WCET'2007 Analysing Switch-Case Tables by Partial Evaluation Niklas Holsti Tidorum Ltd www.tidorum.fi Tid rum WCET 2007, Pisa, 2007-07-03 page 1 of 27
From binary file to control-flow graph Binary Control- memory flow image graph Start address WCET analysis ? ? Problem: dynamic transfer of control, DTC for example jump via register Tid rum WCET 2007, Pisa, 2007-07-03 page 2 of 27
Overview ● Analysing DTC from a switch-case statement ● When compiled into a switch table interpreted by a switch handler routine ● Partial evaluation (PE) of switch handler ● Example Tid rum WCET 2007, Pisa, 2007-07-03 page 3 of 27
Switch tables and switch handlers Switch-case statement Switch table switch (k) { A constant table that maps case 4: ... index value to code address: case 8: case 9: case 11: ... 4 → A: <case 4> default: ... } 8, 9, 11 → B: <case 8, 9, 11> others → C: <default> Various forms of switch tables ● – depending on compiler, index type, dense/sparse, ... Compiler generates: ● – switch table T – call or jump to switch handler (Table ⇒ T, Index ⇒ k) Switch handler ● – looks up Index in Table ● jumps to that case using DTC Tid rum WCET 2007, Pisa, 2007-07-03 page 4 of 27
One handler – many switches Code Code Code Foo Bar Call Call (T1, Ind1) (T2, Ind2) Handler Switch Switch T1 T2 Table Table Cases Cases DTC in T1 in T2 Tid rum WCET 2007, Pisa, 2007-07-03 page 5 of 27
A real switch handler IAR compiler for Atmel AVR Same handler for many index ● types (8, 16, 32 bits) Complex table structure ● – entries of variable length DTC Tid rum WCET 2007, Pisa, 2007-07-03 page 6 of 27
Partial Evaluation of switch handlers Switch handler Residual switch Partially evaluate for any Table handler for table T the switch handler and any Index and any Index with respect to the known Call Call switch table T for a given switch-case Table statement Index Index? Index else 8 4 9 Table T 11 DTC Index Addr 4 A A B C 8,9,11 B Addresses default C DTC is resolved defined in into static jumps the Table Tid rum WCET 2007, Pisa, 2007-07-03 page 7 of 27
Eureka ● The analysis “runs” the switch handler ● The switch handler itself decodes the switch table Tid rum WCET 2007, Pisa, 2007-07-03 page 8 of 27
The example ● Here shown on a symbolic level – paper shows AVR machine code ● Partial Evaluation as implemented in Bound-T – on the fly while building flow-graph – data state: some variables bound to constants Tid rum WCET 2007, Pisa, 2007-07-03 page 9 of 27
Simple 8-bit switch table & handler Mask Match Address switch (k) { 255 4 <case 4> case 4: ... 254 8 <case 8,9,11> case 8: case 9: case 11: ... 255 11 <case 8,9,11> default: ... } 0 0 <default> SwHandler parameters: - pointer Tp to switch table - 8-bit Index (k) of switch-case DTC = ? (Index and Tp.Mask) = Tp.Match ? Jump to Tp.Address ≠ Advance Tp to next entry Tid rum WCET 2007, Pisa, 2007-07-03 page 10 of 27
0. Detect invocation of switch handler Flow graph (1 node so far) Mask Match Address Tp 255 4 <case 4> Tp := addr (T[0]) 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Aha! Entering switch handler! Start PE with initial data-state ● Tp → T [0] Expand SwHandler “in-line” ● Tid rum WCET 2007, Pisa, 2007-07-03 page 11 of 27
1. Add first step in SwHandler , with data state Mask Match Address Tp 255 4 <case 4> Tp := addr (T[0]) 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Tp → T [0] (Index and Tp.Mask) = Tp.Match ? Tid rum WCET 2007, Pisa, 2007-07-03 page 12 of 27
2. Partially evaluate wrt data state Mask Match Address Tp 255 4 <case 4> Tp := addr (T[0]) 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Tp → T [0] Index = 4 ? Tid rum WCET 2007, Pisa, 2007-07-03 page 13 of 27
3. Generate successors (PC, data state) & add Mask Match Address Tp 255 4 <case 4> Tp := addr (T[0]) 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Tp → T [0] Tp → T [0] = DTC Index = 4 ? Jump to Tp.Address ≠ Tp → T [0] Advance Tp to next entry Tid rum WCET 2007, Pisa, 2007-07-03 page 14 of 27
4a. Partially evaluate wrt data state Mask Match Address Tp 255 4 <case 4> Tp := addr (T[0]) 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Tp → T [0] Tp → T [0] = DTC resolved Index = 4 ? Jump to <case 4> PE ends on this path ≠ CFG building continues Tp → T [0] (shown later) Advance Tp to next entry Tid rum WCET 2007, Pisa, 2007-07-03 page 15 of 27
4b. Partially evaluate wrt data state Mask Match Address Tp 255 4 <case 4> Tp := addr (T[0]) 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Tp → T [0] Tp → T [0] = Index = 4 ? Jump to <case 4> ≠ Tp → T [0] Tp := addr (T[1]) New data state: Tp → T [1] Tid rum WCET 2007, Pisa, 2007-07-03 page 16 of 27
Generate successors: can we loop? Mask Match Address 255 4 <case 4> Tp := addr (T[0]) Tp 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Tp → T [0] Tp → T [0] = Index = 4 ? Jump to <case 4> ≠ Tp → T [0] Cannot create loop because Tp := addr (T[1]) the data state is different New data state: Tp → T [1] Tid rum WCET 2007, Pisa, 2007-07-03 page 17 of 27
5. Generate successors (PC, data state) & add Mask Match Address 255 4 <case 4> Tp := addr (T[0]) Tp 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Tp → T [0] Tp → T [0] = Index = 4 ? Jump to <case 4> ≠ Tp → T [0] Tp := addr (T[1]) Tp → T [1] Loop expands (unrolls) itself (Index and Tp.Mask) = Tp.Match ? Tid rum WCET 2007, Pisa, 2007-07-03 page 18 of 27
6. Partially evaluate wrt data state Mask Match Address 255 4 <case 4> Tp := addr (T[0]) Tp 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Tp → T [0] Tp → T [0] = Index = 4 ? Jump to <case 4> ≠ Tp → T [0] Tp := addr (T[1]) Tp → T [1] (Index and 254) = 8 ? Tid rum WCET 2007, Pisa, 2007-07-03 page 19 of 27
7. Generate successors (PC, data state) & add Mask Match Address 255 4 <case 4> Tp := addr (T[0]) Tp 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Tp → T [0] Tp → T [0] = Index = 4 ? Jump to <case 4> ≠ Tp → T [0] Tp := addr (T[1]) Tp → T [1] Tp → T [1] = DTC (Index and 254) = 8 ? Jump to Tp.Address ≠ Tp → T [1] Advance Tp to next entry Tid rum WCET 2007, Pisa, 2007-07-03 page 20 of 27
8. Partially evaluate wrt data state, etc. Mask Match Address 255 4 <case 4> Tp := addr (T[0]) Tp 254 8 <case 8,9,11> Index := k invoke SwHandler 255 11 <case 8,9,11> 0 0 <default> Tp → T [0] Tp → T [0] = Index = 4 ? Jump to <case 4> ≠ Tp → T [0] Tp := addr (T[1]) Tp → T [1] Tp → T [1] = DTC resolved (Index and 254) = 8 ? Jump to <case 8,9,11> ≠ Tp → T [1] Tp := addr (T[2]) ... and so on ... Tid rum WCET 2007, Pisa, 2007-07-03 page 21 of 27
n. Add successors for last table entry Mask Match Address 255 4 <case 4> ≠ 254 8 <case 8,9,11> Tp → T [2] 255 11 <case 8,9,11> Tp Tp := addr (T[3]) 0 0 <default> Tp → T [3] (Index and Tp.Mask) = Tp.Match ? Tid rum WCET 2007, Pisa, 2007-07-03 page 22 of 27
n+1. Partially evaluate wrt data state Mask Match Address 255 4 <case 4> ≠ 254 8 <case 8,9,11> Tp → T [2] 255 11 <case 8,9,11> Tp Tp := addr (T[3]) 0 0 <default> Tp → T [3] 0 = 0 ? Tid rum WCET 2007, Pisa, 2007-07-03 page 23 of 27
n+2. Generate & add feasible successors Mask Match Address 255 4 <case 4> ≠ 254 8 <case 8,9,11> Tp → T [2] 255 11 <case 8,9,11> Tp Tp := addr (T[3]) 0 0 <default> = Tp → T [3] Tp → T [3] (true) DTC 0 = 0 ? Jump to Tp.Address ≠ (false) Tid rum WCET 2007, Pisa, 2007-07-03 page 24 of 27
n+3. Partially evaluate wrt data state Mask Match Address 255 4 <case 4> ≠ 254 8 <case 8,9,11> Tp → T [2] 255 11 <case 8,9,11> Tp Tp := addr (T[3]) 0 0 <default> Tp → T [3] Tp → T [3] DTC resolved 0 = 0 ? Jump to <default> All paths end with resolved DTC ● Expansion of switch handler completed ● – for this switch-case statement Tid rum WCET 2007, Pisa, 2007-07-03 page 25 of 27
Recommend
More recommend