Hi resolution kernel profiling (which adds a function call and return to
every function without engrotting the source code with explicit calls)
has surprisingly little overhead when not in use. This depends partly
on it not using -finstrument-functions. -finstrument-functions produces
bloated code to pass 2 args (function pointer and frame pointer) in a
portable way.
(Unfortunately, -mprofiler-epilogue was broken (turned into a no-op)
in gcc-4.2.1 and is more broken (unsupported) in clang. It is
regression-tested by configuring LINT with -pp, but the test is
broken for gcc-4.2.1 by accepting -mprofiler-epilogue without actually
supporting it, and for clang by ifdefing the addition of
-mprofiler-epilogue. I normally don't notice the bug since I use
old versions of FreeBSD with a working gcc (3.3.3), and recently
fixed 4.2.1. The fix is fragile, and I just noticed that it doesn't
work for functions returning a value that don't have an explicit
return statement (this is permitted for main()). Old versions of
FreeBSD used -finstrument-functions during a previous round of
compiler breakage.)

-pg and -mprofiler-epilogue produce calls to mcount and .mexitcount
for every function (and most trap handlers and some jumps). These
functions execute "cmpl $ENABLE,enable_flag; jne done; ... done: ret $0"
when the feature is not enable. The branch is easy to predict since
there are only 2 instances of it. Scattered instances in callers might
bust the branch target cache. So might the scattered calls to .mcount
and .mexitcount. Calls are similar to unconditional branches so they
are easy to predict, but I think old x86's (ones not too old to have a
branch target cache) don't handle them well.

High resolution kernel profiling doesn't support SMP, except in my
version where it is too slow to use with SMP (due to enormous lock
contention). Low resolution kernel profiling has bad locking for
the SMP case. The bad locking first gives the enormous lock
contention even when profiling is not enabled, since it is done
before checking the flag. It also gives deadlock in ddb and some
other traps. In the non-SMP case, similar wrapping before checking
the flag makes the low-res case is a smaller pessimization.

A common function checking the flags wouldn't so well if func_ptr or
<probe args> depends on the call site. But if you can figure out
everything from the call site address then it could work similarly
to the breakpoint instruction.

Kernel profiling could use similar nop/breakpoint methods. It is
much easier to patch since there are only 2 functions and 2 args.
It already determines the args from the frame. This is the main
difference between it and -finstrument functions.
When high resolution profiling is enabled, it takes similar times. It
also uses the TSC (directly and not slowed down by synchronization) and
this use is a major difference between it and low resolution profiling.
Overheads on haswell: UP: 60 cycles for .mcount and 40 cycles for
.mexitcount; SMP: 88 cycles for .mcount and 60 cycles for .mexitcount.
IIRC, rdtsc takes 24 cycles on haswell -- more than half of the UP
.mexitcount time; synchronizing it takes another 12-24 cycles; it was
much slower on older Intel x86 (65 cycles on freefall with its previous
CPU) and much faster on older amd x86 (9 cycles on Athlon XP). This
slowness make sit not very useful to optimize other things in anything
that uses the TSC.

I can believe a mere 2 cycle difference between the highly optimized
version and the simple version. It seems hardly worth the effort to
optimize. Arg pushing and tests and/or calls are fast, especially
when they don't do anything. It might be possible to optimize them
better to reduce dependencies, so that they take zero time if they
can be executed in parallel. The 100-200 extra cyles per function
given by enabled kernel profiling make a difference of about 100%
(twice as slow). With giant locking, this scales with the number
of CPUs in the kernel (800%) (8-9 times slower) with 8 such CPUs.
Accesses to the same variable cost little.
This can be moved out of the way. I don't like __predict_*(), but one
thing it can do right is this. The generated code for an inline flags
test should look something like:

cmpl $ENABLE,enable_flag
je slow_path
back:
# main path here
ret
slow_path:
cmpl $NULL,func_ptr
je back
# load func_ptr and args
# ...
jmp back
With everything non-inline, arg loading is kept out of the way without
really trying:

call decoder
# main path here
ret

The call can be replaced by nops or a trap instruction + nops (or start
like that). 'decoder' starts with the flags test. Loading args is
difficult if they are local in the caller's frame. Oops, if they were
in registers, then they would have to be saved in the frame for the
call to decoder, and that is almost as slow as passing them. So the
inline flags method may even be better than the no-op method -- it
allows the compiler to do the register saving only in the slow path.
In fact, I think you can do everything with this method and no complex
decoding:

# The following is identical to the above except for this comment.
# To optimise this, replace the next 2 instructions by nops or
# a trap instruction and nops. This gives only a time optimization.
# Not large, but easy to do. When not enabled, space is wasted
# far away where it doesn't mess up the cache.
cmpl $ENABLE,enable_flag
je slow_path
back:
# main path here
ret
slow_path:
cmpl $NULL,func_ptr
je back
# load func_ptr and args
# ...
jmp back

High resolution profiling deals with this partially as follows:
- calling .mcount and .mexitcount tends to require more saving than
necessary. gcc is not smart about placing these calls in the best
position. The main thing done wrong is frame pointer handling.
- but it is arranged that .mexitcount is called without saving the
return register(s). The callee preserves them if necessary (only
necessary if profiling is enabled).
They are large and ugly already. It probably doesn't matter for them.
Lots of instructions can be loaded (and excecuted speculatively) during
the slow locked instruction. Perhaps during the many earlier instructions.
The instructions at the branch target are more important. I think the
previous branch is usually taken (for no contention) and the branche at
...1328 is unimportant. Both branches are into another cache line and
there is no padding to align the branch targets because such padding
would not be useful for the target arch (or the optimizations are not
complete). I think it is only important that enough instructions in
the branch target are in the same cache line as the target. That usually
happens accidentally when the target is the function epilogue.
Kernel profiling also bloats the kernel a lot. I was happy to get back
to the lesser bloat given by .mcount/.mexitcount instead of
__cyg_profile_name_too_long_to_remember(). But the text space needed is
small compared with the data space which is allocated at runtime (the
allocation is stupid and allocates space even if profiling is never used).
Patching inline "cmpl $ENABLE,enable flag" also allows this very easily,
unless you want to vary the args for a single call site.

Yet another variation, which is easier to implement since it only requires
modifying data:

call decoder
testl %rax,%rax
je slow_path
# rest as above

'decoder' now just checks a table of enable flags indexed by the call
site and returns true/false. All the args passing remains inline (but
far away). (First check a global enable flag to optimize for the
non-enabled case).
I use gcc -O1 -fno-inline-functions-called-once, and usually i386 and
-march=i386, to prevent bogus optimizations. Maximal compiler
optimizations rarely gain as much as 1% in kernel code, even in
micro-benchmarks. Compilers like to produce large code that gives
negative optimizations except in loops, and kernels don't have many
loops.

The above flags make ddb and stack traces almost correct on i386 for
public functions. Static functions are often called with args in
registers even on i386. To debug these, or to make them available
using "call", they must be declared with a regparm attribute (cdecl
only does enough for public functions where it is the default anyway).
I think some arches need more than 1 byte for a trap/breakpoint instruction.

I jut remembered what the "ret $0" in .mcount does. It is because
plain ret doesn't work so well at a branch target, even when the target
is aligned. IIRC, "nop; ret" is just as good a fix on the arches where
plain ret is slower, but "ret $0" is better on older in-order arches
where nop is not so special. Extra nops or larger nop instructions
should also be sprinkled for alignment. It is too hard to know the
best number to use in asm code. Compilers generate magic amounts
depending on the arch and how far away the instruction pointer is from
an alignment boundary (so as to not align if too far away). I don't
trust compilers to get this right either, even if the arch matches
exactly. In the too-far-away cases, it is likely that a small change
nearby moves closer and thus gives faster code.

Bruce

Several variations of the approach allow to control each probe site
individually, while still avoiding jumps and reducing the cache consumption.
And, of course, the biggest advantage is avoiding the need to change the
text at runtime.

E.g., you could have a byte allocated somewhere for each probe, with usual
boolean values true/false for enabled/disabled state. Also, somewhere,
you have two KVA pages allocated, say, starting at address p, the first
page is mapped, the second page is not. The pages are shared between all
probes. Then, the following code sequence would trigger the page fault
only for enabled probe:
movzbl this_probe_enable_byte, %eax
movl (p + PAGE_SIZE - 4)(%eax), %eax
This approach is quite portable and can be expressed in C.

If expected count of probes is thousands, as you mentioned, then you
would pay only for several KB of memory for enable control bytes.

Another variant is possible with the use of INTO instruction, which
has relatively low latency when not trapping, according to the Agner
Fog tables.