Skip to main content

Tracing syscalls with trace-cmd and bpftrace

In my ongoing quest to understand more how GNU Linux works under the hood, I took upon myself a courageous assignment to figure out what a simple go program does from a kernel's point of view - which syscalls are called and what data is passed down there

Here is the program

So a simple hello world, which prints out the famous words and creates an empty file. To figure out which syscalls are triggered, I decided to use trace-cmd package. It is a frontend to ftrace which helps for example in filtering out the syscalls related to a single binary or a PID.

After some intense googling, watching a couple of youtube videos, and fiddling around, I ran this command.

sudo trace-cmd record -p function_graph --max-graph-depth 3 -e syscalls -g do_syscall_64 -F ./gohello

It records a list of kernel functions practically in the order they are called with max depth and some filtering. It shows only syscalls and not, for example, system interrupts that clutter the output and are not in this exercise's scope. I'll not go into too much detail since, frankly, I lack the competence to decipher what all the parameters mean.

The output looks like this

With this single program, there is a lot of output, thousands of lines even with the filtering. The example shows one interesting syscall, the SyS_write which is actually the call to write the "Hello world" plus timestamp to stdout. 

We can actually take a closer look at the full stack of calls related to SyS_write

sudo trace-cmd record -p function_graph -g SyS_write  -F ./gohello

I tried to look for clock_gettime or suchlike kernel calls to see which kernel function is used to get the current time but turns out, there are things called vDSO shared objects which map parts of the kernel memory to be directly accessible to usespace eliminating the need for a syscall. The go runtime reads the timestamp registry directly. Check the implementation here.



The file operation calls show in the above output. It all starts by reading the file path "./example.txt", opening files, creating file descriptors, piping data to it, and closing the file and fd. More on the functions can be found on their corresponding man pages.


Ok, cool, we now know which are the most exciting syscalls. Obviously, there are more system calls, like a bunch of SyS_mmaps for mapping virtual memory pages, etc... but the next step is to take a look inside a selected few calls. For that, I use eBPF, or rather a frontend for it called bpftrace.

I have watched a number of presentations about the fascinating topic of eBPF and have played with bpftrace occasionally and I admit this is one of the main reasons of writing this post. 

First up, lets see the file writing operations. We can take a look at the file open for example. Step one, find the tracepoint

sudo bpftrace -l "*openat"

Ok we have a tracepoint, next let's check which arguments we can trace


We can see the filename in the trace point arguments. The tracing call can be done with for example this one line bpf program

sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s %s\n", comm, str(args->filename)); }' -c ./gohello


In the output, you can see all the calls made to sys_openat during the program execution, and voila, there is example.txt

An interesting finding is that readlinkat is not related to the file path of example.txt but is a link to self.


We can also trace the sys_write calls, and whoo boy, are there plenty of those. We can attempt to filter those a bit with a PID constraint

sudo bpftrace -e 'tracepoint:syscalls:sys_enter_write /pid > 7000/ { printf("<%s>\n", str(args->buf, args->count)); }'  -c ./gohello | less



And there you have it, a hello world amid all the mess!



Labels:

Comments

Post a Comment

Popular posts from this blog

I'm not a passionate developer

A family friend of mine is an airlane pilot. A dream job for most, right? As a child, I certainly thought so. Now that I can have grown-up talks with him, I have discovered a more accurate description of his profession. He says that the truth about the job is that it is boring. To me, that is not that surprising. Airplanes are cool and all, but when you are in the middle of the Atlantic sitting next to the colleague you have been talking to past five years, how stimulating can that be? When he says the job is boring, it is not a bad kind of boring. It is a very specific boring. The "boring" you would want as a passenger. Uneventful.  Yet, he loves his job. According to him, an experienced pilot is most pleased when each and every tiny thing in the flight plan - goes according to plan. Passengers in the cabin of an expert pilot sit in the comfort of not even noticing who is flying. As someone employed in a field where being boring is not exactly in high demand, this sounds pro
Post a Comment
Read more

Extracting object properties from an IFC file with IfcOpenShell

Besides the object geometry information, IFC files may contain properties for the IFC objects. The properties can be, for example, some predefined dimension information such as an object volume or a choice of material. Some of the properties are predefined in the IFC standards, but custom ones can be added. IFC files can be massive and resource-intensive to process, so in some cases, it helps to separate the object properties from the geometry data. IfcOpenShell  is a toolset for processing IFC files. It is written mostly in C++ but also provides a Python interface. To read an IFC file >>> ifc_file = ifcopenshell.open("model.ifc") Fetch all objects of type IfcSlab >>> slab = ifc_file.by_type("IfcSlab")[1] Get the list of properties >>> slab.IsDefinedBy (#145075=IfcRelDefinesByType('2_fok0__fAcBZmMlQcYwie',#1,$,$,(#27,#59),#145074), #145140=IfcRelDefinesByProperties('3U2LyORgXC2f_hWf6I16C1',#1,$,$,(#27,#59),#145141), #145142
Post a Comment
Read more

Canyon Precede:ON 7

I bought or technically leased a Canyon Precede:ON 7 (2022) electric bike last fall. This post is about my experiences with it after riding for about 2000 km this winter. The season was a bit colder than usual, and we had more snow than in years, so I properly put the bike through its paces. I've been cycling for almost 20 years. I've never owned a car nor used public transport regularly. I pedal all distances below 30km in all seasons. Besides commuting, I've mountain biked and raced BMX, and I still actively ride my road bike during the spring and summer months. I've owned a handful of bikes and kept them until their frames failed. Buying new bikes or gear has not been a major part of my hobby, and frankly, I'm quite sceptical about the benefits of updating bikes or gear frequently. I've never owned an E-bike before, but I've rented one a couple of times. The bike arrived in a hilariously large box. I suppose there's no need to worry about damage durin
Post a Comment
Read more