Attribute Macro redbpf_macros::uretprobe
#[uretprobe]
Attribute macro that must be used to define uretprobes.
Example
use redbpf_probes::uprobe::prelude::*;
#[uretprobe]
fn getaddrinfo(regs: Registers) {
    // this is executed when getaddrinfo() returns
}
Function parameters
In general, the parmX methods of the regs argument do not
return the original parameter values that the function being probed
was called with. The reason is that those parameters are passed
via (architecture-dependent) general purpose registers, and the
function code most likely overwrites some or all of those registers.
RedBPF provides a convenient way to access original function parameters
by declaring the retprobe with an additional array argument that
receives function parameters 1-5:
use redbpf_probes::uprobe::prelude::*;
#[uretprobe]
fn getaddrinfo(regs: Registers, parms: [u64; 5]) {
    // this is executed when getaddrinfo() returns
}
To make this possible, RedBPF generates a global map, and an entry probe corresponding to the retprobe which stores the original parameters in that map. A generated retprobe wrapper retrieves the parameters from the map, and calls the provided function with the parameter array as an argument.
Note that if no parameters for the current thread are found in the map (for example because the capacity of the map has been exhausted, or the retprobe was registered after the function had already been entered), the retprobe is not called for that function invocation.
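The bookkeeping described above, and the two cases in which the retprobe is skipped, can be modelled in plain userspace Rust. This is an added illustration, not RedBPF's generated code: `ParamStash`, `on_entry`, `on_return`, the thread-id key and the removal of the entry on return are assumptions made for the model.

```rust
use std::collections::HashMap;
// Userspace model only; all names here are hypothetical, not RedBPF's.
struct ParamStash {
    capacity: usize,
    by_thread: HashMap<u64, [u64; 5]>, // assumed key: thread id
}

impl ParamStash {
    fn new(capacity: usize) -> Self {
        ParamStash { capacity, by_thread: HashMap::new() }
    }

    // Entry-probe side: save parameters 1-5; false means the map was full.
    fn on_entry(&mut self, tid: u64, parms: [u64; 5]) -> bool {
        if !self.by_thread.contains_key(&tid) && self.by_thread.len() >= self.capacity {
            return false;
        }
        self.by_thread.insert(tid, parms);
        true
    }

    // Retprobe-wrapper side: the handler runs only if parameters were saved.
    fn on_return<F: FnMut([u64; 5])>(&mut self, tid: u64, mut handler: F) -> bool {
        match self.by_thread.remove(&tid) {
            Some(parms) => { handler(parms); true }
            None => false, // this invocation goes unobserved
        }
    }
}

// Constructed trace: map capacity 2; threads 10, 11, 12 enter after the
// probes are attached, thread 30 was already inside the function.
fn simulate() -> (Vec<(u64, u64)>, Vec<u64>) {
    let mut stash = ParamStash::new(2);
    let (mut handled, mut skipped) = (Vec::new(), Vec::new());
    for &tid in &[10u64, 11, 12] {
        stash.on_entry(tid, [tid * 100, 0, 0, 0, 0]);
    }
    for &tid in &[10u64, 11, 12, 30] {
        if !stash.on_return(tid, |parms| handled.push((tid, parms[0]))) {
            skipped.push(tid);
        }
    }
    (handled, skipped)
}

fn main() {
    println!("{:?}", simulate());
}
```

In the model, threads 12 (map full at entry) and 30 (entered before attach) return without the handler running, which is the behaviour the note above describes for the real retprobe.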