(command.CommandList children: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:tracing spids:[148]) op: Equal rhs: {(/sys/kernel/debug/tracing)} spids: [148] ) ] spids: [148] ) (command.CommandList children: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:flock spids:[151]) op: Equal rhs: {(/var/tmp/.ftrace-lock)} spids: [151] ) ] spids: [151] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:wroteflock spids:[155]) op: Equal rhs: {(0)} spids: [155] ) ] spids: [155] ) ] ) (command.CommandList children: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_duration spids:[158]) op: Equal rhs: {(0)} spids: [158] ) ] spids: [158] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:duration spids:[162]) op: Equal rhs: (word.EmptyWord) spids: [162] ) ] spids: [162] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_name spids:[165]) op: Equal rhs: {(0)} spids: [165] ) ] spids: [165] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:name spids:[169]) op: Equal rhs: (word.EmptyWord) spids: [169] ) ] spids: [169] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_pid spids:[172]) op: Equal rhs: {(0)} spids: [172] ) ] spids: [172] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:pid spids:[176]) op: Equal rhs: (word.EmptyWord) spids: [176] ) ] spids: [176] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:ftext spids:[179]) op: Equal rhs: (word.EmptyWord) spids: [179] ) ] spids: [179] ) ] ) (command.CommandList children: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_time spids:[181]) op: Equal rhs: {(0)} spids: [181] ) ] spids: [181] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_fail spids:[185]) op: Equal rhs: {(0)} spids: [185] ) ] spids: [185] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_file spids:[189]) op: Equal rhs: {(0)} spids: [189] ) ] spids: [189] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:file spids:[193]) op: Equal rhs: (word.EmptyWord) spids: [193] ) ] spids: [193] ) ] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:kevent_entry spids:[195]) op: Equal rhs: {(events/syscalls/sys_enter_kill)} spids: [195] ) ] spids: [195] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:kevent_return spids:[198]) op: Equal rhs: {(events/syscalls/sys_exit_kill)} spids: [198] ) ] spids: [198] ) (C {(trap)} {(SQ <':'>)} {(INT)} {(QUIT)} {(TERM)} {(PIPE)} {(HUP)}) (command.FuncDef name: usage body: (command.BraceGroup children: [ (command.SimpleCommand words: [{(cat)}] redirects: [ (redir.HereDoc op: <Redir_DLessDash '<<-'> fd: 16777215 here_begin: {(END)} here_end_span_id: 250 stdin_parts: [ ('USAGE: killsnoop [-hst] [-d secs] [-p PID] [-n name] [filename]\n') (' -d seconds # trace duration, and use buffers\n') (' -n name # process name to match \n') (' -p PID # PID to match on kill issue\n') (' -t # include time (seconds)\n') (' -s # human readable signal names\n') (' -h # this usage message\n') (' eg,\n') (' killsnoop # watch kill()s live (unbuffered)\n') (' killsnoop -d 1 # trace 1 sec (buffered)\n') (' killsnoop -p 181 # trace kill()s issued to PID 181 only\n') ('\n') ('See the man page and example file for more info.\n') ] ) (redir.Redir op:<Redir_GreatAnd '>&'> fd:16777215 arg_word:{(2)}) ] ) (command.ControlFlow token:<ControlFlow_Exit exit>) ] spids: [225] ) spids: [221 224] ) (command.FuncDef name: warn body: (command.BraceGroup children: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [(C {(eval)} {(DQ ($ VSub_At '$@'))})] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (command.SimpleCommand words: [ {(echo)} { (DQ ('WARNING: command failed ') (word_part.EscapedLiteralPart token: <Lit_EscapedChar '\\"'> ) ($ VSub_At '$@') (word_part.EscapedLiteralPart token:<Lit_EscapedChar '\\"'>) ) } ] redirects: [(redir.Redir op:<Redir_GreatAnd '>&'> fd:16777215 arg_word:{(2)})] ) ] spids: [16777215 275] ) ] spids: [16777215 291] ) ] spids: [261] ) spids: [257 260] ) (command.FuncDef name: end body: (command.BraceGroup children: [ (command.SimpleCommand words: [{(echo)}] redirects: [(redir.Redir op:<Redir_Great '2>'> fd:2 arg_word:{(/dev/null)})] ) (command.SimpleCommand words: [{(echo)} {(DQ ('Ending tracing...'))}] redirects: [(redir.Redir op:<Redir_Great '2>'> fd:2 arg_word:{(/dev/null)})] ) (C {(cd)} {($ VSub_DollarName '$tracing')}) (C {(warn)} {(DQ ('echo 0 > ') ($ VSub_DollarName '$kevent_entry') (/enable))}) (C {(warn)} {(DQ ('echo 0 > ') ($ VSub_DollarName '$kevent_return') (/enable))}) (C {(warn)} {(DQ ('echo > trace'))}) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike wroteflock>) spids: [353 358] ) (C {(warn)} {(DQ ('rm ') ($ VSub_DollarName '$flock'))}) ] ) ] spids: [300] ) spids: [296 299] ) (command.FuncDef name: die body: (command.BraceGroup children: [ (command.SimpleCommand words: [{(echo)} {(DQ ($ VSub_At '$@'))}] redirects: [(redir.Redir op:<Redir_GreatAnd '>&'> fd:16777215 arg_word:{(2)})] ) (command.ControlFlow token:<ControlFlow_Exit exit> arg_word:{(1)}) ] spids: [376] ) spids: [372 375] ) (command.FuncDef name: edie body: (command.BraceGroup children: [ (command.SimpleCommand words: [{(echo)} {(DQ ($ VSub_At '$@'))}] redirects: [(redir.Redir op:<Redir_GreatAnd '>&'> fd:16777215 arg_word:{(2)})] ) (command.SimpleCommand words: [{(exec)}] redirects: [ (redir.Redir op:<Redir_Great '>'> fd:16777215 arg_word:{(/dev/null)}) (redir.Redir op:<Redir_GreatAnd '2>&'> fd:2 arg_word:{(1)}) ] ) (C {(end)}) (command.ControlFlow token:<ControlFlow_Exit exit> arg_word:{(1)}) ] spids: [400] ) spids: [396 399] ) (command.WhileUntil keyword: <KW_While while> cond: [ (C {(getopts)} {(d) (Lit_Other ':') (hn) (Lit_Other ':') (p) (Lit_Other ':') (st)} {(opt)}) ] body: (command.DoGroup children: [ (command.Case to_match: {($ VSub_DollarName '$opt')} arms: [ (case_arm pat_list: [{(d)}] action: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_duration spids:[466]) op: Equal rhs: {(1)} spids: [466] ) ] spids: [466] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:duration spids:[470]) op: Equal rhs: {($ VSub_DollarName '$OPTARG')} spids: [470] ) ] spids: [470] ) ] spids: [463 464 473 16777215] ) (case_arm pat_list: [{(n)}] action: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_name spids:[479]) op: Equal rhs: {(1)} spids: [479] ) ] spids: [479] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:name spids:[483]) op: Equal rhs: {($ VSub_DollarName '$OPTARG')} spids: [483] ) ] spids: [483] ) ] spids: [476 477 486 16777215] ) (case_arm pat_list: [{(p)}] action: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_pid spids:[492]) op: Equal rhs: {(1)} spids: [492] ) ] spids: [492] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:pid spids:[496]) op: Equal rhs: {($ VSub_DollarName '$OPTARG')} spids: [496] ) ] spids: [496] ) ] spids: [489 490 499 16777215] ) (case_arm pat_list: [{(t)}] action: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_time spids:[505]) op: Equal rhs: {(1)} spids: [505] ) ] spids: [505] ) ] spids: [502 503 508 16777215] ) (case_arm pat_list: [{(s)}] action: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_fancy spids:[514]) op: Equal rhs: {(1)} spids: [514] ) ] spids: [514] ) ] spids: [511 512 517 16777215] ) (case_arm pat_list: [{(h)} {(Lit_Other '?')}] action: [(C {(usage)})] spids: [520 523 527 16777215] ) ] spids: [456 460 530] ) ] spids: [453 532] ) ) (C {(shift)} { (word_part.ArithSubPart anode: (arith_expr.ArithBinary op_id: Arith_Minus left: (arith_expr.ArithWord w:{($ VSub_DollarName '$OPTIND')}) right: (arith_expr.ArithWord w:{(Lit_Digits 1)}) ) spids: [536 545] ) } ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child:(arith_expr.ArithWord w:{($ VSub_Pound '$#')}) spids:[547 552]) (C {(usage)}) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithBinary op_id: Arith_DAmp left: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_pid>) right: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_name>) ) spids: [562 571] ) (C {(die)} {(DQ ('ERROR: use either -p or -n.'))}) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_pid>) spids: [581 586] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:ftext spids:[590]) op: Equal rhs: {(DQ (' issued to PID ') ($ VSub_DollarName '$pid'))} spids: [590] ) ] spids: [590] ) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_name>) spids: [596 601] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:ftext spids:[605]) op: Equal rhs: { (DQ (' issued by process name ') (word_part.EscapedLiteralPart token:<Lit_EscapedChar '\\"'>) ($ VSub_DollarName '$name') (word_part.EscapedLiteralPart token:<Lit_EscapedChar '\\"'>) ) } spids: [605] ) ] spids: [605] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_duration>) spids: [615 620] ) terminator: <Op_Semi ';'> ) ] action: [ (C {(echo)} { (DQ ('Tracing kill()s') ($ VSub_DollarName '$ftext') (' for ') ($ VSub_DollarName '$duration') (' seconds (buffered)...') ) } ) ] spids: [16777215 623] ) ] else_action: [ (C {(echo)} {(DQ ('Tracing kill()s') ($ VSub_DollarName '$ftext') ('. Ctrl-C to end.'))}) ] spids: [636 647] ) (command.AndOr ops: [Op_DAmp Op_DAmp Op_DAmp Op_DAmp] children: [ (command.DBracket expr:(bool_expr.BoolUnary op_id:BoolUnary_x child:{(/usr/bin/mawk)})) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:awk spids:[666]) op: Equal rhs: {(DQ (mawk))} spids: [666] ) ] spids: [666] ) (C {(mawk)} {(-W)} {(interactive)}) (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:awk spids:[694]) op: Equal rhs: {(DQ ('mawk -W interactive'))} spids: [694] ) ] spids: [694] ) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DBracket expr:(bool_expr.BoolUnary op_id:BoolUnary_x child:{(/usr/bin/gawk)})) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:awk spids:[712]) op: Equal rhs: {(DQ ('gawk --non-decimal-data'))} spids: [712] ) ] spids: [712] ) ] ) (command.AndOr ops: [Op_DPipe] children: [ (C {(cd)} {($ VSub_DollarName '$tracing')}) (C {(die)} { (DQ ('ERROR: accessing tracing. Root user? Kernel has FTRACE?\n') (' debugfs mounted? (mount -t debugfs debugfs /sys/kernel/debug)') ) } ) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DBracket expr: (bool_expr.BoolUnary op_id:BoolUnary_e child:{($ VSub_DollarName '$flock')}) ) (C {(die)} { (DQ ('ERROR: ftrace may be in use by PID ') (word_part.CommandSubPart command_list: (command.CommandList children: [(C {(cat)} {($ VSub_DollarName '$flock')})] ) left_token: <Left_CommandSub '$('> spids: [752 756] ) (' ') ($ VSub_DollarName '$flock') ) } ) ] ) (command.AndOr ops: [Op_DPipe] children: [ (command.SimpleCommand words: [{(echo)} {($ VSub_Dollar '$$')}] redirects: [ (redir.Redir op: <Redir_Great '>'> fd: 16777215 arg_word: {($ VSub_DollarName '$flock')} ) ] ) (C {(die)} {(DQ ('ERROR: unable to write ') ($ VSub_DollarName '$flock') (.))}) ] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:wroteflock spids:[779]) op: Equal rhs: {(1)} spids: [779] ) ] spids: [779] ) (command.SimpleCommand words: [{(echo)} {(nop)}] redirects: [(redir.Redir op:<Redir_Great '>'> fd:16777215 arg_word:{(current_tracer)})] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (command.SimpleCommand words: [{(echo)} {(1)}] redirects: [ (redir.Redir op: <Redir_Great '>'> fd: 16777215 arg_word: {($ VSub_DollarName '$kevent_entry') (/enable)} ) ] ) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [(C {(edie)} {(DQ ('ERROR: enabling kill() entry tracepoint Exiting.'))})] spids: [16777215 808] ) ] spids: [16777215 817] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (command.SimpleCommand words: [{(echo)} {(1)}] redirects: [ (redir.Redir op: <Redir_Great '>'> fd: 16777215 arg_word: {($ VSub_DollarName '$kevent_return') (/enable)} ) ] ) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [(C {(edie)} {(DQ ('ERROR: enabling kill() return tracepoint. Exiting.'))})] spids: [16777215 833] ) ] spids: [16777215 842] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_time>) spids: [844 849] ) (C {(printf)} {(DQ ('%-16s '))} {(DQ (TIMEs))}) ] ) (C {(printf)} {(DQ ('%-16.16s %-6s %-8s %-10s %4s') (Lit_Other '\\') (n))} {(DQ (COMM))} {(DQ (PID))} {(DQ (TPID))} {(DQ (SIGNAL))} {(DQ (RETURN))} ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:offset spids:[913]) op: Equal rhs: { (word_part.CommandSubPart command_list: (command.CommandList children: [ (C {($ VSub_DollarName '$awk')} { (SQ <'BEGIN { o = 0; }\n'> <' $1 == "#" && $2 ~ /TASK/ && NF == 6 { o = 1; }\n'> <' $2 ~ /TASK/ { print o; exit }'> ) } {(trace)} ) ] ) left_token: <Left_CommandSub '$('> spids: [914 924] ) } spids: [913] ) ] spids: [913] ) (C {(warn)} {(DQ ('echo > trace'))}) (command.Pipeline children: [ (command.Subshell command_list: (command.CommandList children: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_duration>) spids: [940 945] ) terminator: <Op_Semi ';'> ) ] action: [(C {(sleep)} {($ VSub_DollarName '$duration')}) (C {(cat)} {(trace)})] spids: [16777215 948] ) ] else_action: [(C {(cat)} {(trace_pipe)})] spids: [964 975] ) ] ) spids: [936 977] ) (C {($ VSub_DollarName '$awk')} {(-v)} {(Lit_VarLike 'o=') ($ VSub_DollarName '$offset')} {(-v)} {(Lit_VarLike 'opt_name=') ($ VSub_DollarName '$opt_name')} {(-v)} {(Lit_VarLike 'name=') ($ VSub_DollarName '$name')} {(-v)} {(Lit_VarLike 'opt_duration=') ($ VSub_DollarName '$opt_duration')} {(-v)} {(Lit_VarLike 'opt_time=') ($ VSub_DollarName '$opt_time')} {(-v)} {(Lit_VarLike 'opt_pid=') ($ VSub_DollarName '$pid')} {(-v)} {(Lit_VarLike 'opt_fancy=') ($ VSub_DollarName '$opt_fancy')} { (SQ <'\n'> <' # fancy signal names\n'> <' BEGIN {\n'> <' signals[1] = "SIGHUP"\n'> <' signals[2] = "SIGINT"\n'> <' signals[3] = "SIGQUIT"\n'> <' signals[4] = "SIGILL"\n'> <' signals[6] = "SIGABRT"\n'> <' signals[8] = "SIGFPE"\n'> <' signals[9] = "SIGKILL"\n'> <' signals[11] = "SIGSEGV"\n'> <' signals[13] = "SIGPIPE"\n'> <' signals[14] = "SIGALRM"\n'> <' signals[15] = "SIGTERM"\n'> <' signals[10] = "SIGUSR1"\n'> <' signals[12] = "SIGUSR2"\n'> <' signals[17] = "SIGCHLD"\n'> <' signals[18] = "SIGCONT"\n'> <' signals[19] = "SIGSTOP"\n'> <' signals[20] = "SIGTSTP"\n'> <' signals[21] = "SIGTTIN"\n'> <' signals[22] = "SIGTTOU"\n'> <' }\n'> <'\n'> <' # common fields\n'> <' $1 != "#" {\n'> <' # task name can contain dashes\n'> <' comm = pid = $1\n'> <' sub(/-[0-9][0-9]*/, "", comm)\n'> <' if (opt_name && match(comm, name) == 0)\n'> <' next\n'> <' sub(/.*-/, "", pid)\n'> <' }\n'> <'\n'> <' # sys_kill() entry\n'> <' $1 != "#" && $(4+o) ~ /sys_kill/ && $(5+o) !~ /->/ {\n'> <' #\n'> <' # eg: ... sys_kill(pid:...\n'> <' #\n'> <' kpid = $(5+o)\n'> <' signal = $(7+o)\n'> <' sub(/,$/, "", kpid)\n'> <' sub(/\\)$/, "", signal)\n'> <' kpid = int("0x"kpid)\n'> <' signal = int("0x"signal)\n'> <' current[pid,"kpid"] = kpid\n'> <' current[pid,"signal"] = signal\n'> <' }\n'> <'\n'> <' # sys_kill exit\n'> <' $1 != "#" && $(5+o) ~ /->/ {\n'> <' rv = int($NF)\n'> <' killed_pid = current[pid,"kpid"]\n'> <' signal = current[pid,"signal"]\n'> <'\n'> <' delete current[pid,"kpid"]\n'> <' delete current[pid,"signal"]\n'> <'\n'> <' if(opt_pid && killed_pid != opt_pid) {\n'> <' next\n'> <' }\n'> <'\n'> <' if (opt_time) {\n'> <' time = $(3+o); sub(":", "", time)\n'> <' printf "%-16s ", time\n'> <' }\n'> <'\n'> <' if (opt_fancy) {\n'> <' if (signals[signal] != "") {\n'> <' signal = signals[signal]\n'> <' }\n'> <' }\n'> <'\n'> < ' printf "%-16.16s %-6s %-8s %-10s %-4s\\n", comm, pid, killed_pid, signal,\n' > <' rv\n'> <' }\n'> <'\n'> <' $0 ~ /LOST.*EVENTS/ { print "WARNING: " $0 > "/dev/stderr" }\n'> ) } ) ] negated: F ) (C {(end)}) ] )