[lttng-dev] [PATCH lttng-modules v6 4/5] Extract the payload for epoll_ctl

Fri Apr 29 22:53:23 UTC 2016

Map the operation to its name (EPOLL_CTL_*), extract the standard event
flags (EPOLL*) and output the data in two different formats: FD as an
int in decimal, and u64 in hex. The less standard event flags are not
extracted yet, but we extract the raw value in hex for more advanced
analyses.

Here is an example output:
syscall_entry_epoll_ctl: {
  epfd = 4, op_enum = ( "EPOLL_CTL_ADD" : container = 1 ),
  fd = 0, event = { raw_events = 0x80000003,
  events = { EPOLLIN = 1, EPOLLPRI = 1, EPOLLOUT = 0, EPOLLERR = 0,
    padding = 0 },
  data_union = { u64 = 0x0, fd = 0 } }
}

syscall_exit_epoll_ctl: { ret = 0 }

Signed-off-by: Julien Desfossez <jdesfossez at efficios.com>
---
 .../syscalls/headers/syscalls_pointers_override.h  | 140 +++++++++++++++++++++
 1 file changed, 140 insertions(+)

diff --git a/instrumentation/syscalls/headers/syscalls_pointers_override.h b/instrumentation/syscalls/headers/syscalls_pointers_override.h
index 11d5f3d..59931df 100644
--- a/instrumentation/syscalls/headers/syscalls_pointers_override.h
+++ b/instrumentation/syscalls/headers/syscalls_pointers_override.h
@@ -555,4 +555,144 @@ SC_LTTNG_TRACEPOINT_EVENT_CODE(ppoll,
 )
 #endif /* defined(CONFIG_X86_32) || defined(CONFIG_X86_64) || defined(CONFIG_ARM64) || defined(CONFIG_ARM) */
 
+#include <linux/eventpoll.h>
+
+SC_LTTNG_TRACEPOINT_ENUM(lttng_epoll_op,
+	TP_ENUM_VALUES(
+		ctf_enum_value("EPOLL_CTL_ADD", EPOLL_CTL_ADD)
+		ctf_enum_value("EPOLL_CTL_DEL", EPOLL_CTL_DEL)
+		ctf_enum_value("EPOLL_CTL_MOD", EPOLL_CTL_MOD)
+	)
+)
+
+#ifndef ONCE_LTTNG_TRACE_EPOLL_CTL_H
+#define ONCE_LTTNG_TRACE_EPOLL_CTL_H
+
+#define LTTNG_EPOLL_NRFLAGS (POLLHUP + 1)
+#define EPOLL_FLAGS_PADDING_SIZE (sizeof(uint8_t) * BITS_PER_BYTE) - \
+	ilog2(LTTNG_EPOLL_NRFLAGS - 1)
+
+/*
+ * Only extract the values specified by iBCS2 for now.
+ */
+static struct lttng_event_field lttng_epoll_ctl_events_fields[] = {
+	/* 0x0001 */
+	[ilog2(POLLIN)] = {
+		.name = "EPOLLIN",
+		.type = __type_integer(int, 1, 1, 0, __LITTLE_ENDIAN, 10, none),
+	},
+	/* 0x0002 */
+	[ilog2(POLLPRI)] = {
+		.name = "EPOLLPRI",
+		.type = __type_integer(int, 1, 1, 0, __LITTLE_ENDIAN, 10, none),
+	},
+	/* 0x0004 */
+	[ilog2(POLLOUT)] = {
+		.name = "EPOLLOUT",
+		.type = __type_integer(int, 1, 1, 0, __LITTLE_ENDIAN, 10, none),
+	},
+	/* 0x0008 */
+	[ilog2(POLLERR)] = {
+		.name = "EPOLLERR",
+		.type = __type_integer(int, 1, 1, 0, __LITTLE_ENDIAN, 10, none),
+	},
+	/* 0x0010 */
+	[ilog2(POLLHUP)] = {
+		.name = "EPOLLHUP",
+		.type = __type_integer(int, 1, 1, 0, __LITTLE_ENDIAN, 10, none),
+	},
+	[ilog2(LTTNG_EPOLL_NRFLAGS)] = {
+		.name = "padding",
+		.type = __type_integer(int, EPOLL_FLAGS_PADDING_SIZE, 1, 0,
+				__LITTLE_ENDIAN, 10, none),
+	},
+
+};
+
+static struct lttng_event_field lttng_epoll_data_fields[] = {
+	[0] = {
+		.name = "u64",
+		.type = __type_integer(uint64_t, 0, 0, 0, __BYTE_ORDER, 16, none),
+	},
+	[1] = {
+		.name = "fd",
+		.type = __type_integer(int, 0, 0, 0, __BYTE_ORDER, 10, none),
+	},
+};
+
+static struct lttng_event_field epoll_ctl_fields[] = {
+	[0] = {
+		.name = "data_union",
+		.type = {
+			.atype = atype_struct,
+			.u._struct.nr_fields = ARRAY_SIZE(lttng_epoll_data_fields),
+			.u._struct.fields = lttng_epoll_data_fields,
+		}
+	},
+	[1] = {
+		.name = "raw_events",
+		.type = __type_integer(uint32_t, 0, 0, 0, __BYTE_ORDER, 16, none),
+	},
+	[2] = {
+		.name = "events",
+		.type = {
+			.atype = atype_struct,
+			.u._struct.nr_fields = ARRAY_SIZE(lttng_epoll_ctl_events_fields),
+			.u._struct.fields = lttng_epoll_ctl_events_fields,
+		}
+	},
+};
+#endif /* ONCE_LTTNG_TRACE_EPOLL_CTL_H */
+
+#if defined(CONFIG_X86_32) || defined(CONFIG_X86_64) || defined(CONFIG_ARM64) || defined(CONFIG_ARM)
+#define OVERRIDE_32_epoll_ctl
+#define OVERRIDE_64_epoll_ctl
+SC_LTTNG_TRACEPOINT_EVENT_CODE(epoll_ctl,
+	TP_PROTO(sc_exit(long ret,) int epfd, int op, int fd,
+		struct epoll_event __user * uevent),
+	TP_ARGS(sc_exit(ret,) epfd, op, fd, uevent),
+	TP_locvar(
+		struct epoll_event event;
+		int err;
+	),
+	TP_code_pre(
+		tp_locvar->err = lib_ring_buffer_copy_from_user_check_nofault(
+			&tp_locvar->event, uevent, sizeof(struct epoll_event));
+		),
+	TP_FIELDS(
+		sc_exit(ctf_integer(long, ret, ret))
+		sc_in(ctf_integer(int, epfd, epfd))
+		sc_in(ctf_enum(lttng_epoll_op, int, op_enum, op))
+		sc_in(ctf_integer(int, fd, fd))
+		sc_in(
+			ctf_custom_field(
+				ctf_custom_type(
+					.atype = atype_struct,
+					.u._struct.nr_fields = ARRAY_SIZE(epoll_ctl_fields),
+					.u._struct.fields = epoll_ctl_fields,
+				),
+				event,
+				ctf_custom_code(
+					ctf_align(uint64_t)
+					if (!tp_locvar->err) {
+						ctf_integer_type(uint64_t, tp_locvar->event.data)
+						ctf_integer_type(int, tp_locvar->event.data)
+						ctf_integer_bitfield_type(uint32_t,
+							cpu_to_le32(tp_locvar->event.events))
+						ctf_integer_bitfield_type(uint8_t,
+							(uint8_t) tp_locvar->event.events)
+					} else {
+						ctf_integer_type(uint64_t, 0)
+						ctf_integer_type(int, 0)
+						ctf_integer_bitfield_type(uint32_t, 0)
+						ctf_integer_bitfield_type(uint8_t, 0)
+					}
+				)
+			)
+		)
+	),
+	TP_code_post()
+)
+#endif /* defined(CONFIG_X86_32) || defined(CONFIG_X86_64) || defined(CONFIG_ARM64) || defined(CONFIG_ARM) */
+
 #endif /* CREATE_SYSCALL_TABLE */
-- 
1.9.1

