This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: How to get correct filename in probe.execve
- From: Arkady <larytet at gmail dot com>
- To: "Frank Ch. Eigler" <fche at redhat dot com>
- Cc: systemtap at sourceware dot org
- Date: Fri, 20 Jan 2017 02:34:29 +0200
- Subject: Re: How to get correct filename in probe.execve
- References: <CANA-60q=SyAPsa3645iBW1JpvixQPLaVA1dUYN5g+L+HWu5bKg@mail.gmail.com> <y0mefzzf69v.fsf@fche.csb>
I appreciate the valuable responses.
I have modified the scripts a little bit:

stap -e 'probe kprocess.exec { { printf("exec pid=%u ts=%u filename=%s args=%s\n", pid(), gettimeofday_ns(), filename, argstr) } }'

import os
os.system("echo Hello")
os.system("echo Hello")
os.system("ls /tmp")
os.system("ls /tmp")

and the output is:

exec pid=2578 ts=1484871567781365344 filename="/usr/bin/python" args="/usr/bin/python", ["python", "echo.py"], [/* 20 vars */]
exec pid=2579 ts=1484871567790241888 filename=00007fd509724177 args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "echo Hello"], [/* 20 vars */]
exec pid=2580 ts=1484871567791230838 filename=00007fd509724177 args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "echo Hello"], [/* 20 vars */]
exec pid=2581 ts=1484871567792359834 filename=00007fd509724177 args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "ls /tmp"], [/* 20 vars */]
exec pid=2582 ts=1484871567793112384 filename="/bin/ls" args="/bin/ls", ["ls", "/tmp"], [/* 20 vars */]
exec pid=2583 ts=1484871567794590362 filename=00007fd509724177 args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "ls /tmp"], [/* 20 vars */]
exec pid=2584 ts=1484871567795367498 filename="/bin/ls" args="/bin/ls", ["ls", "/tmp"], [/* 20 vars */]

When running under strace I see execve. When I check the C source code
generated by SystemTap, I see a probe in execveat in the file
fs/exec.c. Does the probe kprocess.exec hook all "exec" syscalls?

In syscall.accept, the sockaddress argument is an address of a
user-space buffer. Shall I expect to hit a page that is not loaded from
time to time?

Thank you.

On Thu, Jan 19, 2017 at 4:55 PM, Frank Ch. Eigler <fche@redhat.com> wrote:
> Arkady <larytet@gmail.com> writes:
>
>> [...]
>> stap -e 'probe syscall.execve { { printf("exec %s\n", filename) } }'
>
> Looks good.
>
>> import os
>> os.system("ls /tmp")
>> I am doing something like python ./echo.py
>> In the exec probe output I am getting
>> exec "/usr/bin/python"
>> exec 00007fce05d05177
>> Where does 00007fce05d05177 come from?
>
> That could be the address, in user-space, of the "ls ..." string that
> has not been paged into the process' address space yet. (systemtap
> probes never cause page faults, so can't wait to "fault in" such
> strings.) That sometimes happens with C programs, but I wouldn't have
> expected it in python, where these are heap-resident, freshly copied
> objects. I wonder if it's not the "ls ..." one but some other brief child
> process of the python interpreter.
>
> Ah wait, strace suggests an answer. The filename for a python-initiated
> os.system() is "/bin/sh", which is a C-side string constant. So it
> could still be paged out at this early time in the program's life. I
> bet that if you change your python program to have two os.system()
> calls, you'd get the "/bin/sh" string printed by the second stap probe
> hit.
>
> - FChE
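
An added example, not part of the original thread and not SystemTap's own code: a Python parser for the record format printed by the stap one-liner in this post. It flags exec records whose filename or arguments were printed as raw user-space pointers and reports how those pointers are laid out. The function names and the 4096-byte page size are assumptions; the two sample records are copied from the output above.

```python
import re

# Two records copied from the output in the post above, mail line wraps rejoined.
SAMPLE = (
    'exec pid=2579 ts=1484871567790241888 filename=00007fd509724177 '
    'args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "echo Hello"], [/* 20 vars */]\n'
    'exec pid=2582 ts=1484871567793112384 filename="/bin/ls" '
    'args="/bin/ls", ["ls", "/tmp"], [/* 20 vars */]\n'
)

# A field is either a quoted string that was read, or a bare 16-digit hex
# pointer printed because the user-space string could not be read.
TOKEN = r'"(?:[^"\\]|\\.)*"|[0-9a-f]{16}'
LINE_RE = re.compile(
    r'^exec pid=(?P<pid>\d+) ts=(?P<ts>\d+) filename=(?P<filename>' + TOKEN + r') ' +
    r'args=(?:' + TOKEN + r'), \[(?P<argv>.*)\], \[/\* \d+ vars \*/\]$')


def parse_line(line):
    """Parse one record; unread strings become None, their pointers are kept."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    tokens = [m.group('filename')] + re.findall(TOKEN, m.group('argv'))
    strings = [t[1:-1] if t.startswith('"') else None for t in tokens]
    pointers = [None if t.startswith('"') else int(t, 16) for t in tokens]
    return {'pid': int(m.group('pid')), 'ts': int(m.group('ts')), 'filename': strings[0],
            'argv': strings[1:], 'pointers': pointers, 'complete': None not in strings}


def incomplete_events(text):
    """Records in which at least one string was printed as a raw pointer."""
    events = (parse_line(l) for l in text.splitlines())
    return [e for e in events if e and not e['complete']]


def pointer_layout(event, page_size=4096):
    """Offsets of unread argv pointers from the filename pointer, and whether
    all unread pointers share one page (page_size is an assumption)."""
    ptrs = [p for p in event['pointers'] if p is not None]
    base = event['pointers'][0]
    same_page = len({p // page_size for p in ptrs}) == 1
    return same_page, [p - base for p in ptrs[1:]] if base is not None else []


if __name__ == '__main__':
    for ev in incomplete_events(SAMPLE):
        print(ev['pid'], ev['argv'], pointer_layout(ev))
```

For pid 2579 the offsets are +5 and -3 with all three pointers on one page, which is consistent with the "/bin/sh" explanation in the quoted reply if argv[0] "sh" is the tail of that constant and "-c" sits just before it. Records flagged this way are gaps in exec telemetry rather than different programs.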