Re: [9fans] 8l -e
http://4e.iwp9.org
Re: [9fans] 8l -e
4th iwp9 October 21-23 2009
Re: [9fans] 8l -e
> ok. i'm beginning to understand better. is there a specific use case,
> such as the kernel or userland?
>
> i didn't see anything like a tool that could poke nops into the right
> places. i started to write an acid function to put the nops in one
> named function, and then i realized that the ret can appear several
> times in one function and i would need to search for and patch them
> out. but only the *first* ret, not second, e.g.:

this tool was meant for use with the kernel. there is a devtrace in 9atom's
pc and pcpae kernels that does this. ron wrote a paper for the first athens, ga
iwp9. i don't remember the year. 2009?

- erik
Re: [9fans] 8l -e
On Tue, May 27, 2014 at 04:16:24PM -0400, erik quanstrom wrote:
> > you can see there is a JMP over _tracein and a RET before _traceout.
> > what gives?
>
> ah, that's the magic! the idea is to be able to enable and disable these
> tracepoints
> at runtime in a multiprocessor environment without any locking.
>
> - erik
>

ok. i'm beginning to understand better. is there a specific use case,
such as the kernel or userland?

i didn't see anything like a tool that could poke nops into the right
places. i started to write an acid function to put the nops in one
named function, and then i realized that the ret can appear several
times in one function and i would need to search for and patch them
out. but only the *first* ret, not second, e.g.:

    setvar+0x3a 0xadf5  RET                 <--- should be NOP
    setvar+0x3b 0xadf6  CALL _traceout(SB)
    setvar+0x40 0xadfb  RET                 <--- should not be NOP

i was able to patch the JMP, and the RET but only in the case where it
appears at the bottom of a function.

    defn traceon(fn){
        bound = fnbound(fn);
        // nop first jmp
        *(bound[0]) = 0x90\b;
        *(bound[0]+1) = 0x90\b;
        // and the ret
        // XXX should search for ret
        *(bound[1]-7) = 0x90\b;
    }

maybe these were not the droids i was looking for. my real goal is to
make timing statistics for function calls in a program. perhaps this
goal is better fulfilled simply by prof!
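An added example, not from any poster in the thread or from the Plan 9 tools: the "search for the ret" step discussed above, written in C over a buffer holding one function's bytes. It assumes the 2-byte JMP is encoded EB 05 and each CALL as E8 rel32 (consistent with the instruction lengths in the disassembly) and that every return site is emitted as RET; CALL _traceout; RET. The names enabletrace and calltarget, the sample bytes and the addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { NOP = 0x90, RET = 0xC3, CALL = 0xE8, JMP8 = 0xEB };

/* absolute target of the CALL rel32 at code[i]; code[0] is loaded at base */
static uint32_t calltarget(const uint8_t *code, uint32_t base, size_t i)
{
	uint32_t rel = code[i+1] | code[i+2]<<8 | code[i+3]<<16 | (uint32_t)code[i+4]<<24;
	return base + (uint32_t)i + 5 + rel;
}

/* NOP the 2-byte JMP over CALL tin and every RET that sits directly in front
 * of a CALL tout (assumed layout, see lead-in).  Checking the CALL target keeps
 * a C3 E8 byte pair inside an operand from matching.  Returns the number of
 * bytes patched, or -1 if the entry is not JMP +5; CALL tin. */
int enabletrace(uint8_t *code, size_t len, uint32_t base, uint32_t tin, uint32_t tout)
{
	size_t i;
	int n = 2;
	if (len < 7 || code[0] != JMP8 || code[1] != 5 || code[2] != CALL
	|| calltarget(code, base, 2) != tin)
		return -1;
	code[0] = code[1] = NOP;
	for (i = 7; i + 6 <= len; i++)
		if (code[i] == RET && code[i+1] == CALL && calltarget(code, base, i+1) == tout) {
			code[i] = NOP;
			n++;
			i += 5;	/* skip the CALL; the RET after it must stay */
		}
	return n;
}

/* constructed sample: loaded at 0x1000, _tracein at 0x2000, _traceout at 0x2010 */
uint8_t sample[] = {
	0xEB, 0x05, 0xE8, 0xF9, 0x0F, 0x00, 0x00, /* 0x00 JMP +5; CALL _tracein */
	0x85, 0xC0, 0x75, 0x07,                   /* 0x07 TESTL AX,AX; JNE 0x12 */
	0xC3, 0xE8, 0xFF, 0x0F, 0x00, 0x00,       /* 0x0b RET (patch); CALL _traceout */
	0xC3,                                     /* 0x11 RET (keep) */
	0xB8, 0xC3, 0xE8, 0x00, 0x00,             /* 0x12 MOVL $0xE8C3,AX: decoy C3 E8 */
	0xC3, 0xE8, 0xF3, 0x0F, 0x00, 0x00,       /* 0x17 RET (patch); CALL _traceout */
	0xC3,                                     /* 0x1d RET (keep) */
};

int main(void)
{
	printf("patched %d bytes\n", enabletrace(sample, sizeof sample, 0x1000, 0x2000, 0x2010));
	return 0;
}
```

The scan works on raw bytes rather than decoded instructions, so the CALL-target comparison is what separates a real return site from operand bytes that happen to read C3 E8.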
Re: [9fans] 8l -e
> you can see there is a JMP over _tracein and a RET before _traceout.
> what gives?

ah, that's the magic! the idea is to be able to enable and disable these
tracepoints at runtime in a multiprocessor environment without any locking.

- erik
[9fans] 8l -e
i was trying to use 8l's '-e' flag today, when i found some interesting
problems.

first, -e doesn't do what it says unless you pass -p, which goes
unmentioned in the manual page. (luckily i read the source).

second, and more importantly, the calls to _tracein/_traceout are
skipped, as in the following disassembly, but i can't determine why.
is there some tool (besides noping with acid) meant to be used to
'turn on' the tracing calls?

third, when you use -e with -p, prof.$pid files are generated as with
-p, but the prof files are empty. this seems unintentional.

this example is using rc.

    ; 8l -p -e -o 8.out code.8 exec.8 getflags.8 glob.8 here.8 io.8 lex.8 pcmd.8 pfnc.8 simple.8 subr.8 trap.8 tree.8 var.8 havefork.8 plan9.8 y.tab.8
    ; acid 8.out
    8.out:386 plan 9 executable
    /sys/lib/acid/port
    /sys/lib/acid/386
    acid: asm(setvar)
    setvar      0xadbb  JMP   setvar+0x7(SB)
    setvar+0x2  0xadbd  CALL  _tracein(SB)
    setvar+0x7  0xadc2  SUBL  $0x10,SP
    setvar+0xa  0xadc5  MOVL  name+0x0(FP),CX
    setvar+0xe  0xadc9  MOVL  CX,0x0(SP)
    setvar+0x11 0xadcc  CALL  vlook(SB)
    setvar+0x16 0xadd1  MOVL  AX,v+0xc(SP)
    setvar+0x1a 0xadd5  MOVL  0x4(AX),AX
    setvar+0x1d 0xadd8  MOVL  AX,0x0(SP)
    setvar+0x20 0xaddb  CALL  freewords(SB)
    setvar+0x25 0xade0  MOVL  v+0xc(SP),DX
    setvar+0x29 0xade4  MOVL  val+0x4(FP),CX
    setvar+0x2d 0xade8  MOVL  CX,0x4(DX)
    setvar+0x30 0xadeb  MOVL  $0x1,0x8(DX)
    setvar+0x37 0xadf2  ADDL  $0x10,SP
    setvar+0x3a 0xadf5  RET
    setvar+0x3b 0xadf6  CALL  _traceout(SB)
    setvar+0x40 0xadfb  RET
    Xasync      0xadfc  JMP   Xasync+0x7(SB)
    acid:

you can see there is a JMP over _tracein and a RET before _traceout.
what gives?