xref: /illumos-gate/usr/src/uts/common/dtrace/dtrace.c (revision ed1faac1) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2019 Joyent, Inc.
25  * Copyright (c) 2012, 2014 by Delphix. All rights reserved.
26  */
27 
28 /*
29  * DTrace - Dynamic Tracing for Solaris
30  *
31  * This is the implementation of the Solaris Dynamic Tracing framework
32  * (DTrace).  The user-visible interface to DTrace is described at length in
33  * the "Solaris Dynamic Tracing Guide".  The interfaces between the libdtrace
34  * library, the in-kernel DTrace framework, and the DTrace providers are
35  * described in the block comments in the <sys/dtrace.h> header file.  The
36  * internal architecture of DTrace is described in the block comments in the
37  * <sys/dtrace_impl.h> header file.  The comments contained within the DTrace
38  * implementation very much assume mastery of all of these sources; if one has
39  * an unanswered question about the implementation, one should consult them
40  * first.
41  *
42  * The functions here are ordered roughly as follows:
43  *
44  *   - Probe context functions
45  *   - Probe hashing functions
46  *   - Non-probe context utility functions
47  *   - Matching functions
48  *   - Provider-to-Framework API functions
49  *   - Probe management functions
50  *   - DIF object functions
51  *   - Format functions
52  *   - Predicate functions
53  *   - ECB functions
54  *   - Buffer functions
55  *   - Enabling functions
56  *   - DOF functions
57  *   - Anonymous enabling functions
58  *   - Consumer state functions
59  *   - Helper functions
60  *   - Hook functions
61  *   - Driver cookbook functions
62  *
63  * Each group of functions begins with a block comment labelled the "DTrace
64  * [Group] Functions", allowing one to find each block by searching forward
65  * on capital-f functions.
66  */
67 #include <sys/errno.h>
68 #include <sys/stat.h>
69 #include <sys/modctl.h>
70 #include <sys/conf.h>
71 #include <sys/systm.h>
72 #include <sys/ddi.h>
73 #include <sys/sunddi.h>
74 #include <sys/cpuvar.h>
75 #include <sys/kmem.h>
76 #include <sys/strsubr.h>
77 #include <sys/sysmacros.h>
78 #include <sys/dtrace_impl.h>
79 #include <sys/atomic.h>
80 #include <sys/cmn_err.h>
81 #include <sys/mutex_impl.h>
82 #include <sys/rwlock_impl.h>
83 #include <sys/ctf_api.h>
84 #include <sys/panic.h>
85 #include <sys/priv_impl.h>
86 #include <sys/policy.h>
87 #include <sys/cred_impl.h>
88 #include <sys/procfs_isa.h>
89 #include <sys/taskq.h>
90 #include <sys/mkdev.h>
91 #include <sys/kdi.h>
92 #include <sys/zone.h>
93 #include <sys/socket.h>
94 #include <netinet/in.h>
95 #include "strtolctype.h"
96 
97 /*
98  * DTrace Tunable Variables
99  *
100  * The following variables may be tuned by adding a line to /etc/system that
101  * includes both the name of the DTrace module ("dtrace") and the name of the
102  * variable.  For example:
103  *
104  *   set dtrace:dtrace_destructive_disallow = 1
105  *
106  * In general, the only variables that one should be tuning this way are those
107  * that affect system-wide DTrace behavior, and for which the default behavior
108  * is undesirable.  Most of these variables are tunable on a per-consumer
109  * basis using DTrace options, and need not be tuned on a system-wide basis.
110  * When tuning these variables, avoid pathological values; while some attempt
111  * is made to verify the integrity of these variables, they are not considered
112  * part of the supported interface to DTrace, and they are therefore not
113  * checked comprehensively.  Further, these variables should not be tuned
114  * dynamically via "mdb -kw" or other means; they should only be tuned via
115  * /etc/system.
116  */
117 int		dtrace_destructive_disallow = 0;
118 dtrace_optval_t	dtrace_nonroot_maxsize = (16 * 1024 * 1024);
119 size_t		dtrace_difo_maxsize = (256 * 1024);
120 dtrace_optval_t	dtrace_dof_maxsize = (8 * 1024 * 1024);
121 size_t		dtrace_statvar_maxsize = (16 * 1024);
122 size_t		dtrace_actions_max = (16 * 1024);
123 size_t		dtrace_retain_max = 1024;
124 dtrace_optval_t	dtrace_helper_actions_max = 1024;
125 dtrace_optval_t	dtrace_helper_providers_max = 32;
126 dtrace_optval_t	dtrace_dstate_defsize = (1 * 1024 * 1024);
127 size_t		dtrace_strsize_default = 256;
128 dtrace_optval_t	dtrace_cleanrate_default = 9900990;		/* 101 hz */
129 dtrace_optval_t	dtrace_cleanrate_min = 200000;			/* 5000 hz */
130 dtrace_optval_t	dtrace_cleanrate_max = (uint64_t)60 * NANOSEC;	/* 1/minute */
131 dtrace_optval_t	dtrace_aggrate_default = NANOSEC;		/* 1 hz */
132 dtrace_optval_t	dtrace_statusrate_default = NANOSEC;		/* 1 hz */
133 dtrace_optval_t dtrace_statusrate_max = (hrtime_t)10 * NANOSEC;	 /* 6/minute */
134 dtrace_optval_t	dtrace_switchrate_default = NANOSEC;		/* 1 hz */
135 dtrace_optval_t	dtrace_nspec_default = 1;
136 dtrace_optval_t	dtrace_specsize_default = 32 * 1024;
137 dtrace_optval_t dtrace_stackframes_default = 20;
138 dtrace_optval_t dtrace_ustackframes_default = 20;
139 dtrace_optval_t dtrace_jstackframes_default = 50;
140 dtrace_optval_t dtrace_jstackstrsize_default = 512;
141 int		dtrace_msgdsize_max = 128;
142 hrtime_t	dtrace_chill_max = MSEC2NSEC(500);		/* 500 ms */
143 hrtime_t	dtrace_chill_interval = NANOSEC;		/* 1000 ms */
144 int		dtrace_devdepth_max = 32;
145 int		dtrace_err_verbose;
146 hrtime_t	dtrace_deadman_interval = NANOSEC;
147 hrtime_t	dtrace_deadman_timeout = (hrtime_t)10 * NANOSEC;
148 hrtime_t	dtrace_deadman_user = (hrtime_t)30 * NANOSEC;
149 hrtime_t	dtrace_unregister_defunct_reap = (hrtime_t)60 * NANOSEC;
150 
151 /*
152  * DTrace External Variables
153  *
154  * As dtrace(7D) is a kernel module, any DTrace variables are obviously
155  * available to DTrace consumers via the backtick (`) syntax.  One of these,
156  * dtrace_zero, is made deliberately so:  it is provided as a source of
157  * well-known, zero-filled memory.  While this variable is not documented,
158  * it is used by some translators as an implementation detail.
159  */
160 const char	dtrace_zero[256] = { 0 };	/* zero-filled memory */
161 
162 /*
163  * DTrace Internal Variables
164  */
165 static dev_info_t	*dtrace_devi;		/* device info */
166 static vmem_t		*dtrace_arena;		/* probe ID arena */
167 static vmem_t		*dtrace_minor;		/* minor number arena */
168 static taskq_t		*dtrace_taskq;		/* task queue */
169 static dtrace_probe_t	**dtrace_probes;	/* array of all probes */
170 static int		dtrace_nprobes;		/* number of probes */
171 static dtrace_provider_t *dtrace_provider;	/* provider list */
172 static dtrace_meta_t	*dtrace_meta_pid;	/* user-land meta provider */
173 static int		dtrace_opens;		/* number of opens */
174 static int		dtrace_helpers;		/* number of helpers */
175 static int		dtrace_getf;		/* number of unpriv getf()s */
176 static void		*dtrace_softstate;	/* softstate pointer */
177 static dtrace_hash_t	*dtrace_bymod;		/* probes hashed by module */
178 static dtrace_hash_t	*dtrace_byfunc;		/* probes hashed by function */
179 static dtrace_hash_t	*dtrace_byname;		/* probes hashed by name */
180 static dtrace_toxrange_t *dtrace_toxrange;	/* toxic range array */
181 static int		dtrace_toxranges;	/* number of toxic ranges */
182 static int		dtrace_toxranges_max;	/* size of toxic range array */
183 static dtrace_anon_t	dtrace_anon;		/* anonymous enabling */
184 static kmem_cache_t	*dtrace_state_cache;	/* cache for dynamic state */
185 static uint64_t		dtrace_vtime_references; /* number of vtimestamp refs */
186 static kthread_t	*dtrace_panicked;	/* panicking thread */
187 static dtrace_ecb_t	*dtrace_ecb_create_cache; /* cached created ECB */
188 static dtrace_genid_t	dtrace_probegen;	/* current probe generation */
189 static dtrace_helpers_t *dtrace_deferred_pid;	/* deferred helper list */
190 static dtrace_enabling_t *dtrace_retained;	/* list of retained enablings */
191 static dtrace_genid_t	dtrace_retained_gen;	/* current retained enab gen */
192 static dtrace_dynvar_t	dtrace_dynhash_sink;	/* end of dynamic hash chains */
193 static int		dtrace_dynvar_failclean; /* dynvars failed to clean */
194 
195 /*
196  * DTrace Locking
197  * DTrace is protected by three (relatively coarse-grained) locks:
198  *
199  * (1) dtrace_lock is required to manipulate essentially any DTrace state,
200  *     including enabling state, probes, ECBs, consumer state, helper state,
201  *     etc.  Importantly, dtrace_lock is _not_ required when in probe context;
202  *     probe context is lock-free -- synchronization is handled via the
203  *     dtrace_sync() cross call mechanism.
204  *
205  * (2) dtrace_provider_lock is required when manipulating provider state, or
206  *     when provider state must be held constant.
207  *
208  * (3) dtrace_meta_lock is required when manipulating meta provider state, or
209  *     when meta provider state must be held constant.
210  *
211  * The lock ordering between these three locks is dtrace_meta_lock before
212  * dtrace_provider_lock before dtrace_lock.  (In particular, there are
213  * several places where dtrace_provider_lock is held by the framework as it
214  * calls into the providers -- which then call back into the framework,
215  * grabbing dtrace_lock.)
216  *
217  * There are two other locks in the mix:  mod_lock and cpu_lock.  With respect
218  * to dtrace_provider_lock and dtrace_lock, cpu_lock continues its historical
219  * role as a coarse-grained lock; it is acquired before both of these locks.
220  * With respect to dtrace_meta_lock, its behavior is stranger:  cpu_lock must
221  * be acquired _between_ dtrace_meta_lock and any other DTrace locks.
222  * mod_lock is similar with respect to dtrace_provider_lock in that it must be
223  * acquired _between_ dtrace_provider_lock and dtrace_lock.
224  */
225 static kmutex_t		dtrace_lock;		/* probe state lock */
226 static kmutex_t		dtrace_provider_lock;	/* provider state lock */
227 static kmutex_t		dtrace_meta_lock;	/* meta-provider state lock */
228 
229 /*
230  * DTrace Provider Variables
231  *
232  * These are the variables relating to DTrace as a provider (that is, the
233  * provider of the BEGIN, END, and ERROR probes).
234  */
235 static dtrace_pattr_t	dtrace_provider_attr = {
236 { DTRACE_STABILITY_STABLE, DTRACE_STABILITY_STABLE, DTRACE_CLASS_COMMON },
237 { DTRACE_STABILITY_PRIVATE, DTRACE_STABILITY_PRIVATE, DTRACE_CLASS_UNKNOWN },
238 { DTRACE_STABILITY_PRIVATE, DTRACE_STABILITY_PRIVATE, DTRACE_CLASS_UNKNOWN },
239 { DTRACE_STABILITY_STABLE, DTRACE_STABILITY_STABLE, DTRACE_CLASS_COMMON },
240 { DTRACE_STABILITY_STABLE, DTRACE_STABILITY_STABLE, DTRACE_CLASS_COMMON },
241 };
242 
243 static void
244 dtrace_nullop_provide(void *arg __unused,
245     const dtrace_probedesc_t *spec __unused)
246 {
247 }
248 
249 static void
250 dtrace_nullop_module(void *arg __unused, struct modctl *mp __unused)
251 {
252 }
253 
254 static void
255 dtrace_nullop(void *arg __unused, dtrace_id_t id __unused, void *parg __unused)
256 {
257 }
258 
259 static int
260 dtrace_enable_nullop(void *arg __unused, dtrace_id_t id __unused,
261     void *parg __unused)
262 {
263 	return (0);
264 }
265 
266 static dtrace_pops_t	dtrace_provider_ops = {
267 	.dtps_provide = dtrace_nullop_provide,
268 	.dtps_provide_module = dtrace_nullop_module,
269 	.dtps_enable = dtrace_enable_nullop,
270 	.dtps_disable = dtrace_nullop,
271 	.dtps_suspend = dtrace_nullop,
272 	.dtps_resume = dtrace_nullop,
273 	.dtps_getargdesc = NULL,
274 	.dtps_getargval = NULL,
275 	.dtps_mode = NULL,
276 	.dtps_destroy = dtrace_nullop
277 };
278 
279 static dtrace_id_t	dtrace_probeid_begin;	/* special BEGIN probe */
280 static dtrace_id_t	dtrace_probeid_end;	/* special END probe */
281 dtrace_id_t		dtrace_probeid_error;	/* special ERROR probe */
282 
283 /*
284  * DTrace Helper Tracing Variables
285  *
286  * These variables should be set dynamically to enable helper tracing.  The
287  * only variables that should be set are dtrace_helptrace_enable (which should
288  * be set to a non-zero value to allocate helper tracing buffers on the next
289  * open of /dev/dtrace) and dtrace_helptrace_disable (which should be set to a
290  * non-zero value to deallocate helper tracing buffers on the next close of
291  * /dev/dtrace).  When (and only when) helper tracing is disabled, the
292  * buffer size may also be set via dtrace_helptrace_bufsize.
293  */
294 int			dtrace_helptrace_enable = 0;
295 int			dtrace_helptrace_disable = 0;
296 int			dtrace_helptrace_bufsize = 16 * 1024 * 1024;
297 uint32_t		dtrace_helptrace_nlocals;
298 static dtrace_helptrace_t *dtrace_helptrace_buffer;
299 static uint32_t		dtrace_helptrace_next = 0;
300 static int		dtrace_helptrace_wrapped = 0;
301 
302 /*
303  * DTrace Error Hashing
304  *
305  * On DEBUG kernels, DTrace will track the errors that has seen in a hash
306  * table.  This is very useful for checking coverage of tests that are
307  * expected to induce DIF or DOF processing errors, and may be useful for
308  * debugging problems in the DIF code generator or in DOF generation .  The
309  * error hash may be examined with the ::dtrace_errhash MDB dcmd.
310  */
311 #ifdef DEBUG
312 static dtrace_errhash_t	dtrace_errhash[DTRACE_ERRHASHSZ];
313 static const char *dtrace_errlast;
314 static kthread_t *dtrace_errthread;
315 static kmutex_t dtrace_errlock;
316 #endif
317 
318 /*
319  * DTrace Macros and Constants
320  *
321  * These are various macros that are useful in various spots in the
322  * implementation, along with a few random constants that have no meaning
323  * outside of the implementation.  There is no real structure to this cpp
324  * mishmash -- but is there ever?
325  */
326 #define	DTRACE_HASHSTR(hash, probe)	\
327 	dtrace_hash_str(*((char **)((uintptr_t)(probe) + (hash)->dth_stroffs)))
328 
329 #define	DTRACE_HASHNEXT(hash, probe)	\
330 	(dtrace_probe_t **)((uintptr_t)(probe) + (hash)->dth_nextoffs)
331 
332 #define	DTRACE_HASHPREV(hash, probe)	\
333 	(dtrace_probe_t **)((uintptr_t)(probe) + (hash)->dth_prevoffs)
334 
335 #define	DTRACE_HASHEQ(hash, lhs, rhs)	\
336 	(strcmp(*((char **)((uintptr_t)(lhs) + (hash)->dth_stroffs)), \
337 	    *((char **)((uintptr_t)(rhs) + (hash)->dth_stroffs))) == 0)
338 
339 #define	DTRACE_AGGHASHSIZE_SLEW		17
340 
341 #define	DTRACE_V4MAPPED_OFFSET		(sizeof (uint32_t) * 3)
342 
343 /*
344  * The key for a thread-local variable consists of the lower 61 bits of the
345  * t_did, plus the 3 bits of the highest active interrupt above LOCK_LEVEL.
346  * We add DIF_VARIABLE_MAX to t_did to assure that the thread key is never
347  * equal to a variable identifier.  This is necessary (but not sufficient) to
348  * assure that global associative arrays never collide with thread-local
349  * variables.  To guarantee that they cannot collide, we must also define the
350  * order for keying dynamic variables.  That order is:
351  *
352  *   [ key0 ] ... [ keyn ] [ variable-key ] [ tls-key ]
353  *
354  * Because the variable-key and the tls-key are in orthogonal spaces, there is
355  * no way for a global variable key signature to match a thread-local key
356  * signature.
357  */
358 #define	DTRACE_TLS_THRKEY(where) { \
359 	uint_t intr = 0; \
360 	uint_t actv = CPU->cpu_intr_actv >> (LOCK_LEVEL + 1); \
361 	for (; actv; actv >>= 1) \
362 		intr++; \
363 	ASSERT(intr < (1 << 3)); \
364 	(where) = ((curthread->t_did + DIF_VARIABLE_MAX) & \
365 	    (((uint64_t)1 << 61) - 1)) | ((uint64_t)intr << 61); \
366 }
367 
368 #define	DT_BSWAP_8(x)	((x) & 0xff)
369 #define	DT_BSWAP_16(x)	((DT_BSWAP_8(x) << 8) | DT_BSWAP_8((x) >> 8))
370 #define	DT_BSWAP_32(x)	((DT_BSWAP_16(x) << 16) | DT_BSWAP_16((x) >> 16))
371 #define	DT_BSWAP_64(x)	((DT_BSWAP_32(x) << 32) | DT_BSWAP_32((x) >> 32))
372 
373 #define	DT_MASK_LO 0x00000000FFFFFFFFULL
374 
375 #define	DTRACE_STORE(type, tomax, offset, what) \
376 	*((type *)((uintptr_t)(tomax) + (uintptr_t)offset)) = (type)(what);
377 
378 #ifndef __x86
379 #define	DTRACE_ALIGNCHECK(addr, size, flags)				\
380 	if (addr & (size - 1)) {					\
381 		*flags |= CPU_DTRACE_BADALIGN;				\
382 		cpu_core[CPU->cpu_id].cpuc_dtrace_illval = addr;	\
383 		return (0);						\
384 	}
385 #else
386 #define	DTRACE_ALIGNCHECK(addr, size, flags)
387 #endif
388 
389 /*
390  * Test whether a range of memory starting at testaddr of size testsz falls
391  * within the range of memory described by addr, sz.  We take care to avoid
392  * problems with overflow and underflow of the unsigned quantities, and
393  * disallow all negative sizes.  Ranges of size 0 are allowed.
394  */
395 #define	DTRACE_INRANGE(testaddr, testsz, baseaddr, basesz) \
396 	((testaddr) - (uintptr_t)(baseaddr) < (basesz) && \
397 	(testaddr) + (testsz) - (uintptr_t)(baseaddr) <= (basesz) && \
398 	(testaddr) + (testsz) >= (testaddr))
399 
400 #define	DTRACE_RANGE_REMAIN(remp, addr, baseaddr, basesz)		\
401 do {									\
402 	if ((remp) != NULL) {						\
403 		*(remp) = (uintptr_t)(baseaddr) + (basesz) - (addr);	\
404 	}								\
405 _NOTE(CONSTCOND) } while (0)
406 
407 
408 /*
409  * Test whether alloc_sz bytes will fit in the scratch region.  We isolate
410  * alloc_sz on the righthand side of the comparison in order to avoid overflow
411  * or underflow in the comparison with it.  This is simpler than the INRANGE
412  * check above, because we know that the dtms_scratch_ptr is valid in the
413  * range.  Allocations of size zero are allowed.
414  */
415 #define	DTRACE_INSCRATCH(mstate, alloc_sz) \
416 	((mstate)->dtms_scratch_base + (mstate)->dtms_scratch_size - \
417 	(mstate)->dtms_scratch_ptr >= (alloc_sz))
418 
419 #define	DTRACE_LOADFUNC(bits)						\
420 /*CSTYLED*/								\
421 uint##bits##_t								\
422 dtrace_load##bits(uintptr_t addr)					\
423 {									\
424 	size_t size = bits / NBBY;					\
425 	/*CSTYLED*/							\
426 	uint##bits##_t rval;						\
427 	int i;								\
428 	volatile uint16_t *flags = (volatile uint16_t *)		\
429 	    &cpu_core[CPU->cpu_id].cpuc_dtrace_flags;			\
430 									\
431 	DTRACE_ALIGNCHECK(addr, size, flags);				\
432 									\
433 	for (i = 0; i < dtrace_toxranges; i++) {			\
434 		if (addr >= dtrace_toxrange[i].dtt_limit)		\
435 			continue;					\
436 									\
437 		if (addr + size <= dtrace_toxrange[i].dtt_base)		\
438 			continue;					\
439 									\
440 		/*							\
441 		 * This address falls within a toxic region; return 0.	\
442 		 */							\
443 		*flags |= CPU_DTRACE_BADADDR;				\
444 		cpu_core[CPU->cpu_id].cpuc_dtrace_illval = addr;	\
445 		return (0);						\
446 	}								\
447 									\
448 	*flags |= CPU_DTRACE_NOFAULT;					\
449 	/*CSTYLED*/							\
450 	rval = *((volatile uint##bits##_t *)addr);			\
451 	*flags &= ~CPU_DTRACE_NOFAULT;					\
452 									\
453 	return (!(*flags & CPU_DTRACE_FAULT) ? rval : 0);		\
454 }
455 
456 #ifdef _LP64
457 #define	dtrace_loadptr	dtrace_load64
458 #else
459 #define	dtrace_loadptr	dtrace_load32
460 #endif
461 
462 #define	DTRACE_DYNHASH_FREE	0
463 #define	DTRACE_DYNHASH_SINK	1
464 #define	DTRACE_DYNHASH_VALID	2
465 
466 #define	DTRACE_MATCH_FAIL	-1
467 #define	DTRACE_MATCH_NEXT	0
468 #define	DTRACE_MATCH_DONE	1
469 #define	DTRACE_ANCHORED(probe)	((probe)->dtpr_func[0] != '\0')
470 #define	DTRACE_STATE_ALIGN	64
471 
472 #define	DTRACE_FLAGS2FLT(flags)						\
473 	(((flags) & CPU_DTRACE_BADADDR) ? DTRACEFLT_BADADDR :		\
474 	((flags) & CPU_DTRACE_ILLOP) ? DTRACEFLT_ILLOP :		\
475 	((flags) & CPU_DTRACE_DIVZERO) ? DTRACEFLT_DIVZERO :		\
476 	((flags) & CPU_DTRACE_KPRIV) ? DTRACEFLT_KPRIV :		\
477 	((flags) & CPU_DTRACE_UPRIV) ? DTRACEFLT_UPRIV :		\
478 	((flags) & CPU_DTRACE_TUPOFLOW) ?  DTRACEFLT_TUPOFLOW :		\
479 	((flags) & CPU_DTRACE_BADALIGN) ?  DTRACEFLT_BADALIGN :		\
480 	((flags) & CPU_DTRACE_NOSCRATCH) ?  DTRACEFLT_NOSCRATCH :	\
481 	((flags) & CPU_DTRACE_BADSTACK) ?  DTRACEFLT_BADSTACK :		\
482 	DTRACEFLT_UNKNOWN)
483 
484 #define	DTRACEACT_ISSTRING(act)						\
485 	((act)->dta_kind == DTRACEACT_DIFEXPR &&			\
486 	(act)->dta_difo->dtdo_rtype.dtdt_kind == DIF_TYPE_STRING)
487 
488 static size_t dtrace_strlen(const char *, size_t);
489 static dtrace_probe_t *dtrace_probe_lookup_id(dtrace_id_t id);
490 static void dtrace_enabling_provide(dtrace_provider_t *);
491 static int dtrace_enabling_match(dtrace_enabling_t *, int *);
492 static void dtrace_enabling_matchall(void);
493 static void dtrace_enabling_reap(void);
494 static dtrace_state_t *dtrace_anon_grab(void);
495 static uint64_t dtrace_helper(int, dtrace_mstate_t *,
496     dtrace_state_t *, uint64_t, uint64_t);
497 static dtrace_helpers_t *dtrace_helpers_create(proc_t *);
498 static void dtrace_buffer_drop(dtrace_buffer_t *);
499 static int dtrace_buffer_consumed(dtrace_buffer_t *, hrtime_t when);
500 static intptr_t dtrace_buffer_reserve(dtrace_buffer_t *, size_t, size_t,
501     dtrace_state_t *, dtrace_mstate_t *);
502 static int dtrace_state_option(dtrace_state_t *, dtrace_optid_t,
503     dtrace_optval_t);
504 static int dtrace_ecb_create_enable(dtrace_probe_t *, void *);
505 static void dtrace_helper_provider_destroy(dtrace_helper_provider_t *);
506 static int dtrace_priv_proc(dtrace_state_t *, dtrace_mstate_t *);
507 static void dtrace_getf_barrier(void);
508 static int dtrace_canload_remains(uint64_t, size_t, size_t *,
509     dtrace_mstate_t *, dtrace_vstate_t *);
510 static int dtrace_canstore_remains(uint64_t, size_t, size_t *,
511     dtrace_mstate_t *, dtrace_vstate_t *);
512 
513 /*
514  * DTrace Probe Context Functions
515  *
516  * These functions are called from probe context.  Because probe context is
517  * any context in which C may be called, arbitrarily locks may be held,
518  * interrupts may be disabled, we may be in arbitrary dispatched state, etc.
519  * As a result, functions called from probe context may only call other DTrace
520  * support functions -- they may not interact at all with the system at large.
521  * (Note that the ASSERT macro is made probe-context safe by redefining it in
522  * terms of dtrace_assfail(), a probe-context safe function.) If arbitrary
523  * loads are to be performed from probe context, they _must_ be in terms of
524  * the safe dtrace_load*() variants.
525  *
526  * Some functions in this block are not actually called from probe context;
527  * for these functions, there will be a comment above the function reading
528  * "Note:  not called from probe context."
529  */
530 void
531 dtrace_panic(const char *format, ...)
532 {
533 	va_list alist;
534 
535 	va_start(alist, format);
536 	dtrace_vpanic(format, alist);
537 	va_end(alist);
538 }
539 
540 int
541 dtrace_assfail(const char *a, const char *f, int l)
542 {
543 	dtrace_panic("assertion failed: %s, file: %s, line: %d", a, f, l);
544 
545 	/*
546 	 * We just need something here that even the most clever compiler
547 	 * cannot optimize away.
548 	 */
549 	return (a[(uintptr_t)f]);
550 }
551 
552 /*
553  * Atomically increment a specified error counter from probe context.
554  */
555 static void
556 dtrace_error(uint32_t *counter)
557 {
558 	/*
559 	 * Most counters stored to in probe context are per-CPU counters.
560 	 * However, there are some error conditions that are sufficiently
561 	 * arcane that they don't merit per-CPU storage.  If these counters
562 	 * are incremented concurrently on different CPUs, scalability will be
563 	 * adversely affected -- but we don't expect them to be white-hot in a
564 	 * correctly constructed enabling...
565 	 */
566 	uint32_t oval, nval;
567 
568 	do {
569 		oval = *counter;
570 
571 		if ((nval = oval + 1) == 0) {
572 			/*
573 			 * If the counter would wrap, set it to 1 -- assuring
574 			 * that the counter is never zero when we have seen
575 			 * errors.  (The counter must be 32-bits because we
576 			 * aren't guaranteed a 64-bit compare&swap operation.)
577 			 * To save this code both the infamy of being fingered
578 			 * by a priggish news story and the indignity of being
579 			 * the target of a neo-puritan witch trial, we're
580 			 * carefully avoiding any colorful description of the
581 			 * likelihood of this condition -- but suffice it to
582 			 * say that it is only slightly more likely than the
583 			 * overflow of predicate cache IDs, as discussed in
584 			 * dtrace_predicate_create().
585 			 */
586 			nval = 1;
587 		}
588 	} while (dtrace_cas32(counter, oval, nval) != oval);
589 }
590 
591 /*
592  * Use the DTRACE_LOADFUNC macro to define functions for each of loading a
593  * uint8_t, a uint16_t, a uint32_t and a uint64_t.
594  */
595 /* BEGIN CSTYLED */
596 DTRACE_LOADFUNC(8)
597 DTRACE_LOADFUNC(16)
598 DTRACE_LOADFUNC(32)
599 DTRACE_LOADFUNC(64)
600 /* END CSTYLED */
601 
602 static int
603 dtrace_inscratch(uintptr_t dest, size_t size, dtrace_mstate_t *mstate)
604 {
605 	if (dest < mstate->dtms_scratch_base)
606 		return (0);
607 
608 	if (dest + size < dest)
609 		return (0);
610 
611 	if (dest + size > mstate->dtms_scratch_ptr)
612 		return (0);
613 
614 	return (1);
615 }
616 
617 static int
618 dtrace_canstore_statvar(uint64_t addr, size_t sz, size_t *remain,
619     dtrace_statvar_t **svars, int nsvars)
620 {
621 	int i;
622 	size_t maxglobalsize, maxlocalsize;
623 
624 	if (nsvars == 0)
625 		return (0);
626 
627 	maxglobalsize = dtrace_statvar_maxsize + sizeof (uint64_t);
628 	maxlocalsize = maxglobalsize * NCPU;
629 
630 	for (i = 0; i < nsvars; i++) {
631 		dtrace_statvar_t *svar = svars[i];
632 		uint8_t scope;
633 		size_t size;
634 
635 		if (svar == NULL || (size = svar->dtsv_size) == 0)
636 			continue;
637 
638 		scope = svar->dtsv_var.dtdv_scope;
639 
640 		/*
641 		 * We verify that our size is valid in the spirit of providing
642 		 * defense in depth:  we want to prevent attackers from using
643 		 * DTrace to escalate an orthogonal kernel heap corruption bug
644 		 * into the ability to store to arbitrary locations in memory.
645 		 */
646 		VERIFY((scope == DIFV_SCOPE_GLOBAL && size <= maxglobalsize) ||
647 		    (scope == DIFV_SCOPE_LOCAL && size <= maxlocalsize));
648 
649 		if (DTRACE_INRANGE(addr, sz, svar->dtsv_data,
650 		    svar->dtsv_size)) {
651 			DTRACE_RANGE_REMAIN(remain, addr, svar->dtsv_data,
652 			    svar->dtsv_size);
653 			return (1);
654 		}
655 	}
656 
657 	return (0);
658 }
659 
660 /*
661  * Check to see if the address is within a memory region to which a store may
662  * be issued.  This includes the DTrace scratch areas, and any DTrace variable
663  * region.  The caller of dtrace_canstore() is responsible for performing any
664  * alignment checks that are needed before stores are actually executed.
665  */
666 static int
667 dtrace_canstore(uint64_t addr, size_t sz, dtrace_mstate_t *mstate,
668     dtrace_vstate_t *vstate)
669 {
670 	return (dtrace_canstore_remains(addr, sz, NULL, mstate, vstate));
671 }
672 
673 /*
674  * Implementation of dtrace_canstore which communicates the upper bound of the
675  * allowed memory region.
676  */
677 static int
678 dtrace_canstore_remains(uint64_t addr, size_t sz, size_t *remain,
679     dtrace_mstate_t *mstate, dtrace_vstate_t *vstate)
680 {
681 	/*
682 	 * First, check to see if the address is in scratch space...
683 	 */
684 	if (DTRACE_INRANGE(addr, sz, mstate->dtms_scratch_base,
685 	    mstate->dtms_scratch_size)) {
686 		DTRACE_RANGE_REMAIN(remain, addr, mstate->dtms_scratch_base,
687 		    mstate->dtms_scratch_size);
688 		return (1);
689 	}
690 
691 	/*
692 	 * Now check to see if it's a dynamic variable.  This check will pick
693 	 * up both thread-local variables and any global dynamically-allocated
694 	 * variables.
695 	 */
696 	if (DTRACE_INRANGE(addr, sz, vstate->dtvs_dynvars.dtds_base,
697 	    vstate->dtvs_dynvars.dtds_size)) {
698 		dtrace_dstate_t *dstate = &vstate->dtvs_dynvars;
699 		uintptr_t base = (uintptr_t)dstate->dtds_base +
700 		    (dstate->dtds_hashsize * sizeof (dtrace_dynhash_t));
701 		uintptr_t chunkoffs;
702 		dtrace_dynvar_t *dvar;
703 
704 		/*
705 		 * Before we assume that we can store here, we need to make
706 		 * sure that it isn't in our metadata -- storing to our
707 		 * dynamic variable metadata would corrupt our state.  For
708 		 * the range to not include any dynamic variable metadata,
709 		 * it must:
710 		 *
711 		 *	(1) Start above the hash table that is at the base of
712 		 *	the dynamic variable space
713 		 *
714 		 *	(2) Have a starting chunk offset that is beyond the
715 		 *	dtrace_dynvar_t that is at the base of every chunk
716 		 *
717 		 *	(3) Not span a chunk boundary
718 		 *
719 		 *	(4) Not be in the tuple space of a dynamic variable
720 		 *
721 		 */
722 		if (addr < base)
723 			return (0);
724 
725 		chunkoffs = (addr - base) % dstate->dtds_chunksize;
726 
727 		if (chunkoffs < sizeof (dtrace_dynvar_t))
728 			return (0);
729 
730 		if (chunkoffs + sz > dstate->dtds_chunksize)
731 			return (0);
732 
733 		dvar = (dtrace_dynvar_t *)((uintptr_t)addr - chunkoffs);
734 
735 		if (dvar->dtdv_hashval == DTRACE_DYNHASH_FREE)
736 			return (0);
737 
738 		if (chunkoffs < sizeof (dtrace_dynvar_t) +
739 		    ((dvar->dtdv_tuple.dtt_nkeys - 1) * sizeof (dtrace_key_t)))
740 			return (0);
741 
742 		DTRACE_RANGE_REMAIN(remain, addr, dvar, dstate->dtds_chunksize);
743 		return (1);
744 	}
745 
746 	/*
747 	 * Finally, check the static local and global variables.  These checks
748 	 * take the longest, so we perform them last.
749 	 */
750 	if (dtrace_canstore_statvar(addr, sz, remain,
751 	    vstate->dtvs_locals, vstate->dtvs_nlocals))
752 		return (1);
753 
754 	if (dtrace_canstore_statvar(addr, sz, remain,
755 	    vstate->dtvs_globals, vstate->dtvs_nglobals))
756 		return (1);
757 
758 	return (0);
759 }
760 
761 
762 /*
763  * Convenience routine to check to see if the address is within a memory
764  * region in which a load may be issued given the user's privilege level;
765  * if not, it sets the appropriate error flags and loads 'addr' into the
766  * illegal value slot.
767  *
768  * DTrace subroutines (DIF_SUBR_*) should use this helper to implement
769  * appropriate memory access protection.
770  */
771 static int
772 dtrace_canload(uint64_t addr, size_t sz, dtrace_mstate_t *mstate,
773     dtrace_vstate_t *vstate)
774 {
775 	return (dtrace_canload_remains(addr, sz, NULL, mstate, vstate));
776 }
777 
778 /*
779  * Implementation of dtrace_canload which communicates the upper bound of the
780  * allowed memory region.
781  */
782 static int
783 dtrace_canload_remains(uint64_t addr, size_t sz, size_t *remain,
784     dtrace_mstate_t *mstate, dtrace_vstate_t *vstate)
785 {
786 	volatile uintptr_t *illval = &cpu_core[CPU->cpu_id].cpuc_dtrace_illval;
787 	file_t *fp;
788 
789 	/*
790 	 * If we hold the privilege to read from kernel memory, then
791 	 * everything is readable.
792 	 */
793 	if ((mstate->dtms_access & DTRACE_ACCESS_KERNEL) != 0) {
794 		DTRACE_RANGE_REMAIN(remain, addr, addr, sz);
795 		return (1);
796 	}
797 
798 	/*
799 	 * You can obviously read that which you can store.
800 	 */
801 	if (dtrace_canstore_remains(addr, sz, remain, mstate, vstate))
802 		return (1);
803 
804 	/*
805 	 * We're allowed to read from our own string table.
806 	 */
807 	if (DTRACE_INRANGE(addr, sz, mstate->dtms_difo->dtdo_strtab,
808 	    mstate->dtms_difo->dtdo_strlen)) {
809 		DTRACE_RANGE_REMAIN(remain, addr,
810 		    mstate->dtms_difo->dtdo_strtab,
811 		    mstate->dtms_difo->dtdo_strlen);
812 		return (1);
813 	}
814 
815 	if (vstate->dtvs_state != NULL &&
816 	    dtrace_priv_proc(vstate->dtvs_state, mstate)) {
817 		proc_t *p;
818 
819 		/*
820 		 * When we have privileges to the current process, there are
821 		 * several context-related kernel structures that are safe to
822 		 * read, even absent the privilege to read from kernel memory.
823 		 * These reads are safe because these structures contain only
824 		 * state that (1) we're permitted to read, (2) is harmless or
825 		 * (3) contains pointers to additional kernel state that we're
826 		 * not permitted to read (and as such, do not present an
827 		 * opportunity for privilege escalation).  Finally (and
828 		 * critically), because of the nature of their relation with
829 		 * the current thread context, the memory associated with these
830 		 * structures cannot change over the duration of probe context,
831 		 * and it is therefore impossible for this memory to be
832 		 * deallocated and reallocated as something else while it's
833 		 * being operated upon.
834 		 */
835 		if (DTRACE_INRANGE(addr, sz, curthread, sizeof (kthread_t))) {
836 			DTRACE_RANGE_REMAIN(remain, addr, curthread,
837 			    sizeof (kthread_t));
838 			return (1);
839 		}
840 
841 		if ((p = curthread->t_procp) != NULL && DTRACE_INRANGE(addr,
842 		    sz, curthread->t_procp, sizeof (proc_t))) {
843 			DTRACE_RANGE_REMAIN(remain, addr, curthread->t_procp,
844 			    sizeof (proc_t));
845 			return (1);
846 		}
847 
848 		if (curthread->t_cred != NULL && DTRACE_INRANGE(addr, sz,
849 		    curthread->t_cred, sizeof (cred_t))) {
850 			DTRACE_RANGE_REMAIN(remain, addr, curthread->t_cred,
851 			    sizeof (cred_t));
852 			return (1);
853 		}
854 
855 		if (p != NULL && p->p_pidp != NULL && DTRACE_INRANGE(addr, sz,
856 		    &(p->p_pidp->pid_id), sizeof (pid_t))) {
857 			DTRACE_RANGE_REMAIN(remain, addr, &(p->p_pidp->pid_id),
858 			    sizeof (pid_t));
859 			return (1);
860 		}
861 
862 		if (curthread->t_cpu != NULL && DTRACE_INRANGE(addr, sz,
863 		    curthread->t_cpu, offsetof(cpu_t, cpu_pause_thread))) {
864 			DTRACE_RANGE_REMAIN(remain, addr, curthread->t_cpu,
865 			    offsetof(cpu_t, cpu_pause_thread));
866 			return (1);
867 		}
868 	}
869 
870 	if ((fp = mstate->dtms_getf) != NULL) {
871 		uintptr_t psz = sizeof (void *);
872 		vnode_t *vp;
873 		vnodeops_t *op;
874 
875 		/*
876 		 * When getf() returns a file_t, the enabling is implicitly
877 		 * granted the (transient) right to read the returned file_t
878 		 * as well as the v_path and v_op->vnop_name of the underlying
879 		 * vnode.  These accesses are allowed after a successful
880 		 * getf() because the members that they refer to cannot change
881 		 * once set -- and the barrier logic in the kernel's closef()
882 		 * path assures that the file_t and its referenced vode_t
883 		 * cannot themselves be stale (that is, it impossible for
884 		 * either dtms_getf itself or its f_vnode member to reference
885 		 * freed memory).
886 		 */
887 		if (DTRACE_INRANGE(addr, sz, fp, sizeof (file_t))) {
888 			DTRACE_RANGE_REMAIN(remain, addr, fp, sizeof (file_t));
889 			return (1);
890 		}
891 
892 		if ((vp = fp->f_vnode) != NULL) {
893 			size_t slen;
894 
895 			if (DTRACE_INRANGE(addr, sz, &vp->v_path, psz)) {
896 				DTRACE_RANGE_REMAIN(remain, addr, &vp->v_path,
897 				    psz);
898 				return (1);
899 			}
900 
901 			slen = strlen(vp->v_path) + 1;
902 			if (DTRACE_INRANGE(addr, sz, vp->v_path, slen)) {
903 				DTRACE_RANGE_REMAIN(remain, addr, vp->v_path,
904 				    slen);
905 				return (1);
906 			}
907 
908 			if (DTRACE_INRANGE(addr, sz, &vp->v_op, psz)) {
909 				DTRACE_RANGE_REMAIN(remain, addr, &vp->v_op,
910 				    psz);
911 				return (1);
912 			}
913 
914 			if ((op = vp->v_op) != NULL &&
915 			    DTRACE_INRANGE(addr, sz, &op->vnop_name, psz)) {
916 				DTRACE_RANGE_REMAIN(remain, addr,
917 				    &op->vnop_name, psz);
918 				return (1);
919 			}
920 
921 			if (op != NULL && op->vnop_name != NULL &&
922 			    DTRACE_INRANGE(addr, sz, op->vnop_name,
923 			    (slen = strlen(op->vnop_name) + 1))) {
924 				DTRACE_RANGE_REMAIN(remain, addr,
925 				    op->vnop_name, slen);
926 				return (1);
927 			}
928 		}
929 	}
930 
931 	DTRACE_CPUFLAG_SET(CPU_DTRACE_KPRIV);
932 	*illval = addr;
933 	return (0);
934 }
935 
936 /*
937  * Convenience routine to check to see if a given string is within a memory
938  * region in which a load may be issued given the user's privilege level;
939  * this exists so that we don't need to issue unnecessary dtrace_strlen()
940  * calls in the event that the user has all privileges.
941  */
942 static int
943 dtrace_strcanload(uint64_t addr, size_t sz, size_t *remain,
944     dtrace_mstate_t *mstate, dtrace_vstate_t *vstate)
945 {
946 	size_t rsize;
947 
948 	/*
949 	 * If we hold the privilege to read from kernel memory, then
950 	 * everything is readable.
951 	 */
952 	if ((mstate->dtms_access & DTRACE_ACCESS_KERNEL) != 0) {
953 		DTRACE_RANGE_REMAIN(remain, addr, addr, sz);
954 		return (1);
955 	}
956 
957 	/*
958 	 * Even if the caller is uninterested in querying the remaining valid
959 	 * range, it is required to ensure that the access is allowed.
960 	 */
961 	if (remain == NULL) {
962 		remain = &rsize;
963 	}
964 	if (dtrace_canload_remains(addr, 0, remain, mstate, vstate)) {
965 		size_t strsz;
966 		/*
967 		 * Perform the strlen after determining the length of the
968 		 * memory region which is accessible.  This prevents timing
969 		 * information from being used to find NULs in memory which is
970 		 * not accessible to the caller.
971 		 */
972 		strsz = 1 + dtrace_strlen((char *)(uintptr_t)addr,
973 		    MIN(sz, *remain));
974 		if (strsz <= *remain) {
975 			return (1);
976 		}
977 	}
978 
979 	return (0);
980 }
981 
982 /*
983  * Convenience routine to check to see if a given variable is within a memory
984  * region in which a load may be issued given the user's privilege level.
985  */
986 static int
987 dtrace_vcanload(void *src, dtrace_diftype_t *type, size_t *remain,
988     dtrace_mstate_t *mstate, dtrace_vstate_t *vstate)
989 {
990 	size_t sz;
991 	ASSERT(type->dtdt_flags & DIF_TF_BYREF);
992 
993 	/*
994 	 * Calculate the max size before performing any checks since even
995 	 * DTRACE_ACCESS_KERNEL-credentialed callers expect that this function
996 	 * return the max length via 'remain'.
997 	 */
998 	if (type->dtdt_kind == DIF_TYPE_STRING) {
999 		dtrace_state_t *state = vstate->dtvs_state;
1000 
1001 		if (state != NULL) {
1002 			sz = state->dts_options[DTRACEOPT_STRSIZE];
1003 		} else {
1004 			/*
1005 			 * In helper context, we have a NULL state; fall back
1006 			 * to using the system-wide default for the string size
1007 			 * in this case.
1008 			 */
1009 			sz = dtrace_strsize_default;
1010 		}
1011 	} else {
1012 		sz = type->dtdt_size;
1013 	}
1014 
1015 	/*
1016 	 * If we hold the privilege to read from kernel memory, then
1017 	 * everything is readable.
1018 	 */
1019 	if ((mstate->dtms_access & DTRACE_ACCESS_KERNEL) != 0) {
1020 		DTRACE_RANGE_REMAIN(remain, (uintptr_t)src, src, sz);
1021 		return (1);
1022 	}
1023 
1024 	if (type->dtdt_kind == DIF_TYPE_STRING) {
1025 		return (dtrace_strcanload((uintptr_t)src, sz, remain, mstate,
1026 		    vstate));
1027 	}
1028 	return (dtrace_canload_remains((uintptr_t)src, sz, remain, mstate,
1029 	    vstate));
1030 }
1031 
1032 /*
1033  * Convert a string to a signed integer using safe loads.
1034  *
1035  * NOTE: This function uses various macros from strtolctype.h to manipulate
1036  * digit values, etc -- these have all been checked to ensure they make
1037  * no additional function calls.
1038  */
1039 static int64_t
1040 dtrace_strtoll(char *input, int base, size_t limit)
1041 {
1042 	uintptr_t pos = (uintptr_t)input;
1043 	int64_t val = 0;
1044 	int x;
1045 	boolean_t neg = B_FALSE;
1046 	char c, cc, ccc;
1047 	uintptr_t end = pos + limit;
1048 
1049 	/*
1050 	 * Consume any whitespace preceding digits.
1051 	 */
1052 	while ((c = dtrace_load8(pos)) == ' ' || c == '\t')
1053 		pos++;
1054 
1055 	/*
1056 	 * Handle an explicit sign if one is present.
1057 	 */
1058 	if (c == '-' || c == '+') {
1059 		if (c == '-')
1060 			neg = B_TRUE;
1061 		c = dtrace_load8(++pos);
1062 	}
1063 
1064 	/*
1065 	 * Check for an explicit hexadecimal prefix ("0x" or "0X") and skip it
1066 	 * if present.
1067 	 */
1068 	if (base == 16 && c == '0' && ((cc = dtrace_load8(pos + 1)) == 'x' ||
1069 	    cc == 'X') && isxdigit(ccc = dtrace_load8(pos + 2))) {
1070 		pos += 2;
1071 		c = ccc;
1072 	}
1073 
1074 	/*
1075 	 * Read in contiguous digits until the first non-digit character.
1076 	 */
1077 	for (; pos < end && c != '\0' && lisalnum(c) && (x = DIGIT(c)) < base;
1078 	    c = dtrace_load8(++pos))
1079 		val = val * base + x;
1080 
1081 	return (neg ? -val : val);
1082 }
1083 
1084 /*
1085  * Compare two strings using safe loads.
1086  */
1087 static int
1088 dtrace_strncmp(char *s1, char *s2, size_t limit)
1089 {
1090 	uint8_t c1, c2;
1091 	volatile uint16_t *flags;
1092 
1093 	if (s1 == s2 || limit == 0)
1094 		return (0);
1095 
1096 	flags = (volatile uint16_t *)&cpu_core[CPU->cpu_id].cpuc_dtrace_flags;
1097 
1098 	do {
1099 		if (s1 == NULL) {
1100 			c1 = '\0';
1101 		} else {
1102 			c1 = dtrace_load8((uintptr_t)s1++);
1103 		}
1104 
1105 		if (s2 == NULL) {
1106 			c2 = '\0';
1107 		} else {
1108 			c2 = dtrace_load8((uintptr_t)s2++);
1109 		}
1110 
1111 		if (c1 != c2)
1112 			return (c1 - c2);
1113 	} while (--limit && c1 != '\0' && !(*flags & CPU_DTRACE_FAULT));
1114 
1115 	return (0);
1116 }
1117 
1118 /*
1119  * Compute strlen(s) for a string using safe memory accesses.  The additional
1120  * len parameter is used to specify a maximum length to ensure completion.
1121  */
1122 static size_t
1123 dtrace_strlen(const char *s, size_t lim)
1124 {
1125 	uint_t len;
1126 
1127 	for (len = 0; len != lim; len++) {
1128 		if (dtrace_load8((uintptr_t)s++) == '\0')
1129 			break;
1130 	}
1131 
1132 	return (len);
1133 }
1134 
1135 /*
1136  * Check if an address falls within a toxic region.
1137  */
1138 static int
1139 dtrace_istoxic(uintptr_t kaddr, size_t size)
1140 {
1141 	uintptr_t taddr, tsize;
1142 	int i;
1143 
1144 	for (i = 0; i < dtrace_toxranges; i++) {
1145 		taddr = dtrace_toxrange[i].dtt_base;
1146 		tsize = dtrace_toxrange[i].dtt_limit - taddr;
1147 
1148 		if (kaddr - taddr < tsize) {
1149 			DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
1150 			cpu_core[CPU->cpu_id].cpuc_dtrace_illval = kaddr;
1151 			return (1);
1152 		}
1153 
1154 		if (taddr - kaddr < size) {
1155 			DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
1156 			cpu_core[CPU->cpu_id].cpuc_dtrace_illval = taddr;
1157 			return (1);
1158 		}
1159 	}
1160 
1161 	return (0);
1162 }
1163 
1164 /*
1165  * Copy src to dst using safe memory accesses.  The src is assumed to be unsafe
1166  * memory specified by the DIF program.  The dst is assumed to be safe memory
1167  * that we can store to directly because it is managed by DTrace.  As with
1168  * standard bcopy, overlapping copies are handled properly.
1169  */
1170 static void
1171 dtrace_bcopy(const void *src, void *dst, size_t len)
1172 {
1173 	if (len != 0) {
1174 		uint8_t *s1 = dst;
1175 		const uint8_t *s2 = src;
1176 
1177 		if (s1 <= s2) {
1178 			do {
1179 				*s1++ = dtrace_load8((uintptr_t)s2++);
1180 			} while (--len != 0);
1181 		} else {
1182 			s2 += len;
1183 			s1 += len;
1184 
1185 			do {
1186 				*--s1 = dtrace_load8((uintptr_t)--s2);
1187 			} while (--len != 0);
1188 		}
1189 	}
1190 }
1191 
1192 /*
1193  * Copy src to dst using safe memory accesses, up to either the specified
1194  * length, or the point that a nul byte is encountered.  The src is assumed to
1195  * be unsafe memory specified by the DIF program.  The dst is assumed to be
1196  * safe memory that we can store to directly because it is managed by DTrace.
1197  * Unlike dtrace_bcopy(), overlapping regions are not handled.
1198  */
1199 static void
1200 dtrace_strcpy(const void *src, void *dst, size_t len)
1201 {
1202 	if (len != 0) {
1203 		uint8_t *s1 = dst, c;
1204 		const uint8_t *s2 = src;
1205 
1206 		do {
1207 			*s1++ = c = dtrace_load8((uintptr_t)s2++);
1208 		} while (--len != 0 && c != '\0');
1209 	}
1210 }
1211 
1212 /*
1213  * Copy src to dst, deriving the size and type from the specified (BYREF)
1214  * variable type.  The src is assumed to be unsafe memory specified by the DIF
1215  * program.  The dst is assumed to be DTrace variable memory that is of the
1216  * specified type; we assume that we can store to directly.
1217  */
1218 static void
1219 dtrace_vcopy(void *src, void *dst, dtrace_diftype_t *type, size_t limit)
1220 {
1221 	ASSERT(type->dtdt_flags & DIF_TF_BYREF);
1222 
1223 	if (type->dtdt_kind == DIF_TYPE_STRING) {
1224 		dtrace_strcpy(src, dst, MIN(type->dtdt_size, limit));
1225 	} else {
1226 		dtrace_bcopy(src, dst, MIN(type->dtdt_size, limit));
1227 	}
1228 }
1229 
1230 /*
1231  * Compare s1 to s2 using safe memory accesses.  The s1 data is assumed to be
1232  * unsafe memory specified by the DIF program.  The s2 data is assumed to be
1233  * safe memory that we can access directly because it is managed by DTrace.
1234  */
1235 static int
1236 dtrace_bcmp(const void *s1, const void *s2, size_t len)
1237 {
1238 	volatile uint16_t *flags;
1239 
1240 	flags = (volatile uint16_t *)&cpu_core[CPU->cpu_id].cpuc_dtrace_flags;
1241 
1242 	if (s1 == s2)
1243 		return (0);
1244 
1245 	if (s1 == NULL || s2 == NULL)
1246 		return (1);
1247 
1248 	if (s1 != s2 && len != 0) {
1249 		const uint8_t *ps1 = s1;
1250 		const uint8_t *ps2 = s2;
1251 
1252 		do {
1253 			if (dtrace_load8((uintptr_t)ps1++) != *ps2++)
1254 				return (1);
1255 		} while (--len != 0 && !(*flags & CPU_DTRACE_FAULT));
1256 	}
1257 	return (0);
1258 }
1259 
1260 /*
1261  * Zero the specified region using a simple byte-by-byte loop.  Note that this
1262  * is for safe DTrace-managed memory only.
1263  */
1264 static void
1265 dtrace_bzero(void *dst, size_t len)
1266 {
1267 	uchar_t *cp;
1268 
1269 	for (cp = dst; len != 0; len--)
1270 		*cp++ = 0;
1271 }
1272 
1273 static void
1274 dtrace_add_128(uint64_t *addend1, uint64_t *addend2, uint64_t *sum)
1275 {
1276 	uint64_t result[2];
1277 
1278 	result[0] = addend1[0] + addend2[0];
1279 	result[1] = addend1[1] + addend2[1] +
1280 	    (result[0] < addend1[0] || result[0] < addend2[0] ? 1 : 0);
1281 
1282 	sum[0] = result[0];
1283 	sum[1] = result[1];
1284 }
1285 
1286 /*
1287  * Shift the 128-bit value in a by b. If b is positive, shift left.
1288  * If b is negative, shift right.
1289  */
1290 static void
1291 dtrace_shift_128(uint64_t *a, int b)
1292 {
1293 	uint64_t mask;
1294 
1295 	if (b == 0)
1296 		return;
1297 
1298 	if (b < 0) {
1299 		b = -b;
1300 		if (b >= 64) {
1301 			a[0] = a[1] >> (b - 64);
1302 			a[1] = 0;
1303 		} else {
1304 			a[0] >>= b;
1305 			mask = 1LL << (64 - b);
1306 			mask -= 1;
1307 			a[0] |= ((a[1] & mask) << (64 - b));
1308 			a[1] >>= b;
1309 		}
1310 	} else {
1311 		if (b >= 64) {
1312 			a[1] = a[0] << (b - 64);
1313 			a[0] = 0;
1314 		} else {
1315 			a[1] <<= b;
1316 			mask = a[0] >> (64 - b);
1317 			a[1] |= mask;
1318 			a[0] <<= b;
1319 		}
1320 	}
1321 }
1322 
1323 /*
1324  * The basic idea is to break the 2 64-bit values into 4 32-bit values,
1325  * use native multiplication on those, and then re-combine into the
1326  * resulting 128-bit value.
1327  *
1328  * (hi1 << 32 + lo1) * (hi2 << 32 + lo2) =
1329  *     hi1 * hi2 << 64 +
1330  *     hi1 * lo2 << 32 +
1331  *     hi2 * lo1 << 32 +
1332  *     lo1 * lo2
1333  */
1334 static void
1335 dtrace_multiply_128(uint64_t factor1, uint64_t factor2, uint64_t *product)
1336 {
1337 	uint64_t hi1, hi2, lo1, lo2;
1338 	uint64_t tmp[2];
1339 
1340 	hi1 = factor1 >> 32;
1341 	hi2 = factor2 >> 32;
1342 
1343 	lo1 = factor1 & DT_MASK_LO;
1344 	lo2 = factor2 & DT_MASK_LO;
1345 
1346 	product[0] = lo1 * lo2;
1347 	product[1] = hi1 * hi2;
1348 
1349 	tmp[0] = hi1 * lo2;
1350 	tmp[1] = 0;
1351 	dtrace_shift_128(tmp, 32);
1352 	dtrace_add_128(product, tmp, product);
1353 
1354 	tmp[0] = hi2 * lo1;
1355 	tmp[1] = 0;
1356 	dtrace_shift_128(tmp, 32);
1357 	dtrace_add_128(product, tmp, product);
1358 }
1359 
1360 /*
1361  * This privilege check should be used by actions and subroutines to
1362  * verify that the user credentials of the process that enabled the
1363  * invoking ECB match the target credentials
1364  */
1365 static int
1366 dtrace_priv_proc_common_user(dtrace_state_t *state)
1367 {
1368 	cred_t *cr, *s_cr = state->dts_cred.dcr_cred;
1369 
1370 	/*
1371 	 * We should always have a non-NULL state cred here, since if cred
1372 	 * is null (anonymous tracing), we fast-path bypass this routine.
1373 	 */
1374 	ASSERT(s_cr != NULL);
1375 
1376 	if ((cr = CRED()) != NULL &&
1377 	    s_cr->cr_uid == cr->cr_uid &&
1378 	    s_cr->cr_uid == cr->cr_ruid &&
1379 	    s_cr->cr_uid == cr->cr_suid &&
1380 	    s_cr->cr_gid == cr->cr_gid &&
1381 	    s_cr->cr_gid == cr->cr_rgid &&
1382 	    s_cr->cr_gid == cr->cr_sgid)
1383 		return (1);
1384 
1385 	return (0);
1386 }
1387 
1388 /*
1389  * This privilege check should be used by actions and subroutines to
1390  * verify that the zone of the process that enabled the invoking ECB
1391  * matches the target credentials
1392  */
1393 static int
1394 dtrace_priv_proc_common_zone(dtrace_state_t *state)
1395 {
1396 	cred_t *cr, *s_cr = state->dts_cred.dcr_cred;
1397 
1398 	/*
1399 	 * We should always have a non-NULL state cred here, since if cred
1400 	 * is null (anonymous tracing), we fast-path bypass this routine.
1401 	 */
1402 	ASSERT(s_cr != NULL);
1403 
1404 	if ((cr = CRED()) != NULL && s_cr->cr_zone == cr->cr_zone)
1405 		return (1);
1406 
1407 	return (0);
1408 }
1409 
1410 /*
1411  * This privilege check should be used by actions and subroutines to
1412  * verify that the process has not setuid or changed credentials.
1413  */
1414 static int
1415 dtrace_priv_proc_common_nocd()
1416 {
1417 	proc_t *proc;
1418 
1419 	if ((proc = ttoproc(curthread)) != NULL &&
1420 	    !(proc->p_flag & SNOCD))
1421 		return (1);
1422 
1423 	return (0);
1424 }
1425 
1426 static int
1427 dtrace_priv_proc_destructive(dtrace_state_t *state, dtrace_mstate_t *mstate)
1428 {
1429 	int action = state->dts_cred.dcr_action;
1430 
1431 	if (!(mstate->dtms_access & DTRACE_ACCESS_PROC))
1432 		goto bad;
1433 
1434 	if (((action & DTRACE_CRA_PROC_DESTRUCTIVE_ALLZONE) == 0) &&
1435 	    dtrace_priv_proc_common_zone(state) == 0)
1436 		goto bad;
1437 
1438 	if (((action & DTRACE_CRA_PROC_DESTRUCTIVE_ALLUSER) == 0) &&
1439 	    dtrace_priv_proc_common_user(state) == 0)
1440 		goto bad;
1441 
1442 	if (((action & DTRACE_CRA_PROC_DESTRUCTIVE_CREDCHG) == 0) &&
1443 	    dtrace_priv_proc_common_nocd() == 0)
1444 		goto bad;
1445 
1446 	return (1);
1447 
1448 bad:
1449 	cpu_core[CPU->cpu_id].cpuc_dtrace_flags |= CPU_DTRACE_UPRIV;
1450 
1451 	return (0);
1452 }
1453 
1454 static int
1455 dtrace_priv_proc_control(dtrace_state_t *state, dtrace_mstate_t *mstate)
1456 {
1457 	if (mstate->dtms_access & DTRACE_ACCESS_PROC) {
1458 		if (state->dts_cred.dcr_action & DTRACE_CRA_PROC_CONTROL)
1459 			return (1);
1460 
1461 		if (dtrace_priv_proc_common_zone(state) &&
1462 		    dtrace_priv_proc_common_user(state) &&
1463 		    dtrace_priv_proc_common_nocd())
1464 			return (1);
1465 	}
1466 
1467 	cpu_core[CPU->cpu_id].cpuc_dtrace_flags |= CPU_DTRACE_UPRIV;
1468 
1469 	return (0);
1470 }
1471 
1472 static int
1473 dtrace_priv_proc(dtrace_state_t *state, dtrace_mstate_t *mstate)
1474 {
1475 	if ((mstate->dtms_access & DTRACE_ACCESS_PROC) &&
1476 	    (state->dts_cred.dcr_action & DTRACE_CRA_PROC))
1477 		return (1);
1478 
1479 	cpu_core[CPU->cpu_id].cpuc_dtrace_flags |= CPU_DTRACE_UPRIV;
1480 
1481 	return (0);
1482 }
1483 
1484 static int
1485 dtrace_priv_kernel(dtrace_state_t *state)
1486 {
1487 	if (state->dts_cred.dcr_action & DTRACE_CRA_KERNEL)
1488 		return (1);
1489 
1490 	cpu_core[CPU->cpu_id].cpuc_dtrace_flags |= CPU_DTRACE_KPRIV;
1491 
1492 	return (0);
1493 }
1494 
1495 static int
1496 dtrace_priv_kernel_destructive(dtrace_state_t *state)
1497 {
1498 	if (state->dts_cred.dcr_action & DTRACE_CRA_KERNEL_DESTRUCTIVE)
1499 		return (1);
1500 
1501 	cpu_core[CPU->cpu_id].cpuc_dtrace_flags |= CPU_DTRACE_KPRIV;
1502 
1503 	return (0);
1504 }
1505 
1506 /*
1507  * Determine if the dte_cond of the specified ECB allows for processing of
1508  * the current probe to continue.  Note that this routine may allow continued
1509  * processing, but with access(es) stripped from the mstate's dtms_access
1510  * field.
1511  */
1512 static int
1513 dtrace_priv_probe(dtrace_state_t *state, dtrace_mstate_t *mstate,
1514     dtrace_ecb_t *ecb)
1515 {
1516 	dtrace_probe_t *probe = ecb->dte_probe;
1517 	dtrace_provider_t *prov = probe->dtpr_provider;
1518 	dtrace_pops_t *pops = &prov->dtpv_pops;
1519 	int mode = DTRACE_MODE_NOPRIV_DROP;
1520 
1521 	ASSERT(ecb->dte_cond);
1522 
1523 	if (pops->dtps_mode != NULL) {
1524 		mode = pops->dtps_mode(prov->dtpv_arg,
1525 		    probe->dtpr_id, probe->dtpr_arg);
1526 
1527 		ASSERT(mode & (DTRACE_MODE_USER | DTRACE_MODE_KERNEL));
1528 		ASSERT(mode & (DTRACE_MODE_NOPRIV_RESTRICT |
1529 		    DTRACE_MODE_NOPRIV_DROP));
1530 	}
1531 
1532 	/*
1533 	 * If the dte_cond bits indicate that this consumer is only allowed to
1534 	 * see user-mode firings of this probe, check that the probe was fired
1535 	 * while in a user context.  If that's not the case, use the policy
1536 	 * specified by the provider to determine if we drop the probe or
1537 	 * merely restrict operation.
1538 	 */
1539 	if (ecb->dte_cond & DTRACE_COND_USERMODE) {
1540 		ASSERT(mode != DTRACE_MODE_NOPRIV_DROP);
1541 
1542 		if (!(mode & DTRACE_MODE_USER)) {
1543 			if (mode & DTRACE_MODE_NOPRIV_DROP)
1544 				return (0);
1545 
1546 			mstate->dtms_access &= ~DTRACE_ACCESS_ARGS;
1547 		}
1548 	}
1549 
1550 	/*
1551 	 * This is more subtle than it looks. We have to be absolutely certain
1552 	 * that CRED() isn't going to change out from under us so it's only
1553 	 * legit to examine that structure if we're in constrained situations.
1554 	 * Currently, the only times we'll this check is if a non-super-user
1555 	 * has enabled the profile or syscall providers -- providers that
1556 	 * allow visibility of all processes. For the profile case, the check
1557 	 * above will ensure that we're examining a user context.
1558 	 */
1559 	if (ecb->dte_cond & DTRACE_COND_OWNER) {
1560 		cred_t *cr;
1561 		cred_t *s_cr = state->dts_cred.dcr_cred;
1562 		proc_t *proc;
1563 
1564 		ASSERT(s_cr != NULL);
1565 
1566 		if ((cr = CRED()) == NULL ||
1567 		    s_cr->cr_uid != cr->cr_uid ||
1568 		    s_cr->cr_uid != cr->cr_ruid ||
1569 		    s_cr->cr_uid != cr->cr_suid ||
1570 		    s_cr->cr_gid != cr->cr_gid ||
1571 		    s_cr->cr_gid != cr->cr_rgid ||
1572 		    s_cr->cr_gid != cr->cr_sgid ||
1573 		    (proc = ttoproc(curthread)) == NULL ||
1574 		    (proc->p_flag & SNOCD)) {
1575 			if (mode & DTRACE_MODE_NOPRIV_DROP)
1576 				return (0);
1577 
1578 			mstate->dtms_access &= ~DTRACE_ACCESS_PROC;
1579 		}
1580 	}
1581 
1582 	/*
1583 	 * If our dte_cond is set to DTRACE_COND_ZONEOWNER and we are not
1584 	 * in our zone, check to see if our mode policy is to restrict rather
1585 	 * than to drop; if to restrict, strip away both DTRACE_ACCESS_PROC
1586 	 * and DTRACE_ACCESS_ARGS
1587 	 */
1588 	if (ecb->dte_cond & DTRACE_COND_ZONEOWNER) {
1589 		cred_t *cr;
1590 		cred_t *s_cr = state->dts_cred.dcr_cred;
1591 
1592 		ASSERT(s_cr != NULL);
1593 
1594 		if ((cr = CRED()) == NULL ||
1595 		    s_cr->cr_zone->zone_id != cr->cr_zone->zone_id) {
1596 			if (mode & DTRACE_MODE_NOPRIV_DROP)
1597 				return (0);
1598 
1599 			mstate->dtms_access &=
1600 			    ~(DTRACE_ACCESS_PROC | DTRACE_ACCESS_ARGS);
1601 		}
1602 	}
1603 
1604 	/*
1605 	 * By merits of being in this code path at all, we have limited
1606 	 * privileges.  If the provider has indicated that limited privileges
1607 	 * are to denote restricted operation, strip off the ability to access
1608 	 * arguments.
1609 	 */
1610 	if (mode & DTRACE_MODE_LIMITEDPRIV_RESTRICT)
1611 		mstate->dtms_access &= ~DTRACE_ACCESS_ARGS;
1612 
1613 	return (1);
1614 }
1615 
1616 /*
1617  * Note:  not called from probe context.  This function is called
1618  * asynchronously (and at a regular interval) from outside of probe context to
1619  * clean the dirty dynamic variable lists on all CPUs.  Dynamic variable
1620  * cleaning is explained in detail in <sys/dtrace_impl.h>.
1621  */
1622 void
1623 dtrace_dynvar_clean(dtrace_dstate_t *dstate)
1624 {
1625 	dtrace_dynvar_t *dirty;
1626 	dtrace_dstate_percpu_t *dcpu;
1627 	dtrace_dynvar_t **rinsep;
1628 	int i, j, work = 0;
1629 
1630 	for (i = 0; i < NCPU; i++) {
1631 		dcpu = &dstate->dtds_percpu[i];
1632 		rinsep = &dcpu->dtdsc_rinsing;
1633 
1634 		/*
1635 		 * If the dirty list is NULL, there is no dirty work to do.
1636 		 */
1637 		if (dcpu->dtdsc_dirty == NULL)
1638 			continue;
1639 
1640 		if (dcpu->dtdsc_rinsing != NULL) {
1641 			/*
1642 			 * If the rinsing list is non-NULL, then it is because
1643 			 * this CPU was selected to accept another CPU's
1644 			 * dirty list -- and since that time, dirty buffers
1645 			 * have accumulated.  This is a highly unlikely
1646 			 * condition, but we choose to ignore the dirty
1647 			 * buffers -- they'll be picked up a future cleanse.
1648 			 */
1649 			continue;
1650 		}
1651 
1652 		if (dcpu->dtdsc_clean != NULL) {
1653 			/*
1654 			 * If the clean list is non-NULL, then we're in a
1655 			 * situation where a CPU has done deallocations (we
1656 			 * have a non-NULL dirty list) but no allocations (we
1657 			 * also have a non-NULL clean list).  We can't simply
1658 			 * move the dirty list into the clean list on this
1659 			 * CPU, yet we also don't want to allow this condition
1660 			 * to persist, lest a short clean list prevent a
1661 			 * massive dirty list from being cleaned (which in
1662 			 * turn could lead to otherwise avoidable dynamic
1663 			 * drops).  To deal with this, we look for some CPU
1664 			 * with a NULL clean list, NULL dirty list, and NULL
1665 			 * rinsing list -- and then we borrow this CPU to
1666 			 * rinse our dirty list.
1667 			 */
1668 			for (j = 0; j < NCPU; j++) {
1669 				dtrace_dstate_percpu_t *rinser;
1670 
1671 				rinser = &dstate->dtds_percpu[j];
1672 
1673 				if (rinser->dtdsc_rinsing != NULL)
1674 					continue;
1675 
1676 				if (rinser->dtdsc_dirty != NULL)
1677 					continue;
1678 
1679 				if (rinser->dtdsc_clean != NULL)
1680 					continue;
1681 
1682 				rinsep = &rinser->dtdsc_rinsing;
1683 				break;
1684 			}
1685 
1686 			if (j == NCPU) {
1687 				/*
1688 				 * We were unable to find another CPU that
1689 				 * could accept this dirty list -- we are
1690 				 * therefore unable to clean it now.
1691 				 */
1692 				dtrace_dynvar_failclean++;
1693 				continue;
1694 			}
1695 		}
1696 
1697 		work = 1;
1698 
1699 		/*
1700 		 * Atomically move the dirty list aside.
1701 		 */
1702 		do {
1703 			dirty = dcpu->dtdsc_dirty;
1704 
1705 			/*
1706 			 * Before we zap the dirty list, set the rinsing list.
1707 			 * (This allows for a potential assertion in
1708 			 * dtrace_dynvar():  if a free dynamic variable appears
1709 			 * on a hash chain, either the dirty list or the
1710 			 * rinsing list for some CPU must be non-NULL.)
1711 			 */
1712 			*rinsep = dirty;
1713 			dtrace_membar_producer();
1714 		} while (dtrace_casptr(&dcpu->dtdsc_dirty,
1715 		    dirty, NULL) != dirty);
1716 	}
1717 
1718 	if (!work) {
1719 		/*
1720 		 * We have no work to do; we can simply return.
1721 		 */
1722 		return;
1723 	}
1724 
1725 	dtrace_sync();
1726 
1727 	for (i = 0; i < NCPU; i++) {
1728 		dcpu = &dstate->dtds_percpu[i];
1729 
1730 		if (dcpu->dtdsc_rinsing == NULL)
1731 			continue;
1732 
1733 		/*
1734 		 * We are now guaranteed that no hash chain contains a pointer
1735 		 * into this dirty list; we can make it clean.
1736 		 */
1737 		ASSERT(dcpu->dtdsc_clean == NULL);
1738 		dcpu->dtdsc_clean = dcpu->dtdsc_rinsing;
1739 		dcpu->dtdsc_rinsing = NULL;
1740 	}
1741 
1742 	/*
1743 	 * Before we actually set the state to be DTRACE_DSTATE_CLEAN, make
1744 	 * sure that all CPUs have seen all of the dtdsc_clean pointers.
1745 	 * This prevents a race whereby a CPU incorrectly decides that
1746 	 * the state should be something other than DTRACE_DSTATE_CLEAN
1747 	 * after dtrace_dynvar_clean() has completed.
1748 	 */
1749 	dtrace_sync();
1750 
1751 	dstate->dtds_state = DTRACE_DSTATE_CLEAN;
1752 }
1753 
1754 /*
1755  * Depending on the value of the op parameter, this function looks-up,
1756  * allocates or deallocates an arbitrarily-keyed dynamic variable.  If an
1757  * allocation is requested, this function will return a pointer to a
1758  * dtrace_dynvar_t corresponding to the allocated variable -- or NULL if no
1759  * variable can be allocated.  If NULL is returned, the appropriate counter
1760  * will be incremented.
1761  */
1762 dtrace_dynvar_t *
1763 dtrace_dynvar(dtrace_dstate_t *dstate, uint_t nkeys,
1764     dtrace_key_t *key, size_t dsize, dtrace_dynvar_op_t op,
1765     dtrace_mstate_t *mstate, dtrace_vstate_t *vstate)
1766 {
1767 	uint64_t hashval = DTRACE_DYNHASH_VALID;
1768 	dtrace_dynhash_t *hash = dstate->dtds_hash;
1769 	dtrace_dynvar_t *free, *new_free, *next, *dvar, *start, *prev = NULL;
1770 	processorid_t me = CPU->cpu_id, cpu = me;
1771 	dtrace_dstate_percpu_t *dcpu = &dstate->dtds_percpu[me];
1772 	size_t bucket, ksize;
1773 	size_t chunksize = dstate->dtds_chunksize;
1774 	uintptr_t kdata, lock, nstate;
1775 	uint_t i;
1776 
1777 	ASSERT(nkeys != 0);
1778 
1779 	/*
1780 	 * Hash the key.  As with aggregations, we use Jenkins' "One-at-a-time"
1781 	 * algorithm.  For the by-value portions, we perform the algorithm in
1782 	 * 16-bit chunks (as opposed to 8-bit chunks).  This speeds things up a
1783 	 * bit, and seems to have only a minute effect on distribution.  For
1784 	 * the by-reference data, we perform "One-at-a-time" iterating (safely)
1785 	 * over each referenced byte.  It's painful to do this, but it's much
1786 	 * better than pathological hash distribution.  The efficacy of the
1787 	 * hashing algorithm (and a comparison with other algorithms) may be
1788 	 * found by running the ::dtrace_dynstat MDB dcmd.
1789 	 */
1790 	for (i = 0; i < nkeys; i++) {
1791 		if (key[i].dttk_size == 0) {
1792 			uint64_t val = key[i].dttk_value;
1793 
1794 			hashval += (val >> 48) & 0xffff;
1795 			hashval += (hashval << 10);
1796 			hashval ^= (hashval >> 6);
1797 
1798 			hashval += (val >> 32) & 0xffff;
1799 			hashval += (hashval << 10);
1800 			hashval ^= (hashval >> 6);
1801 
1802 			hashval += (val >> 16) & 0xffff;
1803 			hashval += (hashval << 10);
1804 			hashval ^= (hashval >> 6);
1805 
1806 			hashval += val & 0xffff;
1807 			hashval += (hashval << 10);
1808 			hashval ^= (hashval >> 6);
1809 		} else {
1810 			/*
1811 			 * This is incredibly painful, but it beats the hell
1812 			 * out of the alternative.
1813 			 */
1814 			uint64_t j, size = key[i].dttk_size;
1815 			uintptr_t base = (uintptr_t)key[i].dttk_value;
1816 
1817 			if (!dtrace_canload(base, size, mstate, vstate))
1818 				break;
1819 
1820 			for (j = 0; j < size; j++) {
1821 				hashval += dtrace_load8(base + j);
1822 				hashval += (hashval << 10);
1823 				hashval ^= (hashval >> 6);
1824 			}
1825 		}
1826 	}
1827 
1828 	if (DTRACE_CPUFLAG_ISSET(CPU_DTRACE_FAULT))
1829 		return (NULL);
1830 
1831 	hashval += (hashval << 3);
1832 	hashval ^= (hashval >> 11);
1833 	hashval += (hashval << 15);
1834 
1835 	/*
1836 	 * There is a remote chance (ideally, 1 in 2^31) that our hashval
1837 	 * comes out to be one of our two sentinel hash values.  If this
1838 	 * actually happens, we set the hashval to be a value known to be a
1839 	 * non-sentinel value.
1840 	 */
1841 	if (hashval == DTRACE_DYNHASH_FREE || hashval == DTRACE_DYNHASH_SINK)
1842 		hashval = DTRACE_DYNHASH_VALID;
1843 
1844 	/*
1845 	 * Yes, it's painful to do a divide here.  If the cycle count becomes
1846 	 * important here, tricks can be pulled to reduce it.  (However, it's
1847 	 * critical that hash collisions be kept to an absolute minimum;
1848 	 * they're much more painful than a divide.)  It's better to have a
1849 	 * solution that generates few collisions and still keeps things
1850 	 * relatively simple.
1851 	 */
1852 	bucket = hashval % dstate->dtds_hashsize;
1853 
1854 	if (op == DTRACE_DYNVAR_DEALLOC) {
1855 		volatile uintptr_t *lockp = &hash[bucket].dtdh_lock;
1856 
1857 		for (;;) {
1858 			while ((lock = *lockp) & 1)
1859 				continue;
1860 
1861 			if (dtrace_casptr((void *)lockp,
1862 			    (void *)lock, (void *)(lock + 1)) == (void *)lock)
1863 				break;
1864 		}
1865 
1866 		dtrace_membar_producer();
1867 	}
1868 
1869 top:
1870 	prev = NULL;
1871 	lock = hash[bucket].dtdh_lock;
1872 
1873 	dtrace_membar_consumer();
1874 
1875 	start = hash[bucket].dtdh_chain;
1876 	ASSERT(start != NULL && (start->dtdv_hashval == DTRACE_DYNHASH_SINK ||
1877 	    start->dtdv_hashval != DTRACE_DYNHASH_FREE ||
1878 	    op != DTRACE_DYNVAR_DEALLOC));
1879 
1880 	for (dvar = start; dvar != NULL; dvar = dvar->dtdv_next) {
1881 		dtrace_tuple_t *dtuple = &dvar->dtdv_tuple;
1882 		dtrace_key_t *dkey = &dtuple->dtt_key[0];
1883 
1884 		if (dvar->dtdv_hashval != hashval) {
1885 			if (dvar->dtdv_hashval == DTRACE_DYNHASH_SINK) {
1886 				/*
1887 				 * We've reached the sink, and therefore the
1888 				 * end of the hash chain; we can kick out of
1889 				 * the loop knowing that we have seen a valid
1890 				 * snapshot of state.
1891 				 */
1892 				ASSERT(dvar->dtdv_next == NULL);
1893 				ASSERT(dvar == &dtrace_dynhash_sink);
1894 				break;
1895 			}
1896 
1897 			if (dvar->dtdv_hashval == DTRACE_DYNHASH_FREE) {
1898 				/*
1899 				 * We've gone off the rails:  somewhere along
1900 				 * the line, one of the members of this hash
1901 				 * chain was deleted.  Note that we could also
1902 				 * detect this by simply letting this loop run
1903 				 * to completion, as we would eventually hit
1904 				 * the end of the dirty list.  However, we
1905 				 * want to avoid running the length of the
1906 				 * dirty list unnecessarily (it might be quite
1907 				 * long), so we catch this as early as
1908 				 * possible by detecting the hash marker.  In
1909 				 * this case, we simply set dvar to NULL and
1910 				 * break; the conditional after the loop will
1911 				 * send us back to top.
1912 				 */
1913 				dvar = NULL;
1914 				break;
1915 			}
1916 
1917 			goto next;
1918 		}
1919 
1920 		if (dtuple->dtt_nkeys != nkeys)
1921 			goto next;
1922 
1923 		for (i = 0; i < nkeys; i++, dkey++) {
1924 			if (dkey->dttk_size != key[i].dttk_size)
1925 				goto next; /* size or type mismatch */
1926 
1927 			if (dkey->dttk_size != 0) {
1928 				if (dtrace_bcmp(
1929 				    (void *)(uintptr_t)key[i].dttk_value,
1930 				    (void *)(uintptr_t)dkey->dttk_value,
1931 				    dkey->dttk_size))
1932 					goto next;
1933 			} else {
1934 				if (dkey->dttk_value != key[i].dttk_value)
1935 					goto next;
1936 			}
1937 		}
1938 
1939 		if (op != DTRACE_DYNVAR_DEALLOC)
1940 			return (dvar);
1941 
1942 		ASSERT(dvar->dtdv_next == NULL ||
1943 		    dvar->dtdv_next->dtdv_hashval != DTRACE_DYNHASH_FREE);
1944 
1945 		if (prev != NULL) {
1946 			ASSERT(hash[bucket].dtdh_chain != dvar);
1947 			ASSERT(start != dvar);
1948 			ASSERT(prev->dtdv_next == dvar);
1949 			prev->dtdv_next = dvar->dtdv_next;
1950 		} else {
1951 			if (dtrace_casptr(&hash[bucket].dtdh_chain,
1952 			    start, dvar->dtdv_next) != start) {
1953 				/*
1954 				 * We have failed to atomically swing the
1955 				 * hash table head pointer, presumably because
1956 				 * of a conflicting allocation on another CPU.
1957 				 * We need to reread the hash chain and try
1958 				 * again.
1959 				 */
1960 				goto top;
1961 			}
1962 		}
1963 
1964 		dtrace_membar_producer();
1965 
1966 		/*
1967 		 * Now set the hash value to indicate that it's free.
1968 		 */
1969 		ASSERT(hash[bucket].dtdh_chain != dvar);
1970 		dvar->dtdv_hashval = DTRACE_DYNHASH_FREE;
1971 
1972 		dtrace_membar_producer();
1973 
1974 		/*
1975 		 * Set the next pointer to point at the dirty list, and
1976 		 * atomically swing the dirty pointer to the newly freed dvar.
1977 		 */
1978 		do {
1979 			next = dcpu->dtdsc_dirty;
1980 			dvar->dtdv_next = next;
1981 		} while (dtrace_casptr(&dcpu->dtdsc_dirty, next, dvar) != next);
1982 
1983 		/*
1984 		 * Finally, unlock this hash bucket.
1985 		 */
1986 		ASSERT(hash[bucket].dtdh_lock == lock);
1987 		ASSERT(lock & 1);
1988 		hash[bucket].dtdh_lock++;
1989 
1990 		return (NULL);
1991 next:
1992 		prev = dvar;
1993 		continue;
1994 	}
1995 
1996 	if (dvar == NULL) {
1997 		/*
1998 		 * If dvar is NULL, it is because we went off the rails:
1999 		 * one of the elements that we traversed in the hash chain
2000 		 * was deleted while we were traversing it.  In this case,
2001 		 * we assert that we aren't doing a dealloc (deallocs lock
2002 		 * the hash bucket to prevent themselves from racing with
2003 		 * one another), and retry the hash chain traversal.
2004 		 */
2005 		ASSERT(op != DTRACE_DYNVAR_DEALLOC);
2006 		goto top;
2007 	}
2008 
2009 	if (op != DTRACE_DYNVAR_ALLOC) {
2010 		/*
2011 		 * If we are not to allocate a new variable, we want to
2012 		 * return NULL now.  Before we return, check that the value
2013 		 * of the lock word hasn't changed.  If it has, we may have
2014 		 * seen an inconsistent snapshot.
2015 		 */
2016 		if (op == DTRACE_DYNVAR_NOALLOC) {
2017 			if (hash[bucket].dtdh_lock != lock)
2018 				goto top;
2019 		} else {
2020 			ASSERT(op == DTRACE_DYNVAR_DEALLOC);
2021 			ASSERT(hash[bucket].dtdh_lock == lock);
2022 			ASSERT(lock & 1);
2023 			hash[bucket].dtdh_lock++;
2024 		}
2025 
2026 		return (NULL);
2027 	}
2028 
2029 	/*
2030 	 * We need to allocate a new dynamic variable.  The size we need is the
2031 	 * size of dtrace_dynvar plus the size of nkeys dtrace_key_t's plus the
2032 	 * size of any auxiliary key data (rounded up to 8-byte alignment) plus
2033 	 * the size of any referred-to data (dsize).  We then round the final
2034 	 * size up to the chunksize for allocation.
2035 	 */
2036 	for (ksize = 0, i = 0; i < nkeys; i++)
2037 		ksize += P2ROUNDUP(key[i].dttk_size, sizeof (uint64_t));
2038 
2039 	/*
2040 	 * This should be pretty much impossible, but could happen if, say,
2041 	 * strange DIF specified the tuple.  Ideally, this should be an
2042 	 * assertion and not an error condition -- but that requires that the
2043 	 * chunksize calculation in dtrace_difo_chunksize() be absolutely
2044 	 * bullet-proof.  (That is, it must not be able to be fooled by
2045 	 * malicious DIF.)  Given the lack of backwards branches in DIF,
2046 	 * solving this would presumably not amount to solving the Halting
2047 	 * Problem -- but it still seems awfully hard.
2048 	 */
2049 	if (sizeof (dtrace_dynvar_t) + sizeof (dtrace_key_t) * (nkeys - 1) +
2050 	    ksize + dsize > chunksize) {
2051 		dcpu->dtdsc_drops++;
2052 		return (NULL);
2053 	}
2054 
2055 	nstate = DTRACE_DSTATE_EMPTY;
2056 
2057 	do {
2058 retry:
2059 		free = dcpu->dtdsc_free;
2060 
2061 		if (free == NULL) {
2062 			dtrace_dynvar_t *clean = dcpu->dtdsc_clean;
2063 			void *rval;
2064 
2065 			if (clean == NULL) {
2066 				/*
2067 				 * We're out of dynamic variable space on
2068 				 * this CPU.  Unless we have tried all CPUs,
2069 				 * we'll try to allocate from a different
2070 				 * CPU.
2071 				 */
2072 				switch (dstate->dtds_state) {
2073 				case DTRACE_DSTATE_CLEAN: {
2074 					void *sp = &dstate->dtds_state;
2075 
2076 					if (++cpu >= NCPU)
2077 						cpu = 0;
2078 
2079 					if (dcpu->dtdsc_dirty != NULL &&
2080 					    nstate == DTRACE_DSTATE_EMPTY)
2081 						nstate = DTRACE_DSTATE_DIRTY;
2082 
2083 					if (dcpu->dtdsc_rinsing != NULL)
2084 						nstate = DTRACE_DSTATE_RINSING;
2085 
2086 					dcpu = &dstate->dtds_percpu[cpu];
2087 
2088 					if (cpu != me)
2089 						goto retry;
2090 
2091 					(void) dtrace_cas32(sp,
2092 					    DTRACE_DSTATE_CLEAN, nstate);
2093 
2094 					/*
2095 					 * To increment the correct bean
2096 					 * counter, take another lap.
2097 					 */
2098 					goto retry;
2099 				}
2100 
2101 				case DTRACE_DSTATE_DIRTY:
2102 					dcpu->dtdsc_dirty_drops++;
2103 					break;
2104 
2105 				case DTRACE_DSTATE_RINSING:
2106 					dcpu->dtdsc_rinsing_drops++;
2107 					break;
2108 
2109 				case DTRACE_DSTATE_EMPTY:
2110 					dcpu->dtdsc_drops++;
2111 					break;
2112 				}
2113 
2114 				DTRACE_CPUFLAG_SET(CPU_DTRACE_DROP);
2115 				return (NULL);
2116 			}
2117 
2118 			/*
2119 			 * The clean list appears to be non-empty.  We want to
2120 			 * move the clean list to the free list; we start by
2121 			 * moving the clean pointer aside.
2122 			 */
2123 			if (dtrace_casptr(&dcpu->dtdsc_clean,
2124 			    clean, NULL) != clean) {
2125 				/*
2126 				 * We are in one of two situations:
2127 				 *
2128 				 *  (a)	The clean list was switched to the
2129 				 *	free list by another CPU.
2130 				 *
2131 				 *  (b)	The clean list was added to by the
2132 				 *	cleansing cyclic.
2133 				 *
2134 				 * In either of these situations, we can
2135 				 * just reattempt the free list allocation.
2136 				 */
2137 				goto retry;
2138 			}
2139 
2140 			ASSERT(clean->dtdv_hashval == DTRACE_DYNHASH_FREE);
2141 
2142 			/*
2143 			 * Now we'll move the clean list to our free list.
2144 			 * It's impossible for this to fail:  the only way
2145 			 * the free list can be updated is through this
2146 			 * code path, and only one CPU can own the clean list.
2147 			 * Thus, it would only be possible for this to fail if
2148 			 * this code were racing with dtrace_dynvar_clean().
2149 			 * (That is, if dtrace_dynvar_clean() updated the clean
2150 			 * list, and we ended up racing to update the free
2151 			 * list.)  This race is prevented by the dtrace_sync()
2152 			 * in dtrace_dynvar_clean() -- which flushes the
2153 			 * owners of the clean lists out before resetting
2154 			 * the clean lists.
2155 			 */
2156 			dcpu = &dstate->dtds_percpu[me];
2157 			rval = dtrace_casptr(&dcpu->dtdsc_free, NULL, clean);
2158 			ASSERT(rval == NULL);
2159 			goto retry;
2160 		}
2161 
2162 		dvar = free;
2163 		new_free = dvar->dtdv_next;
2164 	} while (dtrace_casptr(&dcpu->dtdsc_free, free, new_free) != free);
2165 
2166 	/*
2167 	 * We have now allocated a new chunk.  We copy the tuple keys into the
2168 	 * tuple array and copy any referenced key data into the data space
2169 	 * following the tuple array.  As we do this, we relocate dttk_value
2170 	 * in the final tuple to point to the key data address in the chunk.
2171 	 */
2172 	kdata = (uintptr_t)&dvar->dtdv_tuple.dtt_key[nkeys];
2173 	dvar->dtdv_data = (void *)(kdata + ksize);
2174 	dvar->dtdv_tuple.dtt_nkeys = nkeys;
2175 
2176 	for (i = 0; i < nkeys; i++) {
2177 		dtrace_key_t *dkey = &dvar->dtdv_tuple.dtt_key[i];
2178 		size_t kesize = key[i].dttk_size;
2179 
2180 		if (kesize != 0) {
2181 			dtrace_bcopy(
2182 			    (const void *)(uintptr_t)key[i].dttk_value,
2183 			    (void *)kdata, kesize);
2184 			dkey->dttk_value = kdata;
2185 			kdata += P2ROUNDUP(kesize, sizeof (uint64_t));
2186 		} else {
2187 			dkey->dttk_value = key[i].dttk_value;
2188 		}
2189 
2190 		dkey->dttk_size = kesize;
2191 	}
2192 
2193 	ASSERT(dvar->dtdv_hashval == DTRACE_DYNHASH_FREE);
2194 	dvar->dtdv_hashval = hashval;
2195 	dvar->dtdv_next = start;
2196 
2197 	if (dtrace_casptr(&hash[bucket].dtdh_chain, start, dvar) == start)
2198 		return (dvar);
2199 
2200 	/*
2201 	 * The cas has failed.  Either another CPU is adding an element to
2202 	 * this hash chain, or another CPU is deleting an element from this
2203 	 * hash chain.  The simplest way to deal with both of these cases
2204 	 * (though not necessarily the most efficient) is to free our
2205 	 * allocated block and re-attempt it all.  Note that the free is
2206 	 * to the dirty list and _not_ to the free list.  This is to prevent
2207 	 * races with allocators, above.
2208 	 */
2209 	dvar->dtdv_hashval = DTRACE_DYNHASH_FREE;
2210 
2211 	dtrace_membar_producer();
2212 
2213 	do {
2214 		free = dcpu->dtdsc_dirty;
2215 		dvar->dtdv_next = free;
2216 	} while (dtrace_casptr(&dcpu->dtdsc_dirty, free, dvar) != free);
2217 
2218 	goto top;
2219 }
2220 
2221 /*ARGSUSED*/
2222 static void
2223 dtrace_aggregate_min(uint64_t *oval, uint64_t nval, uint64_t arg)
2224 {
2225 	if ((int64_t)nval < (int64_t)*oval)
2226 		*oval = nval;
2227 }
2228 
2229 /*ARGSUSED*/
2230 static void
2231 dtrace_aggregate_max(uint64_t *oval, uint64_t nval, uint64_t arg)
2232 {
2233 	if ((int64_t)nval > (int64_t)*oval)
2234 		*oval = nval;
2235 }
2236 
2237 static void
2238 dtrace_aggregate_quantize(uint64_t *quanta, uint64_t nval, uint64_t incr)
2239 {
2240 	int i, zero = DTRACE_QUANTIZE_ZEROBUCKET;
2241 	int64_t val = (int64_t)nval;
2242 
2243 	if (val < 0) {
2244 		for (i = 0; i < zero; i++) {
2245 			if (val <= DTRACE_QUANTIZE_BUCKETVAL(i)) {
2246 				quanta[i] += incr;
2247 				return;
2248 			}
2249 		}
2250 	} else {
2251 		for (i = zero + 1; i < DTRACE_QUANTIZE_NBUCKETS; i++) {
2252 			if (val < DTRACE_QUANTIZE_BUCKETVAL(i)) {
2253 				quanta[i - 1] += incr;
2254 				return;
2255 			}
2256 		}
2257 
2258 		quanta[DTRACE_QUANTIZE_NBUCKETS - 1] += incr;
2259 		return;
2260 	}
2261 
2262 	ASSERT(0);
2263 }
2264 
2265 static void
2266 dtrace_aggregate_lquantize(uint64_t *lquanta, uint64_t nval, uint64_t incr)
2267 {
2268 	uint64_t arg = *lquanta++;
2269 	int32_t base = DTRACE_LQUANTIZE_BASE(arg);
2270 	uint16_t step = DTRACE_LQUANTIZE_STEP(arg);
2271 	uint16_t levels = DTRACE_LQUANTIZE_LEVELS(arg);
2272 	int32_t val = (int32_t)nval, level;
2273 
2274 	ASSERT(step != 0);
2275 	ASSERT(levels != 0);
2276 
2277 	if (val < base) {
2278 		/*
2279 		 * This is an underflow.
2280 		 */
2281 		lquanta[0] += incr;
2282 		return;
2283 	}
2284 
2285 	level = (val - base) / step;
2286 
2287 	if (level < levels) {
2288 		lquanta[level + 1] += incr;
2289 		return;
2290 	}
2291 
2292 	/*
2293 	 * This is an overflow.
2294 	 */
2295 	lquanta[levels + 1] += incr;
2296 }
2297 
2298 static int
2299 dtrace_aggregate_llquantize_bucket(uint16_t factor, uint16_t low,
2300     uint16_t high, uint16_t nsteps, int64_t value)
2301 {
2302 	int64_t this = 1, last, next;
2303 	int base = 1, order;
2304 
2305 	ASSERT(factor <= nsteps);
2306 	ASSERT(nsteps % factor == 0);
2307 
2308 	for (order = 0; order < low; order++)
2309 		this *= factor;
2310 
2311 	/*
2312 	 * If our value is less than our factor taken to the power of the
2313 	 * low order of magnitude, it goes into the zeroth bucket.
2314 	 */
2315 	if (value < (last = this))
2316 		return (0);
2317 
2318 	for (this *= factor; order <= high; order++) {
2319 		int nbuckets = this > nsteps ? nsteps : this;
2320 
2321 		if ((next = this * factor) < this) {
2322 			/*
2323 			 * We should not generally get log/linear quantizations
2324 			 * with a high magnitude that allows 64-bits to
2325 			 * overflow, but we nonetheless protect against this
2326 			 * by explicitly checking for overflow, and clamping
2327 			 * our value accordingly.
2328 			 */
2329 			value = this - 1;
2330 		}
2331 
2332 		if (value < this) {
2333 			/*
2334 			 * If our value lies within this order of magnitude,
2335 			 * determine its position by taking the offset within
2336 			 * the order of magnitude, dividing by the bucket
2337 			 * width, and adding to our (accumulated) base.
2338 			 */
2339 			return (base + (value - last) / (this / nbuckets));
2340 		}
2341 
2342 		base += nbuckets - (nbuckets / factor);
2343 		last = this;
2344 		this = next;
2345 	}
2346 
2347 	/*
2348 	 * Our value is greater than or equal to our factor taken to the
2349 	 * power of one plus the high magnitude -- return the top bucket.
2350 	 */
2351 	return (base);
2352 }
2353 
2354 static void
2355 dtrace_aggregate_llquantize(uint64_t *llquanta, uint64_t nval, uint64_t incr)
2356 {
2357 	uint64_t arg = *llquanta++;
2358 	uint16_t factor = DTRACE_LLQUANTIZE_FACTOR(arg);
2359 	uint16_t low = DTRACE_LLQUANTIZE_LOW(arg);
2360 	uint16_t high = DTRACE_LLQUANTIZE_HIGH(arg);
2361 	uint16_t nsteps = DTRACE_LLQUANTIZE_NSTEP(arg);
2362 
2363 	llquanta[dtrace_aggregate_llquantize_bucket(factor,
2364 	    low, high, nsteps, nval)] += incr;
2365 }
2366 
2367 /*ARGSUSED*/
2368 static void
2369 dtrace_aggregate_avg(uint64_t *data, uint64_t nval, uint64_t arg)
2370 {
2371 	data[0]++;
2372 	data[1] += nval;
2373 }
2374 
2375 /*ARGSUSED*/
2376 static void
2377 dtrace_aggregate_stddev(uint64_t *data, uint64_t nval, uint64_t arg)
2378 {
2379 	int64_t snval = (int64_t)nval;
2380 	uint64_t tmp[2];
2381 
2382 	data[0]++;
2383 	data[1] += nval;
2384 
2385 	/*
2386 	 * What we want to say here is:
2387 	 *
2388 	 * data[2] += nval * nval;
2389 	 *
2390 	 * But given that nval is 64-bit, we could easily overflow, so
2391 	 * we do this as 128-bit arithmetic.
2392 	 */
2393 	if (snval < 0)
2394 		snval = -snval;
2395 
2396 	dtrace_multiply_128((uint64_t)snval, (uint64_t)snval, tmp);
2397 	dtrace_add_128(data + 2, tmp, data + 2);
2398 }
2399 
2400 /*ARGSUSED*/
2401 static void
2402 dtrace_aggregate_count(uint64_t *oval, uint64_t nval, uint64_t arg)
2403 {
2404 	*oval = *oval + 1;
2405 }
2406 
2407 /*ARGSUSED*/
2408 static void
2409 dtrace_aggregate_sum(uint64_t *oval, uint64_t nval, uint64_t arg)
2410 {
2411 	*oval += nval;
2412 }
2413 
2414 /*
2415  * Aggregate given the tuple in the principal data buffer, and the aggregating
2416  * action denoted by the specified dtrace_aggregation_t.  The aggregation
2417  * buffer is specified as the buf parameter.  This routine does not return
2418  * failure; if there is no space in the aggregation buffer, the data will be
2419  * dropped, and a corresponding counter incremented.
2420  */
2421 static void
2422 dtrace_aggregate(dtrace_aggregation_t *agg, dtrace_buffer_t *dbuf,
2423     intptr_t offset, dtrace_buffer_t *buf, uint64_t expr, uint64_t arg)
2424 {
2425 	dtrace_recdesc_t *rec = &agg->dtag_action.dta_rec;
2426 	uint32_t i, ndx, size, fsize;
2427 	uint32_t align = sizeof (uint64_t) - 1;
2428 	dtrace_aggbuffer_t *agb;
2429 	dtrace_aggkey_t *key;
2430 	uint32_t hashval = 0, limit, isstr;
2431 	caddr_t tomax, data, kdata;
2432 	dtrace_actkind_t action;
2433 	dtrace_action_t *act;
2434 	uintptr_t offs;
2435 
2436 	if (buf == NULL)
2437 		return;
2438 
2439 	if (!agg->dtag_hasarg) {
2440 		/*
2441 		 * Currently, only quantize() and lquantize() take additional
2442 		 * arguments, and they have the same semantics:  an increment
2443 		 * value that defaults to 1 when not present.  If additional
2444 		 * aggregating actions take arguments, the setting of the
2445 		 * default argument value will presumably have to become more
2446 		 * sophisticated...
2447 		 */
2448 		arg = 1;
2449 	}
2450 
2451 	action = agg->dtag_action.dta_kind - DTRACEACT_AGGREGATION;
2452 	size = rec->dtrd_offset - agg->dtag_base;
2453 	fsize = size + rec->dtrd_size;
2454 
2455 	ASSERT(dbuf->dtb_tomax != NULL);
2456 	data = dbuf->dtb_tomax + offset + agg->dtag_base;
2457 
2458 	if ((tomax = buf->dtb_tomax) == NULL) {
2459 		dtrace_buffer_drop(buf);
2460 		return;
2461 	}
2462 
2463 	/*
2464 	 * The metastructure is always at the bottom of the buffer.
2465 	 */
2466 	agb = (dtrace_aggbuffer_t *)(tomax + buf->dtb_size -
2467 	    sizeof (dtrace_aggbuffer_t));
2468 
2469 	if (buf->dtb_offset == 0) {
2470 		/*
2471 		 * We just kludge up approximately 1/8th of the size to be
2472 		 * buckets.  If this guess ends up being routinely
2473 		 * off-the-mark, we may need to dynamically readjust this
2474 		 * based on past performance.
2475 		 */
2476 		uintptr_t hashsize = (buf->dtb_size >> 3) / sizeof (uintptr_t);
2477 
2478 		if ((uintptr_t)agb - hashsize * sizeof (dtrace_aggkey_t *) <
2479 		    (uintptr_t)tomax || hashsize == 0) {
2480 			/*
2481 			 * We've been given a ludicrously small buffer;
2482 			 * increment our drop count and leave.
2483 			 */
2484 			dtrace_buffer_drop(buf);
2485 			return;
2486 		}
2487 
2488 		/*
2489 		 * And now, a pathetic attempt to try to get a an odd (or
2490 		 * perchance, a prime) hash size for better hash distribution.
2491 		 */
2492 		if (hashsize > (DTRACE_AGGHASHSIZE_SLEW << 3))
2493 			hashsize -= DTRACE_AGGHASHSIZE_SLEW;
2494 
2495 		agb->dtagb_hashsize = hashsize;
2496 		agb->dtagb_hash = (dtrace_aggkey_t **)((uintptr_t)agb -
2497 		    agb->dtagb_hashsize * sizeof (dtrace_aggkey_t *));
2498 		agb->dtagb_free = (uintptr_t)agb->dtagb_hash;
2499 
2500 		for (i = 0; i < agb->dtagb_hashsize; i++)
2501 			agb->dtagb_hash[i] = NULL;
2502 	}
2503 
2504 	ASSERT(agg->dtag_first != NULL);
2505 	ASSERT(agg->dtag_first->dta_intuple);
2506 
2507 	/*
2508 	 * Calculate the hash value based on the key.  Note that we _don't_
2509 	 * include the aggid in the hashing (but we will store it as part of
2510 	 * the key).  The hashing algorithm is Bob Jenkins' "One-at-a-time"
2511 	 * algorithm: a simple, quick algorithm that has no known funnels, and
2512 	 * gets good distribution in practice.  The efficacy of the hashing
2513 	 * algorithm (and a comparison with other algorithms) may be found by
2514 	 * running the ::dtrace_aggstat MDB dcmd.
2515 	 */
2516 	for (act = agg->dtag_first; act->dta_intuple; act = act->dta_next) {
2517 		i = act->dta_rec.dtrd_offset - agg->dtag_base;
2518 		limit = i + act->dta_rec.dtrd_size;
2519 		ASSERT(limit <= size);
2520 		isstr = DTRACEACT_ISSTRING(act);
2521 
2522 		for (; i < limit; i++) {
2523 			hashval += data[i];
2524 			hashval += (hashval << 10);
2525 			hashval ^= (hashval >> 6);
2526 
2527 			if (isstr && data[i] == '\0')
2528 				break;
2529 		}
2530 	}
2531 
2532 	hashval += (hashval << 3);
2533 	hashval ^= (hashval >> 11);
2534 	hashval += (hashval << 15);
2535 
2536 	/*
2537 	 * Yes, the divide here is expensive -- but it's generally the least
2538 	 * of the performance issues given the amount of data that we iterate
2539 	 * over to compute hash values, compare data, etc.
2540 	 */
2541 	ndx = hashval % agb->dtagb_hashsize;
2542 
2543 	for (key = agb->dtagb_hash[ndx]; key != NULL; key = key->dtak_next) {
2544 		ASSERT((caddr_t)key >= tomax);
2545 		ASSERT((caddr_t)key < tomax + buf->dtb_size);
2546 
2547 		if (hashval != key->dtak_hashval || key->dtak_size != size)
2548 			continue;
2549 
2550 		kdata = key->dtak_data;
2551 		ASSERT(kdata >= tomax && kdata < tomax + buf->dtb_size);
2552 
2553 		for (act = agg->dtag_first; act->dta_intuple;
2554 		    act = act->dta_next) {
2555 			i = act->dta_rec.dtrd_offset - agg->dtag_base;
2556 			limit = i + act->dta_rec.dtrd_size;
2557 			ASSERT(limit <= size);
2558 			isstr = DTRACEACT_ISSTRING(act);
2559 
2560 			for (; i < limit; i++) {
2561 				if (kdata[i] != data[i])
2562 					goto next;
2563 
2564 				if (isstr && data[i] == '\0')
2565 					break;
2566 			}
2567 		}
2568 
2569 		if (action != key->dtak_action) {
2570 			/*
2571 			 * We are aggregating on the same value in the same
2572 			 * aggregation with two different aggregating actions.
2573 			 * (This should have been picked up in the compiler,
2574 			 * so we may be dealing with errant or devious DIF.)
2575 			 * This is an error condition; we indicate as much,
2576 			 * and return.
2577 			 */
2578 			DTRACE_CPUFLAG_SET(CPU_DTRACE_ILLOP);
2579 			return;
2580 		}
2581 
2582 		/*
2583 		 * This is a hit:  we need to apply the aggregator to
2584 		 * the value at this key.
2585 		 */
2586 		agg->dtag_aggregate((uint64_t *)(kdata + size), expr, arg);
2587 		return;
2588 next:
2589 		continue;
2590 	}
2591 
2592 	/*
2593 	 * We didn't find it.  We need to allocate some zero-filled space,
2594 	 * link it into the hash table appropriately, and apply the aggregator
2595 	 * to the (zero-filled) value.
2596 	 */
2597 	offs = buf->dtb_offset;
2598 	while (offs & (align - 1))
2599 		offs += sizeof (uint32_t);
2600 
2601 	/*
2602 	 * If we don't have enough room to both allocate a new key _and_
2603 	 * its associated data, increment the drop count and return.
2604 	 */
2605 	if ((uintptr_t)tomax + offs + fsize >
2606 	    agb->dtagb_free - sizeof (dtrace_aggkey_t)) {
2607 		dtrace_buffer_drop(buf);
2608 		return;
2609 	}
2610 
2611 	/*CONSTCOND*/
2612 	ASSERT(!(sizeof (dtrace_aggkey_t) & (sizeof (uintptr_t) - 1)));
2613 	key = (dtrace_aggkey_t *)(agb->dtagb_free - sizeof (dtrace_aggkey_t));
2614 	agb->dtagb_free -= sizeof (dtrace_aggkey_t);
2615 
2616 	key->dtak_data = kdata = tomax + offs;
2617 	buf->dtb_offset = offs + fsize;
2618 
2619 	/*
2620 	 * Now copy the data across.
2621 	 */
2622 	*((dtrace_aggid_t *)kdata) = agg->dtag_id;
2623 
2624 	for (i = sizeof (dtrace_aggid_t); i < size; i++)
2625 		kdata[i] = data[i];
2626 
2627 	/*
2628 	 * Because strings are not zeroed out by default, we need to iterate
2629 	 * looking for actions that store strings, and we need to explicitly
2630 	 * pad these strings out with zeroes.
2631 	 */
2632 	for (act = agg->dtag_first; act->dta_intuple; act = act->dta_next) {
2633 		int nul;
2634 
2635 		if (!DTRACEACT_ISSTRING(act))
2636 			continue;
2637 
2638 		i = act->dta_rec.dtrd_offset - agg->dtag_base;
2639 		limit = i + act->dta_rec.dtrd_size;
2640 		ASSERT(limit <= size);
2641 
2642 		for (nul = 0; i < limit; i++) {
2643 			if (nul) {
2644 				kdata[i] = '\0';
2645 				continue;
2646 			}
2647 
2648 			if (data[i] != '\0')
2649 				continue;
2650 
2651 			nul = 1;
2652 		}
2653 	}
2654 
2655 	for (i = size; i < fsize; i++)
2656 		kdata[i] = 0;
2657 
2658 	key->dtak_hashval = hashval;
2659 	key->dtak_size = size;
2660 	key->dtak_action = action;
2661 	key->dtak_next = agb->dtagb_hash[ndx];
2662 	agb->dtagb_hash[ndx] = key;
2663 
2664 	/*
2665 	 * Finally, apply the aggregator.
2666 	 */
2667 	*((uint64_t *)(key->dtak_data + size)) = agg->dtag_initial;
2668 	agg->dtag_aggregate((uint64_t *)(key->dtak_data + size), expr, arg);
2669 }
2670 
2671 /*
2672  * Given consumer state, this routine finds a speculation in the INACTIVE
2673  * state and transitions it into the ACTIVE state.  If there is no speculation
2674  * in the INACTIVE state, 0 is returned.  In this case, no error counter is
2675  * incremented -- it is up to the caller to take appropriate action.
2676  */
2677 static int
2678 dtrace_speculation(dtrace_state_t *state)
2679 {
2680 	int i = 0;
2681 	dtrace_speculation_state_t current;
2682 	uint32_t *stat = &state->dts_speculations_unavail, count;
2683 
2684 	while (i < state->dts_nspeculations) {
2685 		dtrace_speculation_t *spec = &state->dts_speculations[i];
2686 
2687 		current = spec->dtsp_state;
2688 
2689 		if (current != DTRACESPEC_INACTIVE) {
2690 			if (current == DTRACESPEC_COMMITTINGMANY ||
2691 			    current == DTRACESPEC_COMMITTING ||
2692 			    current == DTRACESPEC_DISCARDING)
2693 				stat = &state->dts_speculations_busy;
2694 			i++;
2695 			continue;
2696 		}
2697 
2698 		if (dtrace_cas32((uint32_t *)&spec->dtsp_state,
2699 		    current, DTRACESPEC_ACTIVE) == current)
2700 			return (i + 1);
2701 	}
2702 
2703 	/*
2704 	 * We couldn't find a speculation.  If we found as much as a single
2705 	 * busy speculation buffer, we'll attribute this failure as "busy"
2706 	 * instead of "unavail".
2707 	 */
2708 	do {
2709 		count = *stat;
2710 	} while (dtrace_cas32(stat, count, count + 1) != count);
2711 
2712 	return (0);
2713 }
2714 
2715 /*
2716  * This routine commits an active speculation.  If the specified speculation
2717  * is not in a valid state to perform a commit(), this routine will silently do
2718  * nothing.  The state of the specified speculation is transitioned according
2719  * to the state transition diagram outlined in <sys/dtrace_impl.h>
2720  */
2721 static void
2722 dtrace_speculation_commit(dtrace_state_t *state, processorid_t cpu,
2723     dtrace_specid_t which)
2724 {
2725 	dtrace_speculation_t *spec;
2726 	dtrace_buffer_t *src, *dest;
2727 	uintptr_t daddr, saddr, dlimit, slimit;
2728 	dtrace_speculation_state_t current, new;
2729 	intptr_t offs;
2730 	uint64_t timestamp;
2731 
2732 	if (which == 0)
2733 		return;
2734 
2735 	if (which > state->dts_nspeculations) {
2736 		cpu_core[cpu].cpuc_dtrace_flags |= CPU_DTRACE_ILLOP;
2737 		return;
2738 	}
2739 
2740 	spec = &state->dts_speculations[which - 1];
2741 	src = &spec->dtsp_buffer[cpu];
2742 	dest = &state->dts_buffer[cpu];
2743 
2744 	do {
2745 		current = spec->dtsp_state;
2746 
2747 		if (current == DTRACESPEC_COMMITTINGMANY)
2748 			break;
2749 
2750 		switch (current) {
2751 		case DTRACESPEC_INACTIVE:
2752 		case DTRACESPEC_DISCARDING:
2753 			return;
2754 
2755 		case DTRACESPEC_COMMITTING:
2756 			/*
2757 			 * This is only possible if we are (a) commit()'ing
2758 			 * without having done a prior speculate() on this CPU
2759 			 * and (b) racing with another commit() on a different
2760 			 * CPU.  There's nothing to do -- we just assert that
2761 			 * our offset is 0.
2762 			 */
2763 			ASSERT(src->dtb_offset == 0);
2764 			return;
2765 
2766 		case DTRACESPEC_ACTIVE:
2767 			new = DTRACESPEC_COMMITTING;
2768 			break;
2769 
2770 		case DTRACESPEC_ACTIVEONE:
2771 			/*
2772 			 * This speculation is active on one CPU.  If our
2773 			 * buffer offset is non-zero, we know that the one CPU
2774 			 * must be us.  Otherwise, we are committing on a
2775 			 * different CPU from the speculate(), and we must
2776 			 * rely on being asynchronously cleaned.
2777 			 */
2778 			if (src->dtb_offset != 0) {
2779 				new = DTRACESPEC_COMMITTING;
2780 				break;
2781 			}
2782 			/*FALLTHROUGH*/
2783 
2784 		case DTRACESPEC_ACTIVEMANY:
2785 			new = DTRACESPEC_COMMITTINGMANY;
2786 			break;
2787 
2788 		default:
2789 			ASSERT(0);
2790 		}
2791 	} while (dtrace_cas32((uint32_t *)&spec->dtsp_state,
2792 	    current, new) != current);
2793 
2794 	/*
2795 	 * We have set the state to indicate that we are committing this
2796 	 * speculation.  Now reserve the necessary space in the destination
2797 	 * buffer.
2798 	 */
2799 	if ((offs = dtrace_buffer_reserve(dest, src->dtb_offset,
2800 	    sizeof (uint64_t), state, NULL)) < 0) {
2801 		dtrace_buffer_drop(dest);
2802 		goto out;
2803 	}
2804 
2805 	/*
2806 	 * We have sufficient space to copy the speculative buffer into the
2807 	 * primary buffer.  First, modify the speculative buffer, filling
2808 	 * in the timestamp of all entries with the current time.  The data
2809 	 * must have the commit() time rather than the time it was traced,
2810 	 * so that all entries in the primary buffer are in timestamp order.
2811 	 */
2812 	timestamp = dtrace_gethrtime();
2813 	saddr = (uintptr_t)src->dtb_tomax;
2814 	slimit = saddr + src->dtb_offset;
2815 	while (saddr < slimit) {
2816 		size_t size;
2817 		dtrace_rechdr_t *dtrh = (dtrace_rechdr_t *)saddr;
2818 
2819 		if (dtrh->dtrh_epid == DTRACE_EPIDNONE) {
2820 			saddr += sizeof (dtrace_epid_t);
2821 			continue;
2822 		}
2823 		ASSERT3U(dtrh->dtrh_epid, <=, state->dts_necbs);
2824 		size = state->dts_ecbs[dtrh->dtrh_epid - 1]->dte_size;
2825 
2826 		ASSERT3U(saddr + size, <=, slimit);
2827 		ASSERT3U(size, >=, sizeof (dtrace_rechdr_t));
2828 		ASSERT3U(DTRACE_RECORD_LOAD_TIMESTAMP(dtrh), ==, UINT64_MAX);
2829 
2830 		DTRACE_RECORD_STORE_TIMESTAMP(dtrh, timestamp);
2831 
2832 		saddr += size;
2833 	}
2834 
2835 	/*
2836 	 * Copy the buffer across.  (Note that this is a
2837 	 * highly subobtimal bcopy(); in the unlikely event that this becomes
2838 	 * a serious performance issue, a high-performance DTrace-specific
2839 	 * bcopy() should obviously be invented.)
2840 	 */
2841 	daddr = (uintptr_t)dest->dtb_tomax + offs;
2842 	dlimit = daddr + src->dtb_offset;
2843 	saddr = (uintptr_t)src->dtb_tomax;
2844 
2845 	/*
2846 	 * First, the aligned portion.
2847 	 */
2848 	while (dlimit - daddr >= sizeof (uint64_t)) {
2849 		*((uint64_t *)daddr) = *((uint64_t *)saddr);
2850 
2851 		daddr += sizeof (uint64_t);
2852 		saddr += sizeof (uint64_t);
2853 	}
2854 
2855 	/*
2856 	 * Now any left-over bit...
2857 	 */
2858 	while (dlimit - daddr)
2859 		*((uint8_t *)daddr++) = *((uint8_t *)saddr++);
2860 
2861 	/*
2862 	 * Finally, commit the reserved space in the destination buffer.
2863 	 */
2864 	dest->dtb_offset = offs + src->dtb_offset;
2865 
2866 out:
2867 	/*
2868 	 * If we're lucky enough to be the only active CPU on this speculation
2869 	 * buffer, we can just set the state back to DTRACESPEC_INACTIVE.
2870 	 */
2871 	if (current == DTRACESPEC_ACTIVE ||
2872 	    (current == DTRACESPEC_ACTIVEONE && new == DTRACESPEC_COMMITTING)) {
2873 		uint32_t rval = dtrace_cas32((uint32_t *)&spec->dtsp_state,
2874 		    DTRACESPEC_COMMITTING, DTRACESPEC_INACTIVE);
2875 
2876 		ASSERT(rval == DTRACESPEC_COMMITTING);
2877 	}
2878 
2879 	src->dtb_offset = 0;
2880 	src->dtb_xamot_drops += src->dtb_drops;
2881 	src->dtb_drops = 0;
2882 }
2883 
2884 /*
2885  * This routine discards an active speculation.  If the specified speculation
2886  * is not in a valid state to perform a discard(), this routine will silently
2887  * do nothing.  The state of the specified speculation is transitioned
2888  * according to the state transition diagram outlined in <sys/dtrace_impl.h>
2889  */
2890 static void
2891 dtrace_speculation_discard(dtrace_state_t *state, processorid_t cpu,
2892     dtrace_specid_t which)
2893 {
2894 	dtrace_speculation_t *spec;
2895 	dtrace_speculation_state_t current, new;
2896 	dtrace_buffer_t *buf;
2897 
2898 	if (which == 0)
2899 		return;
2900 
2901 	if (which > state->dts_nspeculations) {
2902 		cpu_core[cpu].cpuc_dtrace_flags |= CPU_DTRACE_ILLOP;
2903 		return;
2904 	}
2905 
2906 	spec = &state->dts_speculations[which - 1];
2907 	buf = &spec->dtsp_buffer[cpu];
2908 
2909 	do {
2910 		current = spec->dtsp_state;
2911 
2912 		switch (current) {
2913 		case DTRACESPEC_INACTIVE:
2914 		case DTRACESPEC_COMMITTINGMANY:
2915 		case DTRACESPEC_COMMITTING:
2916 		case DTRACESPEC_DISCARDING:
2917 			return;
2918 
2919 		case DTRACESPEC_ACTIVE:
2920 		case DTRACESPEC_ACTIVEMANY:
2921 			new = DTRACESPEC_DISCARDING;
2922 			break;
2923 
2924 		case DTRACESPEC_ACTIVEONE:
2925 			if (buf->dtb_offset != 0) {
2926 				new = DTRACESPEC_INACTIVE;
2927 			} else {
2928 				new = DTRACESPEC_DISCARDING;
2929 			}
2930 			break;
2931 
2932 		default:
2933 			ASSERT(0);
2934 		}
2935 	} while (dtrace_cas32((uint32_t *)&spec->dtsp_state,
2936 	    current, new) != current);
2937 
2938 	buf->dtb_offset = 0;
2939 	buf->dtb_drops = 0;
2940 }
2941 
2942 /*
2943  * Note:  not called from probe context.  This function is called
2944  * asynchronously from cross call context to clean any speculations that are
2945  * in the COMMITTINGMANY or DISCARDING states.  These speculations may not be
2946  * transitioned back to the INACTIVE state until all CPUs have cleaned the
2947  * speculation.
2948  */
2949 static void
2950 dtrace_speculation_clean_here(dtrace_state_t *state)
2951 {
2952 	dtrace_icookie_t cookie;
2953 	processorid_t cpu = CPU->cpu_id;
2954 	dtrace_buffer_t *dest = &state->dts_buffer[cpu];
2955 	dtrace_specid_t i;
2956 
2957 	cookie = dtrace_interrupt_disable();
2958 
2959 	if (dest->dtb_tomax == NULL) {
2960 		dtrace_interrupt_enable(cookie);
2961 		return;
2962 	}
2963 
2964 	for (i = 0; i < state->dts_nspeculations; i++) {
2965 		dtrace_speculation_t *spec = &state->dts_speculations[i];
2966 		dtrace_buffer_t *src = &spec->dtsp_buffer[cpu];
2967 
2968 		if (src->dtb_tomax == NULL)
2969 			continue;
2970 
2971 		if (spec->dtsp_state == DTRACESPEC_DISCARDING) {
2972 			src->dtb_offset = 0;
2973 			continue;
2974 		}
2975 
2976 		if (spec->dtsp_state != DTRACESPEC_COMMITTINGMANY)
2977 			continue;
2978 
2979 		if (src->dtb_offset == 0)
2980 			continue;
2981 
2982 		dtrace_speculation_commit(state, cpu, i + 1);
2983 	}
2984 
2985 	dtrace_interrupt_enable(cookie);
2986 }
2987 
2988 /*
2989  * Note:  not called from probe context.  This function is called
2990  * asynchronously (and at a regular interval) to clean any speculations that
2991  * are in the COMMITTINGMANY or DISCARDING states.  If it discovers that there
2992  * is work to be done, it cross calls all CPUs to perform that work;
2993  * COMMITMANY and DISCARDING speculations may not be transitioned back to the
2994  * INACTIVE state until they have been cleaned by all CPUs.
2995  */
2996 static void
2997 dtrace_speculation_clean(dtrace_state_t *state)
2998 {
2999 	int work = 0, rv;
3000 	dtrace_specid_t i;
3001 
3002 	for (i = 0; i < state->dts_nspeculations; i++) {
3003 		dtrace_speculation_t *spec = &state->dts_speculations[i];
3004 
3005 		ASSERT(!spec->dtsp_cleaning);
3006 
3007 		if (spec->dtsp_state != DTRACESPEC_DISCARDING &&
3008 		    spec->dtsp_state != DTRACESPEC_COMMITTINGMANY)
3009 			continue;
3010 
3011 		work++;
3012 		spec->dtsp_cleaning = 1;
3013 	}
3014 
3015 	if (!work)
3016 		return;
3017 
3018 	dtrace_xcall(DTRACE_CPUALL,
3019 	    (dtrace_xcall_t)dtrace_speculation_clean_here, state);
3020 
3021 	/*
3022 	 * We now know that all CPUs have committed or discarded their
3023 	 * speculation buffers, as appropriate.  We can now set the state
3024 	 * to inactive.
3025 	 */
3026 	for (i = 0; i < state->dts_nspeculations; i++) {
3027 		dtrace_speculation_t *spec = &state->dts_speculations[i];
3028 		dtrace_speculation_state_t current, new;
3029 
3030 		if (!spec->dtsp_cleaning)
3031 			continue;
3032 
3033 		current = spec->dtsp_state;
3034 		ASSERT(current == DTRACESPEC_DISCARDING ||
3035 		    current == DTRACESPEC_COMMITTINGMANY);
3036 
3037 		new = DTRACESPEC_INACTIVE;
3038 
3039 		rv = dtrace_cas32((uint32_t *)&spec->dtsp_state, current, new);
3040 		ASSERT(rv == current);
3041 		spec->dtsp_cleaning = 0;
3042 	}
3043 }
3044 
3045 /*
3046  * Called as part of a speculate() to get the speculative buffer associated
3047  * with a given speculation.  Returns NULL if the specified speculation is not
3048  * in an ACTIVE state.  If the speculation is in the ACTIVEONE state -- and
3049  * the active CPU is not the specified CPU -- the speculation will be
3050  * atomically transitioned into the ACTIVEMANY state.
3051  */
3052 static dtrace_buffer_t *
3053 dtrace_speculation_buffer(dtrace_state_t *state, processorid_t cpuid,
3054     dtrace_specid_t which)
3055 {
3056 	dtrace_speculation_t *spec;
3057 	dtrace_speculation_state_t current, new;
3058 	dtrace_buffer_t *buf;
3059 
3060 	if (which == 0)
3061 		return (NULL);
3062 
3063 	if (which > state->dts_nspeculations) {
3064 		cpu_core[cpuid].cpuc_dtrace_flags |= CPU_DTRACE_ILLOP;
3065 		return (NULL);
3066 	}
3067 
3068 	spec = &state->dts_speculations[which - 1];
3069 	buf = &spec->dtsp_buffer[cpuid];
3070 
3071 	do {
3072 		current = spec->dtsp_state;
3073 
3074 		switch (current) {
3075 		case DTRACESPEC_INACTIVE:
3076 		case DTRACESPEC_COMMITTINGMANY:
3077 		case DTRACESPEC_DISCARDING:
3078 			return (NULL);
3079 
3080 		case DTRACESPEC_COMMITTING:
3081 			ASSERT(buf->dtb_offset == 0);
3082 			return (NULL);
3083 
3084 		case DTRACESPEC_ACTIVEONE:
3085 			/*
3086 			 * This speculation is currently active on one CPU.
3087 			 * Check the offset in the buffer; if it's non-zero,
3088 			 * that CPU must be us (and we leave the state alone).
3089 			 * If it's zero, assume that we're starting on a new
3090 			 * CPU -- and change the state to indicate that the
3091 			 * speculation is active on more than one CPU.
3092 			 */
3093 			if (buf->dtb_offset != 0)
3094 				return (buf);
3095 
3096 			new = DTRACESPEC_ACTIVEMANY;
3097 			break;
3098 
3099 		case DTRACESPEC_ACTIVEMANY:
3100 			return (buf);
3101 
3102 		case DTRACESPEC_ACTIVE:
3103 			new = DTRACESPEC_ACTIVEONE;
3104 			break;
3105 
3106 		default:
3107 			ASSERT(0);
3108 		}
3109 	} while (dtrace_cas32((uint32_t *)&spec->dtsp_state,
3110 	    current, new) != current);
3111 
3112 	ASSERT(new == DTRACESPEC_ACTIVEONE || new == DTRACESPEC_ACTIVEMANY);
3113 	return (buf);
3114 }
3115 
3116 /*
3117  * Return a string.  In the event that the user lacks the privilege to access
3118  * arbitrary kernel memory, we copy the string out to scratch memory so that we
3119  * don't fail access checking.
3120  *
3121  * dtrace_dif_variable() uses this routine as a helper for various
3122  * builtin values such as 'execname' and 'probefunc.'
3123  */
3124 uintptr_t
3125 dtrace_dif_varstr(uintptr_t addr, dtrace_state_t *state,
3126     dtrace_mstate_t *mstate)
3127 {
3128 	uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
3129 	uintptr_t ret;
3130 	size_t strsz;
3131 
3132 	/*
3133 	 * The easy case: this probe is allowed to read all of memory, so
3134 	 * we can just return this as a vanilla pointer.
3135 	 */
3136 	if ((mstate->dtms_access & DTRACE_ACCESS_KERNEL) != 0)
3137 		return (addr);
3138 
3139 	/*
3140 	 * This is the tougher case: we copy the string in question from
3141 	 * kernel memory into scratch memory and return it that way: this
3142 	 * ensures that we won't trip up when access checking tests the
3143 	 * BYREF return value.
3144 	 */
3145 	strsz = dtrace_strlen((char *)addr, size) + 1;
3146 
3147 	if (mstate->dtms_scratch_ptr + strsz >
3148 	    mstate->dtms_scratch_base + mstate->dtms_scratch_size) {
3149 		DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
3150 		return (0);
3151 	}
3152 
3153 	dtrace_strcpy((const void *)addr, (void *)mstate->dtms_scratch_ptr,
3154 	    strsz);
3155 	ret = mstate->dtms_scratch_ptr;
3156 	mstate->dtms_scratch_ptr += strsz;
3157 	return (ret);
3158 }
3159 
3160 /*
3161  * This function implements the DIF emulator's variable lookups.  The emulator
3162  * passes a reserved variable identifier and optional built-in array index.
3163  */
3164 static uint64_t
3165 dtrace_dif_variable(dtrace_mstate_t *mstate, dtrace_state_t *state, uint64_t v,
3166     uint64_t ndx)
3167 {
3168 	/*
3169 	 * If we're accessing one of the uncached arguments, we'll turn this
3170 	 * into a reference in the args array.
3171 	 */
3172 	if (v >= DIF_VAR_ARG0 && v <= DIF_VAR_ARG9) {
3173 		ndx = v - DIF_VAR_ARG0;
3174 		v = DIF_VAR_ARGS;
3175 	}
3176 
3177 	switch (v) {
3178 	case DIF_VAR_ARGS:
3179 		if (!(mstate->dtms_access & DTRACE_ACCESS_ARGS)) {
3180 			cpu_core[CPU->cpu_id].cpuc_dtrace_flags |=
3181 			    CPU_DTRACE_KPRIV;
3182 			return (0);
3183 		}
3184 
3185 		ASSERT(mstate->dtms_present & DTRACE_MSTATE_ARGS);
3186 		if (ndx >= sizeof (mstate->dtms_arg) /
3187 		    sizeof (mstate->dtms_arg[0])) {
3188 			int aframes = mstate->dtms_probe->dtpr_aframes + 2;
3189 			dtrace_provider_t *pv;
3190 			uint64_t val;
3191 
3192 			pv = mstate->dtms_probe->dtpr_provider;
3193 			if (pv->dtpv_pops.dtps_getargval != NULL)
3194 				val = pv->dtpv_pops.dtps_getargval(pv->dtpv_arg,
3195 				    mstate->dtms_probe->dtpr_id,
3196 				    mstate->dtms_probe->dtpr_arg, ndx, aframes);
3197 			else
3198 				val = dtrace_getarg(ndx, aframes);
3199 
3200 			/*
3201 			 * This is regrettably required to keep the compiler
3202 			 * from tail-optimizing the call to dtrace_getarg().
3203 			 * The condition always evaluates to true, but the
3204 			 * compiler has no way of figuring that out a priori.
3205 			 * (None of this would be necessary if the compiler
3206 			 * could be relied upon to _always_ tail-optimize
3207 			 * the call to dtrace_getarg() -- but it can't.)
3208 			 */
3209 			if (mstate->dtms_probe != NULL)
3210 				return (val);
3211 
3212 			ASSERT(0);
3213 		}
3214 
3215 		return (mstate->dtms_arg[ndx]);
3216 
3217 	case DIF_VAR_UREGS: {
3218 		klwp_t *lwp;
3219 
3220 		if (!dtrace_priv_proc(state, mstate))
3221 			return (0);
3222 
3223 		if ((lwp = curthread->t_lwp) == NULL) {
3224 			DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
3225 			cpu_core[CPU->cpu_id].cpuc_dtrace_illval = 0;
3226 			return (0);
3227 		}
3228 
3229 		return (dtrace_getreg(lwp->lwp_regs, ndx));
3230 	}
3231 
3232 	case DIF_VAR_VMREGS: {
3233 		uint64_t rval;
3234 
3235 		if (!dtrace_priv_kernel(state))
3236 			return (0);
3237 
3238 		DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
3239 
3240 		rval = dtrace_getvmreg(ndx,
3241 		    &cpu_core[CPU->cpu_id].cpuc_dtrace_flags);
3242 
3243 		DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
3244 
3245 		return (rval);
3246 	}
3247 
3248 	case DIF_VAR_CURTHREAD:
3249 		if (!dtrace_priv_proc(state, mstate))
3250 			return (0);
3251 		return ((uint64_t)(uintptr_t)curthread);
3252 
3253 	case DIF_VAR_TIMESTAMP:
3254 		if (!(mstate->dtms_present & DTRACE_MSTATE_TIMESTAMP)) {
3255 			mstate->dtms_timestamp = dtrace_gethrtime();
3256 			mstate->dtms_present |= DTRACE_MSTATE_TIMESTAMP;
3257 		}
3258 		return (mstate->dtms_timestamp);
3259 
3260 	case DIF_VAR_VTIMESTAMP:
3261 		ASSERT(dtrace_vtime_references != 0);
3262 		return (curthread->t_dtrace_vtime);
3263 
3264 	case DIF_VAR_WALLTIMESTAMP:
3265 		if (!(mstate->dtms_present & DTRACE_MSTATE_WALLTIMESTAMP)) {
3266 			mstate->dtms_walltimestamp = dtrace_gethrestime();
3267 			mstate->dtms_present |= DTRACE_MSTATE_WALLTIMESTAMP;
3268 		}
3269 		return (mstate->dtms_walltimestamp);
3270 
3271 	case DIF_VAR_IPL:
3272 		if (!dtrace_priv_kernel(state))
3273 			return (0);
3274 		if (!(mstate->dtms_present & DTRACE_MSTATE_IPL)) {
3275 			mstate->dtms_ipl = dtrace_getipl();
3276 			mstate->dtms_present |= DTRACE_MSTATE_IPL;
3277 		}
3278 		return (mstate->dtms_ipl);
3279 
3280 	case DIF_VAR_EPID:
3281 		ASSERT(mstate->dtms_present & DTRACE_MSTATE_EPID);
3282 		return (mstate->dtms_epid);
3283 
3284 	case DIF_VAR_ID:
3285 		ASSERT(mstate->dtms_present & DTRACE_MSTATE_PROBE);
3286 		return (mstate->dtms_probe->dtpr_id);
3287 
3288 	case DIF_VAR_STACKDEPTH:
3289 		if (!dtrace_priv_kernel(state))
3290 			return (0);
3291 		if (!(mstate->dtms_present & DTRACE_MSTATE_STACKDEPTH)) {
3292 			int aframes = mstate->dtms_probe->dtpr_aframes + 2;
3293 
3294 			mstate->dtms_stackdepth = dtrace_getstackdepth(aframes);
3295 			mstate->dtms_present |= DTRACE_MSTATE_STACKDEPTH;
3296 		}
3297 		return (mstate->dtms_stackdepth);
3298 
3299 	case DIF_VAR_USTACKDEPTH:
3300 		if (!dtrace_priv_proc(state, mstate))
3301 			return (0);
3302 		if (!(mstate->dtms_present & DTRACE_MSTATE_USTACKDEPTH)) {
3303 			/*
3304 			 * See comment in DIF_VAR_PID.
3305 			 */
3306 			if (DTRACE_ANCHORED(mstate->dtms_probe) &&
3307 			    CPU_ON_INTR(CPU)) {
3308 				mstate->dtms_ustackdepth = 0;
3309 			} else {
3310 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
3311 				mstate->dtms_ustackdepth =
3312 				    dtrace_getustackdepth();
3313 				DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
3314 			}
3315 			mstate->dtms_present |= DTRACE_MSTATE_USTACKDEPTH;
3316 		}
3317 		return (mstate->dtms_ustackdepth);
3318 
3319 	case DIF_VAR_CALLER:
3320 		if (!dtrace_priv_kernel(state))
3321 			return (0);
3322 		if (!(mstate->dtms_present & DTRACE_MSTATE_CALLER)) {
3323 			int aframes = mstate->dtms_probe->dtpr_aframes + 2;
3324 
3325 			if (!DTRACE_ANCHORED(mstate->dtms_probe)) {
3326 				/*
3327 				 * If this is an unanchored probe, we are
3328 				 * required to go through the slow path:
3329 				 * dtrace_caller() only guarantees correct
3330 				 * results for anchored probes.
3331 				 */
3332 				pc_t caller[2];
3333 
3334 				dtrace_getpcstack(caller, 2, aframes,
3335 				    (uint32_t *)(uintptr_t)mstate->dtms_arg[0]);
3336 				mstate->dtms_caller = caller[1];
3337 			} else if ((mstate->dtms_caller =
3338 			    dtrace_caller(aframes)) == -1) {
3339 				/*
3340 				 * We have failed to do this the quick way;
3341 				 * we must resort to the slower approach of
3342 				 * calling dtrace_getpcstack().
3343 				 */
3344 				pc_t caller;
3345 
3346 				dtrace_getpcstack(&caller, 1, aframes, NULL);
3347 				mstate->dtms_caller = caller;
3348 			}
3349 
3350 			mstate->dtms_present |= DTRACE_MSTATE_CALLER;
3351 		}
3352 		return (mstate->dtms_caller);
3353 
3354 	case DIF_VAR_UCALLER:
3355 		if (!dtrace_priv_proc(state, mstate))
3356 			return (0);
3357 
3358 		if (!(mstate->dtms_present & DTRACE_MSTATE_UCALLER)) {
3359 			uint64_t ustack[3];
3360 
3361 			/*
3362 			 * dtrace_getupcstack() fills in the first uint64_t
3363 			 * with the current PID.  The second uint64_t will
3364 			 * be the program counter at user-level.  The third
3365 			 * uint64_t will contain the caller, which is what
3366 			 * we're after.
3367 			 */
3368 			ustack[2] = 0;
3369 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
3370 			dtrace_getupcstack(ustack, 3);
3371 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
3372 			mstate->dtms_ucaller = ustack[2];
3373 			mstate->dtms_present |= DTRACE_MSTATE_UCALLER;
3374 		}
3375 
3376 		return (mstate->dtms_ucaller);
3377 
3378 	case DIF_VAR_PROBEPROV:
3379 		ASSERT(mstate->dtms_present & DTRACE_MSTATE_PROBE);
3380 		return (dtrace_dif_varstr(
3381 		    (uintptr_t)mstate->dtms_probe->dtpr_provider->dtpv_name,
3382 		    state, mstate));
3383 
3384 	case DIF_VAR_PROBEMOD:
3385 		ASSERT(mstate->dtms_present & DTRACE_MSTATE_PROBE);
3386 		return (dtrace_dif_varstr(
3387 		    (uintptr_t)mstate->dtms_probe->dtpr_mod,
3388 		    state, mstate));
3389 
3390 	case DIF_VAR_PROBEFUNC:
3391 		ASSERT(mstate->dtms_present & DTRACE_MSTATE_PROBE);
3392 		return (dtrace_dif_varstr(
3393 		    (uintptr_t)mstate->dtms_probe->dtpr_func,
3394 		    state, mstate));
3395 
3396 	case DIF_VAR_PROBENAME:
3397 		ASSERT(mstate->dtms_present & DTRACE_MSTATE_PROBE);
3398 		return (dtrace_dif_varstr(
3399 		    (uintptr_t)mstate->dtms_probe->dtpr_name,
3400 		    state, mstate));
3401 
3402 	case DIF_VAR_PID:
3403 		if (!dtrace_priv_proc(state, mstate))
3404 			return (0);
3405 
3406 		/*
3407 		 * Note that we are assuming that an unanchored probe is
3408 		 * always due to a high-level interrupt.  (And we're assuming
3409 		 * that there is only a single high level interrupt.)
3410 		 */
3411 		if (DTRACE_ANCHORED(mstate->dtms_probe) && CPU_ON_INTR(CPU))
3412 			return (pid0.pid_id);
3413 
3414 		/*
3415 		 * It is always safe to dereference one's own t_procp pointer:
3416 		 * it always points to a valid, allocated proc structure.
3417 		 * Further, it is always safe to dereference the p_pidp member
3418 		 * of one's own proc structure.  (These are truisms becuase
3419 		 * threads and processes don't clean up their own state --
3420 		 * they leave that task to whomever reaps them.)
3421 		 */
3422 		return ((uint64_t)curthread->t_procp->p_pidp->pid_id);
3423 
3424 	case DIF_VAR_PPID:
3425 		if (!dtrace_priv_proc(state, mstate))
3426 			return (0);
3427 
3428 		/*
3429 		 * See comment in DIF_VAR_PID.
3430 		 */
3431 		if (DTRACE_ANCHORED(mstate->dtms_probe) && CPU_ON_INTR(CPU))
3432 			return (pid0.pid_id);
3433 
3434 		/*
3435 		 * It is always safe to dereference one's own t_procp pointer:
3436 		 * it always points to a valid, allocated proc structure.
3437 		 * (This is true because threads don't clean up their own
3438 		 * state -- they leave that task to whomever reaps them.)
3439 		 */
3440 		return ((uint64_t)curthread->t_procp->p_ppid);
3441 
3442 	case DIF_VAR_TID:
3443 		/*
3444 		 * See comment in DIF_VAR_PID.
3445 		 */
3446 		if (DTRACE_ANCHORED(mstate->dtms_probe) && CPU_ON_INTR(CPU))
3447 			return (0);
3448 
3449 		return ((uint64_t)curthread->t_tid);
3450 
3451 	case DIF_VAR_EXECNAME:
3452 		if (!dtrace_priv_proc(state, mstate))
3453 			return (0);
3454 
3455 		/*
3456 		 * See comment in DIF_VAR_PID.
3457 		 */
3458 		if (DTRACE_ANCHORED(mstate->dtms_probe) && CPU_ON_INTR(CPU))
3459 			return ((uint64_t)(uintptr_t)p0.p_user.u_comm);
3460 
3461 		/*
3462 		 * It is always safe to dereference one's own t_procp pointer:
3463 		 * it always points to a valid, allocated proc structure.
3464 		 * (This is true because threads don't clean up their own
3465 		 * state -- they leave that task to whomever reaps them.)
3466 		 */
3467 		return (dtrace_dif_varstr(
3468 		    (uintptr_t)curthread->t_procp->p_user.u_comm,
3469 		    state, mstate));
3470 
3471 	case DIF_VAR_ZONENAME:
3472 		if (!dtrace_priv_proc(state, mstate))
3473 			return (0);
3474 
3475 		/*
3476 		 * See comment in DIF_VAR_PID.
3477 		 */
3478 		if (DTRACE_ANCHORED(mstate->dtms_probe) && CPU_ON_INTR(CPU))
3479 			return ((uint64_t)(uintptr_t)p0.p_zone->zone_name);
3480 
3481 		/*
3482 		 * It is always safe to dereference one's own t_procp pointer:
3483 		 * it always points to a valid, allocated proc structure.
3484 		 * (This is true because threads don't clean up their own
3485 		 * state -- they leave that task to whomever reaps them.)
3486 		 */
3487 		return (dtrace_dif_varstr(
3488 		    (uintptr_t)curthread->t_procp->p_zone->zone_name,
3489 		    state, mstate));
3490 
3491 	case DIF_VAR_UID:
3492 		if (!dtrace_priv_proc(state, mstate))
3493 			return (0);
3494 
3495 		/*
3496 		 * See comment in DIF_VAR_PID.
3497 		 */
3498 		if (DTRACE_ANCHORED(mstate->dtms_probe) && CPU_ON_INTR(CPU))
3499 			return ((uint64_t)p0.p_cred->cr_uid);
3500 
3501 		/*
3502 		 * It is always safe to dereference one's own t_procp pointer:
3503 		 * it always points to a valid, allocated proc structure.
3504 		 * (This is true because threads don't clean up their own
3505 		 * state -- they leave that task to whomever reaps them.)
3506 		 *
3507 		 * Additionally, it is safe to dereference one's own process
3508 		 * credential, since this is never NULL after process birth.
3509 		 */
3510 		return ((uint64_t)curthread->t_procp->p_cred->cr_uid);
3511 
3512 	case DIF_VAR_GID:
3513 		if (!dtrace_priv_proc(state, mstate))
3514 			return (0);
3515 
3516 		/*
3517 		 * See comment in DIF_VAR_PID.
3518 		 */
3519 		if (DTRACE_ANCHORED(mstate->dtms_probe) && CPU_ON_INTR(CPU))
3520 			return ((uint64_t)p0.p_cred->cr_gid);
3521 
3522 		/*
3523 		 * It is always safe to dereference one's own t_procp pointer:
3524 		 * it always points to a valid, allocated proc structure.
3525 		 * (This is true because threads don't clean up their own
3526 		 * state -- they leave that task to whomever reaps them.)
3527 		 *
3528 		 * Additionally, it is safe to dereference one's own process
3529 		 * credential, since this is never NULL after process birth.
3530 		 */
3531 		return ((uint64_t)curthread->t_procp->p_cred->cr_gid);
3532 
3533 	case DIF_VAR_ERRNO: {
3534 		klwp_t *lwp;
3535 		if (!dtrace_priv_proc(state, mstate))
3536 			return (0);
3537 
3538 		/*
3539 		 * See comment in DIF_VAR_PID.
3540 		 */
3541 		if (DTRACE_ANCHORED(mstate->dtms_probe) && CPU_ON_INTR(CPU))
3542 			return (0);
3543 
3544 		/*
3545 		 * It is always safe to dereference one's own t_lwp pointer in
3546 		 * the event that this pointer is non-NULL.  (This is true
3547 		 * because threads and lwps don't clean up their own state --
3548 		 * they leave that task to whomever reaps them.)
3549 		 */
3550 		if ((lwp = curthread->t_lwp) == NULL)
3551 			return (0);
3552 
3553 		return ((uint64_t)lwp->lwp_errno);
3554 	}
3555 
3556 	case DIF_VAR_THREADNAME:
3557 		/*
3558 		 * See comment in DIF_VAR_PID.
3559 		 */
3560 		if (DTRACE_ANCHORED(mstate->dtms_probe) && CPU_ON_INTR(CPU))
3561 			return (0);
3562 
3563 		if (curthread->t_name == NULL)
3564 			return (0);
3565 
3566 		/*
3567 		 * Once set, ->t_name itself is never changed: any updates are
3568 		 * made to the same buffer that we are pointing out.  So we are
3569 		 * safe to dereference it here.
3570 		 */
3571 		return (dtrace_dif_varstr((uintptr_t)curthread->t_name,
3572 		    state, mstate));
3573 
3574 	default:
3575 		DTRACE_CPUFLAG_SET(CPU_DTRACE_ILLOP);
3576 		return (0);
3577 	}
3578 }
3579 
3580 static void
3581 dtrace_dif_variable_write(dtrace_mstate_t *mstate, dtrace_state_t *state,
3582     uint64_t v, uint64_t ndx, uint64_t data)
3583 {
3584 	switch (v) {
3585 	case DIF_VAR_UREGS: {
3586 		klwp_t *lwp;
3587 
3588 		if (dtrace_destructive_disallow ||
3589 		    !dtrace_priv_proc_control(state, mstate)) {
3590 			return;
3591 		}
3592 
3593 		if ((lwp = curthread->t_lwp) == NULL) {
3594 			DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
3595 			cpu_core[CPU->cpu_id].cpuc_dtrace_illval = 0;
3596 			return;
3597 		}
3598 
3599 		dtrace_setreg(lwp->lwp_regs, ndx, data);
3600 		return;
3601 	}
3602 
3603 	default:
3604 		DTRACE_CPUFLAG_SET(CPU_DTRACE_ILLOP);
3605 		return;
3606 	}
3607 }
3608 
3609 typedef enum dtrace_json_state {
3610 	DTRACE_JSON_REST = 1,
3611 	DTRACE_JSON_OBJECT,
3612 	DTRACE_JSON_STRING,
3613 	DTRACE_JSON_STRING_ESCAPE,
3614 	DTRACE_JSON_STRING_ESCAPE_UNICODE,
3615 	DTRACE_JSON_COLON,
3616 	DTRACE_JSON_COMMA,
3617 	DTRACE_JSON_VALUE,
3618 	DTRACE_JSON_IDENTIFIER,
3619 	DTRACE_JSON_NUMBER,
3620 	DTRACE_JSON_NUMBER_FRAC,
3621 	DTRACE_JSON_NUMBER_EXP,
3622 	DTRACE_JSON_COLLECT_OBJECT
3623 } dtrace_json_state_t;
3624 
3625 /*
3626  * This function possesses just enough knowledge about JSON to extract a single
3627  * value from a JSON string and store it in the scratch buffer.  It is able
3628  * to extract nested object values, and members of arrays by index.
3629  *
3630  * elemlist is a list of JSON keys, stored as packed NUL-terminated strings, to
3631  * be looked up as we descend into the object tree.  e.g.
3632  *
3633  *    foo[0].bar.baz[32] --> "foo" NUL "0" NUL "bar" NUL "baz" NUL "32" NUL
3634  *       with nelems = 5.
3635  *
3636  * The run time of this function must be bounded above by strsize to limit the
3637  * amount of work done in probe context.  As such, it is implemented as a
3638  * simple state machine, reading one character at a time using safe loads
3639  * until we find the requested element, hit a parsing error or run off the
3640  * end of the object or string.
3641  *
3642  * As there is no way for a subroutine to return an error without interrupting
3643  * clause execution, we simply return NULL in the event of a missing key or any
3644  * other error condition.  Each NULL return in this function is commented with
3645  * the error condition it represents -- parsing or otherwise.
3646  *
3647  * The set of states for the state machine closely matches the JSON
3648  * specification (http://json.org/).  Briefly:
3649  *
3650  *   DTRACE_JSON_REST:
3651  *     Skip whitespace until we find either a top-level Object, moving
3652  *     to DTRACE_JSON_OBJECT; or an Array, moving to DTRACE_JSON_VALUE.
3653  *
3654  *   DTRACE_JSON_OBJECT:
3655  *     Locate the next key String in an Object.  Sets a flag to denote
3656  *     the next String as a key string and moves to DTRACE_JSON_STRING.
3657  *
3658  *   DTRACE_JSON_COLON:
3659  *     Skip whitespace until we find the colon that separates key Strings
3660  *     from their values.  Once found, move to DTRACE_JSON_VALUE.
3661  *
3662  *   DTRACE_JSON_VALUE:
3663  *     Detects the type of the next value (String, Number, Identifier, Object
3664  *     or Array) and routes to the states that process that type.  Here we also
3665  *     deal with the element selector list if we are requested to traverse down
3666  *     into the object tree.
3667  *
3668  *   DTRACE_JSON_COMMA:
3669  *     Skip whitespace until we find the comma that separates key-value pairs
3670  *     in Objects (returning to DTRACE_JSON_OBJECT) or values in Arrays
3671  *     (similarly DTRACE_JSON_VALUE).  All following literal value processing
3672  *     states return to this state at the end of their value, unless otherwise
3673  *     noted.
3674  *
3675  *   DTRACE_JSON_NUMBER, DTRACE_JSON_NUMBER_FRAC, DTRACE_JSON_NUMBER_EXP:
3676  *     Processes a Number literal from the JSON, including any exponent
3677  *     component that may be present.  Numbers are returned as strings, which
3678  *     may be passed to strtoll() if an integer is required.
3679  *
3680  *   DTRACE_JSON_IDENTIFIER:
3681  *     Processes a "true", "false" or "null" literal in the JSON.
3682  *
3683  *   DTRACE_JSON_STRING, DTRACE_JSON_STRING_ESCAPE,
3684  *   DTRACE_JSON_STRING_ESCAPE_UNICODE:
3685  *     Processes a String literal from the JSON, whether the String denotes
3686  *     a key, a value or part of a larger Object.  Handles all escape sequences
3687  *     present in the specification, including four-digit unicode characters,
3688  *     but merely includes the escape sequence without converting it to the
3689  *     actual escaped character.  If the String is flagged as a key, we
3690  *     move to DTRACE_JSON_COLON rather than DTRACE_JSON_COMMA.
3691  *
3692  *   DTRACE_JSON_COLLECT_OBJECT:
3693  *     This state collects an entire Object (or Array), correctly handling
3694  *     embedded strings.  If the full element selector list matches this nested
3695  *     object, we return the Object in full as a string.  If not, we use this
3696  *     state to skip to the next value at this level and continue processing.
3697  *
3698  * NOTE: This function uses various macros from strtolctype.h to manipulate
3699  * digit values, etc -- these have all been checked to ensure they make
3700  * no additional function calls.
3701  */
3702 static char *
3703 dtrace_json(uint64_t size, uintptr_t json, char *elemlist, int nelems,
3704     char *dest)
3705 {
3706 	dtrace_json_state_t state = DTRACE_JSON_REST;
3707 	int64_t array_elem = INT64_MIN;
3708 	int64_t array_pos = 0;
3709 	uint8_t escape_unicount = 0;
3710 	boolean_t string_is_key = B_FALSE;
3711 	boolean_t collect_object = B_FALSE;
3712 	boolean_t found_key = B_FALSE;
3713 	boolean_t in_array = B_FALSE;
3714 	uint32_t braces = 0, brackets = 0;
3715 	char *elem = elemlist;
3716 	char *dd = dest;
3717 	uintptr_t cur;
3718 
3719 	for (cur = json; cur < json + size; cur++) {
3720 		char cc = dtrace_load8(cur);
3721 		if (cc == '\0')
3722 			return (NULL);
3723 
3724 		switch (state) {
3725 		case DTRACE_JSON_REST:
3726 			if (isspace(cc))
3727 				break;
3728 
3729 			if (cc == '{') {
3730 				state = DTRACE_JSON_OBJECT;
3731 				break;
3732 			}
3733 
3734 			if (cc == '[') {
3735 				in_array = B_TRUE;
3736 				array_pos = 0;
3737 				array_elem = dtrace_strtoll(elem, 10, size);
3738 				found_key = array_elem == 0 ? B_TRUE : B_FALSE;
3739 				state = DTRACE_JSON_VALUE;
3740 				break;
3741 			}
3742 
3743 			/*
3744 			 * ERROR: expected to find a top-level object or array.
3745 			 */
3746 			return (NULL);
3747 		case DTRACE_JSON_OBJECT:
3748 			if (isspace(cc))
3749 				break;
3750 
3751 			if (cc == '"') {
3752 				state = DTRACE_JSON_STRING;
3753 				string_is_key = B_TRUE;
3754 				break;
3755 			}
3756 
3757 			/*
3758 			 * ERROR: either the object did not start with a key
3759 			 * string, or we've run off the end of the object
3760 			 * without finding the requested key.
3761 			 */
3762 			return (NULL);
3763 		case DTRACE_JSON_STRING:
3764 			if (cc == '\\') {
3765 				*dd++ = '\\';
3766 				state = DTRACE_JSON_STRING_ESCAPE;
3767 				break;
3768 			}
3769 
3770 			if (cc == '"') {
3771 				if (collect_object) {
3772 					/*
3773 					 * We don't reset the dest here, as
3774 					 * the string is part of a larger
3775 					 * object being collected.
3776 					 */
3777 					*dd++ = cc;
3778 					collect_object = B_FALSE;
3779 					state = DTRACE_JSON_COLLECT_OBJECT;
3780 					break;
3781 				}
3782 				*dd = '\0';
3783 				dd = dest; /* reset string buffer */
3784 				if (string_is_key) {
3785 					if (dtrace_strncmp(dest, elem,
3786 					    size) == 0)
3787 						found_key = B_TRUE;
3788 				} else if (found_key) {
3789 					if (nelems > 1) {
3790 						/*
3791 						 * We expected an object, not
3792 						 * this string.
3793 						 */
3794 						return (NULL);
3795 					}
3796 					return (dest);
3797 				}
3798 				state = string_is_key ? DTRACE_JSON_COLON :
3799 				    DTRACE_JSON_COMMA;
3800 				string_is_key = B_FALSE;
3801 				break;
3802 			}
3803 
3804 			*dd++ = cc;
3805 			break;
3806 		case DTRACE_JSON_STRING_ESCAPE:
3807 			*dd++ = cc;
3808 			if (cc == 'u') {
3809 				escape_unicount = 0;
3810 				state = DTRACE_JSON_STRING_ESCAPE_UNICODE;
3811 			} else {
3812 				state = DTRACE_JSON_STRING;
3813 			}
3814 			break;
3815 		case DTRACE_JSON_STRING_ESCAPE_UNICODE:
3816 			if (!isxdigit(cc)) {
3817 				/*
3818 				 * ERROR: invalid unicode escape, expected
3819 				 * four valid hexidecimal digits.
3820 				 */
3821 				return (NULL);
3822 			}
3823 
3824 			*dd++ = cc;
3825 			if (++escape_unicount == 4)
3826 				state = DTRACE_JSON_STRING;
3827 			break;
3828 		case DTRACE_JSON_COLON:
3829 			if (isspace(cc))
3830 				break;
3831 
3832 			if (cc == ':') {
3833 				state = DTRACE_JSON_VALUE;
3834 				break;
3835 			}
3836 
3837 			/*
3838 			 * ERROR: expected a colon.
3839 			 */
3840 			return (NULL);
3841 		case DTRACE_JSON_COMMA:
3842 			if (isspace(cc))
3843 				break;
3844 
3845 			if (cc == ',') {
3846 				if (in_array) {
3847 					state = DTRACE_JSON_VALUE;
3848 					if (++array_pos == array_elem)
3849 						found_key = B_TRUE;
3850 				} else {
3851 					state = DTRACE_JSON_OBJECT;
3852 				}
3853 				break;
3854 			}
3855 
3856 			/*
3857 			 * ERROR: either we hit an unexpected character, or
3858 			 * we reached the end of the object or array without
3859 			 * finding the requested key.
3860 			 */
3861 			return (NULL);
3862 		case DTRACE_JSON_IDENTIFIER:
3863 			if (islower(cc)) {
3864 				*dd++ = cc;
3865 				break;
3866 			}
3867 
3868 			*dd = '\0';
3869 			dd = dest; /* reset string buffer */
3870 
3871 			if (dtrace_strncmp(dest, "true", 5) == 0 ||
3872 			    dtrace_strncmp(dest, "false", 6) == 0 ||
3873 			    dtrace_strncmp(dest, "null", 5) == 0) {
3874 				if (found_key) {
3875 					if (nelems > 1) {
3876 						/*
3877 						 * ERROR: We expected an object,
3878 						 * not this identifier.
3879 						 */
3880 						return (NULL);
3881 					}
3882 					return (dest);
3883 				} else {
3884 					cur--;
3885 					state = DTRACE_JSON_COMMA;
3886 					break;
3887 				}
3888 			}
3889 
3890 			/*
3891 			 * ERROR: we did not recognise the identifier as one
3892 			 * of those in the JSON specification.
3893 			 */
3894 			return (NULL);
3895 		case DTRACE_JSON_NUMBER:
3896 			if (cc == '.') {
3897 				*dd++ = cc;
3898 				state = DTRACE_JSON_NUMBER_FRAC;
3899 				break;
3900 			}
3901 
3902 			if (cc == 'x' || cc == 'X') {
3903 				/*
3904 				 * ERROR: specification explicitly excludes
3905 				 * hexidecimal or octal numbers.
3906 				 */
3907 				return (NULL);
3908 			}
3909 
3910 			/* FALLTHRU */
3911 		case DTRACE_JSON_NUMBER_FRAC:
3912 			if (cc == 'e' || cc == 'E') {
3913 				*dd++ = cc;
3914 				state = DTRACE_JSON_NUMBER_EXP;
3915 				break;
3916 			}
3917 
3918 			if (cc == '+' || cc == '-') {
3919 				/*
3920 				 * ERROR: expect sign as part of exponent only.
3921 				 */
3922 				return (NULL);
3923 			}
3924 			/* FALLTHRU */
3925 		case DTRACE_JSON_NUMBER_EXP:
3926 			if (isdigit(cc) || cc == '+' || cc == '-') {
3927 				*dd++ = cc;
3928 				break;
3929 			}
3930 
3931 			*dd = '\0';
3932 			dd = dest; /* reset string buffer */
3933 			if (found_key) {
3934 				if (nelems > 1) {
3935 					/*
3936 					 * ERROR: We expected an object, not
3937 					 * this number.
3938 					 */
3939 					return (NULL);
3940 				}
3941 				return (dest);
3942 			}
3943 
3944 			cur--;
3945 			state = DTRACE_JSON_COMMA;
3946 			break;
3947 		case DTRACE_JSON_VALUE:
3948 			if (isspace(cc))
3949 				break;
3950 
3951 			if (cc == '{' || cc == '[') {
3952 				if (nelems > 1 && found_key) {
3953 					in_array = cc == '[' ? B_TRUE : B_FALSE;
3954 					/*
3955 					 * If our element selector directs us
3956 					 * to descend into this nested object,
3957 					 * then move to the next selector
3958 					 * element in the list and restart the
3959 					 * state machine.
3960 					 */
3961 					while (*elem != '\0')
3962 						elem++;
3963 					elem++; /* skip the inter-element NUL */
3964 					nelems--;
3965 					dd = dest;
3966 					if (in_array) {
3967 						state = DTRACE_JSON_VALUE;
3968 						array_pos = 0;
3969 						array_elem = dtrace_strtoll(
3970 						    elem, 10, size);
3971 						found_key = array_elem == 0 ?
3972 						    B_TRUE : B_FALSE;
3973 					} else {
3974 						found_key = B_FALSE;
3975 						state = DTRACE_JSON_OBJECT;
3976 					}
3977 					break;
3978 				}
3979 
3980 				/*
3981 				 * Otherwise, we wish to either skip this
3982 				 * nested object or return it in full.
3983 				 */
3984 				if (cc == '[')
3985 					brackets = 1;
3986 				else
3987 					braces = 1;
3988 				*dd++ = cc;
3989 				state = DTRACE_JSON_COLLECT_OBJECT;
3990 				break;
3991 			}
3992 
3993 			if (cc == '"') {
3994 				state = DTRACE_JSON_STRING;
3995 				break;
3996 			}
3997 
3998 			if (islower(cc)) {
3999 				/*
4000 				 * Here we deal with true, false and null.
4001 				 */
4002 				*dd++ = cc;
4003 				state = DTRACE_JSON_IDENTIFIER;
4004 				break;
4005 			}
4006 
4007 			if (cc == '-' || isdigit(cc)) {
4008 				*dd++ = cc;
4009 				state = DTRACE_JSON_NUMBER;
4010 				break;
4011 			}
4012 
4013 			/*
4014 			 * ERROR: unexpected character at start of value.
4015 			 */
4016 			return (NULL);
4017 		case DTRACE_JSON_COLLECT_OBJECT:
4018 			if (cc == '\0')
4019 				/*
4020 				 * ERROR: unexpected end of input.
4021 				 */
4022 				return (NULL);
4023 
4024 			*dd++ = cc;
4025 			if (cc == '"') {
4026 				collect_object = B_TRUE;
4027 				state = DTRACE_JSON_STRING;
4028 				break;
4029 			}
4030 
4031 			if (cc == ']') {
4032 				if (brackets-- == 0) {
4033 					/*
4034 					 * ERROR: unbalanced brackets.
4035 					 */
4036 					return (NULL);
4037 				}
4038 			} else if (cc == '}') {
4039 				if (braces-- == 0) {
4040 					/*
4041 					 * ERROR: unbalanced braces.
4042 					 */
4043 					return (NULL);
4044 				}
4045 			} else if (cc == '{') {
4046 				braces++;
4047 			} else if (cc == '[') {
4048 				brackets++;
4049 			}
4050 
4051 			if (brackets == 0 && braces == 0) {
4052 				if (found_key) {
4053 					*dd = '\0';
4054 					return (dest);
4055 				}
4056 				dd = dest; /* reset string buffer */
4057 				state = DTRACE_JSON_COMMA;
4058 			}
4059 			break;
4060 		}
4061 	}
4062 	return (NULL);
4063 }
4064 
4065 /*
4066  * Emulate the execution of DTrace ID subroutines invoked by the call opcode.
4067  * Notice that we don't bother validating the proper number of arguments or
4068  * their types in the tuple stack.  This isn't needed because all argument
4069  * interpretation is safe because of our load safety -- the worst that can
4070  * happen is that a bogus program can obtain bogus results.
4071  */
4072 static void
4073 dtrace_dif_subr(uint_t subr, uint_t rd, uint64_t *regs,
4074     dtrace_key_t *tupregs, int nargs,
4075     dtrace_mstate_t *mstate, dtrace_state_t *state)
4076 {
4077 	volatile uint16_t *flags = &cpu_core[CPU->cpu_id].cpuc_dtrace_flags;
4078 	volatile uintptr_t *illval = &cpu_core[CPU->cpu_id].cpuc_dtrace_illval;
4079 	dtrace_vstate_t *vstate = &state->dts_vstate;
4080 
4081 	union {
4082 		mutex_impl_t mi;
4083 		uint64_t mx;
4084 	} m;
4085 
4086 	union {
4087 		krwlock_t ri;
4088 		uintptr_t rw;
4089 	} r;
4090 
4091 	switch (subr) {
4092 	case DIF_SUBR_RAND:
4093 		regs[rd] = (dtrace_gethrtime() * 2416 + 374441) % 1771875;
4094 		break;
4095 
4096 	case DIF_SUBR_MUTEX_OWNED:
4097 		if (!dtrace_canload(tupregs[0].dttk_value, sizeof (kmutex_t),
4098 		    mstate, vstate)) {
4099 			regs[rd] = 0;
4100 			break;
4101 		}
4102 
4103 		m.mx = dtrace_load64(tupregs[0].dttk_value);
4104 		if (MUTEX_TYPE_ADAPTIVE(&m.mi))
4105 			regs[rd] = MUTEX_OWNER(&m.mi) != MUTEX_NO_OWNER;
4106 		else
4107 			regs[rd] = LOCK_HELD(&m.mi.m_spin.m_spinlock);
4108 		break;
4109 
4110 	case DIF_SUBR_MUTEX_OWNER:
4111 		if (!dtrace_canload(tupregs[0].dttk_value, sizeof (kmutex_t),
4112 		    mstate, vstate)) {
4113 			regs[rd] = 0;
4114 			break;
4115 		}
4116 
4117 		m.mx = dtrace_load64(tupregs[0].dttk_value);
4118 		if (MUTEX_TYPE_ADAPTIVE(&m.mi) &&
4119 		    MUTEX_OWNER(&m.mi) != MUTEX_NO_OWNER)
4120 			regs[rd] = (uintptr_t)MUTEX_OWNER(&m.mi);
4121 		else
4122 			regs[rd] = 0;
4123 		break;
4124 
4125 	case DIF_SUBR_MUTEX_TYPE_ADAPTIVE:
4126 		if (!dtrace_canload(tupregs[0].dttk_value, sizeof (kmutex_t),
4127 		    mstate, vstate)) {
4128 			regs[rd] = 0;
4129 			break;
4130 		}
4131 
4132 		m.mx = dtrace_load64(tupregs[0].dttk_value);
4133 		regs[rd] = MUTEX_TYPE_ADAPTIVE(&m.mi);
4134 		break;
4135 
4136 	case DIF_SUBR_MUTEX_TYPE_SPIN:
4137 		if (!dtrace_canload(tupregs[0].dttk_value, sizeof (kmutex_t),
4138 		    mstate, vstate)) {
4139 			regs[rd] = 0;
4140 			break;
4141 		}
4142 
4143 		m.mx = dtrace_load64(tupregs[0].dttk_value);
4144 		regs[rd] = MUTEX_TYPE_SPIN(&m.mi);
4145 		break;
4146 
4147 	case DIF_SUBR_RW_READ_HELD: {
4148 		uintptr_t tmp;
4149 
4150 		if (!dtrace_canload(tupregs[0].dttk_value, sizeof (uintptr_t),
4151 		    mstate, vstate)) {
4152 			regs[rd] = 0;
4153 			break;
4154 		}
4155 
4156 		r.rw = dtrace_loadptr(tupregs[0].dttk_value);
4157 		regs[rd] = _RW_READ_HELD(&r.ri, tmp);
4158 		break;
4159 	}
4160 
4161 	case DIF_SUBR_RW_WRITE_HELD:
4162 		if (!dtrace_canload(tupregs[0].dttk_value, sizeof (krwlock_t),
4163 		    mstate, vstate)) {
4164 			regs[rd] = 0;
4165 			break;
4166 		}
4167 
4168 		r.rw = dtrace_loadptr(tupregs[0].dttk_value);
4169 		regs[rd] = _RW_WRITE_HELD(&r.ri);
4170 		break;
4171 
4172 	case DIF_SUBR_RW_ISWRITER:
4173 		if (!dtrace_canload(tupregs[0].dttk_value, sizeof (krwlock_t),
4174 		    mstate, vstate)) {
4175 			regs[rd] = 0;
4176 			break;
4177 		}
4178 
4179 		r.rw = dtrace_loadptr(tupregs[0].dttk_value);
4180 		regs[rd] = _RW_ISWRITER(&r.ri);
4181 		break;
4182 
4183 	case DIF_SUBR_BCOPY: {
4184 		/*
4185 		 * We need to be sure that the destination is in the scratch
4186 		 * region -- no other region is allowed.
4187 		 */
4188 		uintptr_t src = tupregs[0].dttk_value;
4189 		uintptr_t dest = tupregs[1].dttk_value;
4190 		size_t size = tupregs[2].dttk_value;
4191 
4192 		if (!dtrace_inscratch(dest, size, mstate)) {
4193 			*flags |= CPU_DTRACE_BADADDR;
4194 			*illval = regs[rd];
4195 			break;
4196 		}
4197 
4198 		if (!dtrace_canload(src, size, mstate, vstate)) {
4199 			regs[rd] = 0;
4200 			break;
4201 		}
4202 
4203 		dtrace_bcopy((void *)src, (void *)dest, size);
4204 		break;
4205 	}
4206 
4207 	case DIF_SUBR_ALLOCA:
4208 	case DIF_SUBR_COPYIN: {
4209 		uintptr_t dest = P2ROUNDUP(mstate->dtms_scratch_ptr, 8);
4210 		uint64_t size =
4211 		    tupregs[subr == DIF_SUBR_ALLOCA ? 0 : 1].dttk_value;
4212 		size_t scratch_size = (dest - mstate->dtms_scratch_ptr) + size;
4213 
4214 		/*
4215 		 * This action doesn't require any credential checks since
4216 		 * probes will not activate in user contexts to which the
4217 		 * enabling user does not have permissions.
4218 		 */
4219 
4220 		/*
4221 		 * Rounding up the user allocation size could have overflowed
4222 		 * a large, bogus allocation (like -1ULL) to 0.
4223 		 */
4224 		if (scratch_size < size ||
4225 		    !DTRACE_INSCRATCH(mstate, scratch_size)) {
4226 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
4227 			regs[rd] = 0;
4228 			break;
4229 		}
4230 
4231 		if (subr == DIF_SUBR_COPYIN) {
4232 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
4233 			dtrace_copyin(tupregs[0].dttk_value, dest, size, flags);
4234 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
4235 		}
4236 
4237 		mstate->dtms_scratch_ptr += scratch_size;
4238 		regs[rd] = dest;
4239 		break;
4240 	}
4241 
4242 	case DIF_SUBR_COPYINTO: {
4243 		uint64_t size = tupregs[1].dttk_value;
4244 		uintptr_t dest = tupregs[2].dttk_value;
4245 
4246 		/*
4247 		 * This action doesn't require any credential checks since
4248 		 * probes will not activate in user contexts to which the
4249 		 * enabling user does not have permissions.
4250 		 */
4251 		if (!dtrace_inscratch(dest, size, mstate)) {
4252 			*flags |= CPU_DTRACE_BADADDR;
4253 			*illval = regs[rd];
4254 			break;
4255 		}
4256 
4257 		DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
4258 		dtrace_copyin(tupregs[0].dttk_value, dest, size, flags);
4259 		DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
4260 		break;
4261 	}
4262 
4263 	case DIF_SUBR_COPYINSTR: {
4264 		uintptr_t dest = mstate->dtms_scratch_ptr;
4265 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
4266 
4267 		if (nargs > 1 && tupregs[1].dttk_value < size)
4268 			size = tupregs[1].dttk_value + 1;
4269 
4270 		/*
4271 		 * This action doesn't require any credential checks since
4272 		 * probes will not activate in user contexts to which the
4273 		 * enabling user does not have permissions.
4274 		 */
4275 		if (!DTRACE_INSCRATCH(mstate, size)) {
4276 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
4277 			regs[rd] = 0;
4278 			break;
4279 		}
4280 
4281 		DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
4282 		dtrace_copyinstr(tupregs[0].dttk_value, dest, size, flags);
4283 		DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
4284 
4285 		((char *)dest)[size - 1] = '\0';
4286 		mstate->dtms_scratch_ptr += size;
4287 		regs[rd] = dest;
4288 		break;
4289 	}
4290 
4291 	case DIF_SUBR_MSGSIZE:
4292 	case DIF_SUBR_MSGDSIZE: {
4293 		uintptr_t baddr = tupregs[0].dttk_value, daddr;
4294 		uintptr_t wptr, rptr;
4295 		size_t count = 0;
4296 		int cont = 0;
4297 
4298 		while (baddr != 0 && !(*flags & CPU_DTRACE_FAULT)) {
4299 
4300 			if (!dtrace_canload(baddr, sizeof (mblk_t), mstate,
4301 			    vstate)) {
4302 				regs[rd] = 0;
4303 				break;
4304 			}
4305 
4306 			wptr = dtrace_loadptr(baddr +
4307 			    offsetof(mblk_t, b_wptr));
4308 
4309 			rptr = dtrace_loadptr(baddr +
4310 			    offsetof(mblk_t, b_rptr));
4311 
4312 			if (wptr < rptr) {
4313 				*flags |= CPU_DTRACE_BADADDR;
4314 				*illval = tupregs[0].dttk_value;
4315 				break;
4316 			}
4317 
4318 			daddr = dtrace_loadptr(baddr +
4319 			    offsetof(mblk_t, b_datap));
4320 
4321 			baddr = dtrace_loadptr(baddr +
4322 			    offsetof(mblk_t, b_cont));
4323 
4324 			/*
4325 			 * We want to prevent against denial-of-service here,
4326 			 * so we're only going to search the list for
4327 			 * dtrace_msgdsize_max mblks.
4328 			 */
4329 			if (cont++ > dtrace_msgdsize_max) {
4330 				*flags |= CPU_DTRACE_ILLOP;
4331 				break;
4332 			}
4333 
4334 			if (subr == DIF_SUBR_MSGDSIZE) {
4335 				if (dtrace_load8(daddr +
4336 				    offsetof(dblk_t, db_type)) != M_DATA)
4337 					continue;
4338 			}
4339 
4340 			count += wptr - rptr;
4341 		}
4342 
4343 		if (!(*flags & CPU_DTRACE_FAULT))
4344 			regs[rd] = count;
4345 
4346 		break;
4347 	}
4348 
4349 	case DIF_SUBR_PROGENYOF: {
4350 		pid_t pid = tupregs[0].dttk_value;
4351 		proc_t *p;
4352 		int rval = 0;
4353 
4354 		DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
4355 
4356 		for (p = curthread->t_procp; p != NULL; p = p->p_parent) {
4357 			if (p->p_pidp->pid_id == pid) {
4358 				rval = 1;
4359 				break;
4360 			}
4361 		}
4362 
4363 		DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
4364 
4365 		regs[rd] = rval;
4366 		break;
4367 	}
4368 
4369 	case DIF_SUBR_SPECULATION:
4370 		regs[rd] = dtrace_speculation(state);
4371 		break;
4372 
4373 	case DIF_SUBR_COPYOUT: {
4374 		uintptr_t kaddr = tupregs[0].dttk_value;
4375 		uintptr_t uaddr = tupregs[1].dttk_value;
4376 		uint64_t size = tupregs[2].dttk_value;
4377 
4378 		if (!dtrace_destructive_disallow &&
4379 		    dtrace_priv_proc_control(state, mstate) &&
4380 		    !dtrace_istoxic(kaddr, size) &&
4381 		    dtrace_canload(kaddr, size, mstate, vstate)) {
4382 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
4383 			dtrace_copyout(kaddr, uaddr, size, flags);
4384 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
4385 		}
4386 		break;
4387 	}
4388 
4389 	case DIF_SUBR_COPYOUTSTR: {
4390 		uintptr_t kaddr = tupregs[0].dttk_value;
4391 		uintptr_t uaddr = tupregs[1].dttk_value;
4392 		uint64_t size = tupregs[2].dttk_value;
4393 		size_t lim;
4394 
4395 		if (!dtrace_destructive_disallow &&
4396 		    dtrace_priv_proc_control(state, mstate) &&
4397 		    !dtrace_istoxic(kaddr, size) &&
4398 		    dtrace_strcanload(kaddr, size, &lim, mstate, vstate)) {
4399 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
4400 			dtrace_copyoutstr(kaddr, uaddr, lim, flags);
4401 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
4402 		}
4403 		break;
4404 	}
4405 
4406 	case DIF_SUBR_STRLEN: {
4407 		size_t size = state->dts_options[DTRACEOPT_STRSIZE];
4408 		uintptr_t addr = (uintptr_t)tupregs[0].dttk_value;
4409 		size_t lim;
4410 
4411 		if (!dtrace_strcanload(addr, size, &lim, mstate, vstate)) {
4412 			regs[rd] = 0;
4413 			break;
4414 		}
4415 		regs[rd] = dtrace_strlen((char *)addr, lim);
4416 
4417 		break;
4418 	}
4419 
4420 	case DIF_SUBR_STRCHR:
4421 	case DIF_SUBR_STRRCHR: {
4422 		/*
4423 		 * We're going to iterate over the string looking for the
4424 		 * specified character.  We will iterate until we have reached
4425 		 * the string length or we have found the character.  If this
4426 		 * is DIF_SUBR_STRRCHR, we will look for the last occurrence
4427 		 * of the specified character instead of the first.
4428 		 */
4429 		uintptr_t addr = tupregs[0].dttk_value;
4430 		uintptr_t addr_limit;
4431 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
4432 		size_t lim;
4433 		char c, target = (char)tupregs[1].dttk_value;
4434 
4435 		if (!dtrace_strcanload(addr, size, &lim, mstate, vstate)) {
4436 			regs[rd] = 0;
4437 			break;
4438 		}
4439 		addr_limit = addr + lim;
4440 
4441 		for (regs[rd] = 0; addr < addr_limit; addr++) {
4442 			if ((c = dtrace_load8(addr)) == target) {
4443 				regs[rd] = addr;
4444 
4445 				if (subr == DIF_SUBR_STRCHR)
4446 					break;
4447 			}
4448 			if (c == '\0')
4449 				break;
4450 		}
4451 
4452 		break;
4453 	}
4454 
4455 	case DIF_SUBR_STRSTR:
4456 	case DIF_SUBR_INDEX:
4457 	case DIF_SUBR_RINDEX: {
4458 		/*
4459 		 * We're going to iterate over the string looking for the
4460 		 * specified string.  We will iterate until we have reached
4461 		 * the string length or we have found the string.  (Yes, this
4462 		 * is done in the most naive way possible -- but considering
4463 		 * that the string we're searching for is likely to be
4464 		 * relatively short, the complexity of Rabin-Karp or similar
4465 		 * hardly seems merited.)
4466 		 */
4467 		char *addr = (char *)(uintptr_t)tupregs[0].dttk_value;
4468 		char *substr = (char *)(uintptr_t)tupregs[1].dttk_value;
4469 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
4470 		size_t len = dtrace_strlen(addr, size);
4471 		size_t sublen = dtrace_strlen(substr, size);
4472 		char *limit = addr + len, *orig = addr;
4473 		int notfound = subr == DIF_SUBR_STRSTR ? 0 : -1;
4474 		int inc = 1;
4475 
4476 		regs[rd] = notfound;
4477 
4478 		if (!dtrace_canload((uintptr_t)addr, len + 1, mstate, vstate)) {
4479 			regs[rd] = 0;
4480 			break;
4481 		}
4482 
4483 		if (!dtrace_canload((uintptr_t)substr, sublen + 1, mstate,
4484 		    vstate)) {
4485 			regs[rd] = 0;
4486 			break;
4487 		}
4488 
4489 		/*
4490 		 * strstr() and index()/rindex() have similar semantics if
4491 		 * both strings are the empty string: strstr() returns a
4492 		 * pointer to the (empty) string, and index() and rindex()
4493 		 * both return index 0 (regardless of any position argument).
4494 		 */
4495 		if (sublen == 0 && len == 0) {
4496 			if (subr == DIF_SUBR_STRSTR)
4497 				regs[rd] = (uintptr_t)addr;
4498 			else
4499 				regs[rd] = 0;
4500 			break;
4501 		}
4502 
4503 		if (subr != DIF_SUBR_STRSTR) {
4504 			if (subr == DIF_SUBR_RINDEX) {
4505 				limit = orig - 1;
4506 				addr += len;
4507 				inc = -1;
4508 			}
4509 
4510 			/*
4511 			 * Both index() and rindex() take an optional position
4512 			 * argument that denotes the starting position.
4513 			 */
4514 			if (nargs == 3) {
4515 				int64_t pos = (int64_t)tupregs[2].dttk_value;
4516 
4517 				/*
4518 				 * If the position argument to index() is
4519 				 * negative, Perl implicitly clamps it at
4520 				 * zero.  This semantic is a little surprising
4521 				 * given the special meaning of negative
4522 				 * positions to similar Perl functions like
4523 				 * substr(), but it appears to reflect a
4524 				 * notion that index() can start from a
4525 				 * negative index and increment its way up to
4526 				 * the string.  Given this notion, Perl's
4527 				 * rindex() is at least self-consistent in
4528 				 * that it implicitly clamps positions greater
4529 				 * than the string length to be the string
4530 				 * length.  Where Perl completely loses
4531 				 * coherence, however, is when the specified
4532 				 * substring is the empty string ("").  In
4533 				 * this case, even if the position is
4534 				 * negative, rindex() returns 0 -- and even if
4535 				 * the position is greater than the length,
4536 				 * index() returns the string length.  These
4537 				 * semantics violate the notion that index()
4538 				 * should never return a value less than the
4539 				 * specified position and that rindex() should
4540 				 * never return a value greater than the
4541 				 * specified position.  (One assumes that
4542 				 * these semantics are artifacts of Perl's
4543 				 * implementation and not the results of
4544 				 * deliberate design -- it beggars belief that
4545 				 * even Larry Wall could desire such oddness.)
4546 				 * While in the abstract one would wish for
4547 				 * consistent position semantics across
4548 				 * substr(), index() and rindex() -- or at the
4549 				 * very least self-consistent position
4550 				 * semantics for index() and rindex() -- we
4551 				 * instead opt to keep with the extant Perl
4552 				 * semantics, in all their broken glory.  (Do
4553 				 * we have more desire to maintain Perl's
4554 				 * semantics than Perl does?  Probably.)
4555 				 */
4556 				if (subr == DIF_SUBR_RINDEX) {
4557 					if (pos < 0) {
4558 						if (sublen == 0)
4559 							regs[rd] = 0;
4560 						break;
4561 					}
4562 
4563 					if (pos > len)
4564 						pos = len;
4565 				} else {
4566 					if (pos < 0)
4567 						pos = 0;
4568 
4569 					if (pos >= len) {
4570 						if (sublen == 0)
4571 							regs[rd] = len;
4572 						break;
4573 					}
4574 				}
4575 
4576 				addr = orig + pos;
4577 			}
4578 		}
4579 
4580 		for (regs[rd] = notfound; addr != limit; addr += inc) {
4581 			if (dtrace_strncmp(addr, substr, sublen) == 0) {
4582 				if (subr != DIF_SUBR_STRSTR) {
4583 					/*
4584 					 * As D index() and rindex() are
4585 					 * modeled on Perl (and not on awk),
4586 					 * we return a zero-based (and not a
4587 					 * one-based) index.  (For you Perl
4588 					 * weenies: no, we're not going to add
4589 					 * $[ -- and shouldn't you be at a con
4590 					 * or something?)
4591 					 */
4592 					regs[rd] = (uintptr_t)(addr - orig);
4593 					break;
4594 				}
4595 
4596 				ASSERT(subr == DIF_SUBR_STRSTR);
4597 				regs[rd] = (uintptr_t)addr;
4598 				break;
4599 			}
4600 		}
4601 
4602 		break;
4603 	}
4604 
4605 	case DIF_SUBR_STRTOK: {
4606 		uintptr_t addr = tupregs[0].dttk_value;
4607 		uintptr_t tokaddr = tupregs[1].dttk_value;
4608 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
4609 		uintptr_t limit, toklimit;
4610 		size_t clim;
4611 		uint8_t c, tokmap[32];	 /* 256 / 8 */
4612 		char *dest = (char *)mstate->dtms_scratch_ptr;
4613 		int i;
4614 
4615 		/*
4616 		 * Check both the token buffer and (later) the input buffer,
4617 		 * since both could be non-scratch addresses.
4618 		 */
4619 		if (!dtrace_strcanload(tokaddr, size, &clim, mstate, vstate)) {
4620 			regs[rd] = 0;
4621 			break;
4622 		}
4623 		toklimit = tokaddr + clim;
4624 
4625 		if (!DTRACE_INSCRATCH(mstate, size)) {
4626 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
4627 			regs[rd] = 0;
4628 			break;
4629 		}
4630 
4631 		if (addr == 0) {
4632 			/*
4633 			 * If the address specified is NULL, we use our saved
4634 			 * strtok pointer from the mstate.  Note that this
4635 			 * means that the saved strtok pointer is _only_
4636 			 * valid within multiple enablings of the same probe --
4637 			 * it behaves like an implicit clause-local variable.
4638 			 */
4639 			addr = mstate->dtms_strtok;
4640 			limit = mstate->dtms_strtok_limit;
4641 		} else {
4642 			/*
4643 			 * If the user-specified address is non-NULL we must
4644 			 * access check it.  This is the only time we have
4645 			 * a chance to do so, since this address may reside
4646 			 * in the string table of this clause-- future calls
4647 			 * (when we fetch addr from mstate->dtms_strtok)
4648 			 * would fail this access check.
4649 			 */
4650 			if (!dtrace_strcanload(addr, size, &clim, mstate,
4651 			    vstate)) {
4652 				regs[rd] = 0;
4653 				break;
4654 			}
4655 			limit = addr + clim;
4656 		}
4657 
4658 		/*
4659 		 * First, zero the token map, and then process the token
4660 		 * string -- setting a bit in the map for every character
4661 		 * found in the token string.
4662 		 */
4663 		for (i = 0; i < sizeof (tokmap); i++)
4664 			tokmap[i] = 0;
4665 
4666 		for (; tokaddr < toklimit; tokaddr++) {
4667 			if ((c = dtrace_load8(tokaddr)) == '\0')
4668 				break;
4669 
4670 			ASSERT((c >> 3) < sizeof (tokmap));
4671 			tokmap[c >> 3] |= (1 << (c & 0x7));
4672 		}
4673 
4674 		for (; addr < limit; addr++) {
4675 			/*
4676 			 * We're looking for a character that is _not_
4677 			 * contained in the token string.
4678 			 */
4679 			if ((c = dtrace_load8(addr)) == '\0')
4680 				break;
4681 
4682 			if (!(tokmap[c >> 3] & (1 << (c & 0x7))))
4683 				break;
4684 		}
4685 
4686 		if (c == '\0') {
4687 			/*
4688 			 * We reached the end of the string without finding
4689 			 * any character that was not in the token string.
4690 			 * We return NULL in this case, and we set the saved
4691 			 * address to NULL as well.
4692 			 */
4693 			regs[rd] = 0;
4694 			mstate->dtms_strtok = 0;
4695 			mstate->dtms_strtok_limit = 0;
4696 			break;
4697 		}
4698 
4699 		/*
4700 		 * From here on, we're copying into the destination string.
4701 		 */
4702 		for (i = 0; addr < limit && i < size - 1; addr++) {
4703 			if ((c = dtrace_load8(addr)) == '\0')
4704 				break;
4705 
4706 			if (tokmap[c >> 3] & (1 << (c & 0x7)))
4707 				break;
4708 
4709 			ASSERT(i < size);
4710 			dest[i++] = c;
4711 		}
4712 
4713 		ASSERT(i < size);
4714 		dest[i] = '\0';
4715 		regs[rd] = (uintptr_t)dest;
4716 		mstate->dtms_scratch_ptr += size;
4717 		mstate->dtms_strtok = addr;
4718 		mstate->dtms_strtok_limit = limit;
4719 		break;
4720 	}
4721 
4722 	case DIF_SUBR_SUBSTR: {
4723 		uintptr_t s = tupregs[0].dttk_value;
4724 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
4725 		char *d = (char *)mstate->dtms_scratch_ptr;
4726 		int64_t index = (int64_t)tupregs[1].dttk_value;
4727 		int64_t remaining = (int64_t)tupregs[2].dttk_value;
4728 		size_t len = dtrace_strlen((char *)s, size);
4729 		int64_t i;
4730 
4731 		if (!dtrace_canload(s, len + 1, mstate, vstate)) {
4732 			regs[rd] = 0;
4733 			break;
4734 		}
4735 
4736 		if (!DTRACE_INSCRATCH(mstate, size)) {
4737 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
4738 			regs[rd] = 0;
4739 			break;
4740 		}
4741 
4742 		if (nargs <= 2)
4743 			remaining = (int64_t)size;
4744 
4745 		if (index < 0) {
4746 			index += len;
4747 
4748 			if (index < 0 && index + remaining > 0) {
4749 				remaining += index;
4750 				index = 0;
4751 			}
4752 		}
4753 
4754 		if (index >= len || index < 0) {
4755 			remaining = 0;
4756 		} else if (remaining < 0) {
4757 			remaining += len - index;
4758 		} else if (index + remaining > size) {
4759 			remaining = size - index;
4760 		}
4761 
4762 		for (i = 0; i < remaining; i++) {
4763 			if ((d[i] = dtrace_load8(s + index + i)) == '\0')
4764 				break;
4765 		}
4766 
4767 		d[i] = '\0';
4768 
4769 		mstate->dtms_scratch_ptr += size;
4770 		regs[rd] = (uintptr_t)d;
4771 		break;
4772 	}
4773 
4774 	case DIF_SUBR_JSON: {
4775 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
4776 		uintptr_t json = tupregs[0].dttk_value;
4777 		size_t jsonlen = dtrace_strlen((char *)json, size);
4778 		uintptr_t elem = tupregs[1].dttk_value;
4779 		size_t elemlen = dtrace_strlen((char *)elem, size);
4780 
4781 		char *dest = (char *)mstate->dtms_scratch_ptr;
4782 		char *elemlist = (char *)mstate->dtms_scratch_ptr + jsonlen + 1;
4783 		char *ee = elemlist;
4784 		int nelems = 1;
4785 		uintptr_t cur;
4786 
4787 		if (!dtrace_canload(json, jsonlen + 1, mstate, vstate) ||
4788 		    !dtrace_canload(elem, elemlen + 1, mstate, vstate)) {
4789 			regs[rd] = 0;
4790 			break;
4791 		}
4792 
4793 		if (!DTRACE_INSCRATCH(mstate, jsonlen + 1 + elemlen + 1)) {
4794 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
4795 			regs[rd] = 0;
4796 			break;
4797 		}
4798 
4799 		/*
4800 		 * Read the element selector and split it up into a packed list
4801 		 * of strings.
4802 		 */
4803 		for (cur = elem; cur < elem + elemlen; cur++) {
4804 			char cc = dtrace_load8(cur);
4805 
4806 			if (cur == elem && cc == '[') {
4807 				/*
4808 				 * If the first element selector key is
4809 				 * actually an array index then ignore the
4810 				 * bracket.
4811 				 */
4812 				continue;
4813 			}
4814 
4815 			if (cc == ']')
4816 				continue;
4817 
4818 			if (cc == '.' || cc == '[') {
4819 				nelems++;
4820 				cc = '\0';
4821 			}
4822 
4823 			*ee++ = cc;
4824 		}
4825 		*ee++ = '\0';
4826 
4827 		if ((regs[rd] = (uintptr_t)dtrace_json(size, json, elemlist,
4828 		    nelems, dest)) != 0)
4829 			mstate->dtms_scratch_ptr += jsonlen + 1;
4830 		break;
4831 	}
4832 
4833 	case DIF_SUBR_TOUPPER:
4834 	case DIF_SUBR_TOLOWER: {
4835 		uintptr_t s = tupregs[0].dttk_value;
4836 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
4837 		char *dest = (char *)mstate->dtms_scratch_ptr, c;
4838 		size_t len = dtrace_strlen((char *)s, size);
4839 		char lower, upper, convert;
4840 		int64_t i;
4841 
4842 		if (subr == DIF_SUBR_TOUPPER) {
4843 			lower = 'a';
4844 			upper = 'z';
4845 			convert = 'A';
4846 		} else {
4847 			lower = 'A';
4848 			upper = 'Z';
4849 			convert = 'a';
4850 		}
4851 
4852 		if (!dtrace_canload(s, len + 1, mstate, vstate)) {
4853 			regs[rd] = 0;
4854 			break;
4855 		}
4856 
4857 		if (!DTRACE_INSCRATCH(mstate, size)) {
4858 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
4859 			regs[rd] = 0;
4860 			break;
4861 		}
4862 
4863 		for (i = 0; i < size - 1; i++) {
4864 			if ((c = dtrace_load8(s + i)) == '\0')
4865 				break;
4866 
4867 			if (c >= lower && c <= upper)
4868 				c = convert + (c - lower);
4869 
4870 			dest[i] = c;
4871 		}
4872 
4873 		ASSERT(i < size);
4874 		dest[i] = '\0';
4875 		regs[rd] = (uintptr_t)dest;
4876 		mstate->dtms_scratch_ptr += size;
4877 		break;
4878 	}
4879 
4880 case DIF_SUBR_GETMAJOR:
4881 #ifdef _LP64
4882 		regs[rd] = (tupregs[0].dttk_value >> NBITSMINOR64) & MAXMAJ64;
4883 #else
4884 		regs[rd] = (tupregs[0].dttk_value >> NBITSMINOR) & MAXMAJ;
4885 #endif
4886 		break;
4887 
4888 	case DIF_SUBR_GETMINOR:
4889 #ifdef _LP64
4890 		regs[rd] = tupregs[0].dttk_value & MAXMIN64;
4891 #else
4892 		regs[rd] = tupregs[0].dttk_value & MAXMIN;
4893 #endif
4894 		break;
4895 
4896 	case DIF_SUBR_DDI_PATHNAME: {
4897 		/*
4898 		 * This one is a galactic mess.  We are going to roughly
4899 		 * emulate ddi_pathname(), but it's made more complicated
4900 		 * by the fact that we (a) want to include the minor name and
4901 		 * (b) must proceed iteratively instead of recursively.
4902 		 */
4903 		uintptr_t dest = mstate->dtms_scratch_ptr;
4904 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
4905 		char *start = (char *)dest, *end = start + size - 1;
4906 		uintptr_t daddr = tupregs[0].dttk_value;
4907 		int64_t minor = (int64_t)tupregs[1].dttk_value;
4908 		char *s;
4909 		int i, len, depth = 0;
4910 
4911 		/*
4912 		 * Due to all the pointer jumping we do and context we must
4913 		 * rely upon, we just mandate that the user must have kernel
4914 		 * read privileges to use this routine.
4915 		 */
4916 		if ((mstate->dtms_access & DTRACE_ACCESS_KERNEL) == 0) {
4917 			*flags |= CPU_DTRACE_KPRIV;
4918 			*illval = daddr;
4919 			regs[rd] = 0;
4920 		}
4921 
4922 		if (!DTRACE_INSCRATCH(mstate, size)) {
4923 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
4924 			regs[rd] = 0;
4925 			break;
4926 		}
4927 
4928 		*end = '\0';
4929 
4930 		/*
4931 		 * We want to have a name for the minor.  In order to do this,
4932 		 * we need to walk the minor list from the devinfo.  We want
4933 		 * to be sure that we don't infinitely walk a circular list,
4934 		 * so we check for circularity by sending a scout pointer
4935 		 * ahead two elements for every element that we iterate over;
4936 		 * if the list is circular, these will ultimately point to the
4937 		 * same element.  You may recognize this little trick as the
4938 		 * answer to a stupid interview question -- one that always
4939 		 * seems to be asked by those who had to have it laboriously
4940 		 * explained to them, and who can't even concisely describe
4941 		 * the conditions under which one would be forced to resort to
4942 		 * this technique.  Needless to say, those conditions are
4943 		 * found here -- and probably only here.  Is this the only use
4944 		 * of this infamous trick in shipping, production code?  If it
4945 		 * isn't, it probably should be...
4946 		 */
4947 		if (minor != -1) {
4948 			uintptr_t maddr = dtrace_loadptr(daddr +
4949 			    offsetof(struct dev_info, devi_minor));
4950 
4951 			uintptr_t next = offsetof(struct ddi_minor_data, next);
4952 			uintptr_t name = offsetof(struct ddi_minor_data,
4953 			    d_minor) + offsetof(struct ddi_minor, name);
4954 			uintptr_t dev = offsetof(struct ddi_minor_data,
4955 			    d_minor) + offsetof(struct ddi_minor, dev);
4956 			uintptr_t scout;
4957 
4958 			if (maddr != 0)
4959 				scout = dtrace_loadptr(maddr + next);
4960 
4961 			while (maddr != 0 && !(*flags & CPU_DTRACE_FAULT)) {
4962 				uint64_t m;
4963 #ifdef _LP64
4964 				m = dtrace_load64(maddr + dev) & MAXMIN64;
4965 #else
4966 				m = dtrace_load32(maddr + dev) & MAXMIN;
4967 #endif
4968 				if (m != minor) {
4969 					maddr = dtrace_loadptr(maddr + next);
4970 
4971 					if (scout == 0)
4972 						continue;
4973 
4974 					scout = dtrace_loadptr(scout + next);
4975 
4976 					if (scout == 0)
4977 						continue;
4978 
4979 					scout = dtrace_loadptr(scout + next);
4980 
4981 					if (scout == 0)
4982 						continue;
4983 
4984 					if (scout == maddr) {
4985 						*flags |= CPU_DTRACE_ILLOP;
4986 						break;
4987 					}
4988 
4989 					continue;
4990 				}
4991 
4992 				/*
4993 				 * We have the minor data.  Now we need to
4994 				 * copy the minor's name into the end of the
4995 				 * pathname.
4996 				 */
4997 				s = (char *)dtrace_loadptr(maddr + name);
4998 				len = dtrace_strlen(s, size);
4999 
5000 				if (*flags & CPU_DTRACE_FAULT)
5001 					break;
5002 
5003 				if (len != 0) {
5004 					if ((end -= (len + 1)) < start)
5005 						break;
5006 
5007 					*end = ':';
5008 				}
5009 
5010 				for (i = 1; i <= len; i++)
5011 					end[i] = dtrace_load8((uintptr_t)s++);
5012 				break;
5013 			}
5014 		}
5015 
5016 		while (daddr != 0 && !(*flags & CPU_DTRACE_FAULT)) {
5017 			ddi_node_state_t devi_state;
5018 
5019 			devi_state = dtrace_load32(daddr +
5020 			    offsetof(struct dev_info, devi_node_state));
5021 
5022 			if (*flags & CPU_DTRACE_FAULT)
5023 				break;
5024 
5025 			if (devi_state >= DS_INITIALIZED) {
5026 				s = (char *)dtrace_loadptr(daddr +
5027 				    offsetof(struct dev_info, devi_addr));
5028 				len = dtrace_strlen(s, size);
5029 
5030 				if (*flags & CPU_DTRACE_FAULT)
5031 					break;
5032 
5033 				if (len != 0) {
5034 					if ((end -= (len + 1)) < start)
5035 						break;
5036 
5037 					*end = '@';
5038 				}
5039 
5040 				for (i = 1; i <= len; i++)
5041 					end[i] = dtrace_load8((uintptr_t)s++);
5042 			}
5043 
5044 			/*
5045 			 * Now for the node name...
5046 			 */
5047 			s = (char *)dtrace_loadptr(daddr +
5048 			    offsetof(struct dev_info, devi_node_name));
5049 
5050 			daddr = dtrace_loadptr(daddr +
5051 			    offsetof(struct dev_info, devi_parent));
5052 
5053 			/*
5054 			 * If our parent is NULL (that is, if we're the root
5055 			 * node), we're going to use the special path
5056 			 * "devices".
5057 			 */
5058 			if (daddr == 0)
5059 				s = "devices";
5060 
5061 			len = dtrace_strlen(s, size);
5062 			if (*flags & CPU_DTRACE_FAULT)
5063 				break;
5064 
5065 			if ((end -= (len + 1)) < start)
5066 				break;
5067 
5068 			for (i = 1; i <= len; i++)
5069 				end[i] = dtrace_load8((uintptr_t)s++);
5070 			*end = '/';
5071 
5072 			if (depth++ > dtrace_devdepth_max) {
5073 				*flags |= CPU_DTRACE_ILLOP;
5074 				break;
5075 			}
5076 		}
5077 
5078 		if (end < start)
5079 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
5080 
5081 		if (daddr == 0) {
5082 			regs[rd] = (uintptr_t)end;
5083 			mstate->dtms_scratch_ptr += size;
5084 		}
5085 
5086 		break;
5087 	}
5088 
5089 	case DIF_SUBR_STRJOIN: {
5090 		char *d = (char *)mstate->dtms_scratch_ptr;
5091 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
5092 		uintptr_t s1 = tupregs[0].dttk_value;
5093 		uintptr_t s2 = tupregs[1].dttk_value;
5094 		int i = 0, j = 0;
5095 		size_t lim1, lim2;
5096 		char c;
5097 
5098 		if (!dtrace_strcanload(s1, size, &lim1, mstate, vstate) ||
5099 		    !dtrace_strcanload(s2, size, &lim2, mstate, vstate)) {
5100 			regs[rd] = 0;
5101 			break;
5102 		}
5103 
5104 		if (!DTRACE_INSCRATCH(mstate, size)) {
5105 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
5106 			regs[rd] = 0;
5107 			break;
5108 		}
5109 
5110 		for (;;) {
5111 			if (i >= size) {
5112 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
5113 				regs[rd] = 0;
5114 				break;
5115 			}
5116 			c = (i >= lim1) ? '\0' : dtrace_load8(s1++);
5117 			if ((d[i++] = c) == '\0') {
5118 				i--;
5119 				break;
5120 			}
5121 		}
5122 
5123 		for (;;) {
5124 			if (i >= size) {
5125 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
5126 				regs[rd] = 0;
5127 				break;
5128 			}
5129 
5130 			c = (j++ >= lim2) ? '\0' : dtrace_load8(s2++);
5131 			if ((d[i++] = c) == '\0')
5132 				break;
5133 		}
5134 
5135 		if (i < size) {
5136 			mstate->dtms_scratch_ptr += i;
5137 			regs[rd] = (uintptr_t)d;
5138 		}
5139 
5140 		break;
5141 	}
5142 
5143 	case DIF_SUBR_STRTOLL: {
5144 		uintptr_t s = tupregs[0].dttk_value;
5145 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
5146 		size_t lim;
5147 		int base = 10;
5148 
5149 		if (nargs > 1) {
5150 			if ((base = tupregs[1].dttk_value) <= 1 ||
5151 			    base > ('z' - 'a' + 1) + ('9' - '0' + 1)) {
5152 				*flags |= CPU_DTRACE_ILLOP;
5153 				break;
5154 			}
5155 		}
5156 
5157 		if (!dtrace_strcanload(s, size, &lim, mstate, vstate)) {
5158 			regs[rd] = INT64_MIN;
5159 			break;
5160 		}
5161 
5162 		regs[rd] = dtrace_strtoll((char *)s, base, lim);
5163 		break;
5164 	}
5165 
5166 	case DIF_SUBR_LLTOSTR: {
5167 		int64_t i = (int64_t)tupregs[0].dttk_value;
5168 		uint64_t val, digit;
5169 		uint64_t size = 65;	/* enough room for 2^64 in binary */
5170 		char *end = (char *)mstate->dtms_scratch_ptr + size - 1;
5171 		int base = 10;
5172 
5173 		if (nargs > 1) {
5174 			if ((base = tupregs[1].dttk_value) <= 1 ||
5175 			    base > ('z' - 'a' + 1) + ('9' - '0' + 1)) {
5176 				*flags |= CPU_DTRACE_ILLOP;
5177 				break;
5178 			}
5179 		}
5180 
5181 		val = (base == 10 && i < 0) ? i * -1 : i;
5182 
5183 		if (!DTRACE_INSCRATCH(mstate, size)) {
5184 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
5185 			regs[rd] = 0;
5186 			break;
5187 		}
5188 
5189 		for (*end-- = '\0'; val; val /= base) {
5190 			if ((digit = val % base) <= '9' - '0') {
5191 				*end-- = '0' + digit;
5192 			} else {
5193 				*end-- = 'a' + (digit - ('9' - '0') - 1);
5194 			}
5195 		}
5196 
5197 		if (i == 0 && base == 16)
5198 			*end-- = '0';
5199 
5200 		if (base == 16)
5201 			*end-- = 'x';
5202 
5203 		if (i == 0 || base == 8 || base == 16)
5204 			*end-- = '0';
5205 
5206 		if (i < 0 && base == 10)
5207 			*end-- = '-';
5208 
5209 		regs[rd] = (uintptr_t)end + 1;
5210 		mstate->dtms_scratch_ptr += size;
5211 		break;
5212 	}
5213 
5214 	case DIF_SUBR_HTONS:
5215 	case DIF_SUBR_NTOHS:
5216 #ifdef _BIG_ENDIAN
5217 		regs[rd] = (uint16_t)tupregs[0].dttk_value;
5218 #else
5219 		regs[rd] = DT_BSWAP_16((uint16_t)tupregs[0].dttk_value);
5220 #endif
5221 		break;
5222 
5223 
5224 	case DIF_SUBR_HTONL:
5225 	case DIF_SUBR_NTOHL:
5226 #ifdef _BIG_ENDIAN
5227 		regs[rd] = (uint32_t)tupregs[0].dttk_value;
5228 #else
5229 		regs[rd] = DT_BSWAP_32((uint32_t)tupregs[0].dttk_value);
5230 #endif
5231 		break;
5232 
5233 
5234 	case DIF_SUBR_HTONLL:
5235 	case DIF_SUBR_NTOHLL:
5236 #ifdef _BIG_ENDIAN
5237 		regs[rd] = (uint64_t)tupregs[0].dttk_value;
5238 #else
5239 		regs[rd] = DT_BSWAP_64((uint64_t)tupregs[0].dttk_value);
5240 #endif
5241 		break;
5242 
5243 
5244 	case DIF_SUBR_DIRNAME:
5245 	case DIF_SUBR_BASENAME: {
5246 		char *dest = (char *)mstate->dtms_scratch_ptr;
5247 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
5248 		uintptr_t src = tupregs[0].dttk_value;
5249 		int i, j, len = dtrace_strlen((char *)src, size);
5250 		int lastbase = -1, firstbase = -1, lastdir = -1;
5251 		int start, end;
5252 
5253 		if (!dtrace_canload(src, len + 1, mstate, vstate)) {
5254 			regs[rd] = 0;
5255 			break;
5256 		}
5257 
5258 		if (!DTRACE_INSCRATCH(mstate, size)) {
5259 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
5260 			regs[rd] = 0;
5261 			break;
5262 		}
5263 
5264 		/*
5265 		 * The basename and dirname for a zero-length string is
5266 		 * defined to be "."
5267 		 */
5268 		if (len == 0) {
5269 			len = 1;
5270 			src = (uintptr_t)".";
5271 		}
5272 
5273 		/*
5274 		 * Start from the back of the string, moving back toward the
5275 		 * front until we see a character that isn't a slash.  That
5276 		 * character is the last character in the basename.
5277 		 */
5278 		for (i = len - 1; i >= 0; i--) {
5279 			if (dtrace_load8(src + i) != '/')
5280 				break;
5281 		}
5282 
5283 		if (i >= 0)
5284 			lastbase = i;
5285 
5286 		/*
5287 		 * Starting from the last character in the basename, move
5288 		 * towards the front until we find a slash.  The character
5289 		 * that we processed immediately before that is the first
5290 		 * character in the basename.
5291 		 */
5292 		for (; i >= 0; i--) {
5293 			if (dtrace_load8(src + i) == '/')
5294 				break;
5295 		}
5296 
5297 		if (i >= 0)
5298 			firstbase = i + 1;
5299 
5300 		/*
5301 		 * Now keep going until we find a non-slash character.  That
5302 		 * character is the last character in the dirname.
5303 		 */
5304 		for (; i >= 0; i--) {
5305 			if (dtrace_load8(src + i) != '/')
5306 				break;
5307 		}
5308 
5309 		if (i >= 0)
5310 			lastdir = i;
5311 
5312 		ASSERT(!(lastbase == -1 && firstbase != -1));
5313 		ASSERT(!(firstbase == -1 && lastdir != -1));
5314 
5315 		if (lastbase == -1) {
5316 			/*
5317 			 * We didn't find a non-slash character.  We know that
5318 			 * the length is non-zero, so the whole string must be
5319 			 * slashes.  In either the dirname or the basename
5320 			 * case, we return '/'.
5321 			 */
5322 			ASSERT(firstbase == -1);
5323 			firstbase = lastbase = lastdir = 0;
5324 		}
5325 
5326 		if (firstbase == -1) {
5327 			/*
5328 			 * The entire string consists only of a basename
5329 			 * component.  If we're looking for dirname, we need
5330 			 * to change our string to be just "."; if we're
5331 			 * looking for a basename, we'll just set the first
5332 			 * character of the basename to be 0.
5333 			 */
5334 			if (subr == DIF_SUBR_DIRNAME) {
5335 				ASSERT(lastdir == -1);
5336 				src = (uintptr_t)".";
5337 				lastdir = 0;
5338 			} else {
5339 				firstbase = 0;
5340 			}
5341 		}
5342 
5343 		if (subr == DIF_SUBR_DIRNAME) {
5344 			if (lastdir == -1) {
5345 				/*
5346 				 * We know that we have a slash in the name --
5347 				 * or lastdir would be set to 0, above.  And
5348 				 * because lastdir is -1, we know that this
5349 				 * slash must be the first character.  (That
5350 				 * is, the full string must be of the form
5351 				 * "/basename".)  In this case, the last
5352 				 * character of the directory name is 0.
5353 				 */
5354 				lastdir = 0;
5355 			}
5356 
5357 			start = 0;
5358 			end = lastdir;
5359 		} else {
5360 			ASSERT(subr == DIF_SUBR_BASENAME);
5361 			ASSERT(firstbase != -1 && lastbase != -1);
5362 			start = firstbase;
5363 			end = lastbase;
5364 		}
5365 
5366 		for (i = start, j = 0; i <= end && j < size - 1; i++, j++)
5367 			dest[j] = dtrace_load8(src + i);
5368 
5369 		dest[j] = '\0';
5370 		regs[rd] = (uintptr_t)dest;
5371 		mstate->dtms_scratch_ptr += size;
5372 		break;
5373 	}
5374 
5375 	case DIF_SUBR_GETF: {
5376 		uintptr_t fd = tupregs[0].dttk_value;
5377 		uf_info_t *finfo = &curthread->t_procp->p_user.u_finfo;
5378 		file_t *fp;
5379 
5380 		if (!dtrace_priv_proc(state, mstate)) {
5381 			regs[rd] = 0;
5382 			break;
5383 		}
5384 
5385 		/*
5386 		 * This is safe because fi_nfiles only increases, and the
5387 		 * fi_list array is not freed when the array size doubles.
5388 		 * (See the comment in flist_grow() for details on the
5389 		 * management of the u_finfo structure.)
5390 		 */
5391 		fp = fd < finfo->fi_nfiles ? finfo->fi_list[fd].uf_file : NULL;
5392 
5393 		mstate->dtms_getf = fp;
5394 		regs[rd] = (uintptr_t)fp;
5395 		break;
5396 	}
5397 
5398 	case DIF_SUBR_CLEANPATH: {
5399 		char *dest = (char *)mstate->dtms_scratch_ptr, c;
5400 		uint64_t size = state->dts_options[DTRACEOPT_STRSIZE];
5401 		uintptr_t src = tupregs[0].dttk_value;
5402 		size_t lim;
5403 		int i = 0, j = 0;
5404 		zone_t *z;
5405 
5406 		if (!dtrace_strcanload(src, size, &lim, mstate, vstate)) {
5407 			regs[rd] = 0;
5408 			break;
5409 		}
5410 
5411 		if (!DTRACE_INSCRATCH(mstate, size)) {
5412 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
5413 			regs[rd] = 0;
5414 			break;
5415 		}
5416 
5417 		/*
5418 		 * Move forward, loading each character.
5419 		 */
5420 		do {
5421 			c = (i >= lim) ? '\0' : dtrace_load8(src + i++);
5422 next:
5423 			if (j + 5 >= size)	/* 5 = strlen("/..c\0") */
5424 				break;
5425 
5426 			if (c != '/') {
5427 				dest[j++] = c;
5428 				continue;
5429 			}
5430 
5431 			c = (i >= lim) ? '\0' : dtrace_load8(src + i++);
5432 
5433 			if (c == '/') {
5434 				/*
5435 				 * We have two slashes -- we can just advance
5436 				 * to the next character.
5437 				 */
5438 				goto next;
5439 			}
5440 
5441 			if (c != '.') {
5442 				/*
5443 				 * This is not "." and it's not ".." -- we can
5444 				 * just store the "/" and this character and
5445 				 * drive on.
5446 				 */
5447 				dest[j++] = '/';
5448 				dest[j++] = c;
5449 				continue;
5450 			}
5451 
5452 			c = (i >= lim) ? '\0' : dtrace_load8(src + i++);
5453 
5454 			if (c == '/') {
5455 				/*
5456 				 * This is a "/./" component.  We're not going
5457 				 * to store anything in the destination buffer;
5458 				 * we're just going to go to the next component.
5459 				 */
5460 				goto next;
5461 			}
5462 
5463 			if (c != '.') {
5464 				/*
5465 				 * This is not ".." -- we can just store the
5466 				 * "/." and this character and continue
5467 				 * processing.
5468 				 */
5469 				dest[j++] = '/';
5470 				dest[j++] = '.';
5471 				dest[j++] = c;
5472 				continue;
5473 			}
5474 
5475 			c = (i >= lim) ? '\0' : dtrace_load8(src + i++);
5476 
5477 			if (c != '/' && c != '\0') {
5478 				/*
5479 				 * This is not ".." -- it's "..[mumble]".
5480 				 * We'll store the "/.." and this character
5481 				 * and continue processing.
5482 				 */
5483 				dest[j++] = '/';
5484 				dest[j++] = '.';
5485 				dest[j++] = '.';
5486 				dest[j++] = c;
5487 				continue;
5488 			}
5489 
5490 			/*
5491 			 * This is "/../" or "/..\0".  We need to back up
5492 			 * our destination pointer until we find a "/".
5493 			 */
5494 			i--;
5495 			while (j != 0 && dest[--j] != '/')
5496 				continue;
5497 
5498 			if (c == '\0')
5499 				dest[++j] = '/';
5500 		} while (c != '\0');
5501 
5502 		dest[j] = '\0';
5503 
5504 		if (mstate->dtms_getf != NULL &&
5505 		    !(mstate->dtms_access & DTRACE_ACCESS_KERNEL) &&
5506 		    (z = state->dts_cred.dcr_cred->cr_zone) != kcred->cr_zone) {
5507 			/*
5508 			 * If we've done a getf() as a part of this ECB and we
5509 			 * don't have kernel access (and we're not in the global
5510 			 * zone), check if the path we cleaned up begins with
5511 			 * the zone's root path, and trim it off if so.  Note
5512 			 * that this is an output cleanliness issue, not a
5513 			 * security issue: knowing one's zone root path does
5514 			 * not enable privilege escalation.
5515 			 */
5516 			if (strstr(dest, z->zone_rootpath) == dest)
5517 				dest += strlen(z->zone_rootpath) - 1;
5518 		}
5519 
5520 		regs[rd] = (uintptr_t)dest;
5521 		mstate->dtms_scratch_ptr += size;
5522 		break;
5523 	}
5524 
5525 	case DIF_SUBR_INET_NTOA:
5526 	case DIF_SUBR_INET_NTOA6:
5527 	case DIF_SUBR_INET_NTOP: {
5528 		size_t size;
5529 		int af, argi, i;
5530 		char *base, *end;
5531 
5532 		if (subr == DIF_SUBR_INET_NTOP) {
5533 			af = (int)tupregs[0].dttk_value;
5534 			argi = 1;
5535 		} else {
5536 			af = subr == DIF_SUBR_INET_NTOA ? AF_INET: AF_INET6;
5537 			argi = 0;
5538 		}
5539 
5540 		if (af == AF_INET) {
5541 			ipaddr_t ip4;
5542 			uint8_t *ptr8, val;
5543 
5544 			if (!dtrace_canload(tupregs[argi].dttk_value,
5545 			    sizeof (ipaddr_t), mstate, vstate)) {
5546 				regs[rd] = 0;
5547 				break;
5548 			}
5549 
5550 			/*
5551 			 * Safely load the IPv4 address.
5552 			 */
5553 			ip4 = dtrace_load32(tupregs[argi].dttk_value);
5554 
5555 			/*
5556 			 * Check an IPv4 string will fit in scratch.
5557 			 */
5558 			size = INET_ADDRSTRLEN;
5559 			if (!DTRACE_INSCRATCH(mstate, size)) {
5560 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
5561 				regs[rd] = 0;
5562 				break;
5563 			}
5564 			base = (char *)mstate->dtms_scratch_ptr;
5565 			end = (char *)mstate->dtms_scratch_ptr + size - 1;
5566 
5567 			/*
5568 			 * Stringify as a dotted decimal quad.
5569 			 */
5570 			*end-- = '\0';
5571 			ptr8 = (uint8_t *)&ip4;
5572 			for (i = 3; i >= 0; i--) {
5573 				val = ptr8[i];
5574 
5575 				if (val == 0) {
5576 					*end-- = '0';
5577 				} else {
5578 					for (; val; val /= 10) {
5579 						*end-- = '0' + (val % 10);
5580 					}
5581 				}
5582 
5583 				if (i > 0)
5584 					*end-- = '.';
5585 			}
5586 			ASSERT(end + 1 >= base);
5587 
5588 		} else if (af == AF_INET6) {
5589 			struct in6_addr ip6;
5590 			int firstzero, tryzero, numzero, v6end;
5591 			uint16_t val;
5592 			const char digits[] = "0123456789abcdef";
5593 
5594 			/*
5595 			 * Stringify using RFC 1884 convention 2 - 16 bit
5596 			 * hexadecimal values with a zero-run compression.
5597 			 * Lower case hexadecimal digits are used.
5598 			 *	eg, fe80::214:4fff:fe0b:76c8.
5599 			 * The IPv4 embedded form is returned for inet_ntop,
5600 			 * just the IPv4 string is returned for inet_ntoa6.
5601 			 */
5602 
5603 			if (!dtrace_canload(tupregs[argi].dttk_value,
5604 			    sizeof (struct in6_addr), mstate, vstate)) {
5605 				regs[rd] = 0;
5606 				break;
5607 			}
5608 
5609 			/*
5610 			 * Safely load the IPv6 address.
5611 			 */
5612 			dtrace_bcopy(
5613 			    (void *)(uintptr_t)tupregs[argi].dttk_value,
5614 			    (void *)(uintptr_t)&ip6, sizeof (struct in6_addr));
5615 
5616 			/*
5617 			 * Check an IPv6 string will fit in scratch.
5618 			 */
5619 			size = INET6_ADDRSTRLEN;
5620 			if (!DTRACE_INSCRATCH(mstate, size)) {
5621 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
5622 				regs[rd] = 0;
5623 				break;
5624 			}
5625 			base = (char *)mstate->dtms_scratch_ptr;
5626 			end = (char *)mstate->dtms_scratch_ptr + size - 1;
5627 			*end-- = '\0';
5628 
5629 			/*
5630 			 * Find the longest run of 16 bit zero values
5631 			 * for the single allowed zero compression - "::".
5632 			 */
5633 			firstzero = -1;
5634 			tryzero = -1;
5635 			numzero = 1;
5636 			for (i = 0; i < sizeof (struct in6_addr); i++) {
5637 				if (ip6._S6_un._S6_u8[i] == 0 &&
5638 				    tryzero == -1 && i % 2 == 0) {
5639 					tryzero = i;
5640 					continue;
5641 				}
5642 
5643 				if (tryzero != -1 &&
5644 				    (ip6._S6_un._S6_u8[i] != 0 ||
5645 				    i == sizeof (struct in6_addr) - 1)) {
5646 
5647 					if (i - tryzero <= numzero) {
5648 						tryzero = -1;
5649 						continue;
5650 					}
5651 
5652 					firstzero = tryzero;
5653 					numzero = i - i % 2 - tryzero;
5654 					tryzero = -1;
5655 
5656 					if (ip6._S6_un._S6_u8[i] == 0 &&
5657 					    i == sizeof (struct in6_addr) - 1)
5658 						numzero += 2;
5659 				}
5660 			}
5661 			ASSERT(firstzero + numzero <= sizeof (struct in6_addr));
5662 
5663 			/*
5664 			 * Check for an IPv4 embedded address.
5665 			 */
5666 			v6end = sizeof (struct in6_addr) - 2;
5667 			if (IN6_IS_ADDR_V4MAPPED(&ip6) ||
5668 			    IN6_IS_ADDR_V4COMPAT(&ip6)) {
5669 				for (i = sizeof (struct in6_addr) - 1;
5670 				    i >= DTRACE_V4MAPPED_OFFSET; i--) {
5671 					ASSERT(end >= base);
5672 
5673 					val = ip6._S6_un._S6_u8[i];
5674 
5675 					if (val == 0) {
5676 						*end-- = '0';
5677 					} else {
5678 						for (; val; val /= 10) {
5679 							*end-- = '0' + val % 10;
5680 						}
5681 					}
5682 
5683 					if (i > DTRACE_V4MAPPED_OFFSET)
5684 						*end-- = '.';
5685 				}
5686 
5687 				if (subr == DIF_SUBR_INET_NTOA6)
5688 					goto inetout;
5689 
5690 				/*
5691 				 * Set v6end to skip the IPv4 address that
5692 				 * we have already stringified.
5693 				 */
5694 				v6end = 10;
5695 			}
5696 
5697 			/*
5698 			 * Build the IPv6 string by working through the
5699 			 * address in reverse.
5700 			 */
5701 			for (i = v6end; i >= 0; i -= 2) {
5702 				ASSERT(end >= base);
5703 
5704 				if (i == firstzero + numzero - 2) {
5705 					*end-- = ':';
5706 					*end-- = ':';
5707 					i -= numzero - 2;
5708 					continue;
5709 				}
5710 
5711 				if (i < 14 && i != firstzero - 2)
5712 					*end-- = ':';
5713 
5714 				val = (ip6._S6_un._S6_u8[i] << 8) +
5715 				    ip6._S6_un._S6_u8[i + 1];
5716 
5717 				if (val == 0) {
5718 					*end-- = '0';
5719 				} else {
5720 					for (; val; val /= 16) {
5721 						*end-- = digits[val % 16];
5722 					}
5723 				}
5724 			}
5725 			ASSERT(end + 1 >= base);
5726 
5727 		} else {
5728 			/*
5729 			 * The user didn't use AH_INET or AH_INET6.
5730 			 */
5731 			DTRACE_CPUFLAG_SET(CPU_DTRACE_ILLOP);
5732 			regs[rd] = 0;
5733 			break;
5734 		}
5735 
5736 inetout:	regs[rd] = (uintptr_t)end + 1;
5737 		mstate->dtms_scratch_ptr += size;
5738 		break;
5739 	}
5740 
5741 	}
5742 }
5743 
5744 /*
5745  * Emulate the execution of DTrace IR instructions specified by the given
5746  * DIF object.  This function is deliberately void of assertions as all of
5747  * the necessary checks are handled by a call to dtrace_difo_validate().
5748  */
5749 static uint64_t
5750 dtrace_dif_emulate(dtrace_difo_t *difo, dtrace_mstate_t *mstate,
5751     dtrace_vstate_t *vstate, dtrace_state_t *state)
5752 {
5753 	const dif_instr_t *text = difo->dtdo_buf;
5754 	const uint_t textlen = difo->dtdo_len;
5755 	const char *strtab = difo->dtdo_strtab;
5756 	const uint64_t *inttab = difo->dtdo_inttab;
5757 
5758 	uint64_t rval = 0;
5759 	dtrace_statvar_t *svar;
5760 	dtrace_dstate_t *dstate = &vstate->dtvs_dynvars;
5761 	dtrace_difv_t *v;
5762 	volatile uint16_t *flags = &cpu_core[CPU->cpu_id].cpuc_dtrace_flags;
5763 	volatile uintptr_t *illval = &cpu_core[CPU->cpu_id].cpuc_dtrace_illval;
5764 
5765 	dtrace_key_t tupregs[DIF_DTR_NREGS + 2]; /* +2 for thread and id */
5766 	uint64_t regs[DIF_DIR_NREGS];
5767 	uint64_t *tmp;
5768 
5769 	uint8_t cc_n = 0, cc_z = 0, cc_v = 0, cc_c = 0;
5770 	int64_t cc_r;
5771 	uint_t pc = 0, id, opc;
5772 	uint8_t ttop = 0;
5773 	dif_instr_t instr;
5774 	uint_t r1, r2, rd;
5775 
5776 	/*
5777 	 * We stash the current DIF object into the machine state: we need it
5778 	 * for subsequent access checking.
5779 	 */
5780 	mstate->dtms_difo = difo;
5781 
5782 	regs[DIF_REG_R0] = 0;		/* %r0 is fixed at zero */
5783 
5784 	while (pc < textlen && !(*flags & CPU_DTRACE_FAULT)) {
5785 		opc = pc;
5786 
5787 		instr = text[pc++];
5788 		r1 = DIF_INSTR_R1(instr);
5789 		r2 = DIF_INSTR_R2(instr);
5790 		rd = DIF_INSTR_RD(instr);
5791 
5792 		switch (DIF_INSTR_OP(instr)) {
5793 		case DIF_OP_OR:
5794 			regs[rd] = regs[r1] | regs[r2];
5795 			break;
5796 		case DIF_OP_XOR:
5797 			regs[rd] = regs[r1] ^ regs[r2];
5798 			break;
5799 		case DIF_OP_AND:
5800 			regs[rd] = regs[r1] & regs[r2];
5801 			break;
5802 		case DIF_OP_SLL:
5803 			regs[rd] = regs[r1] << regs[r2];
5804 			break;
5805 		case DIF_OP_SRL:
5806 			regs[rd] = regs[r1] >> regs[r2];
5807 			break;
5808 		case DIF_OP_SUB:
5809 			regs[rd] = regs[r1] - regs[r2];
5810 			break;
5811 		case DIF_OP_ADD:
5812 			regs[rd] = regs[r1] + regs[r2];
5813 			break;
5814 		case DIF_OP_MUL:
5815 			regs[rd] = regs[r1] * regs[r2];
5816 			break;
5817 		case DIF_OP_SDIV:
5818 			if (regs[r2] == 0) {
5819 				regs[rd] = 0;
5820 				*flags |= CPU_DTRACE_DIVZERO;
5821 			} else {
5822 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
5823 				regs[rd] = (int64_t)regs[r1] /
5824 				    (int64_t)regs[r2];
5825 				DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
5826 			}
5827 			break;
5828 
5829 		case DIF_OP_UDIV:
5830 			if (regs[r2] == 0) {
5831 				regs[rd] = 0;
5832 				*flags |= CPU_DTRACE_DIVZERO;
5833 			} else {
5834 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
5835 				regs[rd] = regs[r1] / regs[r2];
5836 				DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
5837 			}
5838 			break;
5839 
5840 		case DIF_OP_SREM:
5841 			if (regs[r2] == 0) {
5842 				regs[rd] = 0;
5843 				*flags |= CPU_DTRACE_DIVZERO;
5844 			} else {
5845 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
5846 				regs[rd] = (int64_t)regs[r1] %
5847 				    (int64_t)regs[r2];
5848 				DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
5849 			}
5850 			break;
5851 
5852 		case DIF_OP_UREM:
5853 			if (regs[r2] == 0) {
5854 				regs[rd] = 0;
5855 				*flags |= CPU_DTRACE_DIVZERO;
5856 			} else {
5857 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
5858 				regs[rd] = regs[r1] % regs[r2];
5859 				DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
5860 			}
5861 			break;
5862 
5863 		case DIF_OP_NOT:
5864 			regs[rd] = ~regs[r1];
5865 			break;
5866 		case DIF_OP_MOV:
5867 			regs[rd] = regs[r1];
5868 			break;
5869 		case DIF_OP_CMP:
5870 			cc_r = regs[r1] - regs[r2];
5871 			cc_n = cc_r < 0;
5872 			cc_z = cc_r == 0;
5873 			cc_v = 0;
5874 			cc_c = regs[r1] < regs[r2];
5875 			break;
5876 		case DIF_OP_TST:
5877 			cc_n = cc_v = cc_c = 0;
5878 			cc_z = regs[r1] == 0;
5879 			break;
5880 		case DIF_OP_BA:
5881 			pc = DIF_INSTR_LABEL(instr);
5882 			break;
5883 		case DIF_OP_BE:
5884 			if (cc_z)
5885 				pc = DIF_INSTR_LABEL(instr);
5886 			break;
5887 		case DIF_OP_BNE:
5888 			if (cc_z == 0)
5889 				pc = DIF_INSTR_LABEL(instr);
5890 			break;
5891 		case DIF_OP_BG:
5892 			if ((cc_z | (cc_n ^ cc_v)) == 0)
5893 				pc = DIF_INSTR_LABEL(instr);
5894 			break;
5895 		case DIF_OP_BGU:
5896 			if ((cc_c | cc_z) == 0)
5897 				pc = DIF_INSTR_LABEL(instr);
5898 			break;
5899 		case DIF_OP_BGE:
5900 			if ((cc_n ^ cc_v) == 0)
5901 				pc = DIF_INSTR_LABEL(instr);
5902 			break;
5903 		case DIF_OP_BGEU:
5904 			if (cc_c == 0)
5905 				pc = DIF_INSTR_LABEL(instr);
5906 			break;
5907 		case DIF_OP_BL:
5908 			if (cc_n ^ cc_v)
5909 				pc = DIF_INSTR_LABEL(instr);
5910 			break;
5911 		case DIF_OP_BLU:
5912 			if (cc_c)
5913 				pc = DIF_INSTR_LABEL(instr);
5914 			break;
5915 		case DIF_OP_BLE:
5916 			if (cc_z | (cc_n ^ cc_v))
5917 				pc = DIF_INSTR_LABEL(instr);
5918 			break;
5919 		case DIF_OP_BLEU:
5920 			if (cc_c | cc_z)
5921 				pc = DIF_INSTR_LABEL(instr);
5922 			break;
5923 		case DIF_OP_RLDSB:
5924 			if (!dtrace_canload(regs[r1], 1, mstate, vstate))
5925 				break;
5926 			/*FALLTHROUGH*/
5927 		case DIF_OP_LDSB:
5928 			regs[rd] = (int8_t)dtrace_load8(regs[r1]);
5929 			break;
5930 		case DIF_OP_RLDSH:
5931 			if (!dtrace_canload(regs[r1], 2, mstate, vstate))
5932 				break;
5933 			/*FALLTHROUGH*/
5934 		case DIF_OP_LDSH:
5935 			regs[rd] = (int16_t)dtrace_load16(regs[r1]);
5936 			break;
5937 		case DIF_OP_RLDSW:
5938 			if (!dtrace_canload(regs[r1], 4, mstate, vstate))
5939 				break;
5940 			/*FALLTHROUGH*/
5941 		case DIF_OP_LDSW:
5942 			regs[rd] = (int32_t)dtrace_load32(regs[r1]);
5943 			break;
5944 		case DIF_OP_RLDUB:
5945 			if (!dtrace_canload(regs[r1], 1, mstate, vstate))
5946 				break;
5947 			/*FALLTHROUGH*/
5948 		case DIF_OP_LDUB:
5949 			regs[rd] = dtrace_load8(regs[r1]);
5950 			break;
5951 		case DIF_OP_RLDUH:
5952 			if (!dtrace_canload(regs[r1], 2, mstate, vstate))
5953 				break;
5954 			/*FALLTHROUGH*/
5955 		case DIF_OP_LDUH:
5956 			regs[rd] = dtrace_load16(regs[r1]);
5957 			break;
5958 		case DIF_OP_RLDUW:
5959 			if (!dtrace_canload(regs[r1], 4, mstate, vstate))
5960 				break;
5961 			/*FALLTHROUGH*/
5962 		case DIF_OP_LDUW:
5963 			regs[rd] = dtrace_load32(regs[r1]);
5964 			break;
5965 		case DIF_OP_RLDX:
5966 			if (!dtrace_canload(regs[r1], 8, mstate, vstate))
5967 				break;
5968 			/*FALLTHROUGH*/
5969 		case DIF_OP_LDX:
5970 			regs[rd] = dtrace_load64(regs[r1]);
5971 			break;
5972 		case DIF_OP_ULDSB:
5973 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
5974 			regs[rd] = (int8_t)
5975 			    dtrace_fuword8((void *)(uintptr_t)regs[r1]);
5976 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
5977 			break;
5978 		case DIF_OP_ULDSH:
5979 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
5980 			regs[rd] = (int16_t)
5981 			    dtrace_fuword16((void *)(uintptr_t)regs[r1]);
5982 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
5983 			break;
5984 		case DIF_OP_ULDSW:
5985 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
5986 			regs[rd] = (int32_t)
5987 			    dtrace_fuword32((void *)(uintptr_t)regs[r1]);
5988 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
5989 			break;
5990 		case DIF_OP_ULDUB:
5991 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
5992 			regs[rd] =
5993 			    dtrace_fuword8((void *)(uintptr_t)regs[r1]);
5994 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
5995 			break;
5996 		case DIF_OP_ULDUH:
5997 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
5998 			regs[rd] =
5999 			    dtrace_fuword16((void *)(uintptr_t)regs[r1]);
6000 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
6001 			break;
6002 		case DIF_OP_ULDUW:
6003 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
6004 			regs[rd] =
6005 			    dtrace_fuword32((void *)(uintptr_t)regs[r1]);
6006 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
6007 			break;
6008 		case DIF_OP_ULDX:
6009 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
6010 			regs[rd] =
6011 			    dtrace_fuword64((void *)(uintptr_t)regs[r1]);
6012 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
6013 			break;
6014 		case DIF_OP_RET:
6015 			rval = regs[rd];
6016 			pc = textlen;
6017 			break;
6018 		case DIF_OP_NOP:
6019 			break;
6020 		case DIF_OP_SETX:
6021 			regs[rd] = inttab[DIF_INSTR_INTEGER(instr)];
6022 			break;
6023 		case DIF_OP_SETS:
6024 			regs[rd] = (uint64_t)(uintptr_t)
6025 			    (strtab + DIF_INSTR_STRING(instr));
6026 			break;
6027 		case DIF_OP_SCMP: {
6028 			size_t sz = state->dts_options[DTRACEOPT_STRSIZE];
6029 			uintptr_t s1 = regs[r1];
6030 			uintptr_t s2 = regs[r2];
6031 			size_t lim1, lim2;
6032 
6033 			if (s1 != 0 &&
6034 			    !dtrace_strcanload(s1, sz, &lim1, mstate, vstate))
6035 				break;
6036 			if (s2 != 0 &&
6037 			    !dtrace_strcanload(s2, sz, &lim2, mstate, vstate))
6038 				break;
6039 
6040 			cc_r = dtrace_strncmp((char *)s1, (char *)s2,
6041 			    MIN(lim1, lim2));
6042 
6043 			cc_n = cc_r < 0;
6044 			cc_z = cc_r == 0;
6045 			cc_v = cc_c = 0;
6046 			break;
6047 		}
6048 		case DIF_OP_LDGA:
6049 			regs[rd] = dtrace_dif_variable(mstate, state,
6050 			    r1, regs[r2]);
6051 			break;
6052 		case DIF_OP_LDGS:
6053 			id = DIF_INSTR_VAR(instr);
6054 
6055 			if (id >= DIF_VAR_OTHER_UBASE) {
6056 				uintptr_t a;
6057 
6058 				id -= DIF_VAR_OTHER_UBASE;
6059 				svar = vstate->dtvs_globals[id];
6060 				ASSERT(svar != NULL);
6061 				v = &svar->dtsv_var;
6062 
6063 				if (!(v->dtdv_type.dtdt_flags & DIF_TF_BYREF)) {
6064 					regs[rd] = svar->dtsv_data;
6065 					break;
6066 				}
6067 
6068 				a = (uintptr_t)svar->dtsv_data;
6069 
6070 				if (*(uint8_t *)a == UINT8_MAX) {
6071 					/*
6072 					 * If the 0th byte is set to UINT8_MAX
6073 					 * then this is to be treated as a
6074 					 * reference to a NULL variable.
6075 					 */
6076 					regs[rd] = 0;
6077 				} else {
6078 					regs[rd] = a + sizeof (uint64_t);
6079 				}
6080 
6081 				break;
6082 			}
6083 
6084 			regs[rd] = dtrace_dif_variable(mstate, state, id, 0);
6085 			break;
6086 
6087 		case DIF_OP_STGA:
6088 			dtrace_dif_variable_write(mstate, state, r1, regs[r2],
6089 			    regs[rd]);
6090 			break;
6091 
6092 		case DIF_OP_STGS:
6093 			id = DIF_INSTR_VAR(instr);
6094 
6095 			ASSERT(id >= DIF_VAR_OTHER_UBASE);
6096 			id -= DIF_VAR_OTHER_UBASE;
6097 
6098 			VERIFY(id < vstate->dtvs_nglobals);
6099 			svar = vstate->dtvs_globals[id];
6100 			ASSERT(svar != NULL);
6101 			v = &svar->dtsv_var;
6102 
6103 			if (v->dtdv_type.dtdt_flags & DIF_TF_BYREF) {
6104 				uintptr_t a = (uintptr_t)svar->dtsv_data;
6105 				size_t lim;
6106 
6107 				ASSERT(a != (uintptr_t)NULL);
6108 				ASSERT(svar->dtsv_size != 0);
6109 
6110 				if (regs[rd] == 0) {
6111 					*(uint8_t *)a = UINT8_MAX;
6112 					break;
6113 				} else {
6114 					*(uint8_t *)a = 0;
6115 					a += sizeof (uint64_t);
6116 				}
6117 				if (!dtrace_vcanload(
6118 				    (void *)(uintptr_t)regs[rd], &v->dtdv_type,
6119 				    &lim, mstate, vstate))
6120 					break;
6121 
6122 				dtrace_vcopy((void *)(uintptr_t)regs[rd],
6123 				    (void *)a, &v->dtdv_type, lim);
6124 				break;
6125 			}
6126 
6127 			svar->dtsv_data = regs[rd];
6128 			break;
6129 
6130 		case DIF_OP_LDTA:
6131 			/*
6132 			 * There are no DTrace built-in thread-local arrays at
6133 			 * present.  This opcode is saved for future work.
6134 			 */
6135 			*flags |= CPU_DTRACE_ILLOP;
6136 			regs[rd] = 0;
6137 			break;
6138 
6139 		case DIF_OP_LDLS:
6140 			id = DIF_INSTR_VAR(instr);
6141 
6142 			if (id < DIF_VAR_OTHER_UBASE) {
6143 				/*
6144 				 * For now, this has no meaning.
6145 				 */
6146 				regs[rd] = 0;
6147 				break;
6148 			}
6149 
6150 			id -= DIF_VAR_OTHER_UBASE;
6151 
6152 			ASSERT(id < vstate->dtvs_nlocals);
6153 			ASSERT(vstate->dtvs_locals != NULL);
6154 
6155 			svar = vstate->dtvs_locals[id];
6156 			ASSERT(svar != NULL);
6157 			v = &svar->dtsv_var;
6158 
6159 			if (v->dtdv_type.dtdt_flags & DIF_TF_BYREF) {
6160 				uintptr_t a = (uintptr_t)svar->dtsv_data;
6161 				size_t sz = v->dtdv_type.dtdt_size;
6162 
6163 				sz += sizeof (uint64_t);
6164 				ASSERT(svar->dtsv_size == NCPU * sz);
6165 				a += CPU->cpu_id * sz;
6166 
6167 				if (*(uint8_t *)a == UINT8_MAX) {
6168 					/*
6169 					 * If the 0th byte is set to UINT8_MAX
6170 					 * then this is to be treated as a
6171 					 * reference to a NULL variable.
6172 					 */
6173 					regs[rd] = 0;
6174 				} else {
6175 					regs[rd] = a + sizeof (uint64_t);
6176 				}
6177 
6178 				break;
6179 			}
6180 
6181 			ASSERT(svar->dtsv_size == NCPU * sizeof (uint64_t));
6182 			tmp = (uint64_t *)(uintptr_t)svar->dtsv_data;
6183 			regs[rd] = tmp[CPU->cpu_id];
6184 			break;
6185 
6186 		case DIF_OP_STLS:
6187 			id = DIF_INSTR_VAR(instr);
6188 
6189 			ASSERT(id >= DIF_VAR_OTHER_UBASE);
6190 			id -= DIF_VAR_OTHER_UBASE;
6191 			VERIFY(id < vstate->dtvs_nlocals);
6192 
6193 			ASSERT(vstate->dtvs_locals != NULL);
6194 			svar = vstate->dtvs_locals[id];
6195 			ASSERT(svar != NULL);
6196 			v = &svar->dtsv_var;
6197 
6198 			if (v->dtdv_type.dtdt_flags & DIF_TF_BYREF) {
6199 				uintptr_t a = (uintptr_t)svar->dtsv_data;
6200 				size_t sz = v->dtdv_type.dtdt_size;
6201 				size_t lim;
6202 
6203 				sz += sizeof (uint64_t);
6204 				ASSERT(svar->dtsv_size == NCPU * sz);
6205 				a += CPU->cpu_id * sz;
6206 
6207 				if (regs[rd] == 0) {
6208 					*(uint8_t *)a = UINT8_MAX;
6209 					break;
6210 				} else {
6211 					*(uint8_t *)a = 0;
6212 					a += sizeof (uint64_t);
6213 				}
6214 
6215 				if (!dtrace_vcanload(
6216 				    (void *)(uintptr_t)regs[rd], &v->dtdv_type,
6217 				    &lim, mstate, vstate))
6218 					break;
6219 
6220 				dtrace_vcopy((void *)(uintptr_t)regs[rd],
6221 				    (void *)a, &v->dtdv_type, lim);
6222 				break;
6223 			}
6224 
6225 			ASSERT(svar->dtsv_size == NCPU * sizeof (uint64_t));
6226 			tmp = (uint64_t *)(uintptr_t)svar->dtsv_data;
6227 			tmp[CPU->cpu_id] = regs[rd];
6228 			break;
6229 
6230 		case DIF_OP_LDTS: {
6231 			dtrace_dynvar_t *dvar;
6232 			dtrace_key_t *key;
6233 
6234 			id = DIF_INSTR_VAR(instr);
6235 			ASSERT(id >= DIF_VAR_OTHER_UBASE);
6236 			id -= DIF_VAR_OTHER_UBASE;
6237 			v = &vstate->dtvs_tlocals[id];
6238 
6239 			key = &tupregs[DIF_DTR_NREGS];
6240 			key[0].dttk_value = (uint64_t)id;
6241 			key[0].dttk_size = 0;
6242 			DTRACE_TLS_THRKEY(key[1].dttk_value);
6243 			key[1].dttk_size = 0;
6244 
6245 			dvar = dtrace_dynvar(dstate, 2, key,
6246 			    sizeof (uint64_t), DTRACE_DYNVAR_NOALLOC,
6247 			    mstate, vstate);
6248 
6249 			if (dvar == NULL) {
6250 				regs[rd] = 0;
6251 				break;
6252 			}
6253 
6254 			if (v->dtdv_type.dtdt_flags & DIF_TF_BYREF) {
6255 				regs[rd] = (uint64_t)(uintptr_t)dvar->dtdv_data;
6256 			} else {
6257 				regs[rd] = *((uint64_t *)dvar->dtdv_data);
6258 			}
6259 
6260 			break;
6261 		}
6262 
6263 		case DIF_OP_STTS: {
6264 			dtrace_dynvar_t *dvar;
6265 			dtrace_key_t *key;
6266 
6267 			id = DIF_INSTR_VAR(instr);
6268 			ASSERT(id >= DIF_VAR_OTHER_UBASE);
6269 			id -= DIF_VAR_OTHER_UBASE;
6270 			VERIFY(id < vstate->dtvs_ntlocals);
6271 
6272 			key = &tupregs[DIF_DTR_NREGS];
6273 			key[0].dttk_value = (uint64_t)id;
6274 			key[0].dttk_size = 0;
6275 			DTRACE_TLS_THRKEY(key[1].dttk_value);
6276 			key[1].dttk_size = 0;
6277 			v = &vstate->dtvs_tlocals[id];
6278 
6279 			dvar = dtrace_dynvar(dstate, 2, key,
6280 			    v->dtdv_type.dtdt_size > sizeof (uint64_t) ?
6281 			    v->dtdv_type.dtdt_size : sizeof (uint64_t),
6282 			    regs[rd] ? DTRACE_DYNVAR_ALLOC :
6283 			    DTRACE_DYNVAR_DEALLOC, mstate, vstate);
6284 
6285 			/*
6286 			 * Given that we're storing to thread-local data,
6287 			 * we need to flush our predicate cache.
6288 			 */
6289 			curthread->t_predcache = DTRACE_CACHEIDNONE;
6290 
6291 			if (dvar == NULL)
6292 				break;
6293 
6294 			if (v->dtdv_type.dtdt_flags & DIF_TF_BYREF) {
6295 				size_t lim;
6296 
6297 				if (!dtrace_vcanload(
6298 				    (void *)(uintptr_t)regs[rd],
6299 				    &v->dtdv_type, &lim, mstate, vstate))
6300 					break;
6301 
6302 				dtrace_vcopy((void *)(uintptr_t)regs[rd],
6303 				    dvar->dtdv_data, &v->dtdv_type, lim);
6304 			} else {
6305 				*((uint64_t *)dvar->dtdv_data) = regs[rd];
6306 			}
6307 
6308 			break;
6309 		}
6310 
6311 		case DIF_OP_SRA:
6312 			regs[rd] = (int64_t)regs[r1] >> regs[r2];
6313 			break;
6314 
6315 		case DIF_OP_CALL:
6316 			dtrace_dif_subr(DIF_INSTR_SUBR(instr), rd,
6317 			    regs, tupregs, ttop, mstate, state);
6318 			break;
6319 
6320 		case DIF_OP_PUSHTR:
6321 			if (ttop == DIF_DTR_NREGS) {
6322 				*flags |= CPU_DTRACE_TUPOFLOW;
6323 				break;
6324 			}
6325 
6326 			if (r1 == DIF_TYPE_STRING) {
6327 				/*
6328 				 * If this is a string type and the size is 0,
6329 				 * we'll use the system-wide default string
6330 				 * size.  Note that we are _not_ looking at
6331 				 * the value of the DTRACEOPT_STRSIZE option;
6332 				 * had this been set, we would expect to have
6333 				 * a non-zero size value in the "pushtr".
6334 				 */
6335 				tupregs[ttop].dttk_size =
6336 				    dtrace_strlen((char *)(uintptr_t)regs[rd],
6337 				    regs[r2] ? regs[r2] :
6338 				    dtrace_strsize_default) + 1;
6339 			} else {
6340 				if (regs[r2] > LONG_MAX) {
6341 					*flags |= CPU_DTRACE_ILLOP;
6342 					break;
6343 				}
6344 
6345 				tupregs[ttop].dttk_size = regs[r2];
6346 			}
6347 
6348 			tupregs[ttop++].dttk_value = regs[rd];
6349 			break;
6350 
6351 		case DIF_OP_PUSHTV:
6352 			if (ttop == DIF_DTR_NREGS) {
6353 				*flags |= CPU_DTRACE_TUPOFLOW;
6354 				break;
6355 			}
6356 
6357 			tupregs[ttop].dttk_value = regs[rd];
6358 			tupregs[ttop++].dttk_size = 0;
6359 			break;
6360 
6361 		case DIF_OP_POPTS:
6362 			if (ttop != 0)
6363 				ttop--;
6364 			break;
6365 
6366 		case DIF_OP_FLUSHTS:
6367 			ttop = 0;
6368 			break;
6369 
6370 		case DIF_OP_LDGAA:
6371 		case DIF_OP_LDTAA: {
6372 			dtrace_dynvar_t *dvar;
6373 			dtrace_key_t *key = tupregs;
6374 			uint_t nkeys = ttop;
6375 
6376 			id = DIF_INSTR_VAR(instr);
6377 			ASSERT(id >= DIF_VAR_OTHER_UBASE);
6378 			id -= DIF_VAR_OTHER_UBASE;
6379 
6380 			key[nkeys].dttk_value = (uint64_t)id;
6381 			key[nkeys++].dttk_size = 0;
6382 
6383 			if (DIF_INSTR_OP(instr) == DIF_OP_LDTAA) {
6384 				DTRACE_TLS_THRKEY(key[nkeys].dttk_value);
6385 				key[nkeys++].dttk_size = 0;
6386 				VERIFY(id < vstate->dtvs_ntlocals);
6387 				v = &vstate->dtvs_tlocals[id];
6388 			} else {
6389 				VERIFY(id < vstate->dtvs_nglobals);
6390 				v = &vstate->dtvs_globals[id]->dtsv_var;
6391 			}
6392 
6393 			dvar = dtrace_dynvar(dstate, nkeys, key,
6394 			    v->dtdv_type.dtdt_size > sizeof (uint64_t) ?
6395 			    v->dtdv_type.dtdt_size : sizeof (uint64_t),
6396 			    DTRACE_DYNVAR_NOALLOC, mstate, vstate);
6397 
6398 			if (dvar == NULL) {
6399 				regs[rd] = 0;
6400 				break;
6401 			}
6402 
6403 			if (v->dtdv_type.dtdt_flags & DIF_TF_BYREF) {
6404 				regs[rd] = (uint64_t)(uintptr_t)dvar->dtdv_data;
6405 			} else {
6406 				regs[rd] = *((uint64_t *)dvar->dtdv_data);
6407 			}
6408 
6409 			break;
6410 		}
6411 
6412 		case DIF_OP_STGAA:
6413 		case DIF_OP_STTAA: {
6414 			dtrace_dynvar_t *dvar;
6415 			dtrace_key_t *key = tupregs;
6416 			uint_t nkeys = ttop;
6417 
6418 			id = DIF_INSTR_VAR(instr);
6419 			ASSERT(id >= DIF_VAR_OTHER_UBASE);
6420 			id -= DIF_VAR_OTHER_UBASE;
6421 
6422 			key[nkeys].dttk_value = (uint64_t)id;
6423 			key[nkeys++].dttk_size = 0;
6424 
6425 			if (DIF_INSTR_OP(instr) == DIF_OP_STTAA) {
6426 				DTRACE_TLS_THRKEY(key[nkeys].dttk_value);
6427 				key[nkeys++].dttk_size = 0;
6428 				VERIFY(id < vstate->dtvs_ntlocals);
6429 				v = &vstate->dtvs_tlocals[id];
6430 			} else {
6431 				VERIFY(id < vstate->dtvs_nglobals);
6432 				v = &vstate->dtvs_globals[id]->dtsv_var;
6433 			}
6434 
6435 			dvar = dtrace_dynvar(dstate, nkeys, key,
6436 			    v->dtdv_type.dtdt_size > sizeof (uint64_t) ?
6437 			    v->dtdv_type.dtdt_size : sizeof (uint64_t),
6438 			    regs[rd] ? DTRACE_DYNVAR_ALLOC :
6439 			    DTRACE_DYNVAR_DEALLOC, mstate, vstate);
6440 
6441 			if (dvar == NULL)
6442 				break;
6443 
6444 			if (v->dtdv_type.dtdt_flags & DIF_TF_BYREF) {
6445 				size_t lim;
6446 
6447 				if (!dtrace_vcanload(
6448 				    (void *)(uintptr_t)regs[rd], &v->dtdv_type,
6449 				    &lim, mstate, vstate))
6450 					break;
6451 
6452 				dtrace_vcopy((void *)(uintptr_t)regs[rd],
6453 				    dvar->dtdv_data, &v->dtdv_type, lim);
6454 			} else {
6455 				*((uint64_t *)dvar->dtdv_data) = regs[rd];
6456 			}
6457 
6458 			break;
6459 		}
6460 
6461 		case DIF_OP_ALLOCS: {
6462 			uintptr_t ptr = P2ROUNDUP(mstate->dtms_scratch_ptr, 8);
6463 			size_t size = ptr - mstate->dtms_scratch_ptr + regs[r1];
6464 
6465 			/*
6466 			 * Rounding up the user allocation size could have
6467 			 * overflowed large, bogus allocations (like -1ULL) to
6468 			 * 0.
6469 			 */
6470 			if (size < regs[r1] ||
6471 			    !DTRACE_INSCRATCH(mstate, size)) {
6472 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
6473 				regs[rd] = 0;
6474 				break;
6475 			}
6476 
6477 			dtrace_bzero((void *) mstate->dtms_scratch_ptr, size);
6478 			mstate->dtms_scratch_ptr += size;
6479 			regs[rd] = ptr;
6480 			break;
6481 		}
6482 
6483 		case DIF_OP_COPYS:
6484 			if (!dtrace_canstore(regs[rd], regs[r2],
6485 			    mstate, vstate)) {
6486 				*flags |= CPU_DTRACE_BADADDR;
6487 				*illval = regs[rd];
6488 				break;
6489 			}
6490 
6491 			if (!dtrace_canload(regs[r1], regs[r2], mstate, vstate))
6492 				break;
6493 
6494 			dtrace_bcopy((void *)(uintptr_t)regs[r1],
6495 			    (void *)(uintptr_t)regs[rd], (size_t)regs[r2]);
6496 			break;
6497 
6498 		case DIF_OP_STB:
6499 			if (!dtrace_canstore(regs[rd], 1, mstate, vstate)) {
6500 				*flags |= CPU_DTRACE_BADADDR;
6501 				*illval = regs[rd];
6502 				break;
6503 			}
6504 			*((uint8_t *)(uintptr_t)regs[rd]) = (uint8_t)regs[r1];
6505 			break;
6506 
6507 		case DIF_OP_STH:
6508 			if (!dtrace_canstore(regs[rd], 2, mstate, vstate)) {
6509 				*flags |= CPU_DTRACE_BADADDR;
6510 				*illval = regs[rd];
6511 				break;
6512 			}
6513 			if (regs[rd] & 1) {
6514 				*flags |= CPU_DTRACE_BADALIGN;
6515 				*illval = regs[rd];
6516 				break;
6517 			}
6518 			*((uint16_t *)(uintptr_t)regs[rd]) = (uint16_t)regs[r1];
6519 			break;
6520 
6521 		case DIF_OP_STW:
6522 			if (!dtrace_canstore(regs[rd], 4, mstate, vstate)) {
6523 				*flags |= CPU_DTRACE_BADADDR;
6524 				*illval = regs[rd];
6525 				break;
6526 			}
6527 			if (regs[rd] & 3) {
6528 				*flags |= CPU_DTRACE_BADALIGN;
6529 				*illval = regs[rd];
6530 				break;
6531 			}
6532 			*((uint32_t *)(uintptr_t)regs[rd]) = (uint32_t)regs[r1];
6533 			break;
6534 
6535 		case DIF_OP_STX:
6536 			if (!dtrace_canstore(regs[rd], 8, mstate, vstate)) {
6537 				*flags |= CPU_DTRACE_BADADDR;
6538 				*illval = regs[rd];
6539 				break;
6540 			}
6541 			if (regs[rd] & 7) {
6542 				*flags |= CPU_DTRACE_BADALIGN;
6543 				*illval = regs[rd];
6544 				break;
6545 			}
6546 			*((uint64_t *)(uintptr_t)regs[rd]) = regs[r1];
6547 			break;
6548 		}
6549 	}
6550 
6551 	if (!(*flags & CPU_DTRACE_FAULT))
6552 		return (rval);
6553 
6554 	mstate->dtms_fltoffs = opc * sizeof (dif_instr_t);
6555 	mstate->dtms_present |= DTRACE_MSTATE_FLTOFFS;
6556 
6557 	return (0);
6558 }
6559 
6560 static void
6561 dtrace_action_breakpoint(dtrace_ecb_t *ecb)
6562 {
6563 	dtrace_probe_t *probe = ecb->dte_probe;
6564 	dtrace_provider_t *prov = probe->dtpr_provider;
6565 	char c[DTRACE_FULLNAMELEN + 80], *str;
6566 	char *msg = "dtrace: breakpoint action at probe ";
6567 	char *ecbmsg = " (ecb ";
6568 	uintptr_t mask = (0xf << (sizeof (uintptr_t) * NBBY / 4));
6569 	uintptr_t val = (uintptr_t)ecb;
6570 	int shift = (sizeof (uintptr_t) * NBBY) - 4, i = 0;
6571 
6572 	if (dtrace_destructive_disallow)
6573 		return;
6574 
6575 	/*
6576 	 * It's impossible to be taking action on the NULL probe.
6577 	 */
6578 	ASSERT(probe != NULL);
6579 
6580 	/*
6581 	 * This is a poor man's (destitute man's?) sprintf():  we want to
6582 	 * print the provider name, module name, function name and name of
6583 	 * the probe, along with the hex address of the ECB with the breakpoint
6584 	 * action -- all of which we must place in the character buffer by
6585 	 * hand.
6586 	 */
6587 	while (*msg != '\0')
6588 		c[i++] = *msg++;
6589 
6590 	for (str = prov->dtpv_name; *str != '\0'; str++)
6591 		c[i++] = *str;
6592 	c[i++] = ':';
6593 
6594 	for (str = probe->dtpr_mod; *str != '\0'; str++)
6595 		c[i++] = *str;
6596 	c[i++] = ':';
6597 
6598 	for (str = probe->dtpr_func; *str != '\0'; str++)
6599 		c[i++] = *str;
6600 	c[i++] = ':';
6601 
6602 	for (str = probe->dtpr_name; *str != '\0'; str++)
6603 		c[i++] = *str;
6604 
6605 	while (*ecbmsg != '\0')
6606 		c[i++] = *ecbmsg++;
6607 
6608 	while (shift >= 0) {
6609 		mask = (uintptr_t)0xf << shift;
6610 
6611 		if (val >= ((uintptr_t)1 << shift))
6612 			c[i++] = "0123456789abcdef"[(val & mask) >> shift];
6613 		shift -= 4;
6614 	}
6615 
6616 	c[i++] = ')';
6617 	c[i] = '\0';
6618 
6619 	debug_enter(c);
6620 }
6621 
6622 static void
6623 dtrace_action_panic(dtrace_ecb_t *ecb)
6624 {
6625 	dtrace_probe_t *probe = ecb->dte_probe;
6626 
6627 	/*
6628 	 * It's impossible to be taking action on the NULL probe.
6629 	 */
6630 	ASSERT(probe != NULL);
6631 
6632 	if (dtrace_destructive_disallow)
6633 		return;
6634 
6635 	if (dtrace_panicked != NULL)
6636 		return;
6637 
6638 	if (dtrace_casptr(&dtrace_panicked, NULL, curthread) != NULL)
6639 		return;
6640 
6641 	/*
6642 	 * We won the right to panic.  (We want to be sure that only one
6643 	 * thread calls panic() from dtrace_probe(), and that panic() is
6644 	 * called exactly once.)
6645 	 */
6646 	dtrace_panic("dtrace: panic action at probe %s:%s:%s:%s (ecb %p)",
6647 	    probe->dtpr_provider->dtpv_name, probe->dtpr_mod,
6648 	    probe->dtpr_func, probe->dtpr_name, (void *)ecb);
6649 }
6650 
6651 static void
6652 dtrace_action_raise(uint64_t sig)
6653 {
6654 	if (dtrace_destructive_disallow)
6655 		return;
6656 
6657 	if (sig >= NSIG) {
6658 		DTRACE_CPUFLAG_SET(CPU_DTRACE_ILLOP);
6659 		return;
6660 	}
6661 
6662 	/*
6663 	 * raise() has a queue depth of 1 -- we ignore all subsequent
6664 	 * invocations of the raise() action.
6665 	 */
6666 	if (curthread->t_dtrace_sig == 0)
6667 		curthread->t_dtrace_sig = (uint8_t)sig;
6668 
6669 	curthread->t_sig_check = 1;
6670 	aston(curthread);
6671 }
6672 
6673 static void
6674 dtrace_action_stop(void)
6675 {
6676 	if (dtrace_destructive_disallow)
6677 		return;
6678 
6679 	if (!curthread->t_dtrace_stop) {
6680 		curthread->t_dtrace_stop = 1;
6681 		curthread->t_sig_check = 1;
6682 		aston(curthread);
6683 	}
6684 }
6685 
6686 static void
6687 dtrace_action_chill(dtrace_mstate_t *mstate, hrtime_t val)
6688 {
6689 	hrtime_t now;
6690 	volatile uint16_t *flags;
6691 	cpu_t *cpu = CPU;
6692 
6693 	if (dtrace_destructive_disallow)
6694 		return;
6695 
6696 	flags = (volatile uint16_t *)&cpu_core[cpu->cpu_id].cpuc_dtrace_flags;
6697 
6698 	now = dtrace_gethrtime();
6699 
6700 	if (now - cpu->cpu_dtrace_chillmark > dtrace_chill_interval) {
6701 		/*
6702 		 * We need to advance the mark to the current time.
6703 		 */
6704 		cpu->cpu_dtrace_chillmark = now;
6705 		cpu->cpu_dtrace_chilled = 0;
6706 	}
6707 
6708 	/*
6709 	 * Now check to see if the requested chill time would take us over
6710 	 * the maximum amount of time allowed in the chill interval.  (Or
6711 	 * worse, if the calculation itself induces overflow.)
6712 	 */
6713 	if (cpu->cpu_dtrace_chilled + val > dtrace_chill_max ||
6714 	    cpu->cpu_dtrace_chilled + val < cpu->cpu_dtrace_chilled) {
6715 		*flags |= CPU_DTRACE_ILLOP;
6716 		return;
6717 	}
6718 
6719 	while (dtrace_gethrtime() - now < val)
6720 		continue;
6721 
6722 	/*
6723 	 * Normally, we assure that the value of the variable "timestamp" does
6724 	 * not change within an ECB.  The presence of chill() represents an
6725 	 * exception to this rule, however.
6726 	 */
6727 	mstate->dtms_present &= ~DTRACE_MSTATE_TIMESTAMP;
6728 	cpu->cpu_dtrace_chilled += val;
6729 }
6730 
6731 static void
6732 dtrace_action_ustack(dtrace_mstate_t *mstate, dtrace_state_t *state,
6733     uint64_t *buf, uint64_t arg)
6734 {
6735 	int nframes = DTRACE_USTACK_NFRAMES(arg);
6736 	int strsize = DTRACE_USTACK_STRSIZE(arg);
6737 	uint64_t *pcs = &buf[1], *fps;
6738 	char *str = (char *)&pcs[nframes];
6739 	int size, offs = 0, i, j;
6740 	size_t rem;
6741 	uintptr_t old = mstate->dtms_scratch_ptr, saved;
6742 	uint16_t *flags = &cpu_core[CPU->cpu_id].cpuc_dtrace_flags;
6743 	char *sym;
6744 
6745 	/*
6746 	 * Should be taking a faster path if string space has not been
6747 	 * allocated.
6748 	 */
6749 	ASSERT(strsize != 0);
6750 
6751 	/*
6752 	 * We will first allocate some temporary space for the frame pointers.
6753 	 */
6754 	fps = (uint64_t *)P2ROUNDUP(mstate->dtms_scratch_ptr, 8);
6755 	size = (uintptr_t)fps - mstate->dtms_scratch_ptr +
6756 	    (nframes * sizeof (uint64_t));
6757 
6758 	if (!DTRACE_INSCRATCH(mstate, size)) {
6759 		/*
6760 		 * Not enough room for our frame pointers -- need to indicate
6761 		 * that we ran out of scratch space.
6762 		 */
6763 		DTRACE_CPUFLAG_SET(CPU_DTRACE_NOSCRATCH);
6764 		return;
6765 	}
6766 
6767 	mstate->dtms_scratch_ptr += size;
6768 	saved = mstate->dtms_scratch_ptr;
6769 
6770 	/*
6771 	 * Now get a stack with both program counters and frame pointers.
6772 	 */
6773 	DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
6774 	dtrace_getufpstack(buf, fps, nframes + 1);
6775 	DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
6776 
6777 	/*
6778 	 * If that faulted, we're cooked.
6779 	 */
6780 	if (*flags & CPU_DTRACE_FAULT)
6781 		goto out;
6782 
6783 	/*
6784 	 * Now we want to walk up the stack, calling the USTACK helper.  For
6785 	 * each iteration, we restore the scratch pointer.
6786 	 */
6787 	for (i = 0; i < nframes; i++) {
6788 		mstate->dtms_scratch_ptr = saved;
6789 
6790 		if (offs >= strsize)
6791 			break;
6792 
6793 		sym = (char *)(uintptr_t)dtrace_helper(
6794 		    DTRACE_HELPER_ACTION_USTACK,
6795 		    mstate, state, pcs[i], fps[i]);
6796 
6797 		/*
6798 		 * If we faulted while running the helper, we're going to
6799 		 * clear the fault and null out the corresponding string.
6800 		 */
6801 		if (*flags & CPU_DTRACE_FAULT) {
6802 			*flags &= ~CPU_DTRACE_FAULT;
6803 			str[offs++] = '\0';
6804 			continue;
6805 		}
6806 
6807 		if (sym == NULL) {
6808 			str[offs++] = '\0';
6809 			continue;
6810 		}
6811 
6812 		if (!dtrace_strcanload((uintptr_t)sym, strsize, &rem, mstate,
6813 		    &(state->dts_vstate))) {
6814 			str[offs++] = '\0';
6815 			continue;
6816 		}
6817 
6818 		DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
6819 
6820 		/*
6821 		 * Now copy in the string that the helper returned to us.
6822 		 */
6823 		for (j = 0; offs + j < strsize && j < rem; j++) {
6824 			if ((str[offs + j] = sym[j]) == '\0')
6825 				break;
6826 		}
6827 
6828 		DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
6829 
6830 		offs += j + 1;
6831 	}
6832 
6833 	if (offs >= strsize) {
6834 		/*
6835 		 * If we didn't have room for all of the strings, we don't
6836 		 * abort processing -- this needn't be a fatal error -- but we
6837 		 * still want to increment a counter (dts_stkstroverflows) to
6838 		 * allow this condition to be warned about.  (If this is from
6839 		 * a jstack() action, it is easily tuned via jstackstrsize.)
6840 		 */
6841 		dtrace_error(&state->dts_stkstroverflows);
6842 	}
6843 
6844 	while (offs < strsize)
6845 		str[offs++] = '\0';
6846 
6847 out:
6848 	mstate->dtms_scratch_ptr = old;
6849 }
6850 
6851 static void
6852 dtrace_store_by_ref(dtrace_difo_t *dp, caddr_t tomax, size_t size,
6853     size_t *valoffsp, uint64_t *valp, uint64_t end, int intuple, int dtkind)
6854 {
6855 	volatile uint16_t *flags;
6856 	uint64_t val = *valp;
6857 	size_t valoffs = *valoffsp;
6858 
6859 	flags = (volatile uint16_t *)&cpu_core[CPU->cpu_id].cpuc_dtrace_flags;
6860 	ASSERT(dtkind == DIF_TF_BYREF || dtkind == DIF_TF_BYUREF);
6861 
6862 	/*
6863 	 * If this is a string, we're going to only load until we find the zero
6864 	 * byte -- after which we'll store zero bytes.
6865 	 */
6866 	if (dp->dtdo_rtype.dtdt_kind == DIF_TYPE_STRING) {
6867 		char c = '\0' + 1;
6868 		size_t s;
6869 
6870 		for (s = 0; s < size; s++) {
6871 			if (c != '\0' && dtkind == DIF_TF_BYREF) {
6872 				c = dtrace_load8(val++);
6873 			} else if (c != '\0' && dtkind == DIF_TF_BYUREF) {
6874 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
6875 				c = dtrace_fuword8((void *)(uintptr_t)val++);
6876 				DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
6877 				if (*flags & CPU_DTRACE_FAULT)
6878 					break;
6879 			}
6880 
6881 			DTRACE_STORE(uint8_t, tomax, valoffs++, c);
6882 
6883 			if (c == '\0' && intuple)
6884 				break;
6885 		}
6886 	} else {
6887 		uint8_t c;
6888 		while (valoffs < end) {
6889 			if (dtkind == DIF_TF_BYREF) {
6890 				c = dtrace_load8(val++);
6891 			} else if (dtkind == DIF_TF_BYUREF) {
6892 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
6893 				c = dtrace_fuword8((void *)(uintptr_t)val++);
6894 				DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
6895 				if (*flags & CPU_DTRACE_FAULT)
6896 					break;
6897 			}
6898 
6899 			DTRACE_STORE(uint8_t, tomax,
6900 			    valoffs++, c);
6901 		}
6902 	}
6903 
6904 	*valp = val;
6905 	*valoffsp = valoffs;
6906 }
6907 
6908 /*
6909  * If you're looking for the epicenter of DTrace, you just found it.  This
6910  * is the function called by the provider to fire a probe -- from which all
6911  * subsequent probe-context DTrace activity emanates.
6912  */
6913 void
6914 dtrace_probe(dtrace_id_t id, uintptr_t arg0, uintptr_t arg1,
6915     uintptr_t arg2, uintptr_t arg3, uintptr_t arg4)
6916 {
6917 	processorid_t cpuid;
6918 	dtrace_icookie_t cookie;
6919 	dtrace_probe_t *probe;
6920 	dtrace_mstate_t mstate;
6921 	dtrace_ecb_t *ecb;
6922 	dtrace_action_t *act;
6923 	intptr_t offs;
6924 	size_t size;
6925 	int vtime, onintr;
6926 	volatile uint16_t *flags;
6927 	hrtime_t now, end;
6928 
6929 	/*
6930 	 * Kick out immediately if this CPU is still being born (in which case
6931 	 * curthread will be set to -1) or the current thread can't allow
6932 	 * probes in its current context.
6933 	 */
6934 	if (((uintptr_t)curthread & 1) || (curthread->t_flag & T_DONTDTRACE))
6935 		return;
6936 
6937 	cookie = dtrace_interrupt_disable();
6938 
6939 	/*
6940 	 * Also refuse to process any probe firings that might happen on a
6941 	 * disabled CPU.
6942 	 */
6943 	if (CPU->cpu_flags & CPU_DISABLED) {
6944 		dtrace_interrupt_enable(cookie);
6945 		return;
6946 	}
6947 
6948 	probe = dtrace_probes[id - 1];
6949 	cpuid = CPU->cpu_id;
6950 	onintr = CPU_ON_INTR(CPU);
6951 
6952 	CPU->cpu_dtrace_probes++;
6953 
6954 	if (!onintr && probe->dtpr_predcache != DTRACE_CACHEIDNONE &&
6955 	    probe->dtpr_predcache == curthread->t_predcache) {
6956 		/*
6957 		 * We have hit in the predicate cache; we know that
6958 		 * this predicate would evaluate to be false.
6959 		 */
6960 		dtrace_interrupt_enable(cookie);
6961 		return;
6962 	}
6963 
6964 	if (panic_quiesce) {
6965 		/*
6966 		 * We don't trace anything if we're panicking.
6967 		 */
6968 		dtrace_interrupt_enable(cookie);
6969 		return;
6970 	}
6971 
6972 	now = mstate.dtms_timestamp = dtrace_gethrtime();
6973 	mstate.dtms_present |= DTRACE_MSTATE_TIMESTAMP;
6974 	vtime = dtrace_vtime_references != 0;
6975 
6976 	if (vtime && curthread->t_dtrace_start)
6977 		curthread->t_dtrace_vtime += now - curthread->t_dtrace_start;
6978 
6979 	mstate.dtms_difo = NULL;
6980 	mstate.dtms_probe = probe;
6981 	mstate.dtms_strtok = 0;
6982 	mstate.dtms_arg[0] = arg0;
6983 	mstate.dtms_arg[1] = arg1;
6984 	mstate.dtms_arg[2] = arg2;
6985 	mstate.dtms_arg[3] = arg3;
6986 	mstate.dtms_arg[4] = arg4;
6987 
6988 	flags = (volatile uint16_t *)&cpu_core[cpuid].cpuc_dtrace_flags;
6989 
6990 	for (ecb = probe->dtpr_ecb; ecb != NULL; ecb = ecb->dte_next) {
6991 		dtrace_predicate_t *pred = ecb->dte_predicate;
6992 		dtrace_state_t *state = ecb->dte_state;
6993 		dtrace_buffer_t *buf = &state->dts_buffer[cpuid];
6994 		dtrace_buffer_t *aggbuf = &state->dts_aggbuffer[cpuid];
6995 		dtrace_vstate_t *vstate = &state->dts_vstate;
6996 		dtrace_provider_t *prov = probe->dtpr_provider;
6997 		uint64_t tracememsize = 0;
6998 		int committed = 0;
6999 		caddr_t tomax;
7000 
7001 		/*
7002 		 * A little subtlety with the following (seemingly innocuous)
7003 		 * declaration of the automatic 'val':  by looking at the
7004 		 * code, you might think that it could be declared in the
7005 		 * action processing loop, below.  (That is, it's only used in
7006 		 * the action processing loop.)  However, it must be declared
7007 		 * out of that scope because in the case of DIF expression
7008 		 * arguments to aggregating actions, one iteration of the
7009 		 * action loop will use the last iteration's value.
7010 		 */
7011 #ifdef lint
7012 		uint64_t val = 0;
7013 #else
7014 		uint64_t val;
7015 #endif
7016 
7017 		mstate.dtms_present = DTRACE_MSTATE_ARGS | DTRACE_MSTATE_PROBE;
7018 		mstate.dtms_access = DTRACE_ACCESS_ARGS | DTRACE_ACCESS_PROC;
7019 		mstate.dtms_getf = NULL;
7020 
7021 		*flags &= ~CPU_DTRACE_ERROR;
7022 
7023 		if (prov == dtrace_provider) {
7024 			/*
7025 			 * If dtrace itself is the provider of this probe,
7026 			 * we're only going to continue processing the ECB if
7027 			 * arg0 (the dtrace_state_t) is equal to the ECB's
7028 			 * creating state.  (This prevents disjoint consumers
7029 			 * from seeing one another's metaprobes.)
7030 			 */
7031 			if (arg0 != (uint64_t)(uintptr_t)state)
7032 				continue;
7033 		}
7034 
7035 		if (state->dts_activity != DTRACE_ACTIVITY_ACTIVE) {
7036 			/*
7037 			 * We're not currently active.  If our provider isn't
7038 			 * the dtrace pseudo provider, we're not interested.
7039 			 */
7040 			if (prov != dtrace_provider)
7041 				continue;
7042 
7043 			/*
7044 			 * Now we must further check if we are in the BEGIN
7045 			 * probe.  If we are, we will only continue processing
7046 			 * if we're still in WARMUP -- if one BEGIN enabling
7047 			 * has invoked the exit() action, we don't want to
7048 			 * evaluate subsequent BEGIN enablings.
7049 			 */
7050 			if (probe->dtpr_id == dtrace_probeid_begin &&
7051 			    state->dts_activity != DTRACE_ACTIVITY_WARMUP) {
7052 				ASSERT(state->dts_activity ==
7053 				    DTRACE_ACTIVITY_DRAINING);
7054 				continue;
7055 			}
7056 		}
7057 
7058 		if (ecb->dte_cond && !dtrace_priv_probe(state, &mstate, ecb))
7059 			continue;
7060 
7061 		if (now - state->dts_alive > dtrace_deadman_timeout) {
7062 			/*
7063 			 * We seem to be dead.  Unless we (a) have kernel
7064 			 * destructive permissions (b) have explicitly enabled
7065 			 * destructive actions and (c) destructive actions have
7066 			 * not been disabled, we're going to transition into
7067 			 * the KILLED state, from which no further processing
7068 			 * on this state will be performed.
7069 			 */
7070 			if (!dtrace_priv_kernel_destructive(state) ||
7071 			    !state->dts_cred.dcr_destructive ||
7072 			    dtrace_destructive_disallow) {
7073 				void *activity = &state->dts_activity;
7074 				dtrace_activity_t current;
7075 
7076 				do {
7077 					current = state->dts_activity;
7078 				} while (dtrace_cas32(activity, current,
7079 				    DTRACE_ACTIVITY_KILLED) != current);
7080 
7081 				continue;
7082 			}
7083 		}
7084 
7085 		if ((offs = dtrace_buffer_reserve(buf, ecb->dte_needed,
7086 		    ecb->dte_alignment, state, &mstate)) < 0)
7087 			continue;
7088 
7089 		tomax = buf->dtb_tomax;
7090 		ASSERT(tomax != NULL);
7091 
7092 		if (ecb->dte_size != 0) {
7093 			dtrace_rechdr_t dtrh;
7094 			if (!(mstate.dtms_present & DTRACE_MSTATE_TIMESTAMP)) {
7095 				mstate.dtms_timestamp = dtrace_gethrtime();
7096 				mstate.dtms_present |= DTRACE_MSTATE_TIMESTAMP;
7097 			}
7098 			ASSERT3U(ecb->dte_size, >=, sizeof (dtrace_rechdr_t));
7099 			dtrh.dtrh_epid = ecb->dte_epid;
7100 			DTRACE_RECORD_STORE_TIMESTAMP(&dtrh,
7101 			    mstate.dtms_timestamp);
7102 			*((dtrace_rechdr_t *)(tomax + offs)) = dtrh;
7103 		}
7104 
7105 		mstate.dtms_epid = ecb->dte_epid;
7106 		mstate.dtms_present |= DTRACE_MSTATE_EPID;
7107 
7108 		if (state->dts_cred.dcr_visible & DTRACE_CRV_KERNEL)
7109 			mstate.dtms_access |= DTRACE_ACCESS_KERNEL;
7110 
7111 		if (pred != NULL) {
7112 			dtrace_difo_t *dp = pred->dtp_difo;
7113 			int rval;
7114 
7115 			rval = dtrace_dif_emulate(dp, &mstate, vstate, state);
7116 
7117 			if (!(*flags & CPU_DTRACE_ERROR) && !rval) {
7118 				dtrace_cacheid_t cid = probe->dtpr_predcache;
7119 
7120 				if (cid != DTRACE_CACHEIDNONE && !onintr) {
7121 					/*
7122 					 * Update the predicate cache...
7123 					 */
7124 					ASSERT(cid == pred->dtp_cacheid);
7125 					curthread->t_predcache = cid;
7126 				}
7127 
7128 				continue;
7129 			}
7130 		}
7131 
7132 		for (act = ecb->dte_action; !(*flags & CPU_DTRACE_ERROR) &&
7133 		    act != NULL; act = act->dta_next) {
7134 			size_t valoffs;
7135 			dtrace_difo_t *dp;
7136 			dtrace_recdesc_t *rec = &act->dta_rec;
7137 
7138 			size = rec->dtrd_size;
7139 			valoffs = offs + rec->dtrd_offset;
7140 
7141 			if (DTRACEACT_ISAGG(act->dta_kind)) {
7142 				uint64_t v = 0xbad;
7143 				dtrace_aggregation_t *agg;
7144 
7145 				agg = (dtrace_aggregation_t *)act;
7146 
7147 				if ((dp = act->dta_difo) != NULL)
7148 					v = dtrace_dif_emulate(dp,
7149 					    &mstate, vstate, state);
7150 
7151 				if (*flags & CPU_DTRACE_ERROR)
7152 					continue;
7153 
7154 				/*
7155 				 * Note that we always pass the expression
7156 				 * value from the previous iteration of the
7157 				 * action loop.  This value will only be used
7158 				 * if there is an expression argument to the
7159 				 * aggregating action, denoted by the
7160 				 * dtag_hasarg field.
7161 				 */
7162 				dtrace_aggregate(agg, buf,
7163 				    offs, aggbuf, v, val);
7164 				continue;
7165 			}
7166 
7167 			switch (act->dta_kind) {
7168 			case DTRACEACT_STOP:
7169 				if (dtrace_priv_proc_destructive(state,
7170 				    &mstate))
7171 					dtrace_action_stop();
7172 				continue;
7173 
7174 			case DTRACEACT_BREAKPOINT:
7175 				if (dtrace_priv_kernel_destructive(state))
7176 					dtrace_action_breakpoint(ecb);
7177 				continue;
7178 
7179 			case DTRACEACT_PANIC:
7180 				if (dtrace_priv_kernel_destructive(state))
7181 					dtrace_action_panic(ecb);
7182 				continue;
7183 
7184 			case DTRACEACT_STACK:
7185 				if (!dtrace_priv_kernel(state))
7186 					continue;
7187 
7188 				dtrace_getpcstack((pc_t *)(tomax + valoffs),
7189 				    size / sizeof (pc_t), probe->dtpr_aframes,
7190 				    DTRACE_ANCHORED(probe) ? NULL :
7191 				    (uint32_t *)arg0);
7192 
7193 				continue;
7194 
7195 			case DTRACEACT_JSTACK:
7196 			case DTRACEACT_USTACK:
7197 				if (!dtrace_priv_proc(state, &mstate))
7198 					continue;
7199 
7200 				/*
7201 				 * See comment in DIF_VAR_PID.
7202 				 */
7203 				if (DTRACE_ANCHORED(mstate.dtms_probe) &&
7204 				    CPU_ON_INTR(CPU)) {
7205 					int depth = DTRACE_USTACK_NFRAMES(
7206 					    rec->dtrd_arg) + 1;
7207 
7208 					dtrace_bzero((void *)(tomax + valoffs),
7209 					    DTRACE_USTACK_STRSIZE(rec->dtrd_arg)
7210 					    + depth * sizeof (uint64_t));
7211 
7212 					continue;
7213 				}
7214 
7215 				if (DTRACE_USTACK_STRSIZE(rec->dtrd_arg) != 0 &&
7216 				    curproc->p_dtrace_helpers != NULL) {
7217 					/*
7218 					 * This is the slow path -- we have
7219 					 * allocated string space, and we're
7220 					 * getting the stack of a process that
7221 					 * has helpers.  Call into a separate
7222 					 * routine to perform this processing.
7223 					 */
7224 					dtrace_action_ustack(&mstate, state,
7225 					    (uint64_t *)(tomax + valoffs),
7226 					    rec->dtrd_arg);
7227 					continue;
7228 				}
7229 
7230 				/*
7231 				 * Clear the string space, since there's no
7232 				 * helper to do it for us.
7233 				 */
7234 				if (DTRACE_USTACK_STRSIZE(rec->dtrd_arg) != 0) {
7235 					int depth = DTRACE_USTACK_NFRAMES(
7236 					    rec->dtrd_arg);
7237 					size_t strsize = DTRACE_USTACK_STRSIZE(
7238 					    rec->dtrd_arg);
7239 					uint64_t *buf = (uint64_t *)(tomax +
7240 					    valoffs);
7241 					void *strspace = &buf[depth + 1];
7242 
7243 					dtrace_bzero(strspace,
7244 					    MIN(depth, strsize));
7245 				}
7246 
7247 				DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
7248 				dtrace_getupcstack((uint64_t *)
7249 				    (tomax + valoffs),
7250 				    DTRACE_USTACK_NFRAMES(rec->dtrd_arg) + 1);
7251 				DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
7252 				continue;
7253 
7254 			default:
7255 				break;
7256 			}
7257 
7258 			dp = act->dta_difo;
7259 			ASSERT(dp != NULL);
7260 
7261 			val = dtrace_dif_emulate(dp, &mstate, vstate, state);
7262 
7263 			if (*flags & CPU_DTRACE_ERROR)
7264 				continue;
7265 
7266 			switch (act->dta_kind) {
7267 			case DTRACEACT_SPECULATE: {
7268 				dtrace_rechdr_t *dtrh;
7269 
7270 				ASSERT(buf == &state->dts_buffer[cpuid]);
7271 				buf = dtrace_speculation_buffer(state,
7272 				    cpuid, val);
7273 
7274 				if (buf == NULL) {
7275 					*flags |= CPU_DTRACE_DROP;
7276 					continue;
7277 				}
7278 
7279 				offs = dtrace_buffer_reserve(buf,
7280 				    ecb->dte_needed, ecb->dte_alignment,
7281 				    state, NULL);
7282 
7283 				if (offs < 0) {
7284 					*flags |= CPU_DTRACE_DROP;
7285 					continue;
7286 				}
7287 
7288 				tomax = buf->dtb_tomax;
7289 				ASSERT(tomax != NULL);
7290 
7291 				if (ecb->dte_size == 0)
7292 					continue;
7293 
7294 				ASSERT3U(ecb->dte_size, >=,
7295 				    sizeof (dtrace_rechdr_t));
7296 				dtrh = ((void *)(tomax + offs));
7297 				dtrh->dtrh_epid = ecb->dte_epid;
7298 				/*
7299 				 * When the speculation is committed, all of
7300 				 * the records in the speculative buffer will
7301 				 * have their timestamps set to the commit
7302 				 * time.  Until then, it is set to a sentinel
7303 				 * value, for debugability.
7304 				 */
7305 				DTRACE_RECORD_STORE_TIMESTAMP(dtrh, UINT64_MAX);
7306 				continue;
7307 			}
7308 
7309 			case DTRACEACT_CHILL:
7310 				if (dtrace_priv_kernel_destructive(state))
7311 					dtrace_action_chill(&mstate, val);
7312 				continue;
7313 
7314 			case DTRACEACT_RAISE:
7315 				if (dtrace_priv_proc_destructive(state,
7316 				    &mstate))
7317 					dtrace_action_raise(val);
7318 				continue;
7319 
7320 			case DTRACEACT_COMMIT:
7321 				ASSERT(!committed);
7322 
7323 				/*
7324 				 * We need to commit our buffer state.
7325 				 */
7326 				if (ecb->dte_size)
7327 					buf->dtb_offset = offs + ecb->dte_size;
7328 				buf = &state->dts_buffer[cpuid];
7329 				dtrace_speculation_commit(state, cpuid, val);
7330 				committed = 1;
7331 				continue;
7332 
7333 			case DTRACEACT_DISCARD:
7334 				dtrace_speculation_discard(state, cpuid, val);
7335 				continue;
7336 
7337 			case DTRACEACT_DIFEXPR:
7338 			case DTRACEACT_LIBACT:
7339 			case DTRACEACT_PRINTF:
7340 			case DTRACEACT_PRINTA:
7341 			case DTRACEACT_SYSTEM:
7342 			case DTRACEACT_FREOPEN:
7343 			case DTRACEACT_TRACEMEM:
7344 				break;
7345 
7346 			case DTRACEACT_TRACEMEM_DYNSIZE:
7347 				tracememsize = val;
7348 				break;
7349 
7350 			case DTRACEACT_SYM:
7351 			case DTRACEACT_MOD:
7352 				if (!dtrace_priv_kernel(state))
7353 					continue;
7354 				break;
7355 
7356 			case DTRACEACT_USYM:
7357 			case DTRACEACT_UMOD:
7358 			case DTRACEACT_UADDR: {
7359 				struct pid *pid = curthread->t_procp->p_pidp;
7360 
7361 				if (!dtrace_priv_proc(state, &mstate))
7362 					continue;
7363 
7364 				DTRACE_STORE(uint64_t, tomax,
7365 				    valoffs, (uint64_t)pid->pid_id);
7366 				DTRACE_STORE(uint64_t, tomax,
7367 				    valoffs + sizeof (uint64_t), val);
7368 
7369 				continue;
7370 			}
7371 
7372 			case DTRACEACT_EXIT: {
7373 				/*
7374 				 * For the exit action, we are going to attempt
7375 				 * to atomically set our activity to be
7376 				 * draining.  If this fails (either because
7377 				 * another CPU has beat us to the exit action,
7378 				 * or because our current activity is something
7379 				 * other than ACTIVE or WARMUP), we will
7380 				 * continue.  This assures that the exit action
7381 				 * can be successfully recorded at most once
7382 				 * when we're in the ACTIVE state.  If we're
7383 				 * encountering the exit() action while in
7384 				 * COOLDOWN, however, we want to honor the new
7385 				 * status code.  (We know that we're the only
7386 				 * thread in COOLDOWN, so there is no race.)
7387 				 */
7388 				void *activity = &state->dts_activity;
7389 				dtrace_activity_t current = state->dts_activity;
7390 
7391 				if (current == DTRACE_ACTIVITY_COOLDOWN)
7392 					break;
7393 
7394 				if (current != DTRACE_ACTIVITY_WARMUP)
7395 					current = DTRACE_ACTIVITY_ACTIVE;
7396 
7397 				if (dtrace_cas32(activity, current,
7398 				    DTRACE_ACTIVITY_DRAINING) != current) {
7399 					*flags |= CPU_DTRACE_DROP;
7400 					continue;
7401 				}
7402 
7403 				break;
7404 			}
7405 
7406 			default:
7407 				ASSERT(0);
7408 			}
7409 
7410 			if (dp->dtdo_rtype.dtdt_flags & DIF_TF_BYREF ||
7411 			    dp->dtdo_rtype.dtdt_flags & DIF_TF_BYUREF) {
7412 				uintptr_t end = valoffs + size;
7413 
7414 				if (tracememsize != 0 &&
7415 				    valoffs + tracememsize < end) {
7416 					end = valoffs + tracememsize;
7417 					tracememsize = 0;
7418 				}
7419 
7420 				if (dp->dtdo_rtype.dtdt_flags & DIF_TF_BYREF &&
7421 				    !dtrace_vcanload((void *)(uintptr_t)val,
7422 				    &dp->dtdo_rtype, NULL, &mstate, vstate))
7423 					continue;
7424 
7425 				dtrace_store_by_ref(dp, tomax, size, &valoffs,
7426 				    &val, end, act->dta_intuple,
7427 				    dp->dtdo_rtype.dtdt_flags & DIF_TF_BYREF ?
7428 				    DIF_TF_BYREF: DIF_TF_BYUREF);
7429 				continue;
7430 			}
7431 
7432 			switch (size) {
7433 			case 0:
7434 				break;
7435 
7436 			case sizeof (uint8_t):
7437 				DTRACE_STORE(uint8_t, tomax, valoffs, val);
7438 				break;
7439 			case sizeof (uint16_t):
7440 				DTRACE_STORE(uint16_t, tomax, valoffs, val);
7441 				break;
7442 			case sizeof (uint32_t):
7443 				DTRACE_STORE(uint32_t, tomax, valoffs, val);
7444 				break;
7445 			case sizeof (uint64_t):
7446 				DTRACE_STORE(uint64_t, tomax, valoffs, val);
7447 				break;
7448 			default:
7449 				/*
7450 				 * Any other size should have been returned by
7451 				 * reference, not by value.
7452 				 */
7453 				ASSERT(0);
7454 				break;
7455 			}
7456 		}
7457 
7458 		if (*flags & CPU_DTRACE_DROP)
7459 			continue;
7460 
7461 		if (*flags & CPU_DTRACE_FAULT) {
7462 			int ndx;
7463 			dtrace_action_t *err;
7464 
7465 			buf->dtb_errors++;
7466 
7467 			if (probe->dtpr_id == dtrace_probeid_error) {
7468 				/*
7469 				 * There's nothing we can do -- we had an
7470 				 * error on the error probe.  We bump an
7471 				 * error counter to at least indicate that
7472 				 * this condition happened.
7473 				 */
7474 				dtrace_error(&state->dts_dblerrors);
7475 				continue;
7476 			}
7477 
7478 			if (vtime) {
7479 				/*
7480 				 * Before recursing on dtrace_probe(), we
7481 				 * need to explicitly clear out our start
7482 				 * time to prevent it from being accumulated
7483 				 * into t_dtrace_vtime.
7484 				 */
7485 				curthread->t_dtrace_start = 0;
7486 			}
7487 
7488 			/*
7489 			 * Iterate over the actions to figure out which action
7490 			 * we were processing when we experienced the error.
7491 			 * Note that act points _past_ the faulting action; if
7492 			 * act is ecb->dte_action, the fault was in the
7493 			 * predicate, if it's ecb->dte_action->dta_next it's
7494 			 * in action #1, and so on.
7495 			 */
7496 			for (err = ecb->dte_action, ndx = 0;
7497 			    err != act; err = err->dta_next, ndx++)
7498 				continue;
7499 
7500 			dtrace_probe_error(state, ecb->dte_epid, ndx,
7501 			    (mstate.dtms_present & DTRACE_MSTATE_FLTOFFS) ?
7502 			    mstate.dtms_fltoffs : -1, DTRACE_FLAGS2FLT(*flags),
7503 			    cpu_core[cpuid].cpuc_dtrace_illval);
7504 
7505 			continue;
7506 		}
7507 
7508 		if (!committed)
7509 			buf->dtb_offset = offs + ecb->dte_size;
7510 	}
7511 
7512 	end = dtrace_gethrtime();
7513 	if (vtime)
7514 		curthread->t_dtrace_start = end;
7515 
7516 	CPU->cpu_dtrace_nsec += end - now;
7517 
7518 	dtrace_interrupt_enable(cookie);
7519 }
7520 
7521 /*
7522  * DTrace Probe Hashing Functions
7523  *
7524  * The functions in this section (and indeed, the functions in remaining
7525  * sections) are not _called_ from probe context.  (Any exceptions to this are
7526  * marked with a "Note:".)  Rather, they are called from elsewhere in the
7527  * DTrace framework to look-up probes in, add probes to and remove probes from
7528  * the DTrace probe hashes.  (Each probe is hashed by each element of the
7529  * probe tuple -- allowing for fast lookups, regardless of what was
7530  * specified.)
7531  */
7532 static uint_t
7533 dtrace_hash_str(char *p)
7534 {
7535 	unsigned int g;
7536 	uint_t hval = 0;
7537 
7538 	while (*p) {
7539 		hval = (hval << 4) + *p++;
7540 		if ((g = (hval & 0xf0000000)) != 0)
7541 			hval ^= g >> 24;
7542 		hval &= ~g;
7543 	}
7544 	return (hval);
7545 }
7546 
7547 static dtrace_hash_t *
7548 dtrace_hash_create(uintptr_t stroffs, uintptr_t nextoffs, uintptr_t prevoffs)
7549 {
7550 	dtrace_hash_t *hash = kmem_zalloc(sizeof (dtrace_hash_t), KM_SLEEP);
7551 
7552 	hash->dth_stroffs = stroffs;
7553 	hash->dth_nextoffs = nextoffs;
7554 	hash->dth_prevoffs = prevoffs;
7555 
7556 	hash->dth_size = 1;
7557 	hash->dth_mask = hash->dth_size - 1;
7558 
7559 	hash->dth_tab = kmem_zalloc(hash->dth_size *
7560 	    sizeof (dtrace_hashbucket_t *), KM_SLEEP);
7561 
7562 	return (hash);
7563 }
7564 
7565 static void
7566 dtrace_hash_destroy(dtrace_hash_t *hash)
7567 {
7568 #ifdef DEBUG
7569 	int i;
7570 
7571 	for (i = 0; i < hash->dth_size; i++)
7572 		ASSERT(hash->dth_tab[i] == NULL);
7573 #endif
7574 
7575 	kmem_free(hash->dth_tab,
7576 	    hash->dth_size * sizeof (dtrace_hashbucket_t *));
7577 	kmem_free(hash, sizeof (dtrace_hash_t));
7578 }
7579 
7580 static void
7581 dtrace_hash_resize(dtrace_hash_t *hash)
7582 {
7583 	int size = hash->dth_size, i, ndx;
7584 	int new_size = hash->dth_size << 1;
7585 	int new_mask = new_size - 1;
7586 	dtrace_hashbucket_t **new_tab, *bucket, *next;
7587 
7588 	ASSERT((new_size & new_mask) == 0);
7589 
7590 	new_tab = kmem_zalloc(new_size * sizeof (void *), KM_SLEEP);
7591 
7592 	for (i = 0; i < size; i++) {
7593 		for (bucket = hash->dth_tab[i]; bucket != NULL; bucket = next) {
7594 			dtrace_probe_t *probe = bucket->dthb_chain;
7595 
7596 			ASSERT(probe != NULL);
7597 			ndx = DTRACE_HASHSTR(hash, probe) & new_mask;
7598 
7599 			next = bucket->dthb_next;
7600 			bucket->dthb_next = new_tab[ndx];
7601 			new_tab[ndx] = bucket;
7602 		}
7603 	}
7604 
7605 	kmem_free(hash->dth_tab, hash->dth_size * sizeof (void *));
7606 	hash->dth_tab = new_tab;
7607 	hash->dth_size = new_size;
7608 	hash->dth_mask = new_mask;
7609 }
7610 
7611 static void
7612 dtrace_hash_add(dtrace_hash_t *hash, dtrace_probe_t *new)
7613 {
7614 	int hashval = DTRACE_HASHSTR(hash, new);
7615 	int ndx = hashval & hash->dth_mask;
7616 	dtrace_hashbucket_t *bucket = hash->dth_tab[ndx];
7617 	dtrace_probe_t **nextp, **prevp;
7618 
7619 	for (; bucket != NULL; bucket = bucket->dthb_next) {
7620 		if (DTRACE_HASHEQ(hash, bucket->dthb_chain, new))
7621 			goto add;
7622 	}
7623 
7624 	if ((hash->dth_nbuckets >> 1) > hash->dth_size) {
7625 		dtrace_hash_resize(hash);
7626 		dtrace_hash_add(hash, new);
7627 		return;
7628 	}
7629 
7630 	bucket = kmem_zalloc(sizeof (dtrace_hashbucket_t), KM_SLEEP);
7631 	bucket->dthb_next = hash->dth_tab[ndx];
7632 	hash->dth_tab[ndx] = bucket;
7633 	hash->dth_nbuckets++;
7634 
7635 add:
7636 	nextp = DTRACE_HASHNEXT(hash, new);
7637 	ASSERT(*nextp == NULL && *(DTRACE_HASHPREV(hash, new)) == NULL);
7638 	*nextp = bucket->dthb_chain;
7639 
7640 	if (bucket->dthb_chain != NULL) {
7641 		prevp = DTRACE_HASHPREV(hash, bucket->dthb_chain);
7642 		ASSERT(*prevp == NULL);
7643 		*prevp = new;
7644 	}
7645 
7646 	bucket->dthb_chain = new;
7647 	bucket->dthb_len++;
7648 }
7649 
7650 static dtrace_probe_t *
7651 dtrace_hash_lookup(dtrace_hash_t *hash, dtrace_probe_t *template)
7652 {
7653 	int hashval = DTRACE_HASHSTR(hash, template);
7654 	int ndx = hashval & hash->dth_mask;
7655 	dtrace_hashbucket_t *bucket = hash->dth_tab[ndx];
7656 
7657 	for (; bucket != NULL; bucket = bucket->dthb_next) {
7658 		if (DTRACE_HASHEQ(hash, bucket->dthb_chain, template))
7659 			return (bucket->dthb_chain);
7660 	}
7661 
7662 	return (NULL);
7663 }
7664 
7665 static int
7666 dtrace_hash_collisions(dtrace_hash_t *hash, dtrace_probe_t *template)
7667 {
7668 	int hashval = DTRACE_HASHSTR(hash, template);
7669 	int ndx = hashval & hash->dth_mask;
7670 	dtrace_hashbucket_t *bucket = hash->dth_tab[ndx];
7671 
7672 	for (; bucket != NULL; bucket = bucket->dthb_next) {
7673 		if (DTRACE_HASHEQ(hash, bucket->dthb_chain, template))
7674 			return (bucket->dthb_len);
7675 	}
7676 
7677 	return (0);
7678 }
7679 
7680 static void
7681 dtrace_hash_remove(dtrace_hash_t *hash, dtrace_probe_t *probe)
7682 {
7683 	int ndx = DTRACE_HASHSTR(hash, probe) & hash->dth_mask;
7684 	dtrace_hashbucket_t *bucket = hash->dth_tab[ndx];
7685 
7686 	dtrace_probe_t **prevp = DTRACE_HASHPREV(hash, probe);
7687 	dtrace_probe_t **nextp = DTRACE_HASHNEXT(hash, probe);
7688 
7689 	/*
7690 	 * Find the bucket that we're removing this probe from.
7691 	 */
7692 	for (; bucket != NULL; bucket = bucket->dthb_next) {
7693 		if (DTRACE_HASHEQ(hash, bucket->dthb_chain, probe))
7694 			break;
7695 	}
7696 
7697 	ASSERT(bucket != NULL);
7698 
7699 	if (*prevp == NULL) {
7700 		if (*nextp == NULL) {
7701 			/*
7702 			 * The removed probe was the only probe on this
7703 			 * bucket; we need to remove the bucket.
7704 			 */
7705 			dtrace_hashbucket_t *b = hash->dth_tab[ndx];
7706 
7707 			ASSERT(bucket->dthb_chain == probe);
7708 			ASSERT(b != NULL);
7709 
7710 			if (b == bucket) {
7711 				hash->dth_tab[ndx] = bucket->dthb_next;
7712 			} else {
7713 				while (b->dthb_next != bucket)
7714 					b = b->dthb_next;
7715 				b->dthb_next = bucket->dthb_next;
7716 			}
7717 
7718 			ASSERT(hash->dth_nbuckets > 0);
7719 			hash->dth_nbuckets--;
7720 			kmem_free(bucket, sizeof (dtrace_hashbucket_t));
7721 			return;
7722 		}
7723 
7724 		bucket->dthb_chain = *nextp;
7725 	} else {
7726 		*(DTRACE_HASHNEXT(hash, *prevp)) = *nextp;
7727 	}
7728 
7729 	if (*nextp != NULL)
7730 		*(DTRACE_HASHPREV(hash, *nextp)) = *prevp;
7731 }
7732 
7733 /*
7734  * DTrace Utility Functions
7735  *
7736  * These are random utility functions that are _not_ called from probe context.
7737  */
7738 static int
7739 dtrace_badattr(const dtrace_attribute_t *a)
7740 {
7741 	return (a->dtat_name > DTRACE_STABILITY_MAX ||
7742 	    a->dtat_data > DTRACE_STABILITY_MAX ||
7743 	    a->dtat_class > DTRACE_CLASS_MAX);
7744 }
7745 
7746 /*
7747  * Return a duplicate copy of a string.  If the specified string is NULL,
7748  * this function returns a zero-length string.
7749  */
7750 static char *
7751 dtrace_strdup(const char *str)
7752 {
7753 	char *new = kmem_zalloc((str != NULL ? strlen(str) : 0) + 1, KM_SLEEP);
7754 
7755 	if (str != NULL)
7756 		(void) strcpy(new, str);
7757 
7758 	return (new);
7759 }
7760 
7761 #define	DTRACE_ISALPHA(c)	\
7762 	(((c) >= 'a' && (c) <= 'z') || ((c) >= 'A' && (c) <= 'Z'))
7763 
7764 static int
7765 dtrace_badname(const char *s)
7766 {
7767 	char c;
7768 
7769 	if (s == NULL || (c = *s++) == '\0')
7770 		return (0);
7771 
7772 	if (!DTRACE_ISALPHA(c) && c != '-' && c != '_' && c != '.')
7773 		return (1);
7774 
7775 	while ((c = *s++) != '\0') {
7776 		if (!DTRACE_ISALPHA(c) && (c < '0' || c > '9') &&
7777 		    c != '-' && c != '_' && c != '.' && c != '`')
7778 			return (1);
7779 	}
7780 
7781 	return (0);
7782 }
7783 
7784 static void
7785 dtrace_cred2priv(cred_t *cr, uint32_t *privp, uid_t *uidp, zoneid_t *zoneidp)
7786 {
7787 	uint32_t priv;
7788 
7789 	if (cr == NULL || PRIV_POLICY_ONLY(cr, PRIV_ALL, B_FALSE)) {
7790 		/*
7791 		 * For DTRACE_PRIV_ALL, the uid and zoneid don't matter.
7792 		 */
7793 		priv = DTRACE_PRIV_ALL;
7794 	} else {
7795 		*uidp = crgetuid(cr);
7796 		*zoneidp = crgetzoneid(cr);
7797 
7798 		priv = 0;
7799 		if (PRIV_POLICY_ONLY(cr, PRIV_DTRACE_KERNEL, B_FALSE))
7800 			priv |= DTRACE_PRIV_KERNEL | DTRACE_PRIV_USER;
7801 		else if (PRIV_POLICY_ONLY(cr, PRIV_DTRACE_USER, B_FALSE))
7802 			priv |= DTRACE_PRIV_USER;
7803 		if (PRIV_POLICY_ONLY(cr, PRIV_DTRACE_PROC, B_FALSE))
7804 			priv |= DTRACE_PRIV_PROC;
7805 		if (PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, B_FALSE))
7806 			priv |= DTRACE_PRIV_OWNER;
7807 		if (PRIV_POLICY_ONLY(cr, PRIV_PROC_ZONE, B_FALSE))
7808 			priv |= DTRACE_PRIV_ZONEOWNER;
7809 	}
7810 
7811 	*privp = priv;
7812 }
7813 
7814 #ifdef DTRACE_ERRDEBUG
7815 static void
7816 dtrace_errdebug(const char *str)
7817 {
7818 	int hval = dtrace_hash_str((char *)str) % DTRACE_ERRHASHSZ;
7819 	int occupied = 0;
7820 
7821 	mutex_enter(&dtrace_errlock);
7822 	dtrace_errlast = str;
7823 	dtrace_errthread = curthread;
7824 
7825 	while (occupied++ < DTRACE_ERRHASHSZ) {
7826 		if (dtrace_errhash[hval].dter_msg == str) {
7827 			dtrace_errhash[hval].dter_count++;
7828 			goto out;
7829 		}
7830 
7831 		if (dtrace_errhash[hval].dter_msg != NULL) {
7832 			hval = (hval + 1) % DTRACE_ERRHASHSZ;
7833 			continue;
7834 		}
7835 
7836 		dtrace_errhash[hval].dter_msg = str;
7837 		dtrace_errhash[hval].dter_count = 1;
7838 		goto out;
7839 	}
7840 
7841 	panic("dtrace: undersized error hash");
7842 out:
7843 	mutex_exit(&dtrace_errlock);
7844 }
7845 #endif
7846 
7847 /*
7848  * DTrace Matching Functions
7849  *
7850  * These functions are used to match groups of probes, given some elements of
7851  * a probe tuple, or some globbed expressions for elements of a probe tuple.
7852  */
7853 static int
7854 dtrace_match_priv(const dtrace_probe_t *prp, uint32_t priv, uid_t uid,
7855     zoneid_t zoneid)
7856 {
7857 	if (priv != DTRACE_PRIV_ALL) {
7858 		uint32_t ppriv = prp->dtpr_provider->dtpv_priv.dtpp_flags;
7859 		uint32_t match = priv & ppriv;
7860 
7861 		/*
7862 		 * No PRIV_DTRACE_* privileges...
7863 		 */
7864 		if ((priv & (DTRACE_PRIV_PROC | DTRACE_PRIV_USER |
7865 		    DTRACE_PRIV_KERNEL)) == 0)
7866 			return (0);
7867 
7868 		/*
7869 		 * No matching bits, but there were bits to match...
7870 		 */
7871 		if (match == 0 && ppriv != 0)
7872 			return (0);
7873 
7874 		/*
7875 		 * Need to have permissions to the process, but don't...
7876 		 */
7877 		if (((ppriv & ~match) & DTRACE_PRIV_OWNER) != 0 &&
7878 		    uid != prp->dtpr_provider->dtpv_priv.dtpp_uid) {
7879 			return (0);
7880 		}
7881 
7882 		/*
7883 		 * Need to be in the same zone unless we possess the
7884 		 * privilege to examine all zones.
7885 		 */
7886 		if (((ppriv & ~match) & DTRACE_PRIV_ZONEOWNER) != 0 &&
7887 		    zoneid != prp->dtpr_provider->dtpv_priv.dtpp_zoneid) {
7888 			return (0);
7889 		}
7890 	}
7891 
7892 	return (1);
7893 }
7894 
7895 /*
7896  * dtrace_match_probe compares a dtrace_probe_t to a pre-compiled key, which
7897  * consists of input pattern strings and an ops-vector to evaluate them.
7898  * This function returns >0 for match, 0 for no match, and <0 for error.
7899  */
7900 static int
7901 dtrace_match_probe(const dtrace_probe_t *prp, const dtrace_probekey_t *pkp,
7902     uint32_t priv, uid_t uid, zoneid_t zoneid)
7903 {
7904 	dtrace_provider_t *pvp = prp->dtpr_provider;
7905 	int rv;
7906 
7907 	if (pvp->dtpv_defunct)
7908 		return (0);
7909 
7910 	if ((rv = pkp->dtpk_pmatch(pvp->dtpv_name, pkp->dtpk_prov, 0)) <= 0)
7911 		return (rv);
7912 
7913 	if ((rv = pkp->dtpk_mmatch(prp->dtpr_mod, pkp->dtpk_mod, 0)) <= 0)
7914 		return (rv);
7915 
7916 	if ((rv = pkp->dtpk_fmatch(prp->dtpr_func, pkp->dtpk_func, 0)) <= 0)
7917 		return (rv);
7918 
7919 	if ((rv = pkp->dtpk_nmatch(prp->dtpr_name, pkp->dtpk_name, 0)) <= 0)
7920 		return (rv);
7921 
7922 	if (dtrace_match_priv(prp, priv, uid, zoneid) == 0)
7923 		return (0);
7924 
7925 	return (rv);
7926 }
7927 
7928 /*
7929  * dtrace_match_glob() is a safe kernel implementation of the gmatch(3GEN)
7930  * interface for matching a glob pattern 'p' to an input string 's'.  Unlike
7931  * libc's version, the kernel version only applies to 8-bit ASCII strings.
7932  * In addition, all of the recursion cases except for '*' matching have been
7933  * unwound.  For '*', we still implement recursive evaluation, but a depth
7934  * counter is maintained and matching is aborted if we recurse too deep.
7935  * The function returns 0 if no match, >0 if match, and <0 if recursion error.
7936  */
7937 static int
7938 dtrace_match_glob(const char *s, const char *p, int depth)
7939 {
7940 	const char *olds;
7941 	char s1, c;
7942 	int gs;
7943 
7944 	if (depth > DTRACE_PROBEKEY_MAXDEPTH)
7945 		return (-1);
7946 
7947 	if (s == NULL)
7948 		s = ""; /* treat NULL as empty string */
7949 
7950 top:
7951 	olds = s;
7952 	s1 = *s++;
7953 
7954 	if (p == NULL)
7955 		return (0);
7956 
7957 	if ((c = *p++) == '\0')
7958 		return (s1 == '\0');
7959 
7960 	switch (c) {
7961 	case '[': {
7962 		int ok = 0, notflag = 0;
7963 		char lc = '\0';
7964 
7965 		if (s1 == '\0')
7966 			return (0);
7967 
7968 		if (*p == '!') {
7969 			notflag = 1;
7970 			p++;
7971 		}
7972 
7973 		if ((c = *p++) == '\0')
7974 			return (0);
7975 
7976 		do {
7977 			if (c == '-' && lc != '\0' && *p != ']') {
7978 				if ((c = *p++) == '\0')
7979 					return (0);
7980 				if (c == '\\' && (c = *p++) == '\0')
7981 					return (0);
7982 
7983 				if (notflag) {
7984 					if (s1 < lc || s1 > c)
7985 						ok++;
7986 					else
7987 						return (0);
7988 				} else if (lc <= s1 && s1 <= c)
7989 					ok++;
7990 
7991 			} else if (c == '\\' && (c = *p++) == '\0')
7992 				return (0);
7993 
7994 			lc = c; /* save left-hand 'c' for next iteration */
7995 
7996 			if (notflag) {
7997 				if (s1 != c)
7998 					ok++;
7999 				else
8000 					return (0);
8001 			} else if (s1 == c)
8002 				ok++;
8003 
8004 			if ((c = *p++) == '\0')
8005 				return (0);
8006 
8007 		} while (c != ']');
8008 
8009 		if (ok)
8010 			goto top;
8011 
8012 		return (0);
8013 	}
8014 
8015 	case '\\':
8016 		if ((c = *p++) == '\0')
8017 			return (0);
8018 		/*FALLTHRU*/
8019 
8020 	default:
8021 		if (c != s1)
8022 			return (0);
8023 		/*FALLTHRU*/
8024 
8025 	case '?':
8026 		if (s1 != '\0')
8027 			goto top;
8028 		return (0);
8029 
8030 	case '*':
8031 		while (*p == '*')
8032 			p++; /* consecutive *'s are identical to a single one */
8033 
8034 		if (*p == '\0')
8035 			return (1);
8036 
8037 		for (s = olds; *s != '\0'; s++) {
8038 			if ((gs = dtrace_match_glob(s, p, depth + 1)) != 0)
8039 				return (gs);
8040 		}
8041 
8042 		return (0);
8043 	}
8044 }
8045 
8046 /*ARGSUSED*/
8047 static int
8048 dtrace_match_string(const char *s, const char *p, int depth)
8049 {
8050 	return (s != NULL && strcmp(s, p) == 0);
8051 }
8052 
8053 /*ARGSUSED*/
8054 static int
8055 dtrace_match_nul(const char *s, const char *p, int depth)
8056 {
8057 	return (1); /* always match the empty pattern */
8058 }
8059 
8060 /*ARGSUSED*/
8061 static int
8062 dtrace_match_nonzero(const char *s, const char *p, int depth)
8063 {
8064 	return (s != NULL && s[0] != '\0');
8065 }
8066 
8067 static int
8068 dtrace_match(const dtrace_probekey_t *pkp, uint32_t priv, uid_t uid,
8069     zoneid_t zoneid, int (*matched)(dtrace_probe_t *, void *), void *arg)
8070 {
8071 	dtrace_probe_t template, *probe;
8072 	dtrace_hash_t *hash = NULL;
8073 	int len, rc, best = INT_MAX, nmatched = 0;
8074 	dtrace_id_t i;
8075 
8076 	ASSERT(MUTEX_HELD(&dtrace_lock));
8077 
8078 	/*
8079 	 * If the probe ID is specified in the key, just lookup by ID and
8080 	 * invoke the match callback once if a matching probe is found.
8081 	 */
8082 	if (pkp->dtpk_id != DTRACE_IDNONE) {
8083 		if ((probe = dtrace_probe_lookup_id(pkp->dtpk_id)) != NULL &&
8084 		    dtrace_match_probe(probe, pkp, priv, uid, zoneid) > 0) {
8085 			if ((*matched)(probe, arg) == DTRACE_MATCH_FAIL)
8086 				return (DTRACE_MATCH_FAIL);
8087 			nmatched++;
8088 		}
8089 		return (nmatched);
8090 	}
8091 
8092 	template.dtpr_mod = (char *)pkp->dtpk_mod;
8093 	template.dtpr_func = (char *)pkp->dtpk_func;
8094 	template.dtpr_name = (char *)pkp->dtpk_name;
8095 
8096 	/*
8097 	 * We want to find the most distinct of the module name, function
8098 	 * name, and name.  So for each one that is not a glob pattern or
8099 	 * empty string, we perform a lookup in the corresponding hash and
8100 	 * use the hash table with the fewest collisions to do our search.
8101 	 */
8102 	if (pkp->dtpk_mmatch == &dtrace_match_string &&
8103 	    (len = dtrace_hash_collisions(dtrace_bymod, &template)) < best) {
8104 		best = len;
8105 		hash = dtrace_bymod;
8106 	}
8107 
8108 	if (pkp->dtpk_fmatch == &dtrace_match_string &&
8109 	    (len = dtrace_hash_collisions(dtrace_byfunc, &template)) < best) {
8110 		best = len;
8111 		hash = dtrace_byfunc;
8112 	}
8113 
8114 	if (pkp->dtpk_nmatch == &dtrace_match_string &&
8115 	    (len = dtrace_hash_collisions(dtrace_byname, &template)) < best) {
8116 		best = len;
8117 		hash = dtrace_byname;
8118 	}
8119 
8120 	/*
8121 	 * If we did not select a hash table, iterate over every probe and
8122 	 * invoke our callback for each one that matches our input probe key.
8123 	 */
8124 	if (hash == NULL) {
8125 		for (i = 0; i < dtrace_nprobes; i++) {
8126 			if ((probe = dtrace_probes[i]) == NULL ||
8127 			    dtrace_match_probe(probe, pkp, priv, uid,
8128 			    zoneid) <= 0)
8129 				continue;
8130 
8131 			nmatched++;
8132 
8133 			if ((rc = (*matched)(probe, arg)) !=
8134 			    DTRACE_MATCH_NEXT) {
8135 				if (rc == DTRACE_MATCH_FAIL)
8136 					return (DTRACE_MATCH_FAIL);
8137 				break;
8138 			}
8139 		}
8140 
8141 		return (nmatched);
8142 	}
8143 
8144 	/*
8145 	 * If we selected a hash table, iterate over each probe of the same key
8146 	 * name and invoke the callback for every probe that matches the other
8147 	 * attributes of our input probe key.
8148 	 */
8149 	for (probe = dtrace_hash_lookup(hash, &template); probe != NULL;
8150 	    probe = *(DTRACE_HASHNEXT(hash, probe))) {
8151 
8152 		if (dtrace_match_probe(probe, pkp, priv, uid, zoneid) <= 0)
8153 			continue;
8154 
8155 		nmatched++;
8156 
8157 		if ((rc = (*matched)(probe, arg)) != DTRACE_MATCH_NEXT) {
8158 			if (rc == DTRACE_MATCH_FAIL)
8159 				return (DTRACE_MATCH_FAIL);
8160 			break;
8161 		}
8162 	}
8163 
8164 	return (nmatched);
8165 }
8166 
8167 /*
8168  * Return the function pointer dtrace_probecmp() should use to compare the
8169  * specified pattern with a string.  For NULL or empty patterns, we select
8170  * dtrace_match_nul().  For glob pattern strings, we use dtrace_match_glob().
8171  * For non-empty non-glob strings, we use dtrace_match_string().
8172  */
8173 static dtrace_probekey_f *
8174 dtrace_probekey_func(const char *p)
8175 {
8176 	char c;
8177 
8178 	if (p == NULL || *p == '\0')
8179 		return (&dtrace_match_nul);
8180 
8181 	while ((c = *p++) != '\0') {
8182 		if (c == '[' || c == '?' || c == '*' || c == '\\')
8183 			return (&dtrace_match_glob);
8184 	}
8185 
8186 	return (&dtrace_match_string);
8187 }
8188 
8189 /*
8190  * Build a probe comparison key for use with dtrace_match_probe() from the
8191  * given probe description.  By convention, a null key only matches anchored
8192  * probes: if each field is the empty string, reset dtpk_fmatch to
8193  * dtrace_match_nonzero().
8194  */
8195 static void
8196 dtrace_probekey(const dtrace_probedesc_t *pdp, dtrace_probekey_t *pkp)
8197 {
8198 	pkp->dtpk_prov = pdp->dtpd_provider;
8199 	pkp->dtpk_pmatch = dtrace_probekey_func(pdp->dtpd_provider);
8200 
8201 	pkp->dtpk_mod = pdp->dtpd_mod;
8202 	pkp->dtpk_mmatch = dtrace_probekey_func(pdp->dtpd_mod);
8203 
8204 	pkp->dtpk_func = pdp->dtpd_func;
8205 	pkp->dtpk_fmatch = dtrace_probekey_func(pdp->dtpd_func);
8206 
8207 	pkp->dtpk_name = pdp->dtpd_name;
8208 	pkp->dtpk_nmatch = dtrace_probekey_func(pdp->dtpd_name);
8209 
8210 	pkp->dtpk_id = pdp->dtpd_id;
8211 
8212 	if (pkp->dtpk_id == DTRACE_IDNONE &&
8213 	    pkp->dtpk_pmatch == &dtrace_match_nul &&
8214 	    pkp->dtpk_mmatch == &dtrace_match_nul &&
8215 	    pkp->dtpk_fmatch == &dtrace_match_nul &&
8216 	    pkp->dtpk_nmatch == &dtrace_match_nul)
8217 		pkp->dtpk_fmatch = &dtrace_match_nonzero;
8218 }
8219 
8220 /*
8221  * DTrace Provider-to-Framework API Functions
8222  *
8223  * These functions implement much of the Provider-to-Framework API, as
8224  * described in <sys/dtrace.h>.  The parts of the API not in this section are
8225  * the functions in the API for probe management (found below), and
8226  * dtrace_probe() itself (found above).
8227  */
8228 
8229 /*
8230  * Register the calling provider with the DTrace framework.  This should
8231  * generally be called by DTrace providers in their attach(9E) entry point.
8232  */
8233 int
8234 dtrace_register(const char *name, const dtrace_pattr_t *pap, uint32_t priv,
8235     cred_t *cr, const dtrace_pops_t *pops, void *arg, dtrace_provider_id_t *idp)
8236 {
8237 	dtrace_provider_t *provider;
8238 
8239 	if (name == NULL || pap == NULL || pops == NULL || idp == NULL) {
8240 		cmn_err(CE_WARN, "failed to register provider '%s': invalid "
8241 		    "arguments", name ? name : "<NULL>");
8242 		return (EINVAL);
8243 	}
8244 
8245 	if (name[0] == '\0' || dtrace_badname(name)) {
8246 		cmn_err(CE_WARN, "failed to register provider '%s': invalid "
8247 		    "provider name", name);
8248 		return (EINVAL);
8249 	}
8250 
8251 	if ((pops->dtps_provide == NULL && pops->dtps_provide_module == NULL) ||
8252 	    pops->dtps_enable == NULL || pops->dtps_disable == NULL ||
8253 	    pops->dtps_destroy == NULL ||
8254 	    ((pops->dtps_resume == NULL) != (pops->dtps_suspend == NULL))) {
8255 		cmn_err(CE_WARN, "failed to register provider '%s': invalid "
8256 		    "provider ops", name);
8257 		return (EINVAL);
8258 	}
8259 
8260 	if (dtrace_badattr(&pap->dtpa_provider) ||
8261 	    dtrace_badattr(&pap->dtpa_mod) ||
8262 	    dtrace_badattr(&pap->dtpa_func) ||
8263 	    dtrace_badattr(&pap->dtpa_name) ||
8264 	    dtrace_badattr(&pap->dtpa_args)) {
8265 		cmn_err(CE_WARN, "failed to register provider '%s': invalid "
8266 		    "provider attributes", name);
8267 		return (EINVAL);
8268 	}
8269 
8270 	if (priv & ~DTRACE_PRIV_ALL) {
8271 		cmn_err(CE_WARN, "failed to register provider '%s': invalid "
8272 		    "privilege attributes", name);
8273 		return (EINVAL);
8274 	}
8275 
8276 	if ((priv & DTRACE_PRIV_KERNEL) &&
8277 	    (priv & (DTRACE_PRIV_USER | DTRACE_PRIV_OWNER)) &&
8278 	    pops->dtps_mode == NULL) {
8279 		cmn_err(CE_WARN, "failed to register provider '%s': need "
8280 		    "dtps_mode() op for given privilege attributes", name);
8281 		return (EINVAL);
8282 	}
8283 
8284 	provider = kmem_zalloc(sizeof (dtrace_provider_t), KM_SLEEP);
8285 	provider->dtpv_name = kmem_alloc(strlen(name) + 1, KM_SLEEP);
8286 	(void) strcpy(provider->dtpv_name, name);
8287 
8288 	provider->dtpv_attr = *pap;
8289 	provider->dtpv_priv.dtpp_flags = priv;
8290 	if (cr != NULL) {
8291 		provider->dtpv_priv.dtpp_uid = crgetuid(cr);
8292 		provider->dtpv_priv.dtpp_zoneid = crgetzoneid(cr);
8293 	}
8294 	provider->dtpv_pops = *pops;
8295 
8296 	if (pops->dtps_provide == NULL) {
8297 		ASSERT(pops->dtps_provide_module != NULL);
8298 		provider->dtpv_pops.dtps_provide = dtrace_nullop_provide;
8299 	}
8300 
8301 	if (pops->dtps_provide_module == NULL) {
8302 		ASSERT(pops->dtps_provide != NULL);
8303 		provider->dtpv_pops.dtps_provide_module = dtrace_nullop_module;
8304 	}
8305 
8306 	if (pops->dtps_suspend == NULL) {
8307 		ASSERT(pops->dtps_resume == NULL);
8308 		provider->dtpv_pops.dtps_suspend = dtrace_nullop;
8309 		provider->dtpv_pops.dtps_resume = dtrace_nullop;
8310 	}
8311 
8312 	provider->dtpv_arg = arg;
8313 	*idp = (dtrace_provider_id_t)provider;
8314 
8315 	if (pops == &dtrace_provider_ops) {
8316 		ASSERT(MUTEX_HELD(&dtrace_provider_lock));
8317 		ASSERT(MUTEX_HELD(&dtrace_lock));
8318 		ASSERT(dtrace_anon.dta_enabling == NULL);
8319 
8320 		/*
8321 		 * We make sure that the DTrace provider is at the head of
8322 		 * the provider chain.
8323 		 */
8324 		provider->dtpv_next = dtrace_provider;
8325 		dtrace_provider = provider;
8326 		return (0);
8327 	}
8328 
8329 	mutex_enter(&dtrace_provider_lock);
8330 	mutex_enter(&dtrace_lock);
8331 
8332 	/*
8333 	 * If there is at least one provider registered, we'll add this
8334 	 * provider after the first provider.
8335 	 */
8336 	if (dtrace_provider != NULL) {
8337 		provider->dtpv_next = dtrace_provider->dtpv_next;
8338 		dtrace_provider->dtpv_next = provider;
8339 	} else {
8340 		dtrace_provider = provider;
8341 	}
8342 
8343 	if (dtrace_retained != NULL) {
8344 		dtrace_enabling_provide(provider);
8345 
8346 		/*
8347 		 * Now we need to call dtrace_enabling_matchall() -- which
8348 		 * will acquire cpu_lock and dtrace_lock.  We therefore need
8349 		 * to drop all of our locks before calling into it...
8350 		 */
8351 		mutex_exit(&dtrace_lock);
8352 		mutex_exit(&dtrace_provider_lock);
8353 		dtrace_enabling_matchall();
8354 
8355 		return (0);
8356 	}
8357 
8358 	mutex_exit(&dtrace_lock);
8359 	mutex_exit(&dtrace_provider_lock);
8360 
8361 	return (0);
8362 }
8363 
8364 /*
8365  * Unregister the specified provider from the DTrace framework.  This should
8366  * generally be called by DTrace providers in their detach(9E) entry point.
8367  */
8368 int
8369 dtrace_unregister(dtrace_provider_id_t id)
8370 {
8371 	dtrace_provider_t *old = (dtrace_provider_t *)id;
8372 	dtrace_provider_t *prev = NULL;
8373 	int i, self = 0, noreap = 0;
8374 	dtrace_probe_t *probe, *first = NULL;
8375 
8376 	if (old->dtpv_pops.dtps_enable == dtrace_enable_nullop) {
8377 		/*
8378 		 * If DTrace itself is the provider, we're called with locks
8379 		 * already held.
8380 		 */
8381 		ASSERT(old == dtrace_provider);
8382 		ASSERT(dtrace_devi != NULL);
8383 		ASSERT(MUTEX_HELD(&dtrace_provider_lock));
8384 		ASSERT(MUTEX_HELD(&dtrace_lock));
8385 		self = 1;
8386 
8387 		if (dtrace_provider->dtpv_next != NULL) {
8388 			/*
8389 			 * There's another provider here; return failure.
8390 			 */
8391 			return (EBUSY);
8392 		}
8393 	} else {
8394 		mutex_enter(&dtrace_provider_lock);
8395 		mutex_enter(&mod_lock);
8396 		mutex_enter(&dtrace_lock);
8397 	}
8398 
8399 	/*
8400 	 * If anyone has /dev/dtrace open, or if there are anonymous enabled
8401 	 * probes, we refuse to let providers slither away, unless this
8402 	 * provider has already been explicitly invalidated.
8403 	 */
8404 	if (!old->dtpv_defunct &&
8405 	    (dtrace_opens || (dtrace_anon.dta_state != NULL &&
8406 	    dtrace_anon.dta_state->dts_necbs > 0))) {
8407 		if (!self) {
8408 			mutex_exit(&dtrace_lock);
8409 			mutex_exit(&mod_lock);
8410 			mutex_exit(&dtrace_provider_lock);
8411 		}
8412 		return (EBUSY);
8413 	}
8414 
8415 	/*
8416 	 * Attempt to destroy the probes associated with this provider.
8417 	 */
8418 	for (i = 0; i < dtrace_nprobes; i++) {
8419 		if ((probe = dtrace_probes[i]) == NULL)
8420 			continue;
8421 
8422 		if (probe->dtpr_provider != old)
8423 			continue;
8424 
8425 		if (probe->dtpr_ecb == NULL)
8426 			continue;
8427 
8428 		/*
8429 		 * If we are trying to unregister a defunct provider, and the
8430 		 * provider was made defunct within the interval dictated by
8431 		 * dtrace_unregister_defunct_reap, we'll (asynchronously)
8432 		 * attempt to reap our enablings.  To denote that the provider
8433 		 * should reattempt to unregister itself at some point in the
8434 		 * future, we will return a differentiable error code (EAGAIN
8435 		 * instead of EBUSY) in this case.
8436 		 */
8437 		if (dtrace_gethrtime() - old->dtpv_defunct >
8438 		    dtrace_unregister_defunct_reap)
8439 			noreap = 1;
8440 
8441 		if (!self) {
8442 			mutex_exit(&dtrace_lock);
8443 			mutex_exit(&mod_lock);
8444 			mutex_exit(&dtrace_provider_lock);
8445 		}
8446 
8447 		if (noreap)
8448 			return (EBUSY);
8449 
8450 		(void) taskq_dispatch(dtrace_taskq,
8451 		    (task_func_t *)dtrace_enabling_reap, NULL, TQ_SLEEP);
8452 
8453 		return (EAGAIN);
8454 	}
8455 
8456 	/*
8457 	 * All of the probes for this provider are disabled; we can safely
8458 	 * remove all of them from their hash chains and from the probe array.
8459 	 */
8460 	for (i = 0; i < dtrace_nprobes; i++) {
8461 		if ((probe = dtrace_probes[i]) == NULL)
8462 			continue;
8463 
8464 		if (probe->dtpr_provider != old)
8465 			continue;
8466 
8467 		dtrace_probes[i] = NULL;
8468 
8469 		dtrace_hash_remove(dtrace_bymod, probe);
8470 		dtrace_hash_remove(dtrace_byfunc, probe);
8471 		dtrace_hash_remove(dtrace_byname, probe);
8472 
8473 		if (first == NULL) {
8474 			first = probe;
8475 			probe->dtpr_nextmod = NULL;
8476 		} else {
8477 			probe->dtpr_nextmod = first;
8478 			first = probe;
8479 		}
8480 	}
8481 
8482 	/*
8483 	 * The provider's probes have been removed from the hash chains and
8484 	 * from the probe array.  Now issue a dtrace_sync() to be sure that
8485 	 * everyone has cleared out from any probe array processing.
8486 	 */
8487 	dtrace_sync();
8488 
8489 	for (probe = first; probe != NULL; probe = first) {
8490 		first = probe->dtpr_nextmod;
8491 
8492 		old->dtpv_pops.dtps_destroy(old->dtpv_arg, probe->dtpr_id,
8493 		    probe->dtpr_arg);
8494 		kmem_free(probe->dtpr_mod, strlen(probe->dtpr_mod) + 1);
8495 		kmem_free(probe->dtpr_func, strlen(probe->dtpr_func) + 1);
8496 		kmem_free(probe->dtpr_name, strlen(probe->dtpr_name) + 1);
8497 		vmem_free(dtrace_arena, (void *)(uintptr_t)(probe->dtpr_id), 1);
8498 		kmem_free(probe, sizeof (dtrace_probe_t));
8499 	}
8500 
8501 	if ((prev = dtrace_provider) == old) {
8502 		ASSERT(self || dtrace_devi == NULL);
8503 		ASSERT(old->dtpv_next == NULL || dtrace_devi == NULL);
8504 		dtrace_provider = old->dtpv_next;
8505 	} else {
8506 		while (prev != NULL && prev->dtpv_next != old)
8507 			prev = prev->dtpv_next;
8508 
8509 		if (prev == NULL) {
8510 			panic("attempt to unregister non-existent "
8511 			    "dtrace provider %p\n", (void *)id);
8512 		}
8513 
8514 		prev->dtpv_next = old->dtpv_next;
8515 	}
8516 
8517 	if (!self) {
8518 		mutex_exit(&dtrace_lock);
8519 		mutex_exit(&mod_lock);
8520 		mutex_exit(&dtrace_provider_lock);
8521 	}
8522 
8523 	kmem_free(old->dtpv_name, strlen(old->dtpv_name) + 1);
8524 	kmem_free(old, sizeof (dtrace_provider_t));
8525 
8526 	return (0);
8527 }
8528 
8529 /*
8530  * Invalidate the specified provider.  All subsequent probe lookups for the
8531  * specified provider will fail, but its probes will not be removed.
8532  */
8533 void
8534 dtrace_invalidate(dtrace_provider_id_t id)
8535 {
8536 	dtrace_provider_t *pvp = (dtrace_provider_t *)id;
8537 
8538 	ASSERT(pvp->dtpv_pops.dtps_enable != dtrace_enable_nullop);
8539 
8540 	mutex_enter(&dtrace_provider_lock);
8541 	mutex_enter(&dtrace_lock);
8542 
8543 	pvp->dtpv_defunct = dtrace_gethrtime();
8544 
8545 	mutex_exit(&dtrace_lock);
8546 	mutex_exit(&dtrace_provider_lock);
8547 }
8548 
8549 /*
8550  * Indicate whether or not DTrace has attached.
8551  */
8552 int
8553 dtrace_attached(void)
8554 {
8555 	/*
8556 	 * dtrace_provider will be non-NULL iff the DTrace driver has
8557 	 * attached.  (It's non-NULL because DTrace is always itself a
8558 	 * provider.)
8559 	 */
8560 	return (dtrace_provider != NULL);
8561 }
8562 
8563 /*
8564  * Remove all the unenabled probes for the given provider.  This function is
8565  * not unlike dtrace_unregister(), except that it doesn't remove the provider
8566  * -- just as many of its associated probes as it can.
8567  */
8568 int
8569 dtrace_condense(dtrace_provider_id_t id)
8570 {
8571 	dtrace_provider_t *prov = (dtrace_provider_t *)id;
8572 	int i;
8573 	dtrace_probe_t *probe;
8574 
8575 	/*
8576 	 * Make sure this isn't the dtrace provider itself.
8577 	 */
8578 	ASSERT(prov->dtpv_pops.dtps_enable != dtrace_enable_nullop);
8579 
8580 	mutex_enter(&dtrace_provider_lock);
8581 	mutex_enter(&dtrace_lock);
8582 
8583 	/*
8584 	 * Attempt to destroy the probes associated with this provider.
8585 	 */
8586 	for (i = 0; i < dtrace_nprobes; i++) {
8587 		if ((probe = dtrace_probes[i]) == NULL)
8588 			continue;
8589 
8590 		if (probe->dtpr_provider != prov)
8591 			continue;
8592 
8593 		if (probe->dtpr_ecb != NULL)
8594 			continue;
8595 
8596 		dtrace_probes[i] = NULL;
8597 
8598 		dtrace_hash_remove(dtrace_bymod, probe);
8599 		dtrace_hash_remove(dtrace_byfunc, probe);
8600 		dtrace_hash_remove(dtrace_byname, probe);
8601 
8602 		prov->dtpv_pops.dtps_destroy(prov->dtpv_arg, i + 1,
8603 		    probe->dtpr_arg);
8604 		kmem_free(probe->dtpr_mod, strlen(probe->dtpr_mod) + 1);
8605 		kmem_free(probe->dtpr_func, strlen(probe->dtpr_func) + 1);
8606 		kmem_free(probe->dtpr_name, strlen(probe->dtpr_name) + 1);
8607 		kmem_free(probe, sizeof (dtrace_probe_t));
8608 		vmem_free(dtrace_arena, (void *)((uintptr_t)i + 1), 1);
8609 	}
8610 
8611 	mutex_exit(&dtrace_lock);
8612 	mutex_exit(&dtrace_provider_lock);
8613 
8614 	return (0);
8615 }
8616 
8617 /*
8618  * DTrace Probe Management Functions
8619  *
8620  * The functions in this section perform the DTrace probe management,
8621  * including functions to create probes, look-up probes, and call into the
8622  * providers to request that probes be provided.  Some of these functions are
8623  * in the Provider-to-Framework API; these functions can be identified by the
8624  * fact that they are not declared "static".
8625  */
8626 
8627 /*
8628  * Create a probe with the specified module name, function name, and name.
8629  */
8630 dtrace_id_t
8631 dtrace_probe_create(dtrace_provider_id_t prov, const char *mod,
8632     const char *func, const char *name, int aframes, void *arg)
8633 {
8634 	dtrace_probe_t *probe, **probes;
8635 	dtrace_provider_t *provider = (dtrace_provider_t *)prov;
8636 	dtrace_id_t id;
8637 
8638 	if (provider == dtrace_provider) {
8639 		ASSERT(MUTEX_HELD(&dtrace_lock));
8640 	} else {
8641 		mutex_enter(&dtrace_lock);
8642 	}
8643 
8644 	id = (dtrace_id_t)(uintptr_t)vmem_alloc(dtrace_arena, 1,
8645 	    VM_BESTFIT | VM_SLEEP);
8646 	probe = kmem_zalloc(sizeof (dtrace_probe_t), KM_SLEEP);
8647 
8648 	probe->dtpr_id = id;
8649 	probe->dtpr_gen = dtrace_probegen++;
8650 	probe->dtpr_mod = dtrace_strdup(mod);
8651 	probe->dtpr_func = dtrace_strdup(func);
8652 	probe->dtpr_name = dtrace_strdup(name);
8653 	probe->dtpr_arg = arg;
8654 	probe->dtpr_aframes = aframes;
8655 	probe->dtpr_provider = provider;
8656 
8657 	dtrace_hash_add(dtrace_bymod, probe);
8658 	dtrace_hash_add(dtrace_byfunc, probe);
8659 	dtrace_hash_add(dtrace_byname, probe);
8660 
8661 	if (id - 1 >= dtrace_nprobes) {
8662 		size_t osize = dtrace_nprobes * sizeof (dtrace_probe_t *);
8663 		size_t nsize = osize << 1;
8664 
8665 		if (nsize == 0) {
8666 			ASSERT(osize == 0);
8667 			ASSERT(dtrace_probes == NULL);
8668 			nsize = sizeof (dtrace_probe_t *);
8669 		}
8670 
8671 		probes = kmem_zalloc(nsize, KM_SLEEP);
8672 
8673 		if (dtrace_probes == NULL) {
8674 			ASSERT(osize == 0);
8675 			dtrace_probes = probes;
8676 			dtrace_nprobes = 1;
8677 		} else {
8678 			dtrace_probe_t **oprobes = dtrace_probes;
8679 
8680 			bcopy(oprobes, probes, osize);
8681 			dtrace_membar_producer();
8682 			dtrace_probes = probes;
8683 
8684 			dtrace_sync();
8685 
8686 			/*
8687 			 * All CPUs are now seeing the new probes array; we can
8688 			 * safely free the old array.
8689 			 */
8690 			kmem_free(oprobes, osize);
8691 			dtrace_nprobes <<= 1;
8692 		}
8693 
8694 		ASSERT(id - 1 < dtrace_nprobes);
8695 	}
8696 
8697 	ASSERT(dtrace_probes[id - 1] == NULL);
8698 	dtrace_probes[id - 1] = probe;
8699 
8700 	if (provider != dtrace_provider)
8701 		mutex_exit(&dtrace_lock);
8702 
8703 	return (id);
8704 }
8705 
8706 static dtrace_probe_t *
8707 dtrace_probe_lookup_id(dtrace_id_t id)
8708 {
8709 	ASSERT(MUTEX_HELD(&dtrace_lock));
8710 
8711 	if (id == 0 || id > dtrace_nprobes)
8712 		return (NULL);
8713 
8714 	return (dtrace_probes[id - 1]);
8715 }
8716 
8717 static int
8718 dtrace_probe_lookup_match(dtrace_probe_t *probe, void *arg)
8719 {
8720 	*((dtrace_id_t *)arg) = probe->dtpr_id;
8721 
8722 	return (DTRACE_MATCH_DONE);
8723 }
8724 
8725 /*
8726  * Look up a probe based on provider and one or more of module name, function
8727  * name and probe name.
8728  */
8729 dtrace_id_t
8730 dtrace_probe_lookup(dtrace_provider_id_t prid, const char *mod,
8731     const char *func, const char *name)
8732 {
8733 	dtrace_probekey_t pkey;
8734 	dtrace_id_t id;
8735 	int match;
8736 
8737 	pkey.dtpk_prov = ((dtrace_provider_t *)prid)->dtpv_name;
8738 	pkey.dtpk_pmatch = &dtrace_match_string;
8739 	pkey.dtpk_mod = mod;
8740 	pkey.dtpk_mmatch = mod ? &dtrace_match_string : &dtrace_match_nul;
8741 	pkey.dtpk_func = func;
8742 	pkey.dtpk_fmatch = func ? &dtrace_match_string : &dtrace_match_nul;
8743 	pkey.dtpk_name = name;
8744 	pkey.dtpk_nmatch = name ? &dtrace_match_string : &dtrace_match_nul;
8745 	pkey.dtpk_id = DTRACE_IDNONE;
8746 
8747 	mutex_enter(&dtrace_lock);
8748 	match = dtrace_match(&pkey, DTRACE_PRIV_ALL, 0, 0,
8749 	    dtrace_probe_lookup_match, &id);
8750 	mutex_exit(&dtrace_lock);
8751 
8752 	ASSERT(match == 1 || match == 0);
8753 	return (match ? id : 0);
8754 }
8755 
8756 /*
8757  * Returns the probe argument associated with the specified probe.
8758  */
8759 void *
8760 dtrace_probe_arg(dtrace_provider_id_t id, dtrace_id_t pid)
8761 {
8762 	dtrace_probe_t *probe;
8763 	void *rval = NULL;
8764 
8765 	mutex_enter(&dtrace_lock);
8766 
8767 	if ((probe = dtrace_probe_lookup_id(pid)) != NULL &&
8768 	    probe->dtpr_provider == (dtrace_provider_t *)id)
8769 		rval = probe->dtpr_arg;
8770 
8771 	mutex_exit(&dtrace_lock);
8772 
8773 	return (rval);
8774 }
8775 
8776 /*
8777  * Copy a probe into a probe description.
8778  */
8779 static void
8780 dtrace_probe_description(const dtrace_probe_t *prp, dtrace_probedesc_t *pdp)
8781 {
8782 	bzero(pdp, sizeof (dtrace_probedesc_t));
8783 	pdp->dtpd_id = prp->dtpr_id;
8784 
8785 	(void) strncpy(pdp->dtpd_provider,
8786 	    prp->dtpr_provider->dtpv_name, DTRACE_PROVNAMELEN - 1);
8787 
8788 	(void) strncpy(pdp->dtpd_mod, prp->dtpr_mod, DTRACE_MODNAMELEN - 1);
8789 	(void) strncpy(pdp->dtpd_func, prp->dtpr_func, DTRACE_FUNCNAMELEN - 1);
8790 	(void) strncpy(pdp->dtpd_name, prp->dtpr_name, DTRACE_NAMELEN - 1);
8791 }
8792 
8793 /*
8794  * Called to indicate that a probe -- or probes -- should be provided by a
8795  * specfied provider.  If the specified description is NULL, the provider will
8796  * be told to provide all of its probes.  (This is done whenever a new
8797  * consumer comes along, or whenever a retained enabling is to be matched.) If
8798  * the specified description is non-NULL, the provider is given the
8799  * opportunity to dynamically provide the specified probe, allowing providers
8800  * to support the creation of probes on-the-fly.  (So-called _autocreated_
8801  * probes.)  If the provider is NULL, the operations will be applied to all
8802  * providers; if the provider is non-NULL the operations will only be applied
8803  * to the specified provider.  The dtrace_provider_lock must be held, and the
8804  * dtrace_lock must _not_ be held -- the provider's dtps_provide() operation
8805  * will need to grab the dtrace_lock when it reenters the framework through
8806  * dtrace_probe_lookup(), dtrace_probe_create(), etc.
8807  */
8808 static void
8809 dtrace_probe_provide(dtrace_probedesc_t *desc, dtrace_provider_t *prv)
8810 {
8811 	struct modctl *ctl;
8812 	int all = 0;
8813 
8814 	ASSERT(MUTEX_HELD(&dtrace_provider_lock));
8815 
8816 	if (prv == NULL) {
8817 		all = 1;
8818 		prv = dtrace_provider;
8819 	}
8820 
8821 	do {
8822 		/*
8823 		 * First, call the blanket provide operation.
8824 		 */
8825 		prv->dtpv_pops.dtps_provide(prv->dtpv_arg, desc);
8826 
8827 		/*
8828 		 * Now call the per-module provide operation.  We will grab
8829 		 * mod_lock to prevent the list from being modified.  Note
8830 		 * that this also prevents the mod_busy bits from changing.
8831 		 * (mod_busy can only be changed with mod_lock held.)
8832 		 */
8833 		mutex_enter(&mod_lock);
8834 
8835 		ctl = &modules;
8836 		do {
8837 			if (ctl->mod_busy || ctl->mod_mp == NULL)
8838 				continue;
8839 
8840 			prv->dtpv_pops.dtps_provide_module(prv->dtpv_arg, ctl);
8841 
8842 		} while ((ctl = ctl->mod_next) != &modules);
8843 
8844 		mutex_exit(&mod_lock);
8845 	} while (all && (prv = prv->dtpv_next) != NULL);
8846 }
8847 
8848 /*
8849  * Iterate over each probe, and call the Framework-to-Provider API function
8850  * denoted by offs.
8851  */
8852 static void
8853 dtrace_probe_foreach(uintptr_t offs)
8854 {
8855 	dtrace_provider_t *prov;
8856 	void (*func)(void *, dtrace_id_t, void *);
8857 	dtrace_probe_t *probe;
8858 	dtrace_icookie_t cookie;
8859 	int i;
8860 
8861 	/*
8862 	 * We disable interrupts to walk through the probe array.  This is
8863 	 * safe -- the dtrace_sync() in dtrace_unregister() assures that we
8864 	 * won't see stale data.
8865 	 */
8866 	cookie = dtrace_interrupt_disable();
8867 
8868 	for (i = 0; i < dtrace_nprobes; i++) {
8869 		if ((probe = dtrace_probes[i]) == NULL)
8870 			continue;
8871 
8872 		if (probe->dtpr_ecb == NULL) {
8873 			/*
8874 			 * This probe isn't enabled -- don't call the function.
8875 			 */
8876 			continue;
8877 		}
8878 
8879 		prov = probe->dtpr_provider;
8880 		func = *((void(**)(void *, dtrace_id_t, void *))
8881 		    ((uintptr_t)&prov->dtpv_pops + offs));
8882 
8883 		func(prov->dtpv_arg, i + 1, probe->dtpr_arg);
8884 	}
8885 
8886 	dtrace_interrupt_enable(cookie);
8887 }
8888 
8889 static int
8890 dtrace_probe_enable(const dtrace_probedesc_t *desc, dtrace_enabling_t *enab)
8891 {
8892 	dtrace_probekey_t pkey;
8893 	uint32_t priv;
8894 	uid_t uid;
8895 	zoneid_t zoneid;
8896 
8897 	ASSERT(MUTEX_HELD(&dtrace_lock));
8898 	dtrace_ecb_create_cache = NULL;
8899 
8900 	if (desc == NULL) {
8901 		/*
8902 		 * If we're passed a NULL description, we're being asked to
8903 		 * create an ECB with a NULL probe.
8904 		 */
8905 		(void) dtrace_ecb_create_enable(NULL, enab);
8906 		return (0);
8907 	}
8908 
8909 	dtrace_probekey(desc, &pkey);
8910 	dtrace_cred2priv(enab->dten_vstate->dtvs_state->dts_cred.dcr_cred,
8911 	    &priv, &uid, &zoneid);
8912 
8913 	return (dtrace_match(&pkey, priv, uid, zoneid, dtrace_ecb_create_enable,
8914 	    enab));
8915 }
8916 
8917 /*
8918  * DTrace Helper Provider Functions
8919  */
8920 static void
8921 dtrace_dofattr2attr(dtrace_attribute_t *attr, const dof_attr_t dofattr)
8922 {
8923 	attr->dtat_name = DOF_ATTR_NAME(dofattr);
8924 	attr->dtat_data = DOF_ATTR_DATA(dofattr);
8925 	attr->dtat_class = DOF_ATTR_CLASS(dofattr);
8926 }
8927 
8928 static void
8929 dtrace_dofprov2hprov(dtrace_helper_provdesc_t *hprov,
8930     const dof_provider_t *dofprov, char *strtab)
8931 {
8932 	hprov->dthpv_provname = strtab + dofprov->dofpv_name;
8933 	dtrace_dofattr2attr(&hprov->dthpv_pattr.dtpa_provider,
8934 	    dofprov->dofpv_provattr);
8935 	dtrace_dofattr2attr(&hprov->dthpv_pattr.dtpa_mod,
8936 	    dofprov->dofpv_modattr);
8937 	dtrace_dofattr2attr(&hprov->dthpv_pattr.dtpa_func,
8938 	    dofprov->dofpv_funcattr);
8939 	dtrace_dofattr2attr(&hprov->dthpv_pattr.dtpa_name,
8940 	    dofprov->dofpv_nameattr);
8941 	dtrace_dofattr2attr(&hprov->dthpv_pattr.dtpa_args,
8942 	    dofprov->dofpv_argsattr);
8943 }
8944 
8945 static void
8946 dtrace_helper_provide_one(dof_helper_t *dhp, dof_sec_t *sec, pid_t pid)
8947 {
8948 	uintptr_t daddr = (uintptr_t)dhp->dofhp_dof;
8949 	dof_hdr_t *dof = (dof_hdr_t *)daddr;
8950 	dof_sec_t *str_sec, *prb_sec, *arg_sec, *off_sec, *enoff_sec;
8951 	dof_provider_t *provider;
8952 	dof_probe_t *probe;
8953 	uint32_t *off, *enoff;
8954 	uint8_t *arg;
8955 	char *strtab;
8956 	uint_t i, nprobes;
8957 	dtrace_helper_provdesc_t dhpv;
8958 	dtrace_helper_probedesc_t dhpb;
8959 	dtrace_meta_t *meta = dtrace_meta_pid;
8960 	dtrace_mops_t *mops = &meta->dtm_mops;
8961 	void *parg;
8962 
8963 	provider = (dof_provider_t *)(uintptr_t)(daddr + sec->dofs_offset);
8964 	str_sec = (dof_sec_t *)(uintptr_t)(daddr + dof->dofh_secoff +
8965 	    provider->dofpv_strtab * dof->dofh_secsize);
8966 	prb_sec = (dof_sec_t *)(uintptr_t)(daddr + dof->dofh_secoff +
8967 	    provider->dofpv_probes * dof->dofh_secsize);
8968 	arg_sec = (dof_sec_t *)(uintptr_t)(daddr + dof->dofh_secoff +
8969 	    provider->dofpv_prargs * dof->dofh_secsize);
8970 	off_sec = (dof_sec_t *)(uintptr_t)(daddr + dof->dofh_secoff +
8971 	    provider->dofpv_proffs * dof->dofh_secsize);
8972 
8973 	strtab = (char *)(uintptr_t)(daddr + str_sec->dofs_offset);
8974 	off = (uint32_t *)(uintptr_t)(daddr + off_sec->dofs_offset);
8975 	arg = (uint8_t *)(uintptr_t)(daddr + arg_sec->dofs_offset);
8976 	enoff = NULL;
8977 
8978 	/*
8979 	 * See dtrace_helper_provider_validate().
8980 	 */
8981 	if (dof->dofh_ident[DOF_ID_VERSION] != DOF_VERSION_1 &&
8982 	    provider->dofpv_prenoffs != DOF_SECT_NONE) {
8983 		enoff_sec = (dof_sec_t *)(uintptr_t)(daddr + dof->dofh_secoff +
8984 		    provider->dofpv_prenoffs * dof->dofh_secsize);
8985 		enoff = (uint32_t *)(uintptr_t)(daddr + enoff_sec->dofs_offset);
8986 	}
8987 
8988 	nprobes = prb_sec->dofs_size / prb_sec->dofs_entsize;
8989 
8990 	/*
8991 	 * Create the provider.
8992 	 */
8993 	dtrace_dofprov2hprov(&dhpv, provider, strtab);
8994 
8995 	if ((parg = mops->dtms_provide_pid(meta->dtm_arg, &dhpv, pid)) == NULL)
8996 		return;
8997 
8998 	meta->dtm_count++;
8999 
9000 	/*
9001 	 * Create the probes.
9002 	 */
9003 	for (i = 0; i < nprobes; i++) {
9004 		probe = (dof_probe_t *)(uintptr_t)(daddr +
9005 		    prb_sec->dofs_offset + i * prb_sec->dofs_entsize);
9006 
9007 		dhpb.dthpb_mod = dhp->dofhp_mod;
9008 		dhpb.dthpb_func = strtab + probe->dofpr_func;
9009 		dhpb.dthpb_name = strtab + probe->dofpr_name;
9010 		dhpb.dthpb_base = probe->dofpr_addr;
9011 		dhpb.dthpb_offs = off + probe->dofpr_offidx;
9012 		dhpb.dthpb_noffs = probe->dofpr_noffs;
9013 		if (enoff != NULL) {
9014 			dhpb.dthpb_enoffs = enoff + probe->dofpr_enoffidx;
9015 			dhpb.dthpb_nenoffs = probe->dofpr_nenoffs;
9016 		} else {
9017 			dhpb.dthpb_enoffs = NULL;
9018 			dhpb.dthpb_nenoffs = 0;
9019 		}
9020 		dhpb.dthpb_args = arg + probe->dofpr_argidx;
9021 		dhpb.dthpb_nargc = probe->dofpr_nargc;
9022 		dhpb.dthpb_xargc = probe->dofpr_xargc;
9023 		dhpb.dthpb_ntypes = strtab + probe->dofpr_nargv;
9024 		dhpb.dthpb_xtypes = strtab + probe->dofpr_xargv;
9025 
9026 		mops->dtms_create_probe(meta->dtm_arg, parg, &dhpb);
9027 	}
9028 }
9029 
9030 static void
9031 dtrace_helper_provide(dof_helper_t *dhp, pid_t pid)
9032 {
9033 	uintptr_t daddr = (uintptr_t)dhp->dofhp_dof;
9034 	dof_hdr_t *dof = (dof_hdr_t *)daddr;
9035 	int i;
9036 
9037 	ASSERT(MUTEX_HELD(&dtrace_meta_lock));
9038 
9039 	for (i = 0; i < dof->dofh_secnum; i++) {
9040 		dof_sec_t *sec = (dof_sec_t *)(uintptr_t)(daddr +
9041 		    dof->dofh_secoff + i * dof->dofh_secsize);
9042 
9043 		if (sec->dofs_type != DOF_SECT_PROVIDER)
9044 			continue;
9045 
9046 		dtrace_helper_provide_one(dhp, sec, pid);
9047 	}
9048 
9049 	/*
9050 	 * We may have just created probes, so we must now rematch against
9051 	 * any retained enablings.  Note that this call will acquire both
9052 	 * cpu_lock and dtrace_lock; the fact that we are holding
9053 	 * dtrace_meta_lock now is what defines the ordering with respect to
9054 	 * these three locks.
9055 	 */
9056 	dtrace_enabling_matchall();
9057 }
9058 
9059 static void
9060 dtrace_helper_provider_remove_one(dof_helper_t *dhp, dof_sec_t *sec, pid_t pid)
9061 {
9062 	uintptr_t daddr = (uintptr_t)dhp->dofhp_dof;
9063 	dof_hdr_t *dof = (dof_hdr_t *)daddr;
9064 	dof_sec_t *str_sec;
9065 	dof_provider_t *provider;
9066 	char *strtab;
9067 	dtrace_helper_provdesc_t dhpv;
9068 	dtrace_meta_t *meta = dtrace_meta_pid;
9069 	dtrace_mops_t *mops = &meta->dtm_mops;
9070 
9071 	provider = (dof_provider_t *)(uintptr_t)(daddr + sec->dofs_offset);
9072 	str_sec = (dof_sec_t *)(uintptr_t)(daddr + dof->dofh_secoff +
9073 	    provider->dofpv_strtab * dof->dofh_secsize);
9074 
9075 	strtab = (char *)(uintptr_t)(daddr + str_sec->dofs_offset);
9076 
9077 	/*
9078 	 * Create the provider.
9079 	 */
9080 	dtrace_dofprov2hprov(&dhpv, provider, strtab);
9081 
9082 	mops->dtms_remove_pid(meta->dtm_arg, &dhpv, pid);
9083 
9084 	meta->dtm_count--;
9085 }
9086 
9087 static void
9088 dtrace_helper_provider_remove(dof_helper_t *dhp, pid_t pid)
9089 {
9090 	uintptr_t daddr = (uintptr_t)dhp->dofhp_dof;
9091 	dof_hdr_t *dof = (dof_hdr_t *)daddr;
9092 	int i;
9093 
9094 	ASSERT(MUTEX_HELD(&dtrace_meta_lock));
9095 
9096 	for (i = 0; i < dof->dofh_secnum; i++) {
9097 		dof_sec_t *sec = (dof_sec_t *)(uintptr_t)(daddr +
9098 		    dof->dofh_secoff + i * dof->dofh_secsize);
9099 
9100 		if (sec->dofs_type != DOF_SECT_PROVIDER)
9101 			continue;
9102 
9103 		dtrace_helper_provider_remove_one(dhp, sec, pid);
9104 	}
9105 }
9106 
9107 /*
9108  * DTrace Meta Provider-to-Framework API Functions
9109  *
9110  * These functions implement the Meta Provider-to-Framework API, as described
9111  * in <sys/dtrace.h>.
9112  */
9113 int
9114 dtrace_meta_register(const char *name, const dtrace_mops_t *mops, void *arg,
9115     dtrace_meta_provider_id_t *idp)
9116 {
9117 	dtrace_meta_t *meta;
9118 	dtrace_helpers_t *help, *next;
9119 	int i;
9120 
9121 	*idp = DTRACE_METAPROVNONE;
9122 
9123 	/*
9124 	 * We strictly don't need the name, but we hold onto it for
9125 	 * debuggability. All hail error queues!
9126 	 */
9127 	if (name == NULL) {
9128 		cmn_err(CE_WARN, "failed to register meta-provider: "
9129 		    "invalid name");
9130 		return (EINVAL);
9131 	}
9132 
9133 	if (mops == NULL ||
9134 	    mops->dtms_create_probe == NULL ||
9135 	    mops->dtms_provide_pid == NULL ||
9136 	    mops->dtms_remove_pid == NULL) {
9137 		cmn_err(CE_WARN, "failed to register meta-register %s: "
9138 		    "invalid ops", name);
9139 		return (EINVAL);
9140 	}
9141 
9142 	meta = kmem_zalloc(sizeof (dtrace_meta_t), KM_SLEEP);
9143 	meta->dtm_mops = *mops;
9144 	meta->dtm_name = kmem_alloc(strlen(name) + 1, KM_SLEEP);
9145 	(void) strcpy(meta->dtm_name, name);
9146 	meta->dtm_arg = arg;
9147 
9148 	mutex_enter(&dtrace_meta_lock);
9149 	mutex_enter(&dtrace_lock);
9150 
9151 	if (dtrace_meta_pid != NULL) {
9152 		mutex_exit(&dtrace_lock);
9153 		mutex_exit(&dtrace_meta_lock);
9154 		cmn_err(CE_WARN, "failed to register meta-register %s: "
9155 		    "user-land meta-provider exists", name);
9156 		kmem_free(meta->dtm_name, strlen(meta->dtm_name) + 1);
9157 		kmem_free(meta, sizeof (dtrace_meta_t));
9158 		return (EINVAL);
9159 	}
9160 
9161 	dtrace_meta_pid = meta;
9162 	*idp = (dtrace_meta_provider_id_t)meta;
9163 
9164 	/*
9165 	 * If there are providers and probes ready to go, pass them
9166 	 * off to the new meta provider now.
9167 	 */
9168 
9169 	help = dtrace_deferred_pid;
9170 	dtrace_deferred_pid = NULL;
9171 
9172 	mutex_exit(&dtrace_lock);
9173 
9174 	while (help != NULL) {
9175 		for (i = 0; i < help->dthps_nprovs; i++) {
9176 			dtrace_helper_provide(&help->dthps_provs[i]->dthp_prov,
9177 			    help->dthps_pid);
9178 		}
9179 
9180 		next = help->dthps_next;
9181 		help->dthps_next = NULL;
9182 		help->dthps_prev = NULL;
9183 		help->dthps_deferred = 0;
9184 		help = next;
9185 	}
9186 
9187 	mutex_exit(&dtrace_meta_lock);
9188 
9189 	return (0);
9190 }
9191 
9192 int
9193 dtrace_meta_unregister(dtrace_meta_provider_id_t id)
9194 {
9195 	dtrace_meta_t **pp, *old = (dtrace_meta_t *)id;
9196 
9197 	mutex_enter(&dtrace_meta_lock);
9198 	mutex_enter(&dtrace_lock);
9199 
9200 	if (old == dtrace_meta_pid) {
9201 		pp = &dtrace_meta_pid;
9202 	} else {
9203 		panic("attempt to unregister non-existent "
9204 		    "dtrace meta-provider %p\n", (void *)old);
9205 	}
9206 
9207 	if (old->dtm_count != 0) {
9208 		mutex_exit(&dtrace_lock);
9209 		mutex_exit(&dtrace_meta_lock);
9210 		return (EBUSY);
9211 	}
9212 
9213 	*pp = NULL;
9214 
9215 	mutex_exit(&dtrace_lock);
9216 	mutex_exit(&dtrace_meta_lock);
9217 
9218 	kmem_free(old->dtm_name, strlen(old->dtm_name) + 1);
9219 	kmem_free(old, sizeof (dtrace_meta_t));
9220 
9221 	return (0);
9222 }
9223 
9224 
9225 /*
9226  * DTrace DIF Object Functions
9227  */
9228 static int
9229 dtrace_difo_err(uint_t pc, const char *format, ...)
9230 {
9231 	if (dtrace_err_verbose) {
9232 		va_list alist;
9233 
9234 		(void) uprintf("dtrace DIF object error: [%u]: ", pc);
9235 		va_start(alist, format);
9236 		(void) vuprintf(format, alist);
9237 		va_end(alist);
9238 	}
9239 
9240 #ifdef DTRACE_ERRDEBUG
9241 	dtrace_errdebug(format);
9242 #endif
9243 	return (1);
9244 }
9245 
9246 /*
9247  * Validate a DTrace DIF object by checking the IR instructions.  The following
9248  * rules are currently enforced by dtrace_difo_validate():
9249  *
9250  * 1. Each instruction must have a valid opcode
9251  * 2. Each register, string, variable, or subroutine reference must be valid
9252  * 3. No instruction can modify register %r0 (must be zero)
9253  * 4. All instruction reserved bits must be set to zero
9254  * 5. The last instruction must be a "ret" instruction
9255  * 6. All branch targets must reference a valid instruction _after_ the branch
9256  */
9257 static int
9258 dtrace_difo_validate(dtrace_difo_t *dp, dtrace_vstate_t *vstate, uint_t nregs,
9259     cred_t *cr)
9260 {
9261 	int err = 0, i;
9262 	int (*efunc)(uint_t pc, const char *, ...) = dtrace_difo_err;
9263 	int kcheckload;
9264 	uint_t pc;
9265 	int maxglobal = -1, maxlocal = -1, maxtlocal = -1;
9266 
9267 	kcheckload = cr == NULL ||
9268 	    (vstate->dtvs_state->dts_cred.dcr_visible & DTRACE_CRV_KERNEL) == 0;
9269 
9270 	dp->dtdo_destructive = 0;
9271 
9272 	for (pc = 0; pc < dp->dtdo_len && err == 0; pc++) {
9273 		dif_instr_t instr = dp->dtdo_buf[pc];
9274 
9275 		uint_t r1 = DIF_INSTR_R1(instr);
9276 		uint_t r2 = DIF_INSTR_R2(instr);
9277 		uint_t rd = DIF_INSTR_RD(instr);
9278 		uint_t rs = DIF_INSTR_RS(instr);
9279 		uint_t label = DIF_INSTR_LABEL(instr);
9280 		uint_t v = DIF_INSTR_VAR(instr);
9281 		uint_t subr = DIF_INSTR_SUBR(instr);
9282 		uint_t type = DIF_INSTR_TYPE(instr);
9283 		uint_t op = DIF_INSTR_OP(instr);
9284 
9285 		switch (op) {
9286 		case DIF_OP_OR:
9287 		case DIF_OP_XOR:
9288 		case DIF_OP_AND:
9289 		case DIF_OP_SLL:
9290 		case DIF_OP_SRL:
9291 		case DIF_OP_SRA:
9292 		case DIF_OP_SUB:
9293 		case DIF_OP_ADD:
9294 		case DIF_OP_MUL:
9295 		case DIF_OP_SDIV:
9296 		case DIF_OP_UDIV:
9297 		case DIF_OP_SREM:
9298 		case DIF_OP_UREM:
9299 		case DIF_OP_COPYS:
9300 			if (r1 >= nregs)
9301 				err += efunc(pc, "invalid register %u\n", r1);
9302 			if (r2 >= nregs)
9303 				err += efunc(pc, "invalid register %u\n", r2);
9304 			if (rd >= nregs)
9305 				err += efunc(pc, "invalid register %u\n", rd);
9306 			if (rd == 0)
9307 				err += efunc(pc, "cannot write to %r0\n");
9308 			break;
9309 		case DIF_OP_NOT:
9310 		case DIF_OP_MOV:
9311 		case DIF_OP_ALLOCS:
9312 			if (r1 >= nregs)
9313 				err += efunc(pc, "invalid register %u\n", r1);
9314 			if (r2 != 0)
9315 				err += efunc(pc, "non-zero reserved bits\n");
9316 			if (rd >= nregs)
9317 				err += efunc(pc, "invalid register %u\n", rd);
9318 			if (rd == 0)
9319 				err += efunc(pc, "cannot write to %r0\n");
9320 			break;
9321 		case DIF_OP_LDSB:
9322 		case DIF_OP_LDSH:
9323 		case DIF_OP_LDSW:
9324 		case DIF_OP_LDUB:
9325 		case DIF_OP_LDUH:
9326 		case DIF_OP_LDUW:
9327 		case DIF_OP_LDX:
9328 			if (r1 >= nregs)
9329 				err += efunc(pc, "invalid register %u\n", r1);
9330 			if (r2 != 0)
9331 				err += efunc(pc, "non-zero reserved bits\n");
9332 			if (rd >= nregs)
9333 				err += efunc(pc, "invalid register %u\n", rd);
9334 			if (rd == 0)
9335 				err += efunc(pc, "cannot write to %r0\n");
9336 			if (kcheckload)
9337 				dp->dtdo_buf[pc] = DIF_INSTR_LOAD(op +
9338 				    DIF_OP_RLDSB - DIF_OP_LDSB, r1, rd);
9339 			break;
9340 		case DIF_OP_RLDSB:
9341 		case DIF_OP_RLDSH:
9342 		case DIF_OP_RLDSW:
9343 		case DIF_OP_RLDUB:
9344 		case DIF_OP_RLDUH:
9345 		case DIF_OP_RLDUW:
9346 		case DIF_OP_RLDX:
9347 			if (r1 >= nregs)
9348 				err += efunc(pc, "invalid register %u\n", r1);
9349 			if (r2 != 0)
9350 				err += efunc(pc, "non-zero reserved bits\n");
9351 			if (rd >= nregs)
9352 				err += efunc(pc, "invalid register %u\n", rd);
9353 			if (rd == 0)
9354 				err += efunc(pc, "cannot write to %r0\n");
9355 			break;
9356 		case DIF_OP_ULDSB:
9357 		case DIF_OP_ULDSH:
9358 		case DIF_OP_ULDSW:
9359 		case DIF_OP_ULDUB:
9360 		case DIF_OP_ULDUH:
9361 		case DIF_OP_ULDUW:
9362 		case DIF_OP_ULDX:
9363 			if (r1 >= nregs)
9364 				err += efunc(pc, "invalid register %u\n", r1);
9365 			if (r2 != 0)
9366 				err += efunc(pc, "non-zero reserved bits\n");
9367 			if (rd >= nregs)
9368 				err += efunc(pc, "invalid register %u\n", rd);
9369 			if (rd == 0)
9370 				err += efunc(pc, "cannot write to %r0\n");
9371 			break;
9372 		case DIF_OP_STB:
9373 		case DIF_OP_STH:
9374 		case DIF_OP_STW:
9375 		case DIF_OP_STX:
9376 			if (r1 >= nregs)
9377 				err += efunc(pc, "invalid register %u\n", r1);
9378 			if (r2 != 0)
9379 				err += efunc(pc, "non-zero reserved bits\n");
9380 			if (rd >= nregs)
9381 				err += efunc(pc, "invalid register %u\n", rd);
9382 			if (rd == 0)
9383 				err += efunc(pc, "cannot write to 0 address\n");
9384 			break;
9385 		case DIF_OP_CMP:
9386 		case DIF_OP_SCMP:
9387 			if (r1 >= nregs)
9388 				err += efunc(pc, "invalid register %u\n", r1);
9389 			if (r2 >= nregs)
9390 				err += efunc(pc, "invalid register %u\n", r2);
9391 			if (rd != 0)
9392 				err += efunc(pc, "non-zero reserved bits\n");
9393 			break;
9394 		case DIF_OP_TST:
9395 			if (r1 >= nregs)
9396 				err += efunc(pc, "invalid register %u\n", r1);
9397 			if (r2 != 0 || rd != 0)
9398 				err += efunc(pc, "non-zero reserved bits\n");
9399 			break;
9400 		case DIF_OP_BA:
9401 		case DIF_OP_BE:
9402 		case DIF_OP_BNE:
9403 		case DIF_OP_BG:
9404 		case DIF_OP_BGU:
9405 		case DIF_OP_BGE:
9406 		case DIF_OP_BGEU:
9407 		case DIF_OP_BL:
9408 		case DIF_OP_BLU:
9409 		case DIF_OP_BLE:
9410 		case DIF_OP_BLEU:
9411 			if (label >= dp->dtdo_len) {
9412 				err += efunc(pc, "invalid branch target %u\n",
9413 				    label);
9414 			}
9415 			if (label <= pc) {
9416 				err += efunc(pc, "backward branch to %u\n",
9417 				    label);
9418 			}
9419 			break;
9420 		case DIF_OP_RET:
9421 			if (r1 != 0 || r2 != 0)
9422 				err += efunc(pc, "non-zero reserved bits\n");
9423 			if (rd >= nregs)
9424 				err += efunc(pc, "invalid register %u\n", rd);
9425 			break;
9426 		case DIF_OP_NOP:
9427 		case DIF_OP_POPTS:
9428 		case DIF_OP_FLUSHTS:
9429 			if (r1 != 0 || r2 != 0 || rd != 0)
9430 				err += efunc(pc, "non-zero reserved bits\n");
9431 			break;
9432 		case DIF_OP_SETX:
9433 			if (DIF_INSTR_INTEGER(instr) >= dp->dtdo_intlen) {
9434 				err += efunc(pc, "invalid integer ref %u\n",
9435 				    DIF_INSTR_INTEGER(instr));
9436 			}
9437 			if (rd >= nregs)
9438 				err += efunc(pc, "invalid register %u\n", rd);
9439 			if (rd == 0)
9440 				err += efunc(pc, "cannot write to %r0\n");
9441 			break;
9442 		case DIF_OP_SETS:
9443 			if (DIF_INSTR_STRING(instr) >= dp->dtdo_strlen) {
9444 				err += efunc(pc, "invalid string ref %u\n",
9445 				    DIF_INSTR_STRING(instr));
9446 			}
9447 			if (rd >= nregs)
9448 				err += efunc(pc, "invalid register %u\n", rd);
9449 			if (rd == 0)
9450 				err += efunc(pc, "cannot write to %r0\n");
9451 			break;
9452 		case DIF_OP_LDGA:
9453 		case DIF_OP_LDTA:
9454 			if (r1 > DIF_VAR_ARRAY_MAX)
9455 				err += efunc(pc, "invalid array %u\n", r1);
9456 			if (r2 >= nregs)
9457 				err += efunc(pc, "invalid register %u\n", r2);
9458 			if (rd >= nregs)
9459 				err += efunc(pc, "invalid register %u\n", rd);
9460 			if (rd == 0)
9461 				err += efunc(pc, "cannot write to %r0\n");
9462 			break;
9463 		case DIF_OP_STGA:
9464 			if (r1 > DIF_VAR_ARRAY_MAX)
9465 				err += efunc(pc, "invalid array %u\n", r1);
9466 			if (r2 >= nregs)
9467 				err += efunc(pc, "invalid register %u\n", r2);
9468 			if (rd >= nregs)
9469 				err += efunc(pc, "invalid register %u\n", rd);
9470 			dp->dtdo_destructive = 1;
9471 			break;
9472 		case DIF_OP_LDGS:
9473 		case DIF_OP_LDTS:
9474 		case DIF_OP_LDLS:
9475 		case DIF_OP_LDGAA:
9476 		case DIF_OP_LDTAA:
9477 			if (v < DIF_VAR_OTHER_MIN || v > DIF_VAR_OTHER_MAX)
9478 				err += efunc(pc, "invalid variable %u\n", v);
9479 			if (rd >= nregs)
9480 				err += efunc(pc, "invalid register %u\n", rd);
9481 			if (rd == 0)
9482 				err += efunc(pc, "cannot write to %r0\n");
9483 			break;
9484 		case DIF_OP_STGS:
9485 		case DIF_OP_STTS:
9486 		case DIF_OP_STLS:
9487 		case DIF_OP_STGAA:
9488 		case DIF_OP_STTAA:
9489 			if (v < DIF_VAR_OTHER_UBASE || v > DIF_VAR_OTHER_MAX)
9490 				err += efunc(pc, "invalid variable %u\n", v);
9491 			if (rs >= nregs)
9492 				err += efunc(pc, "invalid register %u\n", rd);
9493 			break;
9494 		case DIF_OP_CALL:
9495 			if (subr > DIF_SUBR_MAX)
9496 				err += efunc(pc, "invalid subr %u\n", subr);
9497 			if (rd >= nregs)
9498 				err += efunc(pc, "invalid register %u\n", rd);
9499 			if (rd == 0)
9500 				err += efunc(pc, "cannot write to %r0\n");
9501 
9502 			if (subr == DIF_SUBR_COPYOUT ||
9503 			    subr == DIF_SUBR_COPYOUTSTR) {
9504 				dp->dtdo_destructive = 1;
9505 			}
9506 
9507 			if (subr == DIF_SUBR_GETF) {
9508 				/*
9509 				 * If we have a getf() we need to record that
9510 				 * in our state.  Note that our state can be
9511 				 * NULL if this is a helper -- but in that
9512 				 * case, the call to getf() is itself illegal,
9513 				 * and will be caught (slightly later) when
9514 				 * the helper is validated.
9515 				 */
9516 				if (vstate->dtvs_state != NULL)
9517 					vstate->dtvs_state->dts_getf++;
9518 			}
9519 
9520 			break;
9521 		case DIF_OP_PUSHTR:
9522 			if (type != DIF_TYPE_STRING && type != DIF_TYPE_CTF)
9523 				err += efunc(pc, "invalid ref type %u\n", type);
9524 			if (r2 >= nregs)
9525 				err += efunc(pc, "invalid register %u\n", r2);
9526 			if (rs >= nregs)
9527 				err += efunc(pc, "invalid register %u\n", rs);
9528 			break;
9529 		case DIF_OP_PUSHTV:
9530 			if (type != DIF_TYPE_CTF)
9531 				err += efunc(pc, "invalid val type %u\n", type);
9532 			if (r2 >= nregs)
9533 				err += efunc(pc, "invalid register %u\n", r2);
9534 			if (rs >= nregs)
9535 				err += efunc(pc, "invalid register %u\n", rs);
9536 			break;
9537 		default:
9538 			err += efunc(pc, "invalid opcode %u\n",
9539 			    DIF_INSTR_OP(instr));
9540 		}
9541 	}
9542 
9543 	if (dp->dtdo_len != 0 &&
9544 	    DIF_INSTR_OP(dp->dtdo_buf[dp->dtdo_len - 1]) != DIF_OP_RET) {
9545 		err += efunc(dp->dtdo_len - 1,
9546 		    "expected 'ret' as last DIF instruction\n");
9547 	}
9548 
9549 	if (!(dp->dtdo_rtype.dtdt_flags & (DIF_TF_BYREF | DIF_TF_BYUREF))) {
9550 		/*
9551 		 * If we're not returning by reference, the size must be either
9552 		 * 0 or the size of one of the base types.
9553 		 */
9554 		switch (dp->dtdo_rtype.dtdt_size) {
9555 		case 0:
9556 		case sizeof (uint8_t):
9557 		case sizeof (uint16_t):
9558 		case sizeof (uint32_t):
9559 		case sizeof (uint64_t):
9560 			break;
9561 
9562 		default:
9563 			err += efunc(dp->dtdo_len - 1, "bad return size\n");
9564 		}
9565 	}
9566 
9567 	for (i = 0; i < dp->dtdo_varlen && err == 0; i++) {
9568 		dtrace_difv_t *v = &dp->dtdo_vartab[i], *existing = NULL;
9569 		dtrace_diftype_t *vt, *et;
9570 		uint_t id, ndx;
9571 
9572 		if (v->dtdv_scope != DIFV_SCOPE_GLOBAL &&
9573 		    v->dtdv_scope != DIFV_SCOPE_THREAD &&
9574 		    v->dtdv_scope != DIFV_SCOPE_LOCAL) {
9575 			err += efunc(i, "unrecognized variable scope %d\n",
9576 			    v->dtdv_scope);
9577 			break;
9578 		}
9579 
9580 		if (v->dtdv_kind != DIFV_KIND_ARRAY &&
9581 		    v->dtdv_kind != DIFV_KIND_SCALAR) {
9582 			err += efunc(i, "unrecognized variable type %d\n",
9583 			    v->dtdv_kind);
9584 			break;
9585 		}
9586 
9587 		if ((id = v->dtdv_id) > DIF_VARIABLE_MAX) {
9588 			err += efunc(i, "%d exceeds variable id limit\n", id);
9589 			break;
9590 		}
9591 
9592 		if (id < DIF_VAR_OTHER_UBASE)
9593 			continue;
9594 
9595 		/*
9596 		 * For user-defined variables, we need to check that this
9597 		 * definition is identical to any previous definition that we
9598 		 * encountered.
9599 		 */
9600 		ndx = id - DIF_VAR_OTHER_UBASE;
9601 
9602 		switch (v->dtdv_scope) {
9603 		case DIFV_SCOPE_GLOBAL:
9604 			if (maxglobal == -1 || ndx > maxglobal)
9605 				maxglobal = ndx;
9606 
9607 			if (ndx < vstate->dtvs_nglobals) {
9608 				dtrace_statvar_t *svar;
9609 
9610 				if ((svar = vstate->dtvs_globals[ndx]) != NULL)
9611 					existing = &svar->dtsv_var;
9612 			}
9613 
9614 			break;
9615 
9616 		case DIFV_SCOPE_THREAD:
9617 			if (maxtlocal == -1 || ndx > maxtlocal)
9618 				maxtlocal = ndx;
9619 
9620 			if (ndx < vstate->dtvs_ntlocals)
9621 				existing = &vstate->dtvs_tlocals[ndx];
9622 			break;
9623 
9624 		case DIFV_SCOPE_LOCAL:
9625 			if (maxlocal == -1 || ndx > maxlocal)
9626 				maxlocal = ndx;
9627 
9628 			if (ndx < vstate->dtvs_nlocals) {
9629 				dtrace_statvar_t *svar;
9630 
9631 				if ((svar = vstate->dtvs_locals[ndx]) != NULL)
9632 					existing = &svar->dtsv_var;
9633 			}
9634 
9635 			break;
9636 		}
9637 
9638 		vt = &v->dtdv_type;
9639 
9640 		if (vt->dtdt_flags & DIF_TF_BYREF) {
9641 			if (vt->dtdt_size == 0) {
9642 				err += efunc(i, "zero-sized variable\n");
9643 				break;
9644 			}
9645 
9646 			if ((v->dtdv_scope == DIFV_SCOPE_GLOBAL ||
9647 			    v->dtdv_scope == DIFV_SCOPE_LOCAL) &&
9648 			    vt->dtdt_size > dtrace_statvar_maxsize) {
9649 				err += efunc(i, "oversized by-ref static\n");
9650 				break;
9651 			}
9652 		}
9653 
9654 		if (existing == NULL || existing->dtdv_id == 0)
9655 			continue;
9656 
9657 		ASSERT(existing->dtdv_id == v->dtdv_id);
9658 		ASSERT(existing->dtdv_scope == v->dtdv_scope);
9659 
9660 		if (existing->dtdv_kind != v->dtdv_kind)
9661 			err += efunc(i, "%d changed variable kind\n", id);
9662 
9663 		et = &existing->dtdv_type;
9664 
9665 		if (vt->dtdt_flags != et->dtdt_flags) {
9666 			err += efunc(i, "%d changed variable type flags\n", id);
9667 			break;
9668 		}
9669 
9670 		if (vt->dtdt_size != 0 && vt->dtdt_size != et->dtdt_size) {
9671 			err += efunc(i, "%d changed variable type size\n", id);
9672 			break;
9673 		}
9674 	}
9675 
9676 	for (pc = 0; pc < dp->dtdo_len && err == 0; pc++) {
9677 		dif_instr_t instr = dp->dtdo_buf[pc];
9678 
9679 		uint_t v = DIF_INSTR_VAR(instr);
9680 		uint_t op = DIF_INSTR_OP(instr);
9681 
9682 		switch (op) {
9683 		case DIF_OP_LDGS:
9684 		case DIF_OP_LDGAA:
9685 		case DIF_OP_STGS:
9686 		case DIF_OP_STGAA:
9687 			if (v > DIF_VAR_OTHER_UBASE + maxglobal)
9688 				err += efunc(pc, "invalid variable %u\n", v);
9689 			break;
9690 		case DIF_OP_LDTS:
9691 		case DIF_OP_LDTAA:
9692 		case DIF_OP_STTS:
9693 		case DIF_OP_STTAA:
9694 			if (v > DIF_VAR_OTHER_UBASE + maxtlocal)
9695 				err += efunc(pc, "invalid variable %u\n", v);
9696 			break;
9697 		case DIF_OP_LDLS:
9698 		case DIF_OP_STLS:
9699 			if (v > DIF_VAR_OTHER_UBASE + maxlocal)
9700 				err += efunc(pc, "invalid variable %u\n", v);
9701 			break;
9702 		default:
9703 			break;
9704 		}
9705 	}
9706 
9707 	return (err);
9708 }
9709 
9710 /*
9711  * Validate a DTrace DIF object that it is to be used as a helper.  Helpers
9712  * are much more constrained than normal DIFOs.  Specifically, they may
9713  * not:
9714  *
9715  * 1. Make calls to subroutines other than copyin(), copyinstr() or
9716  *    miscellaneous string routines
9717  * 2. Access DTrace variables other than the args[] array, and the
9718  *    curthread, pid, ppid, tid, execname, zonename, uid and gid variables.
9719  * 3. Have thread-local variables.
9720  * 4. Have dynamic variables.
9721  */
9722 static int
9723 dtrace_difo_validate_helper(dtrace_difo_t *dp)
9724 {
9725 	int (*efunc)(uint_t pc, const char *, ...) = dtrace_difo_err;
9726 	int err = 0;
9727 	uint_t pc;
9728 
9729 	for (pc = 0; pc < dp->dtdo_len; pc++) {
9730 		dif_instr_t instr = dp->dtdo_buf[pc];
9731 
9732 		uint_t v = DIF_INSTR_VAR(instr);
9733 		uint_t subr = DIF_INSTR_SUBR(instr);
9734 		uint_t op = DIF_INSTR_OP(instr);
9735 
9736 		switch (op) {
9737 		case DIF_OP_OR:
9738 		case DIF_OP_XOR:
9739 		case DIF_OP_AND:
9740 		case DIF_OP_SLL:
9741 		case DIF_OP_SRL:
9742 		case DIF_OP_SRA:
9743 		case DIF_OP_SUB:
9744 		case DIF_OP_ADD:
9745 		case DIF_OP_MUL:
9746 		case DIF_OP_SDIV:
9747 		case DIF_OP_UDIV:
9748 		case DIF_OP_SREM:
9749 		case DIF_OP_UREM:
9750 		case DIF_OP_COPYS:
9751 		case DIF_OP_NOT:
9752 		case DIF_OP_MOV:
9753 		case DIF_OP_RLDSB:
9754 		case DIF_OP_RLDSH:
9755 		case DIF_OP_RLDSW:
9756 		case DIF_OP_RLDUB:
9757 		case DIF_OP_RLDUH:
9758 		case DIF_OP_RLDUW:
9759 		case DIF_OP_RLDX:
9760 		case DIF_OP_ULDSB:
9761 		case DIF_OP_ULDSH:
9762 		case DIF_OP_ULDSW:
9763 		case DIF_OP_ULDUB:
9764 		case DIF_OP_ULDUH:
9765 		case DIF_OP_ULDUW:
9766 		case DIF_OP_ULDX:
9767 		case DIF_OP_STB:
9768 		case DIF_OP_STH:
9769 		case DIF_OP_STW:
9770 		case DIF_OP_STX:
9771 		case DIF_OP_ALLOCS:
9772 		case DIF_OP_CMP:
9773 		case DIF_OP_SCMP:
9774 		case DIF_OP_TST:
9775 		case DIF_OP_BA:
9776 		case DIF_OP_BE:
9777 		case DIF_OP_BNE:
9778 		case DIF_OP_BG:
9779 		case DIF_OP_BGU:
9780 		case DIF_OP_BGE:
9781 		case DIF_OP_BGEU:
9782 		case DIF_OP_BL:
9783 		case DIF_OP_BLU:
9784 		case DIF_OP_BLE:
9785 		case DIF_OP_BLEU:
9786 		case DIF_OP_RET:
9787 		case DIF_OP_NOP:
9788 		case DIF_OP_POPTS:
9789 		case DIF_OP_FLUSHTS:
9790 		case DIF_OP_SETX:
9791 		case DIF_OP_SETS:
9792 		case DIF_OP_LDGA:
9793 		case DIF_OP_LDLS:
9794 		case DIF_OP_STGS:
9795 		case DIF_OP_STLS:
9796 		case DIF_OP_PUSHTR:
9797 		case DIF_OP_PUSHTV:
9798 			break;
9799 
9800 		case DIF_OP_LDGS:
9801 			if (v >= DIF_VAR_OTHER_UBASE)
9802 				break;
9803 
9804 			if (v >= DIF_VAR_ARG0 && v <= DIF_VAR_ARG9)
9805 				break;
9806 
9807 			if (v == DIF_VAR_CURTHREAD || v == DIF_VAR_PID ||
9808 			    v == DIF_VAR_PPID || v == DIF_VAR_TID ||
9809 			    v == DIF_VAR_EXECNAME || v == DIF_VAR_ZONENAME ||
9810 			    v == DIF_VAR_UID || v == DIF_VAR_GID)
9811 				break;
9812 
9813 			err += efunc(pc, "illegal variable %u\n", v);
9814 			break;
9815 
9816 		case DIF_OP_LDTA:
9817 			if (v < DIF_VAR_OTHER_UBASE) {
9818 				err += efunc(pc, "illegal variable load\n");
9819 				break;
9820 			}
9821 			/* FALLTHROUGH */
9822 		case DIF_OP_LDTS:
9823 		case DIF_OP_LDGAA:
9824 		case DIF_OP_LDTAA:
9825 			err += efunc(pc, "illegal dynamic variable load\n");
9826 			break;
9827 
9828 		case DIF_OP_STGA:
9829 			if (v < DIF_VAR_OTHER_UBASE) {
9830 				err += efunc(pc, "illegal variable store\n");
9831 				break;
9832 			}
9833 			/* FALLTHROUGH */
9834 		case DIF_OP_STTS:
9835 		case DIF_OP_STGAA:
9836 		case DIF_OP_STTAA:
9837 			err += efunc(pc, "illegal dynamic variable store\n");
9838 			break;
9839 
9840 		case DIF_OP_CALL:
9841 			if (subr == DIF_SUBR_ALLOCA ||
9842 			    subr == DIF_SUBR_BCOPY ||
9843 			    subr == DIF_SUBR_COPYIN ||
9844 			    subr == DIF_SUBR_COPYINTO ||
9845 			    subr == DIF_SUBR_COPYINSTR ||
9846 			    subr == DIF_SUBR_INDEX ||
9847 			    subr == DIF_SUBR_INET_NTOA ||
9848 			    subr == DIF_SUBR_INET_NTOA6 ||
9849 			    subr == DIF_SUBR_INET_NTOP ||
9850 			    subr == DIF_SUBR_JSON ||
9851 			    subr == DIF_SUBR_LLTOSTR ||
9852 			    subr == DIF_SUBR_STRTOLL ||
9853 			    subr == DIF_SUBR_RINDEX ||
9854 			    subr == DIF_SUBR_STRCHR ||
9855 			    subr == DIF_SUBR_STRJOIN ||
9856 			    subr == DIF_SUBR_STRRCHR ||
9857 			    subr == DIF_SUBR_STRSTR ||
9858 			    subr == DIF_SUBR_HTONS ||
9859 			    subr == DIF_SUBR_HTONL ||
9860 			    subr == DIF_SUBR_HTONLL ||
9861 			    subr == DIF_SUBR_NTOHS ||
9862 			    subr == DIF_SUBR_NTOHL ||
9863 			    subr == DIF_SUBR_NTOHLL)
9864 				break;
9865 
9866 			err += efunc(pc, "invalid subr %u\n", subr);
9867 			break;
9868 
9869 		default:
9870 			err += efunc(pc, "invalid opcode %u\n",
9871 			    DIF_INSTR_OP(instr));
9872 		}
9873 	}
9874 
9875 	return (err);
9876 }
9877 
9878 /*
9879  * Returns 1 if the expression in the DIF object can be cached on a per-thread
9880  * basis; 0 if not.
9881  */
9882 static int
9883 dtrace_difo_cacheable(dtrace_difo_t *dp)
9884 {
9885 	int i;
9886 
9887 	if (dp == NULL)
9888 		return (0);
9889 
9890 	for (i = 0; i < dp->dtdo_varlen; i++) {
9891 		dtrace_difv_t *v = &dp->dtdo_vartab[i];
9892 
9893 		if (v->dtdv_scope != DIFV_SCOPE_GLOBAL)
9894 			continue;
9895 
9896 		switch (v->dtdv_id) {
9897 		case DIF_VAR_CURTHREAD:
9898 		case DIF_VAR_PID:
9899 		case DIF_VAR_TID:
9900 		case DIF_VAR_EXECNAME:
9901 		case DIF_VAR_ZONENAME:
9902 			break;
9903 
9904 		default:
9905 			return (0);
9906 		}
9907 	}
9908 
9909 	/*
9910 	 * This DIF object may be cacheable.  Now we need to look for any
9911 	 * array loading instructions, any memory loading instructions, or
9912 	 * any stores to thread-local variables.
9913 	 */
9914 	for (i = 0; i < dp->dtdo_len; i++) {
9915 		uint_t op = DIF_INSTR_OP(dp->dtdo_buf[i]);
9916 
9917 		if ((op >= DIF_OP_LDSB && op <= DIF_OP_LDX) ||
9918 		    (op >= DIF_OP_ULDSB && op <= DIF_OP_ULDX) ||
9919 		    (op >= DIF_OP_RLDSB && op <= DIF_OP_RLDX) ||
9920 		    op == DIF_OP_LDGA || op == DIF_OP_STTS)
9921 			return (0);
9922 	}
9923 
9924 	return (1);
9925 }
9926 
9927 static void
9928 dtrace_difo_hold(dtrace_difo_t *dp)
9929 {
9930 	int i;
9931 
9932 	ASSERT(MUTEX_HELD(&dtrace_lock));
9933 
9934 	dp->dtdo_refcnt++;
9935 	ASSERT(dp->dtdo_refcnt != 0);
9936 
9937 	/*
9938 	 * We need to check this DIF object for references to the variable
9939 	 * DIF_VAR_VTIMESTAMP.
9940 	 */
9941 	for (i = 0; i < dp->dtdo_varlen; i++) {
9942 		dtrace_difv_t *v = &dp->dtdo_vartab[i];
9943 
9944 		if (v->dtdv_id != DIF_VAR_VTIMESTAMP)
9945 			continue;
9946 
9947 		if (dtrace_vtime_references++ == 0)
9948 			dtrace_vtime_enable();
9949 	}
9950 }
9951 
9952 /*
9953  * This routine calculates the dynamic variable chunksize for a given DIF
9954  * object.  The calculation is not fool-proof, and can probably be tricked by
9955  * malicious DIF -- but it works for all compiler-generated DIF.  Because this
9956  * calculation is likely imperfect, dtrace_dynvar() is able to gracefully fail
9957  * if a dynamic variable size exceeds the chunksize.
9958  */
9959 static void
9960 dtrace_difo_chunksize(dtrace_difo_t *dp, dtrace_vstate_t *vstate)
9961 {
9962 	uint64_t sval;
9963 	dtrace_key_t tupregs[DIF_DTR_NREGS + 2]; /* +2 for thread and id */
9964 	const dif_instr_t *text = dp->dtdo_buf;
9965 	uint_t pc, srd = 0;
9966 	uint_t ttop = 0;
9967 	size_t size, ksize;
9968 	uint_t id, i;
9969 
9970 	for (pc = 0; pc < dp->dtdo_len; pc++) {
9971 		dif_instr_t instr = text[pc];
9972 		uint_t op = DIF_INSTR_OP(instr);
9973 		uint_t rd = DIF_INSTR_RD(instr);
9974 		uint_t r1 = DIF_INSTR_R1(instr);
9975 		uint_t nkeys = 0;
9976 		uchar_t scope;
9977 
9978 		dtrace_key_t *key = tupregs;
9979 
9980 		switch (op) {
9981 		case DIF_OP_SETX:
9982 			sval = dp->dtdo_inttab[DIF_INSTR_INTEGER(instr)];
9983 			srd = rd;
9984 			continue;
9985 
9986 		case DIF_OP_STTS:
9987 			key = &tupregs[DIF_DTR_NREGS];
9988 			key[0].dttk_size = 0;
9989 			key[1].dttk_size = 0;
9990 			nkeys = 2;
9991 			scope = DIFV_SCOPE_THREAD;
9992 			break;
9993 
9994 		case DIF_OP_STGAA:
9995 		case DIF_OP_STTAA:
9996 			nkeys = ttop;
9997 
9998 			if (DIF_INSTR_OP(instr) == DIF_OP_STTAA)
9999 				key[nkeys++].dttk_size = 0;
10000 
10001 			key[nkeys++].dttk_size = 0;
10002 
10003 			if (op == DIF_OP_STTAA) {
10004 				scope = DIFV_SCOPE_THREAD;
10005 			} else {
10006 				scope = DIFV_SCOPE_GLOBAL;
10007 			}
10008 
10009 			break;
10010 
10011 		case DIF_OP_PUSHTR:
10012 			if (ttop == DIF_DTR_NREGS)
10013 				return;
10014 
10015 			if ((srd == 0 || sval == 0) && r1 == DIF_TYPE_STRING) {
10016 				/*
10017 				 * If the register for the size of the "pushtr"
10018 				 * is %r0 (or the value is 0) and the type is
10019 				 * a string, we'll use the system-wide default
10020 				 * string size.
10021 				 */
10022 				tupregs[ttop++].dttk_size =
10023 				    dtrace_strsize_default;
10024 			} else {
10025 				if (srd == 0)
10026 					return;
10027 
10028 				if (sval > LONG_MAX)
10029 					return;
10030 
10031 				tupregs[ttop++].dttk_size = sval;
10032 			}
10033 
10034 			break;
10035 
10036 		case DIF_OP_PUSHTV:
10037 			if (ttop == DIF_DTR_NREGS)
10038 				return;
10039 
10040 			tupregs[ttop++].dttk_size = 0;
10041 			break;
10042 
10043 		case DIF_OP_FLUSHTS:
10044 			ttop = 0;
10045 			break;
10046 
10047 		case DIF_OP_POPTS:
10048 			if (ttop != 0)
10049 				ttop--;
10050 			break;
10051 		}
10052 
10053 		sval = 0;
10054 		srd = 0;
10055 
10056 		if (nkeys == 0)
10057 			continue;
10058 
10059 		/*
10060 		 * We have a dynamic variable allocation; calculate its size.
10061 		 */
10062 		for (ksize = 0, i = 0; i < nkeys; i++)
10063 			ksize += P2ROUNDUP(key[i].dttk_size, sizeof (uint64_t));
10064 
10065 		size = sizeof (dtrace_dynvar_t);
10066 		size += sizeof (dtrace_key_t) * (nkeys - 1);
10067 		size += ksize;
10068 
10069 		/*
10070 		 * Now we need to determine the size of the stored data.
10071 		 */
10072 		id = DIF_INSTR_VAR(instr);
10073 
10074 		for (i = 0; i < dp->dtdo_varlen; i++) {
10075 			dtrace_difv_t *v = &dp->dtdo_vartab[i];
10076 
10077 			if (v->dtdv_id == id && v->dtdv_scope == scope) {
10078 				size += v->dtdv_type.dtdt_size;
10079 				break;
10080 			}
10081 		}
10082 
10083 		if (i == dp->dtdo_varlen)
10084 			return;
10085 
10086 		/*
10087 		 * We have the size.  If this is larger than the chunk size
10088 		 * for our dynamic variable state, reset the chunk size.
10089 		 */
10090 		size = P2ROUNDUP(size, sizeof (uint64_t));
10091 
10092 		/*
10093 		 * Before setting the chunk size, check that we're not going
10094 		 * to set it to a negative value...
10095 		 */
10096 		if (size > LONG_MAX)
10097 			return;
10098 
10099 		/*
10100 		 * ...and make certain that we didn't badly overflow.
10101 		 */
10102 		if (size < ksize || size < sizeof (dtrace_dynvar_t))
10103 			return;
10104 
10105 		if (size > vstate->dtvs_dynvars.dtds_chunksize)
10106 			vstate->dtvs_dynvars.dtds_chunksize = size;
10107 	}
10108 }
10109 
10110 static void
10111 dtrace_difo_init(dtrace_difo_t *dp, dtrace_vstate_t *vstate)
10112 {
10113 	int i, oldsvars, osz, nsz, otlocals, ntlocals;
10114 	uint_t id;
10115 
10116 	ASSERT(MUTEX_HELD(&dtrace_lock));
10117 	ASSERT(dp->dtdo_buf != NULL && dp->dtdo_len != 0);
10118 
10119 	for (i = 0; i < dp->dtdo_varlen; i++) {
10120 		dtrace_difv_t *v = &dp->dtdo_vartab[i];
10121 		dtrace_statvar_t *svar, ***svarp;
10122 		size_t dsize = 0;
10123 		uint8_t scope = v->dtdv_scope;
10124 		int *np;
10125 
10126 		if ((id = v->dtdv_id) < DIF_VAR_OTHER_UBASE)
10127 			continue;
10128 
10129 		id -= DIF_VAR_OTHER_UBASE;
10130 
10131 		switch (scope) {
10132 		case DIFV_SCOPE_THREAD:
10133 			while (id >= (otlocals = vstate->dtvs_ntlocals)) {
10134 				dtrace_difv_t *tlocals;
10135 
10136 				if ((ntlocals = (otlocals << 1)) == 0)
10137 					ntlocals = 1;
10138 
10139 				osz = otlocals * sizeof (dtrace_difv_t);
10140 				nsz = ntlocals * sizeof (dtrace_difv_t);
10141 
10142 				tlocals = kmem_zalloc(nsz, KM_SLEEP);
10143 
10144 				if (osz != 0) {
10145 					bcopy(vstate->dtvs_tlocals,
10146 					    tlocals, osz);
10147 					kmem_free(vstate->dtvs_tlocals, osz);
10148 				}
10149 
10150 				vstate->dtvs_tlocals = tlocals;
10151 				vstate->dtvs_ntlocals = ntlocals;
10152 			}
10153 
10154 			vstate->dtvs_tlocals[id] = *v;
10155 			continue;
10156 
10157 		case DIFV_SCOPE_LOCAL:
10158 			np = &vstate->dtvs_nlocals;
10159 			svarp = &vstate->dtvs_locals;
10160 
10161 			if (v->dtdv_type.dtdt_flags & DIF_TF_BYREF)
10162 				dsize = NCPU * (v->dtdv_type.dtdt_size +
10163 				    sizeof (uint64_t));
10164 			else
10165 				dsize = NCPU * sizeof (uint64_t);
10166 
10167 			break;
10168 
10169 		case DIFV_SCOPE_GLOBAL:
10170 			np = &vstate->dtvs_nglobals;
10171 			svarp = &vstate->dtvs_globals;
10172 
10173 			if (v->dtdv_type.dtdt_flags & DIF_TF_BYREF)
10174 				dsize = v->dtdv_type.dtdt_size +
10175 				    sizeof (uint64_t);
10176 
10177 			break;
10178 
10179 		default:
10180 			ASSERT(0);
10181 		}
10182 
10183 		while (id >= (oldsvars = *np)) {
10184 			dtrace_statvar_t **statics;
10185 			int newsvars, oldsize, newsize;
10186 
10187 			if ((newsvars = (oldsvars << 1)) == 0)
10188 				newsvars = 1;
10189 
10190 			oldsize = oldsvars * sizeof (dtrace_statvar_t *);
10191 			newsize = newsvars * sizeof (dtrace_statvar_t *);
10192 
10193 			statics = kmem_zalloc(newsize, KM_SLEEP);
10194 
10195 			if (oldsize != 0) {
10196 				bcopy(*svarp, statics, oldsize);
10197 				kmem_free(*svarp, oldsize);
10198 			}
10199 
10200 			*svarp = statics;
10201 			*np = newsvars;
10202 		}
10203 
10204 		if ((svar = (*svarp)[id]) == NULL) {
10205 			svar = kmem_zalloc(sizeof (dtrace_statvar_t), KM_SLEEP);
10206 			svar->dtsv_var = *v;
10207 
10208 			if ((svar->dtsv_size = dsize) != 0) {
10209 				svar->dtsv_data = (uint64_t)(uintptr_t)
10210 				    kmem_zalloc(dsize, KM_SLEEP);
10211 			}
10212 
10213 			(*svarp)[id] = svar;
10214 		}
10215 
10216 		svar->dtsv_refcnt++;
10217 	}
10218 
10219 	dtrace_difo_chunksize(dp, vstate);
10220 	dtrace_difo_hold(dp);
10221 }
10222 
10223 static dtrace_difo_t *
10224 dtrace_difo_duplicate(dtrace_difo_t *dp, dtrace_vstate_t *vstate)
10225 {
10226 	dtrace_difo_t *new;
10227 	size_t sz;
10228 
10229 	ASSERT(dp->dtdo_buf != NULL);
10230 	ASSERT(dp->dtdo_refcnt != 0);
10231 
10232 	new = kmem_zalloc(sizeof (dtrace_difo_t), KM_SLEEP);
10233 
10234 	ASSERT(dp->dtdo_buf != NULL);
10235 	sz = dp->dtdo_len * sizeof (dif_instr_t);
10236 	new->dtdo_buf = kmem_alloc(sz, KM_SLEEP);
10237 	bcopy(dp->dtdo_buf, new->dtdo_buf, sz);
10238 	new->dtdo_len = dp->dtdo_len;
10239 
10240 	if (dp->dtdo_strtab != NULL) {
10241 		ASSERT(dp->dtdo_strlen != 0);
10242 		new->dtdo_strtab = kmem_alloc(dp->dtdo_strlen, KM_SLEEP);
10243 		bcopy(dp->dtdo_strtab, new->dtdo_strtab, dp->dtdo_strlen);
10244 		new->dtdo_strlen = dp->dtdo_strlen;
10245 	}
10246 
10247 	if (dp->dtdo_inttab != NULL) {
10248 		ASSERT(dp->dtdo_intlen != 0);
10249 		sz = dp->dtdo_intlen * sizeof (uint64_t);
10250 		new->dtdo_inttab = kmem_alloc(sz, KM_SLEEP);
10251 		bcopy(dp->dtdo_inttab, new->dtdo_inttab, sz);
10252 		new->dtdo_intlen = dp->dtdo_intlen;
10253 	}
10254 
10255 	if (dp->dtdo_vartab != NULL) {
10256 		ASSERT(dp->dtdo_varlen != 0);
10257 		sz = dp->dtdo_varlen * sizeof (dtrace_difv_t);
10258 		new->dtdo_vartab = kmem_alloc(sz, KM_SLEEP);
10259 		bcopy(dp->dtdo_vartab, new->dtdo_vartab, sz);
10260 		new->dtdo_varlen = dp->dtdo_varlen;
10261 	}
10262 
10263 	dtrace_difo_init(new, vstate);
10264 	return (new);
10265 }
10266 
10267 static void
10268 dtrace_difo_destroy(dtrace_difo_t *dp, dtrace_vstate_t *vstate)
10269 {
10270 	int i;
10271 
10272 	ASSERT(dp->dtdo_refcnt == 0);
10273 
10274 	for (i = 0; i < dp->dtdo_varlen; i++) {
10275 		dtrace_difv_t *v = &dp->dtdo_vartab[i];
10276 		dtrace_statvar_t *svar, **svarp;
10277 		uint_t id;
10278 		uint8_t scope = v->dtdv_scope;
10279 		int *np;
10280 
10281 		switch (scope) {
10282 		case DIFV_SCOPE_THREAD:
10283 			continue;
10284 
10285 		case DIFV_SCOPE_LOCAL:
10286 			np = &vstate->dtvs_nlocals;
10287 			svarp = vstate->dtvs_locals;
10288 			break;
10289 
10290 		case DIFV_SCOPE_GLOBAL:
10291 			np = &vstate->dtvs_nglobals;
10292 			svarp = vstate->dtvs_globals;
10293 			break;
10294 
10295 		default:
10296 			ASSERT(0);
10297 		}
10298 
10299 		if ((id = v->dtdv_id) < DIF_VAR_OTHER_UBASE)
10300 			continue;
10301 
10302 		id -= DIF_VAR_OTHER_UBASE;
10303 		ASSERT(id < *np);
10304 
10305 		svar = svarp[id];
10306 		ASSERT(svar != NULL);
10307 		ASSERT(svar->dtsv_refcnt > 0);
10308 
10309 		if (--svar->dtsv_refcnt > 0)
10310 			continue;
10311 
10312 		if (svar->dtsv_size != 0) {
10313 			ASSERT(svar->dtsv_data != 0);
10314 			kmem_free((void *)(uintptr_t)svar->dtsv_data,
10315 			    svar->dtsv_size);
10316 		}
10317 
10318 		kmem_free(svar, sizeof (dtrace_statvar_t));
10319 		svarp[id] = NULL;
10320 	}
10321 
10322 	kmem_free(dp->dtdo_buf, dp->dtdo_len * sizeof (dif_instr_t));
10323 	kmem_free(dp->dtdo_inttab, dp->dtdo_intlen * sizeof (uint64_t));
10324 	kmem_free(dp->dtdo_strtab, dp->dtdo_strlen);
10325 	kmem_free(dp->dtdo_vartab, dp->dtdo_varlen * sizeof (dtrace_difv_t));
10326 
10327 	kmem_free(dp, sizeof (dtrace_difo_t));
10328 }
10329 
10330 static void
10331 dtrace_difo_release(dtrace_difo_t *dp, dtrace_vstate_t *vstate)
10332 {
10333 	int i;
10334 
10335 	ASSERT(MUTEX_HELD(&dtrace_lock));
10336 	ASSERT(dp->dtdo_refcnt != 0);
10337 
10338 	for (i = 0; i < dp->dtdo_varlen; i++) {
10339 		dtrace_difv_t *v = &dp->dtdo_vartab[i];
10340 
10341 		if (v->dtdv_id != DIF_VAR_VTIMESTAMP)
10342 			continue;
10343 
10344 		ASSERT(dtrace_vtime_references > 0);
10345 		if (--dtrace_vtime_references == 0)
10346 			dtrace_vtime_disable();
10347 	}
10348 
10349 	if (--dp->dtdo_refcnt == 0)
10350 		dtrace_difo_destroy(dp, vstate);
10351 }
10352 
10353 /*
10354  * DTrace Format Functions
10355  */
10356 static uint16_t
10357 dtrace_format_add(dtrace_state_t *state, char *str)
10358 {
10359 	char *fmt, **new;
10360 	uint16_t ndx, len = strlen(str) + 1;
10361 
10362 	fmt = kmem_zalloc(len, KM_SLEEP);
10363 	bcopy(str, fmt, len);
10364 
10365 	for (ndx = 0; ndx < state->dts_nformats; ndx++) {
10366 		if (state->dts_formats[ndx] == NULL) {
10367 			state->dts_formats[ndx] = fmt;
10368 			return (ndx + 1);
10369 		}
10370 	}
10371 
10372 	if (state->dts_nformats == USHRT_MAX) {
10373 		/*
10374 		 * This is only likely if a denial-of-service attack is being
10375 		 * attempted.  As such, it's okay to fail silently here.
10376 		 */
10377 		kmem_free(fmt, len);
10378 		return (0);
10379 	}
10380 
10381 	/*
10382 	 * For simplicity, we always resize the formats array to be exactly the
10383 	 * number of formats.
10384 	 */
10385 	ndx = state->dts_nformats++;
10386 	new = kmem_alloc((ndx + 1) * sizeof (char *), KM_SLEEP);
10387 
10388 	if (state->dts_formats != NULL) {
10389 		ASSERT(ndx != 0);
10390 		bcopy(state->dts_formats, new, ndx * sizeof (char *));
10391 		kmem_free(state->dts_formats, ndx * sizeof (char *));
10392 	}
10393 
10394 	state->dts_formats = new;
10395 	state->dts_formats[ndx] = fmt;
10396 
10397 	return (ndx + 1);
10398 }
10399 
10400 static void
10401 dtrace_format_remove(dtrace_state_t *state, uint16_t format)
10402 {
10403 	char *fmt;
10404 
10405 	ASSERT(state->dts_formats != NULL);
10406 	ASSERT(format <= state->dts_nformats);
10407 	ASSERT(state->dts_formats[format - 1] != NULL);
10408 
10409 	fmt = state->dts_formats[format - 1];
10410 	kmem_free(fmt, strlen(fmt) + 1);
10411 	state->dts_formats[format - 1] = NULL;
10412 }
10413 
10414 static void
10415 dtrace_format_destroy(dtrace_state_t *state)
10416 {
10417 	int i;
10418 
10419 	if (state->dts_nformats == 0) {
10420 		ASSERT(state->dts_formats == NULL);
10421 		return;
10422 	}
10423 
10424 	ASSERT(state->dts_formats != NULL);
10425 
10426 	for (i = 0; i < state->dts_nformats; i++) {
10427 		char *fmt = state->dts_formats[i];
10428 
10429 		if (fmt == NULL)
10430 			continue;
10431 
10432 		kmem_free(fmt, strlen(fmt) + 1);
10433 	}
10434 
10435 	kmem_free(state->dts_formats, state->dts_nformats * sizeof (char *));
10436 	state->dts_nformats = 0;
10437 	state->dts_formats = NULL;
10438 }
10439 
10440 /*
10441  * DTrace Predicate Functions
10442  */
10443 static dtrace_predicate_t *
10444 dtrace_predicate_create(dtrace_difo_t *dp)
10445 {
10446 	dtrace_predicate_t *pred;
10447 
10448 	ASSERT(MUTEX_HELD(&dtrace_lock));
10449 	ASSERT(dp->dtdo_refcnt != 0);
10450 
10451 	pred = kmem_zalloc(sizeof (dtrace_predicate_t), KM_SLEEP);
10452 	pred->dtp_difo = dp;
10453 	pred->dtp_refcnt = 1;
10454 
10455 	if (!dtrace_difo_cacheable(dp))
10456 		return (pred);
10457 
10458 	if (dtrace_predcache_id == DTRACE_CACHEIDNONE) {
10459 		/*
10460 		 * This is only theoretically possible -- we have had 2^32
10461 		 * cacheable predicates on this machine.  We cannot allow any
10462 		 * more predicates to become cacheable:  as unlikely as it is,
10463 		 * there may be a thread caching a (now stale) predicate cache
10464 		 * ID. (N.B.: the temptation is being successfully resisted to
10465 		 * have this cmn_err() "Holy shit -- we executed this code!")
10466 		 */
10467 		return (pred);
10468 	}
10469 
10470 	pred->dtp_cacheid = dtrace_predcache_id++;
10471 
10472 	return (pred);
10473 }
10474 
10475 static void
10476 dtrace_predicate_hold(dtrace_predicate_t *pred)
10477 {
10478 	ASSERT(MUTEX_HELD(&dtrace_lock));
10479 	ASSERT(pred->dtp_difo != NULL && pred->dtp_difo->dtdo_refcnt != 0);
10480 	ASSERT(pred->dtp_refcnt > 0);
10481 
10482 	pred->dtp_refcnt++;
10483 }
10484 
10485 static void
10486 dtrace_predicate_release(dtrace_predicate_t *pred, dtrace_vstate_t *vstate)
10487 {
10488 	dtrace_difo_t *dp = pred->dtp_difo;
10489 
10490 	ASSERT(MUTEX_HELD(&dtrace_lock));
10491 	ASSERT(dp != NULL && dp->dtdo_refcnt != 0);
10492 	ASSERT(pred->dtp_refcnt > 0);
10493 
10494 	if (--pred->dtp_refcnt == 0) {
10495 		dtrace_difo_release(pred->dtp_difo, vstate);
10496 		kmem_free(pred, sizeof (dtrace_predicate_t));
10497 	}
10498 }
10499 
10500 /*
10501  * DTrace Action Description Functions
10502  */
10503 static dtrace_actdesc_t *
10504 dtrace_actdesc_create(dtrace_actkind_t kind, uint32_t ntuple,
10505     uint64_t uarg, uint64_t arg)
10506 {
10507 	dtrace_actdesc_t *act;
10508 
10509 	ASSERT(!DTRACEACT_ISPRINTFLIKE(kind) || (arg != 0 &&
10510 	    arg >= KERNELBASE) || (arg == 0 && kind == DTRACEACT_PRINTA));
10511 
10512 	act = kmem_zalloc(sizeof (dtrace_actdesc_t), KM_SLEEP);
10513 	act->dtad_kind = kind;
10514 	act->dtad_ntuple = ntuple;
10515 	act->dtad_uarg = uarg;
10516 	act->dtad_arg = arg;
10517 	act->dtad_refcnt = 1;
10518 
10519 	return (act);
10520 }
10521 
10522 static void
10523 dtrace_actdesc_hold(dtrace_actdesc_t *act)
10524 {
10525 	ASSERT(act->dtad_refcnt >= 1);
10526 	act->dtad_refcnt++;
10527 }
10528 
10529 static void
10530 dtrace_actdesc_release(dtrace_actdesc_t *act, dtrace_vstate_t *vstate)
10531 {
10532 	dtrace_actkind_t kind = act->dtad_kind;
10533 	dtrace_difo_t *dp;
10534 
10535 	ASSERT(act->dtad_refcnt >= 1);
10536 
10537 	if (--act->dtad_refcnt != 0)
10538 		return;
10539 
10540 	if ((dp = act->dtad_difo) != NULL)
10541 		dtrace_difo_release(dp, vstate);
10542 
10543 	if (DTRACEACT_ISPRINTFLIKE(kind)) {
10544 		char *str = (char *)(uintptr_t)act->dtad_arg;
10545 
10546 		ASSERT((str != NULL && (uintptr_t)str >= KERNELBASE) ||
10547 		    (str == NULL && act->dtad_kind == DTRACEACT_PRINTA));
10548 
10549 		if (str != NULL)
10550 			kmem_free(str, strlen(str) + 1);
10551 	}
10552 
10553 	kmem_free(act, sizeof (dtrace_actdesc_t));
10554 }
10555 
10556 /*
10557  * DTrace ECB Functions
10558  */
10559 static dtrace_ecb_t *
10560 dtrace_ecb_add(dtrace_state_t *state, dtrace_probe_t *probe)
10561 {
10562 	dtrace_ecb_t *ecb;
10563 	dtrace_epid_t epid;
10564 
10565 	ASSERT(MUTEX_HELD(&dtrace_lock));
10566 
10567 	ecb = kmem_zalloc(sizeof (dtrace_ecb_t), KM_SLEEP);
10568 	ecb->dte_predicate = NULL;
10569 	ecb->dte_probe = probe;
10570 
10571 	/*
10572 	 * The default size is the size of the default action: recording
10573 	 * the header.
10574 	 */
10575 	ecb->dte_size = ecb->dte_needed = sizeof (dtrace_rechdr_t);
10576 	ecb->dte_alignment = sizeof (dtrace_epid_t);
10577 
10578 	epid = state->dts_epid++;
10579 
10580 	if (epid - 1 >= state->dts_necbs) {
10581 		dtrace_ecb_t **oecbs = state->dts_ecbs, **ecbs;
10582 		int necbs = state->dts_necbs << 1;
10583 
10584 		ASSERT(epid == state->dts_necbs + 1);
10585 
10586 		if (necbs == 0) {
10587 			ASSERT(oecbs == NULL);
10588 			necbs = 1;
10589 		}
10590 
10591 		ecbs = kmem_zalloc(necbs * sizeof (*ecbs), KM_SLEEP);
10592 
10593 		if (oecbs != NULL)
10594 			bcopy(oecbs, ecbs, state->dts_necbs * sizeof (*ecbs));
10595 
10596 		dtrace_membar_producer();
10597 		state->dts_ecbs = ecbs;
10598 
10599 		if (oecbs != NULL) {
10600 			/*
10601 			 * If this state is active, we must dtrace_sync()
10602 			 * before we can free the old dts_ecbs array:  we're
10603 			 * coming in hot, and there may be active ring
10604 			 * buffer processing (which indexes into the dts_ecbs
10605 			 * array) on another CPU.
10606 			 */
10607 			if (state->dts_activity != DTRACE_ACTIVITY_INACTIVE)
10608 				dtrace_sync();
10609 
10610 			kmem_free(oecbs, state->dts_necbs * sizeof (*ecbs));
10611 		}
10612 
10613 		dtrace_membar_producer();
10614 		state->dts_necbs = necbs;
10615 	}
10616 
10617 	ecb->dte_state = state;
10618 
10619 	ASSERT(state->dts_ecbs[epid - 1] == NULL);
10620 	dtrace_membar_producer();
10621 	state->dts_ecbs[(ecb->dte_epid = epid) - 1] = ecb;
10622 
10623 	return (ecb);
10624 }
10625 
10626 static int
10627 dtrace_ecb_enable(dtrace_ecb_t *ecb)
10628 {
10629 	dtrace_probe_t *probe = ecb->dte_probe;
10630 
10631 	ASSERT(MUTEX_HELD(&cpu_lock));
10632 	ASSERT(MUTEX_HELD(&dtrace_lock));
10633 	ASSERT(ecb->dte_next == NULL);
10634 
10635 	if (probe == NULL) {
10636 		/*
10637 		 * This is the NULL probe -- there's nothing to do.
10638 		 */
10639 		return (0);
10640 	}
10641 
10642 	if (probe->dtpr_ecb == NULL) {
10643 		dtrace_provider_t *prov = probe->dtpr_provider;
10644 
10645 		/*
10646 		 * We're the first ECB on this probe.
10647 		 */
10648 		probe->dtpr_ecb = probe->dtpr_ecb_last = ecb;
10649 
10650 		if (ecb->dte_predicate != NULL)
10651 			probe->dtpr_predcache = ecb->dte_predicate->dtp_cacheid;
10652 
10653 		return (prov->dtpv_pops.dtps_enable(prov->dtpv_arg,
10654 		    probe->dtpr_id, probe->dtpr_arg));
10655 	} else {
10656 		/*
10657 		 * This probe is already active.  Swing the last pointer to
10658 		 * point to the new ECB, and issue a dtrace_sync() to assure
10659 		 * that all CPUs have seen the change.
10660 		 */
10661 		ASSERT(probe->dtpr_ecb_last != NULL);
10662 		probe->dtpr_ecb_last->dte_next = ecb;
10663 		probe->dtpr_ecb_last = ecb;
10664 		probe->dtpr_predcache = 0;
10665 
10666 		dtrace_sync();
10667 		return (0);
10668 	}
10669 }
10670 
10671 static int
10672 dtrace_ecb_resize(dtrace_ecb_t *ecb)
10673 {
10674 	dtrace_action_t *act;
10675 	uint32_t curneeded = UINT32_MAX;
10676 	uint32_t aggbase = UINT32_MAX;
10677 
10678 	/*
10679 	 * If we record anything, we always record the dtrace_rechdr_t.  (And
10680 	 * we always record it first.)
10681 	 */
10682 	ecb->dte_size = sizeof (dtrace_rechdr_t);
10683 	ecb->dte_alignment = sizeof (dtrace_epid_t);
10684 
10685 	for (act = ecb->dte_action; act != NULL; act = act->dta_next) {
10686 		dtrace_recdesc_t *rec = &act->dta_rec;
10687 		ASSERT(rec->dtrd_size > 0 || rec->dtrd_alignment == 1);
10688 
10689 		ecb->dte_alignment = MAX(ecb->dte_alignment,
10690 		    rec->dtrd_alignment);
10691 
10692 		if (DTRACEACT_ISAGG(act->dta_kind)) {
10693 			dtrace_aggregation_t *agg = (dtrace_aggregation_t *)act;
10694 
10695 			ASSERT(rec->dtrd_size != 0);
10696 			ASSERT(agg->dtag_first != NULL);
10697 			ASSERT(act->dta_prev->dta_intuple);
10698 			ASSERT(aggbase != UINT32_MAX);
10699 			ASSERT(curneeded != UINT32_MAX);
10700 
10701 			agg->dtag_base = aggbase;
10702 
10703 			curneeded = P2ROUNDUP(curneeded, rec->dtrd_alignment);
10704 			rec->dtrd_offset = curneeded;
10705 			if (curneeded + rec->dtrd_size < curneeded)
10706 				return (EINVAL);
10707 			curneeded += rec->dtrd_size;
10708 			ecb->dte_needed = MAX(ecb->dte_needed, curneeded);
10709 
10710 			aggbase = UINT32_MAX;
10711 			curneeded = UINT32_MAX;
10712 		} else if (act->dta_intuple) {
10713 			if (curneeded == UINT32_MAX) {
10714 				/*
10715 				 * This is the first record in a tuple.  Align
10716 				 * curneeded to be at offset 4 in an 8-byte
10717 				 * aligned block.
10718 				 */
10719 				ASSERT(act->dta_prev == NULL ||
10720 				    !act->dta_prev->dta_intuple);
10721 				ASSERT3U(aggbase, ==, UINT32_MAX);
10722 				curneeded = P2PHASEUP(ecb->dte_size,
10723 				    sizeof (uint64_t), sizeof (dtrace_aggid_t));
10724 
10725 				aggbase = curneeded - sizeof (dtrace_aggid_t);
10726 				ASSERT(IS_P2ALIGNED(aggbase,
10727 				    sizeof (uint64_t)));
10728 			}
10729 			curneeded = P2ROUNDUP(curneeded, rec->dtrd_alignment);
10730 			rec->dtrd_offset = curneeded;
10731 			if (curneeded + rec->dtrd_size < curneeded)
10732 				return (EINVAL);
10733 			curneeded += rec->dtrd_size;
10734 		} else {
10735 			/* tuples must be followed by an aggregation */
10736 			ASSERT(act->dta_prev == NULL ||
10737 			    !act->dta_prev->dta_intuple);
10738 
10739 			ecb->dte_size = P2ROUNDUP(ecb->dte_size,
10740 			    rec->dtrd_alignment);
10741 			rec->dtrd_offset = ecb->dte_size;
10742 			if (ecb->dte_size + rec->dtrd_size < ecb->dte_size)
10743 				return (EINVAL);
10744 			ecb->dte_size += rec->dtrd_size;
10745 			ecb->dte_needed = MAX(ecb->dte_needed, ecb->dte_size);
10746 		}
10747 	}
10748 
10749 	if ((act = ecb->dte_action) != NULL &&
10750 	    !(act->dta_kind == DTRACEACT_SPECULATE && act->dta_next == NULL) &&
10751 	    ecb->dte_size == sizeof (dtrace_rechdr_t)) {
10752 		/*
10753 		 * If the size is still sizeof (dtrace_rechdr_t), then all
10754 		 * actions store no data; set the size to 0.
10755 		 */
10756 		ecb->dte_size = 0;
10757 	}
10758 
10759 	ecb->dte_size = P2ROUNDUP(ecb->dte_size, sizeof (dtrace_epid_t));
10760 	ecb->dte_needed = P2ROUNDUP(ecb->dte_needed, (sizeof (dtrace_epid_t)));
10761 	ecb->dte_state->dts_needed = MAX(ecb->dte_state->dts_needed,
10762 	    ecb->dte_needed);
10763 	return (0);
10764 }
10765 
10766 static dtrace_action_t *
10767 dtrace_ecb_aggregation_create(dtrace_ecb_t *ecb, dtrace_actdesc_t *desc)
10768 {
10769 	dtrace_aggregation_t *agg;
10770 	size_t size = sizeof (uint64_t);
10771 	int ntuple = desc->dtad_ntuple;
10772 	dtrace_action_t *act;
10773 	dtrace_recdesc_t *frec;
10774 	dtrace_aggid_t aggid;
10775 	dtrace_state_t *state = ecb->dte_state;
10776 
10777 	agg = kmem_zalloc(sizeof (dtrace_aggregation_t), KM_SLEEP);
10778 	agg->dtag_ecb = ecb;
10779 
10780 	ASSERT(DTRACEACT_ISAGG(desc->dtad_kind));
10781 
10782 	switch (desc->dtad_kind) {
10783 	case DTRACEAGG_MIN:
10784 		agg->dtag_initial = INT64_MAX;
10785 		agg->dtag_aggregate = dtrace_aggregate_min;
10786 		break;
10787 
10788 	case DTRACEAGG_MAX:
10789 		agg->dtag_initial = INT64_MIN;
10790 		agg->dtag_aggregate = dtrace_aggregate_max;
10791 		break;
10792 
10793 	case DTRACEAGG_COUNT:
10794 		agg->dtag_aggregate = dtrace_aggregate_count;
10795 		break;
10796 
10797 	case DTRACEAGG_QUANTIZE:
10798 		agg->dtag_aggregate = dtrace_aggregate_quantize;
10799 		size = (((sizeof (uint64_t) * NBBY) - 1) * 2 + 1) *
10800 		    sizeof (uint64_t);
10801 		break;
10802 
10803 	case DTRACEAGG_LQUANTIZE: {
10804 		uint16_t step = DTRACE_LQUANTIZE_STEP(desc->dtad_arg);
10805 		uint16_t levels = DTRACE_LQUANTIZE_LEVELS(desc->dtad_arg);
10806 
10807 		agg->dtag_initial = desc->dtad_arg;
10808 		agg->dtag_aggregate = dtrace_aggregate_lquantize;
10809 
10810 		if (step == 0 || levels == 0)
10811 			goto err;
10812 
10813 		size = levels * sizeof (uint64_t) + 3 * sizeof (uint64_t);
10814 		break;
10815 	}
10816 
10817 	case DTRACEAGG_LLQUANTIZE: {
10818 		uint16_t factor = DTRACE_LLQUANTIZE_FACTOR(desc->dtad_arg);
10819 		uint16_t low = DTRACE_LLQUANTIZE_LOW(desc->dtad_arg);
10820 		uint16_t high = DTRACE_LLQUANTIZE_HIGH(desc->dtad_arg);
10821 		uint16_t nsteps = DTRACE_LLQUANTIZE_NSTEP(desc->dtad_arg);
10822 		int64_t v;
10823 
10824 		agg->dtag_initial = desc->dtad_arg;
10825 		agg->dtag_aggregate = dtrace_aggregate_llquantize;
10826 
10827 		if (factor < 2 || low >= high || nsteps < factor)
10828 			goto err;
10829 
10830 		/*
10831 		 * Now check that the number of steps evenly divides a power
10832 		 * of the factor.  (This assures both integer bucket size and
10833 		 * linearity within each magnitude.)
10834 		 */
10835 		for (v = factor; v < nsteps; v *= factor)
10836 			continue;
10837 
10838 		if ((v % nsteps) || (nsteps % factor))
10839 			goto err;
10840 
10841 		size = (dtrace_aggregate_llquantize_bucket(factor,
10842 		    low, high, nsteps, INT64_MAX) + 2) * sizeof (uint64_t);
10843 		break;
10844 	}
10845 
10846 	case DTRACEAGG_AVG:
10847 		agg->dtag_aggregate = dtrace_aggregate_avg;
10848 		size = sizeof (uint64_t) * 2;
10849 		break;
10850 
10851 	case DTRACEAGG_STDDEV:
10852 		agg->dtag_aggregate = dtrace_aggregate_stddev;
10853 		size = sizeof (uint64_t) * 4;
10854 		break;
10855 
10856 	case DTRACEAGG_SUM:
10857 		agg->dtag_aggregate = dtrace_aggregate_sum;
10858 		break;
10859 
10860 	default:
10861 		goto err;
10862 	}
10863 
10864 	agg->dtag_action.dta_rec.dtrd_size = size;
10865 
10866 	if (ntuple == 0)
10867 		goto err;
10868 
10869 	/*
10870 	 * We must make sure that we have enough actions for the n-tuple.
10871 	 */
10872 	for (act = ecb->dte_action_last; act != NULL; act = act->dta_prev) {
10873 		if (DTRACEACT_ISAGG(act->dta_kind))
10874 			break;
10875 
10876 		if (--ntuple == 0) {
10877 			/*
10878 			 * This is the action with which our n-tuple begins.
10879 			 */
10880 			agg->dtag_first = act;
10881 			goto success;
10882 		}
10883 	}
10884 
10885 	/*
10886 	 * This n-tuple is short by ntuple elements.  Return failure.
10887 	 */
10888 	ASSERT(ntuple != 0);
10889 err:
10890 	kmem_free(agg, sizeof (dtrace_aggregation_t));
10891 	return (NULL);
10892 
10893 success:
10894 	/*
10895 	 * If the last action in the tuple has a size of zero, it's actually
10896 	 * an expression argument for the aggregating action.
10897 	 */
10898 	ASSERT(ecb->dte_action_last != NULL);
10899 	act = ecb->dte_action_last;
10900 
10901 	if (act->dta_kind == DTRACEACT_DIFEXPR) {
10902 		ASSERT(act->dta_difo != NULL);
10903 
10904 		if (act->dta_difo->dtdo_rtype.dtdt_size == 0)
10905 			agg->dtag_hasarg = 1;
10906 	}
10907 
10908 	/*
10909 	 * We need to allocate an id for this aggregation.
10910 	 */
10911 	aggid = (dtrace_aggid_t)(uintptr_t)vmem_alloc(state->dts_aggid_arena, 1,
10912 	    VM_BESTFIT | VM_SLEEP);
10913 
10914 	if (aggid - 1 >= state->dts_naggregations) {
10915 		dtrace_aggregation_t **oaggs = state->dts_aggregations;
10916 		dtrace_aggregation_t **aggs;
10917 		int naggs = state->dts_naggregations << 1;
10918 		int onaggs = state->dts_naggregations;
10919 
10920 		ASSERT(aggid == state->dts_naggregations + 1);
10921 
10922 		if (naggs == 0) {
10923 			ASSERT(oaggs == NULL);
10924 			naggs = 1;
10925 		}
10926 
10927 		aggs = kmem_zalloc(naggs * sizeof (*aggs), KM_SLEEP);
10928 
10929 		if (oaggs != NULL) {
10930 			bcopy(oaggs, aggs, onaggs * sizeof (*aggs));
10931 			kmem_free(oaggs, onaggs * sizeof (*aggs));
10932 		}
10933 
10934 		state->dts_aggregations = aggs;
10935 		state->dts_naggregations = naggs;
10936 	}
10937 
10938 	ASSERT(state->dts_aggregations[aggid - 1] == NULL);
10939 	state->dts_aggregations[(agg->dtag_id = aggid) - 1] = agg;
10940 
10941 	frec = &agg->dtag_first->dta_rec;
10942 	if (frec->dtrd_alignment < sizeof (dtrace_aggid_t))
10943 		frec->dtrd_alignment = sizeof (dtrace_aggid_t);
10944 
10945 	for (act = agg->dtag_first; act != NULL; act = act->dta_next) {
10946 		ASSERT(!act->dta_intuple);
10947 		act->dta_intuple = 1;
10948 	}
10949 
10950 	return (&agg->dtag_action);
10951 }
10952 
10953 static void
10954 dtrace_ecb_aggregation_destroy(dtrace_ecb_t *ecb, dtrace_action_t *act)
10955 {
10956 	dtrace_aggregation_t *agg = (dtrace_aggregation_t *)act;
10957 	dtrace_state_t *state = ecb->dte_state;
10958 	dtrace_aggid_t aggid = agg->dtag_id;
10959 
10960 	ASSERT(DTRACEACT_ISAGG(act->dta_kind));
10961 	vmem_free(state->dts_aggid_arena, (void *)(uintptr_t)aggid, 1);
10962 
10963 	ASSERT(state->dts_aggregations[aggid - 1] == agg);
10964 	state->dts_aggregations[aggid - 1] = NULL;
10965 
10966 	kmem_free(agg, sizeof (dtrace_aggregation_t));
10967 }
10968 
10969 static int
10970 dtrace_ecb_action_add(dtrace_ecb_t *ecb, dtrace_actdesc_t *desc)
10971 {
10972 	dtrace_action_t *action, *last;
10973 	dtrace_difo_t *dp = desc->dtad_difo;
10974 	uint32_t size = 0, align = sizeof (uint8_t), mask;
10975 	uint16_t format = 0;
10976 	dtrace_recdesc_t *rec;
10977 	dtrace_state_t *state = ecb->dte_state;
10978 	dtrace_optval_t *opt = state->dts_options, nframes, strsize;
10979 	uint64_t arg = desc->dtad_arg;
10980 
10981 	ASSERT(MUTEX_HELD(&dtrace_lock));
10982 	ASSERT(ecb->dte_action == NULL || ecb->dte_action->dta_refcnt == 1);
10983 
10984 	if (DTRACEACT_ISAGG(desc->dtad_kind)) {
10985 		/*
10986 		 * If this is an aggregating action, there must be neither
10987 		 * a speculate nor a commit on the action chain.
10988 		 */
10989 		dtrace_action_t *act;
10990 
10991 		for (act = ecb->dte_action; act != NULL; act = act->dta_next) {
10992 			if (act->dta_kind == DTRACEACT_COMMIT)
10993 				return (EINVAL);
10994 
10995 			if (act->dta_kind == DTRACEACT_SPECULATE)
10996 				return (EINVAL);
10997 		}
10998 
10999 		action = dtrace_ecb_aggregation_create(ecb, desc);
11000 
11001 		if (action == NULL)
11002 			return (EINVAL);
11003 	} else {
11004 		if (DTRACEACT_ISDESTRUCTIVE(desc->dtad_kind) ||
11005 		    (desc->dtad_kind == DTRACEACT_DIFEXPR &&
11006 		    dp != NULL && dp->dtdo_destructive)) {
11007 			state->dts_destructive = 1;
11008 		}
11009 
11010 		switch (desc->dtad_kind) {
11011 		case DTRACEACT_PRINTF:
11012 		case DTRACEACT_PRINTA:
11013 		case DTRACEACT_SYSTEM:
11014 		case DTRACEACT_FREOPEN:
11015 		case DTRACEACT_DIFEXPR:
11016 			/*
11017 			 * We know that our arg is a string -- turn it into a
11018 			 * format.
11019 			 */
11020 			if (arg == 0) {
11021 				ASSERT(desc->dtad_kind == DTRACEACT_PRINTA ||
11022 				    desc->dtad_kind == DTRACEACT_DIFEXPR);
11023 				format = 0;
11024 			} else {
11025 				ASSERT(arg != 0);
11026 				ASSERT(arg > KERNELBASE);
11027 				format = dtrace_format_add(state,
11028 				    (char *)(uintptr_t)arg);
11029 			}
11030 
11031 			/*FALLTHROUGH*/
11032 		case DTRACEACT_LIBACT:
11033 		case DTRACEACT_TRACEMEM:
11034 		case DTRACEACT_TRACEMEM_DYNSIZE:
11035 			if (dp == NULL)
11036 				return (EINVAL);
11037 
11038 			if ((size = dp->dtdo_rtype.dtdt_size) != 0)
11039 				break;
11040 
11041 			if (dp->dtdo_rtype.dtdt_kind == DIF_TYPE_STRING) {
11042 				if (!(dp->dtdo_rtype.dtdt_flags & DIF_TF_BYREF))
11043 					return (EINVAL);
11044 
11045 				size = opt[DTRACEOPT_STRSIZE];
11046 			}
11047 
11048 			break;
11049 
11050 		case DTRACEACT_STACK:
11051 			if ((nframes = arg) == 0) {
11052 				nframes = opt[DTRACEOPT_STACKFRAMES];
11053 				ASSERT(nframes > 0);
11054 				arg = nframes;
11055 			}
11056 
11057 			size = nframes * sizeof (pc_t);
11058 			break;
11059 
11060 		case DTRACEACT_JSTACK:
11061 			if ((strsize = DTRACE_USTACK_STRSIZE(arg)) == 0)
11062 				strsize = opt[DTRACEOPT_JSTACKSTRSIZE];
11063 
11064 			if ((nframes = DTRACE_USTACK_NFRAMES(arg)) == 0)
11065 				nframes = opt[DTRACEOPT_JSTACKFRAMES];
11066 
11067 			arg = DTRACE_USTACK_ARG(nframes, strsize);
11068 
11069 			/*FALLTHROUGH*/
11070 		case DTRACEACT_USTACK:
11071 			if (desc->dtad_kind != DTRACEACT_JSTACK &&
11072 			    (nframes = DTRACE_USTACK_NFRAMES(arg)) == 0) {
11073 				strsize = DTRACE_USTACK_STRSIZE(arg);
11074 				nframes = opt[DTRACEOPT_USTACKFRAMES];
11075 				ASSERT(nframes > 0);
11076 				arg = DTRACE_USTACK_ARG(nframes, strsize);
11077 			}
11078 
11079 			/*
11080 			 * Save a slot for the pid.
11081 			 */
11082 			size = (nframes + 1) * sizeof (uint64_t);
11083 			size += DTRACE_USTACK_STRSIZE(arg);
11084 			size = P2ROUNDUP(size, (uint32_t)(sizeof (uintptr_t)));
11085 
11086 			break;
11087 
11088 		case DTRACEACT_SYM:
11089 		case DTRACEACT_MOD:
11090 			if (dp == NULL || ((size = dp->dtdo_rtype.dtdt_size) !=
11091 			    sizeof (uint64_t)) ||
11092 			    (dp->dtdo_rtype.dtdt_flags & DIF_TF_BYREF))
11093 				return (EINVAL);
11094 			break;
11095 
11096 		case DTRACEACT_USYM:
11097 		case DTRACEACT_UMOD:
11098 		case DTRACEACT_UADDR:
11099 			if (dp == NULL ||
11100 			    (dp->dtdo_rtype.dtdt_size != sizeof (uint64_t)) ||
11101 			    (dp->dtdo_rtype.dtdt_flags & DIF_TF_BYREF))
11102 				return (EINVAL);
11103 
11104 			/*
11105 			 * We have a slot for the pid, plus a slot for the
11106 			 * argument.  To keep things simple (aligned with
11107 			 * bitness-neutral sizing), we store each as a 64-bit
11108 			 * quantity.
11109 			 */
11110 			size = 2 * sizeof (uint64_t);
11111 			break;
11112 
11113 		case DTRACEACT_STOP:
11114 		case DTRACEACT_BREAKPOINT:
11115 		case DTRACEACT_PANIC:
11116 			break;
11117 
11118 		case DTRACEACT_CHILL:
11119 		case DTRACEACT_DISCARD:
11120 		case DTRACEACT_RAISE:
11121 			if (dp == NULL)
11122 				return (EINVAL);
11123 			break;
11124 
11125 		case DTRACEACT_EXIT:
11126 			if (dp == NULL ||
11127 			    (size = dp->dtdo_rtype.dtdt_size) != sizeof (int) ||
11128 			    (dp->dtdo_rtype.dtdt_flags & DIF_TF_BYREF))
11129 				return (EINVAL);
11130 			break;
11131 
11132 		case DTRACEACT_SPECULATE:
11133 			if (ecb->dte_size > sizeof (dtrace_rechdr_t))
11134 				return (EINVAL);
11135 
11136 			if (dp == NULL)
11137 				return (EINVAL);
11138 
11139 			state->dts_speculates = 1;
11140 			break;
11141 
11142 		case DTRACEACT_COMMIT: {
11143 			dtrace_action_t *act = ecb->dte_action;
11144 
11145 			for (; act != NULL; act = act->dta_next) {
11146 				if (act->dta_kind == DTRACEACT_COMMIT)
11147 					return (EINVAL);
11148 			}
11149 
11150 			if (dp == NULL)
11151 				return (EINVAL);
11152 			break;
11153 		}
11154 
11155 		default:
11156 			return (EINVAL);
11157 		}
11158 
11159 		if (size != 0 || desc->dtad_kind == DTRACEACT_SPECULATE) {
11160 			/*
11161 			 * If this is a data-storing action or a speculate,
11162 			 * we must be sure that there isn't a commit on the
11163 			 * action chain.
11164 			 */
11165 			dtrace_action_t *act = ecb->dte_action;
11166 
11167 			for (; act != NULL; act = act->dta_next) {
11168 				if (act->dta_kind == DTRACEACT_COMMIT)
11169 					return (EINVAL);
11170 			}
11171 		}
11172 
11173 		action = kmem_zalloc(sizeof (dtrace_action_t), KM_SLEEP);
11174 		action->dta_rec.dtrd_size = size;
11175 	}
11176 
11177 	action->dta_refcnt = 1;
11178 	rec = &action->dta_rec;
11179 	size = rec->dtrd_size;
11180 
11181 	for (mask = sizeof (uint64_t) - 1; size != 0 && mask > 0; mask >>= 1) {
11182 		if (!(size & mask)) {
11183 			align = mask + 1;
11184 			break;
11185 		}
11186 	}
11187 
11188 	action->dta_kind = desc->dtad_kind;
11189 
11190 	if ((action->dta_difo = dp) != NULL)
11191 		dtrace_difo_hold(dp);
11192 
11193 	rec->dtrd_action = action->dta_kind;
11194 	rec->dtrd_arg = arg;
11195 	rec->dtrd_uarg = desc->dtad_uarg;
11196 	rec->dtrd_alignment = (uint16_t)align;
11197 	rec->dtrd_format = format;
11198 
11199 	if ((last = ecb->dte_action_last) != NULL) {
11200 		ASSERT(ecb->dte_action != NULL);
11201 		action->dta_prev = last;
11202 		last->dta_next = action;
11203 	} else {
11204 		ASSERT(ecb->dte_action == NULL);
11205 		ecb->dte_action = action;
11206 	}
11207 
11208 	ecb->dte_action_last = action;
11209 
11210 	return (0);
11211 }
11212 
11213 static void
11214 dtrace_ecb_action_remove(dtrace_ecb_t *ecb)
11215 {
11216 	dtrace_action_t *act = ecb->dte_action, *next;
11217 	dtrace_vstate_t *vstate = &ecb->dte_state->dts_vstate;
11218 	dtrace_difo_t *dp;
11219 	uint16_t format;
11220 
11221 	if (act != NULL && act->dta_refcnt > 1) {
11222 		ASSERT(act->dta_next == NULL || act->dta_next->dta_refcnt == 1);
11223 		act->dta_refcnt--;
11224 	} else {
11225 		for (; act != NULL; act = next) {
11226 			next = act->dta_next;
11227 			ASSERT(next != NULL || act == ecb->dte_action_last);
11228 			ASSERT(act->dta_refcnt == 1);
11229 
11230 			if ((format = act->dta_rec.dtrd_format) != 0)
11231 				dtrace_format_remove(ecb->dte_state, format);
11232 
11233 			if ((dp = act->dta_difo) != NULL)
11234 				dtrace_difo_release(dp, vstate);
11235 
11236 			if (DTRACEACT_ISAGG(act->dta_kind)) {
11237 				dtrace_ecb_aggregation_destroy(ecb, act);
11238 			} else {
11239 				kmem_free(act, sizeof (dtrace_action_t));
11240 			}
11241 		}
11242 	}
11243 
11244 	ecb->dte_action = NULL;
11245 	ecb->dte_action_last = NULL;
11246 	ecb->dte_size = 0;
11247 }
11248 
11249 static void
11250 dtrace_ecb_disable(dtrace_ecb_t *ecb)
11251 {
11252 	/*
11253 	 * We disable the ECB by removing it from its probe.
11254 	 */
11255 	dtrace_ecb_t *pecb, *prev = NULL;
11256 	dtrace_probe_t *probe = ecb->dte_probe;
11257 
11258 	ASSERT(MUTEX_HELD(&dtrace_lock));
11259 
11260 	if (probe == NULL) {
11261 		/*
11262 		 * This is the NULL probe; there is nothing to disable.
11263 		 */
11264 		return;
11265 	}
11266 
11267 	for (pecb = probe->dtpr_ecb; pecb != NULL; pecb = pecb->dte_next) {
11268 		if (pecb == ecb)
11269 			break;
11270 		prev = pecb;
11271 	}
11272 
11273 	ASSERT(pecb != NULL);
11274 
11275 	if (prev == NULL) {
11276 		probe->dtpr_ecb = ecb->dte_next;
11277 	} else {
11278 		prev->dte_next = ecb->dte_next;
11279 	}
11280 
11281 	if (ecb == probe->dtpr_ecb_last) {
11282 		ASSERT(ecb->dte_next == NULL);
11283 		probe->dtpr_ecb_last = prev;
11284 	}
11285 
11286 	/*
11287 	 * The ECB has been disconnected from the probe; now sync to assure
11288 	 * that all CPUs have seen the change before returning.
11289 	 */
11290 	dtrace_sync();
11291 
11292 	if (probe->dtpr_ecb == NULL) {
11293 		/*
11294 		 * That was the last ECB on the probe; clear the predicate
11295 		 * cache ID for the probe, disable it and sync one more time
11296 		 * to assure that we'll never hit it again.
11297 		 */
11298 		dtrace_provider_t *prov = probe->dtpr_provider;
11299 
11300 		ASSERT(ecb->dte_next == NULL);
11301 		ASSERT(probe->dtpr_ecb_last == NULL);
11302 		probe->dtpr_predcache = DTRACE_CACHEIDNONE;
11303 		prov->dtpv_pops.dtps_disable(prov->dtpv_arg,
11304 		    probe->dtpr_id, probe->dtpr_arg);
11305 		dtrace_sync();
11306 	} else {
11307 		/*
11308 		 * There is at least one ECB remaining on the probe.  If there
11309 		 * is _exactly_ one, set the probe's predicate cache ID to be
11310 		 * the predicate cache ID of the remaining ECB.
11311 		 */
11312 		ASSERT(probe->dtpr_ecb_last != NULL);
11313 		ASSERT(probe->dtpr_predcache == DTRACE_CACHEIDNONE);
11314 
11315 		if (probe->dtpr_ecb == probe->dtpr_ecb_last) {
11316 			dtrace_predicate_t *p = probe->dtpr_ecb->dte_predicate;
11317 
11318 			ASSERT(probe->dtpr_ecb->dte_next == NULL);
11319 
11320 			if (p != NULL)
11321 				probe->dtpr_predcache = p->dtp_cacheid;
11322 		}
11323 
11324 		ecb->dte_next = NULL;
11325 	}
11326 }
11327 
11328 static void
11329 dtrace_ecb_destroy(dtrace_ecb_t *ecb)
11330 {
11331 	dtrace_state_t *state = ecb->dte_state;
11332 	dtrace_vstate_t *vstate = &state->dts_vstate;
11333 	dtrace_predicate_t *pred;
11334 	dtrace_epid_t epid = ecb->dte_epid;
11335 
11336 	ASSERT(MUTEX_HELD(&dtrace_lock));
11337 	ASSERT(ecb->dte_next == NULL);
11338 	ASSERT(ecb->dte_probe == NULL || ecb->dte_probe->dtpr_ecb != ecb);
11339 
11340 	if ((pred = ecb->dte_predicate) != NULL)
11341 		dtrace_predicate_release(pred, vstate);
11342 
11343 	dtrace_ecb_action_remove(ecb);
11344 
11345 	ASSERT(state->dts_ecbs[epid - 1] == ecb);
11346 	state->dts_ecbs[epid - 1] = NULL;
11347 
11348 	kmem_free(ecb, sizeof (dtrace_ecb_t));
11349 }
11350 
11351 static dtrace_ecb_t *
11352 dtrace_ecb_create(dtrace_state_t *state, dtrace_probe_t *probe,
11353     dtrace_enabling_t *enab)
11354 {
11355 	dtrace_ecb_t *ecb;
11356 	dtrace_predicate_t *pred;
11357 	dtrace_actdesc_t *act;
11358 	dtrace_provider_t *prov;
11359 	dtrace_ecbdesc_t *desc = enab->dten_current;
11360 
11361 	ASSERT(MUTEX_HELD(&dtrace_lock));
11362 	ASSERT(state != NULL);
11363 
11364 	ecb = dtrace_ecb_add(state, probe);
11365 	ecb->dte_uarg = desc->dted_uarg;
11366 
11367 	if ((pred = desc->dted_pred.dtpdd_predicate) != NULL) {
11368 		dtrace_predicate_hold(pred);
11369 		ecb->dte_predicate = pred;
11370 	}
11371 
11372 	if (probe != NULL) {
11373 		/*
11374 		 * If the provider shows more leg than the consumer is old
11375 		 * enough to see, we need to enable the appropriate implicit
11376 		 * predicate bits to prevent the ecb from activating at
11377 		 * revealing times.
11378 		 *
11379 		 * Providers specifying DTRACE_PRIV_USER at register time
11380 		 * are stating that they need the /proc-style privilege
11381 		 * model to be enforced, and this is what DTRACE_COND_OWNER
11382 		 * and DTRACE_COND_ZONEOWNER will then do at probe time.
11383 		 */
11384 		prov = probe->dtpr_provider;
11385 		if (!(state->dts_cred.dcr_visible & DTRACE_CRV_ALLPROC) &&
11386 		    (prov->dtpv_priv.dtpp_flags & DTRACE_PRIV_USER))
11387 			ecb->dte_cond |= DTRACE_COND_OWNER;
11388 
11389 		if (!(state->dts_cred.dcr_visible & DTRACE_CRV_ALLZONE) &&
11390 		    (prov->dtpv_priv.dtpp_flags & DTRACE_PRIV_USER))
11391 			ecb->dte_cond |= DTRACE_COND_ZONEOWNER;
11392 
11393 		/*
11394 		 * If the provider shows us kernel innards and the user
11395 		 * is lacking sufficient privilege, enable the
11396 		 * DTRACE_COND_USERMODE implicit predicate.
11397 		 */
11398 		if (!(state->dts_cred.dcr_visible & DTRACE_CRV_KERNEL) &&
11399 		    (prov->dtpv_priv.dtpp_flags & DTRACE_PRIV_KERNEL))
11400 			ecb->dte_cond |= DTRACE_COND_USERMODE;
11401 	}
11402 
11403 	if (dtrace_ecb_create_cache != NULL) {
11404 		/*
11405 		 * If we have a cached ecb, we'll use its action list instead
11406 		 * of creating our own (saving both time and space).
11407 		 */
11408 		dtrace_ecb_t *cached = dtrace_ecb_create_cache;
11409 		dtrace_action_t *act = cached->dte_action;
11410 
11411 		if (act != NULL) {
11412 			ASSERT(act->dta_refcnt > 0);
11413 			act->dta_refcnt++;
11414 			ecb->dte_action = act;
11415 			ecb->dte_action_last = cached->dte_action_last;
11416 			ecb->dte_needed = cached->dte_needed;
11417 			ecb->dte_size = cached->dte_size;
11418 			ecb->dte_alignment = cached->dte_alignment;
11419 		}
11420 
11421 		return (ecb);
11422 	}
11423 
11424 	for (act = desc->dted_action; act != NULL; act = act->dtad_next) {
11425 		if ((enab->dten_error = dtrace_ecb_action_add(ecb, act)) != 0) {
11426 			dtrace_ecb_destroy(ecb);
11427 			return (NULL);
11428 		}
11429 	}
11430 
11431 	if ((enab->dten_error = dtrace_ecb_resize(ecb)) != 0) {
11432 		dtrace_ecb_destroy(ecb);
11433 		return (NULL);
11434 	}
11435 
11436 	return (dtrace_ecb_create_cache = ecb);
11437 }
11438 
11439 static int
11440 dtrace_ecb_create_enable(dtrace_probe_t *probe, void *arg)
11441 {
11442 	dtrace_ecb_t *ecb;
11443 	dtrace_enabling_t *enab = arg;
11444 	dtrace_state_t *state = enab->dten_vstate->dtvs_state;
11445 
11446 	ASSERT(state != NULL);
11447 
11448 	if (probe != NULL && probe->dtpr_gen < enab->dten_probegen) {
11449 		/*
11450 		 * This probe was created in a generation for which this
11451 		 * enabling has previously created ECBs; we don't want to
11452 		 * enable it again, so just kick out.
11453 		 */
11454 		return (DTRACE_MATCH_NEXT);
11455 	}
11456 
11457 	if ((ecb = dtrace_ecb_create(state, probe, enab)) == NULL)
11458 		return (DTRACE_MATCH_DONE);
11459 
11460 	if (dtrace_ecb_enable(ecb) < 0)
11461 		return (DTRACE_MATCH_FAIL);
11462 
11463 	return (DTRACE_MATCH_NEXT);
11464 }
11465 
11466 static dtrace_ecb_t *
11467 dtrace_epid2ecb(dtrace_state_t *state, dtrace_epid_t id)
11468 {
11469 	dtrace_ecb_t *ecb;
11470 
11471 	ASSERT(MUTEX_HELD(&dtrace_lock));
11472 
11473 	if (id == 0 || id > state->dts_necbs)
11474 		return (NULL);
11475 
11476 	ASSERT(state->dts_necbs > 0 && state->dts_ecbs != NULL);
11477 	ASSERT((ecb = state->dts_ecbs[id - 1]) == NULL || ecb->dte_epid == id);
11478 
11479 	return (state->dts_ecbs[id - 1]);
11480 }
11481 
11482 static dtrace_aggregation_t *
11483 dtrace_aggid2agg(dtrace_state_t *state, dtrace_aggid_t id)
11484 {
11485 	dtrace_aggregation_t *agg;
11486 
11487 	ASSERT(MUTEX_HELD(&dtrace_lock));
11488 
11489 	if (id == 0 || id > state->dts_naggregations)
11490 		return (NULL);
11491 
11492 	ASSERT(state->dts_naggregations > 0 && state->dts_aggregations != NULL);
11493 	ASSERT((agg = state->dts_aggregations[id - 1]) == NULL ||
11494 	    agg->dtag_id == id);
11495 
11496 	return (state->dts_aggregations[id - 1]);
11497 }
11498 
11499 /*
11500  * DTrace Buffer Functions
11501  *
11502  * The following functions manipulate DTrace buffers.  Most of these functions
11503  * are called in the context of establishing or processing consumer state;
11504  * exceptions are explicitly noted.
11505  */
11506 
11507 /*
11508  * Note:  called from cross call context.  This function switches the two
11509  * buffers on a given CPU.  The atomicity of this operation is assured by
11510  * disabling interrupts while the actual switch takes place; the disabling of
11511  * interrupts serializes the execution with any execution of dtrace_probe() on
11512  * the same CPU.
11513  */
11514 static void
11515 dtrace_buffer_switch(dtrace_buffer_t *buf)
11516 {
11517 	caddr_t tomax = buf->dtb_tomax;
11518 	caddr_t xamot = buf->dtb_xamot;
11519 	dtrace_icookie_t cookie;
11520 	hrtime_t now;
11521 
11522 	ASSERT(!(buf->dtb_flags & DTRACEBUF_NOSWITCH));
11523 	ASSERT(!(buf->dtb_flags & DTRACEBUF_RING));
11524 
11525 	cookie = dtrace_interrupt_disable();
11526 	now = dtrace_gethrtime();
11527 	buf->dtb_tomax = xamot;
11528 	buf->dtb_xamot = tomax;
11529 	buf->dtb_xamot_drops = buf->dtb_drops;
11530 	buf->dtb_xamot_offset = buf->dtb_offset;
11531 	buf->dtb_xamot_errors = buf->dtb_errors;
11532 	buf->dtb_xamot_flags = buf->dtb_flags;
11533 	buf->dtb_offset = 0;
11534 	buf->dtb_drops = 0;
11535 	buf->dtb_errors = 0;
11536 	buf->dtb_flags &= ~(DTRACEBUF_ERROR | DTRACEBUF_DROPPED);
11537 	buf->dtb_interval = now - buf->dtb_switched;
11538 	buf->dtb_switched = now;
11539 	dtrace_interrupt_enable(cookie);
11540 }
11541 
11542 /*
11543  * Note:  called from cross call context.  This function activates a buffer
11544  * on a CPU.  As with dtrace_buffer_switch(), the atomicity of the operation
11545  * is guaranteed by the disabling of interrupts.
11546  */
11547 static void
11548 dtrace_buffer_activate(dtrace_state_t *state)
11549 {
11550 	dtrace_buffer_t *buf;
11551 	dtrace_icookie_t cookie = dtrace_interrupt_disable();
11552 
11553 	buf = &state->dts_buffer[CPU->cpu_id];
11554 
11555 	if (buf->dtb_tomax != NULL) {
11556 		/*
11557 		 * We might like to assert that the buffer is marked inactive,
11558 		 * but this isn't necessarily true:  the buffer for the CPU
11559 		 * that processes the BEGIN probe has its buffer activated
11560 		 * manually.  In this case, we take the (harmless) action
11561 		 * re-clearing the bit INACTIVE bit.
11562 		 */
11563 		buf->dtb_flags &= ~DTRACEBUF_INACTIVE;
11564 	}
11565 
11566 	dtrace_interrupt_enable(cookie);
11567 }
11568 
11569 static int
11570 dtrace_buffer_alloc(dtrace_buffer_t *bufs, size_t size, int flags,
11571     processorid_t cpu, int *factor)
11572 {
11573 	cpu_t *cp;
11574 	dtrace_buffer_t *buf;
11575 	int allocated = 0, desired = 0;
11576 
11577 	ASSERT(MUTEX_HELD(&cpu_lock));
11578 	ASSERT(MUTEX_HELD(&dtrace_lock));
11579 
11580 	*factor = 1;
11581 
11582 	if (size > dtrace_nonroot_maxsize &&
11583 	    !PRIV_POLICY_CHOICE(CRED(), PRIV_ALL, B_FALSE))
11584 		return (EFBIG);
11585 
11586 	cp = cpu_list;
11587 
11588 	do {
11589 		if (cpu != DTRACE_CPUALL && cpu != cp->cpu_id)
11590 			continue;
11591 
11592 		buf = &bufs[cp->cpu_id];
11593 
11594 		/*
11595 		 * If there is already a buffer allocated for this CPU, it
11596 		 * is only possible that this is a DR event.  In this case,
11597 		 * the buffer size must match our specified size.
11598 		 */
11599 		if (buf->dtb_tomax != NULL) {
11600 			ASSERT(buf->dtb_size == size);
11601 			continue;
11602 		}
11603 
11604 		ASSERT(buf->dtb_xamot == NULL);
11605 
11606 		if ((buf->dtb_tomax = kmem_zalloc(size,
11607 		    KM_NOSLEEP | KM_NORMALPRI)) == NULL)
11608 			goto err;
11609 
11610 		buf->dtb_size = size;
11611 		buf->dtb_flags = flags;
11612 		buf->dtb_offset = 0;
11613 		buf->dtb_drops = 0;
11614 
11615 		if (flags & DTRACEBUF_NOSWITCH)
11616 			continue;
11617 
11618 		if ((buf->dtb_xamot = kmem_zalloc(size,
11619 		    KM_NOSLEEP | KM_NORMALPRI)) == NULL)
11620 			goto err;
11621 	} while ((cp = cp->cpu_next) != cpu_list);
11622 
11623 	return (0);
11624 
11625 err:
11626 	cp = cpu_list;
11627 
11628 	do {
11629 		if (cpu != DTRACE_CPUALL && cpu != cp->cpu_id)
11630 			continue;
11631 
11632 		buf = &bufs[cp->cpu_id];
11633 		desired += 2;
11634 
11635 		if (buf->dtb_xamot != NULL) {
11636 			ASSERT(buf->dtb_tomax != NULL);
11637 			ASSERT(buf->dtb_size == size);
11638 			kmem_free(buf->dtb_xamot, size);
11639 			allocated++;
11640 		}
11641 
11642 		if (buf->dtb_tomax != NULL) {
11643 			ASSERT(buf->dtb_size == size);
11644 			kmem_free(buf->dtb_tomax, size);
11645 			allocated++;
11646 		}
11647 
11648 		buf->dtb_tomax = NULL;
11649 		buf->dtb_xamot = NULL;
11650 		buf->dtb_size = 0;
11651 	} while ((cp = cp->cpu_next) != cpu_list);
11652 
11653 	*factor = desired / (allocated > 0 ? allocated : 1);
11654 
11655 	return (ENOMEM);
11656 }
11657 
11658 /*
11659  * Note:  called from probe context.  This function just increments the drop
11660  * count on a buffer.  It has been made a function to allow for the
11661  * possibility of understanding the source of mysterious drop counts.  (A
11662  * problem for which one may be particularly disappointed that DTrace cannot
11663  * be used to understand DTrace.)
11664  */
11665 static void
11666 dtrace_buffer_drop(dtrace_buffer_t *buf)
11667 {
11668 	buf->dtb_drops++;
11669 }
11670 
11671 /*
11672  * Note:  called from probe context.  This function is called to reserve space
11673  * in a buffer.  If mstate is non-NULL, sets the scratch base and size in the
11674  * mstate.  Returns the new offset in the buffer, or a negative value if an
11675  * error has occurred.
11676  */
11677 static intptr_t
11678 dtrace_buffer_reserve(dtrace_buffer_t *buf, size_t needed, size_t align,
11679     dtrace_state_t *state, dtrace_mstate_t *mstate)
11680 {
11681 	intptr_t offs = buf->dtb_offset, soffs;
11682 	intptr_t woffs;
11683 	caddr_t tomax;
11684 	size_t total;
11685 
11686 	if (buf->dtb_flags & DTRACEBUF_INACTIVE)
11687 		return (-1);
11688 
11689 	if ((tomax = buf->dtb_tomax) == NULL) {
11690 		dtrace_buffer_drop(buf);
11691 		return (-1);
11692 	}
11693 
11694 	if (!(buf->dtb_flags & (DTRACEBUF_RING | DTRACEBUF_FILL))) {
11695 		while (offs & (align - 1)) {
11696 			/*
11697 			 * Assert that our alignment is off by a number which
11698 			 * is itself sizeof (uint32_t) aligned.
11699 			 */
11700 			ASSERT(!((align - (offs & (align - 1))) &
11701 			    (sizeof (uint32_t) - 1)));
11702 			DTRACE_STORE(uint32_t, tomax, offs, DTRACE_EPIDNONE);
11703 			offs += sizeof (uint32_t);
11704 		}
11705 
11706 		if ((soffs = offs + needed) > buf->dtb_size) {
11707 			dtrace_buffer_drop(buf);
11708 			return (-1);
11709 		}
11710 
11711 		if (mstate == NULL)
11712 			return (offs);
11713 
11714 		mstate->dtms_scratch_base = (uintptr_t)tomax + soffs;
11715 		mstate->dtms_scratch_size = buf->dtb_size - soffs;
11716 		mstate->dtms_scratch_ptr = mstate->dtms_scratch_base;
11717 
11718 		return (offs);
11719 	}
11720 
11721 	if (buf->dtb_flags & DTRACEBUF_FILL) {
11722 		if (state->dts_activity != DTRACE_ACTIVITY_COOLDOWN &&
11723 		    (buf->dtb_flags & DTRACEBUF_FULL))
11724 			return (-1);
11725 		goto out;
11726 	}
11727 
11728 	total = needed + (offs & (align - 1));
11729 
11730 	/*
11731 	 * For a ring buffer, life is quite a bit more complicated.  Before
11732 	 * we can store any padding, we need to adjust our wrapping offset.
11733 	 * (If we've never before wrapped or we're not about to, no adjustment
11734 	 * is required.)
11735 	 */
11736 	if ((buf->dtb_flags & DTRACEBUF_WRAPPED) ||
11737 	    offs + total > buf->dtb_size) {
11738 		woffs = buf->dtb_xamot_offset;
11739 
11740 		if (offs + total > buf->dtb_size) {
11741 			/*
11742 			 * We can't fit in the end of the buffer.  First, a
11743 			 * sanity check that we can fit in the buffer at all.
11744 			 */
11745 			if (total > buf->dtb_size) {
11746 				dtrace_buffer_drop(buf);
11747 				return (-1);
11748 			}
11749 
11750 			/*
11751 			 * We're going to be storing at the top of the buffer,
11752 			 * so now we need to deal with the wrapped offset.  We
11753 			 * only reset our wrapped offset to 0 if it is
11754 			 * currently greater than the current offset.  If it
11755 			 * is less than the current offset, it is because a
11756 			 * previous allocation induced a wrap -- but the
11757 			 * allocation didn't subsequently take the space due
11758 			 * to an error or false predicate evaluation.  In this
11759 			 * case, we'll just leave the wrapped offset alone: if
11760 			 * the wrapped offset hasn't been advanced far enough
11761 			 * for this allocation, it will be adjusted in the
11762 			 * lower loop.
11763 			 */
11764 			if (buf->dtb_flags & DTRACEBUF_WRAPPED) {
11765 				if (woffs >= offs)
11766 					woffs = 0;
11767 			} else {
11768 				woffs = 0;
11769 			}
11770 
11771 			/*
11772 			 * Now we know that we're going to be storing to the
11773 			 * top of the buffer and that there is room for us
11774 			 * there.  We need to clear the buffer from the current
11775 			 * offset to the end (there may be old gunk there).
11776 			 */
11777 			while (offs < buf->dtb_size)
11778 				tomax[offs++] = 0;
11779 
11780 			/*
11781 			 * We need to set our offset to zero.  And because we
11782 			 * are wrapping, we need to set the bit indicating as
11783 			 * much.  We can also adjust our needed space back
11784 			 * down to the space required by the ECB -- we know
11785 			 * that the top of the buffer is aligned.
11786 			 */
11787 			offs = 0;
11788 			total = needed;
11789 			buf->dtb_flags |= DTRACEBUF_WRAPPED;
11790 		} else {
11791 			/*
11792 			 * There is room for us in the buffer, so we simply
11793 			 * need to check the wrapped offset.
11794 			 */
11795 			if (woffs < offs) {
11796 				/*
11797 				 * The wrapped offset is less than the offset.
11798 				 * This can happen if we allocated buffer space
11799 				 * that induced a wrap, but then we didn't
11800 				 * subsequently take the space due to an error
11801 				 * or false predicate evaluation.  This is
11802 				 * okay; we know that _this_ allocation isn't
11803 				 * going to induce a wrap.  We still can't
11804 				 * reset the wrapped offset to be zero,
11805 				 * however: the space may have been trashed in
11806 				 * the previous failed probe attempt.  But at
11807 				 * least the wrapped offset doesn't need to
11808 				 * be adjusted at all...
11809 				 */
11810 				goto out;
11811 			}
11812 		}
11813 
11814 		while (offs + total > woffs) {
11815 			dtrace_epid_t epid = *(uint32_t *)(tomax + woffs);
11816 			size_t size;
11817 
11818 			if (epid == DTRACE_EPIDNONE) {
11819 				size = sizeof (uint32_t);
11820 			} else {
11821 				ASSERT3U(epid, <=, state->dts_necbs);
11822 				ASSERT(state->dts_ecbs[epid - 1] != NULL);
11823 
11824 				size = state->dts_ecbs[epid - 1]->dte_size;
11825 			}
11826 
11827 			ASSERT(woffs + size <= buf->dtb_size);
11828 			ASSERT(size != 0);
11829 
11830 			if (woffs + size == buf->dtb_size) {
11831 				/*
11832 				 * We've reached the end of the buffer; we want
11833 				 * to set the wrapped offset to 0 and break
11834 				 * out.  However, if the offs is 0, then we're
11835 				 * in a strange edge-condition:  the amount of
11836 				 * space that we want to reserve plus the size
11837 				 * of the record that we're overwriting is
11838 				 * greater than the size of the buffer.  This
11839 				 * is problematic because if we reserve the
11840 				 * space but subsequently don't consume it (due
11841 				 * to a failed predicate or error) the wrapped
11842 				 * offset will be 0 -- yet the EPID at offset 0
11843 				 * will not be committed.  This situation is
11844 				 * relatively easy to deal with:  if we're in
11845 				 * this case, the buffer is indistinguishable
11846 				 * from one that hasn't wrapped; we need only
11847 				 * finish the job by clearing the wrapped bit,
11848 				 * explicitly setting the offset to be 0, and
11849 				 * zero'ing out the old data in the buffer.
11850 				 */
11851 				if (offs == 0) {
11852 					buf->dtb_flags &= ~DTRACEBUF_WRAPPED;
11853 					buf->dtb_offset = 0;
11854 					woffs = total;
11855 
11856 					while (woffs < buf->dtb_size)
11857 						tomax[woffs++] = 0;
11858 				}
11859 
11860 				woffs = 0;
11861 				break;
11862 			}
11863 
11864 			woffs += size;
11865 		}
11866 
11867 		/*
11868 		 * We have a wrapped offset.  It may be that the wrapped offset
11869 		 * has become zero -- that's okay.
11870 		 */
11871 		buf->dtb_xamot_offset = woffs;
11872 	}
11873 
11874 out:
11875 	/*
11876 	 * Now we can plow the buffer with any necessary padding.
11877 	 */
11878 	while (offs & (align - 1)) {
11879 		/*
11880 		 * Assert that our alignment is off by a number which
11881 		 * is itself sizeof (uint32_t) aligned.
11882 		 */
11883 		ASSERT(!((align - (offs & (align - 1))) &
11884 		    (sizeof (uint32_t) - 1)));
11885 		DTRACE_STORE(uint32_t, tomax, offs, DTRACE_EPIDNONE);
11886 		offs += sizeof (uint32_t);
11887 	}
11888 
11889 	if (buf->dtb_flags & DTRACEBUF_FILL) {
11890 		if (offs + needed > buf->dtb_size - state->dts_reserve) {
11891 			buf->dtb_flags |= DTRACEBUF_FULL;
11892 			return (-1);
11893 		}
11894 	}
11895 
11896 	if (mstate == NULL)
11897 		return (offs);
11898 
11899 	/*
11900 	 * For ring buffers and fill buffers, the scratch space is always
11901 	 * the inactive buffer.
11902 	 */
11903 	mstate->dtms_scratch_base = (uintptr_t)buf->dtb_xamot;
11904 	mstate->dtms_scratch_size = buf->dtb_size;
11905 	mstate->dtms_scratch_ptr = mstate->dtms_scratch_base;
11906 
11907 	return (offs);
11908 }
11909 
11910 static void
11911 dtrace_buffer_polish(dtrace_buffer_t *buf)
11912 {
11913 	ASSERT(buf->dtb_flags & DTRACEBUF_RING);
11914 	ASSERT(MUTEX_HELD(&dtrace_lock));
11915 
11916 	if (!(buf->dtb_flags & DTRACEBUF_WRAPPED))
11917 		return;
11918 
11919 	/*
11920 	 * We need to polish the ring buffer.  There are three cases:
11921 	 *
11922 	 * - The first (and presumably most common) is that there is no gap
11923 	 *   between the buffer offset and the wrapped offset.  In this case,
11924 	 *   there is nothing in the buffer that isn't valid data; we can
11925 	 *   mark the buffer as polished and return.
11926 	 *
11927 	 * - The second (less common than the first but still more common
11928 	 *   than the third) is that there is a gap between the buffer offset
11929 	 *   and the wrapped offset, and the wrapped offset is larger than the
11930 	 *   buffer offset.  This can happen because of an alignment issue, or
11931 	 *   can happen because of a call to dtrace_buffer_reserve() that
11932 	 *   didn't subsequently consume the buffer space.  In this case,
11933 	 *   we need to zero the data from the buffer offset to the wrapped
11934 	 *   offset.
11935 	 *
11936 	 * - The third (and least common) is that there is a gap between the
11937 	 *   buffer offset and the wrapped offset, but the wrapped offset is
11938 	 *   _less_ than the buffer offset.  This can only happen because a
11939 	 *   call to dtrace_buffer_reserve() induced a wrap, but the space
11940 	 *   was not subsequently consumed.  In this case, we need to zero the
11941 	 *   space from the offset to the end of the buffer _and_ from the
11942 	 *   top of the buffer to the wrapped offset.
11943 	 */
11944 	if (buf->dtb_offset < buf->dtb_xamot_offset) {
11945 		bzero(buf->dtb_tomax + buf->dtb_offset,
11946 		    buf->dtb_xamot_offset - buf->dtb_offset);
11947 	}
11948 
11949 	if (buf->dtb_offset > buf->dtb_xamot_offset) {
11950 		bzero(buf->dtb_tomax + buf->dtb_offset,
11951 		    buf->dtb_size - buf->dtb_offset);
11952 		bzero(buf->dtb_tomax, buf->dtb_xamot_offset);
11953 	}
11954 }
11955 
11956 /*
11957  * This routine determines if data generated at the specified time has likely
11958  * been entirely consumed at user-level.  This routine is called to determine
11959  * if an ECB on a defunct probe (but for an active enabling) can be safely
11960  * disabled and destroyed.
11961  */
11962 static int
11963 dtrace_buffer_consumed(dtrace_buffer_t *bufs, hrtime_t when)
11964 {
11965 	int i;
11966 
11967 	for (i = 0; i < NCPU; i++) {
11968 		dtrace_buffer_t *buf = &bufs[i];
11969 
11970 		if (buf->dtb_size == 0)
11971 			continue;
11972 
11973 		if (buf->dtb_flags & DTRACEBUF_RING)
11974 			return (0);
11975 
11976 		if (!buf->dtb_switched && buf->dtb_offset != 0)
11977 			return (0);
11978 
11979 		if (buf->dtb_switched - buf->dtb_interval < when)
11980 			return (0);
11981 	}
11982 
11983 	return (1);
11984 }
11985 
11986 static void
11987 dtrace_buffer_free(dtrace_buffer_t *bufs)
11988 {
11989 	int i;
11990 
11991 	for (i = 0; i < NCPU; i++) {
11992 		dtrace_buffer_t *buf = &bufs[i];
11993 
11994 		if (buf->dtb_tomax == NULL) {
11995 			ASSERT(buf->dtb_xamot == NULL);
11996 			ASSERT(buf->dtb_size == 0);
11997 			continue;
11998 		}
11999 
12000 		if (buf->dtb_xamot != NULL) {
12001 			ASSERT(!(buf->dtb_flags & DTRACEBUF_NOSWITCH));
12002 			kmem_free(buf->dtb_xamot, buf->dtb_size);
12003 		}
12004 
12005 		kmem_free(buf->dtb_tomax, buf->dtb_size);
12006 		buf->dtb_size = 0;
12007 		buf->dtb_tomax = NULL;
12008 		buf->dtb_xamot = NULL;
12009 	}
12010 }
12011 
12012 /*
12013  * DTrace Enabling Functions
12014  */
12015 static dtrace_enabling_t *
12016 dtrace_enabling_create(dtrace_vstate_t *vstate)
12017 {
12018 	dtrace_enabling_t *enab;
12019 
12020 	enab = kmem_zalloc(sizeof (dtrace_enabling_t), KM_SLEEP);
12021 	enab->dten_vstate = vstate;
12022 
12023 	return (enab);
12024 }
12025 
12026 static void
12027 dtrace_enabling_add(dtrace_enabling_t *enab, dtrace_ecbdesc_t *ecb)
12028 {
12029 	dtrace_ecbdesc_t **ndesc;
12030 	size_t osize, nsize;
12031 
12032 	/*
12033 	 * We can't add to enablings after we've enabled them, or after we've
12034 	 * retained them.
12035 	 */
12036 	ASSERT(enab->dten_probegen == 0);
12037 	ASSERT(enab->dten_next == NULL && enab->dten_prev == NULL);
12038 
12039 	if (enab->dten_ndesc < enab->dten_maxdesc) {
12040 		enab->dten_desc[enab->dten_ndesc++] = ecb;
12041 		return;
12042 	}
12043 
12044 	osize = enab->dten_maxdesc * sizeof (dtrace_enabling_t *);
12045 
12046 	if (enab->dten_maxdesc == 0) {
12047 		enab->dten_maxdesc = 1;
12048 	} else {
12049 		enab->dten_maxdesc <<= 1;
12050 	}
12051 
12052 	ASSERT(enab->dten_ndesc < enab->dten_maxdesc);
12053 
12054 	nsize = enab->dten_maxdesc * sizeof (dtrace_enabling_t *);
12055 	ndesc = kmem_zalloc(nsize, KM_SLEEP);
12056 	bcopy(enab->dten_desc, ndesc, osize);
12057 	kmem_free(enab->dten_desc, osize);
12058 
12059 	enab->dten_desc = ndesc;
12060 	enab->dten_desc[enab->dten_ndesc++] = ecb;
12061 }
12062 
12063 static void
12064 dtrace_enabling_addlike(dtrace_enabling_t *enab, dtrace_ecbdesc_t *ecb,
12065     dtrace_probedesc_t *pd)
12066 {
12067 	dtrace_ecbdesc_t *new;
12068 	dtrace_predicate_t *pred;
12069 	dtrace_actdesc_t *act;
12070 
12071 	/*
12072 	 * We're going to create a new ECB description that matches the
12073 	 * specified ECB in every way, but has the specified probe description.
12074 	 */
12075 	new = kmem_zalloc(sizeof (dtrace_ecbdesc_t), KM_SLEEP);
12076 
12077 	if ((pred = ecb->dted_pred.dtpdd_predicate) != NULL)
12078 		dtrace_predicate_hold(pred);
12079 
12080 	for (act = ecb->dted_action; act != NULL; act = act->dtad_next)
12081 		dtrace_actdesc_hold(act);
12082 
12083 	new->dted_action = ecb->dted_action;
12084 	new->dted_pred = ecb->dted_pred;
12085 	new->dted_probe = *pd;
12086 	new->dted_uarg = ecb->dted_uarg;
12087 
12088 	dtrace_enabling_add(enab, new);
12089 }
12090 
12091 static void
12092 dtrace_enabling_dump(dtrace_enabling_t *enab)
12093 {
12094 	int i;
12095 
12096 	for (i = 0; i < enab->dten_ndesc; i++) {
12097 		dtrace_probedesc_t *desc = &enab->dten_desc[i]->dted_probe;
12098 
12099 		cmn_err(CE_NOTE, "enabling probe %d (%s:%s:%s:%s)", i,
12100 		    desc->dtpd_provider, desc->dtpd_mod,
12101 		    desc->dtpd_func, desc->dtpd_name);
12102 	}
12103 }
12104 
12105 static void
12106 dtrace_enabling_destroy(dtrace_enabling_t *enab)
12107 {
12108 	int i;
12109 	dtrace_ecbdesc_t *ep;
12110 	dtrace_vstate_t *vstate = enab->dten_vstate;
12111 
12112 	ASSERT(MUTEX_HELD(&dtrace_lock));
12113 
12114 	for (i = 0; i < enab->dten_ndesc; i++) {
12115 		dtrace_actdesc_t *act, *next;
12116 		dtrace_predicate_t *pred;
12117 
12118 		ep = enab->dten_desc[i];
12119 
12120 		if ((pred = ep->dted_pred.dtpdd_predicate) != NULL)
12121 			dtrace_predicate_release(pred, vstate);
12122 
12123 		for (act = ep->dted_action; act != NULL; act = next) {
12124 			next = act->dtad_next;
12125 			dtrace_actdesc_release(act, vstate);
12126 		}
12127 
12128 		kmem_free(ep, sizeof (dtrace_ecbdesc_t));
12129 	}
12130 
12131 	kmem_free(enab->dten_desc,
12132 	    enab->dten_maxdesc * sizeof (dtrace_enabling_t *));
12133 
12134 	/*
12135 	 * If this was a retained enabling, decrement the dts_nretained count
12136 	 * and take it off of the dtrace_retained list.
12137 	 */
12138 	if (enab->dten_prev != NULL || enab->dten_next != NULL ||
12139 	    dtrace_retained == enab) {
12140 		ASSERT(enab->dten_vstate->dtvs_state != NULL);
12141 		ASSERT(enab->dten_vstate->dtvs_state->dts_nretained > 0);
12142 		enab->dten_vstate->dtvs_state->dts_nretained--;
12143 		dtrace_retained_gen++;
12144 	}
12145 
12146 	if (enab->dten_prev == NULL) {
12147 		if (dtrace_retained == enab) {
12148 			dtrace_retained = enab->dten_next;
12149 
12150 			if (dtrace_retained != NULL)
12151 				dtrace_retained->dten_prev = NULL;
12152 		}
12153 	} else {
12154 		ASSERT(enab != dtrace_retained);
12155 		ASSERT(dtrace_retained != NULL);
12156 		enab->dten_prev->dten_next = enab->dten_next;
12157 	}
12158 
12159 	if (enab->dten_next != NULL) {
12160 		ASSERT(dtrace_retained != NULL);
12161 		enab->dten_next->dten_prev = enab->dten_prev;
12162 	}
12163 
12164 	kmem_free(enab, sizeof (dtrace_enabling_t));
12165 }
12166 
12167 static int
12168 dtrace_enabling_retain(dtrace_enabling_t *enab)
12169 {
12170 	dtrace_state_t *state;
12171 
12172 	ASSERT(MUTEX_HELD(&dtrace_lock));
12173 	ASSERT(enab->dten_next == NULL && enab->dten_prev == NULL);
12174 	ASSERT(enab->dten_vstate != NULL);
12175 
12176 	state = enab->dten_vstate->dtvs_state;
12177 	ASSERT(state != NULL);
12178 
12179 	/*
12180 	 * We only allow each state to retain dtrace_retain_max enablings.
12181 	 */
12182 	if (state->dts_nretained >= dtrace_retain_max)
12183 		return (ENOSPC);
12184 
12185 	state->dts_nretained++;
12186 	dtrace_retained_gen++;
12187 
12188 	if (dtrace_retained == NULL) {
12189 		dtrace_retained = enab;
12190 		return (0);
12191 	}
12192 
12193 	enab->dten_next = dtrace_retained;
12194 	dtrace_retained->dten_prev = enab;
12195 	dtrace_retained = enab;
12196 
12197 	return (0);
12198 }
12199 
12200 static int
12201 dtrace_enabling_replicate(dtrace_state_t *state, dtrace_probedesc_t *match,
12202     dtrace_probedesc_t *create)
12203 {
12204 	dtrace_enabling_t *new, *enab;
12205 	int found = 0, err = ENOENT;
12206 
12207 	ASSERT(MUTEX_HELD(&dtrace_lock));
12208 	ASSERT(strlen(match->dtpd_provider) < DTRACE_PROVNAMELEN);
12209 	ASSERT(strlen(match->dtpd_mod) < DTRACE_MODNAMELEN);
12210 	ASSERT(strlen(match->dtpd_func) < DTRACE_FUNCNAMELEN);
12211 	ASSERT(strlen(match->dtpd_name) < DTRACE_NAMELEN);
12212 
12213 	new = dtrace_enabling_create(&state->dts_vstate);
12214 
12215 	/*
12216 	 * Iterate over all retained enablings, looking for enablings that
12217 	 * match the specified state.
12218 	 */
12219 	for (enab = dtrace_retained; enab != NULL; enab = enab->dten_next) {
12220 		int i;
12221 
12222 		/*
12223 		 * dtvs_state can only be NULL for helper enablings -- and
12224 		 * helper enablings can't be retained.
12225 		 */
12226 		ASSERT(enab->dten_vstate->dtvs_state != NULL);
12227 
12228 		if (enab->dten_vstate->dtvs_state != state)
12229 			continue;
12230 
12231 		/*
12232 		 * Now iterate over each probe description; we're looking for
12233 		 * an exact match to the specified probe description.
12234 		 */
12235 		for (i = 0; i < enab->dten_ndesc; i++) {
12236 			dtrace_ecbdesc_t *ep = enab->dten_desc[i];
12237 			dtrace_probedesc_t *pd = &ep->dted_probe;
12238 
12239 			if (strcmp(pd->dtpd_provider, match->dtpd_provider))
12240 				continue;
12241 
12242 			if (strcmp(pd->dtpd_mod, match->dtpd_mod))
12243 				continue;
12244 
12245 			if (strcmp(pd->dtpd_func, match->dtpd_func))
12246 				continue;
12247 
12248 			if (strcmp(pd->dtpd_name, match->dtpd_name))
12249 				continue;
12250 
12251 			/*
12252 			 * We have a winning probe!  Add it to our growing
12253 			 * enabling.
12254 			 */
12255 			found = 1;
12256 			dtrace_enabling_addlike(new, ep, create);
12257 		}
12258 	}
12259 
12260 	if (!found || (err = dtrace_enabling_retain(new)) != 0) {
12261 		dtrace_enabling_destroy(new);
12262 		return (err);
12263 	}
12264 
12265 	return (0);
12266 }
12267 
12268 static void
12269 dtrace_enabling_retract(dtrace_state_t *state)
12270 {
12271 	dtrace_enabling_t *enab, *next;
12272 
12273 	ASSERT(MUTEX_HELD(&dtrace_lock));
12274 
12275 	/*
12276 	 * Iterate over all retained enablings, destroy the enablings retained
12277 	 * for the specified state.
12278 	 */
12279 	for (enab = dtrace_retained; enab != NULL; enab = next) {
12280 		next = enab->dten_next;
12281 
12282 		/*
12283 		 * dtvs_state can only be NULL for helper enablings -- and
12284 		 * helper enablings can't be retained.
12285 		 */
12286 		ASSERT(enab->dten_vstate->dtvs_state != NULL);
12287 
12288 		if (enab->dten_vstate->dtvs_state == state) {
12289 			ASSERT(state->dts_nretained > 0);
12290 			dtrace_enabling_destroy(enab);
12291 		}
12292 	}
12293 
12294 	ASSERT(state->dts_nretained == 0);
12295 }
12296 
12297 static int
12298 dtrace_enabling_match(dtrace_enabling_t *enab, int *nmatched)
12299 {
12300 	int i = 0;
12301 	int total_matched = 0, matched = 0;
12302 
12303 	ASSERT(MUTEX_HELD(&cpu_lock));
12304 	ASSERT(MUTEX_HELD(&dtrace_lock));
12305 
12306 	for (i = 0; i < enab->dten_ndesc; i++) {
12307 		dtrace_ecbdesc_t *ep = enab->dten_desc[i];
12308 
12309 		enab->dten_current = ep;
12310 		enab->dten_error = 0;
12311 
12312 		/*
12313 		 * If a provider failed to enable a probe then get out and
12314 		 * let the consumer know we failed.
12315 		 */
12316 		if ((matched = dtrace_probe_enable(&ep->dted_probe, enab)) < 0)
12317 			return (EBUSY);
12318 
12319 		total_matched += matched;
12320 
12321 		if (enab->dten_error != 0) {
12322 			/*
12323 			 * If we get an error half-way through enabling the
12324 			 * probes, we kick out -- perhaps with some number of
12325 			 * them enabled.  Leaving enabled probes enabled may
12326 			 * be slightly confusing for user-level, but we expect
12327 			 * that no one will attempt to actually drive on in
12328 			 * the face of such errors.  If this is an anonymous
12329 			 * enabling (indicated with a NULL nmatched pointer),
12330 			 * we cmn_err() a message.  We aren't expecting to
12331 			 * get such an error -- such as it can exist at all,
12332 			 * it would be a result of corrupted DOF in the driver
12333 			 * properties.
12334 			 */
12335 			if (nmatched == NULL) {
12336 				cmn_err(CE_WARN, "dtrace_enabling_match() "
12337 				    "error on %p: %d", (void *)ep,
12338 				    enab->dten_error);
12339 			}
12340 
12341 			return (enab->dten_error);
12342 		}
12343 	}
12344 
12345 	enab->dten_probegen = dtrace_probegen;
12346 	if (nmatched != NULL)
12347 		*nmatched = total_matched;
12348 
12349 	return (0);
12350 }
12351 
12352 static void
12353 dtrace_enabling_matchall(void)
12354 {
12355 	dtrace_enabling_t *enab;
12356 
12357 	mutex_enter(&cpu_lock);
12358 	mutex_enter(&dtrace_lock);
12359 
12360 	/*
12361 	 * Iterate over all retained enablings to see if any probes match
12362 	 * against them.  We only perform this operation on enablings for which
12363 	 * we have sufficient permissions by virtue of being in the global zone
12364 	 * or in the same zone as the DTrace client.  Because we can be called
12365 	 * after dtrace_detach() has been called, we cannot assert that there
12366 	 * are retained enablings.  We can safely load from dtrace_retained,
12367 	 * however:  the taskq_destroy() at the end of dtrace_detach() will
12368 	 * block pending our completion.
12369 	 */
12370 	for (enab = dtrace_retained; enab != NULL; enab = enab->dten_next) {
12371 		dtrace_cred_t *dcr = &enab->dten_vstate->dtvs_state->dts_cred;
12372 		cred_t *cr = dcr->dcr_cred;
12373 		zoneid_t zone = cr != NULL ? crgetzoneid(cr) : 0;
12374 
12375 		if ((dcr->dcr_visible & DTRACE_CRV_ALLZONE) || (cr != NULL &&
12376 		    (zone == GLOBAL_ZONEID || getzoneid() == zone)))
12377 			(void) dtrace_enabling_match(enab, NULL);
12378 	}
12379 
12380 	mutex_exit(&dtrace_lock);
12381 	mutex_exit(&cpu_lock);
12382 }
12383 
12384 /*
12385  * If an enabling is to be enabled without having matched probes (that is, if
12386  * dtrace_state_go() is to be called on the underlying dtrace_state_t), the
12387  * enabling must be _primed_ by creating an ECB for every ECB description.
12388  * This must be done to assure that we know the number of speculations, the
12389  * number of aggregations, the minimum buffer size needed, etc. before we
12390  * transition out of DTRACE_ACTIVITY_INACTIVE.  To do this without actually
12391  * enabling any probes, we create ECBs for every ECB decription, but with a
12392  * NULL probe -- which is exactly what this function does.
12393  */
12394 static void
12395 dtrace_enabling_prime(dtrace_state_t *state)
12396 {
12397 	dtrace_enabling_t *enab;
12398 	int i;
12399 
12400 	for (enab = dtrace_retained; enab != NULL; enab = enab->dten_next) {
12401 		ASSERT(enab->dten_vstate->dtvs_state != NULL);
12402 
12403 		if (enab->dten_vstate->dtvs_state != state)
12404 			continue;
12405 
12406 		/*
12407 		 * We don't want to prime an enabling more than once, lest
12408 		 * we allow a malicious user to induce resource exhaustion.
12409 		 * (The ECBs that result from priming an enabling aren't
12410 		 * leaked -- but they also aren't deallocated until the
12411 		 * consumer state is destroyed.)
12412 		 */
12413 		if (enab->dten_primed)
12414 			continue;
12415 
12416 		for (i = 0; i < enab->dten_ndesc; i++) {
12417 			enab->dten_current = enab->dten_desc[i];
12418 			(void) dtrace_probe_enable(NULL, enab);
12419 		}
12420 
12421 		enab->dten_primed = 1;
12422 	}
12423 }
12424 
12425 /*
12426  * Called to indicate that probes should be provided due to retained
12427  * enablings.  This is implemented in terms of dtrace_probe_provide(), but it
12428  * must take an initial lap through the enabling calling the dtps_provide()
12429  * entry point explicitly to allow for autocreated probes.
12430  */
12431 static void
12432 dtrace_enabling_provide(dtrace_provider_t *prv)
12433 {
12434 	int i, all = 0;
12435 	dtrace_probedesc_t desc;
12436 	dtrace_genid_t gen;
12437 
12438 	ASSERT(MUTEX_HELD(&dtrace_lock));
12439 	ASSERT(MUTEX_HELD(&dtrace_provider_lock));
12440 
12441 	if (prv == NULL) {
12442 		all = 1;
12443 		prv = dtrace_provider;
12444 	}
12445 
12446 	do {
12447 		dtrace_enabling_t *enab;
12448 		void *parg = prv->dtpv_arg;
12449 
12450 retry:
12451 		gen = dtrace_retained_gen;
12452 		for (enab = dtrace_retained; enab != NULL;
12453 		    enab = enab->dten_next) {
12454 			for (i = 0; i < enab->dten_ndesc; i++) {
12455 				desc = enab->dten_desc[i]->dted_probe;
12456 				mutex_exit(&dtrace_lock);
12457 				prv->dtpv_pops.dtps_provide(parg, &desc);
12458 				mutex_enter(&dtrace_lock);
12459 				/*
12460 				 * Process the retained enablings again if
12461 				 * they have changed while we weren't holding
12462 				 * dtrace_lock.
12463 				 */
12464 				if (gen != dtrace_retained_gen)
12465 					goto retry;
12466 			}
12467 		}
12468 	} while (all && (prv = prv->dtpv_next) != NULL);
12469 
12470 	mutex_exit(&dtrace_lock);
12471 	dtrace_probe_provide(NULL, all ? NULL : prv);
12472 	mutex_enter(&dtrace_lock);
12473 }
12474 
12475 /*
12476  * Called to reap ECBs that are attached to probes from defunct providers.
12477  */
12478 static void
12479 dtrace_enabling_reap(void)
12480 {
12481 	dtrace_provider_t *prov;
12482 	dtrace_probe_t *probe;
12483 	dtrace_ecb_t *ecb;
12484 	hrtime_t when;
12485 	int i;
12486 
12487 	mutex_enter(&cpu_lock);
12488 	mutex_enter(&dtrace_lock);
12489 
12490 	for (i = 0; i < dtrace_nprobes; i++) {
12491 		if ((probe = dtrace_probes[i]) == NULL)
12492 			continue;
12493 
12494 		if (probe->dtpr_ecb == NULL)
12495 			continue;
12496 
12497 		prov = probe->dtpr_provider;
12498 
12499 		if ((when = prov->dtpv_defunct) == 0)
12500 			continue;
12501 
12502 		/*
12503 		 * We have ECBs on a defunct provider:  we want to reap these
12504 		 * ECBs to allow the provider to unregister.  The destruction
12505 		 * of these ECBs must be done carefully:  if we destroy the ECB
12506 		 * and the consumer later wishes to consume an EPID that
12507 		 * corresponds to the destroyed ECB (and if the EPID metadata
12508 		 * has not been previously consumed), the consumer will abort
12509 		 * processing on the unknown EPID.  To reduce (but not, sadly,
12510 		 * eliminate) the possibility of this, we will only destroy an
12511 		 * ECB for a defunct provider if, for the state that
12512 		 * corresponds to the ECB:
12513 		 *
12514 		 *  (a)	There is no speculative tracing (which can effectively
12515 		 *	cache an EPID for an arbitrary amount of time).
12516 		 *
12517 		 *  (b)	The principal buffers have been switched twice since the
12518 		 *	provider became defunct.
12519 		 *
12520 		 *  (c)	The aggregation buffers are of zero size or have been
12521 		 *	switched twice since the provider became defunct.
12522 		 *
12523 		 * We use dts_speculates to determine (a) and call a function
12524 		 * (dtrace_buffer_consumed()) to determine (b) and (c).  Note
12525 		 * that as soon as we've been unable to destroy one of the ECBs
12526 		 * associated with the probe, we quit trying -- reaping is only
12527 		 * fruitful in as much as we can destroy all ECBs associated
12528 		 * with the defunct provider's probes.
12529 		 */
12530 		while ((ecb = probe->dtpr_ecb) != NULL) {
12531 			dtrace_state_t *state = ecb->dte_state;
12532 			dtrace_buffer_t *buf = state->dts_buffer;
12533 			dtrace_buffer_t *aggbuf = state->dts_aggbuffer;
12534 
12535 			if (state->dts_speculates)
12536 				break;
12537 
12538 			if (!dtrace_buffer_consumed(buf, when))
12539 				break;
12540 
12541 			if (!dtrace_buffer_consumed(aggbuf, when))
12542 				break;
12543 
12544 			dtrace_ecb_disable(ecb);
12545 			ASSERT(probe->dtpr_ecb != ecb);
12546 			dtrace_ecb_destroy(ecb);
12547 		}
12548 	}
12549 
12550 	mutex_exit(&dtrace_lock);
12551 	mutex_exit(&cpu_lock);
12552 }
12553 
12554 /*
12555  * DTrace DOF Functions
12556  */
12557 /*ARGSUSED*/
12558 static void
12559 dtrace_dof_error(dof_hdr_t *dof, const char *str)
12560 {
12561 	if (dtrace_err_verbose)
12562 		cmn_err(CE_WARN, "failed to process DOF: %s", str);
12563 
12564 #ifdef DTRACE_ERRDEBUG
12565 	dtrace_errdebug(str);
12566 #endif
12567 }
12568 
12569 /*
12570  * Create DOF out of a currently enabled state.  Right now, we only create
12571  * DOF containing the run-time options -- but this could be expanded to create
12572  * complete DOF representing the enabled state.
12573  */
12574 static dof_hdr_t *
12575 dtrace_dof_create(dtrace_state_t *state)
12576 {
12577 	dof_hdr_t *dof;
12578 	dof_sec_t *sec;
12579 	dof_optdesc_t *opt;
12580 	int i, len = sizeof (dof_hdr_t) +
12581 	    roundup(sizeof (dof_sec_t), sizeof (uint64_t)) +
12582 	    sizeof (dof_optdesc_t) * DTRACEOPT_MAX;
12583 
12584 	ASSERT(MUTEX_HELD(&dtrace_lock));
12585 
12586 	dof = kmem_zalloc(len, KM_SLEEP);
12587 	dof->dofh_ident[DOF_ID_MAG0] = DOF_MAG_MAG0;
12588 	dof->dofh_ident[DOF_ID_MAG1] = DOF_MAG_MAG1;
12589 	dof->dofh_ident[DOF_ID_MAG2] = DOF_MAG_MAG2;
12590 	dof->dofh_ident[DOF_ID_MAG3] = DOF_MAG_MAG3;
12591 
12592 	dof->dofh_ident[DOF_ID_MODEL] = DOF_MODEL_NATIVE;
12593 	dof->dofh_ident[DOF_ID_ENCODING] = DOF_ENCODE_NATIVE;
12594 	dof->dofh_ident[DOF_ID_VERSION] = DOF_VERSION;
12595 	dof->dofh_ident[DOF_ID_DIFVERS] = DIF_VERSION;
12596 	dof->dofh_ident[DOF_ID_DIFIREG] = DIF_DIR_NREGS;
12597 	dof->dofh_ident[DOF_ID_DIFTREG] = DIF_DTR_NREGS;
12598 
12599 	dof->dofh_flags = 0;
12600 	dof->dofh_hdrsize = sizeof (dof_hdr_t);
12601 	dof->dofh_secsize = sizeof (dof_sec_t);
12602 	dof->dofh_secnum = 1;	/* only DOF_SECT_OPTDESC */
12603 	dof->dofh_secoff = sizeof (dof_hdr_t);
12604 	dof->dofh_loadsz = len;
12605 	dof->dofh_filesz = len;
12606 	dof->dofh_pad = 0;
12607 
12608 	/*
12609 	 * Fill in the option section header...
12610 	 */
12611 	sec = (dof_sec_t *)((uintptr_t)dof + sizeof (dof_hdr_t));
12612 	sec->dofs_type = DOF_SECT_OPTDESC;
12613 	sec->dofs_align = sizeof (uint64_t);
12614 	sec->dofs_flags = DOF_SECF_LOAD;
12615 	sec->dofs_entsize = sizeof (dof_optdesc_t);
12616 
12617 	opt = (dof_optdesc_t *)((uintptr_t)sec +
12618 	    roundup(sizeof (dof_sec_t), sizeof (uint64_t)));
12619 
12620 	sec->dofs_offset = (uintptr_t)opt - (uintptr_t)dof;
12621 	sec->dofs_size = sizeof (dof_optdesc_t) * DTRACEOPT_MAX;
12622 
12623 	for (i = 0; i < DTRACEOPT_MAX; i++) {
12624 		opt[i].dofo_option = i;
12625 		opt[i].dofo_strtab = DOF_SECIDX_NONE;
12626 		opt[i].dofo_value = state->dts_options[i];
12627 	}
12628 
12629 	return (dof);
12630 }
12631 
12632 static dof_hdr_t *
12633 dtrace_dof_copyin(uintptr_t uarg, int *errp)
12634 {
12635 	dof_hdr_t hdr, *dof;
12636 
12637 	ASSERT(!MUTEX_HELD(&dtrace_lock));
12638 
12639 	/*
12640 	 * First, we're going to copyin() the sizeof (dof_hdr_t).
12641 	 */
12642 	if (copyin((void *)uarg, &hdr, sizeof (hdr)) != 0) {
12643 		dtrace_dof_error(NULL, "failed to copyin DOF header");
12644 		*errp = EFAULT;
12645 		return (NULL);
12646 	}
12647 
12648 	/*
12649 	 * Now we'll allocate the entire DOF and copy it in -- provided
12650 	 * that the length isn't outrageous.
12651 	 */
12652 	if (hdr.dofh_loadsz >= dtrace_dof_maxsize) {
12653 		dtrace_dof_error(&hdr, "load size exceeds maximum");
12654 		*errp = E2BIG;
12655 		return (NULL);
12656 	}
12657 
12658 	if (hdr.dofh_loadsz < sizeof (hdr)) {
12659 		dtrace_dof_error(&hdr, "invalid load size");
12660 		*errp = EINVAL;
12661 		return (NULL);
12662 	}
12663 
12664 	dof = kmem_alloc(hdr.dofh_loadsz, KM_SLEEP);
12665 
12666 	if (copyin((void *)uarg, dof, hdr.dofh_loadsz) != 0 ||
12667 	    dof->dofh_loadsz != hdr.dofh_loadsz) {
12668 		kmem_free(dof, hdr.dofh_loadsz);
12669 		*errp = EFAULT;
12670 		return (NULL);
12671 	}
12672 
12673 	return (dof);
12674 }
12675 
12676 static dof_hdr_t *
12677 dtrace_dof_property(const char *name)
12678 {
12679 	uchar_t *buf;
12680 	uint64_t loadsz;
12681 	unsigned int len, i;
12682 	dof_hdr_t *dof;
12683 
12684 	/*
12685 	 * Unfortunately, array of values in .conf files are always (and
12686 	 * only) interpreted to be integer arrays.  We must read our DOF
12687 	 * as an integer array, and then squeeze it into a byte array.
12688 	 */
12689 	if (ddi_prop_lookup_int_array(DDI_DEV_T_ANY, dtrace_devi, 0,
12690 	    (char *)name, (int **)&buf, &len) != DDI_PROP_SUCCESS)
12691 		return (NULL);
12692 
12693 	for (i = 0; i < len; i++)
12694 		buf[i] = (uchar_t)(((int *)buf)[i]);
12695 
12696 	if (len < sizeof (dof_hdr_t)) {
12697 		ddi_prop_free(buf);
12698 		dtrace_dof_error(NULL, "truncated header");
12699 		return (NULL);
12700 	}
12701 
12702 	if (len < (loadsz = ((dof_hdr_t *)buf)->dofh_loadsz)) {
12703 		ddi_prop_free(buf);
12704 		dtrace_dof_error(NULL, "truncated DOF");
12705 		return (NULL);
12706 	}
12707 
12708 	if (loadsz >= dtrace_dof_maxsize) {
12709 		ddi_prop_free(buf);
12710 		dtrace_dof_error(NULL, "oversized DOF");
12711 		return (NULL);
12712 	}
12713 
12714 	dof = kmem_alloc(loadsz, KM_SLEEP);
12715 	bcopy(buf, dof, loadsz);
12716 	ddi_prop_free(buf);
12717 
12718 	return (dof);
12719 }
12720 
12721 static void
12722 dtrace_dof_destroy(dof_hdr_t *dof)
12723 {
12724 	kmem_free(dof, dof->dofh_loadsz);
12725 }
12726 
12727 /*
12728  * Return the dof_sec_t pointer corresponding to a given section index.  If the
12729  * index is not valid, dtrace_dof_error() is called and NULL is returned.  If
12730  * a type other than DOF_SECT_NONE is specified, the header is checked against
12731  * this type and NULL is returned if the types do not match.
12732  */
12733 static dof_sec_t *
12734 dtrace_dof_sect(dof_hdr_t *dof, uint32_t type, dof_secidx_t i)
12735 {
12736 	dof_sec_t *sec = (dof_sec_t *)(uintptr_t)
12737 	    ((uintptr_t)dof + dof->dofh_secoff + i * dof->dofh_secsize);
12738 
12739 	if (i >= dof->dofh_secnum) {
12740 		dtrace_dof_error(dof, "referenced section index is invalid");
12741 		return (NULL);
12742 	}
12743 
12744 	if (!(sec->dofs_flags & DOF_SECF_LOAD)) {
12745 		dtrace_dof_error(dof, "referenced section is not loadable");
12746 		return (NULL);
12747 	}
12748 
12749 	if (type != DOF_SECT_NONE && type != sec->dofs_type) {
12750 		dtrace_dof_error(dof, "referenced section is the wrong type");
12751 		return (NULL);
12752 	}
12753 
12754 	return (sec);
12755 }
12756 
12757 static dtrace_probedesc_t *
12758 dtrace_dof_probedesc(dof_hdr_t *dof, dof_sec_t *sec, dtrace_probedesc_t *desc)
12759 {
12760 	dof_probedesc_t *probe;
12761 	dof_sec_t *strtab;
12762 	uintptr_t daddr = (uintptr_t)dof;
12763 	uintptr_t str;
12764 	size_t size;
12765 
12766 	if (sec->dofs_type != DOF_SECT_PROBEDESC) {
12767 		dtrace_dof_error(dof, "invalid probe section");
12768 		return (NULL);
12769 	}
12770 
12771 	if (sec->dofs_align != sizeof (dof_secidx_t)) {
12772 		dtrace_dof_error(dof, "bad alignment in probe description");
12773 		return (NULL);
12774 	}
12775 
12776 	if (sec->dofs_offset + sizeof (dof_probedesc_t) > dof->dofh_loadsz) {
12777 		dtrace_dof_error(dof, "truncated probe description");
12778 		return (NULL);
12779 	}
12780 
12781 	probe = (dof_probedesc_t *)(uintptr_t)(daddr + sec->dofs_offset);
12782 	strtab = dtrace_dof_sect(dof, DOF_SECT_STRTAB, probe->dofp_strtab);
12783 
12784 	if (strtab == NULL)
12785 		return (NULL);
12786 
12787 	str = daddr + strtab->dofs_offset;
12788 	size = strtab->dofs_size;
12789 
12790 	if (probe->dofp_provider >= strtab->dofs_size) {
12791 		dtrace_dof_error(dof, "corrupt probe provider");
12792 		return (NULL);
12793 	}
12794 
12795 	(void) strncpy(desc->dtpd_provider,
12796 	    (char *)(str + probe->dofp_provider),
12797 	    MIN(DTRACE_PROVNAMELEN - 1, size - probe->dofp_provider));
12798 
12799 	if (probe->dofp_mod >= strtab->dofs_size) {
12800 		dtrace_dof_error(dof, "corrupt probe module");
12801 		return (NULL);
12802 	}
12803 
12804 	(void) strncpy(desc->dtpd_mod, (char *)(str + probe->dofp_mod),
12805 	    MIN(DTRACE_MODNAMELEN - 1, size - probe->dofp_mod));
12806 
12807 	if (probe->dofp_func >= strtab->dofs_size) {
12808 		dtrace_dof_error(dof, "corrupt probe function");
12809 		return (NULL);
12810 	}
12811 
12812 	(void) strncpy(desc->dtpd_func, (char *)(str + probe->dofp_func),
12813 	    MIN(DTRACE_FUNCNAMELEN - 1, size - probe->dofp_func));
12814 
12815 	if (probe->dofp_name >= strtab->dofs_size) {
12816 		dtrace_dof_error(dof, "corrupt probe name");
12817 		return (NULL);
12818 	}
12819 
12820 	(void) strncpy(desc->dtpd_name, (char *)(str + probe->dofp_name),
12821 	    MIN(DTRACE_NAMELEN - 1, size - probe->dofp_name));
12822 
12823 	return (desc);
12824 }
12825 
12826 static dtrace_difo_t *
12827 dtrace_dof_difo(dof_hdr_t *dof, dof_sec_t *sec, dtrace_vstate_t *vstate,
12828     cred_t *cr)
12829 {
12830 	dtrace_difo_t *dp;
12831 	size_t ttl = 0;
12832 	dof_difohdr_t *dofd;
12833 	uintptr_t daddr = (uintptr_t)dof;
12834 	size_t max = dtrace_difo_maxsize;
12835 	int i, l, n;
12836 
12837 	static const struct {
12838 		int section;
12839 		int bufoffs;
12840 		int lenoffs;
12841 		int entsize;
12842 		int align;
12843 		const char *msg;
12844 	} difo[] = {
12845 		{ DOF_SECT_DIF, offsetof(dtrace_difo_t, dtdo_buf),
12846 		offsetof(dtrace_difo_t, dtdo_len), sizeof (dif_instr_t),
12847 		sizeof (dif_instr_t), "multiple DIF sections" },
12848 
12849 		{ DOF_SECT_INTTAB, offsetof(dtrace_difo_t, dtdo_inttab),
12850 		offsetof(dtrace_difo_t, dtdo_intlen), sizeof (uint64_t),
12851 		sizeof (uint64_t), "multiple integer tables" },
12852 
12853 		{ DOF_SECT_STRTAB, offsetof(dtrace_difo_t, dtdo_strtab),
12854 		offsetof(dtrace_difo_t, dtdo_strlen), 0,
12855 		sizeof (char), "multiple string tables" },
12856 
12857 		{ DOF_SECT_VARTAB, offsetof(dtrace_difo_t, dtdo_vartab),
12858 		offsetof(dtrace_difo_t, dtdo_varlen), sizeof (dtrace_difv_t),
12859 		sizeof (uint_t), "multiple variable tables" },
12860 
12861 		{ DOF_SECT_NONE, 0, 0, 0, 0, NULL }
12862 	};
12863 
12864 	if (sec->dofs_type != DOF_SECT_DIFOHDR) {
12865 		dtrace_dof_error(dof, "invalid DIFO header section");
12866 		return (NULL);
12867 	}
12868 
12869 	if (sec->dofs_align != sizeof (dof_secidx_t)) {
12870 		dtrace_dof_error(dof, "bad alignment in DIFO header");
12871 		return (NULL);
12872 	}
12873 
12874 	if (sec->dofs_size < sizeof (dof_difohdr_t) ||
12875 	    sec->dofs_size % sizeof (dof_secidx_t)) {
12876 		dtrace_dof_error(dof, "bad size in DIFO header");
12877 		return (NULL);
12878 	}
12879 
12880 	dofd = (dof_difohdr_t *)(uintptr_t)(daddr + sec->dofs_offset);
12881 	n = (sec->dofs_size - sizeof (*dofd)) / sizeof (dof_secidx_t) + 1;
12882 
12883 	dp = kmem_zalloc(sizeof (dtrace_difo_t), KM_SLEEP);
12884 	dp->dtdo_rtype = dofd->dofd_rtype;
12885 
12886 	for (l = 0; l < n; l++) {
12887 		dof_sec_t *subsec;
12888 		void **bufp;
12889 		uint32_t *lenp;
12890 
12891 		if ((subsec = dtrace_dof_sect(dof, DOF_SECT_NONE,
12892 		    dofd->dofd_links[l])) == NULL)
12893 			goto err; /* invalid section link */
12894 
12895 		if (ttl + subsec->dofs_size > max) {
12896 			dtrace_dof_error(dof, "exceeds maximum size");
12897 			goto err;
12898 		}
12899 
12900 		ttl += subsec->dofs_size;
12901 
12902 		for (i = 0; difo[i].section != DOF_SECT_NONE; i++) {
12903 			if (subsec->dofs_type != difo[i].section)
12904 				continue;
12905 
12906 			if (!(subsec->dofs_flags & DOF_SECF_LOAD)) {
12907 				dtrace_dof_error(dof, "section not loaded");
12908 				goto err;
12909 			}
12910 
12911 			if (subsec->dofs_align != difo[i].align) {
12912 				dtrace_dof_error(dof, "bad alignment");
12913 				goto err;
12914 			}
12915 
12916 			bufp = (void **)((uintptr_t)dp + difo[i].bufoffs);
12917 			lenp = (uint32_t *)((uintptr_t)dp + difo[i].lenoffs);
12918 
12919 			if (*bufp != NULL) {
12920 				dtrace_dof_error(dof, difo[i].msg);
12921 				goto err;
12922 			}
12923 
12924 			if (difo[i].entsize != subsec->dofs_entsize) {
12925 				dtrace_dof_error(dof, "entry size mismatch");
12926 				goto err;
12927 			}
12928 
12929 			if (subsec->dofs_entsize != 0 &&
12930 			    (subsec->dofs_size % subsec->dofs_entsize) != 0) {
12931 				dtrace_dof_error(dof, "corrupt entry size");
12932 				goto err;
12933 			}
12934 
12935 			*lenp = subsec->dofs_size;
12936 			*bufp = kmem_alloc(subsec->dofs_size, KM_SLEEP);
12937 			bcopy((char *)(uintptr_t)(daddr + subsec->dofs_offset),
12938 			    *bufp, subsec->dofs_size);
12939 
12940 			if (subsec->dofs_entsize != 0)
12941 				*lenp /= subsec->dofs_entsize;
12942 
12943 			break;
12944 		}
12945 
12946 		/*
12947 		 * If we encounter a loadable DIFO sub-section that is not
12948 		 * known to us, assume this is a broken program and fail.
12949 		 */
12950 		if (difo[i].section == DOF_SECT_NONE &&
12951 		    (subsec->dofs_flags & DOF_SECF_LOAD)) {
12952 			dtrace_dof_error(dof, "unrecognized DIFO subsection");
12953 			goto err;
12954 		}
12955 	}
12956 
12957 	if (dp->dtdo_buf == NULL) {
12958 		/*
12959 		 * We can't have a DIF object without DIF text.
12960 		 */
12961 		dtrace_dof_error(dof, "missing DIF text");
12962 		goto err;
12963 	}
12964 
12965 	/*
12966 	 * Before we validate the DIF object, run through the variable table
12967 	 * looking for the strings -- if any of their size are under, we'll set
12968 	 * their size to be the system-wide default string size.  Note that
12969 	 * this should _not_ happen if the "strsize" option has been set --
12970 	 * in this case, the compiler should have set the size to reflect the
12971 	 * setting of the option.
12972 	 */
12973 	for (i = 0; i < dp->dtdo_varlen; i++) {
12974 		dtrace_difv_t *v = &dp->dtdo_vartab[i];
12975 		dtrace_diftype_t *t = &v->dtdv_type;
12976 
12977 		if (v->dtdv_id < DIF_VAR_OTHER_UBASE)
12978 			continue;
12979 
12980 		if (t->dtdt_kind == DIF_TYPE_STRING && t->dtdt_size == 0)
12981 			t->dtdt_size = dtrace_strsize_default;
12982 	}
12983 
12984 	if (dtrace_difo_validate(dp, vstate, DIF_DIR_NREGS, cr) != 0)
12985 		goto err;
12986 
12987 	dtrace_difo_init(dp, vstate);
12988 	return (dp);
12989 
12990 err:
12991 	kmem_free(dp->dtdo_buf, dp->dtdo_len * sizeof (dif_instr_t));
12992 	kmem_free(dp->dtdo_inttab, dp->dtdo_intlen * sizeof (uint64_t));
12993 	kmem_free(dp->dtdo_strtab, dp->dtdo_strlen);
12994 	kmem_free(dp->dtdo_vartab, dp->dtdo_varlen * sizeof (dtrace_difv_t));
12995 
12996 	kmem_free(dp, sizeof (dtrace_difo_t));
12997 	return (NULL);
12998 }
12999 
13000 static dtrace_predicate_t *
13001 dtrace_dof_predicate(dof_hdr_t *dof, dof_sec_t *sec, dtrace_vstate_t *vstate,
13002     cred_t *cr)
13003 {
13004 	dtrace_difo_t *dp;
13005 
13006 	if ((dp = dtrace_dof_difo(dof, sec, vstate, cr)) == NULL)
13007 		return (NULL);
13008 
13009 	return (dtrace_predicate_create(dp));
13010 }
13011 
13012 static dtrace_actdesc_t *
13013 dtrace_dof_actdesc(dof_hdr_t *dof, dof_sec_t *sec, dtrace_vstate_t *vstate,
13014     cred_t *cr)
13015 {
13016 	dtrace_actdesc_t *act, *first = NULL, *last = NULL, *next;
13017 	dof_actdesc_t *desc;
13018 	dof_sec_t *difosec;
13019 	size_t offs;
13020 	uintptr_t daddr = (uintptr_t)dof;
13021 	uint64_t arg;
13022 	dtrace_actkind_t kind;
13023 
13024 	if (sec->dofs_type != DOF_SECT_ACTDESC) {
13025 		dtrace_dof_error(dof, "invalid action section");
13026 		return (NULL);
13027 	}
13028 
13029 	if (sec->dofs_offset + sizeof (dof_actdesc_t) > dof->dofh_loadsz) {
13030 		dtrace_dof_error(dof, "truncated action description");
13031 		return (NULL);
13032 	}
13033 
13034 	if (sec->dofs_align != sizeof (uint64_t)) {
13035 		dtrace_dof_error(dof, "bad alignment in action description");
13036 		return (NULL);
13037 	}
13038 
13039 	if (sec->dofs_size < sec->dofs_entsize) {
13040 		dtrace_dof_error(dof, "section entry size exceeds total size");
13041 		return (NULL);
13042 	}
13043 
13044 	if (sec->dofs_entsize != sizeof (dof_actdesc_t)) {
13045 		dtrace_dof_error(dof, "bad entry size in action description");
13046 		return (NULL);
13047 	}
13048 
13049 	if (sec->dofs_size / sec->dofs_entsize > dtrace_actions_max) {
13050 		dtrace_dof_error(dof, "actions exceed dtrace_actions_max");
13051 		return (NULL);
13052 	}
13053 
13054 	for (offs = 0; offs < sec->dofs_size; offs += sec->dofs_entsize) {
13055 		desc = (dof_actdesc_t *)(daddr +
13056 		    (uintptr_t)sec->dofs_offset + offs);
13057 		kind = (dtrace_actkind_t)desc->dofa_kind;
13058 
13059 		if ((DTRACEACT_ISPRINTFLIKE(kind) &&
13060 		    (kind != DTRACEACT_PRINTA ||
13061 		    desc->dofa_strtab != DOF_SECIDX_NONE)) ||
13062 		    (kind == DTRACEACT_DIFEXPR &&
13063 		    desc->dofa_strtab != DOF_SECIDX_NONE)) {
13064 			dof_sec_t *strtab;
13065 			char *str, *fmt;
13066 			uint64_t i;
13067 
13068 			/*
13069 			 * The argument to these actions is an index into the
13070 			 * DOF string table.  For printf()-like actions, this
13071 			 * is the format string.  For print(), this is the
13072 			 * CTF type of the expression result.
13073 			 */
13074 			if ((strtab = dtrace_dof_sect(dof,
13075 			    DOF_SECT_STRTAB, desc->dofa_strtab)) == NULL)
13076 				goto err;
13077 
13078 			str = (char *)((uintptr_t)dof +
13079 			    (uintptr_t)strtab->dofs_offset);
13080 
13081 			for (i = desc->dofa_arg; i < strtab->dofs_size; i++) {
13082 				if (str[i] == '\0')
13083 					break;
13084 			}
13085 
13086 			if (i >= strtab->dofs_size) {
13087 				dtrace_dof_error(dof, "bogus format string");
13088 				goto err;
13089 			}
13090 
13091 			if (i == desc->dofa_arg) {
13092 				dtrace_dof_error(dof, "empty format string");
13093 				goto err;
13094 			}
13095 
13096 			i -= desc->dofa_arg;
13097 			fmt = kmem_alloc(i + 1, KM_SLEEP);
13098 			bcopy(&str[desc->dofa_arg], fmt, i + 1);
13099 			arg = (uint64_t)(uintptr_t)fmt;
13100 		} else {
13101 			if (kind == DTRACEACT_PRINTA) {
13102 				ASSERT(desc->dofa_strtab == DOF_SECIDX_NONE);
13103 				arg = 0;
13104 			} else {
13105 				arg = desc->dofa_arg;
13106 			}
13107 		}
13108 
13109 		act = dtrace_actdesc_create(kind, desc->dofa_ntuple,
13110 		    desc->dofa_uarg, arg);
13111 
13112 		if (last != NULL) {
13113 			last->dtad_next = act;
13114 		} else {
13115 			first = act;
13116 		}
13117 
13118 		last = act;
13119 
13120 		if (desc->dofa_difo == DOF_SECIDX_NONE)
13121 			continue;
13122 
13123 		if ((difosec = dtrace_dof_sect(dof,
13124 		    DOF_SECT_DIFOHDR, desc->dofa_difo)) == NULL)
13125 			goto err;
13126 
13127 		act->dtad_difo = dtrace_dof_difo(dof, difosec, vstate, cr);
13128 
13129 		if (act->dtad_difo == NULL)
13130 			goto err;
13131 	}
13132 
13133 	ASSERT(first != NULL);
13134 	return (first);
13135 
13136 err:
13137 	for (act = first; act != NULL; act = next) {
13138 		next = act->dtad_next;
13139 		dtrace_actdesc_release(act, vstate);
13140 	}
13141 
13142 	return (NULL);
13143 }
13144 
13145 static dtrace_ecbdesc_t *
13146 dtrace_dof_ecbdesc(dof_hdr_t *dof, dof_sec_t *sec, dtrace_vstate_t *vstate,
13147     cred_t *cr)
13148 {
13149 	dtrace_ecbdesc_t *ep;
13150 	dof_ecbdesc_t *ecb;
13151 	dtrace_probedesc_t *desc;
13152 	dtrace_predicate_t *pred = NULL;
13153 
13154 	if (sec->dofs_size < sizeof (dof_ecbdesc_t)) {
13155 		dtrace_dof_error(dof, "truncated ECB description");
13156 		return (NULL);
13157 	}
13158 
13159 	if (sec->dofs_align != sizeof (uint64_t)) {
13160 		dtrace_dof_error(dof, "bad alignment in ECB description");
13161 		return (NULL);
13162 	}
13163 
13164 	ecb = (dof_ecbdesc_t *)((uintptr_t)dof + (uintptr_t)sec->dofs_offset);
13165 	sec = dtrace_dof_sect(dof, DOF_SECT_PROBEDESC, ecb->dofe_probes);
13166 
13167 	if (sec == NULL)
13168 		return (NULL);
13169 
13170 	ep = kmem_zalloc(sizeof (dtrace_ecbdesc_t), KM_SLEEP);
13171 	ep->dted_uarg = ecb->dofe_uarg;
13172 	desc = &ep->dted_probe;
13173 
13174 	if (dtrace_dof_probedesc(dof, sec, desc) == NULL)
13175 		goto err;
13176 
13177 	if (ecb->dofe_pred != DOF_SECIDX_NONE) {
13178 		if ((sec = dtrace_dof_sect(dof,
13179 		    DOF_SECT_DIFOHDR, ecb->dofe_pred)) == NULL)
13180 			goto err;
13181 
13182 		if ((pred = dtrace_dof_predicate(dof, sec, vstate, cr)) == NULL)
13183 			goto err;
13184 
13185 		ep->dted_pred.dtpdd_predicate = pred;
13186 	}
13187 
13188 	if (ecb->dofe_actions != DOF_SECIDX_NONE) {
13189 		if ((sec = dtrace_dof_sect(dof,
13190 		    DOF_SECT_ACTDESC, ecb->dofe_actions)) == NULL)
13191 			goto err;
13192 
13193 		ep->dted_action = dtrace_dof_actdesc(dof, sec, vstate, cr);
13194 
13195 		if (ep->dted_action == NULL)
13196 			goto err;
13197 	}
13198 
13199 	return (ep);
13200 
13201 err:
13202 	if (pred != NULL)
13203 		dtrace_predicate_release(pred, vstate);
13204 	kmem_free(ep, sizeof (dtrace_ecbdesc_t));
13205 	return (NULL);
13206 }
13207 
13208 /*
13209  * Apply the relocations from the specified 'sec' (a DOF_SECT_URELHDR) to the
13210  * specified DOF.  At present, this amounts to simply adding 'ubase' to the
13211  * site of any user SETX relocations to account for load object base address.
13212  * In the future, if we need other relocations, this function can be extended.
13213  */
13214 static int
13215 dtrace_dof_relocate(dof_hdr_t *dof, dof_sec_t *sec, uint64_t ubase)
13216 {
13217 	uintptr_t daddr = (uintptr_t)dof;
13218 	uintptr_t ts_end;
13219 	dof_relohdr_t *dofr =
13220 	    (dof_relohdr_t *)(uintptr_t)(daddr + sec->dofs_offset);
13221 	dof_sec_t *ss, *rs, *ts;
13222 	dof_relodesc_t *r;
13223 	uint_t i, n;
13224 
13225 	if (sec->dofs_size < sizeof (dof_relohdr_t) ||
13226 	    sec->dofs_align != sizeof (dof_secidx_t)) {
13227 		dtrace_dof_error(dof, "invalid relocation header");
13228 		return (-1);
13229 	}
13230 
13231 	ss = dtrace_dof_sect(dof, DOF_SECT_STRTAB, dofr->dofr_strtab);
13232 	rs = dtrace_dof_sect(dof, DOF_SECT_RELTAB, dofr->dofr_relsec);
13233 	ts = dtrace_dof_sect(dof, DOF_SECT_NONE, dofr->dofr_tgtsec);
13234 	ts_end = (uintptr_t)ts + sizeof (dof_sec_t);
13235 
13236 	if (ss == NULL || rs == NULL || ts == NULL)
13237 		return (-1); /* dtrace_dof_error() has been called already */
13238 
13239 	if (rs->dofs_entsize < sizeof (dof_relodesc_t) ||
13240 	    rs->dofs_align != sizeof (uint64_t)) {
13241 		dtrace_dof_error(dof, "invalid relocation section");
13242 		return (-1);
13243 	}
13244 
13245 	r = (dof_relodesc_t *)(uintptr_t)(daddr + rs->dofs_offset);
13246 	n = rs->dofs_size / rs->dofs_entsize;
13247 
13248 	for (i = 0; i < n; i++) {
13249 		uintptr_t taddr = daddr + ts->dofs_offset + r->dofr_offset;
13250 
13251 		switch (r->dofr_type) {
13252 		case DOF_RELO_NONE:
13253 			break;
13254 		case DOF_RELO_SETX:
13255 			if (r->dofr_offset >= ts->dofs_size || r->dofr_offset +
13256 			    sizeof (uint64_t) > ts->dofs_size) {
13257 				dtrace_dof_error(dof, "bad relocation offset");
13258 				return (-1);
13259 			}
13260 
13261 			if (taddr >= (uintptr_t)ts && taddr < ts_end) {
13262 				dtrace_dof_error(dof, "bad relocation offset");
13263 				return (-1);
13264 			}
13265 
13266 			if (!IS_P2ALIGNED(taddr, sizeof (uint64_t))) {
13267 				dtrace_dof_error(dof, "misaligned setx relo");
13268 				return (-1);
13269 			}
13270 
13271 			*(uint64_t *)taddr += ubase;
13272 			break;
13273 		default:
13274 			dtrace_dof_error(dof, "invalid relocation type");
13275 			return (-1);
13276 		}
13277 
13278 		r = (dof_relodesc_t *)((uintptr_t)r + rs->dofs_entsize);
13279 	}
13280 
13281 	return (0);
13282 }
13283 
13284 /*
13285  * The dof_hdr_t passed to dtrace_dof_slurp() should be a partially validated
13286  * header:  it should be at the front of a memory region that is at least
13287  * sizeof (dof_hdr_t) in size -- and then at least dof_hdr.dofh_loadsz in
13288  * size.  It need not be validated in any other way.
13289  */
13290 static int
13291 dtrace_dof_slurp(dof_hdr_t *dof, dtrace_vstate_t *vstate, cred_t *cr,
13292     dtrace_enabling_t **enabp, uint64_t ubase, int noprobes)
13293 {
13294 	uint64_t len = dof->dofh_loadsz, seclen;
13295 	uintptr_t daddr = (uintptr_t)dof;
13296 	dtrace_ecbdesc_t *ep;
13297 	dtrace_enabling_t *enab;
13298 	uint_t i;
13299 
13300 	ASSERT(MUTEX_HELD(&dtrace_lock));
13301 	ASSERT(dof->dofh_loadsz >= sizeof (dof_hdr_t));
13302 
13303 	/*
13304 	 * Check the DOF header identification bytes.  In addition to checking
13305 	 * valid settings, we also verify that unused bits/bytes are zeroed so
13306 	 * we can use them later without fear of regressing existing binaries.
13307 	 */
13308 	if (bcmp(&dof->dofh_ident[DOF_ID_MAG0],
13309 	    DOF_MAG_STRING, DOF_MAG_STRLEN) != 0) {
13310 		dtrace_dof_error(dof, "DOF magic string mismatch");
13311 		return (-1);
13312 	}
13313 
13314 	if (dof->dofh_ident[DOF_ID_MODEL] != DOF_MODEL_ILP32 &&
13315 	    dof->dofh_ident[DOF_ID_MODEL] != DOF_MODEL_LP64) {
13316 		dtrace_dof_error(dof, "DOF has invalid data model");
13317 		return (-1);
13318 	}
13319 
13320 	if (dof->dofh_ident[DOF_ID_ENCODING] != DOF_ENCODE_NATIVE) {
13321 		dtrace_dof_error(dof, "DOF encoding mismatch");
13322 		return (-1);
13323 	}
13324 
13325 	if (dof->dofh_ident[DOF_ID_VERSION] != DOF_VERSION_1 &&
13326 	    dof->dofh_ident[DOF_ID_VERSION] != DOF_VERSION_2) {
13327 		dtrace_dof_error(dof, "DOF version mismatch");
13328 		return (-1);
13329 	}
13330 
13331 	if (dof->dofh_ident[DOF_ID_DIFVERS] != DIF_VERSION_2) {
13332 		dtrace_dof_error(dof, "DOF uses unsupported instruction set");
13333 		return (-1);
13334 	}
13335 
13336 	if (dof->dofh_ident[DOF_ID_DIFIREG] > DIF_DIR_NREGS) {
13337 		dtrace_dof_error(dof, "DOF uses too many integer registers");
13338 		return (-1);
13339 	}
13340 
13341 	if (dof->dofh_ident[DOF_ID_DIFTREG] > DIF_DTR_NREGS) {
13342 		dtrace_dof_error(dof, "DOF uses too many tuple registers");
13343 		return (-1);
13344 	}
13345 
13346 	for (i = DOF_ID_PAD; i < DOF_ID_SIZE; i++) {
13347 		if (dof->dofh_ident[i] != 0) {
13348 			dtrace_dof_error(dof, "DOF has invalid ident byte set");
13349 			return (-1);
13350 		}
13351 	}
13352 
13353 	if (dof->dofh_flags & ~DOF_FL_VALID) {
13354 		dtrace_dof_error(dof, "DOF has invalid flag bits set");
13355 		return (-1);
13356 	}
13357 
13358 	if (dof->dofh_secsize == 0) {
13359 		dtrace_dof_error(dof, "zero section header size");
13360 		return (-1);
13361 	}
13362 
13363 	/*
13364 	 * Check that the section headers don't exceed the amount of DOF
13365 	 * data.  Note that we cast the section size and number of sections
13366 	 * to uint64_t's to prevent possible overflow in the multiplication.
13367 	 */
13368 	seclen = (uint64_t)dof->dofh_secnum * (uint64_t)dof->dofh_secsize;
13369 
13370 	if (dof->dofh_secoff > len || seclen > len ||
13371 	    dof->dofh_secoff + seclen > len) {
13372 		dtrace_dof_error(dof, "truncated section headers");
13373 		return (-1);
13374 	}
13375 
13376 	if (!IS_P2ALIGNED(dof->dofh_secoff, sizeof (uint64_t))) {
13377 		dtrace_dof_error(dof, "misaligned section headers");
13378 		return (-1);
13379 	}
13380 
13381 	if (!IS_P2ALIGNED(dof->dofh_secsize, sizeof (uint64_t))) {
13382 		dtrace_dof_error(dof, "misaligned section size");
13383 		return (-1);
13384 	}
13385 
13386 	/*
13387 	 * Take an initial pass through the section headers to be sure that
13388 	 * the headers don't have stray offsets.  If the 'noprobes' flag is
13389 	 * set, do not permit sections relating to providers, probes, or args.
13390 	 */
13391 	for (i = 0; i < dof->dofh_secnum; i++) {
13392 		dof_sec_t *sec = (dof_sec_t *)(daddr +
13393 		    (uintptr_t)dof->dofh_secoff + i * dof->dofh_secsize);
13394 
13395 		if (noprobes) {
13396 			switch (sec->dofs_type) {
13397 			case DOF_SECT_PROVIDER:
13398 			case DOF_SECT_PROBES:
13399 			case DOF_SECT_PRARGS:
13400 			case DOF_SECT_PROFFS:
13401 				dtrace_dof_error(dof, "illegal sections "
13402 				    "for enabling");
13403 				return (-1);
13404 			}
13405 		}
13406 
13407 		if (DOF_SEC_ISLOADABLE(sec->dofs_type) &&
13408 		    !(sec->dofs_flags & DOF_SECF_LOAD)) {
13409 			dtrace_dof_error(dof, "loadable section with load "
13410 			    "flag unset");
13411 			return (-1);
13412 		}
13413 
13414 		if (!(sec->dofs_flags & DOF_SECF_LOAD))
13415 			continue; /* just ignore non-loadable sections */
13416 
13417 		if (!ISP2(sec->dofs_align)) {
13418 			dtrace_dof_error(dof, "bad section alignment");
13419 			return (-1);
13420 		}
13421 
13422 		if (sec->dofs_offset & (sec->dofs_align - 1)) {
13423 			dtrace_dof_error(dof, "misaligned section");
13424 			return (-1);
13425 		}
13426 
13427 		if (sec->dofs_offset > len || sec->dofs_size > len ||
13428 		    sec->dofs_offset + sec->dofs_size > len) {
13429 			dtrace_dof_error(dof, "corrupt section header");
13430 			return (-1);
13431 		}
13432 
13433 		if (sec->dofs_type == DOF_SECT_STRTAB && *((char *)daddr +
13434 		    sec->dofs_offset + sec->dofs_size - 1) != '\0') {
13435 			dtrace_dof_error(dof, "non-terminating string table");
13436 			return (-1);
13437 		}
13438 	}
13439 
13440 	/*
13441 	 * Take a second pass through the sections and locate and perform any
13442 	 * relocations that are present.  We do this after the first pass to
13443 	 * be sure that all sections have had their headers validated.
13444 	 */
13445 	for (i = 0; i < dof->dofh_secnum; i++) {
13446 		dof_sec_t *sec = (dof_sec_t *)(daddr +
13447 		    (uintptr_t)dof->dofh_secoff + i * dof->dofh_secsize);
13448 
13449 		if (!(sec->dofs_flags & DOF_SECF_LOAD))
13450 			continue; /* skip sections that are not loadable */
13451 
13452 		switch (sec->dofs_type) {
13453 		case DOF_SECT_URELHDR:
13454 			if (dtrace_dof_relocate(dof, sec, ubase) != 0)
13455 				return (-1);
13456 			break;
13457 		}
13458 	}
13459 
13460 	if ((enab = *enabp) == NULL)
13461 		enab = *enabp = dtrace_enabling_create(vstate);
13462 
13463 	for (i = 0; i < dof->dofh_secnum; i++) {
13464 		dof_sec_t *sec = (dof_sec_t *)(daddr +
13465 		    (uintptr_t)dof->dofh_secoff + i * dof->dofh_secsize);
13466 
13467 		if (sec->dofs_type != DOF_SECT_ECBDESC)
13468 			continue;
13469 
13470 		if ((ep = dtrace_dof_ecbdesc(dof, sec, vstate, cr)) == NULL) {
13471 			dtrace_enabling_destroy(enab);
13472 			*enabp = NULL;
13473 			return (-1);
13474 		}
13475 
13476 		dtrace_enabling_add(enab, ep);
13477 	}
13478 
13479 	return (0);
13480 }
13481 
13482 /*
13483  * Process DOF for any options.  This routine assumes that the DOF has been
13484  * at least processed by dtrace_dof_slurp().
13485  */
13486 static int
13487 dtrace_dof_options(dof_hdr_t *dof, dtrace_state_t *state)
13488 {
13489 	int i, rval;
13490 	uint32_t entsize;
13491 	size_t offs;
13492 	dof_optdesc_t *desc;
13493 
13494 	for (i = 0; i < dof->dofh_secnum; i++) {
13495 		dof_sec_t *sec = (dof_sec_t *)((uintptr_t)dof +
13496 		    (uintptr_t)dof->dofh_secoff + i * dof->dofh_secsize);
13497 
13498 		if (sec->dofs_type != DOF_SECT_OPTDESC)
13499 			continue;
13500 
13501 		if (sec->dofs_align != sizeof (uint64_t)) {
13502 			dtrace_dof_error(dof, "bad alignment in "
13503 			    "option description");
13504 			return (EINVAL);
13505 		}
13506 
13507 		if ((entsize = sec->dofs_entsize) == 0) {
13508 			dtrace_dof_error(dof, "zeroed option entry size");
13509 			return (EINVAL);
13510 		}
13511 
13512 		if (entsize < sizeof (dof_optdesc_t)) {
13513 			dtrace_dof_error(dof, "bad option entry size");
13514 			return (EINVAL);
13515 		}
13516 
13517 		for (offs = 0; offs < sec->dofs_size; offs += entsize) {
13518 			desc = (dof_optdesc_t *)((uintptr_t)dof +
13519 			    (uintptr_t)sec->dofs_offset + offs);
13520 
13521 			if (desc->dofo_strtab != DOF_SECIDX_NONE) {
13522 				dtrace_dof_error(dof, "non-zero option string");
13523 				return (EINVAL);
13524 			}
13525 
13526 			if (desc->dofo_value == DTRACEOPT_UNSET) {
13527 				dtrace_dof_error(dof, "unset option");
13528 				return (EINVAL);
13529 			}
13530 
13531 			if ((rval = dtrace_state_option(state,
13532 			    desc->dofo_option, desc->dofo_value)) != 0) {
13533 				dtrace_dof_error(dof, "rejected option");
13534 				return (rval);
13535 			}
13536 		}
13537 	}
13538 
13539 	return (0);
13540 }
13541 
13542 /*
13543  * DTrace Consumer State Functions
13544  */
13545 int
13546 dtrace_dstate_init(dtrace_dstate_t *dstate, size_t size)
13547 {
13548 	size_t hashsize, maxper, min, chunksize = dstate->dtds_chunksize;
13549 	void *base;
13550 	uintptr_t limit;
13551 	dtrace_dynvar_t *dvar, *next, *start;
13552 	int i;
13553 
13554 	ASSERT(MUTEX_HELD(&dtrace_lock));
13555 	ASSERT(dstate->dtds_base == NULL && dstate->dtds_percpu == NULL);
13556 
13557 	bzero(dstate, sizeof (dtrace_dstate_t));
13558 
13559 	if ((dstate->dtds_chunksize = chunksize) == 0)
13560 		dstate->dtds_chunksize = DTRACE_DYNVAR_CHUNKSIZE;
13561 
13562 	VERIFY(dstate->dtds_chunksize < LONG_MAX);
13563 
13564 	if (size < (min = dstate->dtds_chunksize + sizeof (dtrace_dynhash_t)))
13565 		size = min;
13566 
13567 	if ((base = kmem_zalloc(size, KM_NOSLEEP | KM_NORMALPRI)) == NULL)
13568 		return (ENOMEM);
13569 
13570 	dstate->dtds_size = size;
13571 	dstate->dtds_base = base;
13572 	dstate->dtds_percpu = kmem_cache_alloc(dtrace_state_cache, KM_SLEEP);
13573 	bzero(dstate->dtds_percpu, NCPU * sizeof (dtrace_dstate_percpu_t));
13574 
13575 	hashsize = size / (dstate->dtds_chunksize + sizeof (dtrace_dynhash_t));
13576 
13577 	if (hashsize != 1 && (hashsize & 1))
13578 		hashsize--;
13579 
13580 	dstate->dtds_hashsize = hashsize;
13581 	dstate->dtds_hash = dstate->dtds_base;
13582 
13583 	/*
13584 	 * Set all of our hash buckets to point to the single sink, and (if
13585 	 * it hasn't already been set), set the sink's hash value to be the
13586 	 * sink sentinel value.  The sink is needed for dynamic variable
13587 	 * lookups to know that they have iterated over an entire, valid hash
13588 	 * chain.
13589 	 */
13590 	for (i = 0; i < hashsize; i++)
13591 		dstate->dtds_hash[i].dtdh_chain = &dtrace_dynhash_sink;
13592 
13593 	if (dtrace_dynhash_sink.dtdv_hashval != DTRACE_DYNHASH_SINK)
13594 		dtrace_dynhash_sink.dtdv_hashval = DTRACE_DYNHASH_SINK;
13595 
13596 	/*
13597 	 * Determine number of active CPUs.  Divide free list evenly among
13598 	 * active CPUs.
13599 	 */
13600 	start = (dtrace_dynvar_t *)
13601 	    ((uintptr_t)base + hashsize * sizeof (dtrace_dynhash_t));
13602 	limit = (uintptr_t)base + size;
13603 
13604 	VERIFY((uintptr_t)start < limit);
13605 	VERIFY((uintptr_t)start >= (uintptr_t)base);
13606 
13607 	maxper = (limit - (uintptr_t)start) / NCPU;
13608 	maxper = (maxper / dstate->dtds_chunksize) * dstate->dtds_chunksize;
13609 
13610 	for (i = 0; i < NCPU; i++) {
13611 		dstate->dtds_percpu[i].dtdsc_free = dvar = start;
13612 
13613 		/*
13614 		 * If we don't even have enough chunks to make it once through
13615 		 * NCPUs, we're just going to allocate everything to the first
13616 		 * CPU.  And if we're on the last CPU, we're going to allocate
13617 		 * whatever is left over.  In either case, we set the limit to
13618 		 * be the limit of the dynamic variable space.
13619 		 */
13620 		if (maxper == 0 || i == NCPU - 1) {
13621 			limit = (uintptr_t)base + size;
13622 			start = NULL;
13623 		} else {
13624 			limit = (uintptr_t)start + maxper;
13625 			start = (dtrace_dynvar_t *)limit;
13626 		}
13627 
13628 		VERIFY(limit <= (uintptr_t)base + size);
13629 
13630 		for (;;) {
13631 			next = (dtrace_dynvar_t *)((uintptr_t)dvar +
13632 			    dstate->dtds_chunksize);
13633 
13634 			if ((uintptr_t)next + dstate->dtds_chunksize >= limit)
13635 				break;
13636 
13637 			VERIFY((uintptr_t)dvar >= (uintptr_t)base &&
13638 			    (uintptr_t)dvar <= (uintptr_t)base + size);
13639 			dvar->dtdv_next = next;
13640 			dvar = next;
13641 		}
13642 
13643 		if (maxper == 0)
13644 			break;
13645 	}
13646 
13647 	return (0);
13648 }
13649 
13650 void
13651 dtrace_dstate_fini(dtrace_dstate_t *dstate)
13652 {
13653 	ASSERT(MUTEX_HELD(&cpu_lock));
13654 
13655 	if (dstate->dtds_base == NULL)
13656 		return;
13657 
13658 	kmem_free(dstate->dtds_base, dstate->dtds_size);
13659 	kmem_cache_free(dtrace_state_cache, dstate->dtds_percpu);
13660 }
13661 
13662 static void
13663 dtrace_vstate_fini(dtrace_vstate_t *vstate)
13664 {
13665 	/*
13666 	 * Logical XOR, where are you?
13667 	 */
13668 	ASSERT((vstate->dtvs_nglobals == 0) ^ (vstate->dtvs_globals != NULL));
13669 
13670 	if (vstate->dtvs_nglobals > 0) {
13671 		kmem_free(vstate->dtvs_globals, vstate->dtvs_nglobals *
13672 		    sizeof (dtrace_statvar_t *));
13673 	}
13674 
13675 	if (vstate->dtvs_ntlocals > 0) {
13676 		kmem_free(vstate->dtvs_tlocals, vstate->dtvs_ntlocals *
13677 		    sizeof (dtrace_difv_t));
13678 	}
13679 
13680 	ASSERT((vstate->dtvs_nlocals == 0) ^ (vstate->dtvs_locals != NULL));
13681 
13682 	if (vstate->dtvs_nlocals > 0) {
13683 		kmem_free(vstate->dtvs_locals, vstate->dtvs_nlocals *
13684 		    sizeof (dtrace_statvar_t *));
13685 	}
13686 }
13687 
13688 static void
13689 dtrace_state_clean(dtrace_state_t *state)
13690 {
13691 	if (state->dts_activity == DTRACE_ACTIVITY_INACTIVE)
13692 		return;
13693 
13694 	dtrace_dynvar_clean(&state->dts_vstate.dtvs_dynvars);
13695 	dtrace_speculation_clean(state);
13696 }
13697 
13698 static void
13699 dtrace_state_deadman(dtrace_state_t *state)
13700 {
13701 	hrtime_t now;
13702 
13703 	dtrace_sync();
13704 
13705 	now = dtrace_gethrtime();
13706 
13707 	if (state != dtrace_anon.dta_state &&
13708 	    now - state->dts_laststatus >= dtrace_deadman_user)
13709 		return;
13710 
13711 	/*
13712 	 * We must be sure that dts_alive never appears to be less than the
13713 	 * value upon entry to dtrace_state_deadman(), and because we lack a
13714 	 * dtrace_cas64(), we cannot store to it atomically.  We thus instead
13715 	 * store INT64_MAX to it, followed by a memory barrier, followed by
13716 	 * the new value.  This assures that dts_alive never appears to be
13717 	 * less than its true value, regardless of the order in which the
13718 	 * stores to the underlying storage are issued.
13719 	 */
13720 	state->dts_alive = INT64_MAX;
13721 	dtrace_membar_producer();
13722 	state->dts_alive = now;
13723 }
13724 
13725 dtrace_state_t *
13726 dtrace_state_create(dev_t *devp, cred_t *cr)
13727 {
13728 	minor_t minor;
13729 	major_t major;
13730 	char c[30];
13731 	dtrace_state_t *state;
13732 	dtrace_optval_t *opt;
13733 	int bufsize = NCPU * sizeof (dtrace_buffer_t), i;
13734 
13735 	ASSERT(MUTEX_HELD(&dtrace_lock));
13736 	ASSERT(MUTEX_HELD(&cpu_lock));
13737 
13738 	minor = (minor_t)(uintptr_t)vmem_alloc(dtrace_minor, 1,
13739 	    VM_BESTFIT | VM_SLEEP);
13740 
13741 	if (ddi_soft_state_zalloc(dtrace_softstate, minor) != DDI_SUCCESS) {
13742 		vmem_free(dtrace_minor, (void *)(uintptr_t)minor, 1);
13743 		return (NULL);
13744 	}
13745 
13746 	state = ddi_get_soft_state(dtrace_softstate, minor);
13747 	state->dts_epid = DTRACE_EPIDNONE + 1;
13748 
13749 	(void) snprintf(c, sizeof (c), "dtrace_aggid_%d", minor);
13750 	state->dts_aggid_arena = vmem_create(c, (void *)1, UINT32_MAX, 1,
13751 	    NULL, NULL, NULL, 0, VM_SLEEP | VMC_IDENTIFIER);
13752 
13753 	if (devp != NULL) {
13754 		major = getemajor(*devp);
13755 	} else {
13756 		major = ddi_driver_major(dtrace_devi);
13757 	}
13758 
13759 	state->dts_dev = makedevice(major, minor);
13760 
13761 	if (devp != NULL)
13762 		*devp = state->dts_dev;
13763 
13764 	/*
13765 	 * We allocate NCPU buffers.  On the one hand, this can be quite
13766 	 * a bit of memory per instance (nearly 36K on a Starcat).  On the
13767 	 * other hand, it saves an additional memory reference in the probe
13768 	 * path.
13769 	 */
13770 	state->dts_buffer = kmem_zalloc(bufsize, KM_SLEEP);
13771 	state->dts_aggbuffer = kmem_zalloc(bufsize, KM_SLEEP);
13772 	state->dts_cleaner = CYCLIC_NONE;
13773 	state->dts_deadman = CYCLIC_NONE;
13774 	state->dts_vstate.dtvs_state = state;
13775 
13776 	for (i = 0; i < DTRACEOPT_MAX; i++)
13777 		state->dts_options[i] = DTRACEOPT_UNSET;
13778 
13779 	/*
13780 	 * Set the default options.
13781 	 */
13782 	opt = state->dts_options;
13783 	opt[DTRACEOPT_BUFPOLICY] = DTRACEOPT_BUFPOLICY_SWITCH;
13784 	opt[DTRACEOPT_BUFRESIZE] = DTRACEOPT_BUFRESIZE_AUTO;
13785 	opt[DTRACEOPT_NSPEC] = dtrace_nspec_default;
13786 	opt[DTRACEOPT_SPECSIZE] = dtrace_specsize_default;
13787 	opt[DTRACEOPT_CPU] = (dtrace_optval_t)DTRACE_CPUALL;
13788 	opt[DTRACEOPT_STRSIZE] = dtrace_strsize_default;
13789 	opt[DTRACEOPT_STACKFRAMES] = dtrace_stackframes_default;
13790 	opt[DTRACEOPT_USTACKFRAMES] = dtrace_ustackframes_default;
13791 	opt[DTRACEOPT_CLEANRATE] = dtrace_cleanrate_default;
13792 	opt[DTRACEOPT_AGGRATE] = dtrace_aggrate_default;
13793 	opt[DTRACEOPT_SWITCHRATE] = dtrace_switchrate_default;
13794 	opt[DTRACEOPT_STATUSRATE] = dtrace_statusrate_default;
13795 	opt[DTRACEOPT_JSTACKFRAMES] = dtrace_jstackframes_default;
13796 	opt[DTRACEOPT_JSTACKSTRSIZE] = dtrace_jstackstrsize_default;
13797 
13798 	state->dts_activity = DTRACE_ACTIVITY_INACTIVE;
13799 
13800 	/*
13801 	 * Depending on the user credentials, we set flag bits which alter probe
13802 	 * visibility or the amount of destructiveness allowed.  In the case of
13803 	 * actual anonymous tracing, or the possession of all privileges, all of
13804 	 * the normal checks are bypassed.
13805 	 */
13806 	if (cr == NULL || PRIV_POLICY_ONLY(cr, PRIV_ALL, B_FALSE)) {
13807 		state->dts_cred.dcr_visible = DTRACE_CRV_ALL;
13808 		state->dts_cred.dcr_action = DTRACE_CRA_ALL;
13809 	} else {
13810 		/*
13811 		 * Set up the credentials for this instantiation.  We take a
13812 		 * hold on the credential to prevent it from disappearing on
13813 		 * us; this in turn prevents the zone_t referenced by this
13814 		 * credential from disappearing.  This means that we can
13815 		 * examine the credential and the zone from probe context.
13816 		 */
13817 		crhold(cr);
13818 		state->dts_cred.dcr_cred = cr;
13819 
13820 		/*
13821 		 * CRA_PROC means "we have *some* privilege for dtrace" and
13822 		 * unlocks the use of variables like pid, zonename, etc.
13823 		 */
13824 		if (PRIV_POLICY_ONLY(cr, PRIV_DTRACE_USER, B_FALSE) ||
13825 		    PRIV_POLICY_ONLY(cr, PRIV_DTRACE_PROC, B_FALSE)) {
13826 			state->dts_cred.dcr_action |= DTRACE_CRA_PROC;
13827 		}
13828 
13829 		/*
13830 		 * dtrace_user allows use of syscall and profile providers.
13831 		 * If the user also has proc_owner and/or proc_zone, we
13832 		 * extend the scope to include additional visibility and
13833 		 * destructive power.
13834 		 */
13835 		if (PRIV_POLICY_ONLY(cr, PRIV_DTRACE_USER, B_FALSE)) {
13836 			if (PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, B_FALSE)) {
13837 				state->dts_cred.dcr_visible |=
13838 				    DTRACE_CRV_ALLPROC;
13839 
13840 				state->dts_cred.dcr_action |=
13841 				    DTRACE_CRA_PROC_DESTRUCTIVE_ALLUSER;
13842 			}
13843 
13844 			if (PRIV_POLICY_ONLY(cr, PRIV_PROC_ZONE, B_FALSE)) {
13845 				state->dts_cred.dcr_visible |=
13846 				    DTRACE_CRV_ALLZONE;
13847 
13848 				state->dts_cred.dcr_action |=
13849 				    DTRACE_CRA_PROC_DESTRUCTIVE_ALLZONE;
13850 			}
13851 
13852 			/*
13853 			 * If we have all privs in whatever zone this is,
13854 			 * we can do destructive things to processes which
13855 			 * have altered credentials.
13856 			 */
13857 			if (priv_isequalset(priv_getset(cr, PRIV_EFFECTIVE),
13858 			    cr->cr_zone->zone_privset)) {
13859 				state->dts_cred.dcr_action |=
13860 				    DTRACE_CRA_PROC_DESTRUCTIVE_CREDCHG;
13861 			}
13862 		}
13863 
13864 		/*
13865 		 * Holding the dtrace_kernel privilege also implies that
13866 		 * the user has the dtrace_user privilege from a visibility
13867 		 * perspective.  But without further privileges, some
13868 		 * destructive actions are not available.
13869 		 */
13870 		if (PRIV_POLICY_ONLY(cr, PRIV_DTRACE_KERNEL, B_FALSE)) {
13871 			/*
13872 			 * Make all probes in all zones visible.  However,
13873 			 * this doesn't mean that all actions become available
13874 			 * to all zones.
13875 			 */
13876 			state->dts_cred.dcr_visible |= DTRACE_CRV_KERNEL |
13877 			    DTRACE_CRV_ALLPROC | DTRACE_CRV_ALLZONE;
13878 
13879 			state->dts_cred.dcr_action |= DTRACE_CRA_KERNEL |
13880 			    DTRACE_CRA_PROC;
13881 			/*
13882 			 * Holding proc_owner means that destructive actions
13883 			 * for *this* zone are allowed.
13884 			 */
13885 			if (PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, B_FALSE))
13886 				state->dts_cred.dcr_action |=
13887 				    DTRACE_CRA_PROC_DESTRUCTIVE_ALLUSER;
13888 
13889 			/*
13890 			 * Holding proc_zone means that destructive actions
13891 			 * for this user/group ID in all zones is allowed.
13892 			 */
13893 			if (PRIV_POLICY_ONLY(cr, PRIV_PROC_ZONE, B_FALSE))
13894 				state->dts_cred.dcr_action |=
13895 				    DTRACE_CRA_PROC_DESTRUCTIVE_ALLZONE;
13896 
13897 			/*
13898 			 * If we have all privs in whatever zone this is,
13899 			 * we can do destructive things to processes which
13900 			 * have altered credentials.
13901 			 */
13902 			if (priv_isequalset(priv_getset(cr, PRIV_EFFECTIVE),
13903 			    cr->cr_zone->zone_privset)) {
13904 				state->dts_cred.dcr_action |=
13905 				    DTRACE_CRA_PROC_DESTRUCTIVE_CREDCHG;
13906 			}
13907 		}
13908 
13909 		/*
13910 		 * Holding the dtrace_proc privilege gives control over fasttrap
13911 		 * and pid providers.  We need to grant wider destructive
13912 		 * privileges in the event that the user has proc_owner and/or
13913 		 * proc_zone.
13914 		 */
13915 		if (PRIV_POLICY_ONLY(cr, PRIV_DTRACE_PROC, B_FALSE)) {
13916 			if (PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, B_FALSE))
13917 				state->dts_cred.dcr_action |=
13918 				    DTRACE_CRA_PROC_DESTRUCTIVE_ALLUSER;
13919 
13920 			if (PRIV_POLICY_ONLY(cr, PRIV_PROC_ZONE, B_FALSE))
13921 				state->dts_cred.dcr_action |=
13922 				    DTRACE_CRA_PROC_DESTRUCTIVE_ALLZONE;
13923 		}
13924 	}
13925 
13926 	return (state);
13927 }
13928 
13929 static int
13930 dtrace_state_buffer(dtrace_state_t *state, dtrace_buffer_t *buf, int which)
13931 {
13932 	dtrace_optval_t *opt = state->dts_options, size;
13933 	processorid_t cpu;
13934 	int flags = 0, rval, factor, divisor = 1;
13935 
13936 	ASSERT(MUTEX_HELD(&dtrace_lock));
13937 	ASSERT(MUTEX_HELD(&cpu_lock));
13938 	ASSERT(which < DTRACEOPT_MAX);
13939 	ASSERT(state->dts_activity == DTRACE_ACTIVITY_INACTIVE ||
13940 	    (state == dtrace_anon.dta_state &&
13941 	    state->dts_activity == DTRACE_ACTIVITY_ACTIVE));
13942 
13943 	if (opt[which] == DTRACEOPT_UNSET || opt[which] == 0)
13944 		return (0);
13945 
13946 	if (opt[DTRACEOPT_CPU] != DTRACEOPT_UNSET)
13947 		cpu = opt[DTRACEOPT_CPU];
13948 
13949 	if (which == DTRACEOPT_SPECSIZE)
13950 		flags |= DTRACEBUF_NOSWITCH;
13951 
13952 	if (which == DTRACEOPT_BUFSIZE) {
13953 		if (opt[DTRACEOPT_BUFPOLICY] == DTRACEOPT_BUFPOLICY_RING)
13954 			flags |= DTRACEBUF_RING;
13955 
13956 		if (opt[DTRACEOPT_BUFPOLICY] == DTRACEOPT_BUFPOLICY_FILL)
13957 			flags |= DTRACEBUF_FILL;
13958 
13959 		if (state != dtrace_anon.dta_state ||
13960 		    state->dts_activity != DTRACE_ACTIVITY_ACTIVE)
13961 			flags |= DTRACEBUF_INACTIVE;
13962 	}
13963 
13964 	for (size = opt[which]; size >= sizeof (uint64_t); size /= divisor) {
13965 		/*
13966 		 * The size must be 8-byte aligned.  If the size is not 8-byte
13967 		 * aligned, drop it down by the difference.
13968 		 */
13969 		if (size & (sizeof (uint64_t) - 1))
13970 			size -= size & (sizeof (uint64_t) - 1);
13971 
13972 		if (size < state->dts_reserve) {
13973 			/*
13974 			 * Buffers always must be large enough to accommodate
13975 			 * their prereserved space.  We return E2BIG instead
13976 			 * of ENOMEM in this case to allow for user-level
13977 			 * software to differentiate the cases.
13978 			 */
13979 			return (E2BIG);
13980 		}
13981 
13982 		rval = dtrace_buffer_alloc(buf, size, flags, cpu, &factor);
13983 
13984 		if (rval != ENOMEM) {
13985 			opt[which] = size;
13986 			return (rval);
13987 		}
13988 
13989 		if (opt[DTRACEOPT_BUFRESIZE] == DTRACEOPT_BUFRESIZE_MANUAL)
13990 			return (rval);
13991 
13992 		for (divisor = 2; divisor < factor; divisor <<= 1)
13993 			continue;
13994 	}
13995 
13996 	return (ENOMEM);
13997 }
13998 
13999 static int
14000 dtrace_state_buffers(dtrace_state_t *state)
14001 {
14002 	dtrace_speculation_t *spec = state->dts_speculations;
14003 	int rval, i;
14004 
14005 	if ((rval = dtrace_state_buffer(state, state->dts_buffer,
14006 	    DTRACEOPT_BUFSIZE)) != 0)
14007 		return (rval);
14008 
14009 	if ((rval = dtrace_state_buffer(state, state->dts_aggbuffer,
14010 	    DTRACEOPT_AGGSIZE)) != 0)
14011 		return (rval);
14012 
14013 	for (i = 0; i < state->dts_nspeculations; i++) {
14014 		if ((rval = dtrace_state_buffer(state,
14015 		    spec[i].dtsp_buffer, DTRACEOPT_SPECSIZE)) != 0)
14016 			return (rval);
14017 	}
14018 
14019 	return (0);
14020 }
14021 
14022 static void
14023 dtrace_state_prereserve(dtrace_state_t *state)
14024 {
14025 	dtrace_ecb_t *ecb;
14026 	dtrace_probe_t *probe;
14027 
14028 	state->dts_reserve = 0;
14029 
14030 	if (state->dts_options[DTRACEOPT_BUFPOLICY] != DTRACEOPT_BUFPOLICY_FILL)
14031 		return;
14032 
14033 	/*
14034 	 * If our buffer policy is a "fill" buffer policy, we need to set the
14035 	 * prereserved space to be the space required by the END probes.
14036 	 */
14037 	probe = dtrace_probes[dtrace_probeid_end - 1];
14038 	ASSERT(probe != NULL);
14039 
14040 	for (ecb = probe->dtpr_ecb; ecb != NULL; ecb = ecb->dte_next) {
14041 		if (ecb->dte_state != state)
14042 			continue;
14043 
14044 		state->dts_reserve += ecb->dte_needed + ecb->dte_alignment;
14045 	}
14046 }
14047 
14048 static int
14049 dtrace_state_go(dtrace_state_t *state, processorid_t *cpu)
14050 {
14051 	dtrace_optval_t *opt = state->dts_options, sz, nspec;
14052 	dtrace_speculation_t *spec;
14053 	dtrace_buffer_t *buf;
14054 	cyc_handler_t hdlr;
14055 	cyc_time_t when;
14056 	int rval = 0, i, bufsize = NCPU * sizeof (dtrace_buffer_t);
14057 	dtrace_icookie_t cookie;
14058 
14059 	mutex_enter(&cpu_lock);
14060 	mutex_enter(&dtrace_lock);
14061 
14062 	if (state->dts_activity != DTRACE_ACTIVITY_INACTIVE) {
14063 		rval = EBUSY;
14064 		goto out;
14065 	}
14066 
14067 	/*
14068 	 * Before we can perform any checks, we must prime all of the
14069 	 * retained enablings that correspond to this state.
14070 	 */
14071 	dtrace_enabling_prime(state);
14072 
14073 	if (state->dts_destructive && !state->dts_cred.dcr_destructive) {
14074 		rval = EACCES;
14075 		goto out;
14076 	}
14077 
14078 	dtrace_state_prereserve(state);
14079 
14080 	/*
14081 	 * Now we want to do is try to allocate our speculations.
14082 	 * We do not automatically resize the number of speculations; if
14083 	 * this fails, we will fail the operation.
14084 	 */
14085 	nspec = opt[DTRACEOPT_NSPEC];
14086 	ASSERT(nspec != DTRACEOPT_UNSET);
14087 
14088 	if (nspec > INT_MAX) {
14089 		rval = ENOMEM;
14090 		goto out;
14091 	}
14092 
14093 	spec = kmem_zalloc(nspec * sizeof (dtrace_speculation_t),
14094 	    KM_NOSLEEP | KM_NORMALPRI);
14095 
14096 	if (spec == NULL) {
14097 		rval = ENOMEM;
14098 		goto out;
14099 	}
14100 
14101 	state->dts_speculations = spec;
14102 	state->dts_nspeculations = (int)nspec;
14103 
14104 	for (i = 0; i < nspec; i++) {
14105 		if ((buf = kmem_zalloc(bufsize,
14106 		    KM_NOSLEEP | KM_NORMALPRI)) == NULL) {
14107 			rval = ENOMEM;
14108 			goto err;
14109 		}
14110 
14111 		spec[i].dtsp_buffer = buf;
14112 	}
14113 
14114 	if (opt[DTRACEOPT_GRABANON] != DTRACEOPT_UNSET) {
14115 		if (dtrace_anon.dta_state == NULL) {
14116 			rval = ENOENT;
14117 			goto out;
14118 		}
14119 
14120 		if (state->dts_necbs != 0) {
14121 			rval = EALREADY;
14122 			goto out;
14123 		}
14124 
14125 		state->dts_anon = dtrace_anon_grab();
14126 		ASSERT(state->dts_anon != NULL);
14127 		state = state->dts_anon;
14128 
14129 		/*
14130 		 * We want "grabanon" to be set in the grabbed state, so we'll
14131 		 * copy that option value from the grabbing state into the
14132 		 * grabbed state.
14133 		 */
14134 		state->dts_options[DTRACEOPT_GRABANON] =
14135 		    opt[DTRACEOPT_GRABANON];
14136 
14137 		*cpu = dtrace_anon.dta_beganon;
14138 
14139 		/*
14140 		 * If the anonymous state is active (as it almost certainly
14141 		 * is if the anonymous enabling ultimately matched anything),
14142 		 * we don't allow any further option processing -- but we
14143 		 * don't return failure.
14144 		 */
14145 		if (state->dts_activity != DTRACE_ACTIVITY_INACTIVE)
14146 			goto out;
14147 	}
14148 
14149 	if (opt[DTRACEOPT_AGGSIZE] != DTRACEOPT_UNSET &&
14150 	    opt[DTRACEOPT_AGGSIZE] != 0) {
14151 		if (state->dts_aggregations == NULL) {
14152 			/*
14153 			 * We're not going to create an aggregation buffer
14154 			 * because we don't have any ECBs that contain
14155 			 * aggregations -- set this option to 0.
14156 			 */
14157 			opt[DTRACEOPT_AGGSIZE] = 0;
14158 		} else {
14159 			/*
14160 			 * If we have an aggregation buffer, we must also have
14161 			 * a buffer to use as scratch.
14162 			 */
14163 			if (opt[DTRACEOPT_BUFSIZE] == DTRACEOPT_UNSET ||
14164 			    opt[DTRACEOPT_BUFSIZE] < state->dts_needed) {
14165 				opt[DTRACEOPT_BUFSIZE] = state->dts_needed;
14166 			}
14167 		}
14168 	}
14169 
14170 	if (opt[DTRACEOPT_SPECSIZE] != DTRACEOPT_UNSET &&
14171 	    opt[DTRACEOPT_SPECSIZE] != 0) {
14172 		if (!state->dts_speculates) {
14173 			/*
14174 			 * We're not going to create speculation buffers
14175 			 * because we don't have any ECBs that actually
14176 			 * speculate -- set the speculation size to 0.
14177 			 */
14178 			opt[DTRACEOPT_SPECSIZE] = 0;
14179 		}
14180 	}
14181 
14182 	/*
14183 	 * The bare minimum size for any buffer that we're actually going to
14184 	 * do anything to is sizeof (uint64_t).
14185 	 */
14186 	sz = sizeof (uint64_t);
14187 
14188 	if ((state->dts_needed != 0 && opt[DTRACEOPT_BUFSIZE] < sz) ||
14189 	    (state->dts_speculates && opt[DTRACEOPT_SPECSIZE] < sz) ||
14190 	    (state->dts_aggregations != NULL && opt[DTRACEOPT_AGGSIZE] < sz)) {
14191 		/*
14192 		 * A buffer size has been explicitly set to 0 (or to a size
14193 		 * that will be adjusted to 0) and we need the space -- we
14194 		 * need to return failure.  We return ENOSPC to differentiate
14195 		 * it from failing to allocate a buffer due to failure to meet
14196 		 * the reserve (for which we return E2BIG).
14197 		 */
14198 		rval = ENOSPC;
14199 		goto out;
14200 	}
14201 
14202 	if ((rval = dtrace_state_buffers(state)) != 0)
14203 		goto err;
14204 
14205 	if ((sz = opt[DTRACEOPT_DYNVARSIZE]) == DTRACEOPT_UNSET)
14206 		sz = dtrace_dstate_defsize;
14207 
14208 	do {
14209 		rval = dtrace_dstate_init(&state->dts_vstate.dtvs_dynvars, sz);
14210 
14211 		if (rval == 0)
14212 			break;
14213 
14214 		if (opt[DTRACEOPT_BUFRESIZE] == DTRACEOPT_BUFRESIZE_MANUAL)
14215 			goto err;
14216 	} while (sz >>= 1);
14217 
14218 	opt[DTRACEOPT_DYNVARSIZE] = sz;
14219 
14220 	if (rval != 0)
14221 		goto err;
14222 
14223 	if (opt[DTRACEOPT_STATUSRATE] > dtrace_statusrate_max)
14224 		opt[DTRACEOPT_STATUSRATE] = dtrace_statusrate_max;
14225 
14226 	if (opt[DTRACEOPT_CLEANRATE] == 0)
14227 		opt[DTRACEOPT_CLEANRATE] = dtrace_cleanrate_max;
14228 
14229 	if (opt[DTRACEOPT_CLEANRATE] < dtrace_cleanrate_min)
14230 		opt[DTRACEOPT_CLEANRATE] = dtrace_cleanrate_min;
14231 
14232 	if (opt[DTRACEOPT_CLEANRATE] > dtrace_cleanrate_max)
14233 		opt[DTRACEOPT_CLEANRATE] = dtrace_cleanrate_max;
14234 
14235 	hdlr.cyh_func = (cyc_func_t)dtrace_state_clean;
14236 	hdlr.cyh_arg = state;
14237 	hdlr.cyh_level = CY_LOW_LEVEL;
14238 
14239 	when.cyt_when = 0;
14240 	when.cyt_interval = opt[DTRACEOPT_CLEANRATE];
14241 
14242 	state->dts_cleaner = cyclic_add(&hdlr, &when);
14243 
14244 	hdlr.cyh_func = (cyc_func_t)dtrace_state_deadman;
14245 	hdlr.cyh_arg = state;
14246 	hdlr.cyh_level = CY_LOW_LEVEL;
14247 
14248 	when.cyt_when = 0;
14249 	when.cyt_interval = dtrace_deadman_interval;
14250 
14251 	state->dts_alive = state->dts_laststatus = dtrace_gethrtime();
14252 	state->dts_deadman = cyclic_add(&hdlr, &when);
14253 
14254 	state->dts_activity = DTRACE_ACTIVITY_WARMUP;
14255 
14256 	if (state->dts_getf != 0 &&
14257 	    !(state->dts_cred.dcr_visible & DTRACE_CRV_KERNEL)) {
14258 		/*
14259 		 * We don't have kernel privs but we have at least one call
14260 		 * to getf(); we need to bump our zone's count, and (if
14261 		 * this is the first enabling to have an unprivileged call
14262 		 * to getf()) we need to hook into closef().
14263 		 */
14264 		state->dts_cred.dcr_cred->cr_zone->zone_dtrace_getf++;
14265 
14266 		if (dtrace_getf++ == 0) {
14267 			ASSERT(dtrace_closef == NULL);
14268 			dtrace_closef = dtrace_getf_barrier;
14269 		}
14270 	}
14271 
14272 	/*
14273 	 * Now it's time to actually fire the BEGIN probe.  We need to disable
14274 	 * interrupts here both to record the CPU on which we fired the BEGIN
14275 	 * probe (the data from this CPU will be processed first at user
14276 	 * level) and to manually activate the buffer for this CPU.
14277 	 */
14278 	cookie = dtrace_interrupt_disable();
14279 	*cpu = CPU->cpu_id;
14280 	ASSERT(state->dts_buffer[*cpu].dtb_flags & DTRACEBUF_INACTIVE);
14281 	state->dts_buffer[*cpu].dtb_flags &= ~DTRACEBUF_INACTIVE;
14282 
14283 	dtrace_probe(dtrace_probeid_begin,
14284 	    (uint64_t)(uintptr_t)state, 0, 0, 0, 0);
14285 	dtrace_interrupt_enable(cookie);
14286 	/*
14287 	 * We may have had an exit action from a BEGIN probe; only change our
14288 	 * state to ACTIVE if we're still in WARMUP.
14289 	 */
14290 	ASSERT(state->dts_activity == DTRACE_ACTIVITY_WARMUP ||
14291 	    state->dts_activity == DTRACE_ACTIVITY_DRAINING);
14292 
14293 	if (state->dts_activity == DTRACE_ACTIVITY_WARMUP)
14294 		state->dts_activity = DTRACE_ACTIVITY_ACTIVE;
14295 
14296 	/*
14297 	 * Regardless of whether or not now we're in ACTIVE or DRAINING, we
14298 	 * want each CPU to transition its principal buffer out of the
14299 	 * INACTIVE state.  Doing this assures that no CPU will suddenly begin
14300 	 * processing an ECB halfway down a probe's ECB chain; all CPUs will
14301 	 * atomically transition from processing none of a state's ECBs to
14302 	 * processing all of them.
14303 	 */
14304 	dtrace_xcall(DTRACE_CPUALL,
14305 	    (dtrace_xcall_t)dtrace_buffer_activate, state);
14306 	goto out;
14307 
14308 err:
14309 	dtrace_buffer_free(state->dts_buffer);
14310 	dtrace_buffer_free(state->dts_aggbuffer);
14311 
14312 	if ((nspec = state->dts_nspeculations) == 0) {
14313 		ASSERT(state->dts_speculations == NULL);
14314 		goto out;
14315 	}
14316 
14317 	spec = state->dts_speculations;
14318 	ASSERT(spec != NULL);
14319 
14320 	for (i = 0; i < state->dts_nspeculations; i++) {
14321 		if ((buf = spec[i].dtsp_buffer) == NULL)
14322 			break;
14323 
14324 		dtrace_buffer_free(buf);
14325 		kmem_free(buf, bufsize);
14326 	}
14327 
14328 	kmem_free(spec, nspec * sizeof (dtrace_speculation_t));
14329 	state->dts_nspeculations = 0;
14330 	state->dts_speculations = NULL;
14331 
14332 out:
14333 	mutex_exit(&dtrace_lock);
14334 	mutex_exit(&cpu_lock);
14335 
14336 	return (rval);
14337 }
14338 
14339 static int
14340 dtrace_state_stop(dtrace_state_t *state, processorid_t *cpu)
14341 {
14342 	dtrace_icookie_t cookie;
14343 
14344 	ASSERT(MUTEX_HELD(&dtrace_lock));
14345 
14346 	if (state->dts_activity != DTRACE_ACTIVITY_ACTIVE &&
14347 	    state->dts_activity != DTRACE_ACTIVITY_DRAINING)
14348 		return (EINVAL);
14349 
14350 	/*
14351 	 * We'll set the activity to DTRACE_ACTIVITY_DRAINING, and issue a sync
14352 	 * to be sure that every CPU has seen it.  See below for the details
14353 	 * on why this is done.
14354 	 */
14355 	state->dts_activity = DTRACE_ACTIVITY_DRAINING;
14356 	dtrace_sync();
14357 
14358 	/*
14359 	 * By this point, it is impossible for any CPU to be still processing
14360 	 * with DTRACE_ACTIVITY_ACTIVE.  We can thus set our activity to
14361 	 * DTRACE_ACTIVITY_COOLDOWN and know that we're not racing with any
14362 	 * other CPU in dtrace_buffer_reserve().  This allows dtrace_probe()
14363 	 * and callees to know that the activity is DTRACE_ACTIVITY_COOLDOWN
14364 	 * iff we're in the END probe.
14365 	 */
14366 	state->dts_activity = DTRACE_ACTIVITY_COOLDOWN;
14367 	dtrace_sync();
14368 	ASSERT(state->dts_activity == DTRACE_ACTIVITY_COOLDOWN);
14369 
14370 	/*
14371 	 * Finally, we can release the reserve and call the END probe.  We
14372 	 * disable interrupts across calling the END probe to allow us to
14373 	 * return the CPU on which we actually called the END probe.  This
14374 	 * allows user-land to be sure that this CPU's principal buffer is
14375 	 * processed last.
14376 	 */
14377 	state->dts_reserve = 0;
14378 
14379 	cookie = dtrace_interrupt_disable();
14380 	*cpu = CPU->cpu_id;
14381 	dtrace_probe(dtrace_probeid_end,
14382 	    (uint64_t)(uintptr_t)state, 0, 0, 0, 0);
14383 	dtrace_interrupt_enable(cookie);
14384 
14385 	state->dts_activity = DTRACE_ACTIVITY_STOPPED;
14386 	dtrace_sync();
14387 
14388 	if (state->dts_getf != 0 &&
14389 	    !(state->dts_cred.dcr_visible & DTRACE_CRV_KERNEL)) {
14390 		/*
14391 		 * We don't have kernel privs but we have at least one call
14392 		 * to getf(); we need to lower our zone's count, and (if
14393 		 * this is the last enabling to have an unprivileged call
14394 		 * to getf()) we need to clear the closef() hook.
14395 		 */
14396 		ASSERT(state->dts_cred.dcr_cred->cr_zone->zone_dtrace_getf > 0);
14397 		ASSERT(dtrace_closef == dtrace_getf_barrier);
14398 		ASSERT(dtrace_getf > 0);
14399 
14400 		state->dts_cred.dcr_cred->cr_zone->zone_dtrace_getf--;
14401 
14402 		if (--dtrace_getf == 0)
14403 			dtrace_closef = NULL;
14404 	}
14405 
14406 	return (0);
14407 }
14408 
14409 static int
14410 dtrace_state_option(dtrace_state_t *state, dtrace_optid_t option,
14411     dtrace_optval_t val)
14412 {
14413 	ASSERT(MUTEX_HELD(&dtrace_lock));
14414 
14415 	if (state->dts_activity != DTRACE_ACTIVITY_INACTIVE)
14416 		return (EBUSY);
14417 
14418 	if (option >= DTRACEOPT_MAX)
14419 		return (EINVAL);
14420 
14421 	if (option != DTRACEOPT_CPU && val < 0)
14422 		return (EINVAL);
14423 
14424 	switch (option) {
14425 	case DTRACEOPT_DESTRUCTIVE:
14426 		if (dtrace_destructive_disallow)
14427 			return (EACCES);
14428 
14429 		state->dts_cred.dcr_destructive = 1;
14430 		break;
14431 
14432 	case DTRACEOPT_BUFSIZE:
14433 	case DTRACEOPT_DYNVARSIZE:
14434 	case DTRACEOPT_AGGSIZE:
14435 	case DTRACEOPT_SPECSIZE:
14436 	case DTRACEOPT_STRSIZE:
14437 		if (val < 0)
14438 			return (EINVAL);
14439 
14440 		if (val >= LONG_MAX) {
14441 			/*
14442 			 * If this is an otherwise negative value, set it to
14443 			 * the highest multiple of 128m less than LONG_MAX.
14444 			 * Technically, we're adjusting the size without
14445 			 * regard to the buffer resizing policy, but in fact,
14446 			 * this has no effect -- if we set the buffer size to
14447 			 * ~LONG_MAX and the buffer policy is ultimately set to
14448 			 * be "manual", the buffer allocation is guaranteed to
14449 			 * fail, if only because the allocation requires two
14450 			 * buffers.  (We set the the size to the highest
14451 			 * multiple of 128m because it ensures that the size
14452 			 * will remain a multiple of a megabyte when
14453 			 * repeatedly halved -- all the way down to 15m.)
14454 			 */
14455 			val = LONG_MAX - (1 << 27) + 1;
14456 		}
14457 	}
14458 
14459 	state->dts_options[option] = val;
14460 
14461 	return (0);
14462 }
14463 
14464 static void
14465 dtrace_state_destroy(dtrace_state_t *state)
14466 {
14467 	dtrace_ecb_t *ecb;
14468 	dtrace_vstate_t *vstate = &state->dts_vstate;
14469 	minor_t minor = getminor(state->dts_dev);
14470 	int i, bufsize = NCPU * sizeof (dtrace_buffer_t);
14471 	dtrace_speculation_t *spec = state->dts_speculations;
14472 	int nspec = state->dts_nspeculations;
14473 	uint32_t match;
14474 
14475 	ASSERT(MUTEX_HELD(&dtrace_lock));
14476 	ASSERT(MUTEX_HELD(&cpu_lock));
14477 
14478 	/*
14479 	 * First, retract any retained enablings for this state.
14480 	 */
14481 	dtrace_enabling_retract(state);
14482 	ASSERT(state->dts_nretained == 0);
14483 
14484 	if (state->dts_activity == DTRACE_ACTIVITY_ACTIVE ||
14485 	    state->dts_activity == DTRACE_ACTIVITY_DRAINING) {
14486 		/*
14487 		 * We have managed to come into dtrace_state_destroy() on a
14488 		 * hot enabling -- almost certainly because of a disorderly
14489 		 * shutdown of a consumer.  (That is, a consumer that is
14490 		 * exiting without having called dtrace_stop().) In this case,
14491 		 * we're going to set our activity to be KILLED, and then
14492 		 * issue a sync to be sure that everyone is out of probe
14493 		 * context before we start blowing away ECBs.
14494 		 */
14495 		state->dts_activity = DTRACE_ACTIVITY_KILLED;
14496 		dtrace_sync();
14497 	}
14498 
14499 	/*
14500 	 * Release the credential hold we took in dtrace_state_create().
14501 	 */
14502 	if (state->dts_cred.dcr_cred != NULL)
14503 		crfree(state->dts_cred.dcr_cred);
14504 
14505 	/*
14506 	 * Now we can safely disable and destroy any enabled probes.  Because
14507 	 * any DTRACE_PRIV_KERNEL probes may actually be slowing our progress
14508 	 * (especially if they're all enabled), we take two passes through the
14509 	 * ECBs:  in the first, we disable just DTRACE_PRIV_KERNEL probes, and
14510 	 * in the second we disable whatever is left over.
14511 	 */
14512 	for (match = DTRACE_PRIV_KERNEL; ; match = 0) {
14513 		for (i = 0; i < state->dts_necbs; i++) {
14514 			if ((ecb = state->dts_ecbs[i]) == NULL)
14515 				continue;
14516 
14517 			if (match && ecb->dte_probe != NULL) {
14518 				dtrace_probe_t *probe = ecb->dte_probe;
14519 				dtrace_provider_t *prov = probe->dtpr_provider;
14520 
14521 				if (!(prov->dtpv_priv.dtpp_flags & match))
14522 					continue;
14523 			}
14524 
14525 			dtrace_ecb_disable(ecb);
14526 			dtrace_ecb_destroy(ecb);
14527 		}
14528 
14529 		if (!match)
14530 			break;
14531 	}
14532 
14533 	/*
14534 	 * Before we free the buffers, perform one more sync to assure that
14535 	 * every CPU is out of probe context.
14536 	 */
14537 	dtrace_sync();
14538 
14539 	dtrace_buffer_free(state->dts_buffer);
14540 	dtrace_buffer_free(state->dts_aggbuffer);
14541 
14542 	for (i = 0; i < nspec; i++)
14543 		dtrace_buffer_free(spec[i].dtsp_buffer);
14544 
14545 	if (state->dts_cleaner != CYCLIC_NONE)
14546 		cyclic_remove(state->dts_cleaner);
14547 
14548 	if (state->dts_deadman != CYCLIC_NONE)
14549 		cyclic_remove(state->dts_deadman);
14550 
14551 	dtrace_dstate_fini(&vstate->dtvs_dynvars);
14552 	dtrace_vstate_fini(vstate);
14553 	kmem_free(state->dts_ecbs, state->dts_necbs * sizeof (dtrace_ecb_t *));
14554 
14555 	if (state->dts_aggregations != NULL) {
14556 #ifdef DEBUG
14557 		for (i = 0; i < state->dts_naggregations; i++)
14558 			ASSERT(state->dts_aggregations[i] == NULL);
14559 #endif
14560 		ASSERT(state->dts_naggregations > 0);
14561 		kmem_free(state->dts_aggregations,
14562 		    state->dts_naggregations * sizeof (dtrace_aggregation_t *));
14563 	}
14564 
14565 	kmem_free(state->dts_buffer, bufsize);
14566 	kmem_free(state->dts_aggbuffer, bufsize);
14567 
14568 	for (i = 0; i < nspec; i++)
14569 		kmem_free(spec[i].dtsp_buffer, bufsize);
14570 
14571 	kmem_free(spec, nspec * sizeof (dtrace_speculation_t));
14572 
14573 	dtrace_format_destroy(state);
14574 
14575 	vmem_destroy(state->dts_aggid_arena);
14576 	ddi_soft_state_free(dtrace_softstate, minor);
14577 	vmem_free(dtrace_minor, (void *)(uintptr_t)minor, 1);
14578 }
14579 
14580 /*
14581  * DTrace Anonymous Enabling Functions
14582  */
14583 static dtrace_state_t *
14584 dtrace_anon_grab(void)
14585 {
14586 	dtrace_state_t *state;
14587 
14588 	ASSERT(MUTEX_HELD(&dtrace_lock));
14589 
14590 	if ((state = dtrace_anon.dta_state) == NULL) {
14591 		ASSERT(dtrace_anon.dta_enabling == NULL);
14592 		return (NULL);
14593 	}
14594 
14595 	ASSERT(dtrace_anon.dta_enabling != NULL);
14596 	ASSERT(dtrace_retained != NULL);
14597 
14598 	dtrace_enabling_destroy(dtrace_anon.dta_enabling);
14599 	dtrace_anon.dta_enabling = NULL;
14600 	dtrace_anon.dta_state = NULL;
14601 
14602 	return (state);
14603 }
14604 
14605 static void
14606 dtrace_anon_property(void)
14607 {
14608 	int i, rv;
14609 	dtrace_state_t *state;
14610 	dof_hdr_t *dof;
14611 	char c[32];		/* enough for "dof-data-" + digits */
14612 
14613 	ASSERT(MUTEX_HELD(&dtrace_lock));
14614 	ASSERT(MUTEX_HELD(&cpu_lock));
14615 
14616 	for (i = 0; ; i++) {
14617 		(void) snprintf(c, sizeof (c), "dof-data-%d", i);
14618 
14619 		dtrace_err_verbose = 1;
14620 
14621 		if ((dof = dtrace_dof_property(c)) == NULL) {
14622 			dtrace_err_verbose = 0;
14623 			break;
14624 		}
14625 
14626 		/*
14627 		 * We want to create anonymous state, so we need to transition
14628 		 * the kernel debugger to indicate that DTrace is active.  If
14629 		 * this fails (e.g. because the debugger has modified text in
14630 		 * some way), we won't continue with the processing.
14631 		 */
14632 		if (kdi_dtrace_set(KDI_DTSET_DTRACE_ACTIVATE) != 0) {
14633 			cmn_err(CE_NOTE, "kernel debugger active; anonymous "
14634 			    "enabling ignored.");
14635 			dtrace_dof_destroy(dof);
14636 			break;
14637 		}
14638 
14639 		/*
14640 		 * If we haven't allocated an anonymous state, we'll do so now.
14641 		 */
14642 		if ((state = dtrace_anon.dta_state) == NULL) {
14643 			state = dtrace_state_create(NULL, NULL);
14644 			dtrace_anon.dta_state = state;
14645 
14646 			if (state == NULL) {
14647 				/*
14648 				 * This basically shouldn't happen:  the only
14649 				 * failure mode from dtrace_state_create() is a
14650 				 * failure of ddi_soft_state_zalloc() that
14651 				 * itself should never happen.  Still, the
14652 				 * interface allows for a failure mode, and
14653 				 * we want to fail as gracefully as possible:
14654 				 * we'll emit an error message and cease
14655 				 * processing anonymous state in this case.
14656 				 */
14657 				cmn_err(CE_WARN, "failed to create "
14658 				    "anonymous state");
14659 				dtrace_dof_destroy(dof);
14660 				break;
14661 			}
14662 		}
14663 
14664 		rv = dtrace_dof_slurp(dof, &state->dts_vstate, CRED(),
14665 		    &dtrace_anon.dta_enabling, 0, B_TRUE);
14666 
14667 		if (rv == 0)
14668 			rv = dtrace_dof_options(dof, state);
14669 
14670 		dtrace_err_verbose = 0;
14671 		dtrace_dof_destroy(dof);
14672 
14673 		if (rv != 0) {
14674 			/*
14675 			 * This is malformed DOF; chuck any anonymous state
14676 			 * that we created.
14677 			 */
14678 			ASSERT(dtrace_anon.dta_enabling == NULL);
14679 			dtrace_state_destroy(state);
14680 			dtrace_anon.dta_state = NULL;
14681 			break;
14682 		}
14683 
14684 		ASSERT(dtrace_anon.dta_enabling != NULL);
14685 	}
14686 
14687 	if (dtrace_anon.dta_enabling != NULL) {
14688 		int rval;
14689 
14690 		/*
14691 		 * dtrace_enabling_retain() can only fail because we are
14692 		 * trying to retain more enablings than are allowed -- but
14693 		 * we only have one anonymous enabling, and we are guaranteed
14694 		 * to be allowed at least one retained enabling; we assert
14695 		 * that dtrace_enabling_retain() returns success.
14696 		 */
14697 		rval = dtrace_enabling_retain(dtrace_anon.dta_enabling);
14698 		ASSERT(rval == 0);
14699 
14700 		dtrace_enabling_dump(dtrace_anon.dta_enabling);
14701 	}
14702 }
14703 
14704 /*
14705  * DTrace Helper Functions
14706  */
14707 static void
14708 dtrace_helper_trace(dtrace_helper_action_t *helper,
14709     dtrace_mstate_t *mstate, dtrace_vstate_t *vstate, int where)
14710 {
14711 	uint32_t size, next, nnext, i;
14712 	dtrace_helptrace_t *ent, *buffer;
14713 	uint16_t flags = cpu_core[CPU->cpu_id].cpuc_dtrace_flags;
14714 
14715 	if ((buffer = dtrace_helptrace_buffer) == NULL)
14716 		return;
14717 
14718 	ASSERT(vstate->dtvs_nlocals <= dtrace_helptrace_nlocals);
14719 
14720 	/*
14721 	 * What would a tracing framework be without its own tracing
14722 	 * framework?  (Well, a hell of a lot simpler, for starters...)
14723 	 */
14724 	size = sizeof (dtrace_helptrace_t) + dtrace_helptrace_nlocals *
14725 	    sizeof (uint64_t) - sizeof (uint64_t);
14726 
14727 	/*
14728 	 * Iterate until we can allocate a slot in the trace buffer.
14729 	 */
14730 	do {
14731 		next = dtrace_helptrace_next;
14732 
14733 		if (next + size < dtrace_helptrace_bufsize) {
14734 			nnext = next + size;
14735 		} else {
14736 			nnext = size;
14737 		}
14738 	} while (dtrace_cas32(&dtrace_helptrace_next, next, nnext) != next);
14739 
14740 	/*
14741 	 * We have our slot; fill it in.
14742 	 */
14743 	if (nnext == size) {
14744 		dtrace_helptrace_wrapped++;
14745 		next = 0;
14746 	}
14747 
14748 	ent = (dtrace_helptrace_t *)((uintptr_t)buffer + next);
14749 	ent->dtht_helper = helper;
14750 	ent->dtht_where = where;
14751 	ent->dtht_nlocals = vstate->dtvs_nlocals;
14752 
14753 	ent->dtht_fltoffs = (mstate->dtms_present & DTRACE_MSTATE_FLTOFFS) ?
14754 	    mstate->dtms_fltoffs : -1;
14755 	ent->dtht_fault = DTRACE_FLAGS2FLT(flags);
14756 	ent->dtht_illval = cpu_core[CPU->cpu_id].cpuc_dtrace_illval;
14757 
14758 	for (i = 0; i < vstate->dtvs_nlocals; i++) {
14759 		dtrace_statvar_t *svar;
14760 
14761 		if ((svar = vstate->dtvs_locals[i]) == NULL)
14762 			continue;
14763 
14764 		ASSERT(svar->dtsv_size >= NCPU * sizeof (uint64_t));
14765 		ent->dtht_locals[i] =
14766 		    ((uint64_t *)(uintptr_t)svar->dtsv_data)[CPU->cpu_id];
14767 	}
14768 }
14769 
14770 static uint64_t
14771 dtrace_helper(int which, dtrace_mstate_t *mstate,
14772     dtrace_state_t *state, uint64_t arg0, uint64_t arg1)
14773 {
14774 	uint16_t *flags = &cpu_core[CPU->cpu_id].cpuc_dtrace_flags;
14775 	uint64_t sarg0 = mstate->dtms_arg[0];
14776 	uint64_t sarg1 = mstate->dtms_arg[1];
14777 	uint64_t rval;
14778 	dtrace_helpers_t *helpers = curproc->p_dtrace_helpers;
14779 	dtrace_helper_action_t *helper;
14780 	dtrace_vstate_t *vstate;
14781 	dtrace_difo_t *pred;
14782 	int i, trace = dtrace_helptrace_buffer != NULL;
14783 
14784 	ASSERT(which >= 0 && which < DTRACE_NHELPER_ACTIONS);
14785 
14786 	if (helpers == NULL)
14787 		return (0);
14788 
14789 	if ((helper = helpers->dthps_actions[which]) == NULL)
14790 		return (0);
14791 
14792 	vstate = &helpers->dthps_vstate;
14793 	mstate->dtms_arg[0] = arg0;
14794 	mstate->dtms_arg[1] = arg1;
14795 
14796 	/*
14797 	 * Now iterate over each helper.  If its predicate evaluates to 'true',
14798 	 * we'll call the corresponding actions.  Note that the below calls
14799 	 * to dtrace_dif_emulate() may set faults in machine state.  This is
14800 	 * okay:  our caller (the outer dtrace_dif_emulate()) will simply plow
14801 	 * the stored DIF offset with its own (which is the desired behavior).
14802 	 * Also, note the calls to dtrace_dif_emulate() may allocate scratch
14803 	 * from machine state; this is okay, too.
14804 	 */
14805 	for (; helper != NULL; helper = helper->dtha_next) {
14806 		if ((pred = helper->dtha_predicate) != NULL) {
14807 			if (trace)
14808 				dtrace_helper_trace(helper, mstate, vstate, 0);
14809 
14810 			if (!dtrace_dif_emulate(pred, mstate, vstate, state))
14811 				goto next;
14812 
14813 			if (*flags & CPU_DTRACE_FAULT)
14814 				goto err;
14815 		}
14816 
14817 		for (i = 0; i < helper->dtha_nactions; i++) {
14818 			if (trace)
14819 				dtrace_helper_trace(helper,
14820 				    mstate, vstate, i + 1);
14821 
14822 			rval = dtrace_dif_emulate(helper->dtha_actions[i],
14823 			    mstate, vstate, state);
14824 
14825 			if (*flags & CPU_DTRACE_FAULT)
14826 				goto err;
14827 		}
14828 
14829 next:
14830 		if (trace)
14831 			dtrace_helper_trace(helper, mstate, vstate,
14832 			    DTRACE_HELPTRACE_NEXT);
14833 	}
14834 
14835 	if (trace)
14836 		dtrace_helper_trace(helper, mstate, vstate,
14837 		    DTRACE_HELPTRACE_DONE);
14838 
14839 	/*
14840 	 * Restore the arg0 that we saved upon entry.
14841 	 */
14842 	mstate->dtms_arg[0] = sarg0;
14843 	mstate->dtms_arg[1] = sarg1;
14844 
14845 	return (rval);
14846 
14847 err:
14848 	if (trace)
14849 		dtrace_helper_trace(helper, mstate, vstate,
14850 		    DTRACE_HELPTRACE_ERR);
14851 
14852 	/*
14853 	 * Restore the arg0 that we saved upon entry.
14854 	 */
14855 	mstate->dtms_arg[0] = sarg0;
14856 	mstate->dtms_arg[1] = sarg1;
14857 
14858 	return (0);
14859 }
14860 
14861 static void
14862 dtrace_helper_action_destroy(dtrace_helper_action_t *helper,
14863     dtrace_vstate_t *vstate)
14864 {
14865 	int i;
14866 
14867 	if (helper->dtha_predicate != NULL)
14868 		dtrace_difo_release(helper->dtha_predicate, vstate);
14869 
14870 	for (i = 0; i < helper->dtha_nactions; i++) {
14871 		ASSERT(helper->dtha_actions[i] != NULL);
14872 		dtrace_difo_release(helper->dtha_actions[i], vstate);
14873 	}
14874 
14875 	kmem_free(helper->dtha_actions,
14876 	    helper->dtha_nactions * sizeof (dtrace_difo_t *));
14877 	kmem_free(helper, sizeof (dtrace_helper_action_t));
14878 }
14879 
14880 static int
14881 dtrace_helper_destroygen(int gen)
14882 {
14883 	proc_t *p = curproc;
14884 	dtrace_helpers_t *help = p->p_dtrace_helpers;
14885 	dtrace_vstate_t *vstate;
14886 	int i;
14887 
14888 	ASSERT(MUTEX_HELD(&dtrace_lock));
14889 
14890 	if (help == NULL || gen > help->dthps_generation)
14891 		return (EINVAL);
14892 
14893 	vstate = &help->dthps_vstate;
14894 
14895 	for (i = 0; i < DTRACE_NHELPER_ACTIONS; i++) {
14896 		dtrace_helper_action_t *last = NULL, *h, *next;
14897 
14898 		for (h = help->dthps_actions[i]; h != NULL; h = next) {
14899 			next = h->dtha_next;
14900 
14901 			if (h->dtha_generation == gen) {
14902 				if (last != NULL) {
14903 					last->dtha_next = next;
14904 				} else {
14905 					help->dthps_actions[i] = next;
14906 				}
14907 
14908 				dtrace_helper_action_destroy(h, vstate);
14909 			} else {
14910 				last = h;
14911 			}
14912 		}
14913 	}
14914 
14915 	/*
14916 	 * Interate until we've cleared out all helper providers with the
14917 	 * given generation number.
14918 	 */
14919 	for (;;) {
14920 		dtrace_helper_provider_t *prov;
14921 
14922 		/*
14923 		 * Look for a helper provider with the right generation. We
14924 		 * have to start back at the beginning of the list each time
14925 		 * because we drop dtrace_lock. It's unlikely that we'll make
14926 		 * more than two passes.
14927 		 */
14928 		for (i = 0; i < help->dthps_nprovs; i++) {
14929 			prov = help->dthps_provs[i];
14930 
14931 			if (prov->dthp_generation == gen)
14932 				break;
14933 		}
14934 
14935 		/*
14936 		 * If there were no matches, we're done.
14937 		 */
14938 		if (i == help->dthps_nprovs)
14939 			break;
14940 
14941 		/*
14942 		 * Move the last helper provider into this slot.
14943 		 */
14944 		help->dthps_nprovs--;
14945 		help->dthps_provs[i] = help->dthps_provs[help->dthps_nprovs];
14946 		help->dthps_provs[help->dthps_nprovs] = NULL;
14947 
14948 		mutex_exit(&dtrace_lock);
14949 
14950 		/*
14951 		 * If we have a meta provider, remove this helper provider.
14952 		 */
14953 		mutex_enter(&dtrace_meta_lock);
14954 		if (dtrace_meta_pid != NULL) {
14955 			ASSERT(dtrace_deferred_pid == NULL);
14956 			dtrace_helper_provider_remove(&prov->dthp_prov,
14957 			    p->p_pid);
14958 		}
14959 		mutex_exit(&dtrace_meta_lock);
14960 
14961 		dtrace_helper_provider_destroy(prov);
14962 
14963 		mutex_enter(&dtrace_lock);
14964 	}
14965 
14966 	return (0);
14967 }
14968 
14969 static int
14970 dtrace_helper_validate(dtrace_helper_action_t *helper)
14971 {
14972 	int err = 0, i;
14973 	dtrace_difo_t *dp;
14974 
14975 	if ((dp = helper->dtha_predicate) != NULL)
14976 		err += dtrace_difo_validate_helper(dp);
14977 
14978 	for (i = 0; i < helper->dtha_nactions; i++)
14979 		err += dtrace_difo_validate_helper(helper->dtha_actions[i]);
14980 
14981 	return (err == 0);
14982 }
14983 
14984 static int
14985 dtrace_helper_action_add(int which, dtrace_ecbdesc_t *ep)
14986 {
14987 	dtrace_helpers_t *help;
14988 	dtrace_helper_action_t *helper, *last;
14989 	dtrace_actdesc_t *act;
14990 	dtrace_vstate_t *vstate;
14991 	dtrace_predicate_t *pred;
14992 	int count = 0, nactions = 0, i;
14993 
14994 	if (which < 0 || which >= DTRACE_NHELPER_ACTIONS)
14995 		return (EINVAL);
14996 
14997 	help = curproc->p_dtrace_helpers;
14998 	last = help->dthps_actions[which];
14999 	vstate = &help->dthps_vstate;
15000 
15001 	for (count = 0; last != NULL; last = last->dtha_next) {
15002 		count++;
15003 		if (last->dtha_next == NULL)
15004 			break;
15005 	}
15006 
15007 	/*
15008 	 * If we already have dtrace_helper_actions_max helper actions for this
15009 	 * helper action type, we'll refuse to add a new one.
15010 	 */
15011 	if (count >= dtrace_helper_actions_max)
15012 		return (ENOSPC);
15013 
15014 	helper = kmem_zalloc(sizeof (dtrace_helper_action_t), KM_SLEEP);
15015 	helper->dtha_generation = help->dthps_generation;
15016 
15017 	if ((pred = ep->dted_pred.dtpdd_predicate) != NULL) {
15018 		ASSERT(pred->dtp_difo != NULL);
15019 		dtrace_difo_hold(pred->dtp_difo);
15020 		helper->dtha_predicate = pred->dtp_difo;
15021 	}
15022 
15023 	for (act = ep->dted_action; act != NULL; act = act->dtad_next) {
15024 		if (act->dtad_kind != DTRACEACT_DIFEXPR)
15025 			goto err;
15026 
15027 		if (act->dtad_difo == NULL)
15028 			goto err;
15029 
15030 		nactions++;
15031 	}
15032 
15033 	helper->dtha_actions = kmem_zalloc(sizeof (dtrace_difo_t *) *
15034 	    (helper->dtha_nactions = nactions), KM_SLEEP);
15035 
15036 	for (act = ep->dted_action, i = 0; act != NULL; act = act->dtad_next) {
15037 		dtrace_difo_hold(act->dtad_difo);
15038 		helper->dtha_actions[i++] = act->dtad_difo;
15039 	}
15040 
15041 	if (!dtrace_helper_validate(helper))
15042 		goto err;
15043 
15044 	if (last == NULL) {
15045 		help->dthps_actions[which] = helper;
15046 	} else {
15047 		last->dtha_next = helper;
15048 	}
15049 
15050 	if (vstate->dtvs_nlocals > dtrace_helptrace_nlocals) {
15051 		dtrace_helptrace_nlocals = vstate->dtvs_nlocals;
15052 		dtrace_helptrace_next = 0;
15053 	}
15054 
15055 	return (0);
15056 err:
15057 	dtrace_helper_action_destroy(helper, vstate);
15058 	return (EINVAL);
15059 }
15060 
15061 static void
15062 dtrace_helper_provider_register(proc_t *p, dtrace_helpers_t *help,
15063     dof_helper_t *dofhp)
15064 {
15065 	ASSERT(MUTEX_NOT_HELD(&dtrace_lock));
15066 
15067 	mutex_enter(&dtrace_meta_lock);
15068 	mutex_enter(&dtrace_lock);
15069 
15070 	if (!dtrace_attached() || dtrace_meta_pid == NULL) {
15071 		/*
15072 		 * If the dtrace module is loaded but not attached, or if
15073 		 * there aren't isn't a meta provider registered to deal with
15074 		 * these provider descriptions, we need to postpone creating
15075 		 * the actual providers until later.
15076 		 */
15077 
15078 		if (help->dthps_next == NULL && help->dthps_prev == NULL &&
15079 		    dtrace_deferred_pid != help) {
15080 			help->dthps_deferred = 1;
15081 			help->dthps_pid = p->p_pid;
15082 			help->dthps_next = dtrace_deferred_pid;
15083 			help->dthps_prev = NULL;
15084 			if (dtrace_deferred_pid != NULL)
15085 				dtrace_deferred_pid->dthps_prev = help;
15086 			dtrace_deferred_pid = help;
15087 		}
15088 
15089 		mutex_exit(&dtrace_lock);
15090 
15091 	} else if (dofhp != NULL) {
15092 		/*
15093 		 * If the dtrace module is loaded and we have a particular
15094 		 * helper provider description, pass that off to the
15095 		 * meta provider.
15096 		 */
15097 
15098 		mutex_exit(&dtrace_lock);
15099 
15100 		dtrace_helper_provide(dofhp, p->p_pid);
15101 
15102 	} else {
15103 		/*
15104 		 * Otherwise, just pass all the helper provider descriptions
15105 		 * off to the meta provider.
15106 		 */
15107 
15108 		int i;
15109 		mutex_exit(&dtrace_lock);
15110 
15111 		for (i = 0; i < help->dthps_nprovs; i++) {
15112 			dtrace_helper_provide(&help->dthps_provs[i]->dthp_prov,
15113 			    p->p_pid);
15114 		}
15115 	}
15116 
15117 	mutex_exit(&dtrace_meta_lock);
15118 }
15119 
15120 static int
15121 dtrace_helper_provider_add(dof_helper_t *dofhp, int gen)
15122 {
15123 	dtrace_helpers_t *help;
15124 	dtrace_helper_provider_t *hprov, **tmp_provs;
15125 	uint_t tmp_maxprovs, i;
15126 
15127 	ASSERT(MUTEX_HELD(&dtrace_lock));
15128 
15129 	help = curproc->p_dtrace_helpers;
15130 	ASSERT(help != NULL);
15131 
15132 	/*
15133 	 * If we already have dtrace_helper_providers_max helper providers,
15134 	 * we're refuse to add a new one.
15135 	 */
15136 	if (help->dthps_nprovs >= dtrace_helper_providers_max)
15137 		return (ENOSPC);
15138 
15139 	/*
15140 	 * Check to make sure this isn't a duplicate.
15141 	 */
15142 	for (i = 0; i < help->dthps_nprovs; i++) {
15143 		if (dofhp->dofhp_addr ==
15144 		    help->dthps_provs[i]->dthp_prov.dofhp_addr)
15145 			return (EALREADY);
15146 	}
15147 
15148 	hprov = kmem_zalloc(sizeof (dtrace_helper_provider_t), KM_SLEEP);
15149 	hprov->dthp_prov = *dofhp;
15150 	hprov->dthp_ref = 1;
15151 	hprov->dthp_generation = gen;
15152 
15153 	/*
15154 	 * Allocate a bigger table for helper providers if it's already full.
15155 	 */
15156 	if (help->dthps_maxprovs == help->dthps_nprovs) {
15157 		tmp_maxprovs = help->dthps_maxprovs;
15158 		tmp_provs = help->dthps_provs;
15159 
15160 		if (help->dthps_maxprovs == 0)
15161 			help->dthps_maxprovs = 2;
15162 		else
15163 			help->dthps_maxprovs *= 2;
15164 		if (help->dthps_maxprovs > dtrace_helper_providers_max)
15165 			help->dthps_maxprovs = dtrace_helper_providers_max;
15166 
15167 		ASSERT(tmp_maxprovs < help->dthps_maxprovs);
15168 
15169 		help->dthps_provs = kmem_zalloc(help->dthps_maxprovs *
15170 		    sizeof (dtrace_helper_provider_t *), KM_SLEEP);
15171 
15172 		if (tmp_provs != NULL) {
15173 			bcopy(tmp_provs, help->dthps_provs, tmp_maxprovs *
15174 			    sizeof (dtrace_helper_provider_t *));
15175 			kmem_free(tmp_provs, tmp_maxprovs *
15176 			    sizeof (dtrace_helper_provider_t *));
15177 		}
15178 	}
15179 
15180 	help->dthps_provs[help->dthps_nprovs] = hprov;
15181 	help->dthps_nprovs++;
15182 
15183 	return (0);
15184 }
15185 
15186 static void
15187 dtrace_helper_provider_destroy(dtrace_helper_provider_t *hprov)
15188 {
15189 	mutex_enter(&dtrace_lock);
15190 
15191 	if (--hprov->dthp_ref == 0) {
15192 		dof_hdr_t *dof;
15193 		mutex_exit(&dtrace_lock);
15194 		dof = (dof_hdr_t *)(uintptr_t)hprov->dthp_prov.dofhp_dof;
15195 		dtrace_dof_destroy(dof);
15196 		kmem_free(hprov, sizeof (dtrace_helper_provider_t));
15197 	} else {
15198 		mutex_exit(&dtrace_lock);
15199 	}
15200 }
15201 
15202 static int
15203 dtrace_helper_provider_validate(dof_hdr_t *dof, dof_sec_t *sec)
15204 {
15205 	uintptr_t daddr = (uintptr_t)dof;
15206 	dof_sec_t *str_sec, *prb_sec, *arg_sec, *off_sec, *enoff_sec;
15207 	dof_provider_t *provider;
15208 	dof_probe_t *probe;
15209 	uint8_t *arg;
15210 	char *strtab, *typestr;
15211 	dof_stridx_t typeidx;
15212 	size_t typesz;
15213 	uint_t nprobes, j, k;
15214 
15215 	ASSERT(sec->dofs_type == DOF_SECT_PROVIDER);
15216 
15217 	if (sec->dofs_offset & (sizeof (uint_t) - 1)) {
15218 		dtrace_dof_error(dof, "misaligned section offset");
15219 		return (-1);
15220 	}
15221 
15222 	/*
15223 	 * The section needs to be large enough to contain the DOF provider
15224 	 * structure appropriate for the given version.
15225 	 */
15226 	if (sec->dofs_size <
15227 	    ((dof->dofh_ident[DOF_ID_VERSION] == DOF_VERSION_1) ?
15228 	    offsetof(dof_provider_t, dofpv_prenoffs) :
15229 	    sizeof (dof_provider_t))) {
15230 		dtrace_dof_error(dof, "provider section too small");
15231 		return (-1);
15232 	}
15233 
15234 	provider = (dof_provider_t *)(uintptr_t)(daddr + sec->dofs_offset);
15235 	str_sec = dtrace_dof_sect(dof, DOF_SECT_STRTAB, provider->dofpv_strtab);
15236 	prb_sec = dtrace_dof_sect(dof, DOF_SECT_PROBES, provider->dofpv_probes);
15237 	arg_sec = dtrace_dof_sect(dof, DOF_SECT_PRARGS, provider->dofpv_prargs);
15238 	off_sec = dtrace_dof_sect(dof, DOF_SECT_PROFFS, provider->dofpv_proffs);
15239 
15240 	if (str_sec == NULL || prb_sec == NULL ||
15241 	    arg_sec == NULL || off_sec == NULL)
15242 		return (-1);
15243 
15244 	enoff_sec = NULL;
15245 
15246 	if (dof->dofh_ident[DOF_ID_VERSION] != DOF_VERSION_1 &&
15247 	    provider->dofpv_prenoffs != DOF_SECT_NONE &&
15248 	    (enoff_sec = dtrace_dof_sect(dof, DOF_SECT_PRENOFFS,
15249 	    provider->dofpv_prenoffs)) == NULL)
15250 		return (-1);
15251 
15252 	strtab = (char *)(uintptr_t)(daddr + str_sec->dofs_offset);
15253 
15254 	if (provider->dofpv_name >= str_sec->dofs_size ||
15255 	    strlen(strtab + provider->dofpv_name) >= DTRACE_PROVNAMELEN) {
15256 		dtrace_dof_error(dof, "invalid provider name");
15257 		return (-1);
15258 	}
15259 
15260 	if (prb_sec->dofs_entsize == 0 ||
15261 	    prb_sec->dofs_entsize > prb_sec->dofs_size) {
15262 		dtrace_dof_error(dof, "invalid entry size");
15263 		return (-1);
15264 	}
15265 
15266 	if (prb_sec->dofs_entsize & (sizeof (uintptr_t) - 1)) {
15267 		dtrace_dof_error(dof, "misaligned entry size");
15268 		return (-1);
15269 	}
15270 
15271 	if (off_sec->dofs_entsize != sizeof (uint32_t)) {
15272 		dtrace_dof_error(dof, "invalid entry size");
15273 		return (-1);
15274 	}
15275 
15276 	if (off_sec->dofs_offset & (sizeof (uint32_t) - 1)) {
15277 		dtrace_dof_error(dof, "misaligned section offset");
15278 		return (-1);
15279 	}
15280 
15281 	if (arg_sec->dofs_entsize != sizeof (uint8_t)) {
15282 		dtrace_dof_error(dof, "invalid entry size");
15283 		return (-1);
15284 	}
15285 
15286 	arg = (uint8_t *)(uintptr_t)(daddr + arg_sec->dofs_offset);
15287 
15288 	nprobes = prb_sec->dofs_size / prb_sec->dofs_entsize;
15289 
15290 	/*
15291 	 * Take a pass through the probes to check for errors.
15292 	 */
15293 	for (j = 0; j < nprobes; j++) {
15294 		probe = (dof_probe_t *)(uintptr_t)(daddr +
15295 		    prb_sec->dofs_offset + j * prb_sec->dofs_entsize);
15296 
15297 		if (probe->dofpr_func >= str_sec->dofs_size) {
15298 			dtrace_dof_error(dof, "invalid function name");
15299 			return (-1);
15300 		}
15301 
15302 		if (strlen(strtab + probe->dofpr_func) >= DTRACE_FUNCNAMELEN) {
15303 			dtrace_dof_error(dof, "function name too long");
15304 			return (-1);
15305 		}
15306 
15307 		if (probe->dofpr_name >= str_sec->dofs_size ||
15308 		    strlen(strtab + probe->dofpr_name) >= DTRACE_NAMELEN) {
15309 			dtrace_dof_error(dof, "invalid probe name");
15310 			return (-1);
15311 		}
15312 
15313 		/*
15314 		 * The offset count must not wrap the index, and the offsets
15315 		 * must also not overflow the section's data.
15316 		 */
15317 		if (probe->dofpr_offidx + probe->dofpr_noffs <
15318 		    probe->dofpr_offidx ||
15319 		    (probe->dofpr_offidx + probe->dofpr_noffs) *
15320 		    off_sec->dofs_entsize > off_sec->dofs_size) {
15321 			dtrace_dof_error(dof, "invalid probe offset");
15322 			return (-1);
15323 		}
15324 
15325 		if (dof->dofh_ident[DOF_ID_VERSION] != DOF_VERSION_1) {
15326 			/*
15327 			 * If there's no is-enabled offset section, make sure
15328 			 * there aren't any is-enabled offsets. Otherwise
15329 			 * perform the same checks as for probe offsets
15330 			 * (immediately above).
15331 			 */
15332 			if (enoff_sec == NULL) {
15333 				if (probe->dofpr_enoffidx != 0 ||
15334 				    probe->dofpr_nenoffs != 0) {
15335 					dtrace_dof_error(dof, "is-enabled "
15336 					    "offsets with null section");
15337 					return (-1);
15338 				}
15339 			} else if (probe->dofpr_enoffidx +
15340 			    probe->dofpr_nenoffs < probe->dofpr_enoffidx ||
15341 			    (probe->dofpr_enoffidx + probe->dofpr_nenoffs) *
15342 			    enoff_sec->dofs_entsize > enoff_sec->dofs_size) {
15343 				dtrace_dof_error(dof, "invalid is-enabled "
15344 				    "offset");
15345 				return (-1);
15346 			}
15347 
15348 			if (probe->dofpr_noffs + probe->dofpr_nenoffs == 0) {
15349 				dtrace_dof_error(dof, "zero probe and "
15350 				    "is-enabled offsets");
15351 				return (-1);
15352 			}
15353 		} else if (probe->dofpr_noffs == 0) {
15354 			dtrace_dof_error(dof, "zero probe offsets");
15355 			return (-1);
15356 		}
15357 
15358 		if (probe->dofpr_argidx + probe->dofpr_xargc <
15359 		    probe->dofpr_argidx ||
15360 		    (probe->dofpr_argidx + probe->dofpr_xargc) *
15361 		    arg_sec->dofs_entsize > arg_sec->dofs_size) {
15362 			dtrace_dof_error(dof, "invalid args");
15363 			return (-1);
15364 		}
15365 
15366 		typeidx = probe->dofpr_nargv;
15367 		typestr = strtab + probe->dofpr_nargv;
15368 		for (k = 0; k < probe->dofpr_nargc; k++) {
15369 			if (typeidx >= str_sec->dofs_size) {
15370 				dtrace_dof_error(dof, "bad "
15371 				    "native argument type");
15372 				return (-1);
15373 			}
15374 
15375 			typesz = strlen(typestr) + 1;
15376 			if (typesz > DTRACE_ARGTYPELEN) {
15377 				dtrace_dof_error(dof, "native "
15378 				    "argument type too long");
15379 				return (-1);
15380 			}
15381 			typeidx += typesz;
15382 			typestr += typesz;
15383 		}
15384 
15385 		typeidx = probe->dofpr_xargv;
15386 		typestr = strtab + probe->dofpr_xargv;
15387 		for (k = 0; k < probe->dofpr_xargc; k++) {
15388 			if (arg[probe->dofpr_argidx + k] > probe->dofpr_nargc) {
15389 				dtrace_dof_error(dof, "bad "
15390 				    "native argument index");
15391 				return (-1);
15392 			}
15393 
15394 			if (typeidx >= str_sec->dofs_size) {
15395 				dtrace_dof_error(dof, "bad "
15396 				    "translated argument type");
15397 				return (-1);
15398 			}
15399 
15400 			typesz = strlen(typestr) + 1;
15401 			if (typesz > DTRACE_ARGTYPELEN) {
15402 				dtrace_dof_error(dof, "translated argument "
15403 				    "type too long");
15404 				return (-1);
15405 			}
15406 
15407 			typeidx += typesz;
15408 			typestr += typesz;
15409 		}
15410 	}
15411 
15412 	return (0);
15413 }
15414 
15415 static int
15416 dtrace_helper_slurp(dof_hdr_t *dof, dof_helper_t *dhp)
15417 {
15418 	dtrace_helpers_t *help;
15419 	dtrace_vstate_t *vstate;
15420 	dtrace_enabling_t *enab = NULL;
15421 	int i, gen, rv, nhelpers = 0, nprovs = 0, destroy = 1;
15422 	uintptr_t daddr = (uintptr_t)dof;
15423 
15424 	ASSERT(MUTEX_HELD(&dtrace_lock));
15425 
15426 	if ((help = curproc->p_dtrace_helpers) == NULL)
15427 		help = dtrace_helpers_create(curproc);
15428 
15429 	vstate = &help->dthps_vstate;
15430 
15431 	if ((rv = dtrace_dof_slurp(dof, vstate, NULL, &enab,
15432 	    dhp != NULL ? dhp->dofhp_addr : 0, B_FALSE)) != 0) {
15433 		dtrace_dof_destroy(dof);
15434 		return (rv);
15435 	}
15436 
15437 	/*
15438 	 * Look for helper providers and validate their descriptions.
15439 	 */
15440 	if (dhp != NULL) {
15441 		for (i = 0; i < dof->dofh_secnum; i++) {
15442 			dof_sec_t *sec = (dof_sec_t *)(uintptr_t)(daddr +
15443 			    dof->dofh_secoff + i * dof->dofh_secsize);
15444 
15445 			if (sec->dofs_type != DOF_SECT_PROVIDER)
15446 				continue;
15447 
15448 			if (dtrace_helper_provider_validate(dof, sec) != 0) {
15449 				dtrace_enabling_destroy(enab);
15450 				dtrace_dof_destroy(dof);
15451 				return (-1);
15452 			}
15453 
15454 			nprovs++;
15455 		}
15456 	}
15457 
15458 	/*
15459 	 * Now we need to walk through the ECB descriptions in the enabling.
15460 	 */
15461 	for (i = 0; i < enab->dten_ndesc; i++) {
15462 		dtrace_ecbdesc_t *ep = enab->dten_desc[i];
15463 		dtrace_probedesc_t *desc = &ep->dted_probe;
15464 
15465 		if (strcmp(desc->dtpd_provider, "dtrace") != 0)
15466 			continue;
15467 
15468 		if (strcmp(desc->dtpd_mod, "helper") != 0)
15469 			continue;
15470 
15471 		if (strcmp(desc->dtpd_func, "ustack") != 0)
15472 			continue;
15473 
15474 		if ((rv = dtrace_helper_action_add(DTRACE_HELPER_ACTION_USTACK,
15475 		    ep)) != 0) {
15476 			/*
15477 			 * Adding this helper action failed -- we are now going
15478 			 * to rip out the entire generation and return failure.
15479 			 */
15480 			(void) dtrace_helper_destroygen(help->dthps_generation);
15481 			dtrace_enabling_destroy(enab);
15482 			dtrace_dof_destroy(dof);
15483 			return (-1);
15484 		}
15485 
15486 		nhelpers++;
15487 	}
15488 
15489 	if (nhelpers < enab->dten_ndesc)
15490 		dtrace_dof_error(dof, "unmatched helpers");
15491 
15492 	gen = help->dthps_generation++;
15493 	dtrace_enabling_destroy(enab);
15494 
15495 	if (dhp != NULL && nprovs > 0) {
15496 		/*
15497 		 * Now that this is in-kernel, we change the sense of the
15498 		 * members:  dofhp_dof denotes the in-kernel copy of the DOF
15499 		 * and dofhp_addr denotes the address at user-level.
15500 		 */
15501 		dhp->dofhp_addr = dhp->dofhp_dof;
15502 		dhp->dofhp_dof = (uint64_t)(uintptr_t)dof;
15503 
15504 		if (dtrace_helper_provider_add(dhp, gen) == 0) {
15505 			mutex_exit(&dtrace_lock);
15506 			dtrace_helper_provider_register(curproc, help, dhp);
15507 			mutex_enter(&dtrace_lock);
15508 
15509 			destroy = 0;
15510 		}
15511 	}
15512 
15513 	if (destroy)
15514 		dtrace_dof_destroy(dof);
15515 
15516 	return (gen);
15517 }
15518 
15519 static dtrace_helpers_t *
15520 dtrace_helpers_create(proc_t *p)
15521 {
15522 	dtrace_helpers_t *help;
15523 
15524 	ASSERT(MUTEX_HELD(&dtrace_lock));
15525 	ASSERT(p->p_dtrace_helpers == NULL);
15526 
15527 	help = kmem_zalloc(sizeof (dtrace_helpers_t), KM_SLEEP);
15528 	help->dthps_actions = kmem_zalloc(sizeof (dtrace_helper_action_t *) *
15529 	    DTRACE_NHELPER_ACTIONS, KM_SLEEP);
15530 
15531 	p->p_dtrace_helpers = help;
15532 	dtrace_helpers++;
15533 
15534 	return (help);
15535 }
15536 
15537 static void
15538 dtrace_helpers_destroy(proc_t *p)
15539 {
15540 	dtrace_helpers_t *help;
15541 	dtrace_vstate_t *vstate;
15542 	int i;
15543 
15544 	mutex_enter(&dtrace_lock);
15545 
15546 	ASSERT(p->p_dtrace_helpers != NULL);
15547 	ASSERT(dtrace_helpers > 0);
15548 
15549 	help = p->p_dtrace_helpers;
15550 	vstate = &help->dthps_vstate;
15551 
15552 	/*
15553 	 * We're now going to lose the help from this process.
15554 	 */
15555 	p->p_dtrace_helpers = NULL;
15556 	if (p == curproc) {
15557 		dtrace_sync();
15558 	} else {
15559 		/*
15560 		 * It is sometimes necessary to clean up dtrace helpers from a
15561 		 * an incomplete child process as part of a failed fork
15562 		 * operation.  In such situations, a dtrace_sync() call should
15563 		 * be unnecessary as the process should be devoid of threads,
15564 		 * much less any in probe context.
15565 		 */
15566 		VERIFY(p->p_stat == SIDL);
15567 	}
15568 
15569 	/*
15570 	 * Destroy the helper actions.
15571 	 */
15572 	for (i = 0; i < DTRACE_NHELPER_ACTIONS; i++) {
15573 		dtrace_helper_action_t *h, *next;
15574 
15575 		for (h = help->dthps_actions[i]; h != NULL; h = next) {
15576 			next = h->dtha_next;
15577 			dtrace_helper_action_destroy(h, vstate);
15578 			h = next;
15579 		}
15580 	}
15581 
15582 	mutex_exit(&dtrace_lock);
15583 
15584 	/*
15585 	 * Destroy the helper providers.
15586 	 */
15587 	if (help->dthps_maxprovs > 0) {
15588 		mutex_enter(&dtrace_meta_lock);
15589 		if (dtrace_meta_pid != NULL) {
15590 			ASSERT(dtrace_deferred_pid == NULL);
15591 
15592 			for (i = 0; i < help->dthps_nprovs; i++) {
15593 				dtrace_helper_provider_remove(
15594 				    &help->dthps_provs[i]->dthp_prov, p->p_pid);
15595 			}
15596 		} else {
15597 			mutex_enter(&dtrace_lock);
15598 			ASSERT(help->dthps_deferred == 0 ||
15599 			    help->dthps_next != NULL ||
15600 			    help->dthps_prev != NULL ||
15601 			    help == dtrace_deferred_pid);
15602 
15603 			/*
15604 			 * Remove the helper from the deferred list.
15605 			 */
15606 			if (help->dthps_next != NULL)
15607 				help->dthps_next->dthps_prev = help->dthps_prev;
15608 			if (help->dthps_prev != NULL)
15609 				help->dthps_prev->dthps_next = help->dthps_next;
15610 			if (dtrace_deferred_pid == help) {
15611 				dtrace_deferred_pid = help->dthps_next;
15612 				ASSERT(help->dthps_prev == NULL);
15613 			}
15614 
15615 			mutex_exit(&dtrace_lock);
15616 		}
15617 
15618 		mutex_exit(&dtrace_meta_lock);
15619 
15620 		for (i = 0; i < help->dthps_nprovs; i++) {
15621 			dtrace_helper_provider_destroy(help->dthps_provs[i]);
15622 		}
15623 
15624 		kmem_free(help->dthps_provs, help->dthps_maxprovs *
15625 		    sizeof (dtrace_helper_provider_t *));
15626 	}
15627 
15628 	mutex_enter(&dtrace_lock);
15629 
15630 	dtrace_vstate_fini(&help->dthps_vstate);
15631 	kmem_free(help->dthps_actions,
15632 	    sizeof (dtrace_helper_action_t *) * DTRACE_NHELPER_ACTIONS);
15633 	kmem_free(help, sizeof (dtrace_helpers_t));
15634 
15635 	--dtrace_helpers;
15636 	mutex_exit(&dtrace_lock);
15637 }
15638 
15639 static void
15640 dtrace_helpers_duplicate(proc_t *from, proc_t *to)
15641 {
15642 	dtrace_helpers_t *help, *newhelp;
15643 	dtrace_helper_action_t *helper, *new, *last;
15644 	dtrace_difo_t *dp;
15645 	dtrace_vstate_t *vstate;
15646 	int i, j, sz, hasprovs = 0;
15647 
15648 	mutex_enter(&dtrace_lock);
15649 	ASSERT(from->p_dtrace_helpers != NULL);
15650 	ASSERT(dtrace_helpers > 0);
15651 
15652 	help = from->p_dtrace_helpers;
15653 	newhelp = dtrace_helpers_create(to);
15654 	ASSERT(to->p_dtrace_helpers != NULL);
15655 
15656 	newhelp->dthps_generation = help->dthps_generation;
15657 	vstate = &newhelp->dthps_vstate;
15658 
15659 	/*
15660 	 * Duplicate the helper actions.
15661 	 */
15662 	for (i = 0; i < DTRACE_NHELPER_ACTIONS; i++) {
15663 		if ((helper = help->dthps_actions[i]) == NULL)
15664 			continue;
15665 
15666 		for (last = NULL; helper != NULL; helper = helper->dtha_next) {
15667 			new = kmem_zalloc(sizeof (dtrace_helper_action_t),
15668 			    KM_SLEEP);
15669 			new->dtha_generation = helper->dtha_generation;
15670 
15671 			if ((dp = helper->dtha_predicate) != NULL) {
15672 				dp = dtrace_difo_duplicate(dp, vstate);
15673 				new->dtha_predicate = dp;
15674 			}
15675 
15676 			new->dtha_nactions = helper->dtha_nactions;
15677 			sz = sizeof (dtrace_difo_t *) * new->dtha_nactions;
15678 			new->dtha_actions = kmem_alloc(sz, KM_SLEEP);
15679 
15680 			for (j = 0; j < new->dtha_nactions; j++) {
15681 				dtrace_difo_t *dp = helper->dtha_actions[j];
15682 
15683 				ASSERT(dp != NULL);
15684 				dp = dtrace_difo_duplicate(dp, vstate);
15685 				new->dtha_actions[j] = dp;
15686 			}
15687 
15688 			if (last != NULL) {
15689 				last->dtha_next = new;
15690 			} else {
15691 				newhelp->dthps_actions[i] = new;
15692 			}
15693 
15694 			last = new;
15695 		}
15696 	}
15697 
15698 	/*
15699 	 * Duplicate the helper providers and register them with the
15700 	 * DTrace framework.
15701 	 */
15702 	if (help->dthps_nprovs > 0) {
15703 		newhelp->dthps_nprovs = help->dthps_nprovs;
15704 		newhelp->dthps_maxprovs = help->dthps_nprovs;
15705 		newhelp->dthps_provs = kmem_alloc(newhelp->dthps_nprovs *
15706 		    sizeof (dtrace_helper_provider_t *), KM_SLEEP);
15707 		for (i = 0; i < newhelp->dthps_nprovs; i++) {
15708 			newhelp->dthps_provs[i] = help->dthps_provs[i];
15709 			newhelp->dthps_provs[i]->dthp_ref++;
15710 		}
15711 
15712 		hasprovs = 1;
15713 	}
15714 
15715 	mutex_exit(&dtrace_lock);
15716 
15717 	if (hasprovs)
15718 		dtrace_helper_provider_register(to, newhelp, NULL);
15719 }
15720 
15721 /*
15722  * DTrace Hook Functions
15723  */
15724 static void
15725 dtrace_module_loaded(struct modctl *ctl)
15726 {
15727 	dtrace_provider_t *prv;
15728 
15729 	mutex_enter(&dtrace_provider_lock);
15730 	mutex_enter(&mod_lock);
15731 
15732 	ASSERT(ctl->mod_busy);
15733 
15734 	/*
15735 	 * We're going to call each providers per-module provide operation
15736 	 * specifying only this module.
15737 	 */
15738 	for (prv = dtrace_provider; prv != NULL; prv = prv->dtpv_next)
15739 		prv->dtpv_pops.dtps_provide_module(prv->dtpv_arg, ctl);
15740 
15741 	mutex_exit(&mod_lock);
15742 	mutex_exit(&dtrace_provider_lock);
15743 
15744 	/*
15745 	 * If we have any retained enablings, we need to match against them.
15746 	 * Enabling probes requires that cpu_lock be held, and we cannot hold
15747 	 * cpu_lock here -- it is legal for cpu_lock to be held when loading a
15748 	 * module.  (In particular, this happens when loading scheduling
15749 	 * classes.)  So if we have any retained enablings, we need to dispatch
15750 	 * our task queue to do the match for us.
15751 	 */
15752 	mutex_enter(&dtrace_lock);
15753 
15754 	if (dtrace_retained == NULL) {
15755 		mutex_exit(&dtrace_lock);
15756 		return;
15757 	}
15758 
15759 	(void) taskq_dispatch(dtrace_taskq,
15760 	    (task_func_t *)dtrace_enabling_matchall, NULL, TQ_SLEEP);
15761 
15762 	mutex_exit(&dtrace_lock);
15763 
15764 	/*
15765 	 * And now, for a little heuristic sleaze:  in general, we want to
15766 	 * match modules as soon as they load.  However, we cannot guarantee
15767 	 * this, because it would lead us to the lock ordering violation
15768 	 * outlined above.  The common case, of course, is that cpu_lock is
15769 	 * _not_ held -- so we delay here for a clock tick, hoping that that's
15770 	 * long enough for the task queue to do its work.  If it's not, it's
15771 	 * not a serious problem -- it just means that the module that we
15772 	 * just loaded may not be immediately instrumentable.
15773 	 */
15774 	delay(1);
15775 }
15776 
15777 static void
15778 dtrace_module_unloaded(struct modctl *ctl)
15779 {
15780 	dtrace_probe_t template, *probe, *first, *next;
15781 	dtrace_provider_t *prov;
15782 
15783 	template.dtpr_mod = ctl->mod_modname;
15784 
15785 	mutex_enter(&dtrace_provider_lock);
15786 	mutex_enter(&mod_lock);
15787 	mutex_enter(&dtrace_lock);
15788 
15789 	if (dtrace_bymod == NULL) {
15790 		/*
15791 		 * The DTrace module is loaded (obviously) but not attached;
15792 		 * we don't have any work to do.
15793 		 */
15794 		mutex_exit(&dtrace_provider_lock);
15795 		mutex_exit(&mod_lock);
15796 		mutex_exit(&dtrace_lock);
15797 		return;
15798 	}
15799 
15800 	for (probe = first = dtrace_hash_lookup(dtrace_bymod, &template);
15801 	    probe != NULL; probe = probe->dtpr_nextmod) {
15802 		if (probe->dtpr_ecb != NULL) {
15803 			mutex_exit(&dtrace_provider_lock);
15804 			mutex_exit(&mod_lock);
15805 			mutex_exit(&dtrace_lock);
15806 
15807 			/*
15808 			 * This shouldn't _actually_ be possible -- we're
15809 			 * unloading a module that has an enabled probe in it.
15810 			 * (It's normally up to the provider to make sure that
15811 			 * this can't happen.)  However, because dtps_enable()
15812 			 * doesn't have a failure mode, there can be an
15813 			 * enable/unload race.  Upshot:  we don't want to
15814 			 * assert, but we're not going to disable the
15815 			 * probe, either.
15816 			 */
15817 			if (dtrace_err_verbose) {
15818 				cmn_err(CE_WARN, "unloaded module '%s' had "
15819 				    "enabled probes", ctl->mod_modname);
15820 			}
15821 
15822 			return;
15823 		}
15824 	}
15825 
15826 	probe = first;
15827 
15828 	for (first = NULL; probe != NULL; probe = next) {
15829 		ASSERT(dtrace_probes[probe->dtpr_id - 1] == probe);
15830 
15831 		dtrace_probes[probe->dtpr_id - 1] = NULL;
15832 
15833 		next = probe->dtpr_nextmod;
15834 		dtrace_hash_remove(dtrace_bymod, probe);
15835 		dtrace_hash_remove(dtrace_byfunc, probe);
15836 		dtrace_hash_remove(dtrace_byname, probe);
15837 
15838 		if (first == NULL) {
15839 			first = probe;
15840 			probe->dtpr_nextmod = NULL;
15841 		} else {
15842 			probe->dtpr_nextmod = first;
15843 			first = probe;
15844 		}
15845 	}
15846 
15847 	/*
15848 	 * We've removed all of the module's probes from the hash chains and
15849 	 * from the probe array.  Now issue a dtrace_sync() to be sure that
15850 	 * everyone has cleared out from any probe array processing.
15851 	 */
15852 	dtrace_sync();
15853 
15854 	for (probe = first; probe != NULL; probe = first) {
15855 		first = probe->dtpr_nextmod;
15856 		prov = probe->dtpr_provider;
15857 		prov->dtpv_pops.dtps_destroy(prov->dtpv_arg, probe->dtpr_id,
15858 		    probe->dtpr_arg);
15859 		kmem_free(probe->dtpr_mod, strlen(probe->dtpr_mod) + 1);
15860 		kmem_free(probe->dtpr_func, strlen(probe->dtpr_func) + 1);
15861 		kmem_free(probe->dtpr_name, strlen(probe->dtpr_name) + 1);
15862 		vmem_free(dtrace_arena, (void *)(uintptr_t)probe->dtpr_id, 1);
15863 		kmem_free(probe, sizeof (dtrace_probe_t));
15864 	}
15865 
15866 	mutex_exit(&dtrace_lock);
15867 	mutex_exit(&mod_lock);
15868 	mutex_exit(&dtrace_provider_lock);
15869 }
15870 
15871 void
15872 dtrace_suspend(void)
15873 {
15874 	dtrace_probe_foreach(offsetof(dtrace_pops_t, dtps_suspend));
15875 }
15876 
15877 void
15878 dtrace_resume(void)
15879 {
15880 	dtrace_probe_foreach(offsetof(dtrace_pops_t, dtps_resume));
15881 }
15882 
15883 static int
15884 dtrace_cpu_setup(cpu_setup_t what, processorid_t cpu, void *ptr __unused)
15885 {
15886 	ASSERT(MUTEX_HELD(&cpu_lock));
15887 	mutex_enter(&dtrace_lock);
15888 
15889 	switch (what) {
15890 	case CPU_CONFIG: {
15891 		dtrace_state_t *state;
15892 		dtrace_optval_t *opt, rs, c;
15893 
15894 		/*
15895 		 * For now, we only allocate a new buffer for anonymous state.
15896 		 */
15897 		if ((state = dtrace_anon.dta_state) == NULL)
15898 			break;
15899 
15900 		if (state->dts_activity != DTRACE_ACTIVITY_ACTIVE)
15901 			break;
15902 
15903 		opt = state->dts_options;
15904 		c = opt[DTRACEOPT_CPU];
15905 
15906 		if (c != DTRACE_CPUALL && c != DTRACEOPT_UNSET && c != cpu)
15907 			break;
15908 
15909 		/*
15910 		 * Regardless of what the actual policy is, we're going to
15911 		 * temporarily set our resize policy to be manual.  We're
15912 		 * also going to temporarily set our CPU option to denote
15913 		 * the newly configured CPU.
15914 		 */
15915 		rs = opt[DTRACEOPT_BUFRESIZE];
15916 		opt[DTRACEOPT_BUFRESIZE] = DTRACEOPT_BUFRESIZE_MANUAL;
15917 		opt[DTRACEOPT_CPU] = (dtrace_optval_t)cpu;
15918 
15919 		(void) dtrace_state_buffers(state);
15920 
15921 		opt[DTRACEOPT_BUFRESIZE] = rs;
15922 		opt[DTRACEOPT_CPU] = c;
15923 
15924 		break;
15925 	}
15926 
15927 	case CPU_UNCONFIG:
15928 		/*
15929 		 * We don't free the buffer in the CPU_UNCONFIG case.  (The
15930 		 * buffer will be freed when the consumer exits.)
15931 		 */
15932 		break;
15933 
15934 	default:
15935 		break;
15936 	}
15937 
15938 	mutex_exit(&dtrace_lock);
15939 	return (0);
15940 }
15941 
15942 static void
15943 dtrace_cpu_setup_initial(processorid_t cpu)
15944 {
15945 	(void) dtrace_cpu_setup(CPU_CONFIG, cpu, NULL);
15946 }
15947 
15948 static void
15949 dtrace_toxrange_add(uintptr_t base, uintptr_t limit)
15950 {
15951 	if (dtrace_toxranges >= dtrace_toxranges_max) {
15952 		int osize, nsize;
15953 		dtrace_toxrange_t *range;
15954 
15955 		osize = dtrace_toxranges_max * sizeof (dtrace_toxrange_t);
15956 
15957 		if (osize == 0) {
15958 			ASSERT(dtrace_toxrange == NULL);
15959 			ASSERT(dtrace_toxranges_max == 0);
15960 			dtrace_toxranges_max = 1;
15961 		} else {
15962 			dtrace_toxranges_max <<= 1;
15963 		}
15964 
15965 		nsize = dtrace_toxranges_max * sizeof (dtrace_toxrange_t);
15966 		range = kmem_zalloc(nsize, KM_SLEEP);
15967 
15968 		if (dtrace_toxrange != NULL) {
15969 			ASSERT(osize != 0);
15970 			bcopy(dtrace_toxrange, range, osize);
15971 			kmem_free(dtrace_toxrange, osize);
15972 		}
15973 
15974 		dtrace_toxrange = range;
15975 	}
15976 
15977 	ASSERT(dtrace_toxrange[dtrace_toxranges].dtt_base == (uintptr_t)NULL);
15978 	ASSERT(dtrace_toxrange[dtrace_toxranges].dtt_limit == (uintptr_t)NULL);
15979 
15980 	dtrace_toxrange[dtrace_toxranges].dtt_base = base;
15981 	dtrace_toxrange[dtrace_toxranges].dtt_limit = limit;
15982 	dtrace_toxranges++;
15983 }
15984 
15985 static void
15986 dtrace_getf_barrier()
15987 {
15988 	/*
15989 	 * When we have unprivileged (that is, non-DTRACE_CRV_KERNEL) enablings
15990 	 * that contain calls to getf(), this routine will be called on every
15991 	 * closef() before either the underlying vnode is released or the
15992 	 * file_t itself is freed.  By the time we are here, it is essential
15993 	 * that the file_t can no longer be accessed from a call to getf()
15994 	 * in probe context -- that assures that a dtrace_sync() can be used
15995 	 * to clear out any enablings referring to the old structures.
15996 	 */
15997 	if (curthread->t_procp->p_zone->zone_dtrace_getf != 0 ||
15998 	    kcred->cr_zone->zone_dtrace_getf != 0)
15999 		dtrace_sync();
16000 }
16001 
16002 /*
16003  * DTrace Driver Cookbook Functions
16004  */
16005 /*ARGSUSED*/
16006 static int
16007 dtrace_attach(dev_info_t *devi, ddi_attach_cmd_t cmd)
16008 {
16009 	dtrace_provider_id_t id;
16010 	dtrace_state_t *state = NULL;
16011 	dtrace_enabling_t *enab;
16012 
16013 	mutex_enter(&cpu_lock);
16014 	mutex_enter(&dtrace_provider_lock);
16015 	mutex_enter(&dtrace_lock);
16016 
16017 	if (ddi_soft_state_init(&dtrace_softstate,
16018 	    sizeof (dtrace_state_t), 0) != 0) {
16019 		cmn_err(CE_NOTE, "/dev/dtrace failed to initialize soft state");
16020 		mutex_exit(&cpu_lock);
16021 		mutex_exit(&dtrace_provider_lock);
16022 		mutex_exit(&dtrace_lock);
16023 		return (DDI_FAILURE);
16024 	}
16025 
16026 	if (ddi_create_minor_node(devi, DTRACEMNR_DTRACE, S_IFCHR,
16027 	    DTRACEMNRN_DTRACE, DDI_PSEUDO, 0) == DDI_FAILURE ||
16028 	    ddi_create_minor_node(devi, DTRACEMNR_HELPER, S_IFCHR,
16029 	    DTRACEMNRN_HELPER, DDI_PSEUDO, 0) == DDI_FAILURE) {
16030 		cmn_err(CE_NOTE, "/dev/dtrace couldn't create minor nodes");
16031 		ddi_remove_minor_node(devi, NULL);
16032 		ddi_soft_state_fini(&dtrace_softstate);
16033 		mutex_exit(&cpu_lock);
16034 		mutex_exit(&dtrace_provider_lock);
16035 		mutex_exit(&dtrace_lock);
16036 		return (DDI_FAILURE);
16037 	}
16038 
16039 	ddi_report_dev(devi);
16040 	dtrace_devi = devi;
16041 
16042 	dtrace_modload = dtrace_module_loaded;
16043 	dtrace_modunload = dtrace_module_unloaded;
16044 	dtrace_cpu_init = dtrace_cpu_setup_initial;
16045 	dtrace_helpers_cleanup = dtrace_helpers_destroy;
16046 	dtrace_helpers_fork = dtrace_helpers_duplicate;
16047 	dtrace_cpustart_init = dtrace_suspend;
16048 	dtrace_cpustart_fini = dtrace_resume;
16049 	dtrace_debugger_init = dtrace_suspend;
16050 	dtrace_debugger_fini = dtrace_resume;
16051 
16052 	register_cpu_setup_func(dtrace_cpu_setup, NULL);
16053 
16054 	ASSERT(MUTEX_HELD(&cpu_lock));
16055 
16056 	dtrace_arena = vmem_create("dtrace", (void *)1, UINT32_MAX, 1,
16057 	    NULL, NULL, NULL, 0, VM_SLEEP | VMC_IDENTIFIER);
16058 	dtrace_minor = vmem_create("dtrace_minor", (void *)DTRACEMNRN_CLONE,
16059 	    UINT32_MAX - DTRACEMNRN_CLONE, 1, NULL, NULL, NULL, 0,
16060 	    VM_SLEEP | VMC_IDENTIFIER);
16061 	dtrace_taskq = taskq_create("dtrace_taskq", 1, maxclsyspri,
16062 	    1, INT_MAX, 0);
16063 
16064 	dtrace_state_cache = kmem_cache_create("dtrace_state_cache",
16065 	    sizeof (dtrace_dstate_percpu_t) * NCPU, DTRACE_STATE_ALIGN,
16066 	    NULL, NULL, NULL, NULL, NULL, 0);
16067 
16068 	ASSERT(MUTEX_HELD(&cpu_lock));
16069 	dtrace_bymod = dtrace_hash_create(offsetof(dtrace_probe_t, dtpr_mod),
16070 	    offsetof(dtrace_probe_t, dtpr_nextmod),
16071 	    offsetof(dtrace_probe_t, dtpr_prevmod));
16072 
16073 	dtrace_byfunc = dtrace_hash_create(offsetof(dtrace_probe_t, dtpr_func),
16074 	    offsetof(dtrace_probe_t, dtpr_nextfunc),
16075 	    offsetof(dtrace_probe_t, dtpr_prevfunc));
16076 
16077 	dtrace_byname = dtrace_hash_create(offsetof(dtrace_probe_t, dtpr_name),
16078 	    offsetof(dtrace_probe_t, dtpr_nextname),
16079 	    offsetof(dtrace_probe_t, dtpr_prevname));
16080 
16081 	if (dtrace_retain_max < 1) {
16082 		cmn_err(CE_WARN, "illegal value (%lu) for dtrace_retain_max; "
16083 		    "setting to 1", dtrace_retain_max);
16084 		dtrace_retain_max = 1;
16085 	}
16086 
16087 	/*
16088 	 * Now discover our toxic ranges.
16089 	 */
16090 	dtrace_toxic_ranges(dtrace_toxrange_add);
16091 
16092 	/*
16093 	 * Before we register ourselves as a provider to our own framework,
16094 	 * we would like to assert that dtrace_provider is NULL -- but that's
16095 	 * not true if we were loaded as a dependency of a DTrace provider.
16096 	 * Once we've registered, we can assert that dtrace_provider is our
16097 	 * pseudo provider.
16098 	 */
16099 	(void) dtrace_register("dtrace", &dtrace_provider_attr,
16100 	    DTRACE_PRIV_NONE, 0, &dtrace_provider_ops, NULL, &id);
16101 
16102 	ASSERT(dtrace_provider != NULL);
16103 	ASSERT((dtrace_provider_id_t)dtrace_provider == id);
16104 
16105 	dtrace_probeid_begin = dtrace_probe_create((dtrace_provider_id_t)
16106 	    dtrace_provider, NULL, NULL, "BEGIN", 0, NULL);
16107 	dtrace_probeid_end = dtrace_probe_create((dtrace_provider_id_t)
16108 	    dtrace_provider, NULL, NULL, "END", 0, NULL);
16109 	dtrace_probeid_error = dtrace_probe_create((dtrace_provider_id_t)
16110 	    dtrace_provider, NULL, NULL, "ERROR", 1, NULL);
16111 
16112 	dtrace_anon_property();
16113 	mutex_exit(&cpu_lock);
16114 
16115 	/*
16116 	 * If there are already providers, we must ask them to provide their
16117 	 * probes, and then match any anonymous enabling against them.  Note
16118 	 * that there should be no other retained enablings at this time:
16119 	 * the only retained enablings at this time should be the anonymous
16120 	 * enabling.
16121 	 */
16122 	if (dtrace_anon.dta_enabling != NULL) {
16123 		ASSERT(dtrace_retained == dtrace_anon.dta_enabling);
16124 
16125 		dtrace_enabling_provide(NULL);
16126 		state = dtrace_anon.dta_state;
16127 
16128 		/*
16129 		 * We couldn't hold cpu_lock across the above call to
16130 		 * dtrace_enabling_provide(), but we must hold it to actually
16131 		 * enable the probes.  We have to drop all of our locks, pick
16132 		 * up cpu_lock, and regain our locks before matching the
16133 		 * retained anonymous enabling.
16134 		 */
16135 		mutex_exit(&dtrace_lock);
16136 		mutex_exit(&dtrace_provider_lock);
16137 
16138 		mutex_enter(&cpu_lock);
16139 		mutex_enter(&dtrace_provider_lock);
16140 		mutex_enter(&dtrace_lock);
16141 
16142 		if ((enab = dtrace_anon.dta_enabling) != NULL)
16143 			(void) dtrace_enabling_match(enab, NULL);
16144 
16145 		mutex_exit(&cpu_lock);
16146 	}
16147 
16148 	mutex_exit(&dtrace_lock);
16149 	mutex_exit(&dtrace_provider_lock);
16150 
16151 	if (state != NULL) {
16152 		/*
16153 		 * If we created any anonymous state, set it going now.
16154 		 */
16155 		(void) dtrace_state_go(state, &dtrace_anon.dta_beganon);
16156 	}
16157 
16158 	return (DDI_SUCCESS);
16159 }
16160 
16161 /*ARGSUSED*/
16162 static int
16163 dtrace_open(dev_t *devp, int flag, int otyp, cred_t *cred_p)
16164 {
16165 	dtrace_state_t *state;
16166 	uint32_t priv;
16167 	uid_t uid;
16168 	zoneid_t zoneid;
16169 
16170 	if (getminor(*devp) == DTRACEMNRN_HELPER)
16171 		return (0);
16172 
16173 	/*
16174 	 * If this wasn't an open with the "helper" minor, then it must be
16175 	 * the "dtrace" minor.
16176 	 */
16177 	if (getminor(*devp) != DTRACEMNRN_DTRACE)
16178 		return (ENXIO);
16179 
16180 	/*
16181 	 * If no DTRACE_PRIV_* bits are set in the credential, then the
16182 	 * caller lacks sufficient permission to do anything with DTrace.
16183 	 */
16184 	dtrace_cred2priv(cred_p, &priv, &uid, &zoneid);
16185 	if (priv == DTRACE_PRIV_NONE)
16186 		return (EACCES);
16187 
16188 	/*
16189 	 * Ask all providers to provide all their probes.
16190 	 */
16191 	mutex_enter(&dtrace_provider_lock);
16192 	dtrace_probe_provide(NULL, NULL);
16193 	mutex_exit(&dtrace_provider_lock);
16194 
16195 	mutex_enter(&cpu_lock);
16196 	mutex_enter(&dtrace_lock);
16197 	dtrace_opens++;
16198 	dtrace_membar_producer();
16199 
16200 	/*
16201 	 * If the kernel debugger is active (that is, if the kernel debugger
16202 	 * modified text in some way), we won't allow the open.
16203 	 */
16204 	if (kdi_dtrace_set(KDI_DTSET_DTRACE_ACTIVATE) != 0) {
16205 		dtrace_opens--;
16206 		mutex_exit(&cpu_lock);
16207 		mutex_exit(&dtrace_lock);
16208 		return (EBUSY);
16209 	}
16210 
16211 	if (dtrace_helptrace_enable && dtrace_helptrace_buffer == NULL) {
16212 		/*
16213 		 * If DTrace helper tracing is enabled, we need to allocate the
16214 		 * trace buffer and initialize the values.
16215 		 */
16216 		dtrace_helptrace_buffer =
16217 		    kmem_zalloc(dtrace_helptrace_bufsize, KM_SLEEP);
16218 		dtrace_helptrace_next = 0;
16219 		dtrace_helptrace_wrapped = 0;
16220 		dtrace_helptrace_enable = 0;
16221 	}
16222 
16223 	state = dtrace_state_create(devp, cred_p);
16224 	mutex_exit(&cpu_lock);
16225 
16226 	if (state == NULL) {
16227 		if (--dtrace_opens == 0 && dtrace_anon.dta_enabling == NULL)
16228 			(void) kdi_dtrace_set(KDI_DTSET_DTRACE_DEACTIVATE);
16229 		mutex_exit(&dtrace_lock);
16230 		return (EAGAIN);
16231 	}
16232 
16233 	mutex_exit(&dtrace_lock);
16234 
16235 	return (0);
16236 }
16237 
16238 /*ARGSUSED*/
16239 static int
16240 dtrace_close(dev_t dev, int flag, int otyp, cred_t *cred_p)
16241 {
16242 	minor_t minor = getminor(dev);
16243 	dtrace_state_t *state;
16244 	dtrace_helptrace_t *buf = NULL;
16245 
16246 	if (minor == DTRACEMNRN_HELPER)
16247 		return (0);
16248 
16249 	state = ddi_get_soft_state(dtrace_softstate, minor);
16250 
16251 	mutex_enter(&cpu_lock);
16252 	mutex_enter(&dtrace_lock);
16253 
16254 	if (state->dts_anon) {
16255 		/*
16256 		 * There is anonymous state. Destroy that first.
16257 		 */
16258 		ASSERT(dtrace_anon.dta_state == NULL);
16259 		dtrace_state_destroy(state->dts_anon);
16260 	}
16261 
16262 	if (dtrace_helptrace_disable) {
16263 		/*
16264 		 * If we have been told to disable helper tracing, set the
16265 		 * buffer to NULL before calling into dtrace_state_destroy();
16266 		 * we take advantage of its dtrace_sync() to know that no
16267 		 * CPU is in probe context with enabled helper tracing
16268 		 * after it returns.
16269 		 */
16270 		buf = dtrace_helptrace_buffer;
16271 		dtrace_helptrace_buffer = NULL;
16272 	}
16273 
16274 	dtrace_state_destroy(state);
16275 	ASSERT(dtrace_opens > 0);
16276 
16277 	/*
16278 	 * Only relinquish control of the kernel debugger interface when there
16279 	 * are no consumers and no anonymous enablings.
16280 	 */
16281 	if (--dtrace_opens == 0 && dtrace_anon.dta_enabling == NULL)
16282 		(void) kdi_dtrace_set(KDI_DTSET_DTRACE_DEACTIVATE);
16283 
16284 	if (buf != NULL) {
16285 		kmem_free(buf, dtrace_helptrace_bufsize);
16286 		dtrace_helptrace_disable = 0;
16287 	}
16288 
16289 	mutex_exit(&dtrace_lock);
16290 	mutex_exit(&cpu_lock);
16291 
16292 	return (0);
16293 }
16294 
16295 /*ARGSUSED*/
16296 static int
16297 dtrace_ioctl_helper(int cmd, intptr_t arg, int *rv)
16298 {
16299 	int rval;
16300 	dof_helper_t help, *dhp = NULL;
16301 
16302 	switch (cmd) {
16303 	case DTRACEHIOC_ADDDOF:
16304 		if (copyin((void *)arg, &help, sizeof (help)) != 0) {
16305 			dtrace_dof_error(NULL, "failed to copyin DOF helper");
16306 			return (EFAULT);
16307 		}
16308 
16309 		dhp = &help;
16310 		arg = (intptr_t)help.dofhp_dof;
16311 		/*FALLTHROUGH*/
16312 
16313 	case DTRACEHIOC_ADD: {
16314 		dof_hdr_t *dof = dtrace_dof_copyin(arg, &rval);
16315 
16316 		if (dof == NULL)
16317 			return (rval);
16318 
16319 		mutex_enter(&dtrace_lock);
16320 
16321 		/*
16322 		 * dtrace_helper_slurp() takes responsibility for the dof --
16323 		 * it may free it now or it may save it and free it later.
16324 		 */
16325 		if ((rval = dtrace_helper_slurp(dof, dhp)) != -1) {
16326 			*rv = rval;
16327 			rval = 0;
16328 		} else {
16329 			rval = EINVAL;
16330 		}
16331 
16332 		mutex_exit(&dtrace_lock);
16333 		return (rval);
16334 	}
16335 
16336 	case DTRACEHIOC_REMOVE: {
16337 		mutex_enter(&dtrace_lock);
16338 		rval = dtrace_helper_destroygen(arg);
16339 		mutex_exit(&dtrace_lock);
16340 
16341 		return (rval);
16342 	}
16343 
16344 	default:
16345 		break;
16346 	}
16347 
16348 	return (ENOTTY);
16349 }
16350 
16351 /*ARGSUSED*/
16352 static int
16353 dtrace_ioctl(dev_t dev, int cmd, intptr_t arg, int md, cred_t *cr, int *rv)
16354 {
16355 	minor_t minor = getminor(dev);
16356 	dtrace_state_t *state;
16357 	int rval;
16358 
16359 	if (minor == DTRACEMNRN_HELPER)
16360 		return (dtrace_ioctl_helper(cmd, arg, rv));
16361 
16362 	state = ddi_get_soft_state(dtrace_softstate, minor);
16363 
16364 	if (state->dts_anon) {
16365 		ASSERT(dtrace_anon.dta_state == NULL);
16366 		state = state->dts_anon;
16367 	}
16368 
16369 	switch (cmd) {
16370 	case DTRACEIOC_PROVIDER: {
16371 		dtrace_providerdesc_t pvd;
16372 		dtrace_provider_t *pvp;
16373 
16374 		if (copyin((void *)arg, &pvd, sizeof (pvd)) != 0)
16375 			return (EFAULT);
16376 
16377 		pvd.dtvd_name[DTRACE_PROVNAMELEN - 1] = '\0';
16378 		mutex_enter(&dtrace_provider_lock);
16379 
16380 		for (pvp = dtrace_provider; pvp != NULL; pvp = pvp->dtpv_next) {
16381 			if (strcmp(pvp->dtpv_name, pvd.dtvd_name) == 0)
16382 				break;
16383 		}
16384 
16385 		mutex_exit(&dtrace_provider_lock);
16386 
16387 		if (pvp == NULL)
16388 			return (ESRCH);
16389 
16390 		bcopy(&pvp->dtpv_priv, &pvd.dtvd_priv, sizeof (dtrace_ppriv_t));
16391 		bcopy(&pvp->dtpv_attr, &pvd.dtvd_attr, sizeof (dtrace_pattr_t));
16392 		if (copyout(&pvd, (void *)arg, sizeof (pvd)) != 0)
16393 			return (EFAULT);
16394 
16395 		return (0);
16396 	}
16397 
16398 	case DTRACEIOC_EPROBE: {
16399 		dtrace_eprobedesc_t epdesc;
16400 		dtrace_ecb_t *ecb;
16401 		dtrace_action_t *act;
16402 		void *buf;
16403 		size_t size;
16404 		uintptr_t dest;
16405 		int nrecs;
16406 
16407 		if (copyin((void *)arg, &epdesc, sizeof (epdesc)) != 0)
16408 			return (EFAULT);
16409 
16410 		mutex_enter(&dtrace_lock);
16411 
16412 		if ((ecb = dtrace_epid2ecb(state, epdesc.dtepd_epid)) == NULL) {
16413 			mutex_exit(&dtrace_lock);
16414 			return (EINVAL);
16415 		}
16416 
16417 		if (ecb->dte_probe == NULL) {
16418 			mutex_exit(&dtrace_lock);
16419 			return (EINVAL);
16420 		}
16421 
16422 		epdesc.dtepd_probeid = ecb->dte_probe->dtpr_id;
16423 		epdesc.dtepd_uarg = ecb->dte_uarg;
16424 		epdesc.dtepd_size = ecb->dte_size;
16425 
16426 		nrecs = epdesc.dtepd_nrecs;
16427 		epdesc.dtepd_nrecs = 0;
16428 		for (act = ecb->dte_action; act != NULL; act = act->dta_next) {
16429 			if (DTRACEACT_ISAGG(act->dta_kind) || act->dta_intuple)
16430 				continue;
16431 
16432 			epdesc.dtepd_nrecs++;
16433 		}
16434 
16435 		/*
16436 		 * Now that we have the size, we need to allocate a temporary
16437 		 * buffer in which to store the complete description.  We need
16438 		 * the temporary buffer to be able to drop dtrace_lock()
16439 		 * across the copyout(), below.
16440 		 */
16441 		size = sizeof (dtrace_eprobedesc_t) +
16442 		    (epdesc.dtepd_nrecs * sizeof (dtrace_recdesc_t));
16443 
16444 		buf = kmem_alloc(size, KM_SLEEP);
16445 		dest = (uintptr_t)buf;
16446 
16447 		bcopy(&epdesc, (void *)dest, sizeof (epdesc));
16448 		dest += offsetof(dtrace_eprobedesc_t, dtepd_rec[0]);
16449 
16450 		for (act = ecb->dte_action; act != NULL; act = act->dta_next) {
16451 			if (DTRACEACT_ISAGG(act->dta_kind) || act->dta_intuple)
16452 				continue;
16453 
16454 			if (nrecs-- == 0)
16455 				break;
16456 
16457 			bcopy(&act->dta_rec, (void *)dest,
16458 			    sizeof (dtrace_recdesc_t));
16459 			dest += sizeof (dtrace_recdesc_t);
16460 		}
16461 
16462 		mutex_exit(&dtrace_lock);
16463 
16464 		if (copyout(buf, (void *)arg, dest - (uintptr_t)buf) != 0) {
16465 			kmem_free(buf, size);
16466 			return (EFAULT);
16467 		}
16468 
16469 		kmem_free(buf, size);
16470 		return (0);
16471 	}
16472 
16473 	case DTRACEIOC_AGGDESC: {
16474 		dtrace_aggdesc_t aggdesc;
16475 		dtrace_action_t *act;
16476 		dtrace_aggregation_t *agg;
16477 		int nrecs;
16478 		uint32_t offs;
16479 		dtrace_recdesc_t *lrec;
16480 		void *buf;
16481 		size_t size;
16482 		uintptr_t dest;
16483 
16484 		if (copyin((void *)arg, &aggdesc, sizeof (aggdesc)) != 0)
16485 			return (EFAULT);
16486 
16487 		mutex_enter(&dtrace_lock);
16488 
16489 		if ((agg = dtrace_aggid2agg(state, aggdesc.dtagd_id)) == NULL) {
16490 			mutex_exit(&dtrace_lock);
16491 			return (EINVAL);
16492 		}
16493 
16494 		aggdesc.dtagd_epid = agg->dtag_ecb->dte_epid;
16495 
16496 		nrecs = aggdesc.dtagd_nrecs;
16497 		aggdesc.dtagd_nrecs = 0;
16498 
16499 		offs = agg->dtag_base;
16500 		lrec = &agg->dtag_action.dta_rec;
16501 		aggdesc.dtagd_size = lrec->dtrd_offset + lrec->dtrd_size - offs;
16502 
16503 		for (act = agg->dtag_first; ; act = act->dta_next) {
16504 			ASSERT(act->dta_intuple ||
16505 			    DTRACEACT_ISAGG(act->dta_kind));
16506 
16507 			/*
16508 			 * If this action has a record size of zero, it
16509 			 * denotes an argument to the aggregating action.
16510 			 * Because the presence of this record doesn't (or
16511 			 * shouldn't) affect the way the data is interpreted,
16512 			 * we don't copy it out to save user-level the
16513 			 * confusion of dealing with a zero-length record.
16514 			 */
16515 			if (act->dta_rec.dtrd_size == 0) {
16516 				ASSERT(agg->dtag_hasarg);
16517 				continue;
16518 			}
16519 
16520 			aggdesc.dtagd_nrecs++;
16521 
16522 			if (act == &agg->dtag_action)
16523 				break;
16524 		}
16525 
16526 		/*
16527 		 * Now that we have the size, we need to allocate a temporary
16528 		 * buffer in which to store the complete description.  We need
16529 		 * the temporary buffer to be able to drop dtrace_lock()
16530 		 * across the copyout(), below.
16531 		 */
16532 		size = sizeof (dtrace_aggdesc_t) +
16533 		    (aggdesc.dtagd_nrecs * sizeof (dtrace_recdesc_t));
16534 
16535 		buf = kmem_alloc(size, KM_SLEEP);
16536 		dest = (uintptr_t)buf;
16537 
16538 		bcopy(&aggdesc, (void *)dest, sizeof (aggdesc));
16539 		dest += offsetof(dtrace_aggdesc_t, dtagd_rec[0]);
16540 
16541 		for (act = agg->dtag_first; ; act = act->dta_next) {
16542 			dtrace_recdesc_t rec = act->dta_rec;
16543 
16544 			/*
16545 			 * See the comment in the above loop for why we pass
16546 			 * over zero-length records.
16547 			 */
16548 			if (rec.dtrd_size == 0) {
16549 				ASSERT(agg->dtag_hasarg);
16550 				continue;
16551 			}
16552 
16553 			if (nrecs-- == 0)
16554 				break;
16555 
16556 			rec.dtrd_offset -= offs;
16557 			bcopy(&rec, (void *)dest, sizeof (rec));
16558 			dest += sizeof (dtrace_recdesc_t);
16559 
16560 			if (act == &agg->dtag_action)
16561 				break;
16562 		}
16563 
16564 		mutex_exit(&dtrace_lock);
16565 
16566 		if (copyout(buf, (void *)arg, dest - (uintptr_t)buf) != 0) {
16567 			kmem_free(buf, size);
16568 			return (EFAULT);
16569 		}
16570 
16571 		kmem_free(buf, size);
16572 		return (0);
16573 	}
16574 
16575 	case DTRACEIOC_ENABLE: {
16576 		dof_hdr_t *dof;
16577 		dtrace_enabling_t *enab = NULL;
16578 		dtrace_vstate_t *vstate;
16579 		int err = 0;
16580 
16581 		*rv = 0;
16582 
16583 		/*
16584 		 * If a NULL argument has been passed, we take this as our
16585 		 * cue to reevaluate our enablings.
16586 		 */
16587 		if (arg == 0) {
16588 			dtrace_enabling_matchall();
16589 
16590 			return (0);
16591 		}
16592 
16593 		if ((dof = dtrace_dof_copyin(arg, &rval)) == NULL)
16594 			return (rval);
16595 
16596 		mutex_enter(&cpu_lock);
16597 		mutex_enter(&dtrace_lock);
16598 		vstate = &state->dts_vstate;
16599 
16600 		if (state->dts_activity != DTRACE_ACTIVITY_INACTIVE) {
16601 			mutex_exit(&dtrace_lock);
16602 			mutex_exit(&cpu_lock);
16603 			dtrace_dof_destroy(dof);
16604 			return (EBUSY);
16605 		}
16606 
16607 		if (dtrace_dof_slurp(dof, vstate, cr, &enab, 0, B_TRUE) != 0) {
16608 			mutex_exit(&dtrace_lock);
16609 			mutex_exit(&cpu_lock);
16610 			dtrace_dof_destroy(dof);
16611 			return (EINVAL);
16612 		}
16613 
16614 		if ((rval = dtrace_dof_options(dof, state)) != 0) {
16615 			dtrace_enabling_destroy(enab);
16616 			mutex_exit(&dtrace_lock);
16617 			mutex_exit(&cpu_lock);
16618 			dtrace_dof_destroy(dof);
16619 			return (rval);
16620 		}
16621 
16622 		if ((err = dtrace_enabling_match(enab, rv)) == 0) {
16623 			err = dtrace_enabling_retain(enab);
16624 		} else {
16625 			dtrace_enabling_destroy(enab);
16626 		}
16627 
16628 		mutex_exit(&cpu_lock);
16629 		mutex_exit(&dtrace_lock);
16630 		dtrace_dof_destroy(dof);
16631 
16632 		return (err);
16633 	}
16634 
16635 	case DTRACEIOC_REPLICATE: {
16636 		dtrace_repldesc_t desc;
16637 		dtrace_probedesc_t *match = &desc.dtrpd_match;
16638 		dtrace_probedesc_t *create = &desc.dtrpd_create;
16639 		int err;
16640 
16641 		if (copyin((void *)arg, &desc, sizeof (desc)) != 0)
16642 			return (EFAULT);
16643 
16644 		match->dtpd_provider[DTRACE_PROVNAMELEN - 1] = '\0';
16645 		match->dtpd_mod[DTRACE_MODNAMELEN - 1] = '\0';
16646 		match->dtpd_func[DTRACE_FUNCNAMELEN - 1] = '\0';
16647 		match->dtpd_name[DTRACE_NAMELEN - 1] = '\0';
16648 
16649 		create->dtpd_provider[DTRACE_PROVNAMELEN - 1] = '\0';
16650 		create->dtpd_mod[DTRACE_MODNAMELEN - 1] = '\0';
16651 		create->dtpd_func[DTRACE_FUNCNAMELEN - 1] = '\0';
16652 		create->dtpd_name[DTRACE_NAMELEN - 1] = '\0';
16653 
16654 		mutex_enter(&dtrace_lock);
16655 		err = dtrace_enabling_replicate(state, match, create);
16656 		mutex_exit(&dtrace_lock);
16657 
16658 		return (err);
16659 	}
16660 
16661 	case DTRACEIOC_PROBEMATCH:
16662 	case DTRACEIOC_PROBES: {
16663 		dtrace_probe_t *probe = NULL;
16664 		dtrace_probedesc_t desc;
16665 		dtrace_probekey_t pkey;
16666 		dtrace_id_t i;
16667 		int m = 0;
16668 		uint32_t priv;
16669 		uid_t uid;
16670 		zoneid_t zoneid;
16671 
16672 		if (copyin((void *)arg, &desc, sizeof (desc)) != 0)
16673 			return (EFAULT);
16674 
16675 		desc.dtpd_provider[DTRACE_PROVNAMELEN - 1] = '\0';
16676 		desc.dtpd_mod[DTRACE_MODNAMELEN - 1] = '\0';
16677 		desc.dtpd_func[DTRACE_FUNCNAMELEN - 1] = '\0';
16678 		desc.dtpd_name[DTRACE_NAMELEN - 1] = '\0';
16679 
16680 		/*
16681 		 * Before we attempt to match this probe, we want to give
16682 		 * all providers the opportunity to provide it.
16683 		 */
16684 		if (desc.dtpd_id == DTRACE_IDNONE) {
16685 			mutex_enter(&dtrace_provider_lock);
16686 			dtrace_probe_provide(&desc, NULL);
16687 			mutex_exit(&dtrace_provider_lock);
16688 			desc.dtpd_id++;
16689 		}
16690 
16691 		if (cmd == DTRACEIOC_PROBEMATCH)  {
16692 			dtrace_probekey(&desc, &pkey);
16693 			pkey.dtpk_id = DTRACE_IDNONE;
16694 		}
16695 
16696 		dtrace_cred2priv(cr, &priv, &uid, &zoneid);
16697 
16698 		mutex_enter(&dtrace_lock);
16699 
16700 		if (cmd == DTRACEIOC_PROBEMATCH) {
16701 			for (i = desc.dtpd_id; i <= dtrace_nprobes; i++) {
16702 				if ((probe = dtrace_probes[i - 1]) != NULL &&
16703 				    (m = dtrace_match_probe(probe, &pkey,
16704 				    priv, uid, zoneid)) != 0)
16705 					break;
16706 			}
16707 
16708 			if (m < 0) {
16709 				mutex_exit(&dtrace_lock);
16710 				return (EINVAL);
16711 			}
16712 
16713 		} else {
16714 			for (i = desc.dtpd_id; i <= dtrace_nprobes; i++) {
16715 				if ((probe = dtrace_probes[i - 1]) != NULL &&
16716 				    dtrace_match_priv(probe, priv, uid, zoneid))
16717 					break;
16718 			}
16719 		}
16720 
16721 		if (probe == NULL) {
16722 			mutex_exit(&dtrace_lock);
16723 			return (ESRCH);
16724 		}
16725 
16726 		dtrace_probe_description(probe, &desc);
16727 		mutex_exit(&dtrace_lock);
16728 
16729 		if (copyout(&desc, (void *)arg, sizeof (desc)) != 0)
16730 			return (EFAULT);
16731 
16732 		return (0);
16733 	}
16734 
16735 	case DTRACEIOC_PROBEARG: {
16736 		dtrace_argdesc_t desc;
16737 		dtrace_probe_t *probe;
16738 		dtrace_provider_t *prov;
16739 
16740 		if (copyin((void *)arg, &desc, sizeof (desc)) != 0)
16741 			return (EFAULT);
16742 
16743 		if (desc.dtargd_id == DTRACE_IDNONE)
16744 			return (EINVAL);
16745 
16746 		if (desc.dtargd_ndx == DTRACE_ARGNONE)
16747 			return (EINVAL);
16748 
16749 		mutex_enter(&dtrace_provider_lock);
16750 		mutex_enter(&mod_lock);
16751 		mutex_enter(&dtrace_lock);
16752 
16753 		if (desc.dtargd_id > dtrace_nprobes) {
16754 			mutex_exit(&dtrace_lock);
16755 			mutex_exit(&mod_lock);
16756 			mutex_exit(&dtrace_provider_lock);
16757 			return (EINVAL);
16758 		}
16759 
16760 		if ((probe = dtrace_probes[desc.dtargd_id - 1]) == NULL) {
16761 			mutex_exit(&dtrace_lock);
16762 			mutex_exit(&mod_lock);
16763 			mutex_exit(&dtrace_provider_lock);
16764 			return (EINVAL);
16765 		}
16766 
16767 		mutex_exit(&dtrace_lock);
16768 
16769 		prov = probe->dtpr_provider;
16770 
16771 		if (prov->dtpv_pops.dtps_getargdesc == NULL) {
16772 			/*
16773 			 * There isn't any typed information for this probe.
16774 			 * Set the argument number to DTRACE_ARGNONE.
16775 			 */
16776 			desc.dtargd_ndx = DTRACE_ARGNONE;
16777 		} else {
16778 			desc.dtargd_native[0] = '\0';
16779 			desc.dtargd_xlate[0] = '\0';
16780 			desc.dtargd_mapping = desc.dtargd_ndx;
16781 
16782 			prov->dtpv_pops.dtps_getargdesc(prov->dtpv_arg,
16783 			    probe->dtpr_id, probe->dtpr_arg, &desc);
16784 		}
16785 
16786 		mutex_exit(&mod_lock);
16787 		mutex_exit(&dtrace_provider_lock);
16788 
16789 		if (copyout(&desc, (void *)arg, sizeof (desc)) != 0)
16790 			return (EFAULT);
16791 
16792 		return (0);
16793 	}
16794 
16795 	case DTRACEIOC_GO: {
16796 		processorid_t cpuid;
16797 		rval = dtrace_state_go(state, &cpuid);
16798 
16799 		if (rval != 0)
16800 			return (rval);
16801 
16802 		if (copyout(&cpuid, (void *)arg, sizeof (cpuid)) != 0)
16803 			return (EFAULT);
16804 
16805 		return (0);
16806 	}
16807 
16808 	case DTRACEIOC_STOP: {
16809 		processorid_t cpuid;
16810 
16811 		mutex_enter(&dtrace_lock);
16812 		rval = dtrace_state_stop(state, &cpuid);
16813 		mutex_exit(&dtrace_lock);
16814 
16815 		if (rval != 0)
16816 			return (rval);
16817 
16818 		if (copyout(&cpuid, (void *)arg, sizeof (cpuid)) != 0)
16819 			return (EFAULT);
16820 
16821 		return (0);
16822 	}
16823 
16824 	case DTRACEIOC_DOFGET: {
16825 		dof_hdr_t hdr, *dof;
16826 		uint64_t len;
16827 
16828 		if (copyin((void *)arg, &hdr, sizeof (hdr)) != 0)
16829 			return (EFAULT);
16830 
16831 		mutex_enter(&dtrace_lock);
16832 		dof = dtrace_dof_create(state);
16833 		mutex_exit(&dtrace_lock);
16834 
16835 		len = MIN(hdr.dofh_loadsz, dof->dofh_loadsz);
16836 		rval = copyout(dof, (void *)arg, len);
16837 		dtrace_dof_destroy(dof);
16838 
16839 		return (rval == 0 ? 0 : EFAULT);
16840 	}
16841 
16842 	case DTRACEIOC_AGGSNAP:
16843 	case DTRACEIOC_BUFSNAP: {
16844 		dtrace_bufdesc_t desc;
16845 		caddr_t cached;
16846 		dtrace_buffer_t *buf;
16847 
16848 		if (copyin((void *)arg, &desc, sizeof (desc)) != 0)
16849 			return (EFAULT);
16850 
16851 		if (desc.dtbd_cpu < 0 || desc.dtbd_cpu >= NCPU)
16852 			return (EINVAL);
16853 
16854 		mutex_enter(&dtrace_lock);
16855 
16856 		if (cmd == DTRACEIOC_BUFSNAP) {
16857 			buf = &state->dts_buffer[desc.dtbd_cpu];
16858 		} else {
16859 			buf = &state->dts_aggbuffer[desc.dtbd_cpu];
16860 		}
16861 
16862 		if (buf->dtb_flags & (DTRACEBUF_RING | DTRACEBUF_FILL)) {
16863 			size_t sz = buf->dtb_offset;
16864 
16865 			if (state->dts_activity != DTRACE_ACTIVITY_STOPPED) {
16866 				mutex_exit(&dtrace_lock);
16867 				return (EBUSY);
16868 			}
16869 
16870 			/*
16871 			 * If this buffer has already been consumed, we're
16872 			 * going to indicate that there's nothing left here
16873 			 * to consume.
16874 			 */
16875 			if (buf->dtb_flags & DTRACEBUF_CONSUMED) {
16876 				mutex_exit(&dtrace_lock);
16877 
16878 				desc.dtbd_size = 0;
16879 				desc.dtbd_drops = 0;
16880 				desc.dtbd_errors = 0;
16881 				desc.dtbd_oldest = 0;
16882 				sz = sizeof (desc);
16883 
16884 				if (copyout(&desc, (void *)arg, sz) != 0)
16885 					return (EFAULT);
16886 
16887 				return (0);
16888 			}
16889 
16890 			/*
16891 			 * If this is a ring buffer that has wrapped, we want
16892 			 * to copy the whole thing out.
16893 			 */
16894 			if (buf->dtb_flags & DTRACEBUF_WRAPPED) {
16895 				dtrace_buffer_polish(buf);
16896 				sz = buf->dtb_size;
16897 			}
16898 
16899 			if (copyout(buf->dtb_tomax, desc.dtbd_data, sz) != 0) {
16900 				mutex_exit(&dtrace_lock);
16901 				return (EFAULT);
16902 			}
16903 
16904 			desc.dtbd_size = sz;
16905 			desc.dtbd_drops = buf->dtb_drops;
16906 			desc.dtbd_errors = buf->dtb_errors;
16907 			desc.dtbd_oldest = buf->dtb_xamot_offset;
16908 			desc.dtbd_timestamp = dtrace_gethrtime();
16909 
16910 			mutex_exit(&dtrace_lock);
16911 
16912 			if (copyout(&desc, (void *)arg, sizeof (desc)) != 0)
16913 				return (EFAULT);
16914 
16915 			buf->dtb_flags |= DTRACEBUF_CONSUMED;
16916 
16917 			return (0);
16918 		}
16919 
16920 		if (buf->dtb_tomax == NULL) {
16921 			ASSERT(buf->dtb_xamot == NULL);
16922 			mutex_exit(&dtrace_lock);
16923 			return (ENOENT);
16924 		}
16925 
16926 		cached = buf->dtb_tomax;
16927 		ASSERT(!(buf->dtb_flags & DTRACEBUF_NOSWITCH));
16928 
16929 		dtrace_xcall(desc.dtbd_cpu,
16930 		    (dtrace_xcall_t)dtrace_buffer_switch, buf);
16931 
16932 		state->dts_errors += buf->dtb_xamot_errors;
16933 
16934 		/*
16935 		 * If the buffers did not actually switch, then the cross call
16936 		 * did not take place -- presumably because the given CPU is
16937 		 * not in the ready set.  If this is the case, we'll return
16938 		 * ENOENT.
16939 		 */
16940 		if (buf->dtb_tomax == cached) {
16941 			ASSERT(buf->dtb_xamot != cached);
16942 			mutex_exit(&dtrace_lock);
16943 			return (ENOENT);
16944 		}
16945 
16946 		ASSERT(cached == buf->dtb_xamot);
16947 
16948 		/*
16949 		 * We have our snapshot; now copy it out.
16950 		 */
16951 		if (copyout(buf->dtb_xamot, desc.dtbd_data,
16952 		    buf->dtb_xamot_offset) != 0) {
16953 			mutex_exit(&dtrace_lock);
16954 			return (EFAULT);
16955 		}
16956 
16957 		desc.dtbd_size = buf->dtb_xamot_offset;
16958 		desc.dtbd_drops = buf->dtb_xamot_drops;
16959 		desc.dtbd_errors = buf->dtb_xamot_errors;
16960 		desc.dtbd_oldest = 0;
16961 		desc.dtbd_timestamp = buf->dtb_switched;
16962 
16963 		mutex_exit(&dtrace_lock);
16964 
16965 		/*
16966 		 * Finally, copy out the buffer description.
16967 		 */
16968 		if (copyout(&desc, (void *)arg, sizeof (desc)) != 0)
16969 			return (EFAULT);
16970 
16971 		return (0);
16972 	}
16973 
16974 	case DTRACEIOC_CONF: {
16975 		dtrace_conf_t conf;
16976 
16977 		bzero(&conf, sizeof (conf));
16978 		conf.dtc_difversion = DIF_VERSION;
16979 		conf.dtc_difintregs = DIF_DIR_NREGS;
16980 		conf.dtc_diftupregs = DIF_DTR_NREGS;
16981 		conf.dtc_ctfmodel = CTF_MODEL_NATIVE;
16982 
16983 		if (copyout(&conf, (void *)arg, sizeof (conf)) != 0)
16984 			return (EFAULT);
16985 
16986 		return (0);
16987 	}
16988 
16989 	case DTRACEIOC_STATUS: {
16990 		dtrace_status_t stat;
16991 		dtrace_dstate_t *dstate;
16992 		int i, j;
16993 		uint64_t nerrs;
16994 
16995 		/*
16996 		 * See the comment in dtrace_state_deadman() for the reason
16997 		 * for setting dts_laststatus to INT64_MAX before setting
16998 		 * it to the correct value.
16999 		 */
17000 		state->dts_laststatus = INT64_MAX;
17001 		dtrace_membar_producer();
17002 		state->dts_laststatus = dtrace_gethrtime();
17003 
17004 		bzero(&stat, sizeof (stat));
17005 
17006 		mutex_enter(&dtrace_lock);
17007 
17008 		if (state->dts_activity == DTRACE_ACTIVITY_INACTIVE) {
17009 			mutex_exit(&dtrace_lock);
17010 			return (ENOENT);
17011 		}
17012 
17013 		if (state->dts_activity == DTRACE_ACTIVITY_DRAINING)
17014 			stat.dtst_exiting = 1;
17015 
17016 		nerrs = state->dts_errors;
17017 		dstate = &state->dts_vstate.dtvs_dynvars;
17018 
17019 		for (i = 0; i < NCPU; i++) {
17020 			dtrace_dstate_percpu_t *dcpu = &dstate->dtds_percpu[i];
17021 
17022 			stat.dtst_dyndrops += dcpu->dtdsc_drops;
17023 			stat.dtst_dyndrops_dirty += dcpu->dtdsc_dirty_drops;
17024 			stat.dtst_dyndrops_rinsing += dcpu->dtdsc_rinsing_drops;
17025 
17026 			if (state->dts_buffer[i].dtb_flags & DTRACEBUF_FULL)
17027 				stat.dtst_filled++;
17028 
17029 			nerrs += state->dts_buffer[i].dtb_errors;
17030 
17031 			for (j = 0; j < state->dts_nspeculations; j++) {
17032 				dtrace_speculation_t *spec;
17033 				dtrace_buffer_t *buf;
17034 
17035 				spec = &state->dts_speculations[j];
17036 				buf = &spec->dtsp_buffer[i];
17037 				stat.dtst_specdrops += buf->dtb_xamot_drops;
17038 			}
17039 		}
17040 
17041 		stat.dtst_specdrops_busy = state->dts_speculations_busy;
17042 		stat.dtst_specdrops_unavail = state->dts_speculations_unavail;
17043 		stat.dtst_stkstroverflows = state->dts_stkstroverflows;
17044 		stat.dtst_dblerrors = state->dts_dblerrors;
17045 		stat.dtst_killed =
17046 		    (state->dts_activity == DTRACE_ACTIVITY_KILLED);
17047 		stat.dtst_errors = nerrs;
17048 
17049 		mutex_exit(&dtrace_lock);
17050 
17051 		if (copyout(&stat, (void *)arg, sizeof (stat)) != 0)
17052 			return (EFAULT);
17053 
17054 		return (0);
17055 	}
17056 
17057 	case DTRACEIOC_FORMAT: {
17058 		dtrace_fmtdesc_t fmt;
17059 		char *str;
17060 		int len;
17061 
17062 		if (copyin((void *)arg, &fmt, sizeof (fmt)) != 0)
17063 			return (EFAULT);
17064 
17065 		mutex_enter(&dtrace_lock);
17066 
17067 		if (fmt.dtfd_format == 0 ||
17068 		    fmt.dtfd_format > state->dts_nformats) {
17069 			mutex_exit(&dtrace_lock);
17070 			return (EINVAL);
17071 		}
17072 
17073 		/*
17074 		 * Format strings are allocated contiguously and they are
17075 		 * never freed; if a format index is less than the number
17076 		 * of formats, we can assert that the format map is non-NULL
17077 		 * and that the format for the specified index is non-NULL.
17078 		 */
17079 		ASSERT(state->dts_formats != NULL);
17080 		str = state->dts_formats[fmt.dtfd_format - 1];
17081 		ASSERT(str != NULL);
17082 
17083 		len = strlen(str) + 1;
17084 
17085 		if (len > fmt.dtfd_length) {
17086 			fmt.dtfd_length = len;
17087 
17088 			if (copyout(&fmt, (void *)arg, sizeof (fmt)) != 0) {
17089 				mutex_exit(&dtrace_lock);
17090 				return (EINVAL);
17091 			}
17092 		} else {
17093 			if (copyout(str, fmt.dtfd_string, len) != 0) {
17094 				mutex_exit(&dtrace_lock);
17095 				return (EINVAL);
17096 			}
17097 		}
17098 
17099 		mutex_exit(&dtrace_lock);
17100 		return (0);
17101 	}
17102 
17103 	default:
17104 		break;
17105 	}
17106 
17107 	return (ENOTTY);
17108 }
17109 
17110 /*ARGSUSED*/
17111 static int
17112 dtrace_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
17113 {
17114 	dtrace_state_t *state;
17115 
17116 	switch (cmd) {
17117 	case DDI_DETACH:
17118 		break;
17119 
17120 	case DDI_SUSPEND:
17121 		return (DDI_SUCCESS);
17122 
17123 	default:
17124 		return (DDI_FAILURE);
17125 	}
17126 
17127 	mutex_enter(&cpu_lock);
17128 	mutex_enter(&dtrace_provider_lock);
17129 	mutex_enter(&dtrace_lock);
17130 
17131 	ASSERT(dtrace_opens == 0);
17132 
17133 	if (dtrace_helpers > 0) {
17134 		mutex_exit(&dtrace_provider_lock);
17135 		mutex_exit(&dtrace_lock);
17136 		mutex_exit(&cpu_lock);
17137 		return (DDI_FAILURE);
17138 	}
17139 
17140 	if (dtrace_unregister((dtrace_provider_id_t)dtrace_provider) != 0) {
17141 		mutex_exit(&dtrace_provider_lock);
17142 		mutex_exit(&dtrace_lock);
17143 		mutex_exit(&cpu_lock);
17144 		return (DDI_FAILURE);
17145 	}
17146 
17147 	dtrace_provider = NULL;
17148 
17149 	if ((state = dtrace_anon_grab()) != NULL) {
17150 		/*
17151 		 * If there were ECBs on this state, the provider should
17152 		 * have not been allowed to detach; assert that there is
17153 		 * none.
17154 		 */
17155 		ASSERT(state->dts_necbs == 0);
17156 		dtrace_state_destroy(state);
17157 
17158 		/*
17159 		 * If we're being detached with anonymous state, we need to
17160 		 * indicate to the kernel debugger that DTrace is now inactive.
17161 		 */
17162 		(void) kdi_dtrace_set(KDI_DTSET_DTRACE_DEACTIVATE);
17163 	}
17164 
17165 	bzero(&dtrace_anon, sizeof (dtrace_anon_t));
17166 	unregister_cpu_setup_func(dtrace_cpu_setup, NULL);
17167 	dtrace_cpu_init = NULL;
17168 	dtrace_helpers_cleanup = NULL;
17169 	dtrace_helpers_fork = NULL;
17170 	dtrace_cpustart_init = NULL;
17171 	dtrace_cpustart_fini = NULL;
17172 	dtrace_debugger_init = NULL;
17173 	dtrace_debugger_fini = NULL;
17174 	dtrace_modload = NULL;
17175 	dtrace_modunload = NULL;
17176 
17177 	ASSERT(dtrace_getf == 0);
17178 	ASSERT(dtrace_closef == NULL);
17179 
17180 	mutex_exit(&cpu_lock);
17181 
17182 	kmem_free(dtrace_probes, dtrace_nprobes * sizeof (dtrace_probe_t *));
17183 	dtrace_probes = NULL;
17184 	dtrace_nprobes = 0;
17185 
17186 	dtrace_hash_destroy(dtrace_bymod);
17187 	dtrace_hash_destroy(dtrace_byfunc);
17188 	dtrace_hash_destroy(dtrace_byname);
17189 	dtrace_bymod = NULL;
17190 	dtrace_byfunc = NULL;
17191 	dtrace_byname = NULL;
17192 
17193 	kmem_cache_destroy(dtrace_state_cache);
17194 	vmem_destroy(dtrace_minor);
17195 	vmem_destroy(dtrace_arena);
17196 
17197 	if (dtrace_toxrange != NULL) {
17198 		kmem_free(dtrace_toxrange,
17199 		    dtrace_toxranges_max * sizeof (dtrace_toxrange_t));
17200 		dtrace_toxrange = NULL;
17201 		dtrace_toxranges = 0;
17202 		dtrace_toxranges_max = 0;
17203 	}
17204 
17205 	ddi_remove_minor_node(dtrace_devi, NULL);
17206 	dtrace_devi = NULL;
17207 
17208 	ddi_soft_state_fini(&dtrace_softstate);
17209 
17210 	ASSERT(dtrace_vtime_references == 0);
17211 	ASSERT(dtrace_opens == 0);
17212 	ASSERT(dtrace_retained == NULL);
17213 
17214 	mutex_exit(&dtrace_lock);
17215 	mutex_exit(&dtrace_provider_lock);
17216 
17217 	/*
17218 	 * We don't destroy the task queue until after we have dropped our
17219 	 * locks (taskq_destroy() may block on running tasks).  To prevent
17220 	 * attempting to do work after we have effectively detached but before
17221 	 * the task queue has been destroyed, all tasks dispatched via the
17222 	 * task queue must check that DTrace is still attached before
17223 	 * performing any operation.
17224 	 */
17225 	taskq_destroy(dtrace_taskq);
17226 	dtrace_taskq = NULL;
17227 
17228 	return (DDI_SUCCESS);
17229 }
17230 
17231 /*ARGSUSED*/
17232 static int
17233 dtrace_info(dev_info_t *dip, ddi_info_cmd_t infocmd, void *arg, void **result)
17234 {
17235 	int error;
17236 
17237 	switch (infocmd) {
17238 	case DDI_INFO_DEVT2DEVINFO:
17239 		*result = (void *)dtrace_devi;
17240 		error = DDI_SUCCESS;
17241 		break;
17242 	case DDI_INFO_DEVT2INSTANCE:
17243 		*result = (void *)0;
17244 		error = DDI_SUCCESS;
17245 		break;
17246 	default:
17247 		error = DDI_FAILURE;
17248 	}
17249 	return (error);
17250 }
17251 
17252 static struct cb_ops dtrace_cb_ops = {
17253 	dtrace_open,		/* open */
17254 	dtrace_close,		/* close */
17255 	nulldev,		/* strategy */
17256 	nulldev,		/* print */
17257 	nodev,			/* dump */
17258 	nodev,			/* read */
17259 	nodev,			/* write */
17260 	dtrace_ioctl,		/* ioctl */
17261 	nodev,			/* devmap */
17262 	nodev,			/* mmap */
17263 	nodev,			/* segmap */
17264 	nochpoll,		/* poll */
17265 	ddi_prop_op,		/* cb_prop_op */
17266 	0,			/* streamtab  */
17267 	D_NEW | D_MP		/* Driver compatibility flag */
17268 };
17269 
17270 static struct dev_ops dtrace_ops = {
17271 	DEVO_REV,		/* devo_rev */
17272 	0,			/* refcnt */
17273 	dtrace_info,		/* get_dev_info */
17274 	nulldev,		/* identify */
17275 	nulldev,		/* probe */
17276 	dtrace_attach,		/* attach */
17277 	dtrace_detach,		/* detach */
17278 	nodev,			/* reset */
17279 	&dtrace_cb_ops,		/* driver operations */
17280 	NULL,			/* bus operations */
17281 	nodev,			/* dev power */
17282 	ddi_quiesce_not_needed,		/* quiesce */
17283 };
17284 
17285 static struct modldrv modldrv = {
17286 	&mod_driverops,		/* module type (this is a pseudo driver) */
17287 	"Dynamic Tracing",	/* name of module */
17288 	&dtrace_ops,		/* driver ops */
17289 };
17290 
17291 static struct modlinkage modlinkage = {
17292 	MODREV_1,
17293 	(void *)&modldrv,
17294 	NULL
17295 };
17296 
17297 int
17298 _init(void)
17299 {
17300 	return (mod_install(&modlinkage));
17301 }
17302 
17303 int
17304 _info(struct modinfo *modinfop)
17305 {
17306 	return (mod_info(&modlinkage, modinfop));
17307 }
17308 
17309 int
17310 _fini(void)
17311 {
17312 	return (mod_remove(&modlinkage));
17313 }
17314