Print indd

Download 18,42 Mb.

Pdf ko'rish

bet	99/366
Sana	31.12.2021
Hajmi	18,42 Mb.
	#276933

1 ... 95 96 97 98 99 100 101 102 ... 366

Bog'liq
(Lecture Notes in Computer Science 10793) Mladen Berekovic, Rainer Buchty, Heiko Hamann, Dirk Koch, Thilo Pionteck - Architecture of Computing Systems – ARCS

3.1
Analyzing the Program
Since the key concept of the approach requires to know the addresses of the
loops within the binary, the ﬁrst action is to investigate the instruction stream
and to create a CFG consisting of basic blocks. A basic block is deﬁned by
Cooper as a maximal length sequence of instructions with only one entry at the
beginning and one exit at the end [
4
]. It allows a more abstract view on the
control ﬂow and is used in compilers to analyze the program. There are two
possibilities to create a CFG. The ﬁrst one is to perform a static analysis of
the binary ﬁle. Reverse engineering tools often provide this functionality and
oﬀer a library to use within other software. For the means of this paper, this
would suﬃce. However, the implementation created here uses another method
to build a CFG that also delivers information about the actual control ﬂow
during the execution. It takes the instruction trace of a fast functional simulation
for this purpose. Thereby, the loops and basic blocks can be annotated by the
amount of times they were executed. Additionally, dead code is not taken into
account. With this knowledge, future enhancements of this methodology might
for example use diﬀerent amounts of accurate iterations for each loop depending
on the information gathered from the ﬁrst run. As of now, a plain CFG extracted
from the program under test is enough.
As depicted in Fig.
1
, the next step is to ﬁnd the loops within the CFG. For
this, the dominance relationship between the basic blocks inside a function is
required. If a node
A in a graph dominates another node B, it means that all
paths that reach
B starting from the function entry block also must contain A.
This relationship can be extracted by a simple textbook algorithm that is fast

A Hybrid Approach for Runtime Analysis
89
enough in most occasions [
5
]. A loop consists of basic blocks in between a loop
entry block dominating all instructions in the loop body and the backward edge
returning to the loop entry. Irreducible loops without an unambiguous head are
not taken into account within this work. Since functions called within loops are
diﬃcult to handle, a simpliﬁcation is introduced. A set called “considered blocks”
is created that contains all basic blocks of the loop body. Additionally, all called
functions are visited and their basic blocks including the basic blocks of other
functions called within them are inserted recursively. The set is used to ﬁnd
out if a certain loop is already left or still executed but currently calls another
function. While this approach is simple to determine the basic control ﬂow of a
program, sophisticated cases containing complex call hierarchies within a loop
are not satisfactorily handled. Furthermore, the start and end addresses of all
basic blocks are saved to allow the identiﬁcation of the currently executed block
by using the current program counter of the simulated architecture. Additional
information that can be annotated to the nodes of the CFG is the amount of
executions of a basic block in case an instruction stream was analyzed.
Another simpliﬁcation that is implemented into the presented system is that
only the outer loops are taken into account. This is sensible since all iterations
of the inner loops are run during one iteration of an outer loop. However, this
is not true for inner loops with diﬀerent runtimes during each iteration of the
outer loop. Thus, future improvements of this methodology might need to also
take inner loops into account.

Download 18,42 Mb.

Do'stlaringiz bilan baham:

1 ... 95 96 97 98 99 100 101 102 ... 366