Use an array field inside a struct to store list of system calls in BCC

Question

I'm trying to create a program using BCC, in which I store an array with all System calls performed by each process. My code is as follows:

struct data_t{
 u32 syscalls[MAX_SYSCALLS];
 u64 count;
}

TRACEPOINT_PROBE(raw_syscalls, sys_exit{
 u32 key = pid_tgid;
 struct data_t *val, zero ={};
 val = data.lookup_or_try_init(&key, &zero);
 if (val){
  lock_xadd(&val->count,1);
  //Here I want to put the val->syscalls[count] = args->id

I want to know if it's possible and how to write that commented line of code, since using the standard C syntax to do so results in "Call to built-in function 'memset' is not supported"

score 0 · Answer 1 · answered Mar 22 '23 at 18:02

Yes, it's possible. See the syscount tool in the bcc repository for an example of how to attach.

Regarding incrementing the syscalls field, you should be able to write:

val->syscalls[args->id] = 1

Then val->syscalls will have a value of 1 for any syscall that was called and 0 otherwise.

Use an array field inside a struct to store list of system calls in BCC

1 Answers1