Why are execve and brk(NULL) always the first two system calls?

When I try

    strace ping google.com

or

    strace ls

or even

    strace curl <domain>

the first two system calls are always:

    execve("/usr/bin/curl", ["curl", "google.com"], 0x7ffecf1bc378 /* 61 vars */) = 0
    brk(NULL) = 0x55f553c49000

Can someone please tell me if execve will always be the first system call when I execute anything?

I read this manual page, https://linux.die.net/man/2/execve
But I don't understand if execve is really a system call or an executable program?

asked Aug 26 at 22:39
MaverickD

1 Answer

Accepted answer, 2 votes

In Linux a new process is created via fork(), which makes a child process which is almost identical to the parent process. To create a new process whose program is different than the program of the original process, the new child process immediately calls execve(), which is basically the process saying "replace my current program with this other program".

brk(NULL) is the process asking where its heap memory ends. Many programs call this as their first system call (which will show up right after execve()) because they use malloc() right away (or a library call they make uses malloc() internally). If the program and its library calls don't need to call malloc() for a while then something besides brk(NULL) will be the second system call.

edited Aug 29 at 0:51
answered Aug 27 at 0:38
Matthew Cline
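
The fork()/execve() sequence from the answer and the brk(0) behaviour noted in the comments, as an added C example that is not part of the original post. It assumes Linux with /bin/sh present; the function names and the `exit 7` command are constructed for illustration. strace starts the traced program the same way, which is why execve opens every trace.

```c
/* Added example (not from the original post): fork()+execve() and brk(0). */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child, replace its program with `path` via execve(), and
 * return the child's exit status (or -1 on error). */
int spawn_and_wait(const char *path, char *const argv[])
{
    char *const envp[] = { NULL };      /* empty environment for the child */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);       /* only returns if it failed */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Raw brk(0): Linux returns the current program break and changes nothing. */
long query_break(void)
{
    return syscall(SYS_brk, 0L);
}

/* Move the break up by `bytes`, query it, restore it; return observed growth. */
long grow_and_measure(long bytes)
{
    long before = query_break();
    syscall(SYS_brk, before + bytes);   /* non-zero argument: this one moves it */
    long after = query_break();
    syscall(SYS_brk, before);           /* put the break back */
    return after - before;
}

int main(void)
{
    char *const argv[] = { "sh", "-c", "exit 7", NULL };  /* constructed sample */
    printf("child exit status: %d\n", spawn_and_wait("/bin/sh", argv));
    printf("brk(0) twice equal: %d\n", query_break() == query_break());
    printf("growth after brk(cur+4096): %ld\n", grow_and_measure(4096));
    return 0;
}
```

Running the compiled binary under strace shows the execve of the binary first, then the child's own execve of /bin/sh when the fork is followed with `strace -f`.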

• Linux's brk(0) actually just checks the current break, it doesn't change it yet.
  – ilkkachu
  Aug 27 at 8:38

• Oops, I'd glossed over that brk()'s argument was NULL/0. (And I didn't know about its special behavior on that value.)
  – Matthew Cline
  Aug 27 at 14:12

• But that doesn't explain why brk(NULL) is the 2nd system call. Well, I just realized it is not always the 2nd system call. When I run strace ping google.com, I get access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory) as a 2nd call after execve.
  – MaverickD
  Aug 29 at 0:48

• @MaverickD added more details to my answer.
  – Matthew Cline
  Aug 29 at 0:51