Merged
Conversation
This is the groundwork for stack enrichment based on the events emitted by the kernel logger or stack trace items available in event extended properties.
Symbolizer is capable of decorating return addresses with symbol information as well as memory region characteristics.
Make symbolizer aware of symbol resolution frequency to alleviate the pressure on the CPU when initializing symbol handles. Also, introduce a config option to indicate if kernel addresses are symbolized.
Callstack enrichment for CreateFile events is performed in the fs processor, as we activate the stack tracing for CreateFile and not FileOpEnd events. Also, this commit introduces a ton of improvements and facilities to ease unit testing
rabbitstack
force-pushed
the
stack-enrichment
branch
from
6351210 to
67ea4b8
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stack enrichment foundation is based on
StackWalkevents emitted by the system logger provider. The collection of return addresses is appended to supported events and symbolized afterward. The symbolization process is delegated to Debug Helper API with a couple of nuances:CreateFilewith open disposition are enriched with module information from the process state. Symbol names are not obtained.The following events are eligible for stack enrichment: