Writing a system call tracer using eBPF (sh4dy.com)
khuey 12 days ago [-]
This example doesn't really gain much by using eBPF. The tracepoint machinery and perf_event_open is perfectly capable of recording pids and registers at syscall entry/exit (via PERF_SAMPLE_TID and PERF_SAMPLE_REGS_USER) into a ring buffer. `perf trace` does that today and it can be a useful replacement for strace in situations where strace disturbs the program's timing too much or otherwise cannot be used (e.g. you want to strace something that's already being ptraced by another process).

Where eBPF is powerful is that it allows you to extend the tracepoint ability to grab more complicated system call arguments. The first register argument to open(2) for instance, is a pointer to the filename to open. Merely reporting the registers is largely useless, the tracer needs to chase the pointer and report the string too. An eBPF filter can be used to recognize that the tracepoint is at an open(2) and to read the userspace memory that the relevant register points to. This enables a "full" strace replacement without using ptrace at all. There's some ongoing work to add this capability to `perf trace`.
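The pointer-chasing described in the comment above, as an added example that is not part of khuey's comment or of the linked article: a bpftrace script that attaches to the openat(2) entry tracepoint, copies the filename out of user memory with `str()`, and joins it with the file descriptor returned at syscall exit. It assumes bpftrace is installed, that it is run as root, and that the kernel exposes the `syscalls:sys_enter_openat` / `syscalls:sys_exit_openat` tracepoints (their fields are listed under /sys/kernel/tracing/events/syscalls/). The optional positional parameter `$1` is a pid to restrict tracing to; the map names are this example's own.

```bpftrace
// Added example, not code from the article or the comments.
// Usage (as root):  bpftrace ./openat_trace.bt          -- trace every process
//                   bpftrace ./openat_trace.bt 1234     -- trace only pid 1234 ($1)

BEGIN
{
  printf("%-8s %-16s %-6s %s\n", "PID", "COMM", "FD", "FILENAME");
}

// Syscall entry: the filename argument is only a user-space pointer here, so
// registers alone would tell us nothing useful. str() copies the NUL-terminated
// path into kernel memory; we park it in a map keyed by thread id so it can be
// matched with the result at exit.
tracepoint:syscalls:sys_enter_openat
/$1 == 0 || pid == $1/
{
  @fname[tid] = str(args->filename);
  @flags[tid] = args->flags;
  @pending[tid] = 1;
}

// Syscall exit: args->ret is the new fd, or a negative errno on failure.
// Only report exits for which we recorded an entry (pending flag set).
tracepoint:syscalls:sys_exit_openat
/@pending[tid]/
{
  printf("%-8d %-16s %-6d %s (flags=0x%x)\n",
         pid, comm, args->ret, @fname[tid], @flags[tid]);
  delete(@fname[tid]);
  delete(@flags[tid]);
  delete(@pending[tid]);
}

// Drop the scratch maps on exit so bpftrace does not print them.
END
{
  clear(@fname);
  clear(@flags);
  clear(@pending);
}
```

Two caveats a practitioner would want: `str()` truncates at bpftrace's default string length (64 bytes, raised with the BPFTRACE_STRLEN environment variable), so long paths are cut short; and the copy happens at entry, so a program that rewrites the buffer between entry and the kernel's own read can show a different path here than the one actually opened. Neither problem exists with ptrace-based strace, which stops the tracee, but this script never stops the traced process, which is exactly the timing advantage the comment is about.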

T3OU-736 12 days ago [-]
There is an additional aspect to this, I think - `strace` has a hell (order of 100x AFAIK) of an impact on performance of the process being traced. Aside from the obvious, this leads to things like hiding race conditions.