Deterministic Replay and Reverse Debugging for QEMU

Similar documents
Instrumenting, Introspection, and Debugging with QEMU

From eventual to strong consistency. Primary-Backup Replication. Primary-Backup Replication. Replication State Machines via Primary-Backup

Abstractions for Practical Virtual Machine Replay. Anton Burtsev, David Johnson, Mike Hibler, Eric Eride, John Regehr University of Utah

Advanced Memory Management

Wind River. All Rights Reserved.

Efficient and Large Scale Program Flow Tracing in Linux. Alexander Shishkin, Intel

ECE 485/585 Microprocessor System Design

Computer Organization & Assembly Language Programming (CSE 2312)

CS 201. Exceptions and Processes. Gerson Robboy Portland State University

Operating System Review

Using the GNU Debugger

Using the GNU Debugger

Status Update About COLO FT

ReVirt: Enabling Intrusion Analysis through Virtual Machine Logging and Replay

Applications of DMTCP for Checkpointing

Acceleration of Virtual Machine Live Migration on QEMU/KVM by Reusing VM Memory

Debugging Applications in Pervasive Computing

Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

The control of I/O devices is a major concern for OS designers

International Journal of Current Research and Modern Education (IJCRME) ISSN (Online): ( Volume I, Issue II, 2016

Operating System: Chap13 I/O Systems. National Tsing-Hua University 2016, Fall Semester

15: OS Scheduling and Buffering

I/O Systems. Amir H. Payberah. Amirkabir University of Technology (Tehran Polytechnic)

Parallel Simulation Accelerates Embedded Software Development, Debug and Test

Module 12: I/O Systems

Autosave for Research Where to Start with Checkpoint/Restart

Samsara: Efficient Deterministic Replay in Multiprocessor. Environments with Hardware Virtualization Extensions

Checkpointing using DMTCP, Condor, Matlab and FReD

Virtualization Overview NSRC

Malware

Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems

Designing Embedded Processors in FPGAs

Chapter 2: Operating-System Structures


Module 12: I/O Systems

Process Description and Control

+ Overview. Projects: Developing an OS Kernel for x86. ! Handling Intel Processor Exceptions: the Interrupt Descriptor Table (IDT)

Chapter 2: Operating-System Structures. Operating System Concepts 9 th Edition

Difference Engine: Harnessing Memory Redundancy in Virtual Machines (D. Gupta et all) Presented by: Konrad Go uchowski

Windows Interrupts

Chapter 13: I/O Systems

Performance Optimization for an ARM Cortex-A53 System Using Software Workloads and Cycle Accurate Models. Jason Andrews

T Jarkko Turkulainen, F-Secure Corporation

Standalone Network Video Recorder

Computing platforms. Design methodology. Consumer electronics architectures. System-level performance and power analysis.

Simulation Based Analysis and Debug of Heterogeneous Platforms

GFS: The Google File System. Dr. Yingwu Zhu

NightStar. NightView Source Level Debugger. Real-Time Linux Debugging and Analysis Tools BROCHURE

Embedded Packet Capture

Samuel T. King, George W. Dunlap, and Peter M. Chen University of Michigan. Presented by: Zhiyong (Ricky) Cheng

CMPE3D02/SMD02 Embedded Systems

Primary-Backup Replication

I/O Design, I/O Subsystem, I/O-Handler Device Driver, Buffering, Disks, RAID January WT 2008/09

CHAPTER 2: SYSTEM STRUCTURES. By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

CSE 4/521 Introduction to Operating Systems. Lecture 24 I/O Systems (Overview, Application I/O Interface, Kernel I/O Subsystem) Summer 2018

Overview of System Virtualization: The most powerful platform for program analysis and system security. Zhiqiang Lin

Qualcomm Snapdragon Profiler

Exercise Session 6 Computer Architecture and Systems Programming

Silberschatz and Galvin Chapter 12

Zhang Chen Zhang Chen Copyright 2017 FUJITSU LIMITED

Input/Output Systems

Chapter 13: I/O Systems

EXPLODE: a Lightweight, General System for Finding Serious Storage System Errors. Junfeng Yang, Can Sar, Dawson Engler Stanford University

Debug for GDB Users. Action Description Debug GDB $debug <program> <args> >create <program> <args>

Chapter 13: I/O Systems

KVM Weather Report. Amit Shah SCALE 14x

by Marina Cholakyan, Hyduke Noshadi, Sepehr Sahba and Young Cha

Introduction to Pintos

From last time. What is the maximum size of a file in bytes? What is the maximum total size of directories and files in a single disk partition?

Chapter 13: I/O Systems

Chapter 13: I/O Systems. Chapter 13: I/O Systems. Objectives. I/O Hardware. A Typical PC Bus Structure. Device I/O Port Locations on PCs (partial)

About Parallels Desktop 11 for Mac

CSCI 350 Pintos Intro. Mark Redekopp

Xen on ARM. How fast is it, really? Stefano Stabellini. 18 August 2014

Input Output (IO) Management

Detection and Resolution of Real-Time Issues using TimeDoctor Embedded Linux Conference

Chapter 2. Operating-System Structures

Ref: Chap 12. Secondary Storage and I/O Systems. Applied Operating System Concepts 12.1

Primary/Backup. CS6450: Distributed Systems Lecture 3/4. Ryan Stutsman

Implementing a GDB Stub in Lightweight Kitten OS

METU Department of Computer Engineering

Computer Organization & Assembly Language Programming (CSE 2312)

_ V Renesas R8C In-Circuit Emulation. Contents. Technical Notes

Chapter 13: I/O Systems. Operating System Concepts 9 th Edition

Chapter 13: I/O Systems

CSI3131 Final Exam Review

RT extensions/applications of general-purpose OSs

EB-51 Low-Cost Emulator

Sangfor adesk v5.1 Feature List

PROCESSES. Jo, Heeseung

Processes. Jo, Heeseung

Decoding Those Inscrutable RCU CPU Stall Warnings

The All-in-one VDI Solution Within Reach. Start

Debugging operating systems with time-traveling virtual machines

Outline. Operating Systems: Devices and I/O p. 1/18

What You Need to Know for Project Three. Dave Eckhardt Steve Muckle

Interrupt/Timer/DMA 1

Problem Set: Processes

Application Fault Tolerance Using Continuous Checkpoint/Restart

Under The Hood: Performance Tuning With Tizen. Ravi Sankar Guntur

Transcription:

Deterministic Replay and Reverse Debugging for QEMU P. Dovgalyuk Novgorod State University Institute for System Programming of the Russian Academy of Sciences

Our projects Working on QEMU projects since 2010 (version 0.13) Software analysis for x86 Deterministic replay Reverse debugging Several upgrades (0.13 0.15 1.0 1.5 2.1) Deterministic replay was presented at CSMR 2012 2

How it works Log recording phase Log replaying phase Virtual machine Contains OS and program for analysis QEMU Log file Nondeterministic events in VM are saved into the external file QEMU Offline analysis tool Results of debugging, trace capturing, taint analysis, and so on Analysis results 3

Deterministic replay applications No intrusion and overhead Profiling Taint analysis Offline dynamic analysis Analysis of the real-time applications Deterministic Replay and reverse debugging Debugging in complex environment Finding Heisenbugs Debugging of new virtual platforms and virtual devices for QEMU 4

Deterministic replay and reverse debugging Supports x86, x64, ARM User interface is the same for all platforms Works on Windows and Linux hosts Whole system debugging Allows debugging system-level code Non-intrusive analysis Debugger does not affect on target program Offline log analysis Suitable for analysis of network and other real-time applications due to the low recording overhead Log file is independent of a host-machine Bug reproducing scenario may be recorded on one machine and replayed on another 5

Replaying the simulator Deterministic part Record CPU RAM Virtual devices Virtual timers TAP Socket libusb Winaudio Slirp Mouse Keyboard Clocks Real world Block devices Virtual input Replay Video output Replay log 6

Deterministic replay implementation High-level non-deterministic events are written into the log in record mode mouse, keyboard, hardware clock, network packets, USB packets Non-deterministic events read from the log in replay mode are used instead of real inputs Disk I/O is deterministic, because of using unchanged disk image Thread pool tasks execution sequence is serialized to make it deterministic 7

QEMU changes Added log recording subsystem Target-specific dynamic translators were changed to add instructions counting Target-independent components were changed to record incoming events 8

Instructions counting: icount issues Different counting for REP instructions in single step and normal modes icount is not incremented for the last (ecx=0) iteration in normal mode Incorrect when using breakpoints through gdb icount is incremented for non-executed instruction, which located at the breakpoint address Seem to be x86-specific 9

Instructions counting check tcg_exit_req 000f2e0e: push %ebx ++icount 000f2e0f: sub ++icount $0x2c,%esp 000f2e12: movl $0xf64bc,0x4(%esp) ++icount 000f2e1a: movl $0xf4d50,(%esp) ++icount 000f2e21: call 0xf1ca0 ++icount I m going to create my own icount with black jack and hookers. 10

Hardware clock and timers Saving time into the events log QEMU core Clock interface Hardware clock Events log Request time Write time into the log 11

Hardware clock and timers Reading time from the events log QEMU core Clock interface Events log Request time Read time from the log 12

Checkpointing Making periodic snapshots for convenient replay debugging Allow navigation in the execution scenario Required for reverse execution Rewind to saved snapshot Normal replay 13

User input and passthru devices Keyboard Mouse Audio card Network adapters Serial interface USB devices 14

Reverse debugging Using checkpoints for faster rewind to the desired moment of execution GDB reverse debugging commands reverse-continue reverse-step reverse-stepi reverse-next reverse-nexti reverse-finish 15

Reverse debugging int *p = malloc(sizeof(int));. p = NULL;. int a = *p; 16

Reverse debugging int *p = malloc(sizeof(int));. p = NULL;. int a = *p; gdb> watch p gdb> reverse-continue 17

Reverse debugging 4 3 2 1 int *p = malloc(sizeof(int));. p = NULL;. int a = *p; gdb> watch p gdb> reverse-continue 18

Evaluation Environment Core i7 with 8G of RAM Windows 7 x64 Virtual machine i386 with 128M of RAM Three testing scenarios Windows XP loading Download of 8M file Compressing 8M file with gzip 19

Evaluation Instructions count Normal execution time Windows XP File download Gzip 5 billions 1.4 billions 3 billions 69 sec 41 sec 12 sec Log size 15 M 2.1 M* 1.1 M Log size per 1000 instructions Recording overhead Replaying overhead 3 bytes 1.6 bytes 0.4 bytes 1.5x 1.1x 3.2x 4.5x 2.9x 12.8x * Without network traffic 20

Results and status Found several bugs in QEMU core Prepared reverse execution patches about 6000 LOC split into two parts replay core and reverse debugging 21

Results: applied patches Date Hash Description 2014-09-26 5a6e8ba kvmvapic: fix migration when VM paused and when not running Windows 2014-09-18 5bde140 target-i386: update fp status fix 2014-09-11 462efe9 gdbstub: init mon_chr through qemu_chr_alloc 2014-09-11 a28fe7e pckbd: adding new fields to vmstate 2014-09-11 0b10215 mc146818rtc: add missed field to vmstate 2014-09-11 2c9ecde piix: do not set irq while loading vmstate 2014-09-11 7385b27 serial: fixing vmstate for save/restore 2014-09-11 461a275 parallel: adding vmstate for save/restore 2014-09-11 c0b92f3 fdc: adding vmstate for save/restore 2014-09-11 4603ea0 cpu: init vmstate for ticks and clock offset 2014-09-11 a6dead4 apic_common: vapic_paddr synchronization fix 2014-09-05 6c3bff0 exec: Save CPUState::exception_index field 2013-04-20 089305a i386 ROR r8/r16 instruction fix 2012-06-15 b75a028 Prevent disk data loss when closing qemu 2011-02-25 c7eb1f0 Fixing network over sockets implementation for win32 22

How can you use it? (1/3) Deterministic debugging of devices implementation in QEMU ROR r8/r16 23

How can you use it? (2/3) Reverse debugging through GDB interface user-mode programs drivers kernel 24

How can you use it? (3/3) Capturing execution data for offline analysis instructions sequence memory accesses network traffic 25

Future work Up-streaming the rest of the bug-fixes Up-streaming the reverse execution core patches Up-streaming reverse debugging patches Improving performance Improve instructions counting to increase replaying speed Reduce log saving overhead to improve usability Save additional data for faster transition between states while replaying and debugging Creating framework for testing of the deterministic replay 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback