probe to track destinations of calls and branches

[William Cohen <wcohen at redhat dot com>]

Fleshing out another building block for instrumentation, tracking 
destinations of branches and calls. The attached probe has a parameter 
that is the address of the branch or call instruction be instrumented. 
The probe records the destinations of the call or branch in a map. This 
can be used to examine the destinations of indirect calls and jumps.

So I found out the address for the call for the syscall call from the 
disassembled code:

c0103f1c <syscall_call>:
c0103f1c:       ff 14 85 3c 7a 35 c0    call   *0xc0357a3c(,%eax,4)
c0103f23:       89 44 24 18             mov    %eax,0x18(%esp)


# /sbin/insmod kprobe_dest_branch.ko branch_address=0xc0103f1c

Let things run for a little while then:

# /sbin/rmmod kprobe_dest_branch

Below is a portion of the output in /var/log/messages:


Mar 24 16:31:57 slingshot kernel: STP: c0103f1c() branched 2064 times.
Mar 24 16:31:57 slingshot kernel: STP: NUM      Brancher Addr   Brancher 
Name
Mar 24 16:31:57 slingshot kernel: STP: 2        0xc01241ac 
(sys_exit_group+0x0/0xd)
Mar 24 16:31:57 slingshot kernel: STP: 56       0xc012cc7f 
(sys_rt_sigprocmask+0x0/0xc7)
Mar 24 16:31:57 slingshot kernel: STP: 42       0xc016f045 
(sys_ioctl+0x0/0x6f)
Mar 24 16:31:57 slingshot kernel: STP: 4        0xc01254d9 
(sys_waitpid+0x0/0x2b)
...


Right now the code is hard coded for the x86 program counter. That will 
be fixed once there is an entry in the runtime libraries for the program 
counter.

An oddity I found was that I need to to have a pre_handler function. 
Without the pre_handler function the instrumentation would die in the 
post handler. Is there some expectation that there has to be a 
pre_handler function in the kprobe? For this example there really is no 
need for pre_handler and I would get rid of it if the probe didn't crash 
when it was removed.

-Will

Attachment: dest_branch.tar.gz
Description: Unix tar archive