Verifying the LLVM. Steve Zdancewic DeepSpec Summer School 2017
|
|
- Nathaniel Poole
- 5 years ago
- Views:
Transcription
1 Verifying the LLVM Steve Zdancewic DeepSpec Summer School 2017
2 Vminus OperaAonal SemanAcs Only 5 kinds of instrucaons: Binary arithmeac Memory Load Memory Store Terminators Phi nodes What is the state of a Vminus program?
3 Subtlety of Phi Nodes Phi-Nodes admit cyclic dependencies: pred:... br loop loop: %x = φ[0;pred][y;loop] %y = φ[1;pred][x;loop] %b = %x %y br %b loop exit
4 SemanAcs of Phi Nodes The value of the RHS of a phi-defined uid is relaave to the state at the entry to the block. OpAon 1: Require all phi nodes to be at the beginning of the block Execute them atomically, in parallel (Original Vellvm followed this model) OpAon 2: Keep track of the state upon entry to the block Calculate the RHS of phi nodes relaave to the entry state (Vminus follows this model)
5 VminusOpsem.v VMINUS OPERATIONAL SEMANTICS
6 Key SSA Invariant entry: r 0 =... r 1 =... r 2 =... DefiniAon of r 2. br r 0 loop exit loop: r 3 = φ[0;entry][r 5 ;loop] r 4 = r 1 x r 2 r 5 = r 3 + r 4 r 6 = r br r 6 loop exit Use of r 2. Uses of r 2. exit: r 7 = φ[0;entry][r 5 ;loop] r 8 = r 1 x r 2 r 9 = r 7 + r 8 ret r 9
7 Key SSA Invariant entry: r 0 =... r 1 =... r 2 =... DefiniAon of r 2. br r 0 loop exit loop: r 3 = φ[0;entry][r 5 ;loop] r 4 = r 1 x r 2 r 5 = r 3 + r 4 r 6 = r br r 6 loop exit exit: r 7 = φ[0;entry][r 5 ;loop] r 8 = r 1 x r 2 r 9 = r 7 + r 8 ret r 9 Use of r 2. Uses of r 2. The definiaon of a variable must dominate its uses.
8 Defining SSA Variable Scope Graph: g corresponds to a fine grained CFG Entry e z Nodes: program points (maybe more than one per block) a y Edges: fallthroughs, jump and branch instrucaons c b d Dis3nguished entry
9 Paths Paths: Path g a d [a;b;d] Entry e z a y b c d
10 Reachability Paths: Path g a d [a;b;d] Reachability: Reachable g x iff vs. Path g e x vs Entry e a b z y Unreachable c d Reachable
11 DominaAon Paths: Path g a d [a;b;d] Reachability: Reachable g x DominaAon: Dom g b c Entry e a b z y iff every path from e to c goes through b. c d
12 DominaAon Paths: Path g a d [a;b;d] Reachability: Reachable g x DominaAon: Dom g b c Entry e a b z y iff every path from e to c goes through b. c one path d
13 DominaAon Paths: Path g a d [a;b;d] Reachability: Reachable g x DominaAon: Dom g b c Entry e a b z y iff every path from e to c goes through b. c another path d
14 DominaAon Paths: Path g a d [a;b;d] Reachability: Reachable g x DominaAon: Dom g b c Entry e a b z y c d Nodes dominated by b.
15 Strict DominaAon Paths: Path g a d [a;b;d] Reachability: Reachable g x DominaAon: Dom g b c Strict DominaAon: SDom g b c Entry e a b z y c d Nodes strictly dominated by b.
16 DominaAon Tree Order the reachable nodes by (immediate) dominators, you get a tree: Entry e a b d c
17 Control-flow Analysis Goal: IdenAfy the loops and nesang structure of the CFG. An edge in the graph is a back edge if the target node dominates the source node. Back Edge A loop contains at least one back edge. 43
18 Dominator Trees DominaAon is transiave: if A dominates B and B dominates C then A dominates C DominaAon is ana-symmetric: if A dominates B and B dominates A then A = B Every flow graph has a dominator tree The Hasse diagram of the dominates relaaon
19 Dominator Dataflow Analysis Let Dom[n] = {m m dominates n} We can define Dom[n] as a forward dataflow analysis. Using the framework we saw earlier: Dom[n] = out[n] where: A node B is dominated by another node A if A dominates all of the predecessors of B. in[n] := n pred[n] out[n ] Every node dominates itself. out[n] := in[n] {n} Formally: L = set of nodes ordered by T = {all nodes} F n (x) = x {n} is Easy to show monotonicity and that F n distributes over meet. Bounded set of variables: so algorithm terminates 45
20 Improving the Algorithm Dom[b] contains just those nodes along the path in the dominator tree from the root to b: 1 e.g. Dom[8] = {1,2,4,8}, Dom[7] = {1,2,4,5,7} There is a lot of sharing among the nodes More efficient way to represent Dom sets is to store the dominator tree. doms[b] = immediate dominator of b doms[8] = 4, doms[7] = 5 To compute Dom[b] walk through doms[b] Need to efficiently compute intersecaons of Dom[a] and Dom[b] Traverse up tree, looking for least common ancestor: Dom[8] Dom[7] = Dom[4] See: A Simple, Fast Dominance Algorithm Cooper, Harvey, and Kennedy
21 CompleAng Control-flow Analysis Dominator analysis idenafies back edges: Edge n à h where h dominates n Each back edge has a natural loop: h is the header All nodes reachable from h that also reach n without going through h For each back edge n à h, find the natural loop: {n n is reachable from n in G {h}} {h} n h h Two loops may share the same header: merge them n m NesAng structure of loops is determined by set inclusion Can be used to build the control tree 47
22 Example Natural Loops 1 Control Tree: Natural Loops 0 The control tree depicts the nesting structure of the program. 48
23 Uses of Control-flow InformaAon Loop nesang depth plays an important role in opamizaaon heurisacs. Deeply nested loops pay off the most for opamizaaon. Need to know loop headers / back edges for doing loop invariant code moaon loop unrolling CIS 341: Compilers 49
24 Dominator Algorithm Tradeoffs Cooper-Harvey-Kennedy (CHK) Extended from AC Nearly as fast as LT in common cases Efficiency Lengauer-Tarjan (LT) (LLVM and GCC) Based on tricky graph theory O(E x log(n)) Although proving its correctness and verifying its running Ame require rather complicated analysis, the algorithm is quite simple to program [LT 79] Allen-Cocke (AC) Based on Kildall s algorithm Large asymptotic complexity Difficulty of Verification
25 Dominator Algorithm Tradeoffs Cooper-Harvey-Kennedy (CHK) Extended from AC Nearly as fast as LT in common cases Efficiency Lengauer-Tarjan (LT) (LLVM and GCC) Based on tricky graph theory O(E x log(n)) ValidaAng Dominator Trees for a Fast, Verified Dominance Test - Blazy, Demange, Pichardie CompCertSSA Vellvm tried both. Allen-Cocke (AC) Based on Kildall s algorithm Large asymptotic complexity Difficulty of Verification
26 Dom.v Kildall.v DomKildall.v DOMINATORS
27 Safety ProperAes A well-formed program never accesses undefined variables. If f and f σ 0 * σ then σ is not stuck. f program f is well formed σ program state f σ * σ evaluaaon of f Ini3aliza3on: If f then wf(f, σ 0 ). Preserva3on: If f and f σ σ and wf(f, σ) then wf(f, σ ) Progress: If f and wf(f, σ) then f σ σ
28 Safety ProperAes A well-formed program never accesses undefined variables. If f and f σ 0 * σ then σ is not stuck. f program f is well formed σ program state f σ * σ evaluaaon of f Ini3aliza3on: If f then wf(f, σ 0 ). Preserva3on: If f and f σ σ and wf(f, σ) then wf(f, σ ) Progress: If f and wf(f, σ) then done(f,σ) or stuck(f,σ) or f σ σ
29 Well-formed States entry: r 0 =... r 1 =... r 2 =... br r 0 loop exit State σ is: pc = program counter δ = local values pc loop: r 3 = φ[0;entry][r 5 ;loop] r 4 = r 1 x r 2 r 5 = r 3 + r 4 r 6 = r br r 6 loop exit exit: r 7 = φ[0;entry][r 5 ;loop] r 8 = r 1 x r 2 r 9 = r 7 + r 8 ret r 9
30 Well-formed States (Roughly) pc entry: r 0 =... r 1 =... r 2 =... br r 0 loop exit loop: r 3 = φ[0;entry][r 5 ;loop] r 4 = r 1 x r 2 r 5 = r 3 + r 4 r 6 = r br r 6 loop exit State σ is: pc = program counter δ = local values sdom(f,pc) = variable defns. that strictly dominate pc. exit: r 7 = φ[0;entry][r 5 ;loop] r 8 = r 1 x r 2 r 9 = r 7 + r 8 ret r 9
31 Well-formed States (Roughly) pc entry: r 0 =... r 1 =... r 2 =... br r 0 loop exit loop: r 3 = φ[0;entry][r 5 ;loop] r 4 = r 1 x r 2 r 5 = r 3 + r 4 r 6 = r br r 6 loop exit exit: r 7 = φ[0;entry][r 5 ;loop] r 8 = r 1 x r 2 r 9 = r 7 + r 8 ret r 9 State σ contains: pc = program counter δ = local values mem = memory sdom(f,pc) = variable defns. that strictly dominate pc. wf(g,σ) = r sdom(f,pc). v. δ(r) = v All variables in scope are iniaalized.
32 VminusStaAcs.v VMINUS STATIC SEMANTICS
CSC D70: Compiler Optimization Dataflow-2 and Loops
CSC D70: Compiler Optimization Dataflow-2 and Loops Prof. Gennady Pekhimenko University of Toronto Winter 2018 The content of this lecture is adapted from the lectures of Todd Mowry and Phillip Gibbons
More informationConstruction of Static Single-Assignment Form
COMP 506 Rice University Spring 2018 Construction of Static Single-Assignment Form Part II source IR IR target code Front End Optimizer Back End code Copyright 2018, Keith D. Cooper & Linda Torczon, all
More informationMIT Loop Optimizations. Martin Rinard
MIT 6.035 Loop Optimizations Martin Rinard Loop Optimizations Important because lots of computation occurs in loops We will study two optimizations Loop-invariant code motion Induction variable elimination
More informationCOSE312: Compilers. Lecture 17 Intermediate Representation (2)
COSE312: Compilers Lecture 17 Intermediate Representation (2) Hakjoo Oh 2017 Spring Hakjoo Oh COSE312 2017 Spring, Lecture 17 May 31, 2017 1 / 19 Common Intermediate Representations Three-address code
More informationLecture 11: Data Flow Analysis III
CS 515 Programming Language and Compilers I Lecture 11: Data Flow Analysis III (The lectures are based on the slides copyrighted by Keith Cooper and Linda Torczon from Rice University.) Zheng (Eddy) Zhang
More informationWhat is SSA? each assignment to a variable is given a unique name all of the uses reached by that assignment are renamed
Another Form of Data-Flow Analysis Propagation of values for a variable reference, where is the value produced? for a variable definition, where is the value consumed? Possible answers reaching definitions,
More informationCSC D70: Compiler Optimization Static Single Assignment (SSA)
CSC D70: Compiler Optimization Static Single Assignment (SSA) Prof. Gennady Pekhimenko University of Toronto Winter 08 The content of this lecture is adapted from the lectures of Todd Mowry and Phillip
More informationSpace-aware data flow analysis
Space-aware data flow analysis C. Bernardeschi, G. Lettieri, L. Martini, P. Masci Dip. di Ingegneria dell Informazione, Università di Pisa, Via Diotisalvi 2, 56126 Pisa, Italy {cinzia,g.lettieri,luca.martini,paolo.masci}@iet.unipi.it
More informationCMSC 631 Program Analysis and Understanding. Spring Data Flow Analysis
CMSC 631 Program Analysis and Understanding Spring 2013 Data Flow Analysis Data Flow Analysis A framework for proving facts about programs Reasons about lots of little facts Little or no interaction between
More informationSPARSE ABSTRACT INTERPRETATION!
PROGRAMMING LANGUAGES LABORATORY! Universidade Federal de Minas Gerais - Department of Computer Science SPARSE ABSTRACT INTERPRETATION! PROGRAM ANALYSIS AND OPTIMIZATION DCC888! Fernando Magno Quintão
More informationData flow analysis. DataFlow analysis
Data flow analysis DataFlow analysis compile time reasoning about the runtime flow of values in the program represent facts about runtime behavior represent effect of executing each basic block propagate
More informationComputing Static Single Assignment (SSA) Form
Computing Static Single Assignment (SSA) Form Overview What is SSA? Advantages of SSA over use-def chains Flavors of SSA Dominance frontiers revisited Inserting φ-nodes Renaming the variables Translating
More informationDataflow Analysis. Chapter 9, Section 9.2, 9.3, 9.4
Dataflow Analysis Chapter 9, Section 9.2, 9.3, 9.4 2 Dataflow Analysis Dataflow analysis is a sub area of static program analysis Used in the compiler back end for optimizations of three address code and
More informationData-Flow Analysis. Compiler Design CSE 504. Preliminaries
Data-Flow Analysis Compiler Design CSE 504 1 Preliminaries 2 Live Variables 3 Data Flow Equations 4 Other Analyses Last modifled: Thu May 02 2013 at 09:01:11 EDT Version: 1.3 15:28:44 2015/01/25 Compiled
More informationBeyond Superlocal: Dominators, Data-Flow Analysis, and DVNT. COMP 506 Rice University Spring target code. source code OpJmizer
COMP 506 Rice University Spring 2017 Beyond Superlocal: Dominators, Data-Flow Analysis, and DVNT source code Front End IR OpJmizer IR Back End target code Copyright 2017, Keith D. Cooper & Linda Torczon,
More informationCS 553 Compiler Construction Fall 2006 Homework #2 Dominators, Loops, SSA, and Value Numbering
CS 553 Compiler Construction Fall 2006 Homework #2 Dominators, Loops, SSA, and Value Numbering Answers Write your answers on another sheet of paper. Homework assignments are to be completed individually.
More informationDataflow analysis. Theory and Applications. cs6463 1
Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical representation of runtime control-flow paths Nodes of graph: basic blocks (straight-line computations) Edges of graph: flows
More informationECE 5775 (Fall 17) High-Level Digital Design Automation. Control Flow Graph
ECE 5775 (Fall 17) High-Level Digital Design Automation Control Flow Graph Announcements ECE colloquium on Monday 9/11 from 4:30pm, PHL 233 Smart Healthcare by Prof. Niraj Jha of Princeton Lab 1 is due
More informationCSC 5170: Theory of Computational Complexity Lecture 4 The Chinese University of Hong Kong 1 February 2010
CSC 5170: Theory of Computational Complexity Lecture 4 The Chinese University of Hong Kong 1 February 2010 Computational complexity studies the amount of resources necessary to perform given computations.
More informationCSE P 501 Compilers. Value Numbering & Op;miza;ons Hal Perkins Winter UW CSE P 501 Winter 2016 S-1
CSE P 501 Compilers Value Numbering & Op;miza;ons Hal Perkins Winter 2016 UW CSE P 501 Winter 2016 S-1 Agenda Op;miza;on (Review) Goals Scope: local, superlocal, regional, global (intraprocedural), interprocedural
More informationDataflow Analysis. A sample program int fib10(void) { int n = 10; int older = 0; int old = 1; Simple Constant Propagation
-74 Lecture 2 Dataflow Analysis Basic Blocks Related Optimizations SSA Copyright Seth Copen Goldstein 200-8 Dataflow Analysis Last time we looked at code transformations Constant propagation Copy propagation
More informationClass 5. Review; questions. Data-flow Analysis Review. Slicing overview Problem Set 2: due 9/3/09 Problem Set 3: due 9/8/09
Class 5 Review; questions Assign (see Schedule for links) Slicing overview Problem Set 2: due 9/3/09 Problem Set 3: due 9/8/09 1 Data-flow Analysis Review Start at slide 21 of Basic Analysis 3 1 Static
More informationLecture 10: Data Flow Analysis II
CS 515 Programming Language and Compilers I Lecture 10: Data Flow Analysis II (The lectures are based on the slides copyrighted by Keith Cooper and Linda Torczon from Rice University.) Zheng (Eddy) Zhang
More information: Advanced Compiler Design Compu=ng DF(X) 3.4 Algorithm for inser=on of φ func=ons 3.5 Algorithm for variable renaming
263-2810: Advanced Compiler Design 3.3.2 Compu=ng DF(X) 3.4 Algorithm for inser=on of φ func=ons 3.5 Algorithm for variable renaming Thomas R. Gross Computer Science Department ETH Zurich, Switzerland
More informationStatic Program Analysis using Abstract Interpretation
Static Program Analysis using Abstract Interpretation Introduction Static Program Analysis Static program analysis consists of automatically discovering properties of a program that hold for all possible
More informationScalar Optimisation Part 1
calar Optimisation Part 1 Michael O Boyle January, 2014 1 Course tructure L1 Introduction and Recap 4/5 lectures on classical optimisation 2 lectures on scalar optimisation Today example optimisations
More informationSearch and Lookahead. Bernhard Nebel, Julien Hué, and Stefan Wölfl. June 4/6, 2012
Search and Lookahead Bernhard Nebel, Julien Hué, and Stefan Wölfl Albert-Ludwigs-Universität Freiburg June 4/6, 2012 Search and Lookahead Enforcing consistency is one way of solving constraint networks:
More informationScalar Optimisation Part 2
Scalar Optimisation Part 2 Michael O Boyle January 2014 1 Course Structure L1 Introduction and Recap 4-5 lectures on classical optimisation 2 lectures on scalar optimisation Last lecture on redundant expressions
More informationModel Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies
Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies Tom Henzinger EPFL Three Verification Communities Model checking: -automatic, but inefficient
More informationStatic Program Analysis
Static Program Analysis Xiangyu Zhang The slides are compiled from Alex Aiken s Michael D. Ernst s Sorin Lerner s A Scary Outline Type-based analysis Data-flow analysis Abstract interpretation Theorem
More informationWorst-Case Execution Time Analysis. LS 12, TU Dortmund
Worst-Case Execution Time Analysis Prof. Dr. Jian-Jia Chen LS 12, TU Dortmund 02, 03 May 2016 Prof. Dr. Jian-Jia Chen (LS 12, TU Dortmund) 1 / 53 Most Essential Assumptions for Real-Time Systems Upper
More informationDouble Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking
Double Header Model Checking #1 Two Lectures Model Checking SoftwareModel Checking SLAM and BLAST Flying Boxes It is traditional to describe this stuff (especially SLAM and BLAST) with high-gloss animation
More informationFormal Methods in Software Engineering
Formal Methods in Software Engineering An Introduction to Model-Based Analyis and Testing Vesal Vojdani Department of Computer Science University of Tartu Fall 2014 Vesal Vojdani (University of Tartu)
More informationTAINTED FLOW ANALYSIS!
PROGRAMMING LANGUAGES LABORATORY! Universidade Federal de Minas Gerais - Department of Computer Science TAINTED FLOW ANALYSIS! PROGRAM ANALYSIS AND OPTIMIZATION DCC888! Fernando Magno Quintão Pereira!
More informationCompiler Design. Data Flow Analysis. Hwansoo Han
Compiler Design Data Flow Analysis Hwansoo Han Control Flow Graph What is CFG? Represents program structure for internal use of compilers Used in various program analyses Generated from AST or a sequential
More informationChapter 3 Deterministic planning
Chapter 3 Deterministic planning In this chapter we describe a number of algorithms for solving the historically most important and most basic type of planning problem. Two rather strong simplifying assumptions
More informationVerification of Recursive Programs. Andreas Podelski February 8, 2012
Verification of Recursive Programs Andreas Podelski February 8, 2012 1 m(x) = x 10 if x > 100 m(m(x + 11)) if x 100 2 procedure m(x) returns (res) `0: if x>100 `1: res:=x-10 else `2: x m := x+11 `3: res
More informationModel Checking: An Introduction
Model Checking: An Introduction Meeting 3, CSCI 5535, Spring 2013 Announcements Homework 0 ( Preliminaries ) out, due Friday Saturday This Week Dive into research motivating CSCI 5535 Next Week Begin foundations
More informationDataflow Analysis - 2. Monotone Dataflow Frameworks
Dataflow Analysis - 2 Monotone dataflow frameworks Definition Convergence Safety Relation of MOP to MFP Constant propagation Categorization of dataflow problems DataflowAnalysis 2, Sp06 BGRyder 1 Monotone
More informationCDS 270 (Fall 09) - Lecture Notes for Assignment 8.
CDS 270 (Fall 09) - Lecture Notes for Assignment 8. ecause this part of the course has no slides or textbook, we will provide lecture supplements that include, hopefully, enough discussion to complete
More informationAbstractions and Decision Procedures for Effective Software Model Checking
Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture
More informationChapter 4: Computation tree logic
INFOF412 Formal verification of computer systems Chapter 4: Computation tree logic Mickael Randour Formal Methods and Verification group Computer Science Department, ULB March 2017 1 CTL: a specification
More informationSoftware Verification
Software Verification Grégoire Sutre LaBRI, University of Bordeaux, CNRS, France Summer School on Verification Technology, Systems & Applications September 2008 Grégoire Sutre Software Verification VTSA
More informationSafety and Liveness. Thread Synchronization: Too Much Milk. Critical Sections. A Really Cool Theorem
Safety and Liveness Properties defined over an execution of a program Thread Synchronization: Too Much Milk Safety: nothing bad happens holds in every finite execution prefix Windows never crashes No patient
More informationLecture 5 Introduction to Data Flow Analysis
Lecture 5 Introduction to Data Flow Analysis I. Structure of data flow analysis II. III. IV. Example 1: Reaching definition analysis Example 2: Liveness analysis Framework Phillip B. Gibbons 15-745: Intro
More informationTopic-I-C Dataflow Analysis
Topic-I-C Dataflow Analysis 2012/3/2 \course\cpeg421-08s\topic4-a.ppt 1 Global Dataflow Analysis Motivation We need to know variable def and use information between basic blocks for: constant folding dead-code
More informationData Flow Analysis. Lecture 6 ECS 240. ECS 240 Data Flow Analysis 1
Data Flow Analysis Lecture 6 ECS 240 ECS 240 Data Flow Analysis 1 The Plan Introduce a few example analyses Generalize to see the underlying theory Discuss some more advanced issues ECS 240 Data Flow Analysis
More information1/30/2012. Reasoning with uncertainty III
Reasoning with uncertainty III 1 Temporal Models Assumptions 2 Example First-order: From d-separation, X t+1 is conditionally independent of X t-1 given X t No independence of measurements Yt Alternate
More informationAutomatic Verification of Parameterized Data Structures
Automatic Verification of Parameterized Data Structures Jyotirmoy V. Deshmukh, E. Allen Emerson and Prateek Gupta The University of Texas at Austin The University of Texas at Austin 1 Outline Motivation
More informationIncremental Proof-Based Verification of Compiler Optimizations
Incremental Proof-Based Verification of Compiler Optimizations Grigory Fedyukovich joint work with Arie Gurfinkel and Natasha Sharygina 5 of May, 2015, Attersee, Austria counter-example change impact Big
More informationFormal Verification Techniques. Riccardo Sisto, Politecnico di Torino
Formal Verification Techniques Riccardo Sisto, Politecnico di Torino State exploration State Exploration and Theorem Proving Exhaustive exploration => result is certain (correctness or noncorrectness proof)
More informationThis is the published version of a paper presented at Programmiersprachen und Grundlagen der Programmierung KPS 2015.
http://www.diva-portal.org This is the published version of a paper presented at Programmiersprachen und Grundlagen der Programmierung KPS 2015. Citation for the original published paper: Hedenborg, M.,
More informationGeneralizing Data-flow Analysis
Generalizing Data-flow Analysis Announcements PA1 grades have been posted Today Other types of data-flow analysis Reaching definitions, available expressions, reaching constants Abstracting data-flow analysis
More informationPath Testing and Test Coverage. Chapter 9
Path Testing and Test Coverage Chapter 9 Structural Testing Also known as glass/white/open box testing Structural testing is based on using specific knowledge of the program source text to define test
More informationDataflow Analysis. Dragon book, Chapter 9, Section 9.2, 9.3, 9.4
Dataflow Analysis Dragon book, Chapter 9, Section 9.2, 9.3, 9.4 2 Dataflow Analysis Dataflow analysis is a sub-area of static program analysis Used in the compiler back end for optimizations of three-address
More informationPath Testing and Test Coverage. Chapter 9
Path Testing and Test Coverage Chapter 9 Structural Testing Also known as glass/white/open box testing Structural testing is based on using specific knowledge of the program source text to define test
More informationLearning in Depth-First Search: A Unified Approach to Heuristic Search in Deterministic, Non-Deterministic, Probabilistic, and Game Tree Settings
Learning in Depth-First Search: A Unified Approach to Heuristic Search in Deterministic, Non-Deterministic, Probabilistic, and Game Tree Settings Blai Bonet and Héctor Geffner Abstract Dynamic Programming
More informationModule 1: Analyzing the Efficiency of Algorithms
Module 1: Analyzing the Efficiency of Algorithms Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University Jackson, MS 39217 E-mail: natarajan.meghanathan@jsums.edu What is an Algorithm?
More informationCompilation and Program Analysis (#8) : Abstract Interpretation
Compilation and Program Analysis (#8) : Abstract Interpretation Laure Gonnord http://laure.gonnord.org/pro/teaching/capm.html Laure.Gonnord@ens-lyon.fr Master, ENS de Lyon Nov 7 Objective Compilation vs
More informationTableau-based decision procedures for the logics of subinterval structures over dense orderings
Tableau-based decision procedures for the logics of subinterval structures over dense orderings Davide Bresolin 1, Valentin Goranko 2, Angelo Montanari 3, and Pietro Sala 3 1 Department of Computer Science,
More informationGraph-theoretic Problems
Graph-theoretic Problems Parallel algorithms for fundamental graph-theoretic problems: We already used a parallelization of dynamic programming to solve the all-pairs-shortest-path problem. Here we are
More informationMIT Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology
MIT 6.035 Foundations of Dataflow Analysis Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology Dataflow Analysis Compile-Time Reasoning About Run-Time Values of Variables
More informationProgram verification
Program verification Data-flow analyses, numerical domains Laure Gonnord and David Monniaux University of Lyon / LIP September 29, 2015 1 / 75 Context Program Verification / Code generation: Variables
More informationDynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics
Dynamic Semantics Operational Semantics Denotational Semantic Dynamic Semantics Operational Semantics Operational Semantics Describe meaning by executing program on machine Machine can be actual or simulated
More informationValue Range Propagation
Value Range Propagation LLVM Adam Wiggs Patryk Zadarnowski {awiggs,patrykz}@cse.unsw.edu.au 17 June 2003 University of New South Wales Sydney MOTIVATION The Problem: X Layout of basic blocks LLVM is bra-dead.
More informationChapter 2: Finite Automata
Chapter 2: Finite Automata 2.1 States, State Diagrams, and Transitions Finite automaton is the simplest acceptor or recognizer for language specification. It is also the simplest model of a computer. A
More informationA Functional Perspective
A Functional Perspective on SSA Optimization Algorithms Patryk Zadarnowski jotly with Manuel M. T. Chakravarty Gabriele Keller 19 April 2004 University of New South Wales Sydney THE PLAN ➀ Motivation an
More informationWorst-Case Execution Time Analysis. LS 12, TU Dortmund
Worst-Case Execution Time Analysis Prof. Dr. Jian-Jia Chen LS 12, TU Dortmund 09/10, Jan., 2018 Prof. Dr. Jian-Jia Chen (LS 12, TU Dortmund) 1 / 43 Most Essential Assumptions for Real-Time Systems Upper
More informationMonotone Data Flow Analysis Framework
Monotone Data Flow Analysis Framework Definition. A relation R on a set S is (a) reflexive iff ( x S)[xRx], (b) antisymmetric iff [xry yrx x=y] (c) transitive iff ( x,y,z S) [xry yrz xrz] Definition. A
More informationCSE. 1. In following code. addi. r1, skip1 xor in r2. r3, skip2. counter r4, top. taken): PC1: PC2: PC3: TTTTTT TTTTTT
CSE 560 Practice Problem Set 4 Solution 1. In this question, you will examine several different schemes for branch prediction, using the following code sequence for a simple load store ISA with no branch
More informationDynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007
Dynamic Noninterference Analysis Using Context Sensitive Static Analyses Gurvan Le Guernic July 14, 2007 1 Abstract This report proposes a dynamic noninterference analysis for sequential programs. This
More informationTemporal Logic Model Checking
18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 1 Temporal Logic Model Checking Thomas Wahl Computing Laboratory, Oxford University 18 Feb, 2009 Thomas Wahl, Oxford University
More informationP and NP. Or, how to make $1,000,000.
P and NP Or, how to make $1,000,000. http://www.claymath.org/millennium-problems/p-vs-np-problem Review: Polynomial time difference between single-tape and multi-tape TMs Exponential time difference between
More informationReduced Ordered Binary Decision Diagrams
Reduced Ordered Binary Decision Diagrams Lecture #12 of Advanced Model Checking Joost-Pieter Katoen Lehrstuhl 2: Software Modeling & Verification E-mail: katoen@cs.rwth-aachen.de December 13, 2016 c JPK
More informationDesign of Distributed Systems Melinda Tóth, Zoltán Horváth
Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Publication date 2014 Copyright 2014 Melinda Tóth, Zoltán Horváth Supported by TÁMOP-412A/1-11/1-2011-0052
More informationLecture Notes on Emptiness Checking, LTL Büchi Automata
15-414: Bug Catching: Automated Program Verification Lecture Notes on Emptiness Checking, LTL Büchi Automata Matt Fredrikson André Platzer Carnegie Mellon University Lecture 18 1 Introduction We ve seen
More informationOn-the-Fly Model Checking for Extended Action-Based Probabilistic Operators
On-the-Fly Model Checking for Extended Action-Based Probabilistic Operators Radu Mateescu and José Ignacio Requeno Inria Grenoble and LIG / Convecs http://convecs.inria.fr SPIN 2016 - Eindhoven, March
More informationUnderstanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55
Understanding IC3 Aaron R. Bradley ECEE, CU Boulder & Summit Middle School Understanding IC3 1/55 Further Reading This presentation is based on Bradley, A. R. Understanding IC3. In SAT, June 2012. http://theory.stanford.edu/~arbrad
More informationCorrectness Discussion of a SIMT-induced Deadlock Elimination Algorithm
Correctness Discussion of a SIMT-induced Deadlock Elimination Algorithm Draft v1.0 Updated 13 August 2016 Ahmed ElTantawy, Tor M. Aamodt University of British Columbia 1. Introduction Current GPUs adapt
More informationClasses of data dependence. Dependence analysis. Flow dependence (True dependence)
Dependence analysis Classes of data dependence Pattern matching and replacement is all that is needed to apply many source-to-source transformations. For example, pattern matching can be used to determine
More informationDependence analysis. However, it is often necessary to gather additional information to determine the correctness of a particular transformation.
Dependence analysis Pattern matching and replacement is all that is needed to apply many source-to-source transformations. For example, pattern matching can be used to determine that the recursion removal
More informationComputation Tree Logic (CTL) & Basic Model Checking Algorithms
Computation Tree Logic (CTL) & Basic Model Checking Algorithms Martin Fränzle Carl von Ossietzky Universität Dpt. of Computing Science Res. Grp. Hybride Systeme Oldenburg, Germany 02917: CTL & Model Checking
More informationPrinciples of AI Planning
Principles of 5. Planning as search: progression and regression Malte Helmert and Bernhard Nebel Albert-Ludwigs-Universität Freiburg May 4th, 2010 Planning as (classical) search Introduction Classification
More informationChapter 5. Finite Automata
Chapter 5 Finite Automata 5.1 Finite State Automata Capable of recognizing numerous symbol patterns, the class of regular languages Suitable for pattern-recognition type applications, such as the lexical
More informationSecond-Order Abstract Interpretation via Kleene Algebra
Second-Order Abstract Interpretation via Kleene Algebra Łucja Kot lucja@cs.cornell.edu Department of Computer Science Cornell University Ithaca, New York 14853-7501, USA Dexter Kozen kozen@cs.cornell.edu
More informationCSC 1700 Analysis of Algorithms: Warshall s and Floyd s algorithms
CSC 1700 Analysis of Algorithms: Warshall s and Floyd s algorithms Professor Henry Carter Fall 2016 Recap Space-time tradeoffs allow for faster algorithms at the cost of space complexity overhead Dynamic
More informationModule 1: Analyzing the Efficiency of Algorithms
Module 1: Analyzing the Efficiency of Algorithms Dr. Natarajan Meghanathan Associate Professor of Computer Science Jackson State University Jackson, MS 39217 E-mail: natarajan.meghanathan@jsums.edu Based
More informationMechanics of Static Analysis
Escuela 03 III / 1 Mechanics of Static Analysis David Schmidt Kansas State University www.cis.ksu.edu/~schmidt Escuela 03 III / 2 Outline 1. Small-step semantics: trace generation 2. State generation and
More informationComputational Complexity. This lecture. Notes. Lecture 02 - Basic Complexity Analysis. Tom Kelsey & Susmit Sarkar. Notes
Computational Complexity Lecture 02 - Basic Complexity Analysis Tom Kelsey & Susmit Sarkar School of Computer Science University of St Andrews http://www.cs.st-andrews.ac.uk/~tom/ twk@st-andrews.ac.uk
More informationOperational Semantics
Operational Semantics Semantics and applications to verification Xavier Rival École Normale Supérieure Xavier Rival Operational Semantics 1 / 50 Program of this first lecture Operational semantics Mathematical
More informationLecture Notes: Program Analysis Correctness
Lecture Notes: Program Analysis Correctness 15-819O: Program Analysis Jonathan Aldrich jonathan.aldrich@cs.cmu.edu Lecture 5 1 Termination As we think about the correctness of program analysis, let us
More informationTimed Automata. Semantics, Algorithms and Tools. Zhou Huaiyang
Timed Automata Semantics, Algorithms and Tools Zhou Huaiyang Agenda } Introduction } Timed Automata } Formal Syntax } Operational Semantics } Verification Problems } Symbolic Semantics & Verification }
More informationFall 2011 Prof. Hyesoon Kim
Fall 2011 Prof. Hyesoon Kim Add: 2 cycles FE_stage add r1, r2, r3 FE L ID L EX L MEM L WB L add add sub r4, r1, r3 sub sub add add mul r5, r2, r3 mul sub sub add add mul sub sub add add mul sub sub add
More informationProblem-Solving via Search Lecture 3
Lecture 3 What is a search problem? How do search algorithms work and how do we evaluate their performance? 1 Agenda An example task Problem formulation Infrastructure for search algorithms Complexity
More informationComputational Models Lecture 8 1
Computational Models Lecture 8 1 Handout Mode Ronitt Rubinfeld and Iftach Haitner. Tel Aviv University. April 18/ May 2, 2016 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames by Maurice
More informationAutomata-based Verification - III
COMP30172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20: email: howard.barringer@manchester.ac.uk March 2009 Third Topic Infinite Word Automata Motivation Büchi Automata
More informationHarvard CS 121 and CSCI E-207 Lecture 12: General Context-Free Recognition
Harvard CS 121 and CSCI E-207 Lecture 12: General Context-Free Recognition Salil Vadhan October 11, 2012 Reading: Sipser, Section 2.3 and Section 2.1 (material on Chomsky Normal Form). Pumping Lemma for
More informationModel Checking & Program Analysis
Model Checking & Program Analysis Markus Müller-Olm Dortmund University Overview Introduction Model Checking Flow Analysis Some Links between MC and FA Conclusion Apology for not giving proper credit to
More informationDFA of non-distributive properties
DFA of non-distributive properties The general pattern of Dataflow Analysis GA (p)= i if p E { GA (q) q F } otherwise GA (p)= f p ( GA (p) ) where : E is the set of initial/final points of the control-flow
More informationIntroduction to data-flow analysis. Data-flow analysis. Control-flow graphs. Data-flow analysis. Example: liveness. Requirements
Data-flow analysis Michel Schinz based on material by Erik Stenman and Michael Schwartzbach Introduction to data-flow analysis Data-flow analysis Example: liveness Data-flow analysis is a global analysis
More information