bpftrace icon indicating copy to clipboard operation
bpftrace copied to clipboard
verified publisher icon bpftrace

Strange characters in output

Open aki-k opened this issue 2 weeks ago • 4 comments

What reproduces the bug? Provide code if possible.

bpftrace -e 'tracepoint:sched:sched_process_exec { time("%H:%M:%S"); printf(" uid = %d pid = %d ppid = %d cmd = %s \n", uid, pid, curtask->parent->pid, comm); } tracepoint:syscalls:sys_enter_execve { time("%H:%M:%S"); printf(" uid = %d pid = %d ppid = %d cmd_with_args = ", uid, pid, curtask->parent->pid); join(args->argv); }'

bpftrace --info output

System
  OS: Linux 6.17.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 24 Nov 2025 15:21:09 +0000
  Arch: x86_64

Build
  version: v0.24.1
  LLVM: 21.1.3
  bfd: yes
  libdw (DWARF support): yes
  libsystemd (systemd notify support): yes
  blazesym (advanced symbolization): no

Kernel helpers
  probe_read_user: yes             probe_read_user_str: yes           
  probe_read_kernel: yes           probe_read_kernel_str: yes         
  send_signal: yes                 get_boot_ns: yes                   
  dpath: yes                       skboutput: yes                     
  get_tai_ns: yes                  get_func_ip: yes                   
  jiffies64: yes                   for_each_map_elem: yes             
  get_ns_current_pid_tgid: yes     lookup_percpu_elem: yes            

Kernel features
  Instruction limit: 1000000       btf: yes                           
  module btf: yes                  map batch: yes                     

Map types
  hash: yes                        array: yes                         
  percpu array: yes                stack_trace: yes                   
  ringbuf: yes                     

Probe types                        
  kprobe: yes                      tracepoint: yes                    
  perf_event: yes                  fentry: yes                        
  kprobe_multi: yes                uprobe_multi: yes                  
  kprobe_session: yes              iter: yes

Example output:

Attached 2 probes
22:42:28 uid = 1000 pid = 1843 ppid = 692 cmd_with_args = /usr/lib/systemd/systemd-executor --deserialize --log-level auto pg8�          �q`]U 
22:42:28 uid = 1000 pid = 1843 ppid = 692 cmd = 9 
22:42:28 uid = 1000 pid = 1843 ppid = 692 cmd_with_args = /usr/bin/konsole               
22:42:28 uid = 1000 pid = 1843 ppid = 692 cmd = konsole 
22:42:28 uid = 1000 pid = 1852 ppid = 797 cmd_with_args = /usr/bin/rm /home/username/.config/session/konsole_10145dbd1dd000176514014800000007970007_1765140148_399358              
22:42:28 uid = 1000 pid = 1852 ppid = 797 cmd = rm 
22:42:28 uid = 1000 pid = 1854 ppid = 1853 cmd_with_args = /usr/lib/utempter/utempter add              
22:42:28 uid = 1000 pid = 1854 ppid = 1853 cmd = utempter 
22:42:28 uid = 1000 pid = 1853 ppid = 1843 cmd_with_args = /usr/bin/bash              ����� 
22:42:28 uid = 1000 pid = 1853 ppid = 1843 cmd = bash

aki-k avatar Dec 07 '25 20:12 aki-k

@jordalgo could this be related to the recent char[] -> string conversion in #4871?

viktormalik avatar Dec 08 '25 12:12 viktormalik

@viktormalik Don't believe so. The user reported this for 0.24.1.

jordalgo avatar Dec 08 '25 13:12 jordalgo

This has been fixed in 5e8702aa28bb04ef4aaf25f955b048ecd8075085. We've backported it to release/0.24.x (ff000c23291d1487bebe05b59a40c36c97bd1688) but never released a patch release containing this. IIRC,@jordalgo wanted to craft the 0.24.2 release, are we waiting for anything else here?

viktormalik avatar Dec 08 '25 14:12 viktormalik

@viktormalik Let me do another check and then I'll work on the 0.24.2 release this week.

jordalgo avatar Dec 08 '25 14:12 jordalgo