Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Valgrind A Framework for Heavyweight Dynamic Binary Instrumentation Nicholas Nethercote — National ICT Australia Julian Seward — OpenWorks LLP.

Published byLeonard Warner Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Valgrind A Framework for Heavyweight Dynamic Binary Instrumentation Nicholas Nethercote — National ICT Australia Julian Seward — OpenWorks LLP."— Presentation transcript:

1 1 Valgrind A Framework for Heavyweight Dynamic Binary Instrumentation Nicholas Nethercote — National ICT Australia Julian Seward — OpenWorks LLP

2 2 FAQ #1 How do you pronounce “Valgrind”? “Val-grinned”, not “Val-grined” Don’t feel bad: almost everyone gets it wrong at first

3 3 DBA tools Program analysis tools are useful –Bug detectors –Profilers –Visualizers Dynamic binary analysis (DBA) tools –Analyse a program’s machine code at run-time –Augment original code with analysis code

4 4 Building DBA tools Dynamic binary instrumentation (DBI) –Add analysis code to the original machine code at run-time –No preparation, 100% coverage DBI frameworks –Pin, DynamoRIO, Valgrind, etc. ToolFramework Tool plug-in +=

5 5 Prior work Potential of DBI has not been fully exploited –Tools get less attention than frameworks –Complex tools are more interesting than simple tools Well-studiedNot well-studied Framework performance Instrumentation capabilities Simple toolsComplex tools

6 6 Shadow value tools

7 7 Shadow value tools (I) Shadow every value with another value that describes it –Tool stores and propagates shadow values in parallel Tool(s)Shadow values help find... MemcheckUses of undefined values AnnelidArray bounds violations HobbesRun-time type errors TaintCheck, LIFT, TaintTrace Uses of untrusted values “Secret tracker”Leaked secrets DynCompBInvariants ReduxDynamic dataflow graphs security bugs propertie s

8 8 Memcheck Shadow values: defined or undefined 30 undefined value bugs found in OpenOffice Original operationShadow operation int* p = malloc(4)sh(p) = undefined R1 = 0x12345678sh(R1) = defined R1 = R2sh(R1) = sh(R2) R1 = R2 + R3sh(R1) = add sh (R2, R3) if R1==0 then goto Lcomplain if sh(R1) is undefined

9 9 Shadow value tools (II) All shadow value tools work in the same basic way Shadow value tools are heavyweight tools –Tool’s data + ops are as complex as the original programs’s Shadow value tools are hard to implement –Multiplex real and shadow registers onto register file –Squeeze real and shadow memory into address space –Instrument most instructions and system calls

10 10 Valgrind basics

11 11 Valgrind Software –Free software (GPL) –{x86, x86-64, PPC}/Linux, PPC/AIX Users –Development: Firefox, OpenOffice, KDE, GNOME, MySQL, Perl, Python, PHP, Samba, RenderMan, Unreal Tournament, NASA, CERN –Research: Cambridge, MIT, Berkeley, CMU, Cornell, UNM, ANU, Melbourne, TU Muenchen, TU Graz Design –Heavyweight tools are well supported –Lightweight tools are slow

12 12 Two unusual features of Valgrind

13 13 #1: Code representation C&A Copy- and- annotat e analysis code asm out descriptionsasm in annotate interleave instrument copy D&R Disassemble - and- resynthesize (Valgrind) instrument IR asm out asm in disassemble resynthesize

14 14 Pros and cons of D&R Cons: Lightweight tools –Framework design and implementation effort –Code translation cost, code quality Pros: Heavyweight tools –Analysis code as expressive as original code –Tight interleaving of original code and analysis code –Obvious when things go wrong! wrong behaviour wrong analysis correct behaviour bad descriptions bad IR D&RC&A

15 15 Other IR features Writing complex inline analysis code is easy FeatureBenefit First-class shadow registers As expressive as normal registers Typed, SSACatches instrumentation errors RISC-likeFewer cases to handle Infinitely many temporaries Never have to find a spare register

16 16 #2: Thread serialisation Shadow memory: memory accesses no longer atomic –Uni-processors: thread switches may intervene –Multi-processors: real/shadow accesses may be reordered Simple solution: serialise thread execution! –Tools can ignore the issue –Great for uni-processors, slow for multi- processors...

17 17 Performance

18 18 SPEC2000 Performance (*) LIFT limitations: –No FP or SIMD programs –No multi-threaded programs –32-bit x86 code on 64-bit x86 machines only Valgrind, no-instrumentation 4.3x Pin/DynRIO, no- instrumentation ~1.5x Memcheck 22.1x (7-- 58x) Most other shadow value tools 10--180x LIFT 3.6x (*)

19 19 Post-performance Only Valgrind allows robust shadow value tools –All robust ones built with Valgrind or from scratch Perception: “Valgrind is slow” –Too simplistic –Beware apples-to-oranges comparisons –Different frameworks have different strengths

20 20 Future of DBI

21 21 The future Interesting tools! –Memcheck changed many C/C++ programmer’s lives –Tools don’t arise in a vacuum What do you want to know about program execution? –Think big! –Don’t worry about being practical at first

22 22 If you remember nothing else...

23 23 Take-home messages Heavyweight tools are interesting Each DBI framework has its pros and cons Valgrind supports heavyweight tools well www.valgrind.or g

24 24 (Extra slides)

25 25 The past: performance Influenced by Dynamo: dynamic binary optimizer Everyone in research focuses on performance –No PLDI paper ever got rejected for focusing on performance “The subjective issues are important — ease of use and robustness, but performance is the item which would be most interesting for the audience.” (my italics) Slow tools are ok, if sufficiently useful

26 26 Shadow value requirements Requirements: –(1) Shadow all state –(2) Instrument operations that involve state –(3) Produce extra output without disturbing execution

27 27 Robustness Q. How many programs can Valgrind run? –A. A lot Valgrind is robust, Valgrind tools can be SPEC2000 is not a good stress test! –Reviewer: “If the authors want to claim that their tool is to be used in real projects, then they would need to evaluate their tools using the reference inputs for the SPEC CPU2K benchmarks.”

Download ppt "1 Valgrind A Framework for Heavyweight Dynamic Binary Instrumentation Nicholas Nethercote — National ICT Australia Julian Seward — OpenWorks LLP."

Similar presentations

Intro to C#. Programming Coverage Methods, Classes, Arrays Iteration, Control Structures Variables, Expressions Data Types.

Intro to C#. Programming Coverage Methods, Classes, Arrays Iteration, Control Structures Variables, Expressions Data Types.
Software & Services Group PinPlay: A Framework for Deterministic Replay and Reproducible Analysis of Parallel Programs Harish Patil, Cristiano Pereira,

Software & Services Group PinPlay: A Framework for Deterministic Replay and Reproducible Analysis of Parallel Programs Harish Patil, Cristiano Pereira,
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.

An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.
Anshul Kumar, CSE IITD CSL718 : VLIW - Software Driven ILP Hardware Support for Exposing ILP at Compile Time 3rd Apr, 2006.

Anshul Kumar, CSE IITD CSL718 : VLIW - Software Driven ILP Hardware Support for Exposing ILP at Compile Time 3rd Apr, 2006.
Dr. Ken Hoganson, © August 2014 Programming in R COURSE NOTES 2 Hoganson Language Translation.

Dr. Ken Hoganson, © August 2014 Programming in R COURSE NOTES 2 Hoganson Language Translation.
ECE 454 Computer Systems Programming Compiler and Optimization (I) Ding Yuan ECE Dept., University of Toronto

ECE 454 Computer Systems Programming Compiler and Optimization (I) Ding Yuan ECE Dept., University of Toronto
Comprehensive Kernel Instrumentation via Dynamic Binary Translation Peter Feiner, Angela Demke Brown, Ashvin Goel University of Toronto Presenter: Chuong.

Comprehensive Kernel Instrumentation via Dynamic Binary Translation Peter Feiner, Angela Demke Brown, Ashvin Goel University of Toronto Presenter: Chuong.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.

Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.

Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
October - December 2013CSC5021: The Problem With Aspects (J P Gibson)1 The Problem With Aspects (AOP) A style of programming that attempts to abstract.

October - December 2013CSC5021: The Problem With Aspects (J P Gibson)1 The Problem With Aspects (AOP) A style of programming that attempts to abstract.
“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.

“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
1 COMP 206: Computer Architecture and Implementation Montek Singh Mon, Dec 5, 2005 Topic: Intro to Multiprocessors and Thread-Level Parallelism.

1 COMP 206: Computer Architecture and Implementation Montek Singh Mon, Dec 5, 2005 Topic: Intro to Multiprocessors and Thread-Level Parallelism.
Microprocessors Introduction to ia64 Architecture Jan 31st, 2002 General Principles.

Microprocessors Introduction to ia64 Architecture Jan 31st, 2002 General Principles.
Dynamic Program Analysis Xiangyu Zhang. 2 CS510 S o f t w a r e E n g i n e e r i n g Introduction Dynamic program analysis is to solve problems regarding.

Dynamic Program Analysis Xiangyu Zhang. 2 CS510 S o f t w a r e E n g i n e e r i n g Introduction Dynamic program analysis is to solve problems regarding.
Code Generation CS 480. Can be complex To do a good job of teaching about code generation I could easily spend ten weeks But, don’t have ten weeks, so.

Code Generation CS 480. Can be complex To do a good job of teaching about code generation I could easily spend ten weeks But, don’t have ten weeks, so.
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Similar presentations

Ads by Google