SystemTap exec probes

exec.stp

probe kprocess.exec
{
	%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC)%}
 	tid = tid()
 	if (stringat(filename,0) == 0x22) // filename starts with a quotation mark
 	{
		MAP_SYSCALL_EXEC_NAME[tid] = filename 
		MAP_SYSCALL_EXEC_ARGV[tid] = args
 	}
 	else  // failed to recog the filename, trigger do_execve
 	{
		%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_MISS)%}
 		MAP_SYSCALL_DOEXECV_NAME[tid] = @choose_defined($filename, $name)
 		MAP_SYSCALL_DOEXECV_ARGV[tid] = @choose_defined($__argv, $argv)
 	}
}

probe kernel.function("do_execve")
{
	%{HIT_MAP_INC(HIT_MAP_KERNEL_FUNCTION_DO_EXECVE)%}
	
	// see http://lxr.free-electrons.com/source/fs/exec.c#L1805 : I have filename, __argv, __envp
	// see http://lxr.free-electrons.com/source/include/linux/fs.h#L2293
	// I want to do something like
	// MAP_SYSCALL_EXEC_NAME[tid] = pointer_arg(1) // @cast(pointer_arg(1), "filename", "kernel<linux/fs.h>")->name
	// MAP_SYSCALL_EXEC_ARGV[tid] = user_string(pointer_arg(2))
	// MAP_SYSCALL_EXEC_ENVP[tid] = user_string(pointer_arg(3))
	// but it does not work - fails in user_string()
 	tid = tid()
 	if (tid in MAP_SYSCALL_DOEXECV_NAME)
 	{
		%{HIT_MAP_INC(HIT_MAP_KPROCESS_DOEXECVE_HIT)%}

 		filename = user_string(MAP_SYSCALL_DOEXECV_NAME[tid])
 		args = __get_argv(MAP_SYSCALL_DOEXECV_ARGV[tid], 0)
		MAP_SYSCALL_EXEC_NAME[tid] = filename
		MAP_SYSCALL_EXEC_ARGV[tid] = args
 	}
}

function send_syscall_exec(name, argv)
%{
	sendIncidentChars2(INCIDENT_TYPE_KPROCESS_EXEC, (u8*)STAP_ARG_name, (u8*)STAP_ARG_argv);
%}

probe kprocess.exec_complete
{
	%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_COMPLETE)%}
	if ($return >= 0)
	{
		%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_OK)%}
 		tid = tid()
		send_syscall_exec(MAP_SYSCALL_EXEC_NAME[tid], MAP_SYSCALL_EXEC_ARGV[tid])
	}
	else
	{
		%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_ERR)%}
	}
}