Dynamic Binary Translation & Instrumentation
(lecture slides, heng/teaching/cs260-winter...)
PLDI’05 2
Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation
CK Luk, Robert Cohn, Robert Muth, Harish Patil,
Artur Klauser, Geoff Lowney, Steven Wallace, Kim Hazelwood
Intel
Vijay Janapa Reddi
University of Colorado
http://rogue.colorado.edu/Pin
PLDI’05 3
Instrumentation
• Insert extra code into programs to collect information about execution
• Program analysis:
  • Code coverage, call-graph generation, memory-leak detection
• Architectural study:
  • Processor simulation, fault injection
• Existing binary-level instrumentation systems:
  • Static: ATOM, EEL, Etch, Morph
  • Dynamic: Dyninst, Vulcan, DTrace, Valgrind, Strata, DynamoRIO
=> Pin is a new dynamic binary instrumentation system
PLDI’05 4
A Pintool for Tracing Memory Writes

  #include <cstdio>
  #include <iostream>
  #include "pin.H"

  FILE* trace;

  // Analysis routine: executed immediately before a write is executed
  VOID RecordMemWrite(VOID* ip, VOID* addr, UINT32 size) {
      fprintf(trace, "%p: W %p %d\n", ip, addr, size);
  }

  // Instrumentation routine: executed when an instruction is dynamically compiled
  VOID Instruction(INS ins, VOID* v) {
      if (INS_IsMemoryWrite(ins))
          INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(RecordMemWrite),
                         IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_MEMORYWRITE_SIZE,
                         IARG_END);
  }

  int main(int argc, char* argv[]) {
      PIN_Init(argc, argv);
      trace = fopen("atrace.out", "w");
      INS_AddInstrumentFunction(Instruction, 0);
      PIN_StartProgram();   // never returns
      return 0;
  }
• Same source code works on the 4 architectures
=> Pin takes care of different addressing modes
• No need to manually save/restore application state
=> Pin does it for you automatically and efficiently
PLDI’05 5
Dynamic Instrumentation
[Figure: original code (blocks 1-7) on the left, Pin in the middle, code cache on the right]
Pin fetches the trace starting at block 1 and starts instrumentation; the translated blocks 1', 2', 7' are placed in the code cache
Exits point back to Pin
PLDI’05 6
Dynamic Instrumentation
[Figure: same layout; the code cache holds 1', 2', 7']
Pin transfers control into the code cache (block 1)
PLDI’05 7
Dynamic Instrumentation
[Figure: the code cache now also holds 3', 5', 6']
Pin fetches and instruments a new trace
Trace linking: exits between traces already in the code cache are connected directly, instead of going back through Pin
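The three diagrams above describe the mechanism in pictures. What follows is an added example, not code from the Pin paper: a toy Python model of the same dispatcher / code cache / trace-linking loop, with a basic-block-counting callback standing in for the Pintool. The program, the `DynamicInstrumenter` class and its counters are constructed for illustration; `dispatcher_entries` counts how often an exit "pointed back to Pin", which is what trace linking drives down.

```python
from dataclasses import dataclass, field


@dataclass
class Trace:
    """A translated block living in the code cache.  linked_exit maps a
    successor block id to the trace it has been linked to; an exit that is
    not in the map still 'points back to Pin' (the dispatcher)."""
    block: int
    linked_exit: dict = field(default_factory=dict)


class DynamicInstrumenter:
    """Toy JIT: fetches original blocks on demand, copies them into the code
    cache with an analysis callback attached, and links trace exits."""

    def __init__(self, program, analysis):
        self.program = program          # block id -> (body(state), successor(state))
        self.analysis = analysis        # the "Pintool" callback run before each block
        self.code_cache = {}            # block id -> Trace
        self.compiled = []              # order in which blocks were translated
        self.dispatcher_entries = 0     # how often control came back to "Pin"

    def compile_trace(self, block):
        trace = Trace(block)
        self.code_cache[block] = trace
        self.compiled.append(block)
        return trace

    def run(self, entry, state):
        current, trace, last_exit = entry, None, None
        while current is not None:
            if trace is None:
                # An exit pointed back to Pin: look the target up in the code
                # cache (translating it if needed) and link the exit we came
                # from, so the next time this path is taken we stay in the cache.
                self.dispatcher_entries += 1
                trace = self.code_cache.get(current)
                if trace is None:
                    trace = self.compile_trace(current)
                if last_exit is not None:
                    last_exit.linked_exit[current] = trace
            self.analysis(current, state)   # inserted call, IPOINT_BEFORE
            body, successor = self.program[current]
            body(state)
            nxt = successor(state)
            if nxt is None:
                break
            if nxt in trace.linked_exit:
                trace = trace.linked_exit[nxt]   # linked exit: direct jump
            else:
                last_exit, trace = trace, None   # unlinked exit: back to Pin
            current = nxt
        return state


def run_demo():
    """Constructed program: block 1 initialises a counter, blocks 2 and 3 form
    a loop that runs three times, block 4 is the exit."""
    program = {
        1: (lambda s: s.update(x=0), lambda s: 2),
        2: (lambda s: s.update(x=s["x"] + 1), lambda s: 3 if s["x"] < 3 else 4),
        3: (lambda s: None, lambda s: 2),
        4: (lambda s: None, lambda s: None),
    }
    counts = {}

    def bbl_count(block, state):        # basic-block counting "Pintool"
        counts[block] = counts.get(block, 0) + 1

    dbi = DynamicInstrumenter(program, bbl_count)
    dbi.run(1, {})
    first_run_entries = dbi.dispatcher_entries   # 5: four translations + one re-entry
    dbi.run(1, {})                               # second run: every exit is linked
    return counts, dbi.compiled, first_run_entries, dbi.dispatcher_entries


if __name__ == "__main__":
    print(run_demo())
```

On the first run the loop back-edge 3 -> 2 costs one extra dispatcher entry before it gets linked; on the second run only the initial entry goes through the dispatcher, which is the effect the slide's "trace linking" arrow stands for.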
PLDI’05 8
Pin’s Software Architecture
[Figure: one address space holding the application, the Pintool and Pin; Pin consists of the Virtual Machine (VM) with its JIT compiler, emulation unit and code cache, plus the instrumentation APIs; the operating system and hardware sit below]
❑ 3 programs (Pin, Pintool, App) in same address space:
  ➢ User-level only
❑ Instrumentation APIs:
  ➢ Through which Pintool communicates with Pin
❑ JIT compiler:
  ➢ Dynamically compile and instrument
❑ Emulation unit:
  ➢ Handle insts that can’t be directly executed (e.g., syscalls)
❑ Code cache:
  ➢ Store compiled code
=> Coordinated by VM
PLDI’05 9
Pin Internal Details
• Loading of Pin, Pintool, & Application
• An Improved Trace Linking Technique
• Register Re-allocation
• Instrumentation Optimizations
• Multithreading Support
PLDI’05 10
Register Re-allocation
• Instrumented code needs extra registers. E.g.:
  • Virtual registers available to the tool
  • A virtual stack pointer pointing to the instrumentation stack
  • Many more …
• Approaches to get extra registers:
  1. Ad-hoc (e.g., DynamoRIO, Strata, DynInst)
     – Whenever you need a register, spill one and fill it afterward
  2. Re-allocate all registers during compilation
     a. Local allocation (e.g., Valgrind)
        • Allocate registers independently within each trace
     b. Global allocation (Pin)
        • Allocate registers across traces (can be inter-procedural)
PLDI’05 11
Valgrind’s Register Re-allocation

Original Code:
  mov 1, %eax
  mov 2, %ebx
  cmp %ecx, %edx
  jz t
  add 1, %eax
  sub 2, %ebx
t:

Trace 1 (re-allocated; virtual -> physical: %eax->%eax, %ebx->%esi, %ecx->%ecx, %edx->%edx):
  mov 1, %eax
  mov 2, %esi
  cmp %ecx, %edx
  mov %eax, SPILLeax
  mov %esi, SPILLebx
  jz t’

Trace 2 (re-allocated; virtual -> physical: %eax->%eax, %ebx->%edi, %ecx->%ecx, %edx->%edx):
t’:
  mov SPILLeax, %eax
  mov SPILLebx, %edi
  add 1, %eax
  sub 2, %edi

=> Simple but inefficient
• All modified registers are spilled at a trace’s end
• Refill registers at a trace’s beginning
PLDI’05 12
Pin’s Register Re-allocation
Scenario (1): Compiling a new trace at a trace exit

Original Code:
  mov 1, %eax
  mov 2, %ebx
  cmp %ecx, %edx
  jz t
  add 1, %eax
  sub 2, %ebx
t:

Trace 1 (re-allocated; virtual -> physical at its exit: %eax->%eax, %ebx->%esi, %ecx->%ecx, %edx->%edx):
  mov 1, %eax
  mov 2, %esi
  cmp %ecx, %edx
  jz t’

Trace 2, compiled using the binding at Trace 1’s exit (so %ebx stays in %esi):
t’:
  add 1, %eax
  sub 2, %esi

=> No spilling/filling needed across traces
PLDI’05 13
Pin’s Register Re-allocation
Scenario (2): Targeting an already generated trace at a trace exit

Original Code:
  mov 1, %eax
  mov 2, %ebx
  cmp %ecx, %edx
  jz t
  add 1, %eax
  sub 2, %ebx
t:

Trace 1 (being compiled; virtual -> physical: %eax->%eax, %ebx->%esi, %ecx->%ecx, %edx->%edx):
  mov 1, %eax
  mov 2, %esi
  cmp %ecx, %edx
  mov %esi, SPILLebx
  mov SPILLebx, %edi
  jz t’

Trace 2 (already in code cache; virtual -> physical: %eax->%eax, %ebx->%edi, %ecx->%ecx, %edx->%edx):
t’:
  add 1, %eax
  sub 2, %edi

=> Minimal spilling/filling code
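To make the two allocation policies concrete, here is an added Python example (not code from Pin or Valgrind) that generates the glue code between two traces for the three cases on these slides: Valgrind's spill-all / refill-all, Pin scenario (1) where the new trace adopts the exit binding, and Pin scenario (2) where only the mismatched virtual registers are moved through their spill slots. The `execute` simulator and the `SPILL<reg>` slot naming are assumptions of the example; it also goes slightly beyond the slides by checking that the spill-then-fill order stays correct when two virtual registers swap physical homes.

```python
def _slot(vreg):
    """Spill slot name in the slides' style: %ebx -> SPILLebx (assumed naming)."""
    return "SPILL" + vreg.lstrip("%")


def valgrind_glue(modified, exit_binding, entry_binding):
    """Local allocation: spill every virtual register the trace modified at
    its end and refill them all at the next trace's start, whatever the two
    bindings are.  Returns (spills at trace 1 end, fills at trace 2 start)."""
    spills = [f"mov {exit_binding[v]}, {_slot(v)}" for v in modified]
    fills = [f"mov {_slot(v)}, {entry_binding[v]}" for v in modified]
    return spills, fills


def pin_new_trace_binding(exit_binding):
    """Scenario (1): a trace compiled at a trace exit adopts the exit
    binding, so pin_glue() between the two is empty."""
    return dict(exit_binding)


def pin_glue(exit_binding, entry_binding):
    """Scenario (2): the target trace already exists with its own binding, so
    only the virtual registers whose physical home differs are moved, via
    their spill slot as on the slide.  Doing all spills before all fills
    keeps the glue correct even when two registers exchange homes."""
    moved = [v for v in exit_binding if exit_binding[v] != entry_binding[v]]
    spills = [f"mov {exit_binding[v]}, {_slot(v)}" for v in moved]
    fills = [f"mov {_slot(v)}, {entry_binding[v]}" for v in moved]
    return spills + fills


def execute(moves, regs):
    """Tiny simulator for 'mov src, dst' over a dict of registers and spill
    slots, used to check that the glue preserves every register's value."""
    store = dict(regs)
    for m in moves:
        src, dst = [x.strip() for x in m[len("mov "):].split(",")]
        store[dst] = store[src]
    return store


# Bindings from the slides (virtual register -> physical register).
TRACE1_EXIT = {"%eax": "%eax", "%ebx": "%esi", "%ecx": "%ecx", "%edx": "%edx"}
TRACE2_ENTRY = {"%eax": "%eax", "%ebx": "%edi", "%ecx": "%ecx", "%edx": "%edx"}


if __name__ == "__main__":
    print("Valgrind:", valgrind_glue(["%eax", "%ebx"], TRACE1_EXIT, TRACE2_ENTRY))
    print("Pin (1):", pin_glue(TRACE1_EXIT, pin_new_trace_binding(TRACE1_EXIT)))
    print("Pin (2):", pin_glue(TRACE1_EXIT, TRACE2_ENTRY))
```

With the slides' bindings, the Valgrind policy emits four instructions (two spills, two fills) for the same trace pair where Pin scenario (2) emits two and scenario (1) emits none, which is the whole argument of slides 11 to 13.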
PLDI’05 14
Instrumentation Optimizations
1. Inline instrumentation code into the application
2. Avoid saving/restoring eflags with liveness analysis
3. Schedule inlined instrumentation code
PLDI’05 15
Example: Instruction Counting
Instrument without applying any optimization:
  BBL_InsertCall(bbl, IPOINT_BEFORE, docount(), IARG_UINT32, BBL_NumIns(bbl), IARG_END)

Original code:
  cmov %esi, %edi
  cmp %edi, (%esp)
  jle <target1>
  add %ecx, %edx
  cmp %edx, 0
  je <target2>

Trace:
  mov %esp, SPILLappsp
  mov SPILLpinsp, %esp
  call <bridge>
  mov SPILLappsp, %esp
  cmov %esi, %edi
  cmp %edi, (%esp)
  jle <target1’>
  mov %esp, SPILLappsp
  mov SPILLpinsp, %esp
  call <bridge>
  add %ecx, %edx
  cmp %edx, 0
  je <target2’>

bridge():
  pushf
  push %edx
  push %ecx
  push %eax
  movl 0x3, %eax
  call docount
  pop %eax
  pop %ecx
  pop %edx
  popf
  ret

docount():
  add %eax, icount
  ret

=> 33 extra instructions executed altogether
PLDI’05 16
Example: Instruction Counting
Inlining

Original code:
  cmov %esi, %edi
  cmp %edi, (%esp)
  jle <target1>
  add %ecx, %edx
  cmp %edx, 0
  je <target2>

Trace:
  mov %esp, SPILLappsp
  mov SPILLpinsp, %esp
  pushf
  add 0x3, icount
  popf
  mov SPILLappsp, %esp
  cmov %esi, %edi
  cmp %edi, (%esp)
  jle <target1’>
  mov %esp, SPILLappsp
  mov SPILLpinsp, %esp
  pushf
  add 0x3, icount
  popf
  add %ecx, %edx
  cmp %edx, 0
  je <target2’>

=> 11 extra instructions executed
PLDI’05 17
Example: Instruction Counting
Inlining + eflags liveness analysis

Original code:
  cmov %esi, %edi
  cmp %edi, (%esp)
  jle <target1>
  add %ecx, %edx
  cmp %edx, 0
  je <target2>

Trace:
  mov %esp, SPILLappsp
  mov SPILLpinsp, %esp
  pushf
  add 0x3, icount
  popf
  mov SPILLappsp, %esp
  cmov %esi, %edi
  cmp %edi, (%esp)
  jle <target1’>
  add 0x3, icount
  add %ecx, %edx
  cmp %edx, 0
  je <target2’>

=> 7 extra instructions executed
PLDI’05 18
Example: Instruction Counting
Inlining + eflags liveness analysis + scheduling

Original code:
  cmov %esi, %edi
  cmp %edi, (%esp)
  jle <target1>
  add %ecx, %edx
  cmp %edx, 0
  je <target2>

Trace:
  cmov %esi, %edi
  add 0x3, icount
  cmp %edi, (%esp)
  jle <target1’>
  add 0x3, icount
  add %ecx, %edx
  cmp %edx, 0
  je <target2’>

=> 2 extra instructions executed
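The four instruction-counting slides are one procedure, so here is a single added example (Python; not code from Pin) that reproduces optimizations 2 and 3 on the slides' own two basic blocks: a backward eflags liveness pass over each block, then placement of the inlined `add ..., icount` either at block entry or at the first point where eflags are dead. The instruction model, the flag read/write annotations and the rule "flags live at the insertion point => pushf/popf plus a switch to Pin's stack" are the example's own simplifications; the call-based form of slide 15 and the plain inlined form of slide 16 are not modelled.

```python
# Each instruction is (text, reads_eflags, writes_eflags).  The two basic
# blocks are the original code from the slides; the flag effects are the
# usual x86 ones (cmov and jcc read eflags, cmp and add write them).
ORIGINAL_TRACE = [
    [("cmov %esi, %edi", True, False),
     ("cmp %edi, (%esp)", False, True),
     ("jle <target1>", True, False)],
    [("add %ecx, %edx", False, True),
     ("cmp %edx, 0", False, True),
     ("je <target2>", True, False)],
]


def flags_live_before(block):
    """live[i] is True if eflags may be read before being rewritten, starting
    at instruction i.  live[len(block)] is the block exit, assumed live
    because the next block may read the flags."""
    n = len(block)
    live = [True] * (n + 1)
    for i in range(n - 1, -1, -1):
        _, reads, writes = block[i]
        live[i] = reads or (live[i + 1] and not writes)
    return live


def instrument_block(block, schedule):
    """Inline 'add <n>, icount' into one basic block.  Without scheduling it
    goes at block entry; with scheduling it moves to the first point where
    eflags are dead.  If eflags are live at the chosen point, the add must be
    bracketed by pushf/popf, which in turn needs Pin's own stack."""
    live = flags_live_before(block)
    n = len(block)
    pos = 0
    if schedule:
        dead = [i for i in range(n) if not live[i]]
        if dead:
            pos = dead[0]
    count = f"add 0x{n:x}, icount"
    if live[pos]:
        extra = ["mov %esp, SPILLappsp", "mov SPILLpinsp, %esp",
                 "pushf", count, "popf", "mov SPILLappsp, %esp"]
    else:
        extra = [count]
    text = [t for t, _, _ in block]
    return text[:pos] + extra + text[pos:], len(extra)


def instrument_trace(blocks, schedule):
    """Instrument every block; returns (list of instrumented blocks, number of
    extra instructions executed when the trace runs once)."""
    out, total = [], 0
    for block in blocks:
        code, extra = instrument_block(block, schedule)
        out.append(code)
        total += extra
    return out, total


if __name__ == "__main__":
    for schedule in (False, True):
        code, extra = instrument_trace(ORIGINAL_TRACE, schedule)
        print(f"schedule={schedule}: {extra} extra instructions")
        for block in code:
            print("\n".join("  " + line for line in block))
```

Run on the slides' trace, the liveness-only placement yields the 7 extra instructions of slide 17 (the first block's `cmov` reads eflags at entry, the second block's `add` kills them) and the scheduled placement yields the 2 of slide 18, because after `cmov` and before `cmp` the flags are dead in the first block as well.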
PLDI’05 19
Pin Instrumentation Performance
Runtime overhead of basic-block counting with Pin on IA32 (SPEC2K using reference data sets)

Average slowdown                                    SPECINT   SPECFP
Without optimization                                 10.4      3.9
Inlining                                              7.8      3.5
Inlining + eflags liveness analysis                   2.8      1.5
Inlining + eflags liveness analysis + scheduling      2.5      1.4
PLDI’05 20
Comparison among Dynamic Instrumentation Tools
Runtime overhead of basic-block counting with three different tools
• Valgrind is a popular instrumentation tool on Linux
  • Call-based instrumentation, no inlining
• DynamoRIO is the performance leader in binary dynamic optimization
  • Manually inline, no eflags liveness analysis and scheduling
=> Pin automatically provides efficient instrumentation

Average slowdown on SPECINT: Valgrind 8.3, DynamoRIO 5.1, Pin 2.5
PLDI’05 21
Pin Applications
• Sample tools in the Pin distribution:
  • Cache simulators, branch predictors, address tracer, syscall tracer, edge profiler, stride profiler
• Some tools developed and used inside Intel:
  • Opcodemix (analyze code generated by compilers)
  • PinPoints (find representative regions in programs to simulate)
  • A tool for detecting memory bugs
• Some companies are writing their own Pintools:
  • A major database vendor, a major search engine provider
• Some universities using Pin in teaching and research:
  • U. of Colorado, MIT, Harvard, Princeton, U of Minnesota, Northeastern, Tufts, University of Rochester, …
PLDI’05 22
Conclusions
• Pin
  • A dynamic instrumentation system for building your own program analysis tools
  • Easy to use, robust, transparent, efficient
  • Tool source compatible on IA32, EM64T, Itanium, ARM
  • Works on large applications
    • database, search engine, web browsers, …
  • Available on Linux; Windows version coming soon
  • Downloadable from http://rogue.colorado.edu/Pin
    • User manual, many example tools, tutorials
    • 3300 downloads since 2004 July
23
Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation
Nicholas Nethercote — National ICT Australia
Julian Seward — OpenWorks LLP
24
FAQ #1
• How do you pronounce “Valgrind”?
• “Val-grinned”, not “Val-grined”
• Don’t feel bad: almost everyone gets it wrong at first
25
DBA tools
• Program analysis tools are useful
  • Bug detectors
  • Profilers
  • Visualizers
• Dynamic binary analysis (DBA) tools
  • Analyse a program’s machine code at run-time
  • Augment original code with analysis code
26
Building DBA tools
• Dynamic binary instrumentation (DBI)
  • Add analysis code to the original machine code at run-time
  • No preparation, 100% coverage
• DBI frameworks
  • Pin, DynamoRIO, Valgrind, etc.
Tool = Framework + Tool plug-in
27
Prior work
• Potential of DBI has not been fully exploited
  • Tools get less attention than frameworks
  • Complex tools are more interesting than simple tools
Well-studied: framework performance, simple tools
Not well-studied: instrumentation capabilities, complex tools
28
Shadow value tools
29
Shadow value tools (I)
• Shadow every value with another value that describes it
• Tool stores and propagates shadow values in parallel

Tool(s): shadow values help find...
  Memcheck: uses of undefined values (bugs)
  Annelid: array bounds violations (bugs)
  Hobbes: run-time type errors (bugs)
  TaintCheck, LIFT, TaintTrace: uses of untrusted values (security)
  “Secret tracker”: leaked secrets (security)
  DynCompB: invariants (properties)
  Redux: dynamic dataflow graphs (properties)
30
Memcheck
• Shadow values: defined or undefined
• 30 undefined value bugs found in OpenOffice

Original operation -> Shadow operation
  int* p = malloc(4) -> sh(p) = undefined
  R1 = 0x12345678 -> sh(R1) = defined
  R1 = R2 -> sh(R1) = sh(R2)
  R1 = R2 + R3 -> sh(R1) = addsh(R2, R3)
  if R1==0 then goto L -> complain if sh(R1) is undefined
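As an added example (not Valgrind's code), the table above turned into a small Python interpreter that carries a definedness shadow for every register and every memory byte, propagates it through the operations listed, and complains when a conditional branch depends on an undefined value. The register machine, its opcodes, the heap base and the demo program are constructed for this example; `addsh` is simplified to "defined only if both inputs are defined", whereas Memcheck tracks definedness per bit.

```python
WORD = 4          # bytes per register / memory word in this toy machine


class ShadowMachine:
    """Register machine in which every value carries a definedness shadow:
    True = defined, False = undefined, kept for registers and memory bytes."""

    def __init__(self):
        self.regs, self.sh_regs = {}, {}      # register -> value / shadow
        self.mem, self.sh_mem = {}, {}        # byte address -> value / shadow
        self.heap_top = 0x1000                # constructed heap base
        self.reports = []                     # (pc, register) of each complaint

    def run(self, program):
        pc = 0
        while pc < len(program):
            op, *args = program[pc]
            pc = getattr(self, "op_" + op)(pc, *args)   # each op returns next pc
        return self.reports

    def op_malloc(self, pc, dst, size):
        # The pointer is defined; the allocated bytes are undefined, which is
        # what the slide's 'sh(p) = undefined' row refers to.
        addr, self.heap_top = self.heap_top, self.heap_top + size
        for i in range(size):
            self.mem[addr + i], self.sh_mem[addr + i] = 0, False
        self.regs[dst], self.sh_regs[dst] = addr, True
        return pc + 1

    def op_const(self, pc, dst, value):        # R1 = 0x12345678 -> sh(R1) = defined
        self.regs[dst], self.sh_regs[dst] = value & 0xFFFFFFFF, True
        return pc + 1

    def op_mov(self, pc, dst, src):            # R1 = R2 -> sh(R1) = sh(R2)
        self.regs[dst], self.sh_regs[dst] = self.regs[src], self.sh_regs[src]
        return pc + 1

    def op_add(self, pc, dst, a, b):           # R1 = R2 + R3 -> sh(R1) = addsh(R2, R3)
        self.regs[dst] = (self.regs[a] + self.regs[b]) & 0xFFFFFFFF
        self.sh_regs[dst] = self.sh_regs[a] and self.sh_regs[b]   # simplified addsh
        return pc + 1

    def op_load(self, pc, dst, ptr):
        addr = self.regs[ptr]
        raw = bytes(self.mem.get(addr + i, 0) for i in range(WORD))
        self.regs[dst] = int.from_bytes(raw, "little")
        # A loaded word is defined only if every byte it came from is defined.
        self.sh_regs[dst] = all(self.sh_mem.get(addr + i, False) for i in range(WORD))
        return pc + 1

    def op_store(self, pc, ptr, src):
        addr = self.regs[ptr]
        for i, b in enumerate(self.regs[src].to_bytes(WORD, "little")):
            self.mem[addr + i], self.sh_mem[addr + i] = b, self.sh_regs[src]
        return pc + 1

    def op_jz(self, pc, src, target):          # if R1==0 goto L -> complain if sh(R1) undefined
        if not self.sh_regs[src]:
            self.reports.append((pc, src))
        return target if self.regs[src] == 0 else pc + 1


# Constructed program mirroring the slide's table, row by row.
DEMO_PROGRAM = [
    ("malloc", "r2", 4),          # 0: r2 = malloc(4); the 4 bytes are undefined
    ("load", "r1", "r2"),         # 1: r1 = *r2            -> undefined
    ("const", "r3", 0x12345678),  # 2: r3 defined
    ("add", "r4", "r1", "r3"),    # 3: undefined + defined -> undefined
    ("mov", "r5", "r4"),          # 4: the shadow travels with the value
    ("jz", "r5", 9),              # 5: branch on an undefined value -> complaint
    ("store", "r2", "r3"),        # 6: initialise the heap word
    ("load", "r6", "r2"),         # 7: now defined
    ("jz", "r6", 9),              # 8: branch on a defined value -> silent
]


def run_demo():
    machine = ShadowMachine()
    reports = machine.run(DEMO_PROGRAM)
    return reports, machine.sh_regs


if __name__ == "__main__":
    reports, shadows = run_demo()
    for pc, reg in reports:
        print(f"pc {pc}: conditional jump depends on undefined value in {reg}")
```

The one complaint lands on the branch at pc 5, not at the `load` or `add` that produced the undefined value; that delay is the point of shadow propagation, since copying or computing with undefined data is legal C and only its use in a decision is a bug.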
31
Shadow value tools (II)
• All shadow value tools work in the same basic way
• Shadow value tools are heavyweight tools
  • Tool’s data + ops are as complex as the original program’s
• Shadow value tools are hard to implement
  • Multiplex real and shadow registers onto register file
  • Squeeze real and shadow memory into address space
  • Instrument most instructions and system calls
32
Valgrind basics
33
Valgrind
• Software
  • Free software (GPL)
  • {x86, x86-64, PPC}/Linux, PPC/AIX
• Users
  • Development: Firefox, OpenOffice, KDE, GNOME, MySQL, Perl, Python, PHP, Samba, RenderMan, Unreal Tournament, NASA, CERN
  • Research: Cambridge, MIT, Berkeley, CMU, Cornell, UNM, ANU, Melbourne, TU Muenchen, TU Graz
• Design
  • Heavyweight tools are well supported
  • Lightweight tools are slow
34
Two unusual features of Valgrind
35
#1: Code representation
[Figure: two translation pipelines]
Copy-and-annotate (C&A): asm in -> copy -> annotate with descriptions -> instrument (analysis code interleaved with the copied code) -> asm out
Disassemble-and-resynthesize (D&R, Valgrind): asm in -> disassemble -> IR -> instrument -> resynthesize -> asm out
36
Pros and cons of D&R
• Cons: Lightweight tools
  • Framework design and implementation effort
  • Code translation cost, code quality
• Pros: Heavyweight tools
  • Analysis code as expressive as original code
  • Tight interleaving of original code and analysis code
  • Obvious when things go wrong!
[Figure: under D&R, bad IR produces wrong behaviour; under C&A, bad descriptions leave the behaviour correct but the analysis wrong]
37
Other IR features
• Writing complex inline analysis code is easy
Feature: benefit
  First-class shadow registers: as expressive as normal registers
  Typed, SSA: catches instrumentation errors
  RISC-like: fewer cases to handle
  Infinitely many temporaries: never have to find a spare register
38
#2: Thread serialisation
• Shadow memory: memory accesses no longer atomic
  • Uni-processors: thread switches may intervene
  • Multi-processors: real/shadow accesses may be reordered
• Simple solution: serialise thread execution!
  • Tools can ignore the issue
  • Great for uni-processors, slow for multi-processors...
39
Performance
40
SPEC2000 Performance
  Valgrind, no-instrumentation: 4.3x
  Pin/DynRIO, no-instrumentation: ~1.5x
  Memcheck: 22.1x (7--58x)
  Most other shadow value tools: 10--180x
  LIFT: 3.6x (*)
(*) LIFT limitations:
• No FP or SIMD programs
• No multi-threaded programs
• 32-bit x86 code on 64-bit x86 machines only
41
Post-performance
• Only Valgrind allows robust shadow value tools
  • All robust ones built with Valgrind or from scratch
• Perception: “Valgrind is slow”
  • Too simplistic
  • Beware apples-to-oranges comparisons
  • Different frameworks have different strengths
42
Future of DBI
43
The future
• Interesting tools!
  • Memcheck changed many C/C++ programmers’ lives
  • Tools don’t arise in a vacuum
• What do you want to know about program execution?
  • Think big!
  • Don’t worry about being practical at first
44
If you remember nothing else...
45
Take-home messages
• Heavyweight tools are interesting
• Each DBI framework has its pros and cons
• Valgrind supports heavyweight tools well
www.valgrind.org