(command.CommandList children: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:tracing spids:[166]) op: Equal rhs: {(/sys/kernel/debug/tracing)} spids: [166] ) ] spids: [166] ) (command.CommandList children: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:flock spids:[169]) op: Equal rhs: {(/var/tmp/.ftrace-lock)} spids: [169] ) ] spids: [169] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:wroteflock spids:[173]) op: Equal rhs: {(0)} spids: [173] ) ] spids: [173] ) ] ) (command.CommandList children: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_duration spids:[176]) op: Equal rhs: {(0)} spids: [176] ) ] spids: [176] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:duration spids:[180]) op: Equal rhs: (word.EmptyWord) spids: [180] ) ] spids: [180] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_name spids:[183]) op: Equal rhs: {(0)} spids: [183] ) ] spids: [183] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:name spids:[187]) op: Equal rhs: (word.EmptyWord) spids: [187] ) ] spids: [187] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_time spids:[190]) op: Equal rhs: {(0)} spids: [190] ) ] spids: [190] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_reexec spids:[194]) op: Equal rhs: {(0)} spids: [194] ) ] spids: [194] ) ] ) (command.CommandList children: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_argc spids:[197]) op: Equal rhs: {(0)} spids: [197] ) ] spids: [197] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:argc spids:[201]) op: Equal rhs: {(8)} spids: [201] ) ] spids: [201] ) terminator: <Op_Semi ';'> ) (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:max_argc spids:[205]) op: Equal rhs: {(16)} spids: [205] ) ] spids: [205] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:ftext spids:[209]) op: Equal rhs: (word.EmptyWord) spids: [209] ) ] spids: [209] ) ] ) (C {(trap)} {(SQ <':'>)} {(INT)} {(QUIT)} {(TERM)} {(PIPE)} {(HUP)}) (command.FuncDef name: usage body: (command.BraceGroup children: [ (command.SimpleCommand words: [{(cat)}] redirects: [ (redir.HereDoc op: <Redir_DLessDash '<<-'> fd: 16777215 here_begin: {(END)} here_end_span_id: 267 stdin_parts: [ ('USAGE: execsnoop [-hrt] [-a argc] [-d secs] [name]\n') (' -d seconds # trace duration, and use buffers\n') (' -a argc # max args to show (default 8)\n') (' -r # include re-execs\n') (' -t # include time (seconds)\n') (' -h # this usage message\n') (' name # process name to match (REs allowed)\n') (' eg,\n') (' execsnoop # watch exec()s live (unbuffered)\n') (' execsnoop -d 1 # trace 1 sec (buffered)\n') (' execsnoop grep # trace process names containing grep\n') (" execsnoop 'log") (Lit_Other '$') ("' # filenames ending in ") (Right_DoubleQuote '"') (log) (Right_DoubleQuote '"') ('\n') ('\n') ('See the man page and example file for more info.\n') ] ) (redir.Redir op:<Redir_GreatAnd '>&'> fd:16777215 arg_word:{(2)}) ] ) (command.ControlFlow token:<ControlFlow_Exit exit>) ] spids: [235] ) spids: [231 234] ) (command.FuncDef name: warn body: (command.BraceGroup children: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [(C {(eval)} {(DQ ($ VSub_At '$@'))})] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (command.SimpleCommand words: [ {(echo)} { (DQ ('WARNING: command failed ') (word_part.EscapedLiteralPart token: <Lit_EscapedChar '\\"'> ) ($ VSub_At '$@') (word_part.EscapedLiteralPart token:<Lit_EscapedChar '\\"'>) ) } ] redirects: [(redir.Redir op:<Redir_GreatAnd '>&'> fd:16777215 arg_word:{(2)})] ) ] spids: [16777215 292] ) ] spids: [16777215 308] ) ] spids: [278] ) spids: [274 277] ) (command.FuncDef name: end body: (command.BraceGroup children: [ (command.SimpleCommand words: [{(echo)}] redirects: [(redir.Redir op:<Redir_Great '2>'> fd:2 arg_word:{(/dev/null)})] ) (command.SimpleCommand words: [{(echo)} {(DQ ('Ending tracing...'))}] redirects: [(redir.Redir op:<Redir_Great '2>'> fd:2 arg_word:{(/dev/null)})] ) (C {(cd)} {($ VSub_DollarName '$tracing')}) (C {(warn)} {(DQ ('echo 0 > events/kprobes/') ($ VSub_DollarName '$kname') (/enable))}) (C {(warn)} {(DQ ('echo 0 > events/sched/sched_process_fork/enable'))}) (C {(warn)} {(DQ ('echo -:') ($ VSub_DollarName '$kname') (' >> kprobe_events'))}) (C {(warn)} {(DQ ('echo > trace'))}) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike wroteflock>) spids: [377 382] ) (C {(warn)} {(DQ ('rm ') ($ VSub_DollarName '$flock'))}) ] ) ] spids: [317] ) spids: [313 316] ) (command.FuncDef name: die body: (command.BraceGroup children: [ (command.SimpleCommand words: [{(echo)} {(DQ ($ VSub_At '$@'))}] redirects: [(redir.Redir op:<Redir_GreatAnd '>&'> fd:16777215 arg_word:{(2)})] ) (command.ControlFlow token:<ControlFlow_Exit exit> arg_word:{(1)}) ] spids: [400] ) spids: [396 399] ) (command.FuncDef name: edie body: (command.BraceGroup children: [ (command.SimpleCommand words: [{(echo)} {(DQ ($ VSub_At '$@'))}] redirects: [(redir.Redir op:<Redir_GreatAnd '>&'> fd:16777215 arg_word:{(2)})] ) (command.SimpleCommand words: [{(exec)}] redirects: [ (redir.Redir op:<Redir_Great '>'> fd:16777215 arg_word:{(/dev/null)}) (redir.Redir op:<Redir_GreatAnd '2>&'> fd:2 arg_word:{(1)}) ] ) (C {(end)}) (command.ControlFlow token:<ControlFlow_Exit exit> arg_word:{(1)}) ] spids: [424] ) spids: [420 423] ) (command.WhileUntil keyword: <KW_While while> cond: [(C {(getopts)} {(a) (Lit_Other ':') (d) (Lit_Other ':') (hrt)} {(opt)})] body: (command.DoGroup children: [ (command.Case to_match: {($ VSub_DollarName '$opt')} arms: [ (case_arm pat_list: [{(a)}] action: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_argc spids:[488]) op: Equal rhs: {(1)} spids: [488] ) ] spids: [488] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:argc spids:[492]) op: Equal rhs: {($ VSub_DollarName '$OPTARG')} spids: [492] ) ] spids: [492] ) ] spids: [485 486 495 16777215] ) (case_arm pat_list: [{(d)}] action: [ (command.Sentence child: (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_duration spids:[501]) op: Equal rhs: {(1)} spids: [501] ) ] spids: [501] ) terminator: <Op_Semi ';'> ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:duration spids:[505]) op: Equal rhs: {($ VSub_DollarName '$OPTARG')} spids: [505] ) ] spids: [505] ) ] spids: [498 499 508 16777215] ) (case_arm pat_list: [{(r)}] action: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_reexec spids:[514]) op: Equal rhs: {(1)} spids: [514] ) ] spids: [514] ) ] spids: [511 512 517 16777215] ) (case_arm pat_list: [{(t)}] action: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_time spids:[523]) op: Equal rhs: {(1)} spids: [523] ) ] spids: [523] ) ] spids: [520 521 526 16777215] ) (case_arm pat_list: [{(h)} {(Lit_Other '?')}] action: [(C {(usage)})] spids: [529 532 536 16777215] ) ] spids: [478 482 539] ) ] spids: [475 541] ) ) (C {(shift)} { (word_part.ArithSubPart anode: (arith_expr.ArithBinary op_id: Arith_Minus left: (arith_expr.ArithWord w:{($ VSub_DollarName '$OPTIND')}) right: (arith_expr.ArithWord w:{(Lit_Digits 1)}) ) spids: [545 554] ) } ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.DParen child: (arith_expr.ArithWord w:{($ VSub_Pound '$#')}) spids: [558 563] ) terminator: <Op_Semi ';'> ) ] action: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:opt_name spids:[569]) op: Equal rhs: {(1)} spids: [569] ) ] spids: [569] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:name spids:[573]) op: Equal rhs: {($ VSub_Number '$1')} spids: [573] ) ] spids: [573] ) (C {(shift)}) ] spids: [16777215 566] ) ] spids: [16777215 579] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child:(arith_expr.ArithWord w:{($ VSub_Pound '$#')}) spids:[581 586]) (C {(usage)}) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithBinary op_id: Arith_DAmp left: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_pid>) right: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_name>) ) spids: [596 605] ) (C {(die)} {(DQ ('ERROR: use either -p or -n.'))}) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_pid>) spids: [615 620] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:ftext spids:[624]) op: Equal rhs: {(DQ (' issued by PID ') ($ VSub_DollarName '$pid'))} spids: [624] ) ] spids: [624] ) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_name>) spids: [630 635] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:ftext spids:[639]) op: Equal rhs: { (DQ (' issued by process name ') (word_part.EscapedLiteralPart token:<Lit_EscapedChar '\\"'>) ($ VSub_DollarName '$name') (word_part.EscapedLiteralPart token:<Lit_EscapedChar '\\"'>) ) } spids: [639] ) ] spids: [639] ) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_file>) spids: [647 652] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:ftext spids:[656]) op: Equal rhs: { (DQ ($ VSub_DollarName '$ftext') (' for filenames containing ') (word_part.EscapedLiteralPart token:<Lit_EscapedChar '\\"'>) ($ VSub_DollarName '$file') (word_part.EscapedLiteralPart token:<Lit_EscapedChar '\\"'>) ) } spids: [656] ) ] spids: [656] ) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithBinary op_id: Arith_DAmp left: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_argc>) right: (arith_expr.ArithBinary op_id: Arith_Great left: (arith_expr.ArithVarRef token:<Lit_ArithVarLike argc>) right: (arith_expr.ArithVarRef token:<Lit_ArithVarLike max_argc>) ) ) spids: [665 678] ) (C {(die)} {(DQ ('ERROR: max -a argc is ') ($ VSub_DollarName '$max_argc') (.))}) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_duration>) spids: [692 697] ) terminator: <Op_Semi ';'> ) ] action: [ (C {(echo)} { (DQ ('Tracing exec()s') ($ VSub_DollarName '$ftext') (' for ') ($ VSub_DollarName '$duration') (' seconds (buffered)...') ) } ) ] spids: [16777215 700] ) ] else_action: [ (C {(echo)} {(DQ ('Tracing exec()s') ($ VSub_DollarName '$ftext') ('. Ctrl-C to end.'))}) ] spids: [713 724] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_duration>) spids: [732 737] ) terminator: <Op_Semi ';'> ) ] action: [ (command.AndOr ops: [Op_DAmp Op_DPipe] children: [ (command.DBracket expr: (bool_expr.BoolUnary op_id:BoolUnary_x child:{(/usr/bin/mawk)}) ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:awk spids:[753]) op: Equal rhs: {(mawk)} spids: [753] ) ] spids: [753] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:awk spids:[758]) op: Equal rhs: {(awk)} spids: [758] ) ] spids: [758] ) ] ) ] spids: [16777215 740] ) ] else_action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.DBracket expr: (bool_expr.BoolUnary op_id:BoolUnary_x child:{(/usr/bin/gawk)}) ) terminator: <Op_Semi ';'> ) ] action: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:awk spids:[782]) op: Equal rhs: {(gawk)} spids: [782] ) ] spids: [782] ) ] spids: [16777215 779] ) (if_arm cond: [ (command.Sentence child: (command.DBracket expr: (bool_expr.BoolUnary op_id:BoolUnary_x child:{(/usr/bin/mawk)}) ) terminator: <Op_Semi ';'> ) ] action: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:awk spids:[800]) op: Equal rhs: {(DQ ('mawk -W interactive'))} spids: [800] ) ] spids: [800] ) ] spids: [786 797] ) ] else_action: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:awk spids:[809]) op: Equal rhs: {(awk)} spids: [809] ) ] spids: [809] ) ] spids: [806 813] ) ] spids: [761 815] ) (command.AndOr ops: [Op_DPipe] children: [ (C {(cd)} {($ VSub_DollarName '$tracing')}) (C {(die)} { (DQ ('ERROR: accessing tracing. Root user? Kernel has FTRACE?\n') (' debugfs mounted? (mount -t debugfs debugfs /sys/kernel/debug)') ) } ) ] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DBracket expr: (bool_expr.BoolUnary op_id:BoolUnary_e child:{($ VSub_DollarName '$flock')}) ) (C {(die)} { (DQ ('ERROR: ftrace may be in use by PID ') (word_part.CommandSubPart command_list: (command.CommandList children: [(C {(cat)} {($ VSub_DollarName '$flock')})] ) left_token: <Left_CommandSub '$('> spids: [852 856] ) (' ') ($ VSub_DollarName '$flock') ) } ) ] ) (command.AndOr ops: [Op_DPipe] children: [ (command.SimpleCommand words: [{(echo)} {($ VSub_Dollar '$$')}] redirects: [ (redir.Redir op: <Redir_Great '>'> fd: 16777215 arg_word: {($ VSub_DollarName '$flock')} ) ] ) (C {(die)} {(DQ ('ERROR: unable to write ') ($ VSub_DollarName '$flock') (.))}) ] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:wroteflock spids:[879]) op: Equal rhs: {(1)} spids: [879] ) ] spids: [879] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.DBracket expr: (bool_expr.BoolUnary op_id:BoolUnary_x child:{(/usr/bin/getconf)}) ) terminator: <Op_Semi ';'> ) ] action: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:bits spids:[900]) op: Equal rhs: { (word_part.CommandSubPart command_list: (command.CommandList children:[(C {(getconf)} {(LONG_BIT)})]) left_token: <Left_CommandSub '$('> spids: [901 905] ) } spids: [900] ) ] spids: [900] ) ] spids: [16777215 897] ) ] else_action: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:bits spids:[910]) op: Equal rhs: {(64)} spids: [910] ) ] spids: [910] ) (command.AndOr ops: [Op_DAmp] children: [ (command.DBracket expr: (bool_expr.BoolBinary op_id: BoolBinary_GlobDEqual left: { (word_part.CommandSubPart command_list: (command.CommandList children:[(C {(uname)} {(-m)})]) left_token: <Left_CommandSub '$('> spids: [916 920] ) } right: {(i) (Lit_Other '*')} ) ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:bits spids:[931]) op: Equal rhs: {(32)} spids: [931] ) ] spids: [931] ) ] ) ] spids: [907 934] ) (command.DParen child: (arith_expr.BinaryAssign op_id: Arith_Equal left: (lhs_expr.LhsName name:offset spids:[938]) right: (arith_expr.ArithBinary op_id: Arith_Slash left: (arith_expr.ArithVarRef token:<Lit_ArithVarLike bits>) right: (arith_expr.ArithWord w:{(Lit_Digits 8)}) ) ) spids: [936 949] ) (command.FuncDef name: makeprobe body: (command.BraceGroup children: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:func spids:[958]) op: Equal rhs: {($ VSub_Number '$1')} spids: [958] ) ] spids: [958] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:kname spids:[962]) op: Equal rhs: {(execsnoop_) ($ VSub_DollarName '$func')} spids: [962] ) ] spids: [962] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:kprobe spids:[967]) op: Equal rhs: {(DQ ('p:') ($ VSub_DollarName '$kname') (' ') ($ VSub_DollarName '$func'))} spids: [967] ) ] spids: [967] ) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:i spids:[976]) op: Equal rhs: {(0)} spids: [976] ) ] spids: [976] ) (command.WhileUntil keyword: <KW_While while> cond: [ (command.Sentence child: (command.DParen child: (arith_expr.ArithBinary op_id: Arith_Less left: (arith_expr.ArithVarRef token:<Lit_ArithVarLike i>) right: (arith_expr.ArithBinary op_id: Arith_Plus left: (arith_expr.ArithVarRef token:<Lit_ArithVarLike argc>) right: (arith_expr.ArithWord w:{(Lit_Digits 1)}) ) ) spids: [982 995] ) terminator: <Op_Semi ';'> ) ] body: (command.DoGroup children: [ (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:kprobe spids:[1005]) op: Equal rhs: { (DQ ($ VSub_DollarName '$kprobe') (' +0(+') (word_part.ArithSubPart anode: (arith_expr.ArithBinary op_id: Arith_Star left: (arith_expr.ArithVarRef token:<Lit_ArithVarLike i>) right: (arith_expr.ArithVarRef token:<Lit_ArithVarLike offset>) ) spids: [1009 1018] ) ('(%si)):string') ) } spids: [1005] ) ] spids: [1005] ) (command.DParen child: (arith_expr.UnaryAssign op_id: Node_PostDPlus child: (lhs_expr.LhsName name:i spids:[1025]) ) spids: [1023 1029] ) ] spids: [998 1032] ) ) ] spids: [955] ) spids: [951 954] ) (C {(makeprobe)} {(sys_execve)}) (command.SimpleCommand words: [{(echo)} {(nop)}] redirects: [(redir.Redir op:<Redir_Great '>'> fd:16777215 arg_word:{(current_tracer)})] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (command.SimpleCommand words: [{(echo)} {($ VSub_DollarName '$kprobe')}] redirects: [ (redir.Redir op: <Redir_DGreat '>>'> fd: 16777215 arg_word: {(kprobe_events)} ) (redir.Redir op: <Redir_Great '2>'> fd: 2 arg_word: {(/dev/null)} ) ] ) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (C {(makeprobe)} {(stub_execve)}) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (command.SimpleCommand words: [{(echo)} {($ VSub_DollarName '$kprobe')}] redirects: [ (redir.Redir op: <Redir_DGreat '>>'> fd: 16777215 arg_word: {(kprobe_events)} ) (redir.Redir op: <Redir_Great '2>'> fd: 2 arg_word: {(/dev/null)} ) ] ) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (C {(makeprobe)} {(do_execve)}) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (command.SimpleCommand words: [{(echo)} {($ VSub_DollarName '$kprobe')}] redirects: [ (redir.Redir op: <Redir_DGreat '>>'> fd: 16777215 arg_word: {(kprobe_events)} ) (redir.Redir op: <Redir_Great '2>'> fd: 2 arg_word: {(/dev/null)} ) ] ) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [(C {(edie)} {(DQ ('ERROR: adding a kprobe for execve. Exiting.'))})] spids: [16777215 1119] ) ] spids: [16777215 1129] ) ] spids: [16777215 1095] ) ] spids: [16777215 1132] ) ] spids: [16777215 1071] ) ] spids: [16777215 1134] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (command.SimpleCommand words: [{(echo)} {(1)}] redirects: [ (redir.Redir op: <Redir_Great '>'> fd: 16777215 arg_word: {(events/kprobes/) ($ VSub_DollarName '$kname') (/enable)} ) ] ) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [(C {(edie)} {(DQ ('ERROR: enabling kprobe for execve. Exiting.'))})] spids: [16777215 1151] ) ] spids: [16777215 1160] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (command.SimpleCommand words: [{(echo)} {(1)}] redirects: [ (redir.Redir op: <Redir_Great '>'> fd: 16777215 arg_word: {(events/sched/sched_process_fork/enable)} ) ] ) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [(C {(edie)} {(DQ ('ERROR: enabling sched:sched_process_fork tracepoint. Exiting.'))})] spids: [16777215 1175] ) ] spids: [16777215 1184] ) (C {(echo)} {(DQ ('Instrumenting ') ($ VSub_DollarName '$func'))}) (command.AndOr ops: [Op_DAmp] children: [ (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_time>) spids: [1193 1198] ) (C {(printf)} {(DQ ('%-16s '))} {(DQ (TIMEs))}) ] ) (C {(printf)} {(DQ ('%6s %6s %s') (Lit_Other '\\') (n))} {(DQ (PID))} {(DQ (PPID))} {(DQ (ARGS))}) (command.Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:offset spids:[1254]) op: Equal rhs: { (word_part.CommandSubPart command_list: (command.CommandList children: [ (C {($ VSub_DollarName '$awk')} { (SQ <'BEGIN { o = 0; }\n'> <'\t$1 == "#" && $2 ~ /TASK/ && NF == 6 { o = 1; }\n'> <'\t$2 ~ /TASK/ { print o; exit }'> ) } {(trace)} ) ] ) left_token: <Left_CommandSub '$('> spids: [1255 1265] ) } spids: [1254] ) ] spids: [1254] ) (C {(warn)} {(DQ ('echo > trace'))}) (command.Pipeline children: [ (command.Subshell child: (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.DParen child: (arith_expr.ArithVarRef token:<Lit_ArithVarLike opt_duration>) spids: [1281 1286] ) terminator: <Op_Semi ';'> ) ] action: [(C {(sleep)} {($ VSub_DollarName '$duration')}) (C {(cat)} {(-v)} {(trace)})] spids: [16777215 1289] ) ] else_action: [(C {(cat)} {(-v)} {(trace_pipe)})] spids: [1307 1320] ) spids: [1277 1322] ) (C {($ VSub_DollarName '$awk')} {(-v)} {(Lit_VarLike 'o=') ($ VSub_DollarName '$offset')} {(-v)} {(Lit_VarLike 'opt_name=') ($ VSub_DollarName '$opt_name')} {(-v)} {(Lit_VarLike 'name=') ($ VSub_DollarName '$name')} {(-v)} {(Lit_VarLike 'opt_duration=') ($ VSub_DollarName '$opt_duration')} {(-v)} {(Lit_VarLike 'opt_time=') ($ VSub_DollarName '$opt_time')} {(-v)} {(Lit_VarLike 'kname=') ($ VSub_DollarName '$kname')} {(-v)} {(Lit_VarLike 'opt_reexec=') ($ VSub_DollarName '$opt_reexec')} { (SQ <'\n'> <'\t# common fields\n'> <'\t$1 != "#" {\n'> <'\t\t# task name can contain dashes\n'> <'\t\tcomm = pid = $1\n'> <'\t\tsub(/-[0-9][0-9]*/, "", comm)\n'> <'\t\tsub(/.*-/, "", pid)\n'> <'\t}\n'> <'\n'> <'\t$1 != "#" && $(4+o) ~ /sched_process_fork/ {\n'> <'\t\tcpid=$0\n'> <'\t\tsub(/.* child_pid=/, "", cpid)\n'> <'\t\tsub(/ .*/, "", cpid)\n'> <'\t\tgetppid[cpid] = pid\n'> <'\t\tdelete seen[pid]\n'> <'\t}\n'> <'\n'> <'\t$1 != "#" && $(4+o) ~ kname {\n'> <'\t\tif (seen[pid])\n'> <'\t\t\tnext\n'> <'\t\tif (opt_name && comm !~ name)\n'> <'\t\t\tnext\n'> <'\n'> <'\t\t#\n'> <'\t\t# examples:\n'> <'\t\t# ... arg1="/bin/echo" arg2="1" arg3="2" arg4="3" ...\n'> <'\t\t# ... arg1="sleep" arg2="2" arg3=(fault) arg4="" ...\n'> <'\t\t# ... arg1="" arg2=(fault) arg3="" arg4="" ...\n'> <'\t\t# the last example is uncommon, and may be a race.\n'> <'\t\t#\n'> <'\t\tif ($0 ~ /arg1=""/) {\n'> <'\t\t\targs = comm " [?]"\n'> <'\t\t} else {\n'> <'\t\t\targs=$0\n'> <'\t\t\tsub(/ arg[0-9]*=\\(fault\\).*/, "", args)\n'> <'\t\t\tsub(/.*arg1="/, "", args)\n'> <'\t\t\tgsub(/" arg[0-9]*="/, " ", args)\n'> <'\t\t\tsub(/"$/, "", args)\n'> <'\t\t\tif ($0 !~ /\\(fault\\)/)\n'> <'\t\t\t\targs = args " [...]"\n'> <'\t\t}\n'> <'\n'> <'\t\tif (opt_time) {\n'> <'\t\t\ttime = $(3+o); sub(":", "", time)\n'> <'\t\t\tprintf "%-16s ", time\n'> <'\t\t}\n'> <'\t\tprintf "%6s %6d %s\\n", pid, getppid[pid], args\n'> <'\t\tif (!opt_duration)\n'> <'\t\t\tfflush()\n'> <'\t\tif (!opt_reexec) {\n'> <'\t\t\tseen[pid] = 1\n'> <'\t\t\tdelete getppid[pid]\n'> <'\t\t}\n'> <'\t}\n'> <'\n'> <'\t$0 ~ /LOST.*EVENT[S]/ { print "WARNING: " $0 > "/dev/stderr" }\n'> ) } ) ] negated: F ) (C {(end)}) ] )