From: Scott P. <pa...@la...> - 2010-09-17 01:59:48
How can my instrumentation code reliably detect function calls?
I had thought I could look for an Ijk_Call JumpKind in either an
Ist_Exit statement or in the IRSB's jumpkind, but those don't seem to
catch everything. The particular code I want to catch is the
following (amd64-linux):
0x4004CD: call 0x4004DC
------ IMark(0x4004CD, 5) ------
PUT(168) = 0x4004CD:I64
t2 = Sub64(GET:I64(32),0x8:I64)
PUT(32) = t2
STle(t2) = 0x4004D2:I64
t3 = 0x4004DC:I64
====== AbiHint(Sub64(t2,0x80:I64), 128, t3) ======
0x4004DC: pushq %rbp
------ IMark(0x4004DC, 1) ------
PUT(168) = 0x4004DC:I64
t4 = GET:I64(40)
t5 = Sub64(GET:I64(32),0x8:I64)
PUT(32) = t5
STle(t5) = t4
I, for one, don't see anything in the call statement's IR that
indicates that control is being transferred as the result of a
function call.
Thanks,
-- Scott
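The dump above shows why the Ijk_Call check misses this site: the callee at 0x4004DC has been placed in the same superblock right after the call, so there is no Ist_Exit and the IRSB's own jumpkind is not Ijk_Call; the only trace of the call is the AbiHint that VEX emits after the return address is stored. The following parser, added here as an example and not code from the post or from Valgrind, scans the pretty-printed IR for both kinds of evidence: an explicit `exit-Call` (which is how ppIRStmt/ppIRSB print an Ijk_Call exit, an assumption about the print format) and an AbiHint whose `nia` argument resolves to a constant assigned just before it. The second IRSB text is constructed to show the explicit case the post expected to see.

```python
import re

# Constructed from the IR dump quoted in the post above (amd64-linux):
# the callee's first instruction follows the call in the same superblock.
INLINED_CALL_IRSB = """\
0x4004CD: call 0x4004DC
------ IMark(0x4004CD, 5) ------
PUT(168) = 0x4004CD:I64
t2 = Sub64(GET:I64(32),0x8:I64)
PUT(32) = t2
STle(t2) = 0x4004D2:I64
t3 = 0x4004DC:I64
====== AbiHint(Sub64(t2,0x80:I64), 128, t3) ======
0x4004DC: pushq %rbp
------ IMark(0x4004DC, 1) ------
PUT(168) = 0x4004DC:I64
t4 = GET:I64(40)
t5 = Sub64(GET:I64(32),0x8:I64)
PUT(32) = t5
STle(t5) = t4
"""

# Constructed: a superblock that ends with an explicit Ijk_Call on its final
# jump (assumed to pretty-print as "exit-Call"), i.e. the case the post looked for.
EXPLICIT_CALL_IRSB = """\
------ IMark(0x400500, 5) ------
PUT(168) = 0x400500:I64
t1 = Sub64(GET:I64(32),0x8:I64)
PUT(32) = t1
STle(t1) = 0x400505:I64
t2 = 0x400600:I64
====== AbiHint(Sub64(t1,0x80:I64), 128, t2) ======
PUT(168) = t2; exit-Call
"""

IMARK_RE = re.compile(r"^-+ IMark\((0x[0-9A-Fa-f]+), (\d+)\) -+$")
TMP_CONST_RE = re.compile(r"^(t\d+) = (0x[0-9A-Fa-f]+):I64$")
ABIHINT_RE = re.compile(r"^=+ AbiHint\((.+), (\d+), (\w+)\) =+$")
CONST_RE = re.compile(r"^0x[0-9A-Fa-f]+$")
EXIT_CALL_RE = re.compile(r"\bexit-Call\b")


def _resolve(operand, consts):
    """Turn an AbiHint 'nia' operand (tN or 0x..:I64) into an int if known."""
    operand = operand.split(":")[0]
    if CONST_RE.match(operand):
        return int(operand, 16)
    return consts.get(operand)


def find_calls(irsb_text):
    """Return one record per guest instruction that looks like a call.

    kind == "explicit": an Ijk_Call exit was printed for this instruction.
    kind == "inlined":  only an AbiHint marks it; the callee was chased into
                        the same IRSB, so no Ijk_Call exists to hook.
    """
    records = {}        # insn address -> record
    order = []          # keep instruction order for output
    cur = None          # address of the IMark currently being scanned
    consts = {}         # tN -> constant, for resolving AbiHint targets
    for raw in irsb_text.splitlines():
        line = raw.strip()
        m = IMARK_RE.match(line)
        if m:
            cur = int(m.group(1), 16)
            consts = {}   # temporaries are only tracked within one IMark here
            continue
        m = TMP_CONST_RE.match(line)
        if m:
            consts[m.group(1)] = int(m.group(2), 16)
            continue
        m = ABIHINT_RE.match(line)
        if m and cur is not None:
            rec = records.setdefault(cur, {"insn": cur, "kind": "inlined",
                                           "target": None, "redzone": None})
            if cur not in order:
                order.append(cur)
            rec["target"] = _resolve(m.group(3), consts)
            rec["redzone"] = int(m.group(2))
            continue
        if EXIT_CALL_RE.search(line) and cur is not None:
            rec = records.setdefault(cur, {"insn": cur, "kind": "inlined",
                                           "target": None, "redzone": None})
            if cur not in order:
                order.append(cur)
            rec["kind"] = "explicit"
            # The final jump names its destination in "PUT(off) = <dst>;"
            dst = re.search(r"= (\S+);", line)
            if dst and rec["target"] is None:
                rec["target"] = _resolve(dst.group(1), consts)
    return [records[a] for a in order]


if __name__ == "__main__":
    for name, text in (("inlined", INLINED_CALL_IRSB),
                       ("explicit", EXPLICIT_CALL_IRSB)):
        for rec in find_calls(text):
            print(f"{name}: insn=0x{rec['insn']:X} kind={rec['kind']} "
                  f"target=0x{rec['target']:X} redzone={rec['redzone']}")
```

Run on the post's own dump this reports a single call at 0x4004CD with target 0x4004DC and kind "inlined", and nothing for the `pushq` at 0x4004DC; the constructed second block reports kind "explicit". The practical point for instrumentation: a tool that only hooks Ijk_Call will miss every call whose callee was chased into the same superblock, so a defender-side tracer should treat the AbiHint (or, equivalently in the real IR, an Ist_AbiHint statement whose `nia` is the call target) as a call marker as well.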