DTRACE_PROC(4) | Device Drivers Manual | DTRACE_PROC(4) |
dtrace_proc — a DTrace provider for tracing events related to user processes
proc:::create(struct proc *, struct proc *, int);
proc:::exec(char *);
proc:::exec-failure(int);
proc:::exec-success(char *);
proc:::exit(int);
proc:::signal-clear(int, ksiginfo_t *);
proc:::signal-discard(struct thread *, struct proc *, int);
proc:::signal-send(struct thread *, struct proc *, int);
The DTrace proc provider provides insight into events related to user processes: process and thread creation and termination events, and process signalling.
The proc:::create() probe fires when a user process is created via the fork(2), vfork(2), pdfork(2), or rfork(2) system calls. In particular, kernel processes created with the kproc(9) KPI will not trigger this probe. The proc:::create() probe's first two arguments are the new child process and its parent, respectively. The third argument is a mask of rfork(2) flags indicating which process resources are to be shared between the parent and child processes.
The proc:::exec() probe fires when a process attempts to execute a file. Its argument is the specified filename for the file. If the attempt fails because of an error, the proc:::exec-failure() probe will subsequently fire, providing the corresponding errno(2) value in its first argument. Otherwise, the proc:::exec-success() probe will fire.
The proc:::exit() probe fires when a process exits or is terminated. Its argument is the corresponding SIGCHLD signal code; valid values are documented in the siginfo(3) manual page and defined in signal.h. For example, when a process exits normally, the value of args[0] will be CLD_EXITED.
The proc:::signal-send() probe fires when a signal is about to be sent to a process. The proc:::signal-discard() probe fires when a signal is sent to a process that ignores it. This probe will fire after the proc:::signal-send() probe for the signal in question. The arguments to these probes are the thread and process to which the signal will be sent, and the signal number of the signal. Valid signal numbers are defined in the signal(3) manual page. The proc:::signal-clear() probe fires when a pending signal has been cleared by one of the sigwait(2), sigtimedwait(2), or sigwaitinfo(2) system calls. Its arguments are the signal number of the cleared signal, and a pointer to the corresponding signal information. The siginfo_t for the signal can be obtained from args[1]->ksi_info.
Though the proc provider probes use native FreeBSD argument types, standard D types for processes and threads are available. These are psinfo_t and lwpsinfo_t respectively, and are defined in /usr/lib/dtrace/psinfo.d. This file also defines two global variables, curpsinfo and curlwpsinfo, which provide representations of the current process and thread using these types.
The fields of psinfo_t are:
The fields of lwpsinfo_t are:
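The following script logs process execution events as they occur:

    #pragma D option quiet

    /* Fires once the new image has been loaded successfully. */
    proc:::exec-success
    {
            /* Print the cached argument string, one event per line. */
            printf("%s\n", curpsinfo->pr_psargs);
    }
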
Note that the pr_psargs field is subject to the limit defined by the kern.ps_arg_cache_limit sysctl. In particular, processes with an argument list longer than the value defined by this sysctl cannot be logged in this way.
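
The script below is an added example, not part of the original manual page: it pairs each proc:::exec attempt with its exec-failure or exec-success outcome and records signals sent from one process to another, which is the kind of record an auditor would keep from these probes. The p_pid and p_comm members come from FreeBSD's struct proc; the thread-local names and the NULL-filename guard are assumptions of this example.

```d
#!/usr/sbin/dtrace -s
#pragma D option quiet

/* Remember the requested filename per thread until the outcome probe fires. */
proc:::exec
{
        /* Assumption: args[0] can be NULL (exec by descriptor), so guard it. */
        self->path = args[0] != NULL ? stringof(args[0]) : "<no path>";
        self->inexec = 1;
}

/* args[0] is the errno(2) value explaining why the attempt failed. */
proc:::exec-failure
/self->inexec/
{
        printf("%Y EXEC-FAIL uid=%d pid=%d comm=%s path=%s errno=%d\n",
            walltimestamp, uid, pid, execname, self->path, args[0]);
        self->path = 0;
        self->inexec = 0;
}

/* pr_psargs is truncated according to kern.ps_arg_cache_limit. */
proc:::exec-success
/self->inexec/
{
        printf("%Y EXEC-OK   uid=%d pid=%d ppid=%d path=%s args=%s\n",
            walltimestamp, uid, pid, ppid, self->path, curpsinfo->pr_psargs);
        self->path = 0;
        self->inexec = 0;
}

/*
 * args[1] is the target struct proc and args[2] the signal number.
 * Only signals whose target differs from the current process are logged.
 */
proc:::signal-send
/pid != args[1]->p_pid/
{
        printf("%Y SIGNAL    sig=%d from uid=%d pid=%d comm=%s to pid=%d comm=%s\n",
            walltimestamp, args[2], uid, pid, execname,
            args[1]->p_pid, stringof(args[1]->p_comm));
}
```

Because the filename is captured at proc:::exec rather than read from pr_psargs, failed attempts are still logged with the path that was requested.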
The proc provider in FreeBSD is not compatible with the proc provider in Solaris. In particular, FreeBSD uses the native struct proc and struct thread types for probe arguments rather than translated types. Additionally, a number of proc provider probes found in Solaris are not currently available on FreeBSD.
dtrace(1), errno(2), fork(2), pdfork(2), rfork(2), vfork(2), siginfo(3), signal(3), dtrace_sched(4), kproc(9)
The proc provider first appeared in FreeBSD 7.1.
This manual page was written by Mark Johnston <markj@FreeBSD.org>.
April 17, 2016 | Debian |