RDE: Replay DEbugging for Diagnosing Production Site Failures

Slides:

Advertisements

Similar presentations

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Advertisements

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Automatic test case generation for programs that are coded against interfaces and annotations or use native code Mainul Islam Supervisor: Dr. Christoph.

Mahadevan Subramaniam and Bo Guo University of Nebraska at Omaha An Approach for Selecting Tests with Provable Guarantees.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

Continuously Recording Program Execution for Deterministic Replay Debugging.

Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.

Presenter: Chi-Hung Lu 1. Problems Distributed applications are hard to validate Distribution of application state across many distinct execution environments.

1 Guide to JSP common functions 1.Including the libraries as per a Java class, e.g. not having to refer to java.util.Date 2.Accessing & using external.

Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

University of Maryland Bug Driven Bug Finding Chadd Williams.

Bug Localization with Machine Learning Techniques Wujie Zheng

1 Conditions Logical Expressions Selection Control Structures Chapter 5.

Debugging in Java. Common Bugs Compilation or syntactical errors are the first that you will encounter and the easiest to debug They are usually the result.

Which Configuration Option Should I Change? Sai Zhang, Michael D. Ernst University of Washington Presented by: Kıvanç Muşlu.

Replay Compilation: Improving Debuggability of a Just-in Time Complier Presenter: Jun Tao.

Copyright © 2010 Certification Partners, LLC -- All Rights Reserved Perl Specialist.

Static Program Analyses of DSP Software Systems Ramakrishnan Venkitaraman and Gopal Gupta.

Looping and Counting Lecture 3 Hartmut Kaiser

IDENTIFYING SEMANTIC DIFFERENCES IN ASPECTJ PROGRAMS Martin Görg and Jianjun Zhao Computer Science Department, Shanghai Jiao Tong University.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University IWPSE 2003 Program.

Copyright © 2003 ProsoftTraining. All rights reserved. Perl Fundamentals.

CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.

A Test Case + Mock Class Generator for Coding Against Interfaces Mainul Islam, Christoph Csallner Software Engineering Research Center (SERC) Computer.

A Runtime Verification Based Trace-Oriented Monitoring Framework for Cloud Systems Jingwen Zhou 1, Zhenbang Chen 1, Ji Wang 1, Zibin Zheng 2, and Wei Dong.

Error Handling Tonga Institute of Higher Education.

A Binary Agent Technology for COTS Software Integrity Anant Agarwal Richard Schooler InCert Software.

Automating Configuration Troubleshooting with Dynamic Information Flow Analysis Mona Attariyan Jason Flinn University of Michigan.

CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin University.

Functional Processing of Collections (Advanced) 6.0.

Implementing Subprograms

Testing Tutorial 7.

Configuration Fuzzing for Software Vulnerability Detection

CS1101X Programming Methodology

APEx: Automated Inference of Error Specifications for C APIs

Representation, Syntax, Paradigms, Types

Yongle Zhang, Serguei Makarov, Xiang Ren, David Lion, Ding Yuan

Log20: Fully Automated Optimal Placement of Log Printing Statements under Specified Overhead Threshold Xu Zhao*, Kirk Rodrigues*, Yu Luo*, Michael Stumm*,

A Test Case + Mock Class Generator for Coding Against Interfaces

Understanding Real World Data Corruptions in Cloud Systems

Java Software Structures: John Lewis & Joseph Chase

Presented by Mahadevan Vasudevan + Microsoft , *UC-Berkeley

High Coverage Detection of Input-Related Security Faults

Implementing Subprograms

Implementing Subprograms

Evaluating Transaction System Performance

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.

Representation, Syntax, Paradigms, Types

Android Topics UI Thread and Limited processing resources

Representation, Syntax, Paradigms, Types

Representation, Syntax, Paradigms, Types

CUTE: A Concolic Unit Testing Engine for C

IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue.

Review of Previous Lesson

Dynamic Binary Translators and Instrumenters

Implementing Subprograms

Stream-based Memory Specialization for General Purpose Processors

Presentation transcript:

RDE: Replay DEbugging for Diagnosing Production Site Failures Peipei Wang1, Hiep Nguyen2, Xiaohui (Helen) Gu1, Shan Lu3 North Carolina State University1 Google Inc.2 University of Chicago3

Motivation Reproducing production site failures is difficult Cannot Lack environment information (e.g., user inputs, configuration files) Miss interacting components (e.g., storage, third-party libraries) Cannot replay Bug report Production Site Development Site

The State of the Art Record and reply High overhead Privacy concerns Deployment challenges Development site Production site Partial record and reply---privacy

Onsite Failure Path Inference Our Approach Production site Onsite Failure Path Inference [Insight ATC14] Application binary Environment information Inferred failure path Development site Failure-triggering input Overall framework RDE Debugger source code Developer

Background Insight: In-situ Online Service Failure Path Inference [Hiep et al ATC`14] Onsite failure path inference within the production environments Leverage production environment clues (e.g., configuration files, console logs, system call traces) Dynamic shadow server creation----Decouple analysis from the production run When we say “Onsite”, we mean it collects runtime system call sequences

Onsite Failure Path Inference Input: console log 1 log (“Checking request state in database”); 2 my @selected_rows = database_select ( $select_statement ); 3 if ( ( scalar @selected_rows ) == 0 ) { 4 log (“0 rows returned from request state select statement, request was probably deleted, returning 0” ); 5 return 0; 6 }else{ 7 if ( ( scalar @selected_rows ) > 1 ) { log (“More than 1 row returned from request state select statement, returning 0” ); 9 return 0; 10 }else{ 11 log (“Start processing reservation”); 12 } 13 } Checking request state in database Start processing reservation True False Unmatched 1 False True True False Don’t need to read all points Unmatched 2 True False Matched Output: inferred failure path

Failure Reproduction Challenge Infeasible path problem Original failure-triggering user input is unavailable Insufficient guidance during onsite failure path inference Solution Find a similar feasible path bool make_dir_parents ( … ) …. if((parent_mode & WX_USR)…){ re_protect = true; }else{ re_protect = false; } … if(re_protect){ …. } 1 This example is the example of infeasible inferred path: the bug for mkdir It is a infeasible path because path constraint solver could not find correct value for re_protect Both branches have no log messages. So both branches could be flippable True False re_protect = true; 2 True False

Guided Symbolic Execution Console log This is branch 1 Function end void example (int a){ if (a>=2){ log(“This is branch 1”); b=10; } if (a<=2 && b>7){ c=1; }else{ c=2; log(“Function end”); 1 True False 2 True False Concrete: determined condition value Explored: undetermined condition value Non-flippable branches Flippable branches

Input Synthesis with Symbolic Execution A symbolic execution path void foo (int a){ 1: if (a>=2) 2: … //do something 3: if (a<=2) 4: ... //do something 5: } Input: a=2 1 True False 2 True False Code line number: 1, 2, 3, 4 Don’t need to read all points Path constraints: a>=2 and a<=2

Implementation Symbolic execution engine Path alignment KLEE [Cadar et al. OSDI 2008] Path alignment Branch mapping of the binary and the LLVM bitcode. Same compiler, similar code block layout, same branch order Path alignment is because binary and bit-code using different code block layout Binary: if true jump to higher address Bitcode: if false jump to lower address

Evaluation Benchmarks System name LOC Failure path length Num. of console log messages Num. of system calls Successfully reproduced ? Num. of functions Num. of branches mkdir 400 2 42 202 YES rmdir 200 23 3 198 ln 600 43 186 touch 500 1 7 188 cp 1900 13 116 199 Alternative input:: a different input but of the same type as the original input

Guided Symbolic Execution Complexity Distance of call path between original path and RDE produced path Distance of branch level between original path and RDE produced path Traversed number of paths in RDE

Guided Symbolic Execution Time Failure name Inferred path setting Path alignment Input synthesis mkdir Original input Alternative input 0.9 ± 0.1 s 0.9 ± 0.2 s 2.3 ± 0.4 s 2.3 ± 0.3 s rmdir 0.8 ± 0.1 s 1.8 ± 0.2 s 1.8 ± 0.3 s ln 1.0 ± 0.1 s 3.2 ± 0.4 s 3.2 ± 0.5 s touch 1.1 ± 0.1 s 1.2 ± 0.2 s 2.1 ± 0.3 s 2.2 ± 0.3 s cp 3.8 ± 0.4 s 3.9 ± 0.3 s Alternative input is the same input of the original input, but different value

Related Work Failure input synthesis ESD [Zamfir et al. EUROSYS 2010] Extract failure points from core dumps and use static control flow analysis to narrow down the symbolic execution space RDE handles non-crashing failures and use runtime inferred failure path to speedup the symbolic execution Better Bug Reporting [Castro et al. ASPLOS 2008] Use symbolic execution along the known failure path to synthesize a set of inputs that are different from the original one. RDE does not require exact failure path or any user input Don’t need to read all points

Related Work Guided symbolic execution Pathfinder [Pasareanu and Rungta ASE 2015] Limits the loop iterations and recursions of symbolic execution for Java code. Fitnex [Xie et al. DSN 2009] Use a fitness function to measure the distance between a feasible path and a particular target Different approaches to alleviate the space explosion problem of symbolic execution Fitness values measure the distance between a feasible path and a particular target

Limitation & Future work Prohibitive symbolic execution overhead in library calls such as libc Record exact path within library functions Require symbolic execution engine to support production library Support multi-process and multithreaded applications KLEE does not support multi-process or multithreaded applications Integrate with CLOUD9 [Bucur EUROSYS`2011] Could not use function call branches to guide symbolic execution into library function

Conclusion RDE: Replay debugging for diagnosing production site failures Reproduce production-site failure execution at the development site using inferred failure path Provide guided symbolic execution exploration to synthesize failure-triggering user inputs. Don’t need to read all points Thank you!