Control Flow Analysis Tim Blazytko @mr_phrazer [email protected] https://synthesis.to Why? Motivation • high-level structure of a function • detect branches and loops • pattern matching to spot interesting code parts • foundation for automated program analysis 2 Basic Block • single entry: only first instruction can be target of a branch • single exit: only last instruction can branch to other basic blocks Basic Block • sequence of ordered instructions 4 • single exit: only last instruction can branch to other basic blocks Basic Block • sequence of ordered instructions • single entry: only first instruction can be target of a branch 4 Basic Block • sequence of ordered instructions • single entry: only first instruction can be target of a branch • single exit: only last instruction can branch to other basic blocks 4 Basic Block Identification Rules: Leader Instruction Identification 1. first instruction is a leader 2. target of a control flow transfer is a leader 3. instruction that immediately follows a control flow transfer is a leader 6 • many tools handle it differently due to readability reasons • most calls return to the next instruction Know how your tool handles it. Split on calls? • strict basic block definition: yes • calls interrupt the control flow 7 Know how your tool handles it. Split on calls? • strict basic block definition: yes • calls interrupt the control flow • many tools handle it differently due to readability reasons • most calls return to the next instruction 7 Split on calls? • strict basic block definition: yes • calls interrupt the control flow • many tools handle it differently due to readability reasons • most calls return to the next instruction Know how your tool handles it. 7 Basic Blocks ; leader: first instruction 0x170A0: cmpedi , 26h 0x170A3: jzshort 0x170C0 ; leader: follows a control flow transfer 0x170A5: jgshort 0x170B8 ; leader: follows a control flow transfer 0x170A7: xoreax , eax 0x170A9: cmpedi , 10h 0x170AC: jzshort 0x170C2 ; leader: follows a control flow transfer 0x170AE: cmpedi , 16h 0x170B1: setnzal 0x170B4: retn ; leader: target of control flow transfer 0x170B8: cmpedi , 5Fh 0x170BB: setnzal 0x170BE: retn ; leader: target of control flow transfer 0x170C0: xoreax , eax ; leader: target of control flow transfer 0x170C2: retn 8 Control Flow Graph loc_170a0 CMP EDI, 0x26 JZ loc_170c0 loc_170c0 loc_170a5 XOR EAX, EAX JG loc_170b8 loc_170b8 loc_170a7 CMP EDI, 0x5F XOR EAX, EAX SETNZ AL CMP EDI, 0x10 RET JZ loc_170c2 loc_170ae loc_170c2 CMP EDI, 0x16 RET SETNZ AL RET 9 Control Flow Graph Control Flow Graph • directed multigraph • nodes are basic blocks • edges represent control flow between basic blocks • represents all program paths that might be traversed 11 Exit A node that has no outgoing edges. Path A chain of transition between nodes. Control Flow Graph Entry A node that has no incoming edges. 12 Path A chain of transition between nodes. Control Flow Graph Entry A node that has no incoming edges. Exit A node that has no outgoing edges. 12 Control Flow Graph Entry A node that has no incoming edges. Exit A node that has no outgoing edges. Path A chain of transition between nodes. 12 • a is a entry node • f and g are exists • a ! c ! d ! f is a path between a and f Control Flow Graph a b c d e f g 13 Control Flow Graph a b c d e f g • a is a entry node • f and g are exists • a ! c ! d ! f is a path between a and f 13 Dominance Relations • analyze relations between basic blocks • provide guarantees that a basic block x is always executed before y • loop detection and analysis • foundation for many compiler optimizations and other analysis techniques Motivation • graph-theoretic concept 15 • provide guarantees that a basic block x is always executed before y • loop detection and analysis • foundation for many compiler optimizations and other analysis techniques Motivation • graph-theoretic concept • analyze relations between basic blocks 15 • loop detection and analysis • foundation for many compiler optimizations and other analysis techniques Motivation • graph-theoretic concept • analyze relations between basic blocks • provide guarantees that a basic block x is always executed before y 15 • foundation for many compiler optimizations and other analysis techniques Motivation • graph-theoretic concept • analyze relations between basic blocks • provide guarantees that a basic block x is always executed before y • loop detection and analysis 15 Motivation • graph-theoretic concept • analyze relations between basic blocks • provide guarantees that a basic block x is always executed before y • loop detection and analysis • foundation for many compiler optimizations and other analysis techniques 15 Dominator • x is a dominator of y:(x ≤ y) • y is dominated by x:(y ≥ x) • dom(y) is the set of all dominators of y (dominator set) • each node dominates itself: y 2 dom(y) • entry node dominates all nodes in the graph Dominator • a node x dominates a node y if every path from the entry node to y goes through x 17 • y is dominated by x:(y ≥ x) • dom(y) is the set of all dominators of y (dominator set) • each node dominates itself: y 2 dom(y) • entry node dominates all nodes in the graph Dominator • a node x dominates a node y if every path from the entry node to y goes through x • x is a dominator of y:(x ≤ y) 17 • dom(y) is the set of all dominators of y (dominator set) • each node dominates itself: y 2 dom(y) • entry node dominates all nodes in the graph Dominator • a node x dominates a node y if every path from the entry node to y goes through x • x is a dominator of y:(x ≤ y) • y is dominated by x:(y ≥ x) 17 • each node dominates itself: y 2 dom(y) • entry node dominates all nodes in the graph Dominator • a node x dominates a node y if every path from the entry node to y goes through x • x is a dominator of y:(x ≤ y) • y is dominated by x:(y ≥ x) • dom(y) is the set of all dominators of y (dominator set) 17 • entry node dominates all nodes in the graph Dominator • a node x dominates a node y if every path from the entry node to y goes through x • x is a dominator of y:(x ≤ y) • y is dominated by x:(y ≥ x) • dom(y) is the set of all dominators of y (dominator set) • each node dominates itself: y 2 dom(y) 17 Dominator • a node x dominates a node y if every path from the entry node to y goes through x • x is a dominator of y:(x ≤ y) • y is dominated by x:(y ≥ x) • dom(y) is the set of all dominators of y (dominator set) • each node dominates itself: y 2 dom(y) • entry node dominates all nodes in the graph 17 • dom(a) = fag • dom(b) = fa; bg • dom(c) = fa; cg • dom(d) = fa; dg • dom(e) = fa; c; eg • dom(f) = fa; fg • dom(g) = fa; c; e; gg Dominator Sets a b c d e f g 18 • dom(b) = fa; bg • dom(c) = fa; cg • dom(d) = fa; dg • dom(e) = fa; c; eg • dom(f) = fa; fg • dom(g) = fa; c; e; gg Dominator Sets a • dom(a) = fag b c d e f g 18 • dom(c) = fa; cg • dom(d) = fa; dg • dom(e) = fa; c; eg • dom(f) = fa; fg • dom(g) = fa; c; e; gg Dominator Sets a • dom(a) = fag b • dom(c b) = fa; bg d e f g 18 • dom(d) = fa; dg • dom(e) = fa; c; eg • dom(f) = fa; fg • dom(g) = fa; c; e; gg Dominator Sets a • dom(a) = fag b • dom(c b) = fa; bg • dom(c) = fa; cg d e f g 18 • dom(e) = fa; c; eg • dom(f) = fa; fg • dom(g) = fa; c; e; gg Dominator Sets a • dom(a) = fag b • dom(c b) = fa; bg • dom(c) = fa; cg d e • dom(d) = fa; dg f g 18 • dom(f) = fa; fg • dom(g) = fa; c; e; gg Dominator Sets a • dom(a) = fag b • dom(c b) = fa; bg • dom(c) = fa; cg d e • dom(d) = fa; dg • dom(e) = fa; c; eg f g 18 • dom(g) = fa; c; e; gg Dominator Sets a • dom(a) = fag b • dom(c b) = fa; bg • dom(c) = fa; cg d e • dom(d) = fa; dg • dom(e) = fa; c; eg f g • dom(f) = fa; fg 18 Dominator Sets a • dom(a) = fag b • dom(c b) = fa; bg • dom(c) = fa; cg d e • dom(d) = fa; dg • dom(e) = fa; c; eg f g • dom(f) = fa; fg • dom(g) = fa; c; e; gg 18 Immediate Dominator • x is an immediate dominator of y if 1. x < y 2. @c : x < c < y • x is the closest dominator to y with x =6 y • every node (except entry) has an immediate dominator Immediate Dominator • a node x strictly dominates a node y if x ≤ y and x =6 y: x < y 20 1. x < y 2. @c : x < c < y • x is the closest dominator to y with x =6 y • every node (except entry) has an immediate dominator Immediate Dominator • a node x strictly dominates a node y if x ≤ y and x =6 y: x < y • x is an immediate dominator of y if 20 2. @c : x < c < y • x is the closest dominator to y with x =6 y • every node (except entry) has an immediate dominator Immediate Dominator • a node x strictly dominates a node y if x ≤ y and x =6 y: x < y • x is an immediate dominator of y if 1.