
In this thesis, we propose a mechanism to analyze Thumb-2 binaries and locate all types of embedded data in the executables. This work effectively addresses the code-discovery problem for statically translating GCC-generated Thumb-2 executables. We also discuss how to extend this work to more general cases as possible future work in Section 3.4.

Our implementation is based on the static translator part of Mc2llvm, which is a retargetable hybrid binary translator. We locate PC-relative data by identifying LDR-prefixed instructions, and we locate switch tables by using a finite state machine that matches the code patterns GCC generates for switch tables. Furthermore, we reduce the size of the address mapping table by narrowing down the possible addresses that can be function entries. The reduced address mapping table in turn yields much better performance for the translated code. In addition, we have introduced a framework for partitioning the translated LLVM functions into smaller slices in order to significantly reduce compile time. Since an LLVM IR file cannot be executed directly, our system finally generates an x86 executable for performance comparison.
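The PC-relative data step described above can be sketched as follows. This is an added example, not code from the thesis or from Mc2llvm: it handles only the two Thumb `LDR (literal)` encodings (T1 and T2), assumes each load precedes its literal pool so a single forward pass suffices, and runs over a constructed byte string.

```python
import struct

def is_32bit(hw):
    # A first halfword with bits[15:11] of 0b11101, 0b11110 or 0b11111
    # starts a 32-bit Thumb-2 instruction.
    return (hw >> 11) in (0b11101, 0b11110, 0b11111)

def literal_target(addr, hw, hw2):
    """Return the address read by LDR (literal), or None for other instructions."""
    pc = (addr + 4) & ~3                 # Align(PC, 4); PC reads as addr + 4
    if (hw >> 11) == 0b01001:            # T1: 01001 Rt imm8
        return pc + (hw & 0xFF) * 4
    if (hw & 0xFF7F) == 0xF85F:          # T2: 11111000 U101 1111 | Rt imm12
        off = hw2 & 0xFFF
        return pc + off if hw & 0x80 else pc - off
    return None

def sweep(code, base):
    """Linear sweep that marks literal words as data and never decodes them."""
    data, insns = set(), []
    addr, end = base, base + len(code)
    while addr + 2 <= end:
        if addr in data:                 # embedded data: skip, do not decode
            addr += 2
            continue
        hw, = struct.unpack_from("<H", code, addr - base)
        wide = is_32bit(hw) and addr + 4 <= end
        hw2 = struct.unpack_from("<H", code, addr - base + 2)[0] if wide else 0
        tgt = literal_target(addr, hw, hw2)
        if tgt is not None and base <= tgt <= end - 4:
            data.update(range(tgt, tgt + 4))
        insns.append(addr)
        addr += 4 if wide else 2
    return insns, sorted(a for a in data if a % 4 == 0)

# Constructed sample loaded at 0x8000 (not taken from any real binary):
#   ldr r0,[pc,#8]; ldr.w r1,[pc,#12]; adds r0,r0,r1; bx lr; nop; two .word
SAMPLE = struct.pack("<6HII", 0x4802, 0xF8DF, 0x100C, 0x1840, 0x4770, 0xBF00,
                     0xDEADBEEF, 0x12345678)
INSNS, DATA = sweep(SAMPLE, 0x8000)

if __name__ == "__main__":
    print([hex(a) for a in INSNS], [hex(a) for a in DATA])
```

Without the data marking, the same sweep would decode the two literal words as four 16-bit instructions, which is the code-discovery error the thesis sets out to avoid.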

According to our experiments, the code-discovery problem for GCC-generated Thumb-2 binaries has been effectively addressed. With our static Thumb-2 binary translator, running the SPEC2006 CINT benchmark (compiled by GCC to Thumb-2 code) with the reference input data, execution is about 5.6 times faster than with QEMU (a popular system virtual machine based on dynamic binary translation). The execution time is about 2.1 times slower, with 2.5 times code expansion, when compared with the x86 native binaries of SPEC2006 CINT compiled by GCC. When compared with the results for unstripped Thumb-2 executables, whose function entries can be easily identified from debug symbols, the slowdown from using a slightly larger address mapping table is only 11% and the overall code expansion is about 20%. Note that many modern released application binaries are stripped rather than unstripped. Furthermore, with our function partitioning approach, the execution time increases by 30%, while the translation time could be 13X better if the source is an unstripped executable.


To narrow the gap in execution time between the executable generated by our system and the native executable, more optimization passes should be added, at both the target-independent level (LLVM optimizer) and the target-dependent level (LLVM static compiler), or our system should be able to perform some aggressive optimizations during translation.

Our current work translates Thumb-2-only executables. One direction for future work is building a retargetable translator for the ARM/Thumb-2 mixed ISA. By combining the mechanisms used in [17] with the work presented in this thesis, a static binary translator for the ARM/Thumb-2 mixed ISA would be more practical in general.


References

[1] R. L. Sites, A. Chernoff, M. B. Kirk, M. P. Marks, and S. G. Robinson, "Binary translation," Commun. ACM, vol. 36, pp. 69-81, Feb 1993.

[2] J. Y. Chen, W. Yang, C. Su, and W. C. Hsu, "A Static Binary Translator for Efficient Migration of ARM based Applications," in Proceedings of the 6th Workshop on Optimizations for DSP and Embedded Systems, 2008.

[3] A. Chernoff, M. Herdeg, R. Hookway, C. Reeve, N. Rubin, T. Tye, S. Yadavalli, and J. Yates, "A profile-directed binary translator," IEEE Micro, vol. 18(2), pp. 56-64, 1998.

[4] B. Y. Shen, J. Y. Chen, W. C. Hsu, and W. Yang, "LLBT: an llvm-based static binary translator," in Proceedings of the 2012 international conference on Compilers, architectures and synthesis for embedded systems, CASES, New York, NY, USA, 2012.

[5] B. Cmelik and D. Keppel, "Shade: A fast instruction-set simulator for execution profiling," ACM, vol. 22, 1994.

[6] V. Bala, E. Duesterwald, and S. Banerjia, "Dynamo: a transparent dynamic optimization system," SIGPLAN, vol. 35(5), pp. 1-12, May 2000.

[7] D. Bruening, T. Garnett, and S. Amarasinghe, "An infrastructure for adaptive dynamic optimization," in Proceedings of the international symposium on Code generation and optimization: feedback-directed and runtime optimization, CGO, Washington, DC, USA, 2003.

[8] J. Smith and R. Nair, Virtual Machine: Versatile Platforms for Systems and Processes, Morgan Kaufmann, 2005.

[9] C. Cifuentes and V. M. Malhotra, "Binary Translation: Static, Dynamic, Retargetable?," in Proceedings of the 1996 International Conference on Software Maintenance, Washington, DC, USA, 1996.

[10] Bor-Yeh Shen, Jyun-Yan You, Wuu Yang, and Wei-Chung Hsu, "An LLVM-based hybrid binary translation system," in 7th IEEE International Symposium on Industrial Embedded Systems (SIES'12), Karlsruhe, Germany, 2012.

[11] "ARM-The Architecture for the Digital World," [Online]. Available: http://www.arm.com/.

[12] "ARM Architecture Reference Manual ARMv7-A and ARMv7-R Edition," [Online]. Available: https://silver.arm.com/download/download.tm?pv=1203633.

[13] "GCC," [Online]. Available: http://gcc.gnu.org/.

[14] C. Lattner and V. Adve, "LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation," in Proceedings of the international symposium on Code generation and optimization: feedback-directed and runtime optimization, Washington, DC, USA, 2004.

[15] F. Bellard, "QEMU: a fast and portable dynamic translator," in Proceedings of the annual conference on USENIX Annual Technical Conference, ATEC, Berkeley, CA, USA, 2005.

[16] R. N. Horspool and N. Marovac, "An Approach to the Problem of Detranslation of Computer Programs," Computer Journal (August), pp. 223-229, 1980.

[17] Jiunn-Yeu Chen, Bor-Yeh Shen, Quan-Huei Ou, Wuu Yang and Wei-Chung Hsu, "Effective code discovery for ARM/Thumb-1 mixed ISA binaries in a static binary translator," in International Conference on Compilers, Architecture, and Synthesis for Embedded Systems (CASES'13), Montreal, Canada, 2013.

[18] C. Lattner, "Intro to the LLVM MC Project," [Online]. Available: http://blog.llvm.org/2010/04/intro-to-llvm-mc-project.html.

[19] "EEMBC," [Online]. Available: http://www.eembc.org.

[20] "µClibc," [Online]. Available: http://www.uclibc.org.

[21] R. Spencer and G. Henriksen, "LLVM's Analysis and Transform Passes," [Online]. Available: http://llvm.org/docs/Passes.html.

[22] "SPEC CPU2006," [Online]. Available: http://www.spec.org/cpu2006/.
