Analysing Switch-Case Tables by Partial Evaluation Niklas Holsti - - PowerPoint PPT Presentation

analysing switch case tables by partial evaluation
SMART_READER_LITE
LIVE PREVIEW

Analysing Switch-Case Tables by Partial Evaluation Niklas Holsti - - PowerPoint PPT Presentation

Dec 01, 2022 11 likes •287 views

WCET'2007 Analysing Switch-Case Tables by Partial Evaluation Niklas Holsti Tidorum Ltd www.tidorum.fi Tid rum WCET 2007, Pisa, 2007-07-03 page 1 of 27 From binary file to control-flow graph Binary Control- memory flow image graph

slide-1
SLIDE 1

WCET 2007, Pisa, 2007-07-03 page 1 of 27

Tid rum

WCET'2007

Analysing Switch-Case Tables by Partial Evaluation

Niklas Holsti Tidorum Ltd

www.tidorum.fi

slide-2
SLIDE 2

WCET 2007, Pisa, 2007-07-03 page 2 of 27

Tid rum

From binary file to control-flow graph

Binary memory image Start address Control- flow graph WCET analysis

Problem: dynamic transfer of control, DTC

for example jump via register

?

?

slide-3
SLIDE 3

WCET 2007, Pisa, 2007-07-03 page 3 of 27

Tid rum

Overview

  • Analysing DTC from a switch-case statement
  • When compiled into a switch table

interpreted by a switch handler routine

  • Partial evaluation (PE) of switch handler
  • Example
slide-4
SLIDE 4

WCET 2007, Pisa, 2007-07-03 page 4 of 27

Tid rum

Switch tables and switch handlers

  • Various forms of switch tables

– depending on compiler, index type, dense/sparse, ...

  • Compiler generates:

– switch table T – call or jump to switch handler (Table ⇒ T, Index ⇒ k)

  • Switch handler

– looks up Index in Table

  • jumps to that case using DTC

switch (k) { case 4: ... case 8: case 9: case 11: ... default: ... } A constant table that maps index value to code address: 4 → A: <case 4> 8, 9, 11 → B: <case 8, 9, 11>

  • thers → C: <default>

Switch-case statement Switch table

slide-5
SLIDE 5

WCET 2007, Pisa, 2007-07-03 page 5 of 27

Tid rum

One handler – many switches

Code Foo

T1

Code Code

T2

Handler Bar DTC Cases in T2 Cases in T1 Call (T1, Ind1) Call (T2, Ind2) Switch Table Switch Table

slide-6
SLIDE 6

WCET 2007, Pisa, 2007-07-03 page 6 of 27

Tid rum

A real switch handler

IAR compiler for Atmel AVR

  • Same handler for many index

types (8, 16, 32 bits)

  • Complex table structure

– entries of variable length

DTC

slide-7
SLIDE 7

WCET 2007, Pisa, 2007-07-03 page 7 of 27

Tid rum

Partial Evaluation of switch handlers

Table Index Index Addr 4 A 8,9,11 B default C Addresses defined in the Table Switch handler for any Table and any Index Partially evaluate the switch handler with respect to the known switch table T for a given switch-case statement Table T Call DTC A B C Residual switch handler for table T and any Index Call Index 4 8 9 11 else Index? DTC is resolved into static jumps

slide-8
SLIDE 8

WCET 2007, Pisa, 2007-07-03 page 8 of 27

Tid rum

Eureka

  • The analysis “runs” the switch handler
  • The switch handler itself decodes the switch table
slide-9
SLIDE 9

WCET 2007, Pisa, 2007-07-03 page 9 of 27

Tid rum

The example

  • Here shown on a symbolic level

– paper shows AVR machine code

  • Partial Evaluation as implemented in Bound-T

– on the fly while building flow-graph – data state: some variables bound to constants

slide-10
SLIDE 10

WCET 2007, Pisa, 2007-07-03 page 10 of 27

Tid rum

Simple 8-bit switch table & handler

switch (k) { case 4: ... case 8: case 9: case 11: ... default: ... } Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

SwHandler parameters:

  • pointer Tp to switch table
  • 8-bit Index (k) of switch-case

(Index and Tp.Mask) = Tp.Match ? Jump to Tp.Address Advance Tp to next entry ≠

DTC

=

?

slide-11
SLIDE 11

WCET 2007, Pisa, 2007-07-03 page 11 of 27

Tid rum

  • 0. Detect invocation of switch handler
  • Start PE with initial data-state

Tp→T [0]

  • Expand SwHandler “in-line”

Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Aha! Entering switch handler! Flow graph (1 node so far)

slide-12
SLIDE 12

WCET 2007, Pisa, 2007-07-03 page 12 of 27

Tid rum

  • 1. Add first step in SwHandler, with data state

(Index and Tp.Mask) = Tp.Match ? Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Tp→T [0]

slide-13
SLIDE 13

WCET 2007, Pisa, 2007-07-03 page 13 of 27

Tid rum

  • 2. Partially evaluate wrt data state

Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp→T [0] Tp

slide-14
SLIDE 14

WCET 2007, Pisa, 2007-07-03 page 14 of 27

Tid rum

  • 3. Generate successors (PC, data state) & add

Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Jump to Tp.Address = Advance Tp to next entry ≠ Tp→T [0] Tp→T [0] Tp→T [0] Tp

DTC

slide-15
SLIDE 15

WCET 2007, Pisa, 2007-07-03 page 15 of 27

Tid rum

  • 4a. Partially evaluate wrt data state

Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Jump to <case 4> = Advance Tp to next entry ≠

DTC resolved

PE ends on this path CFG building continues (shown later) Tp→T [0] Tp→T [0] Tp→T [0] Tp

slide-16
SLIDE 16

WCET 2007, Pisa, 2007-07-03 page 16 of 27

Tid rum

  • 4b. Partially evaluate wrt data state

Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Jump to <case 4> = Tp := addr (T[1]) ≠ Tp→T [0] Tp→T [0] Tp→T [0] Tp New data state: Tp→T [1]

slide-17
SLIDE 17

WCET 2007, Pisa, 2007-07-03 page 17 of 27

Tid rum

Generate successors: can we loop?

Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Jump to <case 4> = Tp := addr (T[1]) ≠ Tp→T [0] Tp→T [0] Tp→T [0] Cannot create loop because the data state is different New data state: Tp→T [1]

slide-18
SLIDE 18

WCET 2007, Pisa, 2007-07-03 page 18 of 27

Tid rum

  • 5. Generate successors (PC, data state) & add

Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Jump to <case 4> = Tp := addr (T[1]) ≠ Tp→T [0] Tp→T [0] Tp→T [0] Tp→T [1] (Index and Tp.Mask) = Tp.Match ? Loop expands (unrolls) itself

slide-19
SLIDE 19

WCET 2007, Pisa, 2007-07-03 page 19 of 27

Tid rum

  • 6. Partially evaluate wrt data state

Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Jump to <case 4> = Tp := addr (T[1]) ≠ Tp→T [0] Tp→T [0] Tp→T [0] Tp→T [1] (Index and 254) = 8 ?

slide-20
SLIDE 20

WCET 2007, Pisa, 2007-07-03 page 20 of 27

Tid rum

  • 7. Generate successors (PC, data state) & add

Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Jump to <case 4> = Tp := addr (T[1]) ≠ Tp→T [0] Tp→T [0] Tp→T [0] Tp→T [1] (Index and 254) = 8 ? Jump to Tp.Address = Tp→T [1] Advance Tp to next entry ≠ Tp→T [1]

DTC

slide-21
SLIDE 21

WCET 2007, Pisa, 2007-07-03 page 21 of 27

Tid rum

  • 8. Partially evaluate wrt data state, etc.

Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Jump to <case 4> = Tp := addr (T[1]) ≠ Tp→T [0] Tp→T [0] Tp→T [0] Tp→T [1] (Index and 254) = 8 ? Jump to <case 8,9,11> = Tp := addr (T[2]) ≠ Tp→T [1] ... and so on ...

DTC resolved

Tp→T [1]

slide-22
SLIDE 22

WCET 2007, Pisa, 2007-07-03 page 22 of 27

Tid rum

  • n. Add successors for last table entry

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Tp := addr (T[3]) ≠ Tp→T [2] Tp→T [3] (Index and Tp.Mask) = Tp.Match ?

slide-23
SLIDE 23

WCET 2007, Pisa, 2007-07-03 page 23 of 27

Tid rum

n+1. Partially evaluate wrt data state

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Tp := addr (T[3]) ≠ Tp→T [2] Tp→T [3] 0 = 0 ?

slide-24
SLIDE 24

WCET 2007, Pisa, 2007-07-03 page 24 of 27

Tid rum

n+2. Generate & add feasible successors

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Tp := addr (T[3]) ≠ Tp→T [2] Tp→T [3] 0 = 0 ? Jump to Tp.Address = (true) Tp→T [3] ≠ (false)

DTC

slide-25
SLIDE 25

WCET 2007, Pisa, 2007-07-03 page 25 of 27

Tid rum

n+3. Partially evaluate wrt data state

Mask Match Address 255 4 <case 4> 254 8 <case 8,9,11> 255 11 <case 8,9,11> <default>

Tp Tp := addr (T[3]) ≠ Tp→T [2] Tp→T [3] 0 = 0 ? Jump to <default> Tp→T [3]

  • All paths end with resolved DTC
  • Expansion of switch handler completed

– for this switch-case statement

DTC resolved

slide-26
SLIDE 26

WCET 2007, Pisa, 2007-07-03 page 26 of 27

Tid rum

Completed flow-graph

Index = 4 ? Tp := addr (T[0]) Index := k invoke SwHandler Jump to <case 4>

=

(Index and 254) = 8 ? Jump to <case 8,9,11>

= ≠

Index = 11 ?

= ≠

Jump to <default>

≠ residual SwHandler (T, *)

<case 4> <case 8,9,11> Jump to <case 8,9,11> <default>

  • Shows execution path to each case
  • Shows conditions leading to each case
slide-27
SLIDE 27

WCET 2007, Pisa, 2007-07-03 page 27 of 27

Tid rum

Summary

  • Traditional flow-graph construction:

– enumerate only PC values

  • Flow-graph construction with PE:

– choose relevant data state components (... but how ?) – enumerate product domain (PC, data state)

  • PE applied here to switch handlers

– easy to choose the relevant data:

  • the switch table and anything derived from it
  • Other PE applications in WCET analysis?