and it all went horribly wrong debugging production
play

And It All Went Horribly Wrong: Debugging Production Systems Bryan - PowerPoint PPT Presentation

Nov 27, 2023 •305 likes •605 views

And It All Went Horribly Wrong: Debugging Production Systems Bryan Cantrill VP, Engineering bryan@joyent.com @bcantrill Thursday, November 17, 2011 In the beginning... Thursday, November 17, 2011 In the beginning... Sir Maurice Wilkes,

  1. And It All Went Horribly Wrong: Debugging Production Systems Bryan Cantrill VP, Engineering bryan@joyent.com @bcantrill Thursday, November 17, 2011

  2. In the beginning... Thursday, November 17, 2011

  3. In the beginning... Sir Maurice Wilkes, 1913 - 2010 Thursday, November 17, 2011

  4. In the beginning... “As soon as we started programming, we found to our surprise that it wasn't as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs.” —Sir Maurice Wilkes, 1913 - 2010 Thursday, November 17, 2011

  5. Debugging through the ages • As systems had more and more demands placed upon them, we became better at debugging their failures... • ...but as these systems were replaced (disrupted) by faster (cheaper) ones, debuggability often regressed • At the same time, software has been developed at a higher and higher layer of abstraction — and accelerated by extensive use of componentization • The high layers of abstraction have made it easer to get the system initially working (develop) — but often harder to understand it when it fails (deploy + operate) • Production systems are more complicated and less debuggable! Thursday, November 17, 2011

  6. So how have we made it this far? • We have architected to survive component failure • We have carefully considered state — leaving tiers of the architecture stateless wherever possible • Where we have state, we have carefully considered semantics , moving from ACID to BASE semantics (i.e., different CAP trade-offs) to increase availability • ...and even ACID systems have been made more reliable by using redundant components • Clouds (especially unreliable ones) have expanded the architectural imperative to survive datacenter failure Thursday, November 17, 2011

  7. Do we still need to care about failure? • Software engineers should not be fooled by the rise of the putatively reliable distributed system; single component failure still has significant cost: • Economic cost : the system has fewer available resources with the component in a failed state • Run-time cost : system reconstruction or recovery often induces additional work that can degrade performance • Most dangerously, single component failure puts the system in a more vulnerable mode whereby further failure becomes more likely • This is cascading failure — and it is what induces failure in mature, reliable systems Thursday, November 17, 2011

  8. Disaster Porn I Thursday, November 17, 2011

  9. Wait, it gets worse • This assumes that the failure is fail-stop — a failed drive, a panicked kernel, a seg fault, an uncaught exception • If the failure is transient or byzantine, single component failure can alone induce system failure • Monitoring attempts to get at this by establishing rich liveness criteria for the system — and allowing the operator to turn transient failure into fatal failure... • ...but if monitoring becomes too sophisticated or invasive, it risks becoming so complicated as to compound failure Thursday, November 17, 2011

  10. Disaster Porn II Thursday, November 17, 2011

  11. Debugging in the modern era • Failure — even of a single component — erodes the overall reliability of the system • When single components fail, we must understand why (that is, we must debug them), and we must fix them • We must be able to understand both fatal (fail-stop) failures and (especially) transient failures • We must be able to diagnose these in production Thursday, November 17, 2011

  12. Debugging fatal component failure • When a software component fails fatally (e.g., due to dereferencing invalid memory or a program-induced abort) its state is static and invalid • By saving this state (e.g., DRAM) to stable storage, the component can be debugged postmortem • One starts with the invalid state and proceeds backwards to find the transition from a valid state to an invalid one • This technique is so old, that the term for this state dates from the dawn of the computing age: a core dump Thursday, November 17, 2011

  13. Postmortem advantages • There is no run-time system overhead — cost is only induced when the software has fatally failed, and even then it is only the cost of writing state to stable storage • Once its state is saved for debugging, there is nothing else to learn from the component ʼ s failure in situ ; it can be safely restarted, minimizing downtime without sacrificing debuggability • Debugging of the code dump can occur asynchronously, in parallel, and arbitrarily distant in the future • Tooling can be made extraordinarily rich, as it need not exist on the system of failure Thursday, November 17, 2011

  14. Disaster Porn III Thursday, November 17, 2011

  15. Postmortem challenges • Must have the mechanism for saving state on failure • Must record sufficient state — which must include program text as well as program data • Must have sufficient state present in DRAM to allow for debugging (correctly formed stacks are a must, as is the symbol table; type information is invaluable) • Must manage state such that storage is not overrun by a repeatedly pathological system • These challenges are real but surmountable — and several open source systems have met them... Thursday, November 17, 2011

  16. Postmortem debugging: MDB • For example, MDB is the debugger built into the open source illumos operating system (a Solaris derivative) • MDB is modular, with a plug-in architecture that allows for components to deliver custom debugger support • Plug-ins (“dmods”) can easily build on one another to deliver powerful postmortem analysis tools, e.g.: • ::stacks coalesces threads based on stack trace, with optional filtering by module, caller, etc. • ::findleaks performs postmortem garbage collection on a core dump to find memory leaks in native code Thursday, November 17, 2011

  17. Postmortem debugging • Postmortem debugging is well advanced for native code — but much less developed for dynamic environments like Java, Python, Ruby, JavaScript, Erlang, etc. • Of these, only Java has made a serious attempt at postmortem debugging via the jdb(1) tool found in HotSpot VM — but it remains VM specific • If/as dynamic environments are used for infrastructural software components, it is critical that they support postmortem debugging as a first-class operation! • In particular, at Joyent, we ʼ re building many such components in node.js... Thursday, November 17, 2011

  18. Aside: node.js • node.js is a JavaScript-based framework (based on Google ʼ s V8) for building event-oriented servers: var http = require(‘http’); http.createServer( function (req, res) { res.writeHead(200, {'Content-Type': 'text/plain'}); res.end('Hello World\n'); }).listen(8124, "127.0.0.1"); console.log(‘Server running at http://127.0.0.1:8124!’); • node.js makes it very easy to build a reliable, event- oriented networking services Thursday, November 17, 2011

  19. Postmortem debugging: node.js • Debugging a dynamic environment requires a high degree of VM specificity in the debugger… • ...but we can leverage MDB ʼ s module-oriented nature to do this somewhat cleanly with a disjoint V8 module • Joyent ʼ s Dave Pacheco has built MDB dmods to be able to symbolically dump JavaScript stacks and arguments from an OS core dump: • ::jsstack prints out a JavaScript stack trace • ::jsprint prints out a JavaScript heap object from its C++ (V8) handle • Details: http://dtrace.org/blogs/dap/2011/10/31/nodejs-v8-postmortem-debugging/ Thursday, November 17, 2011

  20. Postmortem debugging: node.js • node.js postmortem debugging is still nascent; there ʼ s much more to do here • For example, need a way to induce an abort(3C) from JavaScript to allow program-induced core dumps… • ...but it ʼ s still incredibly useful on gcore(1)-generated core dumps • We ʼ ve already used it to nail a bug that was seen exactly twice over the course of the past year — and only in production! Thursday, November 17, 2011

  21. Debugging transient component failure • Despite its violence, fatal component failure can be dealt with architecturally and (given proper postmortem debugging support) be root-caused from a single failure • Non-fatal component failure is much more difficult to compensate for — and much more difficult to debug! • State is dynamic and valid — it ʼ s hard to know where to start, and the system is still moving! • When non-fatal pathologies cascade, it is difficult to sort symptom from cause — you are physician, not scientist • This is Leventhal ʼ s Conundrum : given the hurricane, where is the butterfly? Thursday, November 17, 2011

  22. Disaster Porn IV Thursday, November 17, 2011

  23. DTrace • Facility for dynamic instrumentation of production systems originally developed circa 2003 for Solaris 10 • Open sourced (along with the rest of Solaris) in 2005; subsequently ported to many other systems (MacOS X, FreeBSD, NetBSD, QNX, nascent Linux port) • Support for arbitrary actions, arbitrary predicates, in situ data aggregation, statically-defined instrumentation • Designed for safe, ad hoc use in production: concise answers to arbitrary questions • Early on in DTrace development, it became clear that the most significant non-fatal pathologies were high in the stack of abstraction... Thursday, November 17, 2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Welcome to Advanced .NET Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production Challenges in debugging Production issues Production Environment Debugging Timeline Tools for .NET Debugging Review 3

622 views • 47 slides
Advanced Production Debugging About Me Co-founder Takipi, JVM Production Debugging. Director,

Advanced Production Debugging About Me Co-founder Takipi, JVM Production Debugging. Director,

Advanced Production Debugging About Me Co-founder Takipi, JVM Production Debugging. Director, AutoCAD Web & Mobile. Software Architect at IAI Aerospace. Coding for the past 16 years - C++, Delphi, .NET, Java. Focus on real-time,

460 views • 35 slides
Multithreading in Qt Doing it wrong, debugging it, doing it right David Faure

Multithreading in Qt Doing it wrong, debugging it, doing it right David Faure

Multithreading in Qt Doing it wrong, debugging it, doing it right David Faure <david.faure@kdab.com> Outline QThread Debugging race conditions Debugging deadlocks Unit-testing for thread-safety How to use QThread A busy

167 views • 16 slides
1 Crashes, interrupts, and backtrace Watchpoints GDB will automatically stop if the program

1 Crashes, interrupts, and backtrace Watchpoints GDB will automatically stop if the program

Debugging and debuggers Debugging in the development cycle You have probably already had the experience of making Edit a mistake in a program Speaking roughly, debugging is the process: After you know that your code is wrong

911 views • 3 slides
DIY Production Monitoring About Me Co-founder Takipi, JVM Production Debugging. Director,

DIY Production Monitoring About Me Co-founder Takipi, JVM Production Debugging. Director,

DIY Production Monitoring About Me Co-founder Takipi, JVM Production Debugging. Director, AutoCAD Web & Mobile. Software Architect at IAI Aerospace. Coding for the past 16 years - C++, Delphi, .NET, Java. Focus on real-time, scalable

131 views • 11 slides
Production Debugging @ 100mph About Me Co-founder Takipi (God mode in Production Code).

Production Debugging @ 100mph About Me Co-founder Takipi (God mode in Production Code).

Production Debugging @ 100mph About Me Co-founder Takipi (God mode in Production Code). Co-founder VisualTao (acquired by Autodesk). Director, AutoCAD Web & Mobile. Software Architect at IAI Aerospace. Coding for the past 16 years -

910 views • 33 slides
Failure Sketching: A Technique for Automated Root Cause Diagnosis of In-Production Failures

Failure Sketching: A Technique for Automated Root Cause Diagnosis of In-Production Failures

Failure Sketching: A Technique for Automated Root Cause Diagnosis of In-Production Failures Baris Kasikci, Benjamin Schubert, Cristiano Pereira, Gilles Pokam, George Candea Debugging In-Production Software Failures Today 2 Debugging

937 views • 93 slides
Debugging microservices in production Bryan Cantrill CTO bryan@joyent.com @bcantrill

Debugging microservices in production Bryan Cantrill CTO bryan@joyent.com @bcantrill

Debugging microservices in production Bryan Cantrill CTO bryan@joyent.com @bcantrill Debugging in the beginning... Debugging in the beginning... Sir Maurice Wilkes, 1913 - 2010 Debugging in the beginning... Sir Maurice Wilkes, 1913

779 views • 45 slides
Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Chapter 15 Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and set values in memory Execute portions of program Stop execution when (and where) desired Want debugging tools to operate on

274 views • 9 slides
what is WLSSD History 1971 Created by Minnesota Legislature St. Louis River horribly

what is WLSSD History 1971 Created by Minnesota Legislature St. Louis River horribly

The Next Generation of Power Biogas Harnessing Energy from Wastewater what is WLSSD History 1971 Created by Minnesota Legislature St. Louis River horribly polluted Existing facilities inadequate 18 separate river discharges

572 views • 43 slides
Node.js in Production: Postmortem Debugging and Performance Analysis OSCON 2012 David Pacheco

Node.js in Production: Postmortem Debugging and Performance Analysis OSCON 2012 David Pacheco

Node.js in Production: Postmortem Debugging and Performance Analysis OSCON 2012 David Pacheco (@dapsays) Joyent The Rise of Node.js We see Node.js as the confluence of three ideas: JavaScripts friendliness and rich support for

376 views • 27 slides
Scheme problems Unsolved: Printf debugging Solved: Need switch or similar (Clausal

Scheme problems Unsolved: Printf debugging Solved: Need switch or similar (Clausal

Scheme problems Unsolved: Printf debugging Solved: Need switch or similar (Clausal definition, case expression) Only cons for data (Define as many forms as you like: datatype) Wrong number of arguments (typecheck) car or

722 views • 32 slides
Visual Debugging Software What is Debugging Visualization Visualizing

Visual Debugging Software What is Debugging Visualization Visualizing

Visual Debugging Software What is Debugging Visualization Visualizing Program State Incremental interactive unfolding (DDD) Visual Memory Abstract representations (traversal-based) Debugging Focusing: memory

433 views • 5 slides
Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination.

Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination.

Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination. Will also talk about the ddd gui for gdb (lots of value added to gdb). First, debugging in the abstract: Program state is a snapshot

475 views • 20 slides
Debugging the Data Plane with Anteater Haohui Mai, Ahmed Khurshid Rachit Agarwal, Matthew Caesar

Debugging the Data Plane with Anteater Haohui Mai, Ahmed Khurshid Rachit Agarwal, Matthew Caesar

Debugging the Data Plane with Anteater Haohui Mai, Ahmed Khurshid Rachit Agarwal, Matthew Caesar P. Brighten Godfrey, Samuel T. King University of Illinois at Urbana-Champaign Network debugging is challenging Production networks are

929 views • 50 slides
Getting a System to Production and keeping it there Eoin Woods, Endava Content

Getting a System to Production and keeping it there Eoin Woods, Endava Content

Getting a System to Production and keeping it there Eoin Woods, Endava Content Introducing Production Systems What Goes Wrong in Production? Solutions for Production Systems Conclusions 3 Production Systems 4 What is a production

740 views • 44 slides
Stress Factors for Disaster Victims Effects Future uncertainty Uncertainty about residence

Stress Factors for Disaster Victims Effects Future uncertainty Uncertainty about residence

Psychological Stress Factors for Disaster Victims Effects Future uncertainty Uncertainty about residence and workplace security Social prejudice Media influences Differences of climates and customs Characteristics unique to

407 views • 18 slides
Session II Examples and Paradigms Thomas J. Leeper Government Department London School of

Session II Examples and Paradigms Thomas J. Leeper Government Department London School of

Hypotheses > Design Assessing Quality Examples More Designs Session II Examples and Paradigms Thomas J. Leeper Government Department London School of Economics and Political Science Hypotheses > Design Assessing Quality Examples

1.39k views • 122 slides
FIT: A Distributed Database Performance Tradeoff Jose M. Faleiro, Yale University Daniel J.

FIT: A Distributed Database Performance Tradeoff Jose M. Faleiro, Yale University Daniel J.

FIT: A Distributed Database Performance Tradeoff Jose M. Faleiro, Yale University Daniel J. Abadi, Yale University Presented by Bojun Wang FAIRNESS THROUGHPUT ISOLATION 1 Isolation v.s. Throughput and Fairness Strong isolation

542 views • 20 slides
Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski

Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski

Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski Laboratoire dInformatique de Paris 6 Sorbonne Universits UPMC, France cole Polytechnique Fdrale de Lausanne, EPFL IC LACAL, Switzerland

955 views • 58 slides
The true form of evil rarely looks evil on the surface, it seduces us with fair face as it

The true form of evil rarely looks evil on the surface, it seduces us with fair face as it

Webinar: Abortion & Conscientious Objection 2 July 2020 (Adv Keith Matthee SC) 1 As a nation we would be well advised to heed the words of Professor Forstchen in his review on the film Downfall, which exposes the evil of Adolf

490 views • 11 slides
High Performance Transactions via Early Write Visibility Jose Faleiro Daniel Abadi Joseph

High Performance Transactions via Early Write Visibility Jose Faleiro Daniel Abadi Joseph

High Performance Transactions via Early Write Visibility Jose Faleiro Daniel Abadi Joseph Hellerstein Serializability is our gold standard Developers focus on individual transaction correctness System ensures correctness under concurrency

1.19k views • 83 slides
STEVE o E on F FHI HIR NAHDO 2020 Annual Meeting Caprice Edwards Systems Director

STEVE o E on F FHI HIR NAHDO 2020 Annual Meeting Caprice Edwards Systems Director

National Association for Public Health Statistics and Information Systems STEVE o E on F FHI HIR NAHDO 2020 Annual Meeting Caprice Edwards Systems Director cedwards@naphsis.org Who We Are The national nonprofit organization

265 views • 11 slides
New Rewriter Features in FGL Sol Swords Centaur Technology, Inc. ACL2 Workshop 2020 Paper:

New Rewriter Features in FGL Sol Swords Centaur Technology, Inc. ACL2 Workshop 2020 Paper:

New Rewriter Features in FGL Sol Swords Centaur Technology, Inc. ACL2 Workshop 2020 Paper: http://acl2-2020.info/papers/new-rewriter-features.pdf What is FGL? Bit-blasting framework, successor to GL. Core of FGL is a rewriter inspired by

655 views • 16 slides

More recommend