Okay so in the previous post I said I will tell you about the CatchError. Well here is the code: CatchError.java
So lets take a closer look at the critical parts of the code.
public static String myError;public static void main (String[] args){//some argument parsing//...Manager.host.requestCreateAttachedProc(myArgs, attachedObserver);Manager.eventLoop.run();}
In the above code segment we do some argument parsing, we ask the host object to create an attached Proc and we start the event loop. The rest of the juicy details happen in attachedObserver:
static TaskObserver.Attached attachedObserver = new TaskObserver.Attached(){
public Action updateAttached (Task task)
{
task.requestAddSyscallObserver(syscallObserver);
return Action.BLOCK;
}
public void addFailed (Object observable, Throwable w){}
public void addedTo (Object observable){}
public void deletedFrom (Object observable){}
};Very simple. When updateAttached is called we are being told the process has been created, attached, is block very early in its life time, and waiting for instructions. So we attempt to add a syscallObserver to it, and make sure to return Action.BLOCK so that the process doesnt slip through our fingers before syscallObserver is watching those naught write calls.
syscallObserver does all the heavy lifting:
static TaskObserver.Syscall syscallObserver = new TaskObserver.Syscall(){public Action updateSyscallEnter (Task task){SyscallEventInfo eventInfo = task.getSyscallEventInfo();frysk.proc.Syscall syscall = eventInfo.getSyscall(task);if(syscall.getName().equals("write")){long address = syscall.getArguments(task, 2);StringBuffer x = new StringBuffer();task.getMemory().get(address, 200, x);String xString = new String(x);if(xString.contains(myError)){Frame frame = StackFactory.createFrame(task);System.out.println("we got it! here is a stack trace:n" +StackFactory.printStackTrace(frame));}}return Action.CONTINUE;}public Action updateSyscallExit (Task task){return Action.CONTINUE;}public void addedTo (Object observable){Task task = (Task) observable;task.requestUnblock(attachedObserver);}public void addFailed (Object observable, Throwable w){}public void deletedFrom (Object observable){}};
updateSyscallEnter gets called telling us that a syscall is happening, we check if it is a write, if so we retrieve its string argument, and figure out if it is trying to write the string that we are interested in. If so, we ask frysk to extract a stack trace at that point in the procs life time. One thing to point out that I guess might not be obvious is that we actually get notified while the system call is happening, and during the execution of the code inside updateSyscallEnter, the task is actually stopped during the stack call that resulted in the syscall so it is a good point to extract a stack back trace.
Another interesting part in syscallObserver is this:
public void addedTo (Object observable)
{
Task task = (Task) observable;
task.requestUnblock(attachedObserver);
}If you remember earlier we told the task to stay blocked, well we have to unblock it so it can go on to exec, and make all those write calls. This is a good point to unblock it because we are now sure that the syscallObserver has been added. Also note that the api to unblock a task requires you to pass in the object that requested the block. This is to prevent any unintentional unblocking of tasks. That is to say that a task is not unblock until all parties that requested blocks have signed off.
It was pretty cool to use eclipse to do this. Code completion allowed me to focuse on frysk rather than java, and syntax errors. Also, I was able to finish coding in ~35 minutes.
