If systemtap could find the 'syscalls' set of tracepoints, the syscall tapsets could be written to prefer those tracepoints over using kprobes. As an example:

====
probe syscall.access = kernel.trace("sys_enter_access") !,
                       kernel.function("sys_access").call
{
  # ... we'd probably need to use @defined() to get the correct arguments
}
====
(In reply to comment #0)
> probe syscall.access = kernel.trace("sys_enter_access") !,
> kernel.function("sys_access").call
> {
> # ... we'd probably need to use @defined() to get the correct arguments
> }

IMO, when we already know what variables should be used in which probe point, it's better to split the aliases than use @defined, e.g.

probe syscall.access = tp_syscall.access!, kp_syscall.access
  { /* common stuff */ }
probe tp_syscall.access = kernel.trace("sys_enter_access")
  { /* tracepoint specifics */ }
probe kp_syscall.access = kernel.function("sys_access").call
  { /* kprobe specifics */ }

We might even choose to unify nd_syscall.access in there too.
This little toy script checks whether the _stp_syscall_nr() function provides a good-enough substitute for the missing $id parameter from the sys_exit tracepoint. It turns out that generally yes, at least on x86_64.

global i%

probe kernel.trace("sys_enter")
{
  __set_usermode_pt_regs($regs)
  x = $id
  y = _stp_syscall_nr();
  i[tid()] = x;
  if (x != y) println("entry ", x, " ", y)
}

probe kernel.trace("sys_exit")
{
  __set_usermode_pt_regs($regs)
  y = _stp_syscall_nr();
  x = i[tid()];
  delete i[tid()];
  if (x != y) println("exit ", x, " ", y)
}
All syscall tracepoints have been added in commit 8b8c9b636389b67a2288e31eb1f9b14a3992bc18