Date:      Mon, 12 Jul 2004 14:51:34 +0300 (EEST)
From:      Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
To:        Steven Smith <sos22@cantab.net>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Article on Sun's DTrace
Message-ID:  <20040712115134.D6C3F14F@pm514-9.comsys.ntu-kpi.kiev.ua>
In-Reply-To: <1089501790.00086820.1089489001@10.7.7.3>

On Sat, 10 Jul 2004 20:45:14 +0100 in lucky.freebsd.hackers, Steven Smith wrote:
> 
>> > It's also possible to put probes on the return instruction of the
>> > function.  I'm not sure how they're actually finding that, though.
>> I think the return probe is done by adding a call probe that changes the 
>> return address.
> Yeah, I thought that when I first saw it, but the probe is passed the
> address of the return instruction when it fires, and I can't see how
> you could get that if it was just invoked by modifying the return
> address on the call stack.

Don't you think that they disassemble functions on-the-fly to find
out the prolog and return sequence of a function?  On their DTrace
support forum there is an article about the problem with different
byte patterns of "movl %esp, %ebp" produced by different assemblers.

(As an optimization, fbt:::entry and fbt:::return probes' entry points
can be found beforehand and placed in a well-known section.)

At least if control goes from the target function to some DTrace
probe dispatch function, then this DTrace function should know which
commands to emulate before returning to the target function, and it is
impossible to run the original function's commands without knowing
their size; I mean that the DTrace function should copy exactly a complete
sequence of commands from the target function, not some bytes.

I haven't had the opportunity to test DTrace, but there is another interesting
question.  An fbt:::entry probe (or a similar so-called wildcard probe) can
create tens of thousands of entry points on-the-fly.  How does this
creation affect the whole system?  Also, modifying functions on-the-fly
requires some sort of synchronization: no one should run a function
which is currently being modified (fbt provider).
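The prolog and return-sequence detection discussed above, as an added example that is not part of this e-mail or of DTrace itself: a minimal i386 byte-pattern scanner in C that accepts both assembler encodings of "movl %esp, %ebp" and shows why locating the return instruction needs more than matching a single byte. The sample function bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Two encodings of "movl %esp, %ebp" emitted by different assemblers:
 * 89 E5 (MOV r/m32, r32 form) and 8B EC (MOV r32, r/m32 form). */
static const uint8_t MOV_ESP_EBP_A[2] = { 0x89, 0xE5 };
static const uint8_t MOV_ESP_EBP_B[2] = { 0x8B, 0xEC };

/* Length of the standard i386 frame prolog (push %ebp; movl %esp,%ebp)
 * at the start of `code`, or 0 if the function does not begin with it. */
size_t find_prolog(const uint8_t *code, size_t len)
{
    if (len < 3 || code[0] != 0x55)            /* push %ebp */
        return 0;
    if ((code[1] == MOV_ESP_EBP_A[0] && code[2] == MOV_ESP_EBP_A[1]) ||
        (code[1] == MOV_ESP_EBP_B[0] && code[2] == MOV_ESP_EBP_B[1]))
        return 3;
    return 0;
}

/* Offset of the ret in the first "leave; ret" (C9 C3) or "pop %ebp; ret"
 * (5D C3) epilog, or -1. Matching the two-byte epilog instead of a lone
 * C3 avoids the stray C3 inside an immediate in the sample below, but a
 * real implementation must step through instructions with a length
 * decoder, because any byte pattern can also occur inside operands. */
long find_return(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if ((code[i] == 0xC9 || code[i] == 0x5D) && code[i + 1] == 0xC3)
            return (long)(i + 1);
    return -1;
}

/* Constructed sample function body (not taken from any real binary):
 * push %ebp; movl %esp,%ebp (8B EC form); movl $0xc3,%eax (B8 C3 00 00 00,
 * which contains a stray C3 byte); leave; ret */
const uint8_t sample_fn[] = { 0x55, 0x8B, 0xEC, 0xB8, 0xC3, 0x00, 0x00,
                              0x00, 0xC9, 0xC3 };
const size_t sample_fn_len = sizeof sample_fn;

int main(void)
{
    printf("prolog length %zu, ret at offset %ld\n",
           find_prolog(sample_fn, sample_fn_len),
           find_return(sample_fn, sample_fn_len));
    return 0;
}
```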
