Static Program Analysis of Embedded Software
![Page 1: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/1.jpg)
Static Program Analysis of Embedded Software
Ramakrishnan Venkitaraman
Graduate Student, Computer Science
Advisor: Dr. Gopal Gupta
![Page 2: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/2.jpg)
Software Reuse & System Integration
But, the Integrated System does not work
Cost of Project
Companies
![Page 3: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/3.jpg)
Outline
• Importance of Software Standards.
• Static Analysis based tool developed by us to enforce software standard compliance.
• How the marriage between industry and university research increases software reuse.
![Page 4: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/4.jpg)
Why Software Standard?
• Incompatibilities make integration difficult.
• Complexity in software reuse.
• COTS Marketplace.
• Time to Market.
![Page 5: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/5.jpg)
TI XDAIS Standard
• Contains 35 rules and 15 guidelines.
• SIX General Programming Rules.
• No tool currently exists to check for compliance.
• We want to build a tool to ENFORCE software compliance for these rules.
![Page 6: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/6.jpg)
Problem and Solution
• Problem: Detection of hard coded addresses in programs without accessing source code.
• Solution: “Static Program Analysis”
![Page 7: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/7.jpg)
Interest in Static Analysis
• “We actually went out and bought for 30 million dollars, a company that was in the business of building static analysis tools and now we want to focus on applying these tools to large-scale software systems”
• Remarks by Bill Gates, 17th Annual ACM Conference on Object-Oriented Programming, Systems, Languages and Applications, November 2002.
![Page 8: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/8.jpg)
Static Analysis
• Defined as any analysis of a program carried out without completely executing the program.
• Undecidability: It is impossible to build a tool that will precisely detect hard coding.
![Page 9: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/9.jpg)
Hard Coded Addresses
• Bad Programming Practice.
• Results in non-relocatable code.
• Results in non-reusable code.
![Page 10: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/10.jpg)
Overview Of Our Approach
• Input: Object Code of the Software
• Output: Compliant or Not Compliant status
Activity Diagram for our Static Analyzer
Disassemble Object Code
Split Into Functions
Obtain Basic Blocks
Obtain Flow Graph
Static Analysis
Output the Result
![Page 11: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/11.jpg)
Basic Aim Of Analysis
• Find a path to trace pointer origin.
• Problem: Exponential Complexity
• Static Analysis approximation makes it linear
![Page 12: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/12.jpg)
Analyzing Source Code – Easy

    #include <stdio.h>
    void main()
    {
        int *p, *q;
        //some code
        p = (int*)8000;
        //some code
        q = p;
        //some code
        *q = 5;
    }

{ { q } }
{ { p } }
P IS HARD CODED
So, the program is not compliant with the standard
![Page 13: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/13.jpg)
Analyzing Assembly – Hard

    000007A0 main:
    000007A0 07BD09C2 SUB.D2 SP,0x8,SP
    000007A4 020FA02A MVK.S2 0x1f40,B4
    000007A8 023C22F6 STW.D2T2 B4,*+SP[0x1]
    000007AC 00002000 NOP 2
    000007B0 023C42F6 STW.D2T2 B4,*+SP[0x2]
    000007B4 00002000 NOP 2
    000007B8 0280A042 MVK.D2 5,B5
    000007BC 029002F6 STW.D2T2 B5,*+B4[0x0]
    000007C0 00002000 NOP 2
    000007C4 008C8362 BNOP.S2 B3,4
    000007C8 07BD0942 ADD.D2 SP,0x8,SP
    000007CC 00000000 NOP
    000007D0 00000000 NOP

{{ }}
{ { B4 } }
{{ B4 }}
B4 = 0x1f40
So, B4 is HARD CODED
Code is NOT Compliant
![Page 14: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/14.jpg)
Phases In Analysis
• Phase 1: Find the set of dereferenced pointers.
• Phase 2: Check the safety of dereferenced pointers.
![Page 15: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/15.jpg)
Building Unsafe Sets (Phase 1)
• The first element is added to the unsafe set during pointer dereferencing.
• E.g., if “*Reg” appears in the disassembled code, the unsafe set is initialized to {Reg}.
• ‘N’ pointers dereferenced → ‘N’ unsafe sets
• Maintained as SOUS (Set Of Unsafe Sets)
![Page 16: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/16.jpg)
Populating Unsafe Sets (Phase 2)
• E.g., if Reg = reg1 + reg2, the element “Reg” is deleted from the unsafe set, and the elements “reg1” and “reg2” are inserted into the unsafe set.
• Contents of the unsafe set will now become {reg1, reg2}.
![Page 17: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/17.jpg)
Handling Loops
• Complex: # iterations of loop may not be known until runtime.
• Cycle the loop until the unsafe set reaches a “fixed point”.
• No new information is added to the unsafe set during successive iterations.
![Page 18: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/18.jpg)
Merging Information
• If no merging, then exponential complexity.
• Mandatory when there are loops.
• Information loss.
If (Cond)
Then Block B
Else Block C
Block D
Block A
Block E
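
The two phases, the loop fixed point and the merge step described on the preceding slides, put together as an added example (not the authors' tool). The tuple instruction format and the `transfer`/`analyze` names are assumptions made for illustration, and instead of a separate set per dereference it keeps one merged set whose elements are tagged with the dereference site they belong to.

```python
# Added example: backward "unsafe set" analysis over a control-flow graph.
# Constructed IR (an assumption, not TI's format): ("deref", reg),
# ("const", dst, value), ("op", dst, [srcs]), ("safe", dst) e.g. dst = malloc().

def transfer(instr, unsafe, findings, where):
    """Push the unsafe set backwards across one instruction."""
    kind, reg = instr[0], instr[1]
    if kind == "deref":                    # Phase 1: *reg opens a trace for this site
        return unsafe | {(where, reg)}
    hit = {(site, r) for site, r in unsafe if r == reg}
    rest = unsafe - hit                    # reg is redefined here, so drop it
    if kind == "const":                    # origin is an immediate: hard coded
        findings.update((site, instr[2]) for site, _ in hit)
    elif kind == "op":                     # Phase 2: replace reg by its sources
        rest |= {(site, src) for site, _ in hit for src in instr[2]}
    return rest                            # "safe": the trace ends with no finding

def analyze(blocks, succ):
    """Return {(deref_site, constant)} once every block reaches a fixed point."""
    entry = {b: frozenset() for b in blocks}   # unsafe set at each block's entry
    findings, changed = set(), True
    while changed:                             # loops: repeat until nothing grows
        changed = False
        for b, code in blocks.items():
            # Merge point: union the successors' sets (path information is lost).
            state = set().union(*(entry[s] for s in succ.get(b, [])))
            for i in range(len(code) - 1, -1, -1):
                state = transfer(code[i], state, findings, (b, i))
            if state != entry[b]:
                entry[b], changed = frozenset(state), True
    return findings

# Constructed inputs. LISTING models the MVK / STW *+B4[0x0] pair from the
# disassembly slide; the stack-pointer stores are left out.
LISTING = {"main": [("const", "B4", 0x1F40), ("const", "B5", 5), ("deref", "B4")]}
# "Conditional hardcoding": if (val) p = 0x900; else p = malloc(...); *p;
BRANCH = {"A": [], "B": [("const", "p", 0x900)], "C": [("safe", "p")],
          "D": [("deref", "p")]}
BRANCH_SUCC = {"A": ["B", "C"], "B": ["D"], "C": ["D"]}
# Loop: q = p = 0x80; do { *q; q = q + n; } while (...), n from a safe source.
LOOP = {"init": [("const", "p", 0x80), ("safe", "n"), ("op", "q", ["p"])],
        "loop": [("deref", "q"), ("op", "q", ["q", "n"])], "exit": []}
LOOP_SUCC = {"init": ["loop"], "loop": ["loop", "exit"]}

if __name__ == "__main__":
    print(analyze(LISTING, {}), analyze(BRANCH, BRANCH_SUCC), analyze(LOOP, LOOP_SUCC))
```

Each finding is a pair of the dereference site (block name, instruction index) and the constant it was traced back to; the constant 5 loaded into B5 is not reported because B5 is never dereferenced.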
![Page 19: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/19.jpg)
Extensive Compliance Checking
• Handle all cases occurring in programs.
• Single pointer, double pointer, triple pointer…
• Global pointer variables.
• Static and Dynamic arrays.
![Page 20: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/20.jpg)
Extensive Compliance Checking
• Loops – all forms (e.g. for, while…)
• Function calls.
• Pipelining and Parallelism.
• Merging information from multiple paths.
![Page 21: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/21.jpg)
Analysis Stops when…
• Compliance of all the pointers is established.
• Errors and warnings are reported.
• Log file containing statistics of the analysis is created.
![Page 22: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/22.jpg)
Analysis Results
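| Program | # Lines | # * Ptrs | # Hard Coded | Chain Length | Running Time (ms) |
|---|---|---|---|---|---|
| t_read | 80 | 3 | 0 | 0 | 1280 |
| timer1 | 126 | 17 | 6 | 1 | 1441 |
| mcbsp1 | 196 | 0 | 0 | 0 | 1270 |
| figtest | 292 | 19 | 10 | 2 | 1521 |
| m_hdrv | 345 | 6 | 2 | 1 | 2262 |
| dat | 949 | 10 | 8 | 12 | 2512 |
| gui_codec | 1139 | 109 | 28 | 1 | 3063 |
| codec | 1188 | 109 | 28 | 1 | 3043 |
| stress | 1203 | 105 | 0 | 1 | 4505 |
| demo | 1350 | 82 | 47 | 9 | 4716 |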
![Page 23: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/23.jpg)
Current Status and Future Work
• Prototype Implementation done
• But, context insensitive, intra-procedural
• Extend to context sensitive, inter-procedural.
• Extend compliance check for other rules.
![Page 24: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/24.jpg)
So…
• Hard Coding is a bad programming practice.
• Non-relocatable/reusable code.
• A Static Analysis based technique is useful and practical.
![Page 25: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/25.jpg)
Software Reuse & System Integration
WOW!!!! It works…
Select ONLY Compliant Software
![Page 26: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/26.jpg)
Questions…
More Information: Ramakrishnan Venkitaraman
[email protected]/~ramakrishnan/
www.utdallas.edu/~gupta/alps/
![Page 27: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/27.jpg)
• Click to continue
• Extra slides
![Page 28: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/28.jpg)
General Programming Rules
• No tool currently exists to check for compliance.
• SIX rules.
1) All programs should follow the runtime conventions of TI’s C programming language.
2) Algorithms must be re-entrant.
3) No hard coded data memory locations.
4) No hard coded program memory locations.
5) Algorithms must characterize their ROM-ability.
6) No peripheral device accesses.
![Page 29: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/29.jpg)
Some examples showing hardcoding

Example 1: Directly Hardcoded

    void main()
    {
        int * p = 0x8800;
        // Some code
        *p = …;
    }

Example 2: Indirectly Hardcoded

    void main()
    {
        int *p = 0x80;
        int *q = p;
        //Some code
        *q = …;
    }

Example 3: Conditional Hardcoding

    void main()
    {
        int *p, val;
        p = ….;
        val = …;
        if(val)
            p = 0x900;
        else
            p = malloc(…);
        *p;
    }

NOTE: We don’t care if a pointer is hard coded and is never dereferenced.
![Page 30: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/30.jpg)
Sample Code
![Page 31: Static Program Analysis of Embedded Software](https://reader036.fdocuments.in/reader036/viewer/2022062519/56815162550346895dbf8c2a/html5/thumbnails/31.jpg)
Fig. Flow Graph