Question

I'll start with some background on the project that I'm involved in. We are attempting to write a Linux kernel module (in the 3.5 kernel) that will enable the last branch record (LBR) feature present in some newer x86 processors and write the branch data to a file on the hard disk for later analysis.

We currently have been able to enable LBR and can see the LBR Top of Stack Pointer changing as it detects branches (so we know that LBR has been enabled).

Our problem arises in that we cannot figure out how to determine when the LBR Stack becomes full so that we can read the data from it and write it to hard disk. Ideally we would like to enable an option in LBR to throw an exception when the LBR stack is close to full and write a handler that retrieves the information.

So far, the closest thing that I have been able to find to doing that is setting the 8th bit on the IA32_DEBUGCTL MSR which enables throwing an interrupt every time that a branch is detected. Unfortunately, writing to disk every time that a branch occurs creates more of a performance impact than we would like. We would prefer to write the data in batches each time the LBR Stack is full rather than on each individual branch. Are there any alternatives that I am missing or do we just have to bite the bullet and write to disk after every branch?

Thanks


Solution

You should be able to read the TOS when you want to begin recording and then check if the TOS equals this original value during the interrupt to determine if the stack is full of new records and only do a single disk write per full stack. Another alternative if you are willing to possibly lose some of the early records would simply be to only write to disk when TOS equals some arbitrary value within the range of values causing a single write to disk per full stack.

One issue may be that the interrupts themselves will be pushed onto the LBR stack since they are seen as jumps, but I am unsure how that will work based on different permission levels.
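
The TOS wrap-around check described in the answer, as an added user-space model in C; it is not code from the original post or from any kernel module. The `lbr_hw` and `lbr_rec` structs, all function names, the depth of 16 and the branch addresses are assumptions made for illustration, and the model ignores any records the interrupt itself might add.

```c
#include <stdint.h>

#define LBR_DEPTH 16 /* assumed; the real depth is model-specific */

struct lbr_entry { uint64_t from, to; };
struct lbr_hw { struct lbr_entry ring[LBR_DEPTH]; unsigned tos; }; /* simulated LBR MSRs */
struct lbr_rec {
    unsigned start_tos;                 /* TOS sampled when recording began */
    struct lbr_entry batch[LBR_DEPTH];  /* one full stack, oldest first */
    unsigned flushes;                   /* batch writes performed so far */
};

/* Hardware model: a taken branch advances TOS, then overwrites that slot. */
static void hw_record_branch(struct lbr_hw *hw, uint64_t from, uint64_t to)
{
    hw->tos = (hw->tos + 1) % LBR_DEPTH;
    hw->ring[hw->tos] = (struct lbr_entry){ from, to };
}

static void rec_start(struct lbr_rec *r, const struct lbr_hw *hw)
{
    r->start_tos = hw->tos;
    r->flushes = 0;
}

/* Body of the per-branch interrupt handler; returns 1 when a batch is ready. */
static int rec_on_branch(struct lbr_rec *r, const struct lbr_hw *hw)
{
    if (hw->tos != r->start_tos)
        return 0;                       /* not yet LBR_DEPTH new records */
    /* TOS is the newest record, so the oldest sits in the next slot. */
    for (unsigned i = 0; i < LBR_DEPTH; i++)
        r->batch[i] = hw->ring[(hw->tos + 1 + i) % LBR_DEPTH];
    r->flushes++;                       /* stand-in for the single disk write */
    return 1;
}

/* Drive n constructed branches through the model; returns the flush count. */
static unsigned simulate(unsigned n, struct lbr_rec *r)
{
    struct lbr_hw hw = { .tos = 5 };    /* arbitrary starting TOS */
    rec_start(r, &hw);
    for (unsigned i = 0; i < n; i++) {
        hw_record_branch(&hw, 0x1000 + i, 0x2000 + i);
        rec_on_branch(r, &hw);
    }
    return r->flushes;
}

int main(void) { struct lbr_rec r; return simulate(40, &r) == 2 ? 0 : 1; }
```

In a kernel module the ring reads would be MSR reads and the flush would hand the batch to deferred work rather than write to disk from interrupt context.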

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow