zmitchell/proctrace

Duplicate `exec`s

Opened this issue · 3 comments

Steps to reproduce:

$ proctrace record -o demo.log -- ./demo_script.sh
$ proctrace render -i demo.log -d by-process

You'll see a bunch of duplicate exec events at the beginning of the output.
I suspect that the probe we're using is also firing for threads for some reason.

Ha, it turns out the events aren't erroneous duplicates, they're real! From the output of strace:

[pid 171963] execve("/home/zmitchell/src/proctrace/main/target/debug/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/home/zmitchell/src/proctrace/main/.flox/run/x86_64-linux.proctrace/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/home/zmitchell/src/proctrace/main/.flox/run/x86_64-linux.proctrace/sbin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/home/zmitchell/.local/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/run/wrappers/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/home/zmitchell/.nix-profile/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/nix/profile/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/home/zmitchell/.local/state/nix/profile/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/etc/profiles/per-user/zmitchell/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/nix/var/nix/profiles/default/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/run/current-system/sw/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = 0

So basically we need to record the filename of the program being execed, not just the arguments. We also need to filter out any execve calls that had a non-zero return code.

Both of these can be done very simply in the bpftrace script.
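A standalone bpftrace sketch of the two changes described above (recording the execve filename and dropping calls that did not return 0), added here as an example; it is not proctrace's own probe script, which the issue does not show. It assumes the standard `syscalls:sys_enter_execve` / `sys_exit_execve` tracepoints and, for the parent pid via `curtask`, a kernel with BTF or headers available.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not proctrace's own probe script.

BEGIN
{
    printf("%-8s %-8s %-16s %s\n", "PID", "PPID", "COMM", "FILENAME");
}

// Entry: remember which path this thread is trying to exec. As the strace
// output in the issue shows, one thread hits this probe once per PATH
// entry before a single candidate succeeds.
tracepoint:syscalls:sys_enter_execve
{
    @filename[tid] = str(args->filename);
    @pending[tid] = 1;
}

// Exit: only ret == 0 means the process image was actually replaced;
// ENOENT and friends are just the shell probing PATH. Caveat: a successful
// execve from a non-leader thread changes the caller's tid to the thread
// group leader's, so that one exit will not find its entry record here.
tracepoint:syscalls:sys_exit_execve
/@pending[tid]/
{
    if (args->ret == 0) {
        // After a successful execve, comm is already the new program's name.
        printf("%-8d %-8d %-16s %s\n",
               pid, curtask->real_parent->tgid, comm, @filename[tid]);
    } else {
        // Count discarded attempts by errno (positive value) for sanity
        // checking; bpftrace prints this map when the script exits.
        @failed_execve_by_errno[-args->ret] = count();
    }
    delete(@filename[tid]);
    delete(@pending[tid]);
}
```

Run it as root alongside `./demo_script.sh`; for the strace trace above it prints one line for `/run/current-system/sw/bin/bash` and reports 10 entries under errno 2 (ENOENT) in the failure map.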