Deriving abstract transfer functions for analyzing embedded software

This paper addresses the problem of creating the abstract transfer functions that dataflow analyses rely on. Writing these functions by hand is problematic: transfer functions are difficult to understand, difficult to make precise, and difficult to debug. Bugs in transfer functions are particularly serious because they defeat the soundness of any program analysis built on top of them. Furthermore, implementing transfer functions by hand is wasteful, because the resulting code is often difficult to reuse in a new analyzer or for a new language. We have developed algorithms and tools for deriving transfer functions for the bitwise and unsigned interval abstract domains. The interval domain is standard; in the bitwise domain, values are vectors of three-valued bits. For both domains, the important challenges are to derive transfer functions that remain sound in the presence of integer overflow, and to derive precise transfer functions for operations whose semantics are a mismatch for the domain (i.e., bit-vector operations in the interval domain and arithmetic operations in the bitwise domain). We can derive transfer functions, and execute them, in time linear in the bitwidth of the operands. These functions are maximally precise in most cases. Our generated transfer functions are parameterized by a bitwidth and are independent both of the language being analyzed and of the language in which the analyzer is written. Currently, we generate interval and bitwise transfer functions in C and OCaml for analyzing C source code, ARM object code, and AVR object code. We evaluate our derived functions by using them in an interprocedural dataflow analyzer.
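The following is an added example, not the paper's tool or code: it implements hand-written, linear-time transfer functions for both domains the abstract describes (a bitwise domain of three-valued bit vectors, here encoded as (value, mask) pairs in the tristate-number style used by the Linux BPF verifier, and an unsigned interval domain), then derives the best possible transfer function for each operation by brute force at a small bitwidth and checks the hand-written version against it for soundness under wraparound and for precision. The bitwidth W = 4, the (value, mask) encoding, the carry-propagation formula for bitwise-domain addition, and the interval OR via Warren's minOR/maxOR (Hacker's Delight, section 4-3) are all assumptions of this example; derivation by exhaustive concretization is a stand-in for the paper's algorithm, which is linear in the bitwidth and is not reproduced here.

```python
from itertools import product

W = 4                    # assumption: small bitwidth, so exhaustive derivation stays cheap
MASK = (1 << W) - 1

# Bitwise domain: (value, mask). Bit i is unknown if mask bit i is set, else known = value bit i.
def bw_values():
    return [(v, m) for m in range(MASK + 1) for v in range(MASK + 1) if v & m == 0]
def bw_concretize(a):
    v, m = a
    return [v | s for s in range(MASK + 1) if s & ~m == 0]   # every filling of the unknown bits

def bw_abstract(vals):           # best abstraction: a bit is known iff it is constant over vals
    known1 = known0 = MASK
    for x in vals:
        known1 &= x
        known0 &= ~x & MASK
    return (known1, MASK & ~(known1 | known0))

def bw_leq(a, b):                # gamma(a) within gamma(b): b knows no bit a does not, and agrees
    return a[1] & ~b[1] == 0 and (a[0] ^ b[0]) & ~b[1] == 0
def bw_and(a, b):                # native op: result bit i depends only on bit i of each operand
    may1_a, may1_b = a[0] | a[1], b[0] | b[1]
    v = a[0] & b[0]
    return (v, may1_a & may1_b & ~v)

def bw_add(a, b):                # mismatched op: carries spread uncertainty upward; wraps mod 2^W
    sv, sm = a[0] + b[0], a[1] + b[1]
    chi = (sm + sv) ^ sv                          # bit positions a carry out of an unknown bit can reach
    mu = (chi | a[1] | b[1]) & MASK
    return (sv & ~mu & MASK, mu)

# Unsigned interval domain: (lo, hi) with 0 <= lo <= hi <= MASK.
def iv_values():
    return [(lo, hi) for lo in range(MASK + 1) for hi in range(lo, MASK + 1)]
def iv_concretize(i):
    return range(i[0], i[1] + 1)
def iv_abstract(vals):
    return (min(vals), max(vals))
def iv_leq(a, b):
    return b[0] <= a[0] and a[1] <= b[1]

def iv_add(a, b):                # sound under wraparound
    lo, hi = a[0] + b[0], a[1] + b[1]
    if lo > MASK:                                 # every sum wraps: shift the whole interval down
        lo, hi = lo - (1 << W), hi - (1 << W)
    return (lo, hi) if hi <= MASK else (0, MASK)  # straddling 2^W: only the full range is sound

def _min_or(a, b, c, d):         # Warren's minOR (Hacker's Delight 4-3): least x|y, x in [a,b], y in [c,d]
    m = 1 << (W - 1)
    while m:
        if ~a & c & m:
            t = (a | m) & ~(m - 1)
            if t <= b:
                a = t; break
        elif a & ~c & m:
            t = (c | m) & ~(m - 1)
            if t <= d:
                c = t; break
        m >>= 1
    return a | c

def _max_or(a, b, c, d):         # Warren's maxOR: greatest x|y over the same ranges
    m = 1 << (W - 1)
    while m:
        if b & d & m:
            t = (b - m) | (m - 1)
            if t >= a:
                b = t; break
            t = (d - m) | (m - 1)
            if t >= c:
                d = t; break
        m >>= 1
    return b | d

def iv_or(x, y):                 # mismatched op: bit-vector OR on intervals
    return (_min_or(x[0], x[1], y[0], y[1]), _max_or(x[0], x[1], y[0], y[1]))

def derive(concretize, abstract, op, a, b):   # best transfer function for op, by exhaustion mod 2^W
    return abstract([op(x, y) & MASK for x in concretize(a) for y in concretize(b)])

def check(values, concretize, abstract, leq, transfer, op):
    # Count operand pairs where transfer is unsound (misses a concrete result) or merely
    # imprecise (sound, but strictly looser than the derived best function).
    unsound = imprecise = 0
    for a, b in product(values, repeat=2):
        got, best = transfer(a, b), derive(concretize, abstract, op, a, b)
        if not leq(best, got):
            unsound += 1
        elif got != best:
            imprecise += 1
    return unsound, imprecise

def run_all():                   # (unsound, imprecise) pair counts per transfer function
    bw = (bw_values(), bw_concretize, bw_abstract, bw_leq)
    iv = (iv_values(), iv_concretize, iv_abstract, iv_leq)
    return {"bw_and": check(*bw, bw_and, lambda x, y: x & y),
            "bw_add": check(*bw, bw_add, lambda x, y: x + y),
            "iv_add": check(*iv, iv_add, lambda x, y: x + y),
            "iv_or": check(*iv, iv_or, lambda x, y: x | y)}
```

Calling run_all() exercises every pair of abstract values at W = 4. The native bitwise AND and the interval addition come out both sound and exactly as precise as the derived best function; interval OR matches the derived function as well because Warren's minOR/maxOR are exact; bitwise-domain addition is sound (it never misses a wrapped sum) while its precision relative to the derived function is simply reported. Raising W makes the exhaustive derivation blow up exponentially, which is exactly why the abstract's linear-time derivation matters for 16- and 32-bit operands.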
