Toby Riddell
2011-09-05 21:25:47 UTC
Hi all,
I'm trying to examine the values returned to a process from a
lstat64() call. I'm using the common pattern: in the
syscall::foo:entry probe save the address the process supplies for
returning results to it, and in the syscall::foo:return probe examine
the results. I've looked at several threads on this mailing list and
seen this technique used but for the life of me I cannot get it to
work for me.
I've reduced it to a simple test case using the following C program:
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
int main() {
struct stat64 buffer;
int status;
status = lstat64("/home/triddel/stat.c", &buffer);
}
And this dtrace script:
#!/usr/sbin/dtrace -s
#pragma D option quiet
syscall::lstat64:entry
/ pid == $target /
{
self->path = arg0; /* char * */
self->stat = arg1; /* struct stat64 * */
}
syscall::lstat64:return
/ self->stat && pid == $target /
{
this->path = copyinstr(self->path);
printf("Path: %s\n", this->path);
this->stat = (struct stat64 *) copyin( (uintptr_t) self->stat,
sizeof(struct stat64) );
printf("File mode: %d\n", this->stat->st_mode);
printf("File size: %d\n", this->stat->st_size);
printf("File inode: %d\n", this->stat->st_ino);
printf("File uid: %d\n", this->stat->st_uid);
self->stat = 0;
}
The results are:
$ sudo dtrace -s process_filesize.d -c ./stat
Path: /home/triddel/stat.c
File mode: 63676
File size: 0
File inode: 0
File uid: 33188
File fstype:
File size is definitely not zero, and nor is the inode. Clearly the
technique is working for the file path but it seems I'm doing
something incorrect when accessing members of the stat64 struct.
Can someone point me to what I'm doing wrong?
Thanks.
Toby
I'm trying to examine the values returned to a process from a
lstat64() call. I'm using the common pattern: in the
syscall::foo:entry probe save the address the process supplies for
returning results to it, and in the syscall::foo:return probe examine
the results. I've looked at several threads on this mailing list and
seen this technique used but for the life of me I cannot get it to
work for me.
I've reduced it to a simple test case using the following C program:
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
int main() {
struct stat64 buffer;
int status;
status = lstat64("/home/triddel/stat.c", &buffer);
}
And this dtrace script:
#!/usr/sbin/dtrace -s
#pragma D option quiet
syscall::lstat64:entry
/ pid == $target /
{
self->path = arg0; /* char * */
self->stat = arg1; /* struct stat64 * */
}
syscall::lstat64:return
/ self->stat && pid == $target /
{
this->path = copyinstr(self->path);
printf("Path: %s\n", this->path);
this->stat = (struct stat64 *) copyin( (uintptr_t) self->stat,
sizeof(struct stat64) );
printf("File mode: %d\n", this->stat->st_mode);
printf("File size: %d\n", this->stat->st_size);
printf("File inode: %d\n", this->stat->st_ino);
printf("File uid: %d\n", this->stat->st_uid);
self->stat = 0;
}
The results are:
$ sudo dtrace -s process_filesize.d -c ./stat
Path: /home/triddel/stat.c
File mode: 63676
File size: 0
File inode: 0
File uid: 33188
File fstype:
File size is definitely not zero, and nor is the inode. Clearly the
technique is working for the file path but it seems I'm doing
something incorrect when accessing members of the stat64 struct.
Can someone point me to what I'm doing wrong?
Thanks.
Toby