swannman
commented
7 months ago I have realized that If I take too long for processing an event, I might miss many events and my callback wont get invoked for them for some reason.
Exactly right! Consider increasing the buffer size if you need to handle bursts of events.
So I assume I can't just pass the given
EVENT_RECORD&record argument in my callback, or this schema to my other thread as some of its members or itself entirely might become invalid after my callback is returned I assume?
Yes, that's correct. A recommended approach for ETW callbacks is:
- Extract a minimum set of properties from the record
- Use these to determine whether the event is "interesting"
- If it is,
- Copy all properties of interest into a separate object
- Enqueue that object for another thread to process
- Return
I have defined a callback for some providers with a user_trace, like the following:
my_callback(const EVENT_RECORD& record, const krabs::trace_context& trace_context) { krabs::schema schema(record, trace_context.schema_locator); krabs::parser parser(schema); ...But now I want to optimize and the only thing I want to do in my callback is to copy every info related to that event (safely, without having a pointer to a invalid memory in one of the members) and pass it to another thread for processing. This is because I have realized that If I take too long for processing an event, I might miss many events and my callback wont get invoked for them for some reason.
So what is the proper solution? I assume this shcema has all the info I need, but as Expected when I create a schema using krabs::schema, in its constructor its not doing a copy but just referencing, as expected:
So I assume I can't just pass the given EVENT_RECORD& record argument in my callback, or this schema to my other thread as some of its members or itself entirely might become invalid after my callback is returned I assume?
So what is the most optimized way of handling this and passing event data to another thread?