I''m not sure if I understand this correctly but I would like to access
the values after the system call returns.
syscall::stat:entry { /* int stat(const char *restrict path, struct stat
*restrict buf); */
/* where arg0 = const char *restrict path */
/* arg1 = struct stat *restrict buf */
self->arg0 = copyinstr ( arg0 );
self->arg1 = (struct stat *) arg1;
}
syscall::stat:return / self->arg0 != 0 / {
printf ( "%-10d %-10d %-10s: [%-25s:%-10d:%-10d]",
pid,
uid,
execname,
self->arg0,
arg0 == 0 ? self->arg1->st_uid : -1,
arg0 == 0 ? self->arg1->st_gid : -1 );
self->arg0 = 0;
self->arg1 = 0;
}
When :entry fires it should store the pointer to stat buf to be used in the
:return event.
When :return fires I get the following when the return value of
''stat()'' is zero:
dtrace: error on enabled probe ID 2 (ID 4694: syscall::stat:return): invalid
address (0xfcc7bd48) in action #5 at DIF offset 48
What am I doing wrong?
Cheers
-------------------------------------------------------------------------
NOTICE: Confidential message which may be privileged. Unauthorized
use/disclosure prohibited. If received in error, please go to www.td.com/legal
for instructions.
AVIS : Message confidentiel dont le contenu peut ?tre privil?gi?.
Utilisation/divulgation interdites sans permission. Si re?u par erreur, pri?re
d''aller au www.td.com/francais/avis_juridique pour des instructions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20111213/a1d46c1b/attachment.html>
On Tue, Dec 13, 2011 at 1:00 PM, Szabo, Steve G < Steve.G.Szabo at tdsecurities.com> wrote:> ** > I''m not sure if I understand this correctly but I would like to access the > values after the system call returns. > > > > syscall::stat:entry { /* int stat(const char *restrict path, struct stat > *restrict buf); */ > > /* where arg0 = const char *restrict path */ > /* arg1 = struct stat *restrict buf */ > > self->arg0 = copyinstr ( arg0 ); > self->arg1 = (struct stat *) arg1; > > } > > syscall::stat:return / self->arg0 != 0 / { > > printf ( "%-10d %-10d %-10s: [%-25s:%-10d:%-10d]", > pid, > uid, > execname, > self->arg0, > arg0 == 0 ? self->arg1->st_uid : -1, > arg0 == 0 ? self->arg1->st_gid : -1 ); > > self->arg0 = 0; > self->arg1 = 0; > > } > > When :entry fires it should store the pointer to stat buf to be used in > the :return event. > > When :return fires I get the following when the return value of ''stat()'' > is zero: > > dtrace: error on enabled probe ID 2 (ID 4694: syscall::stat:return): > invalid address (0xfcc7bd48) in action #5 at DIF offset 48 > > > What am I doing wrong? >The the "struct stat" is a userland pointer, so you have to copyin the contents in the return probe. You can''t just dereference it. -- Dave -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20111213/0eb79c96/attachment.html>
self->arg1 is the address of a buffer in user land. You need to do a copyin before accessing it. Sent from my iPhone On Dec 13, 2011, at 16:00, "Szabo, Steve <Steve.G.Szabo at tdsecurities.com> wrote:> I''m not sure if I understand this correctly but I would like to access the values after the system call returns. > > > > syscall::stat:entry { /* int stat(const char *restrict path, struct stat *restrict buf); */ > > /* where arg0 = const char *restrict path */ > /* arg1 = struct stat *restrict buf */ > > self->arg0 = copyinstr ( arg0 ); > self->arg1 = (struct stat *) arg1; > > } > > syscall::stat:return / self->arg0 != 0 / { > > printf ( "%-10d %-10d %-10s: [%-25s:%-10d:%-10d]", > pid, > uid, > execname, > self->arg0, > arg0 == 0 ? self->arg1->st_uid : -1, > arg0 == 0 ? self->arg1->st_gid : -1 ); > > self->arg0 = 0; > self->arg1 = 0; > > } > > When :entry fires it should store the pointer to stat buf to be used in the :return event. > > When :return fires I get the following when the return value of ''stat()'' is zero: > > dtrace: error on enabled probe ID 2 (ID 4694: syscall::stat:return): invalid address (0xfcc7bd48) in action #5 at DIF offset 48 > > > What am I doing wrong? > > > > > > Cheers > ------------------------------------------------------------------------- > > > NOTICE: Confidential message which may be privileged. Unauthorized use/disclosure prohibited. If received in error, please go to www.td.com/legal for instructions. > AVIS : Message confidentiel dont le contenu peut ?tre privil?gi?. Utilisation/divulgation interdites sans permission. Si re?u par erreur, pri?re d''aller au www.td.com/francais/avis_juridique pour des instructions. > > _______________________________________________ > dtrace-discuss mailing list > dtrace-discuss at opensolaris.org-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20111213/257e8dfc/attachment-0001.html>
This is great - thanks for the suggestion
syscall::stat:entry { /* int stat(const char *restrict path, struct stat
*restrict buf); */
/* where arg0 = const char *restrict path */
/* arg1 = struct stat *restrict buf */
self->arg0 = arg0;
self->arg1 = arg1;
}
syscall::stat:return / self->arg0 != 0 / {
this->arg0 = copyinstr ( self->arg0 );
this->arg1 = (struct stat *) copyin ( self->arg1, sizeof ( struct
stat ) );
printf ( "%-10d %-10d %-10s: [%-25s:%-10d:%-10d:%-10d]",
pid,
uid,
execname,
this->arg0,
arg0 == 0 ? this->arg1->st_uid : -1,
arg0 == 0 ? this->arg1->st_gid : -1,
arg0 == 0 ? this->arg1->st_size : -1 );
self->arg0 = 0;
self->arg1 = 0;
}
________________________________
From: David Pacheco [mailto:dap at joyent.com]
Sent: Tuesday, December 13, 2011 4:39 PM
To: Szabo, Steve G
Cc: dtrace-discuss at opensolaris.org
Subject: Re: [dtrace-discuss] Is this possible?
On Tue, Dec 13, 2011 at 1:00 PM, Szabo, Steve G <Steve.G.Szabo at
tdsecurities.com<mailto:Steve.G.Szabo at tdsecurities.com>> wrote:
I''m not sure if I understand this correctly but I would like to access
the values after the system call returns.
syscall::stat:entry { /* int stat(const char *restrict path, struct stat
*restrict buf); */
/* where arg0 = const char *restrict path */
/* arg1 = struct stat *restrict buf */
self->arg0 = copyinstr ( arg0 );
self->arg1 = (struct stat *) arg1;
}
syscall::stat:return / self->arg0 != 0 / {
printf ( "%-10d %-10d %-10s: [%-25s:%-10d:%-10d]",
pid,
uid,
execname,
self->arg0,
arg0 == 0 ? self->arg1->st_uid : -1,
arg0 == 0 ? self->arg1->st_gid : -1 );
self->arg0 = 0;
self->arg1 = 0;
}
When :entry fires it should store the pointer to stat buf to be used in the
:return event.
When :return fires I get the following when the return value of
''stat()'' is zero:
dtrace: error on enabled probe ID 2 (ID 4694: syscall::stat:return): invalid
address (0xfcc7bd48) in action #5 at DIF offset 48
What am I doing wrong?
The the "struct stat" is a userland pointer, so you have to copyin the
contents in the return probe. You can''t just dereference it.
-- Dave
NOTICE: Confidential message which may be privileged. Unauthorized
use/disclosure prohibited. If received in error, please go to www.td.com/legal
for instructions.
AVIS : Message confidentiel dont le contenu peut ?tre privil?gi?.
Utilisation/divulgation interdites sans permission. Si re?u par erreur, pri?re
d''aller au www.td.com/francais/avis_juridique pour des instructions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20111214/5cf342f7/attachment.html>