Query regarding syscall decoders

Sahil icegambit91 at gmail.com
Thu Feb 15 09:22:01 UTC 2024


Thank you for your reply.

On Tuesday, February 13, 2024 7:46:33 PM IST Eugene Syromyatnikov wrote:
> On Tue, Feb 13, 2024 at 03:31:39AM +0530, Sahil Siddiq wrote:
> A syscall decoder can be called twice, on syscall entering (to decode/print
> leading input arguments up to the first output one and possibly stash
> some data provided by the tracee to the kernel in input/output buffers)
> and on exiting (to decode/print the rest of the arguments and possibly
> set the auxstr).

Right. For "listmount" as well, the initial arguments will be decoded and
printed on syscall entering, while the rest will be printed on syscall exiting.

> In some cases, there is nothing to decode on exiting,
> and that is indicated by setting the RVAL_DECODED flag in the decoder's
> return value, when the decoder is called the first time on syscall
> entering, so the decoder won't be called the second time on syscall
> exiting.  Some other bits that are provided in the decoder return code:
>  * Return value format, set in the bits covered by RVAL_MASK (017).
>    These include RVAL_UDECIMAL/RVAL_HEX/RVAL_OCTAL for number
>    formatting, RVAL_FD for FDs (so the value is then formatted with
>    printfd()), and RVAL_TID/RVAL_SID/RVAL_TGID/RVAL_PGID for process IDs
>    (it is then formatted with printpid()).
>  * RVAL_STR indicates that tcp->auxstr is to be printed if set.  auxstr
>    is used to provide arbitrary auxiliary information that augments
>    the return value (like the event triggered the poll(2) exit, or
>    human-readable representation of return value flags).
>  * RVAL_NONE is used when the return value was impossible to retrieve
>    and provide, so far it is used only in the indirect shmat(2) calls,
>    when the return value cannot be retrieved from the tracee's memory.
>  * RVAL_IOCTL_DECODED is only used for ioctl decoders, see
>    the description of src/ioctl.c:ioctl_decode().
> Feel free to refer to src/syscall.c:syscall_exiting_trace() for
> implementation details.

Thank you for the detailed explanation. This makes sense now. I went
through syscall_exiting_trace() and found the part where RVAL_DECODED
is used to check the decoding status.

I also noticed that RVAL_UDECIMAL is defined as 000 in src/defs.h. Some
syscall decoders (such as the one for getrusage) return 0. This is identical to
returning RVAL_UDECIMAL, right? If so, is there any reason as to why the
macro isn't used?


More information about the Strace-devel mailing list