[lttng-dev] [PATCH lttng-modules v6 4/5] Extract the payload for epoll_ctl

Julien Desfossez jdesfossez at efficios.com
Sat Apr 30 14:54:53 UTC 2016 

On 30-Apr-2016 02:19:24 PM, Mathieu Desnoyers wrote:
> ----- On Apr 30, 2016, at 10:17 AM, Mathieu Desnoyers mathieu.desnoyers at efficios.com wrote:
> 
> > ----- On Apr 29, 2016, at 6:53 PM, Julien Desfossez jdesfossez at efficios.com
> > wrote:
> > 
> >> Map the operation to its name (EPOLL_CTL_*), extract the standard event
> >> flags (EPOLL*) and output the data in two different formats: FD as an
> >> int in decimal, and u64 in hex. The less standard event flags are not
> >> extracted yet, but we extract the raw value in hex for more advanced
> >> analyses.
> >> 
> >> Here is an example output:
> >> syscall_entry_epoll_ctl: {
> >>  epfd = 4, op_enum = ( "EPOLL_CTL_ADD" : container = 1 ),
> >>  fd = 0, event = { raw_events = 0x80000003,
> >>  events = { EPOLLIN = 1, EPOLLPRI = 1, EPOLLOUT = 0, EPOLLERR = 0,
> >>    padding = 0 },
> >>  data_union = { u64 = 0x0, fd = 0 } }
> >> }
> >> 
> >> syscall_exit_epoll_ctl: { ret = 0 }
> >> 
> >> Signed-off-by: Julien Desfossez <jdesfossez at efficios.com>
> >> ---
> >> .../syscalls/headers/syscalls_pointers_override.h  | 140 +++++++++++++++++++++
> >> 1 file changed, 140 insertions(+)
> >> 
> >> diff --git a/instrumentation/syscalls/headers/syscalls_pointers_override.h
> >> b/instrumentation/syscalls/headers/syscalls_pointers_override.h
> >> index 11d5f3d..59931df 100644
> >> --- a/instrumentation/syscalls/headers/syscalls_pointers_override.h
> >> +++ b/instrumentation/syscalls/headers/syscalls_pointers_override.h
> >> @@ -555,4 +555,144 @@ SC_LTTNG_TRACEPOINT_EVENT_CODE(ppoll,
> >> )
> >> #endif /* defined(CONFIG_X86_32) || defined(CONFIG_X86_64) ||
> >> defined(CONFIG_ARM64) || defined(CONFIG_ARM) */
> >> 
> >> +#include <linux/eventpoll.h>
> >> +
> >> +SC_LTTNG_TRACEPOINT_ENUM(lttng_epoll_op,
> >> +	TP_ENUM_VALUES(
> >> +		ctf_enum_value("EPOLL_CTL_ADD", EPOLL_CTL_ADD)
> >> +		ctf_enum_value("EPOLL_CTL_DEL", EPOLL_CTL_DEL)
> >> +		ctf_enum_value("EPOLL_CTL_MOD", EPOLL_CTL_MOD)
> >> +	)
> >> +)
> >> +
> >> +#ifndef ONCE_LTTNG_TRACE_EPOLL_CTL_H
> >> +#define ONCE_LTTNG_TRACE_EPOLL_CTL_H
> >> +
> >> +#define LTTNG_EPOLL_NRFLAGS (POLLHUP + 1)
> >> +#define EPOLL_FLAGS_PADDING_SIZE (sizeof(uint8_t) * BITS_PER_BYTE) - \
> >> +	ilog2(LTTNG_EPOLL_NRFLAGS - 1)
> >> +
> >> +/*
> >> + * Only extract the values specified by iBCS2 for now.
> >> + */
> >> +static struct lttng_event_field lttng_epoll_ctl_events_fields[] = {
> >> +	/* 0x0001 */
> >> +	[ilog2(POLLIN)] = {
> >> +		.name = "EPOLLIN",
> >> +		.type = __type_integer(int, 1, 1, 0, __LITTLE_ENDIAN, 10, none),
> >> +	},
> >> +	/* 0x0002 */
> >> +	[ilog2(POLLPRI)] = {
> >> +		.name = "EPOLLPRI",
> >> +		.type = __type_integer(int, 1, 1, 0, __LITTLE_ENDIAN, 10, none),
> >> +	},
> >> +	/* 0x0004 */
> >> +	[ilog2(POLLOUT)] = {
> >> +		.name = "EPOLLOUT",
> >> +		.type = __type_integer(int, 1, 1, 0, __LITTLE_ENDIAN, 10, none),
> >> +	},
> >> +	/* 0x0008 */
> >> +	[ilog2(POLLERR)] = {
> >> +		.name = "EPOLLERR",
> >> +		.type = __type_integer(int, 1, 1, 0, __LITTLE_ENDIAN, 10, none),
> >> +	},
> >> +	/* 0x0010 */
> >> +	[ilog2(POLLHUP)] = {
> >> +		.name = "EPOLLHUP",
> >> +		.type = __type_integer(int, 1, 1, 0, __LITTLE_ENDIAN, 10, none),
> >> +	},
> >> +	[ilog2(LTTNG_EPOLL_NRFLAGS)] = {
> >> +		.name = "padding",
> >> +		.type = __type_integer(int, EPOLL_FLAGS_PADDING_SIZE, 1, 0,
> >> +				__LITTLE_ENDIAN, 10, none),
> >> +	},
> >> +
> >> +};
> >> +
> >> +static struct lttng_event_field lttng_epoll_data_fields[] = {
> >> +	[0] = {
> >> +		.name = "u64",
> >> +		.type = __type_integer(uint64_t, 0, 0, 0, __BYTE_ORDER, 16, none),
> >> +	},
> >> +	[1] = {
> >> +		.name = "fd",
> >> +		.type = __type_integer(int, 0, 0, 0, __BYTE_ORDER, 10, none),
> >> +	},
> >> +};
> >> +
> >> +static struct lttng_event_field epoll_ctl_fields[] = {
> >> +	[0] = {
> >> +		.name = "data_union",
> >> +		.type = {
> >> +			.atype = atype_struct,
> >> +			.u._struct.nr_fields = ARRAY_SIZE(lttng_epoll_data_fields),
> >> +			.u._struct.fields = lttng_epoll_data_fields,
> >> +		}
> >> +	},
> >> +	[1] = {
> >> +		.name = "raw_events",
> >> +		.type = __type_integer(uint32_t, 0, 0, 0, __BYTE_ORDER, 16, none),
> >> +	},
> >> +	[2] = {
> >> +		.name = "events",
> >> +		.type = {
> >> +			.atype = atype_struct,
> >> +			.u._struct.nr_fields = ARRAY_SIZE(lttng_epoll_ctl_events_fields),
> >> +			.u._struct.fields = lttng_epoll_ctl_events_fields,
> >> +		}
> >> +	},
> >> +};
> >> +#endif /* ONCE_LTTNG_TRACE_EPOLL_CTL_H */
> >> +
> >> +#if defined(CONFIG_X86_32) || defined(CONFIG_X86_64) || defined(CONFIG_ARM64)
> >> || defined(CONFIG_ARM)
> >> +#define OVERRIDE_32_epoll_ctl
> >> +#define OVERRIDE_64_epoll_ctl
> >> +SC_LTTNG_TRACEPOINT_EVENT_CODE(epoll_ctl,
> >> +	TP_PROTO(sc_exit(long ret,) int epfd, int op, int fd,
> >> +		struct epoll_event __user * uevent),
> >> +	TP_ARGS(sc_exit(ret,) epfd, op, fd, uevent),
> >> +	TP_locvar(
> >> +		struct epoll_event event;
> >> +		int err;
> >> +	),
> >> +	TP_code_pre(
> >> +		tp_locvar->err = lib_ring_buffer_copy_from_user_check_nofault(
> >> +			&tp_locvar->event, uevent, sizeof(struct epoll_event));
> >> +		),
> >> +	TP_FIELDS(
> >> +		sc_exit(ctf_integer(long, ret, ret))
> >> +		sc_in(ctf_integer(int, epfd, epfd))
> >> +		sc_in(ctf_enum(lttng_epoll_op, int, op_enum, op))
> >> +		sc_in(ctf_integer(int, fd, fd))
> >> +		sc_in(
> >> +			ctf_custom_field(
> >> +				ctf_custom_type(
> >> +					.atype = atype_struct,
> >> +					.u._struct.nr_fields = ARRAY_SIZE(epoll_ctl_fields),
> >> +					.u._struct.fields = epoll_ctl_fields,
> >> +				),
> >> +				event,
> >> +				ctf_custom_code(
> >> +					ctf_align(uint64_t)
> >> +					if (!tp_locvar->err) {
> >> +						ctf_integer_type(uint64_t, tp_locvar->event.data)
> >> +						ctf_integer_type(int, tp_locvar->event.data)
> >> +						ctf_integer_bitfield_type(uint32_t,
> >> +							cpu_to_le32(tp_locvar->event.events))
> > 
> > not sure why we reverse the endianness here ? It does not
> > match the "__BYTE_ORDER" type description, and differs from
> > the way raw_events fields is handled in the poll/ppoll instrumentation.
> 
> also, why use a 32-bit integer rather than 16-bit as in poll/ppoll here ?

Poll uses a short for the "events" field, but this field in struct
epoll_event is a uint32_t, so we have to use the full 32 bits for the
raw value in epoll_ctl and epoll_wait.

Julien

More information about the lttng-dev mailing list