Next Generation Debugging
Transcript of Next Generation Debugging
OverviewTesting.Debugging:
Debuggingwithgdb.Strace.Valgrind.RecordingexecutionwithUndo.
Undoresearch:Executionanalysis.Dataflowanalysis.
(Linux-specific.)
Testinghaschanged:
Resultingin:
Testing.
Continuousintegration.Test-drivendevelopment.Cloudtesting.
1,000softestsperhour.Manyintermittenttestfailures.Verydifficulttofixthemall.
Fixingtestfailuresishard.
Testing.
Recreatecomplexsetups:Multi-application.Networking.Multi-machine.
Re-runflakeytestsmanytimestoreproducefailureRecompile/linkwithchangeswheninvestigating.
Changesbehaviour.Slow.Requiresadevelopermachine.
Fixingtestfailuresisslow.
Testing
Reproducingslowfailuresis…slow.Reproducingintermittentfailuresisalsoslow.
Requiresrepeatedlyrunningatestmanytimesinordertocatchthefailure.
Criticalbugs:
Canoccuroneinathousandruns.Eachruncantakehours.
Toolstofixtestfailures
Testing.
Debuggers.Logging.Systemlogging.Memorycheckers.Recordingexecution+reversibledebugging.
GDB
Debugging.
Betterthanyoumayremember:TUImodeshowssourcecodewithinterminalwindow:
gdb--tui
OrtogglewithCtrl-XCtrl-A.
GDB-7usespythonasextensionlanguage.Scripteddebugging,e.g.toreproduceintermittentfailures.
Compilerscangeneratedebugsymbolsevenforoptimisedcode:gcc-O2-g...
Optimisationmaygivenon-linearresultswhensteppingthroughcode.
Miscellaneous:Showbacktraceofallthreads:threadapplyallbt.Showstackpointeroffirstfourthreads:threadapply1-4print$sp.Conveniencevariables:print$ax,print$pc,print$_exitcode.Showsourceforanaddress:infoline*0x12345678.Showaddressboundsofcurrentline:infoline*$pc.Showaddressofsourcecodeline:infolinefoo.c:42.
Pythonscriptinginundodb-gdbandgdb.GDBsupportspythonasanextensionlanguage.Usedbyundodb-gdb.
Capturinganintermittentfailure.Createpythonscriptandrunwith:
(gdb)sourcefoo.py
(undodb-gdb)sourcefoo.py
Examples:
repeat_until_non_zero_exit.py
repeat_until_breakpoint.py
repeat_until_signal.py
Pythonscriptinginundodb-gdbandgdb.repeat_until_non_zero_exit.py'''Repeatedlyrundebuggeeuntilitfails.'''importgdb
while1:print'-'*40gdb.execute('run')e=gdb.parse_and_eval('$_exitcode')print('$_exitcodeis:%s'%e)ife!=0:break
Pythonscriptinginundodb-gdbandgdb.repeat_until_breakpoint.py'''Repeatedlyrundebuggeeuntilithitsabreakpoint.'''importgdb
events=[]defevent_handler(event):events.append(event)gdb.events.exited.connect(event_handler)gdb.events.stop.connect(event_handler)
while1:print'-'*40events=[]gdb.execute('run')breakpoint=Noneforeventinevents:ifisinstance(event,gdb.BreakpointEvent):breakpoint=eventbreakifbreakpoint:print('havehitbreakpoint:%s'%breakpoint)break
Pythonscriptinginundodb-gdbandgdb.repeat_until_signal.py'''RepeatedlyrundebuggeeuntilitreceivesSIGSEGV.'''importgdbimportsignal
events=[]defevent_handler(event):events.append(event)gdb.events.exited.connect(event_handler)gdb.events.stop.connect(event_handler)
while1:print'-'*40events=[]gdb.execute('run')breakpoint=Noneforeventinevents:if(isinstance(event,gdb.SignalEvent)andevent.stop_signal=='SIGSEGV'):breakpoint=eventbreakifbreakpoint:print('havehitbreakpoint:%s'%breakpoint.stop_signal)break
Logging.Cansometimesworkwell.Needtocontrolwhattolog.
Defineareasoffunctionalityandassigndifferentdebuglevels.E.g.parser,lexer,network.Moredetailed:memoryallocator,socket,serialiser.
Wecandefinedebuglevelsfordifferentcategoriestomatchthebugweareinvestigating.
Thiscangetcomplicated.
logcategory_t*io_category=...;logcategory_t*serialisation_category=...;...logf(io_category,"haveread%zibytesfromsocketfd=%i",n,fd);...logf(serialisation_category,"serialised%pto%zibytes",foo,actualsize);...
Problemswithloggingcategories.
Logging.
Howmanycategories-howdetailedshouldwego?
Dependsonthebugweareinvestigating.Mayneedtorecompilewithnewcategories.
Whatcategorydoweuseforcodethatwritesserialiseddatatoafile-io_categoryorserialisation_category?
Useprogrammestructureforcategories.
Logging.
Wealreadyhaveareasoffunctionality:
Sourcecodedirectories.Sourcefiles.Functions.
Wecanusetheseasimplicitcategories:
Noneedtodefineourowncategories.Wegetdifferentlevelsofcategoriesforfree.Wegetnestedcategoriesforfree.
Controllingverbosityprogrammatically:
Logging.
debug_add("network/socket",NULL,1);//Extraverboseforalldiagnosicsinnetwork/socket*.*.
debug_add("network/",NULL,1);debug_add("network/socket",NULL,1);//Extraverboseforalldiagnosticsinnetwork/*.*.//Evenmoreverboseinnetwork/socket*.*.
debug_add("heap/alloc.c","",1);debug_add("network/socket.c",Send,2);debug_add("parser/","",-1);//Verboseforheapoperations.//Veryverboseforalldiagnosticsinnetwork/socket.c:Send().//Lessverboseinparser/.
Controlverbositywithenvironmentalvariables:
Example:
Logging.
QA-friendly.Noneedtorecompile/link/build.Activateloggingindifferentpartsoftheprogrammedependingonthebugwhichisbeinginvestigated.
DEBUG_LEVELS="heap/alloc.c=1parser/=-1network/socket.c:Send=2"myprog...
Strace.Linux/unix-specific.
Getadetailedlogofallsyscalls.
>stracedateexecve("/bin/date",["date"],[/*34vars*/])=0brk(0)=0xd50000access("/etc/ld.so.nohwcap",F_OK)=-1ENOENT(Nosuchfileordirectory)mmap(NULL,8192,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f7602059000access("/etc/ld.so.preload",R_OK)=-1ENOENT(Nosuchfileordirectory)open("/etc/ld.so.cache",O_RDONLY|O_CLOEXEC)=3</etc/ld.so.cache>fstat(3</etc/ld.so.cache>,{st_mode=S_IFREG|0644,st_size=144491,...})=0mmap(NULL,144491,PROT_READ,MAP_PRIVATE,3</etc/ld.so.cache>,0)=0x7f7602035000close(3</etc/ld.so.cache>)=0access("/etc/ld.so.nohwcap",F_OK)=-1ENOENT(Nosuchfileordirectory)open("/lib/x86_64-linux-gnu/libc.so.6",O_RDONLY|O_CLOEXEC)=3</lib/x86_64-linux-gnu/libc-2.19.so>read(3</lib/x86_64-linux-gnu/libc-2.19.so>,"\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\34\2\0\0\0\0\0"...,832)=832fstat(3</lib/x86_64-linux-gnu/libc-2.19.so>,{st_mode=S_IFREG|0755,st_size=1738176,...})=0mmap(NULL,3844640,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_DENYWRITE,3</lib/x86_64-linux-gnu/libc-2.19.so>,0)=0x7f7601a90000mprotect(0x7f7601c32000,2093056,PROT_NONE)=0mmap(0x7f7601e31000,24576,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE,3</lib/x86_64-linux-gnu/libc-2.19.so>,0x1a1000)=0x7f7601e31000mmap(0x7f7601e37000,14880,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,-1,0)=0x7f7601e37000close(3</lib/x86_64-linux-gnu/libc-2.19.so>)=0mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f7602034000mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f7602033000mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f7602032000arch_prctl(ARCH_SET_FS,0x7f7602033700)=0mprotect(0x7f7601e31000,16384,PROT_READ)=0mprotect(0x60e000,4096,PROT_READ)=0mprotect(0x7f760205b000,4096,PROT_READ)=0munmap(0x7f7602035000,144491)=0brk(0)=0xd50000brk(0xd71000)=0xd71000open("/usr/lib/locale/locale-archive",O_RDONLY|O_CLOEXEC)=3</usr/lib/locale/locale-archive>fstat(3</usr/lib/locale/locale-archive>,{st_mode=S_IFREG|0644,st_size=1607760,...})=0mmap(NULL,1607760,PROT_READ,MAP_PRIVATE,3</usr/lib/locale/locale-archive>,0)=0x7f7601ea9000close(3</usr/lib/locale/locale-archive>)=0open("/etc/localtime",O_RDONLY|O_CLOEXEC)=3</etc/localtime>fstat(3</etc/localtime>,{st_mode=S_IFREG|0644,st_size=3661,...})=0fstat(3</etc/localtime>,{st_mode=S_IFREG|0644,st_size=3661,...})=0mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f7602058000read(3</etc/localtime>,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\7\0\0\0\0"...,4096)=3661lseek(3</etc/localtime>,-2338,SEEK_CUR)=1323read(3</etc/localtime>,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\10\0\0\0\0"...,4096)=2338close(3</etc/localtime>)=0munmap(0x7f7602058000,4096)=0fstat(1</dev/pts/50>,{st_mode=S_IFCHR|0620,st_rdev=makedev(136,50),...})=0mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f7602058000write(1</dev/pts/50>,"Mon26Sep12:27:50BST2016\n",29Mon26Sep12:27:50BST2016)=29close(1</dev/pts/50>)=0munmap(0x7f7602058000,4096)=0close(2</dev/pts/50>)=0exit_group(0)=?+++exitedwith0+++
Subsetofsyscalls-fileoperations:
>strace-y-etrace=filedateexecve("/bin/date",["date"],[/*34vars*/])=0access("/etc/ld.so.nohwcap",F_OK)=-1ENOENT(Nosuchfileordirectory)access("/etc/ld.so.preload",R_OK)=-1ENOENT(Nosuchfileordirectory)open("/etc/ld.so.cache",O_RDONLY|O_CLOEXEC)=3</etc/ld.so.cache>access("/etc/ld.so.nohwcap",F_OK)=-1ENOENT(Nosuchfileordirectory)open("/lib/x86_64-linux-gnu/libc.so.6",O_RDONLY|O_CLOEXEC)=3</lib/x86_64-linux-gnu/libc-2.19.so>open("/usr/lib/locale/locale-archive",O_RDONLY|O_CLOEXEC)=3</usr/lib/locale/locale-archive>open("/etc/localtime",O_RDONLY|O_CLOEXEC)=3</etc/localtime>Mon26Sep12:29:01BST2016+++exitedwith0+++
Subsetofsyscalls-memoryoperations:
>strace-y-etrace=memorydatebrk(0)=0x25b8000mmap(NULL,8192,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f14cc871000mmap(NULL,144491,PROT_READ,MAP_PRIVATE,3</etc/ld.so.cache>,0)=0x7f14cc84d000mmap(NULL,3844640,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_DENYWRITE,3</lib/x86_64-linux-gnu/libc-2.19.so>,0)=0x7f14cc2a8000mprotect(0x7f14cc44a000,2093056,PROT_NONE)=0mmap(0x7f14cc649000,24576,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE,3</lib/x86_64-linux-gnu/libc-2.19.so>,0x1a1000)=0x7f14cc649000mmap(0x7f14cc64f000,14880,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,-1,0)=0x7f14cc64f000mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f14cc84c000mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f14cc84b000mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f14cc84a000mprotect(0x7f14cc649000,16384,PROT_READ)=0mprotect(0x60e000,4096,PROT_READ)=0mprotect(0x7f14cc873000,4096,PROT_READ)=0munmap(0x7f14cc84d000,144491)=0brk(0)=0x25b8000brk(0x25d9000)=0x25d9000mmap(NULL,1607760,PROT_READ,MAP_PRIVATE,3</usr/lib/locale/locale-archive>,0)=0x7f14cc6c1000mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f14cc870000munmap(0x7f14cc870000,4096)=0mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f14cc870000Mon26Sep12:29:40BST2016munmap(0x7f14cc870000,4096)=0+++exitedwith0+++
Summary:
Strace.
Notperfect-onlyworksonsyscalllevel.Butstillusefulforlow-levelinvestigations.Norecompilationrequired.
Overview:
Valgrind.
Linux,OSX,Solaris,Android.Verydetailedcheckingofexecution.Free.SimilartoPurifyetc.
Memorychecking:
Threadchecking.
Other:
Valgrind.
Illegalmemoryaccesses:Overrun/underrunheapblocks.Overrunstack.Use-after-free.
Doublefree.Memoryleaks.
Inconsistentlockorderings.Dataraces(e.g.missingmutex).
CPUcachebehaviour.Heapprofiler.
Newdebuggingtechnologyinrecentyears.
Recordingexecution.
Linux:UndoLiveRecorder.RR.
Windows:Intellitrace(partialrecordingonly).TimeMachineFor.Net(partialrecordingonly).
Java:Chronon.Undo(soon).
LiveRecorder.Alibrary,forlinkingintoanapplication.Allowstheapplicationtocontroltherecordingofitsownexecution.ProvidesasimpleCAPItostart/save/stoprecording.APIisdefinedinundolr.hheaderfileandimplementedinlibundolrlibrary.
LiveRecorder.LiveRecorderrecordings:
ArestandardUndoRecordingfiles.Containeverythingneedtoreplayexecution:
Non-deterministicevents(inputstoprogram).Initialstate(initialmemoryandregisters).
Alsocontaininformationneededforsymbolicdebugging:Completeexecutableand.sofiles.Debuginfofiles.
Allowsdebuggingevenwhenlibrariesand/ordebuginformationisnotavailablelocally(e.g.loadandreplayonadifferentLinuxdistribution).LoadedintoUndoDB:
undodb-gdb--undodb-load<filename>
(undodb-gdb)undodb-load<filename>
Fullreversibledebugging.
LiveRecorder.LibraryAPI(undolr.h):intundolr_recording_start(undolr_error_t*o_error);
intundolr_recording_stop(void);
intundolr_recording_save(constchar*filename);
intundolr_recording_stop_and_save(constchar*filename);
intundolr_save_on_termination(constchar*filename);
intundolr_save_on_termination_cancel(void);
intundolr_event_log_size_get(long*o_bytes);
intundolr_event_log_size_set(longbytes);
intundolr_include_symbol_files(intinclude);
LiveRecorder.UseLiveRecorder:
Ininternaltesting.Atcustomersite.
Advantages:
Investigatebugseasilyusingreversibledebugging.Youoryourcustomercontrolwhen/ifrecordingisenabled.Avoidproblemswithdifferingenvironments.Noneedtoreproducecomplexmulti-machinesetups.Havemultipledevelopersworkonthesametestfailure.
LiveRecorder.Savearecordingonlyifsomethingwentwrong....undolr_save_on_termination_cancel();exit(0);...exit(1);...intmain(intargv,char**argv){undolr_recording_start(NULL);undolr_save_on_termination("failure.undo");...if(...){return1;}...undolr_save_on_termination_cancel();return0;}
ExecutionAnalysisTraditionaldebuggingonlygivespartialinformation:Corefile:
Givesprogrammestateonlyattheendofexecution.
Traditionaldebugger:
Cannotgobacktoanearlierstate.
Valgrind:
Havetoknowinadvancewhattypeoferrorisgoingtohappen,andchooseappropriateengine:CachegrindMemcheckCallgrindHelgrind
WhatifyourunwithHelgrindbutencounteranintermittentmemoryerror?OryourunwithMemcheckandgetarareracecondition?RunsslowlybecauseValgrindenginesaredoingverycomplicatedanalysis.
Logging:
Showsinformationonlyfromtheloggingthatisenabled.Usuallynotwhatyouneedtofixthebug.Sore-runwithdifferentlogging.Hopethatbugisn’tintermittent.
AnUndorecordinggivesyou100%knowledgeofwhatyourprogrammedid:
UndoisfasterthanValgrind:
ExecutionAnalysis
Proof:Youcanfindtothestateoftheentireprogramme(memoryplusregisters)atanypointinitsexecution.stepi
stepi
…
and/or:reverse-stepi
reverse-stepi
…
Becauseitisnotperforminganalysiswhenrecording.
Butthisisn’talwaysenoughtotrackdownreallydifficultbugs.
ExecutionAnalysisMoreusefulnavigationofprogrammeexecution:Normalandreversedebugging:
undodb-goto-time...
next,finish,reverse-next,reverse-finish,…BreakpointsWatchpoints.
Also:
Movetonext/previouseventmatchingacriteria:ugoeventprevname=='read'orname=='mmap'
ugoeventprevname=='read'andresult<0
ExecutionAnalysisHowcouldwemakebetteruseofthis100%completeknowledge?Replayexactexecution,butgather/outputextrainformation:
Annotatereplaywithextradiagnosticsfromdebugger(withoutchangingtheexecution).E.g.gdb’sbreakpointcommands.ReplaywithMemcheck-stylememorychecking.ReplaywithHelgrind-stylememorychecking.Logallcallstoaparticularsetoffunctions.Navigateforwards/backwardstonext/previouscallofaparticularsetoffunctions.Loglocksofaparticularmutex.Navigateforwards/backwardstonext/previouslockofaparticularmutex.Gobacktolastcalltoafunctionwithparticularparametervalues.…Suggestions?
Witharecording,itmustbepossibletofigureoutthebug.
ExecutionAnalysisHowtofindandfixabug:
Replayrecording,useforward/reversecommands,watchpoints,breakpointstoinvestigate.Ifnotabletofigureitout:
Replaywithappropriateannotationsorvalgrind-stylecheckingtofindmoreinformation.
Repeatuntilbugisfound.
Becauserecordingcontains100%informationabouttheprogramme’sexecution.
ExecutionAnalysisSummaryofUndoadvantages:Constantmodestspeedoverhead:
UndorecordingisfasterthanValgrinddoingmemory/thread/cacheanalysis.Incurlargeanalysisoverheadonlywhenrequired.
Retrospectiveanalysis:
Runprogrammetoday.Saverecording.Analyseagainstnewregulationsin6monthstime.
Indevelopment:DataflowAnalysis.Thisisinternalresearchanddevelopment.
Aparticulartypeofexecutionanalysis.Notavailableyet.Subjecttochangebeforerelease.
Indevelopment:DataflowAnalysis.Whendebugging,weusuallyfocusonfunctioncalls:
Lookatfunctionsinthestacktrace.Stepforwardswithstepi,step,nexti,next,finish.Stepbackwardswithreverse-stepi,reverse-step,reverse-nexti,reverse-next,reverse-finish.Moveforwardsandbackwardswithcontinueandreverse-continue.
Usebreakpoints.Usewatchpoints.
Thenlookatstateofdatawhereverweendup:
Registers.Localvariables.Globalvariables.
Indevelopment:DataflowAnalysis.Canweinsteadlookmoregenerallyatdata?WhatinputsdoescurrentCPUinstructionuse,andwheredidtheseinputscomefrom?
Newundodb-gdbcommand:undodb-current-instruction-infoShowinputs/outputsofcurrentinstruction.Example,instructionsub-0x8(%rbp),%eax:
(undodb-gdb)undodb-current-instruction-infoundodb-gdb:currentinstructionisat0x4005df:undodb-gdb:reads:undodb-gdb:memory0x7ffc8d6ed6d8..+4undodb-gdb:register0(ax)undodb-gdb:writes:undodb-gdb:register0(ax)(undodb-gdb)
Tofollowthedata:
Wecanseta4-bytewatchpointonaddress0x7ffc8d6ed6d8.Weneedtobeabletoseta"watchpoint"onregister%ax.
NotsupportedbyCPUhardware.
Indevelopment:DataflowAnalysis.ButUndoknowseverythingaboutexecution.Sowecanmakeitspeciallyinstrumentcodetodoregisterwatchpoints.
Newundodb-gdbcommand:undodb-search-registersSearchbackwardsforreads/writestoregisters.Example:
(undodb-gdb)undodb-search-registersax,bpds
Goesbacktomostrecentlyexecutedinstructionthatdidanyof:Readregister%ax.Readregister%bp.Wrotetoregister%ds.
Notes:
Thisisonlypossiblebecausewehavearecord/replyengine.Withoutrecord/replayengine,combinatoricsmakethingsimpossible.Onlypossibleifwemodifyreplaytoalsotrackchangestoregisters.
Indevelopment:DataflowAnalysis.Puttingittogether:
Wecanlookatwhatregister/memoryisusedbycurrentinstruction.Wecangobacktomostrecenttimeregister/memorywaschanged.
Reversedataflowanalysis:Ifcurrentinstructionreadsonememorylocation:
Setwatchpoint.Reversecontinue.
Ifcurrentinstructionreadsoneregister:Useundodb-search-registers.
Dataflowisatree.
Indevelopment:DataflowAnalysis.Butwhatifcurrentinstruction…
…readsmorethanoneregister?…readsregisterandmemory?…readsmorethanonelocationinmemory?
Indevelopment:DataflowAnalysis.Semi-automaticdataflowanalysis:
Exploredataflowtreeonestepatatime.Ateachstep:
Usememory-watchpoint+reverse-continue,orundob-search-registers.Rememberresultsofeachstep.Breadth-firstsearch.
(undodb-gdb)undodb-dataflow-backwards-explore-start(undodb-gdb)undodb-dataflow-backwards-explore-next(undodb-gdb)undodb-dataflow-backwards-explore-next...undodb-gdb:Havefinisheddataflowexploration(undodb-gdb)undodb-dataflow-backwards-explore-show
Indevelopment:DataflowAnalysis.Exampleoutput:
(undodb-gdb)undodb-dataflow-backwards-explore-showundodb-gdb:Dataflowis(13):undodb-gdb:316038:0x400728=>316039:0x400735:memory0x7ffd23ec1214..+4undodb-gdb:316039:0x400732=>316039:0x400735:register0(ax)undodb-gdb:316029:0x4006f6=>316040:0x40071e:memory0x7ffd23ec11f0..+4undodb-gdb:316029:0x4006f6=>316040:0x40071e:memory0x7ffd23ec11f0..+4undodb-gdb:316040:0x40071e=>316040:0x400722:register0(ax)undodb-gdb:316040:0x40071e=>316040:0x400722:register0(ax)undodb-gdb:316040:0x400722=>316040:0x400725:memory0x7ffd23ec11fc..+4undodb-gdb:316040:0x400725=>316040:0x400728:register0(ax)undodb-gdb:316039:0x400735=>316040:0x400728:memory0x7ffd23ec1214..+4undodb-gdb:316040:0x400722=>316041:0x400732:memory0x7ffd23ec11fc..+4undodb-gdb:316040:0x400728=>316041:0x400735:memory0x7ffd23ec1214..+4undodb-gdb:316041:0x400732=>316041:0x400735:register0(ax)undodb-gdb:316041:0x400735=>316042:0x400747:memory0x7ffd23ec1214..+4(undodb-gdb)
Questions?
Indevelopment:DataflowAnalysis.Whatcouldwedowithreversedataflow?
Easiertracingoftheultimatecauseofincorrectdata.Test-casesynthesis-findwhatinputswouldberequiredtomakeprogrammetakeaparticularpath.
Issues:Currentlyonlydetectreads/writestogeneralpurposeregisters.Consider:add%eax,-0xc(%rbp)
Readsmemoryat%bp-0xc.Doesthisalsoreadregister%bp?(Currentlywesay:No.)
Currentlyslow.