南京大学：《软件工程研究导引 Introduction to Software Engineering Research》课程教学资源（课件讲稿）07 Tracing, Profiling, and Dynamic Program Analysis

Dynamic Program Analysis Jun Ma majun@nju.edu.cn

Dynamic Program Analysis majun@nju.edu.cn Jun Ma

Overview Static analysis A program that takes programs as input and produces useful results(without executing it). Dynamic analysis A program that monitors and alters program execution to produce useful results

Overview Static analysis A program that takes programs as input and produces useful results (without executing it). Dynamic analysis A program that monitors and alters program execution to produce useful results

Computer Systems as State Machine

Computer Systems as State Machine

Computer Systems .. Computer system state machine of(memory,registers)whose running is driven by instructions. (Because computer systems are simply circuits.) M,R -instruction-M',R' instruction M",R" …instructions.-pM,R" This model works for user-level programs(syscall is a special non-deterministic instruction) operating systems(may have external interrupts) concurrent/multiprocessor systems (we can choose a thread for executing an instruction)

Computer Systems … Computer system = state machine of (memory, registers) whose running is driven by instructions. (Because computer systems are simply circuits.) M,R instruction M',R' instruction M'',R'' instructions M''',R''' This model works for user-level programs (syscall is a special non-deterministic instruction) operating systems (may have external interrupts) concurrent/multiprocessor systems (we can choose a thread for executing an instruction)

Dynamic Analysis A program that monitors and alters program execution to produce useful results. That is,a function f(T)to produce useful results given the execution trace T of a state machine(program/computer system). Only provides useful results for the given T usually complete but unsound complements static analyses SE tasks tolerate unsound and incomplete analyses as long as results are useful in engineering PL guys don't like this

Dynamic Analysis A program that monitors and alters program execution to produce useful results. That is, a function to produce useful results given the execution trace of a state machine (program/computer system). Only provides useful results for the given usually complete but unsound complements static analyses SE tasks tolerate unsound and incomplete analyses as long as results are useful in engineering PL guys don’t like this f(τ ) τ τ

Debuggers

Debuggers

The GNU Project Debugger(GDB) GDB,the GNU Project debugger,allows you to see what is going on "inside"another program while it executes-or what another program was doing at the moment it crashed. Start your program,specifying anything that might affect its behavior. Make your program stop on specified conditions. Examine what has happened when your program has stopped. Change things in your program,so you can experiment with correcting the effects of one bug and go on to learn about another

The GNU Project Debugger (GDB) GDB, the GNU Project debugger, allows you to see what is going on “inside” another program while it executes – or what another program was doing at the moment it crashed. Start your program, specifying anything that might affect its behavior. Make your program stop on specified conditions. Examine what has happened when your program has stopped. Change things in your program, so you can experiment with correcting the effects of one bug and go on to learn about another

GDB's Offer Lots of commands Execution controlr,c,f,n,s,si,.. Breakpoints b,hb,wa,... ·Program state display`p,x,i,bt`,… Program state modification set,... Black magic -reverse debugging: ■`record,rc,rn,rsi, Suffices for anything GDB captures the entire "state transition"procedure of a process

GDB’s Offer Lots of commands Execution control r, c, f, n, s, si ,… Breakpoints b, hb, wa , … Program state display p, x, i, bt , … Program state modification set , … Black magic - reverse debugging: record, rc, rn, rsi , … Suffices for anything GDB captures the entire “ state transition” procedure of a process ` ` ` ` ` ` ` ` ` `

Debugger is ALL Dynamic Analyses Any practical dynamic analysis is a "simplified"(and more efficient)debugger. Virtually,we can do any observation or perturbation on a debugger Understanding program states info inferiors;thread 1;info registers;x/i srip Modifying program states ■`set var=value But single-step execution incurs 1000X slowdown and GB/s instruction log

Debugger is ALL Dynamic Analyses Any practical dynamic analysis is a “ simplified” (and more efficient) debugger. Virtually, we can do any observation or perturbation on a debugger Understanding program states info inferiors; thread 1; info registers; x/i $rip Modifying program states set var = value But single-step execution incurs 1000X slowdown and GB/s instruction log ` ` ` `

Implementing GDB The fundamental problem: How to pause program execution at an instruction (address)or statement? Dynamic program instrumentation patch the instruction!(quite clever idea) make the code writable(thus cannot breakpoint on ROM addresses) ■`mprotect() patch the instruction with a“debugger trap” int $3 (0xcc for x86)or 'ebreak (for risc-v) -OS will send a signal to the parent process(gdb) restore the instruction after hitting the breakpoint

Implementing GDB The fundamental problem: How to pause program execution at an instruction (address) or statement? Dynamic program instrumentation patch the instruction! (quite clever idea) make the code writable (thus cannot breakpoint on ROM addresses) mprotect() patch the instruction with a “debugger trap” int $3 ( 0xcc for x86) or ebreak (for risc-v) OS will send a signal to the parent process (gdb) restore the instruction after hitting the breakpoint ` ` ` ` ` ` ` `