[PATCH/RFC v1 0/2] [GSoC] Stop condition based on number of syscalls
Dmitry V. Levin
ldv at strace.io
Thu Feb 16 06:57:41 UTC 2023
Hi,
On Wed, Feb 15, 2023 at 02:53:59AM +0530, Sahil Siddiq wrote:
> This patch adds the option to detach strace after capturing a specified
> number of syscalls.
>
> I went through the relevant parts of the codebase while working on this
> patch and there are a few things that I am not clear on.
>
> 1. I have assumed that a syscall is considered to be traced only if
> "syscall_exiting_decode()" returns a non-zero value (does not "bail
> out"). I am not sure if that is correct.
The tracee is being stopped both on entering and on exiting a syscall, that
is, twice per syscall invocation. If the --seccomp-bpf option is in effect,
then the tracee is not stopped on syscalls that are filtered out.
> 2. I tried to understand the workings of the "trace_syscall()" function.
> When can there be a situation where "syscall_entering_decode()" does
> not bail out, but "syscall_exiting_decode" bails out?
syscall_entering_decode doesn't normally bail out, while
syscall_exiting_decode routinely bails out on syscalls
that are filtered out by syscall_entering_trace.
--
ldv