talk-2018-11-uppsala/slides.tex

% vim: spell spelllang=en

\documentclass[12pt,xcolor={usenames,dvipsnames}]{beamer}
\usetheme{Warsaw}
\usepackage[utf8]{inputenc}
\usepackage[english]{babel}
\usepackage[T1]{fontenc}
\usepackage{amsmath}
\usepackage{amsfonts}
\usepackage{amssymb}
\usepackage{booktabs}
\usepackage{makecell}
\usepackage{ifthen}
\usepackage{colortbl}
\usepackage{tabularx}
\usepackage{pifont}
\usepackage{multirow}
\usepackage[many]{tcolorbox}
\usepackage[absolute,overlay]{textpos}
\usetikzlibrary{arrows.meta,shapes}

\usepackage{texlib/my_listings}
\usepackage{texlib/specific}
\usepackage{texlib/common}
\usepackage{texlib/todo}

\usepackage{inconsolata}
\lstset{basicstyle=\footnotesize\ttfamily}

\renewcommand\theadalign{c}
\renewcommand\theadfont{\scriptsize\bfseries}

\setbeamertemplate{navigation symbols}{}
\setbeamertemplate{headline}{}

\newcommand{\cmark}{\color{OliveGreen}\ding{52}}
\newcommand{\xmark}{\color{BrickRed}\ding{56}}

\let\tempone\itemize
\let\temptwo\enditemize
\renewenvironment{itemize}{\tempone\addtolength{\itemsep}{0.5\baselineskip}}{\temptwo}



\newcommand{\sectiontitleframe}{
    \begin{frame}
        \vfill
        \centering
        \begin{beamercolorbox}[sep=8pt,center,shadow=true,rounded=true]{title}
            \usebeamerfont{title}\insertsectionhead\par%
        \end{beamercolorbox}
        \vfill
\end{frame}}

\lstdefinelanguage{gdb}{
    morekeywords={gdb},
    sensitive=false,
}
\lstdefinelanguage{cfiasm}{
    morekeywords={cfi_startproc,cfi_def_cfa_offset,cfi_offset,cfi_def_cfa_register},
    sensitive=false,
}

\newcommand{\thenalert}[1]{\only<1>{#1}\only<2>{\alert{#1}}}
\newcommand{\slidecountline}{
    \ifthenelse{\theframenumber = 0}
        {}
        {\insertframenumber/\inserttotalframenumber}}

\setbeamertemplate{footline}
{
  \leavevmode%
  \hbox{%
      \hskip0.9\paperwidth
  %\begin{beamercolorbox}[wd=.4\paperwidth,ht=2.25ex,dp=1ex,center]{author in head/foot}%
  %  \usebeamerfont{author in head/foot}\insertshortauthor
  %\end{beamercolorbox}%
      \begin{beamercolorbox}[center, wd=.1\paperwidth,ht=2.25ex,dp=1ex,center]{title in head/foot}%
          \slidecountline{}
  \end{beamercolorbox}}%
  \vskip0pt%
}

\setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black}
\setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted
text.fg!75!black}
\setbeamercolor{block title example}{use=example text,fg=white,bg=example
text.fg!75!black}

%\setbeamertemplate{frametitle}{
%  \leavevmode%
%  \hbox{%
%  \begin{beamercolorbox}[wd=\paperwidth,ht=2.25ex,dp=1ex,center]{title in head/foot}%
%    \usebeamerfont{author in head/foot}\insertframetitle
%  \end{beamercolorbox}%
%  }
%  \vskip0pt%
%    %\color{black}\bfseries\insertframetitle\par\vskip-6pt\hrulefill
%}


\newcolumntype{b}{X}
\newcolumntype{s}{>{\hsize=.43\hsize}X}

\newcommand{\lstinl}
{\lstinline[language=C, keepspaces=true, basicstyle=\ttfamily]}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\title[] {Reliable and Fast DWARF-based Stack Unwinding}
\author[\slidecountline]{\alert{\textbf{Théophile Bastian}}\\
    \textbf{Stephen Kell} \\
\textbf{Francesco Zappa Nardelli}}
\date{}
%\subject{}
%\logo{}
\institute{ENS Paris, University of Kent, Inria}

\begin{document}

\begin{frame}
    \addtocounter{framenumber}{-1}
	\titlepage{}

    \vspace{-2em}


    \begin{columns}
        \begin{column}{0.55\textwidth}
            \begin{tcolorbox}[halign=center, colframe=blue]
                \textbf{Webpage} (incl. slides)

                \smallskip
                \vspace{0.5em}
                {\small\url{https://huit.re/frdwarf}}\\
                \vspace{0.5em}
            \end{tcolorbox}
        \end{column}

        \begin{column}{0.55\textwidth}
            \begin{tcolorbox}[colframe=blue]
                \begin{center}\textbf{Funding}\end{center}
                \vspace{-1em}

                \smallskip
                ONR VerticA \\
                Google Research Fellowship
            \end{tcolorbox}
        \end{column}
    \end{columns}

    \begin{textblock*}{0.22\textwidth}[0.5,0](0.15\paperwidth,0.38\paperheight)%
        \includegraphics[width=\linewidth]{img/stephen_circ.jpg}
    \end{textblock*}
    \begin{textblock*}{0.22\textwidth}[0.5,0](0.85\paperwidth,0.38\paperheight)%
        \includegraphics[width=\linewidth]{img/fzn_circ.jpg}
    \end{textblock*}
\end{frame}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{DWARF and stack unwinding data}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Introduction}

\begin{frame}[fragile]{}
    \begin{columns}[c]
        \begin{column}{0.65\textwidth}
            \begin{lstlisting}[basicstyle=\tt,language=gdb, numbers=none, escapechar=|]
$ ./a.out
Segmentation fault.

|\pause|(gdb) backtrace
#0   |0x54625| in fct_b
#1   |\color{blue}0x54663| in fct_a
#2   |\color{red}0x54674| in main
            \end{lstlisting}
            \pause{}
            \begin{center}
                \textbf{\Large How does it work?}
            \end{center}
        \end{column}
        \begin{column}{0.35\textwidth}
            \pause{}
            \includegraphics[width=0.95\linewidth]{img/call_stack}
        \end{column}
    \end{columns}
\end{frame}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Stack frames and unwinding}

\begin{frame}
    \begin{columns}[c]
        \begin{column}{0.65\textwidth}
            \begin{center}
                \large\bf
                How do we get\\
                the return address?

                \vspace{2em}

                \onslide<2>{What if we only have \reg{rsp}?}

            \end{center}
        \end{column}
        \begin{column}{0.35\textwidth}
            \includegraphics[width=0.95\linewidth]{img/call_stack}
        \end{column}
    \end{columns}
\end{frame}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{DWARF tables}

\newcolumntype{a}{>{\columncolor{RedOrange}}l}

\begin{frame}{DWARF unwinding data}
    \tt \footnotesize
    \begin{center}
        \begin{tabular}{
                >{\columncolor{YellowGreen}}l
                >{\columncolor{Thistle}}l
                l l l l l l
                >{\columncolor{Apricot}}l}
~PC & CFA & rbx & rbp & r12 & r13 & r14 & r15 & ra \\
0084950 & rsp+8 & u & u & u & u & u & u & c-8 \\
0084952 & rsp+16 & u & u & u & u & u & c-16 & c-8 \\
0084954 & rsp+24 & u & u & u & u & c-24 & c-16 & c-8 \\
0084956 & rsp+32 & u & u & u & c-32 & c-24 & c-16 & c-8 \\
0084958 & rsp+40 & u & u & c-40 & c-32 & c-24 & c-16 & c-8 \\
0084959 & rsp+48 & u & c-48 & c-40 & c-32 & c-24 & c-16 & c-8 \\
\rowcolor{Aquamarine} 008495a & rsp+56 & c-56 & c-48 & c-40 & c-32 & c-24 & c-16 & c-8 \\
0084962 & rsp+64 & c-56 & c-48 & c-40 & c-32 & c-24 & c-16 & c-8 \\
0084a19 & rsp+56 & c-56 & c-48 & c-40 & c-32 & c-24 & c-16 & c-8 \\
0084a1d & rsp+48 & c-56 & c-48 & c-40 & c-32 & c-24 & c-16 & c-8 \\
0084a1e & rsp+40 & c-56 & c-48 & c-40 & c-32 & c-24 & c-16 & c-8 \\
        \end{tabular}
    \end{center}

    \only<1>{\vspace{19mm}}
    \begin{columns}
        \begin{column}{0.50\textwidth}
            \onslide<2->{
                \begin{tcolorbox}[enhanced, halign=center, frame hidden, colback=YellowGreen]
                    \textbf{For each instruction\ldots}\\
                    (identified by its program counter)
                \end{tcolorbox}
            }
        \end{column}
        \begin{column}{0.50\textwidth}
            \onslide<3->{
                \begin{tcolorbox}[enhanced, halign=center, frame hidden,
                        interior style={right color=Apricot, left color=Thistle}]
                        \textbf{\ldots{}an expression to compute its return address
                        location on the stack}
                \end{tcolorbox}
            }
        \end{column}
    \end{columns}
\end{frame}

\begin{frame}[t, fragile]{The real DWARF}
    \begin{lstlisting}[numbers=none, language=]
30 24 34 FDE pc=004020..004040
  DW_CFA_def_cfa_offset: 16
  DW_CFA_advance_loc: 6 to 0000000000004026
  DW_CFA_def_cfa_offset: 24
  DW_CFA_advance_loc: 10 to 0000000000004030
  DW_CFA_def_cfa_expression (DW_OP_breg7 (rsp): 8; DW_OP_breg16 (rip): 0; DW_OP_lit15; DW_OP_and; DW_OP_lit11; DW_OP_ge; DW_OP_lit3; DW_OP_shl; DW_OP_plus)
  [...]
    \end{lstlisting}

    \pause{}
    \vfill

    \begin{itemize}
            \bf
        \item[\textbf{$\longrightarrow$}] \alert{bytecode} for a
            \alert{Turing-complete stack machine}
        \item[\textbf{$\longrightarrow$}] which is \alert{interpreted on
            demand at runtime}\\to reconstruct the table
    \end{itemize}
\end{frame}

\begin{frame}{What does this imply?}
    Your compiler actually generates codes for \alert{two machines}: your
        processor and the DWARF VM\@.

    \vfill{}
    \begin{columns}
        \begin{column}{0.5\textwidth}
            \begin{center}
                \begin{tikzpicture}
                    \begin{scope}[every node/.style={rectangle,thick,draw,scale=0.95}]
                        \node (cmd) at (0, 2.5) {
                            \lstbash{\$ gcc -S foo.c}
                        };
                        \node (asm) at (0, 0) {
                            \lstinputlisting[numbers=none, language=cfiasm]{src/main_cfi.s}
                        };
                    \end{scope}
                    \begin{scope}[>={Stealth[black]},
                        every path/.style={draw=black,very thick}]
                        \path [->] (cmd) -- (asm);
                    \end{scope}
                \end{tikzpicture}
                \medskip{}

                \textbf{The \lstc{.cfi_*} is inline DWARF!}
            \end{center}
        \end{column}

        \begin{column}{0.5\textwidth}
            \begin{center}
                \bf
                $\implies$ if you write inline asm, you must write inline DWARF!
            \end{center}

            In \prog{glibc}, \prog{lowlevellock.h}:
            \alert{off by one error in unwinding data}.

            \lstinputlisting[language=gdb,numbers=none]{src/lowlevellock_backtrace}
        \end{column}
    \end{columns}


    \only<2->{
        \begin{textblock*}{0.90\textwidth}[0.5,0](0.5\paperwidth,0.10\paperheight)%
            \begin{tcolorbox}[halign=center, colframe=red, colback=Lavender]
                \bf \LARGE
                Complex \,\& \,slow
            \end{tcolorbox}
        \end{textblock*}
    }

    \only<3->{
        \begin{textblock*}{0.90\textwidth}[0.5,0](0.5\paperwidth,0.30\paperheight)%
            \begin{tcolorbox}[halign=center, colframe=red, colback=Lavender]
                \LARGE
                \textbf{Pervasive:}\\ relied upon by profilers, debuggers,
                aaand\ldots{}
                \onslide<4->{
                    C++ exceptions. \\
                    \medskip{}
                \textbf{$\leadsto$ not only for debuggers!}}
            \end{tcolorbox}
        \end{textblock*}
    }
\end{frame}

\newcommand{\LinusMailOne}{
    ``Sorry, but last time was too f\dots painful. The whole (and
    only) point of unwinders is to make debugging easy
    when a bug occurs. But \alert{the dwarf unwinder had bugs}
    itself, or \alert{our dwarf information had bugs}, and in either
    case it actually turned several trivial bugs into a \alert{total
    undebuggable hell}.''
}
\newcommand{\LinusMailTwo}{
    ``If you can \alert{mathematically prove that the unwinder is
    correct} — even in the presence of bogus and actively
    incorrect unwinding information — and never ever
    follows a bad pointer, \alert{I’ll reconsider}.''
}
\newcommand{\LinusSource}{
    \hfill ---~Linus Torvalds, 2012
}
\begin{frame}
    \begin{columns}
        \begin{column}{0.75\textwidth}
            \LinusMailOne{}
        \end{column}
        \begin{column}{0.25\textwidth}
            \includegraphics[width=\textwidth]{img/roundtorvalds.png}
        \end{column}
    \end{columns}

    \only<1-2>{
        \vspace{1em}
        \LinusSource{}
    }

    \vspace{1em}
    \only<2>{
        \begin{center}
            \Large\bf
            \alert{This is where we still are!}
        \end{center}
    }

    \only<3>{
        \LinusMailTwo{}

        \vspace{1em}
        \LinusSource{}
    }
\end{frame}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Correctness by construction:\\*\textbf{synthesis of unwinding tables}}
\sectiontitleframe{}

\newcommand{\tblrowval}[4]{#1 & #2 & \only<2->{#3} & \only<2->{#4} \\}
\newcommand{\blknote}[1]
    {\begin{block}{}
            \centering\large
            #1
    \end{block}}
\newcommand{\blklnote}[1]
    {\begin{block}{}
            \large
            #1
    \end{block}}
\newcommand{\tblhl}{\rowcolor{Tan}}

\begin{frame}
    \newcommand{\firsttblrows}{
\tblrowval{\hspace{-2ex}<{\bf foo}>:}{}{\textbf{CFA}}{\textbf{ra}}
\rowonly<4>{\tblhl{}}  \tblrowval{push}{\%r15}{rsp+8}{c-8}
\rowonly<5>{\tblhl{}} \tblrowval{push}{\%r14}{rsp+16}{c-8}
\rowonly<6>{\tblhl{}} \tblrowval{mov}{\$0x3,\%eax}{rsp+24}{c-8}
\rowonly<7>{\tblhl{}} \tblrowval{push}{\%r13}{rsp+24}{c-8}
\tblrowval{push}{\%r12}{rsp+32}{c-8}
\tblrowval{push}{\%rbp}{rsp+40}{c-8}
\tblrowval{push}{\%rbx}{rsp+48}{c-8}
\tblrowval{sub}{\$0x68,\%rsp}{rsp+56}{c-8}
}


    {\only<3>{
		\begin{textblock*}{\textwidth}[0.5,0.5](0.5\paperwidth,0.5\paperheight)%
			\begin{tcolorbox}[halign=center, colframe=red, colback=Lavender]
				\large
				\alert{\bf Assumptions}
                \vspace{0.6em}
                \begin{itemize}
                    \item the compiler generated the unwinding data
                    \item we have a reliable DWARF interpreter
                \end{itemize}

			\end{tcolorbox}
		\end{textblock*}
	}}
    \only<-9>{
        \begin{table}
            \ttfamily\large
            \begin{tabularx}{0.9\linewidth}{
                    l
                    b
                    >{\columncolor{SkyBlue}}s
                    >{\columncolor{SkyBlue}}s
                }
\firsttblrows{}%
\tblrowval{add}{\$0x68,\%rsp}{rsp+160}{c-8}
\tblrowval{pop}{\%rbx}{rsp+56}{c-8}
            \end{tabularx}
        \end{table}
        \blknote{
            \centering
        \begin{overlayarea}{0.9\textwidth}{2.6em}
            \only<4>{Upon function call, \alert{ra = *(\reg{rsp})}}
            \only<5>{\texttt{push} decreases \reg{rsp} by 8: %
                \alert{ra = *(\reg{rsp} + 8)}}
            \only<6>{and again: %
                \alert{ra = *(\reg{rsp} + 16)}}
            \only<7>{This \texttt{mov} leaves \reg{rsp} untouched: \\%
                \alert{ra = *(\reg{rsp} + 16)}}
            \only<8>{The unwinding table captures an \alert{abstract execution}
            of the code\ldots}
            \only<9>{\ldots and thus is \alert{redundant with the binary}.}
        \end{overlayarea}
    }
    }
\end{frame}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Unwinding data synthesis from binaries}

\begin{frame}{Synthesis strategy}
    \begin{itemize}
        \item Upon entering a function, we know
            \[ \cfa = \reg{rsp} - 8
            \qquad \ra = \cfa + 8 \]
        \item The semantics of each instruction specifies \alert{how it changes
            the \cfa}.
            \begin{itemize}
                \item Heuristic to decide whether we index with \reg{rbp} or
                    \reg{rsp}
            \end{itemize}
        \item By performing \alert{symbolic execution} with an abstract
            semantics, we can \alert{synthesize the
            unwinding table} line by line.
        \item Control flow: forward data-flow analysis
        \item The fixpoints are immediate, cf article
    \end{itemize}

    \vspace{1em}
    \begin{tcolorbox}[halign=center, colframe=OliveGreen, colback=YellowGreen]
        \large
        Implemented on top of CMU's \prog{BAP}
    \end{tcolorbox}
\end{frame}

\begin{frame}{}
    \vfill
    \centering
    \begin{beamercolorbox}[sep=8pt,center,shadow=true,rounded=true]{title}
        \Large
        Demo time!
    \end{beamercolorbox}
    \vfill
\end{frame}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Unwinding data compilation}

\begin{frame}
    \begin{center}
        \Huge
        Unwinding data is
        \textsc{slo\pause{}o\pause{}o\pause{}o\pause{}o\pause{}o\pause{}o\pause{}o\pause{}w}.
    \end{center}
    \vspace{2em}

    \pause{}

    So much that \prog{perf} doesn't use it by default! You must use
    \lstbash{perf report --call-graph dwarf} explicitly!
\end{frame}

\sectiontitleframe{}

\subsection{Compilation ahead-of-time}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[shrink]
    \vspace{0.5cm}
    \begin{tikzpicture}
        \begin{scope}[every node/.style={rectangle,thick,draw,scale=0.95}]
            \node (dwarf) at (0, 0) {
                \lstinputlisting[basicstyle=\tiny\tt,numbers=none,language=]{src/dw_plt_abbr}
            };

            \onslide<2->{
                \node (table) at (0.5\textwidth, -0.23\textheight) {
                    \tiny\tt
                    \begin{tabular}{
                            >{\columncolor{YellowGreen}}l
                            >{\columncolor{Thistle}}l
                            l l
                        >{\columncolor{Apricot}}l}
                        ~PC & CFA & rbx & rbp & ra \\
                        0084950 & rsp+8 & u & u & c-8 \\
                        0084952 & rsp+16 & u & u & c-8 \\
                        0084954 & rsp+24 & u & u & c-8 \\
                        0084956 & rsp+32 & u & u & c-8 \\
                    \end{tabular}
                };
            }
            \onslide<3->{
                \node (csrc) at (0, -0.6\textheight) {
                    \lstinputlisting[basicstyle=\tiny,numbers=none,language=C]{src/fib7/fib7.eh_elf_basic.c}
                };
                \node (ehelf) at (0.55\textwidth, -0.75\textheight) {
                    ELF file:
                    ``\ehelf{}''
                };
            }
        \end{scope}

        \begin{scope}[>={Stealth[black]},
                every node/.style={fill=white,rectangle},
                every path/.style={draw=black,very thick}]
            \only<2->{\path [->] (dwarf) -| node {runtime} (table);}
            \only<3->{
                \path [->] (dwarf) edge node {ahead of time} (csrc);
                \path [->] (csrc) -| node {gcc, AoT} (ehelf);
            }
        \end{scope}
    \end{tikzpicture}
\end{frame}


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\begin{frame}
    \begin{itemize}
        \item \alert{libunwind}: most common library for
            unwinding

            \bigskip{}

        \item \alert{\texttt{libunwind-eh\_elf}}: modified version to support
            \ehelfs{}

        \item[$\leadsto$] Same API, almost \alert{``relink-and-play''} for existing projects!
    \end{itemize}
\end{frame}


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Results}

\begin{frame}{Performances}
    \begin{center}
        \Large\bf Unwinding speedup vs.\ libunwind:
        \begin{columns}
            \begin{column}{0.5\textwidth}
                \alert{x15} on gzip
            \end{column}
            \begin{column}{0.5\textwidth}
                \alert{x25} on hackbench
            \end{column}
        \end{columns}
    \end{center}

    \vfill

    \begin{center}
        \Large\bf Space overhead vs. DWARF:\\
        \alert{x2.6 -- x3}
    \end{center}
\end{frame}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section*{Conclusion}
\setcounter{section}{0}

\begin{frame}{}
    \vfill
    \centering
    \begin{beamercolorbox}[sep=8pt,center,shadow=true,rounded=true]{title}
        \Large
        What's next?
    \end{beamercolorbox}
    \vfill
\end{frame}

\begin{frame}{}
    \begin{itemize}
        \item{} Synthesis + compare = verification of unwinding data!
        \item{} Integrate synthesis into compilers \& debuggers\\
            $\rightarrow$ support for inline assembly, fallback method, \ldots
        \item{} Integrate into \prog{perf} for online unwinding
        \item{} Probably many more cool projects!
    \end{itemize}

    \vspace{1em}

    \begin{center}
        Come and chat if interested! \texttt{:)}
    \end{center}
\end{frame}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section*{Extra slides}

\begin{frame}[noframenumbering]
\end{frame}

\begin{frame}[noframenumbering]{Fixpoint upon control flow merge}
    \begin{columns}
        \begin{column}{0.3\textwidth}
            \begin{tikzpicture}
                \begin{scope}[every node/.style={rectangle,thick,draw,scale=0.95}]
                    \node (if) at (0, 5) {\lstbash{if cnd}};
                    \node (then) at (-1, 3) { \lstbash{then A} };
                    \node (else) at (1, 3) { \lstbash{else B} };
                    \node (after) at (0, 1) { \lstbash{C} };
                \end{scope}
                \node [circle, thick, draw, minimum size=3em, color=red] (circafter) at (0, 1) {};
                \begin{scope}[>={Stealth[black]}, every path/.style={draw=black,very thick}]
                    \path [->] (if) -- (then);
                    \path [->] (if) -- (else);
                    \path [->] (then) -- (after);
                    \path [->] (else) -- (after);
                \end{scope}
            \end{tikzpicture}
        \end{column}
        \begin{column}{0.6\textwidth}
            \begin{center}
                If eg.
                \[
                    CFA(A) = c-48 \qquad CFA(B) = c-52
                \]
                no possible unwinding data for C, \alert{even for the
                compiler}!

                \vspace{1em}
                Also, \alert{no possible clean function postlude}!

                \vspace{2em}
                $\implies$ $CFA(A) = CFA(B)$ and merge is immediate
            \end{center}
        \end{column}
    \end{columns}
\end{frame}

\begin{frame}[noframenumbering]{Fixpoint upon loop control flow merge}
    \begin{columns}
        \begin{column}{0.3\textwidth}
            \begin{tikzpicture}
                \begin{scope}[every node/.style={rectangle,thick,draw,scale=0.95}]
                    \node (inbound) at (0, 7) {\lstbash{A}};
                    \node (while) at (0, 5) {\lstbash{for i in ...}};
                    \node (do) at (0, 3) { \lstbash{do a = array[i]; B} };
                    \node (done) at (0, 1) { \lstbash{C} };
                \end{scope}
                \node [ellipse, thick, draw, minimum width=10em, minimum height=3em, color=red] (circafter) at (0, 3) {};
                \begin{scope}[>={Stealth[black]}, every path/.style={draw=black,very thick}]
                    \path [->] (inbound) -- (while);
                    \path [->] (while) edge[bend right] (do);
                    \path [->] (do) -- (done);
                    \path [->] (do) edge[bend right] (while);
                \end{scope}
            \end{tikzpicture}
        \end{column}
        \begin{column}{0.6\textwidth}
            \begin{center}
                {\large\alert{Variable stack frame size!}}

                \vspace{1em}

                We cannot hope for a simple invariant\dots\\
                but the compiler cannot
                either.

                \vspace{1em}

                {
                    \large\alert{$\implies$} the compiler will\\
                        \alert{fallback to \reg{rbp}}\\
                }
                even with \lstbash{--fomit-frame-pointer}
            \end{center}
        \end{column}
    \end{columns}
\end{frame}

\end{document}