static VOID Trace(TRACE trace, VOID *v) { RTN rtn = TRACE_Rtn(trace); ADDRINT version = TRACE_Version(trace); // If we are not in watch_rtn, switch back to base version if (!RTN_Valid(rtn) || RTN_Name(rtn) != watch_rtn) { if (version != VERSION_BASE) BBL_SetTargetVersion(TRACE_BblHead(trace), VERSION_BASE); return; } if (TRACE_Address(trace) == RTN_Address(rtn)) { INS ins = BBL_InsHead(TRACE_BblHead(trace)); if (version == VERSION_BASE) { // version_reg is used to select the version, use the first // argument of watch_rtn to set it INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(select_version), IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_RETURN_REGS, version_reg, IARG_END); // IF we are in the base version, decide if we should go to the // other versions // Note that the version instrumentation will occur before any // following instrumentation done on this ins INS_InsertVersionCase(ins, version_reg, 10, VERSION_1, IARG_END); INS_InsertVersionCase(ins, version_reg, 20, VERSION_2, IARG_END); printf ("Instrumentation at %p\n", reinterpret_cast<void *>(INS_Address(ins))); } } INS ins = BBL_InsHead(TRACE_BblHead(trace)); for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { // Instrumentation depends on version // These instrumentations occur after the preceeding version instrumentation // (i.e. the instrumentation inserted by the above INS_InsertVersionCase calls switch(version) { case VERSION_BASE: INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Emit), IARG_PTR, "version base", IARG_END); break; case VERSION_1: INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Emit), IARG_PTR, "version 1", IARG_END); break; case VERSION_2: INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Emit), IARG_PTR, "version 2", IARG_END); break; default: assert(0); break; } } }
VOID Trace(TRACE trace, VOID *v) { static BOOL programStart = TRUE; if (programStart) { programStart = FALSE; next_pc = (void*)INS_Address(BBL_InsHead(TRACE_BblHead(trace))); } for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { // check BBL entry PC INS_InsertCall( BBL_InsHead(bbl), IPOINT_BEFORE, (AFUNPTR)CheckPc, IARG_INST_PTR, IARG_END); INS tail = BBL_InsTail(bbl); if (INS_IsBranchOrCall(tail)) { // record taken branch targets INS_InsertCall( tail, IPOINT_BEFORE, AFUNPTR(RecordPc), IARG_INST_PTR, IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_END); } if (INS_HasFallThrough(tail)) { // record fall-through INS_InsertCall( tail, IPOINT_AFTER, (AFUNPTR)RecordPc, IARG_INST_PTR, IARG_FALLTHROUGH_ADDR, IARG_BOOL, TRUE, IARG_END); } #if defined(TARGET_IA32) || defined(TARGET_IA32E) if (INS_IsSysenter(tail) || INS_HasRealRep(tail)) { // sysenter on x86 has some funny control flow that we can't correctly verify for now // Genuinely REP prefixed instructions are also odd, they appear to stutter. INS_InsertCall(tail, IPOINT_BEFORE, (AFUNPTR)Skip, IARG_END); } #endif } }
VOID Trace(TRACE trace, VOID *v) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { INS tail = BBL_InsTail(bbl); if( INS_IsCall(tail) ) { INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_indirect), IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_END); } else { // sometimes code is not in an image RTN rtn = TRACE_Rtn(trace); // also track stup jumps into share libraries if( RTN_Valid(rtn) && !INS_IsDirectBranchOrCall(tail) && ".plt" == SEC_Name( RTN_Sec( rtn ) )) { INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_indirect), IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_END); } } } }
VOID Trace(TRACE trace, VOID *v) { BOOL rewrite = false; for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { // If we see an instruction that needs rewriting, then rewrite all if (SwizzleRefs.find(INS_Address(ins)) != SwizzleRefs.end()) rewrite = true; if (rewrite) { // If we suspect this instruction needs to be swizzled, generate safe, but slow code RewriteIns(ins); } else { // Generate code to check if swizzling is needed, but not do it CheckIns(ins, TRACE_Address(trace)); } } } }
VOID Trace(TRACE trace, VOID *v) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { INS_InsertCall(BBL_InsHead(bbl), IPOINT_BEFORE, (AFUNPTR)docount, IARG_UINT32, BBL_NumIns(bbl), IARG_END); } }
// Pin calls this function every time a new basic block is encountered // It inserts a call to docount VOID Trace(TRACE trace, VOID *v) { // Visit every basic block in the trace for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { if (INS_IsMemoryRead(ins)) { INS_InsertIfCall(ins, IPOINT_BEFORE, (AFUNPTR)ReadAlways, IARG_MEMORYREAD_EA, IARG_END); INS_InsertThenCall(ins, IPOINT_BEFORE, (AFUNPTR)ReadRare, IARG_MEMORYREAD_EA, IARG_END); } } // Always()->Rare() are partially inlined BBL_InsertIfCall(bbl, IPOINT_BEFORE, (AFUNPTR)Always, IARG_END); BBL_InsertThenCall(bbl, IPOINT_BEFORE, (AFUNPTR)Rare, IARG_END); // Always()->Rare() are partially inlined BBL_InsertIfCall(bbl, IPOINT_BEFORE, (AFUNPTR)AlwaysNoinline, IARG_END); BBL_InsertThenCall(bbl, IPOINT_BEFORE, (AFUNPTR)RareNoinline, IARG_END); // Noinline() is not inlined BBL_InsertCall(bbl, IPOINT_BEFORE, (AFUNPTR)Noinline, IARG_END); } }
VOID Trace (TRACE trace, VOID *v) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { xed_iclass_enum_t iclass1 = static_cast<xed_iclass_enum_t>(INS_Opcode(ins)); if (iclass1 == XED_ICLASS_FLD1 && INS_Valid(INS_Next(ins))) { xed_iclass_enum_t iclass2 = static_cast<xed_iclass_enum_t>(INS_Opcode(INS_Next(ins))); if (iclass2 == XED_ICLASS_FLD1 && INS_Valid(INS_Next(INS_Next(ins)))) { xed_iclass_enum_t iclass3 = static_cast<xed_iclass_enum_t>(INS_Opcode(INS_Next(INS_Next(ins)))); if (iclass3 == XED_ICLASS_FLD1) { printf ("tool: found fld1 sequence at %p\n", (void *)INS_Address(INS_Next(INS_Next(ins)))); fflush (stdout); // Insert an analysis call that will cause the xmm scratch registers to be spilled INS_InsertCall(INS_Next(INS_Next(ins)), IPOINT_AFTER, (AFUNPTR)SetXmmScratchesFun, IARG_END); return; } } } } } }
VOID Trace(TRACE trace, VOID *v) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { BBL_InsertCall(bbl, IPOINT_ANYWHERE, (AFUNPTR)LogBBL, IARG_FAST_ANALYSIS_CALL, IARG_ADDRINT, BBL_Address(bbl), IARG_END); } }
VOID Trace (TRACE trace, VOID *v) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { xed_iclass_enum_t iclass1 = static_cast<xed_iclass_enum_t>(INS_Opcode(ins)); if (iclass1 == XED_ICLASS_FLD1 && INS_Valid(INS_Next(ins))) { xed_iclass_enum_t iclass2 = static_cast<xed_iclass_enum_t>(INS_Opcode(INS_Next(ins))); if (iclass2 == XED_ICLASS_FLD1 && INS_Valid(INS_Next(INS_Next(ins)))) { xed_iclass_enum_t iclass3 = static_cast<xed_iclass_enum_t>(INS_Opcode(INS_Next(INS_Next(ins)))); if (iclass3 == XED_ICLASS_FLD1) { printf ("found fld1 sequence at %x\n", INS_Address(INS_Next(INS_Next(ins)))); { INS_InsertCall(INS_Next(INS_Next(ins)), IPOINT_AFTER, AFUNPTR(CallToFldzToTop3), IARG_END); printf ("Inserted call1 to FldzToTop3 after instruction at %x\n", INS_Address(INS_Next(INS_Next(ins)))); } } } } } } }
// We have to instrument traces in order to instrument each BBL, the API doesn't have a BBL_AddInstrumentFunction VOID trace_instrumentation(TRACE trace, VOID *v) { // We don't want to instrument the BBL contained in the Windows API if(is_address_in_blacklisted_modules(TRACE_Address(trace))) return; for(BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { // What's going on under the hood // LOG("[INSTRU] BBL Address: " + hexstr(BBL_Address(bbl)) + ", " + hexstr(BBL_NumIns(bbl)) + "\n"); // Insert a call to handle_basic_block before every basic block, passing the number of instructions BBL_InsertCall( bbl, IPOINT_ANYWHERE, (AFUNPTR)handle_basic_block, IARG_FAST_ANALYSIS_CALL, // Use a faster linkage for calls to analysis functions. Add PIN_FAST_ANALYSIS_CALL to the declaration between the return type and the function name. You must also add IARG_FAST_ANALYSIS_CALL to the InsertCall. For example: IARG_UINT32, BBL_NumIns(bbl), IARG_ADDRINT, BBL_Address(bbl), IARG_END ); } }
VOID PolymorphicCodeHandlerModule::inspectTrace(TRACE trace){ // set the range of address in which the current trace resides this->trace_head = TRACE_Address(trace); this->trace_tail = trace_head + TRACE_Size(trace); for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { // for ech instruction we have to check if it has been overwritten by a previous instruction of the current trace (polimiorfic code detection) INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(checkIfWrittenAddress), IARG_INST_PTR, IARG_CONTEXT, IARG_UINT32, INS_Size(ins), IARG_PTR, this, IARG_END); for (UINT32 op = 0; op<INS_MemoryOperandCount(ins); op++) { if(INS_MemoryOperandIsWritten(ins,op)){ // for each write operation we have to check if the traget address is inside the current trace (attempt to write polimorfic code) INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(polimorficCodeHandler), IARG_INST_PTR, IARG_MEMORYOP_EA, op, IARG_PTR, this, IARG_END); } } } } }
VOID Trace (TRACE trace, VOID *v) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { xed_iclass_enum_t iclass1 = static_cast<xed_iclass_enum_t>(INS_Opcode(ins)); if (iclass1 == XED_ICLASS_FLD1 && INS_Valid(INS_Next(ins))) { xed_iclass_enum_t iclass2 = static_cast<xed_iclass_enum_t>(INS_Opcode(INS_Next(ins))); if (iclass2 == XED_ICLASS_FLD1 && INS_Valid(INS_Next(INS_Next(ins)))) { xed_iclass_enum_t iclass3 = static_cast<xed_iclass_enum_t>(INS_Opcode(INS_Next(INS_Next(ins)))); if (iclass3 == XED_ICLASS_FLD1) { printf ("found fld1 sequence at %lx\n", (unsigned long)(INS_Address(INS_Next(INS_Next(ins))))); if (testNum == 0) { INS_InsertCall(INS_Next(INS_Next(ins)), IPOINT_AFTER, AFUNPTR(CallToUnMaskZeroDivideInMxcsr), IARG_END); printf ("Inserted call1 to UnMaskZeroDivideInMxcsr after instruction at %lx\n", (unsigned long)(INS_Address(INS_Next(INS_Next(ins))))); testNum++; } return; } } } } } }
VOID Trace(TRACE trace, VOID *) { if (!EnableInstrumentation) return; for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) BBL_InsertCall(bbl, IPOINT_BEFORE, AFUNPTR(CheckPC), IARG_INST_PTR, IARG_END); }
// Pin calls this function every time a new instruction is encountered void Trace(TRACE trace , void *v) { for(BBL bbl= TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)){ for( INS ins = BBL_InsHead(bbl); INS_Valid(ins) ; ins =INS_Next(ins)){ oepf.IsCurrentInOEP(ins); } } }
VOID Trace(TRACE trace, VOID *v) { const INS beginIns = BBL_InsHead(TRACE_BblHead(trace)); const INS endIns = BBL_InsTail(TRACE_BblTail(trace)); const ADDRINT beginAddr = INS_Address(beginIns); const ADDRINT endAddr = INS_Address(endIns) + INS_Size(endIns) - 1; sandbox.CheckAddressRange(reinterpret_cast<const char *>(beginAddr), reinterpret_cast<const char *>(endAddr)); }
/*! * Insert call to the CountBbl() analysis routine before every basic block * of the trace. * This function is called every time a new trace is encountered. * @param[in] trace trace to be instrumented * @param[in] v value specified by the tool in the TRACE_AddInstrumentFunction * function call */ VOID Trace(TRACE trace, VOID *v) { // Visit every basic block in the trace for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { // Insert a call to CountBbl() before every basic bloc, passing the number of instructions BBL_InsertCall(bbl, IPOINT_BEFORE, (AFUNPTR)CountBbl, IARG_UINT32, BBL_NumIns(bbl), IARG_END); } }
static void instrument_trace(TRACE trace, VOID *v) { sse_aligner_t* pthis = static_cast<sse_aligner_t*>(v); bool is_read = false; for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) if (check_for_sse_memop(ins, is_read, pthis)) rewrite_instruction(ins, is_read, pthis); }
VOID Trace(TRACE trace, VOID *v) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) BBL_InsertCall(bbl, IPOINT_ANYWHERE, AFUNPTR(Count), IARG_FAST_ANALYSIS_CALL, IARG_THREAD_ID, IARG_UINT32, BBL_NumIns(bbl), IARG_END); }
VOID Trace(TRACE trace, VOID *v) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { RewriteIns(ins); } } }
VOID Trace(TRACE trace, VOID *v) { // Instrument only at the head of the trace BBL bbl = TRACE_BblHead(trace); if (BBL_Valid(bbl)) { INS_InsertCall(BBL_InsHead(bbl), IPOINT_BEFORE, (AFUNPTR)docount, IARG_UINT32, 1, IARG_END); } for (bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { ASSERTX(INS_Size(ins) != 0); } } }
void Trace(TRACE trace, void *v) { // for each bbl in the application trace... for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { // args: bbl=bbl, IPOINT_BEFORE=insert before bbl, checkBBL=ptr to function to insert, // IARG_PTR=function argument type, BBL_Address(bbl)=function argument, IARG_END=end of arguement marker BBL_InsertCall(bbl, IPOINT_BEFORE, (AFUNPTR)checkBBL, IARG_PTR, BBL_Address(bbl), IARG_END); } }
VOID TraceInserted(TRACE trace, VOID *) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { cacheInstructions++; } } }
static VOID Trace(TRACE trace, VOID *v) { RTN rtn = TRACE_Rtn(trace); ADDRINT version = TRACE_Version(trace); // If we are not in watch_rtn, switch back to base version if (!RTN_Valid(rtn) || RTN_Name(rtn) != watch_rtn) { if (version != VERSION_BASE) BBL_SetTargetVersion(TRACE_BblHead(trace), VERSION_BASE); return; } INS ins = BBL_InsHead(TRACE_BblHead(trace)); for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { // Instrumentation depends on version // These instrumentations occur after the following version instrumentation // (i.e. the instrumentation inserted by the below INS_InsertVersionCase calls // from within the image load callback - because image load callback // instrumentation occurs before trace and before instruction callback instrumentation switch(version) { case VERSION_BASE: INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Emit), IARG_PTR, "version base", IARG_END); break; case VERSION_1: INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Emit), IARG_PTR, "version 1", IARG_END); break; case VERSION_2: INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Emit), IARG_PTR, "version 2", IARG_END); break; default: assert(0); break; } } }
// Pin calls this function every time a new basic block is encountered. // It inserts a call to docount. VOID Trace(TRACE trace, VOID *v) { // Visit every basic block in the trace for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { // Insert a call to docount for every bbl, passing the number of instructions. BBL_InsertCall(bbl, IPOINT_ANYWHERE, (AFUNPTR)docount, IARG_FAST_ANALYSIS_CALL, IARG_UINT32, BBL_NumIns(bbl), IARG_THREAD_ID, IARG_END); } }
// Pin calls this function every time a new basic block is encountered // It inserts a call to docount VOID Trace(TRACE trace, VOID *v) { // Visit every basic block in the trace for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { // Insert a call to docount for every bbl, passing the number of instructions. // IPOINT_ANYWHERE allows Pin to schedule the call anywhere in the bbl to obtain best performance. // Use a fast linkage for the call. BBL_InsertCall(bbl, IPOINT_ANYWHERE, AFUNPTR(docount), IARG_FAST_ANALYSIS_CALL, IARG_UINT32, BBL_NumIns(bbl), IARG_END); } }
VOID Trace(TRACE trace, VOID *v) { if (first) { BBL_InsertCall(TRACE_BblHead(trace), IPOINT_BEFORE, AFUNPTR(GetConsts), IARG_FAST_ANALYSIS_CALL, IARG_UINT32, val2, IARG_ADDRINT, val3, IARG_END); first = FALSE; } }
static VOID Trace(TRACE trace, VOID *v) { RTN rtn = TRACE_Rtn(trace); if (!RTN_Valid(rtn) || RTN_Name(rtn) != watch_rtn) { return; } if (TRACE_Address(trace) == RTN_Address(rtn)) { TRACE_InsertCall(trace, IPOINT_BEFORE, AFUNPTR(Emit), IARG_PTR, "Trace instrumentation", IARG_CALL_ORDER, CALL_ORDER_FIRST+2, IARG_END); BBL_InsertCall(TRACE_BblHead(trace), IPOINT_BEFORE, AFUNPTR(Emit), IARG_PTR, "Trace_BBL instrumentation", IARG_CALL_ORDER, CALL_ORDER_FIRST+2, IARG_END); INS_InsertCall(BBL_InsHead(TRACE_BblHead(trace)), IPOINT_BEFORE, AFUNPTR(Emit), IARG_PTR, "Trace_INS instrumentation", IARG_CALL_ORDER, CALL_ORDER_FIRST+2, IARG_END); printf("Trace Instrumenting %s\n", watch_rtn, reinterpret_cast<void *>(RTN_Address(rtn))); } }
VOID DumpTrace(CHAR * message, TRACE trace) { fprintf(stderr,"\n%s:\n",message); for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { fprintf(stderr,"%p %s\n",(void*)INS_Address(ins),INS_Disassemble(ins).c_str()); } } }
/* * trace inspection (instrumentation function) * * traverse the basic blocks (BBLs) on the trace and * inspect every instruction for instrumenting it * accordingly * * @trace: instructions trace; given by PIN * @v: callback value */ static void trace_inspect(TRACE trace, VOID *v) { /* iterators */ BBL bbl; INS ins; xed_iclass_enum_t ins_indx; /* versioning support */ ADDRINT version, version_mask = (ADDRINT)v; if (version_mask) { /* * ignore code cache versions that we * are not supposed to instrument */ version = TRACE_Version(trace); if ((version & version_mask) == 0) return; } /* traverse all the BBLs in the trace */ for (bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { /* traverse all the instructions in the BBL */ for (ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { /* * use XED to decode the instruction and * extract its opcode */ ins_indx = (xed_iclass_enum_t)INS_Opcode(ins); /* * invoke the pre-ins instrumentation callback */ if (ins_desc[ins_indx].pre != NULL) ins_desc[ins_indx].pre(ins); /* * analyze the instruction (default handler) */ if (ins_desc[ins_indx].dflact == INSDFL_ENABLE) ins_inspect(ins); /* * invoke the post-ins instrumentation callback */ if (ins_desc[ins_indx].post != NULL) ins_desc[ins_indx].post(ins); } } }
VOID Trace(TRACE trace, VOID *v) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { BasicBlockTrace(trace, bbl); for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { CallTrace(trace, ins); MemoryTrace(trace, ins); } } }