[PPT] - REPT: Reverse Debugging of Failures in Deployed Software Weidong Cui PowerPoint Presentation

SLIDE 1

REPT: Reverse Debugging of Failures in Deployed Software

Weidong Cui1, Xinyang Ge1, Baris Kasikci2, Ben Niu1, Upamanyu Sharma2, Ruoyu Wang3, and Insu Yun4 Microsoft Research1 University of Michigan2 Arizona State University3 Georgia Institute of Technology4

OSDI 2018, Carlsbad, CA

SLIDE 2

What happened before the crash?

SLIDE 3

SLIDE 4

SLIDE 5

SLIDE 6

REPT: Reverse Execution with Processor Trace

SLIDE 7

REPT: Reverse Execution with Processor Trace

Online hardware tracing (e.g., Intel Processor Trace)
Log the control flow with timestamps
Low runtime overhead (1 – 5%)
No data!
Offline binary analysis
Recovers data flow from the control flow

SLIDE 8

SLIDE 9

REPT Data Recovery

Single-threaded execution reconstruction
Multi-threaded execution reconstruction
Multi-threaded execution reconstruction

SLIDE 10

Core Dump Instruction Sequence

+ = ?

Execution History

How to recover

verwritten states

SLIDE 11

lea rbx, [g] mov rax, 1 add rax, [rbx] mov [rbx], rax xor rbx, rbx

SLIDE 12

lea rbx, [g] mov rax, 1 add rax, [rbx] mov [rbx], rax xor rbx, rbx rax=3, rbx=0, [g]=3 rax=3, rbx=?, [g]=3 rax=3, rbx=?, [g]=3 rax=?, rbx=?, [g]=3 rax=?, rbx=?, [g]=3 rax=?, rbx=?, [g]=3 rax=3, rbx=?, [g]=3 rax=?, rbx=?, [g]=3

SLIDE 13

lea rbx, [g] mov rax, 1 add rax, [rbx] mov [rbx], rax xor rbx, rbx rax=3, rbx=0, [g]=3 rax=3, rbx=?, [g]=3 rax=3, rbx=?, [g]=3 rax=?, rbx=?, [g]=3 rax=?, rbx=?, [g]=3 rax=?, rbx=?, [g]=3 rax=?, rbx=g, [g]=3 rax=1, rbx=g, [g]=3 4? rax=3, rbx=g, [g]=3 rax=?, rbx=g, [g]=3 rax=1, rbx=g, [g]=3

SLIDE 14

rax=3, rbx=g, [g]=? rax=1, rbx=g, [g]=? rax=?, rbx=g, [g]=? lea rbx, [g] mov rax, 1 add rax, [rbx] mov [rbx], rax xor rbx, rbx rax=3, rbx=0, [g]=3 rax=3, rbx=?, [g]=3 rax=?, rbx=?, [g]=? rax=3, rbx=g, [g]=3 rax=?, rbx=?, [g]=? rax=?, rbx=g, [g]=? rax=1, rbx=g, [g]=? rax=3, rbx=g, [g]=?

SLIDE 15

lea rbx, [g] mov rax, 1 add rax, [rbx] mov [rbx], rax xor rbx, rbx rax=3, rbx=0, [g]=3 rax=3, rbx=g, [g]=3 rax=3, rbx=g, [g]=? rax=1, rbx=g, [g]=? rax=?, rbx=g, [g]=? rax=?, rbx=?, [g]=? rax=1, rbx=g, [g]=2 rax=?, rbx=g, [g]=2 rax=?, rbx=?, [g]=2 rax=1, rbx=g, [g]=2

SLIDE 16

lea rbx, [g] mov rax, 1 add rax, [rbx] mov [rbx], rax xor rbx, rbx rax=3, rbx=0, [g]=3 rax=3, rbx=g, [g]=3 rax=3, rbx=g, [g]=? rax=1, rbx=g, [g]=2 rax=?, rbx=g, [g]=2 rax=?, rbx=?, [g]=2 rax=3, rbx=g, [g]=2

SLIDE 17

rax=3, rbx=g, [g]=2 rax=1, rbx=g, [g]=2 rax=?, rbx=g, [g]=2 lea rbx, [g] mov rax, 1 add rax, [rbx] mov [rbx], rax xor rbx, rbx rax=3, rbx=0, [g]=3 rax=3, rbx=g, [g]=3 rax=?, rbx=?, [g]=2

SLIDE 18

Key Techniques

Forward Execution
Recovers states before irreversible instructions
Error Correction
Handles errors introduced by “missing” memory writes

SLIDE 19

REPT Data Recovery

Single-threaded execution reconstruction
Multi-threaded execution reconstruction

SLIDE 20

Core Dump Instruction Sequence #1

+ = ?

Execution History

How to determine the thread interleavings?

+

Instruction Sequence #2

SLIDE 21

A D

Time

B C E F G

SLIDE 22

A B C D E F G

Time

A B C D E F G

SLIDE 23

A B C D E F G

Time

A D E B F G C

10

SLIDE 24

A B C D E F G

Time

A D E B F G C

18 or 20 10

SLIDE 25

A B C D E F G

Time

A D E B F G C

10 18 or 20

SLIDE 26

Key Techniques

Hardware Timestamps
Constructs a partial order
Concurrent memory write detection
Constrains their usage to avoid propagating a wrong value

SLIDE 27

With REPT, …

SLIDE 28

Hey, client, turn on tracing next time. I want history information!

SLIDE 29

Demo

SLIDE 30

16 bugs 1-5% overhead 92% accuracy 14 bugs

SLIDE 31

Conclusion

Debugging production failures is important but hard
REPT is a practical reverse debugging solution for production failures
Online hardware tracing to log the control flow with timestamps
Offline binary analysis to recover the data flow with high accuracy
REPT has been deployed on Microsoft Windows