Modifying rr to trace specific system calls
robert at ocallahan.org
Mon Nov 30 20:50:03 UTC 2015
On Tue, Dec 1, 2015 at 8:47 AM, Kapil Agarwal <kapila at gatech.edu> wrote:
> I am trying to modify rr to break whenever it traces a particular syscall,
> for example, open("/etc/localtime"). I am unable to figure out where
> exactly is it checked that a particular syscall was called. I want to check
> if orig_eax==SYS_open and the filename stored in the ebx register and
> record this during `rr record`. I would then want to insert a breakpoint at
> that syscall during `rr replay`, and be able to reverse-execute from there.
> It would be helpful if you could point me to relevant code portions which
> can give me a starting point.
rec_prepare_syscall_arch and rec_process_syscall_arch are called before and
after each syscall respectively. If you add a case for Arch::open to
rec_prepare_syscall_arch you'll need to change 'open' to
IrregularExecutedSyscall in syscalls.py. In rec_process_syscall_arch we're
already inspecting the filename so you can add something similar. There you
can get the event number and then replay it to it using `rr replay -g N` or
possibly `rr replay -g N-1`
HOWEVER, most opens don't actually reach the rr process because they're
treated as buffered syscalls in preload.c. So you'd also want to modify
sys_open, check the pathname and if it matches the one you want, divert to
the traced_raw_syscall path (avoid calling start_commit_buffered_syscall).
Hope that helps.
lbir ye,ea yer.tnietoehr rdn rdsme,anea lurpr edna e hnysnenh hhe uresyf
selthor stor edna siewaoeodm or v sstvr esBa kbvted,t
o l euetiuruewFa kbn e hnystoivateweh uresyf tulsa rehr rdm or rnea
.a war hsrer holsa rodvted,t nenh hneireseoouot.tniesiewaoeivatewt sstvr
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the rr-dev