This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: How to get correct filename in probe.execve
- From: fche at redhat dot com (Frank Ch. Eigler)
- To: Arkady <larytet at gmail dot com>
- Cc: systemtap at sourceware dot org
- Date: Thu, 19 Jan 2017 09:55:56 -0500
- Subject: Re: How to get correct filename in probe.execve
- Authentication-results: sourceware.org; auth=none
- References: <CANA-60q=SyAPsa3645iBW1JpvixQPLaVA1dUYN5g+L+HWu5bKg@mail.gmail.com>
Arkady <larytet@gmail.com> writes:
> [...]
> stap -e 'probe syscall.execve { { printf("exec %s\n", filename) } }'
Looks good.
> import os
> os.system("ls /tmp")
> I am doing something like python ./echo.py
> In the exec probe output I am getting
> exec "/usr/bin/python"
> exec 00007fce05d05177
> Where does 00007fce05d05177 come from?
That could be the address, in user-space, of the "ls ..." string that
has not been paged into the process' address space yet. (systemtap
probes never cause page faults, so can't wait to "fault in" such
strings.) That sometimes happens with C programs, but I wouldn't have
expected it in python, where these are heap-resident, freshly copied
objects. I wonder it's not the "ls ..." one but some other brief child
process of the python interpreter.
Ah wait, strace suggests an answer. The filename for a python-initiated
os.system() is "/bin/sh", which is a C-side string constant. So it
could still be paged out at this early time in the program's life. I
bet that if you change your python program to have two os.system()
calls, you'd get the "/bin/sh" string printed by the second stap probe
hit.
- FChE