Tags: c++, intel-pin

Intel Pin: how to obtain return address of system call


In Intel Pin you can get the return address of a routine call using IARG_RETURN_IP as one of the arguments of RTN_InsertCall.

I wanted to do the same with a system call, instrumented using PIN_AddSyscallEntryFunction and PIN_AddSyscallExitFunction.

So at first I thought about getting the value of the instruction pointer after the call using ADDRINT returnIp = PIN_GetContextReg(ctx, REG_INST_PTR); in the function passed as argument to PIN_AddSyscallExitFunction.

However, I noticed that, if I get the value of REG_INST_PTR in the same way but this time before the system call is executed, I always get the same two values for the instruction pointer.

For example, I would always get 2003266482 before and 2003266484 after.

So I was wondering why this is the case and if I am doing something wrong.


Solution

  • This has to do with the way system calls are executed in libc: there is a single assembly stub, which all system calls go through, that actually does what needs to be done to pass control to the kernel and back.
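As an added example, not part of the question or the answer above: a small ptrace tracer (Linux x86-64, glibc assumed) that shows the same effect from outside Pin. The child makes three different system calls through one libc stub, the syscall() function, from three call sites; the parent stops it at every syscall entry and records the instruction pointer and the word at the stack pointer. The instruction pointer is identical for all three (it sits just past the same `syscall` instruction), while the word at the stack pointer is the return address into the caller and differs per call site. The workload and the event layout are constructed for this demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if !defined(__linux__) || !defined(__x86_64__)
#error "This example reads x86-64 Linux registers via ptrace"
#endif

#define MAX_EVENTS 64

struct syscall_event {
    long nr;                /* system call number (orig_rax at the stop) */
    unsigned long ip;       /* RIP at the entry stop: just past `syscall` */
    unsigned long ret_addr; /* word at RSP: return address into the stub's caller */
    unsigned short opcode;  /* two bytes before ip; 0x050f == "0f 05" == syscall */
};

/* Constructed workload: three different system calls, all routed through the
 * same libc stub (glibc's syscall() function) from three different call sites. */
static void child_workload(void)
{
    volatile long sink;
    sink = syscall(SYS_getpid);
    sink = syscall(SYS_getppid);
    sink = syscall(SYS_getuid);
    (void)sink;
    _exit(0);
}

/* Fork a traced child and record one event per system-call entry.
 * Returns the number of events recorded, or -1 if tracing failed. */
int trace_syscall_entries(struct syscall_event *out, int max)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(127);
        raise(SIGSTOP);          /* pause so the parent can set options first */
        child_workload();
    }
    int status, n = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;
    /* Report syscall stops as SIGTRAP|0x80 so they are not confused with signals. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) < 0)
        return -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0)
            return -1;
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
            return -1;
        /* At a syscall-entry stop the kernel has set rax to -ENOSYS; at the
         * matching exit stop rax holds the result. Keep only the entries. */
        if ((long)regs.rax != -ENOSYS || n >= max)
            continue;
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)regs.rsp, NULL);
        if (errno)
            return -1;
        errno = 0;
        long code = ptrace(PTRACE_PEEKTEXT, pid, (void *)(regs.rip - 2), NULL);
        if (errno)
            return -1;
        out[n].nr = (long)regs.orig_rax;
        out[n].ip = (unsigned long)regs.rip;
        out[n].ret_addr = (unsigned long)word;
        out[n].opcode = (unsigned short)(code & 0xffff);
        n++;
    }
    return n;
}

/* Look up the last recorded entry for each workload call and return 1 when
 * all three share one instruction pointer that sits right after a `syscall`
 * instruction (bytes 0f 05) while their three return addresses all differ. */
int workload_shares_stub(const struct syscall_event *ev, int n)
{
    const long wanted[3] = { SYS_getpid, SYS_getppid, SYS_getuid };
    struct syscall_event w[3];
    for (int k = 0; k < 3; k++) {
        int idx = -1;
        for (int i = 0; i < n; i++)
            if (ev[i].nr == wanted[k])
                idx = i;
        if (idx < 0)
            return 0;
        w[k] = ev[idx];
    }
    return w[0].ip == w[1].ip && w[1].ip == w[2].ip && w[0].opcode == 0x050f
        && w[0].ret_addr != w[1].ret_addr && w[1].ret_addr != w[2].ret_addr
        && w[0].ret_addr != w[2].ret_addr;
}

int main(void)
{
    struct syscall_event ev[MAX_EVENTS];
    int n = trace_syscall_entries(ev, MAX_EVENTS);
    if (n < 0) {
        perror("ptrace");
        return 1;
    }
    printf("%-6s %-18s %-18s %s\n", "nr", "ip", "[rsp]", "bytes@ip-2");
    for (int i = 0; i < n; i++)
        printf("%-6ld 0x%016lx 0x%016lx %04x\n",
               ev[i].nr, ev[i].ip, ev[i].ret_addr, ev[i].opcode);
    if (workload_shares_stub(ev, n))
        puts("one stub ip for all three calls, three distinct return addresses");
    return 0;
}
```

Inside a Pin tool the same two reads are PIN_GetContextReg(ctx, REG_INST_PTR) and PIN_GetContextReg(ctx, REG_STACK_PTR), followed by PIN_SafeCopy of one word from the stack pointer. Reading [RSP] gives the caller's return address only while the stub is a leaf that has pushed nothing, as glibc's x86-64 syscall() is; a wrapper that sets up a frame or saves registers needs to be unwound instead. The question's before/after values differing by 2 match a two-byte system-call instruction (`int 0x80`, `sysenter` and `syscall` are all two bytes), which is why the example checks the two bytes just before the reported instruction pointer rather than the bytes at it.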