bernat - multitramps2

7/31/2019 Bernat - multitramps2

1/25

Generalized Code Relocation 2006 Andrew R. Bernat March 2006

Generalized Code Relocation forInstrumentation and Efficiency

Andrew R. BernatUniversity of Wisconsin

[email protected]
mailto:[email protected]:[email protected]


2/25

2 Generalized Code Relocation 2006 Andrew R. Bernat

Design Objectives

Whole-program instrumentation

Instrument every instruction in the program

and all control flow edges as well

Efficient instrumentation

No traps! Minimize extraneous jumps

Restrict register save/restores

Flexible, extensible instrumentation system Laying the groundwork for binary rewriting


3/25


Multitramps


All instructions, including neighbors

All control flow edges

One trampoline per basic block

Reduces number of extra branches Hierarchical code generation

Extensible

Allows for a variety of optimizations


4/25


Function Relocation


Blocks too small for branch to instrumentation

Instrumentation too far away

No traps!

Shared functions

Copy to remove sharing

Function rewriting Undo optimizations


5/25


Old Instrumentation Overview

Application

Program

Application

Program

Function fooFunction foo

Base TrampolineBase Trampoline

Save RegsSave Regs

instr2instr2

Mini TrampolinesMini Trampolines

InstrumentationInstrumentationCodeCode

InstrumentationInstrumentationCodeCode

instr1instr2instr3

Restore RegsRestore Regs

Save RegsSave Regs



6/25


Old Instrumentation - Consecutive

Application

Program

Application

Program


Multiple Base

Trampolines

Multiple Base

Trampolines Mini TrampolinesMini Trampolines

instr2instr2

instr1instr2instr3

instr1instr1


7/25


Old Instrumentation Uninstrumentable Neighbors

ApplicationProgram

Application

Program


Base TrampolineBase Trampoline

Save RegsSave Regs

instr2instr2

Mini TrampolinesMini Trampolines

InstrumentationInstrumentation

CodeCode

InstrumentationInstrumentation

CodeCode

instr1instr2instr3

instr1instr1

instr3instr3


Save RegsSave Regs



8/25


Edge instrumentation

Application

Program

Application

Program


Base TrampolinesBase Trampolines

branch

Edge TrampolineEdge Trampoline

save/restoresave/restore

save/restoresave/restore

save/restoresave/restorebranchbranch

Instrument edges viaanother level of indirection

(plus extra branches)

Instrument edges viaanother level of indirection

(plus extra branches)

pre-branch

fallthrough

jump taken


9/25


Limitations of Old Instrumentation

Incomplete instrumentation coverage

Often could not instrument near-byinstructions

Inefficient instrumentation

Edges, consecutive instructions require extrabranches

Platform specific implementation

Inextensible and bug-prone


10/25


Multitramp Principles

Basic-block instrumentation

One jump to/from per block Efficient instrumentation of neighbor

instructions

Logical view: a control flow graph Relocated instructions + instrumentation

Apply compiler techniques to dynamic

instrumentation


11/25


Multitramps

Application

Program

Application

Program


MultitrampMultitramp

Basic Block

Base Tramp

InstructionInstruction


Base Tramp

BranchBranch

Fallthrough Target


12/25


Multitramp Implementation

A multitramp is a tree of code objects

Code objects provide the following:

Maximum space required (worst case)

Generate, install, and link callbacks

Map relocated to original address

Single mechanism for both instruction andedge instrumentation


13/25


Multitramp Example

Base Tramp 1


Base Tramp 2

BranchBranch

Mini Tramp 4Base Tramp 3

Mini Tramp 3

Mini Tramp 1

Mini Tramp 2

save ; BT 1branch


14/25


In-Line Instrumentation

Current out-of-line model is based on the

requirements of Paradyn Frequent insertion/removal of instrumentation

Limited opportunity for optimization Particularly register saves and restores

What about long-lived instrumentation?


15/25


In-Line Instrumentation

In-line instrumentation into a single code

sequence: Relocated instructions

Save/restore code

Instrumentation Replace entire sequence when something

changes!

BPatch::setMergeTramp(true)


16/25


Multitramp Status

Extensible implementation

Can add new code objects to multitramp CFG: Raw binary sections.

Control flow-altering code

In-line instrumentation POWER, x86-64

Platform-independent design

Encapsulated platform-dependent sections Included with all platforms in Dyninst 5.0


17/25


Multitramp Results


Instrument every instruction in the program and all control flow edges as well


No traps!Minimize extraneous jumpsRestrict register save/restores

Flexible, extensible instrumentation systemLaying the groundwork for binary rewriting


18/25


Function Relocation

The basic block may be too small to contain a

branch to instrumentation IA-32, x86-64

We may not have the available registers to

construct a long branch POWER, SPARC

Solution: relocate on a function level

Sufficient space to fit large branches Dead registers that can be used to branch


19/25


Old Approach

One-time relocation

Preemptively expand possible instrumentationsites: Function entry, exit, call sites; loop entry, exits

But what about everything else? Linear scan of the function, ignoring control

flow.

Dangerous with in-lined data


20/25


21/25


Function Relocation - Example

Block 2 is too small topatch in a jump

block 1

block 5

block 4

block 3block 2 block 2

block 1

block 5

block 4

block 3 block 2

1. Copy thefunction

2. Enlarge bloc2

3. Replace

Addmodification


22/25


Other Uses for Relocation

Overlapping functions

Relocation disambiguates code Instrument unique per-function copy

Undo optimizations

Rewrite the function during relocation Example: unwinding a tail call


23/25


Function Relocation Status

Platform-independent function relocation

engine IA-32, x86-64, POWER, SPARC

Support for multiple relocated versions

On-the-fly code relocation Extensible modification interface

Block must be 5 bytes long

Modify the instructions in the block


24/25


Design Objectives


Instrument every instruction in the program and all control flow edges as well


No traps!Minimize extraneous jumpsRestrict register save/restores

Flexible, extensible instrumentation systemLaying the groundwork for binary rewriting


25/25


Conclusion

Multitramps

Whole-program instrumentation approach Function relocation

Instrument everywhere (without traps)

People Drew Bernat Multitramps

Nate Rosenblum Function relocation

Nick Rutar Register optimizations

bernat - multitramps2

Documents