Pluggable Domains for C Dataflow Analysis Nathan Cooprider and John Regehr {coop, School of Computing, University of Utah.

Slides:



Advertisements
Similar presentations
PHP I.
Advertisements

CodeContracts & Clousot Francesco Logozzo - Microsoft Mehdi Bouaziz – ENS.
Control Structures Any mechanism that departs from straight-line execution: –Selection: if-statements –Multiway-selection: case statements –Unbounded iteration:
Can You Trust Your Computer? CS365 – Mathematics of Computer Science Spring 2007 David Uhrig Tiffany Sharrard.
Symbolic execution © Marcelo d’Amorim 2010.
Program Representations. Representing programs Goals.
CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.
Management Support Systems A Hierarchy and a Guide.
Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.
C. Varela; Adapted w/permission from S. Haridi and P. Van Roy1 Declarative Computation Model Defining practical programming languages Carlos Varela RPI.
Intermediate code generation. Code Generation Create linear representation of program Result can be machine code, assembly code, code for an abstract.
COMP171 Data Structure & Algorithm Tutorial 1 TA: M.Y.Chan.
1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.
1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
November 29, 2005Christopher Tuttle1 Linear Scan Register Allocation Massimiliano Poletto (MIT) and Vivek Sarkar (IBM Watson)
Advanced Compilers CSE 231 Instructor: Sorin Lerner.
Reasons to study concepts of PL
Lock Inference for Systems Software John Regehr Alastair Reid University of Utah March 17, 2003.
RubyPolish: Static Bug Detection in Ruby Programs John Locke Alex Mont.
CS 280 Data Structures Professor John Peterson. Lexer Project Questions? Must be in by Friday – solutions will be posted after class The next project.
A Static Analysis Framework For Embedded Systems Nathan Cooprider John Regehr's Embedded Systems Group.
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.
Recap from last time: live variables x := 5 y := x + 2 x := x + 1 y := x y...
Building An Interpreter After having done all of the analysis, it’s possible to run the program directly rather than compile it … and it may be worth it.
Procedure Optimizations and Interprocedural Analysis Chapter 15, 19 Mooly Sagiv.
Language Evaluation Criteria
Starting Chapter 4 Starting. 1 Course Outline* Covered in first half until Dr. Li takes over. JAVA and OO: Review what is Object Oriented Programming.
Compiler Construction Lecture 16 Data-Flow Analysis.
Week 2 CS 361: Advanced Data Structures and Algorithms
IT253: Computer Organization Lecture 4: Instruction Set Architecture Tonga Institute of Higher Education.
CSC 338: Compiler design and implementation
1 Names, Scopes and Bindings Aaron Bloomfield CS 415 Fall
Chapter 6 Programming Languages (2) Introduction to CS 1 st Semester, 2015 Sanghyun Park.
1 CS232: Computer Architecture II Fall 2011 Intel i7 Quad-core.
An Investigation into ROTOR and C-Sharp(C#) Zunaid Jogee Supervisors: Prof. P. Wentworth T. Stakemire.
Control Flow Deobfuscation via Abstract Interpretation © Rolf Rolles, 2010.
Synthesis with the Sketch System D AY 1 Armando Solar-Lezama.
C++ crash course Class 8 statements, sort, flight times program.
Module 3: Steering&Arrays #1 2000/01Scientific Computing in OOCourse code 3C59 Module 3: Algorithm steering elements If, elseif, else Switch and enumerated.
Towards the better software metrics tool motivation and the first experiences Gordana Rakić Zoran Budimac.
The course. Description Computer systems programming using the C language – And possibly a little C++ Translation of C into assembly language Introduction.
Computer Architecture
Data-Flow Analysis (Chapter 8). Outline What is Data-Flow Analysis? Structure of an optimizing compiler An example: Reaching Definitions Basic Concepts:
CPSC 873 John D. McGregor Session 9 Testing Vocabulary.
CPSC 871 John D. McGregor Module 8 Session 1 Testing.
 Software Development Life Cycle  Software Development Tools  High Level Programming:  Structures  Algorithms  Iteration  Pseudocode  Order of.
1 CS232: Computer Architecture II Fall 2010 AMD dual-core Opteron.
PLC '06 Experience in Testing Compiler Optimizers Using Comparison Checking Masataka Sassa and Daijiro Sudo Dept. of Mathematical and Computing Sciences.
CSC 243 – Java Programming, Spring, 2014 Week 4, Interfaces, Derived Classes, and Abstract Classes.
Abstraction and Abstract Interpretation. Abstraction (a simplified view) Abstraction is an effective tool in verification Given a transition system, we.
CPSC 372 John D. McGregor Module 8 Session 1 Testing.
WCET 2007, Pisa, page 1 of 27 Tid rum WCET'2007 Analysing Switch-Case Tables by Partial Evaluation Niklas Holsti Tidorum Ltd
Pluggable Domains for C Dataflow Analysis Nathan Cooprider and John Regehr {coop, School of Computing, University of Utah.
Phoenix Based Dynamic Slicing Debugging Tool Eric Cheng Lin Xu Matt Gruskin Ravi Ramaseshan Microsoft Phoenix Intern Team (Summer '06)
Nathan Cooprider and John Regehr University of Utah School of Computing Pluggable Abstract Domains for Analyzing Embedded Software.
CSC 533: Programming Languages Spring 2016
CSC 533: Programming Languages Spring 2015
Software Development Expansion of topics page 28 in Zelle
John D. McGregor Session 9 Testing Vocabulary
Session 3 Memory Management
John D. McGregor Session 9 Testing Vocabulary
Chapter 10 The Stack.
Symbolic Implementation of the Best Transformer
John D. McGregor Session 9 Testing Vocabulary
Introduction to Programming
The Metacircular Evaluator
The Metacircular Evaluator (Continued)
3.5 Polynomial and Rational Inequalities
Dynamic Binary Translators and Instrumenters
Presentation transcript:

Pluggable Domains for C Dataflow Analysis Nathan Cooprider and John Regehr {coop, School of Computing, University of Utah

What it is all about ● We read texts on static analysis, program analysis, and abstract interpretation ● Covered lattices, fixpoints, partial evaluation, symbolic execution, transfer functions, CFGs ● ⊤ (no possible values), ┴ (all possible values) ● So what? ● This paper is about cXprop, our implementation of these ideas with an eye towards pluggable abstract domains

Shameless plug: I will give a presentation about Fernando J. Corbató and the talk he gave when receiving his Turing award: On Building Systems That Will Fail 3:05 pm tomorrow (Friday) here (LCR)

A few other static analysis tools: ● Program Analyzer Generator (PAG) – Needs from the user: ● lattice ● transfer functions ● language description ● fixpoint solution method ● McCAT – Generalized Constant Propagation (GCP) ● Machine SUIF – based on – different interface

CIL ● C Intermediate Language – developed at UCB ● Cleans up C to a few core constructs – removes syntactic sugar (like “->” notation) – arrays become pointers – all loops become while loops ● Works on real programs – handles ANSI-C, C, and GNU C – SPEC 95, linux kernel,, bzip

C : A million and one ways... ● To shoot yourself (and our analysis) in the foot – Stack manipulations – External calls – Floating point – Order of evaluation – Concurrency – Missing returns

cXpropcXprop

Two important pieces: ● Write sets – in figure, x is ┴ inside foo – but what if foo does not use x? ● Pointer analysis – what to do with reading or writing pointers – function pointer calls

Constant let mult d1 d2 tp = match d1, d2 with Constant(z), _ | _, Constant(z) when (isZero z) -> Constant (zero) | Bottom, _ | _, Bottom -> Bottom | Constant(e1), Constant(e2) -> conc_to_abs (BinOp(Mult,e1,e2,tp)) 1 int tricky () { 2 int x = 1; 3 int count = 0; 4 do { 5 int b = x; 6 if (b != 1) 7 x = 2; 8 count += x; 9 } while (count < 10); 10 return x; 11 }

Parity 1 int tricky () { 2 int x = 1; 3 int count = 0; 4 do { 5 int b = x; 6 if (b != 1) 7 x = 2; 8 count += x; 9 } while (count < 10); 10 return x; 11 } let plusa (d1:t) (d2:t) tp = match d1, d2 with Bottom, _ | _, Bottom -> Bottom | Even, Even | Odd, Odd -> Even | Even, Odd | Odd, Even -> Odd

Bitwise 1 int tricky () { 2 int x = 1; 3 int count = 0; 4 do { 5 int b = x; 6 if (b != 1) 7 x = 2; 8 count += x; 9 } while (count < 10); 10 return x; 11 } let lnot (d, dk) tp = if ((dk = no_bottoms)&&(d = I.zero)) then TbTrue else if (I.logand d dk) <> I.zero then TbFalse else TbBottom

Information ● entropy in information theory (not physics) ● Information – = # of possible values that can be represented – = # of values that might be represented ● Information bits known – = # of information bits – = # of information bits unknown – = # of information bits known

Domain Comparison

Conclusion ● cXprop performs abstract interpretation ● Convenient interface for new abstract domains ● Five domains already implemented: – parity, constant, value set, interval, bitwise ● Not all programs analyze the same way ● Pick the right domain for the program ● May be downloaded at:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.