
stracers_core/
event.rs

/// One observed syscall, recorded after both its entry and its exit have been seen.
///
/// NOTE(review): `args` and `decoded_args` describe the traced process's own arguments;
/// the `Path` and `Buf` variants of `DecodedArg` hold data copied from the tracee, so
/// consumers should treat those contents as untrusted.
pub struct SyscallEvent {
    /// Process id associated with the event (presumably the tracee's pid/tid — confirm).
    pub pid: i32,
    /// Numeric syscall identifier.
    pub number: u64,
    /// Symbolic syscall name, when one is available for `number`.
    pub name: Option<&'static str>,
    /// The six raw argument values, undecoded.
    pub args: [u64; 6],
    /// Return value, if present (presumably `None` when no exit value was captured — confirm).
    pub ret: Option<i64>,
    /// Pretty-printable forms of the arguments.
    pub decoded_args: Vec<DecodedArg>,
}
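/// A pretty-printed syscall argument.
///
/// `Path` and `Buf` hold data copied out of the traced process, so their contents are
/// chosen by the tracee. The `Display` impl escapes both before writing them, so a traced
/// program cannot place raw control characters (terminal escape sequences, newlines that
/// forge extra trace lines) or an unbalanced quote into the trace output.
pub enum DecodedArg {
    /// Raw hex value (fallback when no decoding is available).
    Raw(u64),
    /// File descriptor, e.g. `3` or a symbolic name like `AT_FDCWD`.
    Fd(i32),
    /// Null-terminated path string read from tracee memory.
    Path(String),
    /// Bitwise OR of named flags, e.g. `O_RDONLY|O_CLOEXEC`.
    Flags(String),
    /// A buffer shown as a quoted byte string (truncated).
    ///
    /// The first field is the captured bytes; the second is the length that is reported
    /// after the preview when it exceeds the preview limit.
    Buf(Vec<u8>, usize),
    /// An opaque pointer/address, displayed as hex.
    Addr(u64),
    /// A plain integer (signed).
    Int(i64),
    /// An unsigned size value.
    Size(u64),
}

impl std::fmt::Display for DecodedArg {
    /// Writes the argument in its textual trace form.
    ///
    /// Tracee-supplied text (`Path`, `Buf`) is emitted inside double quotes with
    /// backslash escapes for `\n`, `\r`, `\t`, `\\`, `"` and every other control
    /// character. Printable non-ASCII characters in a `Path` are written unchanged.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        // Maximum number of buffer bytes echoed before the output is cut short.
        const BUF_PREVIEW_LEN: usize = 32;

        match self {
            DecodedArg::Raw(v) => write!(f, "{:#x}", v),
            DecodedArg::Fd(fd) => match *fd {
                // -100 is printed symbolically as AT_FDCWD rather than as a number.
                -100 => write!(f, "AT_FDCWD"),
                _ => write!(f, "{}", fd),
            },
            DecodedArg::Path(s) => {
                // The string comes from tracee memory: escape it the same way as `Buf`
                // so control characters and quotes cannot alter or spoof the trace line.
                write!(f, "\"")?;
                for c in s.chars() {
                    match c {
                        '\n' => write!(f, "\\n")?,
                        '\r' => write!(f, "\\r")?,
                        '\t' => write!(f, "\\t")?,
                        '\\' => write!(f, "\\\\")?,
                        '"' => write!(f, "\\\"")?,
                        // Remaining C0 controls and DEL, e.g. ESC -> \x1b.
                        c if c.is_ascii_control() => write!(f, "\\x{:02x}", c as u32)?,
                        // C1 controls (U+0080..=U+009F), e.g. CSI -> \u{9b}.
                        c if c.is_control() => write!(f, "\\u{{{:x}}}", c as u32)?,
                        c => write!(f, "{}", c)?,
                    }
                }
                write!(f, "\"")
            }
            // Written verbatim. NOTE(review): presumably assembled by the decoder from
            // fixed flag names; confirm no tracee-supplied text reaches this variant.
            DecodedArg::Flags(s) => write!(f, "{}", s),
            DecodedArg::Buf(bytes, total_len) => {
                write!(f, "\"")?;
                for &b in bytes.iter().take(BUF_PREVIEW_LEN) {
                    match b {
                        b'\n' => write!(f, "\\n")?,
                        b'\r' => write!(f, "\\r")?,
                        b'\t' => write!(f, "\\t")?,
                        b'\\' => write!(f, "\\\\")?,
                        b'"' => write!(f, "\\\"")?,
                        // Printable ASCII is shown as-is.
                        0x20..=0x7e => write!(f, "{}", b as char)?,
                        // Everything else (controls, DEL, bytes >= 0x80) as \xNN.
                        _ => write!(f, "\\x{:02x}", b)?,
                    }
                }
                write!(f, "\"")?;
                // Flag truncation using the recorded total length, not the captured length.
                if *total_len > BUF_PREVIEW_LEN {
                    write!(f, "...({} bytes)", total_len)?;
                }
                Ok(())
            }
            DecodedArg::Addr(v) => {
                // A zero address is shown as NULL instead of 0x0.
                if *v == 0 {
                    write!(f, "NULL")
                } else {
                    write!(f, "{:#x}", v)
                }
            }
            DecodedArg::Int(v) => write!(f, "{}", v),
            DecodedArg::Size(v) => write!(f, "{}", v),
        }
    }
}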