phd-defense/slides/50_staticdeps/main.tex

\section{\staticdeps: static extraction of memory-carried dependencies}

\begin{frame}
    \todo{}
    \begin{itemize}
    \item Dependency through registers: easy
    \item Loop-carried: still fine
    \item Through memory: indirections, arithmetics, …
    \item Loop-carried: ROB is finite and small-ish
    \item Requires comparison of arbitrary formal expressions
    \item Use randomness as a kind of hash table instead
    \end{itemize}
\end{frame}

\begin{frame}{The \staticdeps{} algorithm}
    \begin{itemize}
        \item \alert{Unroll} kernel until $\card{\kerK} \geq \card{\text{ROB}} +
            \card{\kerK_0}$
        \item \alert{Simulate} execution
        \item Unknown value (reg./mem.)? \alert{Sample} uniformly in $0\ldots2^{64}-1$
            (\alert{``fresh''})
        \item \alert{Compute arithmetics} normally (overflow is fine)
        \item Float or unknown operands $\leadsto \alert{\bot}$
        \item Upon write, remember from which instruction
        \item Upon read, if writer known, \alert{generate dependency}
    \end{itemize}
\end{frame}

\begin{frame}[fragile]{An example: memoized Fibonacci sequence}
    \begin{minipage}[c]{0.46\textwidth}
\begin{lstlisting}[language=C]
int fibo(int* F, int n) {
    for(int i=2; i <= n; ++i) {
        F[i] = F[i-1] + F[i-2];
    }
    return F[n];
}
\end{lstlisting}
\end{minipage}\hfill\begin{minipage}[c]{0.06\textwidth}
\contour{black}{$\longrightarrow$}
\end{minipage}\hfill\begin{minipage}[c]{0.40\textwidth}
\begin{lstlisting}[language={[x86masm]Assembler}, numbers=none]
0:   mov    (%rax),%edx
1:   add    0x4(%rax),%edx
2:   mov    %edx,0x8(%rax)
3:   add    $0x4,%rax
4:   cmp    %rcx,%rax
5:   jne    0
\end{lstlisting}
    \end{minipage}
\end{frame}

\begin{frame}[fragile]
        \vspace{1cm}
    \newcommand{\unk}{{\color{gray}?}}
    \newcommand{\h}{\cellcolor[HTML]{D0ECFF}}
    \newcommand{\w}{\cellcolor[HTML]{d6bf86}}
    \newcommand{\dep}[1]{{\color{red}$\veryshortarrow$\,#1}}
\begin{columns}
\column{\dimexpr\paperwidth-8pt}
    \centering
    \hfill\begin{minipage}{0.29\textwidth}
        {\footnotesize
        \begin{tabular}{c c c}
            Mem. read\h & & Mem. write\w \\
        \end{tabular}
    }
    \vspace{1em}
        \vfill
    \begin{lstlisting}[language={[x86masm]Assembler}, numbers=none]
0: mov   (%rax),%edx
1: add   0x4(%rax),%edx
2: mov   %edx,0x8(%rax)
3: add   $0x4,%rax
4: cmp   %rcx,%rax
5: jne   0
\end{lstlisting}
    \end{minipage}\hfill
    \begin{minipage}{0.69\textwidth}
    \centering
        \footnotesize
    \begin{tabular}{c c c c c c c c c l}
        \toprule
        \textbf{Before} & \multicolumn{2}{c}{\textbf{Registers}} &&
            \multicolumn{5}{c}{\textbf{Memory}} & \textbf{Dep}\\
        \textbf{instr} & \reg{rax} & \reg{edx}
           && \texttt{100} & \texttt{104} & \texttt{108} & \texttt{112} & \texttt{116} & \\
        \midrule
        0,0 & \unk& \unk&& \unk & \unk & \unk & \unk & \unk & \\
        \pause{}
        0,1 & 100 & 200 && 200\h& \unk & \unk & \unk & \unk & \\
        \pause{}
        0,2 & 100 & 376 && 200  & 176\h& \unk & \unk & \unk & \\
        \pause{}
        0,3 & 100 & 376 && 200  & 176  & 376\w& \unk & \unk & \\
        \pause{}
        0,4 & \alert{104} & 376 && 200  & 176  & 376  & \unk & \unk & \\
        0,5 & 100 & 376 && 200  & 176  & 376  & \unk & \unk & \\
        \midrule
        \pause{}
        1,1 & 104 & \alert{176} && 200  & 176\h& 376  & \unk & \unk & \\
        \pause{}
        1,2 & 104 & \alert{552} && 200  & 176  & 376\h& \unk & \unk & \dep{-1,3}\\
        \pause{}
        1,3 & 104 & 552 && 200  & 176  & 376  & 552\w& \unk & \\
        \midrule
        \pause{}
        2,1 & 108 & \alert{376} && 200  & 176  & 376\h& 552  & \unk & \dep{-2,2}\\
        \pause{}
        2,2 & 108 & \alert{928} && 200  & 176  & 376  & 552\h& \unk & \dep{-1,3}\\
        \pause{}
        2,3 & 108 & 928 && 200  & 176  & 376  & 552  & 928\w &\\
        \bottomrule{}
    \end{tabular}
    \end{minipage}\hfill
\end{columns}
    \let\unk\unefined
    \let\h\unefined
    \let\w\unefined
    \let\dep\unefined

\end{frame}

\begin{frame}{Practical implementation}
    \begin{itemize}
        \item Python code
        \item Reads asm / elf / symbol in elf
        \item Disassembly: \texttt{capstone}
        \item Semantics: \texttt{VEX} (aka Valgrind)
    \end{itemize}

    \begin{center}
        $\leadsto$ fast-ish; supports many architectures
    \end{center}
\end{frame}

\begin{frame}{Limitations}
    \begin{itemize}
        \item Randomness may generate false positives
            \begin{itemize}
                \item Very unlikely: $2^{64}$ vs. $\sim~10^{4}$
                \item If needed, amplify (run twice)
            \end{itemize}
        \item No false negatives caused by randomness, however

        \bigskip
        \item Unaware of context: \emph{assumes no pointers alias}
            \begin{itemize}
                \item Intrinsic limitation of block-based code analyzers
                \item Future works: abstract interpretation?
            \end{itemize}
    \end{itemize}
\end{frame}

\begin{frame}{Evaluation: coverage}
    \begin{itemize}
        \item Baseline: instrumentation (extract deps at runtime)
        \item On all \cesasme{} benchmarks
    \end{itemize}
    \begin{minipage}{0.4\textwidth}
        \[
            \cov_u =
            \frac{\card{\text{found}}}{\card{\text{found}}+\card{\text{missed}}}
        \]
    \end{minipage}\hfill
    \begin{minipage}{0.4\textwidth}
        \[
            \cov_w =
            \frac{\sum_{d\in\text{found}}\rho_d}
            {\sum_{d\in\text{found}~\cup~\text{missed}}\rho_d}
        \]
    \end{minipage}

    \vfill

    \begin{center}
        \begin{tabular}{r r}
            \toprule
            $\cov_u$ (\%) & $\cov_w$ (\%) \\
            \midrule
            \alert{94.4} & \alert{98.3} \\
            \bottomrule
        \end{tabular}
    \end{center}
\end{frame}