] Hughes, R.J.M. and Ferguson, A. \An iterative powerdomain construction." In Draft Proceedings of the 1989 Glasgow Workshop on Functional Programming (Fraserburgh, Scotland)