Embed Size (px)
Citation preview
WCET 2007, Pisa, 2007-07-03 page 1 of 27
Tidrum
WCET'2007
Analysing Switch-Case Tables
by
Partial Evaluation
Niklas Holsti
Tidorum Ltd
www.tidorum.fi
WCET 2007, Pisa, 2007-07-03 page 2 of 27
Tidrum
From binary file to control-flow graph
Binarymemoryimage
Startaddress
Control-flow
graph
WCETanalysis
Problem: dynamic transfer of control, DTC
for example jump via register
? ?
WCET 2007, Pisa, 2007-07-03 page 3 of 27
Tidrum
Overview
● Analysing DTC from a switch-case statement
● When compiled into a switch table
interpreted by a switch handler routine
● Partial evaluation (PE) of switch handler
● Example
WCET 2007, Pisa, 2007-07-03 page 4 of 27
Tidrum
Switch tables and switch handlers
● Various forms of switch tables– depending on compiler, index type, dense/sparse, ...
● Compiler generates:– switch table T– call or jump to switch handler (Table T, Index k)
● Switch handler– looks up Index in Table
● jumps to that case using DTC
switch (k) {case 4: ...case 8: case 9: case 11: ...default: ... }
A constant table that mapsindex value to code address: 4 A: <case 4> 8, 9, 11 B: <case 8, 9, 11> others C: <default>
Switch-case statement Switch table
WCET 2007, Pisa, 2007-07-03 page 5 of 27
Tidrum
One handler – many switches
Code
Foo
T1
Code Code
T2Handler
Bar
DTCCasesin T2
Casesin T1
Call(T1, Ind1)
Call(T2, Ind2)
SwitchTable
SwitchTable
WCET 2007, Pisa, 2007-07-03 page 6 of 27
Tidrum
A real switch handler
IAR compiler for Atmel AVR
● Same handler for many index types (8, 16, 32 bits)
● Complex table structure– entries of variable length
DTC
WCET 2007, Pisa, 2007-07-03 page 7 of 27
Tidrum
Partial Evaluation of switch handlers
TableIndex
Index Addr4 A8,9,11 Bdefault CAddresses
defined inthe Table
Switch handlerfor any Tableand any Index
Partially evaluatethe switch handlerwith respect tothe knownswitch table Tfor a givenswitch-casestatement
Table T
Call
DTC
A B C
Residual switchhandler for table T
and any Index
Call
Index
4 89
11
else
Index?
DTC is resolvedinto static jumps
WCET 2007, Pisa, 2007-07-03 page 8 of 27
Tidrum
Eureka
● The analysis “runs” the switch handler
● The switch handler itself decodes the switch table
WCET 2007, Pisa, 2007-07-03 page 9 of 27
Tidrum
The example
● Here shown on a symbolic level
– paper shows AVR machine code
● Partial Evaluation as implemented in Bound-T
– on the fly while building flow-graph
– data state: some variables bound to constants
WCET 2007, Pisa, 2007-07-03 page 10 of 27
Tidrum
Simple 8-bit switch table & handler
switch (k) {case 4: ...case 8: case 9: case 11: ...default: ... }
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
SwHandlerparameters:- pointer Tp to switch table- 8-bit Index (k) of switch-case
(Index and Tp.Mask) = Tp.Match ? Jump to Tp.Address
Advance Tp to next entry
≠
DTC=
?
WCET 2007, Pisa, 2007-07-03 page 11 of 27
Tidrum
0. Detect invocation of switch handler
● Start PE with initial data-state
TpT [0]
● Expand SwHandler “in-line”
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
Tp
Aha!Entering switch handler!
Flow graph (1 node so far)
WCET 2007, Pisa, 2007-07-03 page 12 of 27
Tidrum
1. Add first step in SwHandler, with data state
(Index and Tp.Mask) = Tp.Match ?
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
Tp
TpT [0]
WCET 2007, Pisa, 2007-07-03 page 13 of 27
Tidrum
2. Partially evaluate wrt data state
Index = 4 ?
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
TpT [0]
Tp
WCET 2007, Pisa, 2007-07-03 page 14 of 27
Tidrum
3. Generate successors (PC, data state) & add
Index = 4 ?
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
Jump to Tp.Address=
Advance Tp to next entry
≠
TpT [0] TpT [0]
TpT [0]
Tp
DTC
WCET 2007, Pisa, 2007-07-03 page 15 of 27
Tidrum
4a. Partially evaluate wrt data state
Index = 4 ?
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
Jump to <case 4>=
Advance Tp to next entry
≠
DTC resolvedPE ends on this pathCFG building continues(shown later)
TpT [0] TpT [0]
TpT [0]
Tp
WCET 2007, Pisa, 2007-07-03 page 16 of 27
Tidrum
4b. Partially evaluate wrt data state
Index = 4 ?
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
Jump to <case 4>=
Tp := addr (T[1])
≠
TpT [0] TpT [0]
TpT [0]
Tp
New data state: TpT [1]
WCET 2007, Pisa, 2007-07-03 page 17 of 27
Tidrum
Generate successors: can we loop?
Index = 4 ?
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
Tp
Jump to <case 4>=
Tp := addr (T[1])
≠
TpT [0] TpT [0]
TpT [0]Cannot create loop becausethe data state is different
New data state: TpT [1]
WCET 2007, Pisa, 2007-07-03 page 18 of 27
Tidrum
5. Generate successors (PC, data state) & add
Index = 4 ?
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
Tp
Jump to <case 4>=
Tp := addr (T[1])
≠
TpT [0] TpT [0]
TpT [0]
TpT [1]
(Index and Tp.Mask) = Tp.Match ? Loop expands (unrolls) itself
WCET 2007, Pisa, 2007-07-03 page 19 of 27
Tidrum
6. Partially evaluate wrt data state
Index = 4 ?
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
Tp
Jump to <case 4>=
Tp := addr (T[1])
≠
TpT [0] TpT [0]
TpT [0]
TpT [1]
(Index and 254) = 8 ?
WCET 2007, Pisa, 2007-07-03 page 20 of 27
Tidrum
7. Generate successors (PC, data state) & add
Index = 4 ?
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
Tp
Jump to <case 4>=
Tp := addr (T[1])
≠
TpT [0] TpT [0]
TpT [0]
TpT [1]
(Index and 254) = 8 ? Jump to Tp.Address=
TpT [1]
Advance Tp to next entry
≠TpT [1]
DTC
WCET 2007, Pisa, 2007-07-03 page 21 of 27
Tidrum
8. Partially evaluate wrt data state, etc.
Index = 4 ?
Tp := addr (T[0])Index := kinvoke SwHandler
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>
Tp
Jump to <case 4>=
Tp := addr (T[1])
≠
TpT [0] TpT [0]
TpT [0]
TpT [1]
(Index and 254) = 8 ? Jump to <case 8,9,11>=
Tp := addr (T[2])
≠TpT [1]
... and so on ...
DTC resolved
TpT [1]
WCET 2007, Pisa, 2007-07-03 page 22 of 27
Tidrum
n. Add successors for last table entry
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>TpTp := addr (T[3])
≠TpT [2]
TpT [3]
(Index and Tp.Mask) = Tp.Match ?
WCET 2007, Pisa, 2007-07-03 page 23 of 27
Tidrum
n+1. Partially evaluate wrt data state
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>TpTp := addr (T[3])
≠TpT [2]
TpT [3]
0 = 0 ?
WCET 2007, Pisa, 2007-07-03 page 24 of 27
Tidrum
n+2. Generate & add feasible successors
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>TpTp := addr (T[3])
≠TpT [2]
TpT [3]
0 = 0 ? Jump to Tp.Address
=(true)
TpT [3]
≠(false)
DTC
WCET 2007, Pisa, 2007-07-03 page 25 of 27
Tidrum
n+3. Partially evaluate wrt data state
Mask Match Address255 4 <case 4>254 8 <case 8,9,11>255 11 <case 8,9,11>0 0 <default>TpTp := addr (T[3])
≠TpT [2]
TpT [3]
0 = 0 ? Jump to <default>
TpT [3]
● All paths end with resolved DTC
● Expansion of switch handler completed– for this switch-case statement
DTC resolved
WCET 2007, Pisa, 2007-07-03 page 26 of 27
Tidrum
Completed flow-graph
Index = 4 ?
Tp := addr (T[0])Index := kinvoke SwHandler
Jump to <case 4>=
(Index and 254) = 8 ? Jump to <case 8,9,11>=
≠
Index = 11 ?=
≠
Jump to <default>≠
residual SwHandler (T, *)
<case 4>
<case 8,9,11>
Jump to <case 8,9,11>
<default>
● Shows execution path to each case
● Shows conditions leading to each case
WCET 2007, Pisa, 2007-07-03 page 27 of 27
Tidrum
Summary
● Traditional flow-graph construction:– enumerate only PC values
● Flow-graph construction with PE:– choose relevant data state components (... but how ?)– enumerate product domain (PC, data state)
● PE applied here to switch handlers– easy to choose the relevant data:
● the switch table and anything derived from it
● Other PE applications in WCET analysis?
