

Reverse Execution in GDB 7 is imminent - grogers
http://www.gnu.org/software/gdb/news/reversible.html

======
bigmac
IIRC, The gdb team was previously talking implementing this by forking after
every instruction. Does anyone know if the current functionality is being
built on that model?

I guess the advantage of doing it that way is that the majority of the memory
pages can be shared if the OS uses a copy-on-write virtual memory system.

This:

 _Breakpoints and watchpoints will work in reverse -- allowing you for
instance to proceed directly to the previous point at which a variable was
modified._

is going to absolutely killer functionality for reverse engineers.

~~~
msnyder
No, it doesn't fork at all, it simply records the values of registers and
memory that will be modified by each instruction, so that they can be restored
later.

------
gcv
Very slick. I wonder if this upcoming release adds proper support for C++
templates. As is, I don't know of anything other than Visual Studio which
makes debugging STL or Boost-heavy C++ code a reasonable task.

~~~
grogers
For that you can check out Project Archer:

<http://sourceware.org/gdb/wiki/ProjectArcher>

------
mc
_yawn_ check out the ODB (for Java) which allows backward and forward
debugging.

<http://www.lambdacs.com/debugger/>

watch the author give a talk at Google:
<http://video.google.com/videoplay?docid=3897010229726822034>

------
bokchoi
Ever since I saw Omniscient Debugger (ODB), I've wanted this feature
integrated into my IDE. ODB was interesting but didn't seem to take off. I'm
glad GDB is raising the debugger bar.

<http://www.lambdacs.com/debugger/>

------
yason
I've been toying with the idea myself, I even considered writing a Valgrind
plugin to keep a record of how values change in register and memory until I
got scared enough of the complexity and enormity of the code.

I wonder how much memory will it take to run a "usefully large" program with
state recording on? In theory you could compress some memory mutations pretty
easily (like bzero()ing something) while other mutations would need more
memory (writing single ints to various locations). I bet you could generate
some nifty 10GB logs with this thing!

~~~
msnyder
You're right of course. It consumes tens of bytes of ram per executed
instruction. But computers have gigabytes of ram these days, so it all comes
down to what you consider a "usefully large" program. Millions of instructions
-- no problem. Billions -- can't do that. ;-)

------
nathanb
I assume that this will only work if you've executed the program inside of
GDB, not if you load a core file that was dumped earlier outside of GDB?

~~~
yan
Thinking about it, that would be the ultimate hack. If the core file does
indeed have all the regions mapped when the core was dumped, you can
theoretically load them as before then back-step each instruction since they
are fairly well defined.

The huge issue here is, the most probable reason for segfaulting was an
unexpected value coming from the environment and it's impossible to know the
environment the process was running in post-mortem.

~~~
lallysingh
Lots of state is lost! Like the prior values of variables.

~~~
duskwuff
Or, even simpler: you can't reverse an infinite loop without some prior
knowledge of when (and how) you entered it.

------
yan
This has great potential for security researchers.

~~~
ciupicri
Can you elaborate on this? Are talking about the fact that some silly bugs
like buffer overflows will be fixed more easily?

~~~
yan
I was approaching this from the opposite direction; writing and debugging
shellcode will be more pleasant. Or rather, when I have spent time writing
shell code, I wished for such a feature.

------
muon
Till now, I believed this was impossible to do.

~~~
adamt
It's been possible for quite some time. Someone I vaguely know set up a
startup back in 2006 looking to do just this: <http://undo-software.com/>

~~~
zandorg
In 2006, I wanted to see if it was possible, so I wrote (in C++) a virtual CPU
with 2 registers (A and Program Counter) and input (In/Out ports) and the
basic idea was it'd log everything (per cycle) in a reversable form.

Unfortunately I was too lazy to finish it, but I think it would have worked.
It was just a proof of concept.

------
TwoBit
FWIW, Borland C++ had this on PC back in ~1994. It worked pretty well most of
the time.

~~~
msnyder
I remember that -- but I never knew any details. Do you? Did it have a fixed-
size buffer for instruction trace? Did it perform well on reverse step
into/over functions? How was the speed performance?

------
wlievens
Do they need any substantial changes in DWARF to pull this off?

~~~
msnyder
No changes in elf or dwarf.

------
ars
Can this reverse through a seg fault?

~~~
ori_b
Why wouldn't it be able to? A segfault is just a signal like any other.

~~~
yan
Because the state of a process is undefined after a seg fault.

~~~
cracki
"undefined" doesn't mean it has _no_ state. it does have _some_ state. it's
just that this state can't be predicted. it can still be recorded and used in
debugging backwards.

------
Aegean
Finally!

