Understanding a parser.

Eugene Syromyatnikov evgsyr at gmail.com
Wed Mar 22 01:42:32 UTC 2017


On Sun, Mar 19, 2017 at 01:47:22AM +0530, Rishi Bhatt wrote:
> Hi,
> Well, I am currently understanding how to implement a parser, so I am
> starting with the simple ones first, i.e. umask.c, readahead.c, mount.c.
> 
> What I know about the implementation of a parser:
> What we do in these is use the tcb struct (u_arg[]) to get the values that
> are passed in as arguments. I am not going into that detail for now (or
> should I go?), I guess for now I should just accept it.
You can check trace_syscall_entering() and specifically get_syscall_args()
in linux/*/get_syscall_args.c for the code which retrieves data from the tracee in
case you are wondering how it is implemented. Basically, it retrieves
data from registers used for passing function call arguments. For the most
part, they trivially map onto function arguments, except for some peculiarities like
passing a 64-bit argument on 32-bit architectures.

> Now taking an example of a parser, let's say mount.c:
> arguments of mount: source, target, filesystem, mountflags and data.
> 
> So if I am implementing a mount parser I have to get the values that are
> being passed in this syscall, which I can get from registers (somehow), also
> the return value and error values.
This is done already in the beginning of trace_syscall_{entering,exiting}().

> Also we have to consider printing the
> appropriate things with appropriate wrappers, like if we are printing source
> and target in mount.c we are using printpath, and if an address, it is printed
> by printaddr, etc.
Well, this is the current state of things. Printing is handled by
decoders, there are some helpers defined in defs.h/util.c for printing
specific formats, but in most cases it boils down to a set of tprintf/tprints with
appropriately cast/processed arguments.

> And we have to first know what can be the value of a specific parameter in
> different conditions, like in mount.c we are printing "mount_filesystem" as an
> address or as a string (ignore_type).
Yes, this is a part of mount syscall semantics.

> So this should be the info to start implementing a parser?
> 
> So please fill me in with more detail if I am missing something or I am
> interpreting something in a wrong way, and if possible can you give me some
> small parser-related thing to implement so I can understand it better. So I
> can try to start implementing a parser.

First, which parser do you want to implement? Usually it starts with
figuring out the syscall argument semantics and the way arguments are
handled by the kernel—strace tries to show the way the kernel sees
arguments, so one (while using strace) could try to extrapolate what the kernel
would do with them. Once this understanding is obtained, the decoder implementation
itself is relatively easy. The other tricky part is figuring out proper test cases
which check, as much as possible, whether the decoder prints what it is intended
to print.

Please, do not hesitate to ask specific questions.
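
An added illustration of the 64-bit-argument peculiarity mentioned in the reply above; it is not part of the original message and not strace's own code. The `fake_tcb` struct, `get_ll_arg()` and `decode_readahead()` are hypothetical names, and the slot layouts are constructed samples for readahead(fd, offset, count) on a 32-bit tracee.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>
#define MAX_ARGS 6

/* Hypothetical stand-in for a 32-bit tracee's argument slots (not strace's struct tcb). */
struct fake_tcb { uint32_t u_arg[MAX_ARGS]; };

/* Reassemble a 64-bit argument that starts at slot *argn.
 * align_pair: the ABI starts register pairs at an even slot (ARM EABI does).
 * big_endian: the first slot of the pair holds the high half.
 * Returns 0 and moves *argn past the pair, or -1 if the pair does not fit. */
static int get_ll_arg(const struct fake_tcb *t, unsigned *argn,
		      int align_pair, int big_endian, uint64_t *out)
{
	unsigned i = *argn;
	if (align_pair && (i & 1))
		i++;			/* skip the padding slot */
	if (i + 1 >= MAX_ARGS)
		return -1;
	uint64_t first = t->u_arg[i], second = t->u_arg[i + 1];
	*out = big_endian ? (first << 32) | second : (second << 32) | first;
	*argn = i + 2;
	return 0;
}

/* Format readahead(fd, offset, count) from the raw slots into buf. */
static int decode_readahead(const struct fake_tcb *t, int align_pair,
			    int big_endian, char *buf, size_t len)
{
	unsigned argn = 1;		/* slot 0 holds fd */
	uint64_t off;
	if (get_ll_arg(t, &argn, align_pair, big_endian, &off) || argn >= MAX_ARGS)
		return -1;		/* no slot left for count */
	snprintf(buf, len, "readahead(%d, %" PRId64 ", %" PRIu32 ")",
		 (int) t->u_arg[0], (int64_t) off, t->u_arg[argn]);
	return 0;
}

int main(void)
{
	/* Constructed sample: fd 3, padding slot, offset 0x0123456789abcdef, count 4096. */
	struct fake_tcb padded = { { 3, 0, 0x89abcdefu, 0x01234567u, 4096 } };
	char buf[64];
	if (decode_readahead(&padded, 1, 0, buf, sizeof(buf)) == 0)
		puts(buf);
	return 0;
}
```

The same three-argument call occupies four slots without pair alignment and five with it, which is why a decoder cannot index the slots by the C prototype's argument position alone.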




More information about the Strace-devel mailing list