This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: Analysis of broken systemtap example scripts
On 10/10/18 5:24 PM, Frank Ch. Eigler wrote:
> Hi -
>
>> [....]
>> probe syscall.openat.return {
>> filename = @entry(user_string_quoted(pointer_arg(2)))
>> printf("%s %s (%x) %s\n", proc(), pp(), @entry(pointer_arg(2)), filename)
>> }
>
>> However, running the same script on a newer fedora kernel:
>> [wcohen@cervelo io]$ stap open_args.stp -T 1
>> 1335 (libvirtd) kprobe.function("__x64_sys_openat")? (7f331f4b66e0) "/sys/devices/system/node/node0/meminfo"
>> [...]
>
> Yes, this is expected, because @entry() expressions are evaluated at
> synthetic probes at function. The syscall.* probes for 4.17+ work by
> first processing the incoming pt_regs pointer from a parameter. The
> @entry() part misses this step, so cannot work.
>
> So, both @entry($var) and $var in syscall.*.return are not generally
> available any more. We'll improve @entry() to generalize to this sort
> of situation, but in the mean time, user and samples will have to fend
> for themselves with explicit globals etc.
>
> - FChE
>
It doesn't help that the syscall interface functions are special and probably confuses the kretprobes implementation. With the fedora 28 4.18.11-200 x86_64 kernel end up with:
ffffffff812a44b0 <__x64_sys_openat>:
ffffffff812a44b0: e8 eb d2 75 00 callq ffffffff81a017a0 <__fentry__>
ffffffff812a44b5: 8b 57 60 mov 0x60(%rdi),%edx
ffffffff812a44b8: 0f b7 4f 38 movzwl 0x38(%rdi),%ecx
ffffffff812a44bc: 48 8b 77 68 mov 0x68(%rdi),%rsi
ffffffff812a44c0: 48 8b 7f 70 mov 0x70(%rdi),%rdi
ffffffff812a44c4: 80 ce 80 or $0x80,%dh
ffffffff812a44c7: e9 94 fd ff ff jmpq ffffffff812a4260 <do_sys_open>
ffffffff812a44cc: 0f 1f 40 00 nopl 0x0(%rax)
Looks like all the arguments are being pullin from the ptreg struct point to by %rdi and then a jmp to the actual function to handle the syscall. I am still a little confused why the kprobe.function("__x64_sys_openat")? probe got the correct values if the registers have been cleared.
-Will