dynamic analysis tools considered difficult
play

Dynamic analysis tools considered difficult (to write) Stephen Kell - PowerPoint PPT Presentation

Jan 14, 2024 •39 likes •459 views

Dynamic analysis tools considered difficult (to write) Stephen Kell stephen.kell@usi.ch University of Lugano including joint work with Danilo Ansaloni, Yudi Zheng, Walter Binder (U. Lugano) Lubom r Bulej, Luk a s Marek, Petr T

  1. Dynamic analysis tools considered difficult (to write) Stephen Kell stephen.kell@usi.ch University of Lugano including joint work with Danilo Ansaloni, Yudi Zheng, Walter Binder (U. Lugano) Lubom´ ır Bulej, Luk´ aˇ s Marek, Petr T˚ uma (Charles University, Prague) Dynamic analysis tools. . . – p.1/38

  2. Programming is hard Dynamic analysis tools. . . – p.2/38

  3. Program analyses can help Static analysis: analyse all executions � infinitely many executions → need abstraction � approximate statements... � ... about “the program” � e.g. compiler reasoning, type checker, other verifiers... Dynamic analyses: analyse a single execution � precise statements... � ... about “the execution” � e.g. profiler, debugger, Valgrind, other bugfinders... Dynamic analysis tools. . . – p.3/38

  4. Writing dynamic analyses Straw poll: who here has written a dynamic analysis? Dynamic analysis tools. . . – p.4/38

  5. Writing dynamic analyses Straw poll: who here has written a dynamic analysis? What about something like this? /* ... */ x = 0; } else { x is %d \ n", x); printf("DEBUG: something happened! /* ... */ } Dynamic analysis tools. . . – p.4/38

  6. Instrumentation You’ve just (manually) instrumented your program � collect (retain) program state � ... for further processing � somewhat intuitive Most dynamic analyses are implemented this way � often preferable to modifying runtime � but: specify instrumentation programmatically Dynamic analysis tools. . . – p.5/38

  7. Programmatic instrumentation Here you go: static IRSB ∗ ar instrument ( VgCallbackClosure ∗ closure, IRSB ∗ sb in, VexGuestLayout ∗ layout, VexGuestExtents ∗ vge, IRType gWordTy, IRType hWordTy ) { // imperatively manipulate instructions } Dynamic analysis tools. . . – p.6/38

  8. More friendly abstractions could help Usually we add code before/after certain features : � function/method calls and returns � memory access � synchronization operations � loop back edges � ... Want to exploit this for more declarative instrumentation � can we borrow any existing approaches? Dynamic analysis tools. . . – p.7/38

  9. Aspect-oriented programming AOP lets us quantify over execution events � “pointcuts” are expressions capturing such events � e.g. call(void Point.setX(int)) Then we can insert code to do some extra work � before(): System.out.println(”about to...”); � “weaving” splices the code in at compile- or load-time Dynamic analysis tools. . . – p.8/38

  10. DiSL redux Existing AOP systems aren’t optimal for instrumentation � lack of join points e.g. basic blocks, instructions � lack of coverage, e.g. inside core libraries � overly dynamic semantics limit performance DiSL is an AOP-inspired instrumentation tool for the JVM � good coverage ( ≈ “full bytecode coverage”; more later) � good performance � open joint point model Centres on a “Java-hosted” domain-specific language... Dynamic analysis tools. . . – p.9/38

  11. Trivial example @Before(marker=BodyMarker. class , scope=”Point.setX(int)”) static void mySnippet( ) { System.out.println(”about to ... ” ); } Dynamic analysis tools. . . – p.10/38

  12. Bigger example: allocation counter @AfterReturning(marker = BytecodeMarker. class , args = ”new”) public static void beforeAlloc(MethodStaticContext ma, DynamicContext dc) { Analysis.instance(). onObjectInitialization ( dc.getStackValue(0, Object. class ), // allocated object ma.getAllocationSite() ); } + similar for other bytecodes newarray , multinewarray , ... Dynamic analysis tools. . . – p.11/38

  13. Parvum in multo How can I build an analysis a bit like yours? � answer: copy–paste, of course From: Nicholas Nethercote Date: Thu, 10 Mar 2011 14:17:26 -0800 (snip) Really, I think the easiest way to do these things is to just modify Memcheck. Dynamic analysis tools. . . – p.12/38

  14. Composition and decomposition DiSL-style snippets don’t compose or decompose easily � snippet and its quantifier (annotations) are one unit � snippet is opaque Java code – could do anything � hands off through user-defined inteface � no ready-made abstractions of common-case structures � snippet-based design defeats Java inheritance � still bad at the things Java is bad at Dynamic analysis tools. . . – p.13/38

  15. Let’s be FRANC (1) FRANC is a system for analysis composition � observation: analyses update state in reaction to events � let’s build abstractions at this level, instead of snippets! FRANC decomposes analyses using the following equation. Analysis = Instrumentation + ShadowMapping + ShadowValues Dynamic analysis tools. . . – p.14/38

  16. Let’s be FRANC (2) ������������ �������������� ���������������� ��������������� ��������������� ������� ������ ��������������� ������� ������� ������� This is a basic block coverage tool. Dynamic analysis tools. . . – p.15/38

  17. Let’s be FRANC (3) ������������ �������������� ���������������� ��������������� ��������������� ��� ������ ��������������� ��� ��� ��� Now it’s a basic block hotness profiler. Dynamic analysis tools. . . – p.16/38

  18. Let’s be FRANC (4) ��������������� �������������� ������������ ���������������� ������������������ ��������������� �������������������� ������������������������ ������������������������ ������������������������ ������� ������������������� ������������������������ ���������� ������������������������ ������������������������ ������������� ����������� Now it’s a context-sensitive hotness and allocation profiler... Dynamic analysis tools. . . – p.17/38

  19. FRANC example: counting field accesses Map < String, AtomicLong > fieldAccesses = new ShadowMap <> (...); class FieldMapper extends ThreadLocal < String > implements AfterCompletion < FieldAccess > { public void afterCompletion(FieldAccess codeRegion) { set(FieldAccessContext.getFullFieldName(codeRegion)); } } FieldMapper currentField = new FieldMapper(); Analysis < FieldAccess > updater = new PostIncrement <> (fieldAccesses, cu FRANC.deploy(FRANC.complete(currentField, updater)); Dynamic analysis tools. . . – p.18/38

  20. FRANC design summary � event-based programming model � instrumentation produces events � “mappers” group events spatially � shadow value updaters aggregate events over time Both mappers and updaters consume events � e.g. CCT consumes method call/return events... � separately, shadow values consume BB events � CCT “routes” BB events to the relevant counter � wart: processing order still specified manually Dynamic analysis tools. . . – p.19/38

  21. FRANC results Improvements: � FRANC allows library-based analysis development � � event sources, mappers, shadow values Performance redux: � a bit slower than manual DiSL, but not too much � typically 25–30% additional overhead More detail, case studies etc. in forthcoming ECOOP paper Dynamic analysis tools. . . – p.20/38

  22. The trouble with Java Java is a simple language, but JVM is very complex. Remember this guy? @AfterReturning(marker = BytecodeMarker. class , args = ”new”) public static void beforeInitialization (MethodStaticContext ma, DynamicContext dc) { / ∗ ... ∗ / } To record all the memory allocations, you need to � add two more snippets (each with subtleties) � implement JVMTI’s VMObjectAlloc hook � add some JNI function interposition ... and even then, your picture is incomplete Dynamic analysis tools. . . – p.21/38

  23. An “innocuous” example (using DiSL) public class TargetClass { public static void main(String[] args) { System.err.println (”MAIN”); } } public class DiSLClass { @Before(marker = BodyMarker. class , scope = ”java.lang.Object. ∗ ”) public static void onMethodExit(MethodStaticContext msc) { System.err.print(”.” ); } } Dynamic analysis tools. . . – p.22/38

  24. A choice quotation (from http://docs.oracle.com/javase/6/docs/technotes/guides/jvmti/ ) ‘Typically, these alterations are to add “events” to the code of a method —for example, to add, at the beginning of a method, a call to MyProfiler.methodEntered() . Since the changes are purely additive, they do not modify application state or behavior.’ Purely additive? Dynamic analysis tools. . . – p.23/38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Statically-informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities 16th

Statically-informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities 16th

learn invent impact Statically-informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities 16th IEEE Interna,onal Working Conference on Source Code Analysis and Manipula,on (SCAM 2016) October 2, 2016 Benjamin Holland,

327 views • 32 slides
with Dynamic Information Flow Analysis Mona Attariyan Jason Flinn University of Michigan

with Dynamic Information Flow Analysis Mona Attariyan Jason Flinn University of Michigan

Automating Configuration Troubleshooting with Dynamic Information Flow Analysis Mona Attariyan Jason Flinn University of Michigan Configuration Troubleshooting Is Difficult Software systems Users make mistakes difficult to configure Mona

644 views • 60 slides
Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic

Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic

Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic memory 2013/2014B Subjects Introducing shape analysis TVLA method Cutpoint-free method Separation logic method Conclusion &amp;

1.38k views • 70 slides
Program Analsysis Tools Steven J Zeil April 18, 2013 Program Analsysis Tools Outline

Program Analsysis Tools Steven J Zeil April 18, 2013 Program Analsysis Tools Outline

Program Analsysis Tools Program Analsysis Tools Steven J Zeil April 18, 2013 Program Analsysis Tools Outline Program Analsysis Tools Analysis Tools Static Analysis style checkers data flow analysis Dynamic Analysis

937 views • 45 slides
Short presentation Blind people have always considered the study of Mathematics as a difficult

Short presentation Blind people have always considered the study of Mathematics as a difficult

Short presentation Blind people have always considered the study of Mathematics as a difficult problem to solve, that strongly hindered the chance to approach scientific studies for generations of visually impaired people. The use of computer is

223 views • 3 slides
PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis Tools with Easy-to-use Dynamic Instrumentation Portable Transparent Luk et al PLDI 2005 Efficient Presented by Godmar Back

223 views • 5 slides
Dynamic Motion Simulation ME 24-688 Introduction to CAD/CAE Tools Lecture Topics Dynamic

Dynamic Motion Simulation ME 24-688 Introduction to CAD/CAE Tools Lecture Topics Dynamic

Week 11 - Lecture Dynamic Motion Simulation ME 24-688 Introduction to CAD/CAE Tools Lecture Topics Dynamic Simulation Overview Common Use Cases and Terms Dynamic Simulation Workflow Joint Properties and Types Dynamic

575 views • 40 slides
Hotel Example: ROI Analysis The ROI Analysis needs to be done on all design options considered in

Hotel Example: ROI Analysis The ROI Analysis needs to be done on all design options considered in

Hotel Example: ROI Analysis The ROI Analysis needs to be done on all design options considered in a Feasibility Study. Option 1: Stay with Current System Background Information Note: For this hypothetical example we have made up reasonable

546 views • 5 slides
Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu, Hong, Patrick A. V. Hall, and John H. R. May, &quot;Software Unit Test Coverage and Adequacy,&quot; ACM Computing Surveys, vol. 29, no.4, pp.

1.03k views • 58 slides
DCR Tools A quick tour of tools for Dynamic Condition Response graphs Thomas T. Hildebrandt &amp;

DCR Tools A quick tour of tools for Dynamic Condition Response graphs Thomas T. Hildebrandt &amp;

DCR Tools A quick tour of tools for Dynamic Condition Response graphs Thomas T. Hildebrandt &amp; Sren Debois IT University of Copenhagen (and joint work with R. Mukkamala, T. Slaats, M. Marquard, F. Zanitti) Dagstuhl Seminar 17051 Theory and

756 views • 56 slides
Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring Meeting Martin Eling, University of Ulm Thomas Parnitzke, Baloise Holding San Diego, May 23-26, 2010 Hato Schmeiser, University of St. Gallen Hato

639 views • 30 slides
Program Code Analyzers Agenda The Problem Dynamic and Static Tools Examples of

Program Code Analyzers Agenda The Problem Dynamic and Static Tools Examples of

Generic Programming and Library Development The Problems Presentation on Program Code Analyzers Dynamic and Static Tools May 18 th 2007 Examples of Tools Program Code Analyzers Agenda The Problem Dynamic and Static Tools

388 views • 13 slides
DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined

DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined

DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined somewhere else (another file in our project, a library, etc) In compiler-speak, we want symbols with external linkage I only really care

563 views • 39 slides
Analysis and Parallelization Optimizations of Weather Codes Jess Labarta BSC Petascale Tools

Analysis and Parallelization Optimizations of Weather Codes Jess Labarta BSC Petascale Tools

www.bsc.es Analysis and Parallelization Optimizations of Weather Codes Jess Labarta BSC Petascale Tools Workshop, Madison, August 4 th 2014 Earth and Climate A complex system Multicomponent Dynamic High impact Societal,

789 views • 36 slides
various analysis, and all necessary analysis tools

various analysis, and all necessary analysis tools

Analysis page includes topics for analysis, descriptions of various analysis, and all necessary analysis tools

512 views • 9 slides
Inequality Analysis Tools Conchita DAmbrosio conchita.dambrosio@uni.lu Based on: My papers:

Inequality Analysis Tools Conchita DAmbrosio conchita.dambrosio@uni.lu Based on: My papers:

Inequality Analysis Tools Conchita DAmbrosio conchita.dambrosio@uni.lu Based on: My papers: Deprivation and Social Exclusion (joint with W. Bossert and V. Peragine), Economica , 74, 777-803, 2007. Dynamic Measures of

979 views • 82 slides
Model-free, Model-based, and General Intelligence Hector Geffner ICREA &amp; Universitat Pompeu

Model-free, Model-based, and General Intelligence Hector Geffner ICREA &amp; Universitat Pompeu

Model-free, Model-based, and General Intelligence Hector Geffner ICREA &amp; Universitat Pompeu Fabra Barcelona, Spain IJCAI-ECAI 2018 Outline AI, Programming, and AI programming Problem of Generality Model-free Learners

761 views • 31 slides
Test automation / JUnit Building automatically repeatable test suites JUnit in Eclipse For

Test automation / JUnit Building automatically repeatable test suites JUnit in Eclipse For

Test automation / JUnit Building automatically repeatable test suites JUnit in Eclipse For this course, we will use JUnit in Eclipse It is automatically a part of Eclipse One documentation site (all one line

1.41k views • 36 slides
min L ( ) - GANs: Hard (different) optimization problem: minimax. Gauthier Gidel

min L ( ) - GANs: Hard (different) optimization problem: minimax. Gauthier Gidel

SVRE: NEW METHOD FOR TRAINING GAN S G AUTHIER G IDEL Mila, Universit e de Montr eal Research intern at Element AI G ENERATIVE M ODELING AND M ODEL -B ASED R EASONING FOR R OBOTICS AND AI W ORKSHOP June 14, 2019 R EDUCING N OISE IN GAN T

705 views • 32 slides
A Small Reflection On Group Automorphisms Franc ois Garillot Mathematical Components

A Small Reflection On Group Automorphisms Franc ois Garillot Mathematical Components

A Small Reflection On Group Automorphisms Franc ois Garillot Mathematical Components Microsoft Research - INRIA Joint Centre Orsay, France 1 The Coq Proof Assistant 2 The Coq Proof Assistant + SSReflect V 1.1 : Just released !

761 views • 40 slides
The Fermat cubic, elliptic functions, continued fractions, and a combinatorial excursion Philippe

The Fermat cubic, elliptic functions, continued fractions, and a combinatorial excursion Philippe

2 y 1 0 -1 0 1 2 x -1 The Fermat cubic, elliptic functions, continued fractions, and a combinatorial excursion Philippe Flajolet INRIA Rocq. (France) Grenoble, S eorie des Nombres February 14, 2007 eminaire de Th Based on joint

614 views • 30 slides
A Conservative Extension of Synchronous Data-flow with State Machines Marc Pouzet LRI

A Conservative Extension of Synchronous Data-flow with State Machines Marc Pouzet LRI

A Conservative Extension of Synchronous Data-flow with State Machines Marc Pouzet LRI Marc.Pouzet@lri.fr Journ ees FAC 15 16 mars 2007 Toulouse Joint work with Jean-Louis Cola co, Gr egoire Hamon and Bruno Pagano 1 A Bit of

551 views • 53 slides
Learning invariance with a large number of objects Recognizing from one example = ? No

Learning invariance with a large number of objects Recognizing from one example = ? No

P ATTERN R ECOGNITION FROM O NE E XAMPLE BY C HOPPING Franc ois Fleuret EPFL LCN / CVLAB Gilles Blanchard Fraunhofer FIRST 1 R ECOGNITION FROM O NE E XAMPLE Given a single training example, find the same object in the test images:

275 views • 25 slides
Nathan, Rick, Steven, Willy Team Members Nathan Bornfreund Rick Franc Steven Landis Willy Tu

Nathan, Rick, Steven, Willy Team Members Nathan Bornfreund Rick Franc Steven Landis Willy Tu

Nathan, Rick, Steven, Willy Team Members Nathan Bornfreund Rick Franc Steven Landis Willy Tu Background TrueVision Alcon (TVA) help surgeons during operation by providing 3D surgical visualization Captured with a robotic stereoscopic

377 views • 27 slides

More recommend