/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */


#include <sys/errno.h>
#include <sys/stat.h>
#include <sys/modctl.h>
#include <sys/conf.h>
#include <sys/systm.h>
#include <sys/ddi.h>
#include <sys/sunddi.h>
#include <sys/cpuvar.h>
#include <sys/kmem.h>
#include <sys/strsubr.h>
#include <sys/dtrace.h>
#include <sys/kobj.h>
#include <sys/modctl.h>
#include <sys/atomic.h>
#include <vm/seg_kmem.h>
#include <sys/stack.h>
#include <sys/ctf_api.h>
#include <sys/sysmacros.h>

static dev_info_t		*fbt_devi;
static dtrace_provider_id_t	fbt_id;
static uintptr_t		fbt_trampoline;
static caddr_t			fbt_trampoline_window;
static size_t			fbt_trampoline_size;
static int			fbt_verbose = 0;

/*
 * Various interesting bean counters.
 */
static int			fbt_entry;
static int			fbt_ret;
static int			fbt_retl;
static int			fbt_retl_jmptab;
static int			fbt_retl_twoinstr;
static int			fbt_retl_tailcall;
static int			fbt_retl_tailjmpl;
static int			fbt_leaf_functions;

extern char			stubs_base[];
extern char			stubs_end[];

#define	FBT_REG_G0		0
#define	FBT_REG_G1		1
#define	FBT_REG_O0		8
#define	FBT_REG_O1		9
#define	FBT_REG_O2		10
#define	FBT_REG_O3		11
#define	FBT_REG_O4		12
#define	FBT_REG_O5		13
#define	FBT_REG_O6		14
#define	FBT_REG_O7		15
#define	FBT_REG_I0		24
#define	FBT_REG_I1		25
#define	FBT_REG_I2		26
#define	FBT_REG_I3		27
#define	FBT_REG_I4		28
#define	FBT_REG_I7		31
#define	FBT_REG_L0		16
#define	FBT_REG_L1		17
#define	FBT_REG_L2		18
#define	FBT_REG_L3		19
#define	FBT_REG_PC		5

#define	FBT_REG_ISGLOBAL(r)	((r) < 8)
#define	FBT_REG_ISOUTPUT(r)	((r) >= 8 && (r) < 16)
#define	FBT_REG_ISLOCAL(r)	((r) >= 16 && (r) < 24)
#define	FBT_REG_ISVOLATILE(r)	\
	((FBT_REG_ISGLOBAL(r) || FBT_REG_ISOUTPUT(r)) && (r) != FBT_REG_G0)
#define	FBT_REG_NLOCALS		8

#define	FBT_REG_MARKLOCAL(locals, r)	\
	if (FBT_REG_ISLOCAL(r)) \
		(locals)[(r) - FBT_REG_L0] = 1;

#define	FBT_REG_INITLOCALS(local, locals)	\
	for ((local) = 0; (local) < FBT_REG_NLOCALS; (local)++)  \
		(locals)[(local)] = 0; \
	(local) = FBT_REG_L0

#define	FBT_REG_ALLOCLOCAL(local, locals)	\
	while ((locals)[(local) - FBT_REG_L0]) \
		(local)++; \
	(locals)[(local) - FBT_REG_L0] = 1;

#define	FBT_OP_MASK		0xc0000000
#define	FBT_OP_SHIFT		30
#define	FBT_OP(val)		((val) & FBT_FMT1_MASK)

#define	FBT_SIMM13_MASK		0x1fff
#define	FBT_SIMM13_MAX		((int32_t)0xfff)
#define	FBT_IMM22_MASK		0x3fffff
#define	FBT_IMM22_SHIFT		10
#define	FBT_IMM10_MASK		0x3ff

#define	FBT_DISP30_MASK		0x3fffffff
#define	FBT_DISP30(from, to)	\
	(((uintptr_t)(to) - (uintptr_t)(from) >> 2) & FBT_DISP30_MASK)

#define	FBT_DISP22_MASK		0x3fffff
#define	FBT_DISP22(from, to)	\
	(((uintptr_t)(to) - (uintptr_t)(from) >> 2) & FBT_DISP22_MASK)

#define	FBT_DISP19_MASK		0x7ffff
#define	FBT_DISP19(from, to)	\
	(((uintptr_t)(to) - (uintptr_t)(from) >> 2) & FBT_DISP19_MASK)

#define	FBT_DISP16_HISHIFT	20
#define	FBT_DISP16_HIMASK	(0x3 << FBT_DISP16_HISHIFT)
#define	FBT_DISP16_LOMASK	(0x3fff)
#define	FBT_DISP16_MASK		(FBT_DISP16_HIMASK | FBT_DISP16_LOMASK)
#define	FBT_DISP16(val)	\
	((((val) & FBT_DISP16_HIMASK) >> 6) | ((val) & FBT_DISP16_LOMASK))

#define	FBT_DISP14_MASK		0x3fff
#define	FBT_DISP14(from, to)	\
	(((uintptr_t)(to) - (uintptr_t)(from) >> 2) & FBT_DISP14_MASK)

#define	FBT_OP0			(((uint32_t)0) << FBT_OP_SHIFT)
#define	FBT_OP1			(((uint32_t)1) << FBT_OP_SHIFT)
#define	FBT_OP2			(((uint32_t)2) << FBT_OP_SHIFT)
#define	FBT_ILLTRAP		0

#define	FBT_ANNUL_SHIFT		29
#define	FBT_ANNUL		(1 << FBT_ANNUL_SHIFT)

#define	FBT_FMT3_OP3_SHIFT	19
#define	FBT_FMT3_OP_MASK	0xc1f80000
#define	FBT_FMT3_OP(val)	((val) & FBT_FMT3_OP_MASK)

#define	FBT_FMT3_RD_SHIFT	25
#define	FBT_FMT3_RD_MASK	(0x1f << FBT_FMT3_RD_SHIFT)
#define	FBT_FMT3_RD(val)	\
	(((val) & FBT_FMT3_RD_MASK) >> FBT_FMT3_RD_SHIFT)

#define	FBT_FMT3_RS1_SHIFT	14
#define	FBT_FMT3_RS1_MASK	(0x1f << FBT_FMT3_RS1_SHIFT)
#define	FBT_FMT3_RS1(val)	\
	(((val) & FBT_FMT3_RS1_MASK) >> FBT_FMT3_RS1_SHIFT)
#define	FBT_FMT3_RS1_SET(val, rs1) \
	(val) = ((val) & ~FBT_FMT3_RS1_MASK) | ((rs1) << FBT_FMT3_RS1_SHIFT)

#define	FBT_FMT3_RS2_SHIFT	0
#define	FBT_FMT3_RS2_MASK	(0x1f << FBT_FMT3_RS2_SHIFT)
#define	FBT_FMT3_RS2(val)	\
	(((val) & FBT_FMT3_RS2_MASK) >> FBT_FMT3_RS2_SHIFT)
#define	FBT_FMT3_RS2_SET(val, rs2) \
	(val) = ((val) & ~FBT_FMT3_RS2_MASK) | ((rs2) << FBT_FMT3_RS2_SHIFT)

#define	FBT_FMT3_IMM_SHIFT	13
#define	FBT_FMT3_IMM		(1 << FBT_FMT3_IMM_SHIFT)
#define	FBT_FMT3_SIMM13_MASK	FBT_SIMM13_MASK

#define	FBT_FMT3_ISIMM(val)	((val) & FBT_FMT3_IMM)
#define	FBT_FMT3_SIMM13(val)	((val) & FBT_FMT3_SIMM13_MASK)

#define	FBT_FMT2_OP2_SHIFT	22
#define	FBT_FMT2_OP2_MASK	(0x7 << FBT_FMT2_OP2_SHIFT)
#define	FBT_FMT2_RD_SHIFT	25

#define	FBT_FMT1_OP(val)	((val) & FBT_OP_MASK)
#define	FBT_FMT1_DISP30(val)	((val) & FBT_DISP30_MASK)

#define	FBT_FMT2_OP2_BPCC	(0x01 << FBT_FMT2_OP2_SHIFT)
#define	FBT_FMT2_OP2_BCC	(0x02 << FBT_FMT2_OP2_SHIFT)
#define	FBT_FMT2_OP2_BPR	(0x03 << FBT_FMT2_OP2_SHIFT)
#define	FBT_FMT2_OP2_SETHI	(0x04 << FBT_FMT2_OP2_SHIFT)

#define	FBT_FMT2_COND_SHIFT	25
#define	FBT_FMT2_COND_BA	(0x8 << FBT_FMT2_COND_SHIFT)
#define	FBT_FMT2_COND_BL	(0x3 << FBT_FMT2_COND_SHIFT)
#define	FBT_FMT2_COND_BGE	(0xb << FBT_FMT2_COND_SHIFT)

#define	FBT_OP_RESTORE		(FBT_OP2 | (0x3d << FBT_FMT3_OP3_SHIFT))
#define	FBT_OP_SAVE		(FBT_OP2 | (0x3c << FBT_FMT3_OP3_SHIFT))
#define	FBT_OP_JMPL		(FBT_OP2 | (0x38 << FBT_FMT3_OP3_SHIFT))
#define	FBT_OP_RETURN		(FBT_OP2 | (0x39 << FBT_FMT3_OP3_SHIFT))
#define	FBT_OP_CALL		FBT_OP1
#define	FBT_OP_SETHI		(FBT_OP0 | FBT_FMT2_OP2_SETHI)
#define	FBT_OP_ADD		(FBT_OP2 | (0x00 << FBT_FMT3_OP3_SHIFT))
#define	FBT_OP_OR		(FBT_OP2 | (0x02 << FBT_FMT3_OP3_SHIFT))
#define	FBT_OP_SUB		(FBT_OP2 | (0x04 << FBT_FMT3_OP3_SHIFT))
#define	FBT_OP_CC		(FBT_OP2 | (0x10 << FBT_FMT3_OP3_SHIFT))
#define	FBT_OP_BA		(FBT_OP0 | FBT_FMT2_OP2_BCC | FBT_FMT2_COND_BA)
#define	FBT_OP_BL		(FBT_OP0 | FBT_FMT2_OP2_BCC | FBT_FMT2_COND_BL)
#define	FBT_OP_BGE		(FBT_OP0 | FBT_FMT2_OP2_BCC | FBT_FMT2_COND_BGE)
#define	FBT_OP_BAPCC		(FBT_OP0 | FBT_FMT2_OP2_BPCC | FBT_FMT2_COND_BA)
#define	FBT_OP_RD		(FBT_OP2 | (0x28 << FBT_FMT3_OP3_SHIFT))

#define	FBT_ORLO(rs, val, rd) \
	(FBT_OP_OR | ((rs) << FBT_FMT3_RS1_SHIFT) | \
	((rd) << FBT_FMT3_RD_SHIFT) | FBT_FMT3_IMM | ((val) & FBT_IMM10_MASK))

#define	FBT_ORSIMM13(rs, val, rd) \
	(FBT_OP_OR | ((rs) << FBT_FMT3_RS1_SHIFT) | \
	((rd) << FBT_FMT3_RD_SHIFT) | FBT_FMT3_IMM | ((val) & FBT_SIMM13_MASK))

#define	FBT_ADDSIMM13(rs, val, rd) \
	(FBT_OP_ADD | ((rs) << FBT_FMT3_RS1_SHIFT) | \
	((rd) << FBT_FMT3_RD_SHIFT) | FBT_FMT3_IMM | ((val) & FBT_SIMM13_MASK))

#define	FBT_ADD(rs1, rs2, rd) \
	(FBT_OP_ADD | ((rs1) << FBT_FMT3_RS1_SHIFT) | \
	((rs2) << FBT_FMT3_RS2_SHIFT) | ((rd) << FBT_FMT3_RD_SHIFT))

#define	FBT_CMP(rs1, rs2) \
	(FBT_OP_SUB | FBT_OP_CC | ((rs1) << FBT_FMT3_RS1_SHIFT) | \
	((rs2) << FBT_FMT3_RS2_SHIFT) | (FBT_REG_G0 << FBT_FMT3_RD_SHIFT))

#define	FBT_MOV(rs, rd) \
	(FBT_OP_OR | (FBT_REG_G0 << FBT_FMT3_RS1_SHIFT) | \
	((rs) << FBT_FMT3_RS2_SHIFT) | ((rd) << FBT_FMT3_RD_SHIFT))

#define	FBT_SETHI(val, reg)	\
	(FBT_OP_SETHI | (reg << FBT_FMT2_RD_SHIFT) | \
	((val >> FBT_IMM22_SHIFT) & FBT_IMM22_MASK))

#define	FBT_CALL(orig, dest)	(FBT_OP_CALL | FBT_DISP30(orig, dest))

#define	FBT_RET \
	(FBT_OP_JMPL | (FBT_REG_I7 << FBT_FMT3_RS1_SHIFT) | \
	(FBT_REG_G0 << FBT_FMT3_RD_SHIFT) | FBT_FMT3_IMM | (sizeof (pc_t) << 1))

#define	FBT_SAVEIMM(rd, val, rs1)	\
	(FBT_OP_SAVE | ((rs1) << FBT_FMT3_RS1_SHIFT) | \
	((rd) << FBT_FMT3_RD_SHIFT) | FBT_FMT3_IMM | ((val) & FBT_SIMM13_MASK))

#define	FBT_RESTORE(rd, rs1, rs2)	\
	(FBT_OP_RESTORE | ((rs1) << FBT_FMT3_RS1_SHIFT) | \
	((rd) << FBT_FMT3_RD_SHIFT) | ((rs2) << FBT_FMT3_RS2_SHIFT))

#define	FBT_RETURN(rs1, val)		\
	(FBT_OP_RETURN | ((rs1) << FBT_FMT3_RS1_SHIFT) | \
	FBT_FMT3_IMM | ((val) & FBT_SIMM13_MASK))

#define	FBT_BA(orig, dest)	(FBT_OP_BA | FBT_DISP22(orig, dest))
#define	FBT_BAA(orig, dest)	(FBT_BA(orig, dest) | FBT_ANNUL)
#define	FBT_BL(orig, dest)	(FBT_OP_BL | FBT_DISP22(orig, dest))
#define	FBT_BGE(orig, dest)	(FBT_OP_BGE | FBT_DISP22(orig, dest))
#define	FBT_BDEST(va, instr)	((uintptr_t)(va) + \
	(((int32_t)(((instr) & FBT_DISP22_MASK) << 10)) >> 8))
#define	FBT_BPCCDEST(va, instr)	((uintptr_t)(va) + \
	(((int32_t)(((instr) & FBT_DISP19_MASK) << 13)) >> 11))
#define	FBT_BPRDEST(va, instr)	((uintptr_t)(va) + \
	(((int32_t)((FBT_DISP16(instr)) << 16)) >> 14))

/*
 * We're only going to treat a save as safe if (a) both rs1 and rd are
 * %sp and (b) if the instruction has a simm, the value isn't 0.
 */
#define	FBT_IS_SAVE(instr)	\
	(FBT_FMT3_OP(instr) == FBT_OP_SAVE && \
	FBT_FMT3_RD(instr) == FBT_REG_O6 && \
	FBT_FMT3_RS1(instr) == FBT_REG_O6 && \
	!(FBT_FMT3_ISIMM(instr) && FBT_FMT3_SIMM13(instr) == 0))

#define	FBT_IS_BA(instr)	(((instr) & ~FBT_DISP22_MASK) == FBT_OP_BA)
#define	FBT_IS_BAPCC(instr)	(((instr) & ~FBT_DISP22_MASK) == FBT_OP_BAPCC)

#define	FBT_IS_RDPC(instr)	((FBT_FMT3_OP(instr) == FBT_OP_RD) && \
	(FBT_FMT3_RD(instr) == FBT_REG_PC))

#define	FBT_IS_PCRELATIVE(instr)	\
	((((instr) & FBT_OP_MASK) == FBT_OP0 && \
	((instr) & FBT_FMT2_OP2_MASK) != FBT_FMT2_OP2_SETHI) || \
	((instr) & FBT_OP_MASK) == FBT_OP1 || \
	FBT_IS_RDPC(instr))

#define	FBT_IS_CTI(instr)	\
	((((instr) & FBT_OP_MASK) == FBT_OP0 && \
	((instr) & FBT_FMT2_OP2_MASK) != FBT_FMT2_OP2_SETHI) || \
	((instr) & FBT_OP_MASK) == FBT_OP1 || \
	(FBT_FMT3_OP(instr) == FBT_OP_JMPL) || \
	(FBT_FMT3_OP(instr) == FBT_OP_RETURN))

#define	FBT_PROBENAME_ENTRY	"entry"
#define	FBT_PROBENAME_RETURN	"return"
#define	FBT_ESTIMATE_ID		(UINT32_MAX)
#define	FBT_COUNTER(id, count)	if ((id) != FBT_ESTIMATE_ID) (count)++

#define	FBT_ENTENT_MAXSIZE	(16 * sizeof (uint32_t))
#define	FBT_RETENT_MAXSIZE	(11 * sizeof (uint32_t))
#define	FBT_RETLENT_MAXSIZE	(23 * sizeof (uint32_t))
#define	FBT_ENT_MAXSIZE		\
	MAX(MAX(FBT_ENTENT_MAXSIZE, FBT_RETENT_MAXSIZE), FBT_RETLENT_MAXSIZE)

typedef struct fbt_probe {
	char		*fbtp_name;
	dtrace_id_t	fbtp_id;
	uintptr_t	fbtp_addr;
	struct modctl	*fbtp_ctl;
	int		fbtp_loadcnt;
	int		fbtp_symndx;
	int		fbtp_primary;
	int		fbtp_return;
	uint32_t	*fbtp_patchpoint;
	uint32_t	fbtp_patchval;
	uint32_t	fbtp_savedval;
	struct fbt_probe *fbtp_next;
} fbt_probe_t;

typedef struct fbt_trampoline {
	uintptr_t	fbtt_va;
	uintptr_t	fbtt_limit;
	uintptr_t	fbtt_next;
} fbt_trampoline_t;

static caddr_t
fbt_trampoline_map(uintptr_t tramp, size_t size)
{
	uintptr_t offs;
	page_t **ppl;

	ASSERT(fbt_trampoline_window == NULL);
	ASSERT(fbt_trampoline_size == 0);
	ASSERT(fbt_trampoline == NULL);

	size += tramp & PAGEOFFSET;
	fbt_trampoline = tramp & PAGEMASK;
	fbt_trampoline_size = (size + PAGESIZE - 1) & PAGEMASK;
	fbt_trampoline_window =
	    vmem_alloc(heap_arena, fbt_trampoline_size, VM_SLEEP);

	(void) as_pagelock(&kas, &ppl, (caddr_t)fbt_trampoline,
	    fbt_trampoline_size, S_WRITE);

	for (offs = 0; offs < fbt_trampoline_size; offs += PAGESIZE) {
		hat_devload(kas.a_hat, fbt_trampoline_window + offs, PAGESIZE,
		    hat_getpfnum(kas.a_hat, (caddr_t)fbt_trampoline + offs),
		    PROT_READ | PROT_WRITE,
		    HAT_LOAD_LOCK | HAT_LOAD_NOCONSIST);
	}

	as_pageunlock(&kas, ppl, (caddr_t)fbt_trampoline, fbt_trampoline_size,
	    S_WRITE);

	return (fbt_trampoline_window + (tramp & PAGEOFFSET));
}

static void
fbt_trampoline_unmap()
{
	ASSERT(fbt_trampoline_window != NULL);
	ASSERT(fbt_trampoline_size != 0);
	ASSERT(fbt_trampoline != NULL);

	membar_enter();
	sync_icache((caddr_t)fbt_trampoline, fbt_trampoline_size);
	sync_icache(fbt_trampoline_window, fbt_trampoline_size);

	hat_unload(kas.a_hat, fbt_trampoline_window, fbt_trampoline_size,
	    HAT_UNLOAD_UNLOCK);

	vmem_free(heap_arena, fbt_trampoline_window, fbt_trampoline_size);

	fbt_trampoline_window = NULL;
	fbt_trampoline = NULL;
	fbt_trampoline_size = 0;
}

static uintptr_t
fbt_patch_entry(uint32_t *instr, uint32_t id, fbt_trampoline_t *tramp,
    int nargs)
{
	uint32_t *tinstr = (uint32_t *)tramp->fbtt_next;
	uint32_t first = *instr;
	uintptr_t va = tramp->fbtt_va;
	uintptr_t base = tramp->fbtt_next;

	if (tramp->fbtt_next + FBT_ENTENT_MAXSIZE > tramp->fbtt_limit) {
		/*
		 * There isn't sufficient room for this entry; return failure.
		 */
		return (0);
	}

	FBT_COUNTER(id, fbt_entry);

	if (FBT_IS_SAVE(first)) {
		*tinstr++ = first;
	} else {
		*tinstr++ = FBT_SAVEIMM(FBT_REG_O6, -SA(MINFRAME), FBT_REG_O6);
	}

	if (id > (uint32_t)FBT_SIMM13_MAX) {
		*tinstr++ = FBT_SETHI(id, FBT_REG_O0);
		*tinstr++ = FBT_ORLO(FBT_REG_O0, id, FBT_REG_O0);
	} else {
		*tinstr++ = FBT_ORSIMM13(FBT_REG_G0, id, FBT_REG_O0);
	}

	if (nargs >= 1)
		*tinstr++ = FBT_MOV(FBT_REG_I0, FBT_REG_O1);

	if (nargs >= 2)
		*tinstr++ = FBT_MOV(FBT_REG_I1, FBT_REG_O2);

	if (nargs >= 3)
		*tinstr++ = FBT_MOV(FBT_REG_I2, FBT_REG_O3);

	if (nargs >= 4)
		*tinstr++ = FBT_MOV(FBT_REG_I3, FBT_REG_O4);

	if (nargs >= 5)
		*tinstr++ = FBT_MOV(FBT_REG_I4, FBT_REG_O5);

	if (FBT_IS_SAVE(first)) {
		uintptr_t ret = (uintptr_t)instr - sizeof (uint32_t);

		*tinstr++ = FBT_SETHI(ret, FBT_REG_G1);
		*tinstr = FBT_CALL((uintptr_t)tinstr - base + va, dtrace_probe);
		tinstr++;
		*tinstr++ = FBT_ORLO(FBT_REG_G1, ret, FBT_REG_O7);
	} else {
		uintptr_t slot = *--tinstr;
		uintptr_t ret = (uintptr_t)instr + sizeof (uint32_t);
		uint32_t delay = first;

		*tinstr = FBT_CALL((uintptr_t)tinstr - base + va, dtrace_probe);
		tinstr++;
		*tinstr++ = slot;
		*tinstr++ = FBT_RESTORE(FBT_REG_G0, FBT_REG_G0, FBT_REG_G0);

		if (FBT_IS_BA(first) || FBT_IS_BAPCC(first)) {
			/*
			 * This is a special case:  we are instrumenting a
			 * a non-annulled branch-always (or variant).  We'll
			 * return directly to the destination of the branch,
			 * copying the instruction in the delay slot here,
			 * and then executing it in the slot of a ba.
			 */
			if (FBT_IS_BA(first)) {
				ret = FBT_BDEST(instr, *instr);
			} else {
				ret = FBT_BPCCDEST(instr, *instr);
			}

			delay = *(instr + 1);
		}

		if ((first & FBT_OP_MASK) != FBT_OP0 ||
		    (first & FBT_FMT2_OP2_MASK) != FBT_FMT2_OP2_BPR) {
			*tinstr = FBT_BA((uintptr_t)tinstr - base + va, ret);
			tinstr++;
			*tinstr++ = delay;
		} else {
			/*
			 * If this is a branch-on-register, we have a little
			 * more work to do:  because the displacement is only
			 * sixteen bits, we're going to thunk the branch into
			 * the trampoline, and then ba,a to the appropriate
			 * destination in the branch targets.  That is, we're
			 * constructing this sequence in the trampoline:
			 *
			 *		br[cc]	%[rs], 1f
			 *		<delay-instruction>
			 *		ba,a	<not-taken-destination>
			 *	1:	ba,a	<taken-destination>
			 *
			 */
			uintptr_t targ = FBT_BPRDEST(instr, first);

			*tinstr = first & ~(FBT_DISP16_MASK);
			*tinstr |= FBT_DISP14(tinstr, &tinstr[3]);
			tinstr++;
			*tinstr++ = *(instr + 1);
			*tinstr = FBT_BAA((uintptr_t)tinstr - base + va,
			    ret + sizeof (uint32_t));
			tinstr++;
			*tinstr = FBT_BAA((uintptr_t)tinstr - base + va, targ);
			tinstr++;
		}
	}

	tramp->fbtt_va += (uintptr_t)tinstr - tramp->fbtt_next;
	tramp->fbtt_next = (uintptr_t)tinstr;

	return (1);
}

/*
 * We are patching control-transfer/restore couplets.  There are three
 * variants of couplet:
 *
 * (a)	return		rs1 + imm
 *	delay
 *
 * (b)	jmpl		rs1 + (rs2 | offset), rd
 *	restore		rs1, rs2 | imm, rd
 *
 * (c)	call		displacement
 *	restore		rs1, rs2 | imm, rd
 *
 * If rs1 in (a) is anything other than %i7, or imm is anything other than 8,
 * or delay is a DCTI, we fail.  If rd from the jmpl in (b) is something other
 * than %g0 (a ret or a tail-call through a function pointer) or %o7 (a call
 * through a register), we fail.
 *
 * Note that rs1 and rs2 in the restore instructions in (b) and (c) are
 * potentially outputs and/or globals.  Because these registers cannot be
 * relied upon across the call to dtrace_probe(), we move rs1 into an unused
 * local, ls0, and rs2 into an unused local, ls1, and restructure the restore
 * to be:
 *
 *	restore		ls0, ls1, rd
 *
 * Likewise, rs1 and rs2 in the jmpl of case (b) may be outputs and/or globals.
 * If the jmpl uses outputs or globals, we restructure it to be:
 *
 * 	jmpl		ls2 + (ls3 | offset), (%g0 | %o7)
 *
 */
/*ARGSUSED*/
static int
fbt_canpatch_return(uint32_t *instr, int offset, const char *name)
{
	int rd;

	if (FBT_FMT3_OP(*instr) == FBT_OP_RETURN) {
		uint32_t delay = *(instr + 1);

		if (*instr != FBT_RETURN(FBT_REG_I7, 8)) {
			/*
			 * It's unclear if we should warn about this or not.
			 * We really wouldn't expect the compiler to generate
			 * return instructions with something other than %i7
			 * as rs1 and 8 as the simm13 -- it would just be
			 * mean-spirited.  That said, such a construct isn't
			 * necessarily incorrect.  Sill, we err on the side of
			 * caution and warn about it...
			 */
			cmn_err(CE_NOTE, "cannot instrument return of %s at "
			    "%p: non-canonical return instruction", name,
			    (void *)instr);
			return (0);
		}

		if (FBT_IS_CTI(delay)) {
			/*
			 * This is even weirder -- a DCTI coupled with a
			 * return instruction.  Similar constructs are used to
			 * return from utraps, but these typically have the
			 * return in the slot -- and we wouldn't expect to see
			 * it in the kernel regardless.  At any rate, we don't
			 * want to try to instrument this construct, whatever
			 * it may be.
			 */
			cmn_err(CE_NOTE, "cannot instrument return of %s at "
			    "%p: CTI in delay slot of return instruction",
			    name, (void *)instr);
			return (0);
		}

		if (FBT_IS_PCRELATIVE(delay)) {
			/*
			 * This is also very weird, but might be correct code
			 * if the function is (for example) returning the
			 * address of the delay instruction of the return as
			 * its return value (e.g. "rd %pc, %o0" in the slot).
			 * Perhaps correct, but still too weird to not warn
			 * about it...
			 */
			cmn_err(CE_NOTE, "cannot instrument return of %s at "
			    "%p: PC-relative instruction in delay slot of "
			    "return instruction", name, (void *)instr);
			return (0);
		}

		return (1);
	}

	if (FBT_FMT3_OP(*(instr + 1)) != FBT_OP_RESTORE)
		return (0);

	if (FBT_FMT1_OP(*instr) == FBT_OP_CALL)
		return (1);

	if (FBT_FMT3_OP(*instr) != FBT_OP_JMPL)
		return (0);

	rd = FBT_FMT3_RD(*instr);

	if (rd == FBT_REG_I7 || rd == FBT_REG_O7 || rd == FBT_REG_G0)
		return (1);

	/*
	 * We have encountered a jmpl that is storing the calling %pc in
	 * some register besides %i7, %o7 or %g0.  This is strange; emit
	 * a warning and fail.
	 */
	cmn_err(CE_NOTE, "cannot instrument return of %s at %p: unexpected "
	    "jmpl destination register", name, (void *)instr);
	return (0);
}

static int
fbt_canpatch_retl(uint32_t *instr, int offset, const char *name)
{
	if (FBT_FMT1_OP(*instr) == FBT_OP_CALL ||
	    (FBT_FMT3_OP(*instr) == FBT_OP_JMPL &&
	    FBT_FMT3_RD(*instr) == FBT_REG_O7)) {
		/*
		 * If this is a call (or a jmpl that links into %o7), we can
		 * patch it iff the next instruction uses %o7 as a destination
		 * register.  Because there is an ABI responsibility to
		 * restore %o7 to the value before the call/jmpl, we don't
		 * particularly care how this routine is managing to restore
		 * it (mov, add, ld or divx for all we care).  If it doesn't
		 * seem to be restoring it at all, however, we'll refuse
		 * to patch it.
		 */
		uint32_t delay = *(instr + 1);
		uint32_t op, rd;

		op = FBT_FMT1_OP(delay);
		rd = FBT_FMT3_RD(delay);

		if (op != FBT_OP2 || rd != FBT_REG_O7) {
			/*
			 * This is odd.  Before we assume that we're looking
			 * at something bizarre (and warn accordingly), we'll
			 * check to see if it's obviously a jump table entry.
			 */
			if (*instr < (uintptr_t)instr &&
			    *instr >= (uintptr_t)instr - offset)
				return (0);

			cmn_err(CE_NOTE, "cannot instrument return of %s at "
			    "%p: leaf jmpl/call delay isn't restoring %%o7",
			    name, (void *)instr);
			return (0);
		}

		return (1);
	}

	if (offset == sizeof (uint32_t)) {
		/*
		 * If this is the second instruction in the function, we're
		 * going to allow it to be patched if the first instruction
		 * is a patchable return-from-leaf instruction.
		 */
		if (fbt_canpatch_retl(instr - 1, 0, name))
			return (1);
	}

	if (FBT_FMT3_OP(*instr) != FBT_OP_JMPL)
		return (0);

	if (FBT_FMT3_RD(*instr) != FBT_REG_G0)
		return (0);

	return (1);
}

/*ARGSUSED*/
static uint32_t
fbt_patch_return(uint32_t *instr, uint32_t *funcbase, uint32_t *funclim,
    int offset, uint32_t id, fbt_trampoline_t *tramp, const char *name)
{
	uint32_t *tinstr = (uint32_t *)tramp->fbtt_next;
	uint32_t cti = *instr, restore = *(instr + 1), rs1, dest;
	uintptr_t va = tramp->fbtt_va;
	uintptr_t base = tramp->fbtt_next;
	uint32_t locals[FBT_REG_NLOCALS], local;

	if (tramp->fbtt_next + FBT_RETENT_MAXSIZE > tramp->fbtt_limit) {
		/*
		 * There isn't sufficient room for this entry; return failure.
		 */
		return (FBT_ILLTRAP);
	}

	FBT_COUNTER(id, fbt_ret);

	if (FBT_FMT3_OP(*instr) == FBT_OP_RETURN) {
		/*
		 * To handle the case of the return instruction, we'll emit a
		 * restore, followed by the instruction in the slot (which
		 * we'll transplant here), and then another save.  While it
		 * may seem intellectually unsatisfying to emit the additional
		 * restore/save couplet, one can take solace in the fact that
		 * we don't do this if the instruction in the return delay
		 * slot is a nop -- which it is nearly 90% of the time with
		 * gcc.  (And besides, this couplet can't induce unnecessary
		 * spill/fill traps; rewriting the delay instruction to be
		 * in terms of the current window hardly seems worth the
		 * trouble -- let alone the risk.)
		 */
		uint32_t delay = *(instr + 1);
		ASSERT(*instr == FBT_RETURN(FBT_REG_I7, 8));

		cti = FBT_RET;
		restore = FBT_RESTORE(FBT_REG_G0, FBT_REG_G0, FBT_REG_G0);

		if (delay != FBT_SETHI(0, FBT_REG_G0)) {
			*tinstr++ = restore;
			*tinstr++ = delay;
			*tinstr++ = FBT_SAVEIMM(FBT_REG_O6,
			    -SA(MINFRAME), FBT_REG_O6);
		}
	}

	FBT_REG_INITLOCALS(local, locals);

	/*
	 * Mark the locals used in the jmpl.
	 */
	if (FBT_FMT3_OP(cti) == FBT_OP_JMPL) {
		uint32_t rs1 = FBT_FMT3_RS1(cti);
		FBT_REG_MARKLOCAL(locals, rs1);

		if (!FBT_FMT3_ISIMM(cti)) {
			uint32_t rs2 = FBT_FMT3_RS2(cti);
			FBT_REG_MARKLOCAL(locals, rs2);
		}
	}

	/*
	 * And mark the locals used in the restore.
	 */
	rs1 = FBT_FMT3_RS1(restore);
	FBT_REG_MARKLOCAL(locals, rs1);

	if (!FBT_FMT3_ISIMM(restore)) {
		uint32_t rs2 = FBT_FMT3_RS2(restore);
		FBT_REG_MARKLOCAL(locals, rs2);
	}

	if (FBT_FMT3_OP(cti) == FBT_OP_JMPL) {
		uint32_t rs1 = FBT_FMT3_RS1(cti);

		if (FBT_REG_ISVOLATILE(rs1)) {
			FBT_REG_ALLOCLOCAL(local, locals);
			FBT_FMT3_RS1_SET(cti, local);
			*tinstr++ = FBT_MOV(rs1, local);
		}

		if (!FBT_FMT3_ISIMM(cti)) {
			uint32_t rs2 = FBT_FMT3_RS2(cti);

			if (FBT_REG_ISVOLATILE(rs2)) {
				FBT_REG_ALLOCLOCAL(local, locals);
				FBT_FMT3_RS2_SET(cti, local);
				*tinstr++ = FBT_MOV(rs2, local);
			}
		}
	}

	rs1 = FBT_FMT3_RS1(restore);

	if (FBT_REG_ISVOLATILE(rs1)) {
		FBT_REG_ALLOCLOCAL(local, locals);
		FBT_FMT3_RS1_SET(restore, local);
		*tinstr++ = FBT_MOV(rs1, local);
	}

	if (!FBT_FMT3_ISIMM(restore)) {
		uint32_t rs2 = FBT_FMT3_RS2(restore);

		if (FBT_REG_ISVOLATILE(rs2)) {
			FBT_REG_ALLOCLOCAL(local, locals);
			FBT_FMT3_RS2_SET(restore, local);
			*tinstr++ = FBT_MOV(rs2, local);
		}
	}

	if (id > (uint32_t)FBT_SIMM13_MAX) {
		*tinstr++ = FBT_SETHI(id, FBT_REG_O0);
		*tinstr++ = FBT_ORLO(FBT_REG_O0, id, FBT_REG_O0);
	} else {
		*tinstr++ = FBT_ORSIMM13(FBT_REG_G0, id, FBT_REG_O0);
	}

	if (offset > (uint32_t)FBT_SIMM13_MAX) {
		*tinstr++ = FBT_SETHI(offset, FBT_REG_O1);
		*tinstr++ = FBT_ORLO(FBT_REG_O1, offset, FBT_REG_O1);
	} else {
		*tinstr++ = FBT_ORSIMM13(FBT_REG_G0, offset, FBT_REG_O1);
	}

	*tinstr = FBT_CALL((uintptr_t)tinstr - base + va, dtrace_probe);
	tinstr++;

	if (FBT_FMT3_RD(restore) == FBT_REG_O0) {
		/*
		 * If the destination register of the restore is %o0, we
		 * need to perform the implied calculation to derive the
		 * return value.
		 */
		uint32_t add = (restore & ~FBT_FMT3_OP_MASK) | FBT_OP_ADD;
		add &= ~FBT_FMT3_RD_MASK;
		*tinstr++ = add | (FBT_REG_O2 << FBT_FMT3_RD_SHIFT);
	} else {
		*tinstr++ = FBT_MOV(FBT_REG_I0, FBT_REG_O2);
	}

	/*
	 * If the control transfer instruction is %pc-relative (i.e. a
	 * call), we need to reset it appropriately.
	 */
	if (FBT_FMT1_OP(cti) == FBT_OP_CALL) {
		dest = (uintptr_t)instr + (FBT_FMT1_DISP30(cti) << 2);
		*tinstr = FBT_CALL((uintptr_t)tinstr - base + va, dest);
		tinstr++;
	} else {
		*tinstr++ = cti;
	}

	*tinstr++ = restore;
	tramp->fbtt_va += (uintptr_t)tinstr - tramp->fbtt_next;
	tramp->fbtt_next = (uintptr_t)tinstr;

	return (FBT_BAA(instr, va));
}

static uint32_t
fbt_patch_retl(uint32_t *instr, uint32_t *funcbase, uint32_t *funclim,
    int offset, uint32_t id, fbt_trampoline_t *tramp, const char *name)
{
	uint32_t *tinstr = (uint32_t *)tramp->fbtt_next;
	uintptr_t va = tramp->fbtt_va;
	uintptr_t base = tramp->fbtt_next;
	uint32_t cti = *instr, dest;
	int annul = 0;

	FBT_COUNTER(id, fbt_retl);

	if (tramp->fbtt_next + FBT_RETLENT_MAXSIZE > tramp->fbtt_limit) {
		/*
		 * There isn't sufficient room for this entry; return failure.
		 */
		return (FBT_ILLTRAP);
	}

	if (offset == sizeof (uint32_t) &&
	    fbt_canpatch_retl(instr - 1, 0, name)) {
		*tinstr++ = *instr;
		annul = 1;
		FBT_COUNTER(id, fbt_retl_twoinstr);
	} else {
		if (FBT_FMT3_OP(cti) == FBT_OP_JMPL &&
		    FBT_FMT3_RD(cti) != FBT_REG_O7 &&
		    FBT_FMT3_RS1(cti) != FBT_REG_O7) {
			annul = 1;
			*tinstr++ = *(instr + 1);
		}
	}

	*tinstr++ = FBT_SAVEIMM(FBT_REG_O6, -SA(MINFRAME), FBT_REG_O6);

	if (FBT_FMT3_OP(cti) == FBT_OP_JMPL) {
		uint32_t rs1, rs2, o2i = FBT_REG_I0 - FBT_REG_O0;

		/*
		 * If we have a jmpl and it's in terms of output registers, we
		 * need to rewrite it to be in terms of the corresponding input
		 * registers.  If it's in terms of the globals, we'll rewrite
		 * it to be in terms of locals.
		 */
		rs1 = FBT_FMT3_RS1(cti);

		if (FBT_REG_ISOUTPUT(rs1))
			rs1 += o2i;

		if (FBT_REG_ISGLOBAL(rs1)) {
			*tinstr++ = FBT_MOV(rs1, FBT_REG_L0);
			rs1 = FBT_REG_L0;
		}

		FBT_FMT3_RS1_SET(cti, rs1);

		if (!FBT_FMT3_ISIMM(cti)) {
			rs2 = FBT_FMT3_RS2(cti);

			if (FBT_REG_ISOUTPUT(rs2))
				rs2 += o2i;

			if (FBT_REG_ISGLOBAL(rs2)) {
				*tinstr++ = FBT_MOV(rs2, FBT_REG_L1);
				rs2 = FBT_REG_L1;
			}

			FBT_FMT3_RS2_SET(cti, rs2);
		}

		/*
		 * Now we need to check the rd and source register for the jmpl;
		 * If neither rd nor the source register is %o7, then we might
		 * have a jmp that is actually part of a jump table.  We need
		 * to generate the code to compare it to the base and limit of
		 * the function.
		 */
		if (FBT_FMT3_RD(cti) != FBT_REG_O7 && rs1 != FBT_REG_I7) {
			uintptr_t base = (uintptr_t)funcbase;
			uintptr_t limit = (uintptr_t)funclim;

			FBT_COUNTER(id, fbt_retl_jmptab);

			if (FBT_FMT3_ISIMM(cti)) {
				*tinstr++ = FBT_ADDSIMM13(rs1,
				    FBT_FMT3_SIMM13(cti), FBT_REG_L2);
			} else {
				*tinstr++ = FBT_ADD(rs1, rs2, FBT_REG_L2);
			}

			*tinstr++ = FBT_SETHI(base, FBT_REG_L3);
			*tinstr++ = FBT_ORLO(FBT_REG_L3, base, FBT_REG_L3);
			*tinstr++ = FBT_CMP(FBT_REG_L2, FBT_REG_L3);
			*tinstr++ = FBT_BL(0, 8 * sizeof (uint32_t));
			*tinstr++ = FBT_SETHI(limit, FBT_REG_L3);
			*tinstr++ = FBT_ORLO(FBT_REG_L3, limit, FBT_REG_L3);
			*tinstr++ = FBT_CMP(FBT_REG_L2, FBT_REG_L3);
			*tinstr++ = FBT_BGE(0, 4 * sizeof (uint32_t));
			*tinstr++ = FBT_SETHI(0, FBT_REG_G0);
			*tinstr++ = cti;
			*tinstr++ = FBT_RESTORE(FBT_REG_G0,
			    FBT_REG_G0, FBT_REG_G0);
		}
	}

	if (id > (uint32_t)FBT_SIMM13_MAX) {
		*tinstr++ = FBT_SETHI(id, FBT_REG_O0);
		*tinstr++ = FBT_ORLO(FBT_REG_O0, id, FBT_REG_O0);
	} else {
		*tinstr++ = FBT_ORSIMM13(FBT_REG_G0, id, FBT_REG_O0);
	}

	if (offset > (uint32_t)FBT_SIMM13_MAX) {
		*tinstr++ = FBT_SETHI(offset, FBT_REG_O1);
		*tinstr++ = FBT_ORLO(FBT_REG_O1, offset, FBT_REG_O1);
	} else {
		*tinstr++ = FBT_ORSIMM13(FBT_REG_G0, offset, FBT_REG_O1);
	}

	*tinstr = FBT_CALL((uintptr_t)tinstr - base + va, dtrace_probe);
	tinstr++;
	*tinstr++ = FBT_MOV(FBT_REG_I0, FBT_REG_O2);

	/*
	 * If the control transfer instruction is %pc-relative (i.e. a
	 * call), we need to reset it appropriately.
	 */
	if (FBT_FMT1_OP(cti) == FBT_OP_CALL) {
		FBT_COUNTER(id, fbt_retl_tailcall);
		dest = (uintptr_t)instr + (FBT_FMT1_DISP30(cti) << 2);
		*tinstr = FBT_CALL((uintptr_t)tinstr - base + va, dest);
		tinstr++;
		annul = 1;
	} else {
		if (FBT_FMT3_OP(cti) == FBT_OP_JMPL) {
			*tinstr++ = cti;

			if (FBT_FMT3_RD(cti) == FBT_REG_O7) {
				FBT_COUNTER(id, fbt_retl_tailjmpl);
				annul = 1;
			}
		} else {
			*tinstr++ = FBT_RET;
		}
	}

	*tinstr++ = FBT_RESTORE(FBT_REG_G0, FBT_REG_G0, FBT_REG_G0);

	tramp->fbtt_va += (uintptr_t)tinstr - tramp->fbtt_next;
	tramp->fbtt_next = (uintptr_t)tinstr;

	return (annul ? FBT_BAA(instr, va) : FBT_BA(instr, va));
}

/*ARGSUSED*/
static void
fbt_provide_module(void *arg, struct modctl *ctl)
{
	struct module *mp = ctl->mod_mp;
	char *modname = ctl->mod_modname;
	char *str = mp->strings;
	int nsyms = mp->nsyms;
	Shdr *symhdr = mp->symhdr;
	size_t symsize;
	char *name;
	int i;
	fbt_probe_t *fbt, *retfbt;
	fbt_trampoline_t tramp;
	uintptr_t offset;
	int primary = 0;
	ctf_file_t *fp = NULL;
	int error;
	int estimate = 1;
	uint32_t faketramp[50];
	size_t fbt_size = 0;

	/*
	 * Employees of dtrace and their families are ineligible.  Void
	 * where prohibited.
	 */
	if (strcmp(modname, "dtrace") == 0)
		return;

	if (ctl->mod_requisites != NULL) {
		struct modctl_list *list;

		list = (struct modctl_list *)ctl->mod_requisites;

		for (; list != NULL; list = list->modl_next) {
			if (strcmp(list->modl_modp->mod_modname, "dtrace") == 0)
				return;
		}
	}

	/*
	 * KMDB is ineligible for instrumentation -- it may execute in
	 * any context, including probe context.
	 */
	if (strcmp(modname, "kmdbmod") == 0)
		return;

	if (str == NULL || symhdr == NULL || symhdr->sh_addr == NULL) {
		/*
		 * If this module doesn't (yet) have its string or symbol
		 * table allocated, clear out.
		 */
		return;
	}

	symsize = symhdr->sh_entsize;

	if (mp->fbt_nentries) {
		/*
		 * This module has some FBT entries allocated; we're afraid
		 * to screw with it.
		 */
		return;
	}

	if (mp->fbt_tab != NULL)
		estimate = 0;

	/*
	 * This is a hack for unix/genunix/krtld.
	 */
	primary = vmem_contains(heap_arena, (void *)ctl,
	    sizeof (struct modctl)) == 0;
	kobj_textwin_alloc(mp);

	/*
	 * Open the CTF data for the module.  We'll use this to determine the
	 * functions that can be instrumented.  Note that this call can fail,
	 * in which case we'll use heuristics to determine the functions that
	 * can be instrumented.  (But in particular, leaf functions will not be
	 * instrumented.)
	 */
	fp = ctf_modopen(mp, &error);

forreal:
	if (!estimate) {
		tramp.fbtt_next =
		    (uintptr_t)fbt_trampoline_map((uintptr_t)mp->fbt_tab,
		    mp->fbt_size);
		tramp.fbtt_limit = tramp.fbtt_next + mp->fbt_size;
		tramp.fbtt_va = (uintptr_t)mp->fbt_tab;
	}

	for (i = 1; i < nsyms; i++) {
		ctf_funcinfo_t f;
		uint32_t *instr, *base, *limit;
		Sym *sym = (Sym *)(symhdr->sh_addr + i * symsize);
		int have_ctf = 0, is_leaf = 0, nargs, cti = 0;
		int (*canpatch)(uint32_t *, int, const char *);
		uint32_t (*patch)(uint32_t *, uint32_t *, uint32_t *, int,
		    uint32_t, fbt_trampoline_t *, const char *);

		if (ELF_ST_TYPE(sym->st_info) != STT_FUNC)
			continue;

		/*
		 * Weak symbols are not candidates.  This could be made to
		 * work (where weak functions and their underlying function
		 * appear as two disjoint probes), but it's not simple.
		 */
		if (ELF_ST_BIND(sym->st_info) == STB_WEAK)
			continue;

		name = str + sym->st_name;

		if (strstr(name, "dtrace_") == name &&
		    strstr(name, "dtrace_safe_") != name) {
			/*
			 * Anything beginning with "dtrace_" may be called
			 * from probe context unless it explitly indicates
			 * that it won't be called from probe context by
			 * using the prefix "dtrace_safe_".
			 */
			continue;
		}

		if (strstr(name, "kdi_") == name ||
		    strstr(name, "_kdi_") != NULL) {
			/*
			 * Any function name beginning with "kdi_" or
			 * containing the string "_kdi_" is a part of the
			 * kernel debugger interface and may be called in
			 * arbitrary context -- including probe context.
			 */
			continue;
		}

		if (strstr(name, "__relocatable") != NULL) {
			/*
			 * Anything with the string "__relocatable" anywhere
			 * in the function name is considered to be a function
			 * that may be manually relocated before execution.
			 * Because FBT uses a PC-relative technique for
			 * instrumentation, these functions cannot safely
			 * be instrumented by us.
			 */
			continue;
		}

		if (strstr(name, "ip_ocsum") == name) {
			/*
			 * The ip_ocsum_* family of routines are all ABI
			 * violators.  (They expect incoming arguments in the
			 * globals!)  Break the ABI?  No soup for you!
			 */
			continue;
		}

		/*
		 * We want to scan the function for one (and only one) save.
		 * Any more indicates that something fancy is going on.
		 */
		base = (uint32_t *)sym->st_value;
		limit = (uint32_t *)(sym->st_value + sym->st_size);

		/*
		 * We don't want to interpose on the module stubs.
		 */
		if (base >= (uint32_t *)stubs_base &&
		    base <= (uint32_t *)stubs_end)
			continue;

		/*
		 * We can't safely trace a zero-length function...
		 */
		if (base == limit)
			continue;

		/*
		 * Due to 4524008, _init and _fini may have a bloated st_size.
		 * While this bug was fixed quite some time ago, old drivers
		 * may be lurking.  We need to develop a better solution to
		 * this problem, such that correct _init and _fini functions
		 * (the vast majority) may be correctly traced.  One solution
		 * may be to scan through the entire symbol table to see if
		 * any symbol overlaps with _init.  If none does, set a bit in
		 * the module structure that this module has correct _init and
		 * _fini sizes.  This will cause some pain the first time a
		 * module is scanned, but at least it would be O(N) instead of
		 * O(N log N)...
		 */
		if (strcmp(name, "_init") == 0)
			continue;

		if (strcmp(name, "_fini") == 0)
			continue;

		instr = base;

		/*
		 * While we try hard to only trace safe functions (that is,
		 * functions at TL=0), one unsafe function manages to otherwise
		 * appear safe:  prom_trap().  We could discover prom_trap()
		 * if we added an additional rule:  in order to trace a
		 * function, we must either (a) discover a restore or (b)
		 * determine that the function does not have any unlinked
		 * control transfers to another function (i.e., the function
		 * never returns).  Unfortunately, as of this writing, one
		 * legitimate function (resume_from_zombie()) transfers
		 * control to a different function (_resume_from_idle())
		 * without executing a restore.  Barring a rule to figure out
		 * that resume_from_zombie() is safe while prom_trap() is not,
		 * we resort to hard-coding prom_trap() here.
		 */
		if (strcmp(name, "prom_trap") == 0)
			continue;

		if (fp != NULL && ctf_func_info(fp, i, &f) != CTF_ERR) {
			nargs = f.ctc_argc;
			have_ctf = 1;
		} else {
			nargs = 32;
		}

		/*
		 * If the first instruction of the function is a branch and
		 * it's not a branch-always-not-annulled, we're going to refuse
		 * to patch it.
		 */
		if ((*instr & FBT_OP_MASK) == FBT_OP0 &&
		    (*instr & FBT_FMT2_OP2_MASK) != FBT_FMT2_OP2_SETHI &&
		    (*instr & FBT_FMT2_OP2_MASK) != FBT_FMT2_OP2_BPR) {
			if (!FBT_IS_BA(*instr) && !FBT_IS_BAPCC(*instr)) {
				if (have_ctf) {
					cmn_err(CE_NOTE, "cannot instrument %s:"
					    " begins with non-ba, "
					    "non-br CTI", name);
				}
				continue;
			}
		}

		while (!FBT_IS_SAVE(*instr)) {
			/*
			 * Before we assume that this is a leaf routine, check
			 * forward in the basic block for a save.
			 */
			int op = *instr & FBT_OP_MASK;
			int op2 = *instr & FBT_FMT2_OP2_MASK;

			if (op == FBT_OP0 && op2 != FBT_FMT2_OP2_SETHI) {
				/*
				 * This is a CTI.  If we see a subsequent
				 * save, we will refuse to process this
				 * routine unless both of the following are
				 * true:
				 *
				 *  (a)	The branch is not annulled
				 *
				 *  (b)	The subsequent save is in the delay
				 *	slot of the branch
				 */
				if ((*instr & FBT_ANNUL) ||
				    !FBT_IS_SAVE(*(instr + 1))) {
					cti = 1;
				} else {
					instr++;
					break;
				}
			}

			if (op == FBT_OP1)
				cti = 1;

			if (++instr == limit)
				break;
		}

		if (instr < limit && cti) {
			/*
			 * If we found a CTI before the save, we need to not
			 * do anything.  But if we have CTF information, this
			 * is weird enough that it merits a message.
			 */
			if (!have_ctf)
				continue;

			cmn_err(CE_NOTE, "cannot instrument %s: "
			    "save not in first basic block", name);
			continue;
		}

		if (instr == limit) {
			if (!have_ctf)
				continue;
			is_leaf = 1;

			if (!estimate)
				fbt_leaf_functions++;

			canpatch = fbt_canpatch_retl;
			patch = fbt_patch_retl;
		} else {
			canpatch = fbt_canpatch_return;
			patch = fbt_patch_return;
		}

		if (!have_ctf && !is_leaf) {
			/*
			 * Before we assume that this isn't something tricky,
			 * look for other saves.  If we find them, there are
			 * multiple entry points here (or something), and we'll
			 * leave it alone.
			 */
			while (++instr < limit) {
				if (FBT_IS_SAVE(*instr))
					break;
			}

			if (instr != limit)
				continue;
		}

		instr = base;

		if (FBT_IS_CTI(*instr)) {
			/*
			 * If we have a CTI, we want to be sure that we don't
			 * have a CTI or a PC-relative instruction in the
			 * delay slot -- we want to be able to thunk the
			 * instruction into the trampoline without worrying
			 * about either DCTIs or relocations.  It would be
			 * very odd for the compiler to generate this kind of
			 * code, so we warn about it if we have CTF
			 * information.
			 */
			if (FBT_IS_CTI(*(instr + 1))) {
				if (!have_ctf)
					continue;

				cmn_err(CE_NOTE, "cannot instrument %s: "
				    "CTI in delay slot of first instruction",
				    name);
				continue;
			}

			if (FBT_IS_PCRELATIVE(*(instr + 1))) {
				if (!have_ctf)
					continue;

				cmn_err(CE_NOTE, "cannot instrument %s: "
				    "PC-relative instruction in delay slot of"
				    " first instruction", name);
				continue;
			}
		}

		if (estimate) {
			tramp.fbtt_next = (uintptr_t)faketramp;
			tramp.fbtt_limit = tramp.fbtt_next + sizeof (faketramp);
			(void) fbt_patch_entry(instr, FBT_ESTIMATE_ID,
			    &tramp, nargs);
			fbt_size += tramp.fbtt_next - (uintptr_t)faketramp;
		} else {
			fbt = kmem_zalloc(sizeof (fbt_probe_t), KM_SLEEP);
			fbt->fbtp_name = name;
			fbt->fbtp_ctl = ctl;
			fbt->fbtp_id = dtrace_probe_create(fbt_id, modname,
			    name, FBT_PROBENAME_ENTRY, 1, fbt);
			fbt->fbtp_patchval = FBT_BAA(instr, tramp.fbtt_va);

			if (!fbt_patch_entry(instr, fbt->fbtp_id,
			    &tramp, nargs)) {
				cmn_err(CE_WARN, "unexpectedly short FBT table "
				    "in module %s (sym %d of %d)", modname,
				    i, nsyms);
				break;
			}

			fbt->fbtp_patchpoint =
			    (uint32_t *)((uintptr_t)mp->textwin +
			    ((uintptr_t)instr - (uintptr_t)mp->text));
			fbt->fbtp_savedval = *instr;

			fbt->fbtp_loadcnt = ctl->mod_loadcnt;
			fbt->fbtp_primary = primary;
			fbt->fbtp_symndx = i;
			mp->fbt_nentries++;
		}

		retfbt = NULL;
again:
		if (++instr == limit)
			continue;

		offset = (uintptr_t)instr - (uintptr_t)base;

		if (!(*canpatch)(instr, offset, name))
			goto again;

		if (estimate) {
			tramp.fbtt_next = (uintptr_t)faketramp;
			tramp.fbtt_limit = tramp.fbtt_next + sizeof (faketramp);
			(void) (*patch)(instr, base, limit,
			    offset, FBT_ESTIMATE_ID, &tramp, name);
			fbt_size += tramp.fbtt_next - (uintptr_t)faketramp;

			goto again;
		}

		fbt = kmem_zalloc(sizeof (fbt_probe_t), KM_SLEEP);
		fbt->fbtp_name = name;
		fbt->fbtp_ctl = ctl;

		if (retfbt == NULL) {
			fbt->fbtp_id = dtrace_probe_create(fbt_id, modname,
			    name, FBT_PROBENAME_RETURN, 1, fbt);
		} else {
			retfbt->fbtp_next = fbt;
			fbt->fbtp_id = retfbt->fbtp_id;
		}

		fbt->fbtp_return = 1;
		retfbt = fbt;

		if ((fbt->fbtp_patchval = (*patch)(instr, base, limit, offset,
		    fbt->fbtp_id, &tramp, name)) == FBT_ILLTRAP) {
			cmn_err(CE_WARN, "unexpectedly short FBT table "
			    "in module %s (sym %d of %d)", modname, i, nsyms);
			break;
		}

		fbt->fbtp_patchpoint = (uint32_t *)((uintptr_t)mp->textwin +
		    ((uintptr_t)instr - (uintptr_t)mp->text));
		fbt->fbtp_savedval = *instr;
		fbt->fbtp_loadcnt = ctl->mod_loadcnt;
		fbt->fbtp_primary = primary;
		fbt->fbtp_symndx = i;
		mp->fbt_nentries++;

		goto again;
	}

	if (estimate) {
		/*
		 * Slosh on another entry's worth...
		 */
		fbt_size += FBT_ENT_MAXSIZE;
		mp->fbt_size = fbt_size;
		mp->fbt_tab = kobj_texthole_alloc(mp->text, fbt_size);

		if (mp->fbt_tab == NULL) {
			cmn_err(CE_WARN, "couldn't allocate FBT table "
			    "for module %s", modname);
		} else {
			estimate = 0;
			goto forreal;
		}
	} else {
		fbt_trampoline_unmap();
	}

error:
	if (fp != NULL)
		ctf_close(fp);
}

/*ARGSUSED*/
static void
fbt_destroy(void *arg, dtrace_id_t id, void *parg)
{
	fbt_probe_t *fbt = parg, *next;
	struct modctl *ctl = fbt->fbtp_ctl;

	do {
		if (ctl != NULL && ctl->mod_loadcnt == fbt->fbtp_loadcnt) {
			if ((ctl->mod_loadcnt == fbt->fbtp_loadcnt &&
			    ctl->mod_loaded) || fbt->fbtp_primary) {
				((struct module *)
				    (ctl->mod_mp))->fbt_nentries--;
			}
		}

		next = fbt->fbtp_next;
		kmem_free(fbt, sizeof (fbt_probe_t));
		fbt = next;
	} while (fbt != NULL);
}

/*ARGSUSED*/
static int
fbt_enable(void *arg, dtrace_id_t id, void *parg)
{
	fbt_probe_t *fbt = parg, *f;
	struct modctl *ctl = fbt->fbtp_ctl;

	ctl->mod_nenabled++;

	for (f = fbt; f != NULL; f = f->fbtp_next) {
		if (f->fbtp_patchpoint == NULL) {
			/*
			 * Due to a shortened FBT table, this entry was never
			 * completed; refuse to enable it.
			 */
			if (fbt_verbose) {
				cmn_err(CE_NOTE, "fbt is failing for probe %s "
				    "(short FBT table in %s)",
				    fbt->fbtp_name, ctl->mod_modname);
			}

			return (0);
		}
	}

	/*
	 * If this module has disappeared since we discovered its probes,
	 * refuse to enable it.
	 */
	if (!fbt->fbtp_primary && !ctl->mod_loaded) {
		if (fbt_verbose) {
			cmn_err(CE_NOTE, "fbt is failing for probe %s "
			    "(module %s unloaded)",
			    fbt->fbtp_name, ctl->mod_modname);
		}

		return (0);
	}

	/*
	 * Now check that our modctl has the expected load count.  If it
	 * doesn't, this module must have been unloaded and reloaded -- and
	 * we're not going to touch it.
	 */
	if (ctl->mod_loadcnt != fbt->fbtp_loadcnt) {
		if (fbt_verbose) {
			cmn_err(CE_NOTE, "fbt is failing for probe %s "
			    "(module %s reloaded)",
			    fbt->fbtp_name, ctl->mod_modname);
		}

		return (0);
	}

	for (; fbt != NULL; fbt = fbt->fbtp_next)
		*fbt->fbtp_patchpoint = fbt->fbtp_patchval;

	return (0);
}

/*ARGSUSED*/
static void
fbt_disable(void *arg, dtrace_id_t id, void *parg)
{
	fbt_probe_t *fbt = parg, *f;
	struct modctl *ctl = fbt->fbtp_ctl;

	ASSERT(ctl->mod_nenabled > 0);
	ctl->mod_nenabled--;

	for (f = fbt; f != NULL; f = f->fbtp_next) {
		if (f->fbtp_patchpoint == NULL)
			return;
	}

	if ((!fbt->fbtp_primary && !ctl->mod_loaded) ||
	    (ctl->mod_loadcnt != fbt->fbtp_loadcnt))
		return;

	for (; fbt != NULL; fbt = fbt->fbtp_next)
		*fbt->fbtp_patchpoint = fbt->fbtp_savedval;
}

/*ARGSUSED*/
static void
fbt_suspend(void *arg, dtrace_id_t id, void *parg)
{
	fbt_probe_t *fbt = parg;
	struct modctl *ctl = fbt->fbtp_ctl;

	if (!fbt->fbtp_primary && !ctl->mod_loaded)
		return;

	if (ctl->mod_loadcnt != fbt->fbtp_loadcnt)
		return;

	ASSERT(ctl->mod_nenabled > 0);

	for (; fbt != NULL; fbt = fbt->fbtp_next)
		*fbt->fbtp_patchpoint = fbt->fbtp_savedval;
}

/*ARGSUSED*/
static void
fbt_resume(void *arg, dtrace_id_t id, void *parg)
{
	fbt_probe_t *fbt = parg;
	struct modctl *ctl = fbt->fbtp_ctl;

	if (!fbt->fbtp_primary && !ctl->mod_loaded)
		return;

	if (ctl->mod_loadcnt != fbt->fbtp_loadcnt)
		return;

	ASSERT(ctl->mod_nenabled > 0);

	for (; fbt != NULL; fbt = fbt->fbtp_next)
		*fbt->fbtp_patchpoint = fbt->fbtp_patchval;
}

/*ARGSUSED*/
static void
fbt_getargdesc(void *arg, dtrace_id_t id, void *parg, dtrace_argdesc_t *desc)
{
	fbt_probe_t *fbt = parg;
	struct modctl *ctl = fbt->fbtp_ctl;
	struct module *mp = ctl->mod_mp;
	ctf_file_t *fp = NULL, *pfp;
	ctf_funcinfo_t f;
	int error;
	ctf_id_t argv[32], type;
	int argc = sizeof (argv) / sizeof (ctf_id_t);
	const char *parent;

	if (!ctl->mod_loaded || (ctl->mod_loadcnt != fbt->fbtp_loadcnt))
		goto err;

	if (fbt->fbtp_return && desc->dtargd_ndx == 0) {
		(void) strcpy(desc->dtargd_native, "int");
		return;
	}

	if ((fp = ctf_modopen(mp, &error)) == NULL) {
		/*
		 * We have no CTF information for this module -- and therefore
		 * no args[] information.
		 */
		goto err;
	}

	/*
	 * If we have a parent container, we must manually import it.
	 */
	if ((parent = ctf_parent_name(fp)) != NULL) {
		struct modctl *mp = &modules;
		struct modctl *mod = NULL;

		/*
		 * We must iterate over all modules to find the module that
		 * is our parent.
		 */
		do {
			if (strcmp(mp->mod_modname, parent) == 0) {
				mod = mp;
				break;
			}
		} while ((mp = mp->mod_next) != &modules);

		if (mod == NULL)
			goto err;

		if ((pfp = ctf_modopen(mod->mod_mp, &error)) == NULL)
			goto err;

		if (ctf_import(fp, pfp) != 0) {
			ctf_close(pfp);
			goto err;
		}

		ctf_close(pfp);
	}

	if (ctf_func_info(fp, fbt->fbtp_symndx, &f) == CTF_ERR)
		goto err;

	if (fbt->fbtp_return) {
		if (desc->dtargd_ndx > 1)
			goto err;

		ASSERT(desc->dtargd_ndx == 1);
		type = f.ctc_return;
	} else {
		if (desc->dtargd_ndx + 1 > f.ctc_argc)
			goto err;

		if (ctf_func_args(fp, fbt->fbtp_symndx, argc, argv) == CTF_ERR)
			goto err;

		type = argv[desc->dtargd_ndx];
	}

	if (ctf_type_name(fp, type, desc->dtargd_native,
	    DTRACE_ARGTYPELEN) != NULL) {
		ctf_close(fp);
		return;
	}
err:
	if (fp != NULL)
		ctf_close(fp);

	desc->dtargd_ndx = DTRACE_ARGNONE;
}

static dtrace_pattr_t fbt_attr = {
{ DTRACE_STABILITY_EVOLVING, DTRACE_STABILITY_EVOLVING, DTRACE_CLASS_ISA },
{ DTRACE_STABILITY_PRIVATE, DTRACE_STABILITY_PRIVATE, DTRACE_CLASS_UNKNOWN },
{ DTRACE_STABILITY_PRIVATE, DTRACE_STABILITY_PRIVATE, DTRACE_CLASS_UNKNOWN },
{ DTRACE_STABILITY_EVOLVING, DTRACE_STABILITY_EVOLVING, DTRACE_CLASS_ISA },
{ DTRACE_STABILITY_PRIVATE, DTRACE_STABILITY_PRIVATE, DTRACE_CLASS_ISA },
};

static dtrace_pops_t fbt_pops = {
	NULL,
	fbt_provide_module,
	fbt_enable,
	fbt_disable,
	fbt_suspend,
	fbt_resume,
	fbt_getargdesc,
	NULL,
	NULL,
	fbt_destroy
};

static int
fbt_attach(dev_info_t *devi, ddi_attach_cmd_t cmd)
{
	switch (cmd) {
	case DDI_ATTACH:
		break;
	case DDI_RESUME:
		return (DDI_SUCCESS);
	default:
		return (DDI_FAILURE);
	}

	if (ddi_create_minor_node(devi, "fbt", S_IFCHR, 0,
	    DDI_PSEUDO, NULL) == DDI_FAILURE ||
	    dtrace_register("fbt", &fbt_attr, DTRACE_PRIV_KERNEL, NULL,
	    &fbt_pops, NULL, &fbt_id) != 0) {
		ddi_remove_minor_node(devi, NULL);
		return (DDI_FAILURE);
	}

	ddi_report_dev(devi);
	fbt_devi = devi;
	return (DDI_SUCCESS);
}

static int
fbt_detach(dev_info_t *devi, ddi_detach_cmd_t cmd)
{
	switch (cmd) {
	case DDI_DETACH:
		break;
	case DDI_SUSPEND:
		return (DDI_SUCCESS);
	default:
		return (DDI_FAILURE);
	}

	if (dtrace_unregister(fbt_id) != 0)
		return (DDI_FAILURE);

	ddi_remove_minor_node(devi, NULL);
	return (DDI_SUCCESS);
}

/*ARGSUSED*/
static int
fbt_info(dev_info_t *dip, ddi_info_cmd_t infocmd, void *arg, void **result)
{
	int error;

	switch (infocmd) {
	case DDI_INFO_DEVT2DEVINFO:
		*result = (void *)fbt_devi;
		error = DDI_SUCCESS;
		break;
	case DDI_INFO_DEVT2INSTANCE:
		*result = (void *)0;
		error = DDI_SUCCESS;
		break;
	default:
		error = DDI_FAILURE;
	}
	return (error);
}

/*ARGSUSED*/
static int
fbt_open(dev_t *devp, int flag, int otyp, cred_t *cred_p)
{
	return (0);
}

static struct cb_ops fbt_cb_ops = {
	fbt_open,		/* open */
	nodev,			/* close */
	nulldev,		/* strategy */
	nulldev,		/* print */
	nodev,			/* dump */
	nodev,			/* read */
	nodev,			/* write */
	nodev,			/* ioctl */
	nodev,			/* devmap */
	nodev,			/* mmap */
	nodev,			/* segmap */
	nochpoll,		/* poll */
	ddi_prop_op,		/* cb_prop_op */
	0,			/* streamtab  */
	D_NEW | D_MP		/* Driver compatibility flag */
};

static struct dev_ops fbt_ops = {
	DEVO_REV,		/* devo_rev */
	0,			/* refcnt */
	fbt_info,		/* get_dev_info */
	nulldev,		/* identify */
	nulldev,		/* probe */
	fbt_attach,		/* attach */
	fbt_detach,		/* detach */
	nodev,			/* reset */
	&fbt_cb_ops,		/* driver operations */
	NULL,			/* bus operations */
	nodev,			/* dev power */
	ddi_quiesce_not_needed,		/* quiesce */
};

/*
 * Module linkage information for the kernel.
 */
static struct modldrv modldrv = {
	&mod_driverops,		/* module type (this is a pseudo driver) */
	"Function Boundary Tracing",	/* name of module */
	&fbt_ops,		/* driver ops */
};

static struct modlinkage modlinkage = {
	MODREV_1,
	(void *)&modldrv,
	NULL
};

int
_init(void)
{
	return (mod_install(&modlinkage));
}

int
_info(struct modinfo *modinfop)
{
	return (mod_info(&modlinkage, modinfop));
}

int
_fini(void)
{
	return (mod_remove(&modlinkage));
}