Demonstrations of aliexitsnoop.

This Linux tool is an enhanced version of exitsnoop. For more details about exitsnoop, see
exitsnoop_example.txt. Compared to exitsnoop, aliexitsnoop prints not only the exit code, pid,
ppid and lifetime of the exiting processes, but also their stacks. The demand stems from the
fact that in production environments some processes end unexpectedly, so we need to dump the
stack of the target process to find out what caused it to exit.

Usage:
aliexitsnoop.py [-h] [-t] [--utc] [-p PID] [--label LABEL] [-x]

Trace all process termination (exit, fatal signal)

optional arguments:
  -h, --help         show this help message and exit
  -t, --timestamp    include timestamp (local time default)
  --utc              include timestamp in UTC (-t implied)
  -p PID, --pid PID  trace this PID only
  --label LABEL      label each line
  -x, --failed       trace only fails, exclude exit(0)

examples:
    aliexitsnoop                # trace all process termination
    aliexitsnoop -x             # trace only fails, exclude exit(0)
    aliexitsnoop -t             # include timestamps (local time)
    aliexitsnoop --utc          # include timestamps (UTC)
    aliexitsnoop -p 181         # only trace PID 181
    aliexitsnoop --label=exit   # label each output line with 'exit'

The following example shows the output when run in a loop that is interrupted with Ctrl-C
from the terminal:

grep             25099  25087  25099  0.00    0
Kernel Stack:    ffffffffa5800088  entry_SYSCALL_64_after_hwframe
Kernel Stack:    ffffffffa500201b  do_syscall_64
Kernel Stack:    ffffffffa5083b54  __x64_sys_exit_group
Kernel Stack:    ffffffffa5083ad9  do_group_exit
Kernel Stack:    ffffffffa5082e11  do_exit
USER Stack:      c74864108b48      [unknown]
USER Stack:      7fd29b10c660      [unknown]
USER Stack:      7fd29b0611d9      [unknown]
=================================

id               25101  25100  25101  0.00    0
Kernel Stack:    ffffffffa5800088  entry_SYSCALL_64_after_hwframe
Kernel Stack:    ffffffffa500201b  do_syscall_64
Kernel Stack:    ffffffffa5083b54  __x64_sys_exit_group
Kernel Stack:    ffffffffa5083ad9  do_group_exit
Kernel Stack:    ffffffffa5082e11  do_exit
USER Stack:      c74864108b48      [unknown]
USER Stack:      7f932c07b660      [unknown]
USER Stack:      7f932bfd01d9      [unknown]
=================================

bash             25100  25087  25100  0.00    0
Kernel Stack:    ffffffffa5800088  entry_SYSCALL_64_after_hwframe
Kernel Stack:    ffffffffa500201b  do_syscall_64
Kernel Stack:    ffffffffa5083b54  __x64_sys_exit_group
Kernel Stack:    ffffffffa5083ad9  do_group_exit
Kernel Stack:    ffffffffa5082e11  do_exit
USER Stack:      c74864108b48      [unknown]
USER Stack:      7f5318862660      [unknown]
USER Stack:      7f53187b71d9      [unknown]
=================================

systemd          1      0      25102  0.00    0
Kernel Stack:    ffffffffa5800088  entry_SYSCALL_64_after_hwframe
Kernel Stack:    ffffffffa500201b  do_syscall_64
Kernel Stack:    ffffffffa5083a97  __x64_sys_exit
Kernel Stack:    ffffffffa5082e11  do_exit
USER Stack:      7f92232c1e64      [unknown]

We can see that aliexitsnoop prints the user stack and kernel stack of the exiting processes.
Note that aliexitsnoop can only get the address trace of the user stack. It cannot get the
symbols corresponding to the addresses because the user space of the process no longer exists
after the process ends. However, the address trace of the user stack still helps, because you
can analyze it together with /proc/$pid/maps.
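
A sketch of that analysis, as an added example that is not part of aliexitsnoop: it resolves
each USER Stack address to a mapped file and file offset. It assumes /proc/$pid/maps was saved
while the process was still running; the maps content below is constructed, and the stack
lines are the grep frames from the output above.

```python
import bisect

# Constructed sample of /proc/25099/maps (hypothetical layout), captured
# while the process was still alive.
SAMPLE_MAPS = """\
55d0c4a00000-55d0c4a2c000 r-xp 00004000 fd:01 131 /usr/bin/grep
7fd29b017000-7fd29b039000 r--p 00000000 fd:01 262 /usr/lib64/libc.so.6
7fd29b039000-7fd29b186000 r-xp 00022000 fd:01 262 /usr/lib64/libc.so.6
7ffd1c3e0000-7ffd1c401000 rw-p 00000000 00:00 0 [stack]
"""

# USER Stack lines for grep (PID 25099), copied from the output above.
SAMPLE_STACK = """\
USER Stack:      c74864108b48      [unknown]
USER Stack:      7fd29b10c660      [unknown]
USER Stack:      7fd29b0611d9      [unknown]
"""

def parse_maps(text):
    """Parse maps text into sorted (start, end, perms, file_offset, path)."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # not a mapping line
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) == 6 else "[anon]"
        regions.append((start, end, fields[1], int(fields[2], 16), path))
    return sorted(regions)

def resolve(regions, addr):
    """Return (path, file_offset, perms) for addr, or None if unmapped."""
    i = bisect.bisect_right([r[0] for r in regions], addr) - 1
    if i < 0 or addr >= regions[i][1]:
        return None
    start, _end, perms, offset, path = regions[i]
    return path, addr - start + offset, perms

def annotate(regions, stack_text):
    """Replace [unknown] with module+offset for each USER Stack line."""
    out = []
    for line in stack_text.splitlines():
        if line.startswith("USER Stack:"):
            addr = int(line.split()[2], 16)
            hit = resolve(regions, addr)
            where = "%s+0x%x (%s)" % hit if hit else "[unmapped]"
            out.append("USER Stack:      %012x      %s" % (addr, where))
    return out

if __name__ == "__main__":
    print("\n".join(annotate(parse_maps(SAMPLE_MAPS), SAMPLE_STACK)))
```

An address that falls outside every saved mapping is reported as [unmapped] rather than
attributed to the nearest region.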
