Thanks to the hint @l'L'l linked to, I was able to get around this.
You will need two shells.
In shell A (we will check the shell):
# copy this shell PID to clipboard (93827 for this example)
echo $$ | pbcopy
In shell B (the shell that will run DTrace), start tracing this PID:
sudo dtrace -n 'syscall:::entry /progenyof($1) && pid != $1/ { @[probefunc] = count(); }' 93827
We use progenyof() so that we track shell child processes. I added && pid != $1, because for some reason progenyof(x) seems to include x.
Now go back to shell A, run some code that you want to test:
grep 1 <<< 123
Our DTrace program in shell B will successfully catch the child process running in shell A.
There is some noise to sift. Perhaps the shell launches many children. Not sure how to be more selective.
This is a tutorial to see how dtruss implements -f ("keep track of children as they are forked") ...
less "$(which dtruss)"
Relevant suggestions are those that use the OPT_follow && filter (indicates that -f is enabled) or the self->child variable (indicates that this thread is a child of the process specified by -p PID).
It is also useful to know that ppid is a built-in variable that gives the parent PID.
Birchlabs Jun 25 '17 at 17:44
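One way to sift the noise mentioned in the answer above, as an added example that is not part of the original answer: the same progenyof() filter, with the aggregation keyed by PID and execname so each child's syscalls are counted separately, plus a line per successful exec showing the built-in ppid. The file name children.d and the output layout are assumptions.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * children.d (hypothetical file name)
 * Run from shell B, passing the PID of shell A as the first argument:
 *   sudo dtrace -s children.d 93827
 * Stop with Ctrl-C to print the per-process summary.
 */

#pragma D option quiet

dtrace:::BEGIN
{
    printf("Tracing descendants of PID %d ... Ctrl-C to end.\n", $1);
}

/*
 * Report each program a descendant execs, with its parent PID,
 * so short-lived helper processes can be told apart from the
 * command actually under test.
 */
proc:::exec-success
/progenyof($1) && pid != $1/
{
    printf("exec  pid=%-6d ppid=%-6d %s\n", pid, ppid, execname);
}

/*
 * Same predicate as the one-liner in the answer, but the count is
 * keyed by (pid, execname, syscall) instead of syscall alone.
 */
syscall:::entry
/progenyof($1) && pid != $1/
{
    @calls[pid, execname, probefunc] = count();
}

dtrace:::END
{
    printf("\n%-8s %-16s %-24s %s\n", "PID", "EXECNAME", "SYSCALL", "COUNT");
    printa("%-8d %-16s %-24s %@d\n", @calls);
}
```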