dtrace's curpsinfo->pr_psargs is neutered?

I'm trying to get the arguments to execve() but failing.

On a Mac, the job of strace is handled by DTrace scripts. I get it. It's awesome. The curpsinfo->pr_psargs char[] is supposed to have the process arguments. Apparently this works in all the Solaris examples. On the mac... not so much:

$ sudo dtrace -n 'syscall::exec*: {printf("%s",curpsinfo->pr_psargs)}'
dtrace: description 'syscall::exec*: ' matched 2 probes
CPU ID FUNCTION:NAME
0 17765 execve:entry bash
0 17766 execve:return emacs
1 17765 execve:entry emacs
1 17766 execve:return emacs-i386
1 17765 execve:entry emacs-i386
1 17766 execve:return perl

All of those calls had arguments. For giggles, try trace() instead of printf():

$ sudo dtrace -n 'syscall::exec*: {trace(curpsinfo->pr_psargs)}'
dtrace: description 'syscall::exec*: ' matched 2 probes
CPU ID FUNCTION:NAME
1 17765 execve:entry
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 65 6d 61 63 73 00 61 6c 00 73 6b 00 00 00 00 00 emacs.al.sk.....
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 00 46 04 04 00 00 00 00 01 00 00 00 .....F..........
40: 00 00 00 00 00 00 00 00 00 00 00 00 30 f9 13 07 ............0...

😟 Mac loses?! How do I make it un-lose?

Mac, Mac OS X (10.5.6)

Posted on Apr 18, 2009 11:27 AM


Jul 25, 2009 5:19 AM in response to jjore

I also had the same problem. To resolve it, I read dtrace's source code.
Unfortunately, I found that the function was omitted.

dtrace-48.1/scripts/darwin.d:
pr_psargs = T->p_comm; /* XXX omits command line arguments XXX */



But I strongly need the arguments, so I decided to grab them from the executed process's stack.
Below is the code.



#!/usr/sbin/dtrace -C -s

#pragma D option quiet

proc::posix_spawn:exec-success,proc::__mac_execve:exec-success
{
	/* Pointer width depends on whether the new process image is 64-bit. */
	this->isx64=(curproc->p_flag & P_LP64)!=0;
#define SELECT_64_86(x64, x86) (this->isx64 ? (x64) : (x86))
#define GET_POINTER(base, offset) (user_addr_t)SELECT_64_86(*(uint64_t *)((base)+sizeof(uint64_t)*(offset)), *(uint32_t *)((base)+sizeof(uint32_t)*(offset)))

	this->ptrsize=SELECT_64_86(sizeof(uint64_t),sizeof(uint32_t));
	this->argc=curproc->p_argc;

	/* I haven't determined whether the same problem (argv[0] points to an invalid area) occurs on x64 */
	this->isClean=SELECT_64_86(1, (curproc->p_dtrace_argv==(uregs[R_SP]+sizeof(uint32_t)+sizeof(uint32_t))));
	/* Copy the argv pointer array from user space into probe scratch memory. */
	this->argv=(uint64_t)copyin(curproc->p_dtrace_argv,this->ptrsize*this->argc);

	/* printf("%s with args:%d (%p, %p)\n",execname, this->argc, curproc->p_dtrace_argv, uregs[R_SP]); */

	/* One printf per argument: D has no loops, so the list is unrolled to 10 entries. */
	printf("%s ", (0 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,0)) : "");
	printf("%s ", (1 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,1)) : "");
	printf("%s ", (2 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,2)) : "");
	printf("%s ", (3 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,3)) : "");
	printf("%s ", (4 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,4)) : "");
	printf("%s ", (5 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,5)) : "");
	printf("%s ", (6 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,6)) : "");
	printf("%s ", (7 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,7)) : "");
	printf("%s ", (8 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,8)) : "");
	printf("%s ", (9 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,9)) : "");
	printf("\n");

#undef GET_POINTER
#undef SELECT_64_86
}

Works as:
$ sudo dtrace -C -s args.d
cc1: warning: /dev/fd/5 is shorter than expected
gls -Fh --color=auto
gls -Fh --color=auto -al
/Applications/OmniGraffle Professional 4.app/Contents/MacOS/OmniGraffle Professional -psn 05780867


Attention:
This sometimes does not work well (checked by this->isClean), and I couldn't find out the reason.
This dtrace can get at most 10 arguments, since dtrace has no control-flow instructions.
Parsing execve's arguments (arg1) fails more frequently than the above approach.

Message was edited by: Hi_Toshi
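
The argv walk that the script above performs, modelled offline in Python so the pointer arithmetic and the isClean test can be checked against a known input. This is an added example, not part of the post or of dtrace; `read_argv`, `read_cstr`, `build_stack32` and the stack image are constructed for illustration, and the layout assumes only what the script's own 32-bit check implies (argv two 32-bit words above the stack pointer).

```python
import struct

def read_cstr(mem, base, addr, limit=256):
    """String at user address addr, or None if unmapped or unterminated."""
    off = addr - base
    if off < 0 or off >= len(mem):
        return None
    end = mem.find(b"\0", off, off + limit)
    return None if end == -1 else mem[off:end].decode("utf-8", "replace")

def read_argv(mem, base, sp, argv_addr, argc, is64):
    """Same steps as the D script: pointer width, isClean test, argv walk."""
    ptrsize, fmt = (8, "<Q") if is64 else (4, "<I")
    # The script's 32-bit check: argv must equal SP plus two 32-bit words.
    if not is64 and argv_addr != sp + 2 * 4:
        return None
    off = argv_addr - base
    if argc < 0 or off < 0 or off + ptrsize * argc > len(mem):
        return None
    args = []
    for i in range(argc):  # a loop, so no 10-argument ceiling
        (ptr,) = struct.unpack_from(fmt, mem, off + i * ptrsize)
        arg = read_cstr(mem, base, ptr)
        if arg is None:  # bad pointer: reject the whole record
            return None
        args.append(arg)
    return args

def build_stack32(base, args):
    """Constructed image: two placeholder words, argv pointers, NULL, strings."""
    strs = 8 + 4 * (len(args) + 1)
    ptrs, blob = [], b""
    for a in args:
        ptrs.append(base + strs + len(blob))
        blob += a.encode() + b"\0"
    return struct.pack("<II", 0, 0) + struct.pack("<%dI" % (len(ptrs) + 1), *ptrs, 0) + blob

# Constructed sample data (not captured from a real process).
BASE = 0xBFFFF000
ARGS = ["gls", "-Fh", "--color=auto", "-al"] + ["file%d" % i for i in range(8)]
STACK = build_stack32(BASE, ARGS)

if __name__ == "__main__":
    print(read_argv(STACK, BASE, BASE, BASE + 8, len(ARGS), False))
```

Rejecting the whole record when the check or any pointer fails, rather than emitting a partial command line, keeps an exec log from recording a truncated argument list as if it were complete.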
