Presentation is loading. Please wait.

Presentation is loading. Please wait.

RDE: Replay DEbugging for Diagnosing Production Site Failures

Published byVirgil Morgan Modified over 6 years ago

Similar presentations

Presentation on theme: "RDE: Replay DEbugging for Diagnosing Production Site Failures"— Presentation transcript:

1 RDE: Replay DEbugging for Diagnosing Production Site Failures
Peipei Wang1, Hiep Nguyen2, Xiaohui (Helen) Gu1, Shan Lu3 North Carolina State University1 Google Inc.2 University of Chicago3

2 Motivation Reproducing production site failures is difficult Cannot
Lack environment information (e.g., user inputs, configuration files) Miss interacting components (e.g., storage, third-party libraries) Cannot replay Bug report Production Site Development Site

3 The State of the Art Record and reply High overhead Privacy concerns
Deployment challenges Development site Production site Partial record and reply---privacy

4 Onsite Failure Path Inference
Our Approach Production site Onsite Failure Path Inference [Insight ATC14] Application binary Environment information Inferred failure path Development site Failure-triggering input Overall framework RDE Debugger source code Developer

5 Background Insight: In-situ Online Service Failure Path Inference [Hiep et al ATC`14] Onsite failure path inference within the production environments Leverage production environment clues (e.g., configuration files, console logs, system call traces) Dynamic shadow server creation----Decouple analysis from the production run When we say “Onsite”, we mean it collects runtime system call sequences

6 Onsite Failure Path Inference
Input: console log 1 log (“Checking request state in database”); 2 = database_select ( $select_statement ); 3 if ( ( ) == 0 ) { log (“0 rows returned from request state select statement, request was probably deleted, returning 0” ); return 0; 6 }else{ if ( ( ) > 1 ) { log (“More than 1 row returned from request state select statement, returning 0” ); return 0; }else{ log (“Start processing reservation”); } 13 } Checking request state in database Start processing reservation True False Unmatched 1 False True True False Don’t need to read all points Unmatched 2 True False Matched Output: inferred failure path

7 Failure Reproduction Challenge
Infeasible path problem Original failure-triggering user input is unavailable Insufficient guidance during onsite failure path inference Solution Find a similar feasible path bool make_dir_parents ( … ) …. if((parent_mode & WX_USR)…){ re_protect = true; }else{ re_protect = false; } if(re_protect){ …. } 1 This example is the example of infeasible inferred path: the bug for mkdir It is a infeasible path because path constraint solver could not find correct value for re_protect Both branches have no log messages. So both branches could be flippable True False re_protect = true; 2 True False

8 Guided Symbolic Execution
Console log This is branch 1 Function end void example (int a){ if (a>=2){ log(“This is branch 1”); b=10; } if (a<=2 && b>7){ c=1; }else{ c=2; log(“Function end”); 1 True False 2 True False Concrete: determined condition value Explored: undetermined condition value Non-flippable branches Flippable branches

9 Input Synthesis with Symbolic Execution
A symbolic execution path void foo (int a){ 1: if (a>=2) 2: … //do something 3: if (a<=2) 4: //do something 5: } Input: a=2 1 True False 2 True False Code line number: 1, 2, 3, 4 Don’t need to read all points Path constraints: a>=2 and a<=2

10 Implementation Symbolic execution engine Path alignment
KLEE [Cadar et al. OSDI 2008] Path alignment Branch mapping of the binary and the LLVM bitcode. Same compiler, similar code block layout, same branch order Path alignment is because binary and bit-code using different code block layout Binary: if true jump to higher address Bitcode: if false jump to lower address

11 Evaluation Benchmarks
System name LOC Failure path length Num. of console log messages Num. of system calls Successfully reproduced ? Num. of functions Num. of branches mkdir 400 2 42 202 YES rmdir 200 23 3 198 ln 600 43 186 touch 500 1 7 188 cp 1900 13 116 199 Alternative input:: a different input but of the same type as the original input

12 Guided Symbolic Execution Complexity
Distance of call path between original path and RDE produced path Distance of branch level between original path and RDE produced path Traversed number of paths in RDE

13 Guided Symbolic Execution Time
Failure name Inferred path setting Path alignment Input synthesis mkdir Original input Alternative input 0.9 ± 0.1 s 0.9 ± 0.2 s 2.3 ± 0.4 s 2.3 ± 0.3 s rmdir 0.8 ± 0.1 s 1.8 ± 0.2 s 1.8 ± 0.3 s ln 1.0 ± 0.1 s 3.2 ± 0.4 s 3.2 ± 0.5 s touch 1.1 ± 0.1 s 1.2 ± 0.2 s 2.1 ± 0.3 s 2.2 ± 0.3 s cp 3.8 ± 0.4 s 3.9 ± 0.3 s Alternative input is the same input of the original input, but different value

14 Related Work Failure input synthesis ESD [Zamfir et al. EUROSYS 2010]
Extract failure points from core dumps and use static control flow analysis to narrow down the symbolic execution space RDE handles non-crashing failures and use runtime inferred failure path to speedup the symbolic execution Better Bug Reporting [Castro et al. ASPLOS 2008] Use symbolic execution along the known failure path to synthesize a set of inputs that are different from the original one. RDE does not require exact failure path or any user input Don’t need to read all points

15 Related Work Guided symbolic execution
Pathfinder [Pasareanu and Rungta ASE 2015] Limits the loop iterations and recursions of symbolic execution for Java code. Fitnex [Xie et al. DSN 2009] Use a fitness function to measure the distance between a feasible path and a particular target Different approaches to alleviate the space explosion problem of symbolic execution Fitness values measure the distance between a feasible path and a particular target

16 Limitation & Future work
Prohibitive symbolic execution overhead in library calls such as libc Record exact path within library functions Require symbolic execution engine to support production library Support multi-process and multithreaded applications KLEE does not support multi-process or multithreaded applications Integrate with CLOUD9 [Bucur EUROSYS`2011] Could not use function call branches to guide symbolic execution into library function

17 Conclusion RDE: Replay debugging for diagnosing production site failures Reproduce production-site failure execution at the development site using inferred failure path Provide guided symbolic execution exploration to synthesize failure-triggering user inputs. Don’t need to read all points Thank you!

Download ppt "RDE: Replay DEbugging for Diagnosing Production Site Failures"

Similar presentations

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Automatic test case generation for programs that are coded against interfaces and annotations or use native code Mainul Islam Supervisor: Dr. Christoph.

Automatic test case generation for programs that are coded against interfaces and annotations or use native code Mainul Islam Supervisor: Dr. Christoph.
Mahadevan Subramaniam and Bo Guo University of Nebraska at Omaha An Approach for Selecting Tests with Provable Guarantees.

Mahadevan Subramaniam and Bo Guo University of Nebraska at Omaha An Approach for Selecting Tests with Provable Guarantees.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.

Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
Continuously Recording Program Execution for Deterministic Replay Debugging.

Continuously Recording Program Execution for Deterministic Replay Debugging.
Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.

Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.

CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.
Presenter: Chi-Hung Lu 1. Problems Distributed applications are hard to validate Distribution of application state across many distinct execution environments.

Presenter: Chi-Hung Lu 1. Problems Distributed applications are hard to validate Distribution of application state across many distinct execution environments.
1 Guide to JSP common functions 1.Including the libraries as per a Java class, e.g. not having to refer to java.util.Date 2.Accessing & using external.

1 Guide to JSP common functions 1.Including the libraries as per a Java class, e.g. not having to refer to java.util.Date 2.Accessing & using external.
Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.

Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.

Similar presentations

Ads by Google