mago debugger inner workings

Download Mago  Debugger Inner  Workings

Post on 14-Feb-2016




0 download

Embed Size (px)


An implementation overview By Aldo Núñez. Mago Debugger Inner Workings. Mago Debugger. What is debugging? What is a debugger? What is Mago ? Execution Agent Expression Evaluator Symbol Reader Debug Engine D and the debugger. What is debugging?. Run/Attach Control Inspect Why? - PowerPoint PPT Presentation


Mago Debugger Inner Workings

Mago DebuggerInner WorkingsAn implementation overviewBy Aldo Nez[Greet everyone]

Im going to talk about a debugger Ive worked on for a few years.

Along the way, Ill cover what debugging is, and how to debug programs, in particular on Windows.Most of the concepts should apply to other OSes and machine architectures.1Mago DebuggerWhat is debugging?What is a debugger?What is Mago?Execution AgentExpression EvaluatorSymbol ReaderDebug EngineD and the debugger[Ask how many people use debuggers?Ever used one?Use one on a regular basis?]

For someone just starting programming (or laymen)-How would you explain what debugging is?-[Ask someone]2What is debugging?Run/AttachControlInspectWhy?Find out the cause of a problem (bug)This is what I consider the 3 aspects of debugging.

You manipulate a running program in these 3 ways.

And why do you do it?To find out the cause of a problem in your code.3Run/AttachKick off a processAttach to an already running processYou take a program and you launch it.

Or, you take a process thats already running, and you attach to it.

(while debugging, can also do the opposite: detach or kill)During debugging, youll likely need to shut down a process, detect when it shut down on its own; or detach from it and leave it running.4ControlBreakpointsSteppingChanging instruction pointerSuspend and resume threadsExplain these.(from users standpoint)5InspectCallstackLoaded modulesThreadsMemoryRegistersVariablesExpressionsExplain these.-Callstack: all the activation frames in a given thread-Loaded modules-All threads in your process-Memory-Sets of registers-Variables in your code-Expressions expressed in your high-level language6Mago DebuggerWhat is debugging?What is a debugger?What is Mago?Execution AgentExpression EvaluatorSymbol ReaderDebug EngineD and the debuggerWhat is a debugger?A process that runs, controls, and inspects another processSpecial relationship between debugger and debuggeeSystem notifies debugger of events taking place in debuggeeThose were the tasks involved in debugging. Now, what is a debugger?

Read the points.

On Windows, the special relationship between a debugger and a debuggee includes special privileges:-Accessing any part of memory-Normally when a process reads or writes its own memory, its limited by memory protections in place that the OS and hardware enforce.-Suspending and resuming threadsThese are given to a debugger for the simple fact that it is a debugger.

Ill go over the events when we go over Windows debuggers.8OS APIs v. HardwareThere are 4 beings that interact to implement a debugging experience:DebuggeeDebuggerOperating SystemHardware

Lets talk about things that others are responsible for.

Operating systems and hardware.

Detecting and changing break/run mode.At any time, a debuggee is in one of 2 modes: break and run.Run mode: your program is running. It looks like a regular process thats not being debugged.Break mode: your program has stopped running, because of some important eventHere you are free to inspect and change all of the process state.

Note that we still use the OS to talk to the hardware.9Break and Run Mode

Run mode: process runs full speed, w/o anything stopping runs as it was designed intentionally or not

Break mode: all threads are on hold. Can freely look at and change process state.

[Describe transitions shown here]10A Windows DebuggerLoopevent WaitForDebugEvent( timeout )if got eventContinueDebugEvent(,event.tid,DISCARD_EXCEPTION )Until event.code = EXIT_PROCESS

This is the simplest debugger on Windows.

It mirrors the break and run mode state machine from one slide ago.

There is an API called WaitForDebugEvent which waits until a timeout or an event happens in the debuggee. When one does, the API returns a description of the event.

If WaitForDebugEvent doesnt return an event, then the debuggee is probably still in run mode.If it returned an event, then the debuggee is in break mode.

Once youve come to break mode, a call to ContinueDebugEvent will put the debuggee in run mode again.

In this example, we see that the loop will end when the debuggee has ended.11Debug EventsStart ProcessExit ProcessStart ThreadExit ThreadLoad ModuleUnload ModuleExceptionMessage

These are the debug events that Windows can tell you about.

When the Start Thread event comes in, the new thread is not ready to run code, yet. So, asking for the Instruction Pointer then is pointless.

And, because a process only runs code thru its threads, no code is ready to run when the Start Process event comes in.

We get Load and Unload Module events when a DLL is mapped or unmapped from process memory.

As well see in more detail later, you do a lot of things thru the use of the Exception event. This will tell you about language exceptions, Windows exceptions, even an exception for when a threads name changes. I believe this is a convention in the Microsoft CRT.

Message events carry the string passed to OutputDebugString.

12Windows API for DebuggingHere I have some APIs broken down by category.

Some of them are for very general use, like CreateProcess. But, some like WaitForDebugEvent, probably dont have much use other than for debuggers and related programs.13OS and HW Co-op (x86): Single StepI want to give some examples of how we use both the OS and hardware to implement two big features: single step and breakpoints.

First we have single step.

Explain these steps. (Notice whats hardware specific, and what isnt)14OS and HW Co-op (x86): BreakpointPutting and taking away the BP instruction: I call it patching and unpatching.

[Explain these steps. Explain about patching BPs over instructions longer than 1 byte.]15Mago DebuggerWhat is debugging?What is a debugger?What is Mago?Execution AgentExpression EvaluatorSymbol ReaderDebug EngineD and the debuggerWhat is Mago?A debugger for D programsA set of independent librariesA Visual Studio plug-inA debugger for D programs on Windows.

A set of independent libraries that can be used for writing your own debugger.You can also write other tools that need to run, control, and inspect.For example, tracing, code coverage, and other code analysisSome libraries dont depend on WindowsSome dont depend on D

A plug-in for Visual StudioIn this way, Mago is a graphical debugger, because of the environment that its in

Written in C++17HistoryInterest in debuggers since 2005Started September 2009Source code released August 2010Integrated into Visual D September 2010How did Mago begin?

- Took interest when I came across debugging APIs- Team at MS- complained about lack of debugger- shortcomings of WinDbg and plain VS- DDbg- gdb- tinkering for years, then commit- business

I took interest in debuggers in 2005, when I came across the documentation for some Windows debugging APIs online.Actually, before I left Microsoft I worked in Visual Studio, where the team I was in was making a new debugger. I happened to not work on the debugger at the time, but I guess the curiosity must have lingered in my mind.

The idea of working on a debugger for D came shortly after that.I was trying out the D programming language, and complained about the lack of a dedicated debugger.Walter Bright, who made the D language, and others have pointed out that you can use tools like WinDbg and even VS as is to debug D programs. But, this is far from ideal, because there are many missing features. For example, they dont understand D name mangling, and cant access many symbols, or evaluate D expressions. There were other stop gap measures, too.

DDbg came along a few years ago, but its command line only. And the owner seems to have stopped working on it.

I also thought about changing gdb. But, I was scared away by how huge and complicated it is.

So, I was tinkering with debugging APIs and formats for years before I decided I wanted to commit to writing a debugger. And, actually, I wanted to turn it into a business.18Libraries v. Visual Studio plug-inBenefits to making separate componentsTargeted testingMix and match for different purposesUse with any shell programBenefits to making VS plug-inWell tested shell program already writtenHigh level debug programming modelSo, why define these two levels of components?

Each has its own benefits.

By separating the functionality into different components:I make it easier to testI can get an extra level of coverage,For example, the EE unit tests only link with the EE library. They get 2 inputs: One xml file describing declarations and values Many xml files each with an expressionMix and match for other purposes. Like I said at the beginning, that you can use these for tracing or code analysis.By separating these libs out, you can make a debugger that plugs into something like CodeBlocks, instead of VS.

In terms of the benefits,Visual Studio is a shell program thats already written and well tested.I didnt have to worry about writing this partIt comes with a High level debug programming modelGiven all the other pieces involved, it was nice to have this one already from the beginning

19What does Mago look like?VS plug-in: Debug EngineSeparate libraries/components: EA, EE, SR

[Say the whole names.]

[Mention the disassembler (udis86).]20Component ResponsibilitiesWhat do each of the components do?EA: nitty-gritty of low-level of 3 aspects (run, control, inspect)EE: eval based on static debug info from Syms, dynamic proc. state from EADE bridges them

No component depends on any other, except for DE.

The Execution Agent is responsible for controlling the debuggee, and reading and changing its state. Its w