Closed wangbj closed 5 years ago
Is the idea that it assumes capturing syscalls is just an "optimization" and assumes a tracer will be there to catch what it misses?
It would be great for systrace to work "standalone" and guarantee to catch every syscall. RR doesn't set up their library-based interception until partway through the execution (therefore missing ~80 syscalls, limiting their efficiency on short process executions), but I'm not sure why we can't set it up first thing. To quote the ATC17 paper:
"In-process system-call interception only starts working in a process once the interception library has been loaded, but at least 80 system calls are performed before that completes, so its effectiveness is limited for short-lived processes."
That is likely because the program has to be loaded by a loader (ld-linux.so); until the loader loads our (LD_PRELOAD) library, we can't do anything (because our code is not loaded yet). The loader itself also makes syscalls to perform that task.
The current design is that when systrace sees a filtered syscall, it still allows the syscall to go through, even if the syscall site is patched. We should be able to run the patched syscall as soon as the patch happens; it is more complicated because we need to rewind the IP to run the patched instructions.
Yeah, but if we could get in there before libc gets loaded, wouldn't we get in there before most or all of those 80 syscalls happen?
I don't know what exactly the 80 syscalls are, but ld-linux.so does do its own syscalls, before libc.so is loaded.
There are about 41 syscalls that cannot be patched, because they happen before libsystrace.so is loaded, even though libsystrace.so is loaded by LD_PRELOAD. The list can be found here.
This issue should be fixed by commit: d728a8c4c95f41c5ba95e632a0a8435804baf67f
The exact number may depend on which program is invoked.
Thanks for documenting those.
Right now systrace patches syscalls after letting the first one go through; however, a more ideal way would be to patch the syscall first, and then run the patched version.