CSCE 548 Building Secure Software Data Flow Analysis
- Coral Garrett
- 5 years ago
1 CSCE 548 Building Secure Software Data Flow Analysis Professor Lisa Luo Spring 2018
2 Previous Class
- Why do we need reverse engineering?
- Tools for reverse engineering
  - Debugger
  - Disassembler
  - System monitoring tools
- Reverse engineering tool examples
  - Java disassembler
  - Java decompiler
  - Debugger
  - Tracing
- Reverse engineering malware
  - Static analysis
  - Dynamic analysis

3 What is Dataflow Analysis?
- Static analysis reasoning about the flow of data in a program
- Different kinds of data: constants, variables, expressions
- Used by bug-finding tools and compilers

4 Control-Flow Graphs
    x = 5;
    y = 1;
    while (x != 1) {
        y = x * y;
        x = x - 1;
    }
[Figure: control-flow graph with nodes entry, x = 5, y = 1, (x != 1)?, y = x*y, x = x-1, exit]

5 QUIZ: Control-Flow Graphs
[Figure: control-flow graph with nodes entry, x = 5, (x != 0)?, y = x, x = x - 1, (y != 0)?, y = y - 1, exit]

6 QUIZ: Control-Flow Graphs
    x = 5;
    while (x != 0) {
        y = x;
        x = x - 1;
        while (y != 0) {
            y = y - 1;
        }
    }
[Figure: control-flow graph with nodes entry, x = 5, (x != 0)?, y = x, x = x - 1, (y != 0)?, y = y - 1, exit]

7 Applications of Dataflow Analysis
- Reaching Definitions Analysis: find usage of uninitialized variables
- Live Variables Analysis: allocate registers efficiently
- Very Busy Expressions Analysis: reduce code size

8 Reaching Definitions Analysis
9 Abstracting Control-Flow Conditions
- Abstracts away control-flow conditions with nondeterministic choice (*)
- Nondeterministic choice => assumes the condition can evaluate to true or false
- Considers all paths possible in actual runs, and maybe paths that are never possible (unsound).
[Figure: control-flow graph with nodes entry, x = 5, y = 1, (x != 1)?, y = x*y, x = x-1, exit]

10 Reaching Definitions Analysis
Goal: Determine, for each program point, which assignments have been made and not overwritten, when execution reaches that point along some path.
- Assignment == Definition
[Figure: control-flow graph with nodes entry, x = y, y = 1, (x != 1)?, y = x*y, x = x-1, exit; program points P1 and P2 are marked]

11 Reaching Definitions Analysis
- A definition of a variable x is a statement that may modify the value of variable x.
- A definition of a variable x at node k reaches node n if there is a definition-free path from k to n.

12 QUIZ: Reaching Definitions Analysis
1. The assignment y = 1 reaches P1
2. The assignment y = 1 reaches P2
3. The assignment y = x * y reaches P1
[Figure: control-flow graph with nodes entry, x = y, y = 1, (x != 1)?, y = x*y, x = x-1, exit; program points P1 and P2 are marked]

13 Result of Dataflow Analysis
- Set of facts at each program point
- For reaching definitions analysis, a fact is a pair of the form <defined variable name, defining node label>
- Examples: <x,2>, <y,5>
[Figure: labeled control-flow graph with nodes 1: entry, 2: x = y, 3: y = 1, 4: (x != 1)?, 5: y = x*y, 6: x = x-1, 7: exit]

14 Dataflow Analysis Process
- Give a distinct label n to each node
- IN[n] = set of facts at entry of node n
- OUT[n] = set of facts at exit of node n
- Dataflow analysis computes IN[n] and OUT[n] for each node
- Repeat two operations until IN[n] and OUT[n] stop changing; this is called the fixed point
[Figure: labeled control-flow graph with nodes 1: entry, 2: x = y, 3: y = 1, 4: (x != 1)?, 5: y = x*y, 6: x = x-1, 7: exit]

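15 RD Analysis: Operation #1
$\mathrm{IN}[n] = \bigcup_{n' \in \mathrm{predecessors}(n)} \mathrm{OUT}[n']$
For a node n with predecessors n1, n2, n3: $\mathrm{IN}[n] = \mathrm{OUT}[n1] \cup \mathrm{OUT}[n2] \cup \mathrm{OUT}[n3]$
[Figure: nodes n1, n2 and n3 flowing into node n]
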
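16 RD Analysis: Operation #2
$\mathrm{OUT}[n] = (\mathrm{IN}[n] - \mathrm{KILL}[n]) \cup \mathrm{GEN}[n]$
- n: b?     $\mathrm{GEN}[n] = \emptyset$, $\mathrm{KILL}[n] = \emptyset$
- n: x = a  $\mathrm{GEN}[n] = \{ \langle x, n \rangle \}$, $\mathrm{KILL}[n] = \{ \langle x, m \rangle : m \neq n \}$
[Figure: node n with IN[n] at its entry and OUT[n] at its exit]
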
17 RD Analysis Example
n   IN[n]                        OUT[n]
1   --                           {<x,?>,<y,?>}
[Figure: labeled control-flow graph with nodes 1: entry, 2: x = y, 3: y = 1, 4: (x != 1)?, 5: y = x*y, 6: x = x-1, 7: exit]

18 RD Analysis Example
n   IN[n]                        OUT[n]
1   --                           {<x,?>,<y,?>}
2   {<x,?>,<y,?>}                {<x,2>,<y,?>}
3   {<x,2>,<y,?>}                {<x,2>,<y,3>}
4
5
[Figure: labeled control-flow graph with nodes 1: entry, 2: x = y, 3: y = 1, 4: (x != 1)?, 5: y = x*y, 6: x = x-1, 7: exit]

19 QUIZ: Reaching Definitions Analysis
n   IN[n]                        OUT[n]
1   --                           {<x,?>,<y,?>}
2   {<x,?>,<y,?>}                {<x,2>,<y,?>}
3   {<x,2>,<y,?>}                {<x,2>,<y,3>}
4   {<x,2>,<y,3>, OUT[6]}        {<x,2>,<y,3>, OUT[6]}
5   {<x,2>,<y,3>, OUT[6]}        {<x,2>,<y,5>, OUT[6]}
[Figure: labeled control-flow graph with nodes 1: entry, 2: x = y, 3: y = 1, 4: (x != 1)?, 5: y = x*y, 6: x = x-1, 7: exit]

20 QUIZ: Reaching Definitions Analysis
n   IN[n]                        OUT[n]
1   --                           {<x,?>,<y,?>}
2   {<x,?>,<y,?>}                {<x,2>,<y,?>}
3   {<x,2>,<y,?>}                {<x,2>,<y,3>}
4   {<x,2>,<y,3>, OUT[6]}        {<x,2>,<y,3>, OUT[6]}
5   {<x,2>,<y,3>, OUT[6]}        {<x,2>,<y,5>, OUT[6]}
6   {<x,2>,<y,5>, OUT[6]}        {<y,5>,<x,6>}
[Figure: labeled control-flow graph with nodes 1: entry, 2: x = y, 3: y = 1, 4: (x != 1)?, 5: y = x*y, 6: x = x-1, 7: exit]

21 QUIZ: Reaching Definitions Analysis
n   IN[n]                        OUT[n]
1   --                           {<x,?>,<y,?>}
2   {<x,?>,<y,?>}                {<x,2>,<y,?>}
3   {<x,2>,<y,?>}                {<x,2>,<y,3>}
4   {<x,2>,<y,3>,<y,5>,<x,6>}    {<x,2>,<y,3>,<y,5>,<x,6>}
5   {<x,2>,<y,3>,<y,5>,<x,6>}    {<x,2>,<y,5>,<x,6>}
6   {<x,2>,<y,5>,<x,6>}          {<y,5>,<x,6>}
[Figure: labeled control-flow graph with nodes 1: entry, 2: x = y, 3: y = 1, 4: (x != 1)?, 5: y = x*y, 6: x = x-1, 7: exit]

22 QUIZ: Reaching Definitions Analysis
n   IN[n]                        OUT[n]
1   --                           {<x,?>,<y,?>}
2   {<x,?>,<y,?>}                {<x,2>,<y,?>}
3   {<x,2>,<y,?>}                {<x,2>,<y,3>}
4   {<x,2>,<y,3>,<y,5>,<x,6>}    {<x,2>,<y,3>,<y,5>,<x,6>}
5   {<x,2>,<y,3>,<y,5>,<x,6>}    {<x,2>,<y,5>,<x,6>}
6   {<x,2>,<y,5>,<x,6>}          {<y,5>,<x,6>}
7   {<x,2>,<y,3>,<y,5>,<x,6>}    --
[Figure: labeled control-flow graph with nodes 1: entry, 2: x = y, 3: y = 1, 4: (x != 1)?, 5: y = x*y, 6: x = x-1, 7: exit]

23 Bug Finding: Null Pointer Exception
    public String badcode(int x) {
        String y = null;          // node 1
        if (x > 0) {              // node 2
            y = "more";           // node 3
        } else if (x < 0) {       // node 4
            y = "less";           // node 5
        }
        return y.toUpperCase();   // node 6: dereferences y
    }
Goal: Determine whether there are any possible null-pointer exceptions.

24 Bug Finding: Null Pointer Exception
Solution: Determine whether the definition at node 1 may reach node 6. If it can, we have a possible null-pointer exception.

25 Bug Finding: Null Pointer Exception
n       IN[n]                    OUT[n]
entry   --                       {<y,?>}
1       {<y,?>}                  {<y,1>}
2       {<y,1>}                  {<y,1>}
3       {<y,1>}                  {<y,3>}
4       {<y,1>}                  {<y,1>}
5       {<y,1>}                  {<y,5>}
6       {<y,1>,<y,3>,<y,5>}      --

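
The two RD operations and the null-pointer check above, worked through as an added example that is not part of the original slides. The edge lists are assumptions: the loop edges follow the labeled control-flow graph, and the `badcode` edges are read off its if / else-if structure; the function names are hypothetical.

```python
# Added example (not from the original slides): reaching definitions as a
# fixed-point computation over a control-flow graph.
from collections import defaultdict


def reaching_definitions(nodes, edges, variables, entry):
    """nodes maps label -> variable assigned at that node (None for entry,
    branch and exit nodes); edges is a list of (source, target) pairs.
    A fact is a (variable, defining node label) pair; '?' = uninitialized.
    """
    preds = defaultdict(list)
    for src, dst in edges:
        preds[dst].append(src)

    IN = {n: set() for n in nodes}
    OUT = {n: set() for n in nodes}
    OUT[entry] = {(v, "?") for v in variables}

    changed = True
    while changed:  # repeat both operations until a fixed point is reached
        changed = False
        for n in nodes:
            if n == entry:
                continue
            # Operation #1: IN[n] is the union of OUT over all predecessors.
            new_in = set().union(*(OUT[p] for p in preds[n]))
            # Operation #2: OUT[n] = (IN[n] - KILL[n]) | GEN[n].
            var = nodes[n]
            if var is None:
                new_out = set(new_in)  # GEN and KILL are both empty
            else:
                new_out = {f for f in new_in if f[0] != var} | {(var, n)}
            if (new_in, new_out) != (IN[n], OUT[n]):
                IN[n], OUT[n] = new_in, new_out
                changed = True
    return IN, OUT


def loop_example():
    """The labeled loop CFG from the slides (nodes 1..7)."""
    nodes = {1: None, 2: "x", 3: "y", 4: None, 5: "y", 6: "x", 7: None}
    edges = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (6, 4), (4, 7)]
    return reaching_definitions(nodes, edges, ["x", "y"], entry=1)


def badcode_example():
    """CFG of badcode(); edges are an assumption read off the if / else-if."""
    nodes = {"entry": None, 1: "y", 2: None, 3: "y", 4: None, 5: "y", 6: None}
    edges = [("entry", 1), (1, 2), (2, 3), (2, 4), (3, 6),
             (4, 5), (4, 6), (5, 6)]
    return reaching_definitions(nodes, edges, ["y"], entry="entry")


def may_be_null(IN, use_node, var, null_def_node):
    """True if the null assignment may reach the node that dereferences var."""
    return (var, null_def_node) in IN[use_node]


if __name__ == "__main__":
    IN, OUT = loop_example()
    for n in sorted(IN):
        print(n, sorted(IN[n], key=str), sorted(OUT[n], key=str))
    IN, _ = badcode_example()
    print("possible null dereference at node 6:", may_be_null(IN, 6, "y", 1))
```

The path that keeps `<y,1>` alive at node 6 is the one through the false branch of node 4, which is the `x == 0` case.
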
26 Live Variables Analysis
27 Live Variables Analysis
Goal: Determine, for each program point, which variables could be live at the point's exit.
- A variable is live if there is a path to a use of the variable that doesn't redefine the variable
[Figure: control-flow graph with nodes entry, y = 4, x = 2, (y != x)?, z = y, z = y*y, x = z, exit; program point P is marked]

28 Live Variables Analysis
A variable x is live at node k if x is NOT redefined from n to k.
[Figure: nodes k and n, with the labels "x =" and "= x"]

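29 Live Variables Analysis: Operation #1
$\mathrm{OUT}[n] = \bigcup_{n' \in \mathrm{successors}(n)} \mathrm{IN}[n']$
For a node n with successors n1, n2, n3: $\mathrm{OUT}[n] = \mathrm{IN}[n1] \cup \mathrm{IN}[n2] \cup \mathrm{IN}[n3]$
[Figure: node n flowing into nodes n1, n2 and n3]
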
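30 Live Variables Analysis: Operation #2
$\mathrm{IN}[n] = (\mathrm{OUT}[n] - \mathrm{KILL}[n]) \cup \mathrm{GEN}[n]$
- n: x?     $\mathrm{GEN}[n] = \{ \langle x, n \rangle \}$, $\mathrm{KILL}[n] = \emptyset$
- n: y = x  $\mathrm{GEN}[n] = \{ \langle x, n \rangle \}$, $\mathrm{KILL}[n] = \{ \langle y, m \rangle : m \neq n \}$
[Figure: node n with IN[n] at its entry and OUT[n] at its exit]
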
31 Live Variables Analysis Example
n   IN[n]      OUT[n]
[Figure: labeled control-flow graph with nodes 1: entry, 2: y = 4, 3: x = 2, 4: (y != x)?, 5: z = y, 6: z = y*y, 7: x = z, 8: exit]

32 Live Variables Analysis Example
n   IN[n]      OUT[n]
2   ∅          { y }
3   { y }      { x, y }
4   { x, y }   { y }
5   { y }      { z }
6   { y }      { z }
7   { z }      ∅
[Figure: labeled control-flow graph with nodes 1: entry, 2: y = 4, 3: x = 2, 4: (y != x)?, 5: z = y, 6: z = y*y, 7: x = z, 8: exit]

33 Result Analysis
- Even though this program has three variables x, y, and z, at no point are more than two of them simultaneously live.
- Compilers can use this information to generate assembly code that uses only two registers instead of three to store the contents of these variables.
- Using fewer registers can produce more efficient assembly code, because it avoids the need to store the contents of these variables in memory.

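
The backward analysis and the two-register observation above, as an added example that is not part of the original slides. It goes one step beyond the slides by deriving a register assignment from the live sets with a greedy interference-graph coloring; the edge list is an assumption inferred from the labeled graph and the IN/OUT table, and all function names are hypothetical.

```python
# Added example (not from the original slides): live variables analysis as a
# backward worklist computation, then register pressure from the result.
from collections import defaultdict, deque


def live_variables(nodes, edges):
    """nodes maps label -> (defined variable or None, set of used variables).
    Returns (IN, OUT), each mapping a label to its set of live variables."""
    succs, preds = defaultdict(list), defaultdict(list)
    for src, dst in edges:
        succs[src].append(dst)
        preds[dst].append(src)

    IN = {n: set() for n in nodes}
    OUT = {n: set() for n in nodes}
    worklist = deque(sorted(nodes, reverse=True))  # start from the exit side
    while worklist:
        n = worklist.popleft()
        # Operation #1: OUT[n] is the union of IN over all successors.
        OUT[n] = set().union(*(IN[s] for s in succs[n]))
        # Operation #2: IN[n] = (OUT[n] - KILL[n]) | GEN[n].
        defined, used = nodes[n]
        new_in = (OUT[n] - {defined}) | used
        if new_in != IN[n]:
            IN[n] = new_in
            worklist.extend(preds[n])  # predecessors must be recomputed
    return IN, OUT


def max_live(IN, OUT):
    """Largest number of variables live at any single program point."""
    return max(len(s) for s in list(IN.values()) + list(OUT.values()))


def assign_registers(nodes, OUT):
    """Greedy coloring: a variable defined at n interferes with every other
    variable live at the exit of n. Assumes each variable is defined before
    it is used, as in the slide's program."""
    interferes = {d: set() for d, _ in nodes.values() if d is not None}
    for n, (defined, _) in nodes.items():
        if defined is None:
            continue
        for other in OUT[n] - {defined}:
            interferes[defined].add(other)
            interferes.setdefault(other, set()).add(defined)
    registers = {}
    for var in sorted(interferes):
        taken = {registers[o] for o in interferes[var] if o in registers}
        registers[var] = next(r for r in range(len(interferes))
                              if r not in taken)
    return registers


def slide_example():
    """Labeled CFG from the slides: label -> (defined variable, used set)."""
    nodes = {1: (None, set()), 2: ("y", set()), 3: ("x", set()),
             4: (None, {"x", "y"}), 5: ("z", {"y"}), 6: ("z", {"y"}),
             7: ("x", {"z"}), 8: (None, set())}
    edges = [(1, 2), (2, 3), (3, 4), (4, 5), (4, 6), (5, 7), (6, 7), (7, 8)]
    IN, OUT = live_variables(nodes, edges)
    return IN, OUT, max_live(IN, OUT), assign_registers(nodes, OUT)


if __name__ == "__main__":
    IN, OUT, peak, regs = slide_example()
    for n in sorted(IN):
        print(n, sorted(IN[n]), sorted(OUT[n]))
    print("max simultaneously live:", peak, "registers:", regs)
```
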
34 Classifying Dataflow Analyses
Match each analysis with its characteristics.
- Characteristics: forward analysis, backward analysis
- Analyses: Reaching Definitions, Live Variables

35 What Have We Learned?
- What is dataflow analysis
- Reasoning about flow of data using control-flow graphs
- Classification: forward vs. backward
- Two classical dataflow analyses
  - Reaching definition analysis
  - Live variables analysis