Capability Wrangling Made Easy: Debugging on a Microkernel with - - PowerPoint PPT Presentation

▶

Oct 10, 2022 212 likes •443 views

Dept. of Computer Science, Institute of System Architecture, Operating Systems Group Capability Wrangling Made Easy: Debugging on a Microkernel with Valgrind Aaron Pohle, Bjrn Dbel, Michael Roitzsch, Hermann Hrtig Technische Universitt

SLIDE 1

Dept. of Computer Science, Institute of System Architecture, Operating Systems Group

Capability Wrangling Made Easy: Debugging on a Microkernel with Valgrind

Pittsburgh, 2010-03-17 Aaron Pohle, Björn Döbel, Michael Roitzsch, Hermann Härtig

Technische Universität Dresden, Germany

SLIDE 2

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 2 / 18

Programmers Make Mistakes

void grow_heap(unsigned size) { int idx = alloc_capability(); mem_area mem = mem_alloc(size, idx); return mem->addr; } void shrink_heap(void *addr) { mem_free(addr); }

SLIDE 3

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 3 / 18

Outline

Valgrind and Fiasco.OC
Porting challenges
CapCheck leak detector

SLIDE 4

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 4 / 18

Valgrind: Binary Instrumentation

Valgrind Tool Client Address Space POSIX kernel interface

SLIDE 5

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 5 / 18

Valgrind: Complex Tools

Valgrind Client

Thread 1 Thread 2

Shadow values
Consistency requirement:

Basic blocks must be atomic.

SLIDE 6

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 6 / 18

Fiasco.OC – Capabilities

Fiasco.OC microkernel Task A Task B

1 2 3 1 2 3

A A B B C C

SLIDE 7

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 7 / 18

Porting Valgrind to Fiasco.OC

POSIX environment
Threads
User-level thread control block (UTCB)

– Carries system call payload – Need one for each thread role

User-level memory management

SLIDE 8

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 8 / 18

Fiasco.OC – Memory Management

Region Map Region Manager Client Thread

SLIDE 9

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 9 / 18

Fiasco.OC – Memory Management

Region Map Valgrind Segment List Region Manager Client Thread

RM Proxy

SLIDE 10

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 10 / 18

Page Fault Handling (Linux)

User Thread Kernel

Handle Fault

Page Fault interrupts → basic block

SLIDE 11

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 11 / 18

Page Fault Handling (Fiasco.OC)

User Thread Kernel

Handle Fault

Page Fault interrupts → basic block

Region Manager

SLIDE 12

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 12 / 18

Two basic blocks may execute in parallel.

Solving the Parallelism Problem

Potential solutions:

Eliminate atomicity assumption
Checkpoint & restart for basic blocks
Eliminate special case

SLIDE 13

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 13 / 18

Eliminate special case

User Thread Kernel

Handle Fault

Page Fault interrupts → basic block

Region Manager

Handle Fault

SLIDE 14

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 14 / 18

Virtual Region Manager

Valgrind Segment List Client Thread

C V VRM

SLIDE 15

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 15 / 18

Capability bugs

User-level slot management

– Capability leakage

Advanced feature: capability overmap

– Optimization – Error

SLIDE 16

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 16 / 18

CapCheck

Track CAP_ALLOC / CAP_FREE events

– Cap alloc stack trace

Track capability mappings

– Map stack trace

Track capability invocations

– Protocol ID – Detect mismatches

SLIDE 17

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 17 / 18

Evaluation

LibC wrappers ~ 400 LoC Binary translator 13 LoC System call handling ~ 200 LoC Virtual Region Manager ~ 400 LoC CapCheck tool ~ 200 LoC

SLIDE 18

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 18 / 18

Summary

Valgrind (and tools) running on Fiasco.OC
Memory management issues

– Virtual region manager

CapCheck tool for

– Detecting capability leakage – Detecting capability overmap

SLIDE 19

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 19 / 18

Lessons Learned

Moving POSIX kernel features to user space
Capabilities aid flexibility.

SLIDE 20

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 20 / 18

Valgrind Tools

MemCheck

– Memory leak detector

Helgrind

– Thread checker / race detector

CacheGrind

– Cache profiler

Massif

– Heap profiler

Chronicle-Recorder

– Memory tracer (in the works)

SLIDE 21

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 21 / 18

Non-POSIX Difficulties: Files

Common in Valgrind core:

NSegment s = VG_(lookup_nsegment)(addr); int fd = open(filename, ...) / use segment s */

Problem: only works, if nsegment array stays

constant

– L4Re's open() may establish a new memory mapping modifies nsegment array →

SLIDE 22

VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 22 / 18

Capability Wrangling Made Easy: Debugging on a Microkernel with Valgrind

Pittsburgh, 2010-03-17 Aaron Pohle, Björn Döbel, Michael Roitzsch, Hermann Härtig

Technische Universität Dresden, Germany

Programmers Make Mistakes

void *grow_heap(unsigned size) { int idx = alloc_capability(); mem_area *mem = mem_alloc(size, idx); return mem->addr; } void shrink_heap(void *addr) { mem_free(addr); }

Outline

Valgrind: Binary Instrumentation

Valgrind Tool Client Address Space POSIX kernel interface

Valgrind: Complex Tools

Valgrind Client

Thread 1 Thread 2

Basic blocks must be atomic.

Fiasco.OC – Capabilities

Fiasco.OC microkernel Task A Task B

A A B B C C

Porting Valgrind to Fiasco.OC

– Carries system call payload – Need one for each thread role

Fiasco.OC – Memory Management

Region Map Region Manager Client Thread

Fiasco.OC – Memory Management

Region Map Valgrind Segment List Region Manager Client Thread

RM Proxy

Page Fault Handling (Linux)

User Thread Kernel

Handle Fault

Page Fault Handling (Fiasco.OC)

User Thread Kernel

Handle Fault

Region Manager

Two basic blocks may execute in parallel.

Solving the Parallelism Problem

Potential solutions:

Eliminate special case

User Thread Kernel

Handle Fault

Region Manager

Handle Fault

Virtual Region Manager

Valgrind Segment List Client Thread

C V VRM

Capability bugs

– Capability leakage

– Optimization – Error

CapCheck

– Cap alloc stack trace

– Map stack trace

– Protocol ID – Detect mismatches

Evaluation

LibC wrappers ~ 400 LoC Binary translator 13 LoC System call handling ~ 200 LoC Virtual Region Manager ~ 400 LoC CapCheck tool ~ 200 LoC

Summary

– Virtual region manager

– Detecting capability leakage – Detecting capability overmap

Lessons Learned

Valgrind Tools

– Memory leak detector

– Thread checker / race detector

– Cache profiler

– Heap profiler

– Memory tracer (in the works)

Non-POSIX Difficulties: Files

NSegment *s = VG_(lookup_nsegment)(addr); int fd = open(filename, ...) /* use segment s */

constant

– L4Re's open() may establish a new memory mapping modifies nsegment array →

Valgrind vs. Fiasco.OC Assumptions

(1) There is exactly one pager per thread. (2) There is exactly one region manager per task. (3) Basic blocks are executed atomically.

void grow_heap(unsigned size) { int idx = alloc_capability(); mem_area mem = mem_alloc(size, idx); return mem->addr; } void shrink_heap(void *addr) { mem_free(addr); }

NSegment s = VG_(lookup_nsegment)(addr); int fd = open(filename, ...) / use segment s */