Control Flow Analysis
Tim Blazytko @mr_phrazer [email protected] https://synthesis.to Why? Motivation
• high-level structure of a function
• detect branches and loops
• pattern matching to spot interesting code parts
• foundation for automated program analysis
2 Basic Block • single entry: only first instruction can be target of a branch
• single exit: only last instruction can branch to other basic blocks
Basic Block
• sequence of ordered instructions
4 • single exit: only last instruction can branch to other basic blocks
Basic Block
• sequence of ordered instructions
• single entry: only first instruction can be target of a branch
4 Basic Block
• sequence of ordered instructions
• single entry: only first instruction can be target of a branch
• single exit: only last instruction can branch to other basic blocks
4 Basic Block Identification Rules: Leader Instruction Identification
1. first instruction is a leader
2. target of a control flow transfer is a leader
3. instruction that immediately follows a control flow transfer is a leader
6 • many tools handle it differently due to readability reasons
• most calls return to the next instruction
Know how your tool handles it.
Split on calls?
• strict basic block definition: yes
• calls interrupt the control flow
7 Know how your tool handles it.
Split on calls?
• strict basic block definition: yes
• calls interrupt the control flow
• many tools handle it differently due to readability reasons
• most calls return to the next instruction
7 Split on calls?
• strict basic block definition: yes
• calls interrupt the control flow
• many tools handle it differently due to readability reasons
• most calls return to the next instruction
Know how your tool handles it.
7 Basic Blocks
; leader: first instruction 0x170A0: cmpedi , 26h 0x170A3: jzshort 0x170C0
; leader: follows a control flow transfer 0x170A5: jgshort 0x170B8
; leader: follows a control flow transfer 0x170A7: xoreax , eax 0x170A9: cmpedi , 10h 0x170AC: jzshort 0x170C2
; leader: follows a control flow transfer 0x170AE: cmpedi , 16h 0x170B1: setnzal 0x170B4: retn
; leader: target of control flow transfer 0x170B8: cmpedi , 5Fh 0x170BB: setnzal 0x170BE: retn
; leader: target of control flow transfer 0x170C0: xoreax , eax
; leader: target of control flow transfer 0x170C2: retn
8 Control Flow Graph
loc_170a0 CMP EDI, 0x26 JZ loc_170c0
loc_170c0 loc_170a5 XOR EAX, EAX JG loc_170b8
loc_170b8 loc_170a7 CMP EDI, 0x5F XOR EAX, EAX SETNZ AL CMP EDI, 0x10 RET JZ loc_170c2
loc_170ae loc_170c2 CMP EDI, 0x16 RET SETNZ AL RET
9 Control Flow Graph Control Flow Graph
• directed multigraph
• nodes are basic blocks
• edges represent control flow between basic blocks
• represents all program paths that might be traversed
11 Exit A node that has no outgoing edges.
Path A chain of transition between nodes.
Control Flow Graph
Entry A node that has no incoming edges.
12 Path A chain of transition between nodes.
Control Flow Graph
Entry A node that has no incoming edges.
Exit A node that has no outgoing edges.
12 Control Flow Graph
Entry A node that has no incoming edges.
Exit A node that has no outgoing edges.
Path A chain of transition between nodes.
12 • a is a entry node • f and g are exists • a → c → d → f is a path between a and f
Control Flow Graph
a
b c
d e
f g
13 Control Flow Graph
a
b c
d e
f g
• a is a entry node • f and g are exists • a → c → d → f is a path between a and f 13 Dominance Relations • analyze relations between basic blocks
• provide guarantees that a basic block x is always executed before y
• loop detection and analysis
• foundation for many compiler optimizations and other analysis techniques
Motivation
• graph-theoretic concept
15 • provide guarantees that a basic block x is always executed before y
• loop detection and analysis
• foundation for many compiler optimizations and other analysis techniques
Motivation
• graph-theoretic concept
• analyze relations between basic blocks
15 • loop detection and analysis
• foundation for many compiler optimizations and other analysis techniques
Motivation
• graph-theoretic concept
• analyze relations between basic blocks
• provide guarantees that a basic block x is always executed before y
15 • foundation for many compiler optimizations and other analysis techniques
Motivation
• graph-theoretic concept
• analyze relations between basic blocks
• provide guarantees that a basic block x is always executed before y
• loop detection and analysis
15 Motivation
• graph-theoretic concept
• analyze relations between basic blocks
• provide guarantees that a basic block x is always executed before y
• loop detection and analysis
• foundation for many compiler optimizations and other analysis techniques
15 Dominator • x is a dominator of y:(x ≤ y)
• y is dominated by x:(y ≥ x)
• dom(y) is the set of all dominators of y (dominator set)
• each node dominates itself: y ∈ dom(y)
• entry node dominates all nodes in the graph
Dominator
• a node x dominates a node y if every path from the entry node to y goes through x
17 • y is dominated by x:(y ≥ x)
• dom(y) is the set of all dominators of y (dominator set)
• each node dominates itself: y ∈ dom(y)
• entry node dominates all nodes in the graph
Dominator
• a node x dominates a node y if every path from the entry node to y goes through x
• x is a dominator of y:(x ≤ y)
17 • dom(y) is the set of all dominators of y (dominator set)
• each node dominates itself: y ∈ dom(y)
• entry node dominates all nodes in the graph
Dominator
• a node x dominates a node y if every path from the entry node to y goes through x
• x is a dominator of y:(x ≤ y)
• y is dominated by x:(y ≥ x)
17 • each node dominates itself: y ∈ dom(y)
• entry node dominates all nodes in the graph
Dominator
• a node x dominates a node y if every path from the entry node to y goes through x
• x is a dominator of y:(x ≤ y)
• y is dominated by x:(y ≥ x)
• dom(y) is the set of all dominators of y (dominator set)
17 • entry node dominates all nodes in the graph
Dominator
• a node x dominates a node y if every path from the entry node to y goes through x
• x is a dominator of y:(x ≤ y)
• y is dominated by x:(y ≥ x)
• dom(y) is the set of all dominators of y (dominator set)
• each node dominates itself: y ∈ dom(y)
17 Dominator
• a node x dominates a node y if every path from the entry node to y goes through x
• x is a dominator of y:(x ≤ y)
• y is dominated by x:(y ≥ x)
• dom(y) is the set of all dominators of y (dominator set)
• each node dominates itself: y ∈ dom(y)
• entry node dominates all nodes in the graph
17 • dom(a) = {a} • dom(b) = {a, b} • dom(c) = {a, c} • dom(d) = {a, d} • dom(e) = {a, c, e} • dom(f) = {a, f} • dom(g) = {a, c, e, g}
Dominator Sets
a
b c
d e
f g
18 • dom(b) = {a, b} • dom(c) = {a, c} • dom(d) = {a, d} • dom(e) = {a, c, e} • dom(f) = {a, f} • dom(g) = {a, c, e, g}
Dominator Sets
{ } a • dom(a) = a
b c
d e
f g
18 • dom(c) = {a, c} • dom(d) = {a, d} • dom(e) = {a, c, e} • dom(f) = {a, f} • dom(g) = {a, c, e, g}
Dominator Sets
{ } a • dom(a) = a • dom(b) = {a, b}
b c
d e
f g
18 • dom(d) = {a, d} • dom(e) = {a, c, e} • dom(f) = {a, f} • dom(g) = {a, c, e, g}
Dominator Sets
{ } a • dom(a) = a • dom(b) = {a, b}
b c • dom(c) = {a, c}
d e
f g
18 • dom(e) = {a, c, e} • dom(f) = {a, f} • dom(g) = {a, c, e, g}
Dominator Sets
{ } a • dom(a) = a • dom(b) = {a, b}
b c • dom(c) = {a, c} • dom(d) = {a, d}
d e
f g
18 • dom(f) = {a, f} • dom(g) = {a, c, e, g}
Dominator Sets
{ } a • dom(a) = a • dom(b) = {a, b}
b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e}
f g
18 • dom(g) = {a, c, e, g}
Dominator Sets
{ } a • dom(a) = a • dom(b) = {a, b}
b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g
18 Dominator Sets
{ } a • dom(a) = a • dom(b) = {a, b}
b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g • dom(g) = {a, c, e, g}
18 Immediate Dominator • x is an immediate dominator of y if
1. x < y
2. ∄c : x < c < y
• x is the closest dominator to y with x ≠ y
• every node (except entry) has an immediate dominator
Immediate Dominator
• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y
20 1. x < y
2. ∄c : x < c < y
• x is the closest dominator to y with x ≠ y
• every node (except entry) has an immediate dominator
Immediate Dominator
• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y
• x is an immediate dominator of y if
20 2. ∄c : x < c < y
• x is the closest dominator to y with x ≠ y
• every node (except entry) has an immediate dominator
Immediate Dominator
• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y
• x is an immediate dominator of y if
1. x < y
20 • x is the closest dominator to y with x ≠ y
• every node (except entry) has an immediate dominator
Immediate Dominator
• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y
• x is an immediate dominator of y if
1. x < y
2. ∄c : x < c < y
20 • every node (except entry) has an immediate dominator
Immediate Dominator
• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y
• x is an immediate dominator of y if
1. x < y
2. ∄c : x < c < y
• x is the closest dominator to y with x ≠ y
20 Immediate Dominator
• a node x strictly dominates a node y if x ≤ y and x ≠ y: x < y
• x is an immediate dominator of y if
1. x < y
2. ∄c : x < c < y
• x is the closest dominator to y with x ≠ y
• every node (except entry) has an immediate dominator
20 Immediate Dominators
{ } a • dom(a) = a • dom(b) = {a, b}
b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g • dom(g) = {a, c, e, g}
21 Immediate Dominators
{ } a • dom(a) = a • dom(b) = {a, b}
b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g • dom(g) = {a, c, e, g}
21 Immediate Dominators
{ } a • dom(a) = a • dom(b) = {a, b}
b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g • dom(g) = {a, c, e, g}
21 Immediate Dominators
{ } a • dom(a) = a • dom(b) = {a, b}
b c • dom(c) = {a, c} • dom(d) = {a, d} d e • dom(e) = {a, c, e} • dom(f) = {a, f} f g • dom(g) = {a, c, e, g}
21 Dominator Tree • build from immediate dominators
• x is an immediate dominator of y ⇔ (x, y) is an edge in the tree
• start node: graph entry
• each node dominates its descendants in the tree
Dominator Tree
• compact representation of dominance relations
23 • x is an immediate dominator of y ⇔ (x, y) is an edge in the tree
• start node: graph entry
• each node dominates its descendants in the tree
Dominator Tree
• compact representation of dominance relations
• build from immediate dominators
23 • start node: graph entry
• each node dominates its descendants in the tree
Dominator Tree
• compact representation of dominance relations
• build from immediate dominators
• x is an immediate dominator of y ⇔ (x, y) is an edge in the tree
23 • each node dominates its descendants in the tree
Dominator Tree
• compact representation of dominance relations
• build from immediate dominators
• x is an immediate dominator of y ⇔ (x, y) is an edge in the tree
• start node: graph entry
23 Dominator Tree
• compact representation of dominance relations
• build from immediate dominators
• x is an immediate dominator of y ⇔ (x, y) is an edge in the tree
• start node: graph entry
• each node dominates its descendants in the tree
23 ⇒ root ⇒ (a, b) ⇒ (a, c) ⇒ (a, d) ⇒ (c, e) ⇒ (a, f) ⇒ (e, g)
Dominator Tree
dom(a) = {a} dom(b) = {a, b} dom(c) = {a, c} dom(d) = {a, d} dom(e) = {a, c, e} dom(f) = {a, f} dom(g) = {a, c, e, g}
24 Dominator Tree
dom(a) = {a} ⇒ root dom(b) = {a, b} ⇒ (a, b) dom(c) = {a, c} ⇒ (a, c) dom(d) = {a, d} ⇒ (a, d) dom(e) = {a, c, e} ⇒ (c, e) dom(f) = {a, f} ⇒ (a, f) dom(g) = {a, c, e, g} ⇒ (e, g)
24 Dominator Tree
a dom(a) = {a} ⇒ root dom(b) = {a, b} ⇒ (a, b) b c d f dom(c) = {a, c} ⇒ (a, c) dom(d) = {a, d} ⇒ (a, d) dom(e) = {a, c, e} ⇒ (c, e) e dom(f) = {a, f} ⇒ (a, f) dom(g) = {a, c, e, g} ⇒ (e, g) g
24 Loops • easy to spot in control flow graphs
• graph-theoretical properties that facilitate many kinds of analysis
• automated loop analysis fundamental for many reverse engineering tasks
What are loops and how can we find them?
Motivation
• common construct on function level
26 • graph-theoretical properties that facilitate many kinds of analysis
• automated loop analysis fundamental for many reverse engineering tasks
What are loops and how can we find them?
Motivation
• common construct on function level
• easy to spot in control flow graphs
26 • automated loop analysis fundamental for many reverse engineering tasks
What are loops and how can we find them?
Motivation
• common construct on function level
• easy to spot in control flow graphs
• graph-theoretical properties that facilitate many kinds of analysis
26 What are loops and how can we find them?
Motivation
• common construct on function level
• easy to spot in control flow graphs
• graph-theoretical properties that facilitate many kinds of analysis
• automated loop analysis fundamental for many reverse engineering tasks
26 Motivation
• common construct on function level
• easy to spot in control flow graphs
• graph-theoretical properties that facilitate many kinds of analysis
• automated loop analysis fundamental for many reverse engineering tasks
What are loops and how can we find them?
26 • natural loops
• compiler generated • strong mathematical properties
• irreducible loops
• complicate to analyze • rarely seen (hand-written assembly, code obfuscation)
We focus only on natural loops.
Loops
Strongly Connected Component A subgraph in which each node is reachable from every other node.
27 • irreducible loops
• complicate to analyze • rarely seen (hand-written assembly, code obfuscation)
We focus only on natural loops.
Loops
Strongly Connected Component A subgraph in which each node is reachable from every other node.
• natural loops
• compiler generated • strong mathematical properties
27 We focus only on natural loops.
Loops
Strongly Connected Component A subgraph in which each node is reachable from every other node.
• natural loops
• compiler generated • strong mathematical properties
• irreducible loops
• complicate to analyze • rarely seen (hand-written assembly, code obfuscation)
27 Loops
Strongly Connected Component A subgraph in which each node is reachable from every other node.
• natural loops
• compiler generated • strong mathematical properties
• irreducible loops
• complicate to analyze • rarely seen (hand-written assembly, code obfuscation)
We focus only on natural loops.
27 Natural and Irreducible Loop
1 1
2 2
3 3
4 4
natural loop irreducible loop
28 Natural Loop • generated by compilers
• loop header: single entry point that dominates a loop
• back edge: edge to a dominator
• loop body: set of nodes within a loop
Natural Loop
• strong mathematical properties
30 • loop header: single entry point that dominates a loop
• back edge: edge to a dominator
• loop body: set of nodes within a loop
Natural Loop
• strong mathematical properties
• generated by compilers
30 • back edge: edge to a dominator
• loop body: set of nodes within a loop
Natural Loop
• strong mathematical properties
• generated by compilers
• loop header: single entry point that dominates a loop
30 • loop body: set of nodes within a loop
Natural Loop
• strong mathematical properties
• generated by compilers
• loop header: single entry point that dominates a loop
• back edge: edge to a dominator
30 Natural Loop
• strong mathematical properties
• generated by compilers
• loop header: single entry point that dominates a loop
• back edge: edge to a dominator
• loop body: set of nodes within a loop
30 • 2 is loop header that dominates loop • {2, 3} is loop body • (3, 2) is back edge to the dominator
Natural Loop
1
2
3
4
31 • {2, 3} is loop body • (3, 2) is back edge to the dominator
Natural Loop
1
2
3
4
• 2 is loop header that dominates loop
31 • (3, 2) is back edge to the dominator
Natural Loop
1
2
3
4
• 2 is loop header that dominates loop • {2, 3} is loop body
31 Natural Loop
1
2
3
4
• 2 is loop header that dominates loop • {2, 3} is loop body • (3, 2) is back edge to the dominator
31 Natural Loop Detection • identify the loop body
1. collect all nodes that are dominated by x
2. filter nodes that can reach y without visiting x
Natural Loop Detection
• find a back edge
1. x dominates y
2. there is an edge (y, x)
33 Natural Loop Detection
• find a back edge
1. x dominates y
2. there is an edge (y, x)
• identify the loop body
1. collect all nodes that are dominated by x
2. filter nodes that can reach y without visiting x
33 edge body
(4, 3): {3, 4, 5, 6}
(6, 4): {4, 5, 6}
(6, 3): {3, 4, 5, 6}
Natural Loop Detection
1
2
3
4
5
7 6
34 (4, 3): {3, 4, 5, 6}
(6, 4): {4, 5, 6}
(6, 3): {3, 4, 5, 6}
Natural Loop Detection
1
2 edge body
3
4
5
7 6
34 {3, 4, 5, 6}
(6, 4): {4, 5, 6}
(6, 3): {3, 4, 5, 6}
Natural Loop Detection
1
2 edge body
3 (4, 3):
4
5
7 6
34 (6, 4): {4, 5, 6}
(6, 3): {3, 4, 5, 6}
Natural Loop Detection
1
2 edge body
3 (4, 3): {3, 4, 5, 6}
4
5
7 6
34 {4, 5, 6}
(6, 3): {3, 4, 5, 6}
Natural Loop Detection
1
2 edge body
3 (4, 3): {3, 4, 5, 6}
4 (6, 4):
5
7 6
34 (6, 3): {3, 4, 5, 6}
Natural Loop Detection
1
2 edge body
3 (4, 3): {3, 4, 5, 6}
4 (6, 4): {4, 5, 6}
5
7 6
34 {3, 4, 5, 6}
Natural Loop Detection
1
2 edge body
3 (4, 3): {3, 4, 5, 6}
4 (6, 4): {4, 5, 6}
(6, 3): 5
7 6
34 Natural Loop Detection
1
2 edge body
3 (4, 3): {3, 4, 5, 6}
4 (6, 4): {4, 5, 6}
(6, 3): {3, 4, 5, 6} 5
7 6
34 Nested Loops • they have the same header • hard to tell how they relate to each other
• if they have different headers • their intersection is empty
• one function body is entirely contained within the other
Nesting Relations
Loops can be
• merged
• disjoint
• nested
36 • hard to tell how they relate to each other
• if they have different headers • their intersection is empty
• one function body is entirely contained within the other
Nesting Relations
Loops can be
• merged
• they have the same header
• disjoint
• nested
36 • if they have different headers • their intersection is empty
• one function body is entirely contained within the other
Nesting Relations
Loops can be
• merged
• they have the same header • hard to tell how they relate to each other
• disjoint
• nested
36 • their intersection is empty
• one function body is entirely contained within the other
Nesting Relations
Loops can be
• merged
• they have the same header • hard to tell how they relate to each other
• disjoint
• if they have different headers
• nested
36 • one function body is entirely contained within the other
Nesting Relations
Loops can be
• merged
• they have the same header • hard to tell how they relate to each other
• disjoint
• if they have different headers • their intersection is empty
• nested
36 Nesting Relations
Loops can be
• merged
• they have the same header • hard to tell how they relate to each other
• disjoint
• if they have different headers • their intersection is empty
• nested
• one function body is entirely contained within the other
36 l1: {2, 3}
l2: {2, 4}
l1 ∩ l2 = {2}
Merged Loops
1
2
3 4
5
37 l1 ∩ l2 = {2}
Merged Loops
1 l1: {2, 3}
2 l2: {2, 4}
3 4
5
37 Merged Loops
1 l1: {2, 3}
2 l2: {2, 4}
3 4 l1 ∩ l2 = {2}
5
37 l1: {2, 5}
l2: {3, 4}
l1 ∩ l2 = ∅
Disjoint Loops
1
2 3
5 4
6
38 l1 ∩ l2 = ∅
Disjoint Loops
1 l1: {2, 5}
2 3 l2: {3, 4}
5 4
6
38 Disjoint Loops
1 l1: {2, 5}
2 3 l2: {3, 4}
5 4 l1 ∩ l2 = ∅
6
38 l1: {4, 5} innermost loop
l2: {3, 4, 5, 6} inner/outer loop of l3/l1
l3: {2, 3, 4, 5, 6, 7} outermost loop
l1 ⊂ l2 ⊂ l3
Nested Loops
1
2
3
4
5
6
7
8
39 innermost loop
l2: {3, 4, 5, 6} inner/outer loop of l3/l1
l3: {2, 3, 4, 5, 6, 7} outermost loop
l1 ⊂ l2 ⊂ l3
Nested Loops
1
2
l1: {4, 5} 3
4
5
6
7
8
39 innermost loop
inner/outer loop of l3/l1
l3: {2, 3, 4, 5, 6, 7} outermost loop
l1 ⊂ l2 ⊂ l3
Nested Loops
1
2
l1: {4, 5} 3
l2: {3, 4, 5, 6} 4
5
6
7
8
39 innermost loop
inner/outer loop of l3/l1
outermost loop
l1 ⊂ l2 ⊂ l3
Nested Loops
1
2
l1: {4, 5} 3
l2: {3, 4, 5, 6} 4
l : {2, 3, 4, 5, 6, 7} 5 3
6
7
8
39 inner/outer loop of l3/l1
outermost loop
l1 ⊂ l2 ⊂ l3
Nested Loops
1
2
l1: {4, 5} innermost loop 3
l2: {3, 4, 5, 6} 4
l : {2, 3, 4, 5, 6, 7} 5 3
6
7
8
39 outermost loop
l1 ⊂ l2 ⊂ l3
Nested Loops
1
2
l1: {4, 5} innermost loop 3
l2: {3, 4, 5, 6} inner/outer loop of l3/l1 4
l : {2, 3, 4, 5, 6, 7} 5 3
6
7
8
39 l1 ⊂ l2 ⊂ l3
Nested Loops
1
2
l1: {4, 5} innermost loop 3
l2: {3, 4, 5, 6} inner/outer loop of l3/l1 4
l : {2, 3, 4, 5, 6, 7} outermost loop 5 3
6
7
8
39 Nested Loops
1
2
l1: {4, 5} innermost loop 3
l2: {3, 4, 5, 6} inner/outer loop of l3/l1 4
l : {2, 3, 4, 5, 6, 7} outermost loop 5 3
⊂ ⊂ 6 l1 l2 l3
7
8
39 Loop Unrolling • undecidability
• termination condition
• path explosion
• large number of iterations
• analysis with a fixed number of loop iterations beneficial
• many questions remain decidable
• limited analysis scope
Motivation
• reasoning about loops can be hard
41 • termination condition
• path explosion
• large number of iterations
• analysis with a fixed number of loop iterations beneficial
• many questions remain decidable
• limited analysis scope
Motivation
• reasoning about loops can be hard
• undecidability
41 • path explosion
• large number of iterations
• analysis with a fixed number of loop iterations beneficial
• many questions remain decidable
• limited analysis scope
Motivation
• reasoning about loops can be hard
• undecidability
• termination condition
41 • large number of iterations
• analysis with a fixed number of loop iterations beneficial
• many questions remain decidable
• limited analysis scope
Motivation
• reasoning about loops can be hard
• undecidability
• termination condition
• path explosion
41 • analysis with a fixed number of loop iterations beneficial
• many questions remain decidable
• limited analysis scope
Motivation
• reasoning about loops can be hard
• undecidability
• termination condition
• path explosion
• large number of iterations
41 • many questions remain decidable
• limited analysis scope
Motivation
• reasoning about loops can be hard
• undecidability
• termination condition
• path explosion
• large number of iterations
• analysis with a fixed number of loop iterations beneficial
41 • limited analysis scope
Motivation
• reasoning about loops can be hard
• undecidability
• termination condition
• path explosion
• large number of iterations
• analysis with a fixed number of loop iterations beneficial
• many questions remain decidable
41 Motivation
• reasoning about loops can be hard
• undecidability
• termination condition
• path explosion
• large number of iterations
• analysis with a fixed number of loop iterations beneficial
• many questions remain decidable
• limited analysis scope
41 • transform control flow graph into semantically a directed acyclic graph
1. remove back edge
2. duplicate nodes of loop body k times and preserve edge structure
• transformed graph is semantically equivalent for up to k loop iterations
Loop Unrolling
• set an upper iteration bound k
42 1. remove back edge
2. duplicate nodes of loop body k times and preserve edge structure
• transformed graph is semantically equivalent for up to k loop iterations
Loop Unrolling
• set an upper iteration bound k
• transform control flow graph into semantically a directed acyclic graph
42 • transformed graph is semantically equivalent for up to k loop iterations
Loop Unrolling
• set an upper iteration bound k
• transform control flow graph into semantically a directed acyclic graph
1. remove back edge
2. duplicate nodes of loop body k times and preserve edge structure
42 Loop Unrolling
• set an upper iteration bound k
• transform control flow graph into semantically a directed acyclic graph
1. remove back edge
2. duplicate nodes of loop body k times and preserve edge structure
• transformed graph is semantically equivalent for up to k loop iterations
42 unrolling depth 0 unrolling depth 1
Loop Unrolling
1
2
3
4
natural loop
43 unrolling depth 1
Loop Unrolling
1 1
2 2.0
3 3.0
4 4
natural loop unrolling depth 0
43 Loop Unrolling
1 1 1
2.0
2 2.0 3.0
2.1 3 3.0
3.1
4 4 4
natural loop unrolling depth 0 unrolling depth 1
43 Conclusion Control Flow Analysis
• basic blocks
• control flow graph construction
• dominance relations
• natural loop detection
• loop properties and transformations
45