Added some more #ifdef BPATCH_LIBRARYs to eliminate some Dyninst API

[dyninst.git] / dyninstAPI / src / inst-x86.C

/*
 * Copyright (c) 1996 Barton P. Miller
 * 
 * We provide the Paradyn Parallel Performance Tools (below
 * described as Paradyn") on an AS IS basis, and do not warrant its
 * validity or performance.  We reserve the right to update, modify,
 * or discontinue this software at any time.  We shall have no
 * obligation to supply such updates or modifications or any other
 * form of support to you.
 * 
 * This license is for research uses.  For such uses, there is no
 * charge. We define "research use" to mean you may freely use it
 * inside your organization for whatever purposes you see fit. But you
 * may not re-distribute Paradyn or parts of Paradyn, in any form
 * source or binary (including derivatives), electronic or otherwise,
 * to any other organization or entity without our permission.
 * 
 * (for other uses, please contact us at paradyn@cs.wisc.edu)
 * 
 * All warranties, including without limitation, any warranty of
 * merchantability or fitness for a particular purpose, are hereby
 * excluded.
 * 
 * By your use of Paradyn, you understand and agree that we (or any
 * other person or entity with proprietary rights in Paradyn) are
 * under no obligation to provide either maintenance services,
 * update services, notices of latent defects, or correction of
 * defects for Paradyn.
 * 
 * Even if advised of the possibility of such damages, under no
 * circumstances shall we (or any other person or entity with
 * proprietary rights in the software licensed hereunder) be liable
 * to you or any third party for direct, indirect, or consequential
 * damages of any character regardless of type of action, including,
 * without limitation, loss of profits, loss of use, loss of good
 * will, or computer failure or malfunction.  You agree to indemnify
 * us (and any other person or entity with proprietary rights in the
 * software licensed hereunder) for any and all liability it may
 * incur to third parties resulting from your use of Paradyn.
 */

/*
 * inst-x86.C - x86 dependent functions and code generator
 *
 * $Log: inst-x86.C,v $
 * Revision 1.27  1997/09/28 22:22:31  buck
 * Added some more #ifdef BPATCH_LIBRARYs to eliminate some Dyninst API
 * library dependencies on files in rtinst.
 *
 * Revision 1.26  1997/08/19 19:50:38  naim
 * Adding support to dynamically link libdyninstRT by using dlopen on sparc-
 * solaris - naim
 *
 * Revision 1.25  1997/08/18 01:34:23  buck
 * Ported the Dyninst API to Windows NT.
 *
 * Revision 1.1.1.5  1997/07/08 20:02:44  buck
 * Bring latest changes from Wisconsin over to Maryland repository.
 *
 * Revision 1.24  1997/07/08 19:15:13  buck
 * Added support for the x86 Solaris platform and dynamically linked
 * executables to the dyninst API library.
 *
 * Revision 1.23  1997/06/23 17:09:29  tamches
 * include of instPoint.h is new
 *
 * Revision 1.22  1997/06/14 18:27:48  ssuen
 * Moved class instPoint from inst-x86.C to inst-x86.h and added/moved the following
 * standard definitions to the public section
 *
 *   Address addr_;
 *   pd_Function *func_;
 *   pd_Function *callee_;
 *
 *   function_base *iPgetFunction() const { ... }
 *   function_base *iPgetCallee()   const { ... }
 *   const image   *iPgetOwner()    const { ... }
 *   Address        iPgetAddress()  const { ... }
 *
 * Revision 1.21  1997/06/06 18:27:15  mjrg
 * Changed checkCallPoints to keep calls to shared object functions in the
 * list of calls for a function
 *
 * Revision 1.20  1997/06/04 13:24:24  naim
 * Removing debugging info - naim
 *
 * Revision 1.19  1997/05/23 23:01:26  mjrg
 * Windows NT port
 * bug fix to inst-x86.C
 *
 * Revision 1.18  1997/05/16 22:02:27  mjrg
 * Fixed problem with instrumentation of conditional jumps
 *
 * Revision 1.17  1997/05/07 19:03:12  naim
 * Getting rid of old support for threads and turning it off until the new
 * version is finished. Additionally, new superTable, baseTable and superVector
 * classes for future support of multiple threads. The fastInferiorHeap class has
 * also changed - naim
 *
 * Revision 1.16  1997/05/02 18:25:36  mjrg
 * Changes for allowing different main functions on different platforms
 *
 * Revision 1.15  1997/04/29 23:16:02  mjrg
 * Changes for WindowsNT port
 * Delayed check for DYNINST symbols to allow linking libdyninst dynamically
 * Changed way paradyn and paradynd generate resource ids
 * Changes to instPoint class in inst-x86.C to reduce size of objects
 * Added initialization for process->threads to fork and attach constructors
 *
 * Revision 1.14  1997/04/14 00:22:07  newhall
 * removed class pdFunction and replaced it with base class function_base and
 * derived class pd_Function
 *
 * Revision 1.13  1997/02/26 23:42:52  mjrg
 * First part on WindowsNT port: changes for compiling with Visual C++;
 * moved unix specific code to unix.C
 *
 * Revision 1.12  1997/02/21 20:13:38  naim
 * Moving files from paradynd to dyninstAPI + moving references to dataReqNode
 * out of the ast class. The is the first pre-dyninstAPI commit! - naim
 *
 * Revision 1.11  1997/02/03 17:20:55  lzheng
 * Changes made for combining the long jump and short jump on solaris platform
 *
 * Revision 1.10  1997/01/30 18:19:27  tamches
 * emitInferiorRPCtrailer revamped; can now stop to read the result value of
 * an inferiorRPC
 *
 * Revision 1.9  1997/01/27 19:40:57  naim
 * Part of the base instrumentation for supporting multithreaded applications
 * (vectors of counter/timers) implemented for all current platforms +
 * different bug fixes - naim
 *
 * Revision 1.8  1997/01/21 23:58:53  mjrg
 * Moved allocation of virtual registers to basetramp and fix to
 * emitInferiorRPCheader to allocate virtual registers
 *
 * Revision 1.7  1997/01/21 00:27:58  tamches
 * removed uses of DYNINSTglobalData
 *
 * Revision 1.6  1996/11/26 16:08:08  naim
 * Fixing asserts - naim
 *
 * Revision 1.5  1996/11/19 16:28:04  newhall
 * Fix to stack walking on Solaris: find leaf functions in stack (these can occur
 * on top of stack or in middle of stack if the signal handler is on the stack)
 * Fix to relocated functions: new instrumentation points are kept on a per
 * process basis.  Cleaned up some of the code.
 *
 * Revision 1.4  1996/11/14 14:27:09  naim
 * Changing AstNodes back to pointers to improve performance - naim
 *
 * Revision 1.3  1996/11/12 17:48:28  mjrg
 * Moved the computation of cost to the basetramp in the x86 platform,
 * and changed other platform to keep code consistent.
 * Removed warnings, and made changes for compiling with Visual C++
 *
 * Revision 1.2  1996/10/31 08:51:09  tamches
 * the shm-sampling commit; routines to implement inferiorRPC; removed some
 * warnings; added noCost param to some fns.
 *
 * Revision 1.1  1996/10/18 23:54:14  mjrg
 * Solaris/X86 port
 *
 *
 *
 */

#include <limits.h>
#include "util/h/headers.h"

#ifndef BPATCH_LIBRARY
#include "rtinst/h/rtinst.h"
#endif
#include "dyninstAPI/src/symtab.h"
#include "dyninstAPI/src/process.h"
#include "dyninstAPI/src/inst.h"
#include "dyninstAPI/src/instP.h"
#include "dyninstAPI/src/ast.h"
#include "dyninstAPI/src/util.h"
#include "dyninstAPI/src/stats.h"
#include "dyninstAPI/src/os.h"
#include "paradynd/src/showerror.h"

#include "dyninstAPI/src/arch-x86.h"
#include "dyninstAPI/src/inst-x86.h"
#include "dyninstAPI/src/instPoint.h" // includes instPoint-x86.h
#include "dyninstAPI/src/instP.h" // class returnInstance

extern bool isPowerOf2(int value, int &result);

// The general machine registers. 
// These values are taken from the Pentium manual and CANNOT be changed.
#define EAX (0)
#define ECX (1)
#define EDX (2)
#define EBX (3)
#define ESP (4)
#define EBP (5)
#define ESI (6)
#define EDI (7)

// Size of a jump rel32 instruction
#define JUMP_REL32_SZ (5)
#define JUMP_SZ (5)
// Size of a call rel32 instruction
#define CALL_REL32_SZ (5)

#define PUSH_RM_OPC1 (0xFF)
#define PUSH_RM_OPC2 (6)
#define CALL_RM_OPC1 (0xFF)
#define CALL_RM_OPC2 (2)
#define PUSH_EBP (0x50+EBP)
#define SUB_REG_IMM32 (5)
#define LEAVE (0xC9)

/*
   Function arguments are in the stack and are addressed with a displacement
   from EBP. EBP points to the saved EBP, EBP+4 is the saved return address,
   EBP+8 is the first parameter.
   TODO: what about far calls?
 */

#define PARAM_OFFSET (8)


// number of virtual registers
#define NUM_VIRTUAL_REGISTERS (32)

// offset from EBP of the saved EAX for a tramp
#define SAVED_EAX_OFFSET (-NUM_VIRTUAL_REGISTERS*4-4)




/*
   checkInstructions: check that there are no known jumps to the instructions
   before and after the point.
*/
void instPoint::checkInstructions() {
  unsigned currAddr = addr_;
  unsigned OKinsns = 0;

  // if jumpAddr_ is not zero, this point has been checked already
  if (jumpAddr_) 
    return;

  unsigned tSize;
  unsigned maxSize = JUMP_SZ;
  if (address() == func()->getAddress(0)) // entry point
    maxSize = 2*JUMP_SZ;
  tSize = insnAtPoint_.size();

  if (!owner()->isJumpTarget(currAddr)) {
    // check instructions before point
    unsigned insnsBefore_ = insnsBefore();
    for (unsigned u = 0; u < insnsBefore_; u++) {
      OKinsns++;
      tSize += (*insnBeforePt_)[u].size();
      currAddr -= (*insnBeforePt_)[u].size();
      if (owner()->isJumpTarget(currAddr)) {
        // must remove instruction from point
        // fprintf(stderr, "check instructions point %x, jmp to %x\n", addr,currAddr);
        break;
      }
    }
  }
  if (insnBeforePt_)
    (*insnBeforePt_).resize(OKinsns);

  // this is the address where we insert the jump
  jumpAddr_ = currAddr;

  // check instructions after point
  currAddr = addr_ + insnAtPoint_.size();
  OKinsns = 0;
  unsigned insnsAfter_ = insnsAfter();
  for (unsigned u = 0; tSize < maxSize && u < insnsAfter_; u++) {
    if (owner()->isJumpTarget(currAddr))
      break;
    OKinsns++;
    unsigned size = (*insnAfterPt_)[u].size();
    currAddr += size;
    tSize += size;
  }
  if (insnAfterPt_)
    (*insnAfterPt_).resize(OKinsns);
  
#ifdef notdef
  if (tSize < maxSize) {
    tSize = insnAtPoint_.size();
    jumpAddr_ = addr_;
    if (insnBeforePt_) (*insnBeforePt_).resize(0);
    if (insnAfterPt_) (*insnAfterPt_).resize(0);
  }
#endif
}


/**************************************************************
 *
 *  machine dependent methods of pdFunction
 *
 **************************************************************/

// Determine if the called function is a "library" function or a "user" function
// This cannot be done until all of the functions have been seen, verified, and
// classified
//
void pd_Function::checkCallPoints() {
  unsigned int i;
  instPoint *p;
  Address loc_addr;

  vector<instPoint*> non_lib;

  for (i=0; i<calls.size(); ++i) {
    /* check to see where we are calling */
    p = calls[i];
    assert(p);

    if (!p->insnAtPoint().isCallIndir()) {
      loc_addr = p->insnAtPoint().getTarget(p->address());
      file()->exec()->addJumpTarget(loc_addr);
      pd_Function *pdf = (file_->exec())->findFunction(loc_addr);

      if (pdf && !pdf->isLibTag()) {
        p->set_callee(pdf);
        non_lib += p;
      } else if(!pdf){
           // if this is a call outside the fuction, keep it
           if((loc_addr < getAddress(0))||(loc_addr > (getAddress(0)+size()))){
                non_lib += p;
           }
           else {
               delete p;
           }
      } else {
          delete p;
        }
    } else {
      // Indirect call -- be conservative, assume it is a call to
      // an unnamed user function
      //assert(!p->callee());
      p->set_callee(NULL);
      non_lib += p;
    }
  }
  calls = non_lib;

}

// this function is not needed
Address pd_Function::newCallPoint(Address, const instruction,
                                 const image *, bool &)
{ assert(0); return 0; }


// see if we can recognize a jump table and skip it
// return the size of the table in tableSz.
bool checkJumpTable(image *im, instruction insn, Address addr, 
                    Address funcBegin, 
                    Address &funcEnd,
                    unsigned &tableSz) {

  const unsigned char *instr = insn.ptr();
  tableSz = 0;
  /*
     the instruction usually used for jump tables is 
       jmp dword ptr [REG*4 + ADDR]
     where ADDR is an immediate following the SIB byte.
     The opcode is 0xFF and the MOD/RM byte is 0x24. 
     The SS field (bits 7 and 6) of SIB is 2, and the
     base ( bits 2, 1, 0) is 5. The index bits (5,4,3) 
     select the register.
  */
  if (instr[0] == 0xFF && instr[1] == 0x24 &&
      ((instr[2] & 0xC0)>>6) == 2 && (instr[2] & 0x7) == 5) {
    const unsigned tableBase = *(const int *)(instr+3);
    //fprintf(stderr, "Found jump table at %x %x\n",addr, tableBase);
    // check if the table is right after the jump and inside the current function
    if (tableBase > funcBegin && tableBase < funcEnd) {
      // table is within function code
      if (tableBase < addr+insn.size()) {
        fprintf(stderr, "bad indirect jump at %x\n", addr);
        return false;
      } else if (tableBase > addr+insn.size()) {
        // jump table may be at the end of the function code - adjust funcEnd
        funcEnd = tableBase;
        return true;
      }
      // skip the jump table
      for (const unsigned *ptr = (unsigned *)tableBase; 
           *ptr >= funcBegin && *ptr <= funcEnd; ptr++) {
        //fprintf(stderr, " jump table entry = %x\n", *(unsigned *)ptr);
        tableSz += sizeof(int);
      }
    }
    else {
      const unsigned char *ptr = im->getPtrToInstruction(tableBase);
      for ( ; *(const unsigned *)ptr >= funcBegin && *(const unsigned *)ptr <= funcEnd; 
           ptr += sizeof(unsigned)) {
        //fprintf(stderr, " jump table entry = %x\n", *(unsigned *)ptr);
      }
    }
  }
  return true;
}


/* auxiliary data structures for function findInstPoints */
enum { EntryPt, CallPt, ReturnPt };
class point_ {
  public:
     point_(): point(0), index(0), type(0) {};
     point_(instPoint *p, unsigned i, unsigned t): point(p), index(i), type(t) {};
     instPoint *point;
     unsigned index;
     unsigned type;
};


bool pd_Function::findInstPoints(const image *i_owner) {
   // sorry this this hack, but this routine can modify the image passed in,
   // which doesn't occur on other platforms --ari
   image *owner = (image *)i_owner; // const cast

   if (size() == 0) {
     //fprintf(stderr,"Function %s, size = %d\n", prettyName().string_of(), size());
     return false;
   }

// XXXXX kludge: these functions are called by DYNINSTgetCPUtime, 
// they can't be instrumented or we would have an infinite loop
if (prettyName() == "gethrvtime" || prettyName() == "_divdi3"
    || prettyName() == "GetProcessTimes")
  return false;

   point_ *points = new point_[size()];
   //point_ *points = (point_ *)alloca(size()*sizeof(point));
   unsigned npoints = 0;

   const unsigned char *instr = (const unsigned char *)owner->getPtrToInstruction(getAddress(0));
   Address adr = getAddress(0);
   unsigned numInsns = 0;

   instruction insn;
   unsigned insnSize;

   // keep a buffer with all the instructions in this function
   instruction *allInstr = new instruction[size()+5];
   //instruction *allInstr = (instruction *)alloca((size()+5)*sizeof(instruction));

   // define the entry point
   insnSize = insn.getNextInstruction(instr);
   instPoint *p = new instPoint(this, owner, adr, insn);
   funcEntry_ = p;
   points[npoints++] = point_(p, numInsns, EntryPt);

   // check if the entry point contains another point
   if (insn.isJumpDir()) {
     Address target = insn.getTarget(adr);
     owner->addJumpTarget(target);
     if (target < getAddress(0) || target >= getAddress(0) + size()) {
       // jump out of function
       // this is an empty function
       delete points;
       delete allInstr;
       return false;
     }
   } else if (insn.isReturn()) {
     // this is an empty function
     delete points;
     delete allInstr;
     return false;
   } else if (insn.isCall()) {
     // TODO: handle calls at entry point
     // call at entry point
     //instPoint *p = new instPoint(this, owner, adr, insn);
     //calls += p;
     //points[npoints++] = point_(p, numInsns, CallPt);
     //fprintf(stderr,"Function %s, call at entry point\n", prettyName().string_of());
     delete points;
     delete allInstr;
     return false;
   }

   allInstr[numInsns] = insn;
   numInsns++;
   instr += insnSize;
   adr += insnSize;

   // get all the instructions for this function, and define the instrumentation
   // points. For now, we only add one instruction to each point.
   // Additional instructions, for the points that need them, will be added later.

   Address funcEnd = getAddress(0) + size();
   for ( ; adr < funcEnd; instr += insnSize, adr += insnSize) {
     insnSize = insn.getNextInstruction(instr);
     assert(insnSize > 0);

     if (adr + insnSize > funcEnd) {
       break;
     }

     if (insn.isJumpIndir()) {
       unsigned jumpTableSz;
       // check for jump table. This may update funcEnd
       if (!checkJumpTable(owner, insn, adr, getAddress(0), funcEnd, jumpTableSz)) {
         delete points;
         delete allInstr;
         //fprintf(stderr,"Function %s, size = %d, bad jump table\n", 
         //          prettyName().string_of(), size());
         return false;
       }
       // process the jump instruction
       allInstr[numInsns] = insn;
       numInsns++;

       if (jumpTableSz > 0) {
         // skip the jump table
         // insert an illegal instruction with the size of the jump table
         insn = instruction(instr, ILLEGAL, jumpTableSz);
       }

     } else if (insn.isJumpDir()) {
       // check for jumps out of this function
       Address target = insn.getTarget(adr);
       owner->addJumpTarget(target);
       if (target < getAddress(0) || target >= getAddress(0) + size()) {
         // jump out of function
         instPoint *p = new instPoint(this, owner, adr, insn);
         funcReturns += p;
         points[npoints++] = point_(p, numInsns, ReturnPt);
       } 
     } else if (insn.isReturn()) {
       instPoint *p = new instPoint(this, owner, adr, insn);
       funcReturns += p;
       points[npoints++] = point_(p, numInsns, ReturnPt);

     } else if (insn.isCall()) {
       // calls to adr+5 are not really calls, they are used in dynamically linked
       // libraries to get the address of the code.
       // We skip them here.
       if (insn.getTarget(adr) != adr + 5) {
         instPoint *p = new instPoint(this, owner, adr, insn);
         calls += p;
         points[npoints++] = point_(p, numInsns, CallPt);
       }
     }

     allInstr[numInsns] = insn;
     numInsns++;
     assert(npoints < size());
     assert(numInsns <= size());
   }

   unsigned u;
   // there are often nops after the end of the function. We get them here,
   // since they may be usefull to instrument the return point
   for (u = 0; u < 4; u++) {
     if (owner->isValidAddress(adr)) {
       insnSize = insn.getNextInstruction(instr);
       if (insn.isNop()) {
         allInstr[numInsns] = insn;
         numInsns++;
         assert(numInsns < size()+5);
         instr += insnSize;
         adr += insnSize;
       }
       else
         break;
     }
   }


   // add extra instructions to the points that need it.
   unsigned lastPointEnd = 0;
   unsigned thisPointEnd = 0;
   for (u = 0; u < npoints; u++) {
     instPoint *p = points[u].point;
     unsigned index = points[u].index;
     unsigned type = points[u].type;
     lastPointEnd = thisPointEnd;
     thisPointEnd = index;

     // add instructions before the point
     unsigned size = p->size();
     for (int u1 = index-1; size < JUMP_SZ && u1 >= 0 && u1 > (int)lastPointEnd; u1--) {
       if (!allInstr[u1].isCall()) {
         p->addInstrBeforePt(allInstr[u1]);
         size += allInstr[u1].size();
       } else
         break;
     }

     lastPointEnd = index;
     // add instructions after the point
     if (type == ReturnPt) {
       // normally, we would not add instructions after the return, but the 
       // compilers often add nops after the return, and we can use them if necessary
       for (unsigned u1 = index+1; u1 < index+JUMP_SZ-1 && u1 < numInsns; u1++) {
         if (allInstr[u1].isNop() || *(allInstr[u1].ptr()) == 0xCC) {
           p->addInstrAfterPt(allInstr[u1]);
           thisPointEnd = u1;
         }
         else 
           break;
       }
     } else {
       size = p->size();
       unsigned maxSize = JUMP_SZ;
       if (type == EntryPt) maxSize = 2*JUMP_SZ;
       for (unsigned u1 = index+1; size < maxSize && u1 <= numInsns; u1++) {
         if (u+1 < npoints && points[u+1].index > u1 && !allInstr[u1].isCall()) {
           p->addInstrAfterPt(allInstr[u1]);
           size += allInstr[u1].size();
           thisPointEnd = u1;
         }
         else 
           break;
       }
     }
   }

   delete points;
   delete allInstr;

   return true;
}


/*
 * Given an instruction, relocate it to a new address, patching up
 *   any relative addressing that is present.
 * The instruction may need to be replaced with a different size instruction
 * or with multiple instructions.
 * Return the size of the new instruction(s)
 */
unsigned relocateInstruction(instruction insn,
                         int origAddr, int newAddr,
                         unsigned char *&newInsn)
{
  /* 
     Relative address instructions need to be modified. The relative address
     can be a 8, 16, or 32-byte displacement relative to the next instruction.
     Since we are relocating the instruction to a different area, we have
     to replace 8 and 16-byte displacements with 32-byte displacements.

     All relative address instructions are one or two-byte opcode followed
     by a displacement relative to the next instruction:

       CALL rel16 / CALL rel32
       Jcc rel8 / Jcc rel16 / Jcc rel32
       JMP rel8 / JMP rel16 / JMP rel32

     The only two-byte opcode instructions are the Jcc rel16/rel32,
     all others have one byte opcode.

     The instruction JCXZ/JECXZ rel8 does not have an equivalent with rel32
     displacement. We must generate code to emulate this instruction:
     
       JCXZ rel8

     becomes

       A0: JCXZ 2 (jump to A4)
       A2: JMP 5  (jump to A9)
       A4: JMP rel32 (relocated displacement)
       A9: ...

  */

  const unsigned char *origInsn = insn.ptr();
  unsigned insnType = insn.type();
  unsigned insnSz = insn.size();
  unsigned char *first = newInsn;

  int oldDisp;
  int newDisp;

  if (insnType & REL_B) {
    /* replace with rel32 instruction, opcode is one byte. */
    if (*origInsn == JCXZ) {
      oldDisp = (int)*(const char *)(origInsn+1);
      newDisp = (origAddr + 2) + oldDisp - (newAddr + 9);
      *newInsn++ = *origInsn; *(newInsn++) = 2; // jcxz 2
      *newInsn++ = 0xEB; *newInsn++ = 5;        // jmp 5
      *newInsn++ = 0xE9;                        // jmp rel32
      *((int *)newInsn) = newDisp;
      newInsn += sizeof(int);
    }
    else {
      unsigned newSz;
      if (insnType & IS_JCC) {
        /* Change a Jcc rel8 to Jcc rel32. 
           Must generate a new opcode: a 0x0F followed by (old opcode + 16) */
        unsigned char opcode = *origInsn++;
        *newInsn++ = 0x0F;
        *newInsn++ = opcode + 0x10;
        newSz = 6;
      }
      else if (insnType & IS_JUMP) {
        /* change opcode to 0xE9 */
        origInsn++;
        *newInsn++ = 0xE9;
        newSz = 5;
      }
      oldDisp = (int)*(const char *)origInsn;
      newDisp = (origAddr + 2) + oldDisp - (newAddr + newSz);
      *((int *)newInsn) = newDisp;
      newInsn += sizeof(int);
    }
  }
  else if (insnType & REL_W) {
    /* Skip prefixes */
    if (insnType & PREFIX_OPR)
      origInsn++;
    if (insnType & PREFIX_SEG)
      origInsn++;
    /* opcode is unchanged, just relocate the displacement */
    if (*origInsn == (unsigned char)0x0F)
      *newInsn++ = *origInsn++;
    *newInsn++ = *origInsn++;
    oldDisp = *((const short *)origInsn);
    newDisp = (origAddr + 5) + oldDisp - (newAddr + 3);
    *((int *)newInsn) = newDisp;
    newInsn += sizeof(int);
  } else if (insnType & REL_D) {
    // Skip prefixes
    unsigned nPrefixes = 0;
    if (insnType & PREFIX_OPR)
      nPrefixes++;
    if (insnType & PREFIX_SEG)
      nPrefixes++;
    for (unsigned u = 0; u < nPrefixes; u++)
      *newInsn++ = *origInsn++;

    /* opcode is unchanged, just relocate the displacement */
    if (*origInsn == 0x0F)
      *newInsn++ = *origInsn++;
    *newInsn++ = *origInsn++;
    oldDisp = *((const int *)origInsn);
    newDisp = (origAddr + insnSz) + oldDisp - (newAddr + insnSz);
    *((int *)newInsn) = newDisp;
    newInsn += sizeof(int);
  }
  else {
    /* instruction is unchanged */
    for (unsigned u = 0; u < insnSz; u++)
      *newInsn++ = *origInsn++;
  }

  return (newInsn - first);
}


/*
 * Relocate a conditional jump and change the target to newTarget.
 * The new target must be within 128 bytes from the new address
 * Size of instruction is unchanged.
 * Returns the old target
 */
unsigned changeConditionalJump(instruction insn,
                         int origAddr, int newAddr, int newTargetAddr,
                         unsigned char *&newInsn)
{

  const unsigned char *origInsn = insn.ptr();
  unsigned insnType = insn.type();
  unsigned insnSz = insn.size();

  int oldDisp;
  int newDisp;

  if (insnType & REL_B) {
    /* one byte opcode followed by displacement */
    /* opcode is unchanged */
    assert(insnSz==2);
    *newInsn++ = *origInsn++;
    oldDisp = (int)*(const char *)origInsn;
    newDisp = newTargetAddr - (newAddr + insnSz);
    *newInsn++ = (char)newDisp;
  }
  else if (insnType & REL_W) {
    /* Skip prefixes */
    if (insnType & PREFIX_OPR)
      *newInsn++ = *origInsn++;
    if (insnType & PREFIX_SEG)
      *newInsn++ = *origInsn++;

    assert(*origInsn==0x0F);
    *newInsn++ = *origInsn++; // copy the 0x0F
    *newInsn++ = *origInsn++; // second opcode byte

    oldDisp = *((const short *)origInsn);
    newDisp = newTargetAddr - (newAddr + insnSz);
    *((short *)newInsn) = (short)newDisp;
    newInsn += sizeof(short);
  }
  else if (insnType & REL_D) {
    // Skip prefixes
    if (insnType & PREFIX_OPR)
      *newInsn++ = *origInsn++;
    if (insnType & PREFIX_SEG)
      *newInsn++ = *origInsn++;

    assert(*origInsn==0x0F);
    *newInsn++ = *origInsn++; // copy the 0x0F
    *newInsn++ = *origInsn++; // second opcode byte

    oldDisp = *((const int *)origInsn);
    newDisp = newTargetAddr - (newAddr + insnSz);
    *((int *)newInsn) = (int)newDisp;
    newInsn += sizeof(int);
  }

  return (origAddr+insnSz+oldDisp);
}



unsigned getRelocatedInstructionSz(instruction insn)
{
  const unsigned char *origInsn = insn.ptr();
  unsigned insnType = insn.type();
  unsigned insnSz = insn.size();

  if (insnType & REL_B) {
    if (*origInsn == JCXZ)
      return 9;
    else {
      if (insnType & IS_JCC)
        return 6;
      else if (insnType & IS_JUMP) {
        return 5;
      }
    }
  }
  else if (insnType & REL_W) {
    return insnSz + 2;
  }
  return insnSz;
}


registerSpace *regSpace;


bool registerSpace::readOnlyRegister(reg) {
  return false;
}

/*
   We don't use the machine registers to store temporaries,
   but "virtual registers" that are located on the stack.
   The stack frame for a tramp is:

     ebp->    saved ebp (4 bytes)
     ebp-4:   128-byte space for 32 virtual registers (32*4 bytes)
     ebp-132: saved registers (8*4 bytes)
     ebp-164: saved flags registers (4 bytes)

     The temporaries are assigned numbers from 1 so that it is easier
     to refer to them: -(reg*4)[ebp]. So the first reg is -4[ebp].

     We are using a fixed number of temporaries now (32), but we could 
     change to using an arbitrary number.

*/
int deadList[NUM_VIRTUAL_REGISTERS];
int deadListSize = sizeof(deadList);

void initTramps()
{
    static bool inited=false;

    if (inited) return;
    inited = true;

#if defined(SHM_SAMPLING) && defined(MT_THREAD)
    for (unsigned u = 0; u < NUM_VIRTUAL_REGISTERS-1; u++) {
#else
    for (unsigned u = 0; u < NUM_VIRTUAL_REGISTERS; u++) {
#endif
      deadList[u] = u+1;
    }

    regSpace = new registerSpace(sizeof(deadList)/sizeof(int), deadList,                                         0, NULL);
}


void emitJump(unsigned disp32, unsigned char *&insn);
void emitSimpleInsn(unsigned opcode, unsigned char *&insn);
void emitMovRegToReg(reg dest, reg src, unsigned char *&insn);
void emitAddMemImm32(Address dest, int imm, unsigned char *&insn);
void emitOpRegImm(int opcode, reg dest, int imm, unsigned char *&insn);
void emitMovRegToRM(reg base, int disp, reg src, unsigned char *&insn);
void emitMovRMToReg(reg dest, reg base, int disp, unsigned char *&insn);
void emitCallRel32(unsigned disp32, unsigned char *&insn);

void generateMTpreamble(char *insn, unsigned &base, process *proc)
{
  AstNode *t1,*t2,*t3,*t4,*t5;;
  vector<AstNode *> dummy;
  unsigned tableAddr;
  int value; 
  bool err;
  reg src = -1;

  /* t3=DYNINSTthreadTable[thr_self()] */
  t1 = new AstNode("DYNINSTthreadPos", dummy);
  value = sizeof(unsigned);
  t4 = new AstNode(AstNode::Constant,(void *)value);
  t2 = new AstNode(timesOp, t1, t4);
  removeAst(t1);
  removeAst(t4);

  tableAddr = proc->findInternalAddress("DYNINSTthreadTable",true,err);
  assert(!err);
  t5 = new AstNode(AstNode::Constant, (void *)tableAddr);
  t3 = new AstNode(plusOp, t2, t5);
  removeAst(t2);
  removeAst(t5);
  src = t3->generateCode(proc, regSpace, insn, base, false);
  removeAst(t3);
  // this instruction is different on every platform
  unsigned char *tmp_insn = (unsigned char *) (&insn[base]);
  emitMovRMToReg(EAX, EBP, -(src*4), tmp_insn);
  emitMovRegToRM(EBP, -(REG_MT*4), EAX, tmp_insn); 
  base += (unsigned)tmp_insn - (unsigned)(&insn[base]);
  regSpace->freeRegister(src);
}

/*
 * change the insn at addr to be a branch to newAddr.
 *   Used to add multiple tramps to a point.
 */
void generateBranch(process *proc, unsigned fromAddr, unsigned newAddr)
{
  unsigned char inst[JUMP_REL32_SZ+1];
  unsigned char *insn = inst;
  emitJump(newAddr - (fromAddr + JUMP_REL32_SZ), insn);
  proc->writeTextSpace((caddr_t)fromAddr, JUMP_REL32_SZ, (caddr_t)inst);
}


bool insertInTrampTable(process *proc, unsigned key, unsigned val) {
  unsigned u;

  // check for overflow of the tramp table. 
  // stop at 95% capacicty to ensure good performance
  if (proc->trampTableItems == (TRAMPTABLESZ - TRAMPTABLESZ/20))
    return false;
  proc->trampTableItems++;
  for (u = HASH1(key); proc->trampTable[u].key != 0; 
       u = (u + HASH2(key)) % TRAMPTABLESZ)
    ;
  proc->trampTable[u].key = key;
  proc->trampTable[u].val = val;

#if !defined(i386_unknown_nt4_0)
  bool err = false;
  Address addr = proc->findInternalAddress("DYNINSTtrampTable",true, err);
  assert(err==false);
  return proc->writeTextSpace((caddr_t)addr+u*sizeof(trampTableEntry),
                       sizeof(trampTableEntry),
                       (caddr_t)&(proc->trampTable[u]));
#else
  return true;
#endif
}

// generate a jump to a base tramp or a trap
// return the size of the instruction generated
unsigned generateBranchToTramp(process *proc, const instPoint *point, unsigned baseAddr, 
                           Address imageBaseAddr, unsigned char *insn) {
  if (point->size() < JUMP_REL32_SZ) {

    // the point is not big enough for a jump
    // First, check if we can use an indirection with the entry point
    // if that is not possible, we must use a trap
    // We get 10 bytes for the entry points, instead of the usual five,
    // so that we have space for an extra jump. We can then insert a
    // jump to the basetramp in the second slot of the base tramp
    // and use a short 2-byte jump from the point to the second jump.
    // We adopt the following rule: Only one point in the function
    // can use the indirect jump, and this is the first return point
    // with a size that is less than five bytes
    pd_Function *f = point->func();
    vector<instPoint *>fReturns = f->funcExits(proc);

    // first check if this point can use the extra slot in the entry point
    bool canUse = false;
    for (unsigned u = 0; u < fReturns.size(); u++) {
      if (fReturns[u] == point) {
        canUse = true;
        break;
      } else if (fReturns[u]->size() < JUMP_SZ)
        break;
    }
    if (canUse) {
      const instPoint *entry = f->funcEntry(proc);
      if (proc->baseMap.defines(entry) && entry->size() >= 2*JUMP_SZ) {
        assert(point->jumpAddr() > entry->address());
        // actual displacement needs to subtract size of instruction (2 bytes)
        int displacement = entry->address() + 5 - point->jumpAddr();
        assert(displacement < 0);
        if (point->size() >= 2 && (displacement-2) > SCHAR_MIN) {
          generateBranch(proc, entry->address()+5, baseAddr);
          *insn++ = 0xEB;
          *insn++ = (char)(displacement-2);
          return 2;
        }
      }
    }

    // must use trap
    //sprintf(errorLine, "Warning: unable to insert jump in function %s, address %x. Using trap\n",point->func()->prettyName().string_of(),point->address());
    //logLine(errorLine);

    if (!insertInTrampTable(proc, point->jumpAddr()+imageBaseAddr, baseAddr))
      return 0;

    *insn = 0xCC;
    return 1;
  } else {
    // replace instructions at point with jump to base tramp
    emitJump(baseAddr - (point->jumpAddr() + imageBaseAddr + JUMP_REL32_SZ), insn);
    return JUMP_REL32_SZ;
  }
}


/*
 * Install a base tramp, relocating the instructions at location
 * The pre and post jumps are filled with a 'jump 0'
 * Return a descriptor for the base tramp.
 *
 */

trampTemplate *installBaseTramp(const instPoint *&location, process *proc, bool noCost) 
{
   bool aflag;
/*
   The base tramp:
   addr   instruction             cost
   0:    <relocated instructions before point>
   a = size of relocated instructions before point
   a+0:   jmp a+30 <skip pre insn>  1
   a+5:   push ebp                  1
   a+6:   mov esp, ebp              1
   a+8:   subl esp, 0x80            1
   a+14:  pushad                    5
   a+15:  pushaf                    9
   a+16:  jmp <global pre inst>     1
   a+21:  jmp <local pre inst>      1
   a+26:  popaf                    14
   a+27:  popad                     5
   a+28:  leave                     3
   a+29:  add costAddr, cost        3
   a+39:  <relocated instructions at point>

   b = a +30 + size of relocated instructions at point
   b+0:   jmp b+30 <skip post insn>
   b+5:   push ebp
   b+6:   mov esp, ebp
   b+8:   subl esp, 0x80
   b+14:  pushad
   b+15:  pushaf
   b+16:  jmp <global post inst>
   b+21:  jmp <local post inst>
   b+26:  popaf
   b+27:  popad
   b+28:  leave
   b+29:  <relocated instructions after point>

   c:     jmp <return to user code>

   tramp size = 2*23 + 10 + 5 + size of relocated instructions
   Make sure to update the size if the tramp is changed

   cost of pre and post instrumentation is (1+1+1+5+9+1+1+15+5+3) = 42
   cost of rest of tramp is (1+3+1+1)

*/

  unsigned u;
  trampTemplate *ret = new trampTemplate;
  ret->trampTemp = 0;
  unsigned jccTarget = 0; // used when the instruction at the point is a cond. jump
  unsigned auxJumpOffset = 0;

  // check instructions at this point to find how many instructions 
  // we should relocate
  instPoint *temp = (instPoint *)location;
  temp->checkInstructions();

  // compute the tramp size
  // if there are any changes to the tramp, the size must be updated.
#if defined(SHM_SAMPLING) && defined(MT_THREAD)
  unsigned trampSize = 73+2*27;
#else
  unsigned trampSize = 73;
#endif
  for (u = 0; u < location->insnsBefore(); u++) {
    trampSize += getRelocatedInstructionSz(location->insnBeforePt(u));
  }
  if (location->insnAtPoint().type() & IS_JCC)
    trampSize += location->insnAtPoint().size() + 2 * JUMP_SZ;
  else
    trampSize += getRelocatedInstructionSz(location->insnAtPoint());
  for (u = 0; u < location->insnsAfter(); u++) {
    trampSize += getRelocatedInstructionSz(location->insnAfterPt(u));
  }

  Address imageBaseAddr;
  if (!proc->getBaseAddress(location->owner(), imageBaseAddr)) {
    abort();
  }

  Address costAddr = 0; // for now...
  if (!noCost) {
#ifdef SHM_SAMPLING
     costAddr = (Address)proc->getObsCostLowAddrInApplicSpace();
     assert(costAddr);
#else
     // get address of DYNINSTobsCostLow to update observed cost
     bool err = false;
     costAddr = proc->findInternalAddress("DYNINSTobsCostLow",
                                          true, err);
     assert(costAddr && !err);
#endif
  }

  ret->size = trampSize;
  unsigned baseAddr = inferiorMalloc(proc, trampSize, textHeap);
  ret->baseAddr = baseAddr;

  unsigned char *code = new unsigned char[2*trampSize];
  unsigned char *insn = code;
  unsigned currAddr = baseAddr;

  // get the current instruction that is being executed. If the PC is at a
  // instruction that is being relocated, we must change the PC.
  unsigned currentPC = proc->currentPC();

  // emulate the instructions before the point
  unsigned origAddr = location->jumpAddr() + imageBaseAddr;
  for (u = location->insnsBefore(); u > 0; ) {
    --u;
    if (currentPC == origAddr) {
      //fprintf(stderr, "changed PC: %x to %x\n", currentPC, currAddr);
      proc->setNewPC(currAddr);
    }

    unsigned newSize = relocateInstruction(location->insnBeforePt(u), origAddr, currAddr, insn);
    aflag=(newSize == getRelocatedInstructionSz(location->insnBeforePt(u)));
    assert(aflag);
    currAddr += newSize;
    origAddr += location->insnBeforePt(u).size();
  }


  /***
    If the instruction at the point is a conditional jump, we relocate it to
    the top of the base tramp, and change the code so that the tramp is executed
    only if the branch is taken.

    e.g.
     L1:  jne target
     L2:  ...

    becomes

          jne T1
          jmp T2
          jne
     T1:  ...

     T2:  relocated instructions after point

     then later at the base tramp, at the point where we relocate the instruction
     at the point, we insert a jump to target
  ***/
  if (location->insnAtPoint().type() & IS_JCC) {
     currAddr = baseAddr + (insn - code);
     assert(origAddr == location->address() + imageBaseAddr);
     origAddr = location->address() + imageBaseAddr;
     if (currentPC == origAddr) {
       //fprintf(stderr, "changed PC: %x to %x\n", currentPC, currAddr);
       proc->setNewPC(currAddr);
     }

     jccTarget = changeConditionalJump(location->insnAtPoint(), origAddr, currAddr,
                                       currAddr+location->insnAtPoint().size()+5, insn);
     currAddr += location->insnAtPoint().size();
     auxJumpOffset = insn-code;
     emitJump(0, insn);
     origAddr += location->insnAtPoint().size();
  }

  // pre branches
  // skip pre instrumentation
  ret->skipPreInsOffset = insn-code;
  emitJump(0, insn);

  // save registers and create a new stack frame for the tramp
  emitSimpleInsn(PUSH_EBP, insn);  // push ebp
  emitMovRegToReg(EBP, ESP, insn); // mov ebp, esp  (2-byte instruction)
  // allocate space for temporaries (virtual registers)
  emitOpRegImm(5, ESP, 128, insn); // sub esp, 128
  emitSimpleInsn(PUSHAD, insn);    // pushad
  emitSimpleInsn(PUSHFD, insn);    // pushfd

#if defined(SHM_SAMPLING) && defined(MT_THREAD)
  // generate preamble for MT version
  unsigned base=0;
  generateMTpreamble((char *)insn, base, proc);
  insn += base;
#endif

  // global pre branch
  ret->globalPreOffset = insn-code;
  emitJump(0, insn);

  // local pre branch
  ret->localPreOffset = insn-code;
  emitJump(0, insn);

  ret->localPreReturnOffset = insn-code;

  // restore registers
  emitSimpleInsn(POPFD, insn);     // popfd
  emitSimpleInsn(POPAD, insn);     // popad
  emitSimpleInsn(LEAVE, insn);     // leave

  // update cost
  // update cost -- a 10-byte instruction
  ret->updateCostOffset = insn-code;
  currAddr = baseAddr + (insn-code);
  ret->costAddr = currAddr;
  if (!noCost) {
     emitAddMemImm32(costAddr, 88, insn);  // add (costAddr), cost
  }
  else {
     // minor hack: we still need to fill up the rest of the 10 bytes, since
     // assumptions are made about the positioning of instructions that follow.
     // (This could in theory be fixed)
     // So, 10 NOP instructions (each 1 byte)
     for (unsigned foo=0; foo < 10; foo++)
        emitSimpleInsn(0x90, insn); // NOP
  }

   
  if (!(location->insnAtPoint().type() & IS_JCC)) {
    // emulate the instruction at the point 
    ret->emulateInsOffset = insn-code;
    currAddr = baseAddr + (insn - code);
    assert(origAddr == location->address() + imageBaseAddr);
    origAddr = location->address() + imageBaseAddr;
    if (currentPC == origAddr) {
      //fprintf(stderr, "changed PC: %x to %x\n", currentPC, currAddr);
      proc->setNewPC(currAddr);
    }

    unsigned newSize = relocateInstruction(location->insnAtPoint(), origAddr, currAddr, insn);
    aflag=(newSize == getRelocatedInstructionSz(location->insnAtPoint()));
    assert(aflag);
    currAddr += newSize;
    origAddr += location->insnAtPoint().size();
  } else {
    // instruction at point is a conditional jump. 
    // The instruction was relocated to the beggining of the tramp (see comments above)
    // We must generate a jump to the original target here
    assert(jccTarget > 0);
    currAddr = baseAddr + (insn - code);
    emitJump(jccTarget-(currAddr+JUMP_SZ), insn);
    currAddr += JUMP_SZ;
  }

  // post branches
  // skip post instrumentation
  ret->skipPostInsOffset = insn-code;
  emitJump(0, insn);


  // save registers and create a new stack frame for the tramp
  emitSimpleInsn(PUSH_EBP, insn);  // push ebp
  emitMovRegToReg(EBP, ESP, insn); // mov ebp, esp
  // allocate space for temporaries (virtual registers)
  emitOpRegImm(5, ESP, 128, insn); // sub esp, 128
  emitSimpleInsn(PUSHAD, insn);    // pushad
  emitSimpleInsn(PUSHFD, insn);    // pushfd

#if defined(SHM_SAMPLING) && defined(MT_THREAD)
  // generate preamble for MT version
  base=0;
  generateMTpreamble((char *)insn, base, proc);
  insn += base;
#endif

  // global post branch
  ret->globalPostOffset = insn-code; 
  emitJump(0, insn);

  // local post branch
  ret->localPostOffset = insn-code;
  emitJump(0, insn);

  ret->localPostReturnOffset = insn-code;

  // restore registers
  emitSimpleInsn(POPFD, insn);     // popfd
  emitSimpleInsn(POPAD, insn);     // popad
  emitSimpleInsn(LEAVE, insn);     // leave
  
  // emulate the instructions after the point
  ret->returnInsOffset = insn-code;
  currAddr = baseAddr + (insn - code);
  assert(origAddr == location->address() + imageBaseAddr + location->insnAtPoint().size());
  origAddr = location->address() + imageBaseAddr + location->insnAtPoint().size();
  for (u = 0; u < location->insnsAfter(); u++) {
    if (currentPC == origAddr) {
      //fprintf(stderr, "changed PC: %x to %x\n", currentPC, currAddr);
      proc->setNewPC(currAddr);
    }
    unsigned newSize = relocateInstruction(location->insnAfterPt(u), origAddr, currAddr, insn);
    aflag=(newSize == getRelocatedInstructionSz(location->insnAfterPt(u)));
    assert(aflag);
    currAddr += newSize;
    origAddr += location->insnAfterPt(u).size();
  }

  // return to user code
  currAddr = baseAddr + (insn - code);
  emitJump((location->returnAddr() + imageBaseAddr) - (currAddr+JUMP_SZ), insn);

  assert((unsigned)(insn-code) == trampSize);

  // update the jumps to skip pre and post instrumentation
  unsigned char *ip = code + ret->skipPreInsOffset;
  emitJump(ret->updateCostOffset - (ret->skipPreInsOffset+JUMP_SZ), ip);
  ip = code + ret->skipPostInsOffset;
  emitJump(ret->returnInsOffset - (ret->skipPostInsOffset+JUMP_SZ), ip);

  if (auxJumpOffset > 0) {
    ip = code + auxJumpOffset;
    emitJump(ret->returnInsOffset - (auxJumpOffset+JUMP_SZ), ip);
  }
  
  // put the tramp in the application space
  proc->writeDataSpace((caddr_t)baseAddr, insn-code, (caddr_t) code);

  free(code);

  ret->cost = 6;
  //
  // The cost for generateMTpreamble is 25 for pre and post instrumentation:
  // movl   $0x80570ec,%eax                1
  // call   *%ea                           5
  // movl   %eax,0xfffffffc(%ebp)          1
  // shll   $0x2,0xfffffffc(%ebp)         12
  // addl   $0x84ac670,0xfffffffc(%ebp)    4
  // movl   0xfffffffc(%ebp),%eax          1
  // movl   %eax,0xffffff80(%ebp)          1
  //
  ret->prevBaseCost = 42+25;
  ret->postBaseCost = 42+25;
  ret->prevInstru = false;
  ret->postInstru = false;
  return ret;
}


// This function is used to clear a jump from base to minitramps
// For the x86 platform, we generate a jump to the next instruction
void generateNoOp(process *proc, int addr) 
{
  static unsigned char jump0[5] = { 0xE9, 0, 0, 0, 0 };
  proc->writeDataSpace((caddr_t) addr, 5, (caddr_t)jump0);
}


trampTemplate *findAndInstallBaseTramp(process *proc, 
                                       instPoint *&location, 
                                       returnInstance *&retInstance,
                                       bool noCost)
{
    trampTemplate *ret;
    retInstance = NULL;

    if (!proc->baseMap.defines(location)) {
        ret = installBaseTramp(location, proc, noCost);
        proc->baseMap[location] = ret;
        // generate branch from instrumentation point to base tramp
        unsigned imageBaseAddr;
        if (!proc->getBaseAddress(location->owner(), imageBaseAddr))
          abort();
        unsigned char *insn = new unsigned char[JUMP_REL32_SZ];
        unsigned size = generateBranchToTramp(proc, location, (int)ret->baseAddr, 
                                              imageBaseAddr, insn);
        if (size == 0)
          return NULL;
        retInstance = new returnInstance(new instruction(insn, 0, size), size,
                                         location->jumpAddr() + imageBaseAddr, size);
    } else {
        ret = proc->baseMap[location];
    }
    return(ret);
}


/*
 * Install a single mini-tramp.
 *
 */
void installTramp(instInstance *inst, char *code, int codeSize) 
{
    totalMiniTramps++;
    //insnGenerated += codeSize/sizeof(int);
    (inst->proc)->writeDataSpace((caddr_t)inst->trampBase, codeSize, code);
    unsigned atAddr;
    if (inst->when == callPreInsn) {
        if (inst->baseInstance->prevInstru == false) {
            atAddr = inst->baseInstance->baseAddr+inst->baseInstance->skipPreInsOffset;
            inst->baseInstance->cost += inst->baseInstance->prevBaseCost;
            inst->baseInstance->prevInstru = true;
            generateNoOp(inst->proc, atAddr);
        }
    }
    else {
        if (inst->baseInstance->postInstru == false) {
            atAddr = inst->baseInstance->baseAddr+inst->baseInstance->skipPostInsOffset; 
            inst->baseInstance->cost += inst->baseInstance->postBaseCost;
            inst->baseInstance->postInstru = true;
            generateNoOp(inst->proc, atAddr);
        }
    }
}


/**************************************************************
 *
 *  code generator for x86
 *
 **************************************************************/




#define MAX_BRANCH      (0x1<<31)

unsigned getMaxBranch() {
  return (unsigned)MAX_BRANCH;
}


bool doNotOverflow(int)
{
  //
  // this should be changed by the correct code. If there isn't any case to
  // be checked here, then the function should return TRUE. If there isn't
  // any immediate code to be generated, then it should return FALSE - naim
  //
  // any int value can be an immediate on the pentium
  return(true);
}



/* build the MOD/RM byte of an instruction */
inline unsigned char makeModRMbyte(unsigned Mod, unsigned Reg, unsigned RM) {
  return ((Mod & 0x3) << 6) + ((Reg & 0x7) << 3) + (RM & 0x7);
}

/* 
   Emit the ModRM byte and displacement for addressing modes.
   base is a register (EAX, ECX, EDX, EBX, EBP, ESI, EDI)
   disp is a displacement
   reg_opcode is either a register or an opcode
 */
void emitAddressingMode(int base, int disp, int reg_opcode, 
                        unsigned char *&insn) {
  assert(base != ESP);
  if (base == -1) {
    *insn++ = makeModRMbyte(0, reg_opcode, 5);
    *((int *)insn) = disp;
    insn += sizeof(int);
  } else if (disp == 0 && base != EBP) {
    *insn++ = makeModRMbyte(0, reg_opcode, base);
  } else if (disp >= -128 && disp <= 127) {
    *insn++ = makeModRMbyte(1, reg_opcode, base);
    *((char *)insn++) = (char) disp;
  } else {
    *insn++ = makeModRMbyte(2, reg_opcode, base);
    *((int *)insn) = disp;
    insn += sizeof(int);
  }
}


/* emit a simple one-byte instruction */
void emitSimpleInsn(unsigned op, unsigned char *&insn) {
  *insn++ = op;
}

// emit a simple register to register instruction: OP dest, src
// opcode is one or two byte
void emitOpRegReg(unsigned opcode, reg dest, reg src, unsigned char *&insn) {
  if (opcode <= 0xFF)
    *insn++ = opcode;
  else {
    *insn++ = opcode >> 8;
    *insn++ = opcode & 0xFF;
  }
  // ModRM byte define the operands: Mod = 3, Reg = dest, RM = src
  *insn++ = makeModRMbyte(3, dest, src);
}

// emit OP reg, r/m
void emitOpRegRM(unsigned opcode, reg dest, reg base, int disp, unsigned char *&insn) {
  *insn++ = opcode;
  emitAddressingMode(base, disp, dest, insn);
}

// emit OP r/m, reg
void emitOpRMReg(unsigned opcode, reg base, int disp, reg src, unsigned char *&insn) {
  *insn++ = opcode;
  emitAddressingMode(base, disp, src, insn);
}

// emit OP reg, imm32
void emitOpRegImm(int opcode, reg dest, int imm, unsigned char *&insn) {
  *insn++ = 0x81;
  *insn++ = makeModRMbyte(3, opcode, dest);
  *((int *)insn) = imm;
  insn+= sizeof(int);
}

/*
// emit OP r/m, imm32
void emitOpRMImm(unsigned opcode, reg base, int disp, int imm, unsigned char *&insn) {
  *insn++ = 0x81;
  emitAddressingMode(base, disp, opcode, insn);
  *((int *)insn) = imm;
  insn += sizeof(int);
}
*/

// emit OP r/m, imm32
void emitOpRMImm(unsigned opcode1, unsigned opcode2,
                 reg base, int disp, int imm, unsigned char *&insn) {
  *insn++ = opcode1;
  emitAddressingMode(base, disp, opcode2, insn);
  *((int *)insn) = imm;
  insn += sizeof(int);
}

// emit OP r/m, imm8
void emitOpRMImm8(unsigned opcode1, unsigned opcode2,
                 reg base, int disp, char imm, unsigned char *&insn) {
  *insn++ = opcode1;
  emitAddressingMode(base, disp, opcode2, insn);
  *insn++ = imm;
}

// emit OP reg, r/m, imm32
void emitOpRegRMImm(unsigned opcode, reg dest,
                 reg base, int disp, int imm, unsigned char *&insn) {
  *insn++ = opcode;
  emitAddressingMode(base, disp, dest, insn);
  *((int *)insn) = imm;
  insn += sizeof(int);
}

// emit MOV reg, reg
void emitMovRegToReg(reg dest, reg src, unsigned char *&insn) {
  *insn++ = 0x8B;
  *insn++ = makeModRMbyte(3, dest, src);
}

// emit MOV reg, r/m
void emitMovRMToReg(reg dest, reg base, int disp, unsigned char *&insn) {
  *insn++ = 0x8B;
  emitAddressingMode(base, disp, dest, insn);
}

// emit MOV r/m, reg
void emitMovRegToRM(reg base, int disp, reg src, unsigned char *&insn) {
  *insn++ = 0x89;
  emitAddressingMode(base, disp, src, insn);
}

// emit MOV m, reg
void emitMovRegToM(int disp, reg src, unsigned char *&insn) {
  *insn++ = 0x89;
  emitAddressingMode(-1, disp, src, insn);
}

// emit MOV reg, m
void emitMovMToReg(reg dest, int disp, unsigned char *&insn) {
  *insn++ = 0x8B;
  emitAddressingMode(-1, disp, dest, insn);
}

// emit MOV reg, imm32
void emitMovImmToReg(reg dest, int imm, unsigned char *&insn) {
  *insn++ = 0xB8 + dest;
  *((int *)insn) = imm;
  insn += sizeof(int);
}

// emit MOV r/m32, imm32
void emitMovImmToRM(reg base, int disp, int imm, unsigned char *&insn) {
  *insn++ = 0xC7;
  emitAddressingMode(base, disp, 0, insn);
  *((int*)insn) = imm;
  insn += sizeof(int);
}

// emit MOV mem32, imm32
void emitMovImmToMem(unsigned maddr, int imm, unsigned char *&insn) {
  *insn++ = 0xC7;
  // emit the ModRM byte: we use a 32-bit displacement for the address,
  // the ModRM value is 0x05
  *insn++ = 0x05;
  *((unsigned *)insn) = maddr;
  insn += sizeof(unsigned);
  *((int*)insn) = imm;
  insn += sizeof(int);
}


// emit Add dword ptr DS:[addr], imm
void emitAddMemImm32(Address addr, int imm, unsigned char *&insn) {
  *insn++ = 0x81;
  *insn++ = 0x05;
  *((unsigned *)insn) = addr;
  insn += sizeof(unsigned);
  *((int *)insn) = imm;
  insn += sizeof(int);
}

// emit JUMP rel32
void emitJump(unsigned disp32, unsigned char *&insn) {
  *insn++ = 0xE9;
  *((int *)insn) = disp32;
  insn += sizeof(int);
} 

// emit CALL rel32
void emitCallRel32(unsigned disp32, unsigned char *&insn) {
  *insn++ = 0xE8;
  *((int *)insn) = disp32;
  insn += sizeof(int);
}

// set dest=1 if src1 op src2, otherwise dest = 0
void emitRelOp(unsigned op, reg dest, reg src1, reg src2, unsigned char *&insn) {
  //fprintf(stderr,"Relop dest = %d, src1 = %d, src2 = %d\n", dest, src1, src2);
  emitOpRegReg(0x29, ECX, ECX, insn);           // clear ECX
  emitMovRMToReg(EAX, EBP, -(src1*4), insn);    // mov eax, -(src1*4)[ebp]
  emitOpRegRM(0x3B, EAX, EBP, -(src2*4), insn); // cmp eax, -(src2*4)[ebp]
  unsigned char opcode;
  switch (op) {
    case eqOp: opcode = JNE_R8; break;
    case neOp: opcode = JE_R8; break;
    case lessOp: opcode = JGE_R8; break;
    case leOp: opcode = JG_R8; break;
    case greaterOp: opcode = JLE_R8; break;
    case geOp: opcode = JL_R8; break;
    default: assert(0);
  }
  *insn++ = opcode; *insn++ = 1;                // jcc 1
  emitSimpleInsn(0x40+ECX, insn);               // inc ECX
  emitMovRegToRM(EBP, -(dest*4), ECX, insn);    // mov -(dest*4)[ebp], ecx

}

// set dest=1 if src1 op src2imm, otherwise dest = 0
void emitRelOpImm(unsigned op, reg dest, reg src1, int src2imm, unsigned char *&insn) {
  //fprintf(stderr,"Relop dest = %d, src1 = %d, src2 = %d\n", dest, src1, src2);
  emitOpRegReg(0x29, ECX, ECX, insn);           // clear ECX
  emitMovRMToReg(EAX, EBP, -(src1*4), insn);    // mov eax, -(src1*4)[ebp]
  emitOpRegImm(0x3D, EAX, src2imm, insn);       // cmp eax, src2
  unsigned char opcode;
  switch (op) {
    case eqOp: opcode = JNE_R8; break;
    case neOp: opcode = JE_R8; break;
    case lessOp: opcode = JGE_R8; break;
    case leOp: opcode = JG_R8; break;
    case greaterOp: opcode = JLE_R8; break;
    case geOp: opcode = JL_R8; break;
    default: assert(0);
  }
  *insn++ = opcode; *insn++ = 1;                // jcc 1
  emitSimpleInsn(0x40+ECX, insn);               // inc ECX
  emitMovRegToRM(EBP, -(dest*4), ECX, insn);    // mov -(dest*4)[ebp], ecx

}

void emitEnter(short imm16, unsigned char *&insn) {
  *insn++ = 0xC8;
  *((short*)insn) = imm16;
  insn += sizeof(short);
  *insn++ = 0;
}



unsigned emitFuncCall(opCode op, 
                      registerSpace *rs,
                      char *ibuf, unsigned &base,
                      const vector<AstNode *> &operands, 
                      const string &callee, process *proc,
                      bool noCost)
{
  assert(op == callOp);
  unsigned addr;
  bool err;
  vector <reg> srcs;

  addr = proc->findInternalAddress(callee, false, err);
  if (err) {
    function_base *func = proc->findOneFunction(callee);
    if (!func) {
      ostrstream os(errorLine, 1024, ios::out);
      os << "Internal error: unable to find addr of " << callee << endl;
      logLine(errorLine);
      showErrorCallback(80, (const char *) errorLine);
      P_abort();
    }
    addr = func->getAddress(0);
  }

  for (unsigned u = 0; u < operands.size(); u++)
    srcs += operands[u]->generateCode(proc, rs, ibuf, base, noCost);

  unsigned char *insn = (unsigned char *) ((void*)&ibuf[base]);
  unsigned char *first = insn;

  // push arguments in reverse order, last argument first
  // must use int instead of unsigned to avoid nasty underflow problem:
  for (int i=srcs.size() - 1 ; i >= 0; i--) {
     emitOpRMReg(PUSH_RM_OPC1, EBP, -(srcs[i]*4), PUSH_RM_OPC2, insn);
     rs->freeRegister(srcs[i]);
  }

  // make the call
  // we are using an indirect call here because we don't know the
  // address of this instruction, so we can't use a relative call.
  // TODO: change this to use a direct call
  emitMovImmToReg(EAX, addr, insn);       // mov eax, addr
  emitOpRegReg(CALL_RM_OPC1, CALL_RM_OPC2, EAX, insn);   // call *(eax)

  // reset the stack pointer
  if (srcs.size() > 0)
     emitOpRegImm(0, ESP, srcs.size()*4, insn); // add esp, srcs.size()*4

  // allocate a (virtual) register to store the return value
  reg ret = rs->allocateRegister((char *)insn, base, noCost);
  emitMovRegToRM(EBP, -(ret*4), EAX, insn);

  base += insn - first;
  return ret;
}



/*
 * emit code for op(sr1,src2, dest)
 * ibuf is an instruction buffer where instructions are generated
 * base is the next free position on ibuf where code is to be generated
 */
unsigned emit(opCode op, reg src1, reg src2, reg dest, char *ibuf, unsigned &base,
              bool noCost)
{
    unsigned char *insn = (unsigned char *) (&ibuf[base]);
    unsigned char *first = insn;

    if (op == updateCostOp) {
      // src1 is the cost value
      // src2 is not used
      // desc is the address of observed cost

      if (!noCost) {
         // update observed cost
         // dest = address of DYNINSTobsCostLow
         // src1 = cost
         emitAddMemImm32(dest, src1, insn);  // ADD (dest), src1
      }
      base += insn-first;
      return base;

    } else if (op == loadConstOp) {
      // dest is a temporary
      // src1 is an immediate value 
      // dest = src1:imm32
      emitMovImmToRM(EBP, -(dest*4), src1, insn);

    } else if (op ==  loadOp) {
      // dest is a temporary
      // src1 is the address of the operand
      // dest = [src1]
      emitMovMToReg(EAX, src1, insn);               // mov eax, src1
      emitMovRegToRM(EBP, -(dest*4), EAX, insn);    // mov -(dest*4)[ebp], eax

    } else if (op ==  loadIndirOp) {
      // same as loadOp, but the value to load is already in a register
      emitMovRMToReg(EAX, EBP, -(src1*4), insn); // mov eax, -(src1*4)[ebp]
      emitMovRMToReg(EAX, EAX, 0, insn);         // mov eax, [eax]
      emitMovRegToRM(EBP, -(dest*4), EAX, insn); // mov -(dest*4)[ebp], eax

    } else if (op ==  storeOp) {
      // [dest] = src1
      // dest has the address where src1 is to be stored
      // src1 is a temporary
      // src2 is a "scratch" register, we don't need it in this architecture
      emitMovRMToReg(EAX, EBP, -(src1*4), insn);    // mov eax, -(src1*4)[ebp]
      emitMovRegToM(dest, EAX, insn);               // mov dest, eax

    } else if (op ==  storeIndirOp) {
      // same as storeOp, but the address where to store is already in a
      // register
      emitMovRMToReg(EAX, EBP, -(src1*4), insn);   // mov eax, -(src1*4)[ebp]
      emitMovRMToReg(ECX, EBP, -(dest*4), insn);   // mov ecx, -(dest*4)[ebp]
      emitMovRegToRM(ECX, 0, EAX, insn);           // mov [ecx], eax

    } else if (op ==  ifOp) {
      // if src1 == 0 jump to dest
      // src1 is a temporary
      // dest is a target address
      emitOpRegReg(0x29, EAX, EAX, insn);           // sub EAX, EAX ; clear EAX
      emitOpRegRM(0x3B, EAX, EBP, -(src1*4), insn); // cmp -(src1*4)[EBP], EAX
      // je dest
      *insn++ = 0x0F;
      *insn++ = 0x84;
      *((int *)insn) = dest;
      insn += sizeof(int);
      base += insn-first;
      return base;

    } else if (op == branchOp) { 
        emitJump(dest - JUMP_REL32_SZ, insn); 
        base += JUMP_REL32_SZ;
        return(base - JUMP_REL32_SZ);
    } else if (op ==  trampPreamble) {
      // no code is needed here
      
    } else if (op ==  trampTrailer) {

      // generate the template for a jump -- actual jump is generated elsewhere
      emitJump(0, insn); // jump xxxx
      // return the offset of the previous jump
      base += insn - first;
      return(base - JUMP_REL32_SZ);

    } else if (op == noOp) {
       emitSimpleInsn(NOP, insn); // nop

    } else if (op == getRetValOp) {
      // dest is a register were we can store the value
      // the return value is in the saved EAX
      emitMovRMToReg(EAX, EBP, SAVED_EAX_OFFSET, insn);
      emitMovRegToRM(EBP, -(dest*4), EAX, insn);
      base += insn - first;
      return dest;

    } else if (op == getParamOp) {
      // src1 is the number of the argument
      // dest is a register were we can store the value
      // Parameters are addressed by a positive offset from ebp,
      // the first is PARAM_OFFSET[ebp]
      emitMovRMToReg(EAX, EBP, PARAM_OFFSET + src1*4, insn);
      emitMovRegToRM(EBP, -(dest*4), EAX, insn);
      base += insn - first;
      return dest;

    } else if (op == saveRegOp) {
      // should not be used on this platform
      assert(0);

    } else {
        unsigned opcode;
        switch (op) {
            // integer ops
            case plusOp:
                // dest = src1 + src2
                // mv eax, src1
                // add eax, src2
                // mov dest, eax
                opcode = 0x03; // ADD
                break;

            case minusOp:
                opcode = 0x2B; // SUB
                break;

            case timesOp:
                opcode = 0x0FAF; // IMUL
                break;

            case divOp:
                // dest = src1 div src2
                // mov eax, src1
                // cdq   ; edx = sign extend of eax
                // idiv eax, src2 ; eax = edx:eax div src2, edx = edx:eax mod src2
                // mov dest, eax
                emitMovRMToReg(EAX, EBP, -(src1*4), insn);
                emitSimpleInsn(0x99, insn);
                emitOpRegRM(0xF7, 0x7 /*opcode extension*/, EBP, -(src2*4), insn);
                emitMovRegToRM(EBP, -(dest*4), EAX, insn);
                base += insn-first;
                return 0;
                break;

            // Bool ops
            case orOp:
                opcode = 0x0B; // OR 
                break;

            case andOp:
                opcode = 0x23; // AND
                break;

            // rel ops
            // dest = src1 relop src2
            case eqOp:
            case neOp:
            case lessOp:
            case leOp:
            case greaterOp:
            case geOp:
                emitRelOp(op, dest, src1, src2, insn);
                base += insn-first;
                return 0;
                break;

            default:
                abort();
                break;
        }

        emitMovRMToReg(EAX, EBP, -(src1*4), insn);
        emitOpRegRM(opcode, EAX, EBP, -(src2*4), insn);
        emitMovRegToRM(EBP, -(dest*4), EAX, insn);
      }
    base += insn - first;
    return(0);
}


unsigned emitImm(opCode op, reg src1, int src2imm, reg dest, char *ibuf, unsigned &base, bool)
{
    unsigned char *insn = (unsigned char *) (&ibuf[base]);
    unsigned char *first = insn;

    if (op ==  storeOp) {
      // [dest] = src1
      // dest has the address where src1 is to be stored
      // src1 is an immediate value
      // src2 is a "scratch" register, we don't need it in this architecture
      emitMovImmToReg(EAX, dest, insn);
      emitMovImmToRM(EAX, 0, src1, insn);
    } else {
        unsigned opcode1;
        unsigned opcode2;
        switch (op) {
            // integer ops
            case plusOp:
                opcode1 = 0x81;
                opcode2 = 0x0; // ADD
                break;

            case minusOp:
                opcode1 = 0x81;
                opcode2 = 0x5; // SUB
                break;

            case timesOp: {
                int result;
                if (isPowerOf2(src2imm, result) && result <= MAX_IMM8) {
                  if (src1 != dest) {
                    emitMovRMToReg(EAX, EBP, -(src1*4), insn);
                    emitMovRegToRM(EBP, -(dest*4), EAX, insn);
                  }
                  // sal dest, result
                  emitOpRMImm8(0xC1, 4, EBP, -(dest*4), result, insn);
                }
                else {
                  // imul EAX, -(src1*4)[ebp], src2imm
                  emitOpRegRMImm(0x69, EAX, EBP, -(src1*4), src2imm, insn);
                  emitMovRegToRM(EBP, -(dest*4), EAX, insn);
                } 
                base += insn-first;
                return 0;
              }
                break;

            case divOp: {
                int result;
                if (isPowerOf2(src2imm, result) && result <= MAX_IMM8) {
                  if (src1 != dest) {
                    emitMovRMToReg(EAX, EBP, -(src1*4), insn);
                    emitMovRegToRM(EBP, -(dest*4), EAX, insn);
                  }
                  // sar dest, result
                  emitOpRMImm8(0xC1, 7, EBP, -(dest*4), result, insn);
                }
                else {
                  // dest = src1 div src2imm
                  // mov eax, src1
                  // cdq   ; edx = sign extend of eax
                  // mov ebx, src2imm
                  // idiv eax, ebx ; eax = edx:eax div src2, edx = edx:eax mod src2
                  // mov dest, eax
                  emitMovRMToReg(EAX, EBP, -(src1*4), insn);
                  emitSimpleInsn(0x99, insn);
                  emitMovImmToReg(EBX, src2imm, insn);
                  // idiv eax, ebx
                  emitOpRegReg(0xF7, 0x7 /*opcode extension*/, EBX, insn); 
                  emitMovRegToRM(EBP, -(dest*4), EAX, insn);
                }
              }
                base += insn-first;
                return 0;
                break;

            // Bool ops
            case orOp:
                opcode1 = 0x81;
                opcode2 = 0x1; // OR 
                break;

            case andOp:
                opcode1 = 0x81;
                opcode2 = 0x4; // AND
                break;

            // rel ops
            // dest = src1 relop src2
            case eqOp:
            case neOp:
            case lessOp:
            case leOp:
            case greaterOp:
            case geOp:
                emitRelOpImm(op, dest, src1, src2imm, insn);
                base += insn-first;
                return 0;
                break;

            default:
                abort();
                break;
        }
        if (src1 != dest) {
          emitMovRMToReg(EAX, EBP, -(src1*4), insn);
          emitMovRegToRM(EBP, -(dest*4), EAX, insn);
        }
        emitOpRMImm(opcode1, opcode2, EBP, -(dest*4), src2imm, insn);
      }
    base += insn - first;
    return(0);
}



int getInsnCost(opCode op)
{
    if (op == loadConstOp) {
        return(1);
    } else if (op ==  loadOp) {
        return(1+1);
    } else if (op ==  loadIndirOp) {
        return(3);
    } else if (op ==  storeOp) {
        return(1+1); 
    } else if (op ==  storeIndirOp) {
        return(3);
    } else if (op ==  ifOp) {
        return(1+2+1);
    } else if (op == branchOp) {
        return(1);      /* XXX Need to find out what value this should be. */
    } else if (op ==  callOp) {
        // cost of call only
        return(1+2+1+1);
    } else if (op == updateCostOp) {
        return(3);
    } else if (op ==  trampPreamble) {
        return(0);
    } else if (op ==  trampTrailer) {
        return(1);
    } else if (op == noOp) {
        return(1);
    } else if (op == getRetValOp) {
        return (1+1);
    } else if (op == getParamOp) {
        return(1+1);
    } else {
        switch (op) {
            // rel ops
            case eqOp:
            case neOp:
            case lessOp:
            case leOp:
            case greaterOp:
            case geOp:
                return(1+1+2+1+1+1);
                break;
            case divOp:
                return(1+2+46+1);
            case timesOp:
                return(1+10+1);
            case plusOp:
            case minusOp:
            case orOp:
            case andOp:
                return(1+2+1);
            default:
                assert(0);
                return 0;
                break;
        }
    }
}



bool process::heapIsOk(const vector<sym_data> &find_us) {
  Symbol sym;
  string str;
  Address baseAddr;

  // find the main function
  // first look for main or _main
#if !defined(i386_unknown_nt4_0)
  if (!((mainFunction = findOneFunction("main")) 
        || (mainFunction = findOneFunction("_main")))) {
     string msg = "Cannot find main. Exiting.";
     statusLine(msg.string_of());
     showErrorCallback(50, msg);
     return false;
  }
#else
  if (!((mainFunction = findOneFunction("main")) 
        || (mainFunction = findOneFunction("_main"))
        || (mainFunction = findOneFunction("WinMain"))
        || (mainFunction = findOneFunction("_WinMain")))) {
     string msg = "Cannot find main or WinMain. Exiting.";
     statusLine(msg.string_of());
     showErrorCallback(50, msg);
     return false;
  }
#endif

  for (unsigned i=0; i<find_us.size(); i++) {
    str = find_us[i].name;
    if (!getSymbolInfo(str, sym, baseAddr)) {
      string str1 = string("_") + str.string_of();
      if (!getSymbolInfo(str1, sym, baseAddr) && find_us[i].must_find) {
        string msg;
        msg = string("Cannot find ") + str + string(". Exiting");
        statusLine(msg.string_of());
        showErrorCallback(50, msg);
        return false;
      }
    }
  }

//  string ghb = GLOBAL_HEAP_BASE;
//  if (!getSymbolInfo(ghb, sym, baseAddr)) {
//    ghb = U_GLOBAL_HEAP_BASE;
//    if (!getSymbolInfo(ghb, symm baseAddr)) {
//      string msg;
//      msg = string("Cannot find ") + str + string(". Exiting");
//      statusLine(msg.string_of());
//      showErrorCallback(50, msg);
//      return false;
//    }
//  }
//  Address instHeapEnd = sym.addr()+baseAddr;
//  addInternalSymbol(ghb, instHeapEnd);

  string ghb = INFERIOR_HEAP_BASE;
  if (!getSymbolInfo(ghb, sym, baseAddr)) {
    ghb = UINFERIOR_HEAP_BASE;
    if (!getSymbolInfo(ghb, sym, baseAddr)) {
      string msg;
      msg = string("Cannot find ") + ghb + string(". Cannot use this application");
      statusLine(msg.string_of());
      showErrorCallback(50, msg);
      return false;
    }
  }
  Address curr = sym.addr()+baseAddr;

#if !defined(i386_unknown_nt4_0)
  string tt = "DYNINSTtrampTable";
  if (!getSymbolInfo(tt, sym, baseAddr)) {
      string msg;
      msg = string("Cannot find ") + tt + string(". Cannot use this application");
      statusLine(msg.string_of());
      showErrorCallback(50, msg);
      return false;
  }
#endif

  // Check that we can patch up user code to jump to our base trampolines:
  const Address instHeapStart = curr;
  const Address instHeapEnd = instHeapStart + SYN_INST_BUF_SIZE - 1;

  if (instHeapEnd > getMaxBranch()) {
    logLine("*** FATAL ERROR: Program text + data too big for dyninst\n");
    sprintf(errorLine, "    heap starts at %x and ends at %x\n",
            instHeapStart, instHeapEnd);
    logLine(errorLine);
    return false;
  }

  return true;
}



dictionary_hash<string, unsigned> funcFrequencyTable(string::hash);

//
// initDefaultPointFrequencyTable - define the expected call frequency of
//    procedures.  Currently we just define several one shots with a
//    frequency of one, and provide a hook to read a file with more accurate
//    information.
//
void initDefaultPointFrequencyTable()
{
    FILE *fp;
    float value;
    char name[512];

    funcFrequencyTable["main"] = 1;
    funcFrequencyTable["DYNINSTsampleValues"] = 1;
    funcFrequencyTable[EXIT_NAME] = 1;

    // try to read file.
    fp = fopen("freq.input", "r");
    if (!fp) {
        return;
    } else {
        printf("found freq.input file\n");
    }
    while (!feof(fp)) {
        fscanf(fp, "%s %f\n", name, &value);
        funcFrequencyTable[name] = (int) value;
        printf("adding %s %f\n", name, value);
    }
    fclose(fp);
}

/*
 * Get an etimate of the frequency for the passed instPoint.  
 *    This is not (always) the same as the function that contains the point.
 * 
 *  The function is selected as follows:
 *
 *  If the point is an entry or an exit return the function name.
 *  If the point is a call and the callee can be determined, return the called
 *     function.
 *  else return the funcation containing the point.
 *
 *  WARNING: This code contins arbitray values for func frequency (both user 
 *     and system).  This should be refined over time.
 *
 * Using 1000 calls sec to be one SD from the mean for most FPSPEC apps.
 *      -- jkh 6/24/94
 *
 */
float getPointFrequency(instPoint *point)
{

    pd_Function *func = point->callee();

    if (!func)
      func = point->func();

    if (!funcFrequencyTable.defines(func->prettyName())) {
      if (func->isLibTag()) {
        return(100.0);
      } else {
        // Changing this value from 250 to 100 because predictedCost was
        // too high - naim 07/18/96
        return(100.0); 
      }
    } else {
      return ((float)funcFrequencyTable[func->prettyName()]);
    }
}

//
// return cost in cycles of executing at this point.  This is the cost
//   of the base tramp if it is the first at this point or 0 otherwise.
//
int getPointCost(process *proc, const instPoint *point)
{
    instPoint *temp = (instPoint *)point;
    temp->checkInstructions();

    if (proc->baseMap.defines(point)) {
        return(0);
    } else {
        if (point->size() == 1)
          return 9000; // estimated number of cycles for traps
        else
          return(83);
    }
}



bool returnInstance::checkReturnInstance(const vector<Address> &, u_int &) {
    return true;
}
 
void returnInstance::installReturnInstance(process *proc) {
    assert(instructionSeq);
    proc->writeTextSpace((void *)addr_, instSeqSize, instructionSeq->ptr());
    delete instructionSeq;
    instructionSeq = 0;
}

void returnInstance::addToReturnWaitingList(Address , process *) {
    P_abort();
}

void generateBreakPoint(instruction &insn) {
  P_abort();
}

void instWaitingList::cleanUp(process *, Address ) {
  P_abort();
}

/* ***************************************************** */

bool process::emitInferiorRPCheader(void *void_insnPtr, unsigned &base) {
   unsigned char *insnPtr = (unsigned char *)void_insnPtr;
   unsigned char *origInsnPtr = insnPtr;
   insnPtr += base;

   // We emit the following here (to set up a fresh stack frame):
   // pushl %ebp        (0x55)
   // movl  %esp, %ebp  (0x89 0xe5)
   // pushad
   // pushfd

   emitSimpleInsn(PUSH_EBP, insnPtr);
   emitMovRegToReg(EBP, ESP, insnPtr);
   // allocate space for temporaries (virtual registers)
   emitOpRegImm(5, ESP, 128, insnPtr); // sub esp, 128
   emitSimpleInsn(PUSHAD, insnPtr);
   emitSimpleInsn(PUSHFD, insnPtr);

   base += (insnPtr - origInsnPtr);

   return true;
}

bool process::emitInferiorRPCtrailer(void *void_insnPtr, unsigned &base,
                                     unsigned &breakOffset,
                                     bool shouldStopForResult,
                                     unsigned &stopForResultOffset,
                                     unsigned &justAfter_stopForResultOffset) {
   unsigned char *insnPtr = (unsigned char *)void_insnPtr;
      // unsigned char * is the most natural to work with on x86, since instructions
      // are always an integral # of bytes.  Besides, it makes the following line easy:
   insnPtr += base; // start off in the right spot

   if (shouldStopForResult) {
      // illegal insn: 0x0f0b does the trick.
      stopForResultOffset = base;
      *insnPtr++ = 0x0f;
      *insnPtr++ = 0x0b;
      base += 2;

      justAfter_stopForResultOffset = base;
   }

   // Sequence: popfd, popad, leave (0xc9), call DYNINSTbreakPoint(), illegal

   emitSimpleInsn(POPFD, insnPtr); // popfd
   emitSimpleInsn(POPAD, insnPtr); // popad
   emitSimpleInsn(LEAVE, insnPtr); // leave
   base += 3; // all simple insns are 1 byte

   // We can't do a SIGTRAP since SIGTRAP is reserved in x86.
   // So we do a SIGILL instead.
   breakOffset = base;
   *insnPtr++ = 0x0f;
   *insnPtr++ = 0x0b;
   base += 2;

   // Here, we should generate an illegal insn, or something.
   // A two-byte insn, 0x0f0b, should do the trick.  The idea is that
   // the code should never be executed.
   *insnPtr++ = 0x0f;
   *insnPtr++ = 0x0b;
   base += 2;

   return true;
}

// process::replaceFunctionCall
//
// Replace the function call at the given instrumentation point with a call to
// a different function, or with a NOOP.  In order to replace the call with a
// NOOP, pass NULL as the parameter "func."
// Returns true if sucessful, false if not.  Fails if the site is not a call
// site, or if the site has already been instrumented using a base tramp.
//
// Note that right now we can only replace a call instruction that is five
// bytes long (like a call to a 32-bit relative address).
bool process::replaceFunctionCall(const instPoint *point,
                                  const function_base *func) {
    // Must be a call site
    if (!point->insnAtPoint().isCall())
        return false;

    // Cannot already be instrumented with a base tramp
    if (baseMap.defines(point))
        return false;

    // Replace the call
    if (func == NULL) { // Replace with NOOPs
        unsigned char *newInsn = new unsigned char[point->insnAtPoint().size()];
        unsigned char *p = newInsn;
        for (int i = 0; i < point->insnAtPoint().size(); i++)
            emitSimpleInsn(NOP, p);
        writeTextSpace((void *)point->iPgetAddress(),
                       point->insnAtPoint().size(), newInsn);
    } else { // Replace with a call to a different function
        // XXX Right only, call has to be 5 bytes -- sometime, we should make
        // it work for other calls as well.
        assert(point->insnAtPoint().size() == CALL_REL32_SZ);
        unsigned char *newInsn = new unsigned char[CALL_REL32_SZ];
        unsigned char *p = newInsn;
        emitCallRel32(func->addr() - (point->iPgetAddress()+CALL_REL32_SZ), p);
        writeTextSpace((void *)point->iPgetAddress(), CALL_REL32_SZ, newInsn);
    }

    return true;
}