Chapter 13. Kernel Process Tapset
This family of probe points is used to probe process-related activities. It contains the following probe points:
Name
probe::kprocess.create — Fires whenever a new process is successfully created
Values
new_pid
The PID of the newly created process
Context
Parent of the created process.
Description
Fires whenever a new process is successfully created, either as a result of fork (or one of its syscall variants) or as a new kernel thread.
Name
probe::kprocess.start — Starting new process
Context
Newly created process.
Description
Fires immediately before a new process begins execution.
Name
probe::kprocess.exec — Attempt to exec to a new program
Values
filename
The path to the new executable
Context
The caller of exec.
Description
Fires whenever a process attempts to exec to a new program.
Name
probe::kprocess.exec_complete — Return from exec to a new program
Synopsis
kprocess.exec_complete
Values
success
A boolean indicating whether the exec was successful
errno
The error number resulting from the exec
Context
On success, the context of the new executable. On failure, remains in the context of the caller.
Description
Fires at the completion of an exec call.
Name
probe::kprocess.exit — Exit from process
Values
code
The exit code of the process
Context
The process which is terminating.
Description
Fires when a process terminates. This will always be followed by a kprocess.release, though the latter may be delayed if the process waits in a zombie state.
Name
probe::kprocess.release — Process released
Synopsis
kprocess.release
Values
pid
PID of the process being released
task
A task handle to the process being released
Context
The context of the parent, if it wanted notification of this process' termination, else the context of the process itself.
Description
Fires when a process is released from the kernel. This always follows a kprocess.exit, though it may be delayed somewhat if the process waits in a zombie state.
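The following script is an added example, not part of the tapset reference. It ties the six probe points above into a single process-lifecycle audit trail and pairs each exec attempt with its result so that failed execs are logged with the requested path. The global `pending_exec` and the output format are this example's own choices; `pid()`, `ppid()`, `execname()` and `gettimeofday_s()` are the standard SystemTap context and time functions.

```systemtap
#!/usr/bin/stap
# Added example: process lifecycle audit trail built from the kprocess probes.

# pid -> path handed to exec, held until kprocess.exec_complete fires.
# Keyed on pid() (the thread group id), which stays the same across exec.
global pending_exec

probe kprocess.create {
  # Context is the parent, so pid()/execname() describe the creator.
  printf("%d CREATE parent=%d(%s) child=%d\n",
         gettimeofday_s(), pid(), execname(), new_pid)
}

probe kprocess.start {
  # Context is the new process, immediately before it begins execution.
  printf("%d START pid=%d ppid=%d\n", gettimeofday_s(), pid(), ppid())
}

probe kprocess.exec {
  # Context is the caller of exec; remember what it asked for.
  pending_exec[pid()] = filename
}

probe kprocess.exec_complete {
  # On success the context is the new executable, on failure still the caller.
  target = pending_exec[pid()]   # empty string if the attempt was not seen
  delete pending_exec[pid()]
  if (success)
    printf("%d EXEC pid=%d ppid=%d comm=%s file=%s\n",
           gettimeofday_s(), pid(), ppid(), execname(), target)
  else
    printf("%d EXEC_FAIL pid=%d comm=%s file=%s errno=%d\n",
           gettimeofday_s(), pid(), execname(), target, errno)
}

probe kprocess.exit {
  # Context is the terminating process.
  delete pending_exec[pid()]     # drop any attempt that never completed
  printf("%d EXIT pid=%d(%s) code=%d\n",
         gettimeofday_s(), pid(), execname(), code)
}

probe kprocess.release {
  # "pid" here is the probe's value (the released process), not pid().
  # A long gap after the matching EXIT line means the process sat as a zombie.
  printf("%d RELEASE pid=%d by=%d(%s)\n",
         gettimeofday_s(), pid, pid(), execname())
}
```

Run it with `stap` as a user permitted to load SystemTap modules. Repeated EXEC_FAIL lines from one parent, or an EXEC whose `file` sits in a world-writable directory, are the kind of records worth alerting on.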