2 Replies Latest reply: Jul 25, 2009 5:19 AM by Hi_Toshi
jjore Level 1 (0 points)
I'm trying to get the arguments to execve() but failing.

On a Mac, the job of strace is handled by DTrace scripts. I get it. It's awesome. The curpsinfo->pr_psargs char[] is supposed to have the process arguments. Apparently this works in all the Solaris examples. On the mac... not so much:

$ sudo dtrace -n 'syscall::exec*: {printf("%s",curpsinfo->pr_psargs)}'
dtrace: description 'syscall::exec*: ' matched 2 probes
CPU ID FUNCTION:NAME
0 17765 execve:entry bash
0 17766 execve:return emacs
1 17765 execve:entry emacs
1 17766 execve:return emacs-i386
1 17765 execve:entry emacs-i386
1 17766 execve:return perl

All of those calls had arguments. For giggles, try trace() instead of printf():

$ sudo dtrace -n 'syscall::exec*: {trace(curpsinfo->pr_psargs)}'
dtrace: description 'syscall::exec*: ' matched 2 probes
CPU ID FUNCTION:NAME
1 17765 execve:entry
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 65 6d 61 63 73 00 61 6c 00 73 6b 00 00 00 00 00 emacs.al.sk.....
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 00 46 04 04 00 00 00 00 01 00 00 00 .....F..........
40: 00 00 00 00 00 00 00 00 00 00 00 00 30 f9 13 07 ............0...

Mac loses?! How do I make it un-lose?

Mac, Mac OS X (10.5.6)
  • tlrobinson Level 1 (0 points)
    I'm wondering the same thing. Is there some sort of workaround? It would be really useful.
  • Hi_Toshi Level 1 (0 points)
    I also had the same problem. To resolve it, I read dtrace's source code.
    Unfortunately, I found that the function was omitted.

    dtrace-48.1/scripts/darwin.d:
    pr_psargs = T->p_comm; /* XXX omits command line arguments XXX */



    But since I strongly need the arguments, I decided to grab them from the executed process's stack.
    The code is below.



    #!/usr/sbin/dtrace -C -s

    #pragma D option quiet

    proc::posix_spawn:exec-success,proc::__mac_execve:exec-success
    {
        /* Pointer width depends on whether the new process image is 64-bit. */
        this->isx64=(curproc->p_flag & P_LP64)!=0;
    #define SELECT_64_86(x64, x86) (this->isx64 ? (x64) : (x86))
    #define GET_POINTER(base, offset) (user_addr_t)SELECT_64_86(*(uint64_t *)((base)+sizeof(uint64_t)*(offset)), *(uint32_t *)((base)+sizeof(uint32_t)*(offset)))

        this->ptrsize=SELECT_64_86(sizeof(uint64_t),sizeof(uint32_t));
        this->argc=curproc->p_argc;

        /* I haven't determined whether x64 has the same problem (argv[0] points to an invalid area) */
        this->isClean=SELECT_64_86(1, (curproc->p_dtrace_argv==(uregs[R_SP]+sizeof(uint32_t)+sizeof(uint32_t))));
        /* Copy the argv pointer array (argc pointers) out of user memory. */
        this->argv=(uint64_t)copyin(curproc->p_dtrace_argv,this->ptrsize*this->argc);

        /* printf("%s with args:%d (%p, %p)\n",execname, this->argc, curproc->p_dtrace_argv, uregs[R_SP]); */

        /* One printf per argument slot; slots at or beyond argc print an empty string. */
        printf("%s ", (0 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,0)) : "");
        printf("%s ", (1 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,1)) : "");
        printf("%s ", (2 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,2)) : "");
        printf("%s ", (3 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,3)) : "");
        printf("%s ", (4 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,4)) : "");
        printf("%s ", (5 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,5)) : "");
        printf("%s ", (6 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,6)) : "");
        printf("%s ", (7 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,7)) : "");
        printf("%s ", (8 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,8)) : "");
        printf("%s ", (9 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,9)) : "");
        printf("\n");

    #undef GET_POINTER
    #undef SELECT_64_86
    }

    It works like this:
    $ sudo dtrace -C -s args.d
    cc1: warning: /dev/fd/5 is shorter than expected
    gls -Fh --color=auto
    gls -Fh --color=auto -al
    /Applications/OmniGraffle Professional 4.app/Contents/MacOS/OmniGraffle Professional -psn05780867


    Attention:
    This sometimes does not work well (checked by this->isClean), and I couldn't find out the reason.
    This dtrace script can get at most 10 arguments, since dtrace has no control-flow instructions.
    Parsing execve's arguments (arg1) fails more frequently than the approach above.

    Message was edited by: Hi_Toshi
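
As an added example (not code from the thread), this Python model performs the same walk the D script does with GET_POINTER and copyinstr: read argc pointer slots of 4 or 8 bytes, follow each to a NUL-terminated string, and reject pointers that fall outside the readable region. The function names, base addresses and the byte image are constructed for the example; only the sample command line comes from the post.

```python
import struct

def read_cstring(mem, base, addr, limit=256):
    """copyinstr() analogue: NUL-terminated string at user address addr."""
    off = addr - base
    if not 0 <= off < len(mem):
        raise ValueError(f"pointer {addr:#x} is outside the captured region")
    end = mem.find(b"\0", off, off + limit)
    if end == -1:                      # unterminated: truncate at the limit
        end = min(off + limit, len(mem))
    return mem[off:end].decode("utf-8", "replace")

def read_argv(mem, base, argv_addr, argc, is64):
    """Read argc pointer slots at argv_addr and follow each one."""
    fmt, size = ("<Q", 8) if is64 else ("<I", 4)   # little-endian x86
    args = []
    for i in range(argc):              # a loop, so no fixed argument ceiling
        slot = argv_addr - base + i * size
        if slot < 0 or slot + size > len(mem):
            raise ValueError(f"argv[{i}] slot is outside the captured region")
        (ptr,) = struct.unpack_from(fmt, mem, slot)
        args.append(read_cstring(mem, base, ptr))
    return args

def build_image(args, base, is64):
    """Constructed sample memory: pointer array, NULL terminator, strings."""
    fmt, size = ("<Q", 8) if is64 else ("<I", 4)
    str_addr = base + (len(args) + 1) * size
    ptrs, blob = [], b""
    for a in args:
        ptrs.append(str_addr + len(blob))
        blob += a.encode() + b"\0"
    return b"".join(struct.pack(fmt, p) for p in ptrs + [0]) + blob

if __name__ == "__main__":
    sample = ["gls", "-Fh", "--color=auto", "-al"]   # command line from the post
    for is64, base in ((False, 0xBFFFF000), (True, 0x7FFF5FBFF000)):
        image = build_image(sample, base, is64)
        print("64-bit" if is64 else "32-bit",
              read_argv(image, base, base, len(sample), is64))
```

Reading a 64-bit image with the 32-bit slot size yields truncated pointers that fail the bounds check, which is why the script has to select the pointer width per process.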