1STRACE(1) General Commands Manual STRACE(1)
2
6 strace - trace system calls and signals
7
9 strace [-ACdffhikqrtttTvVxxy] [-I n] [-b execve] [-e expr]...
10 [-a column] [-o file] [-s strsize] [-X format] [-P path]...
11 [-p pid]... { -p pid | [-D] [-E var[=val]]... [-u username]
12 command [args] }
13 strace -c [-df] [-I n] [-b execve] [-e expr]... [-O overhead]
15 [-S sortby] [-P path]... [-p pid]... { -p pid | [-D]
16 [-E var[=val]]... [-u username] command [args] }
17
20 In the simplest case strace runs the specified command until it exits.
21 It intercepts and records the system calls which are called by a
22 process and the signals which are received by a process. The name of
23 each system call, its arguments and its return value are printed on
24 standard error or to the file specified with the -o option.
25 strace is a useful diagnostic, instructional, and debugging tool. Sys‐
27 tem administrators, diagnosticians and trouble-shooters will find it
28 invaluable for solving problems with programs for which the source is
29 not readily available since they do not need to be recompiled in order
30 to trace them. Students, hackers and the overly-curious will find that
31 a great deal can be learned about a system and its system calls by
32 tracing even ordinary programs. And programmers will find that since
33 system calls and signals are events that happen at the user/kernel
34 interface, a close examination of this boundary is very useful for bug
35 isolation, sanity checking and attempting to capture race conditions.
36 Each line in the trace contains the system call name, followed by its
38 arguments in parentheses and its return value. An example from strac‐
39 ing the command "cat /dev/null" is:
40 open("/dev/null", O_RDONLY) = 3
42 Errors (typically a return value of -1) have the errno symbol and error
44 string appended.
45 open("/foo/bar", O_RDONLY) = -1 ENOENT (No such file or directory)
47 Signals are printed as signal symbol and decoded siginfo structure. An
49 excerpt from stracing and interrupting the command "sleep 666" is:
50 sigsuspend([] <unfinished ...>
52 --- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=...} ---
53 +++ killed by SIGINT +++
54 If a system call is being executed and meanwhile another one is being
56 called from a different thread/process then strace will try to preserve
57 the order of those events and mark the ongoing call as being unfin‐
58 ished. When the call returns it will be marked as resumed.
59 [pid 28772] select(4, [3], NULL, NULL, NULL <unfinished ...>
61 [pid 28779] clock_gettime(CLOCK_REALTIME, {1130322148, 939977000}) = 0
62 [pid 28772] <... select resumed> ) = 1 (in [3])
63 Interruption of a (restartable) system call by a signal delivery is
65 processed differently as kernel terminates the system call and also
66 arranges its immediate reexecution after the signal handler completes.
67 read(0, 0x7ffff72cf5cf, 1) = ? ERESTARTSYS (To be restarted)
69 --- SIGALRM ... ---
70 rt_sigreturn(0xe) = 0
71 read(0, "", 1) = 0
72 Arguments are printed in symbolic form with passion. This example
74 shows the shell performing ">>xyzzy" output redirection:
75 open("xyzzy", O_WRONLY|O_APPEND|O_CREAT, 0666) = 3
77 Here, the third argument of open is decoded by breaking down the flag
79 argument into its three bitwise-OR constituents and printing the mode
80 value in octal by tradition. Where the traditional or native usage
81 differs from ANSI or POSIX, the latter forms are preferred. In some
82 cases, strace output is proven to be more readable than the source.
83 Structure pointers are dereferenced and the members are displayed as
85 appropriate. In most cases, arguments are formatted in the most C-like
86 fashion possible. For example, the essence of the command "ls -l
87 /dev/null" is captured as:
88 lstat("/dev/null", {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
90 Notice how the 'struct stat' argument is dereferenced and how each mem‐
92 ber is displayed symbolically. In particular, observe how the st_mode
93 member is carefully decoded into a bitwise-OR of symbolic and numeric
94 values. Also notice in this example that the first argument to lstat
95 is an input to the system call and the second argument is an output.
96 Since output arguments are not modified if the system call fails, argu‐
97 ments may not always be dereferenced. For example, retrying the "ls
98 -l" example with a non-existent file produces the following line:
99 lstat("/foo/bar", 0xb004) = -1 ENOENT (No such file or directory)
101 In this case the porch light is on but nobody is home.
103 Syscalls unknown to strace are printed raw, with the unknown system
105 call number printed in hexadecimal form and prefixed with "syscall_":
106 syscall_0xbad(0x1, 0x2, 0x3, 0x4, 0x5, 0x6) = -1 ENOSYS (Function not implemented)
108 Character pointers are dereferenced and printed as C strings. Non-
111 printing characters in strings are normally represented by ordinary C
112 escape codes. Only the first strsize (32 by default) bytes of strings
113 are printed; longer strings have an ellipsis appended following the
114 closing quote. Here is a line from "ls -l" where the getpwuid library
115 routine is reading the password file:
116 read(3, "root::0:0:System Administrator:/"..., 1024) = 422
118 While structures are annotated using curly braces, simple pointers and
120 arrays are printed using square brackets with commas separating ele‐
121 ments. Here is an example from the command "id" on a system with sup‐
122 plementary group ids:
123 getgroups(32, [100, 0]) = 2
125 On the other hand, bit-sets are also shown using square brackets but
127 set elements are separated only by a space. Here is the shell, prepar‐
128 ing to execute an external command:
129 sigprocmask(SIG_BLOCK, [CHLD TTOU], []) = 0
131 Here, the second argument is a bit-set of two signals, SIGCHLD and
133 SIGTTOU. In some cases, the bit-set is so full that printing out the
134 unset elements is more valuable. In that case, the bit-set is prefixed
135 by a tilde like this:
136 sigprocmask(SIG_UNBLOCK, ~[], NULL) = 0
138 Here, the second argument represents the full set of all signals.
140
142 Output format
143 -a column Align return values in a specific column (default column
144 40).
145 -i Print the instruction pointer at the time of the system
147 call.
148 -k Print the execution stack trace of the traced processes
150 after each system call.
151 -o filename Write the trace output to the file filename rather than to
153 stderr. filename.pid form is used if -ff option is sup‐
154 plied. If the argument begins with '|' or '!', the rest of
155 the argument is treated as a command and all output is
156 piped to it. This is convenient for piping the debugging
157 output to a program without affecting the redirections of
158 executed programs. The latter is not compatible with -ff
159 option currently.
160 -A Open the file provided in the -o option in append mode.
162 -q Suppress messages about attaching, detaching etc. This
164 happens automatically when output is redirected to a file
165 and the command is run directly instead of attaching.
166 -qq If given twice, suppress messages about process exit sta‐
168 tus.
169 -r Print a relative timestamp upon entry to each system call.
171 This records the time difference between the beginning of
172 successive system calls. Note that since -r option uses
173 the monotonic clock time for measuring time difference and
174 not the wall clock time, its measurements can differ from
175 the difference in time reported by the -t option.
176 -s strsize Specify the maximum string size to print (the default is
178 32). Note that filenames are not considered strings and
179 are always printed in full.
180 -t Prefix each line of the trace with the wall clock time.
182 -tt If given twice, the time printed will include the microsec‐
184 onds.
185 -ttt If given thrice, the time printed will include the
187 microseconds and the leading portion will be printed as the
188 number of seconds since the epoch.
189 -T Show the time spent in system calls. This records the time
191 difference between the beginning and the end of each system
192 call.
193 -x Print all non-ASCII strings in hexadecimal string format.
195 -xx Print all strings in hexadecimal string format.
197 -X format Set the format for printing of named constants and flags.
199 Supported format values are:
200 raw Raw number output, without decoding.
202 abbrev Output a named constant or a set of flags instead
204 of the raw number if they are found. This is the
205 default strace behaviour.
206 verbose Output both the raw value and the decoded string
208 (as a comment).
209 -y Print paths associated with file descriptor arguments.
211 -yy Print protocol specific information associated with socket
213 file descriptors, and block/character device number associ‐
214 ated with device file descriptors.
215 Statistics
217 -c Count time, calls, and errors for each system call and
218 report a summary on program exit, suppressing the regular
219 output. This attempts to show system time (CPU time spent
220 running in the kernel) independent of wall clock time. If
221 -c is used with -f, only aggregate totals for all traced
222 processes are kept.
223 -C Like -c but also print regular output while processes are
225 running.
226 -O overhead Set the overhead for tracing system calls to overhead
228 microseconds. This is useful for overriding the default
229 heuristic for guessing how much time is spent in mere mea‐
230 suring when timing system calls using the -c option. The
231 accuracy of the heuristic can be gauged by timing a given
232 program run without tracing (using time(1)) and comparing
233 the accumulated system call time to the total produced
234 using -c.
235 -S sortby Sort the output of the histogram printed by the -c option
237 by the specified criterion. Legal values are time, calls,
238 name, and nothing (default is time).
239 -w Summarise the time difference between the beginning and end
241 of each system call. The default is to summarise the sys‐
242 tem time.
243 Filtering
245 -e expr A qualifying expression which modifies which events to
246 trace or how to trace them. The format of the expression
247 is:
248 [qualifier=][!][?]value1[,[?]value2]...
250 where qualifier is one of trace, abbrev, verbose, raw, sig‐
252 nal, read, write, fault, inject, or kvm and value is a
253 qualifier-dependent symbol or number. The default quali‐
254 fier is trace. Using an exclamation mark negates the set
255 of values. For example, -e open means literally
256 -e trace=open which in turn means trace only the open sys‐
257 tem call. By contrast, -e trace=!open means to trace every
258 system call except open. Question mark before the syscall
259 qualification allows suppression of error in case no
260 syscalls matched the qualification provided. Appending one
261 of "@64", "@32", or "@x32" suffixes to the syscall qualifi‐
262 cation allows specifying syscalls only for the 64-bit,
263 32-bit, or 32-on-64-bit personality, respectively. In
264 addition, the special values all and none have the obvious
265 meanings.
266 Note that some shells use the exclamation point for history
268 expansion even inside quoted arguments. If so, you must
269 escape the exclamation point with a backslash.
270 -e trace=set
272 Trace only the specified set of system calls. The -c
273 option is useful for determining which system calls might
274 be useful to trace. For example,
275 trace=open,close,read,write means to only trace those four
276 system calls. Be careful when making inferences about the
277 user/kernel boundary if only a subset of system calls are
278 being monitored. The default is trace=all.
279 -e trace=/regex
281 Trace only those system calls that match the regex. You
282 can use POSIX Extended Regular Expression syntax (see
283 regex(7)).
284 -e trace=%file
286 -e trace=file (deprecated)
287 Trace all system calls which take a file name as an argu‐
288 ment. You can think of this as an abbreviation for
289 -e trace=open,stat,chmod,unlink,... which is useful to
290 seeing what files the process is referencing. Furthermore,
291 using the abbreviation will ensure that you don't acciden‐
292 tally forget to include a call like lstat in the list.
293 Betchya woulda forgot that one.
294 -e trace=%process
296 -e trace=process (deprecated)
297 Trace all system calls which involve process management.
298 This is useful for watching the fork, wait, and exec steps
299 of a process.
300 -e trace=%network
302 -e trace=network (deprecated)
303 Trace all the network related system calls.
304 -e trace=%signal
306 -e trace=signal (deprecated)
307 Trace all signal related system calls.
308 -e trace=%ipc
310 -e trace=ipc (deprecated)
311 Trace all IPC related system calls.
312 -e trace=%desc
314 -e trace=desc (deprecated)
315 Trace all file descriptor related system calls.
316 -e trace=%memory
318 -e trace=memory (deprecated)
319 Trace all memory mapping related system calls.
320 -e trace=%stat
322 Trace stat syscall variants.
323 -e trace=%lstat
325 Trace lstat syscall variants.
326 -e trace=%fstat
328 Trace fstat and fstatat syscall variants.
329 -e trace=%%stat
331 Trace syscalls used for requesting file status (stat,
332 lstat, fstat, fstatat, statx, and their variants).
333 -e trace=%statfs
335 Trace statfs, statfs64, statvfs, osf_statfs, and
336 osf_statfs64 system calls. The same effect can be achieved
337 with -e trace=/^(.*_)?statv?fs regular expression.
338 -e trace=%fstatfs
340 Trace fstatfs, fstatfs64, fstatvfs, osf_fstatfs, and
341 osf_fstatfs64 system calls. The same effect can be
342 achieved with -e trace=/fstatv?fs regular expression.
343 -e trace=%%statfs
345 Trace syscalls related to file system statistics (statfs-
346 like, fstatfs-like, and ustat). The same effect can be
347 achieved with -e trace=/statv?fs|fsstat|ustat regular
348 expression.
349 -e trace=%pure
351 Trace syscalls that always succeed and have no arguments.
352 Currently, this list includes arc_gettls(2), getdtable‐
353 size(2), getegid(2), getegid32(2), geteuid(2),
354 geteuid32(2), getgid(2), getgid32(2), getpagesize(2), getp‐
355 grp(2), getpid(2), getppid(2), get_thread_area(2) (on
356 architectures other than x86), gettid(2), get_tls(2),
357 getuid(2), getuid32(2), getxgid(2), getxpid(2), getxuid(2),
358 kern_features(2), and metag_get_tls(2) syscalls.
359 -e abbrev=set
361 Abbreviate the output from printing each member of large
362 structures. The default is abbrev=all. The -v option has
363 the effect of abbrev=none.
364 -e verbose=set
366 Dereference structures for the specified set of system
367 calls. The default is verbose=all.
368 -e raw=set Print raw, undecoded arguments for the specified set of
370 system calls. This option has the effect of causing all
371 arguments to be printed in hexadecimal. This is mostly
372 useful if you don't trust the decoding or you need to know
373 the actual numeric value of an argument. See also -X raw
374 option.
375 -e signal=set
377 Trace only the specified subset of signals. The default is
378 signal=all. For example, signal=!SIGIO (or signal=!io)
379 causes SIGIO signals not to be traced.
380 -e read=set Perform a full hexadecimal and ASCII dump of all the data
382 read from file descriptors listed in the specified set.
383 For example, to see all input activity on file descriptors
384 3 and 5 use -e read=3,5. Note that this is independent
385 from the normal tracing of the read(2) system call which is
386 controlled by the option -e trace=read.
387 -e write=set
389 Perform a full hexadecimal and ASCII dump of all the data
390 written to file descriptors listed in the specified set.
391 For example, to see all output activity on file descriptors
392 3 and 5 use -e write=3,5. Note that this is independent
393 from the normal tracing of the write(2) system call which
394 is controlled by the option -e trace=write.
395 -e inject=set[:error=errno|:retval=value][:sig‐
397 nal=sig][:syscall=syscall][:delay_enter=usecs][:delay_exit=usecs][:when=expr]
398 Perform syscall tampering for the specified set of
399 syscalls.
400 At least one of error, retval, signal, delay_enter, or
402 delay_exit options has to be specified. error and retval
403 are mutually exclusive.
404 If :error=errno option is specified, a fault is injected
406 into a syscall invocation: the syscall number is replaced
407 by -1 which corresponds to an invalid syscall (unless a
408 syscall is specified with :syscall= option), and the error
409 code is specified using a symbolic errno value like ENOSYS
410 or a numeric value within 1..4095 range.
411 If :retval=value option is specified, success injection is
413 performed: the syscall number is replaced by -1, but a
414 bogus success value is returned to the callee.
415 If :signal=sig option is specified with either a symbolic
417 value like SIGSEGV or a numeric value within 1..SIGRTMAX
418 range, that signal is delivered on entering every syscall
419 specified by the set.
420 If :delay_enter=usecs or :delay_exit=usecs options are
422 specified, delay injection is performed: the tracee is
423 delayed by at least usecs microseconds on entering or exit‐
424 ing the syscall.
425 If :signal=sig option is specified without :error=errno,
427 :retval=value or :delay_{enter,exit}=usecs options, then
428 only a signal sig is delivered without a syscall fault or
429 delay injection. Conversely, :error=errno or :retval=value
430 option without :delay_enter=usecs, :delay_exit=usecs or
431 :signal=sig options injects a fault without delivering a
432 signal or injecting a delay, etc.
433 If both :error=errno or :retval=value and :signal=sig
435 options are specified, then both a fault or success is
436 injected and a signal is delivered.
437 if :syscall=syscall option is specified, the corresponding
439 syscall with no side effects is injected instead of -1.
440 Currently, only "pure" (see -e trace=%pure description)
441 syscalls can be specified there.
442 Unless a :when=expr subexpression is specified, an injec‐
444 tion is being made into every invocation of each syscall
445 from the set.
446 The format of the subexpression is one of the following:
448 first
450 For every syscall from the set, perform an injection
451 for the syscall invocation number first only.
452 first+
454 For every syscall from the set, perform injections for
455 the syscall invocation number first and all subsequent
456 invocations.
457 first+step
459 For every syscall from the set, perform injections for
460 syscall invocations number first, first+step,
461 first+step+step, and so on.
462 For example, to fail each third and subsequent chdir
464 syscalls with ENOENT, use
465 -e inject=chdir:error=ENOENT:when=3+.
466 The valid range for numbers first and step is 1..65535.
468 An injection expression can contain only one error= or ret‐
470 val= specification, and only one signal= specification. If
471 an injection expression contains multiple when= specifica‐
472 tions, the last one takes precedence.
473 Accounting of syscalls that are subject to injection is
475 done per syscall and per tracee.
476 Specification of syscall injection can be combined with
478 other syscall filtering options, for example, -P /dev/uran‐
479 dom -e inject=file:error=ENOENT.
480 -e fault=set[:error=errno][:when=expr]
483 Perform syscall fault injection for the specified set of
484 syscalls.
485 This is equivalent to more generic -e inject= expression
487 with default value of errno option set to ENOSYS.
488 -e kvm=vcpu Print the exit reason of kvm vcpu. Requires Linux kernel
491 version 4.16.0 or higher.
492 -P path Trace only system calls accessing path. Multiple -P
495 options can be used to specify several paths.
496 -v Print unabbreviated versions of environment, stat, termios,
498 etc. calls. These structures are very common in calls and
499 so the default behavior displays a reasonable subset of
500 structure members. Use this option to get all of the gory
501 details.
502 Tracing
504 -b syscall If specified syscall is reached, detach from traced
505 process. Currently, only execve syscall is supported.
506 This option is useful if you want to trace multi-threaded
507 process and therefore require -f, but don't want to trace
508 its (potentially very complex) children.
509 -D Run tracer process as a detached grandchild, not as parent
511 of the tracee. This reduces the visible effect of strace
512 by keeping the tracee a direct child of the calling
513 process.
514 -f Trace child processes as they are created by currently
516 traced processes as a result of the fork(2), vfork(2) and
517 clone(2) system calls. Note that -p PID -f will attach all
518 threads of process PID if it is multi-threaded, not only
519 thread with thread_id = PID.
520 -ff If the -o filename option is in effect, each processes
522 trace is written to filename.pid where pid is the numeric
523 process id of each process. This is incompatible with -c,
524 since no per-process counts are kept.
525 One might want to consider using strace-log-merge(1) to
527 obtain a combined strace log view.
528 -I interruptible
530 When strace can be interrupted by signals (such as pressing
531 ^C). 1: no signals are blocked; 2: fatal signals are
532 blocked while decoding syscall (default); 3: fatal signals
533 are always blocked (default if '-o FILE PROG'); 4: fatal
534 signals and SIGTSTP (^Z) are always blocked (useful to make
535 strace -o FILE PROG not stop on ^Z).
536 Startup
538 -E var=val Run command with var=val in its list of environment vari‐
539 ables.
540 -E var Remove var from the inherited list of environment variables
542 before passing it on to the command.
543 -p pid Attach to the process with the process ID pid and begin
545 tracing. The trace may be terminated at any time by a key‐
546 board interrupt signal (CTRL-C). strace will respond by
547 detaching itself from the traced process(es) leaving it
548 (them) to continue running. Multiple -p options can be
549 used to attach to many processes in addition to command
550 (which is optional if at least one -p option is given). -p
551 "`pidof PROG`" syntax is supported.
552 -u username Run command with the user ID, group ID, and supplementary
554 groups of username. This option is only useful when run‐
555 ning as root and enables the correct execution of setuid
556 and/or setgid binaries. Unless this option is used setuid
557 and setgid programs are executed without effective privi‐
558 leges.
559 Miscellaneous
561 -d Show some debugging output of strace itself on the standard
562 error.
563 -F This option is deprecated. It is retained for backward
565 compatibility only and may be removed in future releases.
566 Usage of multiple instances of -F option is still equiva‐
567 lent to a single -f, and it is ignored at all if used along
568 with one or more instances of -f option.
569 -h Print the help summary.
571 -V Print the version number of strace.
573
575 When command exits, strace exits with the same exit status. If command
576 is terminated by a signal, strace terminates itself with the same sig‐
577 nal, so that strace can be used as a wrapper process transparent to the
578 invoking parent process. Note that parent-child relationship (signal
579 stop notifications, getppid() value, etc) between traced process and
580 its parent are not preserved unless -D is used.
581 When using -p without a command, the exit status of strace is zero
583 unless no processes has been attached or there was an unexpected error
584 in doing the tracing.
585
587 If strace is installed setuid to root then the invoking user will be
588 able to attach to and trace processes owned by any user. In addition
589 setuid and setgid programs will be executed and traced with the correct
590 effective privileges. Since only users trusted with full root privi‐
591 leges should be allowed to do these things, it only makes sense to
592 install strace as setuid to root when the users who can execute it are
593 restricted to those users who have this trust. For example, it makes
594 sense to install a special version of strace with mode 'rwsr-xr--',
595 user root and group trace, where members of the trace group are trusted
596 users. If you do use this feature, please remember to install a regu‐
597 lar non-setuid version of strace for ordinary users to use.
598
600 On some architectures, strace supports decoding of syscalls for pro‐
601 cesses that use different ABI rather than the one strace uses. Specif‐
602 ically, in addition to decoding native ABI, strace can decode the fol‐
603 lowing ABIs on the following architectures:
604 ┌───────────────┬──────────────────────────────────────────────────────────────────────────────────────────┐
606 │Architecture │ ABIs supported │
607 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
608 │x86_64 │ i386, x32 (when built as an x86_64 application); i386 (when built as an x32 application) │
609 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
610 │AArch64 │ ARM 32-bit EABI │
611 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
612 │PowerPC 64-bit │ PowerPC 32-bit │
613 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
614 │RISC-V 64-bit │ RISC-V 32-bit │
615 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
616 │s390x │ s390 │
617 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
618 │SPARC 64-bit │ SPARC 32-bit │
619 ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤
620 │TILE 64-bit │ TILE 32-bit │
621 └───────────────┴──────────────────────────────────────────────────────────────────────────────────────────┘
622 This support is optional and relies on ability to generate and parse
623 structure definitions during the build time. Please refer to the out‐
624 put of the strace -V command in order to figure out what support is
625 available in your strace build ("non-native" refers to an ABI that dif‐
626 fers from the ABI strace has):
627 m32-mpers strace can trace and properly decode non-native 32-bit
629 binaries.
630 no-m32-mpers strace can trace, but cannot properly decode non-native
632 32-bit binaries.
633 mx32-mpers strace can trace and properly decode non-native
635 32-on-64-bit binaries.
636 no-mx32-mpers strace can trace, but cannot properly decode non-native
638 32-on-64-bit binaries.
639 If the output contains neither m32-mpers nor no-m32-mpers, then decod‐
641 ing of non-native 32-bit binaries is not implemented at all or not
642 applicable.
643 Likewise, if the output contains neither mx32-mpers nor no-mx32-mpers,
645 then decoding of non-native 32-on-64-bit binaries is not implemented at
646 all or not applicable.
647
649 It is a pity that so much tracing clutter is produced by systems
650 employing shared libraries.
651 It is instructive to think about system call inputs and outputs as
653 data-flow across the user/kernel boundary. Because user-space and ker‐
654 nel-space are separate and address-protected, it is sometimes possible
655 to make deductive inferences about process behavior using inputs and
656 outputs as propositions.
657 In some cases, a system call will differ from the documented behavior
659 or have a different name. For example, the faccessat(2) system call
660 does not have flags argument, and the setrlimit(2) library function
661 uses prlimit64(2) system call on modern (2.6.38+) kernels. These dis‐
662 crepancies are normal but idiosyncratic characteristics of the system
663 call interface and are accounted for by C library wrapper functions.
664 Some system calls have different names in different architectures and
666 personalities. In these cases, system call filtering and printing uses
667 the names that match corresponding __NR_* kernel macros of the tracee's
668 architecture and personality. There are two exceptions from this gen‐
669 eral rule: arm_fadvise64_64(2) ARM syscall and xtensa_fadvise64_64(2)
670 Xtensa syscall are filtered and printed as fadvise64_64(2).
671 On x32, syscalls that are intended to be used by 64-bit processes and
673 not x32 ones (for example, readv, that has syscall number 19 on x86_64,
674 with its x32 counterpart has syscall number 515), but called with
675 __X32_SYSCALL_BIT flag being set, are designated with "#64" suffix.
676 On some platforms a process that is attached to with the -p option may
678 observe a spurious EINTR return from the current system call that is
679 not restartable. (Ideally, all system calls should be restarted on
680 strace attach, making the attach invisible to the traced process, but a
681 few system calls aren't. Arguably, every instance of such behavior is
682 a kernel bug.) This may have an unpredictable effect on the process if
683 the process takes no action to restart the system call.
684 As strace executes the specified command directly and does not employ a
686 shell for that, scripts without shebang that usually run just fine when
687 invoked by shell fail to execute with ENOEXEC error. It is advisable
688 to manually supply a shell as a command with the script as its argu‐
689 ment.
690
692 Programs that use the setuid bit do not have effective user ID privi‐
693 leges while being traced.
694 A traced process runs slowly.
696 Traced processes which are descended from command may be left running
698 after an interrupt signal (CTRL-C).
699
701 The original strace was written by Paul Kranenburg for SunOS and was
702 inspired by its trace utility. The SunOS version of strace was ported
703 to Linux and enhanced by Branko Lankester, who also wrote the Linux
704 kernel support. Even though Paul released strace 2.5 in 1992, Branko's
705 work was based on Paul's strace 1.5 release from 1991. In 1993, Rick
706 Sladkey merged strace 2.5 for SunOS and the second release of strace
707 for Linux, added many of the features of truss(1) from SVR4, and pro‐
708 duced an strace that worked on both platforms. In 1994 Rick ported
709 strace to SVR4 and Solaris and wrote the automatic configuration sup‐
710 port. In 1995 he ported strace to Irix and tired of writing about him‐
711 self in the third person.
712 Beginning with 1996, strace was maintained by Wichert Akkerman. During
714 his tenure, strace development migrated to CVS; ports to FreeBSD and
715 many architectures on Linux (including ARM, IA-64, MIPS, PA-RISC, Pow‐
716 erPC, s390, SPARC) were introduced. In 2002, the burden of strace
717 maintainership was transferred to Roland McGrath. Since then, strace
718 gained support for several new Linux architectures (AMD64, s390x,
719 SuperH), bi-architecture support for some of them, and received numer‐
720 ous additions and improvements in syscalls decoders on Linux; strace
721 development migrated to git during that period. Since 2009, strace is
722 actively maintained by Dmitry Levin. strace gained support for
723 AArch64, ARC, AVR32, Blackfin, Meta, Nios II, OpenSISC 1000, RISC-V,
724 Tile/TileGx, Xtensa architectures since that time. In 2012, unmain‐
725 tained and apparently broken support for non-Linux operating systems
726 was removed. Also, in 2012 strace gained support for path tracing and
727 file descriptor path decoding. In 2014, support for stack traces
728 printing was added. In 2016, syscall fault injection was implemented.
729 For the additional information, please refer to the NEWS file and
731 strace repository commit log.
732
734 Problems with strace should be reported to the strace mailing list at
735 <strace-devel@lists.strace.io>.
736
738 strace-log-merge(1), ltrace(1), perf-trace(1), trace-cmd(1), time(1),
739 ptrace(2), proc(5)
740strace 4.24 2018-07-07 STRACE(1)