Re: kretprobe not consistently being triggered for sys_futex calls?
Paul Chaignon
Hi Ashley,
Could it be that you're reaching the maxactive bound and thus some probes are missed? From the kprobes documentation [1]:

> While the probed function is executing, its return address is stored in an object of type kretprobe_instance. Before calling register_kretprobe(), the user sets the maxactive field of the kretprobe struct to specify how many instances of the specified function can be probed simultaneously. register_kretprobe() pre-allocates the indicated number of kretprobe_instance objects.
>
> For example, if the function is non-recursive and is called with a spinlock held, maxactive = 1 should be enough. If the function is non-recursive and can never relinquish the CPU (e.g., via a semaphore or preemption), NR_CPUS should be enough. If maxactive <= 0, it is set to a default value. If CONFIG_PREEMPT is enabled, the default is max(10, 2*NR_CPUS). Otherwise, the default is NR_CPUS.

I tried to patch bcc [2] to set the maxactive value to 1000 on attach_kretprobe, but it didn't make a difference when running your script. Maybe you could check the nmissed field mentioned in the documentation (with a kernel module instead of bpf)?

Paul

1 - https://www.kernel.org/doc/Documentation/kprobes.txt
2 - https://github.com/pchaigno/bcc/tree/bump-maxactive
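A userspace model of the instance accounting quoted above from kprobes.txt, added here as an illustration; it is not code from this thread, from bcc or from the kernel. The struct, the function names and the 64-caller workload are constructed for the example, and the model assumes every caller is inside the probed function at the same moment.

```c
#include <stdio.h>

/* Simplified model of one registered kretprobe (hypothetical names). */
struct kretprobe_model {
    int maxactive;  /* pre-allocated kretprobe_instance objects */
    int in_use;     /* instances currently holding a return address */
    long nmissed;   /* entries that found no free instance */
    long handled;   /* returns on which the handler ran */
};

/* Default applied when maxactive <= 0, as stated in kprobes.txt. */
int default_maxactive(int nr_cpus, int preempt)
{
    if (!preempt) return nr_cpus;
    return 2 * nr_cpus > 10 ? 2 * nr_cpus : 10;
}

/* Function entry: take an instance, or count a miss if none is free. */
int on_entry(struct kretprobe_model *rp)
{
    if (rp->in_use >= rp->maxactive) {
        rp->nmissed++;
        return 0;
    }
    rp->in_use++;
    return 1;
}

/* Constructed workload: `waiters` callers are inside at once, then return. */
long simulate_blocked_callers(int maxactive, int waiters, long *handled)
{
    struct kretprobe_model rp = { maxactive, 0, 0, 0 };
    int tracked = 0;
    for (int i = 0; i < waiters; i++)
        tracked += on_entry(&rp);
    for (; tracked > 0; tracked--) {   /* only tracked calls hit the handler */
        rp.in_use--;
        rp.handled++;
    }
    *handled = rp.handled;
    return rp.nmissed;
}

int main(void)
{
    long h, m = simulate_blocked_callers(default_maxactive(4, 1), 64, &h);
    printf("maxactive=10 waiters=64: handled=%ld nmissed=%ld\n", h, m);
    return 0;
}
```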