1 / 27

Fine-Grained Dynamic Instrumentation of Commodity Operating System Kernels

Fine-Grained Dynamic Instrumentation of Commodity Operating System Kernels. Ariel Tamches Barton P. Miller {tamches,bart}@cs.wisc.edu Computer Sciences Department University of Wisconsin 1210 W. Dayton Street Madison, WI 53706-1685 USA. The Vision.

donald
Download Presentation

Fine-Grained Dynamic Instrumentation of Commodity Operating System Kernels

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fine-Grained Dynamic Instrumentation of Commodity Operating System Kernels Ariel Tamches Barton P. Miller {tamches,bart}@cs.wisc.edu Computer Sciences Department University of Wisconsin 1210 W. Dayton Street Madison, WI 53706-1685 USA OSDI ‘99

  2. The Vision A unified infrastructure for dynamic OS’s Fine-grained runtime code instrumentation for: • Performance measurement • Tracing • Testing (e.g., code coverage) • Debugging: conditional breaks, access checks • Optimizations: specialization, code reorganization • Extensibility OSDI ‘99

  3. Motivation: Measurement • Measurement primitives • Counts, cycle timers, cache misses, branch misprediction time (on-chip counters) • Instrument kernel to self-measure as it runs • Predicates • A specific code path; when a process is running, etc. • Many interesting routines in the kernel: • Scheduling: preempt, disp, swtch • VM management: hat_chgprot, hat_swapin • Network: tcp_lookup, tcp_wput, ip_csum_hdr, hmeintr OSDI ‘99

  4. Motivation: Optimization • Performance measurement shows slow code? Pick from a cookbook of on-line optimizations • Specialization • Instrument function to find common params • Generate specialized function • Install (old version jumps to new if condition met) • Can predicate specialization (e.g. a specific process) • Reorganize code to improve i-cache • Instrument function to measure icache miss cycles • Then instrument to find cold basic blocks • Generate “outlined” function & install OSDI ‘99

  5. Technology to Make it Happen KernInst: fine-grained dynamic kernel instrumentation • Inserts runtime-generated code into kernel • Dynamic: everything at runtime • no recompile, reboot, or even pause • Fine-grained: insert at instruction granularity • Runs on unmodified commoditykernel • Solaris on UltraSparc OSDI ‘99

  6. Dynamic Instrumentation Code Patch some_kernel_func() • Insert any code, almost anywhere (fine-grained), entirely at runtime (dynamic) instruc1 runtime-generated code instruc2 branch equivalent of instruc3 instruc4 branch instruc19 Net effect: desired code is inserted before instruc3 instruc20 OSDI ‘99

  7. Kerninst Tools (kernel profiler, tracer, optimizer,...) Our System: KernInst Instrumentation request kerninstd ioctl() Patch Heap Data Heap /dev/kerninst Kernel Space OSDI ‘99

  8. How KernInst Works kerninstd startup: • Installs the KernInst driver, /dev/kerninst • Allocates patch and data heaps, and reads kernel symbol table (with assistance from /dev/kerninst) • Parses kernel code into CFG • Tools may want to identify basic blocks • Finds unused registers • Inserted code will use these registers (avoid spills) • From an interprocedural data-flow analysis on the CFG • 15 seconds OSDI ‘99

  9. How KernInst Works (2) • To splice in instrumentation code, kerninstd: • Allocates code patch • Fills code patch with instrumentation code, overwritten instruction, and a jump back • Overwrites instruction at instrumentation point with a branch to the code patch • Writing to kernel memory • /dev/kmem works for most of the kernel • Have /dev/kerninst map into D-TLB for nucleus OSDI ‘99

  10. Code Splicing Hazard Jumping to the patch using two instructions: Execution sequence: (ORIG1, NEW2) • Cannot pause kernel to check for hazard • Splicing must replace only one instruction! Before After Thread is (still) executing here Kernel thread is executing here ORIG 1 ORIG 2 NEW 1 NEW 2 crash! OSDI ‘99

  11. Code Splicing: Reach Problem • Tough to reach patch with just 1 instruction! • Usually too far from the instrumentation point. • SPARC branch instruction has only +/- 8MB offset (ba,a <offset>) • General solution: springboards Springboard instruc Long jump (using as many insns as needed) Code Patch (as usual) instruc branch instruc OSDI ‘99

  12. Springboard Heap • Any scratch space located close to the splice point is suitable for a springboard • Must be reachable by the 1-instruction branch • Kernel modules have initialization and termination routines that can be overwritten • _init and _fini on SVR4 • Ideal because located throughout the kernel • Lock modules into memory for safety • Other unused space in the kernel: • _start and main are only used when booting OSDI ‘99

  13. Web Proxy Server Measurement • Simple kernel measurement tool • Number of calls made to a kernel function • Number of kernel threads executing within a kernel function (“concurrency”) • Squid v1.1.22 http proxy server • Caches HTTP objects in memory and on disk • We used KernInst to understand the cause of two Squid disk I/O bottlenecks. OSDI ‘99

  14. Web Proxy Server Measurement • Profile of the kernel open() routine • Called 20-25 times/sec; taking 40% of time! OSDI ‘99

  15. open() calling vn_create; has 2 sub-bottlenecks: • lookuppn (a.k.a. namei): path name translation (20%) • ufs_create: file create on local disk (20%) OSDI ‘99

  16. File Creation Bottleneck • How Squid manages its on-disk cache: • 1 file per cached HTTP object • A fixed hierarchy of cache files • Stale cache files overwritten • File creation bottleneck • Overwriting existing files: truncates first • UFS semantics: meta-data changed synchronously OSDI ‘99

  17. File Creation Optimization • Overwrite cache file; truncate only if needed • What took 20% now takes 6% OSDI ‘99

  18. Conclusion Fine-grained dynamic kernel instrumentation is feasible on an unmodified commodity OS A single infrastructure for • Profiling, debugging, code coverage • Optimizations • Extensibility The foundation for an evolving OS Measures and constantly adapts itself to runtime usage patterns OSDI ‘99

  19. The Big Picture http://www.cs.wisc.edu/paradyn OSDI ‘99

  20. (Backup slides follow) OSDI ‘99

  21. Patch Area Data Area tcp_lookup() start timer displaced code time_tcp_lookup Start timer displaced code stop timer displaced code Time Spent Demuxing TCP Packets OSDI ‘99

  22. Kernel Metrics • Number of preemptions Kernel Code Timers & Counters Area Code Patch Area num_preempt++ displaced code num_preempt preempt() OSDI ‘99

  23. Kernel Metrics • Number of preemptions of process foo Kernel Code Timers & Counters Area Code Patch Area if curthread-> t_procp == foo num_preempt++ displaced code num_preempt preempt() OSDI ‘99

  24. Kernel Metrics • Time spent filtering incoming TCP packets Kernel Code Code Patch Area Timers & Counters Area start timer displaced code time_tcp_lookup tcp_lookup() Start timer displaced code stop timer displaced code OSDI ‘99

  25. Kernel Metrics • Virtual time spent allocating kernel memory if in_proc_P start timer displaced code kmem_alloc() timer if in_proc_P stop timer displaced code swtch() if leaving P stop timer if starting P start timer displaced code OSDI ‘99

  26. Example: Specialization • Profile: kmem_alloc() get size parameter numcalls[size]++; displaced code numcalls[] hash tab le • Decision: examine hash table • Generate specialized version: • choose fixed value & run constant propagation • expect unconditional branches & dead code OSDI ‘99

  27. Example: Specialization • Splice in the specialized version: kmem_alloc() if size==value then displaced code specialized version • Patch calls to kmem_alloc • Detect constant values for size, where possible • If specialized version appropriate, patch call • No overhead in this case OSDI ‘99

More Related