This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
whitelist for safe-mode probes (or just a better blacklist?)
- From: Martin Hunt <hunt at redhat dot com>
- To: systemtap at sources dot redhat dot com
- Date: Tue, 19 Sep 2006 12:28:56 -0400
- Subject: whitelist for safe-mode probes (or just a better blacklist?)
- Organization: Red Hat Inc.
There are always going to be small pieces of the kernel where it will be
unsafe to insert a probe. We implemented a blacklist where we can list
bad functions to probe, however, it is not well maintained due to
several reasons. One of them is lack of testing. Another is that
sometimes a problem probing a function was due to something in systemtap
that we could fix by removing an unnecessary system dependency. We were
reluctant to add functions to the blacklist until we understood why they
failed. So the current blacklist is not complete and as kernels change,
the list will have to change with it. To guarantee a probe will not
crash the kernel it is going to be necessary to generate a whitelist of
probe points.
While this may seem like it would reduce systemtap's usefulness,
remember that we are targeting two very different users. System admins
won't care that they cannot probe the internals of the spinlock code
(for example). They want to know they can do simple things like probe
kernel.function("*") and it won't crash. Kernel developers will just
use "guru mode" and probe anywhere they want.
An alternative, would be to just create a better blacklist and use
thorough testing to guarantee that all other functions in the kernel
work with probes. This seems more difficult to maintain and will add a
new step to releasing each kernel. I think having a whitelist of safe
functions for all 2.6 kernels would require less work and be more safe.
How would this all work? The whitelist and blacklist would be files
distributed with Systemtap. They would be updated automatically with a
test script. I think we would not need version checking. One list for
2.6 would probably be OK because functions will be added and deleted
from kernel subversions but they probably won't change from safe to
unsafe. But if they do, they would need to get removed from the
whitelist for all kernels.
SAFE-MODE - Each kernel function probed must be in the whitelist (or
must be a static kernel marker. If/when those are widely implemented we
will be able to do away with the whitelist.)
GURU-MODE - whitelist is ignored. Each kernel function must not be in
the blacklist. (There should also be an option to ignore the blacklist
for testing.)
Thoughts?