[DynInst_API:] Dyninst for dynamic analysis


Date: Wed, 13 Jan 2016 14:59:27 +0000
From: svartanov@xxxxxxxxx
Subject: [DynInst_API:] Dyninst for dynamic analysis
Dear all,

I am working on developing a dynamic analysis tool for defect detection in Java programs: bytecode and binary code used by the JVM through JNI.

Previously our team built the Avalanche tool for crash detection in C/C++ programs. It was built on top of Valgrind. Our approach is quite simple. Avalanche runs the target program with random input, and extracts full path conditions using dynamic instrumentation. After that the tool inverts one of the branch conditions, generates new input data, and repeats these actions for other execution paths.

For this purpose we have to instrument every significant (almost every) instruction, and Valgrind is pretty good for this.

Dealing with Java, I have modified the Avian virtual machine to extract a path condition trace for Java during bytecode interpretation. But now I want to extract the same path condition trace from native code execution (native libraries used through JNI).

I can use Valgrind for this, but I would have to run the whole JVM on top of Valgrind just to instrument native functions. I would get too much overhead.

I am impressed by Dyninst's ability to perform static instrumentation and insert code into a running program. I wrote a couple of simple Dyninst tools for instrumentation but ran into a problem with instrumentation points. I can't find a way to set an instrumentation point for every instruction in the target program. Is it possible to do this? If not in the current Dyninst version, maybe in future versions?

Or maybe you know some tricks to extract a path condition trace without instrumenting every instruction. As I understand it, instrumentation points at every basic block start or even at every memory access are insufficient for full taint tracking and path condition trace dumping, even if I know everything about the static instruction list in a basic block, because I must know, for example, register values on the fly.

Thank you.

Best regards,
Sergey Vartanov.
