Reversing : The Hacker's Guide to Reverse Engineering

observes which functions are executed most frequently. The program then reorganizes the order of functions in the binary according to that information, so that the most popular functions are moved to the beginning of the module, and the less popular functions are placed near the end. This way the operating system can keep the “popular code” area in memory and only load the rest of the module as needed (and then page it out again when it’s no longer needed).

In most reversing scenarios function-level working-set tuning won’t have any impact on the reversing process, except that it provides a tiny hint regarding the program: A function’s address relative to the beginning of the module indicates how popular that function is. The closer a function is to the beginning of the module, the more popular it is. Functions that reside very near to the end of the module (those that have higher addresses) are very rarely executed and are probably responsible for some unusual cases such as error cases or rarely used functionality. Figure A.13 illustrates this concept.

Line-Level Working-Set Tuning

Line-level working-set tuning is a more advanced form of working-set tuning that usually requires explicit support in the compiler itself. The idea is that instead of shuffling functions based on their usage patterns, the working-set tuning process can actually shuffle conditional code sections within individual functions, so that the working set can be made even more efficient than with function-level tuning. The working-set tuner records usage statistics for every condition in the program and can actually relocate conditional code blocks to other areas in the binary module.

For reversers, line-level working-set tuning provides the benefit of knowing whether a particular condition is likely to execute during normal runtime. However, not being able to see the entire function in one piece is a major hassle. Because code blocks are moved around beyond the boundaries of the functions to which they belong, reversing sessions on such modules can exhibit some peculiarities. One important thing to pay attention to is that functions are broken up and scattered throughout the module, and that it’s hard to tell when you’re looking at a detached snippet of code that is a part of some unknown function at the other end of the module. The code that sits right before or after the snippet might be totally unrelated to it. One trick that sometimes works for identifying the connections between such isolated code snippets is to look for an unconditional JMP at the end of the snippet. Often this detached snippet will jump back to the main body of the function, revealing its location. In other cases the detached code chunk will simply return, and its connection to its main function body would remain unknown. Figure A.14 illustrates the effect of line-level working-set tuning on code placement.
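The two heuristics described in this appendix (a function's offset from the module start as a popularity hint, and the trailing unconditional JMP of a detached snippet as a pointer back to its parent function) can be turned into a small analysis helper. The following is an added example, not code from the book; it works on a constructed module map of function ranges and disassembled code blocks rather than on a real binary, and all names, addresses and the `Function`/`Snippet` record types are assumptions made for the illustration. A real workflow would feed it function boundaries and block endings exported from a disassembler.

```python
"""Working-set tuning heuristics for a reverser's notes (added example).

Two heuristics from the text, applied to a constructed module map:
  1. function-level: a function's offset from the module start hints at
     how frequently it runs (lower offset = hotter).
  2. line-level: a detached code snippet that ends in an unconditional
     JMP back into a known function body can be attributed to that
     function; one that ends in RET stays unattributed.
All addresses, names and snippets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

MODULE_BASE = 0x00400000  # constructed image base


@dataclass(frozen=True)
class Function:
    name: str
    start: int   # virtual address of the first byte
    size: int

    @property
    def end(self) -> int:
        return self.start + self.size  # exclusive

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


@dataclass(frozen=True)
class Snippet:
    """A contiguous code block as a disassembler might present it.
    last_mnemonic is the final instruction; jmp_target is set only for
    an unconditional JMP with a direct target."""
    start: int
    last_mnemonic: str
    jmp_target: Optional[int] = None


def popularity_rank(funcs: list[Function], module_base: int = MODULE_BASE) -> list[tuple[str, float]]:
    """Rank functions by relative position in the module.

    Returns (name, relative_offset) pairs sorted hottest-first, where
    relative_offset is the fraction of the module's code span at which
    the function begins (0.0 = very start, ~1.0 = very end)."""
    if not funcs:
        return []
    span_end = max(f.end for f in funcs)
    span = (span_end - module_base) or 1
    ranked = sorted(funcs, key=lambda f: f.start)
    return [(f.name, (f.start - module_base) / span) for f in ranked]


def attribute_snippets(funcs: list[Function], snippets: list[Snippet]) -> dict[int, Optional[str]]:
    """Map each snippet start address to the function it most likely belongs to.

    A snippet that already lies inside a function body is attributed to that
    function directly. A snippet outside every body is attributed only if it
    ends in an unconditional JMP whose target lands in a known body; a
    snippet that ends in RET (or jumps nowhere known) is left as None."""
    def owner(addr: int) -> Optional[str]:
        for f in funcs:
            if f.contains(addr):
                return f.name
        return None

    result: dict[int, Optional[str]] = {}
    for s in snippets:
        home = owner(s.start)
        if home is not None:
            result[s.start] = home
        elif s.last_mnemonic.upper() == "JMP" and s.jmp_target is not None:
            result[s.start] = owner(s.jmp_target)
        else:
            result[s.start] = None
    return result


# Constructed module map: hot code near the base, cold code near the end,
# and two detached snippets moved past the last function by line-level tuning.
FUNCS = [
    Function("ParseRequest", MODULE_BASE + 0x1000, 0x400),
    Function("DispatchCommand", MODULE_BASE + 0x1400, 0x300),
    Function("HandleRareError", MODULE_BASE + 0xF000, 0x100),
]
SNIPPETS = [
    Snippet(MODULE_BASE + 0x1100, "JMP", MODULE_BASE + 0x1200),   # inside ParseRequest
    Snippet(MODULE_BASE + 0x20000, "JMP", MODULE_BASE + 0x1480),  # detached, jumps back into DispatchCommand
    Snippet(MODULE_BASE + 0x20040, "RET"),                        # detached, returns: owner unknown
]

if __name__ == "__main__":
    for name, rel in popularity_rank(FUNCS):
        print(f"{name:18s} starts at {rel:.2%} of the module span")
    for addr, fn in attribute_snippets(FUNCS, SNIPPETS).items():
        print(f"snippet @ {addr:#010x} -> {fn or 'unknown'}")
```

The RET case is deliberately left as `None` rather than guessed: as the text notes, a detached chunk that simply returns gives no positional clue, and an analyst's notes are better served by an explicit "unknown" than by a wrong attribution.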

516 Appendix A
