dtrace discuss - Jan 2008 - Functions missing return probes on Leopard

Hi All,

I have been doing some application tracing on OS X using the pid provider to
trace function entry and returns.  I have noticed that some function have
entry probes, but no return probes.  In fact, there are not even any
instruction offset probes, only the entry probe. This is unbalancing the
indent flow graphs (-F).  Any idea why this is happening?

Example:

# dtrace -l -p 243 -n ''pid$target::memcpy:''
Password:
   ID   PROVIDER            MODULE                          FUNCTION NAME
57175     pid243 libSystem.B.dylib                            memcpy entry
225226     pid243              dyld                            memcpy entry
# 


# dtrace -l -p 1617 -n ''pid$target::RTSPSession_CheckState:''
   ID   PROVIDER            MODULE                          FUNCTION NAME
437436    pid1617 QuickTimeStreaming            RTSPSession_CheckState entry
#

Tiller,

	In this case, its because dtrace believes there is a jump table:

ghopper:/# dtrace -xdebug -l -n ''pid$target::memcpy:'' -c
/usr/bin/true
	[ ... ]
libdtrace DEBUG: grabbed pid 76537 (cached)
libdtrace DEBUG: creating probe pid76537:libSystem.B.dylib:memcpy:*
libdtrace DEBUG: found a suspected jump table at memcpy:5
libdtrace DEBUG: found a suspected jump table at memcpy:5
libdtrace DEBUG: creating probe pid76537:dyld:memcpy:*
libdtrace DEBUG: found a suspected jump table at memcpy:5
libdtrace DEBUG: found a suspected jump table at memcpy:5

	However, even if that wasn''t an issue, there isn''t really
a "return" from memcpy. Here is libSystem''s memcpy stub:

_memcpy:
00006960	movl	$0xffff07a0,%eax
00006965	jmp	*%eax
00006967	nop

	I too have had pretty bad results from flowindent. It may be
that gcc just generates different enough code that more functions
are uninstrumentable on OS X.

	I''ve used something like this as a workaround:

BEGIN
{
	spaces = "                                                             
";
}

fbt:::entry
/ pid == $1 /
{
	printf("%s-> %s\n", stringof(&spaces[60 - (stackdepth * 2)]),
probefunc);
}

fbt:::return
/ pid == $1 /
{
	printf("%s<- %s (%d)\n", stringof(&spaces[60 - ((stackdepth-1)
*
2)]), probefunc, arg1 );
}

	There is probably a better & smarter way to do that, but it was a  
quick hack
that got the job done :-).

	James M

On Jan 22, 2008, at 12:41 PM, Tiller Beauchamp wrote:
> Hi All,
>
> I have been doing some application tracing on OS X using the pid  
> provider to
> trace function entry and returns.  I have noticed that some function  
> have
> entry probes, but no return probes.  In fact, there are not even any
> instruction offset probes, only the entry probe. This is unbalancing  
> the
> indent flow graphs (-F).  Any idea why this is happening?
>
> Example:
>
> # dtrace -l -p 243 -n ''pid$target::memcpy:''
> Password:
>   ID   PROVIDER            MODULE                          FUNCTION  
> NAME
> 57175     pid243 libSystem.B.dylib                            memcpy  
> entry
> 225226     pid243              dyld                             
> memcpy entry
> #
>
>
> # dtrace -l -p 1617 -n
''pid$target::RTSPSession_CheckState:''
>   ID   PROVIDER            MODULE                          FUNCTION  
> NAME
> 437436    pid1617 QuickTimeStreaming             
> RTSPSession_CheckState entry
> #
>
>
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss at opensolaris.org