refactor(callstack): Use creator process id for callstack treatment

Author: rabbitstack

pkg/event/event_windows.go

@@ -267,8 +267,24 @@ func (e *Event) IsOpenDisposition() bool {
 	return e.IsCreateFile() && e.Params.MustGetUint32(params.FileOperation) == windows.FILE_OPEN
 }
 
-// StackID returns the integer that is used to identify the callstack present in the StackWalk event.
-func (e *Event) StackID() uint64 { return uint64(e.PID + e.Tid) }
+// StackID returns the integer that is used to stich the callstack present in the StackWalk event.
+func (e *Event) StackID() uint64 {
+	if e.IsCreateProcess() {
+		return uint64(e.Params.MustGetPpid() + e.Tid)
+	}
+	return uint64(e.PID + e.Tid)
+}
+
+// StackPID returns the process id as seen the creator
+// from the callstack execution perspective. For example,
+// the pid associated with CreateProcess events is the
+// parent, not the process being created.
+func (e *Event) StackPID() uint32 {
+	if e.IsCreateProcess() {
+		return e.Params.MustGetPpid()
+	}
+	return e.PID
+}
 
 // RundownKey calculates the rundown event hash. The hash is
 // used to determine if the rundown event was already processed.

pkg/filter/accessor_windows.go

@@ -563,13 +563,13 @@ func (t *threadAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 
 		return e.Callstack.Symbols(), nil
 	case fields.ThreadCallstackAllocationSizes:
-		return e.Callstack.AllocationSizes(e.PID), nil
+		return e.Callstack.AllocationSizes(framePID(e)), nil
 	case fields.ThreadCallstackProtections:
-		return e.Callstack.Protections(e.PID), nil
+		return e.Callstack.Protections(framePID(e)), nil
 	case fields.ThreadCallstackCallsiteLeadingAssembly:
-		return e.Callstack.CallsiteInsns(e.PID, true), nil
+		return e.Callstack.CallsiteInsns(framePID(e), true), nil
 	case fields.ThreadCallstackCallsiteTrailingAssembly:
-		return e.Callstack.CallsiteInsns(e.PID, false), nil
+		return e.Callstack.CallsiteInsns(framePID(e), false), nil
 	case fields.ThreadCallstackIsUnbacked:
 		return e.Callstack.ContainsUnbacked(), nil
 	case fields.ThreadCallstack:

pkg/filter/util.go

@@ -19,13 +19,14 @@
 package filter
 
 import (
+	"path/filepath"
+
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	"github.com/rabbitstack/fibratus/pkg/filter/fields"
 	"github.com/rabbitstack/fibratus/pkg/util/loldrivers"
 	"github.com/rabbitstack/fibratus/pkg/util/signature"
 	"github.com/rabbitstack/fibratus/pkg/util/va"
-	"path/filepath"
 )
 
 // isLOLDriver interacts with the loldrivers client to determine
@@ -104,3 +105,11 @@ func getSignature(addr va.Address, filename string, parseCert bool) *signature.S
 
 	return sign
 }
+
+// framePID returns the pid associated with the stack frame.
+func framePID(e *event.Event) uint32 {
+	if !e.Callstack.IsEmpty() && e.Callstack.FrameAt(0).PID != 0 {
+		return e.Callstack.FrameAt(0).PID
+	}
+	return e.PID
+}

pkg/symbolize/symbolizer.go

@@ -398,9 +398,10 @@ func (s *Symbolizer) processCallstack(e *event.Event) error {
 		return nil
 	}
 
-	proc, ok := s.procs[e.PID]
+	pid := e.StackPID()
+	proc, ok := s.procs[pid]
 	if !ok {
-		handle, err := windows.OpenProcess(windows.SYNCHRONIZE|windows.PROCESS_QUERY_INFORMATION, false, e.PID)
+		handle, err := windows.OpenProcess(windows.SYNCHRONIZE|windows.PROCESS_QUERY_INFORMATION, false, pid)
 		if err != nil {
 			s.pushFrames(addrs, e)
 			return err
@@ -410,10 +411,10 @@ func (s *Symbolizer) processCallstack(e *event.Event) error {
 		err = s.r.Initialize(handle, opts)
 		if err != nil {
 			s.pushFrames(addrs, e)
-			return ErrSymInitialize(e.PID)
+			return ErrSymInitialize(pid)
 		}
-		proc = &process{e.PID, handle, time.Now(), 1}
-		s.procs[e.PID] = proc
+		proc = &process{pid, handle, time.Now(), 1}
+		s.procs[pid] = proc
 	}
 
 	s.pushFrames(addrs, e)
@@ -442,7 +443,8 @@ func (s *Symbolizer) pushFrames(addrs []va.Address, e *event.Event) {
 // symbol or module are not resolved, then we
 // fall back to Debug API.
 func (s *Symbolizer) produceFrame(addr va.Address, e *event.Event) callstack.Frame {
-	frame := callstack.Frame{PID: e.PID, Addr: addr}
+	pid := e.StackPID()
+	frame := callstack.Frame{PID: pid, Addr: addr}
 	if addr.InSystemRange() {
 		if s.config.SymbolizeKernelAddresses {
 			frame.Module = s.r.GetModuleName(windows.CurrentProcess(), addr)
@@ -452,7 +454,7 @@ func (s *Symbolizer) produceFrame(addr va.Address, e *event.Event) callstack.Fra
 	}
 
 	// did we hit this address previously?
-	if sym, ok := s.symbols[e.PID]; ok {
+	if sym, ok := s.symbols[pid]; ok {
 		if symbol, ok := sym[addr]; ok {
 			symCacheHits.Add(1)
 			frame.Module, frame.Symbol, frame.ModuleAddress = symbol.module, symbol.symbol, symbol.moduleAddress
@@ -468,7 +470,7 @@ func (s *Symbolizer) produceFrame(addr va.Address, e *event.Event) callstack.Fra
 		}
 		if mod == nil {
 			// our last resort is to enumerate process modules
-			modules := sys.EnumProcessModules(e.PID)
+			modules := sys.EnumProcessModules(pid)
 			for _, m := range modules {
 				b := va.Address(m.BaseOfDll)
 				size := uint64(m.SizeOfImage)
@@ -526,17 +528,17 @@ func (s *Symbolizer) produceFrame(addr va.Address, e *event.Event) callstack.Fra
 		}
 		if frame.Module != "" && frame.Symbol != "" {
 			// store resolved symbol information in cache
-			s.cacheSymbol(e.PID, addr, &frame)
+			s.cacheSymbol(pid, addr, &frame)
 			return frame
 		}
 	}
 
 	debugHelpFallbacks.Add(1)
 
 	// fallback to Debug Help API
-	proc, ok := s.procs[e.PID]
+	proc, ok := s.procs[pid]
 	if !ok {
-		handle, err := windows.OpenProcess(windows.SYNCHRONIZE|windows.PROCESS_QUERY_INFORMATION, false, e.PID)
+		handle, err := windows.OpenProcess(windows.SYNCHRONIZE|windows.PROCESS_QUERY_INFORMATION, false, pid)
 		if err != nil {
 			return frame
 		}
@@ -546,8 +548,8 @@ func (s *Symbolizer) produceFrame(addr va.Address, e *event.Event) callstack.Fra
 		if err != nil {
 			return frame
 		}
-		proc = &process{e.PID, handle, time.Now(), 1}
-		s.procs[e.PID] = proc
+		proc = &process{pid, handle, time.Now(), 1}
+		s.procs[pid] = proc
 	}
 
 	proc.keepalive()
@@ -564,7 +566,7 @@ func (s *Symbolizer) produceFrame(addr va.Address, e *event.Event) callstack.Fra
 	}
 
 	// store resolved symbol information in cache
-	s.cacheSymbol(e.PID, addr, &frame)
+	s.cacheSymbol(pid, addr, &frame)
 
 	return frame
 }

pkg/symbolize/symbolizer_test.go

@@ -19,6 +19,12 @@
 package symbolize
 
 import (
+	"math/rand"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
 	"github.com/rabbitstack/fibratus/pkg/config"
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
@@ -33,11 +39,6 @@ import (
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/windows"
-	"math/rand"
-	"os"
-	"path/filepath"
-	"testing"
-	"time"
 )
 
 // MockResolver for unit testing
@@ -282,15 +283,16 @@ func TestProcessCallstack(t *testing.T) {
 	e := &event.Event{
 		Type:      event.CreateProcess,
 		Tid:       2484,
-		PID:       uint32(os.Getpid()),
+		PID:       2232,
 		CPU:       1,
 		Seq:       2,
 		Name:      "CreatedProcess",
 		Timestamp: time.Now(),
 		Category:  event.Process,
 		Host:      "archrabbit",
 		Params: event.Params{
-			params.Callstack: {Name: params.Callstack, Type: params.Slice, Value: []va.Address{0x7ffb5c1d0396, 0x7ffb5d8e61f4, 0x7ffb3138592e, 0x7ffb313853b2, 0x2638e59e0a5}},
+			params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: (uint32(os.Getpid()))},
+			params.Callstack:       {Name: params.Callstack, Type: params.Slice, Value: []va.Address{0x7ffb5c1d0396, 0x7ffb5d8e61f4, 0x7ffb3138592e, 0x7ffb313853b2, 0x2638e59e0a5}},
 		},
 		PS: proc,
 	}
@@ -454,15 +456,16 @@ func TestProcessCallstackProcsTTL(t *testing.T) {
 		e := &event.Event{
 			Type:      event.CreateProcess,
 			Tid:       2484,
-			PID:       uint32(os.Getpid()),
+			PID:       1232,
 			CPU:       1,
 			Seq:       2,
 			Name:      "CreatedProcess",
 			Timestamp: time.Now().Add(time.Millisecond * time.Duration(n)),
 			Category:  event.Process,
 			Host:      "archrabbit",
 			Params: event.Params{
-				params.Callstack: {Name: params.Callstack, Type: params.Slice, Value: []va.Address{0x7ffb5c1d0396, 0x7ffb5d8e61f4, 0x7ffb3138592e, 0x7ffb313853b2, 0x2638e59e0a5}},
+				params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: (uint32(os.Getpid()))},
+				params.Callstack:       {Name: params.Callstack, Type: params.Slice, Value: []va.Address{0x7ffb5c1d0396, 0x7ffb5d8e61f4, 0x7ffb3138592e, 0x7ffb313853b2, 0x2638e59e0a5}},
 			},
 		}
 		_, _ = s.ProcessEvent(e)