Context Navigation

← Previous Change
Next Change →

array.tex

Timestamp:

Nov 23, 2024, 8:28:37 PM (11 months ago)

Author:

JiadaL <j82liang@…>

Branches:

master

Children:

956b389

Parents:

b006c51e (diff), de7b7a5 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge branch 'master' of plg.uwaterloo.ca:software/cfa/cfa-cc

File:

: 1 edited

doc/theses/mike_brooks_MMath/array.tex (modified) (48 diffs)

Legend:

: Unmodified
: Added
: Removed

doc/theses/mike_brooks_MMath/array.tex

-              rb006c51e
+              r10a9479d
 \label{c:Array}
+Arrays in C are possibly the single most misunderstood and incorrectly used feature in the language, resulting in the largest proportion of runtime errors and security violations.
+This chapter describes the new \CFA language and library features that introduce a length-checked array type, @array@, to the \CFA standard library~\cite{Cforall}.
+Offering the @array@ type, as a distinct alternative to the C array, is consistent with \CFA's goal of backwards compatibility, \ie virtually all existing C (@gcc@) programs can be compiled by \CFA with only a small number of changes, similar to \CC (@g++@).
+However, a few compatibility-breaking changes to the behaviour of the C array are necessary, both as an implementation convenience and to fix C's lax treatment of arrays.
+Hence, the @array@ type is an opportunity to start from a clean slate and show a cohesive selection of features, making it unnecessary to deal with every inherited complexity of the C array.
 \section{Introduction}
 \label{s:ArrayIntro}
+Arrays in C are possibly the single most misunderstood and incorrectly used feature in the language, resulting in the largest proportion of runtime errors and security violations.
+This chapter describes the new \CFA language and library features that introduce a length-checked array type to the \CFA standard library~\cite{Cforall}.
+Specifically, a new \CFA array is declared by instantiating the generic @array@ type,
+much like instantiating any other standard-library generic type (such as @dlist@),
+The new \CFA array is declared by instantiating the generic @array@ type,
+much like instantiating any other standard-library generic type (such as \CC @vector@),
 though using a new style of generic parameter.
 \begin{cfa}
 …
 \end{cfa}
 Here, the arguments to the @array@ type are @float@ (element type) and @99@ (length).
 When this type is used as a function parameter, the type-system requires that a call's argument matches, down to the length.
+When this type is used as a function parameter, the type-system requires that a call's argument is a perfect match.
 \begin{cfa}
 void f( @array( float, 42 )@ & p ) {}   $\C{// p accepts 42 floats}$
 f( x );                                                                 $\C{// statically rejected: types are different, 99 != 42}$
+f( x );                                                                 $\C{// statically rejected: type lengths are different, 99 != 42}$
 test2.cfa:3:1 error: Invalid application of existing declaration(s) in expression.
 …
 \end{cfa}
 Here, the function @f@'s parameter @p@ is declared with length 42.
+The call @f( x )@, with the argument being the previously-declared object, is invalid, because the @array@ lengths @99@ and @42@ do not match.
+A function declaration can be polymorphic over these @array@ arguments by using the @forall@ declaration prefix.
+This function @g@'s takes arbitrary type parameter @T@ (familiar) and \emph{dimension parameter} @N@ (new).
+A dimension paramter represents a to-be-determined count of elements, managed by the type system.
+However, the call @f( x )@ is invalid, because @x@'s length is @99@, which does not match @42@.
+A function declaration can be polymorphic over these @array@ arguments by using the \CFA @forall@ declaration prefix.
 \begin{cfa}
 forall( T, @[N]@ )
 …
 Cforall Runtime error: subscript 1000 exceeds dimension range [0,99) $for$ array 0x555555558020.
 \end{cfa}
+Function @g@ takes an arbitrary type parameter @T@ and a \emph{dimension parameter} @N@.
+A dimension parameter represents a to-be-determined count of elements, managed by the type system.
 The call @g( x, 0 )@ is valid because @g@ accepts any length of array, where the type system infers @float@ for @T@ and length @99@ for @N@.
 Inferring values for @T@ and @N@ is implicit, without programmer involvement.
+Inferring values for @T@ and @N@ is implicit.
 Furthermore, in this case, the runtime subscript @x[0]@ (parameter @i@ being @0@) in @g@ is valid because 0 is in the dimension range $[0,99)$ of argument @x@.
 The call @g( x, 1000 )@ is also accepted through compile time;
+However, the call @g( x, 1000 )@ is also accepted through compile time;
 however, this case's subscript, @x[1000]@, generates an error, because @1000@ is outside the dimension range $[0,99)$ of argument @x@.
+In general, the @forall( ..., [N] )@ participates in the user-relevant declaration of the name @N@, which becomes usable in parameter/return declarations and within a function.
+The syntactic form is chosen to parallel other @forall@ forms:
+\begin{cfa}
+forall( @[N]@ ) ...     $\C[1.5in]{// dimension}$
+forall( T ) ...         $\C{// value datatype (formerly, "otype")}$
+forall( T & ) ...       $\C{// opaque datatype (formerly, "dtype")}\CRT$
+\end{cfa}
+% The notation @array(thing, N)@ is a single-dimensional case, giving a generic type instance.
 The generic @array@ type is comparable to the C array type, which \CFA inherits from C.
 Their runtime characteristics are often identical, and some features are available in both.
 For example, assume a caller instantiates @N@ with 42 (discussion about how to follow) in:
+For example, assume a caller has an argument that instantiates @N@ with 42.
 \begin{cfa}
 forall( [N] )
 void declDemo() {
+void declDemo( ... ) {
         float x1[N];                                            $\C{// built-in type ("C array")}$
         array(float, N) x2;                                     $\C{// type from library}$
 …
 The two variables have identical size and layout; they both encapsulate 42-float stack allocations, with no additional ``bookkeeping'' allocations or headers.
 Providing this explicit generic approach requires a significant extension to the \CFA type system to support a full-feature, safe, efficient (space and time) array-type, which forms the foundation for more complex array forms in \CFA.
+Admittedly, the @array@ library type (type for @x2@) is syntactically different from its C counterpart.
+A future goal (TODO xref) is to provide the new features upon a built-in type whose syntax approaches C's (declaration style of @x1@).
+In all following discussion, ``C array'' means the types like that of @x@ and ``\CFA array'' means the standard-library @array@ type (instantiations), like the type of @x2@.
+Admittedly, the @array@ library type for @x2@ is syntactically different from its C counterpart.
+A future goal (TODO xref) is to provide the new @array@ features with syntax approaching C's (declaration style of @x1@).
 Then, the library @array@ type could be removed, giving \CFA a largely uniform array type.
 At present, the C-syntax array gets partial support for the new features, so the generic @array@ is used exclusively when introducing features;
+At present, the C-syntax @array@ is only partially supported, so the generic @array@ is used exclusively in the thesis;
 feature support and C compatibility are revisited in Section ? TODO.
-Offering the @array@ type, as a distinct alternative to the C array, is consistent with \CFA's goal of backwards compatibility, \ie virtually all existing C (@gcc@) programs can be compiled by \CFA with only a small number of changes, similar to \CC (@g++@).
-However, a few compatibility-breaking changes to the behaviour of the C array are necessary, both as an implementation convenience and to fix C's lax treatment of arrays.
-Hence, the @array@ type is an opportunity to start from a clean slate and show a cohesive selection of features, making it unnecessary to deal with every inherited complexity of the C array.
-In all discussion following, ``C array'' means the types like that of @x@ and ``\CFA array'' means the standard-library @array@ type (instantiations), like the type of @x2@.
 My contributions in this chapter are:
 …
+\section{Definitions and design considerations}
+\subsection{Dependent typing}
+General dependent typing allows the type system to encode arbitrary predicates (e.g. behavioural specifications for functions),
+\section{Dependent typing}
+General dependent typing allows the type system to encode arbitrary predicates (\eg behavioural specifications for functions),
 which is an anti-goal for my work.
 Firstly, this application is strongly associated with pure functional languages,
 …
 \section{Features added}
 …
 By declaring type variables at the front of object declarations, an array dimension is lexically referenceable where it is needed.
 For example, a declaration can share one length, @N@, among a pair of parameters and the return,
 meaning that it requires both input arrays to be of the same length, and guarantees that the result with be of that length as well.
+meaning that it requires both input arrays to be of the same length, and guarantees that the result is of that length as well.
 \lstinput{10-17}{hello-array.cfa}
+This function @f@ does a pointwise comparison of its two input arrays, checking if each pair of numbers is within half a percent of each other, returning the answers in a newly allocated @bool@ array.
+The dynamic allocation of the @ret@ array by preexisting @alloc@ uses the parameterized dimension information implicitly within its @sizeof@ determination, and casts the return type.
+Note that alloc only sees one whole type for its @T@ (which is @f@'s @array(bool, N)@); this type's size is a computation based on @N@.
+\begin{cfa}
+// simplification
+static inline forall( T & | sized(T) )
+Function @f@ does a pointwise comparison of its two input arrays, checking if each pair of numbers is within half a percent of each other, returning the answers in a newly allocated @bool@ array.
+The dynamic allocation of the @ret@ array, by the library @alloc@ function,
+\begin{cfa}
+forall( T & | sized(T) )
 T * alloc() {
+        return (T *)malloc( sizeof(T) );
+}
+\end{cfa}
+This example illustrates how the new @array@ type plugs into existing \CFA behaviour by implementing necessary @sized@ assertions needed by other types.
+(@sized@ implies a concrete \vs abstract type with a runtime-available size, exposed as @sizeof@.)
+        return @(T *)@malloc( @sizeof(T)@ );
+}
+\end{cfa}
+uses the parameterized dimension information implicitly within its @sizeof@ determination, and casts the return type.
+Note that @alloc@ only sees one whole type for its @T@ (which is @f@'s @array(bool, N)@); this type's size is a computation based on @N@.
+This example illustrates how the new @array@ type plugs into existing \CFA behaviour by implementing necessary \emph{sized} assertions needed by other types.
+(\emph{sized} implies a concrete \vs abstract type with a runtime-available size, exposed as @sizeof@.)
 As a result, there is significant programming safety by making the size accessible and implicit, compared with C's @calloc@ and non-array supporting @memalign@, which take an explicit length parameter not managed by the type system.
 …
 The result is a significant improvement in safety and usability.
-In general, the @forall( ..., [N] )@ participates in the user-relevant declaration of the name @N@, which becomes usable in parameter/return declarations and within a function.
-The syntactic form is chosen to parallel other @forall@ forms:
-\begin{cfa}
-forall( @[N]@ ) ...     $\C[1.5in]{// dimension}$
-forall( T & ) ...       $\C{// opaque datatype (formerly, "dtype")}$
-forall( T ) ...         $\C{// value datatype (formerly, "otype")}\CRT$
-\end{cfa}
-% The notation @array(thing, N)@ is a single-dimensional case, giving a generic type instance.
 In summary:
 \begin{itemize}
 …
 % agreed, though already said
 \item
 \CC does not allow a template function to be nested, while \CFA lests its polymorphic functions to be nested.
+\CC does not allow a template function to be nested, while \CFA lets its polymorphic functions to be nested.
 % why is this important?
 \item
 …
 \end{cfa}
 \end{tabular}
 \caption{\lstinline{N}-style paramters, for \CC template \vs \CFA generic type }
+\caption{\lstinline{N}-style parameters, for \CC template \vs \CFA generic type }
 \label{f:TemplateVsGenericType}
 \end{figure}
 Just as the first example in \VRef[Section]{s:ArrayIntro} shows a compile-time rejection of a length mismatch,
 so are length mismatches stopped when they invlove dimension parameters.
+so are length mismatches stopped when they involve dimension parameters.
 While \VRef[Figure]{f:fHarness} shows successfully calling a function @f@ expecting two arrays of the same length,
 \begin{cfa}
 array( bool, N ) & f( array( float, N ) &, array( float, N ) & );
 \end{cfa}
 a static rejection occurs when attempting to call @f@ with arrays of potentially differing lengths.
+a static rejection occurs when attempting to call @f@ with arrays of differing lengths.
 \lstinput[tabsize=1]{70-74}{hello-array.cfa}
 When the argument lengths themselves are statically unknown,
 …
 Orthogonally, the \CFA array type works within generic \emph{types}, \ie @forall@-on-@struct@.
 The same argument safety and the associated implicit communication of array length occurs.
 Preexisting \CFA allowed aggregate types to be generalized with type parameters, enabling parameterizing for element types.
+Preexisting \CFA allowed aggregate types to be generalized with type parameters, enabling parameterizing of element types.
 Now, \CFA also allows parameterizing them by length.
 Doing so gives a refinement of C's ``flexible array member'' pattern[TODO: cite ARM 6.7.2.1 pp18]\cite{arr:gnu-flex-mbr}.
 …
 This flexibility, in turn, allows for multiple array members.
 \lstinput{10-15}{hello-accordion.cfa}
+This structure's layout has the starting offset of @studentIds@ varying according to the generic parameter @C@, and the offset of @preferences@ varying according to both generic parameters.
+The school example has the data structure capturing many students' course-preference forms.
+It has course- and student-level metadata (their respective display names) and a position-based preferecens' matrix.
+The input files in \VRef[Figure]{f:checkHarness} give example data.
+When a function operates on a @School@ structure, the type system handles its memory layout transparently.
+\lstinput{30-37}{hello-accordion.cfa}
+In the running example, this @getPref@ function answers,
+for the student at position @sIx@, what is the position of its @pref@\textsuperscript{th}-favoured class?
+\VRef[Figure]{f:checkHarness} shows the @School@ harness and results with different array sizes.
+This example program prints the courses in each student's preferred order, all using the looked-up display names.
+Note the declaration of the @school@ variable.
+The structure has course- and student-level metatdata (their respective field names) and a position-based preferences' matrix.
+Its layout has the starting offset of @studentIds@ varying according to the generic parameter @C@, and the offset of @preferences@ varying according to both generic parameters.
+\VRef[Figure]{f:checkHarness} shows a program main using @School@ and results with different array sizes.
+The @school@ variable holds many students' course-preference forms.
 It is on the stack and its initialization does not use any casting or size arithmetic.
 Both of these points are impossible with a C flexible array member.
 …
 \end{cfa}
 This ability to avoid casting and size arithmetic improves safety and usability over C flexible array members.
+Finally, inputs and outputs are given at the bottom for different sized schools.
+The example program prints the courses in each student's preferred order, all using the looked-up display names.
 \begin{figure}
+% super hack to get this to line up
+\begin{tabular}{@{}ll@{\hspace{25pt}}l@{}}
+\begin{tabular}{@{}p{3.25in}@{}}
+\begin{cquote}
 \lstinput{50-55}{hello-accordion.cfa}
-\vspace*{-3pt}
 \lstinput{90-98}{hello-accordion.cfa}
+\end{tabular}
+&
+\raisebox{0.32\totalheight}{%
+}%
+&
+\end{tabular}
+TODO: Get Peter's layout help
+\$ cat school1
+\ \\
+@$ cat school1@
 \lstinput{}{school1}
+\$ ./a.out < school1
+@$ ./a.out < school1@
 \lstinput{}{school1.out}
+\$ cat school2
+@$ cat school2@
 \lstinput{}{school2}
+\$ ./a.out < school2
+@$ ./a.out < school2@
 \lstinput{}{school2.out}
+\end{cquote}
 \caption{\lstinline{School} harness, input and output}
 \label{f:checkHarness}
 \end{figure}
+When a function operates on a @School@ structure, the type system handles its memory layout transparently.
+\lstinput{30-37}{hello-accordion.cfa}
+In the example, this @getPref@ function answers, for the student at position @is@, what is the position of its @pref@\textsuperscript{th}-favoured class?
 …
 But simplifications close enough for the present discussion are:
 \begin{cfa}
         forall( [N] )
         struct array_1d_float {
                 float items[N];
         };
         forall( T, [N] )
         struct array_1d {
                 T items[N];
         };
 \end{cfa}
 This structure pattern, plus a subscript operator, is all that @array@ provides.
+forall( [N] )
+struct array_1d_float {
+        float items[N];
+};
+forall( T, [N] )
+struct array_1d_T {
+        T items[N];
+};
+\end{cfa}
+These two structure patterns, plus a subscript operator, is all that @array@ provides.
 My main work is letting a programmer define
 such a structre (one whose type is parameterized by @[N]@)
+such a structure (one whose type is parameterized by @[N]@)
 and functions that operate on it (these being similarly parameterized).
 …
 \begin{itemize}
 \item
         The resolver, providing values for a used declaration's type-system variables,
+        Resolver provided values for a used declaration's type-system variables,
         gathered from type information in scope at the usage site.
 \item
         The box pass, encoding information about type parameters
         into ``extra'' regular parameters/arguments on declarations and calls.
         Notably, it conveys the size of a type @foo@ as a @__sizeof_foo@ parameter,
         and rewrites the @sizeof(foo)@ expression as @__sizeof_foo@, i.e. a use of the parameter.
+        and rewrites the @sizeof(foo)@ expression as @__sizeof_foo@, \ie a use of the parameter.
 \end{itemize}
 …
 This work is detailed in \VRef[Section]{s:ArrayTypingC}.
 However, the resolution--boxing scheme, in its preexisting state, was already equipped to work on (desugared) dimension parameters.
 The discussion following explains the desugaring and how correct lowered code results.
 An even simpler structure, and a toy function on it, demonstrate what's needed for the encoding.
 \begin{cfa}
+        forall( [@N@] ) { // [1]
                 struct thing {};
                 void f( thing(@N@) ) { sout | @N@; } // [2], [3]
+        }
         int main() {
                 thing( @10@ ) x;  f(x);  // prints 10, [4]
                 thing( 100 ) y;  f(y);  // prints 100
                 return 0;
+        }
+The following discussion explains the desugaring and how correctly lowered code results.
+A simpler structure, and a toy function on it, demonstrate what is needed for the encoding.
+\begin{cfa}
+forall( [@N@] ) { $\C{// [1]}$
+        struct thing {};
+        void f( thing(@N@) ) { sout | @N@; } $\C{// [2], [3]}$
+}
+int main() {
+        thing( @10@ ) x;  f( x );  $\C{// prints 10, [4]}$
+        thing( 100 ) y;  f( y );  $\C{// prints 100}$
+        return 0;
+}
 \end{cfa}
 This example has:
 …
         A value like 10 being used as an argument to the parameter @N@.
 \end{enumerate}
 The chosen solution being to encode the value @N@ \emph{as a type}, items 1 and 2 are immediately available for free.
+The chosen solution is to encode the value @N@ \emph{as a type}, so items 1 and 2 are immediately available for free.
 Item 3 needs a way to recover the encoded value from a (valid) type (and to reject invalid types occurring here).
 Item 4 needs a way to produce a type that encodes the given value.
 …
 \item
         Given a dimension expression $e$, produce type @char[@$e$@]@ to represent it.
         If $e$ evaluates to $n$ then the endoded type has size $n$.
+        If $e$ evaluates to $n$ then the encoded type has size $n$.
 \item
         Given a type $T$ (produced by these rules), recover the value that it represents with the expression @sizeof(@$T$@)@.
 …
 The running example is lowered to:
 \begin{cfa}
+        forall( @N*@ ) { // [1]
                 struct thing {};
                 void f( thing(@N@) ) { sout | @sizeof(N)@; } // [2], [3]
+        }
         int main() {
                 thing( char[@10@] ) x;  f(x);  // prints 10, [4]
                 thing( char[100] ) y;  f(y);  // prints 100
                 return 0;
+        }
+forall( @N *@ ) { $\C{// [1]}$
+        struct thing {};
+        void f( thing(@N@) ) { sout | @sizeof(N)@; } $\C{// [2], [3]}$
+}
+int main() {
+        thing( char[@10@] ) x;  f( x );  $\C{// prints 10, [4]}$
+        thing( char[100] ) y;  f( y );  $\C{// prints 100}$
+        return 0;
+}
 \end{cfa}
 Observe:
 …
         The @sout...@ expression (being an application of the @?|?@ operator) has a second argument that is an ordinary expression.
 \item
         The type of variable @x@ is another @thing(-)@ type;  the argument to the generic @thing@ is a type (array type).
+        The type of variable @x@ is another @thing(-)@ type; the argument to the generic @thing@ is a type (array type of bytes, @char@).
 \end{enumerate}
 From this point, preexisting \CFA compilation takes over lowering it the rest of the way to C.
+Inspecting the result shows what the above translation achieves.
+A form that shows only the relevant changes of the box pass (as informed by the resolver), leaving the rest unadulterated, is:
+\begin{cfa}
+        // [1]
+        void f( size_t __sizeof_N, @void *@ ) { sout | @__sizeof_N@; } // [2], [3]
+        int main() {
+                struct __conc_thing_10 {} x;  f(@10@, &x);  // prints 10, [4]
+                struct __conc_thing_100 {} y;  f(@100@, &y);  // prints 100
+                return 0;
+        }
+Here the result shows only the relevant changes of the box pass (as informed by the resolver), leaving the rest unadulterated:
+\begin{cfa}
+// [1]
+void f( size_t __sizeof_N, @void *@ ) { sout | @__sizeof_N@; } $\C{// [2], [3]}$
+int main() {
+        struct __conc_thing_10 {} x;  f( @10@, &x );  $\C{// prints 10, [4]}$
+        struct __conc_thing_100 {} y;  f( @100@, &y );  $\C{// prints 100}$
+        return 0;
+}
 \end{cfa}
 Observe:
 …
         The type @thing(N)@ is (replaced by @void *@, but thereby effectively) gone.
 \item
         The @sout...@ expression (being an application of the @?|?@ operator) has a second argument that is a regular variable (parameter) usage.
+        The @sout...@ expression (being an application of the @?|?@ operator) has a regular variable (parameter) usage for its second argument.
 \item
         Information about the particular @thing@ instantiation (value 10) has moved, from the type, to a regular function-call argument.
 \end{enumerate}
 At the end of the desugaring and downstream processing, the original C idiom of ``pass both a pointer and a length parameter'' has been reconstructed.
 In the programmer-written form, only the thing is passed.
+At the end of the desugaring and downstream processing, the original C idiom of ``pass both a length parameter and a pointer'' has been reconstructed.
+In the programmer-written form, only the @thing@ is passed.
 The compiler's action produces the more complex form, which if handwritten, would be error-prone.
 Back at the very front end, the parsing changes, AST schema extensions, and validation rules for enabling the sugared user input are:
+Back at the compiler front end, the parsing changes AST schema extensions and validation rules for enabling the sugared user input.
 \begin{itemize}
 \item
 …
         Have the new brand of type-variable, \emph{Dimension}, in the AST form of a type-variable, to represent one parsed from @[-]@.
 \item
         Allow a type variable to occur in expression position.  Validate (after parsing) that only dimension-branded type variables are used here.
+        Allow a type variable to occur in an expression.  Validate (after parsing) that only dimension-branded type variables are used here.
 \item
         Allow an expression to occur in type-argument position.  Brand the resulting type argument as a dimension.
 …
         Validate (after parsing), on a generic-type usage, \eg the type part of the declaration
         \begin{cfa}
                 @array_1d( foo, bar ) x;@
+        array_1d( foo, bar ) x;
         \end{cfa}
+        \vspace*{-10pt}
         that the brands on the generic arguments match the brands of the declared type variables.
         Here, that @foo@ is a type and @bar@ is a dimension.
 …
 from one party who knows it, to another who is willing to work with any given length.
 For scenarios where the concern is a mishandled length,
+the interaction is between two parties who both claim to know (something about) it.
+Such a scenario occurs in this pure C fragment, wich today's C compilers accept:
+\begin{cfa}
+        int n = @42@;
+        float x[n];
+        float (*xp)[@999@] = &x;
+        (*xp)[@500@];  // in "bound"?
+\end{cfa}
+the interaction is between two parties who both claim to know something about it.
+Such a scenario occurs in this pure C fragment, which today's C compilers accept:
+\begin{cfa}
+int n = @42@;
+float x[n];
+float (*xp)[@999@] = &x;
+(*xp)[@500@]; $\C{// in "bound"?}$
+\end{cfa}
 Here, the array @x@ has length 42, while a pointer to it (@xp@) claims length 999.
 So, while the subscript of @xp@ at position 500 is out of bound of its referent @x@,
 …
 The \CFA new-array rejects the analogous case:
 \begin{cfa}
+        int n = @42@;
+        array(float, n) x;
+        array(float, 999) * xp = x; // static rejection here
+        (*xp)[@500@]; // runtime check vs len 999
+\end{cfa}
+% TODO: kill the vertical whitespace around these lists
+% nothing from https://stackoverflow.com/questions/1061112/eliminate-space-before-beginitemize is working
+The way the \CFA array is implemented,
+the type analysis of this \CFA case reduces to a case similar to the earlier C version.
+int n = @42@;
+array(float, n) x;
+array(float, 999) * xp = x; $\C{// static rejection here}$
+(*xp)[@500@]; $\C{// runtime check vs len 999}$
+\end{cfa}
+The way the \CFA array is implemented, the type analysis of this case reduces to a case similar to the earlier C version.
 The \CFA compiler's compatibility analysis proceeds as:
 \begin{itemize}[noitemsep,partopsep=-\parskip,parsep=0pt,leftmargin=4em]
+\begin{itemize}[parsep=0pt]
 \item
         Is @array(float, 999)@ type-compatible with @array(float, n)@?
 \item
         Is @arrayX(float, char[999])@ type-compatible with @arrayX(float, char[n])@?
         \footnote{Here, \lstinline{arrayX} represents the type that results
+        Is @arrayX(float, char[999])@ type-compatible with @arrayX(float, char[n])@?\footnote{
+                Here, \lstinline{arrayX} represents the type that results
                 from desugaring the \lstinline{array} type
                 into a type whose generic parameters are all types.
 …
         Is @char[999]@ type-compatible with @char[n]@?
 \end{itemize}
+I chose to achieve the necessary rejection of the \CFA case
+by adding a rejection of the corresponding C case.
+This decision is not backward compatible.
+To achieve the necessary \CFA rejections meant rejecting the corresponding C case, which is not backward compatible.
 There are two complementary mitigations for this incompatibility.
 …
 This situation might arise if @n@ were known to be 999,
 rather than 42, as in the introductory examples.
 The programmer can add a cast, as in:
 \begin{cfa}
         xp = ( float (*)[999] ) & x;
 \end{cfa}
 This addition causes \CFA to accept, beacause now, the programmer has accepted blame.
+The programmer can add a cast in the \CFA code.
+\begin{cfa}
+xp = @(float (*)[999])@ &x;
+\end{cfa}
+This addition causes \CFA to accept, because now, the programmer has accepted blame.
 This addition is benign in plain C, because the cast is valid, just unnecessary there.
 Moreover, the addition can even be seen as appropriate ``eye candy,''
 …
 Second, the incompatibility only affects types like pointer-to-array,
 which are are infrequently used in C.
+The more common C idiom for aliasing an array is to use the pointer-to-first-element type,
+which does not participate in the \CFA array's length checking.
+\footnote{Notably, the desugaring of the \lstinline{array@} type,
+        avoids letting any \lstinline{-[-]} type decay,
+        in order to preserve the length information that powers runtime bound checking.}
+Therefore, the frequency of needing to upgrade wild C code (as discussed in the first mitigation)
+The more common C idiom for aliasing an array is to use a pointer-to-first-element type,
+which does not participate in the \CFA array's length checking.\footnote{
+        Notably, the desugaring of the \lstinline{array} type avoids letting any \lstinline{-[-]} type decay,
+        in order to preserve the length information that powers runtime bound-checking.}
+Therefore, the frequency of needing to upgrade legacy C code (as discussed in the first mitigation)
 is anticipated to be low.
 Because the incompatibility represents a low cost to a \CFA onboarding effort
 (with a plausible side benefit of linting the original code for a missing annotation),
 I elected not to add special measures to retain the compatibility.
+no special measures were added to retain the compatibility.
 It would be possible to flag occurrences of @-[-]@ types that come from @array@ desugaring,
 treating those with stricter \CFA rules, while treating others with classic C rules.
 …
 Having allowed that both the initial C example's check
 \begin{itemize}[noitemsep,partopsep=-\parskip,parsep=0pt,leftmargin=4em]
+\begin{itemize}
         \item
                 Is @float[999]@ type-compatible with @float[n]@?
 \end{itemize}
 and the second \CFA exmple's induced check
 \begin{itemize}[noitemsep,partopsep=-\parskip,parsep=0pt,leftmargin=4em]
+and the second \CFA example's induced check
+\begin{itemize}
         \item
                 Is @char[999]@ type-compatible with @char[n]@?
 …
 To implement the new \CFA rules, I took the syntactic recursion a step further, obtaining,
 in both cases:
 \begin{itemize}[noitemsep,partopsep=-\parskip,parsep=0pt,leftmargin=4em]
+\begin{itemize}
         \item
                 Is @999@ TBD-compatible with @n@?
+                Is @999@ compatible with @n@?
 \end{itemize}
 This compatibility question applies to a pair of expressions, where the earlier ones were to types.
+This compatibility question applies to a pair of expressions, where the earlier implementation were to types.
 Such an expression-compatibility question is a new addition to the \CFA compiler.
 These questions only arise in the context of dimension expressions on (C) array types.
+Note, these questions only arise in the context of dimension expressions on (C) array types.
 TODO: ensure these compiler implementation matters are treated under \CFA compiler background:
 …
 GenPoly.
+The relevant technical component of the \CFA compiler is,
+within the type resolver, the type unification procedure.
+The relevant technical component of the \CFA compiler is the type unification procedure within the type resolver.
 I added rules for continuing this unification into expressions that occur within types.
 It is still fundamentally doing \emph{type} unification
 …
 and not participating in binding any variables that stand in for expression fragments
 (for there is no such sort of variable in \CFA's analysis.)
 An unfortunate fact about the \CFA compiler's preexisting implementation is that
 type unification suffers from two forms of duplication.
 …
 The first duplication has (many of) the unification rules stated twice.
 As a result, my additions for dimension expressions are stated twice.
 The extra statement of the rules occurs in the GenPoly module,
+The extra statement of the rules occurs in the @GenPoly@ module,
 where concrete types like @array(int, 5)@\footnote{
         Again, the presentation is simplified
         by leaving the \lstinline{array} macro unexpanded}
+        by leaving the \lstinline{array} macro unexpanded.}
 are lowered into corresponding C types @struct __conc_array_1234@ (the suffix being a generated index).
+In this case, the struct's definition gives fields that hardcode the argument values of @float@ and @5@.
+The next time an @array(-,-)@ concrete instance is encountered,
+is the previous @struct __conc_array_1234@ suitable for it?
+Yes, for another occurrance of @array(int, 5)@;
+In this case, the struct's definition contains fields that hardcode the argument values of @float@ and @5@.
+The next time an @array(-,-)@ concrete instance is encountered, it checks if the previous @struct __conc_array_1234@ is suitable for it.
+Yes, for another occurrence of @array(int, 5)@;
 no, for either @array(rational(int), 5)@ or @array(int, 42)@.
 By the last example, this phase must ``reject''
 …
 In the program
 \begin{cfa}
         void f( double );
         forall( T & ) void f( T & );
         void g( int n ) {
                 array( float, n + 1 ) x;
                 f(x);
+        }
 \end{cfa}
 when resolving the function call, the first unification stage
 compares the types @T@, of the parameter, with @array( float, n + 1 )@, of the argument.
+void @f@( double );
+forall( T & ) void @f@( T & );
+void g( int n ) {
+        array( float, n + 1 ) x;
+        f(x);   // overloaded
+}
+\end{cfa}
+when resolving the function call, @g@, the first unification stage
+compares the type @T@ of the parameter with @array( float, n + 1 )@, of the argument.
 TODO: finish.
 …
         TODO: Deal with directionality, that I'm doing exact-match, no ``at least as long as,'' no subtyping.
         Should it be an earlier scoping principle?  Feels like it should matter in more places than here.}
 So, a ``yes'' answer must represent a guarantee that both expressions will evaluate the
 same result, while a ``no'' can tolerate ``they might, but we're not sure,'
+So, a ``yes'' answer must represent a guarantee that both expressions evaluate the
+same result, while a ``no'' can tolerate ``they might, but we're not sure'',
 provided that practical recourses are available
 to let programmers express their better knowledge.
 The specific rule-set that I offer with the current release is, in fact, extremely conservative.
+to let programmers express better knowledge.
+The new rule-set in the current release is, in fact, extremely conservative.
 I chose to keep things simple,
+and allow real future needs do drive adding additional complexity,
+within the framework that I laid out.
+and allow future needs to drive adding additional complexity, within the new framework.
 For starters, the original motivating example's rejection
 …
 Rather, the analysis assumes a variable's value can be anything,
 and so there can be no guarantee that its value is 999.
 So, a variable use and a literal can never match.
+So, a variable and a literal can never match.
 Two occurrences of the same literal value are obviously a fine match.
 For two occurrences of the same varialbe, more information is needed.
+For two occurrences of the same variable, more information is needed.
 For example, this one is fine
 \begin{cfa}
         void f( const int n ) {
                 float x[n];
                 float (*xp)[n] = x; // accept
+        }
+void f( const int n ) {
+        float x[n];
+        float (*xp)[n] = x;   // accept
+}
 \end{cfa}
 while this one is not:
 \begin{cfa}
         void f() {
                 int n = 42;
                 float x[n];
                 n = 999;
                 float (*xp)[n] = x; // reject
+        }
+void f() {
+        int n = 42;
+        float x[n];
+        n = 999;
+        float (*xp)[n] = x;   // reject
+}
 \end{cfa}
 Furthermore, the fact that the first example sees @n@ as @const@
 is not actually a sufficent basis.
+is not actually sufficient.
 In this example, @f@'s length expression's declaration is as @const@ as it can be,
 yet its value still changes between the two invocations:
+\begin{cfa}
+        // compile unit 1
+        void g();
+        void f( const int & const nr ) {
+                float x[nr];
+                g();
+                float (*xp)[nr] = x; // reject
+        }
+        // compile unit 2
+        static int n = 42;
+        void g() {
+                n = 99;
+        }
+        void f( const int & );
+        int main () {
+                f(n);
+                return 0;
+        }
+\end{cfa}
+The issue in this last case is,
+just because you aren't able to change something doesn't mean someone else can't.
+My rule set also respects a feature of the C tradition.
+In spite of the several limitations of the C rules
+\begin{cquote}
+\setlength{\tabcolsep}{15pt}
+\begin{tabular}{@{}ll@{}}
+\begin{cfa}
+// compile unit 1
+void g();
+void f( const int & const nr ) {
+        float x[nr];
+        g();    // change n
+        @float (*xp)[nr] = x;@   // reject
+}
+\end{cfa}
+&
+\begin{cfa}
+// compile unit 2
+static int n = 42;
+void g() {
+        n = 99;
+}
+f( n );
+\end{cfa}
+\end{tabular}
+\end{cquote}
+The issue here is that knowledge needed to make a correct decision is hidden by separate compilation.
+Even within a translation unit, static analysis might not be able to provide all the information.
+My rule set also respects a traditional C feature: In spite of the several limitations of the C rules
 accepting cases that produce different values, there are a few mismatches that C stops.
 C is quite precise when working with two static values:
 \begin{cfa}
         enum { fortytwo = 42 };
         float x[fortytwo];
         float (*xp1)[42] = &x; // accept
         float (*xp2)[999] = &x; // reject
+C is quite precise when working with two static values.
+\begin{cfa}
+enum { fortytwo = 42 };
+float x[fortytwo];
+float (*xp1)[42] = &x;    // accept
+float (*xp2)[999] = &x;   // reject
 \end{cfa}
 My \CFA rules agree with C's on these cases.
 My rules classify expressions into three groups:
+In summary, the new rules classify expressions into three groups:
 \begin{description}
 \item[Statically Evaluable]
         Expressions for which a specific value can be calculated (conservatively)
         at compile-time.
         A preexisting \CFA compiler module defines which expressions qualify,
+        A preexisting \CFA compiler module defines which literals, enumerators, and expressions qualify,
         and evaluates them.
-        Includes literals and enumeration values.
 \item[Dynamic but Stable]
+        The value of a variable declared as @const@.
+        Includes a @const@ parameter.
+        The value of a variable declared as @const@, including a @const@ parameter.
 \item[Potentially Unstable]
         The catch-all category.  Notable examples include:
         any function-call result (@float x[foo()];@),
         the particular function-call result that is a pointer dereference (@void f(const int * n) { float x[*n]; }@), and
+        any function-call result, @float x[foo()];@,
+        the particular function-call result that is a pointer dereference, @void f(const int * n)@ @{ float x[*n]; }@, and
         any use of a reference-typed variable.
 \end{description}
+My \CFA rules are:
+Within these groups, my \CFA rules are:
 \begin{itemize}
 \item
 …
         Notably, this rule allows a literal to match with an enumeration value, based on the value.
 \item
         Accept a Dynamic but Stable pair, if both expressions are written out the same, e.g. refers to same variable declaration.
+        Accept a Dynamic but Stable pair, if both expressions are written out the same, \eg refers to the same variable declaration.
 \item
         Otherwise, reject.
+        Notably, reject all pairs from the Potentially Unstable group.
+        Notably, reject all pairs that cross groups.
+        Notably, reject all pairs from the Potentially Unstable group and all pairs that cross groups.
 \end{itemize}
 The traditional C rules are:
 \begin{itemize}
 …
 \end{itemize}
-\newcommand{\falsealarm}{{\color{orange}\small{*}}}
-\newcommand{\allowmisuse}{{\color{red}\textbf{!}}}
-\newcommand{\cmark}{\ding{51}} % from pifont
-\newcommand{\xmark}{\ding{55}}
 \begin{figure}
+        \newcommand{\falsealarm}{{\color{blue}\small{*}}}
+        \newcommand{\allowmisuse}{{\color{red}\textbf{!}}}
+        \newcommand{\cmark}{\ding{51}} % from pifont
+        \newcommand{\xmark}{\ding{55}}
         \begin{tabular}{@{}l@{\hspace{16pt}}c@{\hspace{8pt}}c@{\hspace{16pt}}c@{\hspace{8pt}}c@{\hspace{16pt}}c}
          & \multicolumn{2}{c}{\underline{Values Equal}}
 …
         \end{tabular}
         \vspace{12pt}
         \noindent\textbf{Legend:}
         \begin{itemize}
+        \medskip
+        \noindent\textbf{Legend}
+        \begin{itemize}[leftmargin=*]
         \item
                 Each row gives the treatment of a test harness of the form
                 \begin{cfa}
                         float x[ expr1 ];
                         float (*xp)[ expr2 ] = &x;
+                float x[ expr1 ];
+                float (*xp)[ expr2 ] = &x;
                 \end{cfa}
+                where \lstinline{expr1} and \lstinline{expr2} are metavariables varying according to the row's Case.
+                \vspace*{-10pt}
+                where \lstinline{expr1} and \lstinline{expr2} are meta-variables varying according to the row's Case.
                 Each row's claim applies to other harnesses too, including,
                 \begin{itemize}
                 \item
                         calling a function with a paramter like \lstinline{x} and an argument of the \lstinline{xp} type,
+                        calling a function with a parameter like \lstinline{x} and an argument of the \lstinline{xp} type,
                 \item
                         assignment in place of initialization,
 …
         \item
                 Each case's claim is symmetric (swapping \lstinline{expr1} with \lstinline{expr2} has no effect),
                 even though most test harnesses are asymetric.
+                even though most test harnesses are asymmetric.
         \item
                 The table treats symbolic identity (Same/Different on rows)
                 apart from value eqality (Equal/Unequal on columns).
+                apart from value equality (Equal/Unequal on columns).
                 \begin{itemize}
                 \item
 …
                 while every Accept under Values Unequal is an allowed misuse (\allowmisuse).
         \end{itemize}
+        \caption{Case comparison for array type compatibility, given pairs of dimension expressions.
                 TODO: get Peter's LaTeX help on overall appearance, probably including column spacing/centering and bullet indentation.}
+        \caption{Case comparison for array type compatibility, given pairs of dimension expressions.}
         \label{f:DimexprRuleCompare}
 \end{figure}
 …
 Figure~\ref{f:DimexprRuleCompare} gives a case-by-case comparison of the consequences of these rule sets.
 It demonstrates that the \CFA false alarms occur in the same cases as C treats unsafely.
 It also shows that C-incompatibilities only occur in cases that C treats unsafely.
+It demonstrates that the \CFA false alarms occur in the same cases as C treats unsafe.
+It also shows that C-incompatibilities only occur in cases that C treats unsafe.
 …
 whose reuses are rejected by the blunt current-state rules:
 \begin{cfa}
         void f( int & nr, const int nv ) {
                 float x[nr];
                 float (*xp)[nr] = & x; // reject: nr varying (no references)
                 float y[nv + 1];
                 float (*yp)[nv + 1] = & y; // reject: ?+? unpredicable (no functions)
+        }
+void f( int & nr, const int nv ) {
+        float x[nr];
+        float (*xp)[nr] = &x;   // reject: nr varying (no references)
+        float y[nv + 1];
+        float (*yp)[nv + 1] = &y;   // reject: ?+? unpredictable (no functions)
+}
 \end{cfa}
 Yet, both dimension expressions are reused safely.
 (The @nr@ reference is never written, not volatile
+The @nr@ reference is never written, not volatile
 and control does not leave the function between the uses.
 The name @?+?@ resolves to a function that is quite predictable.)
 The programmer here can add the constant declarations:
 \begin{cfa}
         void f( int & nr, const int nv ) {
                 @const int nx@ = nr;
                 float x[nx];
                 float (*xp)[nx] = & x; // acept
                 @const int ny@ = nv + 1;
                 float y[ny];
                 float (*yp)[ny] = & y; // accept
+        }
+The name @?+?@ resolves to a function that is quite predictable.
+Here, the programmer can add the constant declarations (cast does not work):
+\begin{cfa}
+void f( int & nr, const int nv ) {
+        @const int nx@ = nr;
+        float x[nx];
+        float (*xp)[nx] = & x;   // accept
+        @const int ny@ = nv + 1;
+        float y[ny];
+        float (*yp)[ny] = & y;   // accept
+}
 \end{cfa}
 The result is the originally intended semantics,
 …
 The snapshotting trick is also used by the translation, though to achieve a different outcome.
 Rather obviously, every array must be subscriptable, even a bizzarre one:
 \begin{cfa}
         array( float, rand(10) ) x;
         x[0];  // 10% chance of bound-check failure
+Rather obviously, every array must be subscriptable, even a bizarre one:
+\begin{cfa}
+array( float, rand(10) ) x;
+x[0];  // 10% chance of bound-check failure
 \end{cfa}
 Less obvious is that the mechanism of subscripting is a function call,
 …
 Adjusting the example to make the function's use of length more explicit:
 \begin{cfa}
         forall ( T * )
         void f( T * x ) { sout | sizeof(*x); }
         float x[ rand(10) ];
         f( x );
+forall ( T * )
+void f( T * x ) { sout | sizeof(*x); }
+float x[ rand(10) ];
+f( x );
 \end{cfa}
 Considering that the partly translated function declaration is, loosely,
 \begin{cfa}
+        void f( size_t __sizeof_T, void * x ) { sout | __sizeof_T; }
+\end{cfa}
+the translated call must not go like:
+\begin{cfa}
+        float x[ rand(10) ];
+        f( rand(10), &x );
+\end{cfa}
+Rather, its actual translation is like:
+\begin{cfa}
+        size_t __dim_x = rand(10);
+        float x[ __dim_x ];
+        f( __dim_x, &x );
+\end{cfa}
+The occurrence of this dimension hoisting during translation was present in the preexisting \CFA compiler.
+But its cases were buggy, particularly with determining, ``Can hoisting be skipped here?''
+For skipping this hoisting is clearly desirable in some cases,
+not the least of which is when the programmer has already done so manually.
+My work includes getting these cases right, harmonized with the accept/reject criteria, and tested.
+void f( size_t __sizeof_T, void * x ) { sout | __sizeof_T; }
+\end{cfa}
+the translation must call the dimension argument twice:
+\begin{cfa}
+float x[ rand(10) ];
+f( rand(10), &x );
+\end{cfa}
+Rather, the translation is:
+\begin{cfa}
+size_t __dim_x = rand(10);
+float x[ __dim_x ];
+f( __dim_x, &x );
+\end{cfa}
+The occurrence of this dimension hoisting during translation was in the preexisting \CFA compiler.
+But its cases were buggy, particularly with determining, ``Can hoisting the expression be skipped here?'', for skipping this hoisting is clearly desirable in some cases.
+For example, when the programmer has already done so manually. \PAB{I don't know what this means.}
+In the new implementation, these cases are correct, harmonized with the accept/reject criteria.
 TODO: Discuss the interaction of this dimension hoisting with the challenge of extra unification for cost calculation
+\section{Multidimensional Arrays}
+\label{toc:mdimpl}
+% TODO: introduce multidimensional array feature and approaches
+When working with arrays, \eg linear algebra, array dimensions are referred to as ``rows'' and ``columns'' for a matrix, adding ``planes'' for a cube.
+(There is little terminology for higher dimensional arrays.)
+For example, an acrostic poem\footnote{A type of poetry where the first, last or other letters in a line spell out a particular word or phrase in a vertical column.}
+can be treated as a grid of characters, where the rows are the text and the columns are the embedded keyword(s).
+Within a poem, there is the concept of a \newterm{slice}, \eg a row is a slice for the poem text, a column is a slice for a keyword.
+In general, the dimensioning and subscripting for multidimensional arrays has two syntactic forms: @m[r,c]@ or @m[r][c]@.
+Commonly, an array, matrix, or cube, is visualized (especially in mathematics) as a contiguous row, rectangle, or block.
+This conceptualization is reenforced by subscript ordering, \eg $m_{r,c}$ for a matrix and $c_{p,r,c}$ for a cube.
+Few programming languages differ from the mathematical subscript ordering.
+However, computer memory is flat, and hence, array forms are structured in memory as appropriate for the runtime system.
+The closest representation to the conceptual visualization is for an array object to be contiguous, and the language structures this memory using pointer arithmetic to access the values using various subscripts.
+This approach still has degrees of layout freedom, such as row or column major order, \ie juxtaposed rows or columns in memory, even when the subscript order remains fixed.
+For example, programming languages like MATLAB, Fortran, Julia and R store matrices in column-major order since they are commonly used for processing column-vectors in tabular data sets but retain row-major subscripting.
+In general, storage layout is hidden by subscripting, and only appears when passing arrays among different programming languages or accessing specific hardware.
+\VRef[Figure]{f:FixedVariable} shows two C90 approaches for manipulating a contiguous matrix.
+Note, C90 does not support VLAs.
+The fixed-dimension approach (left) uses the type system;
+however, it requires all dimensions except the first to be specified at compile time, \eg @m[][6]@, allowing all subscripting stride calculations to be generated with constants.
+Hence, every matrix passed to @fp1@ must have exactly 6 columns but the row size can vary.
+The variable-dimension approach (right) ignores (violates) the type system, \ie argument and parameters types do not match, and subscripting is performed manually using pointer arithmetic in the macro @sub@.
+\begin{figure}
+\begin{tabular}{@{}l@{\hspace{40pt}}l@{}}
+\multicolumn{1}{c}{\textbf{Fixed Dimension}} & \multicolumn{1}{c}{\textbf{Variable Dimension}} \\
+\begin{cfa}
+void fp1( int rows, int m[][@6@] ) {
+        ...  printf( "%d ", @m[r][c]@ );  ...
+}
+int fm1[4][@6@], fm2[6][@6@]; // no VLA
+// initialize matrixes
+fp1( 4, fm1 ); // implicit 6 columns
+fp1( 6, fm2 );
+\end{cfa}
+&
+\begin{cfa}
+#define sub( m, r, c ) *(m + r * sizeof( m[0] ) + c)
+void fp2( int rows, int cols, int *m ) {
+        ...  printf( "%d ", @sub( m, r, c )@ );  ...
+}
+int vm1[@4@][@4@], vm2[@6@][@8@]; // no VLA
+// initialize matrixes
+fp2( 4, 4, vm1 );
+fp2( 6, 8, vm2 );
+\end{cfa}
+\end{tabular}
+\caption{C90 Fixed \vs Variable Contiguous Matrix Styles}
+\label{f:FixedVariable}
+\end{figure}
+Many languages allow multidimensional arrays-of-arrays, \eg in Pascal or \CC.
+\begin{cquote}
+\begin{tabular}{@{}ll@{}}
+\begin{pascal}
+var m : array[0..4, 0..4] of Integer;  (* matrix *)
+type AT = array[0..4] of Integer;  (* array type *)
+type MT = array[0..4] of AT;  (* array of array type *)
+var aa : MT;  (* array of array variable *)
+m@[1][2]@ := 1;   aa@[1][2]@ := 1 (* same subscripting *)
+\end{pascal}
+&
+\begin{c++}
+int m[5][5];
+typedef vector< vector<int> > MT;
+MT vm( 5, vector<int>( 5 ) );
+m@[1][2]@ = 1;  aa@[1][2]@ = 1;
+\end{c++}
+\end{tabular}
+\end{cquote}
+The language decides if the matrix and array-of-array are laid out the same or differently.
+For example, an array-of-array may be an array of row pointers to arrays of columns, so the rows may not be contiguous in memory nor even the same length (triangular matrix).
+Regardless, there is usually a uniform subscripting syntax masking the memory layout, even though a language could differentiated between the two forms using subscript syntax, \eg @m[1,2]@ \vs @aa[1][2]@.
+Nevertheless, controlling memory layout can make a difference in what operations are allowed and in performance (caching/NUMA effects).
+C also provides non-contiguous arrays-of-arrays.
+\begin{cfa}
+int m[5][5];                                                    $\C{// contiguous}$
+int * aa[5];                                                    $\C{// non-contiguous}$
+\end{cfa}
+both with different memory layout using the same subscripting, and both with different degrees of issues.
+The focus of this work is on the contiguous multidimensional arrays in C.
+The reason is that programmers are often forced to use the more complex array-of-array form when a contiguous array would be simpler, faster, and safer.
+Nevertheless, the C array-of-array form is still important for special circumstances.
+\VRef[Figure]{f:ContiguousNon-contiguous} shows the extensions made in C99 for manipulating contiguous \vs non-contiguous arrays.\footnote{C90 also supported non-contiguous arrays.}
+First, VLAs are supported.
+Second, for contiguous arrays, C99 conjoins one or more of the parameters as a downstream dimension(s), \eg @cols@, implicitly using this parameter to compute the row stride of @m@.
+If the declaration of @fc@ is changed to:
+\begin{cfa}
+void fc( int rows, int cols, int m[@rows@][@cols@] ) ...
+\end{cfa}
+it is possible for C to perform bound checking across all subscripting, but it does not.
+While this contiguous-array capability is a step forward, it is still the programmer's responsibility to manually manage the number of dimensions and their sizes, both at the function definition and call sites.
+That is, the array does not automatically carry its structure and sizes for use in computing subscripts.
+While the non-contiguous style in @faa@ looks very similar to @fc@, the compiler only understands the unknown-sized array of row pointers, and it relies on the programmer to traverse the columns in a row correctly with a correctly bounded loop index.
+Specifically, there is no requirement that the rows are the same length, like a poem with different length lines.
+\begin{figure}
+\begin{tabular}{@{}ll@{}}
+\multicolumn{1}{c}{\textbf{Contiguous}} & \multicolumn{1}{c}{\textbf{ Non-contiguous}} \\
+\begin{cfa}
+void fc( int rows, @int cols@, int m[ /* rows */ ][@cols@] ) {
+        ...  printf( "%d ", @m[r][c]@ );  ...
+}
+int m@[5][5]@;
+for ( int r = 0; r < 5; r += 1 ) {
+        for ( int c = 0; c < 5; c += 1 )
+                m[r][c] = r + c;
+}
+fc( 5, 5, m );
+\end{cfa}
+&
+\begin{cfa}
+void faa( int rows, int cols, int * m[ @/* cols */@ ] ) {
+        ...  printf( "%d ", @m[r][c]@ );  ...
+}
+int @* aa[5]@;  // row pointers
+for ( int r = 0; r < 5; r += 1 ) {
+        @aa[r] = malloc( 5 * sizeof(int) );@ // create rows
+        for ( int c = 0; c < 5; c += 1 )
+                aa[r][c] = r + c;
+}
+faa( 5, 5, aa );
+\end{cfa}
+\end{tabular}
+\caption{C99 Contiguous \vs Non-contiguous Matrix Styles}
+\label{f:ContiguousNon-contiguous}
+\end{figure}
+\subsection{Multidimensional array implementation}
+\section{Multidimensional array implementation}
 \label{s:ArrayMdImpl}
 …
         S & | sized(S),                 $\C{// masquerading-as}$
         Timmed &,                               $\C{// immediate element, often another array}$
         Tbase &                                 $\C{// base element, e.g. float, never array}$
+        Tbase &                                 $\C{// base element, \eg float, never array}$
 ) { // distribute forall to each element
         struct arpk {
 …
+\section{Array lifecycle}
+An array is an aggregate, like a structure;
+both are containers wrapping subordinate objects.
+Any arbitrary object type, like @string@, can be an array element or structure member.
+A consequence is that the lifetime of the container must match with its subordinate objects: all elements and members must be initialized/uninitialized implicitly as part of the container's allocation/deallocation.
+Modern programming languages implicitly perform these operations via a type's constructor and destructor.
+Therefore, \CFA must assure that an array's subordinate objects' lifetime operations are called.
+Preexisting \CFA mechanisms achieve this requirement, but with poor performance.
+Furthermore, advanced array users need an exception to the basic mechanism, which does not occur with other aggregates.
+Hence, arrays introduce subleties in supporting an element's lifecycle.
+The preexisting \CFA support for contained-element lifecycle is based on recursive occurrences of the object-type (@otype@) pseudo-trait.
+A type is an @otype@, if it provides a default (parameterless) constructor, copy constructor, assignment operator, and destructor (like \CC).
+When declaring a structure with @otype@ members, the compiler implicitly generates implementations of the four @otype@ functions for the outer structure.
+Then the generated default constructor for the outer structure calls the default constructor for each member, and the other @otype@ functions work similarly.
+For a member that is a C array, these calls occur in a loop for each array element, which even works for VLAs.
+This logic works the same, whether the member is a concrete type (that happens to be an @otype@) or if the member is a polymorphic type asserted to be an @otype@ (which is implicit in the syntax, @forall(T)@).
+The \CFA array has the simplified form (similar to one seen before):
+\begin{cfa}
+forall( T * )   // non-otype element, no lifecycle functions
+// forall( T )  // otype element, lifecycle functions asserted
+struct array5 {
+        T __items[ 5 ];
+};
+\end{cfa}
+Being a structure with a C-array member, using the otype-form declaration for @T@ causes @array5(float)@ to implement @otype@ too.
+But this @otype@-recursion pattern has a performance issue.
+For example, in a cube of @float@:
+\begin{cfa}
+array5( array5( array5( float ) ) )
+\end{cfa}
+the first few steps of the compiler's work to find the lifecycle functions, under the @otype@-recursion pattern, are shown in \VRef[Figure]{f:OtypeRecursionBlowup}.
+All the work needed for the full @float@-cube would have 256 leaves.
+%array5(T) offers
+%1 parameterless ctor, which asks for T to have
+%       1 parameterless ctor
+%       2 copy ctor
+%       3 asgt
+%       4 dtor
+%2 copy ctor, which asks for T to have
+%       1 parameterless ctor
+%       2 copy ctor
+%       3 asgt
+%       4 dtor
+%3 asgt, which asks for T to have
+%       1 parameterless ctor
+%       2 copy ctor
+%       3 asgt
+%       4 dtor
+%4 dtor, which asks for T to have
+%       1 parameterless ctor
+%       2 copy ctor
+%       3 asgt
+%       4 dtor
+\begin{figure}
+\centering
+\setlength{\tabcolsep}{15pt}
+\begin{tabular}{@{}lll@{}}
+\begin{cfa}[deletekeywords={default}]
+float offers
+default ctor
+copy ctor
+asgt
+dtor
+\end{cfa}
+&
+\begin{cfa}[deletekeywords={default}]
+array5(float) has
+default ctor, using float's
+default ctor
+copy ctor
+asgt
+dtor
+copy ctor, using float's
+default ctor
+copy ctor
+asgt
+dtor
+asgt, using float's
+default ctor
+copy ctor
+asgt
+dtor
+dtor, using float's
+default ctor
+copy ctor
+asgt
+dtor
+\end{cfa}
+&
+\begin{cfa}[deletekeywords={default}]
+array5(array5(float)) has
+default ctor, using array5(float)'s
+default ctor, using float's
+default ctor
+copy ctor
+asgt
+dtor
+copy ctor, using float's
+default ctor
+copy ctor
+asgt
+dtor
+asgt, using float's
+default ctor
+copy ctor
+asgt
+dtor
+dtor, using float's
+default ctor
+copy ctor
+asgt
+dtor
+copy ctor, using array5(float)'s
+        ... 4 children, 16 leaves
+asgt, using array5(float)'s
+        ... 4 children, 16 leaves
+dtor, using array5(float)'s
+        ... 4 children, 16 leaves
+(64 leaves)
+\end{cfa}
+\end{tabular}
+\caption{Exponential thunk generation under the otype-recursion pattern.
+        Each time that one type's function (\eg ctor) uses another type's function, the \CFA compiler generates a thunk, to capture the used function's dependencies, presented according to the using function's need.
+        So, each non-leaf line represents a generated thunk and every line represents a search request for the resolver to find a satisfying function.}
+\label{f:OtypeRecursionBlowup}
+\end{figure}
+So the @otype@-recursion pattern seeks a quantity of helper functions, and generates a quantity of thunks, that are exponential in the number of dimensions.
+Anecdotal experience with this solution found the resulting compile times annoyingly slow at three dimensions, and unusable at four.
+The issue is that the otype-recursion pattern uses more assertions than needed.
+Consider how @array5(float)@'s default constructor is getting all four lifecycle assertions about the element type, @float@.
+It only needs @float@'s default constructor;
+the full set of operations is never used.
+Current work by the \CFA team aims to improve this situation.
+Therefore, a workaround is needed for now.
+The workaround is to provide a default constructor, copy constructor and destructor, defined with lean, bespoke assertions:
+\begin{cquote}
+\begin{tabular}{@{}l@{\hspace{0.5in}}l@{}}
+\begin{cfa}
+// autogenerated for otype-recursion:
+forall( T )
+void ?{}( array5(T) & this ) {
+        for (i; 5) { ( this[i] ){}; }
+}
+forall( T )
+void ?{}( array5(T) & this, array5(T) & src ) {
+        for (i; 5) { ( this[i] ){ src[i] }; }
+}
+forall( T )
+void ^?{}( array5(T) & this ) {
+        for (i; 5) { ^( this[i] ){}; }
+}
+\end{cfa}
+&
+\begin{cfa}
+// lean, bespoke:
+forall( T* | { void @?{}( T & )@; } )
+void ?{}( array5(T) & this ) {
+        for (i; 5) { ( this[i] ){}; }
+}
+forall( T* | { void @?{}( T &, T )@; } )
+void ?{}( array5(T) & this, array5(T) & src ) {
+        for (i; 5) { ( this[i] ){ src[i] }; }
+}
+forall( T* | { void @?{}( T & )@; } )
+void ^?{}( array5(T) & this ) {
+        for (i; 5) { ^( this[i] ){}; }
+}
+\end{cfa}
+\end{tabular}
+\end{cquote}
+Moreover, the assignment operator is skipped, to avoid hitting a lingering growth case.
+Skipping assignment is tolerable because array assignment is not a common operation.
+With this solution, the critical lifecycle functions are available, with no growth in thunk creation.
+Finally, the intuition that a programmer using an array always wants the elements' default constructor called \emph{automatically} is simplistic.
+Arrays exist to store different values at each position.
+So, array initialization needs to let the programmer provide different constructor arguments to each element.
+\begin{cfa}
+thread worker { int id; };
+void ?{}( worker & ) = void; // remove default constructor
+void ?{}( worker &, int id );
+array( worker, 5 ) ws = @{}@; // rejected; but desire is for no initialization yet
+for (i; 5) (ws[i]){ @i@ }; // explicitly initialize each thread, giving id
+\end{cfa}
+Note the use of the \CFA explicit constructor call, analogous to \CC's placement-@new@.
+This call is where initialization is desired, and not at the declaration of @ws@.
+The attempt to initialize from nothing (equivalent to dropping @= {}@ altogether) is invalid because the @worker@ type removes the default constructor.
+The @worker@ type is designed this way to work with the threading system.
+A thread type forks a thread at the end of each constructor and joins with it at the start of each destructor.
+But a @worker@ cannot begin its forked-thead work without knowing its @id@.
+Therefore, there is a conflict between the implicit actions of the builtin @thread@ type and a user's desire to defer these actions.
+Another \CFA feature may, at first, seem viable for initializing the array @ws@, though on closer inspection, it is not.
+C initialization, \lstinline|array(worker, 5) ws @= {};|, ignores all \CFA lifecycle management and uses C empty initialization.
+This option does achieve the desired semantics on the construction side.
+But on destruction side, the desired semantics is for implicit destructor calls to continue, to keep the join operation tied to lexical scope.
+C initialization disables \emph{all} implicit lifecycle management, but the goal is to disable only the implicit construction.
+To fix this problem, I enhanced the \CFA standard library to provide the missing semantics, available in either form:
+\begin{cfa}
+array( @uninit@(worker), 5 ) ws1;
+array( worker, 5) ws2 = { @delay_init@ };
+\end{cfa}
+Both cause the @ws@-construction-time implicit call chain to stop before reaching a @worker@ constructor, while leaving the implicit destruction calls intact.
+Two forms are available, to parallel the development of this feature in \uCpp.
+Originally \uCpp offered only the @ws1@ form, using the class-template @uNoCtor@ equivalent to \CFA's @uninit@.
+More recently, \uCpp was extended with the declaration macro, @uArray@, with usage similar to the @ws2@ case.
+Based on experience piloting @uArray@ as a replacement of @uNoCtor@, it might be possible to remove the first option.
+% note to Mike, I have more fragments on some details available in push24\fragments\uNoCtor.txt
 \section{Comparison with other arrays}

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 10a9479d for doc/theses/mike_brooks_MMath/array.tex

Legend:

doc/theses/mike_brooks_MMath/array.tex

Download in other formats: