not sure if we have a counter

[chensong2000]

that we are going to want to print anything when it is full. Maybe for debugging? obj_instance[6]

https://lore.kernel.org/all/20221017155829.7e8d4812@gandalf.local.home/

I'm thinking instead of using the above syntax that is new, instead use
the syntax that is used by kprobes, eprobes and uprobes. That is:

objtrace:+offset(obj):type

That is, instead of:

objtrace:add:arg1,0x28:u32:1

have:

objtrace:+0x28(arg1):u32

Perhaps we can add for count for greater than 1:

obtrace:+0x28(arg1):u32[2]

for two items.

Then we could do even more complex analysis where we can dereference a
pointer within a structure to another pointer:

obtrace:+0x16(+0x28(arg1)):u32[2]

Which will look at arg1, add 0x28 to it. dereference that location,
then add 0x16 to the value, and then dereference that location as well.

This code is available in the kprobe code that eprobes also uses:

See process_fetch_insn() in kernel/trace/trace_eprobe.c

and the parsing of the string is in kernel/trace/trace_probe.c:

parse_probe_arg()

I think doing this will make it much more extensive, not to mention it
will match the syntax of other code in the tracing infrastructure.

What do you think?

-- Steve
https://lore.kernel.org/all/20220924160136.5029e942@rorschach.local.home/

[chensong2000]

echo 'objtrace:+0x38(+0x8($arg1)):string:7 -- 这种格式无法解析，目前trace_events_trigger的helper函数不支持，他们只支持stacktrace:5这样的格式。
见函数event_trigger_parse_num

[chensong2000]

echo 'objtrace:+0x38(+0x8($arg1)):string[7] if comm == "cat"' > ./events/kprobes/p_vfs_open_0/trigger
这种格式可以，但在get_object_value会出错误，多走了一次FETCH_OP_DEREF:分支，这样取地址会出错，正在查。
PS：[7]在trace probe里表示为parg->count，code->op 会等于FETCH_OP_LP_ARRAY，在get_object_value没有处理（参照process_fetch_insn_bottom）

[chensong2000]

echo 'objtrace:+0x38(+0x8($arg1)):string if comm == "cat"' > ./events/kprobes/p_vfs_open_0/trigger
在traceprobe_parse_probe_arg_body中会有4个code：
[ 177.211023] cs0,begin, code:0xffff8a0644450900, op:7
[ 177.211554] cs1, code:0xffff8a0644450900, op:7
[ 177.211840] cs1, code:0xffff8a0644450910, op:10
[ 177.212154] cs1, code:0xffff8a0644450920, op:15
[ 177.212418] cs2, end, code:0xffff8a0644450930, op:21, ret:0

0xffff88800700cd00
$13 = {op = FETCH_OP_ARG, {param = 0, {size = 0, offset = 0}, {basesize = 0 '\000', lshift = 0 '\000',
rshift = 0 '\000'}, immediate = 0, data = 0x0 <fixed_percpu_data>}}

0xffff88800700cd10
$17 = {op = FETCH_OP_DEREF, {param = 0, {size = 0, offset = 8}, {basesize = 0 '\000',
lshift = 0 '\000', rshift = 0 '\000'}, immediate = 34359738368, data = 0x800000000}}

0xffff88800700cd20
$43 = {op = FETCH_OP_ST_STRING, {param = 4, {size = 4, offset = 56}, {basesize = 4 '\004',
lshift = 0 '\000', rshift = 0 '\000'}, immediate = 240518168580, data = 0x3800000004}}

0xffff88800700cd30
$24 = {op = FETCH_OP_END, {param = 0, {size = 0, offset = 0}, {basesize = 0 '\000', lshift = 0 '\000',
rshift = 0 '\000'}, immediate = 0, data = 0x0 <fixed_percpu_data>}}

其中第三个code->op会在trace_probe.c的717行（code->op = FETCH_OP_ST_STRING）变成FETCH_OP_ST_STRING

所以在trace_object.c的get_object_value中，只有一次FETCH_OP_DEREF

[chensong2000]

echo 'objtrace:+0x38(+0x8($arg1)):string[7] if comm == "cat"' > ./events/kprobes/p_vfs_open_0/trigger
[ 29.617414] cs0,begin, code:0xffff8a0643eb9240, op:7
[ 29.619017] cs1, code:0xffff8a0643eb9240, op:7
[ 29.619391] cs1, code:0xffff8a0643eb9250, op:10
[ 29.619686] cs1, code:0xffff8a0643eb9260, op:10
[ 29.619987] cs1, code:0xffff8a0643eb9270, op:15
[ 29.620282] cs1, code:0xffff8a0643eb9280, op:19
[ 29.620574] cs2, end, code:0xffff8a0643eb9290, op:21, ret:0

0xffff8880073ede00 (多了一次递归，由trace_probe.c +695 parg->count，多了一个count，不是多了一个递归)
$20 = {op = FETCH_OP_ARG, {param = 0, {size = 0, offset = 0}, {basesize = 0 '\000', lshift = 0 '\000',
rshift = 0 '\000'}, immediate = 0, data = 0x0 <fixed_percpu_data>}}

0xffff8880073ede10
$25 = {op = FETCH_OP_DEREF, {param = 0, {size = 0, offset = 8}, {basesize = 0 '\000',
lshift = 0 '\000', rshift = 0 '\000'}, immediate = 34359738368, data = 0x800000000}}

0xffff8880073ede20
p *code
$28 = {op = FETCH_OP_DEREF, {param = 0, {size = 0, offset = 56}, {basesize = 0 '\000',
lshift = 0 '\000', rshift = 0 '\000'}, immediate = 240518168576, data = 0x3800000000}}

0xffff8880073ede30
$34 = {op = FETCH_OP_ST_STRING, {param = 4, {size = 4, offset = 0}, {basesize = 4 '\004',
lshift = 0 '\000', rshift = 0 '\000'}, immediate = 4, data = 0x4 <fixed_percpu_data+4>}}

0xffff8880073ede40
{op = FETCH_OP_LP_ARRAY, {param = 7, {size = 7, offset = 0}, {basesize = 7 '\a',
lshift = 0 '\000', rshift = 0 '\000'}, immediate = 7, data = 0x7 <fixed_percpu_data+7>}}

0xffff88800724e250
$7 = {op = FETCH_OP_END, {param = 0, {size = 0, offset = 0}, {basesize = 0 '\000', lshift = 0 '\000',
rshift = 0 '\000'}, immediate = 0, data = 0x0 <fixed_percpu_data>

会分配6个code，在trace_probe.c的695行：
692 if (!strcmp(parg->type->name, "symstr") || │
│ 693 (code->op == FETCH_OP_IMM || code->op == FETCH_OP_COMM || │
│ 694 code->op == FETCH_OP_DATA) || code->op == FETCH_OP_TP_ARG || │
│ 695 parg->count) { │ 多了count，所以多了一个code
│ 696 /* │
│ 697 * IMM, DATA and COMM is pointing actual address, those │
│ 698 * must be kept, and if parg->count != 0, this is an │
│ 699 * array of string pointers instead of string address │
│ 700 * itself. │
│ 701 * For the symstr, it doesn't need to dereference, thus │
│ 702 * it just get the value. │
│ 703 */ │
│ >704 code++;

由于parg->count大于0，所以导致了code++，这样第三个code->op就没有变成FETCH_OP_ST_STRING，还是FETCH_OP_DEREF。
那么在在trace_object.c的get_object_value中，第二次进入case FETCH_OP_DEREF，获取地址会出错，因为这时候已经不是dereference了。

[chensong2000]

[x]在kprobe里是array的意思，见Documentation/trace/kprobetrace.rst
69 Types
70 -----
71 Several types are supported for fetchargs. Kprobe tracer will access memory
72 by given type. Prefix 's' and 'u' means those types are signed and unsigned
73 respectively. 'x' prefix implies it is unsigned. Traced arguments are shown
74 in decimal ('s' and 'u') or hexadecimal ('x'). Without type casting, 'x32'
75 or 'x64' is used depends on the architecture (e.g. x86-32 uses x32, and
76 x86-64 uses x64).
77
78 These value types can be an array. To record array data, you can add '[N]'
79 (where N is a fixed number, less than 64) to the base type.
80 E.g. 'x16[4]' means an array of x16 (2-byte hex) with 4 elements.
81 Note that the array can be applied to memory type fetchargs, you can not
82 apply it to registers/stack-entries etc. (for example, '$stack1:x8[8]' is
83 wrong, but '+8($stack):x8[8]' is OK.)
84
85 Char type can be used to show the character value of traced arguments.
86
87 String type is a special type, which fetches a "null-terminated" string from
88 kernel space. This means it will fail and store NULL if the string container
89 has been paged out. "ustring" type is an alternative of string for user-space.
90 See :ref:user_mem_access for more info.
91
92 The string array type is a bit different from other types. For other base
93 types, [1] is equal to (e.g. +0(%di):x32[1] is same
94 as +0(%di):x32.) But string[1] is not equal to string. The string type itself
95 represents "char array", but string array type represents "char * array".
96 So, for example, +0(%di):string[1] is equal to +0(+0(%di)):string.
97 Bitfield is another special type, which takes 3 parameters, bit-width, bit-
98 offset, and container-size (usually 32). The syntax is::

表示的是数组，trigger的count的语法是“stacktrace：5”这样，所以混合在一起，比较混乱。