Changeset 8614140 for doc/theses/mike_brooks_MMath/array.tex

Timestamp:

Jan 8, 2026, 1:26:42 PM (4 weeks ago)

Author:

Michael Brooks <mlbrooks@…>

Branches:

master

Children:

fb7c9168

Parents:

79ba50c (diff), 4904b05 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge branch 'master' of plg.uwaterloo.ca:software/cfa/cfa-cc

File:

• doc/theses/mike_brooks_MMath/array.tex (modified) (53 diffs)

doc/theses/mike_brooks_MMath/array.tex

@@ -2 +2 @@
 \label{c:Array}
 
-Arrays in C are possibly the single most misunderstood and incorrectly used feature in the language, resulting in the largest proportion of runtime errors and security violations.
+Arrays in C are possibly the single most misunderstood and incorrectly used feature in the language \see{\VRef{s:Array}}, resulting in the largest proportion of runtime errors and security violations.
 This chapter describes the new \CFA language and library features that introduce a length-checked array type, @array@, to the \CFA standard library~\cite{Cforall}.
 
@@ -13 +13 @@
 \label{s:ArrayIntro}
 
-The new \CFA array is declared by instantiating the generic @array@ type,
-much like instantiating any other standard-library generic type (such as \CC @vector@),
-though using a new style of generic parameter.
+The new \CFA array is declared by instantiating the generic @array@ type, much like instantiating any other standard-library generic type (such as \CC @vector@), using a new style of generic parameter.
 \begin{cfa}
 @array( float, 99 )@ x;                                 $\C[2.5in]{// x contains 99 floats}$
@@ -24 +22 @@
 void f( @array( float, 42 )@ & p ) {}   $\C{// p accepts 42 floats}$
 f( x );                                                                 $\C{// statically rejected: type lengths are different, 99 != 42}$
+
 test2.cfa:3:1 error: Invalid application of existing declaration(s) in expression.
 Applying untyped:  Name: f ... to:  Name: x
@@ -37 +36 @@
 g( x, 0 );                                                              $\C{// T is float, N is 99, dynamic subscript check succeeds}$
 g( x, 1000 );                                                   $\C{// T is float, N is 99, dynamic subscript check fails}$
+
 Cforall Runtime error: subscript 1000 exceeds dimension range [0,99) $for$ array 0x555555558020.
 \end{cfa}
@@ -92 +92 @@
 is a sufficient postcondition.
 In an imperative language like C and \CFA, it is also necessary to discuss side effects, for which an even heavier formalism, like separation logic, is required.
-Secondly, TODO: bash Rust.
-% TODO: cite the crap out of these claims.
+Secondly: ... bash Rust.
+... cite the crap out of these claims.
 \end{comment}
 
@@ -110 +110 @@
 forall( T & | sized(T) )
 T * alloc() {
-        return @(T *)@malloc( @sizeof(T)@ );
+        return @(T *)@malloc( @sizeof(T)@ );    // C malloc
 }
 \end{cfa}
@@ -132 +132 @@
 The loops follow the familiar pattern of using the variable @dim@ to iterate through the arrays.
 Most importantly, the type system implicitly captures @dim@ at the call of @f@ and makes it available throughout @f@ as @N@.
-The example shows @dim@ adapting into a type-system managed length at the declarations of @x@, @y@, and @result@, @N@ adapting in the same way at @f@'s loop bound, and a pass-thru use of @dim@ at @f@'s declaration of @ret@.
+The example shows @dim@ adapting into a type-system managed length at the declarations of @x@, @y@, and @result@; @N@ adapting in the same way at @f@'s loop bound; and a pass-thru use of @dim@ at @f@'s declaration of @ret@.
 Except for the lifetime-management issue of @result@, \ie explicit @free@, this program has eliminated both the syntactic and semantic problems associated with C arrays and their usage.
 The result is a significant improvement in safety and usability.
@@ -148 +148 @@
 \end{itemize}
 
-\VRef[Figure]{f:TemplateVsGenericType} shows @N@ is not the same as a @size_t@ declaration in a \CC \lstinline[language=C++]{template}.
+\VRef[Figure]{f:TemplateVsGenericType} shows @N@ is not the same as a @size_t@ declaration in a \CC \lstinline[language=C++]{template}.\footnote{
+The \CFA program requires a snapshot declaration for \lstinline{n} to compile, as described at the end of \Vref{s:ArrayTypingC}.}
 \begin{enumerate}[leftmargin=*]
 \item
 The \CC template @N@ can only be a compile-time value, while the \CFA @N@ may be a runtime value.
 \item
-\CC does not allow a template function to be nested, while \CFA lets its polymorphic functions to be nested.
+\CC does not allow a template function to be nested, while \CFA allows polymorphic functions be nested.
 Hence, \CC precludes a simple form of information hiding.
 \item
@@ -176 +177 @@
 % mycode/arrr/thesis-examples/check-peter/cs-cpp.cpp, v10
 \end{enumerate}
-The \CC template @array@ type mitigates points \VRef[]{p:DimensionPassing} and \VRef[]{p:ArrayCopy}, but it is also trying to accomplish a similar mechanism to \CFA @array@.
+The \CC template @std::array@ tries to accomplish a similar mechanism to \CFA @array@.
+It is an aggregate type with the same semantics as a @struct@ holding a C-style array \see{\VRef{s:ArraysCouldbeValues}}, which mitigates points \VRef[]{p:DimensionPassing} and \VRef[]{p:ArrayCopy}.
 
 \begin{figure}
-\begin{tabular}{@{}l@{\hspace{20pt}}l@{}}
+\begin{tabular}{@{}ll@{}}
 \begin{c++}
 
@@ -187 +189 @@
 }
 int main() {
-
-        int ret[10], x[10];
-        for ( int i = 0; i < 10; i += 1 ) x[i] = i;
-        @copy<int, 10 >( ret, x );@
-        for ( int i = 0; i < 10; i += 1 )
+        const size_t  n = 10;   // must be constant
+        int ret[n], x[n];
+        for ( int i = 0; i < n; i += 1 ) x[i] = i;
+        @copy<int, n >( ret, x );@
+        for ( int i = 0; i < n; i += 1 )
                 cout << ret[i] << ' ';
         cout << endl;
@@ -203 +205 @@
                 for ( i; N ) ret[i] = x[i];
         }
-
-        const int n = promptForLength();
+        size_t  n;
+        sin | n;
         array( int, n ) ret, x;
         for ( i; n ) x[i] = i;
@@ -228 +230 @@
 When the argument lengths themselves are statically unknown,
 the static check is conservative and, as always, \CFA's casting lets the programmer use knowledge not shared with the type system.
-\begin{tabular}{@{\hspace{0.5in}}l@{\hspace{1in}}l@{}}
-\lstinput{90-97}{hello-array.cfa}
-&
-\lstinput{110-117}{hello-array.cfa}
-\end{tabular}
-
-\noindent
-This static check's full rules are presented in \VRef[Section]{s:ArrayTypingC}.
+\lstinput{90-96}{hello-array.cfa}
+This static check's rules are presented in \VRef[Section]{s:ArrayTypingC}.
 
 Orthogonally, the \CFA array type works within generic \emph{types}, \ie @forall@-on-@struct@.
 The same argument safety and the associated implicit communication of array length occurs.
 Preexisting \CFA allowed aggregate types to be generalized with type parameters, enabling parameterizing of element types.
-This has been extended to allow parameterizing by dimension.
-Doing so gives a refinement of C's ``flexible array member''~\cite[\S~6.7.2.1.18]{C11}.
+This feature is extended to allow parameterizing by dimension.
+Doing so gives a refinement of C's ``flexible array member''~\cite[\S~6.7.2.1.18]{C11}:
 \begin{cfa}
 struct S {
@@ -264 +260 @@
 \end{cfa}
 This ability to avoid casting and size arithmetic improves safety and usability over C flexible array members.
-Finally, inputs and outputs are given at the bottom for different sized schools.
+Finally, inputs and outputs are given on the right for different sized schools.
 The example program prints the courses in each student's preferred order, all using the looked-up display names.
 
 \begin{figure}
-\begin{cquote}
-\lstinput{50-55}{hello-accordion.cfa}
+\begin{lrbox}{\myboxA}
+\begin{tabular}{@{}l@{}}
+\lstinput{50-55}{hello-accordion.cfa} \\
 \lstinput{90-98}{hello-accordion.cfa}
-\ \\
-@$ cat school1@
-\lstinput{}{school1}
-
-@$ ./a.out < school1@
-\lstinput{}{school1.out}
-
-@$ cat school2@
-\lstinput{}{school2}
-
-@$ ./a.out < school2@
-\lstinput{}{school2.out}
-\end{cquote}
+\end{tabular}
+\end{lrbox}
+
+\begin{lrbox}{\myboxB}
+\begin{tabular}{@{}l@{}}
+@$ cat school1@ \\
+\lstinputlisting{school1} \\
+@$ ./a.out < school1@ \\
+\lstinputlisting{school1.out} \\
+@$ cat school2@ \\
+\lstinputlisting{school2} \\
+@$ ./a.out < school2@ \\
+\lstinputlisting{school2.out}
+\end{tabular}
+\end{lrbox}
+
+\setlength{\tabcolsep}{10pt}
+\begin{tabular}{@{}ll@{}}
+\usebox\myboxA
+&
+\usebox\myboxB
+\end{tabular}
 
 \caption{\lstinline{School} Example, Input and Output}
@@ -290 +296 @@
 
 When a function operates on a @School@ structure, the type system handles its memory layout transparently.
-\lstinput{30-37}{hello-accordion.cfa}
+\lstinput{30-36}{hello-accordion.cfa}
 In the example, function @getPref@ returns, for the student at position @is@, what is the position of their @pref@\textsuperscript{th}-favoured class?
 
@@ -296 +302 @@
 \section{Dimension Parameter Implementation}
 
-The core of the preexisting \CFA compiler already had the ``heavy equipment'' needed to provide the feature set just reviewed (up to bugs in cases not yet exercised).
+The core of the preexisting \CFA compiler already has the ``heavy equipment'' needed to provide the feature set just reviewed (up to bugs in cases not yet exercised).
 To apply this equipment in tracking array lengths, I encoded a dimension (array's length) as a type.
 The type in question does not describe any data that the program actually uses at runtime.
@@ -323 +329 @@
 \begin{itemize}[leftmargin=*]
 \item
-        Resolver provided values for a used declaration's type-system variables, gathered from type information in scope at the usage site.
-\item
-        The box pass, encoding information about type parameters into ``extra'' regular parameters/arguments on declarations and calls.
+        Resolver provided values for a declaration's type-system variables, gathered from type information in scope at the usage site.
+\item
+        The box pass, encoding information about type parameters into ``extra'' regular parameters and arguments on declarations and calls.
         Notably, it conveys the size of a type @foo@ as a @__sizeof_foo@ parameter, and rewrites the @sizeof(foo)@ expression as @__sizeof_foo@, \ie a use of the parameter.
 \end{itemize}
@@ -331 +337 @@
 The rules for resolution had to be restricted slightly, in order to achieve important refusal cases.
 This work is detailed in \VRef[Section]{s:ArrayTypingC}.
-However, the resolution--boxing scheme, in its preexisting state, was already equipped to work on (desugared) dimension parameters.
+However, the resolution--boxing scheme, in its preexisting state, is equipped to work on (desugared) dimension parameters.
 The following discussion explains the desugaring and how correctly lowered code results.
 
@@ -357 +363 @@
 \end{enumerate}
 The chosen solution is to encode the value @N@ \emph{as a type}, so items 1 and 2 are immediately available for free.
-Item 3 needs a way to recover the encoded value from a (valid) type (and to reject invalid types occurring here).
+Item 3 needs a way to recover the encoded value from a (valid) type and to reject invalid types.
 Item 4 needs a way to produce a type that encodes the given value.
 
@@ -416 +422 @@
         The type @thing(N)@ is (replaced by @void *@, but thereby effectively) gone.
 \item
-        The @sout...@ expression (being an application of the @?|?@ operator) has a regular variable (parameter) usage for its second argument.
+        The @sout...@ expression has a regular variable (parameter) usage for its second argument.
 \item
         Information about the particular @thing@ instantiation (value 10) is moved, from the type, to a regular function-call argument.
@@ -455 +461 @@
 \begin{cfa}
 enum { n = 42 };
-float x[@n@];   // or just 42
-float (*xp1)[@42@] = &x;    // accept
-float (*xp2)[@999@] = &x;   // reject
+float x[@n@];   $\C{// or just 42}$
+float (*xp1)[@42@] = &x;    $\C{// accept}$
+float (*xp2)[@999@] = &x;   $\C{// reject}$
 warning: initialization of 'float (*)[999]' from incompatible pointer type 'float (*)[42]'
 \end{cfa}
 When a variable is involved, C and \CFA take two different approaches.
-Today's C compilers accept the following without warning.
+Today's C compilers accept the following without a warning.
 \begin{cfa}
 static const int n = 42;
@@ -482 +488 @@
 The way the \CFA array is implemented, the type analysis for this case reduces to a case similar to the earlier C version.
 The \CFA compiler's compatibility analysis proceeds as:
-\begin{itemize}[parsep=0pt]
+\begin{itemize}[leftmargin=*,parsep=0pt]
 \item
         Is @array( float, 999 )@ type-compatible with @array( float, n )@?
@@ -510 +516 @@
         in order to preserve the length information that powers runtime bound-checking.}
 Therefore, the need to upgrade legacy C code is low.
-Finally, if this incompatibility is a problem onboarding C programs to \CFA, it is should be possible to change the C type check to a warning rather than an error, acting as a \emph{lint} of the original code for a missing type annotation.
+Finally, if this incompatibility is a problem onboarding C programs to \CFA, it should be possible to change the C type check to a warning rather than an error, acting as a \emph{lint} of the original code for a missing type annotation.
 
 To handle two occurrences of the same variable, more information is needed, \eg, this is fine,
@@ -516 +522 @@
 int n = 42;
 float x[@n@];
-float (*xp)[@n@] = x;   // accept
+float (*xp)[@n@] = x;   $\C{// accept}$
 \end{cfa}
 where @n@ remains fixed across a contiguous declaration context.
-However, intervening dynamic statement cause failures.
+However, intervening dynamic statements can cause failures.
 \begin{cfa}
 int n = 42;
 float x[@n@];
-@n@ = 999; // dynamic change
-float (*xp)[@n@] = x;   // reject
-\end{cfa}
-However, side-effects can occur in a contiguous declaration context.
+@n@ = 999; $\C{// dynamic change}$
+float (*xp)[@n@] = x;   $\C{// reject}$
+\end{cfa}
+As well, side-effects can even occur in a contiguous declaration context.
 \begin{cquote}
 \setlength{\tabcolsep}{20pt}
@@ -536 +542 @@
 void f() {
         float x[@n@] = { g() };
-        float (*xp)[@n@] = x;   // reject
+        float (*xp)[@n@] = x;                   // reject
 }
 \end{cfa}
@@ -544 +550 @@
 int @n@ = 42;
 void g() {
-        @n@ = 99;
+        @n@ = 999;              // accept
 }
 
@@ -553 +559 @@
 The issue here is that knowledge needed to make a correct decision is hidden by separate compilation.
 Even within a translation unit, static analysis might not be able to provide all the information.
-However, if the example uses @const@, the check is possible.
+However, if the example uses @const@, the check is possible even though the value is unknown.
 \begin{cquote}
 \setlength{\tabcolsep}{20pt}
@@ -563 +569 @@
 void f() {
         float x[n] = { g() };
-        float (*xp)[n] = x;   // reject
+        float (*xp)[n] = x;             // accept
 }
 \end{cfa}
@@ -571 +577 @@
 @const@ int n = 42;
 void g() {
-        @n = 99@; // allowed
+        @n = 999@;              // reject
 }
 
@@ -692 +698 @@
 An expression-compatibility question is a new addition to the \CFA compiler, and occurs in the context of dimension expressions, and possibly enumerations assigns, which must be unique.
 
-% TODO: ensure these compiler implementation matters are treated under \CFA compiler background: type unification, cost calculation, GenPoly.
+% ... ensure these compiler implementation matters are treated under \CFA compiler background: type unification, cost calculation, GenPoly.
 
 The relevant technical component of the \CFA compiler is the standard type-unification within the type resolver.
@@ -726 +732 @@
 \end{cfa}
 when resolving a function call to @g@, the first unification stage compares the type @T@ of the parameter with @array( float, n + 1 )@, of the argument.
-\PAB{TODO: finish.}
 
 The actual rules for comparing two dimension expressions are conservative.
@@ -732 +737 @@
 is to imply, ``all else being equal, allow an array with length calculated by $e_1$
 to be passed to a function expecting a length-$e_2$ array.''\footnote{
-        TODO: Deal with directionality, that I'm doing exact-match, no ``at least as long as,'' no subtyping.
+        ... Deal with directionality, that I'm doing exact-match, no ``at least as long as,'' no subtyping.
         Should it be an earlier scoping principle?  Feels like it should matter in more places than here.}
 So, a ``yes'' answer must represent a guarantee that both expressions evaluate the
@@ -746 +751 @@
 So, a variable and a literal can never match.
 
-TODO: Discuss the interaction of this dimension hoisting with the challenge of extra unification for cost calculation
+... Discuss the interaction of this dimension hoisting with the challenge of extra unification for cost calculation
 \end{comment}
 
-The conservatism of the new rule set can leave a programmer needing a recourse, when needing to use a dimension expression whose stability argument is more subtle than current-state analysis.
+The conservatism of the new rule set can leave a programmer requiring a recourse, when needing to use a dimension expression whose stability argument is more subtle than current-state analysis.
 This recourse is to declare an explicit constant for the dimension value.
 Consider these two dimension expressions, whose uses are rejected by the blunt current-state rules:
@@ -755 +760 @@
 void f( int @&@ nr, @const@ int nv ) {
         float x[@nr@];
-        float (*xp)[@nr@] = &x;   // reject: nr varying (no references)
+        float (*xp)[@nr@] = &x;                 // reject: nr varying (no references)
         float y[@nv + 1@];
-        float (*yp)[@nv + 1@] = &y;   // reject: ?+? unpredictable (no functions)
+        float (*yp)[@nv + 1@] = &y;             // reject: ?+? unpredictable (no functions)
 }
 \end{cfa}
 Yet, both dimension expressions are reused safely.
-The @nr@ reference is never written, not volatile meaning no implicit code (load) between declarations, and control does not leave the function between the uses.
+The @nr@ reference is never written, no implicit code (load) between declarations, and control does not leave the function between the uses.
 As well, the build-in @?+?@ function is predictable.
 To make these cases work, the programmer must add the follow constant declarations (cast does not work):
@@ -768 +773 @@
         @const int nx@ = nr;
         float x[nx];
-        float (*xp)[nx] = & x;   // accept
+        float (*xp)[nx] = & x;                  // accept
         @const int ny@ = nv + 1;
         float y[ny];
-        float (*yp)[ny] = & y;   // accept
+        float (*yp)[ny] = & y;                  // accept
 }
 \end{cfa}
@@ -808 +813 @@
 \end{cfa}
 Dimension hoisting already existed in the \CFA compiler.
-But its was buggy, particularly with determining, ``Can hoisting the expression be skipped here?'', for skipping this hoisting is clearly desirable in some cases.
+However, it was buggy, particularly with determining, ``Can hoisting the expression be skipped here?'', for skipping this hoisting is clearly desirable in some cases.
 For example, when a programmer has already hoisted to perform an optimization to prelude duplicate code (expression) and/or expression evaluation.
 In the new implementation, these cases are correct, harmonized with the accept/reject criteria.
@@ -820 +825 @@
 \item
 Flexible-stride memory:
-this model has complete independence between subscripting ordering and memory layout, offering the ability to slice by (provide an index for) any dimension, \eg slice a plane, row, or column, \eg @c[3][*][*]@, @c[3][4][*]@, @c[3][*][5]@.
+this model has complete independence between subscript ordering and memory layout, offering the ability to slice by (provide an index for) any dimension, \eg slice a row, column, or plane, \eg @c[3][4][*]@, @c[3][*][5]@, @c[3][*][*]@.
 \item
 Fixed-stride memory:
@@ -839 +844 @@
 Style 3 is the inevitable target of any array implementation.
 The hardware offers this model to the C compiler, with bytes as the unit of displacement.
-C offers this model to its programmer as pointer arithmetic, with arbitrary sizes as the unit.
+C offers this model to programmers as pointer arithmetic, with arbitrary sizes as the unit.
 Casting a multidimensional array as a single-dimensional array/pointer, then using @x[i]@ syntax to access its elements, is still a form of pointer arithmetic.
 
-Now stepping into the implementation of \CFA's new type-1 multidimensional arrays in terms of C's existing type-2 multidimensional arrays, it helps to clarify that even the interface is quite low-level.
-A C/\CFA array interface includes the resulting memory layout.
-The defining requirement of a type-2 system is the ability to slice a column from a column-finest matrix.
-The required memory shape of such a slice is fixed, before any discussion of implementation.
-The implementation presented here is how the \CFA array-library wrangles the C type system, to make it do memory steps that are consistent with this layout while not affecting legacy C programs.
+To step into the implementation of \CFA's new type-1 multidimensional arrays in terms of C's existing type-2 multidimensional arrays, it helps to clarify that the interface is low-level, \ie a C/\CFA array interface includes the resulting memory layout.
+Specifically, the defining requirement of a type-2 system is the ability to slice a column from a column-finest matrix.
+Hence, the required memory shape of such a slice is fixed, before any discussion of implementation.
+The implementation presented here is how the \CFA array-library wrangles the C type system to make it do memory steps that are consistent with this layout while not affecting legacy C programs.
 % TODO: do I have/need a presentation of just this layout, just the semantics of -[all]?
 
@@ -874 +878 @@
 \lstinput[aboveskip=0pt]{145-145}{hello-md.cfa}
 The nontrivial slicing in this example now allows passing a \emph{noncontiguous} slice to @print1d@, where the new-array library provides a ``subscript by all'' operation for this purpose.
-In a multi-dimensional subscript operation, any dimension given as @all@ is a placeholder, \ie ``not yet subscripted by a value'', waiting for such a value, implementing the @ar@ trait.
+In a multi-dimensional subscript operation, any dimension given as @all@ is a placeholder, \ie ``not yet subscripted by a value'', waiting for a value implementing the @ar@ trait.
 \lstinput{150-151}{hello-md.cfa}
 
@@ -948 +952 @@
 A column is almost ready to be arranged into a matrix;
 it is the \emph{contained value} of the next-level building block, but another lie about size is required.
-At first, an atom needs to be arranged as if it were bigger, but now a column needs to be arranged as if it is smaller (the left diagonal above it, shrinking upward).
+At first, an atom needs to be arranged as if it is bigger, but now a column needs to be arranged as if it is smaller (the left diagonal above it, shrinking upward).
 These lying columns, arranged contiguously according to their size (as announced) form the matrix @x[all]@.
 Because @x[all]@ takes indices, first for the fine stride, then for the coarse stride, it achieves the requirement of representing the transpose of @x@.
@@ -1020 +1024 @@
 
 
-\section{Bound Checks, Added and Removed}
-
+\section{Zero Overhead}
+
+At runtime, the \CFA array is exactly a C array.
 \CFA array subscripting is protected with runtime bound checks.
-The array dependent-typing provides information to the C optimizer allowing it remove many of the bound checks.
-This section provides a demonstration of the effect.
-
-The experiment compares the \CFA array system with the padded-room system [TODO:xref] most typically exemplified by Java arrays, but also reflected in the \CC pattern where restricted vector usage models a checked array.
-The essential feature of this padded-room system is the one-to-one correspondence between array instances and the symbolic bounds on which dynamic checks are based.
-The experiment compares with the \CC version to keep access to generated assembly code simple.
+The array dependent-typing provides information to the C optimizer, allowing it remove many of the bound checks.
+This section provides a demonstration of these effects.
+
+The experiment compares the \CFA array system with the simple-safety system most typically exemplified by Java arrays (\VRef[Section]{JavaCompare}), but also reflected in the \CC pattern where restricted vector usage models a checked array (\VRef[Section]{CppCompare}).
+The essential feature of this simple system is the one-to-one correspondence between array instances and the symbolic bounds on which dynamic checks are based.
+The experiment uses the \CC version to simplify access to generated assembly code.
+While ``\CC'' labels a participant, it is really the simple-safety system (of @vector@ with @.at@) whose limitations are being explained, and not limitations of \CC optimization.
 
 As a control case, a simple loop (with no reused dimension sizes) is seen to get the same optimization treatment in both the \CFA and \CC versions.
-When the programmer treats the array's bound correctly (making the subscript ``obviously fine''), no dynamic bound check is observed in the program's optimized assembly code.
-But when the bounds are adjusted, such that the subscript is possibly invalid, the bound check appears in the optimized assembly, ready to catch an occurrence the mistake.
-
-TODO: paste source and assembly codes
-
-Incorporating reuse among dimension sizes is seen to give \CFA an advantage at being optimized.
-The case is naive matrix multiplication over a row-major encoding.
-
-TODO: paste source codes
+Firstly, when the programmer treats the array's bound correctly (making the subscript ``obviously fine''), no dynamic bound check is observed in the program's optimized assembly code.
+But when the bounds are adjusted, such that the subscript is possibly invalid, the bound check appears in the optimized assembly, ready to catch a mistake.
+
+\VRef[Figure]{f:ovhd-ctl} gives a control-case example of summing values in an array, where each column shows the program in languages C (a,~d,~g), \CFA (b,~e,~h), and \CC (c,~f,~i).
+The C code has no bounds checking, while the \CFA and \CC can have bounds checking.
+The source-code functions in (a, b, c) can be compiled to have either correct or incorrect uses of bounds.
+When compiling for correct bound use, the @BND@ macro passes its argument through, so the loops cover exactly the passed array sizes.
+When compiling for possible incorrect bound use (a programming error), the @BND@ macro hardcodes the loops for 100 iterations, which implies out-of-bound access attempts when the passed array has fewer than 100 elements.
+The assembly code excerpts show optimized translations for correct-bound mode in (d, e, f) and incorrect-bound mode in (g, h, i).
+Because incorrect-bound mode hardcodes 100 iterations, the loop always executes a first time, so this mode does not have the @n == 0@ branch seen in correct-bound mode.
+For C, this difference is the only (d--g) difference.
+For correct bounds, the \CFA translation equals the C translation, \ie~there is no (d--e) difference, while \CC has an additional indirection to dereference the vector's auxiliary allocation.
+
+\begin{figure}
+\setlength{\tabcolsep}{10pt}
+\begin{tabular}{llll@{}}
+\multicolumn{1}{c}{C} &
+\multicolumn{1}{c}{\CFA} &
+\multicolumn{1}{c}{\CC (nested vector)}
+\\[1em]
+\lstinput{20-28}{ar-bchk/control.c} &
+\lstinput{20-28}{ar-bchk/control.cfa} &
+\lstinput{20-28}{ar-bchk/control.cc}
+\\
+\multicolumn{1}{c}{(a)} &
+\multicolumn{1}{c}{(b)} &
+\multicolumn{1}{c}{(c)}
+\\[1em]
+\multicolumn{4}{l}{
+        \includegraphics[page=1,trim=0 9.125in 2in 0,clip]{ar-bchk}
+}
+\\
+\multicolumn{1}{c}{(d)} &
+\multicolumn{1}{c}{(e)} &
+\multicolumn{1}{c}{(f)}
+\\[1em]
+\multicolumn{4}{l}{
+        \includegraphics[page=2,trim=0 8.75in 2in 0,clip]{ar-bchk}
+}
+\\
+\multicolumn{1}{c}{(g)} &
+\multicolumn{1}{c}{(h)} &
+\multicolumn{1}{c}{(i)}
+\end{tabular}
+\caption{Overhead comparison, control case.
+All three programs/compilers generate equally performant code when the programmer ``self-checks'' bounds via a loop's condition.
+Yet both \CFA and \CC versions generate code that is slower and safer than C's when the programmer might overrun the bounds.}
+\label{f:ovhd-ctl}
+\end{figure}
+
+Differences arise when the bound-incorrect programs are passed an array shorter than 100.
+The C version, (g), proceeds with undefined behaviour, reading past the end of the array.
+The \CFA and \CC versions, (h, i), flag the mistake with the runtime check, the @i >= n@ branch.
+This check is provided implicitly by the library types @array@ and @vector@, respectively.
+The significant result is the \emph{absence} of runtime checks from the bound-correct translations, (e, f).
+The code optimizer has removed them because, at the point where they would occur (immediately past @.L28@/@.L3@), it knows from the surrounding control flow either @i == 0 && 0 < n@ or @i < n@ (directly), \ie @i < n@ either way.
+So any repeated checks, \ie the branch and its consequent code (raise error), are removable.
+
+% Progressing from the control case, a deliberately bound-incorrect mode is no longer informative.
+% Rather, given a (well-typed) program that does good work on good data, the issue is whether it is (determinably) bound-correct on all data.
+
+When dimension sizes get reused, \CFA has an advantage over \CC-vector at getting simply written programs well optimized.
+The example case of \VRef[Figures]{f:ovhd-treat-src} and \VRef[]{f:ovhd-treat-asm} is a simple matrix multiplication over a row-major encoding.
+Simple means coding directly to the intuition of the mathematical definition without trying to optimize for memory layout.
+In the assembly code of \VRef[Figure]{f:ovhd-treat-asm}, the looping pattern of \VRef[Figure]{f:ovhd-ctl} (d, e, f), ``Skip ahead on zero; loop back for next,'' occurs with three nesting levels.
+Simultaneously, the dynamic bound-check pattern of \VRef[Figure]{f:ovhd-ctl} (h,~i), ``Get out on invalid,'' occurs, targeting @.L7@, @.L9@ and @.L8@ (bottom right).
+Here, \VRef[Figures]{f:ovhd-treat-asm} shows the \CFA solution optimizing into practically the C solution, while the \CC solution shows added runtime bound checks.
+Like in \VRef[Figure]{f:ovhd-ctl} (e), the significance is the \emph{absence} of library-imposed runtime checks, even though the source code is working through the the \CFA @array@ library.
+The optimizer removed the library-imposed checks because the data structure @array@-of-@array@ is constrained by its type to be shaped correctly for the intuitive looping.
+In \CC, the same constraint does not apply to @vector@-of-@vector@.
+Because every individual @vector@ carries its own size, two types of bound mistakes are possible.
+
+\begin{figure}
+\setlength{\tabcolsep}{10pt}
+\begin{tabular}{llll@{}}
+\multicolumn{1}{c}{C} &
+\multicolumn{1}{c}{\CFA} &
+\multicolumn{1}{c}{\CC (nested vector)}
+\\
+\lstinput{20-37}{ar-bchk/treatment.c} &
+\lstinput{20-37}{ar-bchk/treatment.cfa} &
+\lstinput{20-37}{ar-bchk/treatment.cc}
+\end{tabular}
+\caption{Overhead comparison, differentiation case, source.}
+\label{f:ovhd-treat-src}
+\end{figure}
+
+\begin{figure}
+\newcolumntype{C}[1]{>{\centering\arraybackslash}p{#1}}
+\begin{tabular}{C{1.5in}C{1.5in}C{1.5in}p{1in}}
+C &
+\CFA &
+\CC (nested vector)
+\\[1em]
+\multicolumn{4}{l}{
+        \includegraphics[page=3,trim=0 4in 2in 0,clip]{ar-bchk}
+}
+\end{tabular}
+\caption{Overhead comparison, differentiation case, assembly.
+}
+\label{f:ovhd-treat-asm}
+\end{figure}
+
+In detail, the three structures received may not be matrices at all, per the obvious/dense/total interpretation; rather, any one might be ragged-right in its rows.
+The \CFA solution guards against this possibility by encoding the minor length (number of columns) in the major element (row) type.
+In @res@, for example, each of the @M@ rows is @array(float, N)@, guaranteeing @N@ cells within it.
+Or more technically, guaranteeing @N@ as the basis for the imposed bound check \emph{of every row.}
+As well, the \CC type does not impose the mathematically familiar constraint of $(M \times P) (P \times N) \rightarrow (M \times N)$.
+Even assuming away the first issue, \eg that in @lhs@, all minor/cell counts agree, the data format allows the @rhs@ major/row count to disagree.
+Or, the possibility that the row count @res.size()@ disagrees with the row count @lhs.size()@ illustrates this bound-mistake type in isolation.
+The \CFA solution guards against this possibility by keeping length information separate from the array data, and therefore eligible for sharing.
+This capability lets \CFA escape the one-to-one correspondence between array instances and symbolic bounds, where this correspondence leaves a \CC-vector programmer stuck with a matrix representation that repeats itself.
+
+It is important to clarify that the \CFA solution does not become unsafe (like C) in losing its dynamic checks, even though it becomes fast (as C) in losing them.
+The dynamic checks are dismissed as unnecessary \emph{because} the program is safe to begin with.
+To achieve the same performance, a \CC programmer must state appropriate assertions or assumptions, to allow the optimizer to dismiss the runtime checks.
+% Especially considering that two of them are in the inner-most loop.
+The solution requires doing the work of the inner-loop checks as a \emph{preflight step}.
+But this step requires looping and doing it upfront gives too much separation for the optimizer to see ``has been checked already'' in the deep loop.
+So, the programmer must restate the preflight observation within the deep loop, but this time as an unchecked assumption.
+Such assumptions are risky because they introduce further undefined behaviour when misused.
+Only the programmer's discipline remains to ensure this work is done without error.
+
+In summary, the \CFA solution lets a simply stated program have dynamic guards that catch bugs, while letting a simply stated bug-free program run as fast as the unguarded C equivalent.
+
+\begin{comment}
+The ragged-right issue brings with it a source-of-truth difficulty: Where, in the \CC version, is one to find the value of $N$?  $M$ can come from either @res@'s or @lhs@'s major/row count, and checking these for equality is straightforward.  $P$ can come from @rhs@'s major/row count.  But $N$ is only available from columns, \ie minor/cell counts, which are ragged.  So any choice of initial source of truth, \eg 
+\end{comment}
 
 
@@ -1209 +1334 @@
 However, it only needs @float@'s default constructor, as the other operations are never used.
 Current work by the \CFA team aims to improve this situation.
-Therefore, I had to construct a workaround.
-
 My workaround moves from otype (value) to dtype (pointer) with a default-constructor assertion, where dtype does not generate any constructors but the assertion claws back the default otype constructor.
 \begin{cquote}
@@ -1408 +1531 @@
 
 \subsection{Java}
+\label{JavaCompare}
 
 Java arrays are references, so multi-dimension arrays are arrays-of-arrays \see{\VRef{toc:mdimpl}}.
@@ -1496 +1620 @@
 
 \subsection{\CC}
+\label{CppCompare}
 
 Because C arrays are difficult and dangerous, the mantra for \CC programmers is to use @std::vector@ in place of the C array.
-While the vector size can grow and shrink dynamically, \vs a fixed-size dynamic size with VLAs, the cost of this extra feature is mitigated by preallocating the maximum size (like the VLA) at the declaration (one dynamic call) to avoid using @push_back@.
+While the vector size can grow and shrink dynamically, \vs an unchanging dynamic size with VLAs, the cost of this extra feature is mitigated by preallocating the maximum size (like the VLA) at the declaration.
+So, it costs one upfront dynamic allocation and avoids growing the array through pushing.
 \begin{c++}
 vector< vector< int > > m( 5, vector<int>(8) ); // initialize size of 5 x 8 with 6 dynamic allocations
 \end{c++}
 Multidimensional arrays are arrays-of-arrays with associated costs.
-Each @vector@ array has an array descriptor contain the dimension, which allows bound checked using @x.at(i)@ in place of @x[i]@.
-Used with these restrictions, out-of-bound accesses are caught, and in-bound accesses never exercise the vector's ability to grow, preventing costly reallocate and copy, and never invalidate references to contained values.
-This scheme matches Java's safety and expressiveness exactly, but with the inherent costs.
-
-
+Each @vector@ array has an array descriptor containing the dimension, which allows bound checked using @x.at(i)@ in place of @x[i]@.
+Used with these restrictions, out-of-bound accesses are caught, and in-bound accesses never exercise the vector's ability to grow, preventing costly reallocate-and-copy, and never invalidating references to contained values.
+
+This scheme matches a Java array's safety and expressiveness exactly, with the same inherent costs.
+Notably, a \CC vector of vectors does not provide contiguous element storage (even when upfront allocation is done carefully) because a vector puts its elements in an auxiliary allocation.
+So, in spite of @vector< vector< int > >@ appearing to be ``everything by value,'' it is still a first array whose elements include pointers to further arrays.
+
+\CC has options for working with memory-adjacent data in desirable ways, particularly in recent revisions.
+But none makes an allocation with a dynamically given fixed size less awkward than the vector arrangement just described.
+
+\CC~26 adds @std::inplace_vector@, which provides an interesting vector--array hybrid,\footnote{
+  Like a vector, it lets a user construct elements in a loop, rather than imposing uniform construction.
+  Yet it preserves \lstinline{std::array}'s ability to be entirely stack-allocated, by avoiding an auxiliary elements' allocation.
+} but does not change the fundamental limit of \lstinline{std::array}, that the length, being a template parameter, must be a static value.
+
+\CC~20's @std::span@ is a view that unifies true arrays, vectors, static sizes and dynamic sizes, under a common API that adds bounds checking.
+When wrapping a vector, bounds checking occurs on regular subscripting, \ie one need not remember to use @.at@.
+When wrapping a locally declared fixed-size array, bound communication is implicit.
+But it has a soundness gap by offering construction from pointer and user-given length.
+
+\CC~23's @std::mdspan@ adds multidimensional indexing and reshaping capabilities analogous to those built into \CFA's @array@.
+Like @span@, it works over multiple underlying container types.
+But neither @span@ nor @mdspan@ augments the available allocation options.
+
+Thus, these options do not offer an allocation with a dynamically given fixed size.
+And furthermore, they do not provide any improvement to the C flexible array member pattern, for making a dynamic amount of storage contiguous with its header, as do \CFA's accordions.
+
+
+\begin{comment}
 \subsection{Levels of Dependently Typed Arrays}
 
+TODO: fix the position; checked c does not do linear types
 \CFA's array is the first lightweight application of dependently-typed bound tracking to an extension of C.
 Other extensions of C that apply dependently-typed bound tracking are heavyweight, in that the bound tracking is part of a linearly-typed ownership-system, which further helps guarantee statically the validity of every pointer deference.
@@ -1543 +1694 @@
 it can also do these other cool checks, but watch how I can mess with its conservativeness and termination
 
-Two current, state-of-the-art array languages, Dex\cite{arr:dex:long} and Futhark\cite{arr:futhark:tytheory}, offer novel contributions concerning similar, restricted dependent types for tracking array length.
+Two contemporary array-centric languages, Dex\cite{arr:dex:long} and Futhark\cite{arr:futhark:tytheory}, contribute similar, restricted dependent types for tracking array length.
 Unlike \CFA, both are garbage-collected functional languages.
 Because they are garbage-collected, referential integrity is built-in, meaning that the heavyweight analysis, that \CFA aims to avoid, is unnecessary.
@@ -1554 +1705 @@
 There is a particular emphasis on an existential type, enabling callee-determined return shapes.
 
-
-Dex uses a novel conception of size, embedding its quantitative information completely into an ordinary type.
-
-Futhark and full-strength dependently typed languages treat array sizes are ordinary values.
+Dex uses an Ada-style conception of size, embedding quantitative information completely into an ordinary type.
+
+Futhark and full-strength dependently typed languages treat array sizes as ordinary values.
 Futhark restricts these expressions syntactically to variables and constants, while a full-strength dependent system does not.
 
-\CFA's hybrid presentation, @forall( [N] )@, has @N@ belonging to the type system, yet has no instances.
+\CFA's hybrid presentation, @forall( [N] )@, has @N@ belonging to the type system, yet no objects of type @[N]@ occur.
 Belonging to the type system means it is inferred at a call site and communicated implicitly, like in Dex and unlike in Futhark.
 Having no instances means there is no type for a variable @i@ that constrains @i@ to be in the range for @N@, unlike Dex, [TODO: verify], but like Futhark.
@@ -1569 +1719 @@
 
 In Ada and Dex, an array is conceived as a function whose domain must satisfy only certain structural assumptions, while in C, \CC, Java, Futhark and \CFA today, the domain is a prefix of the natural numbers.
-The generality has obvious aesthetic benefits for programmers working on scheduling resources to weekdays, and for programmers who prefer to count from an initial number of their own choosing.
+The Ada--Dex generality has aesthetic benefits for certain programmers.  For those working on scheduling resources to weekdays:
+For those who prefer to count from an initial number of their own choosing:
 
 This change of perspective also lets us remove ubiquitous dynamic bound checks.
@@ -1605 +1756 @@
 (unsafe_from_ordinal a (idiv o bs), unsafe_from_ordinal b (rem o bs))
 \end{cfa}
+% fix mike's syntax highlighter
 and by a user-provided adapter expression at the call site that shows how to indexing with a tuple is backed by indexing each dimension at a time
 \begin{cfa}
@@ -1616 +1768 @@
 
 \subsection{Static Safety in C Extensions}
+\end{comment}
 
 
 \section{Future Work}
 
-\subsection{Array Syntax}
-
-An important goal is to recast @array(...)@ syntax into C-style @[]@.
-The proposal (which is partially implemented) is an alternate dimension and subscript syntax.
-C multi-dimension and subscripting syntax uses multiple brackets.
-\begin{cfa}
-int m@[2][3]@;  // dimension
-m@[0][1]@ = 3;  // subscript
-\end{cfa}
-Leveraging this syntax, the following (simpler) syntax should be intuitive to C programmers with only a small backwards compatibility issue.
-\begin{cfa}
-int m@[2, 3]@;  // dimension
-m@[0, 1]@ = 3;  // subscript
-\end{cfa}
-However, the new subscript syntax is not backwards compatible, as @0, 1@ is a comma expression.
-Interestingly, disallowed the comma expression in this context eliminates an unreported error: subscripting a matrix with @m[i, j]@ instead of @m[i][j]@, which selects the @j@th row not the @i, j@ element.
-Hence, a comma expression in this context is rare.
-Finally, it is possible to write @m[(i, j)]@ in the new syntax to achieve the equivalent of the old @m[i, j]@.
-Note, the new subscript syntax can easily be internally lowered to @[-][-]...@ and handled as regular subscripting.
-The only ambiguity with C syntax is for a single dimension array, where the syntax for old and new are the same.
-\begin{cfa}
-int m[2@,@];  // single dimension
-m[0] = 3;  // subscript
-\end{cfa}
-The solution for the dimension is to use a terminating comma to denote a new single-dimension array.
-This syntactic form is also used for the (rare) singleton tuple @[y@{\color{red},}@]@.
+% \subsection{Array Syntax}
+
+An important goal is to recast \CFA-style @array(...)@ syntax into C-style array syntax.
+The proposal (which is partially implemented) is an alternate dimension and subscript syntax for multi-dimension arrays.
+C multi-dimension and subscripting syntax uses multiple bracketed constants/expressions.
+\begin{cfa}
+int m@[2][3]@;   // dimension
+m@[0][1]@ = 3;   // subscript
+\end{cfa}
+The alternative \CFA syntax is a comma separated list:
+\begin{cfa}
+int m@[2, 3]@;   // dimension
+m@[0, 1]@ = 3;   // subscript
+\end{cfa}
+which should be intuitive to C programmers and is used in mathematics $M_{i,j}$ and other programing languages, \eg PL/I, Fortran.
+With respect to the dimension expressions, C only allows an assignment expression, not a comma expression.
+\begin{cfa}
+        a[i, j];
+test.c:3:16: error: expected ']' before ',' token
+\end{cfa}
+However, there is an ambiguity for a single dimension array, where the syntax for old and new arrays are the same, @int ar[10]@.
+The solution is to use a terminating comma to denote a \CFA-style single-dimension array.
+\begin{cfa}
+int ar[2$\Huge\color{red},$];  // single dimension new array
+\end{cfa}
+This syntactic form is also used for the (rare) singleton tuple @[y@{\Large\color{red},}@]@.
 The extra comma in the dimension is only mildly annoying, and acts as eye-candy differentiating old and new arrays.
-The subscript operator is not an issue as overloading selects the correct single-dimension operation for old/new array types.
-The ultimately goal is to replace all C arrays with \CFA arrays, establishing a higher level of safety in C programs, and eliminating the need for the terminating comma.
-
-
+Hence, \CFA can repurpose the comma expression in this context for a list of dimensions.
+The ultimate goal is to replace all C arrays with \CFA arrays, establishing a higher level of safety in C programs, and eliminating the need for the terminating comma.
+With respect to the subscript expression, the comma expression is allowed.
+However, a comma expression in this context is rare, and is most commonly a (silent) mistake: subscripting a matrix with @m[i, j]@ instead of @m[i][j]@ selects the @j@th row not the @i, j@ element.
+It is still possible to write @m[(i, j)]@ in the new syntax to achieve the equivalent of the old @m[i, j]@.
+Internally, the compiler must de-sugar @[i, j, k]@ into @[i][j][k]@ to match with three calls to subscript operators.
+Note, there is no ambiguity for subscripting a single dimensional array, as the subscript operator selects the correct form from the array type.
+Currently, @array@ supports the old and new subscript syntax \see{\VRef[Figure]{f:ovhd-treat-src}}, including combinations of new and old, @arr[1, 2][3]@.
+The new subscript syntax can be extended to C arrays for uniformity, but requires the non-compatible removal of the (rare) comma-expression as a subscript.
+
+
+\begin{comment}
 \subsection{Range Slicing}
 
@@ -1659 +1820 @@
 
 
-\begin{comment}
 \section{\texorpdfstring{\CFA}{Cforall}}
 
@@ -1697 +1857 @@
 Using a compiler-produced value eliminates an opportunity for user error.
 
-TODO: fix in following: even the alloc call gives bad code gen: verify it was always this way; walk back the wording about things just working here; assignment (rebind) seems to offer workaround, as in bkgd-cfa-arrayinteract.cfa
+...someday... fix in following: even the alloc call gives bad code gen: verify it was always this way; walk back the wording about things just working here; assignment (rebind) seems to offer workaround, as in bkgd-cfa-arrayinteract.cfa
 
 Bringing in another \CFA feature, reference types, both resolves a sore spot of the last example, and gives a first example of an array-interaction bug.
@@ -1706 +1866 @@
 (*ar2)[5];
 \end{cfa}
-Using ``reference to array'' works at resolving this issue.  TODO: discuss connection with Doug-Lea \CC proposal.
+Using ``reference to array'' works at resolving this issue.  ...someday... discuss connection with Doug-Lea \CC proposal.
 \begin{cfa}
 tm (&ar3)[10] = *alloc();
@@ -1714 +1874 @@
 
 Using proper array types (@ar2@ and @ar3@) addresses a concern about using raw element pointers (@ar1@), albeit a theoretical one.
-TODO xref C standard does not claim that @ar1@ may be subscripted,
+...someday...  xref C standard does not claim that @ar1@ may be subscripted,
 because no stage of interpreting the construction of @ar1@ has it be that ``there is an \emph{array object} here.''
 But both @*ar2@ and the referent of @ar3@ are the results of \emph{typed} @alloc@ calls,
@@ -1720 +1880 @@
 
 The ``reference to array'' type has its sore spots too.
-TODO see also @dimexpr-match-c/REFPARAM_CALL@ (under @TRY_BUG_1@)
-
-TODO: I fixed a bug associated with using an array as a T.  I think.  Did I really?  What was the bug?
+...someday...  see also @dimexpr-match-c/REFPARAM_CALL@ (under @TRY_BUG_1@)
+
+...someday... I fixed a bug associated with using an array as a T.  I think.  Did I really?  What was the bug?
 \end{comment}