For this we need to:

• Use the correct undefined instruction
• Leave space on the exception stack to emulate the push instruction with 16 registers
• Call dtrace_invop_jump_addr iff it's set and we are called from kernel context
• Pass the details of the push, pop, and branch instructions to the code emulating them
• Emulate said instructions

With this I am able to use probes like:

dtrace -n 'fbt::free:return { stack (); }'

and:

dtrace -n 'fbt::malloc:entry { stack (); }'

on my ARM board.