Schedule FOSDEM 2020
Debugging Tools

strace --seccomp-bpf: a look under the hood

K.4.201
Paul Chaignon
strace is known to add significant overhead to any application it traces. Even when users are interested in a handful of syscalls, strace will by default intercept all syscalls made by the observed processes, involving several context switches per syscall. Since strace v5.3, the --seccomp-bpf option allows reducing this overhead, by stopping observed processes only at syscalls of interest. This option relies on seccomp-bpf and inherits a few of its limitations. In this talk, we will describe the default behavior of ptrace and strace, to understand the problem --seccomp-bpf addresses. We will then detail the inner workings of the new option, as seen from ptrace (seccomp-stops) and bpf (syscall matching algorithms). Finally, we'll discuss limitations of the new option and avenues for improvement.

Problem addressed and ptrace default behavior

seccomp-bpf, SECCOMP_RET_TRACE, and the new behavior

cBPF syscall matching algorithms

Main limitations: working together with -p and -f

Avenues for improvements

Part of this talk is covered in the following blog post: https://pchaigno.github.io/strace/2019/10/02/introducing-strace-seccomp-bpf.html.

Additional information

Type: devroom

More sessions

2/2/20
Debugging Tools
Marcin Kolny
K.4.201
HawkTracer is a low-overhead instrumentation-based profiler built at Amazon Video for platforms with limited capabilities. It's written in C but can be used with almost any other language (we've successfully used it with JavaScript, Lua, Python and Rust). It's highly extensible (at compile time) and portable so it can be run on almost any embedded device. In this talk I'll introduce the architecture of the profiler, present its advantages and limitations, show how you can instrument the code and ...
2/2/20
Debugging Tools
Matthew Malcomson
K.4.201
We introduce a GDB plugin for working with large data structures in the inferior. This plugin brings some of the flexibility of Unix pipelines to the GDB command prompt, providing the ability to conveniently run some action on every element in a data structure that matches certain criteria. One big aim of this plugin is to make it easy and convenient for a user to write their own sub-commands to iterate over the data structures used in their own program. This is intended for anyone who has found ...
2/2/20
Debugging Tools
Tom Tromey
K.4.201
GDB has had a curses-based interface for many years. Come see what new features are available and how it can improve your debugging experience.
2/2/20
Debugging Tools
Julian Seward
K.4.201
Valgrind's Memcheck tool reports various kinds of errors. Among the most important are those where an if-condition or a memory address uses undefined data. Detecting that reliably on optimized code is challenging, and recent compiler development has made the problem worse.
2/2/20
Debugging Tools
Dmitry Levin
K.4.201
strace is a diagnostic, debugging and instructional utility for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. In this talk the maintainer of strace will describe new features implemented since FOSDEM 2018.
2/2/20
Debugging Tools
Eugene Syromyatnikov
K.4.201
The talk gives an overview of various optimisations implemented in strace over the past several years. While most of them are quite trivial (like caching of frequently-used data or avoiding syscalls whenever possible), some of them are a bit more tricky (like usage of seccomp BPF programs for avoiding excessive ptrace stops) and/or target more specific use cases (like the infamous thread queueing patch[1], which was carried as a RHEL downstream patch for almost 10 years). [1] ...
2/2/20
Debugging Tools
Quentin Monnet
K.4.201
By allowing programs to be safely loaded from user space and executed in the kernel, eBPF (extended Berkeley Packet Filter) has brought new possibilities to the Linux kernel, in particular in terms of tracing and network processing. But when a program fails to load, or when it does not return the expected values, what tools do we have to examine, inspect and debug eBPF objects? This talk focuses on the different tools and mechanisms available to help eBPF developers debug their programs, at ...