streamlining control flow graph construction with dcflow
play

Streamlining Control-Flow Graph Construction with DCFlow Mark Hills - PowerPoint PPT Presentation

Jan 10, 2024 •217 likes •512 views

Streamlining Control-Flow Graph Construction with DCFlow Mark Hills 7th International Conference on Software Language Engineering (SLE 2014) September 15-16, 2014 Vsters, Sweden http://www.rascal-mpl.org 1 Say you need a control flow

  1. Streamlining Control-Flow Graph Construction 
 with DCFlow Mark Hills 7th International Conference on Software Language Engineering (SLE 2014) September 15-16, 2014 Västerås, Sweden http://www.rascal-mpl.org 1

  2. Say you need a control flow graph… entry entry 3 x true false 3 x := 3 x := 3 10 15 x false true y := 10 y := 15 15 10 y := 15 y := 10 exit exit 2

  3. First, define the basics! entry 3 x • Nodes true false x := 3 10 15 y := 10 y := 15 exit 3

  4. 
 First, define the basics! entry 3 x • Nodes true false x := 3 10 15 • Edges 
 y := 10 y := 15 exit 4

  5. 
 First, define the basics! entry 3 x • Nodes true false x := 3 10 15 • Edges 
 (maybe with labels) y := 10 y := 15 exit 5

  6. 
 First, define the basics! entry 3 x • Nodes true false x := 3 10 15 • Edges 
 (maybe with labels) y := 10 y := 15 • Graphs (maybe with extra info, 
 exit not just nodes and edges) 6

  7. CFG basics, for Pico (example from Rascal library) • Four types of nodes: entry, exit, choice, and statement nodes • Implicit edges based on graph over nodes, no labels • Explicit tracking of entry and exit nodes public data CFNode = entry(loc location) | exit() | choice(loc location, EXP exp) | statement(loc location, STATEMENT stat); alias CFGraph = tuple[set[CFNode] entry, Graph[CFNode] graph, set[CFNode] exit]; 7

  8. Second, define the control flow • Flow based on semantics of each construct • May have a lot of boilerplate code CFGraph cflowStat(s:asgStat(PicoId Id, EXP Exp)) { S = statement(s@location, s); return <{S}, {}, {S}>; } CFGraph cflowStat(ifElseStat(EXP Exp, list[STATEMENT] Stats1, list[STATEMENT] Stats2)){ CF1 = cflowStats(Stats1); CF2 = cflowStats(Stats2); E = {choice(Exp@location, Exp)}; return < E, (E * CF1.entry) + (E * CF2.entry) + CF1.graph + CF2.graph, CF1.exit + CF2.exit >; } 8

  9. Third (optional), do something useful with it! public rel[stat, def] reachingDefinitions( rel[stat,var] DEFS, rel[stat,stat] PRED) { set[stat] STATEMENT = carrier(PRED); rel[stat,def] DEF = definition(DEFS); rel[stat,def] KILL = kill(DEFS); rel[stat,def] IN = {}; rel[stat,def] OUT = DEF; solve (IN, OUT) { IN = {<S, D> | int S <- STATEMENT, stat P <- predecessors(PRED,S), def D <- OUT[P]}; OUT = {<S, D> | int S <- STATEMENT, def D <- DEF[S] + (IN[S] - KILL[S])}; }; return IN; } 9

  10. What if we want to work with another language? • May be able to reuse base CFG definition (but maybe not) • Cannot reuse flow definition (unless CFG def is the same and feature has identical semantics) • Cannot easily reuse analysis (since CFG definition and semantics di ff er) 10

  11. 
 What if we want to work with another language? • May be able to reuse base CFG definition (but maybe not) • Cannot reuse flow definition (unless CFG def is the same and feature has identical semantics) • Cannot easily reuse analysis (since CFG definition and semantics di ff er) 
 So, we write the entire thing over again 
 (and again, and again…) 11

  12. Motivating Questions • Can we create a DSL to make this process easier? • Provide uniform definition of control-flow graphs • Generate CFG extraction code, including all the boilerplate • Provide a declarative definition that should be easier to keep up to date as the language evolves • What shouldn’t the DSL do? • Don’t try to do everything, give an “escape hatch” into Rascal 12

  13. DCFlow: Declarative Control Flow • Declarative DSL for defining control flow rules • Generates Rascal code to build intraprocedural control flow graphs with reusable library of CFG concepts • Provides basic visualization to allow graphs to be rendered in GraphViz dot • Provides ignore mechanism to indicate which language constructs we are not trying to define • IDE provides basic checking to aid user (with more coming) 13

  14. DCFlow Architecture DCFlow CFG Builder DCFlow Language-Specific Translator Modules Definition Functions (Rascal) (Rascal) (Rascal) Source Program DCFlow Libraries CFG Construction (Input Language) (Rascal) (Rascal) GraphViz CFG Visualization Control Flow Visualizations (Rascal) Graphs (Rascal) (GraphViz,dot) 14

  15. Design Decisions • Focus on abstract syntax trees (should 
 almost work on Rascal concrete syntax, 
 but there are some di ff erences) • Leverage reified types for generation and checking • Try to ensure added features are general — don’t want to add something just because PHP or Java needs it • Make sure generated code is understandable — it should look close to what you would write yourself 15

  16. The basics: entries, exits, and basic flow module Pico ast demo::lang::Pico::Abstract; import lang::pico::CFGBase; context PROGRAM::program; astType PROGRAM; rule PROGRAM::program = entry(stats), exit(stats); rule EXP::add = entry(left) --> right --> exit(self); rule EXP::sub = entry(left) --> right --> exit(self); rule EXP::conc = entry(left) --> right --> exit(self); rule EXP::id = entry(self), exit(self); rule EXP::strCon = entry(self), exit(self); rule EXP::natCon = entry(self), exit(self); rule STATEMENT::asgStat = entry(exp) --> exit(self); 16

  17. Reified types in Rascal cons( public data EXP = label( id(PicoId name) "add", | natCon(int iVal) adt( | strCon(str sVal) "EXP", | add(EXP left, EXP right) [])), | sub(EXP left, EXP right) [ | conc(EXP left, EXP right) label( ; "left", adt( "EXP", [])), label( "right", adt( "EXP", [])) ], [], (), {}), 17

  18. Introducing some useful shorthands module Pico ast demo::lang::Pico::Abstract; import lang::pico::CFGBase; context PROGRAM::program; rule PROGRAM::program = ^$stats; rule PROGRAM::program = entry(stats), exit(stats); rule EXP::add EXP::sub EXP::conc = ^left -> right -> $self; rule EXP::add = entry(left) --> right --> exit(self); rule EXP::id EXP::strCon EXP::natCon = ^$self; rule STATEMENT::asgStat = ^exp -> $self; rule STATEMENT::asgStat = entry(exp) --> exit(self); 18

  19. Creating nodes and labeling edges rule STATEMENT::ifElseStat = ^exp, exp -conditionTrue-> exit(thenpart,exp), exp -conditionFalse-> exit(elsepart,exp); rule STATEMENT::whileStat = ^$exp -conditionTrue-> body -backedge-> exp, exp -conditionFalse-> create(footer); 19

  20. Structured and unstructured jumps context Script::script ClassItem::method Stmt::function; structured target \break \continue; unstructured target goto; rule Stmt::goto = jump(\label),^$self; rule Stmt::\while = create(footer), jumpTarget(cond,\continue), jumpTarget(footer,\break), ^$cond -conditionTrue-> body -backedge-> cond, cond -conditionFalse-> footer; rule Stmt::\break = entry(breakExpr,self) --> $self, jump(breakExpr,\break); rule Stmt::\continue = entry(continueExpr,$self) --> self, jump(continueExpr,\continue); 20

  21. How does the generated code look? tuple[FlowEdges,LabelState] internalFlow(EXP item:add(EXP left,EXP right), LabelState ls) { FlowEdges edges = { }; < edges, ls > = addEdges(edges, ls, left); < edges, ls > = addEdges(edges, ls, right); for(exlab <- exit(left,ls)) { < edges, ls > = linkItemsLabelLabel(edges, ls, exlab, entry(right,ls) ); } for(exlab <- exit(right,ls)) { < edges, ls > = linkItemsLabelLabel(edges, ls, exlab, item@lab ); } return < edges, ls >; } 21

  22. Evaluation: Comparing to Custom Tools • Hand-built CFG extractor for Pico: 45 lines of code, 11 for headers and declarations, 34 for extraction rules • DC-Flow Pico definition: 4 header lines, 6 rules — but generates 408 lines of Rascal • PHP: 1583 lines of Rascal for hand-built, currently 85 lines of code (fewer rules, some of these are for rules on multiple lines), generates 2714 lines of Rascal, plus around 230 lines for parts written directly in Rascal 22

  23. Evaluation: Comparing to DeFacto • Very similar required e ff ort for small languages • Hard to tell for larger languages with more involved control flow, need to resurrect DeFacto to perform comparison • DeFacto works over concrete syntax, DCFlow works over abstract syntax • DeFacto is more general fact extraction language, DCFlow is more focused on control flow, has more tailored syntax, has access to Rascal features 23

  24. Evaluation: Can we use it in an analysis? • Implemented reaching defs analysis to show this works in theory (code given in paper) • Should be able to evaluate soon in PHP to verify it works in practice 24

  25. Current limitations • Exceptions • Adding try/catch is the easy part • Adding exception flow edges in a generic way is harder • No current support for interprocedural control flow graphs • Current implementation needs more convenience functions to be easily usable as a black box 25

  26. Future work • Add support for exceptions (if this can be added generically) • Merge generated CFG code into PHP AiR framework • Integrate DC-Flow generation with Rascal Resources framework • Add improved support for visualization 26

  27. Discussion Thank you! Any Questions? • Rascal: http://www.rascal-mpl.org • Me: http://www.cs.ecu.edu/hillsma 27

Recommend

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical representation of runtime control-flow paths Nodes of graph: basic blocks (straight-line computations) Edges of graph: flows of control Useful for

679 views • 39 slides
Representing the control flow of a program P3 / 2003 Control forms a graph Loop

Representing the control flow of a program P3 / 2003 Control forms a graph Loop

Representing the control flow of a program P3 / 2003 Control forms a graph Loop Optimizations A very large graph Observation lot of straight-line connections simplify the graph by grouping some instructions Kostis

535 views • 7 slides
More refined representations Control dependence graph Problem: control-flow edges in CFG

More refined representations Control dependence graph Problem: control-flow edges in CFG

More refined representations Control dependence graph Problem: control-flow edges in CFG overspecify evaluation Program dependence graph (PDG): order data dependence graph + control dependence graph (CDG) [Ferrante, Ottenstein, &amp; Warren,

260 views • 5 slides
Representing the control flow of a program P3 / 2004 Control forms a graph Loop

Representing the control flow of a program P3 / 2004 Control forms a graph Loop

Representing the control flow of a program P3 / 2004 Control forms a graph Loop Optimizations A very large graph Observation lot of straight-line connections simplify the graph by grouping some instructions Spring 2004

223 views • 7 slides
Foundations of pred(n) = set of all immediate predecessors of n p ( ) p Dataflow Analysis

Foundations of pred(n) = set of all immediate predecessors of n p ( ) p Dataflow Analysis

Terminology: Program Representation e o ogy: og a ep ese tat o Control Flow Graph: Control Flow Graph: Nodes N statements of program Edges E flow of control Foundations of pred(n) = set of all immediate predecessors of

591 views • 17 slides
Why Data Flow Models? Models from Chapter 5 emphasized control Control flow graph, call

Why Data Flow Models? Models from Chapter 5 emphasized control Control flow graph, call

Why Data Flow Models? Models from Chapter 5 emphasized control Control flow graph, call graph, finite state machines We also need to reason about dependence Dependence and Data Flow Models Where does this value of x come from?

369 views • 9 slides
Graph IRs Control Flow Graphs + The three-address IR looks like assembly language including

Graph IRs Control Flow Graphs + The three-address IR looks like assembly language including

10/31/2012 Graph IRs Control Flow Graphs + The three-address IR looks like assembly language including control transfer Directed Acyclic Graphs instructions. Eliminate storage and calculation redundancy * Labeling or numbering IR statements

290 views • 3 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control flow graph may miss significant test cases Testing All-Paths in a control flow graph is often too time- consuming Can we select a subset of

682 views • 24 slides
Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control flow graph may miss significant test cases Testing All-Paths in a control flow graph is often too time- consuming Can we select a subset of

743 views • 47 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control flow graph may miss significant test cases Testing All-Paths in a control flow graph is often too time- consuming Can we select a

557 views • 31 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo

Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo

Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo Martignoni Mattia Monga Dipartimento di Informatica e Comunicazione Universit` a degli Studi di Milano { bruschi,martign,monga } @dico.unimi.it

356 views • 23 slides
A TOOL FOR FREQUENCY-ANNOTATED CONTROL FLOW GRAPH GENERATION EuroLLVM 2017 Universit della

A TOOL FOR FREQUENCY-ANNOTATED CONTROL FLOW GRAPH GENERATION EuroLLVM 2017 Universit della

Georgios Zacharopoulos Laura Pozzi ClrFreqCFGPrinter : A TOOL FOR FREQUENCY-ANNOTATED CONTROL FLOW GRAPH GENERATION EuroLLVM 2017 Universit della Svizzera italiana (USI Lugano), Mar 28, 2017 Faculty of Informatics Saarbrcken, Germany

642 views • 30 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
Enhancing Control Flow Graph Based Binary Function Identification Clemens Jonischkeit Chair for

Enhancing Control Flow Graph Based Binary Function Identification Clemens Jonischkeit Chair for

Enhancing Control Flow Graph Based Binary Function Identification Clemens Jonischkeit Chair for IT Security 23. November 2017 C. Jonischkeit 1 / 13 Motivation Technische Universitt Mnchen I just wasted 3 hours of my life. . . . .

539 views • 29 slides
Intermediate Representation Abstract syntax tree, control- flow graph, three-address code

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code cs5363 1 Intermediate Code Generation Intermediate language between source and target Multiple machines can be targeted Attaching a

400 views • 19 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
Control-Flow Graph and Local Optimizations - Part 2 Y.N. Srikant Department of Computer Science

Control-Flow Graph and Local Optimizations - Part 2 Y.N. Srikant Department of Computer Science

Control-Flow Graph and Local Optimizations - Part 2 Y.N. Srikant Department of Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Principles of Compiler Design Y.N. Srikant Local Optimizations

665 views • 23 slides
Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow Analysis Data-flow Analysis Static VS Dynamic Analysis Software Testing Control Con ol Flow ow Gr Graph entry S1 Procedure AVG S1 count =

1.08k views • 104 slides

More recommend