DrDebug: Deterministic Replay based Cyclic Debugging with Dynamic Slicing Yan Wang *, Harish Patil **, Cristiano Pereira **, Gregory Lueck **, Rajiv Gupta.

Slides:



Advertisements
Similar presentations
Concurrent Predicates: A Debugging Technique for Every Parallel Programmer PACT 13 Justin Gottschlich Gilles Pokam Cristiano Pereira Youfeng Wu Intel Corporation.
Advertisements

Software & Services Group PinPlay: A Framework for Deterministic Replay and Reproducible Analysis of Parallel Programs Harish Patil, Cristiano Pereira,
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.
Program Slicing. 2 CS510 S o f t w a r e E n g i n e e r i n g Outline What is slicing? Why use slicing? Static slicing of programs Dynamic Program Slicing.
Program Slicing Mark Weiser and Precise Dynamic Slicing Algorithms Xiangyu Zhang, Rajiv Gupta & Youtao Zhang Presented by Harini Ramaprasad.
Presented By: Krishna Balasubramanian
1 Cost Effective Dynamic Program Slicing Xiangyu Zhang Rajiv Gupta The University of Arizona.
CS590F Software Reliability What is a slice? S: …. = f (v)  Slice of v at S is the set of statements involved in computing v’s value at S. [Mark Weiser,
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
DrDebug: Deterministic Replay based Cyclic Debugging with Dynamic Slicing Yan Wang *, Harish Patil **, Cristiano Pereira **, Gregory Lueck **, Rajiv Gupta.
1 S. Tallam, R. Gupta, and X. Zhang PACT 2005 Extended Whole Program Paths Sriraman Tallam Rajiv Gupta Xiangyu Zhang University of Arizona.
An Case for an Interleaving Constrained Shared-Memory Multi- Processor CS6260 Biao xiong, Srikanth Bala.
1 Integrating Influence Mechanisms into Impact Analysis for Increased Precision Ben Breech Lori Pollock Mike Tegtmeyer University of Delaware Army Research.
A Comparison of Online and Dynamic Impact Analysis Algorithms Ben Breech Mike Tegtmeyer Lori Pollock University of Delaware.
Pruning Dynamic Slices With Confidence Xiangyu Zhang Neelam Gupta Rajiv Gupta The University of Arizona.
S. Narayanasamy, Z. Wang, J. Tigani, A. Edwards, B. Calder UCSD and Microsoft PLDI 2007.
Continuously Recording Program Execution for Deterministic Replay Debugging.
Deterministic Logging/Replaying of Applications. Motivation Run-time framework goals –Collect a complete trace of a program’s user-mode execution –Keep.
BugNet Continuously Recording Program Execution for Deterministic Replay Debugging Satish Narayanasamy Gilles Pokam Brad Calder.
Automated Diagnosis of Software Configuration Errors
0 Deterministic Replay for Real- time Software Systems Alice Lee Safety, Reliability & Quality Assurance Office JSC, NASA Yann-Hang.
Timing and Race Condition Verification of Real-time Systems Yann–Hang Lee, Gerald Gannod, and Karam Chatha Dept. of Computer Science and Eng. Arizona State.
1 ECE 453 – CS 447 – SE 465 Software Testing & Quality Assurance Instructor Kostas Kontogiannis.
Software (Program) Analysis. Automated Static Analysis Static analyzers are software tools for source text processing They parse the program text and.
Microsoft Research Asia Ming Wu, Haoxiang Lin, Xuezheng Liu, Zhenyu Guo, Huayang Guo, Lidong Zhou, Zheng Zhang MIT Fan Long, Xi Wang, Zhilei Xu.
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Analyzing parallel programs with Pin Moshe Bach, Mark Charney, Robert Cohn, Elena Demikhovsky, Tevi Devor, Kim Hazelwood, Aamer Jaleel, Chi- Keung Luk,
1 A Static Analysis Approach for Automatically Generating Test Cases for Web Applications Presented by: Beverly Leung Fahim Rahman.
- 1 - Dongyoon Lee †, Mahmoud Said*, Satish Narayanasamy †, Zijiang James Yang*, and Cristiano L. Pereira ‡ University of Michigan, Ann Arbor † Western.
SSGRR A Taxonomy of Execution Replay Systems Frank Cornelis Andy Georges Mark Christiaens Michiel Ronsse Tom Ghesquiere Koen De Bosschere Dept. ELIS.
Bug Localization with Machine Learning Techniques Wujie Zheng
AADEBUG MUNCHEN Non-intrusive on-the-fly data race detection using execution replay Michiel Ronsse - Koen De Bosschere Ghent University - Belgium.
Interactive Debugging QuickZoom: A State Alteration and Inspection-based Interactive Debugger 1.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.
Replay Compilation: Improving Debuggability of a Just-in Time Complier Presenter: Jun Tao.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Technology and Science, Osaka University Dependence-Cache.
Debugging parallel programs. Breakpoint debugging Probably the most widely familiar method of debugging programs is breakpoint debugging. In this method,
References: “Pruning Dynamic Slices With Confidence’’, by X. Zhang, N. Gupta and R. Gupta (PLDI 2006). “Locating Faults Through Automated Predicate Switching’’,
Lecture Notes - Copyright © S. C. Kothari, All rights reserved.1 Efficient Debugging CPRE 556 Lecture 19.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University IWPSE 2003 Program.
Seminar of “Virtual Machines” Course Mohammad Mahdizadeh SM. University of Science and Technology Mazandaran-Babol January 2010.
Software Engineering Research Group, Graduate School of Engineering Science, Osaka University A Slicing Method for Object-Oriented Programs Using Lightweight.
Fast Reproducing Web Application Errors Jie Wang, Wensheng Dou, Chushu Gao, Jun Wei Institute of Software Chinese Academy of Sciences
Yongjian HuTanzirul Azim Iulian Neamtiu Improving the Android Development Lifecycle with the VALERA Record-and- replay Approach.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Binary Concolic Execution for Automatic Exploit Generation Todd Frederick.
Thread basics. A computer process Every time a program is executed a process is created It is managed via a data structure that keeps all things memory.
31 Oktober 2000 SEESCOASEESCOA STWW - Programma Work Package 5 – Debugging Task Generic Debug Interface K. De Bosschere e.a.
Pruning Dynamic Slices With Confidence Original by: Xiangyu Zhang Neelam Gupta Rajiv Gupta The University of Arizona Presented by: David Carrillo.
Execution Replay and Debugging. Contents Introduction Parallel program: set of co-operating processes Co-operation using –shared variables –message passing.
Flashback : A Lightweight Extension for Rollback and Deterministic Replay for Software Debugging Sudarshan M. Srinivasan, Srikanth Kandula, Christopher.
Agenda  Quick Review  Finish Introduction  Java Threads.
Reachability Testing of Concurrent Programs1 Reachability Testing of Concurrent Programs Richard Carver, GMU Yu Lei, UTA.
Automated Adaptive Bug Isolation using Dyninst Piramanayagam Arumuga Nainar, Prof. Ben Liblit University of Wisconsin-Madison.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat.
Kendo: Efficient Deterministic Multithreading in Software M. Olszewski, J. Ansel, S. Amarasinghe MIT to be presented in ASPLOS 2009 slides by Evangelos.
Qin Zhao1, Joon Edward Sim2, WengFai Wong1,2 1SingaporeMIT Alliance 2Department of Computer Science National University of Singapore
Chapter 3 General-Purpose Processors: Software
Testing and Debugging PPT By :Dr. R. Mall.
Static Slicing Static slice is the set of statements that COULD influence the value of a variable for ANY input. Construct static dependence graph Control.
Microprocessor and Assembly Language
Yongle Zhang, Serguei Makarov, Xiang Ren, David Lion, Ding Yuan
Log20: Fully Automated Optimal Placement of Log Printing Statements under Specified Overhead Threshold Xu Zhao*, Kirk Rodrigues*, Yu Luo*, Michael Stumm*,
Program Slicing Baishakhi Ray University of Virginia
CPRE 416-Software Evolution and Maintenance-Lecture 11
Dynamic Binary Translators and Instrumenters
Presentation transcript:

DrDebug: Deterministic Replay based Cyclic Debugging with Dynamic Slicing Yan Wang *, Harish Patil **, Cristiano Pereira **, Gregory Lueck **, Rajiv Gupta *, and Iulian Neamtiu * * University of California Riverside ** Intel Corporation

Cyclic Debugging for Multi-threaded Programs Mozilla developer Bug report Id: Observe program state/ reach failure Fast-forward to the buggy region Program binary + input Form/Refine a hypothesis about the cause of the bug Buggy Region: only 12% of total execution Long time taken by fast-forwarding ver # of instructions in buggy region: 999,997 Difficult to locate bug among them Non-deterministic execution, difficult to reproduce Data race on variable rt->scriptFilenameTable T0 T1T2

Key Contributions of DrDebug  Execution Region  Only capture execution of buggy region  Avoid fast forwarding  Execution Slice  Only capture bug related execution  Single-step slice in a live debugging session Cyclic Debugging Based on Deterministic Replay of Execution Region and Execution Slice Results: # of instructions in execution region vs. whole program execution: 0.04%— 14.3% for bugs in 3 real-world programs # of instructions in execution slice vs. execution region: 0.01%—47.2% for bugs in 3 real-world programs, and only 41% on average for PARSEC T1T2 Region

DrDebug Program binary + input Observe program state/ reach failure Form/Refine a hypothesis about the cause of the bug Only Capture Bug Related Program Execution DrDebug – Deterministic replay based Debugging slice pinball Cyclic Debugging Based on Replay of Execution Slice Benefits: Only need fast- forwarding once Deterministic program execution Single-step bug- related statements

PinPlay in DrDebug PinPlay [Patil et. al., CGO’10] is a record/replay system, using the Pin dynamic instrumentation system. Logger Program binary + input region pinball Captures the non-deterministic events of the execution of a (buggy) region Replayer region pinball Program Output Deterministically repeat the captured execution Relogger pinball region pinball Relog execution—exclude the execution of some code regions

T2T1 Region Replay Efficiency using Execution Region region pinball

T1T2 region pinball compute slice Location Efficiency via Dynamic Slicing Dynamic slicing identifies bug related executed statement

T1T2 region pinball compute slice Replaying Execution Region and Dynamic Slicing slice pinball Excluded Code Region

T1T2 slice pinball execute slice Replaying Execution Slice Inject value Prior work: post-mortem analysis

Computing Dynamic Slicing for Multi-threaded Programs  Collect Per Thread Local Execution Traces  Construct the Combined Global Trace Shared Memory Access Order Topological Order  Compute Dynamic Slice by Backwards Traversing the Global Trace Adopted Limited Preprocessing (LP) algorithm [Zhang et al., ICSE’03] to speed up the traversal of the trace

Dynamic Slicing a Multithreaded Program 1 1 {x} {} 2 1 {z} {x} 5 1 {m} {x} 3 1 {w} {y} Def-Use Trace for T1 4 1 {w}{w} 6 1 {x} {m} Def-Use Trace for T {k} {y} 8 1 {j} {y} 9 1 {j} {z,j} 11 1 {k,x} {} 12 1 {k}{k,x} 13 1 {k} {} 7 1 {y} {} x x y x z shared memory access order fox x x program order Per Thread Traces and Shared Memory Access Order T1T2 1x=5; 2 z=x; 3 int w=y; 4 w=w-2; 5 int m=3*x; 6 x=m+2; 7 y=2; 8 int j=y + 1; 9 j=z + j; 10 int k=4*y; 11 if (k>x){ 12 k=k-x; 13 assert(k>0); } Example Code int x, y, z; wrongly assumed atomic region

Dynamic Slicing a Multithreaded Program 7 1 {y} {} 8 1 {j} {y} 9 1 {j} {z,j} 10 1 {k} {y} 11 1 {k,x} {} 3 1 {w} {y} 4 1 {w} {w} 5 1 {m} {x} 6 1 {x} {m} 1 1 {x} {} 2 1 {z} {x} 12 1 {k} {k,x} 13 1 {k} {} T1 T2 T1 Global Trace 5 1 m=3*x 11 1 if(k>x) 12 1 k=k-x 13 1 assert(k>0) 6 1 x=m y=2 CD x k m 1 1 x= k=4*y x x k y slice criterion root cause Slice for k at 13 1 should read (depend on) the same definition of x

Execution Slice Example 10 1 k=4*y 11 1 if (k>x) 12 1 k=k-x 13 1 assert(k>0) T1T2 5 1 m=3*x 6 1 x=m x=5 7 1 y=2 inject j=8 z=5 w=0 inject Injecting Values During Replay 8 1 j=y j=z + j 10 1 k=4*y 11 1 if (k>x) 12 1 k=k-x 13 1 assert(k>0) T1T2 5 1 m=3*x 6 1 x=m x=5 2 1 z=x 3 1 w=y 4 1 w=w y=2 Code Exclusion Regions Only Bug Related Executions (e.g., root cause, failure point) are Replayed and Examined to Understand and Locate bugs.  Prior works-- postmortem analysis  Execution Slice – single-stepping/examining slice in a live debugging session

Improved Dynamic Dependence Precision  Dynamic Control Dependence Precision Indirect jump (switch-case statement): Inaccurate CFG  missing Control Dependence Refine CFG with dynamically collected jump targets  Dynamic Data Dependence Precision Spurious dependence caused by save/restore pairs at the entry/exit of each function Identify save/restore pairs and bypass data dependences

Control Dependences in the Presence of indirect jump 1P(FILE* fin, int d){ 2 int w; 3 char c=fgetc(fin); 4 switch(c){ 5 case 'a': /* slice criterion */ 6 w = d + 2; 7 break; 8 … 11} C Code 3call fgetc mov %al,- 0x9(%ebp) 4... mov 0x (,%eax,4),%eax jmp *%eax 6 mov 0xc(%ebp),%eax add $0x2,%eax mov %eax,-0x10(%ebp) 7 jmp 80485c88... Assembly Code Inaccurate CFG Causing Missed Control Dependence 6 1 : w=d+2 Imprecise Slice for w at line : c=fgetc(fin) 4 1 : switch(c) 6 1 : w=d+2 ‘a’ c CD Capture Missing Control Dependence due to indirect jump

Improve Dynamic Control Dependence Precision  Implement a static analyzer based on Pin's static code discovery library -- this allows DrDebug to work with any x86 or Intel64 binary.  We construct an approximate static CFG and as the program executes, we collect the dynamic jump targets for the indirect jumps and refine the CFG by adding the missing edges.  The refined CFG is used to compute the immediate post- dominator for each basic block

Spurious Dependences Example 1P(FILE* fin, int d){ 2 int w, e; 3 char c=fgetc(fin); 4 e= d + d; 5 if(c=='t') 6 Q(); 7 w=e; /* slice criterion */ 8 } 9Q() 10 { } C Code 3 call fgetc mov %al,-0x9(%ebp) 4 mov 0xc(%ebp),%eax add %eax,%eax 5 cmpb $0x74,-0x9(%ebp) jne d 6 call Q d 7 mov %eax,-0x10(%ebp) 9 Q() 10 push %eax pop %eax Assembly Code save/restore pair Spurious Data/Control Dependence

Spurious Dependences Example 7 1 : w = e mov %eax, -0x10(%ebp) 4 1 : e = d+d add %eax, %eax e Refined Slice 3 1 : c=fgetc(fin) 5 1 : if(c==‘t’) 121: pop %eax ‘t’ c 7 1 : w = e mov %eax, -0x10(%ebp) 10 1 : push %eax 4 1 : e = d+d add %eax, %eax CD eax e Imprecise Slice for w at line 7 1 Bypass data dependences caused by save/restore pairs True Definition of eax

Integration with Maple  Maple [Yu et al. OOPSLA’12] is a thread interleaving coverage-driven testing tool. Maple exposes untested thread interleaving as much as possible.  We changed Maple to optionally do PinPlay-based logging of the buggy execution it exposes.  We have successfully recorded multiple buggy executions and replayed them using DrDebug.

Slice Criterion DrDebug GUI showing a dynamic slice

Data Race bugs used in our Case Studies Program NameBug Description pbzip A data race on variable fifo  mut between main thread and the compressor threads Aget-0.57A data race on variable bwritten between downloader threads and the signal handler thread Mozilla-1.9.1A data race on variable rt  scriptFilenameTable. One thread destroys a hash table, and another thread crashes in js_SweepScriptFilenames when accessing this hash table Quantify the buggy execution region size for real bugs. Time and space overhead of DrDebug are reasonable for real bugs.

Time and Space Overheads for Data Race Bugs with Buggy Execution Region Program Name #ins(%ins in region vs. whole) #ins in slice pinball (%ins in slice vs. region pinball) Logging Overhead Replay Time (sec) Slicing Time (sec) Time (sec) Space (MB) Pbzip2 (0.9.4) 11,186 (0.04%) 1,065 (9.5%) Aget (0.57) 108,695 (14.3%) 51,278(47.2%) Mozilla (1.9.1) 999,997 (12.2%) 100 (0.01%) Buggy region size ~ 1M # of instructions in execution region vs. whole program execution: 0.04%— 14.3% for bugs in 3 real-world programs # of instructions in execution slice vs. execution region: 0.01%—47.2% for bugs in 3 real-world programs

Logging Time Overheads with native input

Replay Time Overheads with native input

Execution Slice: replay time with native input 36%

Conclusions A working debugger with a graphical user interface that allows cyclic debugging based on replay of pinballs for multi-threaded programs Support for recording: execution regions and dynamic slices Execution of dynamic slices for improved bug localization and replay efficiency Backward navigation of a dynamic slice along dependence edges with Kdbg based GUI Results: # of instructions in execution slice vs. execution region: 0.01%—47.2% for bugs in 3 real-world programs, and only 41% on average for PARSEC

Backup

Time and Space Overheads for Data Race Bugs with Whole Execution Region Program Name #executed ins #ins in slice pinball (%ins in slice pinball) Logging Overhead Replay Time (sec) Slicing Time (sec) Time (sec) Space (MB) pbzip230,260,30011,152 (0.04%) Aget761,59279,794 (10.5%) Mozilla8,180, ,496 (9.9%) ,200.4

Logging Time Overheads

Replay Time Overheads

Removal of Spurious Dependences: slice sizes