Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah."— Presentation transcript:

1 1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah

2 2 Hoist makes it significantly easier to do static analysis of embedded software –E.g. TinyOS Automatically derives transfer functions for analyzing object code –This is new –Hoisted transfer functions are maximally precise –Brute-force approach that works well for small architectures

3 3 SMTWTFS          SMTWTFS Before Hoist:After:

4 4 Use Static Analysis to Eliminate... Concurrency errors Deadline misses Stack overflow Language-level errors –Array bound violations –Null pointer dereferences –Numerical problems Everything else Jim Larus talked about!

5 5 and r0, r1 r0 = ??11?001 r1 = … &01? 0000 101? ?0?? r0 = ??11?001 r1 = ?00110?? r0 = ??11?001 r1 = ?001?00? Transfer Function

6 6 Abstract Transfer Functions Bitwise Interval ??11?001 & ?00110?? = ?001?00? ??11?001 + ?00110?? = … [ 3.. 6] + [36..60] = [39..66] [ 3.. 6] & [36..60] = …

7 7 Transfer Functions can be Hard Domain / operation mismatch Condition codes – input and output Hard to know where precision matters Lots of transfer functions: # domains * # instructions * # architectures Result: Wasted time, bugs, imprecision

8 8 Hoist Contributions Derive transfer functions with –Near-zero developer effort –Maximal precision –Sufficient performance –High confidence in correctness

9 9 Extract complete result table for instruction –Dest register + cond codes Ideas: –No high-level model of instruction –Brute force Extract results Hoist into abstract domain Encode as BDD Generate code Test

10 10 Generate complete abstract transfer function Ideas: –Recursive decomposition of abstract domain –Speedup through dynamic programming Extract results Hoist into abstract domain Encode as BDD Generate code Test

11 11 Binary decision diagrams can compactly represent many functions Encode transfer function as vector of BDDs Ideas: –Variable ordering matters –Operation ordering matters Extract results Hoist into abstract domain Encode as BDD Generate code Test

12 12 Turn BDD into code implementing the transfer function Extract results Hoist into abstract domain Encode as BDD Generate code Test

13 13 Probabilistically or exhaustively verify –Correctness –Maximal precision Original result table is ground-truth Extract results Hoist into abstract domain Encode as BDD Generate code Test

14 14 Hoisting Atmel AVR Architecture Up to 45 minutes to Hoist a bitwise operation Up to 34 hours to Hoist an interval operation Dominated by BDD library Parallelizes trivially across operations

15 15 Performance at Analysis Time Analyze programs that ship with TinyOS for worst-case stack depth –Analysis time increases from 8.3s to 8.9s for the program that takes longest to analyze

16 16 Precision in Bitwise Domain Fed random bitwise values to Hoisted and hand-written operations –59% more known bits in result register –130% more known bits in condition codes Analyzed 26 TinyOS programs –8% more known bits in result register –40% more known bits in condition codes Hand-written operations had been tuned for months

17 17 Twist #1: Pseudo-Unary Ops Problem: –xor 0?10??11, 0?10??11 == 0?00??00 However: –xor r3, r3 == 00000000 –Oops! Maximal precision doesn’t help here Solution: Create a pseudo-unary version of each binary operation –E.g. xor 1, sub 1, and 1, or 1 –Without these, analysis fails miserably –Not fun to implement these by hand

18 18 Twist #2: Interacting Domains If a register contains [160..210] and ???11011 We can show that it actually contains [187..187] and 10111011 In general: Use Hoist to create a reduced product of the interval and bitwise domains –[Cousot & Cousot 79] says this is impossible –For finite domains we can brute-force it –Maximally precise

19 19 Elephant in the Closet Hoist does not scale to machines bigger than 8 bits –8 bit is important: Many architectures, huge sales volume, used in critical systems Current work –Replace BDDs with high-level symbolic representation –Gain scalability but lose many other advantages of Hoist

20 20 Conclusions Reduce barriers to entry for analyzing embedded software Hoist generates transfer functions for interval and bitwise domains –Near-zero specification effort, maximal precision We use Hoisted operations in day-to-day development / use of our static analyzer –Biggest benefit is never wondering if the transfer functions are the problem

Download ppt "1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah."

Similar presentations

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
Mining Specifications Glenn Ammons, Dept. Computer Science University of Wisconsin Rastislav Bodik, Computer Science Division University of California,

Mining Specifications Glenn Ammons, Dept. Computer Science University of Wisconsin Rastislav Bodik, Computer Science Division University of California,
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1  1998 Morgan Kaufmann Publishers Summary:. 2  1998 Morgan Kaufmann Publishers How many cycles will it take to execute this code? lw $t2, 0($t3) lw.

1  1998 Morgan Kaufmann Publishers Summary:. 2  1998 Morgan Kaufmann Publishers How many cycles will it take to execute this code? lw $t2, 0($t3) lw.
CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.

CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.
CHIMAERA: A High-Performance Architecture with a Tightly-Coupled Reconfigurable Functional Unit Kynan Fraser.

CHIMAERA: A High-Performance Architecture with a Tightly-Coupled Reconfigurable Functional Unit Kynan Fraser.
(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)

(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)
Online Performance Auditing Using Hot Optimizations Without Getting Burned Jeremy Lau (UCSD, IBM) Matthew Arnold (IBM) Michael Hind (IBM) Brad Calder (UCSD)

Online Performance Auditing Using Hot Optimizations Without Getting Burned Jeremy Lau (UCSD, IBM) Matthew Arnold (IBM) Michael Hind (IBM) Brad Calder (UCSD)
6.5.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Extensible Processors. 2 ASIP Gain performance by:  Specialized hardware for the whole application (ASIC). −  Almost no flexibility. −High cost.  Use.

Extensible Processors. 2 ASIP Gain performance by:  Specialized hardware for the whole application (ASIC). −  Almost no flexibility. −High cost.  Use.
Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.

Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.
Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.

Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.
Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.

Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.

Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.

1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.
Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.

Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.
Random Testing of Interrupt-Driven Software John Regehr University of Utah.

Random Testing of Interrupt-Driven Software John Regehr University of Utah.
Lock Inference for Systems Software John Regehr Alastair Reid University of Utah March 17, 2003.

Lock Inference for Systems Software John Regehr Alastair Reid University of Utah March 17, 2003.

Similar presentations

Ads by Google