Capability Wrangling Made Easy: Debugging on a Microkernel with - PowerPoint PPT Presentation

Dept. of Computer Science, Institute of System Architecture, Operating Systems Group Capability Wrangling Made Easy: Debugging on a Microkernel with Valgrind Aaron Pohle, Björn Döbel, Michael Roitzsch, Hermann Härtig Technische Universität Dresden, Germany Pittsburgh, 2010-03-17

Programmers Make Mistakes void *grow_heap( unsigned size) { int idx = alloc_capability(); mem_area *mem = mem_alloc(size, idx); return mem->addr; } void shrink_heap( void *addr) { mem_free(addr); } VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 2 / 18

Outline • Valgrind and Fiasco.OC • Porting challenges • CapCheck leak detector VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 3 / 18

Valgrind: Binary Instrumentation Client Valgrind Tool Address Space POSIX kernel interface VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 4 / 18

Valgrind: Complex Tools • Shadow values • Consistency requirement: Basic blocks must be atomic. Thread 1 Thread 2 Valgrind Client VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 5 / 18

Fiasco.OC – Capabilities Task A Task B 0 0 1 1 2 2 3 3 A B C A B C Fiasco.OC microkernel VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 6 / 18

Porting Valgrind to Fiasco.OC • POSIX environment • Threads • User-level thread control block (UTCB) – Carries system call payload – Need one for each thread role • User-level memory management VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 7 / 18

Fiasco.OC – Memory Management Region Client Manager Thread Region Map VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 8 / 18

Fiasco.OC – Memory Management Region Client Manager Thread RM Proxy Region Map Valgrind Segment List VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 9 / 18

Page Fault Handling (Linux) Page Fault interrupts → basic block User Thread Kernel Handle Fault VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 10 / 18

Page Fault Handling (Fiasco.OC) Page Fault interrupts → basic block User Thread Region Handle Fault Manager Kernel VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 11 / 18

Solving the Parallelism Problem Two basic blocks may execute in parallel. Potential solutions: • Eliminate atomicity assumption • Checkpoint & restart for basic blocks • Eliminate special case VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 12 / 18

Eliminate special case Page Fault interrupts → basic block User Thread Region Handle Fault Handle Fault Manager Kernel VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 13 / 18

Virtual Region Manager V Client VRM Thread C Valgrind Segment List VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 14 / 18

Capability bugs • User-level slot management – Capability leakage • Advanced feature: capability overmap – Optimization – Error VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 15 / 18

CapCheck • Track CAP_ALLOC / CAP_FREE events – Cap alloc stack trace • Track capability mappings – Map stack trace • Track capability invocations – Protocol ID – Detect mismatches VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 16 / 18

Evaluation LibC wrappers ~ 400 LoC Binary translator 13 LoC System call handling ~ 200 LoC Virtual Region Manager ~ 400 LoC CapCheck tool ~ 200 LoC VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 17 / 18

Summary • Valgrind (and tools) running on Fiasco.OC • Memory management issues – Virtual region manager • CapCheck tool for – Detecting capability leakage – Detecting capability overmap VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 18 / 18

Lessons Learned • Moving POSIX kernel features to user space • Capabilities aid flexibility. VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 19 / 18

Valgrind Tools • MemCheck – Memory leak detector • Helgrind – Thread checker / race detector • CacheGrind – Cache profiler • Massif – Heap profiler • Chronicle-Recorder – Memory tracer (in the works) VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 20 / 18

Non-POSIX Difficulties: Files • Common in Valgrind core: NSegment *s = VG_(lookup_nsegment)(addr); int fd = open(filename, ...) /* use segment s */ • Problem: only works, if nsegment array stays constant – L4Re's open() may establish a new memory mapping modifies nsegment array → VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 21 / 18

Valgrind vs. Fiasco.OC Assumptions (1) There is exactly one pager per thread . (2) There is exactly one region manager per task . (3) Basic blocks are executed atomically . VEE '10, 2010-03-17 Capability Wrangling Made Easy Slide 22 / 18