Replaying programs that use mmap and munmap
How to handle mmap() and munmap()
During Trace
_______________________________________________________
* mmap
    log the args, the return value (the address the kernel chose) and
    the number of mmap-family calls made before this call (its id, see
    below).
* munmap
    log the args, the return value and the flags of the region being
    unmapped, so that the region can be mapped again with the same
    flags when the call is undone.
During Replay
_______________________________________________________
Suppose you are at Source (S) and have to go to Target (T), and there
is or isn't a Checkpoint (C) that can be restored on the way.
Forward Replay
____________________
Source (S)     --> +-----+
                   |     |
                   |     |
Checkpoint (C) --> =======
                   |     |
                   |     |
Target (T)     --> +-----+
If C exists (a checkpoint between S and T):
    1. Do all mmaps between S and C [1]
    2. Restore checkpoint C and execute the program till T
else (no checkpoint between S and T):
    1. Execute the program till T
Backward Replay
____________________
Checkpoint (C) --> =======
                   |     |
                   |     |
Target (T)     --> +-----+
                   |     |
                   |     |
Source (S)     --> +-----+
(C is the latest checkpoint at or before T; other checkpoints may lie
between T and S.)
    1. Undo all mmaps between C and S [2]
    2. Restore checkpoint C and execute the program till T
How to "do" and "undo" mmaps and munmaps
__________________________________________
(id(X) is the number of mmap-family calls made before X, so a call M lies
after S exactly when id(M) >= id(S). chkpt_before(M) is the most recent
checkpoint taken before M.)
[1] Do all mmap-family calls from S to C
    L = [ M | M <- mmaps, id(M) >= id(S), chkpt_before(M) < C ]
    Execute the calls in L in order, with their logged args. Each
    mapping has to land at its logged return address, otherwise the
    replayed program's memory layout diverges from the trace.
[2] Undo all mmap-family calls from C to S
    L' = [ M | M <- mmaps, id(M) < id(S), chkpt_before(M) >= C ]
    (">= C", not "== C": checkpoints taken between T and S also lie
    after C, and the calls made after them have to be undone too.)
    for each x in reverse(L')
        if x is an mmap
            unmap it, using the logged return address and length
        else if x is an munmap
            map it again with the right args: the logged address and
            length, and the flags of the region that were logged with
            the munmap
Who's doing what and interfaces between Replayer and sysfake_mmap
___________________________________________________________________
sysfake_mmap always keeps track of id(S).
Replayer:
    As soon as it knows C, it calls sysfake_mmap_pre_restore with C
    and the direction of the jump, before it restores the checkpoint.
sysfake_mmap_pre_restore:
    Based on the direction of the jump, it decides whether to do [1]
    or [2] and then does it. It does NOT restore any checkpoint or
    change the EIP; it only brings the mappings to the state they had
    at C, so that the checkpoint can be restored into them.
How to keep track of id(S):
    1. Initially id(S) is zero.
    2. Whenever sysfake_mmap_pre_restore does or undoes calls, it adds
       the number of calls done to id(S), or subtracts the number of
       calls undone.
    3. Whenever the debuggee (being executed) hits a syscall
       breakpoint, sysfake's on_syscall() handler increments id(S) if
       the syscall is in the mmap family.
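The do/undo selection of [1] and [2] and the id(S) bookkeeping above, worked through on a constructed trace. This is an added example, not the replayer's or sysfake_mmap's code: Replay, run_to, pre_restore, jump, MapCall, Checkpoint and states are this example's own names, the address space is a plain dict keyed by start address, and the trace, its addresses and its flag strings are made up. It checks the property that matters in practice: a jump through a checkpoint must leave the same mappings and the same id(S) as executing straight to the target, including a backward jump that crosses a second checkpoint lying between T and S, whose calls have to be undone as well.

```python
"""Checkpoint jumps with mmap/munmap bookkeeping (constructed example, not the
replayer's code). Trace = time-ordered Checkpoint markers and logged mmap-family
calls; address space = dict addr -> (length, prot, flags); all names are this example's."""
from dataclasses import dataclass

@dataclass
class Checkpoint:
    index: int                 # checkpoints are numbered in trace order

@dataclass
class MapCall:                 # one logged mmap-family call, as the tracer writes it
    kind: str                  # "mmap" or "munmap"
    addr: int                  # mmap: returned address; munmap: first argument
    length: int
    prot: str                  # munmap: protection of the region being unmapped
    flags: str                 # munmap: flags of that region, needed to re-map it on undo
    id: int = 0                # id(M): number of mmap-family calls before this one
    chkpt_before: int = -1     # most recent checkpoint at or before M (-1: none)

def number_trace(trace):
    """Fill in id(M) and chkpt_before(M) for every MapCall, in trace order."""
    nmaps, last_ckpt = 0, -1
    for ev in trace:
        if isinstance(ev, Checkpoint):
            last_ckpt = ev.index
        else:
            ev.id, ev.chkpt_before = nmaps, last_ckpt
            nmaps += 1
    return trace

def apply_call(space, m, undo=False):
    """Do one logged call against the address-space model, or (undo=True) reverse it."""
    if (m.kind == "mmap") != undo:    # mmap done, or munmap undone: the region comes back
        assert m.addr not in space, "replayed mmap collides with a live mapping"
        space[m.addr] = (m.length, m.prot, m.flags)   # at logged address, with logged flags
    else:                             # munmap done, or mmap undone: the region goes away
        del space[m.addr]

def do_mmaps(mmaps, id_S, C):
    """[1]: calls from S up to checkpoint C, in trace order."""
    return [m for m in mmaps if m.id >= id_S and m.chkpt_before < C]

def undo_mmaps(mmaps, id_S, C):
    """[2]: calls from checkpoint C up to S, newest first so they can be undone."""
    return [m for m in reversed(mmaps) if m.id < id_S and m.chkpt_before >= C]

class Replay:
    def __init__(self, trace):
        self.trace = number_trace(trace)
        self.mmaps = [e for e in self.trace if isinstance(e, MapCall)]
        self.ckpt_pos = {e.index: i for i, e in enumerate(self.trace) if isinstance(e, Checkpoint)}
        self.space = {}            # the debuggee's mappings: addr -> (length, prot, flags)
        self.id_S = 0              # id(S), kept by sysfake_mmap; initially zero
        self.pos = 0               # trace events executed so far, i.e. where S is

    def run_to(self, target):
        """Execute the debuggee forward; each mmap-family syscall breakpoint bumps id(S)."""
        while self.pos < target:
            ev = self.trace[self.pos]
            if isinstance(ev, MapCall):          # on_syscall()
                apply_call(self.space, ev)
                self.id_S += 1
            self.pos += 1

    def pre_restore(self, C, direction):
        """sysfake_mmap_pre_restore: do [1] or undo [2], adjust id(S); restores nothing itself."""
        undo = direction == "backward"
        L = (undo_mmaps if undo else do_mmaps)(self.mmaps, self.id_S, C)
        for m in L:
            apply_call(self.space, m, undo)
        self.id_S += -len(L) if undo else len(L)

    def jump(self, target):
        """Replayer: go from the current position S to trace position target (T)."""
        C = max(i for i, p in self.ckpt_pos.items() if p <= target)   # latest checkpoint <= T
        if target < self.pos or self.ckpt_pos[C] > self.pos:          # C is worth restoring
            self.pre_restore(C, "backward" if target < self.pos else "forward")
            self.pos = self.ckpt_pos[C]          # "restore checkpoint C"
        self.run_to(target)                      # (forward with no C between S and T: just run)

def sample_trace():
    rw, anon = "rw-", "private|anon"          # constructed values, not kernel constants
    return [Checkpoint(0),
            MapCall("mmap", 0x1000, 0x2000, rw, anon),     # A
            MapCall("mmap", 0x5000, 0x1000, rw, anon),     # B
            Checkpoint(1),
            MapCall("munmap", 0x1000, 0x2000, rw, anon),   # unmap A (region flags logged)
            MapCall("mmap", 0x9000, 0x1000, rw, anon),     # C
            Checkpoint(2),
            MapCall("munmap", 0x5000, 0x1000, rw, anon),   # unmap B
            MapCall("mmap", 0x1000, 0x1000, rw, anon)]     # D reuses A's old address

def states(path):
    """(space, id(S)) after the jump path, beside the same after straight-line execution."""
    r, ref = Replay(sample_trace()), Replay(sample_trace())
    for t in path:
        r.jump(t)
    ref.run_to(path[-1])
    return (r.space, r.id_S), (ref.space, ref.id_S)
```

states(path) returns the (mappings, id(S)) pair reached by following the jumps in path beside the pair reached by running straight to the last target; the two must be equal for every path. states([8, 5]) exercises the backward case that crosses checkpoint 2: the munmap of B is undone first (B comes back with its logged flags), then mmap C and the munmap of A, before checkpoint 1 is restored and A is unmapped again on the way to position 5.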