Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nathan Cooprider and John Regehr University of Utah School of Computing Pluggable Abstract Domains for Analyzing Embedded Software.

Published byEmmeline Simmons Modified over 7 years ago

Similar presentations

Presentation on theme: "Nathan Cooprider and John Regehr University of Utah School of Computing Pluggable Abstract Domains for Analyzing Embedded Software."— Presentation transcript:

1 Nathan Cooprider and John Regehr University of Utah School of Computing Pluggable Abstract Domains for Analyzing Embedded Software

2 2 Goal Aggressive static analysis of embedded C programs Use compiler technology Perform optimizations Code size reduction Reducing duty cycle RAM compression

3 3 Solution Conditional X propagation (cXprop) X is a pluggable abstract value domain Handles all of C Interprocedural dataflow analysis Analyzes concurrent programs Multiple code transformations Example benefit: 9.2% average code size reduction in TinyOS applications

4 4 Contributions Clean domain interface for pluggable domains Quantitative comparison of abstract domains New method for analyzing interrupt-driven concurrency Pointer analysis intermixed with dataflow analysis

5 5 Results of abstract interpretation opa que x z a=&x z=5 *a=77 z=2 *a=13 a=&y *a=42 *a=26 z=1 z=0 a= x= y= z= a= x= y= z= a= x= y= z= a= x= y= z= T F T F F T

6 6 Parity domain opa que x z a=&x z=5 *a=77 z=2 *a=13 a=&y *a=42 *a=26 z=1 z=0 a={&x} x= ⊥ y= ⊥ z= ⊥ a={&y} x=odd y=even z= ⊥ a={&y} x=odd y=even z= ⊥ a={&y} x=odd y= ⊥ z= ⊥ T F T F F T

7 7 Constant domain opa que x z a=&x z=5 *a=77 z=2 *a=13 a=&y *a=42 *a=26 z=1 z=0 a={&x} x= ⊥ y= ⊥ z= ⊥ a={&y} x= ⊥ y= ⊥ z= ⊥ a={&y} x= ⊥ y= ⊥ z= ⊥ a={&y} x= ⊥ y= ⊥ z= ⊥ T F T F F T

8 8 Value-set domain opa que x z a=&x z=5 *a=77 z=2 *a=13 a=&y *a=42 *a=26 z=1 z=0 a={&x} x= ⊥ y= ⊥ z= ⊥ a={&y} x={13,77 } y={42} z={1} a={&y} x={13,77 } y={42} z={2,5} a={&y} x={13,77 } y= ⊥ z={2,5} T F T F F T

9 9 Bitwise domain opa que x z a=&x z=5 *a=77 z=2 *a=13 a=&y *a=42 *a=26 z=1 z=0 a={&x} x= ⊥⊥⊥⊥⊥⊥⊥ ⊥ y= ⊥⊥⊥⊥⊥⊥⊥ ⊥ z= ⊥⊥⊥⊥⊥⊥⊥ ⊥ a={&y} x= 0 ⊥ 001101 y= 00101010 z= 0000000 ⊥ a={&y} x= 0 ⊥ 001101 y= 00101010 z= 00000 ⊥⊥⊥ a={&y} x= 0 ⊥ 001101 y= ⊥⊥⊥⊥⊥⊥⊥ ⊥ z =00000 ⊥⊥⊥ T F T F F T

10 10 Interval domain opa que x z a=&x z=5 *a=77 z=2 *a=13 a=&y *a=42 *a=26 z=1 z=0 a={&x} x= ⊥ y= ⊥ z= ⊥ a={&y} x= ⊥ y=[26,42 ] z=[1,1] a={&y} x= ⊥ y=[26,42 ] z=[2,5] a={&y} x= ⊥ y= ⊥ z=[2,5] T F T F F T

11 11 cXprop components CIL Core cXprop Abstract domain CIL's feature interface cXprop's domain interface

12 12 Constant and value-set domains Constant domain Transfer functions Special cases Handle ⊥ Call CIL's constant folder Value-set domain User-defined set size Quadratic-time transfer functions using brute force

13 13 Bitwise and interval domains Bitwise domain Vectors of three-valued bits 0,1, ⊥ Regehr and Duongsaa's transfer functions Interval domain Upper and lower bound on range of values Regehr and Duongsaa's transfer functions

14 14 Sensor network programming Component-based Block-box reuse Interrupt-driven Very constrained environment cXprop features added for sensor network application analysis Concurrency analysis Interrupt bit modeling Atomic section removal

15 15 Modeling concurrency in cXprop Analysis of interrupt-driven concurrency Three types of program data Unshared data Unprotected shared data Protected shared data

16 16 Concurrency

17 17 cXprop's transformations Three primary transformation modes Normal conditional constant propagation Assert program state Dynamic dataflow information x = 1; if (flag == 0) x++; y = x + 1; x = 1; if (flag == 0) x=2; y = x + 1; x = 1; if (flag == 0) x++; y = x + 1; x = 1; assert (x==1); if (flag == 0) { assert(x==1); x++; } assert (x==1 || x==2); y = x + 1; x = 1; if (flag == 0) x++; y = x + 1; x = 1; cXprop_dynamic_meet(& cxp_glob_var_0, x); if (flag == 0) { x++; cXprop_dynamic_meet(& cxp_glob_var_1, x);} y = x + 1; cXprop_dynamic_meet(& cxp_glob_var_2, y);

18 18 Validation of cXprop Specific test cases Benchmarks SPEC 2000: gzip, mcf, bzip2 MiBench: basicmath, patricia, FFT TinyOS 1.x: blink, cnttoledsandrfm, hfs, rfmtoleds, surge, taskapp, acoustic, agilla, ecc TinyOS 2.x: null, basestation Miscellaneous: rc4, dhrystone, yacr2 Random program generator

19 19 Analysis times Analysis time contributors Size of concretization sets Transfer functions Dataflow representation

20 20 Code size reduction results

21 21 Comparing abstract domains Goal: Apples-to-apples comparison across domains Information known metric total information known for a program= total # of information bits / total # of bits possible # of information bits ≝ log 2 j – log 2 k j = total # of representable values k = # of possible values

22 22 Example information bit computation Consider a 32-bit int with abstract value of {4,17,19,312} There are 2 32 representable values There are 4 possible values log 2 2 32 – log 2 4 = 30 information bits

23 23 Comparison of information known

24 24 Conclusion Interprocedural dataflow analysis based on abstract interpretation Clean domain interface for pluggable domains Quantitative comparison of abstract domains No universal winner Additions to handle concurrency in interrupt-driven embedded systems You can download cXprop here: http://www.cs.utah.edu/~coop/research/cxprop

25 Nathan Cooprider and John Regehr University of Utah School of Computing Pluggable Abstract Domains for Analyzing Embedded Software

26 26 Necessary assumptions for cXprop Precise and sound dataflow analysis of C is nearly impossible Assumptions about Memory model External calls Floating point Inline assembly Order of evaluation Concurrency Consider store to array where index is indeterminate big_array[ ⊥ ] = 42; Sound analysis must drop all dataflow facts Could overwrite return address

27 27 Uses of cXprop Compare abstract domains Optimize C code Reduce code size Lower duty cycle Identify unused bits Clean up after CCured Facilitate other analyses

28 28 cXprop's abstract domain interface Ocaml Do not need to know CIL internals Parity domain implemented in under an hour 32 transfer functions 6 backwards functions 11 utility functions widen, concretize, abstract, meet,... shiftrt(abstract value, abstract value, type) ➔ abstract value backwards_eq (abstract value, abstract value, type, abstraction function) ➔ (boolean * (abstract value * abstract value) * (abstract value * abstract value)) mult(abstract value, abstract value, type) ➔ abstract value

29 29 FLID removal

Download ppt "Nathan Cooprider and John Regehr University of Utah School of Computing Pluggable Abstract Domains for Analyzing Embedded Software."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Computer Architecture

Computer Architecture
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
Code Compaction of an Operating System Kernel Haifeng He, John Trimble, Somu Perianayagam, Saumya Debray, Gregory Andrews Computer Science Department.

Code Compaction of an Operating System Kernel Haifeng He, John Trimble, Somu Perianayagam, Saumya Debray, Gregory Andrews Computer Science Department.
IntroductionIntroduction  Computer program: an ordered sequence of statements whose objective is to accomplish a task.  Programming: process of planning.

IntroductionIntroduction  Computer program: an ordered sequence of statements whose objective is to accomplish a task.  Programming: process of planning.
Chapter 13 Embedded Systems

Chapter 13 Embedded Systems
Chapter 13 Embedded Systems Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 13 Embedded Systems Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.

Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.
Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.

Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.

Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.

1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.
1 Efficient Memory Safety for TinyOS Nathan Cooprider Will Archer Eric Eide David Gay † John Regehr University of Utah School of Computing † Intel Research.

1 Efficient Memory Safety for TinyOS Nathan Cooprider Will Archer Eric Eide David Gay † John Regehr University of Utah School of Computing † Intel Research.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Telescoping Languages: A Compiler Strategy for Implementation of High-Level Domain-Specific Programming Systems Ken Kennedy Rice University.

Telescoping Languages: A Compiler Strategy for Implementation of High-Level Domain-Specific Programming Systems Ken Kennedy Rice University.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
1 TinyOS 2.1: Deploying Memory Safety Nathan Cooprider Yang Chen Will Archer Eric Eide David Gay † John Regehr University of Utah School of Computing †

1 TinyOS 2.1: Deploying Memory Safety Nathan Cooprider Yang Chen Will Archer Eric Eide David Gay † John Regehr University of Utah School of Computing †
Random Testing of Interrupt-Driven Software John Regehr University of Utah.

Random Testing of Interrupt-Driven Software John Regehr University of Utah.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
Static Analysis of Embedded C John Regehr University of Utah Joint work with Nathan Cooprider.

Static Analysis of Embedded C John Regehr University of Utah Joint work with Nathan Cooprider.
Lock Inference for Systems Software John Regehr Alastair Reid University of Utah March 17, 2003.

Lock Inference for Systems Software John Regehr Alastair Reid University of Utah March 17, 2003.

Similar presentations

Ads by Google