2 * Copyright (c) 1991, 1992 Paul Kranenburg <pk@cs.few.eur.nl>
3 * Copyright (c) 1993 Branko Lankester <branko@hacktic.nl>
4 * Copyright (c) 1993, 1994, 1995, 1996 Rick Sladkey <jrs@world.std.com>
5 * Copyright (c) 1996-1999 Wichert Akkerman <wichert@cistron.nl>
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #include <sys/param.h>
35 #include <sys/resource.h>
41 #include <sys/utsname.h>
43 # include <asm/ptrace_offsets.h>
45 /* In some libc, these aren't declared. Do it ourself: */
46 extern char **environ;
51 #if defined __NR_tkill
52 # define my_tkill(tid, sig) syscall(__NR_tkill, (tid), (sig))
54 /* kill() may choose arbitrarily the target task of the process group
55 while we later wait on a that specific TID. PID process waits become
56 TID task specific waits for a process under ptrace(2). */
57 # warning "Neither tkill(2) nor tgkill(2) available, risk of strace hangs!"
58 # define my_tkill(tid, sig) kill((tid), (sig))
62 #define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
64 cflag_t cflag = CFLAG_NONE;
65 unsigned int followfork = 0;
66 unsigned int ptrace_setoptions = 0;
67 unsigned int xflag = 0;
71 /* Which WSTOPSIG(status) value marks syscall traps? */
72 static unsigned int syscall_trap_sig = SIGTRAP;
73 static unsigned int tflag = 0;
74 static bool iflag = 0;
75 static bool rflag = 0;
76 static bool print_pid_pfx = 0;
81 INTR_ANYWHERE = 1, /* don't block/ignore any signals */
82 INTR_WHILE_WAIT = 2, /* block fatal signals while decoding syscall. default */
83 INTR_NEVER = 3, /* block fatal signals. default if '-o FILE PROG' */
84 INTR_BLOCK_TSTP_TOO = 4, /* block fatal signals and SIGTSTP (^Z) */
88 /* We play with signal mask only if this mode is active: */
89 #define interactive (opt_intr == INTR_WHILE_WAIT)
92 * daemonized_tracer supports -D option.
93 * With this option, strace forks twice.
94 * Unlike normal case, with -D *grandparent* process exec's,
95 * becoming a traced process. Child exits (this prevents traced process
96 * from having children it doesn't expect to have), and grandchild
97 * attaches to grandparent similarly to strace -p PID.
98 * This allows for more transparent interaction in cases
99 * when process and its parent are communicating via signals,
100 * wait() etc. Without -D, strace process gets lodged in between,
101 * disrupting parent<->child link.
103 static bool daemonized_tracer = 0;
106 static int post_attach_sigstop = TCB_IGNORE_ONE_SIGSTOP;
107 # define use_seize (post_attach_sigstop == 0)
109 # define post_attach_sigstop TCB_IGNORE_ONE_SIGSTOP
113 /* Sometimes we want to print only succeeding syscalls. */
114 bool not_failing_only = 0;
116 /* Show path associated with fd arguments */
117 bool show_fd_path = 0;
119 /* are we filtering traces based on paths? */
120 bool tracing_paths = 0;
122 static bool detach_on_execve = 0;
123 static bool skip_startup_execve = 0;
125 static int exit_code = 0;
126 static int strace_child = 0;
127 static int strace_tracer_pid = 0;
129 static char *username = NULL;
130 static uid_t run_uid;
131 static gid_t run_gid;
133 unsigned int max_strlen = DEFAULT_STRLEN;
134 static int acolumn = DEFAULT_ACOLUMN;
135 static char *acolumn_spaces;
137 static char *outfname = NULL;
138 /* If -ff, points to stderr. Else, it's our common output log */
139 static FILE *shared_log;
141 struct tcb *printing_tcp = NULL;
142 static struct tcb *current_tcp;
144 static struct tcb **tcbtab;
145 static unsigned int nprocs, tcbtabsize;
146 static const char *progname;
148 static unsigned os_release; /* generated from uname()'s u.release */
150 static int detach(struct tcb *tcp);
151 static int trace(void);
152 static void cleanup(void);
153 static void interrupt(int sig);
154 static sigset_t empty_set, blocked_set;
156 #ifdef HAVE_SIG_ATOMIC_T
157 static volatile sig_atomic_t interrupted;
159 static volatile int interrupted;
162 #ifndef HAVE_STRERROR
164 #if !HAVE_DECL_SYS_ERRLIST
166 extern char *sys_errlist[];
172 static char buf[sizeof("Unknown error %d") + sizeof(int)*3];
174 if (err_no < 1 || err_no >= sys_nerr) {
175 sprintf(buf, "Unknown error %d", err_no);
178 return sys_errlist[err_no];
181 #endif /* HAVE_STERRROR */
184 usage(FILE *ofp, int exitval)
187 usage: strace [-CdffhiqrtttTvVxxy] [-I n] [-e expr]...\n\
188 [-a column] [-o file] [-s strsize] [-P path]...\n\
189 -p pid... / [-D] [-E var=val]... [-u username] PROG [ARGS]\n\
190 or: strace -c[df] [-I n] [-e expr]... [-O overhead] [-S sortby]\n\
191 -p pid... / [-D] [-E var=val]... [-u username] PROG [ARGS]\n\
192 -c -- count time, calls, and errors for each syscall and report summary\n\
193 -C -- like -c but also print regular output\n\
194 -d -- enable debug output to stderr\n\
195 -D -- run tracer process as a detached grandchild, not as parent\n\
196 -f -- follow forks, -ff -- with output into separate files\n\
197 -F -- attempt to follow vforks (deprecated, use -f)\n\
198 -i -- print instruction pointer at time of syscall\n\
199 -q -- suppress messages about attaching, detaching, etc.\n\
200 -r -- print relative timestamp, -t -- absolute timestamp, -tt -- with usecs\n\
201 -T -- print time spent in each syscall\n\
202 -v -- verbose mode: print unabbreviated argv, stat, termios, etc. args\n\
203 -x -- print non-ascii strings in hex, -xx -- print all strings in hex\n\
204 -y -- print paths associated with file descriptor arguments\n\
205 -h -- print help message, -V -- print version\n\
206 -a column -- alignment COLUMN for printing syscall results (default %d)\n\
207 -e expr -- a qualifying expression: option=[!]all or option=[!]val1[,val2]...\n\
208 options: trace, abbrev, verbose, raw, signal, read, or write\n\
209 -I interruptible --\n\
210 1: no signals are blocked\n\
211 2: fatal signals are blocked while decoding syscall (default)\n\
212 3: fatal signals are always blocked (default if '-o FILE PROG')\n\
213 4: fatal signals and SIGTSTP (^Z) are always blocked\n\
214 (useful to make 'strace -o FILE PROG' not stop on ^Z)\n\
215 -o file -- send trace output to FILE instead of stderr\n\
216 -O overhead -- set overhead for tracing syscalls to OVERHEAD usecs\n\
217 -p pid -- trace process with process id PID, may be repeated\n\
218 -s strsize -- limit length of print strings to STRSIZE chars (default %d)\n\
219 -S sortby -- sort syscall counts by: time, calls, name, nothing (default %s)\n\
220 -u username -- run command as username handling setuid and/or setgid\n\
221 -E var=val -- put var=val in the environment for command\n\
222 -E var -- remove var from the environment for command\n\
223 -P path -- trace accesses to path\n\
225 /* this is broken, so don't document it
226 -z -- print only succeeding syscalls\n\
228 /* experimental, don't document it yet (option letter may change in the future!)
229 -b -- detach on successful execve\n\
231 , DEFAULT_ACOLUMN, DEFAULT_STRLEN, DEFAULT_SORTBY);
235 static void die(void) __attribute__ ((noreturn));
236 static void die(void)
238 if (strace_tracer_pid == getpid()) {
245 static void verror_msg(int err_no, const char *fmt, va_list p)
251 /* We want to print entire message with single fprintf to ensure
252 * message integrity if stderr is shared with other programs.
253 * Thus we use vasprintf + single fprintf.
256 if (vasprintf(&msg, fmt, p) >= 0) {
258 fprintf(stderr, "%s: %s: %s\n", progname, msg, strerror(err_no));
260 fprintf(stderr, "%s: %s\n", progname, msg);
263 /* malloc in vasprintf failed, try it without malloc */
264 fprintf(stderr, "%s: ", progname);
265 vfprintf(stderr, fmt, p);
267 fprintf(stderr, ": %s\n", strerror(err_no));
271 /* We don't switch stderr to buffered, thus fprintf(stderr)
272 * always flushes its output and this is not necessary: */
273 /* fflush(stderr); */
276 void error_msg(const char *fmt, ...)
280 verror_msg(0, fmt, p);
284 void error_msg_and_die(const char *fmt, ...)
288 verror_msg(0, fmt, p);
292 void perror_msg(const char *fmt, ...)
296 verror_msg(errno, fmt, p);
300 void perror_msg_and_die(const char *fmt, ...)
304 verror_msg(errno, fmt, p);
308 void die_out_of_memory(void)
310 static bool recursed = 0;
314 error_msg_and_die("Out of memory");
318 error_opt_arg(int opt, const char *arg)
320 error_msg_and_die("Invalid -%c argument: '%s'", opt, arg);
323 /* Glue for systems without a MMU that cannot provide fork() */
325 # define strace_vforked 0
327 # define strace_vforked 1
328 # define fork() vfork()
333 ptrace_attach_or_seize(int pid)
337 return ptrace(PTRACE_ATTACH, pid, 0, 0);
338 r = ptrace(PTRACE_SEIZE, pid, 0, PTRACE_SEIZE_DEVEL);
341 r = ptrace(PTRACE_INTERRUPT, pid, 0, 0);
345 # define ptrace_attach_or_seize(pid) ptrace(PTRACE_ATTACH, (pid), 0, 0)
349 * Used when we want to unblock stopped traced process.
350 * Should be only used with PTRACE_CONT, PTRACE_DETACH and PTRACE_SYSCALL.
351 * Returns 0 on success or if error was ESRCH
352 * (presumably process was killed while we talk to it).
353 * Otherwise prints error message and returns -1.
356 ptrace_restart(int op, struct tcb *tcp, int sig)
362 ptrace(op, tcp->pid, (void *) 0, (long) sig);
368 if (op == PTRACE_CONT)
370 if (op == PTRACE_DETACH)
373 if (op == PTRACE_LISTEN)
377 * Why curcol != 0? Otherwise sometimes we get this:
379 * 10252 kill(10253, SIGKILL) = 0
380 * <ptrace(SYSCALL,10252):No such process>10253 ...next decode...
382 * 10252 died after we retrieved syscall exit data,
383 * but before we tried to restart it. Log looks ugly.
385 if (current_tcp && current_tcp->curcol != 0) {
386 tprintf(" <ptrace(%s):%s>\n", msg, strerror(err));
392 perror_msg("ptrace(PTRACE_%s,pid:%d,sig:%d)", msg, tcp->pid, sig);
397 set_cloexec_flag(int fd)
401 flags = fcntl(fd, F_GETFD);
403 /* Can happen only if fd is bad.
404 * Should never happen: if it does, we have a bug
405 * in the caller. Therefore we just abort
406 * instead of propagating the error.
408 perror_msg_and_die("fcntl(%d, F_GETFD)", fd);
411 newflags = flags | FD_CLOEXEC;
412 if (flags == newflags)
415 fcntl(fd, F_SETFD, newflags); /* never fails */
418 static void kill_save_errno(pid_t pid, int sig)
420 int saved_errno = errno;
422 (void) kill(pid, sig);
427 * When strace is setuid executable, we have to swap uids
428 * before and after filesystem and process management operations.
433 int euid = geteuid(), uid = getuid();
435 if (euid != uid && setreuid(euid, uid) < 0) {
436 perror_msg_and_die("setreuid");
441 # define fopen_for_output fopen64
443 # define fopen_for_output fopen
447 strace_fopen(const char *path)
452 fp = fopen_for_output(path, "w");
454 perror_msg_and_die("Can't fopen '%s'", path);
456 set_cloexec_flag(fileno(fp));
460 static int popen_pid = 0;
463 # define _PATH_BSHELL "/bin/sh"
467 * We cannot use standard popen(3) here because we have to distinguish
468 * popen child process from other processes we trace, and standard popen(3)
469 * does not export its child's pid.
472 strace_popen(const char *command)
479 perror_msg_and_die("pipe");
481 set_cloexec_flag(fds[1]); /* never fails */
485 perror_msg_and_die("vfork");
487 if (popen_pid == 0) {
492 perror_msg_and_die("dup2");
495 execl(_PATH_BSHELL, "sh", "-c", command, NULL);
496 perror_msg_and_die("Can't execute '%s'", _PATH_BSHELL);
502 fp = fdopen(fds[1], "w");
509 tprintf(const char *fmt, ...)
515 int n = strace_vfprintf(current_tcp->outf, fmt, args);
517 if (current_tcp->outf != stderr)
518 perror(outfname == NULL
519 ? "<writing to pipe>" : outfname);
521 current_tcp->curcol += n;
527 tprints(const char *str)
530 int n = fputs_unlocked(str, current_tcp->outf);
532 current_tcp->curcol += strlen(str);
535 if (current_tcp->outf != stderr)
536 perror(!outfname ? "<writing to pipe>" : outfname);
544 current_tcp->curcol = 0;
545 fflush(current_tcp->outf);
548 printing_tcp->curcol = 0;
554 printleader(struct tcb *tcp)
556 /* If -ff, "previous tcb we printed" is always the same as current,
557 * because we have per-tcb output files.
563 current_tcp = printing_tcp;
564 if (printing_tcp->curcol != 0 && (followfork < 2 || printing_tcp == tcp)) {
566 * case 1: we have a shared log (i.e. not -ff), and last line
567 * wasn't finished (same or different tcb, doesn't matter).
568 * case 2: split log, we are the same tcb, but our last line
569 * didn't finish ("SIGKILL nuked us after syscall entry" etc).
571 tprints(" <unfinished ...>\n");
572 printing_tcp->curcol = 0;
578 current_tcp->curcol = 0;
581 tprintf("%-5d ", tcp->pid);
582 else if (nprocs > 1 && !outfname)
583 tprintf("[pid %5u] ", tcp->pid);
586 char str[sizeof("HH:MM:SS")];
587 struct timeval tv, dtv;
588 static struct timeval otv;
590 gettimeofday(&tv, NULL);
594 tv_sub(&dtv, &tv, &otv);
595 tprintf("%6ld.%06ld ",
596 (long) dtv.tv_sec, (long) dtv.tv_usec);
599 else if (tflag > 2) {
600 tprintf("%ld.%06ld ",
601 (long) tv.tv_sec, (long) tv.tv_usec);
604 time_t local = tv.tv_sec;
605 strftime(str, sizeof(str), "%T", localtime(&local));
607 tprintf("%s.%06ld ", str, (long) tv.tv_usec);
619 if (current_tcp->curcol < acolumn)
620 tprints(acolumn_spaces + current_tcp->curcol);
623 /* Should be only called directly *after successful attach* to a tracee.
624 * Otherwise, "strace -oFILE -ff -p<nonexistant_pid>"
625 * may create bogus empty FILE.<nonexistant_pid>, and then die.
628 newoutf(struct tcb *tcp)
630 tcp->outf = shared_log; /* if not -ff mode, the same file is for all */
631 if (followfork >= 2) {
632 char name[520 + sizeof(int) * 3];
633 sprintf(name, "%.512s.%u", outfname, tcp->pid);
634 tcp->outf = strace_fopen(name);
641 /* Allocate some more TCBs and expand the table.
642 We don't want to relocate the TCBs because our
643 callers have pointers and it would be a pain.
644 So tcbtab is a table of pointers. Since we never
645 free the TCBs, we allocate a single chunk of many. */
647 struct tcb *newtcbs = calloc(tcbtabsize, sizeof(newtcbs[0]));
648 struct tcb **newtab = realloc(tcbtab, tcbtabsize * 2 * sizeof(tcbtab[0]));
649 if (!newtab || !newtcbs)
653 while (i < tcbtabsize)
654 tcbtab[i++] = newtcbs++;
663 if (nprocs == tcbtabsize)
666 for (i = 0; i < tcbtabsize; i++) {
668 if ((tcp->flags & TCB_INUSE) == 0) {
669 memset(tcp, 0, sizeof(*tcp));
671 tcp->flags = TCB_INUSE;
672 #if SUPPORTED_PERSONALITIES > 1
673 tcp->currpers = current_personality;
677 fprintf(stderr, "new tcb for pid %d, active tcbs:%d\n", tcp->pid, nprocs);
681 error_msg_and_die("bug in alloctcb");
685 droptcb(struct tcb *tcp)
692 fprintf(stderr, "dropped tcb for pid %d, %d remain\n", tcp->pid, nprocs);
695 if (followfork >= 2) {
696 if (tcp->curcol != 0)
697 fprintf(tcp->outf, " <detached ...>\n");
700 if (printing_tcp == tcp && tcp->curcol != 0)
701 fprintf(tcp->outf, " <detached ...>\n");
706 if (current_tcp == tcp)
708 if (printing_tcp == tcp)
711 memset(tcp, 0, sizeof(*tcp));
714 /* detach traced process; continue with sig
715 * Never call DETACH twice on the same process as both unattached and
716 * attached-unstopped processes give the same ESRCH. For unattached process we
717 * would SIGSTOP it and wait for its SIGSTOP notification forever.
720 detach(struct tcb *tcp)
723 int status, sigstop_expected;
725 if (tcp->flags & TCB_BPTSET)
729 * Linux wrongly insists the child be stopped
730 * before detaching. Arghh. We go through hoops
731 * to make a clean break of things.
735 #define PTRACE_DETACH PTRACE_SUNDETACH
739 sigstop_expected = 0;
740 if (tcp->flags & TCB_ATTACHED) {
742 * We attached but possibly didn't see the expected SIGSTOP.
743 * We must catch exactly one as otherwise the detached process
744 * would be left stopped (process state T).
746 sigstop_expected = (tcp->flags & TCB_IGNORE_ONE_SIGSTOP);
747 error = ptrace(PTRACE_DETACH, tcp->pid, (char *) 1, 0);
749 /* On a clear day, you can see forever. */
751 else if (errno != ESRCH) {
752 /* Shouldn't happen. */
753 perror("detach: ptrace(PTRACE_DETACH, ...)");
755 else if (my_tkill(tcp->pid, 0) < 0) {
757 perror("detach: checking sanity");
759 else if (!sigstop_expected && my_tkill(tcp->pid, SIGSTOP) < 0) {
761 perror("detach: stopping child");
764 sigstop_expected = 1;
767 if (sigstop_expected) {
770 if (waitpid(tcp->pid, &status, __WALL) < 0) {
771 if (errno == ECHILD) /* Already gone. */
773 if (errno != EINVAL) {
774 perror("detach: waiting");
778 /* No __WALL here. */
779 if (waitpid(tcp->pid, &status, 0) < 0) {
780 if (errno != ECHILD) {
781 perror("detach: waiting");
785 /* If no processes, try clones. */
786 if (waitpid(tcp->pid, &status, __WCLONE) < 0) {
788 perror("detach: waiting");
791 #endif /* __WCLONE */
796 if (!WIFSTOPPED(status)) {
797 /* Au revoir, mon ami. */
800 if (WSTOPSIG(status) == SIGSTOP) {
801 ptrace_restart(PTRACE_DETACH, tcp, 0);
804 error = ptrace_restart(PTRACE_CONT, tcp,
805 WSTOPSIG(status) == syscall_trap_sig ? 0
812 if (!qflag && (tcp->flags & TCB_ATTACHED))
813 fprintf(stderr, "Process %u detached\n", tcp->pid);
821 process_opt_p_list(char *opt)
825 * We accept -p PID,PID; -p "`pidof PROG`"; -p "`pgrep PROG`".
826 * pidof uses space as delim, pgrep uses newline. :(
829 char *delim = opt + strcspn(opt, ", \n\t");
833 pid = string_to_uint(opt);
835 error_msg_and_die("Invalid process id: '%s'", opt);
837 if (pid == strace_tracer_pid) {
838 error_msg_and_die("I'm sorry, I can't let you do that, Dave.");
855 * Block user interruptions as we would leave the traced
856 * process stopped (process state T) if we would terminate in
857 * between PTRACE_ATTACH and wait4() on SIGSTOP.
858 * We rely on cleanup() from this point on.
861 sigprocmask(SIG_BLOCK, &blocked_set, NULL);
863 if (daemonized_tracer) {
866 perror_msg_and_die("fork");
868 if (pid) { /* parent */
870 * Wait for grandchild to attach to straced process
871 * (grandparent). Grandchild SIGKILLs us after it attached.
872 * Grandparent's wait() is unblocked by our death,
873 * it proceeds to exec the straced program.
876 _exit(0); /* paranoia */
879 /* We will be the tracer process. Remember our new pid: */
880 strace_tracer_pid = getpid();
883 for (tcbi = 0; tcbi < tcbtabsize; tcbi++) {
886 if (!(tcp->flags & TCB_INUSE))
889 /* Is this a process we should attach to, but not yet attached? */
890 if (tcp->flags & TCB_ATTACHED)
891 continue; /* no, we already attached it */
893 if (followfork && !daemonized_tracer) {
894 char procdir[sizeof("/proc/%d/task") + sizeof(int) * 3];
897 sprintf(procdir, "/proc/%d/task", tcp->pid);
898 dir = opendir(procdir);
900 unsigned int ntid = 0, nerr = 0;
903 while ((de = readdir(dir)) != NULL) {
907 if (de->d_fileno == 0)
909 /* we trust /proc filesystem */
910 tid = atoi(de->d_name);
914 if (ptrace_attach_or_seize(tid) < 0) {
917 fprintf(stderr, "attach to pid %d failed\n", tid);
921 fprintf(stderr, "attach to pid %d succeeded\n", tid);
924 cur_tcp = alloctcb(tid);
925 cur_tcp->flags |= TCB_ATTACHED | TCB_STARTUP | post_attach_sigstop;
930 sigprocmask(SIG_SETMASK, &empty_set, NULL);
933 sigprocmask(SIG_BLOCK, &blocked_set, NULL);
937 perror("attach: ptrace(PTRACE_ATTACH, ...)");
942 fprintf(stderr, ntid > 1
943 ? "Process %u attached with %u threads\n"
944 : "Process %u attached\n",
947 if (!(tcp->flags & TCB_ATTACHED)) {
948 /* -p PID, we failed to attach to PID itself
949 * but did attach to some of its sibling threads.
955 } /* if (opendir worked) */
957 if (ptrace_attach_or_seize(tcp->pid) < 0) {
958 perror("attach: ptrace(PTRACE_ATTACH, ...)");
962 tcp->flags |= TCB_ATTACHED | TCB_STARTUP | post_attach_sigstop;
965 fprintf(stderr, "attach to pid %d (main) succeeded\n", tcp->pid);
967 if (daemonized_tracer) {
969 * Make parent go away.
970 * Also makes grandparent's wait() unblock.
972 kill(getppid(), SIGKILL);
977 "Process %u attached\n",
979 } /* for each tcbtab[] */
983 sigprocmask(SIG_SETMASK, &empty_set, NULL);
987 startup_child(char **argv)
990 const char *filename;
991 char pathname[MAXPATHLEN];
996 if (strchr(filename, '/')) {
997 if (strlen(filename) > sizeof pathname - 1) {
998 errno = ENAMETOOLONG;
999 perror_msg_and_die("exec");
1001 strcpy(pathname, filename);
1003 #ifdef USE_DEBUGGING_EXEC
1005 * Debuggers customarily check the current directory
1006 * first regardless of the path but doing that gives
1007 * security geeks a panic attack.
1009 else if (stat(filename, &statbuf) == 0)
1010 strcpy(pathname, filename);
1011 #endif /* USE_DEBUGGING_EXEC */
1016 for (path = getenv("PATH"); path && *path; path += m) {
1017 const char *colon = strchr(path, ':');
1023 m = n = strlen(path);
1025 if (!getcwd(pathname, MAXPATHLEN))
1027 len = strlen(pathname);
1029 else if (n > sizeof pathname - 1)
1032 strncpy(pathname, path, n);
1035 if (len && pathname[len - 1] != '/')
1036 pathname[len++] = '/';
1037 strcpy(pathname + len, filename);
1038 if (stat(pathname, &statbuf) == 0 &&
1039 /* Accept only regular files
1040 with some execute bits set.
1041 XXX not perfect, might still fail */
1042 S_ISREG(statbuf.st_mode) &&
1043 (statbuf.st_mode & 0111))
1047 if (stat(pathname, &statbuf) < 0) {
1048 perror_msg_and_die("Can't stat '%s'", filename);
1050 strace_child = pid = fork();
1052 perror_msg_and_die("fork");
1054 if ((pid != 0 && daemonized_tracer) /* -D: parent to become a traced process */
1055 || (pid == 0 && !daemonized_tracer) /* not -D: child to become a traced process */
1058 if (shared_log != stderr)
1059 close(fileno(shared_log));
1060 if (!daemonized_tracer && !use_seize) {
1061 if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0) {
1062 perror_msg_and_die("ptrace(PTRACE_TRACEME, ...)");
1066 if (username != NULL) {
1067 uid_t run_euid = run_uid;
1068 gid_t run_egid = run_gid;
1070 if (statbuf.st_mode & S_ISUID)
1071 run_euid = statbuf.st_uid;
1072 if (statbuf.st_mode & S_ISGID)
1073 run_egid = statbuf.st_gid;
1075 * It is important to set groups before we
1076 * lose privileges on setuid.
1078 if (initgroups(username, run_gid) < 0) {
1079 perror_msg_and_die("initgroups");
1081 if (setregid(run_gid, run_egid) < 0) {
1082 perror_msg_and_die("setregid");
1084 if (setreuid(run_uid, run_euid) < 0) {
1085 perror_msg_and_die("setreuid");
1088 else if (geteuid() != 0)
1089 setreuid(run_uid, run_uid);
1091 if (!daemonized_tracer) {
1093 * Induce a ptrace stop. Tracer (our parent)
1094 * will resume us with PTRACE_SYSCALL and display
1095 * the immediately following execve syscall.
1096 * Can't do this on NOMMU systems, we are after
1097 * vfork: parent is blocked, stopping would deadlock.
1099 if (!strace_vforked)
1103 /* we depend on SIGCHLD set to SIG_DFL by init code */
1104 /* if it happens to be SIG_IGN'ed, wait won't block */
1109 execv(pathname, argv);
1110 perror_msg_and_die("exec");
1113 /* We are the tracer */
1115 if (!daemonized_tracer) {
1117 /* child did PTRACE_TRACEME, nothing to do in parent */
1119 if (!strace_vforked) {
1120 /* Wait until child stopped itself */
1122 while (waitpid(pid, &status, WSTOPPED) < 0) {
1125 perror_msg_and_die("waitpid");
1127 if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGSTOP) {
1128 kill_save_errno(pid, SIGKILL);
1129 perror_msg_and_die("Unexpected wait status %x", status);
1132 /* Else: vforked case, we have no way to sync.
1133 * Just attach to it as soon as possible.
1134 * This means that we may miss a few first syscalls...
1137 if (ptrace_attach_or_seize(pid)) {
1138 kill_save_errno(pid, SIGKILL);
1139 perror_msg_and_die("Can't attach to %d", pid);
1141 if (!strace_vforked)
1144 tcp = alloctcb(pid);
1145 if (!strace_vforked)
1146 tcp->flags |= TCB_ATTACHED | TCB_STRACE_CHILD | TCB_STARTUP | post_attach_sigstop;
1148 tcp->flags |= TCB_ATTACHED | TCB_STRACE_CHILD | TCB_STARTUP;
1152 /* With -D, *we* are child here, IOW: different pid. Fetch it: */
1153 strace_tracer_pid = getpid();
1154 /* The tracee is our parent: */
1157 /* attaching will be done later, by startup_attach */
1158 /* note: we don't do newoutf(tcp) here either! */
1163 * Test whether the kernel support PTRACE_O_TRACECLONE et al options.
1164 * First fork a new child, call ptrace with PTRACE_SETOPTIONS on it,
1165 * and then see which options are supported by the kernel.
1168 test_ptrace_setoptions_followfork(void)
1170 int pid, expected_grandchild = 0, found_grandchild = 0;
1171 const unsigned int test_options = PTRACE_O_TRACECLONE |
1172 PTRACE_O_TRACEFORK |
1173 PTRACE_O_TRACEVFORK;
1177 perror_msg_and_die("fork");
1180 if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0)
1181 perror_msg_and_die("%s: PTRACE_TRACEME doesn't work",
1183 kill_save_errno(pid, SIGSTOP);
1185 perror_msg_and_die("fork");
1190 int status, tracee_pid;
1193 tracee_pid = wait(&status);
1194 if (tracee_pid <= 0) {
1197 if (errno == ECHILD)
1199 kill_save_errno(pid, SIGKILL);
1200 perror_msg_and_die("%s: unexpected wait result %d",
1201 __func__, tracee_pid);
1203 if (WIFEXITED(status)) {
1204 if (WEXITSTATUS(status)) {
1205 if (tracee_pid != pid)
1206 kill_save_errno(pid, SIGKILL);
1207 error_msg_and_die("%s: unexpected exit status %u",
1208 __func__, WEXITSTATUS(status));
1212 if (WIFSIGNALED(status)) {
1213 if (tracee_pid != pid)
1214 kill_save_errno(pid, SIGKILL);
1215 error_msg_and_die("%s: unexpected signal %u",
1216 __func__, WTERMSIG(status));
1218 if (!WIFSTOPPED(status)) {
1219 if (tracee_pid != pid)
1220 kill_save_errno(tracee_pid, SIGKILL);
1221 kill_save_errno(pid, SIGKILL);
1222 error_msg_and_die("%s: unexpected wait status %x",
1225 if (tracee_pid != pid) {
1226 found_grandchild = tracee_pid;
1227 if (ptrace(PTRACE_CONT, tracee_pid, 0, 0) < 0) {
1228 kill_save_errno(tracee_pid, SIGKILL);
1229 kill_save_errno(pid, SIGKILL);
1230 perror_msg_and_die("PTRACE_CONT doesn't work");
1234 switch (WSTOPSIG(status)) {
1236 if (ptrace(PTRACE_SETOPTIONS, pid, 0, test_options) < 0
1237 && errno != EINVAL && errno != EIO)
1238 perror_msg("PTRACE_SETOPTIONS");
1241 if (status >> 16 == PTRACE_EVENT_FORK) {
1244 if (ptrace(PTRACE_GETEVENTMSG, pid,
1245 NULL, (long) &msg) == 0)
1246 expected_grandchild = msg;
1250 if (ptrace(PTRACE_SYSCALL, pid, 0, 0) < 0) {
1251 kill_save_errno(pid, SIGKILL);
1252 perror_msg_and_die("PTRACE_SYSCALL doesn't work");
1255 if (expected_grandchild && expected_grandchild == found_grandchild) {
1256 ptrace_setoptions |= test_options;
1258 fprintf(stderr, "ptrace_setoptions = %#x\n",
1262 error_msg("Test for PTRACE_O_TRACECLONE failed, "
1263 "giving up using this feature.");
1267 * Test whether the kernel support PTRACE_O_TRACESYSGOOD.
1268 * First fork a new child, call ptrace(PTRACE_SETOPTIONS) on it,
1269 * and then see whether it will stop with (SIGTRAP | 0x80).
1271 * Use of this option enables correct handling of user-generated SIGTRAPs,
1272 * and SIGTRAPs generated by special instructions such as int3 on x86:
1273 * _start: .globl _start
1278 * (compile with: "gcc -nostartfiles -nostdlib -o int3 int3.S")
1281 test_ptrace_setoptions_for_all(void)
1283 const unsigned int test_options = PTRACE_O_TRACESYSGOOD |
1288 /* this fork test doesn't work on no-mmu systems */
1294 perror_msg_and_die("fork");
1298 if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0)
1299 /* Note: exits with exitcode 1 */
1300 perror_msg_and_die("%s: PTRACE_TRACEME doesn't work",
1303 _exit(0); /* parent should see entry into this syscall */
1307 int status, tracee_pid;
1310 tracee_pid = wait(&status);
1311 if (tracee_pid <= 0) {
1314 kill_save_errno(pid, SIGKILL);
1315 perror_msg_and_die("%s: unexpected wait result %d",
1316 __func__, tracee_pid);
1318 if (WIFEXITED(status)) {
1319 if (WEXITSTATUS(status) == 0)
1321 error_msg_and_die("%s: unexpected exit status %u",
1322 __func__, WEXITSTATUS(status));
1324 if (WIFSIGNALED(status)) {
1325 error_msg_and_die("%s: unexpected signal %u",
1326 __func__, WTERMSIG(status));
1328 if (!WIFSTOPPED(status)) {
1330 error_msg_and_die("%s: unexpected wait status %x",
1333 if (WSTOPSIG(status) == SIGSTOP) {
1335 * We don't check "options aren't accepted" error.
1336 * If it happens, we'll never get (SIGTRAP | 0x80),
1337 * and thus will decide to not use the option.
1338 * IOW: the outcome of the test will be correct.
1340 if (ptrace(PTRACE_SETOPTIONS, pid, 0L, test_options) < 0
1341 && errno != EINVAL && errno != EIO)
1342 perror_msg("PTRACE_SETOPTIONS");
1344 if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
1347 if (ptrace(PTRACE_SYSCALL, pid, 0L, 0L) < 0) {
1348 kill_save_errno(pid, SIGKILL);
1349 perror_msg_and_die("PTRACE_SYSCALL doesn't work");
1354 syscall_trap_sig = (SIGTRAP | 0x80);
1355 ptrace_setoptions |= test_options;
1357 fprintf(stderr, "ptrace_setoptions = %#x\n",
1362 error_msg("Test for PTRACE_O_TRACESYSGOOD failed, "
1363 "giving up using this feature.");
1368 test_ptrace_seize(void)
1374 perror_msg_and_die("fork");
1381 /* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
1382 * attaching tracee continues to run unless a trap condition occurs.
1383 * PTRACE_SEIZE doesn't affect signal or group stop state.
1385 if (ptrace(PTRACE_SEIZE, pid, 0, PTRACE_SEIZE_DEVEL) == 0) {
1386 post_attach_sigstop = 0; /* this sets use_seize to 1 */
1387 } else if (debug_flag) {
1388 fprintf(stderr, "PTRACE_SEIZE doesn't work\n");
1394 int status, tracee_pid;
1397 tracee_pid = waitpid(pid, &status, 0);
1398 if (tracee_pid <= 0) {
1401 perror_msg_and_die("%s: unexpected wait result %d",
1402 __func__, tracee_pid);
1404 if (WIFSIGNALED(status)) {
1407 error_msg_and_die("%s: unexpected wait status %x",
1411 # else /* !USE_SEIZE */
1412 # define test_ptrace_seize() ((void)0)
1416 get_os_release(void)
1422 perror_msg_and_die("uname");
1423 /* u.release has this form: "3.2.9[-some-garbage]" */
1427 if (!(*p >= '0' && *p <= '9'))
1428 error_msg_and_die("Bad OS release string: '%s'", u.release);
1429 /* Note: this open-codes KERNEL_VERSION(): */
1430 rel = (rel << 8) | atoi(p);
1431 if (rel >= KERNEL_VERSION(1,0,0))
1433 while (*p >= '0' && *p <= '9')
1436 error_msg_and_die("Bad OS release string: '%s'", u.release);
1443 * Initialization part of main() was eating much stack (~0.5k),
1444 * which was unused after init.
1445 * We can reuse it if we move init code into a separate function.
1447 * Don't want main() to inline us and defeat the reason
1448 * we have a separate function.
1450 static void __attribute__ ((noinline))
1451 init(int argc, char *argv[])
1456 struct sigaction sa;
1458 progname = argv[0] ? argv[0] : "strace";
1460 /* Make sure SIGCHLD has the default action so that waitpid
1461 definitely works without losing track of children. The user
1462 should not have given us a bogus state to inherit, but he might
1463 have. Arguably we should detect SIG_IGN here and pass it on
1464 to children, but probably noone really needs that. */
1465 signal(SIGCHLD, SIG_DFL);
1467 strace_tracer_pid = getpid();
1469 os_release = get_os_release();
1471 /* Allocate the initial tcbtab. */
1472 tcbtabsize = argc; /* Surely enough for all -p args. */
1473 tcbtab = calloc(tcbtabsize, sizeof(tcbtab[0]));
1475 die_out_of_memory();
1476 tcp = calloc(tcbtabsize, sizeof(*tcp));
1478 die_out_of_memory();
1479 for (c = 0; c < tcbtabsize; c++)
1482 shared_log = stderr;
1483 set_sortby(DEFAULT_SORTBY);
1484 set_personality(DEFAULT_PERSONALITY);
1485 qualify("trace=all");
1486 qualify("abbrev=all");
1487 qualify("verbose=all");
1488 qualify("signal=all");
1489 while ((c = getopt(argc, argv,
1490 "+bcCdfFhiqrtTvVxyz"
1492 "a:e:o:O:p:s:S:u:E:P:I:")) != EOF) {
1495 detach_on_execve = 1;
1498 if (cflag == CFLAG_BOTH) {
1499 error_msg_and_die("-c and -C are mutually exclusive");
1501 cflag = CFLAG_ONLY_STATS;
1504 if (cflag == CFLAG_ONLY_STATS) {
1505 error_msg_and_die("-c and -C are mutually exclusive");
1513 daemonized_tracer = 1;
1532 /* fall through to tflag++ */
1546 qualify("abbrev=none");
1549 printf("%s -- version %s\n", PACKAGE_NAME, VERSION);
1553 not_failing_only = 1;
1556 acolumn = string_to_uint(optarg);
1558 error_opt_arg(c, optarg);
1564 outfname = strdup(optarg);
1567 i = string_to_uint(optarg);
1569 error_opt_arg(c, optarg);
1573 process_opt_p_list(optarg);
1577 if (pathtrace_select(optarg)) {
1578 error_msg_and_die("Failed to select path '%s'", optarg);
1582 i = string_to_uint(optarg);
1584 error_opt_arg(c, optarg);
1591 username = strdup(optarg);
1594 if (putenv(optarg) < 0)
1595 die_out_of_memory();
1598 opt_intr = string_to_uint(optarg);
1599 if (opt_intr <= 0 || opt_intr >= NUM_INTR_OPTS)
1600 error_opt_arg(c, optarg);
1608 /* argc -= optind; - no need, argc is not used below */
1610 acolumn_spaces = malloc(acolumn + 1);
1611 if (!acolumn_spaces)
1612 die_out_of_memory();
1613 memset(acolumn_spaces, ' ', acolumn);
1614 acolumn_spaces[acolumn] = '\0';
1616 /* Must have PROG [ARGS], or -p PID. Not both. */
1617 if (!argv[0] == !nprocs)
1620 if (nprocs != 0 && daemonized_tracer) {
1621 error_msg_and_die("-D and -p are mutually exclusive");
1627 if (followfork >= 2 && cflag) {
1628 error_msg_and_die("(-c or -C) and -ff are mutually exclusive");
1631 /* See if they want to run as another user. */
1632 if (username != NULL) {
1633 struct passwd *pent;
1635 if (getuid() != 0 || geteuid() != 0) {
1636 error_msg_and_die("You must be root to use the -u option");
1638 pent = getpwnam(username);
1640 error_msg_and_die("Cannot find user '%s'", username);
1642 run_uid = pent->pw_uid;
1643 run_gid = pent->pw_gid;
1651 test_ptrace_setoptions_followfork();
1652 test_ptrace_setoptions_for_all();
1653 test_ptrace_seize();
1655 /* Check if they want to redirect the output. */
1657 /* See if they want to pipe the output. */
1658 if (outfname[0] == '|' || outfname[0] == '!') {
1660 * We can't do the <outfname>.PID funny business
1661 * when using popen, so prohibit it.
1663 if (followfork >= 2)
1664 error_msg_and_die("Piping the output and -ff are mutually exclusive");
1665 shared_log = strace_popen(outfname + 1);
1667 else if (followfork < 2)
1668 shared_log = strace_fopen(outfname);
1670 /* -ff without -o FILE is the same as single -f */
1671 if (followfork >= 2)
1675 if (!outfname || outfname[0] == '|' || outfname[0] == '!') {
1676 char *buf = malloc(BUFSIZ);
1678 die_out_of_memory();
1679 setvbuf(shared_log, buf, _IOLBF, BUFSIZ);
1681 if (outfname && argv[0]) {
1683 opt_intr = INTR_NEVER;
1687 opt_intr = INTR_WHILE_WAIT;
1689 /* argv[0] -pPID -oFILE Default interactive setting
1690 * yes 0 0 INTR_WHILE_WAIT
1691 * no 1 0 INTR_WHILE_WAIT
1692 * yes 0 1 INTR_NEVER
1693 * no 1 1 INTR_WHILE_WAIT
1696 /* STARTUP_CHILD must be called before the signal handlers get
1697 installed below as they are inherited into the spawned process.
1698 Also we do not need to be protected by them as during interruption
1699 in the STARTUP_CHILD mode we kill the spawned process anyway. */
1701 skip_startup_execve = 1;
1702 startup_child(argv);
1705 sigemptyset(&empty_set);
1706 sigemptyset(&blocked_set);
1707 sa.sa_handler = SIG_IGN;
1708 sigemptyset(&sa.sa_mask);
1710 sigaction(SIGTTOU, &sa, NULL); /* SIG_IGN */
1711 sigaction(SIGTTIN, &sa, NULL); /* SIG_IGN */
1712 if (opt_intr != INTR_ANYWHERE) {
1713 if (opt_intr == INTR_BLOCK_TSTP_TOO)
1714 sigaction(SIGTSTP, &sa, NULL); /* SIG_IGN */
1716 * In interactive mode (if no -o OUTFILE, or -p PID is used),
1717 * fatal signals are blocked while syscall stop is processed,
1718 * and acted on in between, when waiting for new syscall stops.
1719 * In non-interactive mode, signals are ignored.
1721 if (opt_intr == INTR_WHILE_WAIT) {
1722 sigaddset(&blocked_set, SIGHUP);
1723 sigaddset(&blocked_set, SIGINT);
1724 sigaddset(&blocked_set, SIGQUIT);
1725 sigaddset(&blocked_set, SIGPIPE);
1726 sigaddset(&blocked_set, SIGTERM);
1727 sa.sa_handler = interrupt;
1729 /* SIG_IGN, or set handler for these */
1730 sigaction(SIGHUP, &sa, NULL);
1731 sigaction(SIGINT, &sa, NULL);
1732 sigaction(SIGQUIT, &sa, NULL);
1733 sigaction(SIGPIPE, &sa, NULL);
1734 sigaction(SIGTERM, &sa, NULL);
1736 if (nprocs != 0 || daemonized_tracer)
1739 /* Do we want pids printed in our -o OUTFILE?
1740 * -ff: no (every pid has its own file); or
1741 * -f: yes (there can be more pids in the future); or
1742 * -p PID1,PID2: yes (there are already more than one pid)
1744 print_pid_pfx = (outfname && followfork < 2 && (followfork == 1 || nprocs > 1));
1755 for (i = 0; i < tcbtabsize; i++) {
1756 struct tcb *tcp = tcbtab[i];
1757 if (tcp->pid == pid && (tcp->flags & TCB_INUSE))
1771 /* 'interrupted' is a volatile object, fetch it only once */
1772 fatal_sig = interrupted;
1774 fatal_sig = SIGTERM;
1776 for (i = 0; i < tcbtabsize; i++) {
1778 if (!(tcp->flags & TCB_INUSE))
1782 "cleanup: looking at pid %u\n", tcp->pid);
1783 if (tcp->flags & TCB_STRACE_CHILD) {
1784 kill(tcp->pid, SIGCONT);
1785 kill(tcp->pid, fatal_sig);
1790 call_summary(shared_log);
1803 struct rusage *rup = cflag ? &ru : NULL;
1805 static int wait4_options = __WALL;
1808 while (nprocs != 0) {
1819 sigprocmask(SIG_SETMASK, &empty_set, NULL);
1821 pid = wait4(-1, &status, wait4_options, rup);
1822 if (pid < 0 && (wait4_options & __WALL) && errno == EINVAL) {
1823 /* this kernel does not support __WALL */
1824 wait4_options &= ~__WALL;
1825 pid = wait4(-1, &status, wait4_options, rup);
1827 if (pid < 0 && !(wait4_options & __WALL) && errno == ECHILD) {
1828 /* most likely a "cloned" process */
1829 pid = wait4(-1, &status, __WCLONE, rup);
1831 perror_msg("wait4(__WCLONE) failed");
1835 pid = wait4(-1, &status, 0, rup);
1836 # endif /* __WALL */
1839 sigprocmask(SIG_BLOCK, &blocked_set, NULL);
1842 switch (wait_errno) {
1847 * We would like to verify this case
1848 * but sometimes a race in Solbourne's
1849 * version of SunOS sometimes reports
1850 * ECHILD before sending us SIGCHILD.
1859 if (pid == popen_pid) {
1860 if (WIFEXITED(status) || WIFSIGNALED(status))
1865 event = ((unsigned)status >> 16);
1867 char buf[sizeof("WIFEXITED,exitcode=%u") + sizeof(int)*3 /*paranoia:*/ + 16];
1868 char evbuf[sizeof(",PTRACE_EVENT_?? (%u)") + sizeof(int)*3 /*paranoia:*/ + 16];
1870 if (WIFSIGNALED(status))
1872 sprintf(buf, "WIFSIGNALED,%ssig=%s",
1873 WCOREDUMP(status) ? "core," : "",
1874 signame(WTERMSIG(status)));
1876 sprintf(buf, "WIFSIGNALED,sig=%s",
1877 signame(WTERMSIG(status)));
1879 if (WIFEXITED(status))
1880 sprintf(buf, "WIFEXITED,exitcode=%u", WEXITSTATUS(status));
1881 if (WIFSTOPPED(status))
1882 sprintf(buf, "WIFSTOPPED,sig=%s", signame(WSTOPSIG(status)));
1884 if (WIFCONTINUED(status))
1885 strcpy(buf, "WIFCONTINUED");
1889 static const char *const event_names[] = {
1890 [PTRACE_EVENT_CLONE] = "CLONE",
1891 [PTRACE_EVENT_FORK] = "FORK",
1892 [PTRACE_EVENT_VFORK] = "VFORK",
1893 [PTRACE_EVENT_VFORK_DONE] = "VFORK_DONE",
1894 [PTRACE_EVENT_EXEC] = "EXEC",
1895 [PTRACE_EVENT_EXIT] = "EXIT",
1898 if (event < ARRAY_SIZE(event_names))
1899 e = event_names[event];
1901 sprintf(buf, "?? (%u)", event);
1904 sprintf(evbuf, ",PTRACE_EVENT_%s", e);
1906 fprintf(stderr, " [wait(0x%04x) = %u] %s%s\n", status, pid, buf, evbuf);
1909 /* Look up 'pid' in our table. */
1914 /* This is needed to go with the CLONE_PTRACE
1915 changes in process.c/util.c: we might see
1916 the child's initial trap before we see the
1917 parent return from the clone syscall.
1918 Leave the child suspended until the parent
1919 returns from its system call. Only then
1920 will we have the association of parent and
1921 child so that we know how to do clearbpt
1923 tcp = alloctcb(pid);
1924 tcp->flags |= TCB_ATTACHED | TCB_STARTUP | post_attach_sigstop;
1927 fprintf(stderr, "Process %d attached\n",
1930 /* This can happen if a clone call used
1931 CLONE_PTRACE itself. */
1932 if (WIFSTOPPED(status))
1933 ptrace(PTRACE_CONT, pid, (char *) 0, 0);
1934 error_msg_and_die("Unknown pid: %u", pid);
1938 /* Under Linux, execve changes pid to thread leader's pid,
1939 * and we see this changed pid on EVENT_EXEC and later,
1940 * execve sysexit. Leader "disappears" without exit
1941 * notification. Let user know that, drop leader's tcb,
1942 * and fix up pid in execve thread's tcb.
1943 * Effectively, execve thread's tcb replaces leader's tcb.
1945 * BTW, leader is 'stuck undead' (doesn't report WIFEXITED
1946 * on exit syscall) in multithreaded programs exactly
1947 * in order to handle this case.
1949 * PTRACE_GETEVENTMSG returns old pid starting from Linux 3.0.
1950 * On 2.6 and earlier, it can return garbage.
1952 if (event == PTRACE_EVENT_EXEC && os_release >= KERNEL_VERSION(3,0,0)) {
1954 struct tcb *execve_thread;
1957 if (ptrace(PTRACE_GETEVENTMSG, pid, NULL, (long) &old_pid) < 0)
1958 goto dont_switch_tcbs;
1959 if (old_pid <= 0 || old_pid == pid)
1960 goto dont_switch_tcbs;
1961 execve_thread = pid2tcb(old_pid);
1962 /* It should be !NULL, but I feel paranoid */
1964 goto dont_switch_tcbs;
1966 if (execve_thread->curcol != 0) {
1968 * One case we are here is -ff:
1969 * try "strace -oLOG -ff test/threaded_execve"
1971 fprintf(execve_thread->outf, " <pid changed to %d ...>\n", pid);
1972 /*execve_thread->curcol = 0; - no need, see code below */
1974 /* Swap output FILEs (needed for -ff) */
1975 fp = execve_thread->outf;
1976 execve_thread->outf = tcp->outf;
1978 /* And their column positions */
1979 execve_thread->curcol = tcp->curcol;
1981 /* Drop leader, but close execve'd thread outfile (if -ff) */
1983 /* Switch to the thread, reusing leader's outfile and pid */
1984 tcp = execve_thread;
1986 if (cflag != CFLAG_ONLY_STATS) {
1988 tprintf("+++ superseded by execve in pid %lu +++\n", old_pid);
1990 tcp->flags |= TCB_REPRINT;
1995 if (event == PTRACE_EVENT_EXEC && detach_on_execve) {
1996 if (!skip_startup_execve)
1998 /* This was initial execve for "strace PROG". Skip. */
1999 skip_startup_execve = 0;
2002 /* Set current output file */
2006 tv_sub(&tcp->dtime, &ru.ru_stime, &tcp->stime);
2007 tcp->stime = ru.ru_stime;
2010 if (WIFSIGNALED(status)) {
2011 if (pid == strace_child)
2012 exit_code = 0x100 | WTERMSIG(status);
2013 if (cflag != CFLAG_ONLY_STATS
2014 && (qual_flags[WTERMSIG(status)] & QUAL_SIGNAL)) {
2017 tprintf("+++ killed by %s %s+++\n",
2018 signame(WTERMSIG(status)),
2019 WCOREDUMP(status) ? "(core dumped) " : "");
2021 tprintf("+++ killed by %s +++\n",
2022 signame(WTERMSIG(status)));
2029 if (WIFEXITED(status)) {
2030 if (pid == strace_child)
2031 exit_code = WEXITSTATUS(status);
2032 if (cflag != CFLAG_ONLY_STATS) {
2034 tprintf("+++ exited with %d +++\n", WEXITSTATUS(status));
2040 if (!WIFSTOPPED(status)) {
2041 fprintf(stderr, "PANIC: pid %u not stopped\n", pid);
2046 /* Is this the very first time we see this tracee stopped? */
2047 if (tcp->flags & TCB_STARTUP) {
2049 fprintf(stderr, "pid %d has TCB_STARTUP, initializing it\n", tcp->pid);
2050 tcp->flags &= ~TCB_STARTUP;
2051 if (tcp->flags & TCB_BPTSET) {
2053 * One example is a breakpoint inherited from
2054 * parent through fork().
2056 if (clearbpt(tcp) < 0) {
2063 if (ptrace_setoptions) {
2065 fprintf(stderr, "setting opts %x on pid %d\n", ptrace_setoptions, tcp->pid);
2066 if (ptrace(PTRACE_SETOPTIONS, tcp->pid, NULL, ptrace_setoptions) < 0) {
2067 if (errno != ESRCH) {
2068 /* Should never happen, really */
2069 perror_msg_and_die("PTRACE_SETOPTIONS");
2075 sig = WSTOPSIG(status);
2080 if (event == PTRACE_EVENT_STOP || event == PTRACE_EVENT_STOP1) {
2082 * PTRACE_INTERRUPT-stop or group-stop.
2083 * PTRACE_INTERRUPT-stop has sig == SIGTRAP here.
2095 goto restart_tracee_with_sig_0;
2098 /* Is this post-attach SIGSTOP?
2099 * Interestingly, the process may stop
2100 * with STOPSIG equal to some other signal
2101 * than SIGSTOP if we happend to attach
2102 * just before the process takes a signal.
2104 if (sig == SIGSTOP && (tcp->flags & TCB_IGNORE_ONE_SIGSTOP)) {
2106 fprintf(stderr, "ignored SIGSTOP on pid %d\n", tcp->pid);
2107 tcp->flags &= ~TCB_IGNORE_ONE_SIGSTOP;
2108 goto restart_tracee_with_sig_0;
2111 if (sig != syscall_trap_sig) {
2114 /* Nonzero (true) if tracee is stopped by signal
2115 * (as opposed to "tracee received signal").
2116 * TODO: shouldn't we check for errno == EINVAL too?
2117 * We can get ESRCH instead, you know...
2119 stopped = (ptrace(PTRACE_GETSIGINFO, pid, 0, (long) &si) < 0);
2123 if (cflag != CFLAG_ONLY_STATS
2124 && (qual_flags[sig] & QUAL_SIGNAL)) {
2125 #if defined(PT_CR_IPSR) && defined(PT_CR_IIP)
2129 upeek(tcp, PT_CR_IPSR, &psr);
2130 upeek(tcp, PT_CR_IIP, &pc);
2133 pc += (psr >> PSR_RI) & 0x3;
2134 # define PC_FORMAT_STR " @ %lx"
2135 # define PC_FORMAT_ARG , pc
2137 # define PC_FORMAT_STR ""
2138 # define PC_FORMAT_ARG /* nothing */
2142 tprintf("--- %s ", signame(sig));
2143 printsiginfo(&si, verbose(tcp));
2144 tprintf(PC_FORMAT_STR " ---\n"
2147 tprintf("--- stopped by %s" PC_FORMAT_STR " ---\n",
2154 /* It's signal-delivery-stop. Inject the signal */
2155 goto restart_tracee;
2157 /* It's group-stop */
2161 * This ends ptrace-stop, but does *not* end group-stop.
2162 * This makes stopping signals work properly on straced process
2163 * (that is, process really stops. It used to continue to run).
2165 if (ptrace_restart(PTRACE_LISTEN, tcp, 0) < 0) {
2171 /* We don't have PTRACE_LISTEN support... */
2173 goto restart_tracee;
2176 /* We handled quick cases, we are permitted to interrupt now. */
2180 /* This should be syscall entry or exit.
2181 * (Or it still can be that pesky post-execve SIGTRAP!)
2184 if (trace_syscall(tcp) < 0) {
2185 /* ptrace() failed in trace_syscall().
2186 * Likely a result of process disappearing mid-flight.
2187 * Observed case: exit_group() or SIGKILL terminating
2188 * all processes in thread group.
2189 * We assume that ptrace error was caused by process death.
2190 * We used to detach(tcp) here, but since we no longer
2191 * implement "detach before death" policy/hack,
2192 * we can let this process to report its death to us
2193 * normally, via WIFEXITED or WIFSIGNALED wait status.
2197 restart_tracee_with_sig_0:
2200 /* Remember current print column before continuing. */
2201 if (ptrace_restart(PTRACE_SYSCALL, tcp, sig) < 0) {
2210 main(int argc, char *argv[])
2214 /* Run main tracing loop */
2220 if (exit_code > 0xff) {
2221 /* Avoid potential core file clobbering. */
2222 struct rlimit rlim = {0, 0};
2223 setrlimit(RLIMIT_CORE, &rlim);
2225 /* Child was killed by a signal, mimic that. */
2227 signal(exit_code, SIG_DFL);
2229 /* Paranoia - what if this signal is not fatal?
2230 Exit with 128 + signo then. */