% PT_INSN_NEXT(3)
pt_insn_next, pt_insn - iterate over traced instructions
#include <intel-pt.h> |
|---|
| struct pt_insn; |
| int pt_insn_next(struct pt_insn_decoder *decoder, |
| struct pt_insn *insn, size_t size); |
Link with -lipt.
pt_insn_next() provides the next instruction in execution order, which is described by the pt_insn structure.
The size argument must be set to sizeof(struct pt_insn). The function will provide at most size bytes of the pt_insn structure. A newer decoder library may truncate an extended pt_insn object to size bytes.
An older decoder library may provide less pt_insn fields. Fields that are not provided will be zero-initialized. For fields where zero is a valid value (e.g. for bit-fields), check the decoder library version to determine which fields are valid. See pt_library_version(3).
On success, the next instruction is provided in the pt_insn object pointed to by the insn argument. The pt_insn structure is declared as:
/** A single traced instruction. */ struct pt_insn { /** The virtual address in its process. */ uint64_t ip; /** A coarse classification. */ enum pt_insn_class iclass; /** The execution mode. */ enum pt_exec_mode mode; /** The raw bytes. */ uint8_t raw[pt_max_insn_size]; /** The size in bytes. */ uint8_t size; /** A collection of flags giving additional information: * * - the instruction was executed speculatively. */ uint32_t speculative:1; /** - speculative execution was aborted after this * instruction. */ uint32_t aborted:1; /** - speculative execution was committed after this * instruction. */ uint32_t committed:1; /** - tracing was disabled after this instruction. */ uint32_t disabled:1; /** - tracing was enabled at this instruction. */ uint32_t enabled:1; /** - tracing was resumed at this instruction. * * In addition to tracing being enabled, it continues * from the IP at which tracing had been disabled before. */ uint32_t resumed:1; /** - normal execution flow was interrupted after this * instruction. */ uint32_t interrupted:1; /** - tracing resumed at this instruction after an * overflow. */ uint32_t resynced:1; /** - tracing was stopped after this instruction. */ uint32_t stopped:1; /** - this instruction is truncated in its image section. * * It starts in the image section identified by \@isid and continues * in one or more other sections. */ uint32_t truncated:1; /** The image section identifier for the section containing this * instruction. * * A value of zero means that the section did not have an identifier. * The section was not added via an image section cache or the memory * was read via the read memory callback. */ int isid; };
The fields of the pt_insn structure are described in more detail below:
/** The instruction class. * * We provide only a very coarse classification suitable for * reconstructing the execution flow. */ enum pt_insn_class { /* The instruction could not be classified. */ ptic_error, /* The instruction is something not listed below. */ ptic_other, /* The instruction is a near (function) call. */ ptic_call, /* The instruction is a near (function) return. */ ptic_return, /* The instruction is a near unconditional jump. */ ptic_jump, /* The instruction is a near conditional jump. */ ptic_cond_jump, /* The instruction is a call-like far transfer. * E.g. SYSCALL, SYSENTER, or FAR CALL. */ ptic_far_call, /* The instruction is a return-like far transfer. * E.g. SYSRET, SYSEXIT, IRET, or FAR RET. */ ptic_far_return, /* The instruction is a jump-like far transfer. * E.g. FAR JMP. */ ptic_far_jump };
/** An execution mode. */ enum pt_exec_mode { ptem_unknown, ptem_16bit, ptem_32bit, ptem_64bit };
A flag saying whether tracing was resumed at this instruction. If set, tracing was previously disabled at this instruction's IP before executing this instruction and was then enabled at this instruction.
A typical example would be a system call or interrupt when tracing only user space. Tracing is disabled due to the context switch and is then resumed from the next instruction after returning to user space.
A flag saying whether normal execution flow was interrupted after this instruction. If set, the normal execution flow was interrupted.
The next instruction, which is provided by another call to pt_insn_next(), is the next instruction that retired after the interrupt. This is not necessarily the interrupt's destination.
The image section identifier of the section from which the instruction originated. This will be zero unless the instruction came from a section that was added via an image section cache. See pt_image_add_cached(3).
The image section identifier can be used to trace an instruction back to its binary file and from there to source code.
pt_insn_next() returns zero or a positive value on success or a negative pt_error_code enumeration constant in case of an error.
On success, a bit-vector of pt_status_flag enumeration constants is returned. The pt_status_flag enumeration is declared as:
/** Decoder status flags. */ enum pt_status_flag { /** There is an event pending. */ pts_event_pending = 1 << 0, /** The address has been suppressed. */ pts_ip_suppressed = 1 << 1, /** There is no more trace data available. */ pts_eos = 1 << 2 };
The pt_eos flag indicates that the information contained in the Intel PT stream has been consumed. Further calls to pt_insn_next() will continue to provide instructions as long as the instruction's address can be determined without further trace.
Execution flow reconstruction and trace got out of sync.
This typically means that, on its way to the virtual address of the next event, the decoder encountered a conditional or indirect branch for which it did not find guidance in the trace.
pt_insn_alloc_decoder(3), pt_insn_free_decoder(3), pt_insn_sync_forward(3), pt_insn_sync_backward(3), pt_insn_sync_set(3), pt_insn_time(3), pt_insn_core_bus_ratio(3)