Eric Schrock's Blog

MDB puzzle, take two

June 24, 2005

Since Bryan solved my last puzzle a little too quickly, this post will serve as a followup puzzle that may or may not be easier. All I know is that Bryan is ineligible this time around 😉

Once again, the rules are simple. The solution must be a single line dcmd that produces precise output without any additional steps or post processing. For this puzzle, you’re actually allowed two commands: one for your dcmd, and another for ‘::run’. For this puzzle, we’ll be using the following test program:

main(int argc, char **argv)
int i;
for (i = 0; i < 100; i++)
write(rand() % 10, NULL, 0);
return (0);

The puzzle itself demonstrates how conditional breakpoints can be implemented on top of existing functionality:

Stop the test program on entry to the write() system call only when the file descriptor number is 7

I thought this one would be harder than the last, but now I’m not so sure, especially once you absorb some of the finer points from the last post.

Technorati Tag:

6 Responses

  1. Hi all,

    where is my chocolate ? 🙂

    >4::sysbp -c ‘<o0=K | ::grep “.!=7” | ::eval ::cont’


  2. Vita –
    Congrats. I would have also accepted x86 answers with <tt>&ltesp+4/K</tt> or <tt>&ltrsi=K</tt>. I’ll be adding these useful tricks to the MDB community page shortly. You have my utmost respect as an MDB hacker…

  3. It’s a shame you limited it to mdb 😉

    dtrace -w -c ./testprog -n ‘pid$target::write:entry /arg0 == 7/ {stop();}’

    This will actually stop it before we do the trap to the system call 😉
    You could then gcore it and look what’s happenning, or even attach an mdb with the -p argument.

  4. Eric,
    How do you know that you should use esp+4?
    Is it about the number of arguments to write()?

  5. sitchai –
    We use <tt>esp+4</tt> due to the way arguments are passed on 32-bit x86. Arguments are pushed onto the stack, so the first argument to the function is the first item on the stack. Except that when we issued the <tt>call</tt> instruction to get here, we pushed the return PC as well. You can find more information about argument passing on x86 (and why I hate amd64 from a debugging perspective) from an old blog entry.
    Note that once you’re in the body of the function, we will have executed the standard <tt>pushl %ebp</tt>, <tt>movl %esp, %ebp</tt>, at which point the standard way to access the first argument is <tt>%ebp+8</tt>.

  6. Thanks Eric.
    I read you old post and seems like it will be more difficult on amd64.

Recent Posts

April 21, 2013
February 28, 2013
August 14, 2012
July 28, 2012