Dimension: An Instrumentation Tool for Virtual Execution Environments
Jing Yang, Shukang Zhou and Mary Lou Soffa
Department of Computer Science
University of Virginia
VEE 2006 June 16th 2006 Ottawa, Canada
Motivation
• Increasing usage of VEEs in many areas
  – Performance [Bala et al, PLDI '00]
  – Security [Scott et al, ACSAC '02]
  – Power consumption [Hazelwood et al, ISLPED '04]
• Increasing importance of instrumentation for VEEs
  – Requested by both developers and users
• Challenge: building instrumentation for VEEs
  – When to add instrumentation
    • Instrumentation is added when a VEE is built
      – Repetitive, time-consuming work
      – Only for some preplanned purposes
    • Instrumentation is added after a VEE is built
      – A standalone instrumentation system which can be used by different VEEs for different purposes
      – Even harder
Translation-based VEEs
• We focus on translation-based VEEs
  – Dynamically translate the source binary to a target binary
  – The target binary is stored in a code cache for execution
  – Two binaries are handled simultaneously
    • The input source binary
    • The dynamically generated target binary
• Instrumentation for translation-based VEEs
  – Is performed on both the source binary and the target binary
  – Belongs to binary instrumentation
Dimension
• Flexibility: plug and play
  – Minimum modification to a VEE to use Dimension
  – Minimum reconfiguration of Dimension (architecture, language)
• Comprehensiveness
  – Able to instrument both the source binary and the target binary
  – Instrumentation can be done at various levels of granularity
• Ease of use
  – Simple user specification for instrumentation
• Efficiency
  – Reasonable instrumentation overhead
Relationship between VEEs and Instrumentation
Figure: three ways of relating a VEE and its instrumentation, each running an application on top of OS + hardware.
(a) A VEE with instrumentation built in: significant modification of the VEE, hard to reuse.
(b) A VEE running on top of a separate instrumentation layer: unnecessary translations, unnecessary context-switches.
(c) A VEE with an instrumentation component beside it: easy to reuse, lightweight modification, one translation and context-switch.
Scenario
Figure: a usage scenario. A VEE written in Java that translates IA-32 to MIPS calls Dimension, written in C, at three points: Initialize, Instrument and Finalize. Dimension relies on a binary-editing utility library (IA-32, MIPS, ...) for the architectures involved and on a stub functions library (Java, ...) to bridge the language the VEE is implemented in.
When to Add Instrumentation
Figure: where Dimension attaches to a VEE. The VEE's initializer, dispatcher, translator, code cache and finalizer are shown together with the application; Dimension hooks in at initialization, after a translation unit has been produced, and at finalization. The figure contrasts the VEE's translation unit with Dimension's instrumentation unit.
• Probe-based technique
• Instrument the source binary via the corresponding target binary
• Clear interfaces between Dimension and the VEE
Probe-Based Technique for Variable-length ISA
Figure: an instrumentation unit made of IA-32 instructions of different lengths (2, 2 and 3 bytes):
  01 D8      add eax, ebx
  29 D0      sub eax, edx
  83 C0 12   add eax, 0x12
  ...
A JMP to a trampoline is written over the start of the unit; since the JMP is longer than the 2-byte add, it displaces more than one instruction. The trampoline saves the context, sets up the parameters, calls the analysis routines, restores the context, and executes the displaced original instructions (add eax, ebx; sub eax, edx; add eax, 0x12) before control returns to the unit.
Components and Interfaces
Figure: the VEE's components (initializer, translator, dispatcher, code cache, finalizer) beside Dimension's components (initialization assistant, instrumentation assistant, finalization assistant, instrumentation repository, instrumenter, auxiliary code cache). The VEE calls Dimension through three interface functions:
  void InitDimension();
  void StartInstrumentation(addr src_start, addr src_end, addr tgt_start, addr tgt_end, src_to_tgt_mapping map, bb_info bb);
  void FinalizeDimension();
Instrumentation Algorithms
Figure: data flow inside Dimension. The instrumentation specification is kept in the instrumentation repository. The initialization, instrumentation and finalization assistants sit behind the three interface functions; the instrumentation assistant receives the basic block information, the source-to-target mapping, and the source and target binaries, and the instrumenter derives instrumentation plans (Plan 1, Plan 2, Opt Plan) and emits trampolines into the auxiliary code cache.
Optimizing Instrumentation
• Instrumentation overhead and optimizations
  – Execute the jump which branches to the trampoline
    • Probe coalescing [Kumar et al, PASTE '05]
    • Parameters should remain available if coalesced
  – Perform the context-switch
    • Partial context-switch
    • Registers in most platforms
  – Transfer control to analysis routines
    • Analysis routine inlining
    • Only inline short ones to avoid code expansion
  – Execute analysis routines
    • Lightweight binary-to-binary optimization
Case Study
• Strata [Scott et al, CGO '03]
  – SPARC/Solaris
  – Single-entry translation units
  – Mainly one-to-one mapping from source binary to target binary, except for some control-transfer instructions
• Jikes RVM [Arnold et al, OOPSLA '02]
  – IA-32/Linux
  – Multiple-entry translation units; basic block information provided
  – Mapping from bytecode to machine code is maintained
• Interface insertion points are easily located
Scenario
Figure: Strata (written in C) translating SPARC to SPARC calls Dimension (written in C) at Initialize, Instrument and Finalize. Dimension uses the SPARC part of the binary-editing utility library; no stub functions are needed since both are C.
Scenario
Figure: Jikes RVM (written in Java) translating bytecode to IA-32 calls Dimension (written in C) at Initialize, Instrument and Finalize. Dimension uses the IA-32 part of the binary-editing utility library and Java stub functions from the stub functions library to bridge the two languages.
Evaluation
• Experiments
  – Effectiveness of optimizations
    • Inlining, partial context-switch, probe coalescing
    • Calculating the average number of integer-add instructions executed in each basic block
  – Generality versus efficiency
    • Dimension versus Jazz
    • Branch coverage testing
  – Comparison in traditional execution environments
    • Strata-Dimension versus Valgrind, DynamoRIO and Pin
    • Basic block counting
    • The data for Valgrind, DynamoRIO and Pin is from [Luk et al, PLDI '05]
Effectiveness of Optimizations
Figure: slowdown of target binary instrumentation for Strata under cumulative optimization levels (O0 = NO_OPT, O1 = O0 + INL, O2 = O1 + PCS, O3 = O2 + PC; INL = inlining, PCS = partial context-switch, PC = probe coalescing). Bar labels as extracted, in order: 8.6x, 6.4x, 2.6x, 2.0x.
Effectiveness of Optimizations
Figure: slowdown of target binary instrumentation for Jikes RVM under the same optimization levels (O0 = NO_OPT, O1 = O0 + INL, O2 = O1 + PCS, O3 = O2 + PC). Bar labels as extracted, in order: 2.4x, 2.1x, 1.4x, 1.1x.
Effectiveness of Optimizations
Figure: slowdown of source binary instrumentation for Jikes RVM under the same optimization levels (O0 = NO_OPT, O1 = O0 + INL, O2 = O1 + PCS, O3 = O2 + PC). Bar labels as extracted, in order: 1.7x, 1.5x, 1.1x, 1.2x.
Evaluation
• Generality versus efficiency
  – Dimension versus Jazz [Misurda et al, ICSE '05]
  – Branch coverage testing
Generality versus efficiency
Figure: comparison of slowdown from instrumentation between Jazz and Dimension for branch coverage testing (slowdown axis from 0 to 2x; no bar labels survive extraction).
Evaluation
• Comparison in traditional execution environments
  – Strata-Dimension versus three dynamic instrumentation systems
    • Valgrind [Nethercote, Ph.D. thesis, Univ. of Cambridge, 2004]
    • DynamoRIO [Bruening et al, CGO '03]
    • Pin [Luk et al, PLDI '05]
  – Basic block counting
  – The data for Valgrind, DynamoRIO and Pin is from [Luk et al, PLDI '05]
Comparison in traditional execution environments
Figure: comparison of slowdown from instrumentation in traditional execution environments for basic block counting. Legend order: Valgrind, DynamoRIO, Pin, Strata-Dimension. Bar labels as extracted, in order: 7.5x, 4.9x, 2.3x, 2.6x.
Related Work
• Binary instrumentation systems developed for traditional execution environments
  – Static instrumentation systems
    • ATOM [Srivastava et al, PLDI '94]
    • Cannot handle a VEE's target binary, which is generated on the fly
  – Dynamic instrumentation systems
    • DTrace [Cantrill et al, OSDI '04], Pin [Luk et al, PLDI '05]
    • Cannot handle a VEE's source binary if it is not executable
• Binary instrumentation systems designed for VEEs
  – DynamoRIO [Bruening et al, CGO '03]
  – FIST [Kumar et al, WOSS '04]
  – Tightly bound to a specific VEE
  – Cannot instrument both the source and the target binaries
Conclusion
• Dimension: the first standalone instrumentation tool specially designed for VEEs
• Easy to use with different VEEs
• Generality does not impact efficiency
• Reasonable instrumentation overhead compared to other systems
Instrumentation Specification
An example specification: at the entry of every basic block of the source binary, call record_bb with the block's address and log it to a trace file.

  #include <stdio.h>

  FILE *trace;

  void record_bb(void *addr);

  // Called when the program begins: open the trace and request a call to
  // record_bb at the ENTRY of every SOURCE basic block, passing its address
  EXPORT void DIM_ProgramBegin() {
      trace = fopen("trace.out", "w");
      DIM_InsertBBCall(SOURCE, ENTRY,
                       FUNCPTR(record_bb), ARG_BB_ADDR, ARG_END);
  }

  // Called when the program ends
  EXPORT void DIM_ProgramEnd() {
      fclose(trace);
  }

  // Analysis routine: print a basic block record
  void record_bb(void *addr) {
      fprintf(trace, "%p\n", addr);
  }
Probe-Based Technique
• Replace each instruction with a jump that branches to a trampoline, a code sequence that does the following:
  – Execute the original instruction
  – Perform a context-switch
  – Prepare the parameters for the analysis routine
  – Transfer control to the analysis routine
• Problems with variable-length ISAs
  – A jump is longer than the original instruction
    • A jump replaces several instructions
    • Each instrumentation unit should have a single entry at its top
  – The instrumentation unit is shorter than the size of a jump
    • Use a shorter but more expensive instruction instead of a jump
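The following C program is an added example, not Dimension's code, that works through the probe decisions above for the IA-32 unit shown in the figure (add eax, ebx; sub eax, edx; add eax, 0x12) and encodes the trampoline the slides describe, including the partial context-switch from the optimization slide. It assumes the VEE supplies instruction lengths and a per-instruction branch-target flag (the is_branch_target field is an assumption standing in for the VEE's basic-block information), that the analysis routine is a cdecl C function taking the block address, and the addresses UNIT_ADDR, TRAMP_ADDR and ANALYSIS_ADDR are made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not Dimension's code: plan an IA-32 probe for one
 * instrumentation unit and encode its trampoline. Instruction lengths and
 * branch-target flags are assumed to come from the VEE's basic-block info. */

#define JMP_LEN 5                      /* E9 rel32 */

struct insn { const uint8_t *bytes; uint8_t len; int is_branch_target; };
enum probe_kind { PROBE_JMP, PROBE_TRAP };
struct probe_plan { enum probe_kind kind; size_t displaced_bytes, displaced_insns; };

/* A jmp overwrites whole instructions until at least 5 bytes are covered. That
 * is only safe if none of the displaced instructions after the first is a
 * branch target (single entry at the top of the unit). If the unit is shorter
 * than a jmp, or that condition fails, fall back to a 1-byte int3 over the
 * first instruction alone: shorter, but every hit costs a trap. n must be >= 1. */
struct probe_plan plan_probe(const struct insn *insns, size_t n) {
    struct probe_plan p = { PROBE_TRAP, insns[0].len, 1 };
    size_t covered = 0, i = 0;
    while (i < n && covered < JMP_LEN) {
        if (i > 0 && insns[i].is_branch_target) return p;   /* a jump would land inside the probe */
        covered += insns[i++].len;
    }
    if (covered < JMP_LEN) return p;                        /* unit shorter than a jmp */
    p.kind = PROBE_JMP; p.displaced_bytes = covered; p.displaced_insns = i;
    return p;
}

static uint8_t *put32(uint8_t *o, uint32_t v) {            /* little-endian imm32 / rel32 */
    for (int s = 0; s < 32; s += 8) *o++ = (uint8_t)(v >> s);
    return o;
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* In-place patch: jmp rel32 (or int3) with int3 padding over the rest of the
 * displaced bytes, so a stray entry traps instead of decoding half an instruction. */
size_t emit_patch(const struct probe_plan *p, uint32_t unit_addr, uint32_t tramp_addr, uint8_t *out) {
    memset(out, 0xCC, p->displaced_bytes);
    if (p->kind == PROBE_JMP) { out[0] = 0xE9; put32(out + 1, tramp_addr - (unit_addr + JMP_LEN)); }
    return p->displaced_bytes;
}

/* Trampoline: save context, push the unit address as the analysis argument,
 * call the cdecl analysis routine, drop the argument, restore context,
 * re-execute the displaced instructions, jump back. `partial` is the partial
 * context-switch: a cdecl callee preserves EBX/ESI/EDI/EBP itself, so only
 * EFLAGS and EAX/ECX/EDX are saved; the full form uses pushad/popad.
 * Displaced instructions are assumed position-independent (no relative branches). */
size_t emit_trampoline(const struct probe_plan *p, const struct insn *insns, uint32_t unit_addr,
                       uint32_t tramp_addr, uint32_t analysis_addr, int partial, uint8_t *out) {
    uint8_t *o = out;
    *o++ = 0x9C;                                                               /* pushfd */
    if (partial) { *o++ = 0x50; *o++ = 0x51; *o++ = 0x52; } else *o++ = 0x60; /* push eax,ecx,edx | pushad */
    *o++ = 0x68; o = put32(o, unit_addr);                                      /* push imm32 (bb address) */
    *o++ = 0xE8; o = put32(o, analysis_addr - (tramp_addr + (uint32_t)(o - out) + 4)); /* call rel32 */
    *o++ = 0x83; *o++ = 0xC4; *o++ = 0x04;                                     /* add esp, 4 */
    if (partial) { *o++ = 0x5A; *o++ = 0x59; *o++ = 0x58; } else *o++ = 0x61; /* pop edx,ecx,eax | popad */
    *o++ = 0x9D;                                                               /* popfd */
    for (size_t i = 0; i < p->displaced_insns; i++) { memcpy(o, insns[i].bytes, insns[i].len); o += insns[i].len; }
    *o++ = 0xE9;                                     /* jmp back to the first instruction not displaced */
    o = put32(o, unit_addr + (uint32_t)p->displaced_bytes - (tramp_addr + (uint32_t)(o - out) + 4));
    return (size_t)(o - out);
}

/* The slide's unit: add eax,ebx (01 D8); sub eax,edx (29 D0); add eax,0x12 (83 C0 12).
 * UNIT_MIDENTRY is the same bytes with a branch targeting the sub. Addresses are made up. */
static const uint8_t I0[] = {0x01, 0xD8}, I1[] = {0x29, 0xD0}, I2[] = {0x83, 0xC0, 0x12};
static const struct insn UNIT[] = { {I0, 2, 0}, {I1, 2, 0}, {I2, 3, 0} };
static const struct insn UNIT_MIDENTRY[] = { {I0, 2, 0}, {I1, 2, 1}, {I2, 3, 0} };
#define UNIT_ADDR     0x08048000u
#define TRAMP_ADDR    0x08100000u
#define ANALYSIS_ADDR 0x08200000u

uint8_t demo_patch[8], demo_tramp[64];

/* Encode patch and trampoline for the slide's unit. Returns the trampoline
 * length, or 0 if the encoded jmp does not reach the trampoline or the jmp
 * back does not resume at the first non-displaced instruction. */
size_t demo(int partial) {
    struct probe_plan p = plan_probe(UNIT, 3);
    size_t plen = emit_patch(&p, UNIT_ADDR, TRAMP_ADDR, demo_patch);
    size_t tlen = emit_trampoline(&p, UNIT, UNIT_ADDR, TRAMP_ADDR, ANALYSIS_ADDR, partial, demo_tramp);
    uint32_t jmp_to = UNIT_ADDR + JMP_LEN + get32(demo_patch + 1);
    uint32_t resume = TRAMP_ADDR + (uint32_t)tlen + get32(demo_tramp + tlen - 4);
    return (plen == 7 && jmp_to == TRAMP_ADDR && resume == UNIT_ADDR + 7) ? tlen : 0;
}
```

For the slide's unit the 5-byte jmp displaces all three instructions (2 + 2 bytes is still short of 5), so 7 bytes are overwritten and the trampoline re-executes all three before jumping back. A 3-byte unit on its own, or a unit whose second instruction is a branch target, makes plan_probe fall back to the trap. A real tool also has to make the displaced instructions safe to relocate and flush the instruction cache after patching; neither is shown here.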
Reconfiguration
• For new architectures that VEEs execute on
  – Binary-editing utility library
  – Provides general binary-editing services to Dimension
• For new languages used in VEE implementation
  – Dimension is written in C and compiled as a shared object
  – If a VEE is not implemented in C, stub functions are needed to call the C functions, e.g., via the Java Native Interface
  – Parameter wrapping in stub functions, e.g., for Java
• Dimension itself needs no direct modification
Future Work
• Overcome the ISA and VEE restrictions
  – Fixed-length ISA: limited offset of a jump
  – Variable-length ISA: the short instrumentation unit problem
  – VEE: fragment patching
• Determine the needed information on its own
  – Basic block information and source-to-target mapping
• Automatic reconfiguration
  – Binary-editing utility library and stub functions
• High-level context capture
  – An arbitrary local variable in a Java bytecode method
Acknowledgements
• This paper benefited from fruitful discussions with Naveen Kumar and Jonathan Misurda
• We also thank the anonymous reviewers for their useful suggestions and comments on how to improve the work