Control Flow Analysis

Tim Blazytko @mr_phrazer [email protected] https://synthesis.to Why? Motivation

• high-level structure of a function

• detect branches and loops

• pattern matching to spot interesting code parts

• foundation for automated program analysis

2 Basic Block • single entry: only first instruction can be target of a branch

• single exit: only last instruction can branch to other basic blocks

Basic Block

• sequence of ordered instructions

4 • single exit: only last instruction can branch to other basic blocks

Basic Block

• sequence of ordered instructions

• single entry: only first instruction can be target of a branch

4 Basic Block

• sequence of ordered instructions

• single entry: only first instruction can be target of a branch

• single exit: only last instruction can branch to other basic blocks

4 Basic Block Identification Rules: Leader Instruction Identification

1. first instruction is a leader

2. target of a control flow transfer is a leader

3. instruction that immediately follows a control flow transfer is a leader

6 • many tools handle it differently due to readability reasons

• most calls return to the next instruction

Know how your tool handles it.

Split on calls?

• strict basic block definition: yes

• calls interrupt the control flow

7 Know how your tool handles it.

Split on calls?

• strict basic block definition: yes

• calls interrupt the control flow

• many tools handle it differently due to readability reasons

• most calls return to the next instruction

7 Split on calls?

• strict basic block definition: yes

• calls interrupt the control flow

• many tools handle it differently due to readability reasons

• most calls return to the next instruction

Know how your tool handles it.

7 Basic Blocks

; leader: first instruction 0x170A0: cmpedi , 26h 0x170A3: jzshort 0x170C0

; leader: follows a control flow transfer 0x170A5: jgshort 0x170B8

; leader: follows a control flow transfer 0x170A7: xoreax , eax 0x170A9: cmpedi , 10h 0x170AC: jzshort 0x170C2

; leader: follows a control flow transfer 0x170AE: cmpedi , 16h 0x170B1: setnzal 0x170B4: retn

; leader: target of control flow transfer 0x170B8: cmpedi , 5Fh 0x170BB: setnzal 0x170BE: retn

; leader: target of control flow transfer 0x170C0: xoreax , eax

; leader: target of control flow transfer 0x170C2: retn

8 Control Flow Graph

loc_170a0 CMP EDI, 0x26 JZ loc_170c0

loc_170c0 loc_170a5 XOR EAX, EAX JG loc_170b8

loc_170b8 loc_170a7 CMP EDI, 0x5F XOR EAX, EAX SETNZ AL CMP EDI, 0x10 RET JZ loc_170c2

loc_170ae loc_170c2 CMP EDI, 0x16 RET SETNZ AL RET

9 Control Flow Graph Control Flow Graph

• directed

• nodes are basic blocks

• edges represent control flow between basic blocks

• represents all program paths that might be traversed

11 Exit A node that has no outgoing edges.

Path A chain of transition between nodes.

Control Flow Graph

Entry A node that has no incoming edges.

12 Path A chain of transition between nodes.

Control Flow Graph

Entry A node that has no incoming edges.

Exit A node that has no outgoing edges.

12 Control Flow Graph

Entry A node that has no incoming edges.

Exit A node that has no outgoing edges.

Path A chain of transition between nodes.

12 • a is a entry node • f and g are exists • a → c → d → f is a path between a and f

Control Flow Graph

a

b c

d e

f g

13 Control Flow Graph

a

b c

d e

f g

• a is a entry node • f and g are exists • a → c → d → f is a path between a and f 13 Dominance Relations • analyze relations between basic blocks

• provide guarantees that a basic block x is always executed before y

detection and analysis

• foundation for many compiler optimizations and other analysis techniques

Motivation

• graph-theoretic concept

15 • provide guarantees that a basic block x is always executed before y

• loop detection and analysis

• foundation for many compiler optimizations and other analysis techniques

Motivation

• graph-theoretic concept

• analyze relations between basic blocks

15 • loop detection and analysis

• foundation for many compiler optimizations and other analysis techniques

Motivation

• graph-theoretic concept

• analyze relations between basic blocks

• provide guarantees that a basic block x is always executed before y

15 • foundation for many compiler optimizations and other analysis techniques

Motivation

• graph-theoretic concept

• analyze relations between basic blocks

• provide guarantees that a basic block x is always executed before y

• loop detection and analysis

15 Motivation

• graph-theoretic concept

• analyze relations between basic blocks

• provide guarantees that a basic block x is always executed before y

• loop detection and analysis

• foundation for many compiler optimizations and other analysis techniques

15 Dominator • x is a dominator of y:(x ≤ y)

• y is dominated by x:(y ≥ x)

• dom(y) is the set of all dominators of y (dominator set)

• each node dominates itself: y ∈ dom(y)

• entry node dominates all nodes in the graph

Dominator

• a node x dominates a node y if every path from the entry node to y goes through x

17 • y is dominated by x:(y ≥ x)

• dom(y) is the set of all dominators of y (dominator set)

• each node dominates itself: y ∈ dom(y)

• entry node dominates all nodes in the graph

Dominator

• a node x dominates a node y if every path from the entry node to y goes through x

• x is a dominator of y:(x ≤ y)

17 • dom(y) is the set of all dominators of y (dominator set)

• each node dominates itself: y ∈ dom(y)

• entry node dominates all nodes in the graph

Dominator

• a node x dominates a node y if every path from the entry node to y goes through x

• x is a dominator of y:(x ≤ y)

• y is dominated by x:(y ≥ x)

17 • each node dominates itself: y ∈ dom(y)

• entry node dominates all nodes in the graph

Dominator

• a node x dominates a node y if every path from the entry node to y goes through x

• x is a dominator of y:(x ≤ y)

• y is dominated by x:(y ≥ x)

• dom(y) is the set of all dominators of y (dominator set)

17 • entry node dominates all nodes in the graph

Dominator

• a node x dominates a node y if every path from the entry node to y goes through x

• x is a dominator of y:(x ≤ y)

• y is dominated by x:(y ≥ x)

• dom(y) is the set of all dominators of y (dominator set)

• each node dominates itself: y ∈ dom(y)

17 Dominator

• a node x dominates a node y if every path from the entry node to y goes through x

• x is a dominator of y:(x ≤ y)

• y is dominated by x:(y ≥ x)

• dom(y) is the set of all dominators of y (dominator set)

• each node dominates itself: y ∈ dom(y)

• entry node dominates all nodes in the graph

17 • dom(a) = {a} • dom(b) = {a, b} • dom(c) = {a, c} • dom(d) = {a, d} • dom(e) = {a, c, e} • dom(f) = {a, f} • dom(g) = {a, c, e, g}

Dominator Sets

a

b c

d e

f g

18 • dom(b) = {a, b} • dom(c) = {a, c} • dom(d) = {a, d} • dom(e) = {a, c, e} • dom(f) = {a, f} • dom(g) = {a, c, e, g}

Dominator Sets

{ } a • dom(a) = a

b c

d e

f g

18 • dom(c) = {a, c} • dom(d) = {a, d} • dom(e) = {a, c, e} • dom(f) = {a, f} • dom(g) = {a, c, e, g}

Dominator Sets

{ } a • dom(a) = a • dom(b) = {a, b}

b c

d e

f g

18 • dom(d) = {a, d} • dom(e) = {a, c, e} • dom(f) = {a, f} • dom(g) = {a, c, e, g}

Dominator Sets

{ } a • dom(a) = a • dom(b) = {a, b}

b c • dom(c) = {a, c}

d e

f g

18 • dom(e) = {a, c, e} • dom(f) = {a, f} • dom(g) = {a, c, e, g}

Dominator Sets

{ } a • dom(a) = a • dom(b) = {a, b}

b c • dom(c) = {a, c} • dom(d) = {a, d}

d e

f g

18 • dom(f) = {a, f} • dom(g) = {a, c, e, g}

Dominator Sets

{ } a • dom(a) = a • dom(b) = {a, b}

b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e}

f g

18 • dom(g) = {a, c, e, g}

Dominator Sets

{ } a • dom(a) = a • dom(b) = {a, b}

b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g

18 Dominator Sets

{ } a • dom(a) = a • dom(b) = {a, b}

b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g • dom(g) = {a, c, e, g}

18 Immediate Dominator • x is an immediate dominator of y if

1. x < y

2. ∄c : x < c < y

• x is the closest dominator to y with x ≠ y

• every node (except entry) has an immediate dominator

Immediate Dominator

• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y

20 1. x < y

2. ∄c : x < c < y

• x is the closest dominator to y with x ≠ y

• every node (except entry) has an immediate dominator

Immediate Dominator

• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y

• x is an immediate dominator of y if

20 2. ∄c : x < c < y

• x is the closest dominator to y with x ≠ y

• every node (except entry) has an immediate dominator

Immediate Dominator

• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y

• x is an immediate dominator of y if

1. x < y

20 • x is the closest dominator to y with x ≠ y

• every node (except entry) has an immediate dominator

Immediate Dominator

• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y

• x is an immediate dominator of y if

1. x < y

2. ∄c : x < c < y

20 • every node (except entry) has an immediate dominator

Immediate Dominator

• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y

• x is an immediate dominator of y if

1. x < y

2. ∄c : x < c < y

• x is the closest dominator to y with x ≠ y

20 Immediate Dominator

• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y

• x is an immediate dominator of y if

1. x < y

2. ∄c : x < c < y

• x is the closest dominator to y with x ≠ y

• every node (except entry) has an immediate dominator

20 Immediate Dominators

{ } a • dom(a) = a • dom(b) = {a, b}

b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g • dom(g) = {a, c, e, g}

21 Immediate Dominators

{ } a • dom(a) = a • dom(b) = {a, b}

b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g • dom(g) = {a, c, e, g}

21 Immediate Dominators

{ } a • dom(a) = a • dom(b) = {a, b}

b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g • dom(g) = {a, c, e, g}

21 Immediate Dominators

{ } a • dom(a) = a • dom(b) = {a, b}

b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g • dom(g) = {a, c, e, g}

21 Dominator • build from immediate dominators

• x is an immediate dominator of y ⇔ (x, y) is an edge in the tree

• start node: graph entry

• each node dominates its descendants in the tree

Dominator Tree

• compact representation of dominance relations

23 • x is an immediate dominator of y ⇔ (x, y) is an edge in the tree

• start node: graph entry

• each node dominates its descendants in the tree

Dominator Tree

• compact representation of dominance relations

• build from immediate dominators

23 • start node: graph entry

• each node dominates its descendants in the tree

Dominator Tree

• compact representation of dominance relations

• build from immediate dominators

• x is an immediate dominator of y ⇔ (x, y) is an edge in the tree

23 • each node dominates its descendants in the tree

Dominator Tree

• compact representation of dominance relations

• build from immediate dominators

• x is an immediate dominator of y ⇔ (x, y) is an edge in the tree

• start node: graph entry

23 Dominator Tree

• compact representation of dominance relations

• build from immediate dominators

• x is an immediate dominator of y ⇔ (x, y) is an edge in the tree

• start node: graph entry

• each node dominates its descendants in the tree

23 ⇒ root ⇒ (a, b) ⇒ (a, c) ⇒ (a, d) ⇒ (c, e) ⇒ (a, f) ⇒ (e, g)

Dominator Tree

dom(a) = {a} dom(b) = {a, b} dom(c) = {a, c} dom(d) = {a, d} dom(e) = {a, c, e} dom(f) = {a, f} dom(g) = {a, c, e, g}

24 Dominator Tree

dom(a) = {a} ⇒ root dom(b) = {a, b} ⇒ (a, b) dom(c) = {a, c} ⇒ (a, c) dom(d) = {a, d} ⇒ (a, d) dom(e) = {a, c, e} ⇒ (c, e) dom(f) = {a, f} ⇒ (a, f) dom(g) = {a, c, e, g} ⇒ (e, g)

24 Dominator Tree

a dom(a) = {a} ⇒ root dom(b) = {a, b} ⇒ (a, b) b c d f dom(c) = {a, c} ⇒ (a, c) dom(d) = {a, d} ⇒ (a, d) dom(e) = {a, c, e} ⇒ (c, e) e dom(f) = {a, f} ⇒ (a, f) dom(g) = {a, c, e, g} ⇒ (e, g) g

24 Loops • easy to spot in control flow graphs

• graph-theoretical properties that facilitate many kinds of analysis

• automated loop analysis fundamental for many reverse engineering tasks

What are loops and how can we find them?

Motivation

• common construct on function level

26 • graph-theoretical properties that facilitate many kinds of analysis

• automated loop analysis fundamental for many reverse engineering tasks

What are loops and how can we find them?

Motivation

• common construct on function level

• easy to spot in control flow graphs

26 • automated loop analysis fundamental for many reverse engineering tasks

What are loops and how can we find them?

Motivation

• common construct on function level

• easy to spot in control flow graphs

• graph-theoretical properties that facilitate many kinds of analysis

26 What are loops and how can we find them?

Motivation

• common construct on function level

• easy to spot in control flow graphs

• graph-theoretical properties that facilitate many kinds of analysis

• automated loop analysis fundamental for many reverse engineering tasks

26 Motivation

• common construct on function level

• easy to spot in control flow graphs

• graph-theoretical properties that facilitate many kinds of analysis

• automated loop analysis fundamental for many reverse engineering tasks

What are loops and how can we find them?

26 • natural loops

• compiler generated • strong mathematical properties

• irreducible loops

• complicate to analyze • rarely seen (hand-written assembly, code obfuscation)

We focus only on natural loops.

Loops

Strongly Connected Component A subgraph in which each node is reachable from every other node.

27 • irreducible loops

• complicate to analyze • rarely seen (hand-written assembly, code obfuscation)

We focus only on natural loops.

Loops

Strongly Connected Component A subgraph in which each node is reachable from every other node.

• natural loops

• compiler generated • strong mathematical properties

27 We focus only on natural loops.

Loops

Strongly Connected Component A subgraph in which each node is reachable from every other node.

• natural loops

• compiler generated • strong mathematical properties

• irreducible loops

• complicate to analyze • rarely seen (hand-written assembly, code obfuscation)

27 Loops

Strongly Connected Component A subgraph in which each node is reachable from every other node.

• natural loops

• compiler generated • strong mathematical properties

• irreducible loops

• complicate to analyze • rarely seen (hand-written assembly, code obfuscation)

We focus only on natural loops.

27 Natural and Irreducible Loop

1 1

2 2

3 3

4 4

natural loop irreducible loop

28 Natural Loop • generated by compilers

• loop header: single entry point that dominates a loop

• back edge: edge to a dominator

• loop body: set of nodes within a loop

Natural Loop

• strong mathematical properties

30 • loop header: single entry point that dominates a loop

• back edge: edge to a dominator

• loop body: set of nodes within a loop

Natural Loop

• strong mathematical properties

• generated by compilers

30 • back edge: edge to a dominator

• loop body: set of nodes within a loop

Natural Loop

• strong mathematical properties

• generated by compilers

• loop header: single entry point that dominates a loop

30 • loop body: set of nodes within a loop

Natural Loop

• strong mathematical properties

• generated by compilers

• loop header: single entry point that dominates a loop

• back edge: edge to a dominator

30 Natural Loop

• strong mathematical properties

• generated by compilers

• loop header: single entry point that dominates a loop

• back edge: edge to a dominator

• loop body: set of nodes within a loop

30 • 2 is loop header that dominates loop • {2, 3} is loop body • (3, 2) is back edge to the dominator

Natural Loop

1

2

3

4

31 • {2, 3} is loop body • (3, 2) is back edge to the dominator

Natural Loop

1

2

3

4

• 2 is loop header that dominates loop

31 • (3, 2) is back edge to the dominator

Natural Loop

1

2

3

4

• 2 is loop header that dominates loop • {2, 3} is loop body

31 Natural Loop

1

2

3

4

• 2 is loop header that dominates loop • {2, 3} is loop body • (3, 2) is back edge to the dominator

31 Natural Loop Detection • identify the loop body

1. collect all nodes that are dominated by x

2. filter nodes that can reach y without visiting x

Natural Loop Detection

• find a back edge

1. x dominates y

2. there is an edge (y, x)

33 Natural Loop Detection

• find a back edge

1. x dominates y

2. there is an edge (y, x)

• identify the loop body

1. collect all nodes that are dominated by x

2. filter nodes that can reach y without visiting x

33 edge body

(4, 3): {3, 4, 5, 6}

(6, 4): {4, 5, 6}

(6, 3): {3, 4, 5, 6}

Natural Loop Detection

1

2

3

4

5

7 6

34 (4, 3): {3, 4, 5, 6}

(6, 4): {4, 5, 6}

(6, 3): {3, 4, 5, 6}

Natural Loop Detection

1

2 edge body

3

4

5

7 6

34 {3, 4, 5, 6}

(6, 4): {4, 5, 6}

(6, 3): {3, 4, 5, 6}

Natural Loop Detection

1

2 edge body

3 (4, 3):

4

5

7 6

34 (6, 4): {4, 5, 6}

(6, 3): {3, 4, 5, 6}

Natural Loop Detection

1

2 edge body

3 (4, 3): {3, 4, 5, 6}

4

5

7 6

34 {4, 5, 6}

(6, 3): {3, 4, 5, 6}

Natural Loop Detection

1

2 edge body

3 (4, 3): {3, 4, 5, 6}

4 (6, 4):

5

7 6

34 (6, 3): {3, 4, 5, 6}

Natural Loop Detection

1

2 edge body

3 (4, 3): {3, 4, 5, 6}

4 (6, 4): {4, 5, 6}

5

7 6

34 {3, 4, 5, 6}

Natural Loop Detection

1

2 edge body

3 (4, 3): {3, 4, 5, 6}

4 (6, 4): {4, 5, 6}

(6, 3): 5

7 6

34 Natural Loop Detection

1

2 edge body

3 (4, 3): {3, 4, 5, 6}

4 (6, 4): {4, 5, 6}

(6, 3): {3, 4, 5, 6} 5

7 6

34 Nested Loops • they have the same header • hard to tell how they relate to each other

• if they have different headers • their intersection is empty

• one function body is entirely contained within the other

Nesting Relations

Loops can be

• merged

• disjoint

• nested

36 • hard to tell how they relate to each other

• if they have different headers • their intersection is empty

• one function body is entirely contained within the other

Nesting Relations

Loops can be

• merged

• they have the same header

• disjoint

• nested

36 • if they have different headers • their intersection is empty

• one function body is entirely contained within the other

Nesting Relations

Loops can be

• merged

• they have the same header • hard to tell how they relate to each other

• disjoint

• nested

36 • their intersection is empty

• one function body is entirely contained within the other

Nesting Relations

Loops can be

• merged

• they have the same header • hard to tell how they relate to each other

• disjoint

• if they have different headers

• nested

36 • one function body is entirely contained within the other

Nesting Relations

Loops can be

• merged

• they have the same header • hard to tell how they relate to each other

• disjoint

• if they have different headers • their intersection is empty

• nested

36 Nesting Relations

Loops can be

• merged

• they have the same header • hard to tell how they relate to each other

• disjoint

• if they have different headers • their intersection is empty

• nested

• one function body is entirely contained within the other

36 l1: {2, 3}

l2: {2, 4}

l1 ∩ l2 = {2}

Merged Loops

1

2

3 4

5

37 l1 ∩ l2 = {2}

Merged Loops

1 l1: {2, 3}

2 l2: {2, 4}

3 4

5

37 Merged Loops

1 l1: {2, 3}

2 l2: {2, 4}

3 4 l1 ∩ l2 = {2}

5

37 l1: {2, 5}

l2: {3, 4}

l1 ∩ l2 = ∅

Disjoint Loops

1

2 3

5 4

6

38 l1 ∩ l2 = ∅

Disjoint Loops

1 l1: {2, 5}

2 3 l2: {3, 4}

5 4

6

38 Disjoint Loops

1 l1: {2, 5}

2 3 l2: {3, 4}

5 4 l1 ∩ l2 = ∅

6

38 l1: {4, 5} innermost loop

l2: {3, 4, 5, 6} inner/outer loop of l3/l1

l3: {2, 3, 4, 5, 6, 7} outermost loop

l1 ⊂ l2 ⊂ l3

Nested Loops

1

2

3

4

5

6

7

8

39 innermost loop

l2: {3, 4, 5, 6} inner/outer loop of l3/l1

l3: {2, 3, 4, 5, 6, 7} outermost loop

l1 ⊂ l2 ⊂ l3

Nested Loops

1

2

l1: {4, 5} 3

4

5

6

7

8

39 innermost loop

inner/outer loop of l3/l1

l3: {2, 3, 4, 5, 6, 7} outermost loop

l1 ⊂ l2 ⊂ l3

Nested Loops

1

2

l1: {4, 5} 3

l2: {3, 4, 5, 6} 4

5

6

7

8

39 innermost loop

inner/outer loop of l3/l1

outermost loop

l1 ⊂ l2 ⊂ l3

Nested Loops

1

2

l1: {4, 5} 3

l2: {3, 4, 5, 6} 4

l : {2, 3, 4, 5, 6, 7} 5 3

6

7

8

39 inner/outer loop of l3/l1

outermost loop

l1 ⊂ l2 ⊂ l3

Nested Loops

1

2

l1: {4, 5} innermost loop 3

l2: {3, 4, 5, 6} 4

l : {2, 3, 4, 5, 6, 7} 5 3

6

7

8

39 outermost loop

l1 ⊂ l2 ⊂ l3

Nested Loops

1

2

l1: {4, 5} innermost loop 3

l2: {3, 4, 5, 6} inner/outer loop of l3/l1 4

l : {2, 3, 4, 5, 6, 7} 5 3

6

7

8

39 l1 ⊂ l2 ⊂ l3

Nested Loops

1

2

l1: {4, 5} innermost loop 3

l2: {3, 4, 5, 6} inner/outer loop of l3/l1 4

l : {2, 3, 4, 5, 6, 7} outermost loop 5 3

6

7

8

39 Nested Loops

1

2

l1: {4, 5} innermost loop 3

l2: {3, 4, 5, 6} inner/outer loop of l3/l1 4

l : {2, 3, 4, 5, 6, 7} outermost loop 5 3

⊂ ⊂ 6 l1 l2 l3

7

8

39 Loop Unrolling • undecidability

• termination condition

• path explosion

• large number of iterations

• analysis with a fixed number of loop iterations beneficial

• many questions remain decidable

• limited analysis scope

Motivation

• reasoning about loops can be hard

41 • termination condition

• path explosion

• large number of iterations

• analysis with a fixed number of loop iterations beneficial

• many questions remain decidable

• limited analysis scope

Motivation

• reasoning about loops can be hard

• undecidability

41 • path explosion

• large number of iterations

• analysis with a fixed number of loop iterations beneficial

• many questions remain decidable

• limited analysis scope

Motivation

• reasoning about loops can be hard

• undecidability

• termination condition

41 • large number of iterations

• analysis with a fixed number of loop iterations beneficial

• many questions remain decidable

• limited analysis scope

Motivation

• reasoning about loops can be hard

• undecidability

• termination condition

• path explosion

41 • analysis with a fixed number of loop iterations beneficial

• many questions remain decidable

• limited analysis scope

Motivation

• reasoning about loops can be hard

• undecidability

• termination condition

• path explosion

• large number of iterations

41 • many questions remain decidable

• limited analysis scope

Motivation

• reasoning about loops can be hard

• undecidability

• termination condition

• path explosion

• large number of iterations

• analysis with a fixed number of loop iterations beneficial

41 • limited analysis scope

Motivation

• reasoning about loops can be hard

• undecidability

• termination condition

• path explosion

• large number of iterations

• analysis with a fixed number of loop iterations beneficial

• many questions remain decidable

41 Motivation

• reasoning about loops can be hard

• undecidability

• termination condition

• path explosion

• large number of iterations

• analysis with a fixed number of loop iterations beneficial

• many questions remain decidable

• limited analysis scope

41 • transform control flow graph into semantically a

1. remove back edge

2. duplicate nodes of loop body k times and preserve edge structure

• transformed graph is semantically equivalent for up to k loop iterations

Loop Unrolling

• set an upper iteration bound k

42 1. remove back edge

2. duplicate nodes of loop body k times and preserve edge structure

• transformed graph is semantically equivalent for up to k loop iterations

Loop Unrolling

• set an upper iteration bound k

• transform control flow graph into semantically a directed acyclic graph

42 • transformed graph is semantically equivalent for up to k loop iterations

Loop Unrolling

• set an upper iteration bound k

• transform control flow graph into semantically a directed acyclic graph

1. remove back edge

2. duplicate nodes of loop body k times and preserve edge structure

42 Loop Unrolling

• set an upper iteration bound k

• transform control flow graph into semantically a directed acyclic graph

1. remove back edge

2. duplicate nodes of loop body k times and preserve edge structure

• transformed graph is semantically equivalent for up to k loop iterations

42 unrolling depth 0 unrolling depth 1

Loop Unrolling

1

2

3

4

natural loop

43 unrolling depth 1

Loop Unrolling

1 1

2 2.0

3 3.0

4 4

natural loop unrolling depth 0

43 Loop Unrolling

1 1 1

2.0

2 2.0 3.0

2.1 3 3.0

3.1

4 4 4

natural loop unrolling depth 0 unrolling depth 1

43 Conclusion Control Flow Analysis

• basic blocks

• control flow graph construction

• dominance relations

• natural loop detection

• loop properties and transformations

45