1 / 17

Dynamic Instrumentation on the IA-64

Dynamic Instrumentation on the IA-64. Todd L Miller tlmiller@cs.wisc.edu Ray Chen rchen@cs.umd.edu. Introduction. Review dynamic instrumentation Introduce IA64 architecture instruction bundles register frames Discuss the effects on inserting instrumentation process control.

nicki
Télécharger la présentation

Dynamic Instrumentation on the IA-64

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dynamic Instrumentationon the IA-64 Todd L Miller tlmiller@cs.wisc.edu Ray Chen rchen@cs.umd.edu

  2. Introduction • Review dynamic instrumentation • Introduce IA64 architecture • instruction bundles • register frames • Discuss the effects on • inserting instrumentation • process control

  3. Dynamic Instrumentation • Parse the binary code • Generate and insert instrumentation • use branches to redirect control flow to instrumentation • save registers to preserve original semantics • Control the process • Inferior RPC: call application (mutatee) functions from the dyninst-based tool (mutator) • Stack walk: acquire set of activation records

  4. Dynamic Instrumentation foo base tramp mini tramp branch save registers pre instrumentation restore registers relocated bundle ... Branching to the base tramp. Saving and restoring registers. Relocating instructions. Executing instrumentation.

  5. Inferior RPCs • Used to start instrumentation if we’re inserting it after it should have begun • An API for triggering functionality in mutatee, including loading libraries. foo start current time stop

  6. Stack Walks • Examine PCs in the activation records to determine if we’re inserting instrumentation after it should have begun. • Necessary to safely delete instrumentation. • Dynamic call-path profiling.

  7. Instruction Bundling foo • Instructions bundled into groups of three. • User-space jumps target these groups. • Processor can be interrupted mid-bundle. ...

  8. Instruction Bundling • Bundles are basic blocks. • Always safe to replace the whole bundle. • Allows us to use 64-bit immediate branches to jump to instrumentation. • Combined, this means we can insert a jump anywhere to instrumentation anywhere. • One bundle could contain three instrumentation points. • Save and restore registers in the base tramp more than once.

  9. Interrupted Bundles • We stop the process to do inferior RPCs. • Insert the function call. • Set the PC to it and continue the process. • Sometimes must stop in mid-bundle. • Instrumentation could start in mid-bundle. • Can’t jump back to the middle.

  10. Interrupted Bundles foo • Interrupt ourselves mid-bundle and have the tool mutator set the PC back. inferior RPC nop nop nop ...

  11. Register Frames • Three kinds of integer registers: • preserved across function calls (local) • call parameters (output) • registers which are neither are inaccessible • A register frame declares the number of each kind of register. • Each function defines its own frame.

  12. Register Frames • Some registers inaccessible • Attempting to read one causes an illegal instruction error. • We must know the register frame to successfully save registers. • Current frame not architecturally accessible.

  13. Saving Registers • We can analyze a function to determine its register frame. • Majority of functions define only one. • We can define a new frame to preserve the function’s registers and free others for the instrumentation. • When we’re done, return the frame to its original setting. • Paradyn’s first use of semantic analysis to improve instrumentation.

  14. IA-64 Stacks • Some registers preserved by processor. • Includes function’s return address. • As a result, the ABI does not require memory stack frames for any function. • A function’s activation record resides in its preserved registers. • Flushed to memory during a context switch. • Register frame sizes vary, and there’s not a previous frame pointer. • ABI does not specify locations for values.

  15. IA-64 Stack Walking • IA-64 binaries require a section that describes the stack structure for each function. • We use libunwind to walk the stack with this information. • This requires no special effort or analysis, and always works. • This is good news: other platforms give us trouble in this area.

  16. Walking Through Instrumentation • Executing instrumentation code creates an activation record. • This record does not correspond to any existing function. • So libunwind can’t walk through it. • We extended a facility originally intended for just-in-time compilers to tell libunwind about our instrumentation.

  17. Conclusion • The port of Dyninst to IA-64 is essentially complete. • We will support multithreaded programs. • I will be demonstrating inferior RPCs and stack walks tomorrow morning.

More Related