interactive debugging quickzoom: a state alteration and inspection-based interactive debugger

QZDB Goal
QUICK:
State Inspection—Source Code Modification — Compile —Run From Beginning
State Inspection—State Rollback—State Alteration

Debugging Process
[Diagram: Incorrect Output or Crash; ERROR; Correct?; State Rollback; State Alteration; State Inspection]

QZDB features
State Alteration: predicate switching [ICSE 2006], execution suppression [TOPLAS 2010]
State Inspection: record, dynamic slice [TOPLAS 2005], prune, sbreak, conditional breakpoint
State Rollback: checkpoint, rollback

QZDB
[Workflow diagram, beginning at Program Start]
Add State Inspection Enabling Commands: Set Checkpoint, Set Record Region, Set Breakpoints
Perform State Inspection: Compute Slice, Navigate Slice, Prune Slice
Introduce State Alteration Commands: Switch Commands, Suppress Commands
Execute program from Begin point
Introduce new State Inspection Enabling Commands: Sbreak, Set Record Region, Set Checkpoints
Select New Begin Point && Rollback Execution
Diagram labels: ZOOM, ZOOM, QUICK

Predicate Switching
The predicate switching interface allows programmers to dynamically change the outcome of a branch.
Benefit
  root cause speculation
  avoid source code modification, recompilation and re-execution
Interface
  switch fileName:lineNum [all|once|n]
  all: switch the result of all the execution instances of this predicate
  once: only switch the result of the next execution instance
  n: only switch the result of the N-th execution instance

Predicate Switching - Example
  (qzdb) list
  1: for(i=0; i<N; i++)
  2: {
  3:   if(i>j)
  4:     j++;
  5:   else
  6:     k++;
  7: }
  (qzdb) switch 3 all/once/4

Execution Suppression
The execution suppression interface allows programmers to dynamically suppress the execution of some statement or function invocation.
Benefit
  bug isolation and root cause speculation
  avoid repeated source code modification, recompilation and re-execution
Interface
  suppress fileName:lineNum [all|once|n]
  all: suppress all the execution instances of this statement
  once: only suppress the next execution instance
  n: only suppress the N-th execution instance

Execution Suppression - Example
  (qzdb) list
  1: for(i=0; i<N; i++)
  2: {
  3:   array[i]=NULL;
  4: }
  5: do();
  (qzdb) suppress 3 all/once/2
  (qzdb) suppress 5 all/once/1

Dynamic Slice based State Inspection
The dynamic slice interface allows programmers to construct a backwards dynamic slice for the given criterion.
Benefit
  Programmers can focus and speculate (through predicate switching or execution suppression) only on bug-related statements, which are far fewer than the whole execution trace inspected with traditional debuggers.
  Enhance debugging efficiency
Interface
  slice statement i variable|address [size]|register
  slice statement i
  slice statement

Record on/off
The record interface allows programmers to designate interesting/suspicious code regions for logging and dynamic slicing.
Predicate switching and execution suppression can suggest smaller suspicious code regions for the record interface.
Benefit
  Enhance logging and slicing efficiency
  save programmers' time and effort to inspect the slice and reason about the root cause
Interface
  record on/off
  record fileName:lineNum instance on/off

Example
  1: p=…;
  2: i=0;
  3: j=3;
  4: sum=0;
  5: p=i+j;
  6: while(i<N)
  7: {
  8:   w=p*2;
  9:   if(i>=1)
  10:    j++;
  11:  else
  12:    j--;
  13:  p+=j;
  14:  sum+=j;
  15:  i++;
  16: }
  17: k=sum; //wrong sum
[Figures: Control Flow Graph; Execution with N=1]

Compute Dynamic Slice - Example
  1: p=x;
  2: i=0;
  3: j=3;
  4: sum=0;
  5: p=i+j;
  6: while(i<N)
  7: {
  8:   w=p*2;
  9:   if(i>=1)
  10:    j++;
  11:  else
  12:    j--;
  13:  p+=j;
  14:  sum+=j;
  15:  i++;
  16: }
  17: k=sum;
Commands on the slide:
  (qzdb) slice 17 1 sum
  (qzdb) record on
  (qzdb) record off
Dynamic Slice (each entry: statement instance, statement instance, reason; CD = control dependence)
  1: 17 1 14 1 due to sum
  2: 14 1 12 1 due to j
  3: 12 1 9 1 due to CD
  4: 14 1 6 1 due to CD
  5: 9 1 6 1 due to CD
  6: 14 1 4 1 due to sum
  7: 12 1 3 1 due to j
  8: 9 1 2 1 due to i
  9: 6 1 2 1 due to i

Prune Slice
The prune interface allows programmers to exclude dependence edges regarding user-specified confident variables from the generated slice.
It is useful when programmers are pretty sure that the values of some variables are correct.
Benefit
  Irrelevant or less important statements can be significantly suppressed.
  save programmers' time and effort to inspect the slice and reason about the root cause
Interface
  prune slice_id variable list

Prune Slice - Example
  1: p=x;
  2: i=0;
  3: j=3;
  4: sum=0;
  5: p=i+j;
  6: while(i<N)
  7: {
  8:   w=p*2;
  9:   if(i>=1)
  10:    j++;
  11:  else
  12:    j--;
  13:  p+=j;
  14:  sum+=j;
  15:  i++;
  16: }
  17: k=sum;
Commands on the slide:
  (qzdb) slice 17 1 sum
  (qzdb) list
  (qzdb) record off
  (qzdb) prune 2 i, j
[The slide shows the listing twice more: once marked as the Dynamic Slice (Slice Id = 2) and once as the Pruned Dynamic Slice.]
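
The slice and prune steps above, worked through as an added example (not QZDB's Pin-based implementation and not part of the original slides): it rebuilds the nine dependence edges of `slice 17 1 sum` for the N=1 execution and then applies `prune` with confident variables i and j. The `STMTS` def/use/control table, the `TRACE_N1` trace and all function names are constructed here from the slide's listing.

```python
from collections import deque

# Constructed model of the slide's program: line -> (defs, uses, controlling line)
STMTS = {
    1: ({"p"}, {"x"}, None), 2: ({"i"}, set(), None), 3: ({"j"}, set(), None),
    4: ({"sum"}, set(), None), 5: ({"p"}, {"i", "j"}, None),
    6: (set(), {"i", "N"}, 6), 8: ({"w"}, {"p"}, 6), 9: (set(), {"i"}, 6),
    10: ({"j"}, {"j"}, 9), 12: ({"j"}, {"j"}, 9), 13: ({"p"}, {"p", "j"}, 6),
    14: ({"sum"}, {"sum", "j"}, 6), 15: ({"i"}, {"i"}, 6),
    17: ({"k"}, {"sum"}, None),
}
# Constructed trace of executed lines for N=1 (the loop body runs once).
TRACE_N1 = [1, 2, 3, 4, 5, 6, 8, 9, 12, 13, 14, 15, 6, 17]

def dependence_edges(trace):
    """Return (user, definer, reason) edges between instances (line, n)."""
    last_def, count, edges = {}, {}, []
    for line in trace:
        defs, uses, ctrl = STMTS[line]
        me = (line, count.get(line, 0) + 1)
        if ctrl in count:                  # controlling predicate already ran
            edges.append((me, (ctrl, count[ctrl]), "CD"))
        for var in sorted(uses):
            if var in last_def:            # inputs such as N and x have no definer
                edges.append((me, last_def[var], var))
        count[line] = me[1]
        for var in defs:
            last_def[var] = me
    return edges

def backward_slice(trace, line, instance, var, confident=()):
    """Edges reachable backwards from var at line^instance; prune confident vars."""
    edges = [e for e in dependence_edges(trace) if e[2] not in confident]
    start = (line, instance)
    seen, kept, work = {start}, [], deque([start])
    while work:
        node = work.popleft()
        for user, definer, reason in edges:
            if user != node or (node == start and reason != var):
                continue                   # criterion follows only the named variable
            kept.append((user, definer, reason))
            if definer not in seen:
                seen.add(definer)
                work.append(definer)
    return kept

def slice_lines(kept_edges):
    """Source lines touched by a slice, sorted."""
    return sorted({n[0] for u, d, _ in kept_edges for n in (u, d)})
```

With i and j pruned, statements 12 and 9 drop out because they were reachable only through the j edge, leaving lines 4, 6, 14 and 17.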

Sbreak
The sbreak interface allows programmers to generate a breakpoint at the statements in the slice.
Benefit
  set breakpoints more efficiently and easily
Interface
  sbreak slice_id s1,s2, ...
  sbreak slice_id all

Breakpoint Slice - Example
  1: p=x;
  2: i=0;
  3: j=3;
  4: sum=0; //insert a breakpoint
  5: p=i+j;
  6: while(i<N) //insert a breakpoint
  7: {
  8:   w=p*2;
  9:   if(i>=1)
  10:    j++;
  11:  else
  12:    j--;
  13:  p+=j;
  14:  sum+=j;
  15:  i++;
  16: }
  17: k=sum;
Commands on the slide:
  (qzdb) slice 17 1 sum
  (qzdb) record off
  (qzdb) prune 2 i, j
  (qzdb) sbreak 2 s1, s2
[The slide marks the listing as the Pruned Dynamic Slice, Slice Id = 2.]

Conditional Breakpoint
The extended conditional breakpoint interface allows programmers to set conditional breakpoints on standard library functions, whose source code is often unavailable.
Benefit
  Designed for memory-related bugs
  selectively and efficiently capture critical library function invocations
Interface
  breakpoint library function [if condition]
  if write/read/access address [size]
  if argN|ret==value

Conditional Breakpoint - Example
  (qzdb) rollback 3
  (qzdb) list
  1: str=malloc(N*sizeof(char)); //suppose checkpoint 3 is saved here
  2: …
  3: …
  4: …
  5: free(str);
  6: …
  7: p=str;
  8: free(p); //suppose the address of p is Addr /*crash point*/
  (qzdb) breakpoint malloc if ret==Addr
  (qzdb) breakpoint free if arg1==Addr
  (qzdb) breakpoint free if write Addr

State Rollback Interfaces
The state rollback interfaces allow programmers to restore the program state to a previous point.
Benefit
  useful for repeated debugging (repeated state inspection, state alteration in SAID)
  avoid repeated execution from start
Interface
  checkpoint
  rollback checkpoint_id

Checkpoint & Rollback - Example
  (qzdb) list
  1: for(i=0; i<N; i++)
  2: {
  3:   array[i]=NULL;
  4: }
  5: process(job);
  (qzdb) checkpoint
  Checkpoint 2 at 0x80482b7: file tidy.c, line 1. You can rollback the program state to this checkpoint by rollback 2
Second part of the slide:
  Listing fragment shown:
  5: process(job);
  6: …
  Commands shown:
  (qzdb) rollback 2
  (qzdb) list

QZDB – Implementation
[Architecture diagram labels: Programmer; KDbg; GDB; Remote Debugging Protocol; Pin; Dynamic Slicing; Checkpoint & Rollback; Other Commands; Program Binary]

QZDB Implementation
GDB provides the monitor command for remote debugging. It can send arbitrary commands to the remote monitor and is designed for extending GDB.
We use the monitor command to support the new commands implemented based on Pin.
  monitor slice linenum instance variable
Modify GDB to preprocess the monitor command
  mapping from source lines to program addresses (ref info line)
  mapping from variable names to memory addresses (ref print &a)
Modify GDB to post-process the generated slice

Dynamic Slice Time & Space Overhead
Program       MS/K instr.   KB/K instr.
tidy          11.3          35.6
ncompress     8.4           45.4
bc            15.6          33.8
ghostscript   11.4          53.9
tar           58.6          40.4

Future Plan
More State Alteration features
  Insert a statement
  Replace a statement
  Automatically patch source code
Combination of Slice and Reversible Debugging
  Allow reverse execution along dependence edge
  Easy forward and backward source code navigation along slice
User Studies
  Comparison of debugging efficiency between QZDB and GDB