1STRACE(1) General Commands Manual STRACE(1)
2
6 strace - trace system calls and signals
7
9 strace [-ACdffhikqrtttTvVxxy] [-I n] [-b execve] [-e expr]...
10 [-a column] [-o file] [-s strsize] [-X format] [-P path]...
11 [-p pid]... { -p pid | [-D] [-E var[=val]]... [-u username]
12 command [args] }
13 strace -c [-df] [-I n] [-b execve] [-e expr]... [-O overhead]
15 [-S sortby] [-P path]... [-p pid]... { -p pid | [-D]
16 [-E var[=val]]... [-u username] command [args] }
17
20 In the simplest case strace runs the specified command until it exits.
21 It intercepts and records the system calls which are called by a
22 process and the signals which are received by a process. The name of
23 each system call, its arguments and its return value are printed on
24 standard error or to the file specified with the -o option.
25 strace is a useful diagnostic, instructional, and debugging tool. Sys‐
27 tem administrators, diagnosticians and trouble-shooters will find it
28 invaluable for solving problems with programs for which the source is
29 not readily available since they do not need to be recompiled in order
30 to trace them. Students, hackers and the overly-curious will find that
31 a great deal can be learned about a system and its system calls by
32 tracing even ordinary programs. And programmers will find that since
33 system calls and signals are events that happen at the user/kernel
34 interface, a close examination of this boundary is very useful for bug
35 isolation, sanity checking and attempting to capture race conditions.
36 Each line in the trace contains the system call name, followed by its
38 arguments in parentheses and its return value. An example from strac‐
39 ing the command "cat /dev/null" is:
40 open("/dev/null", O_RDONLY) = 3
42 Errors (typically a return value of -1) have the errno symbol and error
44 string appended.
45 open("/foo/bar", O_RDONLY) = -1 ENOENT (No such file or directory)
47 Signals are printed as signal symbol and decoded siginfo structure. An
49 excerpt from stracing and interrupting the command "sleep 666" is:
50 sigsuspend([] <unfinished ...>
52 --- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=...} ---
53 +++ killed by SIGINT +++
54 If a system call is being executed and meanwhile another one is being
56 called from a different thread/process then strace will try to preserve
57 the order of those events and mark the ongoing call as being unfin‐
58 ished. When the call returns it will be marked as resumed.
59 [pid 28772] select(4, [3], NULL, NULL, NULL <unfinished ...>
61 [pid 28779] clock_gettime(CLOCK_REALTIME, {1130322148, 939977000}) = 0
62 [pid 28772] <... select resumed> ) = 1 (in [3])
63 Interruption of a (restartable) system call by a signal delivery is
65 processed differently as kernel terminates the system call and also
66 arranges its immediate reexecution after the signal handler completes.
67 read(0, 0x7ffff72cf5cf, 1) = ? ERESTARTSYS (To be restarted)
69 --- SIGALRM ... ---
70 rt_sigreturn(0xe) = 0
71 read(0, "", 1) = 0
72 Arguments are printed in symbolic form with passion. This example
74 shows the shell performing ">>xyzzy" output redirection:
75 open("xyzzy", O_WRONLY|O_APPEND|O_CREAT, 0666) = 3
77 Here, the third argument of open(2) is decoded by breaking down the
79 flag argument into its three bitwise-OR constituents and printing the
80 mode value in octal by tradition. Where the traditional or native
81 usage differs from ANSI or POSIX, the latter forms are preferred. In
82 some cases, strace output is proven to be more readable than the
83 source.
84 Structure pointers are dereferenced and the members are displayed as
86 appropriate. In most cases, arguments are formatted in the most C-like
87 fashion possible. For example, the essence of the command "ls -l
88 /dev/null" is captured as:
89 lstat("/dev/null", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x1, 0x3), ...}) = 0
91 Notice how the 'struct stat' argument is dereferenced and how each mem‐
93 ber is displayed symbolically. In particular, observe how the st_mode
94 member is carefully decoded into a bitwise-OR of symbolic and numeric
95 values. Also notice in this example that the first argument to
96 lstat(2) is an input to the system call and the second argument is an
97 output. Since output arguments are not modified if the system call
98 fails, arguments may not always be dereferenced. For example, retrying
99 the "ls -l" example with a non-existent file produces the following
100 line:
101 lstat("/foo/bar", 0xb004) = -1 ENOENT (No such file or directory)
103 In this case the porch light is on but nobody is home.
105 Syscalls unknown to strace are printed raw, with the unknown system
107 call number printed in hexadecimal form and prefixed with "syscall_":
108 syscall_0xbad(0x1, 0x2, 0x3, 0x4, 0x5, 0x6) = -1 ENOSYS (Function not implemented)
110 Character pointers are dereferenced and printed as C strings. Non-
113 printing characters in strings are normally represented by ordinary C
114 escape codes. Only the first strsize (32 by default) bytes of strings
115 are printed; longer strings have an ellipsis appended following the
116 closing quote. Here is a line from "ls -l" where the getpwuid(3)
117 library routine is reading the password file:
118 read(3, "root::0:0:System Administrator:/"..., 1024) = 422
120 While structures are annotated using curly braces, simple pointers and
122 arrays are printed using square brackets with commas separating ele‐
123 ments. Here is an example from the command id(1) on a system with sup‐
124 plementary group ids:
125 getgroups(32, [100, 0]) = 2
127 On the other hand, bit-sets are also shown using square brackets but
129 set elements are separated only by a space. Here is the shell, prepar‐
130 ing to execute an external command:
131 sigprocmask(SIG_BLOCK, [CHLD TTOU], []) = 0
133 Here, the second argument is a bit-set of two signals, SIGCHLD and
135 SIGTTOU. In some cases, the bit-set is so full that printing out the
136 unset elements is more valuable. In that case, the bit-set is prefixed
137 by a tilde like this:
138 sigprocmask(SIG_UNBLOCK, ~[], NULL) = 0
140 Here, the second argument represents the full set of all signals.
142
144 Output format
145 -a column Align return values in a specific column (default column
146 40).
147 -i Print the instruction pointer at the time of the system
149 call.
150 -k Print the execution stack trace of the traced processes
152 after each system call.
153 -o filename Write the trace output to the file filename rather than to
155 stderr. filename.pid form is used if -ff option is sup‐
156 plied. If the argument begins with '|' or '!', the rest of
157 the argument is treated as a command and all output is
158 piped to it. This is convenient for piping the debugging
159 output to a program without affecting the redirections of
160 executed programs. The latter is not compatible with -ff
161 option currently.
162 -A Open the file provided in the -o option in append mode.
164 -q Suppress messages about attaching, detaching etc. This
166 happens automatically when output is redirected to a file
167 and the command is run directly instead of attaching.
168 -qq If given twice, suppress messages about process exit sta‐
170 tus.
171 -r Print a relative timestamp upon entry to each system call.
173 This records the time difference between the beginning of
174 successive system calls. Note that since -r option uses
175 the monotonic clock time for measuring time difference and
176 not the wall clock time, its measurements can differ from
177 the difference in time reported by the -t option.
178 -s strsize Specify the maximum string size to print (the default is
180 32). Note that filenames are not considered strings and
181 are always printed in full.
182 -t Prefix each line of the trace with the wall clock time.
184 -tt If given twice, the time printed will include the microsec‐
186 onds.
187 -ttt If given thrice, the time printed will include the
189 microseconds and the leading portion will be printed as the
190 number of seconds since the epoch.
191 -T Show the time spent in system calls. This records the time
193 difference between the beginning and the end of each system
194 call.
195 -x Print all non-ASCII strings in hexadecimal string format.
197 -xx Print all strings in hexadecimal string format.
199 -X format Set the format for printing of named constants and flags.
201 Supported format values are:
202 raw Raw number output, without decoding.
204 abbrev Output a named constant or a set of flags instead
206 of the raw number if they are found. This is the
207 default strace behaviour.
208 verbose Output both the raw value and the decoded string
210 (as a comment).
211 -y Print paths associated with file descriptor arguments.
213 -yy Print protocol specific information associated with socket
215 file descriptors, and block/character device number associ‐
216 ated with device file descriptors.
217 Statistics
219 -c Count time, calls, and errors for each system call and
220 report a summary on program exit, suppressing the regular
221 output. This attempts to show system time (CPU time spent
222 running in the kernel) independent of wall clock time. If
223 -c is used with -f, only aggregate totals for all traced
224 processes are kept.
225 -C Like -c but also print regular output while processes are
227 running.
228 -O overhead Set the overhead for tracing system calls to overhead
230 microseconds. This is useful for overriding the default
231 heuristic for guessing how much time is spent in mere mea‐
232 suring when timing system calls using the -c option. The
233 accuracy of the heuristic can be gauged by timing a given
234 program run without tracing (using time(1)) and comparing
235 the accumulated system call time to the total produced
236 using -c.
237 -S sortby Sort the output of the histogram printed by the -c option
239 by the specified criterion. Legal values are time, calls,
240 name, and nothing (default is time).
241 -w Summarise the time difference between the beginning and end
243 of each system call. The default is to summarise the sys‐
244 tem time.
245 Filtering
247 -e expr A qualifying expression which modifies which events to
248 trace or how to trace them. The format of the expression
249 is:
250 [qualifier=][!][?]value1[,[?]value2]...
252 where qualifier is one of trace, abbrev, verbose, raw, sig‐
254 nal, read, write, fault, inject, or kvm and value is a
255 qualifier-dependent symbol or number. The default quali‐
256 fier is trace. Using an exclamation mark negates the set
257 of values. For example, -e open means literally
258 -e trace=open which in turn means trace only the open sys‐
259 tem call. By contrast, -e trace=!open means to trace every
260 system call except open. Question mark before the syscall
261 qualification allows suppression of error in case no
262 syscalls matched the qualification provided. Appending one
263 of "@64", "@32", or "@x32" suffixes to the syscall qualifi‐
264 cation allows specifying syscalls only for the 64-bit,
265 32-bit, or 32-on-64-bit personality, respectively. In
266 addition, the special values all and none have the obvious
267 meanings.
268 Note that some shells use the exclamation point for history
270 expansion even inside quoted arguments. If so, you must
271 escape the exclamation point with a backslash.
272 -e trace=set
274 Trace only the specified set of system calls. The -c
275 option is useful for determining which system calls might
276 be useful to trace. For example,
277 trace=open,close,read,write means to only trace those four
278 system calls. Be careful when making inferences about the
279 user/kernel boundary if only a subset of system calls are
280 being monitored. The default is trace=all.
281 -e trace=/regex
283 Trace only those system calls that match the regex. You
284 can use POSIX Extended Regular Expression syntax (see
285 regex(7)).
286 -e trace=%file
288 -e trace=file (deprecated)
289 Trace all system calls which take a file name as an argu‐
290 ment. You can think of this as an abbreviation for
291 -e trace=open,stat,chmod,unlink,... which is useful to
292 seeing what files the process is referencing. Furthermore,
293 using the abbreviation will ensure that you don't acciden‐
294 tally forget to include a call like lstat(2) in the list.
295 Betchya woulda forgot that one.
296 -e trace=%process
298 -e trace=process (deprecated)
299 Trace all system calls which involve process management.
300 This is useful for watching the fork, wait, and exec steps
301 of a process.
302 -e trace=%net
304 -e trace=%network
305 -e trace=network (deprecated)
306 Trace all the network related system calls.
307 -e trace=%signal
309 -e trace=signal (deprecated)
310 Trace all signal related system calls.
311 -e trace=%ipc
313 -e trace=ipc (deprecated)
314 Trace all IPC related system calls.
315 -e trace=%desc
317 -e trace=desc (deprecated)
318 Trace all file descriptor related system calls.
319 -e trace=%memory
321 -e trace=memory (deprecated)
322 Trace all memory mapping related system calls.
323 -e trace=%stat
325 Trace stat syscall variants.
326 -e trace=%lstat
328 Trace lstat syscall variants.
329 -e trace=%fstat
331 Trace fstat and fstatat syscall variants.
332 -e trace=%%stat
334 Trace syscalls used for requesting file status (stat,
335 lstat, fstat, fstatat, statx, and their variants).
336 -e trace=%statfs
338 Trace statfs, statfs64, statvfs, osf_statfs, and
339 osf_statfs64 system calls. The same effect can be achieved
340 with -e trace=/^(.*_)?statv?fs regular expression.
341 -e trace=%fstatfs
343 Trace fstatfs, fstatfs64, fstatvfs, osf_fstatfs, and
344 osf_fstatfs64 system calls. The same effect can be
345 achieved with -e trace=/fstatv?fs regular expression.
346 -e trace=%%statfs
348 Trace syscalls related to file system statistics (statfs-
349 like, fstatfs-like, and ustat). The same effect can be
350 achieved with -e trace=/statv?fs|fsstat|ustat regular
351 expression.
352 -e trace=%pure
354 Trace syscalls that always succeed and have no arguments.
355 Currently, this list includes arc_gettls(2), getdtable‐
356 size(2), getegid(2), getegid32(2), geteuid(2),
357 geteuid32(2), getgid(2), getgid32(2), getpagesize(2), getp‐
358 grp(2), getpid(2), getppid(2), get_thread_area(2) (on
359 architectures other than x86), gettid(2), get_tls(2),
360 getuid(2), getuid32(2), getxgid(2), getxpid(2), getxuid(2),
361 kern_features(2), and metag_get_tls(2) syscalls.
362 -e abbrev=set
364 Abbreviate the output from printing each member of large
365 structures. The default is abbrev=all. The -v option has
366 the effect of abbrev=none.
367 -e verbose=set
369 Dereference structures for the specified set of system
370 calls. The default is verbose=all.
371 -e raw=set Print raw, undecoded arguments for the specified set of
373 system calls. This option has the effect of causing all
374 arguments to be printed in hexadecimal. This is mostly
375 useful if you don't trust the decoding or you need to know
376 the actual numeric value of an argument. See also -X raw
377 option.
378 -e signal=set
380 Trace only the specified subset of signals. The default is
381 signal=all. For example, signal=!SIGIO (or signal=!io)
382 causes SIGIO signals not to be traced.
383 -e read=set Perform a full hexadecimal and ASCII dump of all the data
385 read from file descriptors listed in the specified set.
386 For example, to see all input activity on file descriptors
387 3 and 5 use -e read=3,5. Note that this is independent
388 from the normal tracing of the read(2) system call which is
389 controlled by the option -e trace=read.
390 -e write=set
392 Perform a full hexadecimal and ASCII dump of all the data
393 written to file descriptors listed in the specified set.
394 For example, to see all output activity on file descriptors
395 3 and 5 use -e write=3,5. Note that this is independent
396 from the normal tracing of the write(2) system call which
397 is controlled by the option -e trace=write.
398 -e inject=set[:error=errno|:retval=value][:sig‐
400 nal=sig][:syscall=syscall][:delay_enter=usecs][:delay_exit=usecs][:when=expr]
401 Perform syscall tampering for the specified set of
402 syscalls.
403 At least one of error, retval, signal, delay_enter, or
405 delay_exit options has to be specified. error and retval
406 are mutually exclusive.
407 If :error=errno option is specified, a fault is injected
409 into a syscall invocation: the syscall number is replaced
410 by -1 which corresponds to an invalid syscall (unless a
411 syscall is specified with :syscall= option), and the error
412 code is specified using a symbolic errno value like ENOSYS
413 or a numeric value within 1..4095 range.
414 If :retval=value option is specified, success injection is
416 performed: the syscall number is replaced by -1, but a
417 bogus success value is returned to the callee.
418 If :signal=sig option is specified with either a symbolic
420 value like SIGSEGV or a numeric value within 1..SIGRTMAX
421 range, that signal is delivered on entering every syscall
422 specified by the set.
423 If :delay_enter=usecs or :delay_exit=usecs options are
425 specified, delay injection is performed: the tracee is
426 delayed by at least usecs microseconds on entering or exit‐
427 ing the syscall.
428 If :signal=sig option is specified without :error=errno,
430 :retval=value or :delay_{enter,exit}=usecs options, then
431 only a signal sig is delivered without a syscall fault or
432 delay injection. Conversely, :error=errno or :retval=value
433 option without :delay_enter=usecs, :delay_exit=usecs or
434 :signal=sig options injects a fault without delivering a
435 signal or injecting a delay, etc.
436 If both :error=errno or :retval=value and :signal=sig
438 options are specified, then both a fault or success is
439 injected and a signal is delivered.
440 if :syscall=syscall option is specified, the corresponding
442 syscall with no side effects is injected instead of -1.
443 Currently, only "pure" (see -e trace=%pure description)
444 syscalls can be specified there.
445 Unless a :when=expr subexpression is specified, an injec‐
447 tion is being made into every invocation of each syscall
448 from the set.
449 The format of the subexpression is one of the following:
451 first
453 For every syscall from the set, perform an injection
454 for the syscall invocation number first only.
455 first+
457 For every syscall from the set, perform injections for
458 the syscall invocation number first and all subsequent
459 invocations.
460 first+step
462 For every syscall from the set, perform injections for
463 syscall invocations number first, first+step,
464 first+step+step, and so on.
465 For example, to fail each third and subsequent chdir
467 syscalls with ENOENT, use
468 -e inject=chdir:error=ENOENT:when=3+.
469 The valid range for numbers first and step is 1..65535.
471 An injection expression can contain only one error= or ret‐
473 val= specification, and only one signal= specification. If
474 an injection expression contains multiple when= specifica‐
475 tions, the last one takes precedence.
476 Accounting of syscalls that are subject to injection is
478 done per syscall and per tracee.
479 Specification of syscall injection can be combined with
481 other syscall filtering options, for example, -P /dev/uran‐
482 dom -e inject=file:error=ENOENT.
483 -e fault=set[:error=errno][:when=expr]
486 Perform syscall fault injection for the specified set of
487 syscalls.
488 This is equivalent to more generic -e inject= expression
490 with default value of errno option set to ENOSYS.
491 -e kvm=vcpu Print the exit reason of kvm vcpu. Requires Linux kernel
493 version 4.16.0 or higher.
494 -P path Trace only system calls accessing path. Multiple -P
497 options can be used to specify several paths.
498 -v Print unabbreviated versions of environment, stat, termios,
500 etc. calls. These structures are very common in calls and
501 so the default behavior displays a reasonable subset of
502 structure members. Use this option to get all of the gory
503 details.
504 Tracing
506 -b syscall If specified syscall is reached, detach from traced
507 process. Currently, only execve(2) syscall is supported.
508 This option is useful if you want to trace multi-threaded
509 process and therefore require -f, but don't want to trace
510 its (potentially very complex) children.
511 -D Run tracer process as a detached grandchild, not as parent
513 of the tracee. This reduces the visible effect of strace
514 by keeping the tracee a direct child of the calling
515 process.
516 -f Trace child processes as they are created by currently
518 traced processes as a result of the fork(2), vfork(2) and
519 clone(2) system calls. Note that -p PID -f will attach all
520 threads of process PID if it is multi-threaded, not only
521 thread with thread_id = PID.
522 -ff If the -o filename option is in effect, each processes
524 trace is written to filename.pid where pid is the numeric
525 process id of each process. This is incompatible with -c,
526 since no per-process counts are kept.
527 One might want to consider using strace-log-merge(1) to
529 obtain a combined strace log view.
530 -I interruptible
532 When strace can be interrupted by signals (such as pressing
533 CTRL-C).
534 1 no signals are blocked;
536 2 fatal signals are blocked while decoding syscall
537 (default);
538 3 fatal signals are always blocked (default if -o FILE
539 PROG);
540 4 fatal signals and SIGTSTP (CTRL-Z) are always blocked
541 (useful to make strace -o FILE PROG not stop on CTRL-Z,
542 default if -D).
543 Startup
545 -E var=val Run command with var=val in its list of environment vari‐
546 ables.
547 -E var Remove var from the inherited list of environment variables
549 before passing it on to the command.
550 -p pid Attach to the process with the process ID pid and begin
552 tracing. The trace may be terminated at any time by a key‐
553 board interrupt signal (CTRL-C). strace will respond by
554 detaching itself from the traced process(es) leaving it
555 (them) to continue running. Multiple -p options can be
556 used to attach to many processes in addition to command
557 (which is optional if at least one -p option is given). -p
558 "`pidof PROG`" syntax is supported.
559 -u username Run command with the user ID, group ID, and supplementary
561 groups of username. This option is only useful when run‐
562 ning as root and enables the correct execution of setuid
563 and/or setgid binaries. Unless this option is used setuid
564 and setgid programs are executed without effective privi‐
565 leges.
566 Miscellaneous
568 -d Show some debugging output of strace itself on the standard
569 error.
570 -F This option is deprecated. It is retained for backward
572 compatibility only and may be removed in future releases.
573 Usage of multiple instances of -F option is still equiva‐
574 lent to a single -f, and it is ignored at all if used along
575 with one or more instances of -f option.
576 -h Print the help summary.
578 -V Print the version number of strace.
580
582 When command exits, strace exits with the same exit status. If command
583 is terminated by a signal, strace terminates itself with the same sig‐
584 nal, so that strace can be used as a wrapper process transparent to the
585 invoking parent process. Note that parent-child relationship (signal
586 stop notifications, getppid(2) value, etc) between traced process and
587 its parent are not preserved unless -D is used.
588 When using -p without a command, the exit status of strace is zero
590 unless no processes has been attached or there was an unexpected error
591 in doing the tracing.
592
594 If strace is installed setuid to root then the invoking user will be
595 able to attach to and trace processes owned by any user. In addition
596 setuid and setgid programs will be executed and traced with the correct
597 effective privileges. Since only users trusted with full root privi‐
598 leges should be allowed to do these things, it only makes sense to
599 install strace as setuid to root when the users who can execute it are
600 restricted to those users who have this trust. For example, it makes
601 sense to install a special version of strace with mode 'rwsr-xr--',
602 user root and group trace, where members of the trace group are trusted
603 users. If you do use this feature, please remember to install a regu‐
604 lar non-setuid version of strace for ordinary users to use.
605
607 On some architectures, strace supports decoding of syscalls for pro‐
608 cesses that use different ABI rather than the one strace uses. Specif‐
609 ically, in addition to decoding native ABI, strace can decode the fol‐
610 lowing ABIs on the following architectures:
611 ┌───────────────┬──────────────────────────────────────────────────────────────────────────────────────────┐
613 │Architecture │ ABIs supported │
614 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
615 │x86_64 │ i386, x32 (when built as an x86_64 application); i386 (when built as an x32 application) │
616 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
617 │AArch64 │ ARM 32-bit EABI │
618 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
619 │PowerPC 64-bit │ PowerPC 32-bit │
620 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
621 │RISC-V 64-bit │ RISC-V 32-bit │
622 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
623 │s390x │ s390 │
624 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
625 │SPARC 64-bit │ SPARC 32-bit │
626 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
627 │TILE 64-bit │ TILE 32-bit │
628 └───────────────┴──────────────────────────────────────────────────────────────────────────────────────────┘
629 This support is optional and relies on ability to generate and parse
630 structure definitions during the build time. Please refer to the out‐
631 put of the strace -V command in order to figure out what support is
632 available in your strace build ("non-native" refers to an ABI that dif‐
633 fers from the ABI strace has):
634 m32-mpers strace can trace and properly decode non-native 32-bit
636 binaries.
637 no-m32-mpers strace can trace, but cannot properly decode non-native
639 32-bit binaries.
640 mx32-mpers strace can trace and properly decode non-native
642 32-on-64-bit binaries.
643 no-mx32-mpers strace can trace, but cannot properly decode non-native
645 32-on-64-bit binaries.
646 If the output contains neither m32-mpers nor no-m32-mpers, then decod‐
648 ing of non-native 32-bit binaries is not implemented at all or not
649 applicable.
650 Likewise, if the output contains neither mx32-mpers nor no-mx32-mpers,
652 then decoding of non-native 32-on-64-bit binaries is not implemented at
653 all or not applicable.
654
656 It is a pity that so much tracing clutter is produced by systems
657 employing shared libraries.
658 It is instructive to think about system call inputs and outputs as
660 data-flow across the user/kernel boundary. Because user-space and ker‐
661 nel-space are separate and address-protected, it is sometimes possible
662 to make deductive inferences about process behavior using inputs and
663 outputs as propositions.
664 In some cases, a system call will differ from the documented behavior
666 or have a different name. For example, the faccessat(2) system call
667 does not have flags argument, and the setrlimit(2) library function
668 uses prlimit64(2) system call on modern (2.6.38+) kernels. These dis‐
669 crepancies are normal but idiosyncratic characteristics of the system
670 call interface and are accounted for by C library wrapper functions.
671 Some system calls have different names in different architectures and
673 personalities. In these cases, system call filtering and printing uses
674 the names that match corresponding __NR_* kernel macros of the tracee's
675 architecture and personality. There are two exceptions from this gen‐
676 eral rule: arm_fadvise64_64(2) ARM syscall and xtensa_fadvise64_64(2)
677 Xtensa syscall are filtered and printed as fadvise64_64(2).
678 On x32, syscalls that are intended to be used by 64-bit processes and
680 not x32 ones (for example, readv(2), that has syscall number 19 on
681 x86_64, with its x32 counterpart has syscall number 515), but called
682 with __X32_SYSCALL_BIT flag being set, are designated with #64 suffix.
683 On some platforms a process that is attached to with the -p option may
685 observe a spurious EINTR return from the current system call that is
686 not restartable. (Ideally, all system calls should be restarted on
687 strace attach, making the attach invisible to the traced process, but a
688 few system calls aren't. Arguably, every instance of such behavior is
689 a kernel bug.) This may have an unpredictable effect on the process if
690 the process takes no action to restart the system call.
691 As strace executes the specified command directly and does not employ a
693 shell for that, scripts without shebang that usually run just fine when
694 invoked by shell fail to execute with ENOEXEC error. It is advisable
695 to manually supply a shell as a command with the script as its argu‐
696 ment.
697
699 Programs that use the setuid bit do not have effective user ID privi‐
700 leges while being traced.
701 A traced process runs slowly.
703 Traced processes which are descended from command may be left running
705 after an interrupt signal (CTRL-C).
706
708 The original strace was written by Paul Kranenburg for SunOS and was
709 inspired by its trace utility. The SunOS version of strace was ported
710 to Linux and enhanced by Branko Lankester, who also wrote the Linux
711 kernel support. Even though Paul released strace 2.5 in 1992, Branko's
712 work was based on Paul's strace 1.5 release from 1991. In 1993, Rick
713 Sladkey merged strace 2.5 for SunOS and the second release of strace
714 for Linux, added many of the features of truss(1) from SVR4, and pro‐
715 duced an strace that worked on both platforms. In 1994 Rick ported
716 strace to SVR4 and Solaris and wrote the automatic configuration sup‐
717 port. In 1995 he ported strace to Irix and tired of writing about him‐
718 self in the third person.
719 Beginning with 1996, strace was maintained by Wichert Akkerman. During
721 his tenure, strace development migrated to CVS; ports to FreeBSD and
722 many architectures on Linux (including ARM, IA-64, MIPS, PA-RISC, Pow‐
723 erPC, s390, SPARC) were introduced. In 2002, the burden of strace
724 maintainership was transferred to Roland McGrath. Since then, strace
725 gained support for several new Linux architectures (AMD64, s390x,
726 SuperH), bi-architecture support for some of them, and received numer‐
727 ous additions and improvements in syscalls decoders on Linux; strace
728 development migrated to git during that period. Since 2009, strace is
729 actively maintained by Dmitry Levin. strace gained support for
730 AArch64, ARC, AVR32, Blackfin, Meta, Nios II, OpenSISC 1000, RISC-V,
731 Tile/TileGx, Xtensa architectures since that time. In 2012, unmain‐
732 tained and apparently broken support for non-Linux operating systems
733 was removed. Also, in 2012 strace gained support for path tracing and
734 file descriptor path decoding. In 2014, support for stack traces
735 printing was added. In 2016, syscall fault injection was implemented.
736 For the additional information, please refer to the NEWS file and
738 strace repository commit log.
739
741 Problems with strace should be reported to the strace mailing list at
742 <strace-devel@lists.strace.io>.
743
745 strace-log-merge(1), ltrace(1), perf-trace(1), trace-cmd(1), time(1),
746 ptrace(2), proc(5)
747strace 5.0 2019-03-17 STRACE(1)