Eliminating Stack Overflow by Abstract Interpretation

Similar documents
Static Analysis of Embedded C

Static Analysis of Embedded C Code

Random Testing of Interrupt-Driven Software. John Regehr University of Utah

Lazy Preemption to Enable Path-Based Analysis of Interrupt-Driven Code

Data-flow Analysis for Interruptdriven Microcontroller Software

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

StackAnalyzer Proving the Absence of Stack Overflows

The CPU and Memory. How does a computer work? How does a computer interact with data? How are instructions performed? Recall schematic diagram:

Static WCET Analysis: Methods and Tools

Automated thread stack management for resourceconstrained

ME 4447/6405. Microprocessor Control of Manufacturing Systems and Introduction to Mechatronics. Instructor: Professor Charles Ume LECTURE 6

Computer Systems Lecture 9

Fixed-Point Math and Other Optimizations

FMCAD 2011 (Austin, Texas) Jonathan Kotker, Dorsa Sadigh, Sanjit Seshia University of California, Berkeley

Today s Topics. u Thread implementation. l Non-preemptive versus preemptive threads. l Kernel vs. user threads

In examining performance Interested in several things Exact times if computable Bounded times if exact not computable Can be measured

AVR Microcontrollers Architecture

Last Time. Think carefully about whether you use a heap Look carefully for stack overflow Especially when you have multiple threads

UNIT 3

Towards a Resilient Operating System for Wireless Sensor Networks

EMBEDDED Systems. Functions. MODULE- 1 C programming with data Structure Introduction to C. Array and String. Control Flow Statements In C

Microcomputer Architecture and Programming

Name, Scope, and Binding. Outline [1]

FreeRTOS. A Brief Overview. Christopher Kenna. October 1, Avionics. FreeRTOS 1 / 34

Examples of Code Roaches. First Draft List Cem Kaner September 11, 2005

Lecture 9 Dynamic Compilation

COMP2121: Microprocessors and Interfacing. Instruction Set Architecture (ISA)

6.1 Motivation. Fixed Priorities. 6.2 Context Switch. Real-time is about predictability, i.e. guarantees. Real-Time Systems

Unit I. Introduction Microcontrollers and Embedded processors Overview of the 8051 Inside the 8051 Addressing Modes

Fig 1. Block diagram of a microcomputer

Older geometric based addressing is called CHS for cylinder-head-sector. This triple value uniquely identifies every sector.

About this exam review

ASSEMBLY LANGUAGE MACHINE ORGANIZATION

WCET-Aware C Compiler: WCC

Interprocedural Analysis. CS252r Fall 2015

G Programming Languages - Fall 2012

Numerical Static Analysis of Interrupt-Driven Programs via Sequentialization

Adding Preemption to TinyOS

A First Look at Microprocessors

Problem with Scanning an Infix Expression

Example. program sort; var a : array[0..10] of integer; procedure readarray; : function partition (y, z :integer) :integer; var i, j,x, v :integer; :

A Time-Triggered View. Peter PUSCHNER

8051/8052/8031 Microcontroller

Registers. Registers

CIS 1.5 Course Objectives. a. Understand the concept of a program (i.e., a computer following a series of instructions)

Real-Time Component Software. slide credits: H. Kopetz, P. Puschner

Chapter 7 Subroutines. Richard P. Paul, SPARC Architecture, Assembly Language Programming, and C

Run-time Environments

QUIZ How do we implement run-time constants and. compile-time constants inside classes?

CSE 504. Expression evaluation. Expression Evaluation, Runtime Environments. One possible semantics: Problem:

Run-time Environments


Qualifying Exam in Programming Languages and Compilers

! Those values must be stored somewhere! Therefore, variables must somehow be bound. ! How?

Programming Languages

PC Interrupt Structure and 8259 DMA Controllers

Random Testing of Interrupt-Driven Software

INTERRUPTS in microprocessor systems

Finding Firmware Defects Class T-18 Sean M. Beatty

Recursion. Comp Sci 1575 Data Structures. Introduction. Simple examples. The call stack. Types of recursion. Recursive programming

Chap. 8 :: Subroutines and Control Abstraction

Interrupt response times on Arduino and Raspberry Pi. Tomaž Šolc

Newbie s Guide to AVR Interrupts

Notos: Efficient Emulation of Wireless Sensor Networks with Binary-to-Source Translation

Lecture Notes on Garbage Collection

Embedded System Curriculum

Programming Languages Third Edition. Chapter 9 Control I Expressions and Statements

Control Abstraction. Hwansoo Han

ARM7 TDMI Microcontroller

INDUSTRIAL TRAINING:6 MONTHS PROGRAM TEVATRON TECHNOLOGIES PVT LTD

CSc 453 Interpreters & Interpretation

FROM TIME-TRIGGERED TO TIME-DETERMINISTIC REAL-TIME SYSTEMS

CPU: SOFTWARE ARCHITECTURE INSTRUCTION SET (PART

Instruction Set Architecture (ISA)

Green Hills Software, Inc.

Problem with Scanning an Infix Expression

NanoRK. EECE 494 Sathish Gopalakrishnan

Microcontrollers. Microcontroller

Embedded Systems. Software Development & Education Center. (Design & Development with Various µc)

Parallel Execution of Kahn Process Networks in the GPU

Automation Engineers AB Pvt Ltd, NOIDA Job-Oriented Course on Embedded Microcontrollers & Related Software Stack

Chapter 14 - Processor Structure and Function

CS1101: Lecture 34. The ISA Level. Instruction Sets. Lecture Outline. Introduction. Data Movement Instructions. Instruction Types

Lecture Notes: FIE on Firmware: Finding Vulnerabilities in Embedded Systems using Symbolic Execution

CSE332: Data Abstractions Lecture 7: B Trees. James Fogarty Winter 2012

Embed Release Notes

Interrupt/Timer/DMA 1

What s An OS? Cyclic Executive. Interrupts. Advantages Simple implementation Low overhead Very predictable

SOME ASSEMBLY REQUIRED

Binding and Storage. COMP 524: Programming Language Concepts Björn B. Brandenburg. The University of North Carolina at Chapel Hill

Compiler Construction

CS 61C: Great Ideas in Computer Architecture Lecture 2: Introduction to C, Part I

Have difficulty identifying any products Not incorporating embedded processor FPGA or CPLD In one form or another

INITIALISING POINTER VARIABLES; DYNAMIC VARIABLES; OPERATIONS ON POINTERS

COMP3221: Microprocessors and. and Embedded Systems. Instruction Set Architecture (ISA) What makes an ISA? #1: Memory Models. What makes an ISA?

9/29/2016. Chapter 4 Trees. Introduction. Terminology. Terminology. Terminology. Terminology

Ch. 11: References & the Copy-Constructor. - continued -

Organization of Programming Languages (CSE452) Why are there so many programming languages? What makes a language successful?

For more notes of DAE

CSE 501 Midterm Exam: Sketch of Some Plausible Solutions Winter 1997

Transcription:

Eliminating Stack Overflow by Abstract Interpretation Paper by John Regehr, Alastair Reid, and Kirk Webb ACM Transactions on Embedded Computing Systems, Nov 005 Truong Nghiem nghiem@seas.upenn.edu Outline Introduction Static Analysis Approach Dataflow Analysis Stack Depth Analysis Evaluation Reducing Stack Depth Conclusion

Introduction: Static Analysis Embedded software on inexpensive microprocessors: Used in safety critical applications, hard to upgrade Undesirable to overprovision resources due to strict constraints on cost, size, power Static analysis of software is important! Worst-case resource requirements (e.g. memory) should be determined statically & accurately! Why statically (but not dynamically)? Lack of resources and power on inexpensive microprocessors; real-time requirements 3 Introduction: Stack Safety Stack safety = not run out of stack memory at runtime Why is stack safety important? Stack overflow causes memory corruption system crash / incorrect behavior + safety critical applications = disaster Dynamic stack checking/expansion/sharing (see Wei s presentation) is infeasible on small real-time embedded systems. 4

Introduction: Testing-based Approach Offline testing using as many cases as possible Typical procedure: Set sufficiently large stack size Run many tests. If stack overflow occurs, increase stack size. Finally, use larger stack size for safety (hopefully) Disadvantages: Some executable paths are missed (esp. in interruptdriven systems) possibility of stack overflow not eliminated Programmers usually use larger stack size than needed waste of limited, valuable memory resources Little feedback to help optimize memory usage 5 Introduction: Static Analysis Approach Statically analyze the software to find stack bound Never underestimate the true worst-case stack depth ensure stack safety Sufficiently precise: try to be as close to the true worst-case stack depth as possible, but Fast enough Informative: to help improve memory usage Current: experimental tool for Atmel AVR microcontrollers. 6 3

Static Analysis Approach Stack requirement analysis: Sequential code: rather straightforward Interrupt-driven code: challenging An interrupt can fire at virtually any time, when: The event (interrupt source) occurs Typically: the master interrupt enable bit is set The interrupt is enabled Processor has just finished executing an instruction Finding stack depth bound: with n interrupts Only one interrupt at a time underestimate, not practical All interrupts at a time overestimate since not all interrupts are enabled at a time (consider interrupt masks) 7 Static Analysis Approach Two-part analysis: Context-sensitive dataflow analysis: identify unexecutable branches, compute state of interrupt mask at each point, compute worst-case stack depth of sequential code (main code, interrupt handlers) Compute interrupt preemption graph (IPG) IPG: weighted, directed graph of possible interrupt preemptions Edges: potential preemptions Weights: stack memory requirements int 7 0 main 5 0 int int 3 int 4 0 5 int 3 int int 4 compute stack depth bound by searching through the IPG 8 4

Static Analysis Approach Analyze object code instead of source code: Separated from compilers: we can use any compiler Independent of languages (Asm, C, Pascal, ADA, ) Don t need source code of libraries 9 Dataflow Analysis Two challenges: Compute the stack requirement of each interrupt handler and the main code: call-graph can be constructed because indirect calls and recursion are uncommon in embedded systems [Engblom] Compute the interrupt masks (master and individual) at each program point to construct the IPG Tracking the interrupt masks: Model the effects of arithmetic and logical operations Model partially unknown data Follow the control-flow: conditional instructions The more precise the interrupt mask tracking is, the better the computed stack bound is 0 5

Dataflow Analysis Main idea: Abstracting the machine state Abstract necessary part of the machine state (registers, memory, ) Interpret the object code to approximate the machine state with sufficient precision in reasonable time Abstract interpreter design questions: What should be modeled? Program counter, generalpurpose registers, several SFRs, probably values on the stack (experimental). Main memory and most SFRs are not modeled. How to model? Model at the bit-level to capture bitwise operations on interrupt masks and condition code register. Dataflow Analysis Bit-level modeling of machine state Model each bit by set of three values 0: bit is 0 : bit is : unknown value Unknown values External input, e.g. sensor reading Data from unmodeled part, e.g. main memory Mergence of control flow paths, e.g. ifthen-else 6

Dataflow Analysis Operations in the bit-wise domain Results of abstract operators should be as precise as possible, considering the unknown value of bits. Two special cases: Add-with-carry instruction: consider carry bit, if applied to same register then it is rotate left through carry adc r4, r4 ; MSB of r4 to carry bit Exclusive OR (XOR): if applied to same register then it clears the register. Example: {,,0,,,0,,0} AND {0,,,,,0,, } = {0,,0,,,0,,0} 3 Dataflow Analysis Managing abstract machine state Create a copy of abstract state at points of conditional instructions (if unable to determine) Question: when to merge two abstract states? Too infrequently resource & time consuming Too frequently imprecise results Trade-off between resource & accuracy Criteria for merging states: Context-sensitive & -insensitive: each invocation of same function is analyzed separately or not Path-sensitive & -insensitive: each control-flow path is analyzed separately or not (always merge at joint points) Authors tool: path- and context-sensitive (more precise interrupt masks leading to more precise results) 4 7

Dataflow Analysis Assumptions Indirect stores to memory do not modify return addresses and registers mapped into memory space. No self-modifying code (discouraged in embedded systems). If found, raise error. Explicit stack pointer modification: recognized by macro instructions (with observation that instructions changing SP come in several patterns). If not recognized, raise error. Indirect branches: indirect call, changing return address, e.g. in preemptive RTOS, is currently not considered. However, it is analogous to the case of interrupt handlers. Recursion: developers must explicitly specify maximum iteration count. Treated to maximum depth in analysis. Modeling stack frames: model the values on stack to improve accuracy (experimental) 5 Stack Depth Analysis Assumptions Acyclic IPG: usually interrupt handlers are not re-entrant (i.e. at most one instance of it at one time), leading to acyclic IPG. If cyclic, max number of re-entrances must be specified. Machine state before interrupt is saved and is restored properly on return Compute stack depth: traverse the (acyclic) IPG depth(i): stack depth bound of interrupt handler i depth(i,j): max stack depth of interrupt handler i at program points where interrupt handler j is enabled, or - if j is never enabled by i. Worst-case stack depth (wcsd) of interrupt handler i wcsd(i) = max{depth(i),max j=..n {depth(i,j)+wcsd(j)}} Global stack depth bound is wcsd(0) of reset interrupt vector. 6 8

Evaluation of Technique & Tool Used simulator to validate the abstract interpreter Validating stack bounds: it must be true that worst-observed (testing-based) true worst estimated worst Good stack bound result (from a TinyOS example): Observed worst-case depths Int 0 = 7 (not supported) Int 5 = 9 Int 7 = 9 (not supported) (not supported) Int = 30 Stack bound results Int 0 = 9 Int = Int 5 = 9 Int 7 = 9 Int 8 = Int 0 = 3 Int = 30 The tool also provides bounds for interrupts not supported by the simulator (testing-based approach) 7 Evaluation of Technique & Tool The global analysis Analyzed 75 embedded applications: TinyOS applications (old version with C, new version with nesc), several control programs (self-balancing scooter, autonomous helicopter) Some results (figure) Quite fast: On Pen4, 3 GHz Only 3 required more than s Worst: 9s 8 9

Reducing Stack Depth Useful to free memory, allow to use cheaper CPU. Utilize feedback information from the analysis tool. Way #: reduce stack requirement of each edge in IPG Currently implement function inlining Use cost-function to balance between stack depth & code size Rather effective but quite slow (80 minutes for an example!!!) More advanced algorithms and support from compilation techniques may help Way #: eliminating unnecessary preemption Simplify the shape of the IPG by removing unnecessary edges Developers explicitly specify edges to be removed (based on understanding of the system with the help of the tool). 9 Reducing Stack Depth Example of way # Example of way # (TinyOS s RfmToLeds example) Stack depth bound reduces from 8 bytes to 9 bytes 0 0

Conclusion Stack safety is important in embedded systems, but hard to verify by testing. Authors have developed techniques and experimental tools for static analysis of embedded software to find stack depth bound. Two novel methods have been developed for reducing stack memory requirement, utilizing the analysis tool. Design of the analyzer is more of an art than a science, with various tradeoffs. Source code: Analyzer: http://www.cs.utah.edu/~regehr/stacktool/ Global inliner for GCC: http://www.cs.utah.edu/flux/knit/cmi.html References J. Regehr, A. Reid, K. Webb. Eliminating stack overflow by abstract interpretation. ACM Trans. Emb. Comp. Sys., Nov 005. J. Engblom. Static properties of commercial embedded real-time programs, and their implication for worst-case execution time analysis. IEEE Real-time Technology and Application Symp., 999. D. Brylow, N. Damgaard, J. Palsberg. Static checking of interrupt-driven software. Intl. Conf. on Software Engineering, 00.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback