Hi,
> [1] Predicates in one-liners
> I would like to list the probe modules in my executable and then
> dynamically create a dscript to trace execution of those modules alone
> (by excluding the 3rd party and system libraries). I tried the below
> script without success. The conditional given in the predicate is not
> taking effect. Why is this so?
> $ dtrace -ln 'pid$target::: /probemod!="libc.so.1"/ { printf("%s ----- %s",probefunc, probename); } ' -p `pgrep a.out`
By using pid$target::: you have already placed a probe on every instruction in
the binary, and dtrace -l shows all of them. The condition /.../ is
evaluated when the probe fires.
> Similar is the case for the below script, I expect only the entry
> points to be printed but all the probes in a.out are being printed.
> $ dtrace -ln 'pid$target:a.out:: /probename=="entry"/ { printf("%s ----- %s",probefunc, probename); } ' -p `pgrep a.out`
I think that you want something like this:
dtrace -l -n 'pid$target:xxd::entry' -c xxd
ID PROVIDER MODULE FUNCTION NAME
76158 pid11781 xxd _start entry
76159 pid11781 xxd __fsr entry
76160 pid11781 xxd exit_with_usage entry
76161 pid11781 xxd huntype entry
76162 pid11781 xxd xxdline entry
76163 pid11781 xxd main entry
> [2] Is there any means to get the arguments of a function dynamically?
> I would like to create dscripts automatically to trace the functions
> and if possible trace arguments as well (when I have access only to
> the binaries).
$ dtrace -n 'pid$target::strcmp:entry{trace(copyinstr(arg0));
trace(copyinstr(arg1))}' -c ls | tail
dtrace: description 'pid$target::strcmp:entry' matched 2 probes
dtrace: pid 11814 has exited
dtrace: error on enabled probe ID 1 (ID 76165:
pid11814:libc.so.1:strcmp:entry): invalid address (0xfef1ca59) in action #2 at
DIF offset 28
1 76164 strcmp:entry pthread_getspecific
pthread_getspecific
1 76164 strcmp:entry flush
flush
1 76164 strcmp:entry flush
flush
1 76164 strcmp:entry _environ_lock
xflsbuf
1 76164 strcmp:entry edata
xflsbuf
1 76164 strcmp:entry xflsbuf
xflsbuf
1 76164 strcmp:entry PROCEDURE_LINKAGE_TABLE_
write
1 76164 strcmp:entry write
write
1 76164 strcmp:entry write
write
Let's look at the script:
pid$target::strcmp:entry - trace the entry point of the strcmp function
(function arguments are available at the entry point)
copyinstr(arg0); - dtrace probes "are executed in kernel". You have to
copy the string from userland to the kernel with the copyinstr function
trace(...) - dump something on the screen
So basically I just dump the first and second parameters of the strcmp
function.
You can also trace return values:
$ dtrace -n 'pid$target::strcmp:entry{trace(copyinstr(arg0));
trace(copyinstr(arg1))} pid$target::strcmp:return{trace(arg1)}' -c ls | tail
dtrace: description 'pid$target::strcmp:entry' matched 4 probes
dtrace: pid 11827 has exited
dtrace: error on enabled probe ID 1 (ID 76165:
pid11827:libc.so.1:strcmp:entry): invalid address (0xfef1ca59) in action #2 at
DIF offset 28
1 76166 strcmp:return 4294967277
1 76164 strcmp:entry xflsbuf
xflsbuf
1 76166 strcmp:return 0
1 76164 strcmp:entry PROCEDURE_LINKAGE_TABLE_
write
1 76166 strcmp:return 4294967257
1 76164 strcmp:entry write
write
1 76166 strcmp:return 0
1 76164 strcmp:entry write
write
1 76166 strcmp:return 0
trace(arg1) displays the return value (only available in the *:return
probe)
Hope this helps
--
Vlad
_______________________________________________ dtrace-discuss mailing list [email protected]
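Added example, not part of the original message: since a predicate only runs when a probe fires, a generated D script has to do its module filtering on the `dtrace -l` listing itself. The sketch below reads a listing in the column layout shown above and emits one `pid$target` entry clause per function outside the excluded modules. The function names `sample_listing` and `gen_dscript`, the file name `trace.d` and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Real use (assumed workflow):
#   dtrace -ln 'pid$target:::entry' -p PID | gen_dscript libc.so.1,ld.so.1 > trace.d
#   dtrace -s trace.d -p PID

# Constructed sample in the ID/PROVIDER/MODULE/FUNCTION/NAME layout of `dtrace -l`.
sample_listing() {
cat <<'EOF'
   ID   PROVIDER            MODULE                          FUNCTION NAME
76158   pid11781               xxd                            _start entry
76163   pid11781               xxd                              main entry
76165   pid11781         libc.so.1                            strcmp entry
76170   pid11781         libc.so.1                            strcmp return
76171   pid11781           ld.so.1                           rt_boot entry
EOF
}

# gen_dscript EXCLUDED_MODULES   (comma-separated list; listing on stdin)
# Assumes function names contain no whitespace, so every probe row has 5 fields.
gen_dscript() {
    awk -v skip="$1" '
        BEGIN { n = split(skip, s, ","); for (i = 1; i <= n; i++) drop[s[i]] = 1 }
        NR == 1 && $1 == "ID" { next }      # header row
        NF != 5 || $5 != "entry" { next }   # keep function entry probes only
        ($3 in drop) { next }               # module filter applied to the listing
        !seen[$3 SUBSEP $4]++ {             # one clause per module:function pair
            printf "pid$target:%s:%s:entry\n{\n", $3, $4
            printf "\tprintf(\"%%s:%%s\\n\", probemod, probefunc);\n}\n\n"
        }'
}

# Demonstration on the constructed listing: only the xxd functions remain.
sample_listing | gen_dscript libc.so.1,ld.so.1
```
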
