quantifying dataflow analysis with gradients in llvm
play

Quantifying Dataflow Analysis with Gradients in LLVM Gabriel Ryan 1 - PowerPoint PPT Presentation

Dec 02, 2022 •353 likes •786 views

Quantifying Dataflow Analysis with Gradients in LLVM Gabriel Ryan 1 , Abhishek Shah 1 , Dongdong She 1 , Koustubha Bhat 2 , Suman Jana 1 1: Columbia University 2: Vrije Universiteit 1 Dataflow Analysis 2 Dataflow Analysis Is there a dataflow

  1. Quantifying Dataflow Analysis with Gradients in LLVM Gabriel Ryan 1 , Abhishek Shah 1 , Dongdong She 1 , Koustubha Bhat 2 , Suman Jana 1 1: Columbia University 2: Vrije Universiteit 1

  2. Dataflow Analysis 2

  3. Dataflow Analysis Is there a dataflow between variables x and z? 3

  4. Dataflow Analysis Is there a dataflow between variables x and z? Vulnerability Analysis 4

  5. Dataflow Analysis Common building block for program analysis 5

  6. Dynamic Taint Analysis (DTA) 6

  7. Dynamic Taint Analysis (DTA) Dataflow Encoding - Boolean labels represent absence or presence of taint 7

  8. Dynamic Taint Analysis (DTA) Dataflow Encoding - Boolean labels represent absence or presence of taint Per-operation rules propagate taint - Example Rule for Add/Subtract operation: - If input operands carry taint, output operand carries taint too 8

  9. Limitation 1: Imprecise Rules 9

  10. Limitation 1: Imprecise Rules Subtraction rule introduces false positives - z is incorrectly tainted as x - x is zero (i.e. no dataflow from x to z) 10

  11. Limitation 2: Boolean Taint Labels Boolean taint labels cannot - Quantify dataflows between x and z - Order amount of influence of each dataflow 11

  12. Gradients 12

  13. New Approach to Dataflow Analysis Key Insight - Gradients track influence of inputs on outputs 13

  14. New Approach to Dataflow Analysis Key Insight - Gradients track influence of inputs on outputs Why gradients? - Gradients quantify dataflows - Precise composition and rules over differentiable operations due to chain rule of calculus 14

  15. Problem: Nondifferentiable Operator Programs contain nondifferentiable operators - int f(int x) { Bitwise And return x & 4 } 15

  16. Problem: Nondifferentiable Operator Programs contain nondifferentiable operators - int f(int x) { Bitwise And return x & 4 } 16

  17. Solution: Proximal Gradients How to compute gradient of nondifferentiable operator? - Proximal gradients find local minima in region to approximate the gradient 17

  18. Solution: Proximal Gradients How to compute gradient of nondifferentiable operator? - Proximal gradients find local minima in region to approximate the gradient 18

  19. Solution: Proximal Gradients How to compute gradient of nondifferentiable operator? - Proximal gradients find local minima in region to approximate the gradient 19

  20. Solution: Proximal Gradients How to compute gradient of nondifferentiable operator? - Proximal gradients find local minima in region to approximate the gradient Why Proximal Gradients? - Region can be bounded to make computation tractable 20

  21. Implementation Proximal Gradient Analysis implemented in LLVM - Based on DataFlowSanitizer, LLVM’s state-of-the-art DTA tool 21

  22. Implementation Proximal Gradient Analysis implemented in LLVM - Based on DataFlowSanitizer, LLVM’s state-of-the-art DTA tool 22

  23. Implementation Proximal Gradient Analysis implemented in LLVM - Based on DataFlowSanitizer, LLVM’s state-of-the-art DTA tool Main idea 1 (instrumentation) - Instrument operations to propagate gradients 23

  24. Implementation Proximal Gradient Analysis implemented in LLVM - Based on DataFlowSanitizer, LLVM’s state-of-the-art DTA tool Main idea 1 (instrumentation) - Instrument operations to propagate gradients Main idea 2 (gradient storage) - Store gradients for each variable in shadow memory 24

  25. Example LLVM IR int x; int z; z = x + x; 25

  26. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; z = x + x; 26

  27. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; /* load operations */ z = x + x; %2 = load i16, i16* %0 %3 = load i32, i32* %x, align 4 %4 = load i16, i16* %0 %5 = load i32, i32* %x, align 4 27

  28. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; /* load operations */ z = x + x; %2 = load i16, i16* %0 %3 = load i32, i32* %x, align 4 %4 = load i16, i16* %0 %5 = load i32, i32* %x, align 4 /* add instruction */ %6 = call zeroext i16 @__dfsan_union(...%2, %3, %4, %5…) %add = add nsw i32 %3, %5 // z = x + x; store i16 %6, i16* %1 store i32 %add, i32* %z, align 4 28

  29. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; /* load operations */ z = x + x; %2 = load i16, i16* %0 %3 = load i32, i32* %x, align 4 %4 = load i16, i16* %0 %5 = load i32, i32* %x, align 4 /* add instruction */ %6 = call zeroext i16 @__dfsan_union(...%2, %3, %4, %5…) %add = add nsw i32 %3, %5 // z = x + x; store i16 %6, i16* %1 store i32 %add, i32* %z, align 4 29

  30. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; /* load operations */ z = x + x; %2 = load i16, i16* %0 %3 = load i32, i32* %x, align 4 %4 = load i16, i16* %0 %5 = load i32, i32* %x, align 4 /* add instruction */ %6 = call zeroext i16 @__dfsan_union(...%2, %3, %4, %5…) %add = add nsw i32 %3, %5 // z = x + x; store i16 %6, i16* %1 store i32 %add, i32* %z, align 4 30

  31. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; /* load operations */ z = x + x; %2 = load i16, i16* %0 %3 = load i32, i32* %x, align 4 %4 = load i16, i16* %0 %5 = load i32, i32* %x, align 4 /* add instruction */ %6 = call zeroext i16 @__dfsan_union(...%2, %3, %4, %5…) %add = add nsw i32 %3, %5 // z = x + x; store i16 %6, i16* %1 store i32 %add, i32* %z, align 4 31

  32. Instrumentation: Compile-time Instrument operations with InstVisitor class - For example, visitBinaryOperator () inserts a call to runtime library that computes gradient dynamically based on opcode 32

  33. Instrumentation: Compile-time Instrument operations with InstVisitor class - For example, visitBinaryOperator () inserts a call to runtime library that computes gradient dynamically based on opcode What if operations cannot be instrumented? - Create wrapper for original function that propagates dataflow - Instrumentation inserts a call to wrapper instead of original function 33

  34. Instrumentation: Compile-time Instrument operations with InstVisitor class - For example, visitBinaryOperator () inserts a call to runtime library that computes gradient dynamically based on opcode What if operations cannot be instrumented? - Create wrapper for original function that propagates dataflow - Instrumentation inserts a call to wrapper instead of original function Similarly instrument functions and their arguments 34

  35. Instrumentation: Runtime Dynamically propagate dataflow - Bitwise And operation instrumentation finds proximal gradient with concrete values 35

  36. Instrumentation: Runtime Dynamically propagate dataflow - Bitwise And operation instrumentation finds proximal gradient with concrete values Minimal runtime overhead - Based on compile-time instrumentation vs runtime instrumentation 36

  37. Gradient Storage: Shadow Memory 37

  38. Gradient Storage: Shadow Memory 38

  39. Gradient Storage: Shadow Memory Gradient sharing with indirection - Every variable has associated shadow memory with label - Label indexes into a table holding data structure - Enables sharing gradients across multiple variables 39

  40. Evaluation: Accuracy Better accuracy on 7 real-world parser programs - Our tool (grsan) achieves up to 33% better dataflow accuracy than DataFlowSanitizer (dfsan) 40

  41. Evaluation: Bug Finding We find 23 previously undiscovered bugs - Track gradients for arguments to known vulnerable operations such as bitwise and memory copy operators - As an example, we altered an input byte with high gradient to a shift operator to trigger an overflow 41

  42. Key Takeaways DataflowSanitizer enables many dynamic analyses - Our dynamic analysis propagates gradients with minimal changes Nonsmooth optimization and program analysis connections 42

  43. Quantifying Dataflow Analysis with Gradients in LLVM Gabriel Ryan 1 , Abhishek Shah 1 , Dongdong She 1 , Koustubha Bhat 2 , Suman Jana 1 1: Columbia University 2: Vrije Universiteit 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LLVM-based dynamic dataflow compila6on for heterogeneous targets V. Ducrot, K. Juilly, S.Monot,

LLVM-based dynamic dataflow compila6on for heterogeneous targets V. Ducrot, K. Juilly, S.Monot,

LLVM-based dynamic dataflow compila6on for heterogeneous targets V. Ducrot, K. Juilly, S.Monot, AS+ Groupe Eolen G. Bayle Des Courchamps T. Goubier CEA List /DACLE /LCE Benoit Da Mota Anger University Donnons de la suite vos ides

337 views • 17 slides
CO444H Dataflow Dataflow frameworks Ben Livshits Masters Projects Available 1. Crashes to

CO444H Dataflow Dataflow frameworks Ben Livshits Masters Projects Available 1. Crashes to

Static analysis CO444H Dataflow Dataflow frameworks Ben Livshits Masters Projects Available 1. Crashes to exploits 2. Pointer analysis for JavaScript 3. Private data management languages 4. Programming robots to assemble IKEA furniture

897 views • 57 slides
LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM

LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM

A unique processor architecture meeting LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM devroom Compiling with LLVM High-Level Programming Language LLVM LLVM Front-end LLVM Assembly / IR LLVM

434 views • 22 slides
Modular Dataflow Analysis Aivar Annamaa Feb. 23 rd , 2010 Based on: Rountev, Sharp, Xu, 2008

Modular Dataflow Analysis Aivar Annamaa Feb. 23 rd , 2010 Based on: Rountev, Sharp, Xu, 2008

Modular Dataflow Analysis Aivar Annamaa Feb. 23 rd , 2010 Based on: Rountev, Sharp, Xu, 2008 IDE Dataflow Analysis in the Presence of Large Object-Oriented Libraries Problem Interprocedural analyses are usually too slow can take

576 views • 26 slides
Dataflow Analysis

Dataflow Analysis

Dataflow Analysis Jonathan Aldrich

1.19k views • 93 slides
Dataflow analysis First example (analysis #1) Available expressions Michel Schinz Advanced

Dataflow analysis First example (analysis #1) Available expressions Michel Schinz Advanced

Dataflow analysis First example (analysis #1) Available expressions Michel Schinz Advanced compiler construction, 2008-05-09 Common subexp. elimination Available expressions The following C program fragment sets r to x y for y > 0. How can

672 views • 10 slides
llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1

llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1

llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1 February 3, 2019 1 eush77@gmail.com Introduction llvm.mix Binding-Time Analysis Dynamic Control Examples Summary Interpreters and Compilers

1.33k views • 62 slides
Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM

Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM

Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM There are two possible goals Run LLVM tools on OS Generate code for OS / CPU architecture Mission is to run LLVM on previously unsupported

603 views • 11 slides
Quantifying Uncertainty in Engineering Analysis Mike Giles and Devendra Ghate

Quantifying Uncertainty in Engineering Analysis Mike Giles and Devendra Ghate

Quantifying Uncertainty in Engineering Analysis Mike Giles and Devendra Ghate giles@comlab.ox.ac.uk Oxford University Computing Laboratory Quantifying Uncertainty p. 1/18 Motivation Engineering analysis assumes perfect knowledge of the

500 views • 18 slides
EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last lecture. . . Uses of Program Analysis Static vs. Dynamic Program Analysis Soundness, Precision, Termination Abstraction and Simplification

4.44k views • 52 slides
Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1 Optimization And Analysis Improving efficiency of generated code Correctness: optimized code must preserve meaning of the original program

467 views • 31 slides
The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are

The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are

The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are LLVM, Clang, and Flang? How is LLVM Being Improved for HPC. What Facilities for Tooling Exist in LLVM? Opportunities for the Future!

572 views • 38 slides
More dataflow analysis CSE 501 Spring 15 Reaching Defini=ons

More dataflow analysis CSE 501 Spring 15 Reaching Defini=ons

More dataflow analysis CSE 501 Spring 15 Reaching Defini=ons Summary LaAce Sets of defini=ons represented by bit-vectors Transfer func=on OUT[B] =

670 views • 39 slides
Blended Conditional Gradients: The unconditioning of conditional gradients Joint work with Gabor

Blended Conditional Gradients: The unconditioning of conditional gradients Joint work with Gabor

Blended Conditional Gradients: The unconditioning of conditional gradients Joint work with Gabor Braun, Sebastian Pokutta, Steve Wright Dan Tu 1/9 CONDITIONAL GRADIENTS: PROJECTION-FREE Given a polytope ! , solve the optimization problem: min

109 views • 9 slides
Dataflow Analysis 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich

Dataflow Analysis 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich

Dataflow Analysis 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich Overview: Analyses Weve

397 views • 24 slides
LLVM/Clang Mouna Abidi & Manel Grichi 1 Plan What is LLVM? How will you be using it?

LLVM/Clang Mouna Abidi & Manel Grichi 1 Plan What is LLVM? How will you be using it?

LLVM/Clang Mouna Abidi & Manel Grichi 1 Plan What is LLVM? How will you be using it? LLVM Architecture Compiler Simple case study Conclusion 2 What is LLVM? Low Level Virtual Machine Modern Compiler

1.34k views • 19 slides
Using the DMM to unde r stand and r e spond to De ve lopme ntal T r auma in Child Pr ote c

Using the DMM to unde r stand and r e spond to De ve lopme ntal T r auma in Child Pr ote c

Using the DMM to unde r stand and r e spond to De ve lopme ntal T r auma in Child Pr ote c tion Se r vic e s Aoife Bair e ad, Soc ial Wor ke r Unde r standing de ve lopme ntal tr auma De ve lo pme nta l tra uma o c c urs in the

133 views • 10 slides
Asymmetric Proximal Point Algorithms with Moving Proximal Centers Deren Han

Asymmetric Proximal Point Algorithms with Moving Proximal Centers Deren Han

Asymmetric Proximal Point Algorithms with Moving Proximal Centers Deren Han (handeren@njnu.edu.cn) School of Mathematical Sciences, Nanjing Normal University Nanjing, 210023, China. September 2, 2014 Deren Han (NJNU) Asymmetric PPA September

707 views • 43 slides
Complexity of a quadratic penalty accelerated inexact proximal point method W. Kong 1 J.G. Melo 2

Complexity of a quadratic penalty accelerated inexact proximal point method W. Kong 1 J.G. Melo 2

The Main Problem Penalty Problem and Approach AIPP Method For Solving the Penalty Subproblem(s) Complexity of the Penalty Complexity of a quadratic penalty accelerated inexact proximal point method W. Kong 1 J.G. Melo 2 R.D.C. Monteiro 1 1

741 views • 46 slides
Convergence of perturbed Proximal Gradient algorithms Gersende Fort Institut de Math ematiques

Convergence of perturbed Proximal Gradient algorithms Gersende Fort Institut de Math ematiques

Convergence of perturbed Proximal Gradient algorithms Convergence of perturbed Proximal Gradient algorithms Gersende Fort Institut de Math ematiques de Toulouse CNRS and Univ. Paul Sabatier Toulouse, France Convergence of perturbed Proximal

1.17k views • 55 slides
On Corson and Valdivia compact spaces* Reynaldo Rojas Hern andez Centro de Ciencias Matem

On Corson and Valdivia compact spaces* Reynaldo Rojas Hern andez Centro de Ciencias Matem

On Corson and Valdivia compact spaces* Reynaldo Rojas Hern andez Centro de Ciencias Matem aticas Universidad Nacional Aut onoma de M exico Valdivia compact spaces In this talk we deal with several classes of nonmetrizable compact

1.3k views • 126 slides
NCDawareRank A Novel Ranking Method that Exploits the Decomposable Structure of the Web

NCDawareRank A Novel Ranking Method that Exploits the Decomposable Structure of the Web

NCDawareRank A Novel Ranking Method that Exploits the Decomposable Structure of the Web Athanasios N. Nikolakopoulos John D. Garofalakis Computer Engineering and Informatics Department, University of Patras Computer Technology Institute and

648 views • 9 slides
CS 4803 / 7643: Deep Learning Topics: Application: PointGoal Navigation Trust Region

CS 4803 / 7643: Deep Learning Topics: Application: PointGoal Navigation Trust Region

CS 4803 / 7643: Deep Learning Topics: Application: PointGoal Navigation Trust Region Policy Optimization (TRPO) Proximal Policy Optimization (PPO) Erik Wijmans Georgia Tech Who Am I? Research Interests Computer Vision

1.52k views • 132 slides
On Adaptive Interventions and SMART Daniel Almirall; Inbal (Billie) Nahum-Shani IES 2015 Principal

On Adaptive Interventions and SMART Daniel Almirall; Inbal (Billie) Nahum-Shani IES 2015 Principal

On Adaptive Interventions and SMART Daniel Almirall; Inbal (Billie) Nahum-Shani IES 2015 Principal Investigators Meeting 1 Outline Adaptive Intervention (AIs) What they are Components Motivation Sequential Multiple

1.02k views • 47 slides

More recommend