About instrumentation clients
Arm Instruction Emulator provides a set of instrumentation clients which can be used to analyze SVE binaries at runtime. The term 'instrumentation client' in this context refers to the way ArmIE uses DynamoRIO to work as an analysis tool as well as an emulator. ArmIE is invoked with an instrumentation client and the SVE binary to be emulated and analyzed. The client is simply a shared object file which uses the DynamoRIO API to capture and process desired runtime events.
This topic describes the basic structure of an instrumentation client, including the main events which occur during execution and what is typically done in each event.
To correctly modify the
libopcodes_emulated.so client, you must understand its existing implementation,
opcodes_emulated.cpp (download this file). The diagram below shows the key functions in
opcodes_emulated.cpp and how they relate to each other.
The easiest way to understand the client is to think of it as event-driven. Each function is called as a result of events which occur as the application is running:
- DynamoRIO loads and runs the client, calling
dr_client_main(), before beginning to execute the application.
dr_client_main(), the client registers a function which will be called just before the client stops running,
Registering such a function for an event is usually referred to as a 'callback function'.
dr_client_main(), the client registers a callback function as each block of code in the application is prepared before being executed.
event_basic_block(), the client registers a callback function which will be executed for each emulated instruction which appears in the application's code,
record_emulated_inst()function is the instrumentation which is the purpose of the client.
event_basic_block(), the client registers a callback function which will be executed for each native instruction which appears in the application's code,
opcount()function is the instrumentation which is the purpose of the client.
- The application stops running and DynamoRIO calls
This is a simplified explanation to describe how a client operates. For more detailed information, read the
opcodes_emulated.cpp file (download
opcodes_emulated.cpp here) and refer to details of key functions in the DynamoRIO functions reference manual, especially:
dr_insert_clean_call()which implements the instrumentation you want.
drmgr_register_bb_app2app_event()which defines where the instrumentation should be inserted.
Code Transformation and Code Execution
If you are new to the DynamoRIO dynamic binary instrumentation tool platform (DBI) in general and DynamoRIO in particular, ensure you understand the method by which instrumentation is added to application code.
Remember that instrumentation occurs in two phases, transformation and execution:
- Transformation - Instrumentation code is inserted into the application code.
- Execution - The application code runs, including the instrumentation code which was inserted during transformation.
DynamoRIO performs transformation and execution transparently, provided that you conform to the rules of its API.
In the example above,
event_basic_block() is the transformation phase. Calls to
record_emulated_inst() will be inserted for each instruction but will not be called at transformation time. If or when a particular block of code is run at execution time, those functions will be called, to increment and store the instruction and count.
This is a subtle distinction for new users. The best way to think of the difference is to recognize that
will be called once when a block of application code is transformed but the function it registered may be called many times when the block is executed.
- Building Custom Analysis Instrumentation
- Analyzing SVE programs
- Emulation Functions Reference
- Arm Instruction Emulator