Re: [DynInst_API:] Dyninst for dynamic analysis


Date: Wed, 20 Jan 2016 11:56:48 +0000
From: svartanov@xxxxxxxxx
Subject: Re: [DynInst_API:] Dyninst for dynamic analysis
Dear Bill,

Thank you for your help.

It's possible, though not ideal--you can use arbitrary instpoints to instrument pre- or post- instruction by address. The overhead should be better than valgrind but it'll still be high. The lookup function you want is BPatch_image::findPoints(Address, vector<BPatch_point*>&).

I missed this function in the Dyninst documentation. I tried simple instrumentation of every instruction and all seems OK. I'm going to use static instrumentation of binary libraries since it's more acceptable for iterative analysis.

Overhead is a real problem, but static instrumentation should decrease it.

The best trick I can suggest is to analyze each basic block statically such that you can determine (e.g. via slicing and reaching definitions) which instructions are relevant to your taint analysis and path condition analysis, and at what points in the block the information you seek is valid. That will allow you to consolidate the instrumentation into fewer points, and possibly reuse values or otherwise reduce the workload.

We've had some conversations over the years about how to automate the above process, so that Dyninst could automatically transform instrumentation into its most efficient equivalent form, but those have not turned into code--it's a hard problem in the general case.

If I understand correctly, in terms of static instrumentation, does it mean some kind of code optimization after instrumentation?

Thanks for your help.
Sergey Vartanov.
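
The per-block consolidation suggested in the quoted advice above, as an added example that is not part of the original message and is not Dyninst code. It assumes a constructed toy instruction record (`Insn`) and hypothetical names (`plan_block`, `Plan`, `Point`); it runs a forward may-taint pass over one basic block to decide which addresses need a taint-propagation snippet and which shadow registers can be cleared once at block exit.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Constructed toy IR (not Dyninst's InstructionAPI).
struct Insn {
    unsigned long addr;
    std::string dst;                // register written; empty for a branch
    std::vector<std::string> srcs;  // registers read
    bool loads_memory;              // loaded data's taint is known only at run time
};
struct Point { unsigned long addr; std::vector<std::string> shadow_srcs; };
struct Plan {
    std::vector<Point> points;            // where a propagation snippet is needed
    std::set<std::string> clear_at_exit;  // shadow taint cleared by one snippet at block exit
};
// Forward pass over one basic block; `maybe` holds registers possibly tainted on entry.
// A snippet reads shadow taint only for shadow_srcs; other sources are statically clean.
Plan plan_block(const std::vector<Insn>& block, std::set<std::string> maybe) {
    Plan p;
    for (const Insn& i : block) {
        Point pt{i.addr, {}};
        for (const std::string& s : i.srcs)
            if (maybe.count(s)) pt.shadow_srcs.push_back(s);
        bool relevant = i.loads_memory || !pt.shadow_srcs.empty();
        if (relevant) p.points.push_back(pt);
        if (i.dst.empty()) continue;
        if (relevant) { maybe.insert(i.dst); p.clear_at_exit.erase(i.dst); }
        else          { maybe.erase(i.dst);  p.clear_at_exit.insert(i.dst); }
    }
    return p;
}

std::vector<Insn> sample_block() {  // constructed sample input
    return {
        {0x1000, "rax",   {},             false},  // mov  rax, 0
        {0x1003, "rbx",   {"rax"},        false},  // mov  rbx, rax
        {0x1006, "rcx",   {"rdi"},        true},   // mov  rcx, [rdi]
        {0x1009, "rbx",   {"rbx", "rcx"}, false},  // add  rbx, rcx
        {0x100c, "rdx",   {"rax"},        false},  // lea  rdx, [rax+8]
        {0x1010, "flags", {"rbx"},        false},  // test rbx, rbx
        {0x1013, "",      {"flags"},      false},  // jz   (path condition)
    };
}
int main() {
    Plan p = plan_block(sample_block(), {"rdi", "rsi"});
    for (const Point& pt : p.points) std::printf("instrument 0x%lx\n", pt.addr);
}
```

On the sample block, four of the seven instructions need a snippet, and the two registers written only from constants are handled by a single clear at block exit.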