Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Representations Xiangyu Zhang. CS590F Software Reliability Why Program Representations  Initial representations Source code (across languages).

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Program Representations Xiangyu Zhang. CS590F Software Reliability Why Program Representations  Initial representations Source code (across languages)."— Presentation transcript:

1 Program Representations Xiangyu Zhang

2 CS590F Software Reliability Why Program Representations  Initial representations Source code (across languages). Binaries (across machines and platforms). Source code / binaries + test cases.  They are hard for machines to analyze.

3 CS590F Software Reliability Program Representations  Static program representations Abstract syntax tree; Control flow graph; Program dependence graph; Call graph; Points-to relations.  Dynamic program representations Control flow trace, address trace and value trace; Dynamic dependence graph; Whole execution trace;

4 CS590F Software Reliability (1) Abstract syntax tree  An abstract syntax tree (AST) is a finite, labeled, directed tree, where the internal nodes are labeled by operators, and the leaf nodes represent the operands of the operators. Program chipping.

5 CS590F Software Reliability (2) Control Flow Graph (CFG)  Consists of basic blocks and edges A maximal sequence of consecutive instructions such that inside the basic block an execution can only proceed from one instruction to the next (SESE). Edges represent potential flow of control between BBs. Program path. B1 B2B3 B4  CFG =  V = Vertices, nodes (BBs)  E = Edges, potential flow of control E  V × V  Entry, Exit  V, unique entry and exit

6 CS590F Software Reliability (2) An Example of CFG 1: sum=0 2: i=1 3: while ( i<N) do 4:i=i+1 5:sum=sum+i endwhile 6: print(sum) 3: while ( i<N) do 1: sum=0 2: i=1 4: i=i+1 5: sum=sum+i 6: print (sum) BB- A maximal sequence of consecutive instructions such that inside the basic block an execution can only proceed from one instruction to the next (SESE).

7 CS590F Software Reliability (3) Program Dependence Graph (PDG)– Data Dependence  S data depends T if there exists a control flow path from T to S and a variable is defined at T and then used at S. 123123 456456 789789 10

8 CS590F Software Reliability (3) PDG – Control Dependence  X dominates Y if every possible program path from the entry to Y has to pass X. Strict dominance, dominator, immediate dominator. 1: sum=0 2: i=1 3: while ( i<N) do 4:i=i+1 5:sum=sum+i endwhile 6: print(sum) 3: while ( i<N) do 1: sum=0 2: i=1 4: i=i+1 5: sum=sum+i 6: print (sum) DOM(6)={1,2,3,6} IDOM(6)=3

9 CS590F Software Reliability (3) PDG – Control Dependence  X post-dominates Y if every possible program path from Y to EXIT has to pass X. Strict post-dominance, post-dominator, immediate post- dominance. 1: sum=0 2: i=1 3: while ( i<N) do 4:i=i+1 5:sum=sum+i endwhile 6: print(sum) 3: while ( i<N) do 1: sum=0 2: i=1 4: i=i+1 5: sum=sum+i 6: print (sum) PDOM(5)={3,5,6} IPDOM(5)=3

10 CS590F Software Reliability (3) PDG – Control Dependence  Intuitively, Y is control-dependent on X iff X directly determines whether Y executes (statements inside one branch of a predicate are usually control dependent on the predicate) there exists a path from X to Y s.t. every node in the path other than X and Y is post-dominated by Y X is not strictly post-dominated by Y Sorin Lerner X Y Not post-dominated by Y Every node is post-dominated by Y

11 CS590F Software Reliability (3) PDG – Control Dependence 1: sum=0 2: i=1 3: while ( i<N) do 4:i=i+1 5:sum=sum+i endwhile 6: print(sum) 3: while ( i<N) do 1: sum=0 2: i=1 4: i=i+1 5: sum=sum+i 6: print (sum) CD(5)=3 CD(3)=3, tricky! A node (basic block) Y is control-dependent on another X iff X directly determines whether Y executes there exists a path from X to Y s.t. every node in the path other than X and Y is post-dominated by Y X is not strictly post-dominated by Y

12 CS590F Software Reliability (3) PDG – Control Dependence is not Syntactically Explicit 1: sum=0 2: i=1 3: while ( i<N) do 4:i=i+1 5:if (i%2==0) 6: continue; 7:sum=sum+i endwhile 8: print(sum) 3: while ( i<N) do 1: sum=0 2: i=1 4: i=i+1 5: if (i%2==0) 8: print (sum) 7: print (sum) A node (basic block) Y is control-dependent on another X iff X directly determines whether Y executes there exists a path from X to Y s.t. every node in the path other than X and Y is post-dominated by Y X is not strictly post-dominated by Y

13 CS590F Software Reliability (3) PDG – Control Dependence is Tricky! A node (basic block) Y is control-dependent on another X iff X directly determines whether Y executes there exists a path from X to Y s.t. every node in the path other than X and Y is post-dominated by Y X is not strictly post-dominated by Y  Can a statement control depends on two predicates?

14 CS590F Software Reliability (3) PDG – Control Dependence is Tricky! A node (basic block) Y is control-dependent on another X iff X directly determines whether Y executes there exists a path from X to Y s.t. every node in the path other than X and Y is post-dominated by Y X is not strictly post-dominated by Y 1: if ( p1 || p2 ) 2: s1; 3: s2; 1: ? p1  Can one statement control depends on two predicates? 1: ? p2 2: s1 3: s2 What if ? 1: if ( p1 && p2 ) 2: s1; 3: s2; Interprocedural CD, CD in case of exception,…

15 CS590F Software Reliability (3) PDG  A program dependence graph consists of control dependence graph and data dependence graph  Why it is so important to software reliability? In debugging, what could possibly induce the failure? In security p=getpassword( ); … if (p==“zhang”) { send (m); }

16 CS590F Software Reliability (4) Points-to Graph  Aliases: two expressions that denote the same memory location.  Aliases are introduced by: pointers call-by-reference array indexing C unions

17 CS590F Software Reliability (4) Points-to Graph  Aliases: two expressions that denote the same memory location.  Aliases are introduced by: pointers call-by-reference array indexing C unions

18 CS590F Software Reliability (4) Why Do We Need Points-to Graphs  Debugging x.lock();... y.unlock(); // same object as x?  Security F(x,y) { x.f=password; … print (y.f); } F(a,a); disaster!

19 CS590F Software Reliability (4) Points-to Graph  Points-to Graph at a program point, compute a set of pairs of the form p -> x, where p MAY/MUST points to x. m(p) { r = new C(); p->f = r; t = new C(); if (…) q=p; r->f = t; } r

20 CS590F Software Reliability (4) Points-to Graph  Points-to Graph at a program point, compute a set of pairs of the form p->x, where p MAY/MUST points to x. m(p) { r = new C(); p->f = r; t = new C(); if (…) q=p; r->f = t; } p r f

21 CS590F Software Reliability (4) Points-to Graph  Points-to Graph at a program point, compute a set of pairs of the form p->x, where p MAY/MUST points to x. m(p) { r = new C(); p->f = r; t = new C(); if (…) q=p; r->f = t; } p r f t

22 CS590F Software Reliability (4) Points-to Graph  Points-to Graph at a program point, compute a set of pairs of the form p->x, where p MAY/MUST points to x. m(p) { r = new C(); p->f = r; t = new C(); if (…) q=p; r->f = t; } p q r f t

23 CS590F Software Reliability (4) Points-to Graph  Points-to Graph at a program point, compute a set of pairs of the form p->x, where p MAY/MUST points to x. m(p) { r = new C(); p->f = r; t = new C(); if (…) q=p; r->f = t; } p q r f t f p->f->f and t are aliases

24 CS590F Software Reliability (5) Call Graph  Call graph nodes are procedures edges are calls  Hard cases for building call graph calls through function pointers Can the password acquired at A be leaked at G?

25 CS590F Software Reliability How to acquire and use these representations?  Will be covered by later lectures.

26 CS590F Software Reliability Program Representations  Static program representations Abstract syntax tree; Control flow graph; Program dependence graph; Call graph; Points-to relations.  Dynamic program representations Control flow trace; Address trace, Value trace; Dynamic dependence graph; Whole execution trace;

27 CS590F Software Reliability (1) Control Flow Trace 3: while ( i<N) do 1: sum=0 2: i=1 4: i=i+1 5: sum=sum+i 6: print (sum) 1 1 : sum=0 3 1 : while ( i<N) do 5 1 : sum=sum+i 3 2 : while ( i<N) do 4 2 : i=i+1 3 3 : while ( i<N) do 6 1 : print (sum) N=2: 2 1 : i=1 4 1 : i=i+1 5 2 : sum=sum+i x is a program point, x i is an execution point

28 CS590F Software Reliability (1) Control Flow Trace 3: while ( i<N) do 1: sum=0 2: i=1 4: i=i+1 5: sum=sum+i 6: print (sum) 1 1 : sum=0 i=1 3 1 : while ( i<N) do 4 1 : i=i+1 sum=sum+i 3 2 : while ( i<N) do 4 2 : i=i+1 sum=sum+i 3 3 : while ( i<N) do 6 1 : print (sum) N=2: A More Compact CFT: 1 1 2 1 3 1 4 1 5 1 3 2 4 2 5 2 3 3 6 1 1 1 3 1 4 1 3 2 4 2 3 3 6 1

29 CS590F Software Reliability (2) Dynamic Dependence Graph (DDG) Input: N=2 5 1 : for i=1 to N do 6 1 : if (i%2==0) then 8 1 : a=a+1 1 1 : z=0 2 1 : a=0 3 1 : b=2 4 1 : p=&b 1: z=0 2: a=0 3: b=2 4: p=&b 5: for i = 1 to N do 6: if ( i %2 == 0) then 7: p=&a endif endfor 8: a=a+1 9: z=2*(*p) 10: print(z)

30 CS590F Software Reliability (2) Dynamic Dependence Graph (DDG) Input: N=2 5 1 : for i=1 to N do 6 1 : if (i%2==0) then 7 1 : p=&a 8 1 : a=a+1 9 1 : z=2*(*p) 10 1 : print(z) 1 1 : z=0 2 1 : a=0 3 1 : b=2 4 1 : p=&b 5 2 : for I=1 to N do 6 2 : if (i%2==0) then 8 2 : a=a+1 9 2 : z=2*(*p) 1: z=0 2: a=0 3: b=2 4: p=&b 5: for i = 1 to N do 6: if ( i %2 == 0) then 7: p=&a endif endfor 8: a=a+1 9: z=2*(*p) 10: print(z) One use has only one definition at runtime; One statement instance control depends on only one predicate instance.

31 CS590F Software Reliability (3) Whole Execution Trace 5:for i=1 to N 6:if (i%2==0) then 7: p=&a 8: a=a+1 9: z=2*(*p) 10: print(z) T F 1: z=0 2: a=0 3: b=2 4: p=&b T Input: N=2 1 1 : z=0 2 1 : a=0 3 1 : b=2 4 1 : p=&b 5 1 : for i = 1 to N do 6 1 : if ( i %2 == 0) then 8 1 : a=a+1 9 1 : z=2*(*p) 5 2 : for i = 1 to N do 6 2 : if ( i %2 == 0) then 7 1 : p=&a 8 2 : a=a+1 9 2 : z=2*(*p) 10 1 : print(z) T 1 2 3 4 5 6 7 8 9 10 11 12 13 14 (3,8) (2,7) (7,12) (11,13) (13,14) (4,8) (12,13) (5,6)(9,10) (10,11) (5,7)(9,12) (5,8)(9,13) 1 2 3 4 5,9 6,10 11 7,12 8,13 14 F &b &a 0 0 2 1,2 F,T 1,2 4,4 4

32 CS590F Software Reliability (3) Whole Execution Trace S1S1 Multiple streams of numbers.

33 CS590F Software Reliability Program Representations  Static program representations Abstract syntax tree; Control flow graph; Program dependence graph; Call graph; Points-to relations.  Dynamic program representations Control flow trace, address trace and value trace; Dynamic dependence graph; Whole execution trace;

34 CS590F Software Reliability Next Lecture – Program Analysis  Static analysis  Dynamic analysis

Download ppt "Program Representations Xiangyu Zhang. CS590F Software Reliability Why Program Representations  Initial representations Source code (across languages)."

Similar presentations

Overview Structural Testing Introduction – General Concepts

Overview Structural Testing Introduction – General Concepts
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.

School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.
Chapter 9 Code optimization Section 0 overview 1.Position of code optimizer 2.Purpose of code optimizer to get better efficiency –Run faster –Take less.

Chapter 9 Code optimization Section 0 overview 1.Position of code optimizer 2.Purpose of code optimizer to get better efficiency –Run faster –Take less.
Data Flow Analysis. Goal: make assertions about the data usage in a program Use these assertions to determine if and when optimizations are legal Local:

Data Flow Analysis. Goal: make assertions about the data usage in a program Use these assertions to determine if and when optimizations are legal Local:
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
Intermediate Representations Saumya Debray Dept. of Computer Science The University of Arizona Tucson, AZ 85721.

Intermediate Representations Saumya Debray Dept. of Computer Science The University of Arizona Tucson, AZ
Components of representation Control dependencies: sequencing of operations –evaluation of if & then –side-effects of statements occur in right order Data.

Components of representation Control dependencies: sequencing of operations –evaluation of if & then –side-effects of statements occur in right order Data.
Program Representations. Representing programs Goals.

Program Representations. Representing programs Goals.
Program Slicing. 2 CS510 S o f t w a r e E n g i n e e r i n g Outline What is slicing? Why use slicing? Static slicing of programs Dynamic Program Slicing.

Program Slicing. 2 CS510 S o f t w a r e E n g i n e e r i n g Outline What is slicing? Why use slicing? Static slicing of programs Dynamic Program Slicing.
1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.

1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.
1 Cost Effective Dynamic Program Slicing Xiangyu Zhang Rajiv Gupta The University of Arizona.

1 Cost Effective Dynamic Program Slicing Xiangyu Zhang Rajiv Gupta The University of Arizona.
CS590F Software Reliability What is a slice? S: …. = f (v)  Slice of v at S is the set of statements involved in computing v’s value at S. [Mark Weiser,

CS590F Software Reliability What is a slice? S: …. = f (v)  Slice of v at S is the set of statements involved in computing v’s value at S. [Mark Weiser,
Differential Slicing: Identifying Causal Execution Differences for Security Applications Noah M. Johnson 1, Juan Caballero 2, Kevin Zhijie Chen 1, Stephen.

Differential Slicing: Identifying Causal Execution Differences for Security Applications Noah M. Johnson 1, Juan Caballero 2, Kevin Zhijie Chen 1, Stephen.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.

Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Course project presentations No midterm project presentation Instead of classes, next week I’ll meet with each group individually, 30 mins each Two time.

Course project presentations No midterm project presentation Instead of classes, next week I’ll meet with each group individually, 30 mins each Two time.
Representing programs Goals. Representing programs Primary goals –analysis is easy and effective just a few cases to handle directly link related things.

Representing programs Goals. Representing programs Primary goals –analysis is easy and effective just a few cases to handle directly link related things.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
1 Intermediate representation Goals: –encode knowledge about the program –facilitate analysis –facilitate retargeting –facilitate optimization scanning.

1 Intermediate representation Goals: –encode knowledge about the program –facilitate analysis –facilitate retargeting –facilitate optimization scanning.

Similar presentations

Ads by Google