Pin (computer program)


Pin is a platform for creating analysis tools. A pin tool comprises instrumentation, analysis and callback routines. Instrumentation routines are called when code that has not yet been recompiled is about to be run, and enable the insertion of analysis routines. Analysis routines are called when the code associated with them is run. Callback routines are only called when specific conditions are met, or when a certain event has occurred. Pin provides an extensive application programming interface for instrumentation at different abstraction levels, from one instruction to an entire binary module. It also supports callbacks for many events such as library loads, system calls, signals/exceptions and thread creation events.
Pin performs instrumentation by taking control of the program just after it loads into the memory. Then just-in-time recompiles small sections of the binary code using pin just before it is run. New instructions to perform analysis are added to the recompiled code. These new instructions come from the Pintool. A large array of optimization techniques are used to obtain the lowest possible running time and memory use overhead. As of June 2010, Pin's average base overhead is 30 percent.

Features

Instrumentation modes

Pin supports two modes of instrumentation called JIT mode and Probe mode. JIT mode supports all features of Pin, while Probe mode supports a limited feature set but is far faster, adding almost no overhead to program's running time. JIT mode uses a just-in-time compiler to recompile all program code and insert instrumentation, while Probe mode uses code trampolines for instrumentation.

Platform independence

Pin was designed for tool portability, and despite JIT compiling from one ISA to the same ISA, most of its APIs are architecture and operating system independent. It was also designed to be portable itself, carefully isolating platform-specific code from generic code, allowing the fast adaptation of Pin to new platforms. Approximately half of the code is generic and the rest is either architecture or OS dependent.

Optimizations

Pin uses many techniques to optimize instrumentation and analysis code, using techniques such as inlining, liveness analysis and smart register spilling. Pin performs these optimizations automatically whenever possible, without needing users to insert any extra code to allow inlining. Naturally, some optimizations still require user hints, and some code structures are easier to inline than others. Direct linking of jitted code sections, a technique called trace linking, and register binding reconciliation, which minimizes register spilling and remapping, are also used.

Ease of use

Pin’s API and implementation are focused on making pin tools easy to write. Pin takes full responsibility for assuring that the instrumentation code from the pin tool does not affect the application state. Also, the API enables instrumentation code to request many pieces of information from Pin. For example, the instrumentation code in the pin tool can use the Pin API to get the memory address being accessed by an instruction, without having to examine the instruction in detail.

Tools

There are many Pintools that are used for varying tasks.
There are many other tools available to collect resource usage of running programs on the system such as Bell Lab’s strapon tool and Dyninst tool etc. Bell Lab’s tool uses the strap on technology which runs a tool to collect resources simultaneously with the program but this tool is only compatible with the programs which allow other programs to run simultaneously with them. Furthermore, Dyninst tool uses binary rewriting of the program’s executable and implementable commands inside the program to check for resource usage and is very efficient. However, it is very unstable as it is a relatively new tool and crashes on large scale programs. Lastly, Intel Pin tool uses static binary instrumentation and runs the program as a part of itself while keeping track of all its resources. This approach is more suitable for an antivirus as it can easily run all the processes under itself and can kill programs if they reach a maximum allocated limit as defined by the antivirus.