Analysing Switch-Case Tables by Partial Evaluation

Tracing the flow of control in code generated from switch-case statements is difficult for static program analysis tools when the code contains jumps to dynamically computed target addresses. Analytical methods such as abstract interpretation using integer intervals can work for some forms of switchcase code, for example a jump via a table of addresses indexed 1 .. n, but fail when the target compiler encodes the switch-case structure in a ROM table with a complex format and uses a library routine to interpret the table at runtime. This paper shows how to extract the flow of control from such switch-case tables by partial evaluation of the table-interpreting routine. The resulting control-flow graph allows accurate analysis of the execution time and the logical conditions for reaching each case in the switch-case statement. The method is implemented in Tidorum's Bound-T tool for worstcase executiontime analysis. The implementation builds on some basic BoundT features for modeling program states in the flowgraph and propagating constant values through the graph.