Finding out when a child process forks or calls exec

[Dan McNulty]

Hi all,

I have been experimenting with ptrace to determine when a child
process forks or calls exec. Particularly, I have explored tracing
every system call entry and exit similar to what the truss utility
does, and for my case, the performance impact of tracing every system
call is too great.

Is there a more efficient way than tracing every system call entry and
exit to determine when a child process forks, calls exec, or creates a
new LWP?

Thanks a lot for your help!
-Dan

On Mon, May 3, 2010 at 4:39 PM, Dan Nelson <dnelson at allantgroup.com> wrote:
> In the last episode (May 03), Dan McNulty said:
>> I am trying to port a debugging tool that uses the ptrace interface from
>> Linux to FreeBSD.  From what I can tell, the ptrace interface on FreeBSD
>> is pretty similar to the Linux interface; however, it doesn't appear that
>> the FreeBSD interface generate events when the child process forks, calls
>> exec, creates a new LWP, etc.  My question then is:
>>
>> Does FreeBSD provide any way to determine from a parent/tracing
>> process if a child process has called fork, exec, exit, or created a
>> new LWP?
>
> /usr/bin/truss watches for syscalls named "fork", "rfork", and "vfork", and
> when they return it forks another copy of itself to watch the child.  See
> /usr/src/usr.bin/truss/i386-fbsd.c and main.c (search for "in_fork").
>
> You can tell when a new lwp is created because lwpid changes.  In setup.c
> the waitevent() function calls ptrace(PT_LWPINFO...) on every syscall
> entry/exit so it's easy to track; it then calls the find_thread() function
> which allocates a new helper struct every time a new lwp appears.
>
> --
>        Dan Nelson
>        dnelson at allantgroup.com
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>