ABSTRACT
Debugging takes up almost half of a programmer's development time. To understand what happened in a buggy execution, one has to backtrack through the execution history, examine suspicious behaviours one by one and finally locate the key symptom. Accelerating this search would greatly reduce debugging time.
In this paper, I propose a backward slicing method that reasons about the cause of a memory crash over the source-level execution trace. It iteratively finds the last modification of each newly tainted seed in the style of thin slicing and generates an interprocedural data dependency graph. The slicing method performs intraprocedural alias analysis and interprocedural argument tainting. Call sites through dynamic function pointers, and call sites expanded from macros, are handled heuristically.
I demonstrate the efficacy of the method by applying the prototype system ClueHunter to the vulnerability analysis of 7 open-source projects. The tracing method reduces the amount of code to inspect by 94% for trace-based crash analysis.
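As an added, worked illustration of the iterative "find the last modification of each tainted seed" search sketched in the abstract (this is not ClueHunter's code; the program, trace records and location names are constructed for the example), the following Python models an execution trace as a list of steps with already-resolved def/use locations and computes a backward thin slice from the crashing statement. It assumes a dynamic trace in which a write through a pointer has been resolved to the pointee, and in which call and return records carry the argument-to-parameter and return-value copies; function-pointer and macro call sites are not modelled.

```python
"""Backward thin slicing over a recorded execution trace.

Added illustration, not ClueHunter's code.  Assumptions: each trace
record is one executed statement with the locations it wrote (defs) and
the locations whose values flowed into them (uses), resolved the way a
dynamic trace resolves them, so a write through a pointer (`*np = ...`)
appears as a def of the pointee; that is how aliasing inside a function
is handled here.  Call and return records carry argument-to-parameter
and return-value copies so taint crosses procedure boundaries.
Function-pointer and macro call sites are not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    idx: int          # position in the execution trace
    func: str         # function executing the statement
    src: str          # source text, for the report only
    defs: frozenset   # locations written by this statement
    uses: frozenset   # locations whose values flow into defs


def last_def(trace, loc, before):
    """Most recent step strictly before `before` that wrote `loc`."""
    for step in reversed(trace[:before]):
        if loc in step.defs:
            return step
    return None       # never written: external input or uninitialised


def backward_thin_slice(trace, crash_idx, seeds):
    """Return (slice, ddg).

    slice: sorted trace indices whose values reach `seeds` at `crash_idx`.
    ddg:   data-dependency edges (consumer_idx, producer_idx).

    Worklist: for each tainted location, walk back to the step that last
    defined it; that step joins the slice and its own uses become new
    tainted seeds.  Only value flow is followed (thin slicing): control
    dependences and base-pointer dependences are deliberately ignored.
    """
    worklist = [(loc, crash_idx) for loc in seeds]
    in_slice, ddg, seen = set(), set(), set()
    while worklist:
        loc, before = worklist.pop()
        if (loc, before) in seen:
            continue
        seen.add((loc, before))
        producer = last_def(trace, loc, before)
        if producer is None:
            continue  # slice root: the value came from outside the trace
        ddg.add((before, producer.idx))
        if producer.idx not in in_slice:
            in_slice.add(producer.idx)
            for used in producer.uses:
                worklist.append((used, producer.idx))
    return sorted(in_slice), ddg


def slice_at_crash(trace, crash_idx):
    """Seed the slice with everything the crashing statement read."""
    return backward_thin_slice(trace, crash_idx, trace[crash_idx].uses)


def _s(idx, func, src, defs=(), uses=()):
    return Step(idx, func, src, frozenset(defs), frozenset(uses))


# Constructed trace of a hypothetical program: main() sizes a buffer from
# strlen(input), shaves one byte off through a pointer, and fill() then
# strcpy()s input into it.  Locations are qualified by owning function;
# `input` is an external (never-defined) global.
TRACE = [
    _s(0, "main", "n = strlen(input)", defs=["main.n"], uses=["input"]),
    _s(1, "main", "np = &n", defs=["main.np"]),                      # base pointer only
    _s(2, "main", "*np = n - 1", defs=["main.n"], uses=["main.n"]),  # *np resolved to n
    _s(3, "main", "unused = 42", defs=["main.unused"]),
    _s(4, "main", "make_buf(n)", defs=["make_buf.n"], uses=["main.n"]),          # call: arg -> param
    _s(5, "make_buf", "b = malloc(n)", defs=["make_buf.b"], uses=["make_buf.n"]),
    _s(6, "make_buf", "return b", defs=["main.buf"], uses=["make_buf.b"]),       # return -> caller lhs
    _s(7, "main", "fill(buf, input)", defs=["fill.dst", "fill.src"], uses=["main.buf", "input"]),
    _s(8, "fill", "strcpy(dst, src)", uses=["fill.dst", "fill.src"]),            # crash here
]


def report(trace, crash_idx):
    """Human-readable slice, plus the share of earlier steps it lets you skip."""
    steps, _ = slice_at_crash(trace, crash_idx)
    lines = [f"{trace[i].idx:>3} {trace[i].func:>8}: {trace[i].src}" for i in steps]
    skipped = 1 - len(steps) / max(crash_idx, 1)
    return "\n".join(lines), skipped


if __name__ == "__main__":
    text, skipped = report(TRACE, 8)
    print(text)
    print(f"steps before the crash not in the slice: {skipped:.0%}")
```

On the constructed trace, steps 1 (`np = &n`) and 3 (`unused = 42`) fall out of the slice: the first only supplies the base pointer of the later write, which thin slicing does not follow, and the second contributes no value to the crash. Everything else, including the argument copy into make_buf and the return value flowing back into main.buf, is kept, which is the interprocedural chain an analyst would want to see. The example leans on the trace having already resolved `*np` to `n`; with a static trace the same walk would need an alias analysis to decide which location that write defines.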
Index Terms
- Backward Slicing Analysis on Debug Log for Crash Comprehension