TDB: A Source-level Debugger for Dynamically Translated Programs
Naveen Kumar, Bruce Childers
Department of Computer Science, University of Pittsburgh, Pittsburgh, Pennsylvania 15260
{naveen, childers}@cs.pitt.edu
Mary Lou Soffa
Department of Computer Science, University of Virginia, Charlottesville, Virginia 22904
[email protected]

New execution vehicle
New execution vehicle for:
– software security, bug isolation, simulations, dynamic optimizations
Software Dynamic Translation (SDT)
– A layer between application program and the host machine
– Intercepts and modifies instructions before they execute
[Figure: Application Binary, Dynamic Translator, CPU]
Goal: Debug the Application transparent to SDT

Challenges to debugging
Static debug information is inconsistent
– Code is generated and modified during execution
– Code duplication at run-time
Transparency of dynamic translation
– Hide the SDT system
– Hide the effects of dynamic translation (code modifications) on the translated code

Our approach
A debug architecture for debugging dynamically translated programs
Dynamic debug mappings
– Relate untranslated code with translated code
– Techniques to generate these mappings at run-time for different kinds of translation operations
Extensibility: support different uses of SDT

Outline
– Background
– Debug Architecture
– Debug Mappings
– Implementation
– Experimental Results
– Summary

Background
Software Dynamic Translation (SDT)
Primary tasks
– Fetch application instructions
– Decode
– Translate (modify/instrument)
– Emit translated code into a code cache
[Figure: Application Binary; SDT stages Fetch, Decode, Translate, Next PC, Emit; Code Cache; Host CPU]

SDT Direct Execution & Cache
– Regular Operation: One instruction translates into exactly one translated instruction
– Many Operation: One instruction results in more than one instruction
– Delete Operation: Translation of an instruction results in zero instructions in code cache
– Trampoline Operation: Translation of a branch results in a set of instructions to invoke translator
[Figure: Program Code, Translator and Code Cache, with the example instructions ld [ %o1 ], %o0; call 0x26a70c; nop; sethi hi(0x50400),%o7; or %o7, 0x288, %o7; be 0x26a77c; mov %g0, %o0 and a branch trampoline; arrows labelled fetch fragment, execute fragment, re-enter]
Fetch code fragment until end of fragment condition
Execute code fragment until branch trampoline

Debug Architecture
[Figure: Native Debugger; Debug Engine (Mapper, Mapping Generator, Mapping Repository, Breakpoint Manager, Breakpoint Repository); Application; SDT System; Code Cache]

Debug Engine
[Figure: Debug Engine components: Mapper, Mapping Generator, Mapping Repository, Breakpoint Manager, Breakpoint Repository]
Flows shown in the figure:
– Translation information from SDT system
– mapAddress or writeValue from Native Debugger
– insert or delete breakpoints
– Read/Write into Code Cache
– Breakpoint Exception
– Notify native debugger

Dynamic Debug Mappings
Debug engine generates and uses debug information in terms of mappings
Mappings used to implement debug commands
Mapping types
– U-T: untranslated code with translated code
– T-T: translated code with translated code
– T-U: translated code with untranslated code
The mappings are generated based upon the kind of translation operation (regular, many etc.)

Regular Operation (copy an instruction to code cache)
Program locations
  50684: ld [ %o1 ], %o0
  50688: call 0x26a70c
  5068c: nop
  26a70c: mov %o0, %o1
  26a710: andcc %o1,3,%o3
  26a714: be 0x26a77c
  26a718: mov %g0, %o0
  . .
Translated locations
  f1800c8: ld [ %o1 ], %o0
U-T Mappings
  1. 50684 {f1800c8}
Uses:
  1. Determine code cache location for inserting a breakpoint
  2. Determine untranslated location for PC, when a breakpoint is hit
[Figure: untranslated location u, translated location t, U-T mapping]

Many Operation (translate an instruction into multiple instructions)
Program locations
  50684: ld [ %o1 ], %o0
  50688: call 0x26a70c
  5068c: nop
  26a70c: mov %o0, %o1
  26a710: andcc %o1,3,%o3
  26a714: be 0x26a77c
  26a718: mov %g0, %o0
  . .
Translated locations
  f1800c8: ld [ %o1 ], %o0
  f1800cc: sethi hi(0x50400),%o7
  f1800d0: or %o7, 0x288, %o7
U-T Mappings
  1. 50684 {f1800c8}
  2. 50688 {f1800cc}
T-T Mappings
  3. f1800d0 {f1800d4}
Uses: “Skip past” the execution of each additional instruction (e.g. t2 & t3 in the adjoining figure are never visible to the native debugger)
[Figure: untranslated locations, translated locations t1 to t4, U-T and T-T mappings]

Other Operations
Program locations
  50684: ld [ %o1 ], %o0
  50688: call 0x26a70c
  5068c: nop
  26a70c: mov %o0, %o1
  26a710: andcc %o1,3,%o3
  26a714: be 0x26a77c
  26a718: mov %g0, %o0
  . .
Translated locations
  f1800c8: ld [ %o1 ], %o0
  f1800cc: sethi hi(0x50400),%o7
  f1800d0: or %o7, 0x288, %o7
  f1800d4: mov %o0, %o1
  f1800d8: andcc %o1, 3, %o3
  f1800dc: be 0xff180104
  f1800e0: mov %g0, %o0
  f1800e4: save %sp, -96, %sp
  . .
U-T Mappings
  1. 50684 {f1800c8}
  2. 50688 {f1800cc}
  4. 5068c {f1800d4}
  5. 26a70c {f1800d4}
  6. 26a710 {f1800d8}
  7. 26a714 {f1800dc}
  8. 26a718 {f1800e0}
T-T Mappings
  3. f1800d0 {f1800d4}
T-P Mappings
  9. f1800e4 {26a77c}
Other operations include:
  1. Delete, Trampoline
  2. Overhead reduction operations
  3. Dynamic instrumentation
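
The two uses of the mappings listed on the slides (finding the code cache location for a breakpoint, and reporting an untranslated PC while skipping instructions the translator added), as an added example that is not TDB's own code. The tables are copied from the "Other Operations" slide; the function names and the choice to return every program address that shares a code cache location are assumptions.

```c
#include <stdio.h>
#include <stddef.h>

typedef struct { unsigned long from, to; } map_t;   /* from -> to */

/* U-T mappings 1, 2, 4-8 from the "Other Operations" slide. */
static const map_t UT[] = {
    {0x50684, 0xf1800c8}, {0x50688, 0xf1800cc}, {0x5068c, 0xf1800d4},
    {0x26a70c, 0xf1800d4}, {0x26a710, 0xf1800d8}, {0x26a714, 0xf1800dc},
    {0x26a718, 0xf1800e0},
};
/* T-T mapping 3: instruction added by a "many" operation -> next visible one. */
static const map_t TT[] = { {0xf1800d0, 0xf1800d4} };
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Use 1: code cache address at which to plant a breakpoint (0 = no mapping). */
unsigned long cache_addr_for_breakpoint(unsigned long uaddr) {
    for (size_t i = 0; i < N(UT); i++)
        if (UT[i].from == uaddr) return UT[i].to;
    return 0;
}

/* Follow T-T mappings past added instructions; the hop bound stops a cyclic table. */
unsigned long skip_hidden(unsigned long taddr) {
    for (size_t hops = 0; hops < N(TT); hops++) {
        size_t i = 0;
        while (i < N(TT) && TT[i].from != taddr) i++;
        if (i == N(TT)) break;
        taddr = TT[i].to;
    }
    return taddr;
}

/* Use 2: program address(es) for a code cache PC. Returns the number of matches
   and stores up to max of them (assumed policy: report every candidate). */
size_t untranslated_pcs(unsigned long taddr, unsigned long *out, size_t max) {
    size_t n = 0;
    taddr = skip_hidden(taddr);
    for (size_t i = 0; i < N(UT); i++)
        if (UT[i].to == taddr) { if (n < max) out[n] = UT[i].from; n++; }
    return n;
}

int main(void) {
    unsigned long pcs[4];
    size_t n = untranslated_pcs(0xf1800d0, pcs, 4);
    printf("break at 0x26a710 -> code cache 0x%lx\n", cache_addr_for_breakpoint(0x26a710));
    for (size_t i = 0; i < n && i < 4; i++)
        printf("stop at 0xf1800d0 is reported as 0x%lx\n", pcs[i]);
    return 0;
}
```

In the slide's table, 5068c and 26a70c both map to f1800d4, so a reverse lookup from the code cache has two candidates there.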

TDB
Reference implementation of Debug Architecture
GDB as the Native Debugger
– Supports all source-level commands in GDB
SDT system Strata
– Basic translation operations (regular, many, delete, tramp)
– Overhead reduction techniques
– Dynamic instrumentation
Also used by Intel for their Pin SDT system

Layout of the Debug Engine
[Figure labels: Native Debugger; GDB process space; Debug Engine (Mapper, Breakpoint Manager); Mapping & Breakpoint Repositories; Shared memory; Mapping generator; Strata process space; Application; SDT System]

Experiments
Experiments
– Measured time to execute one breakpoint
– Measured memory overhead
Experimental setup
– Strata-SPARC, GDB 5.3 security policy on invocation of syscalls
– SUN Blade 100, SPECint2000 benchmarks
– Breakpoints set in "hot" functions
Programs run until 10,000 breakpoints hit

Breakpoint Overhead
[Figure: chart of slowdown, gdb and tdb, for vpr, mcf, gcc, gzip, bzip, twolf, vortex]
Cost per breakpoint in GDB: 1
Average cost of breakpoint in Tdb: 1.63

Memory Requirements
[Figure: chart of memory in KB for vpr, mcf, gcc, gzip, bzip, twolf, vortex]
Memory requirement ranges from 56KB to 1.3 MB
– Average of 501KB

Summary
Proposed a debug architecture
– Debug mappings
– Generation and use of mappings
Available for Strata/GDB and Pin/GDB
– Supports all source-level commands and queries
Has minimal performance and memory overheads

For More Information
Please visit http://www.cs.pitt.edu/coco/tdb
University of Pittsburgh
University of Virginia