I'm currently doing some experiments, and I need to record all the events that are generated during the execution of normal stress-ng execution cyle like this /usr/bin/stress-ng -c 80 -t 30 --times --exec 50 --exec-ops 50
, specifically the ones related to exec (sched:sched_process_exec
and syscalls:sys_enter_execve
).
Unfortunately when analysing the trace file, I get some processes that didn't generated any sys_execve
, but were captured by the sched_process_exec
, which to me makes no sense.
This happened even though no events where lost (in the trace file the entries in buffer/written are the same, and trace-cmd doesn't warn about events lost).
Given this situation I can't understand why this happens, and the only explanation I can give is that these events are not being recorded. Any help would be appreciated.
Here's an example for reference of trace file I get
To be clear in what I'm saying, these lines should be the norm:
stress-ng-1748 [001] .... 19573.548553: sys_execve(filename: 7ffe7a791720, argv: 7ffe7a791700, envp: 7ffe7a7916f8)
stress-ng-1748 [001] .... 19573.548707: sched_process_exec: filename=/usr/bin/stress-ng pid=1748 old_pid=1748
A process which generated both the sys_execve
event and the sched_process_exec
event.
Whereas this one:
stress-ng-1780 [005] .... 19573.598398: sched_process_exec: filename=/usr/bin/stress-ng pid=1780 old_pid=1780
which is the last one of the file in the link, is an example of process without a sys_execve
event associated.
Bonus question: I'd also need to record the equivalent fork event (namely syscalls:sys_enter_fork
) with a stress execution with fork-ops (or something equivalent), but I haven't been able to do so, neither from trace-cmd, nor manually from Ftrace. I've read around the internet that there are some special cases when dealing with forking processes, but couldn't understand what to do in order to record this event in particular.
Any help on this matter would be appreciated as well.
I solved this problem by also capturing the event syscalls:sys_enter_execve
. Between the two of them I was able to get every instance of exec called.