
Retsnoop injection probes and other improvements #70

Merged
merged 20 commits into from
Aug 22, 2024

Conversation

anakryiko
Owner

No description provided.

This might be less surprising for tracing mode. Doing `-T -Sn` is
non-obvious, while `-T -x any` is probably more intuitive.

Unfortunately, due to how argp library handles ARG_OPTIONAL arguments,
we can't mark -x as having optional value and allow specifying just `-x`
to mean any error, because it has bad interaction with subsequent
arguments. E.g., '-x -v' is not really two separate options, but rather
passing '-v' as a value to '-x' argument. argp expects '-x=blah', which
is also not super obvious and not what users came to expect with -x
argument.

Signed-off-by: Andrii Nakryiko <[email protected]>
Older kernels might not verify retsnoop with -A (function args) feature
enabled. Make sure that compiler won't re-load validated len by using
barrier_var() and sticking to full-sized u64.

Signed-off-by: Andrii Nakryiko <[email protected]>
argp is really buggy about help output, but do what we can to mitigate
this a little bit.

Signed-off-by: Andrii Nakryiko <[email protected]>
This makes it easier to distinguish it in bpftool output.

Signed-off-by: Andrii Nakryiko <[email protected]>
I don't even remember what that was supposed to be used for.

Signed-off-by: Andrii Nakryiko <[email protected]>
We'll use this for detecting if rawtp-based injected probes are
supported.

Signed-off-by: Andrii Nakryiko <[email protected]>
Add ability to specify point-like injection probes, which allow getting
more visibility into what the kernel is doing, in addition to function
entry/exit data that retsnoop collects already.

Four types of injection probes are supported:
  - kprobes (including with non-zero offset into the function);
  - kretprobe;
  - raw tracepoints;
  - classic tracepoints.

Signed-off-by: Andrii Nakryiko <[email protected]>
We are going to add generic injected probes capture next.

Signed-off-by: Andrii Nakryiko <[email protected]>
Also generalize some naming, fix commit, etc.

Signed-off-by: Andrii Nakryiko <[email protected]>
Add capture of pt_regs for kprobe/kretprobe injection probes.

Signed-off-by: Andrii Nakryiko <[email protected]>
Wire up preparing and formatting injected probe context arguments. BPF
side doesn't really follow it yet, but existing kprobe capture code is
memory-layout compatible already, so we can test end-to-end.

Signed-off-by: Andrii Nakryiko <[email protected]>
Use consistent and obvious rec_xxx naming convention.

Signed-off-by: Andrii Nakryiko <[email protected]>
Make it possible to reuse not just for function arguments capture.

Signed-off-by: Andrii Nakryiko <[email protected]>
This will now be tested with kprobe probes.

Signed-off-by: Andrii Nakryiko <[email protected]>
Augment context args capture with raw tracepoint support.

Signed-off-by: Andrii Nakryiko <[email protected]>
Some PIDs are larger than 1 mln, so bump the heuristics to emit integers
as decimal up to about 4 millions.

Signed-off-by: Andrii Nakryiko <[email protected]>
We don't really need to re-read ksyms 3 times. One is more than enough.

Signed-off-by: Andrii Nakryiko <[email protected]>
Teach retsnoop to find, parse, and capture classic tracepoint arguments.
See extensive comment for how we go about this, because tracepoint name
isn't enough, we also need tracepoint "class".

Signed-off-by: Andrii Nakryiko <[email protected]>
We accidentally used function count instead of injected probe cnt. Fix it.

Signed-off-by: Andrii Nakryiko <[email protected]>
Complete a set of injected probe functionality by extending README.md
with documentation on how to use this feature, with some examples.

Signed-off-by: Andrii Nakryiko <[email protected]>
@anakryiko anakryiko merged commit 91bac51 into master Aug 22, 2024
2 checks passed
@anakryiko anakryiko deleted the retsnoop-inj-probes branch August 22, 2024 20:25