This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: How to get correct filename in probe.execve
- From: "Frank Ch. Eigler" <fche at redhat dot com>
- To: Arkady <larytet at gmail dot com>
- Cc: David Smith <dsmith at redhat dot com>, systemtap at sourceware dot org
- Date: Sat, 21 Jan 2017 01:52:15 -0500
- Subject: Re: How to get correct filename in probe.execve
Hi -
> probe kprocess.exec
> {
>     printf("exec pid=%u ts=%u filename=%s arg1=%s args=%s\n",
>            pid(), gettimeofday_ns(), filename, user_string_quoted(ulong_arg(1)),
>            argstr)
>     EXEC_FILENAME[pid(),tid()] = ulong_arg(1)
> }
I'd use the tapset-provided variables or $context variables rather
than ulong_arg*:

    % stap -L kprocess.exec
    kprocess.exec name:string filename:string __argv:long args:string __envp:long env_str:string argstr:string $filename:long int $argv:long int $envp:long int

Those are likely more stable across versions / architectures. You can
use the @defined() function to test for availability of $context
variables, so your script can even fall back between one and the other.
> [...]
> probe kernel.function("do_filp_open").call
> {
>     if ([pid(), tid()] in EXEC_FILENAME)
>         [...]
By the way, there is no need to index -both- by pid() and tid().
Just tid() is enough if you want per-process+per-thread tracking;
just pid() if per-process.
> I am getting this marvel:
>
> exec pid=30825 ts=1484976492960517468 filename=00007f32db232177
> arg1=00007f32db232177 args=00007f32db232177, [00007f32db23217c,
> 00007f32db232174, "echo Hello"], [/* 20 vars */]
> [...]
Good, enjoy!
- FChE
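
The two suggestions in this reply combined into one script, as an added example that is not code from the thread or from the SystemTap project: the exec probe picks between the `$filename` context variable and the tapset's `filename` with `@defined()`, and the tracking array is keyed by `tid()` alone. The array name `exec_filename` and the cleanup in `kprocess.exec_complete` are assumptions of this example, as is treating `$filename` as a user-space address (it is listed as `long int` in the `stap -L` output above).

```systemtap
# Added example: per-thread exec tracking without ulong_arg().
global exec_filename    # hypothetical name; keyed by tid() only

probe kprocess.exec
{
    # @defined() is resolved when the script is compiled, so the branch
    # that refers to a missing $context variable is dropped instead of
    # causing a resolution error.
    if (@defined($filename))
        # Assumption: $filename holds a user-space address here.
        name = user_string_quoted($filename)
    else
        # Tapset-provided string, computed by the kprocess.exec alias.
        name = filename

    exec_filename[tid()] = name

    printf("exec pid=%d tid=%d ts=%d filename=%s args=%s\n",
           pid(), tid(), gettimeofday_ns(), name, argstr)
}

probe kernel.function("do_filp_open").call
{
    # A single key is enough for per-thread tracking.
    if (tid() in exec_filename)
        printf("open during exec: tid=%d exec_filename=%s\n",
               tid(), exec_filename[tid()])
}

probe kprocess.exec_complete
{
    # Drop the entry once the exec attempt has finished, whether or not
    # it succeeded, so the array does not grow without bound.
    delete exec_filename[tid()]
}
```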