Hello,
Many monitoring tools use /proc/kallsyms to build a symbol table for the kernel.
This technique has the advantage that it does not require root privileges, nor
an up-to-date /boot/System.map, nor a decompressed kernel in /boot.
The problem is that /proc/kallsyms does not report the size of the symbols.
Yet, the information is available in the kernel as it is used by functions such
as __print_symbol(). Having the size is useful to correlate the address obtained
is a sample with a symbol name. Most tools use an approximation which assumes
symbols are contiguous to estimate the size.
Apart from the backward compatbility problem for the output of kallsyms, what
would be the major issue with exposing this information?
Thanks.
--
-Stephane
Stephane Eranian wrote:
> Hello,
Hi, Stephane
> Many monitoring tools use /proc/kallsyms to build a symbol table for the kernel.
> This technique has the advantage that it does not require root privileges, nor
> an up-to-date /boot/System.map, nor a decompressed kernel in /boot.
>
> The problem is that /proc/kallsyms does not report the size of the symbols.
> Yet, the information is available in the kernel as it is used by functions such
> as __print_symbol(). Having the size is useful to correlate the address obtained
> is a sample with a symbol name. Most tools use an approximation which assumes
> symbols are contiguous to estimate the size.
That is actually what the kernel does internally, too. It does not keep
the size of the symbol, but tries to guess it from the address of the
next non-aliased symbol.
Since the addresses are sorted, this works fine most of the time. This
is done to reduce the size used by the symbol table in the running kernel.
Just take a look at "get_symbol_pos" in kernel/kallsyms.c and
"get_ksymbol" in kernel/module.c to see exactly how this is done
--
Paulo Marques - http://www.grupopie.com
"There cannot be a crisis today; my schedule is already full."
Paulo,
On Tue, Sep 25, 2007 at 05:21:06PM +0100, Paulo Marques wrote:
> Stephane Eranian wrote:
> >Hello,
>
> Hi, Stephane
>
> >Many monitoring tools use /proc/kallsyms to build a symbol table for the
> >kernel.
> >This technique has the advantage that it does not require root privileges,
> >nor
> >an up-to-date /boot/System.map, nor a decompressed kernel in /boot.
> >
> >The problem is that /proc/kallsyms does not report the size of the symbols.
> >Yet, the information is available in the kernel as it is used by functions
> >such as __print_symbol(). Having the size is useful to correlate the address
> >obtained
> >is a sample with a symbol name. Most tools use an approximation which
> >assumes
> >symbols are contiguous to estimate the size.
>
> That is actually what the kernel does internally, too. It does not keep
> the size of the symbol, but tries to guess it from the address of the
> next non-aliased symbol.
>
> Since the addresses are sorted, this works fine most of the time. This
> is done to reduce the size used by the symbol table in the running kernel.
>
> Just take a look at "get_symbol_pos" in kernel/kallsyms.c and
> "get_ksymbol" in kernel/module.c to see exactly how this is done
>
Ok. Then we cannot really do better.
Also thank you for alerting me on the aliased symbols. I have modified
my user code to only keep the first symbol.
Thanks for you help.
--
-Stephane