Releases: kxxt/tracexec
v0.16.0
New Features
Now it's possible to export detailed trace to perfetto trace format!
The trace can be collected with tracexec collect --format perfetto
and viewed in https://ui.perfetto.dev/ as demonstrated in the following video:
tracexec-pftrace.webm
This feature enables interesting new use cases such as build system profiling
and examining the detailed exec traces in tree format using perfetto UI.
Improvements
- eBPF backend: use BPF_RB_FORCE_WAKEUP for event delivery.
- Perf: use internment crate for much faster string interning.
Bug Fixes
- Ptrace backend: use timestamp produced at a single location.
- Ptrace backend: fix parent tracking for exec failure events.
- TUI: fix "Prev Match" command.
- Collect command now handles SIGINT and SIGTERM gracefully.
- eBPF backend: don't write skel to src dir in build script
- eBPF backend: fix data race with per-cpu data structures.
- Ptrace backend: fix interpreter path extraction for files smaller than 2 bytes.
Build Related Changes
- tracexec is now split into multiple crates (tracexec-core, tracexec-backend-ptrace, tracexec-backend-ebpf, tracexec-exporter-json, tracexec-exporter-perfetto, tracexec-tui and optionally perfetto-trace-proto) for better modularity and faster compilation.
- A new feature protobuf-binding-from-source is added for building protobuf bindings to the perfetto trace format.
  By default, this feature is disabled and tracexec uses a vendored and hand-minified protobuf binding to perfetto to speed up compilation and avoid protoc build dependency.
  See INSTALL.md for more details.
Internal Changes
- Obsolete directories (casts, screenshots, 3rdparty) are removed from git repo.
- Update dependencies. Notably ratatui is updated to 0.30 and lru is bumped for an unsoundness fix.
- Update and refactor UKCI.
- Add CodeRabbit configuration for AI powered code review.
- Remove whitesource bolt bot from CI.
- Track test coverage with Codecov and cargo-llvm-cov in CI.
- Check code style in CI with rustfmt.
- Explicitly specify GitHub Actions workflow permissions.
v0.16.0-beta.7
New Features
Now it's possible to export detailed trace to perfetto trace format!
The trace can be collected with tracexec collect --format perfetto
and viewed in https://ui.perfetto.dev/.
This feature enables interesting new use cases such as build system profiling
and examining the detailed exec traces in tree format using perfetto UI.
Bug Fixes
- Ptrace backend: use timestamp produced at a single location.
- Ptrace backend: fix parent tracking for exec failure events.
- TUI: fix "Prev Match" command.
- Collect command now handles SIGINT and SIGTERM gracefully.
- eBPF backend: don't write skel to src dir in build script
- eBPF backend: fix data race with per-cpu data structures.
- Ptrace backend: fix interpreter path extraction for files smaller than 2 bytes.
Improvements
- eBPF backend: use BPF_RB_FORCE_WAKEUP for event delivery.
- Perf: use internment crate for much faster string interning.
Internal Changes
- tracexec is now split into multiple crates for better modularity and faster compilation.
- Obsolete directories (casts, screenshots, 3rdparty) are removed from git repo.
- Update dependencies. Notably ratatui is updated to 0.30 and lru is bumped for an unsoundness fix.
- Update and refactor UKCI.
- Add CodeRabbit configuration for AI powered code review.
- Remove whitesource bolt bot from CI.
- Track test coverage with Codecov and cargo-llvm-cov in CI.
- Check code style in CI with rustfmt.
- Explicitly specify GitHub Actions workflow permissions.
v0.15.1
This patch release fixes a bug that might cause tracexec's eBPF backend to
misbehave on architectures other than x86_64. It is caused by clangd
auto-inserting an x86-specific header include.
v0.15.0
New Features
- Show UID, GID and supplemental groups in TUI.
- Expose UID, GID and supplemental groups in collect command.
Bug Fixes
- TUI: Fix parent cmdline in details popup. When this feature was introduced,
  it incorrectly showed the event's own cmdline.
Internal Changes
- Update UKCI.
- Typo fixes.
v0.14.0
Security fix
- Fix env command argument injection via environment variables starting with dash in traced exec events.
See the linked security advisory for more details.
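The class of bug named in this fix, sketched as an added Rust example; it is not tracexec's code or its actual patch. The function names, the constructed `-DEMO` variable and the simplified option scan are assumptions, as is an `env` that accepts NAME=VALUE operands after `--`.

```rust
// Added example: names, the sample environment and the option model are
// assumptions for illustration, not tracexec's code.

/// Naive rendering of a traced exec as an argv for env(1): NAME=VALUE
/// pairs follow `env` directly, where option parsing is still active.
fn render_naive(envp: &[(&str, &str)], argv: &[&str]) -> Vec<String> {
    let mut out = vec!["env".to_string()];
    out.extend(envp.iter().map(|(k, v)| format!("{k}={v}")));
    out.extend(argv.iter().map(|a| a.to_string()));
    out
}

/// Hardened rendering: `--` ends option parsing before any traced data.
/// Assumes an env(1) that still accepts NAME=VALUE operands after `--`.
fn render_hardened(envp: &[(&str, &str)], argv: &[&str]) -> Vec<String> {
    let mut out = render_naive(envp, argv);
    out.insert(1, "--".to_string());
    out
}

/// Simplified POSIX-style scan: counts leading arguments after `env` that
/// would be read as options; stops at `--` or the first operand.
fn args_parsed_as_options(args: &[String]) -> usize {
    args.iter()
        .skip(1)
        .take_while(|a| a.as_str() != "--" && a.len() > 1 && a.starts_with('-'))
        .count()
}

fn main() {
    // Constructed sample: the traced process had a variable named "-DEMO".
    let envp = [("-DEMO", "1"), ("PATH", "/usr/bin")];
    let argv = ["make", "all"];
    for args in [render_naive(&envp, &argv), render_hardened(&envp, &argv)] {
        println!("{:?} -> {} arg(s) read as options", args, args_parsed_as_options(&args));
    }
}
```

Anything rendered from a traced process (names as well as values) is untrusted input to whatever later parses the copied command line.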
New Feature
- TUI: the copy dialog now offers a new option for copying the command line with full environment variables.
v0.13.1
Fixes
- eBPF: fix load failure when compiled with clang >= 20.1
- eBPF: drop old printk hack
- Fix cargo-about failure introduced by breaking changes in cargo-about v0.8 (by @hatch01)
- Ensure that when not using pty, open /dev/null with O_RDWR so that stderr/stdout is writable by tracee.
Misc
- Upgrade dependencies
v0.13.0
Notice
The experimental eBPF backend may fail to load with "BPF program is too large."
error when compiled with clang 20/21.
This appears to be a regression in clang. I am still investigating this bug.
In case you need the experimental eBPF backend, please use CLANG environment
variable to specify the full path to an older version of clang when building tracexec.
(clang 18/19 is known to be good)
Breaking Changes
--tracer-delay option is now replaced with --polling-interval.
The naming of this option was not intuitive. This should not break
most use cases as this option is not widely used.
We apologize for potential breakages.
Previous versions of tracexec used polling in ptrace backend,
which is less reactive to ptrace events than blocking and could introduce
noticeable delays when --tracer-delay is not adjusted for exec-heavy workloads.
In order to work towards making tracexec a build system profiler,
starting from v0.13.0, tracexec by default no longer uses polling in ptrace
backend. Instead, we are now relying on blocking syscalls and signals.
This way, we can achieve higher throughput by default.
To revert to the previous behavior of polling, specify a positive polling interval
with --polling-interval. A negative value would disable polling.
Fixes
- Fix typos (by @Xeonacid)
Misc
- Bump MSRV to 1.88
- Update UKCI
- Refactor to use snafu instead of thiserror
- Add profiling cargo profile
- Refactor ptrace tracer to use type state pattern.
v0.12.0
New Features
Exec Backtrace
Similar to stack traces, exec events also form a backtrace.
In TUI, tracexec now supports viewing the backtrace of any exec event by
pressing T.
The exec backtrace shows all the exec events that lead to the selected event.
- For most events, the parent process spawns a new child process to execute the new program. (label S)
- For some events, the parent process tears itself down and directly becomes (executes) the new program. (label B)
Go To Parent
Sometimes, reading the whole exec backtrace is unnecessary. A light-weight alternative is Go To Parent.
By pressing U on an event, the TUI will jump to and select its parent event.
In details view, pressing U will open the details of the parent event.
And in the details view of an event, we now show its parent event's command line.
Fixes
- Greatly improve TUI responsiveness to user input when in following mode.
Misc
- Internal refactor
- UKCI: register ukci as a GC root.
v0.11.0
New Features
tracexec now collects the timestamps of the events.
It is currently hidden by default.
To show the timestamps inline, use --timestamp option.
To control the format of the inline timestamp, use --inline-timestamp-format
(Please refer to https://docs.rs/chrono/latest/chrono/format/strftime/index.html for available specifiers)
Use timestamp.enable config under modifier section to control whether to enable it by default or not
and timestamp.inline_format config to control the format.
Breaking Changes
File descriptors that are O_CLOEXEC (closing upon exec) are hidden by default now.
The rationale behind this change is that most of the time we are only interested in knowing
which FDs are inherited across exec.
This behavior can be controlled with --hide-cloexec-fds or --no-hide-cloexec-fds options
and hide_cloexec_fds config under modifier section.
Fixes
- Fix caching in UKCI.
Other
- TUI: The order of fields in details view is slightly adjusted.
- Bump dependencies.
- Regular kernel version bumps for UKCI.
v0.10.0
Breaking Changes
- The compile-time seccomp-bpf feature gate is removed. It is always enabled now.