Error hooking 32-bit code

[ghost]

I have tried to override the BSD connect function like this (replaced the content of the test source file, test_mach_override.cp):

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>

#include "mach_override.h"

int (*connect_orig)(int, struct sockaddr const*, socklen_t) = &connect;

int main ()
{
    kern_return_t err;

    MACH_OVERRIDE(int, connect, (int s, struct sockaddr const* p, socklen_t n), err) {
        printf ("connect hook\n");
        return connect_reenter (s, p, n);
    } END_MACH_OVERRIDE(connect);

    return connect_orig (0, 0, 0);
}

and I end up with this:

$ ./build/Development/mach_override 
mach_override: some instructions unknown! Need to update mach_override.c
err = f8000001 /tmp/mach_star/mach_override/mach_override.c:226
err = f8000001 /tmp/mach_star/mach_override/mach_override.c:239
err = f8000001 /tmp/mach_star/mach_override/mach_override.c:245
err = f8000001 /tmp/mach_star/mach_override/mach_override.c:259
err = f8000001 /tmp/mach_star/mach_override/mach_override.c:264

I have built the mach_override binary for i386 only:

$ xcodebuild -alltargets -arch i386 -configuration Default 
Build settings from command line:
    ARCHS = i386

=== BUILD NATIVE TARGET mach_override OF PROJECT mach_override WITH CONFIGURATION Default ===
Check dependencies

CompileC build/mach_override.build/Default/mach_override.build/Objects-normal/i386/mach_override.o mach_override.c normal i386 c com.apple.compilers.llvmgcc42
    cd /tmp/mach_star/mach_override
    setenv LANG en_US.US-ASCII
    /Developer/usr/bin/llvm-gcc-4.2 -x c -arch i386 -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -Os -fasm-blocks -fvisibility=hidden -I/tmp/mach_star/mach_override/build/mach_override.build/Default/mach_override.build/mach_override.hmap -I/tmp/mach_star/mach_override/build/Default/include -I/tmp/mach_star/mach_override/build/mach_override.build/Default/mach_override.build/DerivedSources/i386 -I/tmp/mach_star/mach_override/build/mach_override.build/Default/mach_override.build/DerivedSources -F/tmp/mach_star/mach_override/build/Default -c /tmp/mach_star/mach_override/mach_override.c -o /tmp/mach_star/mach_override/build/mach_override.build/Default/mach_override.build/Objects-normal/i386/mach_override.o

CompileC build/mach_override.build/Default/mach_override.build/Objects-normal/i386/test_mach_override.o test_mach_override.cp normal i386 c++ com.apple.compilers.llvmgcc42
    cd /tmp/mach_star/mach_override
    setenv LANG en_US.US-ASCII
    /Developer/usr/bin/llvm-gcc-4.2 -x c++ -arch i386 -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -Os -fasm-blocks -fvisibility=hidden -fvisibility-inlines-hidden -I/tmp/mach_star/mach_override/build/mach_override.build/Default/mach_override.build/mach_override.hmap -I/tmp/mach_star/mach_override/build/Default/include -I/tmp/mach_star/mach_override/build/mach_override.build/Default/mach_override.build/DerivedSources/i386 -I/tmp/mach_star/mach_override/build/mach_override.build/Default/mach_override.build/DerivedSources -F/tmp/mach_star/mach_override/build/Default -c /tmp/mach_star/mach_override/test_mach_override.cp -o /tmp/mach_star/mach_override/build/mach_override.build/Default/mach_override.build/Objects-normal/i386/test_mach_override.o

Ld build/Default/mach_override normal i386
    cd /tmp/mach_star/mach_override
    /Developer/usr/bin/llvm-g++-4.2 -arch i386 -L/tmp/mach_star/mach_override/build/Default -F/tmp/mach_star/mach_override/build/Default -filelist /tmp/mach_star/mach_override/build/mach_override.build/Default/mach_override.build/Objects-normal/i386/mach_override.LinkFileList -framework CoreServices -o /tmp/mach_star/mach_override/build/Default/mach_override


** BUILD SUCCEEDED **

Environment and compiler:

$ uname -a
Darwin nomad.local 11.3.0 Darwin Kernel Version 11.3.0: Thu Jan 12 18:47:41 PST 2012; root:xnu-1699.24.23~1/RELEASE_X86_64 x86_64
$ gcc -v
Using built-in specs.
Target: i686-apple-darwin11
Configured with: /private/var/tmp/llvmgcc42/llvmgcc42-2336.1~1/src/configure --disable-checking --enable-werror --prefix=/Developer/usr/llvm-gcc-4.2 --mandir=/share/man --enable-languages=c,objc,c++,obj-c++ --program-prefix=llvm- --program-transform-name=/^[cg][^.-]*$/s/$/-4.2/ --with-slibdir=/usr/lib --build=i686-apple-darwin11 --enable-llvm=/private/var/tmp/llvmgcc42/llvmgcc42-2336.1~1/dst-llvmCore/Developer/usr/local --program-prefix=i686-apple-darwin11- --host=x86_64-apple-darwin11 --target=i686-apple-darwin11 --with-gxx-include-dir=/usr/include/c++/4.2.1
Thread model: posix
gcc version 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.1.00)

Is this a usage issue or a library issue?

FWIW, debugging with gdb showed me that the system calls (connect call included) emitted from 32-bit code go through a thunk which creates a new stack frame before hitting what appears to be 64-bit code. That is what eatKnownInstructions appears to try to disassemble and fails.