
Weighted Pushdown Systems and their Application to Interprocedural Dataflow Analysis Thomas Reps University of Wisconsin GrammaTech, Inc. Joint work with


  • Weighted Pushdown Systems and their Application to Interprocedural Dataflow Analysis. Thomas Reps, University of Wisconsin and GrammaTech, Inc. Joint work with S. Schwoon, S. Jha, and D. Melski.

  • Outline (talk roadmap): from Dataflow Analysis to Interprocedural Dataflow Analysis (the application); from Pushdown Systems to Weighted Pushdown Systems.


  • Intraprocedural Analysis: for a node n reached from enter with initial value V0, MOP(n) = meet of pf_p(V0) over all p ∈ PathsTo[n], where the path function of a path p with edge functions f1, f2, …, fk is the composition pf_p = f_k ∘ f_{k-1} ∘ … ∘ f_2 ∘ f_1.


  • Context-Sensitive Interprocedural Analysis: MOVP(n) = meet of pf_p(V0) over all p ∈ MatchedPathsTo[n]. (Figure: a supergraph path from start to n that passes through call_q, enter_q and exit_q, with edge functions f1 … fk, of which only call/return-matched paths are counted.)

  • An Expanded Set of Queries
      int x;
      void p() {
        if (...) {
          x = x + 1;
          p();        // p_calls_p1
          x = x - 1;
        }
        if (...) {
          x = x - 1;
          p();        // p_calls_p2
          x = x + 1;
        }
        return;
      }
      void main() {
        x = 5;
        p();          // main_calls_p
        return;
      }
    (Figure: x = 5 at main_calls_p.)


  • An Expanded Set of Queries. L1 = , L2 = , L3 = , L4 = (stack languages shown on the slide). MOVP(L) = meet of pf_p(V0) over all c ∈ L and p ∈ MatchedPathsTo[c]; MOVP(n) = meet of pf_p(V0) over all p ∈ MatchedPathsTo[n]; MOVP(L3) = MOVP(L4) = MOVP(enter_p).

  • So What? Who Cares? [Yawn] Virtual inline expansion: value of x in configurations with an even # of calls to p: MOVP(); value of x in configurations with an odd # of calls to p: MOVP().

    Stack-constrained queries: at a breakpoint at n, fetch the stack from the debugger (say S); stack-constrained slicing:

    What are the program elements that could have affected the values used at n, given that we have reached n with stack S?

  • So What? Who Cares? [Yawn] Software model checking: check properties by model checking a CFG encoded as a PDS: SLAM [Ball & Rajamani], MOPS [Chen & Wagner], Meta-Compilation [Engler et al.]. From PDS to WPDS: the GrammaTech software model checker is implemented on top of the WPDS++ library.

  • So What? Who Cares? [Yawn] A convenient framework for implementing interprocedural dataflow analyses: create a weighted PDS from the interprocedural CFG; run either exhaustive or demand-driven dataflow analysis. Used to solve a subproblem needed for recovering the organization of stack frames in x86 executables [Balakrishnan & Reps CC 04].

  • Unrolled Program = Transition System (figure: the unrolled program for procedure p, nodes a–j).

  • Unrolled Program = Transition System (figure: the unrolled program for procedure p, nodes a–f).

  • Pushdown System (PDS). States: { 1, 2, 3, 4 }. Stack symbols: { A, B, C, D }. Transition rules: (figure).


  • Rules Define a Transition Relation

  • Pushdown System (PDS): a PDS is a pushdown automaton without an input tape; it is a mechanism for defining a class of infinite-state transition systems.

  • Supergraph as a PDS (figure: supergraph nodes a–j for procedures p and q, encoded as PDS rules).



  • PDS Terminology. Configuration c. c ⇒ c′ (transition relation): c′ follows from c by a transition rule; c is a predecessor of c′, and c′ is a successor of c. c0 ⇒ c1 ⇒ … ⇒ cn (a run). c ⇒* c′: the reflexive transitive closure of ⇒.

  • A Run (figure: four successive configurations of the transition system for procedure p, nodes a–f).


  • Representing Distributive Functions [POPL 95]. Identity function: f = λV.V, e.g. f({a,b}) = {a,b}. Constant function: f = λV.{b}, e.g. f({a,b}) = {b}. (Figure: representation graphs over the facts a, b, c.)

  • Representing Distributive Functions [POPL 95]. Gen/Kill function: f = λV.(V − {b}) ∪ {c}, e.g. f({a,b}) = {a,c}. Non-Gen/Kill function: f = λV. if a ∈ V then V ∪ {b} else V − {b}, e.g. f({a,b}) = {a,b}.

  • (Figure: example configurations over the program points [start], [x = 3] and [p(x,y)], with dataflow facts x and y on the stack.)

  • (Figures: an automaton M and its pre*(M); an automaton M and its post*(M).)

  • Representation Issue: the set of configurations pre*(S) can be infinite. Example: pre*({ }) = { A^i | i ≥ 1 }. Solution in the PDS literature: represent a set of configurations with an automaton.

  • From M to Pre*(M)

  • Observation: for IFDS problems (Reps, Horwitz, & Sagiv [POPL 95]), the PDS literature provides a solution to the MOVP problem: Bouajjani, Esparza, & Maler [Concur 97]; Esparza et al. [CAV 00].

    But . . . some problems are not IFDS: linear constants [Sagiv, Reps, & Horwitz 96]; affine relations [Müller-Olm & Seidl 03].

  • Outline (talk roadmap): from Dataflow Analysis to Interprocedural Dataflow Analysis (the application); from Pushdown Systems to Weighted Pushdown Systems.

  • Weighted Pushdown System (WPDS). States: { 1, 2, 3, 4 }. Stack symbols: { A, B, C, D }. Transition rules: as for the PDS, but each rule now carries a weight w1, w2, w3, … (figure).

  • Idempotent Semiring (D, ⊕, ⊗, 0, 1) [= Meet Semilattice (D, ⊓, …)]: a ⊕ 0 = a; a ⊕ b = b ⊕ a; a ⊕ (b ⊕ c) = (a ⊕ b) ⊕ c; a ⊕ a = a; a ⊗ 1 = a; a ⊗ (b ⊗ c) = (a ⊗ b) ⊗ c; a ⊗ (b ⊕ c) = (a ⊗ b) ⊕ (a ⊗ c); (a ⊕ b) ⊗ c = (a ⊗ c) ⊕ (b ⊗ c); a ⊗ 0 = 0 ⊗ a = 0; a ⊑ b iff a ⊕ b = a.

  • (Figures: an automaton M_root and post*(M_root); reading off the weight W of a node n from post*(M_root); the weighted automaton pre*(M) built from M.)
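The automaton-based pre* construction sketched above (Representation Issue, WPDS rules with weights, and the semiring axioms) as an added example; this is not the talk's or the WPDS++ library's code. It assumes the min-plus semiring (combine = min as the meet over runs, extend = +) and a small constructed WPDS whose A rule pushes a return point B.

```python
from math import inf
from functools import reduce

# Added example, not the talk's code. Assumed semiring: min-plus, i.e.
# combine = min (the meet over runs), extend = +, 0 = inf, 1 = 0.
ZERO, ONE = inf, 0
def combine(a, b): return min(a, b)
def extend(a, b): return a + b

def read(trans, start, word):
    """All (state, weight) pairs reached from `start` by reading `word`."""
    ends = [(start, ONE)]
    for sym in word:
        ends = [(q, extend(l, l2)) for s, l in ends
                for (s2, a, q), l2 in trans.items() if (s2, a) == (s, sym)]
    return ends

def pre_star(rules, auto):
    """Saturate P-automaton `auto` ({(q, sym, q'): weight}) to accept pre*(C).
    Rule (p, sym, p', w, f) means <p, sym> -> <p', w> with weight f, |w| <= 2."""
    trans = dict(auto)
    changed = True
    while changed:                      # terminates: min-plus has no infinite descents
        changed = False
        for p, g, p2, w, f in rules:
            for q, l in read(trans, p2, w):   # t(p,g,q) := t(p,g,q) (+) f (x) l
                old = trans.get((p, g, q), ZERO)
                new = combine(old, extend(f, l))
                if new != old:
                    trans[(p, g, q)] = new
                    changed = True
    return trans

def weight_of(trans, p, stack, accepting):
    """delta(<p, stack>): combine over all accepting runs of the saturated automaton."""
    runs = [l for q, l in read(trans, p, stack) if q in accepting]
    return reduce(combine, runs, ZERO)

# Constructed WPDS (not from the slides): one control location p; A behaves like a
# call site that pushes return point B; every rule costs 1.
RULES = [("p", "A", "p", ("B", "A"), 1),   # <p,A> -> <p,B A>  (call: push)
         ("p", "B", "p", (), 1),            # <p,B> -> <p,eps>  (return: pop)
         ("p", "A", "p", ("C",), 1)]        # <p,A> -> <p,C>    (step)
TARGET = {("p", "C", "acc"): ONE}           # target set C = {<p, C>} as a P-automaton
ACCEPT = {"acc"}

def demo():
    """Cheapest number of transitions from each configuration <p, stack> into C."""
    trans = pre_star(RULES, TARGET)
    return {s: weight_of(trans, "p", s, ACCEPT) for s in ("C", "A", "BA", "BBA", "B")}
```

A configuration is in pre*(C) exactly when its weight is finite, so the same saturation answers the unweighted reachability question; with the single pop rule ⟨p,A⟩ → ⟨p,ε⟩ and target {⟨p,A⟩} it accepts every ⟨p, A^i⟩ with i ≥ 1, the infinite set from the Representation Issue slide.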


  • Correctness Argument: characterize certain sequences of PDS transitions using grammar flow analysis (GFA). A pop sequence is a net pop of one symbol; the nonterminal PS(p,A,q) stands for the pop sequences that take ⟨p,A⟩ to q (the automaton transition p –A→ q). E.g., for each rule ⟨p,A⟩ → ⟨p′,A′⟩ with weight w there is a production PS(p,A,q) ::= PS(p′,A′,q) [λx. w ⊗ x]. The automaton construction corresponds to finding the productive nonterminals, and the coincidence theorem for GFA yields correct weights.

  • An Application: analysis of x86 code with no use of debugging information. Subgoal: discover affine relations on registers.

  • Difficulties with Object Code. Source program (the loop header and the end of main are cut off in the source; they are reconstructed here from the assembly listing below):
      int main() {
        int i, j, a[10];
        j = 0;
        for (i = 0; i < 10; i++)   /* bound recovered from "cmp ebx, 10" */
          a[i] = i;
        return 0;
      }
  • Problems with Widening. Stack layout after "sub esp, 44": int a[10] (40 bytes) at esp … esp+39, int j (4 bytes) at esp+40, rest of stack above. The slide highlights the affine relation ecx = esp + 4*ebx + 4.
      ; ebx corresponds to variable i
      sub esp, 44
      mov [esp+40], 0   ; j = 0
      xor ebx, ebx      ; i = 0
      lea ecx, [esp]
      loc_9:
      mov [ecx], ebx    ; a[i] = i
      inc ebx           ; i++
      add ecx, 4
      cmp ebx, 10       ; i < 10  (listing truncated here in the source)
  • Affine-Relation Analysis. An affine relation over variables r1, r2, …, rn with integer constants a0, a1, …, an is a0 + Σ_{i=1..n} (a_i r_i) = 0. Interprocedural affine-relation analysis [Müller-Olm & Seidl 04] is a flow-sensitive and context-sensitive problem; their algorithm solves a constraint system. Our application: r1, r2, …, r8 are the x86 registers, and the constraint system becomes a WPDS.

  • Performance. Running time: linear in program size; the constant of proportionality is k^8 (only 8 registers, so the operations are on 9 × 9 matrices).

    Program    nInsts / nProcs / Time (s)  (the three numeric columns are run together in the source)
    print      75539697.77
    finger     961238937.13
    winhlp32   157634649117.32
    regsvr32   225857962537.15
    cmd        230481231752.38
    notepad    239408291141.85

  • Contributions. Algorithms for the generalized pushdown reachability problem:

    MOVP(L) = meet of pf_p(V0) over all c ∈ L and p ∈ MatchedPathsTo[c]

    Running time: O(|Q|² × |PDS| × H). [Sound solutions for non-distributive dataflow problems.] Differential propagation algorithms, too. Construction of witness trees (optional).

  • Second Topic. Program analysis: T. Reps, S. Schwoon, and S. Jha, Weighted pushdown systems and their application to interprocedural dataflow analysis, SAS 03. Authorization problems: S. J