Interactive Debugging
QuickZoom: A State Alteration and Inspection-based Interactive Debugger

Upload: loreen-bailey

Post on 02-Jan-2016


QZDB Goal: QUICK

State Inspection — Source Code Modification — Compile — Run From Beginning

State Inspection — State Rollback — State Alteration

QZDB Goal: ZOOM

Faulty Program -> (Zoom) -> Faulty Function -> (Zoom) -> Faulty Statement/Variable

QZDB Overview

[Diagram: State Inspection, State Alteration, State Rollback; labels ZOOM and QUICK]

Debugging Process

[Diagram: Incorrect Output or Crash; ERROR; Correct?; State Rollback; State Alteration; State Inspection]

QZDB features

State Alteration
  - predicate switching [ICSE 2006]
  - execution suppression [TOPLAS 2010]

State Inspection
  - record
  - dynamic slice [TOPLAS 2005]
  - prune
  - sbreak
  - conditional breakpoint

State Rollback
  - checkpoint
  - rollback

QZDB

[Workflow diagram, starting from Program Start; labels ZOOM, ZOOM and QUICK mark its stages]

Add State Inspection Enabling Commands
  - Set Checkpoint
  - Set Record region
  - Set breakpoints

Perform State Inspection
  - Compute Slice
  - Navigate Slice
  - Prune Slice

Introduce State Alteration Commands
  - Switch Commands
  - Suppress Commands

Execute program from Begin point

Introduce new State Inspection Enabling Commands
  - Sbreak
  - Set Record Region
  - Set Checkpoints

Select New Begin Point && Rollback Execution

Predicate Switching

The predicate switching interface allows programmers to dynamically change the outcome of a branch.

Benefit
  - root cause speculation
  - avoid source code modification, recompilation and re-execution

Interface
  switch fileName:lineNum [all|once|n]
    all: switch the result of all the execution instances of this predicate
    once: only switch the result of the next execution instance
    n: only switch the result of the N-th execution instance

Predicate Switching - Example

  (qzdb) list
  1: for(i=0; i<N; i++)
  2: {
  3:   if(i>j)
  4:     j++;
  5:   else
  6:     k++;
  7: }
  (qzdb) switch 3 all/once/4

Execution Suppression

The execution suppression interface allows programmers to dynamically suppress the execution of some statement or function invocation.

Benefit
  - bug isolation and root cause speculation
  - avoid repeated source code modification, recompilation and re-execution

Interface
  suppress fileName:lineNum [all|once|n]
    all: suppress all the execution instances of this statement
    once: only suppress the next execution instance
    n: only suppress the N-th execution instance

Execution Suppression - Example

  (qzdb) list
  1: for(i=0; i<N; i++)
  2: {
  3:   array[i]=NULL;
  4: }
  5: do();
  (qzdb) suppress 3 all/once/2
  (qzdb) suppress 5 all/once/1

Dynamic Slice based State Inspection

The dynamic slice interface allows programmers to construct a backwards dynamic slice for the given criterion.

Benefit
  - Programmers can focus and speculate (through predicate switching or execution suppression) only on bug-related statements, which are far fewer than the whole execution trace they face with traditional debuggers.
  - Enhance debugging efficiency

Interface
  slice statement i variable|address [size]|register
  slice statement i
  slice statement

Record on/off

The record interface allows programmers to designate interesting/suspicious code regions for logging and dynamic slicing.

Predicate switching and execution suppression can suggest smaller suspicious code regions for the record interface.

Benefit
  - Enhance logging and slicing efficiency
  - save programmers' time and effort to inspect the slice and reason about the root cause

Interface
  record on/off
  record fileName:lineNum instance on/off

Example

   1: p=…;
   2: i=0;
   3: j=3;
   4: sum=0;
   5: p=i+j;
   6: while(i<N)
   7: {
   8:   w=p*2;
   9:   if(i>=1)
  10:     j++;
  11:   else
  12:     j--;
  13:   p+=j;
  14:   sum+=j;
  15:   i++;
  16: }
  17: k=sum; //wrong sum

[Figures: Control Flow Graph; Execution with N=1]

Compute Dynamic Slice - Example

   1: p=x;
   2: i=0;
   3: j=3;
   4: sum=0;
   5: p=i+j;
   6: while(i<N)
   7: {
   8:   w=p*2;
   9:   if(i>=1)
  10:     j++;
  11:   else
  12:     j--;
  13:   p+=j;
  14:   sum+=j;
  15:   i++;
  16: }
  17: k=sum;

  (qzdb) record on
  (qzdb) record off
  (qzdb) slice 17 1 sum

Dynamic Slice

  1: 17^1 -> 14^1 due to sum
  2: 14^1 -> 12^1 due to j
  3: 12^1 -> 9^1 due to CD
  4: 14^1 -> 6^1 due to CD
  5: 9^1 -> 6^1 due to CD
  6: 14^1 -> 4^1 due to sum
  7: 12^1 -> 3^1 due to j
  8: 9^1 -> 2^1 due to i
  9: 6^1 -> 2^1 due to i

Prune Slice

The prune interface allows programmers to exclude dependence edges regarding user-specified confident variables from the generated slice.

It is useful when programmers are pretty sure that the values of some variables are correct.

Benefit
  - Irrelevant or less important statements can be significantly suppressed.
  - save programmers' time and effort to inspect the slice and reason about the root cause

Interface
  prune slice_id variable list

Prune Slice - Example

  (qzdb) list
   1: p=x;
   2: i=0;
   3: j=3;
   4: sum=0;
   5: p=i+j;
   6: while(i<N)
   7: {
   8:   w=p*2;
   9:   if(i>=1)
  10:     j++;
  11:   else
  12:     j--;
  13:   p+=j;
  14:   sum+=j;
  15:   i++;
  16: }
  17: k=sum;
  (qzdb) record off
  (qzdb) slice 17 1 sum
  (qzdb) prune 2 i, j

[Figures: Dynamic Slice, Slice Id = 2; Pruned Dynamic Slice, Slice Id = 2]

Sbreak

The sbreak interface allows programmers to generate a breakpoint at the statements in the slice.

Benefit
  - set breakpoints more efficiently and easily

Interface
  sbreak slice_id s1,s2, ...
  sbreak slice_id all

Breakpoint Slice - Example

   1: p=x;
   2: i=0;
   3: j=3;
   4: sum=0;      //insert a breakpoint
   5: p=i+j;
   6: while(i<N)  //insert a breakpoint
   7: {
   8:   w=p*2;
   9:   if(i>=1)
  10:     j++;
  11:   else
  12:     j--;
  13:   p+=j;
  14:   sum+=j;
  15:   i++;
  16: }
  17: k=sum;

  (qzdb) record off
  (qzdb) slice 17 1 sum
  (qzdb) prune 2 i, j
  (qzdb) sbreak 2 s1, s2

[Figure: Pruned Dynamic Slice, Slice Id = 2]
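An added example (not from the slides or the QZDB code base): a small trace-based backward dynamic slicer with pruning, run on a constructed trace of the 17-line program above for N=1, covering both the slice and the prune examples. The trace encoding and the names `Ev`, `TRACE`, `dependence_edges` and `backward_slice` are assumptions made for illustration; per the slides, QZDB computes its slices on top of Pin.

```python
from collections import namedtuple

# One executed statement instance: line, instance, defs, uses, controlling predicate.
Ev = namedtuple("Ev", "line inst defs uses cd")

# Constructed trace of the 17-line example for N=1. Assumption: N and x are
# set outside the recorded region, so reading them produces no edge.
TRACE = [
    Ev(1, 1, ["p"], ["x"], None),
    Ev(2, 1, ["i"], [], None),
    Ev(3, 1, ["j"], [], None),
    Ev(4, 1, ["sum"], [], None),
    Ev(5, 1, ["p"], ["i", "j"], None),
    Ev(6, 1, [], ["i", "N"], None),
    Ev(8, 1, ["w"], ["p"], (6, 1)),
    Ev(9, 1, [], ["i"], (6, 1)),
    Ev(12, 1, ["j"], ["j"], (9, 1)),
    Ev(13, 1, ["p"], ["p", "j"], (6, 1)),
    Ev(14, 1, ["sum"], ["sum", "j"], (6, 1)),
    Ev(15, 1, ["i"], ["i"], (6, 1)),
    Ev(6, 2, [], ["i", "N"], (6, 1)),
    Ev(17, 1, ["k"], ["sum"], None),
]

def dependence_edges(trace):
    """Return (user, provider, label) edges; label is a variable name or 'CD'."""
    last_def, edges = {}, []
    for ev in trace:
        node = (ev.line, ev.inst)
        edges += [(node, last_def[v], v) for v in ev.uses if v in last_def]
        if ev.cd:
            edges.append((node, ev.cd, "CD"))  # control dependence
        last_def.update(dict.fromkeys(ev.defs, node))
    return edges

def backward_slice(edges, line, inst, var, confident=()):
    """Slice on `var` at line^inst; edges due to `confident` variables are pruned."""
    start = (line, inst)
    seen, work, kept = {start}, [start], []
    while work:
        node = work.pop()
        for src, dst, label in edges:
            follow = node != start or label == var  # criterion names one variable
            if src == node and label not in confident and follow:
                kept.append((src, dst, label))
                if dst not in seen:
                    seen.add(dst)
                    work.append(dst)
    return sorted({n[0] for n in seen}), kept
```

`backward_slice(dependence_edges(TRACE), 17, 1, "sum")` returns the nine edges listed in the Dynamic Slice above; adding `confident=("i", "j")` leaves lines 4, 6, 14 and 17, which include the two lines where the sbreak example inserts breakpoints.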

Conditional Breakpoint

The extended conditional breakpoint interface allows programmers to set conditional breakpoints for standard library functions, whose source code is often unavailable.

Benefit
  - Designed for memory-related bugs
  - selectively and efficiently capture critical library function invocations

Interface
  breakpoint library function [if condition]
    if write/read/access address [size]
    if argN|ret==value

Conditional Breakpoint - Example

  (qzdb) rollback 3
  (qzdb) list
  1: str=malloc(N*sizeof(char)); //suppose checkpoint 3 is saved here
  2: …
  3: …
  4: …
  5: free(str);
  6: …
  7: p=str;
  8: free(p); //suppose the address of p is Addr /*crash point*/
  (qzdb) breakpoint malloc if ret==Addr
  (qzdb) breakpoint free if arg1==Addr
  (qzdb) breakpoint free if write Addr

State Rollback Interfaces

The state rollback interfaces allow programmers to restore the program state to a previous point.

Benefit
  - useful for repeated debugging (repeated state inspection, state alteration in SAID)
  - avoid repeated execution from start

Interface
  checkpoint
  rollback checkpoint_id

Checkpoint & Rollback - Example

  (qzdb) list
  1: for(i=0; i<N; i++)
  2: {
  3:   array[i]=NULL;
  4: }
  5: process(job);
  (qzdb) checkpoint
  Checkpoint 2 at 0x80482b7: file tidy.c, line 1. You can rollback the program state to this checkpoint by rollback 2
  (qzdb) list
  5: process(job);
  6: …
  (qzdb) rollback 2

Case Studies

Benchmark Overview


QZDB Demo

Stack Smashing bug in ncompress-4.2.4

QZDB – Implementation

[Architecture diagram: Programmer; KDbg; GDB; Remote Debugging Protocol; Pin; Dynamic Slicing; Checkpoint & Rollback; Other Commands; Program Binary]

QZDB Implementation

  - GDB provides the monitor command for remote debugging. It can send arbitrary commands to the remote monitor and is designed for extending GDB.
  - We use the monitor command to support the new commands implemented based on Pin.
      monitor slice linenum instance variable
  - Modify GDB to preprocess the monitor command
      - mapping from source lines to program addresses (ref info line)
      - mapping from variable names to memory addresses (ref print &a)
  - Modify GDB to post-process the generated slice

Dynamic Slice Time & Space Overhead

  Program       MS/K instr.   KB/K instr.
  tidy          11.3          35.6
  ncompress     8.4           45.4
  bc            15.6          33.8
  ghostscript   11.4          53.9
  tar           58.6          40.4

Future Plan

More State Alteration features
  - Insert a statement
  - Replace a statement
  - Automatically patch source code

Combination of Slice and Reversible Debugging
  - Allow reverse execution along dependence edge
  - Easy forward and backward source code navigation along slice

User Studies
  - Comparison of debugging efficiency between QZDB and GDB


Question?