Add "request read" event #2705

Merged
merged 3 commits into from
Apr 16, 2024

umanwizard
Contributor

If a page is not mapped in a process, `bpf_probe_read_user` will not
be able to read it (even if the page is resident, so reading would
have only caused a minor fault).

In this case, instead of giving up, we can ask the agent to fault it
into the process by reading /proc/<pid>/mem at the specified offset.

To test, compile the following program with `-O0` and attempt to
profile it:

    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    void x(uint64_t orig_page) {
            uint64_t this_page = ((uint64_t)(&orig_page) >> 12);

            if (this_page != orig_page) {
                    pid_t pid = fork();
                    if (pid)
                            printf("Forked child pid: %d\n", pid);
                    else
                            for (;;)
                                    ;
            } else
                    x(orig_page);
    }

    int main(int argc, char *argv[]) {
            x((uint64_t)(&argc) >> 12);
    }

This program does the following:

1. Recurses until the stack crosses a page boundary
2. Forks -- the new process will initially not have any pages
   mapped in its address space
3. Loops forever -- thus it will never go back to the old stack frame
   and read it.

This program consistently produces 100% `PreviousRipZero` errors
before this commit, but with this commit, it eventually starts being
profiled successfully.
@umanwizard umanwizard requested a review from a team as a code owner April 15, 2024 13:33
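
The following Go example is added here and is not parca-agent's code: it shows one way an agent could service such a request by reading a single byte from /proc/<pid>/mem, and how the failure cases can be told apart. `ReadRequest`, `ErrGone`, `SelfRequest`, `FaultIn` and `marker` are hypothetical names, and the sample byte is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"syscall"
	"unsafe"
)

// ReadRequest is a hypothetical event shape (not parca-agent's own type):
// the target process and the user address the BPF side could not read.
type ReadRequest struct {
	PID  int
	Addr uint64
}

// ErrGone means the target exited or has no address space left to read.
var ErrGone = errors.New("target process is gone")
var marker = [1]byte{0x5a} // constructed sample byte at a stable address

// SelfRequest targets this process's own marker byte, for demonstration.
func SelfRequest() ReadRequest {
	return ReadRequest{PID: os.Getpid(), Addr: uint64(uintptr(unsafe.Pointer(&marker[0])))}
}

// FaultIn reads one byte at req.Addr via /proc/<pid>/mem; the value is incidental.
func FaultIn(req ReadRequest) (byte, error) {
	if req.Addr > 1<<63-1 { // pread offsets are signed
		return 0, fmt.Errorf("address %#x is not a valid offset", req.Addr)
	}
	f, err := os.Open(fmt.Sprintf("/proc/%d/mem", req.PID))
	switch {
	case errors.Is(err, os.ErrNotExist), errors.Is(err, syscall.ESRCH):
		return 0, ErrGone
	case err != nil:
		return 0, err // e.g. EACCES: the agent lacks ptrace access to the target
	}
	defer f.Close()
	var b [1]byte
	_, err = f.ReadAt(b[:], int64(req.Addr))
	switch {
	case errors.Is(err, io.EOF), errors.Is(err, syscall.ESRCH):
		return 0, ErrGone
	case err != nil: // e.g. EIO: nothing is mapped at that address
		return 0, fmt.Errorf("pid %d addr %#x: %w", req.PID, req.Addr, err)
	}
	return b[0], nil
}
func main() { fmt.Println(FaultIn(SelfRequest())) }
```

Opening another process's /proc/<pid>/mem is gated by the kernel's ptrace access check, so a component handling these requests holds the same privilege as one that can read the target's memory directly.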
Member

@kakkoyun kakkoyun left a comment

This looks promising indeed 🎉 🌮

@kakkoyun kakkoyun merged commit 31bdda2 into parca-dev:main Apr 16, 2024
11 of 12 checks passed