1STRACE(1) General Commands Manual STRACE(1)
2
6 strace - trace system calls and signals
7
9 strace [ -CdDffhiqrtttTvxx ] [ -acolumn ] [ -eexpr ] ... [ -ofile ] [
10 -ppid ] ... [ -sstrsize ] [ -uusername ] [ -Evar=val ] ... [ -Evar ]
11 ... [ command [ arg ... ] ]
12 strace -c [ -D ] [ -eexpr ] ... [ -Ooverhead ] [ -Ssortby ] [ command
14 [ arg ... ] ]
15
17 In the simplest case strace runs the specified command until it exits.
18 It intercepts and records the system calls which are called by a
19 process and the signals which are received by a process. The name of
20 each system call, its arguments and its return value are printed on
21 standard error or to the file specified with the -o option.
22 strace is a useful diagnostic, instructional, and debugging tool. Sys‐
24 tem administrators, diagnosticians and trouble-shooters will find it
25 invaluable for solving problems with programs for which the source is
26 not readily available since they do not need to be recompiled in order
27 to trace them. Students, hackers and the overly-curious will find that
28 a great deal can be learned about a system and its system calls by
29 tracing even ordinary programs. And programmers will find that since
30 system calls and signals are events that happen at the user/kernel
31 interface, a close examination of this boundary is very useful for bug
32 isolation, sanity checking and attempting to capture race conditions.
33 Each line in the trace contains the system call name, followed by its
35 arguments in parentheses and its return value. An example from strac‐
36 ing the command ``cat /dev/null'' is:
37 open("/dev/null", O_RDONLY) = 3
39 Errors (typically a return value of -1) have the errno symbol and error
41 string appended.
42 open("/foo/bar", O_RDONLY) = -1 ENOENT (No such file or directory)
44 Signals are printed as a signal symbol and a signal string. An excerpt
46 from stracing and interrupting the command ``sleep 666'' is:
47 sigsuspend([] <unfinished ...>
49 --- SIGINT (Interrupt) ---
50 +++ killed by SIGINT +++
51 If a system call is being executed and meanwhile another one is being
53 called from a different thread/process then strace will try to preserve
54 the order of those events and mark the ongoing call as being unfin‐
55 ished. When the call returns it will be marked as resumed.
56 [pid 28772] select(4, [3], NULL, NULL, NULL <unfinished ...>
58 [pid 28779] clock_gettime(CLOCK_REALTIME, {1130322148, 939977000}) = 0
59 [pid 28772] <... select resumed> ) = 1 (in [3])
60 Interruption of a (restartable) system call by a signal delivery is
62 processed differently as kernel terminates the system call and also
63 arranges its immediate reexecution after the signal handler completes.
64 read(0, 0x7ffff72cf5cf, 1) = ? ERESTARTSYS (To be restarted)
66 --- SIGALRM (Alarm clock) @ 0 (0) ---
67 rt_sigreturn(0xe) = 0
68 read(0, ""..., 1) = 0
69 Arguments are printed in symbolic form with a passion. This example
71 shows the shell performing ``>>xyzzy'' output redirection:
72 open("xyzzy", O_WRONLY|O_APPEND|O_CREAT, 0666) = 3
74 Here the three argument form of open is decoded by breaking down the
76 flag argument into its three bitwise-OR constituents and printing the
77 mode value in octal by tradition. Where traditional or native usage
78 differs from ANSI or POSIX, the latter forms are preferred. In some
79 cases, strace output has proven to be more readable than the source.
80 Structure pointers are dereferenced and the members are displayed as
82 appropriate. In all cases arguments are formatted in the most C-like
83 fashion possible. For example, the essence of the command ``ls -l
84 /dev/null'' is captured as:
85 lstat("/dev/null", {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
87 Notice how the `struct stat' argument is dereferenced and how each mem‐
89 ber is displayed symbolically. In particular, observe how the st_mode
90 member is carefully decoded into a bitwise-OR of symbolic and numeric
91 values. Also notice in this example that the first argument to lstat
92 is an input to the system call and the second argument is an output.
93 Since output arguments are not modified if the system call fails, argu‐
94 ments may not always be dereferenced. For example, retrying the ``ls
95 -l'' example with a non-existent file produces the following line:
96 lstat("/foo/bar", 0xb004) = -1 ENOENT (No such file or directory)
98 In this case the porch light is on but nobody is home.
100 Character pointers are dereferenced and printed as C strings. Non-
102 printing characters in strings are normally represented by ordinary C
103 escape codes. Only the first strsize (32 by default) bytes of strings
104 are printed; longer strings have an ellipsis appended following the
105 closing quote. Here is a line from ``ls -l'' where the getpwuid
106 library routine is reading the password file:
107 read(3, "root::0:0:System Administrator:/"..., 1024) = 422
109 While structures are annotated using curly braces, simple pointers and
111 arrays are printed using square brackets with commas separating ele‐
112 ments. Here is an example from the command ``id'' on a system with
113 supplementary group ids:
114 getgroups(32, [100, 0]) = 2
116 On the other hand, bit-sets are also shown using square brackets but
118 set elements are separated only by a space. Here is the shell prepar‐
119 ing to execute an external command:
120 sigprocmask(SIG_BLOCK, [CHLD TTOU], []) = 0
122 Here the second argument is a bit-set of two signals, SIGCHLD and SIGT‐
124 TOU. In some cases the bit-set is so full that printing out the unset
125 elements is more valuable. In that case, the bit-set is prefixed by a
126 tilde like this:
127 sigprocmask(SIG_UNBLOCK, ~[], NULL) = 0
129 Here the second argument represents the full set of all signals.
131
133 -c Count time, calls, and errors for each system call
134 and report a summary on program exit. On Linux,
135 this attempts to show system time (CPU time spent
136 running in the kernel) independent of wall clock
137 time. If -c is used with -f or -F (below), only
138 aggregate totals for all traced processes are kept.
139 -C Like -c but also print regular output while pro‐
141 cesses are running.
142 -D (Not available on SVR4 and FreeBSD.) Run tracer
144 process as a detached grandchild, not as parent of
145 the tracee. This reduces the visible effect of
146 strace by keeping the tracee a direct child of the
147 calling process.
148 -d Show some debugging output of strace itself on the
150 standard error.
151 -f Trace child processes as they are created by cur‐
153 rently traced processes as a result of the fork(2)
154 system call.
155 On non-Linux platforms the new process is attached
157 to as soon as its pid is known (through the return
158 value of fork(2) in the parent process). This means
159 that such children may run uncontrolled for a while
160 (especially in the case of a vfork(2)), until the
161 parent is scheduled again to complete its (v)fork(2)
162 call. On Linux the child is traced from its first
163 instruction with no delay. If the parent process
164 decides to wait(2) for a child that is currently
165 being traced, it is suspended until an appropriate
166 child process either terminates or incurs a signal
167 that would cause it to terminate (as determined from
168 the child's current signal disposition).
169 On SunOS 4.x the tracing of vforks is accomplished
171 with some dynamic linking trickery.
172 -ff If the -o filename option is in effect, each pro‐
174 cesses trace is written to filename.pid where pid is
175 the numeric process id of each process. This is
176 incompatible with -c, since no per-process counts
177 are kept.
178 -F This option is now obsolete and it has the same
180 functionality as -f.
181 -h Print the help summary.
183 -i Print the instruction pointer at the time of the
185 system call.
186 -q Suppress messages about attaching, detaching etc.
188 This happens automatically when output is redirected
189 to a file and the command is run directly instead of
190 attaching.
191 -r Print a relative timestamp upon entry to each system
193 call. This records the time difference between the
194 beginning of successive system calls.
195 -t Prefix each line of the trace with the time of day.
197 -tt If given twice, the time printed will include the
199 microseconds.
200 -ttt If given thrice, the time printed will include the
202 microseconds and the leading portion will be printed
203 as the number of seconds since the epoch.
204 -T Show the time spent in system calls. This records
206 the time difference between the beginning and the
207 end of each system call.
208 -v Print unabbreviated versions of environment, stat,
210 termios, etc. calls. These structures are very
211 common in calls and so the default behavior displays
212 a reasonable subset of structure members. Use this
213 option to get all of the gory details.
214 -V Print the version number of strace.
216 -x Print all non-ASCII strings in hexadecimal string
218 format.
219 -xx Print all strings in hexadecimal string format.
221 -a column Align return values in a specific column (default
223 column 40).
224 -e expr A qualifying expression which modifies which events
226 to trace or how to trace them. The format of the
227 expression is:
228 [qualifier=][!]value1[,value2]...
230 where qualifier is one of trace, abbrev, verbose,
232 raw, signal, read, or write and value is a quali‐
233 fier-dependent symbol or number. The default quali‐
234 fier is trace. Using an exclamation mark negates
235 the set of values. For example, -e open means lit‐
236 erally -e trace=open which in turn means trace only
237 the open system call. By contrast, -e trace=!open
238 means to trace every system call except open. In
239 addition, the special values all and none have the
240 obvious meanings.
241 Note that some shells use the exclamation point for
243 history expansion even inside quoted arguments. If
244 so, you must escape the exclamation point with a
245 backslash.
246 -e trace=set
248 Trace only the specified set of system calls. The
249 -c option is useful for determining which system
250 calls might be useful to trace. For example,
251 trace=open,close,read,write means to only trace
252 those four system calls. Be careful when making
253 inferences about the user/kernel boundary if only a
254 subset of system calls are being monitored. The
255 default is trace=all.
256 -e trace=file
258 Trace all system calls which take a file name as an
259 argument. You can think of this as an abbreviation
260 for -e trace=open,stat,chmod,unlink,... which is
261 useful to seeing what files the process is referenc‐
262 ing. Furthermore, using the abbreviation will
263 ensure that you don't accidentally forget to include
264 a call like lstat in the list. Betchya woulda for‐
265 got that one.
266 -e trace=process
268 Trace all system calls which involve process manage‐
269 ment. This is useful for watching the fork, wait,
270 and exec steps of a process.
271 -e trace=network
273 Trace all the network related system calls.
274 -e trace=signal
276 Trace all signal related system calls.
277 -e trace=ipc
279 Trace all IPC related system calls.
280 -e trace=desc
282 Trace all file descriptor related system calls.
283 -e abbrev=set
285 Abbreviate the output from printing each member of
286 large structures. The default is abbrev=all. The
287 -v option has the effect of abbrev=none.
288 -e verbose=set
290 Dereference structures for the specified set of sys‐
291 tem calls. The default is verbose=all.
292 -e raw=set Print raw, undecoded arguments for the specified set
294 of system calls. This option has the effect of
295 causing all arguments to be printed in hexadecimal.
296 This is mostly useful if you don't trust the decod‐
297 ing or you need to know the actual numeric value of
298 an argument.
299 -e signal=set
301 Trace only the specified subset of signals. The
302 default is signal=all. For example, signal =! SIGIO
303 (or signal=!io) causes SIGIO signals not to be
304 traced.
305 -e read=set Perform a full hexadecimal and ASCII dump of all the
307 data read from file descriptors listed in the speci‐
308 fied set. For example, to see all input activity on
309 file descriptors 3 and 5 use -e read=3,5. Note that
310 this is independent from the normal tracing of the
311 read(2) system call which is controlled by the
312 option -e trace=read.
313 -e write=set
315 Perform a full hexadecimal and ASCII dump of all the
316 data written to file descriptors listed in the spec‐
317 ified set. For example, to see all output activity
318 on file descriptors 3 and 5 use -e write=3,5. Note
319 that this is independent from the normal tracing of
320 the write(2) system call which is controlled by the
321 option -e trace=write.
322 -o filename Write the trace output to the file filename rather
324 than to stderr. Use filename.pid if -ff is used.
325 If the argument begins with `|' or with `!' then the
326 rest of the argument is treated as a command and all
327 output is piped to it. This is convenient for pip‐
328 ing the debugging output to a program without
329 affecting the redirections of executed programs.
330 -O overhead Set the overhead for tracing system calls to over‐
332 head microseconds. This is useful for overriding
333 the default heuristic for guessing how much time is
334 spent in mere measuring when timing system calls
335 using the -c option. The accuracy of the heuristic
336 can be gauged by timing a given program run without
337 tracing (using time(1)) and comparing the accumu‐
338 lated system call time to the total produced using
339 -c.
340 -p pid Attach to the process with the process ID pid and
342 begin tracing. The trace may be terminated at any
343 time by a keyboard interrupt signal (CTRL-C).
344 strace will respond by detaching itself from the
345 traced process(es) leaving it (them) to continue
346 running. Multiple -p options can be used to attach
347 to up to 32 processes in addition to command (which
348 is optional if at least one -p option is given).
349 -s strsize Specify the maximum string size to print (the
351 default is 32). Note that filenames are not consid‐
352 ered strings and are always printed in full.
353 -S sortby Sort the output of the histogram printed by the -c
355 option by the specified criterion. Legal values are
356 time, calls, name, and nothing (default is time).
357 -u username Run command with the user ID, group ID, and supple‐
359 mentary groups of username. This option is only
360 useful when running as root and enables the correct
361 execution of setuid and/or setgid binaries. Unless
362 this option is used setuid and setgid programs are
363 executed without effective privileges.
364 -E var=val Run command with var=val in its list of environment
366 variables.
367 -E var Remove var from the inherited list of environment
369 variables before passing it on to the command.
370
372 When command exits, strace exits with the same exit status. If
373 command is terminated by a signal, strace terminates itself with
374 the same signal, so that strace can be used as a wrapper process
375 transparent to the invoking parent process.
376 When using -p, the exit status of strace is zero unless there
378 was an unexpected error in doing the tracing.
379
381 If strace is installed setuid to root then the invoking user
382 will be able to attach to and trace processes owned by any user.
383 In addition setuid and setgid programs will be executed and
384 traced with the correct effective privileges. Since only users
385 trusted with full root privileges should be allowed to do these
386 things, it only makes sense to install strace as setuid to root
387 when the users who can execute it are restricted to those users
388 who have this trust. For example, it makes sense to install a
389 special version of strace with mode `rwsr-xr--', user root and
390 group trace, where members of the trace group are trusted users.
391 If you do use this feature, please remember to install a non-
392 setuid version of strace for ordinary lusers to use.
393
395 ltrace(1), time(1), ptrace(2), proc(5)
396
398 It is a pity that so much tracing clutter is produced by systems
399 employing shared libraries.
400 It is instructive to think about system call inputs and outputs
402 as data-flow across the user/kernel boundary. Because user-
403 space and kernel-space are separate and address-protected, it is
404 sometimes possible to make deductive inferences about process
405 behavior using inputs and outputs as propositions.
406 In some cases, a system call will differ from the documented
408 behavior or have a different name. For example, on System V-
409 derived systems the true time(2) system call does not take an
410 argument and the stat function is called xstat and takes an
411 extra leading argument. These discrepancies are normal but
412 idiosyncratic characteristics of the system call interface and
413 are accounted for by C library wrapper functions.
414 On some platforms a process that has a system call trace applied
416 to it with the -p option will receive a SIGSTOP. This signal
417 may interrupt a system call that is not restartable. This may
418 have an unpredictable effect on the process if the process takes
419 no action to restart the system call.
420
422 Programs that use the setuid bit do not have effective user ID
423 privileges while being traced.
424 A traced process ignores SIGSTOP except on SVR4 platforms.
426 A traced process which tries to block SIGTRAP will be sent a
428 SIGSTOP in an attempt to force continuation of tracing.
429 A traced process runs slowly.
431 Traced processes which are descended from command may be left
433 running after an interrupt signal (CTRL-C).
434 On Linux, exciting as it would be, tracing the init process is
436 forbidden.
437 The -i option is weakly supported.
439
441 strace The original strace was written by Paul Kranenburg for
442 SunOS and was inspired by its trace utility. The SunOS version
443 of strace was ported to Linux and enhanced by Branko Lankester,
444 who also wrote the Linux kernel support. Even though Paul
445 released strace 2.5 in 1992, Branko's work was based on Paul's
446 strace 1.5 release from 1991. In 1993, Rick Sladkey merged
447 strace 2.5 for SunOS and the second release of strace for Linux,
448 added many of the features of truss(1) from SVR4, and produced
449 an strace that worked on both platforms. In 1994 Rick ported
450 strace to SVR4 and Solaris and wrote the automatic configuration
451 support. In 1995 he ported strace to Irix and tired of writing
452 about himself in the third person.
453
455 The SIGTRAP signal is used internally by the kernel implementa‐
456 tion of system call tracing. When a traced process receives a
457 SIGTRAP signal not associated with tracing, strace will not
458 report that signal correctly. This signal is not normally used
459 by programs, but could be via a hard-coded break instruction or
460 via kill(2).
461
463 Problems with strace should be reported via the Debian Bug
464 Tracking System, or to the strace mailing list at
465 <strace-devel@lists.sourceforge.net>.
466 2010-03-30 STRACE(1)