79459601

Date: 2025-02-22 12:34:47
Score: 1
Natty:

The behavior you’re seeing is expected and relates to how static strings are handled in memory. When you define args and envp as static arrays (e.g., char *args[] = {"/usr/bin/ls", "-l", NULL, NULL}), the compiler embeds these strings into the binary, but they aren’t loaded into memory until they’re accessed. In your eBPF program, the tracepoint__syscalls__sys_enter_execve runs before this access happens, so bpf_probe_read_str may fail to read the data, resulting in empty output.

When you add printf("args addr: %p\n", args), it forces the program to access these variables, triggering the kernel to fault the memory page containing the strings into RAM. Since memory is loaded in pages (not individual variables), this makes the data available by the time your eBPF probe runs. This explains why adding printf "fixes" the issue.

This is a known behavior in eBPF tracing. As noted in this GitHub issue comment:

the data you're using isn't in memory yet. These static strings are compiled in and are not actually faulted into memory until they're accessed. The access won't happen until it's read, which is after your bpftrace probe ran. BPF won't pull the data in, so you get an EFAULT/-14.

By printing the values, or just a random print of a constant string, you pull the small amount of data into memory (as it goes by page, not by var) and then it works.

For a deeper dive, see this blog post which explores a similar case.

Reasons:
  • Blacklisted phrase (1): this blog
  • Contains signature (1):
  • Long answer (-1):
  • Has code block (-0.5):
  • Low reputation (0.5):
Posted by: mozillazg
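As an added illustration (not code from the answer or from its author), the following user-space C program shows the page-level effect the answer describes: it reads the "present" bit from /proc/self/pagemap for the page holding a static argv string before and after a single read of that string, which is what the printf in the question does as a side effect. The 64 KiB alignment and padding of the string are my assumption to keep it away from other .rodata data; the eBPF side is not reproduced.

```c
/* Added example: check whether the page holding a static execve argument
 * string has a present PTE before and after the program touches it.
 * Reads bit 63 ("page present") of the /proc/self/pagemap entry; the PFN
 * is zeroed for unprivileged readers, but the present bit is reported.
 * Linux only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed sample: the string gets its own 64 KiB-aligned, 64 KiB-long
 * block so that fault-around on a neighbouring .rodata page cannot map it
 * (assumption: fault-around window is at most 64 KiB, the kernel default). */
#define BLOCK (64 * 1024)
static const char ls_path[BLOCK] __attribute__((aligned(BLOCK))) = "/usr/bin/ls";
static char *args[] = { (char *)ls_path, "-l", NULL };

/* 1 = the page containing addr is mapped (present), 0 = not yet faulted in,
 * -1 = pagemap unreadable (some sandboxes deny it). */
int page_present(const void *addr)
{
    long psz = sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return -1;
    uint64_t entry;
    off_t off = (off_t)((uintptr_t)addr / (uintptr_t)psz) * (off_t)sizeof entry;
    ssize_t n = pread(fd, &entry, sizeof entry, off);
    close(fd);
    if (n != (ssize_t)sizeof entry)
        return -1;
    return (int)((entry >> 63) & 1);
}

/* Records the state before, performs one read of the string (the "access"
 * that faults the whole page in), and returns the state after that read. */
int touch_and_check(int *before_out)
{
    int before = page_present(args[0]);
    volatile const char *p = args[0]; /* volatile: no compile-time folding */
    (void)*p;                         /* the single access */
    int after = page_present(args[0]);
    if (before_out)
        *before_out = before;
    return after;
}

int main(void)
{
    int before;
    int after = touch_and_check(&before);
    printf("present before access: %d, after access: %d\n", before, after);
    return 0;
}
```

On a typical desktop kernel this prints 0 before and 1 after; inside a sandbox that hides pagemap both values are -1.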