Profile on DefeatMan的博客 https://defeatman.github.io/tags/profile/ Recent content in Profile on DefeatMan的博客 DefeatMan的博客 https://defeatman.github.io/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E https://defeatman.github.io/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E Hugo zh-cn Tue, 02 Sep 2025 12:00:00 +0800 REPT:反向调试在已部署软件中缺陷的应用 https://defeatman.github.io/posts/profile/rept/ Tue, 02 Sep 2025 12:00:00 +0800 https://defeatman.github.io/posts/profile/rept/ <p>标题:REPT: Reverse Debugging of Failures in Deployed Software</p> <p>作者:Weidong Cui, Xinyang Ge, Baris Kasikci, Ben Niu, Upamanyu Sharma, Ruoyu Wang, Insu Yun</p> <p>发表会议:USENIX OSDI 2018</p> <p>原文链接:<a href="https://www.usenix.org/system/files/osdi18-cui.pdf">REPT Reverse Debugging of Failures in Deployed Software</a></p> <h1 id="intro">Intro</h1> <p>众所周知,执行日志有助于调试,但当大多数日志或跟踪在正常运行时都会被丢弃时,没有人愿意为始终在线的日志记录/跟踪支付高性能开销。</p> <p>因此,在部署的软件出现故障时,仅靠 memory dump,以实现事后诊断。而开发人员调试memory dump具有挑战性,有很大一部分错误未得到修复</p> <p>论文针对已部署软件中难以复现的故障诊断难题,提出了REPT系统,这是一种用于对已部署系统中的软件故障进行反向调试的实用解决方案。</p> <p>REPT背后有两个关键思想</p> <ol> <li> <p>利用硬件跟踪以较低的性能开销记录程序的控制流 (Intel Processor Trace)</p> </li> <li> <p>使用一种新颖的二进制分析技术,根据记录的控制流信息和存储在内存转储中的数据值来恢复数据流信息 (Offline Binary Analysis Component Loadable Library in WinDbg)</p> </li> </ol> <p>因此,REPT通过结合记录的控制流和恢复的数据流来实现反向调试</p> <h1 id="intel-pt">Intel PT</h1> <p>由CPU内部集成的专用硬件实现。当程序运行时,PT硬件以压缩的格式生成一系列Packet,记录关键的控制流变化(分支跳转、函数调用等)</p> <table> <thead> <tr> <th>instructions</th> <th>PT</th> <th>Decoded (timestamp, instruction)</th> </tr> </thead> <tbody> <tr> <td>mov</td> <td>NT</td> <td>00.000000, mov</td> </tr> <tr> <td>jnz</td> <td>TIME 2ns + T</td> <td>00.000000, jnz</td> </tr> <tr> <td>add</td> <td>0x407e1d8</td> <td>00.000002, add</td> </tr> <tr> <td>cmp</td> <td>TIME 100ns + NT</td> <td>00.000002, cmp</td> </tr> <tr> <td>je .label</td> <td></td> <td>00.000002, je .label</td> </tr> <tr> <td>mov</td> <td></td> <td>00.000102, call (edx)</td> </tr> <tr> <td>.label:</td> <td></td> <td>00.000102, &hellip;</td> </tr> <tr> <td>call (edx)</td> <td></td> <td>00.000102, test</td> </tr> <tr> <td>test</td> <td></td> <td>00.000102, jb</td> </tr> <tr> <td>jb</td> <td></td> <td></td> </tr> </tbody> </table> <p>Linux Perf 可以方便地收集和解码 Intel PT 跟踪数据</p>