Powered by
27th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES 2026), June 15–16, 2026,
Boulder, CO, USA
27th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES 2026)
Frontmatter
Partial-Credit RL for Reliable Code Generation with Small Language Models (WIP)
Suryansh Singh Sijwali and
Suman Saha
(Pennsylvania State University, USA)
Small language models (SLMs, ≤1.5B parameters) are attractive for embedded and resource-limited development workflows because they can run under single-GPU or CPU budgets and be adapted without distributed training. However, SLM-based code generation is brittle under strict sandboxed
evaluation, and reinforcement learning (RL) with binary test rewards is often too sparse to train reliably. This WIP paper presents a reliability-first RL framework for SLM code generation with a partial-credit functional reward that distinguishes common near-miss outcomes and assigns inter-
mediate credit for syntax validity, crash-free execution, and output production. We include a static-analysis term in the objective to discourage unsafe shortcuts during training. On DeepSeek-Coder-1.3B evaluated on 100 stdin-style APPS+ prompts, partial-credit PPO improves syntax validity to 63% and produces solutions that pass at least one test in 9% of prompts in a single generated attempt, while binary-reward PPO regresses below a supervised fine-tuning baseline. We also observe that a binary-to-partial-credit curriculum outperforms training with partial credit from scratch.
Article Search
Article: pldiws26lctesmain-p11-p
SymFlow: Event-Chain-Aware Symbolic Execution for Serverless Sensitive Data Flow Detection
Yuanpeng Wang,
Zhineng Zhong,
Zhenkai Liang,
Ding Li,
Yao Guo, and
Xiangqun Chen
(Peking University, China; National University of Singapore, Singapore)
Serverless applications are widely adopted for their scalability, cost-efficiency, and elastic resource management. However, their event-driven nature introduces complex event chains whose trigger-handler relationships are often determined dynamically by conditional logic, asynchronous callbacks, and resource-state dependencies. Existing security analysis tools, such as CloudFlow, mainly rely on static analysis, making it difficult to capture these dynamic event-chain interactions and the semantics of coarse-grained cloud APIs. As a result, they often fail to bridge the gap between architectural reachability and semantic feasibility, leading to both false positives and false negatives.
To address this limitation, we propose SymFlow, an event-chain-aware symbolic execution framework for sensitive data flow detection in serverless applications. SymFlow combines static architectural analysis with symbolic reasoning to identify feasible event chains and validate their concrete code semantics across service boundaries. By constraining exploration with architectural event dependencies while semantically analyzing inter-function and inter-service behaviors along each event chain, SymFlow can more precisely recover real sensitive data flows and substantially reduce spurious results from purely static reasoning. Evaluated on CloudBench and 104 real-world AWSomePy applications, SymFlow reports 36.6% more sensitive data flows than CloudFlow, improves detection precision by 14.4% and increases event-chain coverage by 73.6%. It also discovered two previously unknown zero-day vulnerabilities in real-world applications.
Article Search
Article: pldiws26lctesmain-p21-p
On the Origins of Indirect Jumps in Embedded Software
Ariane Nicolas,
Ronan Lashermes,
Isabelle Puaut, and
Erven Rohou
(Univ Rennes - Inria - CNRS - IRISA, France; Rambus, France)
Indirect control-flow transfers complicate control-flow graph (CFG) construction, thereby reducing the precision of static analyses and control-flow integrity mechanisms in embedded systems.
While previous work has primarily focused on resolving indirect jump targets, comparatively little attention has been devoted to understanding the reasons behind their generation.
This paper presents a systematic empirical study of the origins of indirect jumps in compiled binaries.
We introduce a taxonomy that characterizes the programming constructs and compiler transformations responsible for their generation.
Our analysis encompasses C, C++, Fortran, and Rust programs compiled with GCC and LLVM at multiple optimization levels, targeting the 32-bit RISC-V instruction set.
We then quantify the prevalence of each identified category over representative benchmarks and analyze differences across programming languages and compilation configurations.
By clarifying the origins of indirect control transfers, this work provides insight into their impact on CFG precision and the static analysis of embedded software.
Article Search
Artifacts Available
Article: pldiws26lctesmain-p55-p
MemSpec: Memory-Aware Runtime for Adaptive Draft Scheduling in Speculative Decoding on Edge Devices
Eunjeong Kim,
Yeong Jun Jeon, and
Myeonggyun Han
(Kyungpook National University, Republic of Korea)
Speculative decoding accelerates autoregressive large language model (LLM) inference by using a lightweight draft model to speculate multiple tokens, reducing expensive target model decoding steps. Its effectiveness depends heavily on draft selection, motivating adaptive methods that exploit variation across inputs and generation stages. On memory-constrained edge devices, however, these methods often fail to improve end-to-end throughput due to the overhead of switching between draft models. We identify a key limitation in this setting: the mismatch between draft selection and draft availability under tight memory budgets.
To address this challenge, we present MemSpec, a prediction-guided, memory-aware runtime for adaptive speculative decoding on edge devices. MemSpec decouples draft selection from execution through proactive resident working-set management. A lightweight predictor estimates draft effectiveness from prompt and generation context, while a memory-aware scheduler reduces reactive model loading overhead. Experiments on a Jetson Orin Nano show that MemSpec improves steady-state generation throughput by 40.7% on average over state-of-the-art bandit-based adaptive methods while closely approaching the oracle upper bound.
Article Search
Article: pldiws26lctesmain-p56-p
Bridging the Memory Hotness Gap in Edge Systems with Hotness-Segregated Object Allocation
Ruizhe Huang,
Jiahua Wang,
Qihang Xu,
Peng Jiang,
Zhida An,
Ding Li,
Yao Guo,
Xiangqun Chen,
Yuxin Ren, and
Ning Jia
(Peking University, China; Southeast University, China; Huawei Technologies, China)
Kernel operations in resource-constrained edge systems, such as memory swapping and deduplication, use the access frequency (hotness) of memory pages to guide page placement and reclamation. However, these operations suffer from page-hotness skew: a page may contain a mix of highly accessed and infrequently accessed objects, which causes inaccurate page-level classification, wasted DRAM capacity, and expensive I/O. We attribute this skewness to a cross-layer mismatch: the kernel manages memory at page granularity, whereas user-level allocators place objects without considering access hotness.
To bridge this gap, we present HotMalloc, a memory allocator that reduces this skewness through object-granularity hotness-segregated allocation. HotMalloc uses profile-guided optimization to analyze object access patterns offline and synthesizes an application-specific allocator. At runtime, HotMalloc identifies object hotness from offset-encoded call-site contexts and co-locates objects with similar hotness on the same pages without adding per-access overhead. Additionally, HotMalloc exposes simple interfaces to inform the kernel of page hotness. Evaluation on memory swapping and deduplication shows that HotMalloc significantly reduces skewness and improves hotness-aware kernel operations by 4.6% to 42.1%.
Article Search
Article: pldiws26lctesmain-p64-p
FLUX: Frequency Scaling with Layer-wise Utilization for Energy-Efficient NPU Execution (WIP)
Inho Lee,
Ky Yeop Lim,
Hyejun Kim,
Beomseok Kim,
Dongsuk Jeon,
Hunjun Lee, and
Yongjun Park
(Hanyang University, Republic of Korea; Samsung Electronics, Republic of Korea; Yonsei University, Republic of Korea; Seoul National University, Republic of Korea)
Article Search
Article: pldiws26lctesmain-p69-p
CVS: A Metric for Security-Aware Compilation against Side-Channel Attacks in Edge SoCs (WIP)
Yi Han,
Puhong Lei,
Yang Shi,
Zhe Li,
Xing Mou,
Jianjun Chen, and
Yaohua Wang
(National University of Defense Technology, Changsha, China; Key Laboratory of Advanced Microprocessor Chips and Systems, Changsha, China; Hunan Greatwall Galaxy Science and Technology, Changsha, China)
Deep learning compilers (DLCs) have become the standard approach for optimizing edge inference performance, employing techniques such as operator fusion, loop tiling, and scheduling to meet stringent resource constraints. Yet, the security implications of these optimizations remain largely unexplored. In this work, we investigate shared-memory side-channel attacks on edge SoCs and analyze how compiler optimizations reshape the leakage surface. Our study reveals that identical operators can exhibit distinct shared-resource access patterns under different compilation strategies, resulting in divergent attack outcomes. To address this, we introduce the Confusion Variance Score (CVS), a metric that quantifies compilation-induced security by measuring confusion in time-series resource traces (e.g., DRAM bandwidth). CVS integrates multidimensional dynamic time warping with statistical morphological features to ensure temporal robustness, and shows a strong negative correlation (Spearman r ≈ −0.9394) with practical attack error rates. Finally, we demonstrate the feasibility of CVS-guided compilation in TVM and TensorRT, achieving a 24 % increase in attack error rate compared to default strategies, while limiting inference latency overhead to under 5 %.
Article Search
Article: pldiws26lctesmain-p71-p
proc time: 16.62