1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
|
// process tapset
// Copyright (C) 2006 Intel Corporation.
//
// This file is part of systemtap, and is free software. You can
// redistribute it and/or modify it under the terms of the GNU General
// Public License (GPL); either version 2, or (at your option) any
// later version.
function _IS_ERR:long(ptr) %{
THIS->__retvalue = IS_ERR((const void *)(long)THIS->ptr);
%}
/* probe process.create
*
* Fires whenever a new process is successfully created, either as a result of
* one of the fork syscall variants, or a new kernel thread.
*
* Context:
* Parent of the created process.
*
* Arguments:
* task - a handle to the newly created process.
*/
probe process.create = kernel.function("copy_process").return {
task = retval()
if (_IS_ERR(task)) next
}
/* probe process.start
*
* Fires immediately before a new process begins execution.
*
* Context:
* Newly created process.
*/
probe process.start = kernel.function("schedule_tail") { }
/* probe process.exec
*
* Fires whenever a process attempts to exec to a new program.
*
* Context:
* The caller of exec.
*
* Arguments:
* filename - the path to the new executable
*/
probe process.exec =
kernel.function("do_execve")
%( arch != "i586" %? %( arch != "i686" %?
, kernel.function("compat_do_execve")
%) %)
{
filename = kernel_string($filename)
}
/* probe process.exec.complete
*
* Fires at the completion of an exec call.
*
* Context:
* On success, the context of the new executable.
* On failure, remains in the context of the caller.
*
* Arguments:
* errno - the error number resulting from the exec
* success - a boolean indicating whether the exec was successful
*/
probe process.exec.complete =
kernel.function("do_execve").return
%( arch != "i586" %? %( arch != "i686" %?
, kernel.function("compat_do_execve").return
%) %)
{
errno = retval()
success = (errno >= 0)
}
/* probe process.exit
*
* Fires when a process terminates. This will always be followed by a
* process.release, though the latter may be delayed if the process waits in a
* zombie state.
*
* Context:
* The process which is terminating.
*
* Arguments:
* code - the exit code of the process
*/
probe process.exit = kernel.function("do_exit") {
code = $code
}
/* probe process.release
*
* Fires when a process is released from the kernel. This always follows a
* process.exit, though it may be delayed somewhat if the process waits in a
* zombie state.
*
* Context:
* The context of the parent, if it wanted notification of this process'
* termination, else the context of the process itself.
*
* Arguments:
* task - a task handle to the process being released
*/
probe process.release = kernel.function("release_task") {
task = $p
}
/* probe process.signal.send
*
* Fires when a process sends a signal to another process. This does not
* include ignored signals.
*
* Context:
* The signal's sender.
*
* Arguments:
* signal - the number of the signal
* signal_name - a string representation of the signal
* task - a task handle to the signal recipient
* shared - indicates whether this signal is shared by the thread group
*/
probe process.signal.send = _process.signal.send.* {
signal = $sig
signal_name = _signal_name($sig)
}
probe _process.signal.send.part1 =
kernel.function("__group_send_sig_info"),
kernel.function("send_group_sigqueue")
{
task = $p
shared = 1
}
probe _process.signal.send.part2 =
kernel.function("send_sigqueue")
{
task = $p
shared = 0
}
probe _process.signal.send.part3 =
kernel.function("specific_send_sig_info")
{
task = $t
shared = 0
}
/* probe process.signal.handle
*
* Fires when a process handles a signal.
*
* Context:
* The signal recipient.
*
* Arguments:
* signal - the number of the signal
* signal_name - a string representation of the signal
*/
/* FIXME - handle_signal is sometimes inlined, depending on the whims of the
* compiler. On FC5 it is inlined, but on RHEL4 it is not. Until we have a
* nice way for tapsets to specify "possibly inlined", we can't include this
* probe point.
probe process.signal.handle = kernel.function("handle_signal") {
signal = $sig
signal_name = _signal_name($sig)
}
*/
|
