m2-internship/talk-2018-11-uppsala
1
0
Fork 1
Code Issues Pull requests Releases Wiki Activity

Amends while doing beta test

Browse source
This commit is contained in:
Théophile Bastian 2019-10-15 15:57:52 +02:00
parent 5ecaeca632
commit cf661b00a5
1 changed files with 31 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
slides.tex
View file

@ -80,7 +80,7 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\title[] {Reliable and Fast DWARF-based Stack Unwinding} \title[] {Reliable and Fast DWARF-based Stack Unwinding}
\author[\slidecountline]{\textbf{Théophile Bastian}\\ \author[\slidecountline]{\alert{\textbf{Théophile Bastian}}\\
\textbf{Stephen Kell} \\ \textbf{Stephen Kell} \\
\textbf{Francesco Zappa Nardelli}} \textbf{Francesco Zappa Nardelli}}
\date{} \date{}
@ -114,7 +114,7 @@
\vspace{-1em} \vspace{-1em}
\smallskip \smallskip
ONR Vertica \\ ONR VerticA \\
Google Research Fellowship Google Research Fellowship
\end{tcolorbox} \end{tcolorbox}
\end{column} \end{column}
@ -187,7 +187,7 @@ Segmentation fault.
>{\columncolor{Thistle}}l >{\columncolor{Thistle}}l
l l l l l l l l l l l l
>{\columncolor{Apricot}}l} >{\columncolor{Apricot}}l}
~LOC & CFA & rbx & rbp & r12 & r13 & r14 & r15 & ra \\ ~PC & CFA & rbx & rbp & r12 & r13 & r14 & r15 & ra \\
0084950 & rsp+8 & u & u & u & u & u & u & c-8 \\ 0084950 & rsp+8 & u & u & u & u & u & u & c-8 \\
0084952 & rsp+16 & u & u & u & u & u & c-16 & c-8 \\ 0084952 & rsp+16 & u & u & u & u & u & c-16 & c-8 \\
0084954 & rsp+24 & u & u & u & u & c-24 & c-16 & c-8 \\ 0084954 & rsp+24 & u & u & u & u & c-24 & c-16 & c-8 \\
@ -236,6 +236,8 @@ Segmentation fault.
[...] [...]
\end{lstlisting} \end{lstlisting}
\pause{}
\begin{itemize} \begin{itemize}
\item[\textbf{$\longrightarrow$}] \textbf{\alert{constructed} on-demand \item[\textbf{$\longrightarrow$}] \textbf{\alert{constructed} on-demand
by a \alert{Turing-complete stack machine}!} by a \alert{Turing-complete stack machine}!}
@ -312,7 +314,7 @@ Segmentation fault.
\end{frame} \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Unwinding data as an abstract execution of the assembly} \section{Correct by construction unwinding tables: synthesis}
\sectiontitleframe{} \sectiontitleframe{}
\newcommand{\tblrowval}[4]{#1 & #2 & \only<2->{#3} & \only<2->{#4} \\} \newcommand{\tblrowval}[4]{#1 & #2 & \only<2->{#3} & \only<2->{#4} \\}
@ -350,7 +352,7 @@ Segmentation fault.
\begin{itemize} \begin{itemize}
\item the assembly is was generated by a compiler \item the assembly is was generated by a compiler
\item which also generated unwinding data \item which also generated unwinding data
\item and I have a reliable DWARF parser \item and I have a reliable DWARF interpreter
\end{itemize} \end{itemize}
\end{tcolorbox} \end{tcolorbox}
\end{textblock*} \end{textblock*}
@ -382,7 +384,7 @@ Segmentation fault.
\alert{ra = *(\reg{rsp} + 16)}} \alert{ra = *(\reg{rsp} + 16)}}
\only<8>{The unwinding table captures an \alert{abstract execution} \only<8>{The unwinding table captures an \alert{abstract execution}
of the code\ldots} of the code\ldots}
\only<9>{\ldots and thus can be \alert{synthesized from the binary}.} \only<9>{\ldots and thus is \alert{redundant with the binary}.}
\end{overlayarea} \end{overlayarea}
} }
} }
@ -391,36 +393,25 @@ Segmentation fault.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Unwinding data synthesis from binaries} \section{Unwinding data synthesis from binaries}
%\begin{frame}{Why would synthesis be useful?} \begin{frame}{Synthesis strategy}
% \begin{itemize}
% \item As said earlier, \alert{DWARF is complex}
% \item Some compilers \alert{do not generate it}: hard to \alert{debug}
% \& \alert{profile}.
% \item Think of \alert{JIT-compiled assembly} (eg. JVM)
% \item \ldots{}or even \alert{hand-written inlined assembly}!
% \begin{itemize}
% \item Painful enough to write for not bothering with DWARF
% \item May not even be known by the programmer, breaks gdb
% \item May be wrong (remember Linus!)
% \end{itemize}
% \end{itemize}
%\end{frame}
\begin{frame}{How do we actually synthesize?}
\begin{itemize} \begin{itemize}
\item Upon entering a function, we know \item Upon entering a function, we know
\[ \cfa = \reg{rsp} - 8 \[ \cfa = \reg{rsp} - 8
\qquad \ra = \cfa + 8 \] \qquad \ra = \cfa + 8 \]
\item The semantics of each instruction specifies \alert{how it changes \cfa}. \item The semantics of each instruction specifies \alert{how it changes
the \cfa}.
\begin{itemize} \begin{itemize}
\item Heuristic to decide whether we index with \reg{rbp} or \item Heuristic to decide whether we index with \reg{rbp} or
\reg{rsp} \reg{rsp}
\end{itemize} \end{itemize}
\item By performing a symbolic execution, we can \alert{synthesize the \item By performing symbolic execution, we can \alert{synthesize the
unwinding table} line by line. unwinding table} line by line.
\item Control flow: forward data-flow analysis \item Control flow: forward data-flow analysis
\item The fixpoints are immediate, cf article \item The fixpoints are immediate, cf article
\end{itemize} \end{itemize}
\todo{Mettre en boîte}
Implemented on top of CMU's \prog{BAP}
\end{frame} \end{frame}
\begin{frame}{} \begin{frame}{}
@ -457,7 +448,7 @@ Segmentation fault.
>{\columncolor{Thistle}}l >{\columncolor{Thistle}}l
l l l l
>{\columncolor{Apricot}}l} >{\columncolor{Apricot}}l}
LOC & CFA & rbx & rbp & ra \\ ~PC & CFA & rbx & rbp & ra \\
0084950 & rsp+8 & u & u & c-8 \\ 0084950 & rsp+8 & u & u & c-8 \\
0084952 & rsp+16 & u & u & c-8 \\ 0084952 & rsp+16 & u & u & c-8 \\
0084954 & rsp+24 & u & u & c-8 \\ 0084954 & rsp+24 & u & u & c-8 \\
@ -501,7 +492,7 @@ Segmentation fault.
\item \texttt{libunwind-eh\_elf}: alternative implementation using \item \texttt{libunwind-eh\_elf}: alternative implementation using
\ehelfs{} \ehelfs{}
\item[$\leadsto$] almost \alert{``relink-and-play''} for existing projects! \item[$\leadsto$] Same API, almost \alert{``relink-and-play''} for existing projects!
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -519,11 +510,6 @@ Segmentation fault.
\end{itemize} \end{itemize}
\item \alert{Space overhead}: x2.6 to x3 vs. DWARF \item \alert{Space overhead}: x2.6 to x3 vs. DWARF
\vspace{2em}
\item[$\leadsto$] Alternative time/space trade-off, favorable eg. for
profiling.
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -531,13 +517,22 @@ Segmentation fault.
\section*{Conclusion} \section*{Conclusion}
\setcounter{section}{0} \setcounter{section}{0}
\begin{frame}{A lot of things remain to be done!} \begin{frame}{}
\vfill
\centering
\begin{beamercolorbox}[sep=8pt,center,shadow=true,rounded=true]{title}
\Large
What's next?
\end{beamercolorbox}
\vfill
\end{frame}
\begin{frame}{}
\begin{itemize} \begin{itemize}
\item{} Synthesis + compare = verification of unwinding data! \item{} Synthesis + compare = verification of unwinding data!
\item{} Synthesis could be integrated in compilers: support for inline \item{} Integrate synthesis into compilers \& debuggers\\
assembly, fallback, \ldots $\rightarrow$ support for inline assembly, fallback method, \ldots
\item{} Speedup could be implemented in profilers, debuggers, \item{} Integrate into \prog{perf} for a faster analysis
\ldots{}
\item{} Probably many more cool things to do! \item{} Probably many more cool things to do!
\end{itemize} \end{itemize}