reconstructing control flow from predicated assembly code
play

Reconstructing Control Flow from Predicated Assembly Code Bjrn - PowerPoint PPT Presentation

Aug 19, 2022 •304 likes •612 views

Reconstructing Control Flow from Predicated Assembly Code Bjrn Decker, Saarland University Daniel Kstner, AbsInt GmbH Motivation Many contemporary microprocessors use instruction-level parallelism to achieve high performance.

  1. Reconstructing Control Flow from Predicated Assembly Code Björn Decker, Saarland University Daniel Kästner, AbsInt GmbH

  2. Motivation • Many contemporary microprocessors use instruction-level parallelism to achieve high performance. • Predicated instructions provide better performance due to the elimination of branches and better utilization of hardware resources: the issue slots of long instruction words can be filled with (sub-) operations from different control paths. • However: predicated instructions make postpass optimizations more difficult, since the control dependences have been transformed to data dependences. • Goal: Precise reconstruction of control flow from assembly / executable files for processors with predicated instructions in a retargetable way.

  3. The PROPAN System • Retargetable framework for high-quality postpass optimizations and machine-dependent program analyses

  4. Advantage of Postpass Approach • Easy integration into existing tool chains. • Appropriate format for doing processor-specific optimizations. This is especially important for processors with irregular hardware architectures, a feature typical for embedded processors and DSPs. • Enhanced optimization potential compared to standard compiler techniques: – cross-file optimizations – optimizations across inline assembly

  5. Control Flow Reconstruction • Many postpass optimizations requires the control flow graph of the input program to be known. Examples: transformations based on dataflow analysis like postpass instruction scheduling, register renaming, ... • In order to enable high quality optimizations the CFG has to be very precise. • Control flow must be reconstructed from the assembly code: – Phase 1: Explicit control flow reconstruction: computing the call graph, determining targets of direct and indirect jumps. In our framework based on extended program slicing of [Kästner,Wilhelm:LCTES02]. – Phase 2: Implicit control flow reconstruction: This article.

  6. Control Flow Reconstruction • This control flow graph has to be safe: all control paths of the input program) must be represented in the reconstructed graph. • Due to information not statically computable, the reconstructed control flow graph may contain too many control flow edges: conservative approximation. (If the target of a branch is unknown, edges to all potential targets are inserted.) • However, the reconstructed graph should be as precise as possible, i.e. the number of control paths that actually cannot occur in the input program should be minimized.

  7. Predicated Instructions Guarded (predicated) Code: • Each assembly operation is associated with a guard that determines whether the operation is executed or not. • Example: IF r39 iaddi(0x4) r5 -> r34 Adds the immediate value 0x4 to register r5 and stores results in r34, but only if register r39 evaluates to TRUE, otherwise, a nop is executed. • Advantages: – Improved code density by enabling to fill more issue slots of the same instruction. – Reduced number of conditional branch operations.

  8. Predicated Instructions issue issue CFG slot 1 slot 2 i 0 if-conversion + optimizations i 1 i 0 i 1 T F if (e) (e) i 2 (!e) i 4 control flow reconstruction (e) i 3 (!e) i 4 i 2 i 4 i 3 i 5

  9. Precision of Control Flow Reconstruction for Predicated Code • Consider two successive long instructions: (i1) IF r39 iaddi(0x4) r5 -> r34; (i2) IF !r39 iaddi(0x4) r34 -> r37; • If the predicates are ignored: – A data dependence between i1 and i2 wrt r34 has to be assumed: i1 and i2 cannot be parallelized. – Assume r5= 2, r34= 7,r39= 1,r37= 9 immediately before i1. After i2, constant propagation yields r34= unknown, r37= unknown. • If the implicit control flow is reconstructed: – The conditions r39 and !r39 are disjoint. – No data dependence between i1 and i2. – Assume r5= 2, r34= 7,r39= 1,r37= 9 immediately before i1. After i2, constant propagation yields r34= 6, r37= 9.

  10. Reconstructing Explicit Control Flow • Input: Assembly code • Program slicing and value analysis are used to – reconstruct procedures – reconstruct intraprocedural control flow via call, return, jump and branch operations • Output: roughly reconstructed CFG representing procedures and explicit control flow

  11. Reconstructing Explicit Control Flow 1. For each jump, call, and branch operation assembly slices are computed containing exactly those operations influencing the target operand of the jump operation. 2. Assembly slices are evaluated in an abstract manner yielding an abstract value of the target address. 3. Abstract values of address targets represent sets of addresses of possible successor operations. Thus, edges in the CFG are introduced from the jump operation to all operations residing at addresses of possible successor operations.

  12. Reconstructing Implicit Control Flow • Input: Assembly code of basic blocks in prereconstructed CFG. • Examining boolean relations between guard registers. • Refining control flow graph by arranging operations according to the relation of their guard registers.

  13. Reconstructing Implicit Control Flow evaluation of evaluation of operation semantics operation semantics operation + updated environment environment tree representing forks fork join fork join reconstruction reconstruction reconstruction reconstruction basic block b partial CFG for replacing b prereconstructed reconstructed prereconstructed reconstructed driver driver CFG CFG CFG CFG

  14. Fork Reconstruction (Input) • Input: basic block. • From now on: TriMedia TM1000 as example processor. (r1) r9 := r8 > r0 (r1) r6 := r8 <= r0 • Instructions have five issue slots (r1) r7 := r1 + r0 filled with so-called operations. (r1) nop (r1) nop • Registers r1 and r0 are hardwired (r6) r8 := r7 + r0 to 1 resp. 0. (r9) r8 := r7 + r0 (r1) nop • Processor implements the least- (r1) nop (r1) nop significant-bit truth-value (r8) r5 := r0 + r1 representation, i.e. the least (r1) nop significant bit of register contents (r1) nop (r1) nop indicate whether it is interpreted as (r1) nop true or false.

  15. Fork Reconstruction • During fork reconstruction a block tree is created representing forks of the control flow of the input block. • Successively arrange instructions in leaf blocks of the tree: – Examine whether each guard of the instruction uniformly evaluates to true or false in a certain leaf block. – Whenever a guard register does not uniformly evaluate: introduce two new successors for this block and restrict their environments. In one of them the violating guard register has to evaluate to true; in the other it must be false. Then the new blocks are considered for instruction arrangement. – Otherwise, the instruction is placed into the block. Operations whose guard evaluates to false are replaced by nop-operations.

  16. Fork Reconstruction Example (1) Input block Block tree (r1) r9 := r8 > r0 (r1) r9 := r8 > r0 (r1) r6 := r8 <= r0 (r1) r6 := r8 <= r0 (r1) r7 := r1 + r0 (r1) r7 := r1 + r0 (r1) nop (r1) nop (r1) nop (r1) nop (r6) r8 := r7 + r0 (r9) r8 := r7 + r0 (r1) nop (r1) nop (r1) nop (r8) r5 := r0 + r1 (r1) nop (r1) nop (r1) nop (r1) nop

  17. Fork Reconstruction Example (2) (r1) r9 := r8 > r0 (r1) r9 := r8 > r0 (r1) r6 := r8 <= r0 (r1) r6 := r8 <= r0 (r1) r7 := r1 + r0 (r1) r7 := r1 + r0 (r1) nop (r1) nop (r1) nop (r1) nop r6 is neither (r6) r8 := r7 + r0 true nor false (r9) r8 := r7 + r0 (r1) nop (r1) nop (r1) nop (r8) r5 := r0 + r1 (r1) nop (r1) nop (r1) nop (r1) nop

  18. Fork Reconstruction Example (3) (r1) r9 := r8 > r0 (r1) r6 := r8 <= r0 (r1) r9 := r8 > r0 (r1) r7 := r1 + r0 (r1) r6 := r8 <= r0 (r1) nop (r1) r7 := r1 + r0 (r1) nop (r1) nop (r1) nop r6 true r6 false (r6) r8 := r7 + r0 (r9) r8 := r7 + r0 (r1) nop (r1) nop (r1) nop (r8) r5 := r0 + r1 (r1) nop (r1) nop (r1) nop (r1) nop

  19. Fork Reconstruction Example (4) (r1) r9 := r8 > r0 (r1) r6 := r8 <= r0 (r1) r7 := r1 + r0 (r1) r9 := r8 > r0 (r1) nop (r1) r6 := r8 <= r0 (r1) nop (r1) r7 := r1 + r0 (r1) nop r6 true r6 false (r1) nop (r6) r8 := r7 + r0 (r6) r8 := r7 + r0 (r1) nop (r9) r8 := r7 + r0 (r1) nop (r9) r8 := r7 + r0 (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r8) r5 := r0 + r1 (r1) nop (r1) nop (r1) nop (r1) nop

  20. Fork Reconstruction Example (5) (r1) r9 := r8 > r0 (r1) r6 := r8 <= r0 (r1) r7 := r1 + r0 (r1) r9 := r8 > r0 (r1) nop (r1) r6 := r8 <= r0 (r1) nop (r1) r7 := r1 + r0 (r1) nop r6 true r6 false (r1) nop (r6) r8 := r7 + r0 (r6) r8 := r7 + r0 (r1) nop (r9) r8 := r7 + r0 (r1) nop (r9) r8 := r7 + r0 (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r8) r5 := r0 + r1 (r8) r5 := r0 + r1 (r8) r5 := r0 + r1 (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop (r1) nop

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Directives and Control Flow 2 Directives Pseudo-instructions ASSEMBLERS 3 Writing Assembly

Directives and Control Flow 2 Directives Pseudo-instructions ASSEMBLERS 3 Writing Assembly

1 EE 109 Unit 10 Assembler Directives and Control Flow 2 Directives Pseudo-instructions ASSEMBLERS 3 Writing Assembly Code written at the assembly level needs some additional help for specifying certain things Global variables

858 views • 52 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
Graph IRs Control Flow Graphs + The three-address IR looks like assembly language including

Graph IRs Control Flow Graphs + The three-address IR looks like assembly language including

10/31/2012 Graph IRs Control Flow Graphs + The three-address IR looks like assembly language including control transfer Directed Acyclic Graphs instructions. Eliminate storage and calculation redundancy * Labeling or numbering IR statements

290 views • 3 slides
CSE*351:*The*Hardware/So9ware*Interface * * Sec/on*3:*Control*flow,*assembly,*and*Lab*2 *

CSE*351:*The*Hardware/So9ware*Interface * * Sec/on*3:*Control*flow,*assembly,*and*Lab*2 *

University*of* Washington * CSE*351:*The*Hardware/So9ware*Interface * * Sec/on*3:*Control*flow,*assembly,*and*Lab*2 * University*of* Washington * Control*Flow* ! do?while:*a*useful*variaBon*on*the*while*loop* int value; do { value = value

384 views • 15 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
x86 Assembly Programming under Linux 1 2 Control Flow Instructions Data Movement

x86 Assembly Programming under Linux 1 2 Control Flow Instructions Data Movement

x86 Assembly Programming under Linux 1 2 Control Flow Instructions Data Movement Instructions jmp Jump mov Move cmp Compare push Push stack j condition Conditional Jump pop Pop stack call , ret Subroutine

412 views • 13 slides
Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Code injection attacks Code

865 views • 61 slides
Intermediate Representation Abstract syntax tree, control- flow graph, three-address code

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code cs5363 1 Intermediate Code Generation Intermediate language between source and target Multiple machines can be targeted Attaching a

400 views • 19 slides
x86 PROCEDURES (FUNCTIONS) CONTROL FLOW Recall: Two ways to change program control flow

x86 PROCEDURES (FUNCTIONS) CONTROL FLOW Recall: Two ways to change program control flow

x86 PROCEDURES (FUNCTIONS) CONTROL FLOW Recall: Two ways to change program control flow Jump instructions Call instructions Function A unit of code we can call Similar to a jump, except it can return Must

2.43k views • 50 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
HW/SW Codesign Analysis of Control &amp; Data Flow I ECE 522 Control and Data Edges C programs

HW/SW Codesign Analysis of Control &amp; Data Flow I ECE 522 Control and Data Edges C programs

HW/SW Codesign Analysis of Control &amp; Data Flow I ECE 522 Control and Data Edges C programs (and pseudo-code) are often used as prototypes because they represent high-level descriptions of system behavior However, C is sequential and cannot

572 views • 15 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
CS 451 Software Engineering Winter 2009 Yuanfang Cai Room 104, University Crossings

CS 451 Software Engineering Winter 2009 Yuanfang Cai Room 104, University Crossings

CS 451 Software Engineering Winter 2009 Yuanfang Cai Room 104, University Crossings 215.895.0298 yfcai@cs.drexel.edu 1 Drexel University Software Testing Techniques FUNDAMENTALS The goal of testing is to find errors. A good test

253 views • 23 slides
SMT-Style Program Analysis with Value-based Refinements Vijay DSilva Leopold Haller Daniel

SMT-Style Program Analysis with Value-based Refinements Vijay DSilva Leopold Haller Daniel

SMT-Style Program Analysis SMT-Style Program Analysis with Value-based Refinements Vijay DSilva Leopold Haller Daniel Kr oning NSV-3 July 15, 2010 SMT-Style Program Analysis Outline Imprecision and Refinement in Abstract

1.71k views • 108 slides
Data Screening and Missing Value Analysis James H. Steiger Theorem (The Fundamental Theorem of

Data Screening and Missing Value Analysis James H. Steiger Theorem (The Fundamental Theorem of

Data Screening and Missing Value Analysis James H. Steiger Theorem (The Fundamental Theorem of Modern Data Analysis). Storage media are cheap. Data are expensive. Corollary 1. In some cases, the data are priceless. Corollary 2. You will suffer

579 views • 27 slides
Boundary Value Testing Chapter 5 BVT1 Introduction Input domain testing is the most

Boundary Value Testing Chapter 5 BVT1 Introduction Input domain testing is the most

Boundary Value Testing Chapter 5 BVT1 Introduction Input domain testing is the most commonly taught (and perhaps the most commonly used) software testing technique There are a number of approaches to boundary value analysis We

433 views • 20 slides
SQL Workshop Data Types Doug Shook Data Types Four categories String Numeric

SQL Workshop Data Types Doug Shook Data Types Four categories String Numeric

SQL Workshop Data Types Doug Shook Data Types Four categories String Numeric Temporal Other 26 types total 2 Numeric Types The integer data types The decimal data types Type Bytes Type Bytes decimal[(p[,s])]

1.03k views • 62 slides
Off-policy methods with approximation Recall off-policy learning involves two policies One

Off-policy methods with approximation Recall off-policy learning involves two policies One

Chapter 11 Off-policy methods with approximation Recall off-policy learning involves two policies One policy whose value function we are learning the target policy Another policy that is used to select actions the behavior

1.04k views • 35 slides
Sequential Decision Making AIMA Chapters: 17.1, 17.2, 17.3. Sutton and Barto, Reinforcement

Sequential Decision Making AIMA Chapters: 17.1, 17.2, 17.3. Sutton and Barto, Reinforcement

Sequential Decision Making Sequential Decision Making AIMA Chapters: 17.1, 17.2, 17.3. Sutton and Barto, Reinforcement Learning: an Introduction, 2nd Edition: Chapters 3 and 4 Outline Sequential Decision Making Sequential decision

690 views • 41 slides
Reinforcement Learning Part 2 Yingyu Liang yliang@cs.wisc.edu Computer Sciences Department

Reinforcement Learning Part 2 Yingyu Liang yliang@cs.wisc.edu Computer Sciences Department

Reinforcement Learning Part 2 Yingyu Liang yliang@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison [Based on slides from David Page, Mark Craven] Goals for the lecture you should understand the following concepts

314 views • 16 slides

More recommend