7.

3 Interactive debugging systems

Introduction
An interactive debugging system provides programmers with facilities that aid in the testing and debugging of programs.

Approaches to debugging
Print statements Printing to log files Sprinkling the code with assertions Using post-mortem dumps Having programs that provide function call stacks on termination Profiling Heap checking System call tracing tools Interactive source-level debugging Reverse execution ...

Debugger basic principles

The Heisenberg principle

This principle says that the debugger must intrude on the debuggee in a minimal way. The debugger must be truthful so the programmer always trusts it. The debugger should provide the program context information during debugging. Program context information.

Truthful debugging

Providing context information

source code, stack back-track variable values, thread information, ...

Debugging functions and capabilities

Breakpoints

The programmer may define a breakpoint which causes execution to be suspended when a specified point in the program is reached.

After execution is suspended, other debugging commands can be used to analyze the progress of the program and to diagnose errors detected.

Debugging functions and capabilities

Tracing

Tracing can be used to track the flow the execution logic and data modifications.

Step into Step over Run to cursor Run until return ...

Debugging functions and capabilities

Traceback

Trackback can show the path by which the current statement was reached (a list of all the functions called in order). This kind of information should be displayed symbolically, and should be related to the source program.

call stack

watch registers

Debugging functions and capabilities

Program-display capabilities

It must be possible to display the program being debugged. The user should be able to control the level at which this display occurs.

source level instruction level

Debugging functions and capabilities

Capabilities of dealing with optimized code

If the compiler has so distorted the final instruction stream through optimizations, the programmer cannot easily map this back onto the original source code

switching to a mode where the actual source code is interpreted may remove a major source of confusion for the programmer.

Fix-and-run

The goal of this approach is to minimize the turnaround time between creating a fix to test and the ability to actually test the system with the modification in place.
10

Debugging functions and capabilities

Capabilities of handling multilingual situations

Many application systems involve the use of several different programming language. A debugging system must be sensitive to the specific language being debugged so that procedural, arithmetic, and conditional logic can be coded in the syntax of that language.

11

Hardware/OS debugging support

The debuggers ability to control the execution of the debuggee depends both

on hardware support built into the processor

and on sophisticated, specialized debugging mechanisms built into the operating system.

12

Hardware/OS debugging support

A way to specify a breakpoint---a specific location in the executing code such that when the processor reaches this location, execution will stop.

This can be provided for by simply writing some illegal instruction into the code stream for the debuggee.

A notification system, also called an interrupt or a trap, that will notify the operating system (and thereby the debugger) that an important event has occurred with respect to the running process. The ability to read and write directly out of and into the hardware registers when the interrupt occurs.

13

Hardware debugging support

Breakpoint support Single-step support Fault-detection support Watchpoint support ... (such as Multithread control, Multiprocessor control)

14

Breakpoint support
Breakpoints are usually implemented as a special instruction that causes a trap to the operation system, which then can notify a special program that has registered itself as a debugger. On architectures with varying length instructions, it is normal for the trap---or breakpoint---instruction to be the length of the shortest possible instruction.

This makes it much simpler for the debugger to guarantee breakpoints are placed on instruction boundaries. Breakpoint instruction of Intel x86 is a one-byte instruction INT 3.

15

Single-step support
Single-step means that the processor is instructed to execute a single machine instruction when it is next processing instructions for the debuggee. Most processors provide a mode bit that controls single-step operation.

16

Fault-detection support
When some faults of the debuggee are detected

by the processor, such as divide by zero and memory access violations, by OS, such as I/O failure, or by some higher level software systems, such as stack corruption or array bounds check violations,

the OS notifies the debugger that its debuggee has received a fault before the debuggee actually is allowed control again.
17

Watchpoint support
Watchpoints are notifications presented to the debugger when specified portions of the debuggees address space are modified.

Set the portions of the address space as

read-only. The processor traps on any modification of data in these addresses and stop itself before the write occurs.
18

OS debugging support
To control a debuggee process, a debugger needs a mechanism to notify the OS about the executable program it wishes to control.

Once this is done, the debugger needs to modify that debuggees code in order to modify the instruction stream with the breakpoint instructions; And then, the debugger needs to tell the OS to run the debuggee but notify the debugger if any sort of exceptions occur before the debuggee itself get notified or terminated. Once the debuggee stops, the debugger needs to be able to gather information from the debuggees register set and data memory.
19

Breakpoint data structures

At least two levels of breakpoint representation are needed:

the logical breakpoints,

set by users, associated with a point in the source code.

the physical breakpoints,

it relates directly to executable machine instructions, the points in the address space where actual hardware
breakpoint instructions get written.

it stores the original instruction. the original instruction is restored if the breakpoint is to
be removed.
20

10

logical File foo.c: line 9 File foo.c: line 9 File foo.c: line 9 File foo.c: line 5

physical

physical breakpoint structure

Physical address Reference count

0x458F0

Original instruction

0x400F0

Logical-to-physical: set, modify, or delete breakpoints Physical-to-logical: whenever a hardware breakpoint event occurs

Breakpoint setting and activation

Breakpoint setting

request symbol table agent to map given file name and line number information into physical address. create logical breakpoint object containing this information. create physical breakpoint object, or increment reference count if this object already exists physical breakpoint agent must put breakpoint instruction and save original instruction at that location

22

11

Conditional breakpoint
A conditional breakpoint may or may not stop the debuggee when the breakpoint fires depending on the value of an associated condition.

Conditions are Boolean expressions that are

evaluated by the debugger when the breakpoint is activated.

23

Step over and step into

Step over is a statement step in the context of the current function scope running any descendent function full speed to completion.

For statement step over, an internal breakpoint is set on the functions return address to allow the function and all its descendents at full speed.

Step into is a statement step that goes into any descendent functions found during the current operations.

24

12

Step into stops here when entering compute().

float compute(int a,int b) { float c = b; for(int i = 0; i < a; i++) c = c * b; return c; } main() { int a,b; float c; printf(Enter a, b:\n); scanf(%d %d,&a,&b); c = compute(a,b); printf(result: %f\n,c); }

Last step ended here. From here do a step into or a step over.

Step over ends here after running compute

Source-level step into

How to implement step into ?

Main concern. Approaches

Use machine step with repeatedly checking at each instruction step to see if the current address matches a source statements starting address.

A source statement may be translated into several machine instructions.

Drawback: very slow. (1000 times slower than full-speed run to a breakpoint)

Set a temporary breakpoint at the address of the beginning of the next source statement.
How to handle branching instruction? if (expression) { ... } else { ... } either machine single-step instruction, or decode the branch target and set a temporary breakpoint at that address 26

13

Step over
The algorithm for step over is like that of step into but it notes a call instruction during instruction decode as special, and once the called function has been entered, a breakpoint is inserted at the return address of this function by looking at the current stack frame.

27

Stack trace
When a fault or breakpoint occurs, the user needs a stack track to know how did the program get here? A stack trace is a list of the procedure activation records currently on the call stack.
frame 2 frame 1 frame 0 STACK

call P2 call P1
call stack

28

14

Stack trace
Once the debugger knows
the boundaries of a activation record and the procedure-calling conventions,

a stack trace can show

the procedure names, and formal arguments.

The debugger can also retrieve the values of the local variables.

29

activation record 2 locals registers saved by P2 P1 return address arguments from P1 to P2 activation record 1 locals registers saved by P1 P0 return address arguments from P0 to P1 activation record 0 locals registers saved by P0

P1 calls P2

P0 calls P1

15

Relationship with other parts of the system

The debugger must also exist in a way that is consistent with the security and integrity components of the system.

31

16