|
From: Emilio C. <er...@gm...> - 2011-08-24 21:52:45
|
Hi Josef, thanks for your reply :) Can you show us an example of the differences you get? > My output <http://pastebin.com/6k0g2i9f> and callgrind output.<http://pastebin.com/XXbzP56Q>See the difference it's a little bit caotic, sorry. For example (line numbers on the left), callgrind says: > . > strlen(0x40183b6, 0xbe918faa, ...) [ld-2.13.so / 0x16c20] > > . > calloc(0x2e9, 0x1, ...) [ld-2.13.so / 0x14dd0] > > . > 0x000174ab(0xbe918194, 0x401cff4, ...) [ld-2.13.so / 0x174ab] > > . .> malloc(0x2e9, 0x401cff4, ...) [ld-2.13.so / 0x14da0] > > . . > 0x000174ab(0x401cff4, 0xbe918158, ...) [ld-2.13.so / 0x174ab] > > . . > __libc_memalign(0x8, 0x2e9, ...) [ld-2.13.so / 0x14c90] > > . . > 0x000174ab(0x0, 0x0, ...) [ld-2.13.so / 0x174ab] > > . > memcpy(0x401dc00, 0x40183b6, ...) [ld-2.13.so / 0x17330] My code says (number inside [] is my simulated stack depth ): > [5] Entered strlen() > [5] Exit strlen() > [4] Inside _dl_new_object > Valgrind does not know where we are: 0x40007E4 > [5] Entered calloc() > Valgrind does not know where we are: 0x40174AB > Valgrind does not know where we are: 0x40007D4 > [6] Entered malloc() > Valgrind does not know where we are: 0x40174AB > Valgrind does not know where we are: 0x40007C4 > [7] Entered __libc_memalign() > Valgrind does not know where we are: 0x40174AB > [7] Exit __libc_memalign() > [6] Inside malloc > [6] Exit malloc() > [5] Inside calloc > [5] Exit calloc() > [4] Inside _dl_new_object > [5] Entered memcpy() > [5] Exit memcpy() As you can see with my code strlen() return immediately, with callgrind not. There are a lot of other difference if you see the two files. Callgrind not only assumes a call if VG_(get_fnname_if_entry) is true, but > also, > if VEX returns jump kind "Call" for the last BB. Why this? I mean if the last BB do a jump type Ijk_Call, why does it not jump to first instruction of a BB (of another function)? I expect this if it's a "call". Sorry if it's a stupid question. Can I do this: during instrumentation, if jmpkind of the BB is Ijk_Call invoke an helper function that simulate the call ? - tail recursions (jumping to the beginning of a function) > Ok, I am seeing your code ( setup_bbcc() ), you do a lot of things: - if last BB has a jmpkind == IjkRet and SP is smaller or equal (if is a return we expect a bigger SP) to the one on top of the stack, you set ret_without_call = True - you simulate a call if: ret_without_call is true OR current BB is the first BB of a function OR (last_bb->sect_kind != bb->sect_kind) || (last_bb->obj->number != bb->obj->number) Am I correct? > - multithreaded code (you need a shadow stack for every thread) > Yes of course. > - signal handlers (you will see arbitrary function calls when a signal > handler > calls a function) > How callgrind manage this? > However, this does not work nicely with RISC architectures (PPC/ARM), as a > call or > a return does not need to change the SP there. Instead, the return address > is stored > and restored from a specific register ("link register") using regular > branch instructions. > Callgrind does not do this right at the moment, too. Ok. Emilio. |