Re: [PATCH 4/6] trace: trace syscall in its handler not from ptrace handler

From: Vaibhav Nagarnaik
Date: Wed Mar 28 2012 - 14:24:15 EST


On Mon, Mar 26, 2012 at 10:00 PM, H. Peter Anvin <hpa@xxxxxxxxx> wrote:
> On 03/26/2012 11:39 AM, Vaibhav Nagarnaik wrote:
>> The syscalls are a tricky bunch to trace, because of their multitude and
>> dynamic nature of the list. In order to solve this, a macro handled the
>> syscalls handler definition and it was expanded into setting up the
>> metadata for the syscall event. A handler hooked into the ptrace syscall
>> tracer to check whether an invoked syscall was supposed to be traced.
>>
>> This added latency to all the invoked syscalls, since they had to be
>> checked for tracing and also affected the latency of the syscall that was
>> actually getting traced. For example, using a simple program which invokes
>> getuid() in a repeated loop and calculates the average time per syscall
>> invocation found a latency of 570 - 117 = 453 ns added to every traced
>> syscall.
>>
>> This patch changes the syscall macro expansion, to create a function
>> that adds the entry and exit tracepoints for the given syscall so that
>> the latency can be avoided. This was suggested by Mathieu Desnoyers in
>> https://lkml.org/lkml/2010/10/13/337
>>
>> After this patch, the latency added is 370 - 117 = 253 ns per invocation
>> of a traced syscall. This is on par with a simple tracepoint added to
>> any kernel code path.
>>
>> This patch also makes syscall tracing architecture independent as there
>> is no need to have a hook into the architecture specific syscall tracer
>> functions.
>>
>
> I am officially confused here.  You have a single, common, dispatch
> point for all system calls -- why don't you use it?  That is of course
> the system call table.  If you want to trace a system call, override the
> entry point in the syscall table to point to a hook function which can
> provide entry and exit hooks.  It's not even code, it's data, so you
> don't even have to play the code patching song and dance routine
> (although you may have to map it read/write which is normally not the
> case for security reasons.)

I am sorry, I don't see how that would be possible without having some
sort of architecture dependent changes. Also, as you mentioned, it will
have some security considerations.

If you can suggest a better way without going through this macro
magic, I will be glad to implement it. The 2 main reasons I made this
patch were to remove the added latency in syscall tracing and to remove
the penalty for syscalls that are not traced.



Thanks

Vaibhav Nagarnaik
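The table-override approach hpa describes, modelled in user space as an added example (not code from the patch or from anyone in the thread): a function-pointer table stands in for the syscall table, tracing is switched on per entry by swapping the pointer to a generic hook that fires entry and exit events around the original handler, and untraced entries dispatch directly with no check. The toy syscall numbers, handlers, event log, and the assumption that the hook receives the syscall number as an argument are constructed for this example.

```c
/* Added example, not from the patch or thread: a user-space model of the
 * syscall-table override hpa describes. Toy syscall numbers, handlers and the
 * event log are constructed; passing nr to the hook stands in for the kernel
 * reading it from the saved registers (orig_ax on x86). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
typedef long (*sys_fn)(int nr, long a0, long a1);
enum { NR_getuid = 0, NR_add = 1, NR_MAX = 2 };   /* constructed, not real */
static long sys_getuid(int nr, long a0, long a1) { (void)nr; (void)a0; (void)a1; return 1000; }
static long sys_add(int nr, long a0, long a1) { (void)nr; return a0 + a1; }
/* The single common dispatch point: a table of function pointers (data). */
static sys_fn sys_call_table[NR_MAX] = { sys_getuid, sys_add };
static sys_fn saved_table[NR_MAX]; /* originals, kept while an entry is traced */
/* Tiny event log standing in for the entry/exit tracepoints. */
enum { LOG_MAX = 16 };
static char event_log[LOG_MAX][48];
static int event_count;
static void trace_event(const char *kind, int nr, long val) {
    if (event_count < LOG_MAX)
        snprintf(event_log[event_count++], sizeof event_log[0],
                 "%s nr=%d val=%ld", kind, nr, val);
}
/* Generic hook installed in the table: entry tracepoint, original, exit tracepoint. */
static long traced_syscall(int nr, long a0, long a1) {
    trace_event("enter", nr, a0);
    long ret = saved_table[nr](nr, a0, a1);
    trace_event("exit", nr, ret);
    return ret;
}
/* Enable/disable by swapping the table entry: no code patching involved. */
int trace_enable(int nr) {
    if (nr < 0 || nr >= NR_MAX || saved_table[nr]) return -1;
    saved_table[nr] = sys_call_table[nr];
    sys_call_table[nr] = traced_syscall;
    return 0;
}
int trace_disable(int nr) {
    if (nr < 0 || nr >= NR_MAX || !saved_table[nr]) return -1;
    sys_call_table[nr] = saved_table[nr];
    saved_table[nr] = NULL;
    return 0;
}
/* Dispatcher: untraced syscalls reach their handler directly, with no check. */
long do_syscall(int nr, long a0, long a1) {
    if (nr < 0 || nr >= NR_MAX) return -ENOSYS;
    return sys_call_table[nr](nr, a0, a1);
}
int trace_event_count(void) { return event_count; }
const char *trace_event_at(int i) { return (i >= 0 && i < event_count) ? event_log[i] : ""; }
```

In the real kernel the table is normally mapped read-only, which is the mapping change hpa mentions; this model only shows the dispatch and hook logic.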