intel Pin: analysis routine detects ah register instead of rsp (REG_STACK_PTR)

Question

I asked this question few days ago.

I wanted to get the stack allocation size (after the function creation). The answer suggests to do:

if((IN         


        

Answer 1

The INS objects are only valid inside instrumentation routines, such as your Instruction routine. The INS type is nothing but a 32-bit integer that identifies an instruction. The Pin runtime internally maintains a table that maps these 32-bit integers to specific static instructions. It creates such a table whenever it's about to call an instrumentation routine. When the instrumentation routine returns, there is no guarantee that any of these identifiers map to the same static instructions and they may not even be valid. So when you save a copy of an INS object in the following line of code:

insstack.insert(std::make_pair(INS_Address(ins), new Insr(string(INS_Disassemble(ins)),
    ins)));

that copy is only useful in the same instance of the Instruction routine. The next time the Instruction routine is called (or any other instrumentation routine), an instruction identifier might be reused for other instructions.

If you really want to pass an instruction to an analysis routine, you have two options:

• Copy the actual bytes of the instruction to a buffer and pass the address of the buffer and later decode it using the XED API.
• Pass the address of the instruction and later decode it using the XED API. This works if the instruction is guaranteed to be available at the same location later.