Hello James,

So the ported version of dtrace in OS X 10.11.2 does support probing entry and 
return of the unmount() system call.

bash-3.2# dtrace -l -f syscall::\*mount\*

   ID   PROVIDER            MODULE                          FUNCTION NAME
  459    syscall                                             unmount entry
  460    syscall                                             unmount return
  475    syscall                                               mount entry
  476    syscall                                               mount return
  989    syscall                                         __mac_mount entry
  990    syscall                                         __mac_mount return
  991    syscall                                     __mac_get_mount entry
  992    syscall                                     __mac_get_mount return
bash-3.2# 

It is the same for stack() as well. The executable is /sbin/umount. I ran that 
dtrace one-liner, then went to the terminal and ran the umount command, and that 
error message immediately occurred. 

I'm not a developer, so I will try to understand your comments regarding using 
stop() to halt umount and check it through a debugger. Thank you for the help 
anyway. If you have anything else to add, please feel free to do so.

- Steve

------------------ Original ------------------
From:  "James Carlson";<carls...@workingcode.com>;
Date:  Mon, Jan 25, 2016 09:22 PM
To:  "STEVE"<195128...@qq.com>; "Nan Xiao"<n...@chinadtrace.org>; 
"dtrace-discuss"<dtrace-discuss@lists.dtrace.org>; 

Subject:  Re: [dtrace-discuss] syscall::unmount: doesn't work in OS X 10.11.2



On 01/25/16 00:18, STEVE wrote:
> Hi Nan Xiao,
> 
> Yes, it is unmount. Please see the man page below. I tried to run
> unmount and dtrace both under root, same issue.

Just a nit, but the section 2 man page doesn't document the syscall
interface.  It documents the libc ABI.  The two are different, and you
can't always trust that one matches the other.  A better place to look
for supported syscall provider interfaces is here:

dtrace -l -f syscall::\*mount\*

or, if you prefer:

dtrace -l -P syscall | grep mount

At a guess, the problem is that the executable invoking unmount() itself
was gone by the time the user-level dtrace got the information from the
kernel.*

Since it seems you're looking for the user-level stack, I suggest
enabling destructive actions and using stop() to halt the user process.
 It can then be examined with a debugger.

-- 
James Carlson         42.703N 71.076W         <carls...@workingcode.com>
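
The stop() suggestion above, written out as an added example that is not part of the original thread: a D script that halts umount when it enters unmount(), so the process still exists when its user-level stack is resolved or a debugger is attached. The execname comes from the thread (/sbin/umount); the script file name and the resume command are assumptions.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not from the original thread.
 * Save as stop_umount.d (hypothetical name), run it as root with
 * "dtrace -s stop_umount.d", then run umount in another terminal.
 */

#pragma D option quiet
#pragma D option destructive	/* stop() is a destructive action */

syscall::unmount:entry
/execname == "umount"/		/* /sbin/umount, per the thread */
{
	printf("%Y pid %d (%s) entered unmount()\n",
	    walltimestamp, pid, execname);

	/*
	 * ustack() records raw user addresses at probe time. The dtrace
	 * command resolves them to symbols later, in user space, which
	 * needs the traced process to still be around.
	 */
	ustack();

	/*
	 * Halt the process so it cannot exit before the stack is
	 * resolved or a debugger is attached.
	 */
	stop();

	printf("stopped; attach a debugger with: lldb -p %d\n", pid);
	/* Assumption: the stopped process is resumed with SIGCONT. */
	printf("resume afterwards with:          kill -CONT %d\n", pid);
}
```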

