This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: How to get correct filename in probe.execve


On 01/19/2017 08:08 AM, Arkady wrote:
> Hello,
> 
> I am doing the following
> 
> stap -e 'probe syscall.execve { { printf("exec %s\n", filename) } }'
> 
> My platform is
> 
> Linux ubuntu 4.4.0-59-generic #80-Ubuntu SMP Fri Jan 6 17:47:47 UTC
> 2017 x86_64 x86_64 x86_64 GNU/Linux
> 
> I am running a Python script called echo.py which contains two lines:
> 
> import os
> os.system("ls /tmp")
> 
> I am doing something like python ./echo.py
> 
> In the exec probe output I am getting
> 
> exec "/usr/bin/python"
> exec 00007fce05d05177
> 
> Where does 00007fce05d05177 come from?

When the execve syscall gets called, systemtap gets an address for the
filename. It then tries to read that userspace address in the kernel to
find the string stored there. If it can't read that userspace address,
it instead will just report the address it tried to read. I'd bet that's
what happened here.

Why couldn't the address be read? The most likely answer (assuming the
address is valid) is that the memory the address points to hasn't been
paged in yet.

When I run your example, I see the following:

====
exec "/usr/bin/python"
exec 0x7fd57a129032
exec "/usr/bin/ls"
====

So, I'm also seeing the address. Why are there 3 execs in my output?
When you run 'os.system("ls /tmp")', python will run the equivalent of
'sh -c "ls /tmp"'. So, the 2nd exec is for 'sh' and the 3rd is for 'ls'
itself.

So, that's where the address is coming from. I'm not sure how to more
reliably get the string. Perhaps someone else will have an idea.

(I tried the following, but actually got worse results:

  stap -ve 'probe syscall.execve.return { printf("exec %s\n",
user_string_quoted(@entry($filename))) }' -c "python test.py"

)

-- 
David Smith
dsmith@redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)
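The reply above explains why the raw address shows up: the tapset's `filename` is built with `user_string_quoted()`, which substitutes the pointer value when the userspace page holding the path cannot be read at syscall entry. The script below is an added example (not David Smith's or the systemtap project's code) that makes that failure mode explicit instead of silently printing hex. It assumes that the raw `$filename` target variable is visible inside `probe syscall.execve` (the thread's own `@entry($filename)` relies on the same thing), that `user_string2()` is available in the tapset to return a caller-chosen marker instead of faulting, and that the kernel exposes the `sched_process_exec` tracepoint with its `bprm` argument (present on 4.x kernels); the second probe reads the path from the kernel's own copy after the exec has succeeded, so it does not depend on the user page being resident.

```systemtap
# Added example: distinguish a readable execve path from an unreadable one,
# and cross-check against the post-exec tracepoint.

probe syscall.execve {
  # $filename is the raw userspace pointer the syscall received (assumed
  # accessible through the alias, as in the thread's @entry($filename)).
  # user_string2() returns the marker instead of erroring when the page
  # cannot be read from kernel context.
  s = user_string2($filename, "<unreadable>")
  if (s == "<unreadable>")
    printf("execve entry  pid=%d %s: path not readable at 0x%x\n",
           pid(), execname(), $filename)
  else
    printf("execve entry  pid=%d %s: %s\n", pid(), execname(), s)
}

# Fires once the new image is actually loaded; bprm->filename lives in
# kernel memory (copied in by getname()), so kernel_string() is reliable here.
probe kernel.trace("sched_process_exec") {
  printf("exec complete pid=%d: %s\n", pid(), kernel_string($bprm->filename))
}
```

Run with the same wrapper as in the thread, `stap -v this.stp -c "python ./echo.py"`, and for the `sh -c "ls /tmp"` step you should expect the entry line to report the address while the completion line still names `/bin/sh`, which is the safer value to key detection or audit logic on.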

