SGI Freeware 1999 August

home *** CD-ROM | disk | FTP | other *** search

/ SGI Freeware 1999 August / SGI Freeware 1999 August.iso / dist / fw_strace.idb / usr / freeware / catman / u_man / cat1 / strace.Z / strace

Wrap

Text File | 1998-10-28 | 24.1 KB | 595 lines

SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) UUUUNNNNIIIIXXXX SSSSyyyysssstttteeeemmmm VVVV ((((99996666////00002222////11113333)))) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) NNNNAAAAMMMMEEEE strace - trace system calls and signals SSSSYYYYNNNNOOOOPPPPSSSSIIIISSSS ssssttttrrrraaaacccceeee [ ----ddddffffffffhhhhiiiiqqqqrrrrttttttttttttTTTTvvvvxxxxxxxx ] [ ----aaaa_c_o_l_u_m_n ] [ ----eeee_e_x_p_r ] ... [ ----oooo_f_i_l_e ] [ ----pppp_p_i_d ] ... [ ----ssss_s_t_r_s_i_z_e ] [ ----uuuu_u_s_e_r_n_a_m_e ] [ _c_o_m_m_a_n_d [ _a_r_g ... ] ] ssssttttrrrraaaacccceeee ----cccc [ ----eeee_e_x_p_r ] ... [ ----OOOO_o_v_e_r_h_e_a_d ] [ ----SSSS_s_o_r_t_b_y ] [ _c_o_m_m_a_n_d [ _a_r_g ... ] ] DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN In the simplest case ssssttttrrrraaaacccceeee runs the specified _c_o_m_m_a_n_d until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the ----oooo option. ssssttttrrrraaaacccceeee is a useful diagnositic, instructional, and debugging tool. System adminstrators, diagnosticians and trouble- shooters will find it invaluable for solving problems with programs for which the source is not readily available since they do not need to be recompiled in order to trace them. Students, hackers and the overly-curious will find that a great deal can be learned about a system and its system calls by tracing even ordinary programs. And programmers will find that since system calls and signals are events that happen at the user/kernel interface, a close examination of this boundary is very useful for bug isolation, sanity checking and attempting to capture race conditions. Each line in the trace contains the system call name, followed by its arguments in parentheses and its return value. An example from stracing the command ``cat /dev/null'' is: open("/dev/null", O_RDONLY) = 3 Errors (typically a return value of -1) have the errno symbol and error string appended. open("/foo/bar", O_RDONLY) = -1 ENOENT (No such file or directory) Signals are printed as a signal symbol and a signal string. An excerpt from stracing and interrupting the command ``sleep 666'' is: sigsuspend([] <unfinished ...> --- SIGINT (Interrupt) --- +++ killed by SIGINT +++ Page 1 (printed 8/4/98) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) UUUUNNNNIIIIXXXX SSSSyyyysssstttteeeemmmm VVVV ((((99996666////00002222////11113333)))) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) Arguments are printed in symbolic form with a passion. This example shows the shell peforming ``>>xyzzy'' output redirection: open("xyzzy", O_WRONLY|O_APPEND|O_CREAT, 0666) = 3 Here the three argument form of open is decoded by breaking down the flag argument into its three bitwise-OR constituents and printing the mode value in octal by tradition. Where traditional or native usage differs from ANSI or POSIX, the latter forms are preferred. In some cases, strace output has proven to be more readable than the source. Structure pointers are dereferenced and the members are displayed as appropriate. In all cases arguments are formatted in the most C-like fashion possible. For example, the essence of the command ``ls -l /dev/null'' is captured as: lstat("/dev/null", {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0 Notice how the `struct stat' argument is dereferenced and how each member is displayed symbolically. In particular, observe how the st_mode member is carefully decoded into a bitwise-OR of symbolic and numeric values. Also notice in this example that the first argument to lstat is an input to the system call and the second argument is an output. Since output arguments not modified if the system call fails, arguments may not always be dereferenced. For example, retrying the ``ls -l'' example with a non-existent file produces the following line: lstat("/foo/bar", 0xb004) = -1 ENOENT (No such file or directory) In this case the porch light is on but nobody is home. Character pointers are dereferenced and printed as C strings. Non-printing characters in strings are normally represented by ordinary C escape codes. Only the first _s_t_r_s_i_z_e (32 by default) bytes of strings are printed; longer strings have an ellipsis appended following the closing quote. Here is a line from ``ls -l'' where the getpwuid library routine is reading the password file: read(3, "root::0:0:System Administrator:/"..., 1024) = 422 _W_h_i_l_e _s_t_r_u_c_t_u_r_e_s _a_r_e _a_n_n_o_t_a_t_e_d _u_s_i_n_g _c_u_r_l_y _b_r_a_c_e_s, _s_i_m_p_l_e _p_o_i_n_t_e_r_s _a_n_d _a_r_r_a_y_s _a_r_e _p_r_i_n_t_e_d _u_s_i_n_g _s_q_u_a_r_e _b_r_a_c_k_e_t_s _w_i_t_h _c_o_m_m_a_s _s_e_p_a_r_a_t_i_n_g _e_l_e_m_e_n_t_s. _H_e_r_e _i_s _a_n _e_x_a_m_p_l_e _f_r_o_m _t_h_e _c_o_m_m_a_n_d ``_i_d'' _o_n _a _s_y_s_t_e_m _w_i_t_h _s_u_p_p_l_e_m_e_n_t_a_r_y _g_r_o_u_p _i_d_s: Page 2 (printed 8/4/98) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) UUUUNNNNIIIIXXXX SSSSyyyysssstttteeeemmmm VVVV ((((99996666////00002222////11113333)))) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) _g_e_t_g_r_o_u_p_s(_3_2, [_1_0_0, _0]) = _2 On the other hand, bit-sets are also shown using square brackets but set elements are separated only by a space. Here is the shell preparing to execute an external command: sigprocmask(SIG_BLOCK, [CHLD TTOU], []) = 0 _H_e_r_e _t_h_e _s_e_c_o_n_d _a_r_g_u_m_e_n_t _i_s _a _b_i_t-_s_e_t _o_f _t_w_o _s_i_g_n_a_l_s, _S_I_G_C_H_L_D _a_n_d _S_I_G_T_T_O_U. _I_n _s_o_m_e _c_a_s_e_s _t_h_e _b_i_t-_s_e_t _i_s _s_o _f_u_l_l _t_h_a_t _p_r_i_n_t_i_n_g _o_u_t _t_h_e _u_n_s_e_t _e_l_e_m_e_n_t_s _i_s _m_o_r_e _v_a_l_u_a_b_l_e. _I_n _t_h_a_t _c_a_s_e, _t_h_e _b_i_t-_s_e_t _i_s _p_r_e_f_i_x_e_d _b_y _a _t_i_l_d_e _l_i_k_e _t_h_i_s: _s_i_g_p_r_o_c_m_a_s_k(_S_I_G__U_N_B_L_O_C_K, ~[], _N_U_L_L) = _0 Here the second argument represents the full set of all signals. OOOOPPPPTTTTIIIIOOOONNNNSSSS _s_t_d_e_r_r . ----ffff Trace child processes as they are created by currently traced processes as a result of the fork(2) system call. The new process is attached to as soon as its pid is known (through the return value of fork(2) in the parent process). This means that such children may run uncontrolled for a while (especially in the case of a vfork(2)), until the parent is scheduled again to complete its (v)fork(2) call. If the parent process decides to wait(2) for a child that is currently being traced, it is suspended until an appropriate child process either terminates or incurs a signal that would cause it to terminate (as determined from the child's current signal disposition). ----ffffffff If the ----oooo _f_i_l_e_n_a_m_e option is in effect, each processes trace is written to _f_i_l_e_n_a_m_e._p_i_d where pid is the numeric process id of each process. ----FFFF On SunOS 4.x, this option has the effect of attempting to follow vforks by performing some dynamic linking trickery. Otherwise, vforks will not be followed even if ----ffff has been given. ----hhhh Print the help summary. ----iiii Print the instruction pointer at the time of the system call. ----qqqq Suppress messages about attaching, detaching Page 3 (printed 8/4/98) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) UUUUNNNNIIIIXXXX SSSSyyyysssstttteeeemmmm VVVV ((((99996666////00002222////11113333)))) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) etc. This happens automatically when output is redirected to a file and the command is run directly instead of attaching. ----rrrr Print a relative timestamp upon entry to each system call. This records the time difference between the beginning of successive system calls. ----tttt Prefix each line of the trace with the time of day. ----tttttttt If given twice, the time printed will include the microseconds. ----tttttttttttt If given thrice, the time printed will include the microseconds and the leading portion will be printed as the number of seconds since the epoch. ----TTTT Show the time spent in system calls. This records the time difference between the beginning and the end of each system call. ----vvvv Print unabbreviated versions of environment, stat, termios, etc. calls. These structures are very common in calls and so the default behavior displays a reasonable subset of structure members. Use this option to get all of the gory details. ----VVVV Print the version number of strace. ----xxxx Print all non-ascii strings in hexadecimal string format. ----xxxxxxxx Print all strings in hexadecimal string format. ----aaaa _c_o_l_u_m_n Align return values in a secific column (default column 40). ----eeee _e_x_p_r A qualifying expression which modifies which events to trace or how to trace them. The format of the expression is: [qualifier=][!]value1[,value2]... where qualifier is one of trace, abbrev, verbose, raw, signal, read, or write and value is a qualifier-dependent symbol or number. The default qualifier is trace. Using an exclamation mark negates the set of values. For example -eopen means literally -e trace=open Page 4 (printed 8/4/98) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) UUUUNNNNIIIIXXXX SSSSyyyysssstttteeeemmmm VVVV ((((99996666////00002222////11113333)))) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) which in turn means trace only the open system call. By contrast, -etrace=!open means to trace every system call except open. In addition the special values all and none have the obvious meanings. Note that some shells use the exclamation point for history expansion; even inside quoted arguments. If so, you must escape the exclamation point with a backslash. ----eeee ttttrrrraaaacccceeee====_s_e_t Trace only the specified set of system calls. The ----cccc option is useful for determining which system calls might be useful to trace. For example, trace=open,close,read,write means to only trace those four system calls. Be careful when making inferences about the user/kernel boundary if only a subset of system calls are being monitored. The default is trace=all. ----eeee ttttrrrraaaacccceeee====ffffiiiilllleeee Trace all system calls which take a file name as an argument. You can think of this as an abbreviation for ----eeee ttttrrrraaaacccceeee====ooooppppeeeennnn,,,,ssssttttaaaatttt,,,,cccchhhhmmmmoooodddd,,,,uuuunnnnlllliiiinnnnkkkk,,,,... which is useful to seeing what files the process is referencing. Furthermore, using the abbreviation will ensure that you don't accidentally forget to include a call like llllssssttttaaaatttt in the list. Betchya woulda forgot that one. ----eeee ttttrrrraaaacccceeee====pppprrrroooocccceeeessssssss Trace all system calls which involve process management. This is useful for watching the fork, wait, and exec steps of a process. ----eeee ttttrrrraaaacccceeee====nnnneeeettttwwwwoooorrrrkkkk Trace all the network related system calls. ----eeee ttttrrrraaaacccceeee====ssssiiiiggggnnnnaaaallll Trace all signal related system calls. ----eeee ttttrrrraaaacccceeee====iiiippppcccc Trace all IPC related system calls. ----eeee aaaabbbbbbbbrrrreeeevvvv====_s_e_t Abbreviate the output from printing each member of large structures. The default is abbrev=all. The ----vvvv option has the effect of abbrev=none. ----eeee vvvveeeerrrrbbbboooosssseeee====_s_e_t Dereference structures for the specified set of system calls. The default is verbose=all. Page 5 (printed 8/4/98) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) UUUUNNNNIIIIXXXX SSSSyyyysssstttteeeemmmm VVVV ((((99996666////00002222////11113333)))) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) ----eeee rrrraaaawwww====_s_e_t Print raw, undecoded arguments for the specifed set of system calls. This option has the effect of causing all arguments to be printed in hexadecimal. This is mostly useful if you don't trust the decoding or you need to know the actual numeric value of an argument. ----eeee ssssiiiiggggnnnnaaaallll====_s_e_t Trace only the specified subset of signals. The default is signal=all. For example signal=!SIGIO (or signal=!io) causes SIGIO signals not to be traced. ----eeee rrrreeeeaaaadddd====_s_e_t Perform a full hexadecimal and ascii dump of all the data read from file descriptors listed in the specified set. For example, to see all input activity on file descriptors 3 and 5 use ----eeee rrrreeeeaaaadddd====3333,,,,5555. Note that this is independent from the normal tracing of the read system call which is controlled by the option ----eeee ttttrrrraaaacccceeee====rrrreeeeaaaadddd. ----eeee wwwwrrrriiiitttteeee====_s_e_t Perform a full hexadecimal and ascii dump of all the data written to file descriptors listed in the specified set. For example, to see all output activity on file descriptors 3 and 5 use ----eeee wwwwrrrriiiitttteeee====3333,,,,5555. Note that this is independent from the normal tracing of the write system call which is controlled by the option ----eeee ttttrrrraaaacccceeee====wwwwrrrriiiitttteeee. ----oooo _f_i_l_e_n_a_m_e Write the trace output to the file _f_i_l_e_n_a_m_e rather than to stderr. Use _f_i_l_e_n_a_m_e._p_i_d if ----ffffffff is used. If the argument begins with `|' or with `!' then the rest of the argument is treated as a command and all output is piped to it. This is convenient for piping the debugging output to a program without affecting the redirections of executed programs. ----OOOO _o_v_e_r_h_e_a_d Set the overhead for tracing system calls to overhead microseconds. This is useful for overriding the default heuristic for guessing how much time is spent in mere measuring when timing system calls using the ----cccc option. The acuracy of the heuristic can be gauged by timing a given program run without tracing (using time(1)) and comparing the accumulated system call time to the total produced using ----cccc .... ----pppp _p_i_d Attach to the process with the process ID _p_i_d and begin tracing. The trace may be terminated at any time by a keyboard interrupt signal (CTRL-C). ssssttttrrrraaaacccceeee will Page 6 (printed 8/4/98) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) UUUUNNNNIIIIXXXX SSSSyyyysssstttteeeemmmm VVVV ((((99996666////00002222////11113333)))) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) respond by detaching itself from the traced process(es) leaving it (them) to continue running. Multiple ----pppp options can be used to attach to up to 32 processes in addition to _c_o_m_m_a_n_d (which is optional if at least one ----pppp option is given). ----ssss _s_t_r_s_i_z_e Specify the maximum string size to print (the default is 32). Note that filenames are not considered strings and are always printed in full. ----SSSS _s_o_r_t_b_y Sort the output of the histogram printed by the ----cccc option by the specified critereon. Legal values are time, calls, name, and nothing (default time). ----uuuu _u_s_e_r_n_a_m_e Run command with the userid, groupid and supplementary groups of _u_s_e_r_n_a_m_e. This option is only useful when running as root and enables the correct execution of setuid and/or setgid binaries. Unless this option is used setuid and setgid programs are executed without effective privileges. SSSSEEEETTTTUUUUIIIIDDDD IIIINNNNSSSSTTTTAAAALLLLLLLLAAAATTTTIIIIOOOONNNN If ssssttttrrrraaaacccceeee is installed setuid to root then the invoking user will be able to attach to and trace processes owned by any user. In addition setuid and setgid programs will be executed and traced with the correct effective privileges. Since only users trusted with full root privileges should be allowed to do these things, it only makes sense to install ssssttttrrrraaaacccceeee as setuid to root when the users who can execute it are restricted to those users who have this trust. For example, it makes sense to install a special version of ssssttttrrrraaaacccceeee with mode `rwsr-xr--', user root and group trace, where members of the trace group are trusted users. If you do use this feature, please remember to install a non-setuid version of strace for ordinary lusers to use. SSSSEEEEEEEE AAAALLLLSSSSOOOO ppppttttrrrraaaacccceeee((((2222)))), pppprrrroooocccc((((4444)))), ttttiiiimmmmeeee((((1111)))), ttttrrrraaaacccceeee((((1111)))), ttttrrrruuuussssssss((((1111)))) NNNNOOOOTTTTEEEESSSS It is a pity that so much tracing clutter is produced by systems employing shared libraries. It is instructive to think about system call inputs and outputs as data-flow across the user/kernel boundary. Because user-space and kernel-space are separate and address-protected, it is sometimes possible to make deductive inferences about process behavior using inputs and outputs as propositions. Page 7 (printed 8/4/98) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) UUUUNNNNIIIIXXXX SSSSyyyysssstttteeeemmmm VVVV ((((99996666////00002222////11113333)))) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) In some cases, a system call will differ from the documented behavior or have a different name. For example, on System V derived systems the true time(2) system call does not take an argument and the stat function is called xstat and takes an extra leading argument. These discrepancies are normal but idiosyncratic characteristics of the system call interface and are accounted for by C library wrapper functions. On some platforms a process that has a system call trace applied to it with the ----pppp option will receive a SSSSIIIIGGGGSSSSTTTTOOOOPPPP. This signal may interrupt a system call that is not restartable. This may have an unpredictable effect on the process if the process takes no action to restart the system call. BBBBUUUUGGGGSSSS Programs that use the _s_e_t_u_i_d bit do not have effective user ID privileges while being traced. A traced process ignores SIGSTOP except of SVR4 platforms. A traced process which tries to block SIGTRAP will be sent a SIGSTOP in an attempt to force continuation of tracing. A traced process runs slowly. Traced processes which are descended from _c_o_m_m_a_n_d may be left running after an interrupt signal (CTRL-C). On Linux, exciting as it would be, tracing the init process is forbidden. The ----iiii option is weakly supported. HHHHIIIISSSSTTTTOOOORRRRYYYY ssssttttrrrraaaacccceeee The original strace was written by Paul Kranenburg for SunOS and was inspired by its trace utility. The SunOS version of strace was ported to Linux and enhanced by Branko Lankester, who also wrote the Linux kernel support. Even though Paul released strace 2.5 in 1992, Branko's work was based on Paul's strace 1.5 release from 1991. In 1993, Rick Sladkey merged strace 2.5 for SunOS and the second release of strace for Linux, added many of the features of truss from SVR4, and produced an strace that worked on both platforms. In 1994 Rick ported strace to SVR4 and Solaris and wrote the automatic configuration support. In 1995 he ported strace to Irix and tired of writing about himself in the third person. PPPPRRRROOOOBBBBLLLLEEEEMMMMSSSS Problems with ssssttttrrrraaaacccceeee should be reported to the current Page 8 (printed 8/4/98) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) UUUUNNNNIIIIXXXX SSSSyyyysssstttteeeemmmm VVVV ((((99996666////00002222////11113333)))) SSSSTTTTRRRRAAAACCCCEEEE((((1111)))) ssssttttrrrraaaacccceeee maintainer, Rick Sladkey, at <jrs@world.std.com>. Page 9 (printed 8/4/98)