kumar by xiaoyounan

VIEWS: 4 PAGES: 30

									TDB: A Source-level Debugger for
Dynamically Translated Programs



Naveen Kumar, Bruce Childers              Mary Lou Soffa
 Department of Computer Science    Department of Computer Science
       University of Pittsburgh          University of Virginia
  Pittsburgh, Pennsylvania 15260    Charlottesville, Virginia 22904
  {naveen, childers}@cs.pitt.edu          soffa@virginia.edu
          New execution vehicle

• New execution vehicle for:
  – software security, bug isolation, simulations, dynamic
    optimizations….
• Software Dynamic Translation (SDT)
  –   A layer between application program and the host machine
  –   Intercepts and modifies instructions before they execute

                        Application Binary
                       Dynamic Translator

                               CPU

• Goal: Debug the Application transparent to SDT
       Challenges to debugging

• Static debug information is inconsistent
  – Code is generated and modified during execution
  – Code duplication at run-time


• Transparency of dynamic translation
  – Hide the SDT system
  – Hide the effects of dynamic translation (code
    modifications) on the translated code
                Our approach

• A debug architecture for debugging dynamically
  translated programs

• Dynamic debug mappings
  – Relate untranslated code with translated code
  – Techniques to generate these mappings at run-time
    for different kinds of translation operations


• Extensibility: support different uses of SDT
                     Outline

•   Background
•   Debug Architecture
•   Debug Mappings
•   Implementation
•   Experimental Results
•   Summary
                        Background

• Software Dynamic Translation (SDT)

    Application Binary

                                 • Primary tasks
          Fetch
             Fetch
                                    – Fetch application
       Decode
           Decode
                                      instructions
           Translate                – Decode
       Next PC
                 Emit      SDT      – Translate
                                      (modify/instrument)
                                    – Emit translated code into
       Code Cache
                                      a code cache


        Host CPU
    SDT Direct Execution & Cache
                  Many Operation: One instructionan translates
                  Regular Operation: One instructionof a branchinto
                  Trampoline Operation: Translation instruction
                  Delete Operation: Translation of results in more
                  than one zero instructions
                  exactly in translated instruction cache translator
                             a instruction in code
                  results one set of instructions to invoke
Program Code                                                           Code Cache



                                     Translator
ld [ %o1 ], %o0
                                                                       ld [ %o1 ], %o0
call 0x26a70c                                                    sethi hi(0x50400),%o7
     nop                                                         or %o7, 0x288, %o7
                                  fetch0x26a70c
                                  callre-enter
                                  ld [ branch
                                        nop
                                         fragment
                                           fragment
                                 execute … ], %o0
                                       %o1
      …                                                                      …

be 0x26a77c                                                               branch
                                                                        trampoline
mov %g0, %o0
                                                                       mov %g0, %o0


                                 Fetch code fragment
                                Execute code fragment
                                 end of fragment condition
                           untiluntil branch trampoline
                     Outline

•   Background
•   Debug Architecture
•   Debug Mappings
•   Implementation
•   Experimental Results
•   Summary
       Debug Architecture

                 Native Debugger



 Mapping                        Breakpoint   Breakpoint
              Mapper
Repository                       Manager     Repository




  Mapping                                    Debug
  Generator                                  Engine

                        SDT                  Code
Application
                       System                Cache
                Debug Engine



   Mapping                    Breakpoint   Breakpoint
                     Mapper
  Repository                   Manager     Repository




    Mapping                                Debug
    Generator                              Engine



Translation information
from SDT system
                Debug Engine

           mapAddress or writeValue
           from Native Debugger



   Mapping                             Breakpoint   Breakpoint
                     Mapper
  Repository                            Manager     Repository




    Mapping                                         Debug
    Generator                                       Engine


                              Read/Write into
Translation information       Code Cache
from SDT system
                Debug Engine

           mapAddress or writeValue     insert or delete
           from Native Debugger         breakpoints



   Mapping                             Breakpoint          Breakpoint
                     Mapper
  Repository                            Manager            Repository




    Mapping                                                Debug
    Generator                                              Engine


                              Read/Write into
Translation information       Code Cache
from SDT system
                Debug Engine
                                                      Notify native debugger
           mapAddress or writeValue     insert or delete
           from Native Debugger         breakpoints



   Mapping                             Breakpoint       Breakpoint
                     Mapper
  Repository                            Manager         Repository




    Mapping                                            Debug
    Generator                                          Engine


                              Read/Write into
Translation information       Code Cache
from SDT system                            Breakpoint Exception
                     Outline

•   Background
•   Debug Architecture
•   Debug Mappings
•   Implementation
•   Experimental Results
•   Summary
       Dynamic Debug Mappings

• Debug engine generates and uses debug
  information in terms of mappings
• Mappings used to implement debug commands
• Mapping types
   – U-T: untranslated code with translated code
   – T-T: translated code with translated code
   – T-U: translated code with untranslated code


• The mappings are generated based upon the
  kind of translation operation (regular, many etc.)
                     Regular Operation
                      (copy an instruction to code cache)

50684: ld [ %o1 ], %o0    f1800c8: ld [ %o1 ], %o0             U-T Mappings
50688: call 0x26a70c                                     1. 50684  {f1800c8}
5068c: nop
…
…
26a70c: mov %o0, %o1
26a710: andcc %o1,3,%o3
26a714: be 0x26a77c
26a718: mov %g0, %o0
...
...
    Program locations       Translated locations


  Uses:
  1. Determine code cache location
     for inserting a breakpoint
                                                     u      U-T        t
  2. Determine untranslated location
     for PC, when a breakpoint is hit
                          Many Operation
              (translate an instruction into multiple instructions)

50684: ld [ %o1 ], %o0    f1800c8: ld [ %o1 ], %o0              U-T Mappings
50688: call 0x26a70c                                      1. 50684  {f1800c8}
5068c: nop
…
…
26a70c: mov %o0, %o1
26a710: andcc %o1,3,%o3
26a714: be 0x26a77c
26a718: mov %g0, %o0
...
...
    Program locations       Translated locations
                          Many Operation
50684: ld [ %o1 ], %o0    f1800c8: ld [ %o1 ], %o0               U-T Mappings
50688: call 0x26a70c      f1800cc: sethi hi(0x50400),%o7   1. 50684  {f1800c8}
5068c: nop                f1800d0: or %o7, 0x288, %o7
…
…
26a70c: mov %o0, %o1
26a710: andcc %o1,3,%o3
26a714: be 0x26a77c
26a718: mov %g0, %o0
...
...
    Program locations       Translated locations
                          Many Operation
50684: ld [ %o1 ], %o0    f1800c8: ld [ %o1 ], %o0                     U-T Mappings
50688: call 0x26a70c      f1800cc: sethi hi(0x50400),%o7         1. 50684  {f1800c8}
5068c: nop                f1800d0: or %o7, 0x288, %o7            2. 50688  {f1800cc}
…
…
26a70c: mov %o0, %o1
26a710: andcc %o1,3,%o3
26a714: be 0x26a77c
26a718: mov %g0, %o0
...                                                                     T-T Mappings
...                                                              3. f1800d0  {f1800d4}
    Program locations       Translated locations


  Uses:
     “Skip past” the execution of each
      additional instruction                                                    t1
                                                           u                    t2
     (e.g. t2 & t3 in the adjoining figure are             u+1                  t3
     never visible to the native debugger)                                      t4
                      Other Operations
50684: ld [ %o1 ], %o0    f1800c8:    ld [ %o1 ], %o0                 U-T Mappings
50688: call 0x26a70c      f1800cc:    sethi hi(0x50400),%o7   1.   50684  {f1800c8}
5068c: nop                f1800d0:    or %o7, 0x288, %o7      2.   50688  {f1800cc}
…                         f1800d4:    mov %o0, %o1            4.   5068c  {f1800d4}
…                         f1800d8:    andcc %o1, 3, %o3       5.   26a70c  {f1800d4}
26a70c: mov %o0, %o1      f1800dc:    be 0xff180104           6.   26a710  {f1800d8}
26a710: andcc %o1,3,%o3   f1800e0:    mov %g0, %o0            7.   26a714  {f1800dc}
26a714: be 0x26a77c       f1800e4:    save %sp, -96, %sp      8.   26a718  {f1800e0}
26a718: mov %g0, %o0      ...
...                       ...                                        T-T Mappings
...                                                           3. f1800d0  {f1800d4}
    Program locations           Translated locations
                                                                     T-P Mappings
                                                              9. f1800e4  {26a77c}


  Other operations include:
  1. Delete, Trampoline
  2. Overhead reduction operations
  3. Dynamic instrumentation
                     Outline

•   Background
•   Debug Architecture
•   Debug Mappings
•   Implementation
•   Experimental Results
•   Summary
                        TDB

• Reference implementation of Debug Architecture

• GDB as the Native Debugger
  – Supports all source-level commands in GDB

• SDT system Strata
  – Basic translation operations (regular,many,delete,tramp)
  – Overhead reduction techniques
  – Dynamic instrumentation


• Also used by Intel for their Pin SDT system
  Layout of the Debug Engine

                   Native Debugger
                                              GDB process
                                                space
          Mapper      Breakpoint Manager
Debug
Engine   Mapping & Breakpoint Repositories   Shared memory

                Mapping generator
                                             Strata process
                                                 space
             Application + SDT System
                     Outline

•   Background
•   Debug Architecture
•   Debug Mappings
•   Implementation
•   Experimental Results
•   Summary
                    Experiments

• Experiments
  – Measured time to execute one breakpoint
  – Measured memory overhead

• Experimental setup
  – Strata-SPARC, GDB 5.3
     • security policy on invocation of syscalls
  – SUN Blade 100, SPECint2000 benchmarks
  – Breakpoints set in "hot" functions
     • Programs run until 10,000 breakpoints hit
                      Breakpoint Overhead
           2.5

            2
Slowdown




           1.5
                                                            gdb
                                                            tdb
            1

           0.5

            0



                                             x
                       c




                                                   r
                                              f
                            ip

                                  ip
                 cf




                                            ol



                                                  vp
                                          rte
                      gc

                           gz

                                 bz
             m




                                        tw
                                       vo
                      Cost per breakpoint in GDB = 1
                 Average cost of breakpoint in Tdb = 1.63
                       Memory Requirements
               10000


                1000
Memory in KB




                 100


                  10


                   1
                       mcf   gcc   gzip   bzip   twolf vortex   vpr

     • Memory requirement ranges from 56KB to
       1.3 MB
                 – Average of 501KB
                     Outline

•   Background
•   Debug Architecture
•   Debug Mappings
•   Implementation
•   Experimental Results
•   Summary
                   Summary

• Proposed a debug architecture
  – Debug mappings
  – Generation and use of mappings

• Available for Strata/GDB and Pin/GDB
  – Supports all source-level commands and queries


• Has minimal performance and memory overheads
      For More Information


                   Please visit

http://www.cs.pitt.edu/coco/tdb




 University of Pittsburgh    University of Virginia

								
To top