0123hoang

Reputation: 33

bpftrace execsnoop does not catch "echo" command

I'm trying to figure out what execsnoop can catch or not.

ENV

Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:    22.04
Codename:   jammy
5.15.0-48-generic
bpftrace v0.16.0

Terminal 1

execsnoop.bt

Terminal 2

ls
/usr/bin/echo
/usr/bin/echo a
strace echo a
echo a          # Not shown in Terminal 1
echo            # Not shown in Terminal 1
>strace echo a
execve("/usr/bin/echo", ["echo", "a"], 0x7fff01460c38 /* 30 vars */) = 0
brk(NULL)                               = 0x55d40d778000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff0f437c90) = -1 EINVAL (Invalid argument)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f93860f4000

Upvotes: 1

Views: 260

Answers (1)

Qeole

Reputation: 9134

My guess is that strace echo a forces the use of /usr/bin/echo, a binary which your shell exec()s into, whereas just running plain echo in the terminal uses a built-in from your shell, and as such does not trigger an exec().

This is why /usr/bin/echo a works as expected as well.

info echo from bash mentions the built-in:

   Due to shell aliases and built-in ‘echo’ functions, using an
unadorned ‘echo’ interactively or in a script may get you different
functionality than that described here.  Invoke it via ‘env’ (i.e., ‘env
echo ...’) to avoid interference from the shell.

You will also likely get different outputs from echo --help and /usr/bin/echo --help.

Upvotes: 2
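
The distinction drawn in the answer above, as an added example that is not part of the original post: a POSIX shell function that reports whether a command word is resolved inside the shell (no execve(), so nothing for execsnoop to trace) or executed as a file. The function name exec_visibility and its output labels are hypothetical, chosen for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post). exec_visibility and its
# output labels are hypothetical names chosen for this illustration.

# Report how the current shell would run the command word $1:
#   execve:<path>  a file is executed, so an execve() tracer sees it
#   in-shell       builtin, keyword or function: no execve() happens
#   alias          expands to other text first; classify the expansion
#   not-found      the shell cannot resolve the word
exec_visibility() {
    name=$1
    case $name in
        */*)
            # A word containing a slash is run as a file path and is
            # never looked up as a builtin.
            if [ -f "$name" ] && [ -x "$name" ]; then
                printf 'execve:%s\n' "$name"
                return 0
            fi
            printf 'not-found\n'
            return 1
            ;;
    esac
    if ! resolved=$(command -v "$name" 2>/dev/null); then
        printf 'not-found\n'
        return 1
    fi
    case $resolved in
        /*)       printf 'execve:%s\n' "$resolved" ;;
        alias\ *) printf 'alias\n' ;;
        *)        printf 'in-shell\n' ;;
    esac
}

# The command words from the question, plus the env wrapper from the answer.
for word in ls echo /usr/bin/echo strace env; do
    printf '%-14s %s\n' "$word" "$(exec_visibility "$word" || true)"
done
```

Anything reported as in-shell runs inside the existing shell process, so tooling that hooks execve() records only the shell itself and not that command.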
