On Tue, Dec 13, 2011 at 1:00 PM, Szabo, Steve G < steve.g.sz...@tdsecurities.com> wrote:
> I'm not sure if I understand this correctly but I would like to access the
> values after the system call returns.
>
> syscall::stat:entry {
>     /* int stat(const char *restrict path, struct stat *restrict buf); */
>
>     /* where arg0 = const char *restrict path */
>     /*       arg1 = struct stat *restrict buf */
>
>     self->arg0 = copyinstr ( arg0 );
>     self->arg1 = (struct stat *) arg1;
>
> }
>
> syscall::stat:return / self->arg0 != 0 / {
>
>     printf ( "%-10d %-10d %-10s: [%-25s:%-10d:%-10d]",
>         pid,
>         uid,
>         execname,
>         self->arg0,
>         arg0 == 0 ? self->arg1->st_uid : -1,
>         arg0 == 0 ? self->arg1->st_gid : -1 );
>
>     self->arg0 = 0;
>     self->arg1 = 0;
>
> }
>
> When :entry fires it should store the pointer to stat buf to be used in
> the :return event.
>
> When :return fires I get the following when the return value of 'stat()'
> is zero:
>
> dtrace: error on enabled probe ID 2 (ID 4694: syscall::stat:return):
> invalid address (0xfcc7bd48) in action #5 at DIF offset 48
>
> What am I doing wrong?

The "struct stat" is a userland pointer, so you have to copyin the contents in the return probe. You can't just dereference it.

-- Dave
_______________________________________________ dtrace-discuss mailing list dtrace-discuss@opensolaris.org
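
The script from the question with the copyin applied in the return probe, as an added example that is not part of the original thread. The names self->path, self->buf and this->st are chosen here, and it assumes the traced process uses the same data model as the kernel, so that the kernel's definition of struct stat matches the layout of the user buffer.

```d
#!/usr/sbin/dtrace -s

#pragma D option quiet

syscall::stat:entry
{
	/* The path string is already valid on entry, so copy it in now. */
	self->path = copyinstr(arg0);
	/* Keep only the user-space address of the buffer; stat() has not filled it yet. */
	self->buf = arg1;
}

/* Success: the kernel has written the buffer, so copy it into DTrace scratch memory. */
syscall::stat:return
/self->buf != 0 && arg0 == 0/
{
	this->st = (struct stat *)copyin(self->buf, sizeof (struct stat));

	printf("%-10d %-10d %-10s: [%-25s:%-10d:%-10d]\n",
	    pid, uid, execname, self->path,
	    this->st->st_uid, this->st->st_gid);
}

/* Failure: the buffer contents are undefined, so report -1 without reading it. */
syscall::stat:return
/self->buf != 0 && arg0 != 0/
{
	printf("%-10d %-10d %-10s: [%-25s:%-10d:%-10d]\n",
	    pid, uid, execname, self->path, -1, -1);
}

/* Clauses on the same probe run in program order, so this cleanup runs last. */
syscall::stat:return
/self->buf != 0/
{
	self->path = 0;
	self->buf = 0;
}
```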