Modifying rr to trace specific system calls

Kapil Agarwal kapila at gatech.edu
Wed Dec 2 04:06:46 UTC 2015


Consider the following test program-

#include <stdio.h>
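/*
 * Minimal test program: print the build date and exit.
 *
 * The leading "> " mail-quote markers that had leaked into the listing are
 * removed so the program compiles as posted.
 *
 * __DATE__ is replaced by the preprocessor with a string literal holding the
 * compilation date, so the text printed here is fixed at build time.
 */
int main(void)
{
  printf("%s\n", __DATE__);
  return 0;
}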


strace shows me that vfork() is called and that open("/etc/localtime") is
called by the child process. Below are the changes I made to check whether I
can detect the open syscall. However, I am not able to detect the SYS_open
call made by the child process. How can I do that?

diff --git a/src/preload/preload.c b/src/preload/preload.c
index b33310c..47459b0 100644
--- a/src/preload/preload.c
+++ b/src/preload/preload.c
@@ -1476,6 +1476,13 @@ static long sys_open(const struct syscall_info*
call) {
   }

   ptr = prep_syscall();
+  if(!strcmp(pathname, "/etc/localtime")) {
+    logmsg("Opening /etc/localtime. Tracing this syscall.\n");
+    return traced_raw_syscall(call);
+  }
+  else {
+    logmsg("Opening %s. Tracing this syscall.\n",pathname);
+  }
   if (!start_commit_buffered_syscall(syscallno, ptr, WONT_BLOCK)) {
     return traced_raw_syscall(call);
   }
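Review bot: The new early `return traced_raw_syscall(call);` sits after `ptr = prep_syscall();`, so whatever state prep_syscall() sets up for a buffered record is abandoned on the /etc/localtime path; if that call locks or reserves buffer space that only start_commit_buffered_syscall() or a later commit releases (not visible in this hunk), the check belongs above it. `strcmp(pathname, ...)` also dereferences what is presumably the caller's open() argument before the kernel has validated it, so a NULL or unmapped pathname would fault inside the preload library instead of yielding EFAULT; `if (pathname && !strcmp(pathname, "/etc/localtime"))` covers the NULL case only. The else branch logs "Tracing this syscall" although it falls through to the buffered path, so it should read `logmsg("Opening %s. Buffering this syscall.\n", pathname);`. sys_open starts above the hunk and continues below it.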
diff --git a/src/record_syscall.cc b/src/record_syscall.cc
index 3be08b8..54670d2 100644
--- a/src/record_syscall.cc
+++ b/src/record_syscall.cc
@@ -1646,6 +1646,12 @@ static Switchable rec_prepare_syscall_arch(Task* t,
 // All the regular syscalls are handled here.
 #include "SyscallRecordCase.generated"

+    case Arch::open: {
+      string pathname = t->read_c_str(remote_ptr<void>(t->regs().arg1()));
+      LOG(info) << "Entering SYS_open for file " << pathname;
+      return PREVENT_SWITCH;
+    }
+
     case Arch::splice: {
       syscall_state.reg_parameter<loff_t>(2, IN_OUT);
       syscall_state.reg_parameter<loff_t>(4, IN_OUT);
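Review bot: `t->read_c_str(remote_ptr<void>(t->regs().arg1()))` reads from an address chosen by the tracee on every open, and nothing here handles an invalid or unterminated pointer. How read_c_str fails is not visible in this hunk, but if it asserts or throws, a tracee passing a bad path pointer would take down the recorder where the kernel would simply return EFAULT. The path is also written verbatim at `info` level for every open, which is noisy and lets tracee-controlled bytes (newlines, escape sequences) into the log; `LOG(debug)` fits a diagnostic better. A comment such as `// open has no outparams; this case exists only to log the path.` would explain why the case is hand-written. The enclosing switch in rec_prepare_syscall_arch starts above the hunk and continues below it.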
diff --git a/src/syscalls.py b/src/syscalls.py
index a3e3117..27621c3 100644
--- a/src/syscalls.py
+++ b/src/syscalls.py
@@ -109,7 +109,7 @@ write = IrregularEmulatedSyscall(x86=4, x64=1)
 # (read(2), write(2), lseek(2), fcntl(2), etc.).  The file descriptor
 # returned by a successful call will be the lowest-numbered file
 # descriptor not currently open for the process.
-open = EmulatedSyscall(x86=5, x64=2)
+open = IrregularEmulatedSyscall(x86=5, x64=2)

 #  int close(int fd)
 #
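Review bot: Switching `open` to `IrregularEmulatedSyscall` couples this line to the hand-written `case Arch::open` added in src/record_syscall.cc, but the comment block above the definition says nothing about that. Presumably the generated SyscallRecordCase no longer emits a case for an irregular syscall, so removing the hand-written case later would leave open unhandled at record time. Add a line above the definition, e.g. `# Irregular only so record_syscall.cc can log the pathname; see rec_prepare_syscall_arch.`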


Thanks
Kapil