What is a "per-CPU probe"?

This should be done using the DPCPU macros, same as intr_probe.

What if the cached value of sstatus is 0? Then the code doesn't distinguish between two different cases.

It would be better to have an explicit state machine. Try defining a per-CPU struct:

struct kinst_cpu_state {
    enum {
        KINST_PROBE_ARMED,
        KINST_PROBE_FIRED,
    } state;
    struct kinst_probe *kp;
    register_t sstatus;
};

When a probe is enabled, it enters state ARMED. When it fires, kinst_invop() calls dtrace_probe() and sets the state to FIRED. If single-stepping is done using a trampoline, then the second call to kinst_invop() will start in state FIRED, and there it will go back to ARMED. If single-stepping is done using emulation, then the state goes immediately from FIRED back to ARMED.

In particular, kinst_invop() should be simpler. Now that each probe has its own trampoline, and trampolines are executed with interrupts disabled, kinst_invop() doesn't need to check SPIE, and I think t_kinst_curprobe isn't needed.

Where does this trampoline get freed?

It is the per-CPU equivalent of t_kinst_curprobe. I noticed that the kernel was crashing if I tried to fetch
t_kinst_curprobe when the thread had been executing with interrupts disabled, so I followed the per-CPU trampoline
scheme, which presumably to fix this issue.

In kinst_unload() when it calls kinst_trampoline_deinit().

Since amd64 is going to eventually also use the double-breakpoint mechanism, and arm64 will need this as well, do you think we should add the struct definition to kinst.h and replace register_t sstatus with a generic register_t field?

But what exactly is the issue? If the trampoline is executed with interrupts disabled, there should be no way to re-enter kinst_invop() while executing a trampoline.

I don't have a strong opinion on whether the implementation should be per-platform or generic. It's not a lot of code either way. I just find the current implementation hard to follow and believe it should be simpler.

It should be freed when the probe is destroyed, if possible. Otherwise the memory will remain allocated even when the trampoline is unused.

Yeah, that's a left over I forgot to get rid of.

Then the trampoline allocations and deallocations can go to kinst_enable() and kinst_disable() respectively.

We can and should declare kp const. In particular, multiple CPUs might be sharing a reference to a single probe; we should make sure that kinst_invop() doesn't mutate any state in the probe itself.

I don't see a point in updating the state only to update it again a few lines below. This can just go after the emulate check.

We don't need to handle this case anymore, now that trampoline allocation is handled at the time that probes are enabled.

You need to check kp_tramp == NULL and return ENOMEM if it happens.

I think you can DPCPU_DEFINE a struct, there's no need for dynamic allocation. Then use DPCPU_PTR() to get a pointer to that struct.

Sorry, I don't understand - why do we need to populate the trampoline upon every call to kinst_invop()? It needs to be done only once, at the time the probe is created.