control flow analysis
play

Control-flow analysis ? ? ? ? ? Discovering information about - PowerPoint PPT Presentation

Jul 11, 2023 •759 likes •1.3k views

Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program counter) may move through a program. Intra-procedural analysis An intra-procedural analysis collects information about the code inside a single

  1. Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program counter) may move through a program.

  2. Intra-procedural analysis An intra-procedural analysis collects information about the code inside a single procedure. We may repeat it many times (i.e. once per procedure), but information is only propagated within the boundaries of each procedure, not between procedures. One example of an intra-procedural control-flow optimisation (an analysis and an accompanying transformation) is unreachable-code elimination .

  3. Dead vs. unreachable code int f(int x, int y) { int z = x * y; DEAD return x + y; } Dead code computes unused values. (Waste of time.)

  4. Dead vs. unreachable code int f(int x, int y) { return x + y; int z = x * y; UNREACHABLE } Unreachable code cannot possibly be executed. (Waste of space.)

  5. Dead vs. unreachable code Deadness is a data-flow property: “May this data ever arrive anywhere?” int f(int x, int y) { int z = x * y; … ? ? ?

  6. Dead vs. unreachable code Unreachability is a control-flow property: “May control ever arrive here?” ? ? ? … int z = x * y; }

  7. Safety of analysis int f(int x, int y) { if (g(x)) { int z = x * y; UNREACHABLE? } return x + y; } ✓ bool g(int x) { return false; }

  8. Safety of analysis int f(int x, int y) { if (g(x)) { int z = x * y; UNREACHABLE? } return x + y; } ? bool g(int x) { return ...x...; }

  9. Safety of analysis int f(int x, int y) { if (g(x)) { int z = x * y; UNREACHABLE? } return x + y; } In general, this is undecidable. (Arithmetic is undecidable; cf. halting problem.)

  10. Safety of analysis • Many interesting properties of programs are undecidable and cannot be computed precisely... • ...so they must be approximated . • A broken program is much worse than an inefficient one... • ...so we must err on the side of safety .

  11. Safety of analysis • If we decide that code is unreachable then we may do something dangerous (e.g. remove it!)... • ...so the safe strategy is to overestimate reachability. • If we can’t easily tell whether code is reachable, we just assume that it is. (This is conservative.) • For example, we assume • that both branches of a conditional are reachable • and that loops always terminate.

  12. Safety of analysis Naïvely, if (false) { int z = x * y; } this instruction is reachable, while (true) { ... } int z = x * y; and so is this one.

  13. Safety of analysis Another source of uncertainty is encountered when constructing the original flowgraph: the presence of indirect branches (also known as “computed jumps”).

  14. Safety of analysis … … MOV t32,r1 MOV t32,r1 JMP lab1 … ADD r0,r1,r2 lab1: ADD r0,r1,r2 … …

  15. Safety of analysis … MOV t33,#&lab1 MOV t34,#&lab2 MOV t35,#&lab3 lab1: ADD r0,r1,r2 ? … … JMPI t32 lab2: MUL r3,r4,r5 ? … lab3: MOV r0,r1 ? …

  16. Safety of analysis MOV t33,#&lab1 MOV t34,#&lab2 MOV t35,#&lab3 … ADD r0,r1,r2 MUL r3,r4,r5 MOV r0,r1 … … …

  17. Safety of analysis Again, this is a conservative overestimation of reachability. In the worst-case scenario in which branch-address computations are completely unrestricted (i.e. the target of a jump could be absolutely anywhere), the presence of an indirect branch forces us to assume that all instructions are potentially reachable in order to guarantee safety.

  18. Safety of analysis program instructions sometimes never executed executed

  19. Safety of analysis “reachable” imprecision

  20. Safety of analysis “reachable” Safe but imprecise.

  21. Unreachable code This naïve reachability analysis is simplistic, but has the advantage of corresponding to a very straightforward operation on the flowgraph of a procedure: 1. mark the procedure’s entry node as reachable; 2. mark every successor of a marked node as reachable and repeat until no further marking is required.

  22. Unreachable code ENTRY f ? ? ? ? ? EXIT

  23. Unreachable code ENTRY f ? ? EXIT

  24. Unreachable code Programmers rarely write code which is completely unreachable in this naïve sense. Why bother with this analysis? • Naïvely unreachable code may be introduced as a result of other optimising transformations. • With a little more effort, we can do a better job.

  25. Unreachable code Obviously, if the conditional expression in an if statement is literally the constant “ false ”, it’s safe to assume that the statements within are unreachable. if (false) { int z = x * y; UNREACHABLE } But programmers never write code like that either.

  26. Unreachable code However, other optimisations might produce such code. For example, copy propagation : bool debug = false; … if (debug) { int z = x * y; }

  27. Unreachable code However, other optimisations might produce such code. For example, copy propagation : … if (false) { int z = x * y; UNREACHABLE }

  28. Unreachable code We can try to spot (slightly) more subtle things too. • if (!true) {... } • if (false && ...) {... } • if (x != x) {... } • while (true) {... } ... • ...

  29. Unreachable code Note, however, that the reachability analysis no longer consists simply of checking whether any paths to an instruction exist in the flowgraph, but whether any of the paths to an instruction are actually executable . With more effort we may get arbitrarily clever at spotting non-executable paths in particular cases, but in general the undecidability of arithmetic means that we cannot always spot them all.

  30. Unreachable code Although unreachable-code elimination can only make a program smaller , it may enable other optimisations which make the program faster .

  31. Unreachable code For example, straightening is an optimisation which can eliminate jumps between basic blocks by coalescing them: ENTRY f ? ? ? ? ? EXIT

  32. Unreachable code For example, straightening is an optimisation which can eliminate jumps between basic blocks by coalescing them: ENTRY f ? ? ? EXIT

  33. Unreachable code For example, straightening is an optimisation which can eliminate jumps between basic blocks by coalescing them: ENTRY f Straightening has removed a branch ? instruction, so the new program will execute faster. ? EXIT

  34. Inter-procedural analysis An inter-procedural analysis collects information about an entire program. Information is collected from the instructions of each procedure and then propagated between procedures. One example of an inter-procedural control-flow optimisation (an analysis and an accompanying transformation) is unreachable-procedure elimination .

  35. Unreachable procedures Unreachable- procedure elimination is very similar in spirit to unreachable- code elimination, but relies on a different data structure known as a call graph .

  36. Call graphs main g f j h i

  37. Call graphs Again, the precision of the graph is compromised in the presence of indirect calls . main g h f And as before, this is a safe overestimation of reachability.

  38. Call graphs In general, we assume that a procedure containing an indirect call has all address-taken procedures as successors in the call graph — i.e., it could call any of them. This is obviously safe ; it is also obviously imprecise . As before, it might be possible to do better by application of more careful methods (e.g. tracking data-flow of procedure variables).

  39. Unreachable procedures The reachability analysis is virtually identical to that used in unreachable- code elimination, but this time operates on the call graph of the entire program (vs. the flowgraph of a single procedure): 1. mark procedure main as callable; 2. mark every successor of a marked node as callable and repeat until no further marking is required.

  40. Unreachable procedures main g f j h i

  41. Unreachable procedures main g f h

  42. Safety of transformations • All instructions/procedures to which control may flow at execution time will definitely be marked by the reachability analyses... • ...but not vice versa, since some marked nodes might never be executed. • Both transformations will definitely not delete any instructions/procedures which are needed to execute the program... • ...but they might leave others alone too.

  43. If simplication Empty then in if - then if (f(x)) { } (Assuming that f has no side effects.)

  44. If simplication Empty else in if - then - else if (f(x)) { z = x * y; } else { }

  45. If simplication Empty then in if - then - else if (f(x)) { } else { z = x * y; }

  46. If simplication Empty then in if - then - else if (!f(x)) { } else { z = x * y; }

  47. If simplication Empty then and else in if - then - else if (f(x)) { } else { }

  48. If simplication Constant condition if (true) { z = x * y; }

  49. If simplication Nested if with common subexpression if (x > 3 && t) { … if (x > 3) { z = x * y; } else { z = y - x; } }

  50. Loop simplification int x = 0; int i = 0; while (i < 4) { i = i + 1; x = x + i; }

  51. Loop simplification int x = 0; int i = 0; i = i + 1; x = x + i; i = i + 1; x = x + i; i = i + 1; x = x + i; i = i + 1; x = x + i;

  52. Loop simplification int x = 10; int i = 4;

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems

Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems

Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems Data Flow Abstract Analysis Interpretation Correctness Program Analysis p.1/23 Overview Introduction Data Flow Analysis Control Flow

279 views • 23 slides
Control-Flow Analysis and Loop Detection Last time PRE Today Control-flow

Control-Flow Analysis and Loop Detection Last time PRE Today Control-flow

Control-Flow Analysis and Loop Detection Last time PRE Today Control-flow analysis Loops Identifying loops using dominators Reducibility Using loop identification to identify induction

270 views • 15 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical representation of runtime control-flow paths Nodes of graph: basic blocks (straight-line computations) Edges of graph: flows of control Useful for

679 views • 39 slides
Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the presence of certain language features (e.g. indirect calls) it is nontrivial to predict accurately how control may flow at execution time the nave

594 views • 42 slides
HW/SW Codesign Analysis of Control &amp; Data Flow I ECE 522 Control and Data Edges C programs

HW/SW Codesign Analysis of Control &amp; Data Flow I ECE 522 Control and Data Edges C programs

HW/SW Codesign Analysis of Control &amp; Data Flow I ECE 522 Control and Data Edges C programs (and pseudo-code) are often used as prototypes because they represent high-level descriptions of system behavior However, C is sequential and cannot

572 views • 15 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow Analysis Data-flow Analysis Static VS Dynamic Analysis Software Testing Control Con ol Flow ow Gr Graph entry S1 Procedure AVG S1 count =

1.08k views • 104 slides
Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) Cdric Favre(1,2), Hagen Vlzer(1), Peter Mller(2) (1) IBM Research - Zurich (2) ETH Zurich 1 Outline Problem - Control-flow analysis

624 views • 44 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Control Flow Analysis for WCET Analysis Bjrn Lisper School of Innovation, Design, and

Control Flow Analysis for WCET Analysis Bjrn Lisper School of Innovation, Design, and

Control Flow Analysis for WCET Analysis Bjrn Lisper School of Innovation, Design, and Engineering Mlardalen University bjorn.lisper@mdh.se 2017-07-18 Dagstuhl Seminar on Resource Bound Analysis Standard Scheme for WCET Analysis WCET

514 views • 30 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
Foundations of pred(n) = set of all immediate predecessors of n p ( ) p Dataflow Analysis

Foundations of pred(n) = set of all immediate predecessors of n p ( ) p Dataflow Analysis

Terminology: Program Representation e o ogy: og a ep ese tat o Control Flow Graph: Control Flow Graph: Nodes N statements of program Edges E flow of control Foundations of pred(n) = set of all immediate predecessors of

591 views • 17 slides
PET Semetary: Privacys return from the dead and the Future of Privacy Engineering Seda

PET Semetary: Privacys return from the dead and the Future of Privacy Engineering Seda

PET Semetary: Privacys return from the dead and the Future of Privacy Engineering Seda Grses CITP , Princeton University COSIC, University of Leuven getting privacy engineering right? getting privacy engineering right? software

471 views • 20 slides
Joint Probability Distributions In many random experiments, more than one quantity is measured,

Joint Probability Distributions In many random experiments, more than one quantity is measured,

ST 370 Probability and Statistics for Engineers Joint Probability Distributions In many random experiments, more than one quantity is measured, meaning that there is more than one random variable. Example: Cell phone flash unit A flash unit is

558 views • 21 slides
Emulating Goliath Storage Systems with David Nitin Agrawal, NEC Labs Leo Arulraj, Andrea C.

Emulating Goliath Storage Systems with David Nitin Agrawal, NEC Labs Leo Arulraj, Andrea C.

Emulating Goliath Storage Systems with David Nitin Agrawal, NEC Labs Leo Arulraj, Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau ADSL Lab, UW Madison 1 The Storage Researchers Dilemma Innovate Create the future of storage Measure

649 views • 63 slides
The Quest for Average Response Time Tom Henzinger IST Austria Joint work with Krishnendu

The Quest for Average Response Time Tom Henzinger IST Austria Joint work with Krishnendu

The Quest for Average Response Time Tom Henzinger IST Austria Joint work with Krishnendu Chatterjee and Jan Otop Observations r request g grant t tick x neither = {r,g,t,x} Behaviors = Observation Sequences x t t x x r x x t x x x r

827 views • 47 slides
15-411: LLVM Jan Ho ff mann Substantial portions courtesy of Deby Katz and Gennady Pekhimenko,

15-411: LLVM Jan Ho ff mann Substantial portions courtesy of Deby Katz and Gennady Pekhimenko,

15-411: LLVM Jan Ho ff mann Substantial portions courtesy of Deby Katz and Gennady Pekhimenko, Olatunji Ruwase,Chris Lattner, Vikram Adve, and David Koes Carnegie What is LLVM? A collection of modular and reusable compiler and toolchain

893 views • 38 slides
Tail call elimination Michel Schinz Tail calls and their elimination Loops in functional

Tail call elimination Michel Schinz Tail calls and their elimination Loops in functional

Tail call elimination Michel Schinz Tail calls and their elimination Loops in functional languages Several functional programming languages do not have an explicit looping statement. Instead, programmers resort to recursion to loop. For

338 views • 33 slides
CONSTANT EXPRESSIONS IN C++ CS4414 Lecture 9 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY

CONSTANT EXPRESSIONS IN C++ CS4414 Lecture 9 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY

Professor Ken Birman CONSTANT EXPRESSIONS IN C++ CS4414 Lecture 9 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY In Lecture 8 we learned that C++ can Even without those long lists of advice, this same issue automatically compile to

738 views • 60 slides
Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types Bag List Stack 3 Stack 34 A data structure representing a stack of things Objects can be pushed onto the stack or popped from the stack

1.62k views • 116 slides

More recommend