Thursday, December 23, The attack model: Static Program Analysis
- Grace Miller
1 The attack model: Static Program Analysis
5 How is SPA done?
DFA - Data Flow Analysis
CFA - Control Flow Analysis
Proving invariance: theorem proving
Checking models: model checking
Giaco & Ranzato
6 DFA: The people
Gary Kildall, Ken Kennedy, Jeffrey D. Ullman
7 The source
Flemming Nielson, Hanne Riis Nielson, Chris Hankin: Principles of Program Analysis. Springer (Corrected 2nd printing, 452 pages)
Alfred V. Aho, Ravi Sethi and Jeffrey D. Ullman: Compilers: Principles, Techniques, and Tools. Addison-Wesley
8 DFA
9 Data Flow Analysis in history
[Figure labels: Scanner, Parser, Semantic analysis, Optimizer, Code generator; CFA, DFA, Improvement]
We start from a program representation: the CFG
The semantics is given by recursive equations specifying the i/o behavior at each program point
10 CFG
11 What is DFA
Wiki: Data-flow analysis is a technique for gathering information about the possible set of values calculated at various points in a computer program.
A better definition? Data-flow analysis is a technique for gathering information about how data flows at run time at various points in a computer program.
12 Example: Live Variable Analysis
Essential for register allocation: two variables that are live at the same time cannot be stored in the same register!
x and y cannot be stored in the same location if they are both in use!
Useful for SW watermarking (the QP algorithm)
13 Example
a and b are never in use at the same time: they can be substituted with x
14 Live variables
x is live at the exit of C if x holds a value that will be used later (it will be read: right-hand side)
x is not live after C if it will be reassigned before its future use (x := exp and x ∉ exp)
If x is not live, it is dead!
Dead-code elimination: if x is dead after x:=exp then we can erase x:=exp
Dead code is undecidable!!
15 Live variables
The last use of b as r-value is in 4
b is used in 4 and it is live on the arc 3→4
No assignment to b in 3: it is live on 2→3
b is assigned in 2: no one will use b before 1after 2
Live range of b: {2→3, 3→4}
16 Live variables
a is live on 4→5 and 5→2
a is live on 1→2
a is not live on 2→3 and 3→4: even if a is defined in 3, this value will not be used before a is assigned a new value in 4
17 Live variables
c is live on all arcs
Liveness can be used to deduce that if c is a local variable, then c is used without being initialized! (warning!!!!)
18 Live variables
It is enough to have 2 registers: a and b are never live together!
19 Live variables
a and b are never live along the same arcs! We can optimize P: new register ab
20 Basic notation
CFG with out-edges and in-edges
pre[n] and post[n] denote the predecessor nodes and successor nodes of n.
Example:
post[5]={2,6} because 5→6 and 5→2
pre[2]={1,5} because 5→2 and 1→2
21 Notation
A variable is defined when it is the L-value of an assignment: x := ...
A variable is used when it is an R-value in an expression: ... := .. x ..
def[n] are the variables defined in n
use[n] are the variables used in n
Example: def[3]={c}, def[5]=∅, use[3]={b,c}, use[5]={a}
22 Formalizing liveness
Definition: x is live on e→f if there exists an execution path C from e to n such that:
e→f is the first arc in C
x ∈ use[n]
For any n' ≠ e and n' ≠ n in C, x ∉ def[n'].
x is live-in in a node n if x is live on all in-edges of n.
x is live-out (or simply live) in a node n if it is live on at least one of the out-edges of n.
Example:
a is live on 1→2, 4→5 and 5→2
b is live on 2→3, 3→4
c is live on all arcs
a is live-in at 2, BUT it is not live-out at 2
a is live-out at 5
23 Computing Liveness
Liveness information (i.e., live-in and live-out for all nodes) can be over-approximated as follows:
1. If a variable x ∈ use[n], then x is live-in at n. Namely, if a node n uses x as R-value then x is live on every arc incoming to n.
2. If a variable x is live-out at n and x ∉ def[n], then x is also live-in at n. Namely, if x is live on some arc outgoing from n and x is not defined in n, then x is live on all arcs incoming to n.
3. If a variable x is live-in at m, then x is live-out for all nodes c ∈ pre[m].
Correctness: If x is truly live-in (live-out) at n then the static analysis will find that x is live-in (live-out) at n.
24 Approximating Liveness
Liveness analysis is approximate: the assumption is that all paths in the CFG are possible!!!
The analysis determines that a is live-in at 5, and therefore a is live-out at 3. BUT there is no true execution path from 3 to 5 and therefore a is not concretely live at the exit of 3!
25 Data-Flow equations
Define:
in[n]: the set of variables that are classified as live-in at the node n
out[n]: the set of variables that are classified as live-out at the node n
This can be expressed with 2 equations (or a system of equations):
1. in[n] = use[n] ∪ (out[n] - def[n])
2. out[n] = ⋃ {in[m] | m ∈ post[n]}
26 Least fixpoint
Least fixpoint of the system of equations: ∀n ∈ nodes(cfg(p)):
in[n] = use[n] ∪ (out[n] - def[n])
out[n] = ⋃ {in[m] | m ∈ post[n]}
Formally: let |Vars(P)| < ω and |nodes(cfg(p))| = N, then
live : (2^Vars(P) × 2^Vars(P))^N → (2^Vars(P) × 2^Vars(P))^N
(2^Vars(P) × 2^Vars(P))^N is a finite complete lattice!
live is a monotone function such that:
live(⟨in1,out1,...,inn,outn⟩) = ⟨in[1] = use[1] ∪ (out[1] - def[1]), out[1] = ⋃ {in[m] | m ∈ post[1]}, ..., in[n] = use[n] ∪ (out[n] - def[n]), out[n] = ⋃ {in[m] | m ∈ post[n]}⟩
27 Correctness
Theorem: ∀n ∈ nodes(p): live-in[n] ⊆ in[n] and live-out[n] ⊆ out[n].
Proof idea: Both in[n] and out[n] are computed over the CFG statically, i.e. following possibly non-real executions!!
28 Approximation soundness
How can we read the answer of a static analysis?
If x will be live in n in some program execution path then x ∈ out[n]
If x will not be live in n in some program computation it may well happen that x ∈ out[n]
For liveness, sound approximation means: we can erroneously derive that x is live, BUT we CANNOT erroneously derive that a variable is dead!!
If x ∈ out[n] then x may be live at program point n
If x ∉ out[n] then x is definitely dead at program point n.
32 The approximation is complete!!
out[1]={a,c}, out[2]={b,c}, out[3]={b,c}, out[4]={a,c}, out[5]={a,c}
33 Backward analysis
Live variable analysis is indeed backward: information propagates backward from out to in
I can compute in[n] if I know out[n]; I can compute out[n] if I know in[m] for all successors m of n
34 Backward analysis
35 Reaching definitions
Given a program point n, which definitions (assignments) are available and not overwritten when program execution reaches this point along some path? And which definitions are available after n?
A program point n may kill a definition: if the command in n is an assignment x:=exp, we kill the definitions of x which are available on entry at n.
We can generate new definitions by assignments.
We are interested in entry and exit reaching definitions for any program point in the CFG.
... it is one of the simplest data-flow analyses in compilers!
36 Forward analysis
37 Formal definition
Definitions are pairs of variable and program point: {(x,p) | x ∈ Vars, p is a program point} ∈ 2^(Vars × Points), where (x,p) means that x is assigned at point p.
The analysis computes the set of reaching definitions for each program point: definition chains.
If (x,p) is computed at point q then the assignment to x at point p is available in q.
? is a special symbol in Points, which is used for uninstantiated variables
The value ι = {(x,?) | x ∈ Vars} denotes uninstantiated variables
38 Formal definition
The analysis is given by the following system of fixpoint equations for any program point p in the CFG:
RD_entry(p) = ι if p is a program entry point
RD_entry(p) = ⋃ {RD_exit(q) | q ∈ pre[p]} otherwise
RD_exit(p) = (RD_entry(p) \ kill_RD[p]) ∪ gen_RD[p]
RD is a possible analysis: if x:=a in program point q is really available at the entry of point p then (x,q) ∈ RD_entry(p) (the converse may not hold)
39 Formal definition
kill_RD[p] = {(x,q) | q ∈ Points, x ∈ def[q]} ∪ {(x,?)} if x ∈ def[p]
kill_RD[p] = ∅ if x ∉ def[p]
gen_RD[p] = {(x,p)} if x ∈ def[p]
gen_RD[p] = ∅ if x ∉ def[p]
As usual: def[p] = {x} if the instruction at program point p is x:=exp. Otherwise def[p] = ∅.
The analysis is forward with least fixpoint.
40 Program:
1 input n;
2 m:= 1;
3 n>1;
4 m:= m*n;
5 n:= n-1;
6 output m;
RD_entry(1) = {(n,?),(m,?)}
RD_exit(1) = {(n,?),(m,?)}
RD_entry(2) = {(n,?),(m,?)}
RD_exit(2) = {(n,?),(m,2)}
RD_entry(3) = RD_exit(2) ∪ RD_exit(5) = {(n,?),(n,5),(m,2),(m,4)}
RD_exit(3) = {(n,?),(n,5),(m,2),(m,4)}
RD_entry(4) = {(n,?),(n,5),(m,2),(m,4)}
RD_exit(4) = {(n,?),(n,5),(m,4)}
RD_entry(5) = {(n,?),(n,5),(m,4)}
RD_exit(5) = {(n,5),(m,4)}
RD_entry(6) = {(n,?),(n,5),(m,2),(m,4)}
RD_exit(6) = {(n,?),(n,5),(m,2),(m,4)}
41 DFA training
On-line analyzer: it implements standard DFA with an intuitive interface!
46 DFA Framework
Is there a common structure in DFA?
Having a framework allows the design of a common algorithm and specification (correctness proofs, complexity evaluation, etc.)
47 A common structure?
Forward: in[n] → out[n], pre → post
Backward: out[n] → in[n], post → pre
Possible analysis: Reaching definitions, Live variables
Definite analysis: Available expressions, Very busy expressions
48 A common pattern
GA∘(p) = ι if p ∈ E
GA∘(p) = ⊔ {GA•(q) | (q,p) ∈ F} otherwise
GA•(p) = f_p(GA∘(p))
where:
E are the initial/terminal points in the CFG
ι is the initial/final information
F are the arcs or inverse arcs in the CFG
⊔ is either ∪ or ∩
f_p is a transfer function associated with node p
49 Forward vs Backward
In forward analysis E are the initial points, F = {(q,p) | q → p}, GA∘ is GA_entry and GA• is GA_exit
In backward analysis E are the final points, F = {(q,p) | p → q}, GA∘ is GA_exit and GA• is GA_entry
50 Possible vs Definite
When ⊔ = ∩ we look for the largest set satisfying the equations on all possible computation paths entering (exiting) a node: this is a definite (or must) analysis!
When ⊔ = ∪ we look for the least set satisfying the equations on at least one possible computation path entering (exiting) a node: this is a possible (or may) analysis!
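The common pattern of slides 48-50, written once and instantiated for the two possible analyses worked out earlier (live variables on slides 25-32, reaching definitions on slides 38-40). This is an added example, not code from the slides. The arc lists and the def/use sets that the slides do not spell out are assumptions chosen to agree with the live ranges and RD values the slides report.

```python
# Added example (not from the slides): one solver for the pattern
#   GA_circ(p)   = iota                               if p in E
#                  U { GA_bullet(q) | (q,p) in F }    otherwise
#   GA_bullet(p) = f_p(GA_circ(p))
# restricted to possible (may) analyses, where the combination is union.

def solve(nodes, flow, extremal, iota, transfer):
    """Worklist iteration from the empty sets up to the least fixpoint."""
    nodes = list(nodes)
    pred = {p: [q for (q, r) in flow if r == p] for p in nodes}
    succ = {q: [p for (r, p) in flow if r == q] for q in nodes}
    ga_circ = {p: frozenset() for p in nodes}
    ga_bullet = {p: frozenset() for p in nodes}
    work = list(nodes)
    while work:
        p = work.pop()
        if p in extremal:
            ga_circ[p] = frozenset(iota)
        else:
            ga_circ[p] = frozenset().union(*(ga_bullet[q] for q in pred[p]))
        new = frozenset(transfer(p, ga_circ[p]))
        if new != ga_bullet[p]:
            ga_bullet[p] = new
            work.extend(succ[p])      # nodes that read GA_bullet(p)
    return ga_circ, ga_bullet

# --- Live variables (backward). post[5]={2,6}, pre[2]={1,5}, def[3], use[3],
# use[5] and def[5] are from slides 20-21; the other entries are assumptions
# consistent with the live ranges on slides 15-17.
LV_ARCS = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 2), (5, 6)]
LV_DEF = {1: {"a"}, 2: {"b"}, 3: {"c"}, 4: {"a"}, 5: set(), 6: set()}
LV_USE = {1: set(), 2: {"a"}, 3: {"b", "c"}, 4: {"b"}, 5: {"a"}, 6: {"c"}}

def live_variables():
    """E = final node, F = inverse arcs, iota = {}; returns (in, out)."""
    out, inn = solve(range(1, 7), [(q, p) for (p, q) in LV_ARCS], {6}, set(),
                     lambda p, o: LV_USE[p] | (o - LV_DEF[p]))
    return inn, out

def live_arcs(var):
    """Arcs p->q on which var is classified live (var in in[q])."""
    inn, _ = live_variables()
    return {(p, q) for (p, q) in LV_ARCS if var in inn[q]}

def maybe_uninitialized():
    """Variables live-in at node 1: read on some path before any assignment."""
    inn, _ = live_variables()
    return set(inn[1])

# --- Reaching definitions (forward) for the program on slide 40.
# The arcs are an assumption read off the loop structure; as in the slide's
# values, `input n` at point 1 is not counted as a definition.
RD_ARCS = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 3), (3, 6)]
RD_DEF = {2: "m", 4: "m", 5: "n"}
RD_VARS = ("n", "m")

def rd_transfer(p, entry):
    """(RD_entry(p) \\ kill[p]) U gen[p]: drop every (x, _), add (x, p)."""
    x = RD_DEF.get(p)
    if x is None:
        return entry
    return {(y, q) for (y, q) in entry if y != x} | {(x, p)}

def reaching_definitions():
    """E = entry node, F = arcs, iota = {(x,?)}; returns (entry, exit)."""
    iota = {(x, "?") for x in RD_VARS}
    return solve(range(1, 7), RD_ARCS, {1}, iota, rd_transfer)

if __name__ == "__main__":
    inn, out = live_variables()
    for n in range(1, 7):
        print(f"in[{n}]={sorted(inn[n])}  out[{n}]={sorted(out[n])}")
    print("a and b share an arc:", bool(live_arcs("a") & live_arcs("b")))
    print("possibly read before initialization:", maybe_uninitialized())
    entry, exit_ = reaching_definitions()
    for n in range(1, 7):
        print(f"RD_entry({n})={sorted(entry[n])}  RD_exit({n})={sorted(exit_[n])}")
```

The empty intersection of `live_arcs("a")` and `live_arcs("b")` is the register-sharing fact of slides 18-19, and `maybe_uninitialized()` reproduces the warning about c on slide 17.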
51 Distributive Dataflow Analysis
Assume the transfer functions are monotone and ⊔ = ∪
A dataflow analysis problem is distributive if all transfer functions are additive, namely for any f and any x,y ∈ C: f(x ∪ y) = f(x) ∪ f(y)
Note that by monotonicity of f: f(x ∪ y) ⊇ f(x) ∪ f(y)
52 A distributive transfer function
53 A non-distributive transfer function
54 An example
[Figure: CFG with transfer functions f, g, h, k]
k(h(f(0) ∪ g(0))) = k(h(f(0)) ∪ h(g(0))) = k(h(f(0))) ∪ k(h(g(0)))
The analysis is equivalent to combining the results of the analysis along all separate paths
55 DFA of a distributive problem
If a problem is distributive then the minimal solution to its system of equations is equivalent to the combination of the separate analyses applied to all program execution paths (including infinite ones).
does not cause a loss of precision!
56 What problems are distributive?
Distributive problems are easy.
DFA concerning the structure of code are typically distributive!
Example: live variables, available expressions, reaching definitions, very busy expressions are all distributive problems.
These are properties concerning HOW the program executes.
57 Non-distributive problems
Typical non-distributive problems concern WHAT programs compute.
Example: the output is a constant, a positive value, belongs to an interval, is bounded, etc.
Example: Constant Propagation Analysis. For every program point p determine whether a variable always has the same constant value whenever the execution reaches p.
58 Constant Propagation Analysis
The domain of properties is (Var → Z^⊤) where:
Var is the set of variables in P
Z is the dual CPO to Z T
59 Constant Propagation Analysis
Var → Z^⊤ are the states evaluating variables in Z^⊤, with ⊤ meaning don't know.
Var → Z^⊤ is a CPO under the usual point-wise order ⊑:
If σ,σ' ∈ Var → Z^⊤ then σ ⊑ σ' iff ∀x ∈ Var. σ(x) Z % σ(x) Z σ'(x).
⊥ is a bottom state (totally undefined function) in (Var → Z^⊤).
60 [Figure: Hasse diagram of ({x,y} → Z^⊤) with top element ⊤ = {(x,⊤), (y,⊤)}; other elements shown: {(x,⊤), (y,4)}, {(x,1), (y,4)}, {(x,1), (y,2)}, {(y,4)}, {(x,1)}, {(y,7)}]
61 Analyzing expressions
In order to specify transfer functions we need to be able to evaluate (integer) expressions in Aexp in a state σ ∈ (Var → Z^⊤):
A : (Aexp → (Var → Z^⊤)) → Z^⊤
A⟦x⟧σ = ⊥ if σ = ⊥ or σ(x) = undef
A⟦x⟧σ = σ(x) otherwise
A⟦n⟧σ = ⊥ if σ = ⊥
A⟦n⟧σ = n otherwise
A⟦a1 op a2⟧σ = A⟦a1⟧σ ôp A⟦a2⟧σ
where ôp is the interpretation of op on Z^⊤, defined as follows: let op_Z : Z² → Z be an arithmetic operation on Z:
(A) if z1,z2 ∈ Z then z1 ôp z2 = z1 op_Z z2;
(B) ⊥ ôp z = z ôp ⊥ = ⊥;
(C) z1 ôp z2 = ⊤ otherwise.
62 The transfer functions
The transfer functions for constant propagation are f_p : (Var → Z^⊤) → (Var → Z^⊤), defined as follows:
if p is a node containing an assignment [x:=a]^p then f_p(σ) = σ[x ↦ A⟦a⟧σ]
if p is a node containing a non-assignment command then f_p(σ) = σ
This is a possible/forward analysis
63 Example
Consider the program [x:=10]^1; [y:=x+10]^2; ([while x<y]^3 [y:=y-1]^4); [z:=x-1]^5
The minimal solution of Constant Propagation Analysis is:
CP_entry(1) =
CP_exit(1) = {(x ↦ 10)}
CP_entry(2) = {(x ↦ 10)}
CP_exit(2) = {(x ↦ 10), (y ↦ 20)}
CP_entry(3) = CP_exit(3) = CP_entry(4) = CP_exit(4) = {(x ↦ 10), (y ↦ ⊤)}
CP_entry(5) = {(x ↦ 10), (y ↦ ⊤)}
CP_exit(5) = {(x ↦ 10), (y ↦ ⊤), (z ↦ 9)}
64 Non-distributivity
Constant Propagation Analysis is not distributive: consider the transfer function for the command [y := x * x]^p
We consider two states σ1 and σ2 such that σ1(x) = 1 and σ2(x) = -1.
In this case (σ1 ⊔ σ2)(x) = ⊤ and therefore f_p(σ1 ⊔ σ2)(y) = ⊤, while f_p(σ1)(y) = 1 = f_p(σ2)(y)
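Constant propagation as described on slides 58-64, as an added example that is not code from the slides: the abstract evaluation A with cases (A)-(C), the transfer function, the join, the program of slide 63, and the [y := x*x] witness of slide 64. Assumptions: states are Python dicts (a missing key is undef), an unreached point is None, the entry state is the empty dict because CP_entry(1) is not legible in the transcript, and the arcs are read off the while-loop structure.

```python
# Added example (not from the slides): constant propagation.
import operator

TOP = "T"                      # "don't know"
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}

def A(a, sigma):
    """Abstract value of expression a in state sigma.
    a is an int constant, a variable name, or a tuple (op, a1, a2).
    Returns None for bottom/undef, an int, or TOP."""
    if sigma is None:
        return None
    if isinstance(a, int):
        return a
    if isinstance(a, str):
        return sigma.get(a)            # None when sigma(x) = undef
    op, a1, a2 = a
    z1, z2 = A(a1, sigma), A(a2, sigma)
    if z1 is None or z2 is None:       # case (B)
        return None
    if TOP in (z1, z2):                # case (C)
        return TOP
    return OPS[op](z1, z2)             # case (A)

def transfer(stmt, sigma):
    """f_p: sigma[x -> A[a]sigma] for an assignment (x, a), identity otherwise."""
    if sigma is None or stmt is None:
        return sigma
    x, a = stmt
    new = dict(sigma)
    v = A(a, sigma)
    if v is None:
        new.pop(x, None)
    else:
        new[x] = v
    return new

def join(s1, s2):
    """Point-wise least upper bound; undef is below every value."""
    if s1 is None:
        return s2
    if s2 is None:
        return s1
    out = dict(s1)
    for x, v in s2.items():
        out[x] = v if x not in out or out[x] == v else TOP
    return out

def analyse(stmts, arcs, entry_node, iota):
    """Round-robin iteration of the forward equations up to the least fixpoint."""
    nodes = sorted(stmts)
    entry = {p: None for p in nodes}
    exit_ = {p: None for p in nodes}
    changed = True
    while changed:
        changed = False
        for p in nodes:
            e = iota if p == entry_node else None
            for (q, r) in arcs:
                if r == p:
                    e = join(e, exit_[q])
            x = transfer(stmts[p], e)
            if (e, x) != (entry[p], exit_[p]):
                entry[p], exit_[p], changed = e, x, True
    return entry, exit_

# Program of slide 63; node 3 is the loop test (no assignment).
STMTS = {1: ("x", 10), 2: ("y", ("+", "x", 10)), 3: None,
         4: ("y", ("-", "y", 1)), 5: ("z", ("-", "x", 1))}
ARCS = [(1, 2), (2, 3), (3, 4), (4, 3), (3, 5)]   # assumed from the while loop

def constant_propagation():
    return analyse(STMTS, ARCS, 1, {})

def nondistributive_witness():
    """Returns (f(s1 join s2)(y), (f(s1) join f(s2))(y)) for y := x*x."""
    stmt = ("y", ("*", "x", "x"))
    s1, s2 = {"x": 1}, {"x": -1}
    joined_first = transfer(stmt, join(s1, s2))["y"]
    joined_after = join(transfer(stmt, s1), transfer(stmt, s2))["y"]
    return joined_first, joined_after

if __name__ == "__main__":
    entry, exit_ = constant_propagation()
    for p in sorted(STMTS):
        print(p, entry[p], exit_[p])
    print(nondistributive_witness())
```

The witness returns ⊤ when the states are joined before the transfer function and 1 when they are joined after it, which is the loss of precision that a distributive problem does not have.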
65 Abstract Interpretation
66 The people
Patrick Cousot, Radhia Cousot
Made in France
67 Applications
Developed in 77 for generalizing DFA
Successful model for: DFA, Model Checking, Types, Program transformation, etc.
Successfully used in concrete analysis systems since Y2000
analyzed ~2M lines of safety critical C code with no false alarms!
More informationGlobal Optimization. Lecture Outline. Global flow analysis. Global constant propagation. Liveness analysis. Local Optimization. Global Optimization
Lecture Outline Global Optimization Global flow analysis Global constant propagation Liveness analysis Compiler Design I (2011) 2 Local Optimization Recall the simple basic-block optimizations Constant
More informationait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS
ait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS Christian Ferdinand and Reinhold Heckmann AbsInt Angewandte Informatik GmbH, Stuhlsatzenhausweg 69, D-66123 Saarbrucken, Germany info@absint.com
More informationIntroduction to Machine-Independent Optimizations - 6
Introduction to Machine-Independent Optimizations - 6 Machine-Independent Optimization Algorithms Department of Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course
More informationSemantics of COW. July Alex van Oostenrijk and Martijn van Beek
Semantics of COW /; ;\ \\ // /{_\_/ `'\ \ (o) (o } / :--',-,'`@@@@@@@@ @@@@@@ \_ ` \ ;:( @@@@@@@@@ @@@ \ (o'o) :: ) @@@@ @@@@@@,'@@( `====' Moo! :: : @@@@@: @@@@ `@@@: :: \ @@@@@: @@@@@@@) ( '@@@' ;; /\
More informationLECTURE NOTES ON COMPILER DESIGN P a g e 2
LECTURE NOTES ON COMPILER DESIGN P a g e 1 (PCCS4305) COMPILER DESIGN KISHORE KUMAR SAHU SR. LECTURER, DEPARTMENT OF INFORMATION TECHNOLOGY ROLAND INSTITUTE OF TECHNOLOGY, BERHAMPUR LECTURE NOTES ON COMPILER
More informationFunctions. How is this definition written in symbolic logic notation?
functions 1 Functions Def. Let A and B be sets. A function f from A to B is an assignment of exactly one element of B to each element of A. We write f(a) = b if b is the unique element of B assigned by
More informationIntra-procedural Data Flow Analysis Introduction
The Setting: Optimising Compilers The Essence of Program Analysis Reaching Definitions Analysis Intra-procedural Data Flow Analysis Introduction Hanne Riis Nielson and Flemming Nielson email: {riis,nielson}@immdtudk
More informationLecture 21 CIS 341: COMPILERS
Lecture 21 CIS 341: COMPILERS Announcements HW6: Analysis & Optimizations Alias analysis, constant propagation, dead code elimination, register allocation Available Soon Due: Wednesday, April 25 th Zdancewic
More informationEECS 583 Class 6 Dataflow Analysis
EECS 583 Class 6 Dataflow Analysis University of Michigan September 26, 2011 Announcements & Reading Material Today s class» Compilers: Principles, Techniques, and Tools, A. Aho, R. Sethi, and J. Ullman,
More informationStatic analysis and all that
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule,
More informationConstructing Control Flow Graph for Java by Decoupling Exception Flow from Normal Flow
Constructing Control Flow Graph for Java by Decoupling Exception Flow from Normal Flow Jang-Wu Jo 1 and Byeong-Mo Chang 2 1 Department of Computer Engineering Pusan University of Foreign Studies Pusan
More informationA main goal is to achieve a better performance. Code Optimization. Chapter 9
1 A main goal is to achieve a better performance Code Optimization Chapter 9 2 A main goal is to achieve a better performance source Code Front End Intermediate Code Code Gen target Code user Machineindependent
More informationCS553 Lecture Generalizing Data-flow Analysis 3
Generalizing Data-flow Analysis Announcements Project 2 writeup is available Read Stephenson paper Last Time Control-flow analysis Today C-Breeze Introduction Other types of data-flow analysis Reaching
More informationCSCE 548 Building Secure Software Data Flow Analysis
CSCE 548 Building Secure Software Data Flow Analysis Professor Lisa Luo Spring 2018 Previous Class Why we need reverse engineering? Tools for reverse engineering Debugger Disassembler System monitoring
More informationWhy Global Dataflow Analysis?
Why Global Dataflow Analysis? Answer key questions at compile-time about the flow of values and other program properties over control-flow paths Compiler fundamentals What defs. of x reach a given use
More informationOptimizing Compilers. Vineeth Kashyap Department of Computer Science, UCSB. SIAM Algorithms Seminar, 2014
Optimizing Compilers Vineeth Kashyap Department of Computer Science, UCSB SIAM Algorithms Seminar, 2014 Warning!! Optimizing compiler is a misnomer My Background Worked on a compiler team for 2 years at
More informationComposing Dataflow Analyses and Transformations
Composing Dataflow Analyses and Transformations Technical Report UW-CSE-01-11-01 Sorin Lerner David Grove Craig Chambers Univ. of Washington IBM T.J. Watson Research Center Univ. of Washington lerns@cs.washington.edu
More informationLecture Notes: Widening Operators and Collecting Semantics
Lecture Notes: Widening Operators and Collecting Semantics 15-819O: Program Analysis (Spring 2016) Claire Le Goues clegoues@cs.cmu.edu 1 A Collecting Semantics for Reaching Definitions The approach to
More informationCode Optimization. Code Optimization
161 Code Optimization Code Optimization 162 Two steps: 1. Analysis (to uncover optimization opportunities) 2. Optimizing transformation Optimization: must be semantically correct. shall improve program
More informationLogic-Flow Analysis of Higher-Order Programs
Logic-Flow Analysis of Higher-Order Programs Matt Might http://matt.might.net/ POPL 2007 Why? Tim Sweeney, POPL 2006 Static array-bounds checking. Example... a[i]... Will 0 i < a.length always hold? 3
More informationCOMP80 Lambda Calculus Programming Languages Slides Courtesy of Prof. Sam Guyer Tufts University Computer Science History Big ideas Examples:
COMP80 Programming Languages Slides Courtesy of Prof. Sam Guyer Lambda Calculus Formal system with three parts Notation for functions Proof system for equations Calculation rules called reduction Idea:
More informationControl Flow Analysis. Reading & Topics. Optimization Overview CS2210. Muchnick: chapter 7
Control Flow Analysis CS2210 Lecture 11 Reading & Topics Muchnick: chapter 7 Optimization Overview Control Flow Analysis Maybe start data flow analysis Optimization Overview Two step process Analyze program
More informationCIS 890: Safety Critical Systems
CIS 890: Safety Critical Systems Lecture: SPARK -- Analysis Tools Copyright 2007, John Hatcliff. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course
More informationCA Compiler Construction
CA4003 - Compiler Construction David Sinclair Overview This module will cover the compilation process, reading and parsing a structured language, storing it in an appropriate data structure, analysing
More informationCS202 Compiler Construction
S202 ompiler onstruction pril 15, 2003 S 202-32 1 ssignment 11 (last programming assignment) Loop optimizations S 202-32 today 2 ssignment 11 Final (necessary) step in compilation! Implement register allocation
More informationABSTRACT INTERPRETATION
Master of Science in Engineering ABSTRACT INTERPRETATION Pascal Roman Artho, partho@hsr.ch Seminar Program Analysis and Transformation Rapperswil, January 7, 2015 Agenda Informal Example What is the idea
More informationEECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization
EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Dataflow Lecture: SDF, Kahn Process Networks Stavros Tripakis University of California, Berkeley Stavros Tripakis: EECS
More informationFormal Semantics of Programming Languages
Formal Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html Benefits of formal
More informationStatic Analysis by A. I. of Embedded Critical Software
Static Analysis by Abstract Interpretation of Embedded Critical Software Julien Bertrane ENS, Julien.bertrane@ens.fr Patrick Cousot ENS & CIMS, Patrick.Cousot@ens.fr Radhia Cousot CNRS & ENS, Radhia.Cousot@ens.fr
More informationLectures 20, 21: Axiomatic Semantics
Lectures 20, 21: Axiomatic Semantics Polyvios Pratikakis Computer Science Department, University of Crete Type Systems and Static Analysis Based on slides by George Necula Pratikakis (CSD) Axiomatic Semantics
More informationCS577 Modern Language Processors. Spring 2018 Lecture Optimization
CS577 Modern Language Processors Spring 2018 Lecture Optimization 1 GENERATING BETTER CODE What does a conventional compiler do to improve quality of generated code? Eliminate redundant computation Move
More informationProgram analysis for determining opportunities for optimization: 2. analysis: dataow Organization 1. What kind of optimizations are useful? lattice al
Scalar Optimization 1 Program analysis for determining opportunities for optimization: 2. analysis: dataow Organization 1. What kind of optimizations are useful? lattice algebra solving equations on lattices
More informationFormal Semantics of Programming Languages
Formal Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html Benefits of formal
More informationCompiler Construction 2010/2011 Loop Optimizations
Compiler Construction 2010/2011 Loop Optimizations Peter Thiemann January 25, 2011 Outline 1 Loop Optimizations 2 Dominators 3 Loop-Invariant Computations 4 Induction Variables 5 Array-Bounds Checks 6
More information