Modifying rr to trace specific system calls

Robert O'Callahan robert at
Mon Nov 30 20:50:03 UTC 2015

On Tue, Dec 1, 2015 at 8:47 AM, Kapil Agarwal <kapila at> wrote:

> I am trying to modify rr to break whenever it traces a particular syscall,
> for example, open("/etc/localtime"). I am unable to figure out where
> exactly is it checked that a particular syscall was called. I want to check
> if orig_eax==SYS_open and the filename stored in the ebx register and
> record this during `rr record`. I would then want to insert a breakpoint at
> that syscall during `rr replay`, and be able to reverse-execute from there.
> It would be helpful if you could point me to relevant code portions which
> can give me a starting point.

rec_prepare_syscall_arch and rec_process_syscall_arch are called before and
after each syscall respectively. If you add a case for Arch::open to
rec_prepare_syscall_arch you'll need to change 'open' to
IrregularExecutedSyscall in In rec_process_syscall_arch we're
already inspecting the filename so you can add something similar. There you
can get the event number and then replay it to it using `rr replay -g N` or
possibly `rr replay -g N-1`

HOWEVER, most opens don't actually reach the rr process because they're
treated as buffered syscalls in preload.c. So you'd also want to modify
sys_open, check the pathname and if it matches the one you want, divert to
the traced_raw_syscall path (avoid calling start_commit_buffered_syscall).

Hope that helps.

lbir ye,ea yer.tnietoehr  rdn rdsme,anea lurpr  edna e hnysnenh hhe uresyf
selthor  stor  edna  siewaoeodm  or v sstvr  esBa  kbvted,t
o l euetiuruewFa  kbn e hnystoivateweh uresyf tulsa rehr  rdm  or rnea
.a war hsrer holsa rodvted,t  nenh hneireseoouot.tniesiewaoeivatewt sstvr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the rr-dev mailing list