4

So I'm wanting to profile my app and I specifically want to record the time from program start of when each of the functions called inside the program (ingnoring functions in DLL's) are entered and exited ie I want a simple table which looks something like this: 

THREAD_ID FUNCTION_ADDRESS TIME EVENT_TYPE
5520      0xFF435360       0    ENTERED
5520      0xFF435ED3       25   ENTERED
5520      0xFF433550       40   ENTERED
5520      0xFF433550       50   EXITED
5520      0xFF433550       60   ENTERED
5520      0xFF433550       70   EXITED
5520      0xFF435ED3       82   EXITED
5520      0xFF435360       90   EXITED

For a program looking like this ignoring compiler optimisation:

void test1(void)
{
   int a = 0;
   ++a;
}

void test(void)
{
    test1();
    test1();
}

void main(void)
{
    test();
}

I couldn't find any off the shelf solution to this the nearest I could find was Microsofts VSPerfReport but it just outputs how long was spent in each function not when entered and exited.

So I started to looking into hooking all my functions with a simple function that produces a buffer which I can generate the above table from. In order to do this I was just thinking of creating a function that is called at the start of main that can go through the entire exe modify the CALL instructions to call into my hook function instead.

The libraries out there like MinHook etc all seem a little OTT for me and probably wouldn't work because its a x64 app and I'm not trying to hook DLL functions.

So I was thinking of just modifying the JMP instruction inside each of the CALL instructions ie this program: 

void main(void)
{
...asm prologue 
    test();
002375C9  call        test (235037h) 
}
...asm epilogue

The call here goes to a table of JMP's:

@ILT+40(__set_errno):
0023502D  jmp         _set_errno (243D80h)  
@ILT+45(___crtGetEnvironmentStringsA):
00235032  jmp         __crtGetEnvironmentStringsA (239B10h)  
test:
00235037  jmp         test (237170h)  
@ILT+55(_wcstoul):
0023503C  jmp         wcstoul (27C5D0h)  
@ILT+60(__vsnprintf_s_l):

I want to go through this table and re-route all the JMP's relating to functions in my application's .exe to my hook functions that contain the timing code and then return back to the calling function.

So what does ILT stand for I'm assuming something Lookup Table and how would I go about getting hold of it?

Is this possible I've heard of IAT hooking but that looks to me to be only when hooking DLL's. Also here I've ignored exiting although another JMP in place of the RET instruction might help there?

Thanks for any help

user176168
  • 1,294
  • 1
  • 20
  • 30
  • If you were using linux, the solution, apart from valgrind, would be to use LD_PRELOAD to load a shared object that hooks your functions. I don't know if this is possible in windows, you might want to check it out. It's going to be a lot easier than replacing ASM instructions. – mfontanini Jan 27 '13 at 18:24
  • Doing this is likely to distort the result, because a tour through the hooking code will disturb the instruction cache, making some of the functions run more slowly than they would otherwise. – Bo Persson Jan 27 '13 at 18:31
  • @Bo Its a good point and your right but this is just as much about trying to get a grip on overall code execution as it exact timings. Its a big program running into millions of lines of C++ and every frame there's something different spiking. – user176168 Jan 27 '13 at 19:45
  • There is the rule that most of your code will be blameless. So instead of instrumenting everything create a RAII instrumentor and do a manual binary search for where the problem is. `lg(n)` of a million lines of code is 30 iterations. What are the odds that 30 iterations is going to be slower than writing your jump table hack? – Yakk - Adam Nevraumont Jan 27 '13 at 19:59
  • *If* your overall goal happens to be finding out what you need to fix to make the code run faster, there's a [*much quicker and more effective way to do it.*](http://stackoverflow.com/a/378024/23771) – Mike Dunlavey Jan 27 '13 at 21:54
  • @Yakk & Mike: I'm well aware of profiling practices we use a myriad of profilers and debuggers for a variety of hardware components on our already very optimal code. This is about getting a different perspective, there are motives for doing this. – user176168 Jan 27 '13 at 23:30
  • @user176168: OK, that's what I was wondering. – Mike Dunlavey Jan 28 '13 at 01:32
  • @MikeDunlavey I named that "monte carlo profiling" when I used to do it. :) – Yakk - Adam Nevraumont Jan 28 '13 at 03:05
  • @Yakk: That's a good word. I've called it "deep sampling", because it trades number of samples for information per sample. – Mike Dunlavey Jan 28 '13 at 14:38
  • @Yakk & Mike: This isn't randomly trying to find a performance bug! How about the following scenario where you have a funciton that is performant in 100 calls but in 1 call (maybe the first) it spikes. Because its called so many times and does so much work the profiler of choice just doesn't show up the problem. Another scenario might be that you want to quickly distingish where in a hot function its spending its time ie between what functions it calls again this function may be randomly spiking inside. – user176168 Jan 28 '13 at 22:02

4 Answers4

2

Have you looked into Googles profiling tools? You might find it a little easier to modify instead of crafting your own. It does do code insertion to perform its profiling, so it minimum, their injection framework would be beneficial to you.

However, for something like this, you mostly want to avoid timing overhead, so I'd suggest tracking by address, then when the profiling is completed, transform the address to the symbol names. The hooking itself can also be an arduous task, I'd suggest crafting an all-in-one wrapper, that doesn't alter the function entries or exits, but rather redirects call sites.

So what does ILT stand for I'm assuming something Lookup Table and how would I go about getting hold of it?

Import Lookup Table, and its not going to be of much use if you plan on profiling internal functions as well. Getting hold of it requires spelunking the internals of your platforms module format (PE, ELF, MACH-O).

Necrolis
  • 25,836
  • 3
  • 63
  • 101
1

gcc has an option to generate calls to hooks for function entry and exit. You compile with -finstrument-functions and the compiler generates calls to __cyg_profile_func_enter and __cyg_profile_func_exit. You can read more in the gcc documentation http://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html. A good article with an example of how to use this is here http://www.ibm.com/developerworks/library/l-graphvis/.

amdn
  • 11,314
  • 33
  • 45
0

On Linux you can use gprof(1) to get that data. But please take what Bentley in his "Programming Pearls" says on performance. It's part II is a distillation of his "Writing Efficient Programs" (sadly out of print), a very detailed discussion of how (and, much more importantly, when) to optimize code.

vonbrand
  • 11,412
  • 8
  • 32
  • 52
  • If you are recommending *gprof* to your students, here are some [*notes about it*](http://stackoverflow.com/a/1779343/23771), and check Page 35 of [*this Bentley lecture*](http://dimacs.rutgers.edu/Workshops/EAA/slides/bentley.pdf). – Mike Dunlavey Jan 28 '13 at 01:47
  • I own the book and read it over a decade ago. Its good for its time but a little outdated. Introducing the wonders of hashing or binary searches isn't going to help all but the most junior of programmers. It does nothing to take into account modern CPU and GPU acrchitecture ie out of order execution, hardware prefetching, cache lines, multiple caches, SIMD, multiple processor cores etc. Parrallelism is mentioned once as a one liner in the appendix: 'A program should be structured to exploit as much of the parrallelism as possible in the underlying hardware'. I won't go on. – user176168 Jan 28 '13 at 22:32
  • It is as on-topic as ever. Sure, technology advanced (multiple cores, NUMA, GPU as processing workhorse, higher-level languages hide the gory details of sophisticated data structures, humongous memories), but the basics stay the same: Measure before digging in, try higher-level approaches (new data structure, a different software organization) before low-level hacks (use bit-twiddling instead of arithmetic operations), check that your impovement isn't done already by your compiler, consider the impact of your changes on maintainability carefully. Don't get me started on "senior programmers". – vonbrand Jan 28 '13 at 22:45
0
struct my_time_t;
my_time_t get_current_time(); // may be asm


struct timestamp;
struct timer_buffer {
  std::unique_ptr<timestamp[]> big_buffer;
  size_t buffer_size;
  size_t current_index;
  size_t written;
  buffer( size_t size ): big_buffer( new timestamp[size] ), buffer_size(size), current_index(0), written(0) {}
  void append( timestamp const& t ) {
    big_buffer[current_index] = t;
    ++current_index;
    ++written;
    current_index = current_index % buffer_size;
  }
};
struct timestamp {
  static timer_buffer* buff;
  timestamp const* loc;
  my_time_t time;
  const char* filename;
  size_t linenum;
  timestamp( my_time_t t, const char* f=nullptr, size_t l = 0 ):
    loc(this), time(t), f(filename), l(linenum)
  {
    go();
  }
  void go() {
    buff->append(*this);
  }
};
struct scoped_timestamp:timestamp {
  scoped_timestamp( my_time_t t, const char* f=nullptr, size_t l = 0 ):
    timestamp(t, f, l)
  {}
  ~scoped_timestamp() {
    go();
  }
};
#define TIMESTAMP_SCOPE( NAME ) scoped_timestamp NAME(get_current_time(), __FILE__, __LINE__);
#define TIMESTAMP_SPOT() do{timestamp _(get_current_time(), __FILE__, __LINE__);}while(false)

Create timestamp::buff somewhere. Make the buff big enough. Write a fast an efficient get_current_time().

Insert TIMESTAMP_SCOPE(_) at the start of functions you think you have problems with.

Insert TIMESTAMP_SPOT(); at between locations that you think will take time.

Add some post-processing of the timer_buffer before you shut down -- write it out to disk, or whatever. Keep an eye on if written > current_index, in which case you wrapped the buffer. Note that none of the above code contains any branches, so it should be relatively performance friendly (other than constantly moving the array owned by buff into the cache).

The loc exists so you can relatively easily find create/destroy pairs (as its binary value tracks the value of the stack!), so you can analyze the buffer after the fact for which function calls took too long. Throwing together a visualizer isn't all that hard, and I've seen something much like the above done for detecting ms level timing glitches and hiccups in video streaming driver code.

Start the analysis at current_index and work backwards, looking for pairs, until you hit 0 (or, if written != current_index, until you wrap around to current_index+1). It shouldn't be hard to recover a call graph (if you want).

Stripping out much of the above, and simply using unique tags for each timestamp, can reduce the size if your buffer, but make it a bit harder to reconstruct your call graph.

Yes, this isn't auto-instrumentation. But the part of your code that is behaving slowly is going to be a relatively small part of it. So start instrumenting with something like the above, and I'm guessing you'll get your answer faster than messing around with disassembling the binary output of your compiler and messing around with jump tables.

Yakk - Adam Nevraumont
  • 262,606
  • 27
  • 330
  • 524