The current kallsyms implementation uses a lazy approach where only symbols marked as required ahead of time are stored. When looking up a symbol that wasn't marked as required fails, the symbol is added ad-hoc to the required symbols and the symbol table is refreshed (the entire /proc/kallsyms is read and parsed).

For the most part, symbols that will be looked up are added to the required symbols ahead of time. But there are some cases involving dependencies and kprobe attachments where there are lookup failures which result in a re-read of /proc/kallsyms. From a check I performed, a standard execution of tracee with no arguments resulted in /proc/kallsyms being parsed 11 times, accounting for more than 10% of the initialization time (around 0.7 seconds from a total of 5.8 seconds). This slowdown becomes much worse with more kprobe attachments. For example,. when supplying a long syscall list (~70 syscalls) for the susipcious_syscall_source event, the initialization takes 22 seconds, 15 of which are just from updating the symbol table.