1 .\" Copyright (c) 1991, 1992 Paul Kranenburg <pk@cs.few.eur.nl>
2 .\" Copyright (c) 1993 Branko Lankester <branko@hacktic.nl>
3 .\" Copyright (c) 1993, 1994, 1995, 1996 Rick Sladkey <jrs@world.std.com>
4 .\" Copyright (c) 1996-2017 The strace developers.
5 .\" All rights reserved.
7 .\" SPDX-License-Identifier: LGPL-2.1-or-later
20 .\" Like .OP, but with ellipsis at the end in order to signify that option
21 .\" can be provided multiple times. Based on .OP definition in groff's
25 . RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
27 . RB "[" "\\$1" "]...\&"
32 . RI "\fB\\$1\fP" "\ \\$2"
36 .TH STRACE 1 "@MANPAGE_DATE@" "strace @VERSION@"
38 strace \- trace system calls and signals
41 .if '@ENABLE_STACKTRACE_FALSE@'#' .OP \-ACdffhikqqrtttTvVwxxyyzZ
42 .if '@ENABLE_STACKTRACE_TRUE@'#' .OP \-ACdffhiqqrtttTvVwxxyyzZ
56 .OM \-E var\fR[=\fIval\fR]
58 .IR command " [" args ]
75 .OM \-E var\fR[=\fIval\fR]
77 .IR command " [" args ]
82 .IX "strace command" "" "\fLstrace\fR command"
89 It intercepts and records the system calls which are called
90 by a process and the signals which are received by a process.
91 The name of each system call, its arguments and its return value
92 are printed on standard error or to the file specified with the
97 is a useful diagnostic, instructional, and debugging tool.
98 System administrators, diagnosticians and trouble-shooters will find
99 it invaluable for solving problems with
100 programs for which the source is not readily available since
101 they do not need to be recompiled in order to trace them.
102 Students, hackers and the overly-curious will find that
103 a great deal can be learned about a system and its system calls by
104 tracing even ordinary programs. And programmers will find that
105 since system calls and signals are events that happen at the user/kernel
106 interface, a close examination of this boundary is very
107 useful for bug isolation, sanity checking and
108 attempting to capture race conditions.
110 Each line in the trace contains the system call name, followed
111 by its arguments in parentheses and its return value.
112 An example from stracing the command "cat /dev/null" is:
114 open("/dev/null", O_RDONLY) = 3
116 Errors (typically a return value of \-1) have the errno symbol
117 and error string appended.
119 open("/foo/bar", O_RDONLY) = \-1 ENOENT (No such file or directory)
121 Signals are printed as signal symbol and decoded siginfo structure.
122 An excerpt from stracing and interrupting the command "sleep 666" is:
124 sigsuspend([] <unfinished ...>
125 --- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=...} ---
126 +++ killed by SIGINT +++
128 If a system call is being executed and meanwhile another one is being called
129 from a different thread/process then
131 will try to preserve the order of those events and mark the ongoing call as
134 When the call returns it will be marked as
137 [pid 28772] select(4, [3], NULL, NULL, NULL <unfinished ...>
138 [pid 28779] clock_gettime(CLOCK_REALTIME, {1130322148, 939977000}) = 0
139 [pid 28772] <... select resumed> ) = 1 (in [3])
141 Interruption of a (restartable) system call by a signal delivery is processed
142 differently as kernel terminates the system call and also arranges its
143 immediate reexecution after the signal handler completes.
145 read(0, 0x7ffff72cf5cf, 1) = ? ERESTARTSYS (To be restarted)
147 rt_sigreturn(0xe) = 0
150 Arguments are printed in symbolic form with passion.
151 This example shows the shell performing ">>xyzzy" output redirection:
153 open("xyzzy", O_WRONLY|O_APPEND|O_CREAT, 0666) = 3
155 Here, the third argument of
157 is decoded by breaking down the
158 flag argument into its three bitwise-OR constituents and printing the
159 mode value in octal by tradition. Where the traditional or native
160 usage differs from ANSI or POSIX, the latter forms are preferred.
163 output is proven to be more readable than the source.
165 Structure pointers are dereferenced and the members are displayed
166 as appropriate. In most cases, arguments are formatted in the most C-like
168 For example, the essence of the command "ls \-l /dev/null" is captured as:
170 lstat("/dev/null", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x1, 0x3), ...}) = 0
172 Notice how the 'struct stat' argument is dereferenced and how each member is
173 displayed symbolically. In particular, observe how the
175 member is carefully decoded into a bitwise-OR of symbolic and numeric values.
176 Also notice in this example that the first argument to
178 is an input to the system call and the second argument is an output.
179 Since output arguments are not modified if the system call fails, arguments may
180 not always be dereferenced. For example, retrying the "ls \-l" example
181 with a non-existent file produces the following line:
183 lstat("/foo/bar", 0xb004) = \-1 ENOENT (No such file or directory)
185 In this case the porch light is on but nobody is home.
189 are printed raw, with the unknown system call number printed in hexadecimal form
190 and prefixed with "syscall_":
192 syscall_0xbad(0x1, 0x2, 0x3, 0x4, 0x5, 0x6) = -1 ENOSYS (Function not implemented)
195 Character pointers are dereferenced and printed as C strings.
196 Non-printing characters in strings are normally represented by
197 ordinary C escape codes.
200 (32 by default) bytes of strings are printed;
201 longer strings have an ellipsis appended following the closing quote.
202 Here is a line from "ls \-l" where the
204 library routine is reading the password file:
206 read(3, "root::0:0:System Administrator:/"..., 1024) = 422
208 While structures are annotated using curly braces, simple pointers
209 and arrays are printed using square brackets with commas separating
210 elements. Here is an example from the command
212 on a system with supplementary group ids:
214 getgroups(32, [100, 0]) = 2
216 On the other hand, bit-sets are also shown using square brackets
217 but set elements are separated only by a space. Here is the shell,
218 preparing to execute an external command:
220 sigprocmask(SIG_BLOCK, [CHLD TTOU], []) = 0
222 Here, the second argument is a bit-set of two signals,
223 .BR SIGCHLD " and " SIGTTOU .
224 In some cases, the bit-set is so full that printing out the unset
225 elements is more valuable. In that case, the bit-set is prefixed by
228 sigprocmask(SIG_UNBLOCK, ~[], NULL) = 0
230 Here, the second argument represents the full set of all signals.
235 A qualifying expression which modifies which events to trace
236 or how to trace them. The format of the expression is:
239 [\,\fIqualifier\/\fB=\fR][\fB!\fR][\fB?\fR]\,\fIvalue1\/\fR[\fB,\fR[\fB?\fR]\,\fIvalue2\/\fR]...
259 is a qualifier-dependent symbol or number. The default
262 Using an exclamation mark negates the set of values. For example,
265 .BR \-e "\ " trace = open
266 which in turn means trace only the
268 system call. By contrast,
269 .BR \-e "\ " trace "=!" open
270 means to trace every system call except
272 Question mark before the syscall qualification allows suppression of error
273 in case no syscalls matched the qualification provided.
274 Appending one of "@64", "@32", or "@x32" suffixes to the syscall qualification
275 allows specifying syscalls only for the 64-bit, 32-bit, or 32-on-64-bit
276 personality, respectively.
277 In addition, the special values
281 have the obvious meanings.
283 Note that some shells use the exclamation point for history
284 expansion even inside quoted arguments. If so, you must escape
285 the exclamation point with a backslash.
288 \fB\-E\ \fIvar\fR=\,\fIval\fR
291 in its list of environment variables.
296 from the inherited list of environment variables before passing it on to
300 Attach to the process with the process
304 The trace may be terminated
305 at any time by a keyboard interrupt signal
308 will respond by detaching itself from the traced process(es)
309 leaving it (them) to continue running.
312 options can be used to attach to many processes in addition to
314 (which is optional if at least one
318 "`pidof PROG`" syntax is supported.
321 Run command with the user \s-1ID\s0, group \s-2ID\s0, and
322 supplementary groups of
324 This option is only useful when running as root and enables the
325 correct execution of setuid and/or setgid binaries.
326 Unless this option is used setuid and setgid programs are executed
327 without effective privileges.
331 If specified syscall is reached, detach from traced process.
334 syscall is supported. This option is useful if you want to trace
335 multi-threaded process and therefore require
337 but don't want to trace its (potentially very complex) children.
340 Run tracer process as a detached grandchild, not as parent of the
341 tracee. This reduces the visible effect of
343 by keeping the tracee a direct child of the calling process.
346 Trace child processes as they are created by currently traced
347 processes as a result of the
352 system calls. Note that
356 will attach all threads of process
358 if it is multi-threaded, not only thread with
359 .IR thread_id " = " PID .
365 option is in effect, each processes trace is written to
369 is the numeric process id of each process.
370 This is incompatible with
372 since no per-process counts are kept.
374 One might want to consider using
375 .BR strace-log-merge (1)
376 to obtain a combined strace log view.
378 .BI "\-I " interruptible
381 can be interrupted by signals (such as pressing
386 no signals are blocked;
389 fatal signals are blocked while decoding syscall (default);
392 fatal signals are always blocked (default if
393 .BR -o " " \fIFILE\fR " " \fIPROG\fR );
397 .BR SIGTSTP " (" CTRL\-Z )
398 are always blocked (useful to make
399 .BI "strace -o " "FILE PROG"
407 \fB\-e\ trace\fR=\,\fIset\fR
408 Trace only the specified set of system calls. The
410 option is useful for determining which system calls might be useful
411 to trace. For example,
412 .BR trace = open,close,read,write
414 trace those four system calls. Be careful when making inferences
415 about the user/kernel boundary if only a subset of system calls
416 are being monitored. The default is
419 \fB\-e\ trace\fR=/\,\fIregex\fR
420 Trace only those system calls that match the
424 Extended Regular Expression syntax (see
427 .BR "\-e\ trace" = %file
429 .BR "\-e\ trace" = file " (deprecated)"
430 Trace all system calls which take a file name as an argument. You
431 can think of this as an abbreviation for
432 .BR "\-e\ trace" = open , stat , chmod , unlink ,...
433 which is useful to seeing what files the process is referencing.
434 Furthermore, using the abbreviation will ensure that you don't
435 accidentally forget to include a call like
437 in the list. Betchya woulda forgot that one.
439 .BR "\-e\ trace" = %process
441 .BR "\-e\ trace" = process " (deprecated)"
442 Trace all system calls which involve process management. This
443 is useful for watching the fork, wait, and exec steps of a process.
445 .BR "\-e\ trace" = %net
447 .BR "\-e\ trace" = %network
449 .BR "\-e\ trace" = network " (deprecated)"
450 Trace all the network related system calls.
452 .BR "\-e\ trace" = %signal
454 .BR "\-e\ trace" = signal " (deprecated)"
455 Trace all signal related system calls.
457 .BR "\-e\ trace" = %ipc
459 .BR "\-e\ trace" = ipc " (deprecated)"
460 Trace all IPC related system calls.
462 .BR "\-e\ trace" = %desc
464 .BR "\-e\ trace" = desc " (deprecated)"
465 Trace all file descriptor related system calls.
467 .BR "\-e\ trace" = %memory
469 .BR "\-e\ trace" = memory " (deprecated)"
470 Trace all memory mapping related system calls.
472 .BR "\-e\ trace" = %stat
473 Trace stat syscall variants.
475 .BR "\-e\ trace" = %lstat
476 Trace lstat syscall variants.
478 .BR "\-e\ trace" = %fstat
479 Trace fstat and fstatat syscall variants.
481 .BR "\-e\ trace" = %%stat
482 Trace syscalls used for requesting file status (stat, lstat, fstat, fstatat,
483 statx, and their variants).
485 .BR "\-e\ trace" = %statfs
486 Trace statfs, statfs64, statvfs, osf_statfs, and osf_statfs64 system calls.
487 The same effect can be achieved with
488 .BR "\-e\ trace" = /^(.*_)?statv?fs
491 .BR "\-e\ trace" = %fstatfs
492 Trace fstatfs, fstatfs64, fstatvfs, osf_fstatfs, and osf_fstatfs64 system calls.
493 The same effect can be achieved with
494 .BR "\-e\ trace" = /fstatv?fs
497 .BR "\-e\ trace" = %%statfs
498 Trace syscalls related to file system statistics (statfs-like, fstatfs-like,
499 and ustat). The same effect can be achieved with
500 .BR "\-e\ trace" = /statv?fs|fsstat|ustat
503 .BR "\-e\ trace" = %pure
504 Trace syscalls that always succeed and have no arguments.
505 Currently, this list includes
506 .BR arc_gettls "(2), " getdtablesize "(2), " getegid "(2), " getegid32 "(2),"
507 .BR geteuid "(2), " geteuid32 "(2), " getgid "(2), " getgid32 "(2),"
508 .BR getpagesize "(2), " getpgrp "(2), " getpid "(2), " getppid "(2),"
509 .BR get_thread_area (2)
510 (on architectures other than x86),
511 .BR gettid "(2), " get_tls "(2), " getuid "(2), " getuid32 "(2),"
512 .BR getxgid "(2), " getxpid "(2), " getxuid "(2), " kern_features "(2), and"
513 .BR metag_get_tls "(2)"
516 \fB\-e\ signal\fR=\,\fIset\fR
517 Trace only the specified subset of signals. The default is
520 .BR signal "=!" SIGIO
525 signals not to be traced.
527 \fB\-e\ status\fR=\,\fIset\fR
528 Print only system calls with the specified return status. The default is
534 waits for system calls to return before deciding whether they should be printed
535 or not, the traditional order of events may not be preserved anymore. If two
536 system calls are executed by concurrent threads,
538 will first print both the entry and exit of the first system call to exit,
539 regardless of their respective entry time. The entry and exit of the second
540 system call to exit will be printed afterwards. Here is an example when
542 is called, but a different thread calls
543 .BR clock_gettime (2)
548 [pid 28779] 1130322148.939977 clock_gettime(CLOCK_REALTIME, {1130322148, 939977000}) = 0
549 [pid 28772] 1130322148.438139 select(4, [3], NULL, NULL, NULL) = 1 (in [3])
552 can include the following elements:
556 Trace system calls that returned without an error code.
559 option has the effect of
560 .BR status = successful .
563 Trace system calls that returned with an error code.
566 option has the effect of
567 .BR status = failed .
570 Trace system calls that did not return. This might happen, for example, due to
571 an execve call in a neighbour thread.
574 Trace system calls that returned but strace failed to fetch the error status.
577 Trace system calls for which strace detached before the return.
581 Trace only system calls accessing
585 options can be used to specify several paths.
588 Print only syscalls that returned without an error code.
591 Print only syscalls that returned with an error code.
595 Align return values in a specific column (default column 40).
597 \fB\-e\ abbrev\fR=\,\fIset\fR
598 Abbreviate the output from printing each member of large structures.
603 option has the effect of
606 \fB\-e\ verbose\fR=\,\fIset\fR
607 Dereference structures for the specified set of system calls. The
611 \fB\-e\ raw\fR=\,\fIset\fR
612 Print raw, undecoded arguments for the specified set of system calls.
613 This option has the effect of causing all arguments to be printed
614 in hexadecimal. This is mostly useful if you don't trust the
615 decoding or you need to know the actual numeric value of an
621 \fB\-e\ read\fR=\,\fIset\fR
622 Perform a full hexadecimal and ASCII dump of all the data read from
623 file descriptors listed in the specified set. For example, to see
624 all input activity on file descriptors
629 \fB\-e\ read\fR=\,\fI3\fR,\fI5\fR.
630 Note that this is independent from the normal tracing of the
632 system call which is controlled by the option
633 .BR -e "\ " trace = read .
635 \fB\-e\ write\fR=\,\fIset\fR
636 Perform a full hexadecimal and ASCII dump of all the data written to
637 file descriptors listed in the specified set. For example, to see
638 all output activity on file descriptors
643 \fB\-e\ write\fR=\,\fI3\fR,\,\fI5\fR.
644 Note that this is independent from the normal tracing of the
646 system call which is controlled by the option
647 .BR -e "\ " trace = write .
649 .BR "\-e\ kvm" = vcpu
650 Print the exit reason of kvm vcpu. Requires Linux kernel version 4.16.0
655 Print the instruction pointer at the time of the system call.
656 .if '@ENABLE_STACKTRACE_FALSE@'#' .TP
657 .if '@ENABLE_STACKTRACE_FALSE@'#' .B \-k
658 .if '@ENABLE_STACKTRACE_FALSE@'#' Print the execution stack trace of the traced
659 .if '@ENABLE_STACKTRACE_FALSE@'#' processes after each system call.
662 Write the trace output to the file
664 rather than to stderr.
669 If the argument begins with '|' or '!', the rest of the
670 argument is treated as a command and all output is piped to it.
671 This is convenient for piping the debugging output to a program
672 without affecting the redirections of executed programs.
673 The latter is not compatible with
678 Open the file provided in the
680 option in append mode.
683 Suppress messages about attaching, detaching etc. This happens
684 automatically when output is redirected to a file and the command
685 is run directly instead of attaching.
688 If given twice, suppress messages about process exit status.
691 Print a relative timestamp upon entry to each system call. This
692 records the time difference between the beginning of successive
696 option uses the monotonic clock time for measuring time difference and not the
697 wall clock time, its measurements can differ from the difference in time
703 Specify the maximum string size to print (the default is 32). Note
704 that filenames are not considered strings and are always printed in
708 Prefix each line of the trace with the wall clock time.
711 If given twice, the time printed will include the microseconds.
714 If given thrice, the time printed will include the microseconds
715 and the leading portion will be printed as the number
716 of seconds since the epoch.
719 Show the time spent in system calls. This records the time
720 difference between the beginning and the end of each system call.
723 Print unabbreviated versions of environment, stat, termios, etc.
724 calls. These structures are very common in calls and so the default
725 behavior displays a reasonable subset of structure members. Use
726 this option to get all of the gory details.
729 Print all non-ASCII strings in hexadecimal string format.
732 Print all strings in hexadecimal string format.
735 Set the format for printing of named constants and flags.
742 Raw number output, without decoding.
745 Output a named constant or a set of flags instead of the raw number if they are
752 Output both the raw value and the decoded string (as a comment).
756 Print paths associated with file descriptor arguments.
759 Print protocol specific information associated with socket file descriptors,
760 and block/character device number associated with device file descriptors.
764 Count time, calls, and errors for each system call and report a summary on
765 program exit, suppressing the regular output.
766 This attempts to show system time (CPU time spent running
767 in the kernel) independent of wall clock time. If
771 only aggregate totals for all traced processes are kept.
776 but also print regular output while processes are running.
779 Set the overhead for tracing system calls to
782 This is useful for overriding the default heuristic for guessing
783 how much time is spent in mere measuring when timing system calls using
786 option. The accuracy of the heuristic can be gauged by timing a given
787 program run without tracing (using
789 and comparing the accumulated
790 system call time to the total produced using
794 Sort the output of the histogram printed by the
796 option by the specified criterion. Legal values are
797 .BR time " (or " time_total " or " total_time ),
798 .BR calls " (or " count ),
799 .BR name " (or " syscall " or " syscall_name ),
801 .BR nothing " (or " none );
806 Summarise the time difference between the beginning and end of
807 each system call. The default is to summarise the system time.
810 \fB\-e\ inject\fR=\,\fIset\/\fR[:\fBerror\fR=\,\fIerrno\/\fR|:\fBretval\fR=\,\fIvalue\/\fR][:\fBsignal\fR=\,\fIsig\/\fR][:\fBsyscall\fR=\fIsyscall\fR][:\fBdelay_enter\fR=\,\fIusecs\/\fR][:\fBdelay_exit\fR=\,\fIusecs\/\fR][:\fBwhen\fR=\,\fIexpr\/\fR]
811 Perform syscall tampering for the specified set of syscalls.
820 options has to be specified.
824 are mutually exclusive.
826 If :\fBerror\fR=\,\fIerrno\/\fR option is specified,
827 a fault is injected into a syscall invocation:
828 the syscall number is replaced by -1 which corresponds to an invalid syscall
829 (unless a syscall is specified with :\fBsyscall=\fR option),
830 and the error code is specified using a symbolic
834 or a numeric value within 1..4095 range.
836 If :\fBretval\fR=\,\fIvalue\/\fR option is specified,
837 success injection is performed: the syscall number is replaced by -1,
838 but a bogus success value is returned to the callee.
840 If :\fBsignal\fR=\,\fIsig\/\fR option is specified with either a symbolic value
843 or a numeric value within 1..\fBSIGRTMAX\fR range,
844 that signal is delivered on entering every syscall specified by the
847 If :\fBdelay_enter\fR=\,\fIusecs\/\fR or :\fBdelay_exit\fR=\,\fIusecs\/\fR
848 options are specified, delay injection is performed: the tracee is delayed
851 microseconds on entering or exiting the syscall.
853 If :\fBsignal\fR=\,\fIsig\/\fR option is specified without
854 :\fBerror\fR=\,\fIerrno\/\fR, :\fBretval\fR=\,\fIvalue\/\fR or
855 :\fBdelay_{enter,exit}\fR=\,\fIusecs\/\fR options,
858 is delivered without a syscall fault or delay injection.
859 Conversely, :\fBerror\fR=\,\fIerrno\/\fR or
860 :\fBretval\fR=\,\fIvalue\/\fR option without
861 :\fBdelay_enter\fR=\,\fIusecs\/\fR,
862 :\fBdelay_exit\fR=\,\fIusecs\/\fR or
863 :\fBsignal\fR=\,\fIsig\/\fR options injects a fault without delivering a signal
864 or injecting a delay, etc.
866 If both :\fBerror\fR=\,\fIerrno\/\fR or :\fBretval\fR=\,\fIvalue\/\fR
867 and :\fBsignal\fR=\,\fIsig\/\fR options are specified, then both
868 a fault or success is injected and a signal is delivered.
870 if :\fBsyscall\fR=\fIsyscall\fR option is specified, the corresponding syscall
871 with no side effects is injected instead of -1.
872 Currently, only "pure" (see
873 .BR "-e trace" = "%pure"
874 description) syscalls can be specified there.
876 Unless a :\fBwhen\fR=\,\fIexpr\fR subexpression is specified,
877 an injection is being made into every invocation of each syscall from the
880 The format of the subexpression is one of the following:
884 For every syscall from the
886 perform an injection for the syscall invocation number
891 For every syscall from the
893 perform injections for the syscall invocation number
895 and all subsequent invocations.
897 \fIfirst\/\fB+\fIstep\fR
898 For every syscall from the
900 perform injections for syscall invocations number
903 .IR first + step + step ,
907 For example, to fail each third and subsequent chdir syscalls with
910 \fB\-e\ inject\fR=\,\fIchdir\/\fR:\fBerror\fR=\,\fIENOENT\/\fR:\fBwhen\fR=\,\fI3\/\fB+\fR.
912 The valid range for numbers
918 An injection expression can contain only one
922 specification, and only one
924 specification. If an injection expression contains multiple
926 specifications, the last one takes precedence.
928 Accounting of syscalls that are subject to injection
929 is done per syscall and per tracee.
931 Specification of syscall injection can be combined
932 with other syscall filtering options, for example,
933 \fB\-P \fI/dev/urandom \fB\-e inject\fR=\,\fIfile\/\fR:\fBerror\fR=\,\fIENOENT\fR.
936 \fB\-e\ fault\fR=\,\fIset\/\fR[:\fBerror\fR=\,\fIerrno\/\fR][:\fBwhen\fR=\,\fIexpr\/\fR]
937 Perform syscall fault injection for the specified set of syscalls.
939 This is equivalent to more generic
940 \fB\-e\ inject\fR= expression with default value of
947 Show some debugging output of
949 itself on the standard error.
952 This option is deprecated. It is retained for backward compatibility only
953 and may be removed in future releases.
954 Usage of multiple instances of
956 option is still equivalent to a single
958 and it is ignored at all if used along with one or more instances of
963 Print the help summary.
966 Print the version number of
973 exits with the same exit status.
976 is terminated by a signal,
978 terminates itself with the same signal, so that
980 can be used as a wrapper process transparent to the invoking parent process.
981 Note that parent-child relationship (signal stop notifications,
983 value, etc) between traced process and its parent are not preserved
994 is zero unless no processes has been attached or there was an unexpected error
995 in doing the tracing.
996 .SH "SETUID INSTALLATION"
999 is installed setuid to root then the invoking user will be able to
1000 attach to and trace processes owned by any user.
1001 In addition setuid and setgid programs will be executed and traced
1002 with the correct effective privileges.
1003 Since only users trusted with full root privileges should be allowed
1005 it only makes sense to install
1007 as setuid to root when the users who can execute it are restricted
1008 to those users who have this trust.
1009 For example, it makes sense to install a special version of
1011 with mode 'rwsr-xr--', user
1015 where members of the
1017 group are trusted users.
1018 If you do use this feature, please remember to install
1019 a regular non-setuid version of
1021 for ordinary users to use.
1022 .SH "MULTIPLE PERSONALITY SUPPORT"
1023 On some architectures,
1025 supports decoding of syscalls for processes that use different ABI rather than
1029 Specifically, in addition to decoding native ABI,
1031 can decode the following ABIs on the following architectures:
1036 Architecture ABIs supported
1037 x86_64 i386, x32 [1]; i386 [2]
1038 AArch64 ARM 32-bit EABI
1039 PowerPC 64-bit [3] PowerPC 32-bit
1040 RISC-V 64-bit RISC-V 32-bit
1042 SPARC 64-bit SPARC 32-bit
1043 TILE 64-bit TILE 32-bit
1050 is built as an x86_64 application
1055 is built as an x32 application
1061 This support is optional and relies on ability to generate and parse structure
1062 definitions during the build time.
1063 Please refer to the output of the
1065 command in order to figure out what support is available in your
1067 build ("non-native" refers to an ABI that differs from the ABI
1073 can trace and properly decode non-native 32-bit binaries.
1077 can trace, but cannot properly decode non-native 32-bit binaries.
1081 can trace and properly decode non-native 32-on-64-bit binaries.
1085 can trace, but cannot properly decode non-native 32-on-64-bit binaries.
1087 If the output contains neither
1091 then decoding of non-native 32-bit binaries is not implemented at all
1094 Likewise, if the output contains neither
1098 then decoding of non-native 32-on-64-bit binaries is not implemented at all
1101 It is a pity that so much tracing clutter is produced by systems
1102 employing shared libraries.
1104 It is instructive to think about system call inputs and outputs
1105 as data-flow across the user/kernel boundary. Because user-space
1106 and kernel-space are separate and address-protected, it is
1107 sometimes possible to make deductive inferences about process
1108 behavior using inputs and outputs as propositions.
1110 In some cases, a system call will differ from the documented behavior
1111 or have a different name. For example, the
1113 system call does not have
1117 library function uses
1119 system call on modern (2.6.38+) kernels. These
1120 discrepancies are normal but idiosyncratic characteristics of the
1121 system call interface and are accounted for by C library wrapper
1124 Some system calls have different names in different architectures and
1125 personalities. In these cases, system call filtering and printing
1126 uses the names that match corresponding
1128 kernel macros of the tracee's architecture and personality.
1129 There are two exceptions from this general rule:
1130 .BR arm_fadvise64_64 (2)
1132 .BR xtensa_fadvise64_64 (2)
1133 Xtensa syscall are filtered and printed as
1134 .BR fadvise64_64 (2).
1136 On x32, syscalls that are intended to be used by 64-bit processes and not x32
1139 that has syscall number 19 on x86_64, with its x32 counterpart has syscall
1140 number 515), but called with
1141 .B __X32_SYSCALL_BIT
1142 flag being set, are designated with
1146 On some platforms a process that is attached to with the
1148 option may observe a spurious
1150 return from the current system call that is not restartable.
1151 (Ideally, all system calls should be restarted on
1153 attach, making the attach invisible
1154 to the traced process, but a few system calls aren't.
1155 Arguably, every instance of such behavior is a kernel bug.)
1156 This may have an unpredictable effect on the process
1157 if the process takes no action to restart the system call.
1161 executes the specified
1163 directly and does not employ a shell for that, scripts without shebang
1164 that usually run just fine when invoked by shell fail to execute with
1167 It is advisable to manually supply a shell as a
1169 with the script as its argument.
1171 Programs that use the
1176 privileges while being traced.
1178 A traced process runs slowly.
1180 Traced processes which are descended from
1182 may be left running after an interrupt signal
1187 was written by Paul Kranenburg
1188 for SunOS and was inspired by its
1191 The SunOS version of
1193 was ported to Linux and enhanced
1194 by Branko Lankester, who also wrote the Linux kernel support.
1195 Even though Paul released
1198 Branko's work was based on Paul's
1200 1.5 release from 1991.
1201 In 1993, Rick Sladkey merged
1203 2.5 for SunOS and the second release of
1205 for Linux, added many of the features of
1207 from SVR4, and produced an
1209 that worked on both platforms. In 1994 Rick ported
1211 to SVR4 and Solaris and wrote the
1212 automatic configuration support. In 1995 he ported
1215 and tired of writing about himself in the third person.
1217 Beginning with 1996,
1219 was maintained by Wichert Akkerman.
1222 development migrated to CVS; ports to FreeBSD and many architectures on Linux
1223 (including ARM, IA-64, MIPS, PA-RISC, PowerPC, s390, SPARC) were introduced.
1224 In 2002, the burden of
1226 maintainership was transferred to Roland McGrath.
1229 gained support for several new Linux architectures (AMD64, s390x, SuperH),
1230 bi-architecture support for some of them, and received numerous additions and
1231 improvements in syscalls decoders on Linux;
1233 development migrated to
1238 is actively maintained by Dmitry Levin.
1240 gained support for AArch64, ARC, AVR32, Blackfin, Meta, Nios II, OpenSISC 1000,
1241 RISC-V, Tile/TileGx, Xtensa architectures since that time.
1242 In 2012, unmaintained and apparently broken support for non-Linux operating
1243 systems was removed.
1246 gained support for path tracing and file descriptor path decoding.
1247 In 2014, support for stack traces printing was added.
1248 In 2016, syscall fault injection was implemented.
1250 For the additional information, please refer to the
1254 repository commit log.
1258 should be reported to the
1260 mailing list at <strace\-devel@lists.strace.io>.
1262 .BR strace-log-merge (1),
1270 .UR https://strace.io/
1275 The complete list of
1277 contributors can be found in the