bcc: Support bpf_probe_read_user in trace.py

Arguments of a probe point can be either user pointer or kernel
pointer.

Previously:
- tools/trace.py 'do_sys_open "%s", arg2'
  When reading arg2 as char *, it would resolve to bpf_probe_read.

Now:
- tools/trace.py 'do_sys_open "%s", arg2@user'
  - When reading arg2 as char *, it is resolved to bpf_probe_read_user.
- tools/trace.py 'do_sys_open (STRCMP("test.txt", arg2@user)) "%s", arg2'
  - For arg2 char * read, bpf_probe_read_user is utilized

To distinguish this, add arg@user.
- All userspace probes char *read converted to bpf_probe_read_user
- Syscall/kprobes with arg[1-6]@user attribute are converted to
  bpf_probe_read_user.

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>

diff --git a/tools/trace_example.txt b/tools/trace_example.txt
index eb63750..a16b039 100644
--- a/tools/trace_example.txt
+++ b/tools/trace_example.txt
@@ -54,7 +54,7 @@
Like the program open thousands file and you only want to see the "temp" file
and print stack.
-# trace 'do_sys_open "%s", arg2' -UK -f temp
+# trace 'do_sys_open "%s", arg2@user' -UK -f temp
PID TID COMM FUNC -
9557 9557 a.out do_sys_open temp.1
do_sys_open+0x1 [kernel]
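Review bot: the "arg2@user" suffix in the changed command at -54 is the first use of this syntax in the file, and nothing near it says what it means; the only description of @user is added in the last hunk, around line 335. Suggest a one-line remark beside this first example, for instance that @user marks arg2 as a user pointer so the string is read with bpf_probe_read_user, or a pointer to the usage section at the end of the file.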
@@ -71,7 +71,7 @@
Process name filter is porting from tools/opensnoop
-# trace 'do_sys_open "%s", arg2' -UK -n out
+# trace 'do_sys_open "%s", arg2@user' -UK -n out
PID TID COMM FUNC -
9557 9557 a.out do_sys_open temp.1
do_sys_open+0x1 [kernel]
@@ -241,7 +241,7 @@
As a final example, let's trace open syscalls for a specific process. By
default, tracing is system-wide, but the -p switch overrides this:
-# trace -p 2740 'do_sys_open "%s", arg2' -T
+# trace -p 2740 'do_sys_open "%s", arg2@user' -T
TIME PID COMM FUNC -
05:36:16 15872 ls do_sys_open /etc/ld.so.cache
05:36:16 15872 ls do_sys_open /lib64/libselinux.so.1
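Review bot: the sample output under the changed command at -241 does not match its filter: the command passes -p 2740, but both output rows show PID 15872. The rows are unchanged context, but since the command line is being edited anyway, suggest making the example self-consistent, either by using -p 15872 in the command or by regenerating the output for the PID shown.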
@@ -335,11 +335,14 @@
trace do_sys_open
Trace the open syscall and print a default trace message when entered
-trace 'do_sys_open "%s", arg2'
- Trace the open syscall and print the filename being opened
-trace 'do_sys_open "%s", arg2' -n main
+trace 'do_sys_open "%s", arg2@user'
+ Trace the open syscall and print the filename being opened. @user is
+ added to arg2 in kprobes to ensure that char * should be copied from
+ the userspace stack to the bpf stack. If not specified, previous
+ behaviour is expected.
+trace 'do_sys_open "%s", arg2@user' -n main
Trace the open syscall and only print event that process names containing "main"
-trace 'do_sys_open "%s", arg2' -f config
+trace 'do_sys_open "%s", arg2@user' -f config
Trace the open syscall and print the filename being opened filtered by "config"
trace 'sys_read (arg3 > 20000) "read %d bytes", arg3'
Trace the read syscall and print a message for reads >20000 bytes
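Review bot: the description added under trace 'do_sys_open "%s", arg2@user' is imprecise in three places. "to ensure that char * should be copied" reads as a wish rather than a statement of what happens; say that the char * is read with bpf_probe_read_user. "from the userspace stack" is narrower than what the commit message describes, which is a user pointer in general, so "from user memory" is safer. "previous behaviour is expected" tells a reader of this file nothing on its own; the commit message names the fallback as bpf_probe_read, and the text should too. Separately, the commit message lists a filter form, STRCMP("test.txt", arg2@user), but this hunk adds no usage entry for it; suggest adding one so the documented examples cover both places where @user is accepted.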