access function parameters with DWARF-less perf probing

access function parameters with DWARF-less perf probing

[Jun Wang]

Hi Everyone,

With systemTap, in the absence of debugging information (DWARF), one
can access function parameters using (positional) numbers. Can the
same be done with `perf`?
Why? I'm trying to capture variables in a kernel function but I don't
have an good perf with DWARF support and there is are significant
challenges to build one due to the relatively old distro.

Thanks,
Jun

Details on the SystemTap way of doing that can be referred to at
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/SystemTap_Language_Reference/ch04s03.html
4.3. DWARF-less probing

In the absence of debugging information, you can still use the /kprobe/
family of probes to examine the entry and exit points of kernel and
module functions. You cannot look up the arguments or local variables of
a function using these probes. However, you can access the parameters by
following this procedure:
When you're stopped at the entry to a function, you can refer to the
function's arguments by number. For example, when probing the function
declared:

asmlinkage ssize_t sys_read(unsigned int fd, char __user * buf, size_t
count)

You can obtain the values of |fd|, |buf|, and |count|, respectively, as
|uint_arg(1)|, |pointer_arg(2)|, and |ulong_arg(3)|. In this case, your
probe code must first call |asmlinkage()|, because on some architectures
the asmlinkage attribute affects how the function's arguments are passed.
When you're in a return probe, $|return| isn't supported without DWARF,
but you can call |returnval()| to get the value of the register in which
the function value is typically returned, or call |returnstr()| to get a
string version of that value.

Re: access function parameters with DWARF-less perf probing

[Andi Kleen]

Jun Wang <junwang123@gmail.com> writes:

> Hi Everyone,
>
> With systemTap, in the absence of debugging information (DWARF), one
> can access function parameters using (positional) numbers. Can the
> same be done with `perf`?
> Why? I'm trying to capture variables in a kernel function but I don't
> have an good perf with DWARF support and there is are significant
> challenges to build one due to the relatively old distro.

You can specify the registers according to the ABI. 
di = 1. arg, si = 2nd arg etc.

-Andi

-- 
ak@linux.intel.com -- Speaking for myself only

Re: access function parameters with DWARF-less perf probing

[David Ahern]

On 4/23/14, 11:21 PM, Andi Kleen wrote:
> Jun Wang <junwang123@gmail.com> writes:
>
>> Hi Everyone,
>>
>> With systemTap, in the absence of debugging information (DWARF), one
>> can access function parameters using (positional) numbers. Can the
>> same be done with `perf`?
>> Why? I'm trying to capture variables in a kernel function but I don't
>> have an good perf with DWARF support and there is are significant
>> challenges to build one due to the relatively old distro.
>
> You can specify the registers according to the ABI.
> di = 1. arg, si = 2nd arg etc.

http://en.wikipedia.org/wiki/X86_calling_conventions#List_of_x86_calling_conventions

Re: access function parameters with DWARF-less perf probing

[Milian Wolff]

On Wednesday 23 April 2014 22:21:07 Andi Kleen wrote:
> Jun Wang <junwang123@gmail.com> writes:
> > Hi Everyone,
> > 
> > With systemTap, in the absence of debugging information (DWARF), one
> > can access function parameters using (positional) numbers. Can the
> > same be done with `perf`?
> > Why? I'm trying to capture variables in a kernel function but I don't
> > have an good perf with DWARF support and there is are significant
> > challenges to build one due to the relatively old distro.
> 
> You can specify the registers according to the ABI.
> di = 1. arg, si = 2nd arg etc.

As I did not directly figure out how one can make use of this, here's what I 
found out:

You'll have to define a tracepoint which catches the function callback:

perf probe -x /usr/lib/libc.so.6 --add malloc="malloc size=%di"

Then, you can access the argument, e.g. perf script -g for a perf.data 
generated with the above tracepoint will contain something like this:

def probe_libc__malloc(event_name, context, common_cpu,
        common_secs, common_nsecs, common_pid, common_comm,
        __probe_ip, size):

Note the "size" argument. Similarly, you could catch the return value like 
this:

perf probe -x /usr/lib/libc.so.6 --add malloc_return="malloc%return 
ret=\$retval"

leading to:

def probe_libc__malloc_return(event_name, context, common_cpu,
        common_secs, common_nsecs, common_pid, common_comm,
        __probe_func, __probe_ret_ip, ret):

Bye
-- 
Milian Wolff
mail@milianw.de
http://milianw.de

Re: access function parameters with DWARF-less perf probing

[Jun Wang]

On Thu, Apr 24, 2014 at 7:12 AM, David Ahern <dsahern@gmail.com> wrote:
> On 4/23/14, 11:21 PM, Andi Kleen wrote:
>>
>> Jun Wang <junwang123@gmail.com> writes:
>>
>>> Hi Everyone,
>>>
>>> With systemTap, in the absence of debugging information (DWARF), one
>>> can access function parameters using (positional) numbers. Can the
>>> same be done with `perf`?
>>> Why? I'm trying to capture variables in a kernel function but I don't
>>> have an good perf with DWARF support and there is are significant
>>> challenges to build one due to the relatively old distro.
>>
>>
>> You can specify the registers according to the ABI.
>> di = 1. arg, si = 2nd arg etc.
>
>
> http://en.wikipedia.org/wiki/X86_calling_conventions#List_of_x86_calling_conventions
>

Andi/David, Thanks for the information.

In my case, the argument of the kernel function is a pointer to a
structure and I'm trying to capture the value of an element/field of
that structure.

With DWARF, I would have the following.

perf probe -a "___sys_sendmsg sk=@sock->sk"

Without DWARF,
%di can only provide sock directly. Is there anyway to use %di as the
address of the 'struct socket sock;' and capture sock->sk?
The following was tried, but we captured values are all zeros.

perf probe -a "___sys_sendmsg sk=+10(%bp):u32"

Thanks,
Jun