Roland Schatz

A Comprehensive Solution for Deterministic Replay Debugging of SoftPLC Applications

Deterministic replay debugging is an approach to finding bugs in deployed software. It records an application run in the field so that it can deterministically be replayed offline in a development system for debugging purposes. To enable deterministic replay debugging, it is necessary to record all external influences and sources of nondeterminism in the original program run. From that trace log and from a known initial state, the program can be replayed deterministically without requiring any connection to the original environment. In this paper, we present a solution for deterministic replay debugging of hard real-time multitasking SoftPLC applications written in the IEC 61131-3 languages. By taking advantage of the special properties of these programs and by careful engineering, our technique allows recording a SoftPLC application run in the field with minimal overhead and obeying real-time constraints. In later phases, which are offline, the original program run is reconstructed from the minimal information recorded so it can be replayed for debugging. In comparison to previous work, our solution has several advantages: Instead of recording task scheduling information, it reconstructs the task interleaving based on data dependencies, thereby significantly simplifying the recording phase. Additionally, it incorporates a technique for periodically capturing the complete internal state of the system, which can later be used as a starting point for replay. We present the conceptual basis of our approach, a tool chain which provides deterministic replay debugging to the user as a set of fully automated tools, and an evaluation as well as an industrial case study for validating the approach.

High-performance cross-language interoperability in a multi-language runtime

Programmers combine different programming languages because it allows them to use the most suitable language for a given problem, to gradually migrate existing projects from one language to another, or to reuse existing source code. However, existing cross-language mechanisms suffer from complex interfaces, insufficient flexibility, or poor performance. We present the TruffleVM, a multi-language runtime that allows composing different language implementations in a seamless way. It reduces the amount of required boiler-plate code to a minimum by allowing programmers to access foreign functions or objects by using the notation of the host language. We compose language implementations that translate source code to an intermediate representation (IR), which is executed on top of a shared runtime system. Language implementations use language-independent messages that the runtime resolves at their first execution by transforming them to efficient foreign-language-specific operations. The TruffleVM avoids conversion or marshaling of foreign objects at the language boundary and allows the dynamic compiler to perform its optimizations across language boundaries, which guarantees high performance. This paper presents an implementation of our ideas based on the Truffle system and its guest language implementations JavaScript, Ruby, and C.

An efficient native function interface for Java

We present an efficient and dynamic approach for calling native functions from within Java. Traditionally, programmers use the Java Native Interface (JNI) to call such functions. This paper introduces a new mechanism which we tailored specifically towards calling native functions from Java. We call it the Graal Native Function Interface (GNFI). It is faster than JNI in all relevant cases and more flexible because it avoids the JNI boiler-plate code. GNFI enables the user to directly invoke native code from Java applications. We describe how GNFI creates call stubs for native functions that a just-in-time (JIT) compiler can optimize and how we embed these stubs into Java code. We introduce different approaches for calling native functions from within compiled and interpreted Java code. In particular, we describe how our approach embeds the call stubs into a Java application so that the JIT-compiled code consists of a direct call to a native function. We evaluate the call overhead of GNFI. The measurements demonstrate a significant performance advantage of GNFI compared to JNI and the Java Native Access (JNA). Also, we evaluate our approach against JNI and JNA on a jblas matrix multiplication benchmark. The evaluation shows that GNFI outperforms JNI and JNA in compiled and interpreted mode by a factor of 1.9 in the best case.

Memory-safe Execution of C on a Java VM

In low-level languages such as C, spatial and temporal safety errors (e.g. buffer overflows or dangling pointer dereferences) are hard to find and can cause security vulnerabilities. Modern high-level languages such as Java avoid these problems by running programs on a virtual machine that provides automated memory management. In this paper we show how we can safely execute C code on top of a modern runtime (e.g., a Java Virtual Machine) by allocating all data on the managed heap. We reuse the memory management of the runtime, hence, we can ensure spatial and temporal safety with little effort. Nevertheless, we retain all characteristics that are typical for unsafe languages (such as pointer arithmetic, pointers into objects, or arbitrary type casts).We discuss how our approach complies with the C99 standard. Compared to an optimized unsafe execution of a C program (compiled with the GNU C compiler and all optimizations enabled) our approach has overhead of 15% on average (peak-performance).

Monaco-A domain-specific language solution for reactive process control programming with hierarchical components

In this paper, we present Monaco - a domain-specific language for developing event-based, reactive process control programs - and its visual interactive programming environment. The main purpose of the language is to bring process control programming closer to domain experts. Important design goals have therefore been to keep the language concise and to allow programs to be written that reflect the perceptions of domain experts. Monaco is similar to Statecharts in its expressive power, but adopts an imperative notation. Moreover, Monaco uses a state-of-the-art component approach with interfaces and polymorphic implementations, and enforces strict hierarchical component architectures that support hierarchical abstraction of control functionality. We present the main design goals, the essential programming elements, the visual interactive programming environment, results from industrial case studies, and a formal definition of the semantics of the reactive behavior of Monaco programs in the form of labeled transition systems.

Software support for building end-user programming environments in the automation domain

Projects in the automation domain often require that end users, who are the machine operators, have means to change control software to make adaptations and optimizations for the machining task at hand. Although they usually do not have any software development expertise, they intervene in safety-critical software systems. This results in high demands on end-user programming environments with respect to supporting, guiding, and supervising end users. In this paper we present a software framework which is intended to serve as a basis for developing end-user programming environments. The main parts of this framework are a domain-specific language for programming automation solutions at a high level of abstraction, different visual editors for supporting end users, an approach for checking program changes against formal specifications, a variability modeling approach for representing high-level user decisions, and an approach for setting up customized end-user environments from models.

Sulong, and Thanks for All the Bugs: Finding Errors in C Programs by Abstracting from the Native Execution Model

In C, memory errors, such as buffer overflows, are among the most dangerous software errors; as we show, they are still on the rise. Current dynamic bug-finding tools that try to detect such errors are based on the low-level execution model of the underlying machine. They insert additional checks in an ad-hoc fashion, which makes them prone to omitting checks for corner cases. To address this, we devised a novel approach to finding bugs during the execution of a program. At the core of this approach is an interpreter written in a high-level language that performs automatic checks (such as bounds, NULL, and type checks). By mapping data structures in C to those of the high-level language, accesses are automatically checked and bugs discovered. We have implemented this approach and show that our tool (called Safe Sulong) can find bugs that state-of-the-art tools overlook, such as out-of-bounds accesses to the main function arguments.

Detection of high-level execution patterns in reactive behavior of control programs

This paper presents an approach to extract high-level patterns from traces of programmable logic control (PLC) programs recorded with a deterministic replay debugging tool. Our deterministic replay debugging works by recording an application run in real-time with minimal overhead so that it can be reproduced afterwards. In a subsequent phase, the application is replayed in offline mode to produce a more detailed trace log with additional information about the application run. A software developer can replay the program in a debugger and use debugger features to analyze the program run and locate errors. However, due to the vast amount of data and the complex behavior of reactive control programs, a normal debugger is usually only a poor support in comprehending the program behavior. In this paper we present an approach to analyze recorded program runs of PLC applications. We present a technology to visualize the reactive behavior of a program run and find recurring high-level execution patterns in long-running applications. We give an overview of possible application scenarios to support program comprehension, testing, and debugging.

Deterministic Replay Debugging of IEC 61131-3 SoftPLC programs

Deterministic Replay Debugging is an approach to finding field failures in application runs. It records an application run so that it can be replayed deterministically in a development system for debugging purposes without connection to a physical environment. In this paper, we present a solution for deterministic replay debugging of hard real-time SoftPLC applications written in the IEC 61131-3 languages. By taking advantage of the special properties of these programs and by careful engineering, our technique allows recording a SoftPLC application run with minimal overhead and obeying real-time constraints. In later phases, which are off-line, the original program run is reconstructed to be replayed for debugging. We present the conceptual basis of our approach, a tool chain including a time-traveling debugger, and an evaluation

Introspection for C and its Applications to Library Robustness

Context: In C, low-level errors, such as buffer overflow and use-after-free, are a major problem, as they cause security vulnerabilities and hard-to-find bugs. C lacks automatic checks, and programmers cannot apply defensive programming techniques because objects (e.g., arrays or structs) lack run-time information about bounds, lifetime, and types. Inquiry: Current approaches to tackling low-level errors include dynamic tools, such as bounds or type checkers, that check for certain actions during program execution. If they detect an error, they typically abort execution. Although they track run-time information as part of their runtimes, they do not expose this information to programmers. Approach: We devised an introspection interface that allows C programmers to access run-time information and to query object bounds, object lifetimes, object types, and information about variadic arguments. This enables library writers to check for invalid input or program states and thus, for example, to implement custom error handling that maintains system availability and does not terminate on benign errors. As we assume that introspection is used together with a dynamic tool that implements automatic checks, errors that are not handled in the application logic continue to cause the dynamic tool to abort execution. Knowledge: Using the introspection interface, we implemented a more robust, source-compatible version of the C standard library that validates parameters to its functions. The library functions react to otherwise undefined behavior; for example, they can detect lurking flaws, handle unterminated strings, check format string arguments, and set errno when they detect benign usage errors. Grounding: Existing dynamic tools maintain run-time information that can be used to implement the introspection interface, and we demonstrate its implementation in Safe Sulong, an interpreter and dynamic bug-finding tool for C that runs on a Java Virtual Machine and can thus easily expose relevant run-time information. Importance: Using introspection in user code is a novel approach to tackling the long-standing problem of low-level errors in C. As new approaches are lowering the performance overhead of run-time information maintenance, the usage of dynamic runtimes for C could become more common, which could ultimately facilitate a more widespread implementation of such an introspection interface.