On Sun, Oct 22, 2023 at 06:00:43AM +0000, RVP wrote: > On Fri, 20 Oct 2023, Thomas Klausner wrote: > > > # dtrace -n syscall::unlink:entry'/pid == 27647/{ self->file = arg0; }' -n > > syscall::unlink:return'{ trace(copyinstr(self->file)); self->file = 0; }' > > > > but this just gives me lots of > > > > dtrace: error on enabled probe ID 2 (ID 405: syscall::unlink:return): > > invalid address (0x79c4586577ce) in action #1 at DIF offset 12 > > : No such file or directory > > > > Actually, this command-line is almost correct. What's missing is the paired > /pid == 27647/ for syscall::unlink:return. Without it, unlink:return is called > for _every_ pid and there's not going to be a valid self->file for almost > every > one of them.
I tried that (see attachment), didn't help. dtrace: error on enabled probe ID 1 (ID 404: syscall::unlink:entry): invalid address (0x7a8e0685a7ce) in action #1 at DIF offset 12 : No such file or directory dtrace: error on enabled probe ID 2 (ID 405: syscall::unlink:return): invalid address (0x0) in action #2 : No such file or directory dtrace: error on enabled probe ID 1 (ID 404: syscall::unlink:entry): invalid address (0x7a8e0685a7ce) in action #1 at DIF offset 12 : No such file or directory dtrace: error on enabled probe ID 2 (ID 405: syscall::unlink:return): invalid address (0x0) in action #2 : No such file or directory The machine has 128 GB RAM and ~450 GB swap. I haven't tried limiting the RAM from BIOS yet. Thomas
#!/usr/sbin/dtrace -s #pragma D option destructive #pragma D option quiet syscall::unlink:entry /pid == 28651/ { self->file = copyinstr(arg0); } syscall::unlink:return /pid == 28651/ { printf("%d %s\n", pid, self->file); self->file = 0; }