This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Analysis of broken systemtap example scripts

From: William Cohen <wcohen at redhat dot com>
To: "Frank Ch. Eigler" <fche at redhat dot com>
Cc: systemtap at sourceware dot org, Jafeer Uddin <juddin at redhat dot com>
Date: Wed, 10 Oct 2018 17:36:40 -0400
Subject: Re: Analysis of broken systemtap example scripts
References: <1586b447-75dd-7286-4870-895bd1aa70c8@redhat.com> <5c0d2128-b529-3e3c-6b73-084d6e2a149b@redhat.com> <20181010212420.GO10194@redhat.com>

On 10/10/18 5:24 PM, Frank Ch. Eigler wrote:
> Hi -
> 
>> [....]
>> probe syscall.openat.return {
>>   filename = @entry(user_string_quoted(pointer_arg(2)))
>>   printf("%s %s (%x) %s\n", proc(), pp(), @entry(pointer_arg(2)), filename)
>> }
> 
>> However, running the same script on a newer fedora kernel:
>> [wcohen@cervelo io]$ stap open_args.stp -T 1
>> 1335 (libvirtd) kprobe.function("__x64_sys_openat")? (7f331f4b66e0) "/sys/devices/system/node/node0/meminfo"
>> [...]
> 
> Yes, this is expected, because @entry() expressions are evaluated at
> synthetic probes at function.  The syscall.* probes for 4.17+ work by
> first processing the incoming pt_regs pointer from a parameter.  The
> @entry() part misses this step, so cannot work.
> 
> So, both @entry($var) and $var in syscall.*.return are not generally
> available any more.  We'll improve @entry() to generalize to this sort
> of situation, but in the mean time, user and samples will have to fend
> for themselves with explicit globals etc.
> 
> - FChE
> 


It doesn't help that the syscall interface functions are special and probably confuses the kretprobes implementation.  With the fedora 28 4.18.11-200 x86_64 kernel end up with:

ffffffff812a44b0 <__x64_sys_openat>:
ffffffff812a44b0:	e8 eb d2 75 00       	callq  ffffffff81a017a0 <__fentry__>
ffffffff812a44b5:	8b 57 60             	mov    0x60(%rdi),%edx
ffffffff812a44b8:	0f b7 4f 38          	movzwl 0x38(%rdi),%ecx
ffffffff812a44bc:	48 8b 77 68          	mov    0x68(%rdi),%rsi
ffffffff812a44c0:	48 8b 7f 70          	mov    0x70(%rdi),%rdi
ffffffff812a44c4:	80 ce 80             	or     $0x80,%dh
ffffffff812a44c7:	e9 94 fd ff ff       	jmpq   ffffffff812a4260 <do_sys_open>
ffffffff812a44cc:	0f 1f 40 00          	nopl   0x0(%rax)

Looks like all the arguments are being pullin from the ptreg struct point to by %rdi and then a jmp to the actual function to handle the syscall. I am still a little confused why the kprobe.function("__x64_sys_openat")? probe got the correct values if the registers have been cleared.

-Will

References:
- Analysis of broken systemtap example scripts
  - From: William Cohen
- Re: Analysis of broken systemtap example scripts
  - From: William Cohen
- Re: Analysis of broken systemtap example scripts
  - From: Frank Ch. Eigler

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]