The Binary Rewriter and New Code Optimizations

1
The Binary Rewriter and New Code Optimizations

• Matthew LeGendre
• University of Wisconsin
• legendre_at_cs.wisc.edu
• http//www.paradyn.org

2
Dyninst and Static Rewriting
Mutatee Process
DyninstAPI
a.out push ebp mov esp, ebp sub 0x16,
esp libc.so push eax push 0x8 call
foo libm.so fstl eax fmul st, st(1) ret
Process Control
Object Parser
Object Output
Code Parsing
Instrumentation
3
Dyninst and Static Rewriting
DyninstAPI
Process Control
Object Parser
Object Output
Code Parsing
Instrumentation
4
A Static Binary Rewriter

• Instrument and modify objects on disk
• Instrument once, run many times
• Run instrumented binaries on otherwise
  unsupported systems (e.g. BlueGene)
• Operates on unmodified binaries.
• No debug information required
• No linker relocations required
• No symbols required
• Uses the same abstractions and interfaces as
  Dyninst.

5
Static Vs. Dynamic Rewriting
6
The Binary Rewriter Interface
Common Functionality
BPatch_process
One time code Process Control Instrumentation Imag
e functions
Dynamic Rewriting
Static Rewriting
7
BPatch_addressSpace

• Use BPatch_addressSpace for static and dynamic
  code instrumentation.

if (use_bin_edit) addr_space
bpatch.openFile(...) else addr_space
bpatch.attachProcess(...) ... addr_space-gtgetIma
ge()-gtfindFunction(...) addr_space-gtinsertSnippet
(...) addr_space-gtreplaceFunction(...)
8
BPatch_binaryEdit

• Open a file and its libraries for rewriting

• Open a single file for rewriting

• Add new libraries to an application

9
Not Save-the-World

• Save-the-World was Dyninsts old binary
  rewriter.
• Loaded the application into memory and stopped it
  at main.
• Allowed user to apply instrumentation.
• Copied the memory image of modified binaries back
  to disk.
• Did not work if libraries loaded at different
  addresses between runs.
• Only worked on Dyninst supported OSs.

10
New Dyninst Requirements

• Need to write object files
• Add new code
• e.g., Add generated instrumentation code
• Write changes to existing code.
• e.g., Write trampoline jumps
• Reference symbols in other libraries
• e.g., Generate instrumentation that calls libcs
  write from the a.out
• Update headers
• Start with Dyninsts existing instrumentation and
  parsing mechanisms.

11
Modifying the Binary

• Elf Header contains
• Meta-information about the object
• Pointers to the locations of important sections

12
Modifying the Binary

• Program Header contains
• Information on how to lay out the binary in
  memory
• The related section header contains information
  on how the binary is laid out on disk.

13
Modifying the Binary

• Dynamic Section contains
• How to resolve references to other libraries.
• Multiple sections involved
• Dynamic Symbol Table
• Dynamic Strings Table
• Relocation tables
• Symbol Versioning info

14
Modifying the Binary

• Add space for instrumentation and relocated
  functions to end of object.

15
Modifying the Binary

• Need to modify prog_hdr with new section info.
• Grow prog_hdr by copying it elsewhere.
• Linux bug means prog_hdr must follow elf_hdr

16
Modifying the Binary

• Add trampolines and other Dyninst modifications
  by patching existing code.

17
Modifying the Binary

• Need to add to dynamic for external references
  made by instrumentation.
• Cannot grow dynamic, so copy to end of object.

18
Modifying the Binary

• Left old copies of sections in place.
• Updated pointers in elf_hdr to refer to new
  section locations.
• Did not move code or data sections.

19
Current Status

• Beta of binary rewriter in Dyninst 5.2.
• Static binaries
• Dynamic objects (but not inter-library calls)
• System V ELF platforms (Linux,BG/L,Solaris,)
• x86, x86-64, PPC, IA-64, SPARC
• Coming Soon in Dyninst 6.0
• Inter-library calls in dynamic objects
• Adding new libraries to an object
• Other Dyninst supported platforms

20
New Code Optimizations

• New focus on fast code
• Binary rewriter
• Fine-grianed instrumentation
• New optimizations in Dyninst
• Improved register liveness analysis and saving
• Fixed point code generation

21
Register Liveness

• Old liveness analysis
• Only MQ register on PPC
• Floating point registers on x86
• New liveness analysis
• Floating point and flags register on x86
• x86 GPRs hard to save and minimal payoff
• All registers on PPC and x86-64
• New framework for liveness allows easy porting to
  other platforms

22
Fixpoint Code Generation

• Old layout code based on maximum possible size
  of address references.

• New layout code based on actual size of basic
  blocks

add mov jcc
add mov jcc nop nop
mov
mov nop nop
23
Optimization Results Register Saving

• CBI
• Bug finding system
• Instruments conditional jump and return
  instructions.
• x86, go benchmark of SPECINT2000
• No longer saving flags register
• 10.2x slowdown to 6.6x slowdown

24
Optimization Results Fixpoint

• BBL Instrumenter
• Internal DyninstAPI testing tool
• Instruments every basic block with nop
  instrumentation
• x86, go benchmark of SPECINT2000
• 8.2x slowdown to 6.0x slowdown

25
Summary

• New static binary rewriter
• Modifies files on disk
• Same interface as Dyninst
• Beta in 5.2, full support in 6.0
• New optimizations
• Improved register liveness
• New code layout
• Available in 5.2

26
Questions?
Matthew LeGendre University of Wisconsin legendre_at_
cs.wisc.edu http//www.paradyn.org