How do DTrace pid probes, specifically entry and return probes, work at the assembly level?

My assumption was that, upon initialization, DTrace would modify the target code by changing the instruction at the target location to an interrupt (e.g. 'int 0x1'). Then, in the interrupt handler, it would first do the tracing task, then complete the original instruction, and then continue execution at the original location.

To test this, I ran DTrace against my test program, which calculated a checksum of the text segment for the area where my test program code was located. The checksum was calculated before and after starting DTrace, and I assumed I would see a difference. This was indeed the case when using a specific instruction address probe in DTrace. But when using entry or return probes, the checksum did not change.

So, repeating my question, how do these two types of probes work on the assembly level, if they are not modifying the target code?

Edit: Hmm.. My further thought is that maybe DTrace is setting page faults upon read for the segments where it has done modifications for return/entry probes to make the changes invisible. But not for instruction level probes, as the number of page faults for them might start affecting the performance of the application. Anyone know for sure?
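
The before/after checksum test described in the question, sketched as an added example (this is not the poster's program). `traced_target`, the 16-byte window and the FNV-1a hash are assumptions, and the probe is simulated by writing a one-byte breakpoint opcode (`0xCC`) into a copy of the code bytes rather than by running a tracer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 16 /* bytes of code to watch (constructed value) */

/* Hypothetical function whose leading code bytes are monitored. */
int traced_target(int x) { return x * 31 + 7; }

/* FNV-1a over a byte range; any single-byte change alters the result. */
uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Copy the live code bytes. Assumes the text segment is readable and that
 * a function pointer converts to a data pointer (true on POSIX systems). */
void snapshot_code(uint8_t out[WINDOW]) {
    memcpy(out, (const void *)(uintptr_t)&traced_target, WINDOW);
}

/* 1 if two live snapshots hash the same, i.e. nothing patched the window. */
int code_unchanged(void) {
    uint8_t a[WINDOW], b[WINDOW];
    snapshot_code(a);
    snapshot_code(b);
    return fnv1a(a, WINDOW) == fnv1a(b, WINDOW);
}

/* Simulate a probe patching one byte of a snapshot, then locate it.
 * Returns the offset of the first differing byte, or -1 if none found. */
long simulate_patch_and_detect(size_t offset) {
    uint8_t base[WINDOW], now[WINDOW];
    if (offset >= WINDOW) return -1; /* outside the checksummed area */
    snapshot_code(base);
    snapshot_code(now);
    now[offset] = (uint8_t)(base[offset] == 0xCC ? 0x90 : 0xCC);
    if (fnv1a(base, WINDOW) == fnv1a(now, WINDOW)) return -1;
    for (size_t i = 0; i < WINDOW; i++)
        if (base[i] != now[i]) return (long)i;
    return -1;
}

int main(void) {
    printf("unchanged=%d patched_at=%ld\n", code_unchanged(),
           simulate_patch_and_detect(0));
    return 0;
}
```

A patch that lands outside the checksummed window leaves the hash untouched, so the window has to cover the exact address being instrumented for the test to say anything.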