Although compiler optimizations play a crucial role in the performance of modern computer systems, debugger technology has lagged behind in its support of optimizations. Yet debugging the unoptimized translation is often impossible or futile, so handling of code optimizations in the debugger is necessary. But compiler optimizations make it difficult to provide source-level debugger functionality: Global optimizations can cause the runtime value of a variable to be inconsistent with the source-level value expected at a breakpoint; such variables are called endangered variables. A debugger must detect and warn the user of endangered variables otherwise the user may draw incorrect conclusions about the program. This paper presents a new algorithm for detecting variables that are endangered due to global scalar optimizations. Our approach provides more precise classifications of variables and is still simpler than past approaches. We have implemented and evaluated our techniques in the con...

Naive program transformations can have surprising effects due to the interaction between introduced identifier references and previously existing identifier bindings, or between introduced bindings and previously existing references. These interactions can result in the inadvertent binding, or capturing, of identifiers. A further complication results from the fact that the transformed program may have little resemblance to the original program, making correlation of source and object code difficult. We address both the capturing problem and the problem of source-object code correlation. Previous approaches to the capturing problem have been both inadequate and overly restrictive, and the problem of source-object code correlation has been largely unaddressed. Our approach is based on a new algorithm for implementing syntactic transformations...

We present a novel approach to avoid the debugging of optimized code through comparison checking. In the technique presented, both the unoptimized and optimized versions of an application program are executed, and computed values are compared to ensure the behaviors of the two versions are the same under the given input. If the values are different, the comparison checker displays where in the application program the differences occurred and what optimizations were involved. The user can utilize this information and a conventional debugger to determine if an error is in the unoptimized code. If the error is in the optimized code, the user can turn off those offending optimizations and leave the other optimizations in place. We implemented our comparison checking scheme, which executes the unoptimized and optimized versions of C programs, and ran experiments that demonstrate the approach is effective and practical.

Instruction scheduling re-orders and interleaves instruction sequences from different source statements. This impacts the task of a symbolic debugger, which attempts to present the user a picture of program execution that matches the source program. At a breakpoint B, if the value in the run-time location of a variable V may not correspond to the value the user expects V to have, then this variable is endangered at B. This paper describes an approach to detecting and recovering endangered variables caused by instruction scheduling. We measure the effects of instruction scheduling on a symbolic debugger's ability to recover source values at a breakpoint. This paper reports measurements for three C programs from the SPEC suite and a collection of programs from the Numerical Recipes, which have been compiled with a variant of a commercial C compiler. 1 Introduction A debugger allows a user to control the execution of a program (e.g., to set breakpoints) and to inspect the state o...

With an increasing number of executable binaries generated by optimizing compilers today, providing a clear and correct source-level debugger for programmers to debug optimized code has become a necessity. In this paper, a new framework for debugging globally optimized code is proposed. This framework consists of a new code location mapping scheme, a data location tracking scheme, and an emulationbased forward recovery model. By taking over the control early and emulating instructions selectively, the debugger can preserve and gather the required program state for the recovery of expected variable values at source breakpoints. The framework has been prototyped in the IMPACT compiler and GDB-4.16. Preliminary experiments conducted on several SPEC95 integer programs have yielded encouraging results. The extra time needed for the debugger to calculate the limits of the emulated region and to emulate instructions is hardly noticeable, while the increase in executable file size due to the e...

Programmers constantly design, implement, and program in little languages. Two different approaches to the implementation of little languages have evolved. One emphasizes the design of little languages from scratch, using conventional technology to implement interpreters and compilers. The other advances the idea of extending a general-purpose host language; that is, the little language shares the host language’s features (variables, data, loops, functions) where possible; its interpreters and compilers; and even its type soundness theorem. The second approach is often called a language embedding. This paper directs the attention of little language designers to a badly neglected area: the programming environments of little languages. We argue that an embedded little language should inherit not only the host language’s syntactic and semantic structure, but also its programming environment. We illustrate the idea with our DrScheme programming environment and S-XML, a little transformation language for XML trees. DrScheme provides a host of tools for Scheme: a syntax analysis tool, a static debugger, an algebraic stepper, a portable plugin system, and an interactive evaluator. S-XML supports the definition of XML languages using a simple form of schemas, the convenient creation of XML data, and the definition of XML transformations.

Existing techniques for garbage collection and machine code optimizations can interfere with each other. The inability to fully optimize code in a garbage-collected system is a hidden cost of garbage collection. One solution to this problem is proposed; an inexpensive protocol that permits most optimizations and garbage collection to coexist. A second approach to this problem and a separate problem in its own right is to reduce the need for garbage collection. This requires analysis of storage lifetime. Inferring storage lifetime is di#cult in a language with nested and recursive data structures, but it is precisely these languages in which garbage collection is most useful. An improved analysis for "storage containment" is described. Containment information can be represented in a directed graph. The derivation of this graph falls into a monotone data-flow analysis framework; in addition, the derivation has the Church-Rosser property. The graphs produced in the analysis of a value-a...

Abstract. In recent years, there has been a growing need for tools that an analyst can use to understand the workings of COTS components, plugins, mobile code, and DLLs, as well as memory snapshots of worms and virus-infected code. Static analysis provides techniques that can help with such problems; however, there are several obstacles that must be overcome: – For many kinds of potentially malicious programs, symbol-table and debugging information is entirely absent. Even if it is present, it cannot be relied upon. – To understand memory-access operations, it is necessary to determine the set of addresses accessed by each operation. This is difficult because ¯While some memory operations use explicit memory addresses in the instruction (easy), others use indirect addressing via address expressions (difficult). ¯Arithmetic on addresses is pervasive. For instance, even when the value of a local variable is loaded from its slot in an activation record, address arithmetic is performed. ¯There is no notion of type at the hardware level, so address values cannot be distinguished from integer values. ¯Memory accesses do not have to be aligned, so word-sized address values could potentially be cobbled together from misaligned reads and writes. We have developed static-analysis algorithms to recover information about the contents of memory locations and how they are manipulated by an executable. By combining these analyses with facilities provided by the IDAPro and CodeSurfer toolkits, we have created CodeSurfer/x86, a prototype tool for browsing, inspecting, and analyzing x86 executables. From an x86 executable, CodeSurfer/x86 recovers intermediate representations that are similar to what would be created by a compiler for a program written in a high-level language. CodeSurfer/x86 also supports a scripting language, as well as several kinds of sophisticated pattern-matching capabilities. These facilities provide a platform for the development of additional tools for analyzing the security properties of executables.

Compiler optimizations pose many problems to source-level debugging of an optimized program due to reordering, insertion, and deletion of code. One such problem is to determine whether the value of a variable is current at a breakpoint—that is, whether its actual value is the same as its expected value. We use the notion of dynamic currency of a variable in source-level debugging and propose the use of a minimal unrolled graph to reduce the run-time overhead of dynamic currency determination. We prove that the minimal unrolled graph is an adequate basis for performing bit-vector data flow analyses at a breakpoint. This property is used to perform dynamic currency determination. It is also shown to help in recovery of a dynamically noncurrent variable.

There are many difficulties to be overcome in the process of designing and implementing a debugger for optimized code. One of the first problems facing the designer of such a debugger is determining how to accurately map between locations in the source program and locations in the corresponding optimized binary. The solution to this problem is critical for many aspects of debugger design, from setting breakpoints, to implementing single-stepping, to reporting error locations. Previous approaches to debugging optimized code have presented many different techniques for solving this location mapping problem (commonly known as the code location problem). These techniques are often very complex and sometimes incomplete. Identifying key instructions allows for a simple yet formal way of mapping between locations in the source program and the optimized target program. In this paper we present the concept of key instructions. We give a formal definition of key instructions and present algorit...