Attribute Macro redbpf_macros::uretprobe

#[uretprobe]
Attribute macro that must be used to define uretprobes.

Example

use redbpf_probes::uprobe::prelude::*;

#[uretprobe]
fn getaddrinfo(regs: Registers) {
    // this is executed when getaddrinfo() returns
}

Function parameters

In general, the parmX methods of the regs argument do not return the original parameter values that the function being probed was called with. The reason is that those parameters are passed via (architecture-dependent) general purpose registers, and the function code most likely overwrites some or all of those registers. RedBPF provides a convenient way to access original function parameters by declaring the retprobe with an additional array argument that receives function parameters 1-5:

use redbpf_probes::uprobe::prelude::*;

#[uretprobe]
fn getaddrinfo(regs: Registers, parms: [u64; 5]) {
    // this is executed when getaddrinfo() returns
}

To make this possible, RedBPF generates a global map, and an entry probe corresponding to the retprobe which stores the original parameters in that map. A generated retprobe wrapper retrieves the parameters from the map, and calls the provided function with the parameter array as an argument.

Note that if no parameters for the current thread are found in the map (for example because the capacity of the map has been exhausted, or the retprobe was registered after the function had already been entered), the retprobe is not called for that function invocation.
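The following is an added example, not RedBPF's generated code: a plain-Rust model of the entry-probe / retprobe-wrapper pairing described above, showing the two cases in which the retprobe is skipped. The `ParamMap` type, its thread-id key, the fixed capacity, the removal of the entry on return, and the `missed` counter are assumptions made for illustration.

```rust
use std::collections::HashMap;

/// Hypothetical model of the generated parameter map (not RedBPF code).
struct ParamMap {
    capacity: usize,               // assumed fixed map size
    slots: HashMap<u64, [u64; 5]>, // assumed key: thread id
    missed: u64,                   // returns for which the handler was skipped
}

impl ParamMap {
    fn new(capacity: usize) -> Self {
        ParamMap { capacity, slots: HashMap::new(), missed: 0 }
    }

    /// Entry probe: save parameters 1-5 for this thread, unless the map is full.
    fn on_entry(&mut self, tid: u64, parms: [u64; 5]) {
        if self.slots.len() < self.capacity || self.slots.contains_key(&tid) {
            self.slots.insert(tid, parms);
        }
    }

    /// Retprobe wrapper: call the handler only if parameters were saved.
    fn on_return<F: FnMut([u64; 5])>(&mut self, tid: u64, mut handler: F) -> bool {
        match self.slots.remove(&tid) {
            Some(parms) => { handler(parms); true }
            None => { self.missed += 1; false }
        }
    }
}

/// Constructed scenario: returns (handler calls, missed returns).
fn simulate() -> (usize, u64) {
    let mut map = ParamMap::new(2);
    let mut seen: Vec<u64> = Vec::new();
    map.on_entry(1, [0x10, 0, 0, 0, 0]);
    map.on_entry(2, [0x20, 0, 0, 0, 0]);
    map.on_entry(3, [0x30, 0, 0, 0, 0]); // map full: parameters not stored
    for tid in [1u64, 2, 3, 4] {         // tid 4 entered before the probes existed
        map.on_return(tid, |p| seen.push(p[0]));
    }
    (seen.len(), map.missed)
}

fn main() {
    let (handled, missed) = simulate();
    println!("handled={} missed={}", handled, missed);
}
```

For monitoring or detection probes, the skipped returns are a visibility gap: a retprobe that takes the parameter array will silently miss calls whenever the map is full.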