WCET 2007, Pisa, 2007-07-03 page 1 of 27 Tid rum WCET'2007 Analysing Switch-Case Tables by Partial Evaluation Niklas Holsti Tidorum Ltd

Slides:



Advertisements
Similar presentations
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
Advertisements

Intermediate Code Generation
Course Outline Traditional Static Program Analysis Software Testing
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
Programming Languages and Paradigms
Chapter 10- Instruction set architectures
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
Assembler/Linker/Loader Mooly Sagiv html:// Chapter 4.3 J. Levine: Linkers & Loaders
Macro Processor.
Program Representations. Representing programs Goals.
Code Generation Mooly Sagiv html:// Chapter 4.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Introduction to Code Generation Mooly Sagiv html:// Chapter 4.
Names and Scopes CS 351. Program Binding We should be familiar with this notion. A variable is bound to a method or current block e.g in C++: namespace.
Code Generation for Basic Blocks Introduction Mooly Sagiv html:// Chapter
Tentative Schedule 20/12 Interpreter+ Code Generation 27/12 Code Generation for Control Flow 3/1 Activation Records 10/1 Program Analysis 17/1 Register.
CS-341 Dick Steflik Introduction. C++ General purpose programming language A superset of C (except for minor details) provides new flexible ways for defining.
1 CS 201 Compiler Construction Lecture 6 Code Optimizations: Constant Propagation & Folding.
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
Recap from last time: live variables x := 5 y := x + 2 x := x + 1 y := x y...
Introduction to Code Generation Mooly Sagiv html:// Chapter 4.
Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 5 Data Flow Testing
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Precision Going back to constant prop, in what cases would we lose precision?
System Calls 1.
CIS Computer Programming Logic
Presented By Dr. Shazzad Hosain Asst. Prof., EECS, NSU
IT253: Computer Organization Lecture 4: Instruction Set Architecture Tonga Institute of Higher Education.
1 4.2 MARIE This is the MARIE architecture shown graphically.
Department of Computer Science A Static Program Analyzer to increase software reuse Ramakrishnan Venkitaraman and Gopal Gupta.
Compiler Construction
Static Program Analyses of DSP Software Systems Ramakrishnan Venkitaraman and Gopal Gupta.
Implementing an Interpreter Dan Sugalski
Processes CS 6560: Operating Systems Design. 2 Von Neuman Model Both text (program) and data reside in memory Execution cycle Fetch instruction Decode.
1 Control Flow Analysis Topic today Representation and Analysis Paper (Sections 1, 2) For next class: Read Representation and Analysis Paper (Section 3)
 Control Flow statements ◦ Selection statements ◦ Iteration statements ◦ Jump statements.
CS412/413 Introduction to Compilers Radu Rugina Lecture 18: Control Flow Graphs 29 Feb 02.
1 Control Flow Graphs. 2 Optimizations Code transformations to improve program –Mainly: improve execution time –Also: reduce program size Can be done.
Lecture 6: Branching CS 2011 Fall 2014, Dr. Rozier.
Lecture 2: Instruction Set Architecture part 1 (Introduction) Mehran Rezaei.
Computer Organization Instructions Language of The Computer (MIPS) 2.
Hello world !!! ASCII representation of hello.c.
CS223: Software Engineering Lecture 26: Software Testing.
7-Nov Fall 2001: copyright ©T. Pearce, D. Hutchinson, L. Marshall Oct lecture23-24-hll-interrupts 1 High Level Language vs. Assembly.
CS501 Advanced Computer Architecture Lecture 29 Dr.Noor Muhammad Sheikh.
Instruction Set Architectures Continued. Expanding Opcodes & Instructions.
1 Chapter10: Code generator. 2 Code Generator Source Program Target Program Semantic Analyzer Intermediate Code Generator Code Optimizer Code Generator.
LECTURE 10 Semantic Analysis. REVIEW So far, we’ve covered the following: Compilation methods: compilation vs. interpretation. The overall compilation.
Software Testing and QA Theory and Practice (Chapter 5: Data Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
WCET 2008, Prague, slide 1 of 15 Tid rum WCET'2008 Computing Time as a Program Variable: Niklas Holsti Tidorum Ltd a way around.
Lecture 3 Translation.
CS223: Software Engineering
Today’s Agenda Exam 2 Part 2 (11:15am-12:30pm)
Names and Attributes Names are a key programming language feature
Control Flow Testing Handouts
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 4 Control Flow Testing
Compiler Construction (CS-636)
Chapter 12 Variables and Operators
Outline of the Chapter Basic Idea Outline of Control Flow Testing
Structural testing, Path Testing
Control Structures.
CSc 453 Interpreters & Interpretation
A Discussion on Assemblers
Programming Languages
Reverse Assembly Typical problem:
Procedure Linkages Standard procedure linkage Procedure has
Review: What is an activation record?
CSc 453 Interpreters & Interpretation
Software Testing and QA Theory and Practice (Chapter 5: Data Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Presentation transcript:

WCET 2007, Pisa, page 1 of 27 Tid rum WCET'2007 Analysing Switch-Case Tables by Partial Evaluation Niklas Holsti Tidorum Ltd

WCET 2007, Pisa, page 2 of 27 Tid rum From binary file to control-flow graph Binary memory image Start address Control- flow graph WCET analysis Problem: dynamic transfer of control, DTC for example jump via register ? ?

WCET 2007, Pisa, page 3 of 27 Tid rum Overview ● Analysing DTC from a switch-case statement ● When compiled into a switch table interpreted by a switch handler routine ● Partial evaluation (PE) of switch handler ● Example

WCET 2007, Pisa, page 4 of 27 Tid rum Switch tables and switch handlers ● Various forms of switch tables – depending on compiler, index type, dense/sparse,... ● Compiler generates: – switch table T – call or jump to switch handler (Table  T, Index  k) ● Switch handler – looks up Index in Table ● jumps to that case using DTC switch (k) { case 4:... case 8: case 9: case 11:... default:... } A constant table that maps index value to code address: 4  A: 8, 9, 11  B: others  C: Switch-case statement Switch table

WCET 2007, Pisa, page 5 of 27 Tid rum One handler – many switches Code Foo T1 Code T2 Handler Bar DTC Cases in T2 Cases in T1 Call (T1, Ind1) Call (T2, Ind2) Switch Table Switch Table

WCET 2007, Pisa, page 6 of 27 Tid rum A real switch handler IAR compiler for Atmel AVR ● Same handler for many index types (8, 16, 32 bits) ● Complex table structure – entries of variable length DTC

WCET 2007, Pisa, page 7 of 27 Tid rum Partial Evaluation of switch handlers Table Index IndexAddr 4A 8,9,11B defaultC Addresses defined in the Table Switch handler for any Table and any Index Partially evaluate the switch handler with respect to the known switch table T for a given switch-case statement Table T Call DTC ABC Residual switch handler for table T and any Index Call Index else Index? DTC is resolved into static jumps

WCET 2007, Pisa, page 8 of 27 Tid rum Eureka ● The analysis “runs” the switch handler ● The switch handler itself decodes the switch table

WCET 2007, Pisa, page 9 of 27 Tid rum The example ● Here shown on a symbolic level – paper shows AVR machine code ● Partial Evaluation as implemented in Bound-T – on the fly while building flow-graph – data state: some variables bound to constants

WCET 2007, Pisa, page 10 of 27 Tid rum Simple 8-bit switch table & handler switch (k) { case 4:... case 8: case 9: case 11:... default:... } MaskMatchAddress SwHandler parameters: - pointer Tp to switch table - 8-bit Index (k) of switch-case (Index and Tp.Mask) = Tp.Match ? Jump to Tp.Address Advance Tp to next entry ≠ DTC = ?

WCET 2007, Pisa, page 11 of 27 Tid rum 0. Detect invocation of switch handler ● Start PE with initial data-state Tp  T [0] ● Expand SwHandler “in-line” Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Tp Aha! Entering switch handler! Flow graph (1 node so far)

WCET 2007, Pisa, page 12 of 27 Tid rum 1. Add first step in SwHandler, with data state (Index and Tp.Mask) = Tp.Match ? Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Tp Tp  T [0]

WCET 2007, Pisa, page 13 of 27 Tid rum 2. Partially evaluate wrt data state Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Tp  T [0] Tp

WCET 2007, Pisa, page 14 of 27 Tid rum 3. Generate successors (PC, data state) & add Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Jump to Tp.Address = Advance Tp to next entry ≠ Tp  T [0] Tp DTC

WCET 2007, Pisa, page 15 of 27 Tid rum 4a. Partially evaluate wrt data state Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Jump to = Advance Tp to next entry ≠ DTC resolved PE ends on this path CFG building continues (shown later) Tp  T [0] Tp

WCET 2007, Pisa, page 16 of 27 Tid rum 4b. Partially evaluate wrt data state Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Jump to = Tp := addr (T[1]) ≠ Tp  T [0] Tp New data state: Tp  T [1]

WCET 2007, Pisa, page 17 of 27 Tid rum Generate successors: can we loop? Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Tp Jump to = Tp := addr (T[1]) ≠ Tp  T [0] Cannot create loop because the data state is different New data state: Tp  T [1]

WCET 2007, Pisa, page 18 of 27 Tid rum 5. Generate successors (PC, data state) & add Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Tp Jump to = Tp := addr (T[1]) ≠ Tp  T [0] Tp  T [1] (Index and Tp.Mask) = Tp.Match ? Loop expands (unrolls) itself

WCET 2007, Pisa, page 19 of 27 Tid rum 6. Partially evaluate wrt data state Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Tp Jump to = Tp := addr (T[1]) ≠ Tp  T [0] Tp  T [1] (Index and 254) = 8 ?

WCET 2007, Pisa, page 20 of 27 Tid rum 7. Generate successors (PC, data state) & add Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Tp Jump to = Tp := addr (T[1]) ≠ Tp  T [0] Tp  T [1] (Index and 254) = 8 ? Jump to Tp.Address = Tp  T [1] Advance Tp to next entry ≠ Tp  T [1] DTC

WCET 2007, Pisa, page 21 of 27 Tid rum 8. Partially evaluate wrt data state, etc. Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler MaskMatchAddress Tp Jump to = Tp := addr (T[1]) ≠ Tp  T [0] Tp  T [1] (Index and 254) = 8 ? Jump to = Tp := addr (T[2]) ≠ Tp  T [1]... and so on... DTC resolved Tp  T [1]

WCET 2007, Pisa, page 22 of 27 Tid rum n. Add successors for last table entry MaskMatchAddress Tp Tp := addr (T[3]) ≠ Tp  T [2] Tp  T [3] (Index and Tp.Mask) = Tp.Match ?

WCET 2007, Pisa, page 23 of 27 Tid rum n+1. Partially evaluate wrt data state MaskMatchAddress Tp Tp := addr (T[3]) ≠ Tp  T [2] Tp  T [3] 0 = 0 ?

WCET 2007, Pisa, page 24 of 27 Tid rum n+2. Generate & add feasible successors MaskMatchAddress Tp Tp := addr (T[3]) ≠ Tp  T [2] Tp  T [3] 0 = 0 ? Jump to Tp.Address = (true) Tp  T [3] ≠ (false) DTC

WCET 2007, Pisa, page 25 of 27 Tid rum n+3. Partially evaluate wrt data state MaskMatchAddress Tp Tp := addr (T[3]) ≠ Tp  T [2] Tp  T [3] 0 = 0 ? Jump to Tp  T [3] ● All paths end with resolved DTC ● Expansion of switch handler completed – for this switch-case statement DTC resolved

WCET 2007, Pisa, page 26 of 27 Tid rum Completed flow-graph Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler Jump to = (Index and 254) = 8 ? Jump to = ≠ Index = 11 ? = ≠ Jump to ≠ residual SwHandler (T, *) Jump to ● Shows execution path to each case ● Shows conditions leading to each case

WCET 2007, Pisa, page 27 of 27 Tid rum Summary ● Traditional flow-graph construction: – enumerate only PC values ● Flow-graph construction with PE: – choose relevant data state components (... but how ?) – enumerate product domain (PC, data state) ● PE applied here to switch handlers – easy to choose the relevant data: ● the switch table and anything derived from it ● Other PE applications in WCET analysis?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.