quantifying dataflow analysis with gradients in llvm
play

Quantifying Dataflow Analysis with Gradients in LLVM Gabriel Ryan 1 - PowerPoint PPT Presentation

Dec 02, 2022 •353 likes •786 views

Quantifying Dataflow Analysis with Gradients in LLVM Gabriel Ryan 1 , Abhishek Shah 1 , Dongdong She 1 , Koustubha Bhat 2 , Suman Jana 1 1: Columbia University 2: Vrije Universiteit 1 Dataflow Analysis 2 Dataflow Analysis Is there a dataflow

  1. Quantifying Dataflow Analysis with Gradients in LLVM Gabriel Ryan 1 , Abhishek Shah 1 , Dongdong She 1 , Koustubha Bhat 2 , Suman Jana 1 1: Columbia University 2: Vrije Universiteit 1

  2. Dataflow Analysis 2

  3. Dataflow Analysis Is there a dataflow between variables x and z? 3

  4. Dataflow Analysis Is there a dataflow between variables x and z? Vulnerability Analysis 4

  5. Dataflow Analysis Common building block for program analysis 5

  6. Dynamic Taint Analysis (DTA) 6

  7. Dynamic Taint Analysis (DTA) Dataflow Encoding - Boolean labels represent absence or presence of taint 7

  8. Dynamic Taint Analysis (DTA) Dataflow Encoding - Boolean labels represent absence or presence of taint Per-operation rules propagate taint - Example Rule for Add/Subtract operation: - If input operands carry taint, output operand carries taint too 8

  9. Limitation 1: Imprecise Rules 9

  10. Limitation 1: Imprecise Rules Subtraction rule introduces false positives - z is incorrectly tainted as x - x is zero (i.e. no dataflow from x to z) 10

  11. Limitation 2: Boolean Taint Labels Boolean taint labels cannot - Quantify dataflows between x and z - Order amount of influence of each dataflow 11

  12. Gradients 12

  13. New Approach to Dataflow Analysis Key Insight - Gradients track influence of inputs on outputs 13

  14. New Approach to Dataflow Analysis Key Insight - Gradients track influence of inputs on outputs Why gradients? - Gradients quantify dataflows - Precise composition and rules over differentiable operations due to chain rule of calculus 14

  15. Problem: Nondifferentiable Operator Programs contain nondifferentiable operators - int f(int x) { Bitwise And return x & 4 } 15

  16. Problem: Nondifferentiable Operator Programs contain nondifferentiable operators - int f(int x) { Bitwise And return x & 4 } 16

  17. Solution: Proximal Gradients How to compute gradient of nondifferentiable operator? - Proximal gradients find local minima in region to approximate the gradient 17

  18. Solution: Proximal Gradients How to compute gradient of nondifferentiable operator? - Proximal gradients find local minima in region to approximate the gradient 18

  19. Solution: Proximal Gradients How to compute gradient of nondifferentiable operator? - Proximal gradients find local minima in region to approximate the gradient 19

  20. Solution: Proximal Gradients How to compute gradient of nondifferentiable operator? - Proximal gradients find local minima in region to approximate the gradient Why Proximal Gradients? - Region can be bounded to make computation tractable 20

  21. Implementation Proximal Gradient Analysis implemented in LLVM - Based on DataFlowSanitizer, LLVM’s state-of-the-art DTA tool 21

  22. Implementation Proximal Gradient Analysis implemented in LLVM - Based on DataFlowSanitizer, LLVM’s state-of-the-art DTA tool 22

  23. Implementation Proximal Gradient Analysis implemented in LLVM - Based on DataFlowSanitizer, LLVM’s state-of-the-art DTA tool Main idea 1 (instrumentation) - Instrument operations to propagate gradients 23

  24. Implementation Proximal Gradient Analysis implemented in LLVM - Based on DataFlowSanitizer, LLVM’s state-of-the-art DTA tool Main idea 1 (instrumentation) - Instrument operations to propagate gradients Main idea 2 (gradient storage) - Store gradients for each variable in shadow memory 24

  25. Example LLVM IR int x; int z; z = x + x; 25

  26. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; z = x + x; 26

  27. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; /* load operations */ z = x + x; %2 = load i16, i16* %0 %3 = load i32, i32* %x, align 4 %4 = load i16, i16* %0 %5 = load i32, i32* %x, align 4 27

  28. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; /* load operations */ z = x + x; %2 = load i16, i16* %0 %3 = load i32, i32* %x, align 4 %4 = load i16, i16* %0 %5 = load i32, i32* %x, align 4 /* add instruction */ %6 = call zeroext i16 @__dfsan_union(...%2, %3, %4, %5…) %add = add nsw i32 %3, %5 // z = x + x; store i16 %6, i16* %1 store i32 %add, i32* %z, align 4 28

  29. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; /* load operations */ z = x + x; %2 = load i16, i16* %0 %3 = load i32, i32* %x, align 4 %4 = load i16, i16* %0 %5 = load i32, i32* %x, align 4 /* add instruction */ %6 = call zeroext i16 @__dfsan_union(...%2, %3, %4, %5…) %add = add nsw i32 %3, %5 // z = x + x; store i16 %6, i16* %1 store i32 %add, i32* %z, align 4 29

  30. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; /* load operations */ z = x + x; %2 = load i16, i16* %0 %3 = load i32, i32* %x, align 4 %4 = load i16, i16* %0 %5 = load i32, i32* %x, align 4 /* add instruction */ %6 = call zeroext i16 @__dfsan_union(...%2, %3, %4, %5…) %add = add nsw i32 %3, %5 // z = x + x; store i16 %6, i16* %1 store i32 %add, i32* %z, align 4 30

  31. Example LLVM IR /* variable allocation */ int x; %0 = alloca i16 // x_shadow %x = alloca i32, align 4 // int x; int z; %1 = alloca i16 // z_shadow %z = alloca i32, align 4 // int z; /* load operations */ z = x + x; %2 = load i16, i16* %0 %3 = load i32, i32* %x, align 4 %4 = load i16, i16* %0 %5 = load i32, i32* %x, align 4 /* add instruction */ %6 = call zeroext i16 @__dfsan_union(...%2, %3, %4, %5…) %add = add nsw i32 %3, %5 // z = x + x; store i16 %6, i16* %1 store i32 %add, i32* %z, align 4 31

  32. Instrumentation: Compile-time Instrument operations with InstVisitor class - For example, visitBinaryOperator () inserts a call to runtime library that computes gradient dynamically based on opcode 32

  33. Instrumentation: Compile-time Instrument operations with InstVisitor class - For example, visitBinaryOperator () inserts a call to runtime library that computes gradient dynamically based on opcode What if operations cannot be instrumented? - Create wrapper for original function that propagates dataflow - Instrumentation inserts a call to wrapper instead of original function 33

  34. Instrumentation: Compile-time Instrument operations with InstVisitor class - For example, visitBinaryOperator () inserts a call to runtime library that computes gradient dynamically based on opcode What if operations cannot be instrumented? - Create wrapper for original function that propagates dataflow - Instrumentation inserts a call to wrapper instead of original function Similarly instrument functions and their arguments 34

  35. Instrumentation: Runtime Dynamically propagate dataflow - Bitwise And operation instrumentation finds proximal gradient with concrete values 35

  36. Instrumentation: Runtime Dynamically propagate dataflow - Bitwise And operation instrumentation finds proximal gradient with concrete values Minimal runtime overhead - Based on compile-time instrumentation vs runtime instrumentation 36

  37. Gradient Storage: Shadow Memory 37

  38. Gradient Storage: Shadow Memory 38

  39. Gradient Storage: Shadow Memory Gradient sharing with indirection - Every variable has associated shadow memory with label - Label indexes into a table holding data structure - Enables sharing gradients across multiple variables 39

  40. Evaluation: Accuracy Better accuracy on 7 real-world parser programs - Our tool (grsan) achieves up to 33% better dataflow accuracy than DataFlowSanitizer (dfsan) 40

  41. Evaluation: Bug Finding We find 23 previously undiscovered bugs - Track gradients for arguments to known vulnerable operations such as bitwise and memory copy operators - As an example, we altered an input byte with high gradient to a shift operator to trigger an overflow 41

  42. Key Takeaways DataflowSanitizer enables many dynamic analyses - Our dynamic analysis propagates gradients with minimal changes Nonsmooth optimization and program analysis connections 42

  43. Quantifying Dataflow Analysis with Gradients in LLVM Gabriel Ryan 1 , Abhishek Shah 1 , Dongdong She 1 , Koustubha Bhat 2 , Suman Jana 1 1: Columbia University 2: Vrije Universiteit 43

Recommend

LLVM-based dynamic dataflow compila6on for heterogeneous targets V. Ducrot, K. Juilly, S.Monot,

LLVM-based dynamic dataflow compila6on for heterogeneous targets V. Ducrot, K. Juilly, S.Monot,

LLVM-based dynamic dataflow compila6on for heterogeneous targets V. Ducrot, K. Juilly, S.Monot, AS+ Groupe Eolen G. Bayle Des Courchamps T. Goubier CEA List /DACLE /LCE Benoit Da Mota Anger University Donnons de la suite vos ides

337 views • 17 slides
CO444H Dataflow Dataflow frameworks Ben Livshits Masters Projects Available 1. Crashes to

CO444H Dataflow Dataflow frameworks Ben Livshits Masters Projects Available 1. Crashes to

Static analysis CO444H Dataflow Dataflow frameworks Ben Livshits Masters Projects Available 1. Crashes to exploits 2. Pointer analysis for JavaScript 3. Private data management languages 4. Programming robots to assemble IKEA furniture

897 views • 57 slides
LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM

LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM

A unique processor architecture meeting LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM devroom Compiling with LLVM High-Level Programming Language LLVM LLVM Front-end LLVM Assembly / IR LLVM

434 views • 22 slides
Modular Dataflow Analysis Aivar Annamaa Feb. 23 rd , 2010 Based on: Rountev, Sharp, Xu, 2008

Modular Dataflow Analysis Aivar Annamaa Feb. 23 rd , 2010 Based on: Rountev, Sharp, Xu, 2008

Modular Dataflow Analysis Aivar Annamaa Feb. 23 rd , 2010 Based on: Rountev, Sharp, Xu, 2008 IDE Dataflow Analysis in the Presence of Large Object-Oriented Libraries Problem Interprocedural analyses are usually too slow can take

576 views • 26 slides
Dataflow Analysis

Dataflow Analysis

Dataflow Analysis Jonathan Aldrich

1.19k views • 93 slides
Dataflow analysis First example (analysis #1) Available expressions Michel Schinz Advanced

Dataflow analysis First example (analysis #1) Available expressions Michel Schinz Advanced

Dataflow analysis First example (analysis #1) Available expressions Michel Schinz Advanced compiler construction, 2008-05-09 Common subexp. elimination Available expressions The following C program fragment sets r to x y for y > 0. How can

672 views • 10 slides
llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1

llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1

llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1 February 3, 2019 1 eush77@gmail.com Introduction llvm.mix Binding-Time Analysis Dynamic Control Examples Summary Interpreters and Compilers

1.33k views • 62 slides
Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM

Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM

Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM There are two possible goals Run LLVM tools on OS Generate code for OS / CPU architecture Mission is to run LLVM on previously unsupported

603 views • 11 slides
Quantifying Uncertainty in Engineering Analysis Mike Giles and Devendra Ghate

Quantifying Uncertainty in Engineering Analysis Mike Giles and Devendra Ghate

Quantifying Uncertainty in Engineering Analysis Mike Giles and Devendra Ghate giles@comlab.ox.ac.uk Oxford University Computing Laboratory Quantifying Uncertainty p. 1/18 Motivation Engineering analysis assumes perfect knowledge of the

500 views • 18 slides
EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last lecture. . . Uses of Program Analysis Static vs. Dynamic Program Analysis Soundness, Precision, Termination Abstraction and Simplification

4.44k views • 52 slides
Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1 Optimization And Analysis Improving efficiency of generated code Correctness: optimized code must preserve meaning of the original program

467 views • 31 slides
The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are

The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are

The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are LLVM, Clang, and Flang? How is LLVM Being Improved for HPC. What Facilities for Tooling Exist in LLVM? Opportunities for the Future!

572 views • 38 slides
More dataflow analysis CSE 501 Spring 15 Reaching Defini=ons

More dataflow analysis CSE 501 Spring 15 Reaching Defini=ons

More dataflow analysis CSE 501 Spring 15 Reaching Defini=ons Summary LaAce Sets of defini=ons represented by bit-vectors Transfer func=on OUT[B] =

670 views • 39 slides
Blended Conditional Gradients: The unconditioning of conditional gradients Joint work with Gabor

Blended Conditional Gradients: The unconditioning of conditional gradients Joint work with Gabor

Blended Conditional Gradients: The unconditioning of conditional gradients Joint work with Gabor Braun, Sebastian Pokutta, Steve Wright Dan Tu 1/9 CONDITIONAL GRADIENTS: PROJECTION-FREE Given a polytope ! , solve the optimization problem: min

109 views • 9 slides
Dataflow Analysis 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich

Dataflow Analysis 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich

Dataflow Analysis 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich Overview: Analyses Weve

397 views • 24 slides
LLVM/Clang Mouna Abidi & Manel Grichi 1 Plan What is LLVM? How will you be using it?

LLVM/Clang Mouna Abidi & Manel Grichi 1 Plan What is LLVM? How will you be using it?

LLVM/Clang Mouna Abidi & Manel Grichi 1 Plan What is LLVM? How will you be using it? LLVM Architecture Compiler Simple case study Conclusion 2 What is LLVM? Low Level Virtual Machine Modern Compiler

1.34k views • 19 slides
LLVM Binutils BoF 2019 EuroLLVM Developers' Meeting James Henderson (SN Systems) Jordan

LLVM Binutils BoF 2019 EuroLLVM Developers' Meeting James Henderson (SN Systems) Jordan

LLVM Binutils BoF 2019 EuroLLVM Developers' Meeting James Henderson (SN Systems) Jordan Rupprecht (Google) Introduction LLVM binary utilities (aka binutils) include: llvm-readobj/llvm-readelf llvm-objdump llvm-objcopy

352 views • 8 slides
Compiler Optimisation 4 Dataflow Analysis Hugh Leather IF 1.18a hleather@inf.ed.ac.uk

Compiler Optimisation 4 Dataflow Analysis Hugh Leather IF 1.18a hleather@inf.ed.ac.uk

Compiler Optimisation 4 Dataflow Analysis Hugh Leather IF 1.18a hleather@inf.ed.ac.uk Institute for Computing Systems Architecture School of Informatics University of Edinburgh 2019 Introduction This lecture: Data flow termination

622 views • 40 slides
Dataflow analysis Discovering Global Live Ranges of Variables cs4713 1 Optimization and

Dataflow analysis Discovering Global Live Ranges of Variables cs4713 1 Optimization and

Dataflow analysis Discovering Global Live Ranges of Variables cs4713 1 Optimization and analysis Requirement for optimizations Correctness (safety) must preserve the meaning of the input computation Profitability must

251 views • 10 slides
Naiad (Timely Dataflow) & Streaming Systems CS 848: Models and Applications of Distributed

Naiad (Timely Dataflow) & Streaming Systems CS 848: Models and Applications of Distributed

Naiad (Timely Dataflow) & Streaming Systems CS 848: Models and Applications of Distributed Data Systems Mon, Nov 7th 2016 Amine Mhedhbi What is Timely Dataflow ?! What is its significance? Dataflow ?! Dataflow?! Dataflow?!

1.08k views • 70 slides
Outline Last time Image gradients Seam carving gradients as energy Edges

Outline Last time Image gradients Seam carving gradients as energy Edges

CS 376 Spring 2018 - Lecture 4 1/30/2018 Outline Last time Image gradients Seam carving gradients as energy Edges and binary images Today Tues Jan 30, 2018 Gradients edges and contours Kristen Grauman

647 views • 20 slides
CS453 INTRODUCTION TO DATAFLOW ANALYSIS CS453 Lecture Register allocation using liveness

CS453 INTRODUCTION TO DATAFLOW ANALYSIS CS453 Lecture Register allocation using liveness

CS453 INTRODUCTION TO DATAFLOW ANALYSIS CS453 Lecture Register allocation using liveness analysis 1 Introduction to Data-flow analysis Last Time Register allocation for expression trees and local and param vars Today Register

412 views • 19 slides
Symbolic Execution Saswat Anand 22/09/2009 Limitation of Dataflow Analysis if(p < 10) i =10

Symbolic Execution Saswat Anand 22/09/2009 Limitation of Dataflow Analysis if(p < 10) i =10

Symbolic Execution Saswat Anand 22/09/2009 Limitation of Dataflow Analysis if(p < 10) i =10 x = 1 Is the DU pair involving variables I real? if(p > 10) No, because the path is infeasible. x=x+1 j = i+1 1 Outline Background

462 views • 12 slides
Foundations of pred(n) = set of all immediate predecessors of n Dataflow Analysis

Foundations of pred(n) = set of all immediate predecessors of n Dataflow Analysis

Terminology: Program Representation Control Flow Graph: P3 / 2006 Nodes N statements of program Edges E flow of control Foundations of pred(n) = set of all immediate predecessors of n Dataflow Analysis succ(n) = set

377 views • 12 slides

More recommend