Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-3, 2011 Introduction to the PatchAPI Wenbin Fang, Drew Bernat

Paradyn Project

Paradyn / Dyninst WeekMadison, Wisconsin

May 2-3, 2011

Introduction to the PatchAPI

Wenbin Fang, Drew Bernat

2

Motivation: a confluence of two tools


User Mutator

DyninstAPI

Code Patching

find pointinsert snippetdelete snippet

Process

void foo () {

}

void bar () {

}

void baz () {

}

Snippet

Snippet

Snippet

Process

void foo () {

bar()}void bar () {

baz()}void baz () {

}

Instrumenter.so

Code Patching

Snippet

Snippet

Snippet

Dyninst(3rd party instrumentation)

Self-propelled instrumentation(1st party instrumentation)

PatchAPI

PatchAPI

3Introduction to the PatchAPI

AST

Binary

Process

StackwalkerAPI

SymtabAPI

DataFlowAPI

InstructionAPI

ParseAPI

CodeGen

ProcControlAPI

Binary

= Existing Component = New Component

= Proposed

Dyninst and the Components

StackwalkerAPI

ProcControlAPI

Patch API


Binary Code

Binary

Process

SymtabAPI

InstructionAPI

ParseAPI

Binary

= Existing Component = New Component

Self-propelled and the Components

010101111001…

Patch API

5

Outline

o Overviewo Point + Snippet abstractions

o DesignoChallengeso Public + Plugin interfaces

o Applications of PatchAPIoDyninst Reintegrationo Self-propelled instrumentation


6

Abstraction in DyninstAPIBPatch_addressSpace* app = <GET ADDRESS SPACE>BPatch_function* foo = <GET FUNCTION>BPatch_snippet* snippet = <GET SNIPPET>BPatch_Vector<BPatch_point*>* points = NULL;

...points = foo->findPoint(BPatch_entry);

BPatchSnippetHandle* handle1 = app->insertSnippet(snippet, points, BPatch_callBefore);

points = foo->findPoint(BPatch_exit);

BPatchSnippetHandle* handle2 = app->insertSnippet(snippet, points, BPatch_callAfter);

...Introduction to the PatchAPI

FuncEntrySnippet

FuncExitSnippet

Basic Block

Basic Block

Basic Block

CFG of function foo

Point

Snippet

Function Exit

Block Entry

Before Function Call

Before Instruction

Function Entry

During Edge

Dyninst AST

DynC

Binary Code

User-defined

7

Refined Interfaces in PatchAPI

PatchMgrPtr patchMgr = <CREATE>PatchFunction* foo = <GET FUNCTION>SnippetPtr snippet = <GET SNIPPET>vector<PointPtr> points;FilterFunc myfilter;

patchMgr->findPoints(foo, FuncEntry | FuncExit | EdgeDuring | BlockExit, myfilter, back_inserter(points));

patchMgr->batchStart();for (int i = 0; i < points.size(); i++) points[i]->push_back(snippet);patchMgr->batchFinish();

…


Basic Block

Basic Block

Basic Block

FuncEntrySnippet

FuncExitSnippet

EdgeDuring

CFG of function foo

Snippet

BlockExitSnippet

Filter-basedpoint query

Transactionalsemantics

8

Design Challenge 1: Backward Compatibilityo PatchAPI has refined interfaces for code

patching. o Integrating PatchAPI back to dyninst should

keep dyninst interfaces unchanged.


Dyninst

PatchAPI

Code Patching

Functionality

Code Patching

Functionality

PatchAPI

Compatibility Layer

9

Design Challenge 2: Flexibility


Address Space

Snippet

CFG Parsing

InstrumentationEngine

1st Party

3rd PartyBinary RewriterAST

DynC

User-defined

Online Parsing

Stored CFG

In-line

Out-of-line

1st Party

User-defined

Stored CFG

Out-of-line

10

PluginInterface

Internal

Snippet instance at point

Opaque handle

Location + Container

PatchMgr

Point

Snippet

Instance

PatchAPI Public Interface


Binary Patching

Tools

Register plugins + Accept requests

PublicInterface

PatchAPI

11

Patch Manager

o Register pluginso Filter-based point queryo Enforce transactional semantics for

patchingo batchStart / batchFinisho Improve instrumentation performance

oReduce # of IPCs for 3rd party instrumentation.


12

Patch Manager (Cont.)

o Filter-based point queryo Scope

o function, block, edge, or instructiono Point type

oFuncEntry, BlockExit, BeforeCall, BeforeInsn … o Filter function

oUser-implementedoFine grained control

o e.g., Function calls with function name MPI_*o e.g., “push” instructionso …


13

Example // Find Points at Function Exits and Block Exits of // those having two outgoing edgesclass MyFilterFunc { bool operator() (PointPtr pt) { if (pt->type() == FuncExit) return true; PatchBlock* block = <GET BLOCK Containing pt> If (block->targets().size() == 2) return true; return false; } };

vector<PointPtr> output;MyFilterFunc myfilter;PatchFunction* foo = <GET FUNCTION>patchMgr->findPoints (foo, BlockExit | FuncExit, myfilter, back_inserter(output));


Basic Block

Basic Block

Basic Block

CFG of function foo

BlockExit

FuncExit

BlockExit

BlockExit

14

Point, Snippet, and Instanceo Snippet insertion

o Instance iterator

o Snippet removal


foo () {

}

Point

Snippet

Snippet

Snippet

Instance

Instance

Instance

Instance push_back(Snippet);Instance push_front(Snippet);

instance_iterator begin();instance_iterator end();

bool remove(Instance);

15

Address Space

Snippet

CFG Parsing


PluginInterface

PublicInterface

PatchAPI Plugin Interface


Binary Patching

Tools

Internal

PatchAPI

In-line, out-of-line

Online parsing, reuse stored CFG

AST, DynC, user-defined code …

1st party, 3rd party, binary rewriter

16

Address Space

o Memory management primitivesomalloc / realloc / freeowrite / read

o Exampleo 3rd party instrumentation uses ptraceo 1st party instrumentation uses libc


17

Snippet


DynC

if (x == 0) { inf ‘printf("x == 0\n");} else if (x > 3) { inf ‘printf("x > 3\n");} else { inf ‘printf("x < 3 but x != 0\n");}

AST

Binary Code

5548 89 e548 83 ec 2047 45 ec 00 00 00 00 eb 39 b8 00 00 00 00 e8 a8 f5 df ff

…

User-defined:

Provided by us:

18

CFG Parsing


User Mutator

PatchAPI

Process

On demand parsing

Process

Reuse

Parse CFG info

Stored CFG info

User Mutator

PatchAPIReuse CFG

info

Offlne Parser

Patching Patching

19

Address Space

Snippet

CFG Parsing


PluginInterface

PublicInterface

Dyninst Reintegration


DyninstIntern

al

PatchAPI Dyninst Address Space

ParseAPI

In-line

AST

Relocate a group of code,embed snippet

Parse CFG during the runtime of instrumentation

Will support DynC in the future

3rd party, binary rewriter

20

Address Space

Snippet

CFG Parsing


PluginInterface

PublicInterface

Self-propelled instrumentation


Self-propelle

d

Internal

PatchAPIlibc

Stored CFG

Hybrid

Binary code

Out-of-line + In-line

Reuse stored CFG information

A small set of instructions

1st party instrumentation

21

Status


Conception

Interface Design

Dyninst Reintegration

Code Refactoring

√

√ √

Build Self-propelled

instrumentation

22

Summary

o PatchAPI from/back to Dyninsto Point and Snippet

o Design of PatchAPIo Public Interface

oFilter-based Point QueryoTransactional Semantics

o Plugin InterfaceoCustomizing Instrumentation

o To be released with Dyninst 8.0



Question?

Documents

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-3, 2011 Introduction to the PatchAPI Wenbin Fang, Drew Bernat