LIZARD IZ A Replay Debugger

Replaying programs that use mmap and munmap

How to handle mmap() and munmap()

During Trace

 * mmap

	in the syscall log, record the args, the return value, and the
	number of mmap-family calls made before this call (its id).

 * munmap

	log the args of munmap, the return value, and the flags of the
	region being unmapped

During Replay

Suppose you are at Source (S) and have to go to Target (T); a
Checkpoint (C) that could be restored may or may not exist.

Forward Replay

          Source (S)     -->      +-----+
                                  |     |
                                  |     |
          Checkpoint (C) -->   =============
                                  |     |
                                  |     |
          Target (T)     -->      +-----+

If C exists:
       1. Do all mmaps between S and C [1]
       2. Restore checkpoint C and execute program till T

else if C does not exist:
       1. Execute program till T

Backward Replay

          Checkpoint (C) -->   ==============
                                  |     |
                                  |     |
          Target (T)     -->      +-----+
                                  |     |
                                  |     |
          Source (S)     -->      +-----+

   1. Undo all mmaps between C and S [2]
   2. Restore checkpoint C and execute program till T

How to "do" and "undo" mmaps and munmaps

(id(X) is defined as the number of mmap family calls before X.)

[1] Do all mmap-family calls from S to C

L = [ M | M <- mmaps, id(M) >= id(S), chkpt_before(M) < C ]

Execute mmaps in L in order.

[2] Undo all mmap-family calls from S back to C

L' = [ M | M <- mmaps, id(M) < id(S), chkpt_before(M) == C ]

for each x in reverse(L')
    if x is an mmap
       unmap it
    else if x is a munmap
       map it again using the logged args and region flags

Who's doing what and interfaces between Replayer and sysfake_mmap

sysfake_mmap always keeps track of id(S).

           As soon as the Replayer knows C, it calls sysfake_mmap_pre_restore,
           giving it C and the direction of the jump.

           Based on the direction of the jump, sysfake_mmap_pre_restore decides
	   whether to do [1] or [2] and then does it.  It does NOT
	   restore any checkpoint or effectively change the EIP.

How to keep track of id(S):
   1. initially id(S) is zero.

   2. whenever sysfake_mmap_pre_restore does or undoes mmaps, it adds
      the number of calls done to id(S), or subtracts the number undone.

   3. whenever the debuggee (being executed) hits a syscall breakpoint,
      sysfake's on_syscall() handler increments id(S) if the syscall
      is mmap family.
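A small simulation of [1], [2] and the id(S) bookkeeping above, as an added example (not LIZARD's own code): the syscall log, the checkpoint positions and the dict used as an address-space model are constructed here, and only the mmap side that sysfake_mmap_pre_restore is responsible for is modeled, not the checkpoint restore itself.

```python
# Constructed syscall log of mmap-family calls; an entry's index is its id
# (calls before it). munmap logs the region's flags so undoing can remap it.
LOG = [
    ("mmap",   0x1000, 0x2000, "rw-"),   # id 0
    ("mmap",   0x5000, 0x1000, "r--"),   # id 1
    ("munmap", 0x1000, 0x2000, "rw-"),   # id 2
    ("mmap",   0x8000, 0x1000, "r-x"),   # id 3
]
# Constructed checkpoints: number -> id of the first mmap-family call after it.
CHECKPOINT_POS = {1: 0, 2: 2}

def chkpt_before(m):
    """Number of checkpoints taken before mmap-family call m."""
    return sum(1 for pos in CHECKPOINT_POS.values() if pos <= m)

def replay(space, entry, undo=False):
    """Apply a logged call to {addr: (length, flags)}; undo reverses it."""
    kind, addr, length, flags = entry
    if (kind == "mmap") != undo:      # mmap, or undoing a munmap: map
        space[addr] = (length, flags)
    else:                             # munmap, or undoing an mmap: unmap
        del space[addr]

def state_at(n):
    """Oracle: address space after running calls 0 .. n-1 linearly."""
    space = {}
    for entry in LOG[:n]:
        replay(space, entry)
    return space
class SysfakeMmap:
    def __init__(self):
        self.id_s, self.space = 0, {}     # id(S) and the simulated mappings
    def on_syscall(self, entry):
        replay(self.space, entry)         # debuggee hit an mmap-family syscall
        self.id_s += 1
    def pre_restore(self, c, forward):
        """Replayer calls this once it knows checkpoint C and the direction."""
        n = range(len(LOG))
        if forward:   # [1]: do calls from S up to C, in log order
            todo = [m for m in n if m >= self.id_s and chkpt_before(m) < c]
            for m in todo:
                replay(self.space, LOG[m])
            self.id_s += len(todo)
        else:         # [2]: undo calls between C and S, newest first
            done = [m for m in n if m < self.id_s and chkpt_before(m) == c]
            for m in reversed(done):
                replay(self.space, LOG[m], undo=True)
            self.id_s -= len(done)
        return self.id_s
```

After a forward or backward jump the simulated mappings should equal the oracle state at the checkpoint's position, and id(S) should equal that position.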

