Question about rr alternative design

Nathan Froyd nfroyd at
Tue Feb 20 19:30:37 UTC 2018

On Tue, Feb 20, 2018 at 2:14 PM, Octav Chipara <ochipara at> wrote:
> I have a question about the mechanisms that rr uses the record sys calls. One of the issues that limits rr's performance is that intercepting system calls usually requires 2 context switches (without the Seccomp optimization) . An alternative would be to intercept/wrap libc calls that map to system calls and perform most of the logging in user space. I was wondering if you guys took a look at this alternative.

I don't know whether this alternative was considered, but one
stumbling block with wrapping libc calls is that most calls to libc
functions from inside libc itself are not overridable via an
LD_PRELOAD wrapper library (malloc and related calls are the notable
exceptions), so you have to figure out a way to capture those.  (This
is at least true for glibc; it may not be true for alternative libcs
like musl.)

Of course, libc can just invoke the system call directly rather than
calling the requisite libc function, too, so you have to figure out a
way to capture those system calls.  Finally, there may not even *be*
libc wrappers for particular system calls.  These points apply equally
well to userspace, too.

Once you've handled all the special cases, you may notice that the
whole thing is basically intercepting system calls anyway, so you
might as well just do that. :)


More information about the rr-dev mailing list