2 * Copyright (c) 1991, 1992 Paul Kranenburg <pk@cs.few.eur.nl>
3 * Copyright (c) 1993 Branko Lankester <branko@hacktic.nl>
4 * Copyright (c) 1993, 1994, 1995, 1996 Rick Sladkey <jrs@world.std.com>
5 * Copyright (c) 1996-1999 Wichert Akkerman <wichert@cistron.nl>
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #include <sys/param.h>
35 #include <sys/resource.h>
41 #include <sys/utsname.h>
43 # include <asm/ptrace_offsets.h>
45 /* In some libc, these aren't declared. Do it ourself: */
46 extern char **environ;
51 #if defined __NR_tkill
52 # define my_tkill(tid, sig) syscall(__NR_tkill, (tid), (sig))
54 /* kill() may choose arbitrarily the target task of the process group
55 while we later wait on a that specific TID. PID process waits become
56 TID task specific waits for a process under ptrace(2). */
57 # warning "tkill(2) not available, risk of strace hangs!"
58 # define my_tkill(tid, sig) kill((tid), (sig))
61 cflag_t cflag = CFLAG_NONE;
62 unsigned int followfork = 0;
63 unsigned int ptrace_setoptions = 0;
64 unsigned int xflag = 0;
65 bool need_fork_exec_workarounds = 0;
69 /* Which WSTOPSIG(status) value marks syscall traps? */
70 static unsigned int syscall_trap_sig = SIGTRAP;
71 static unsigned int tflag = 0;
72 static bool iflag = 0;
73 static bool rflag = 0;
74 static bool print_pid_pfx = 0;
79 INTR_ANYWHERE = 1, /* don't block/ignore any signals */
80 INTR_WHILE_WAIT = 2, /* block fatal signals while decoding syscall. default */
81 INTR_NEVER = 3, /* block fatal signals. default if '-o FILE PROG' */
82 INTR_BLOCK_TSTP_TOO = 4, /* block fatal signals and SIGTSTP (^Z) */
86 /* We play with signal mask only if this mode is active: */
87 #define interactive (opt_intr == INTR_WHILE_WAIT)
90 * daemonized_tracer supports -D option.
91 * With this option, strace forks twice.
92 * Unlike normal case, with -D *grandparent* process exec's,
93 * becoming a traced process. Child exits (this prevents traced process
94 * from having children it doesn't expect to have), and grandchild
95 * attaches to grandparent similarly to strace -p PID.
96 * This allows for more transparent interaction in cases
97 * when process and its parent are communicating via signals,
98 * wait() etc. Without -D, strace process gets lodged in between,
99 * disrupting parent<->child link.
101 static bool daemonized_tracer = 0;
104 static int post_attach_sigstop = TCB_IGNORE_ONE_SIGSTOP;
105 # define use_seize (post_attach_sigstop == 0)
107 # define post_attach_sigstop TCB_IGNORE_ONE_SIGSTOP
111 /* Sometimes we want to print only succeeding syscalls. */
112 bool not_failing_only = 0;
114 /* Show path associated with fd arguments */
115 bool show_fd_path = 0;
117 /* are we filtering traces based on paths? */
118 bool tracing_paths = 0;
120 static bool detach_on_execve = 0;
121 static bool skip_startup_execve = 0;
123 static int exit_code = 0;
124 static int strace_child = 0;
125 static int strace_tracer_pid = 0;
127 static char *username = NULL;
128 static uid_t run_uid;
129 static gid_t run_gid;
131 unsigned int max_strlen = DEFAULT_STRLEN;
132 static int acolumn = DEFAULT_ACOLUMN;
133 static char *acolumn_spaces;
135 static char *outfname = NULL;
136 /* If -ff, points to stderr. Else, it's our common output log */
137 static FILE *shared_log;
139 struct tcb *printing_tcp = NULL;
140 static struct tcb *current_tcp;
142 static struct tcb **tcbtab;
143 static unsigned int nprocs, tcbtabsize;
144 static const char *progname;
146 unsigned os_release; /* generated from uname()'s u.release */
148 static int detach(struct tcb *tcp);
149 static int trace(void);
150 static void cleanup(void);
151 static void interrupt(int sig);
152 static sigset_t empty_set, blocked_set;
154 #ifdef HAVE_SIG_ATOMIC_T
155 static volatile sig_atomic_t interrupted;
157 static volatile int interrupted;
160 #ifndef HAVE_STRERROR
162 #if !HAVE_DECL_SYS_ERRLIST
164 extern char *sys_errlist[];
170 static char buf[sizeof("Unknown error %d") + sizeof(int)*3];
172 if (err_no < 1 || err_no >= sys_nerr) {
173 sprintf(buf, "Unknown error %d", err_no);
176 return sys_errlist[err_no];
179 #endif /* HAVE_STERRROR */
182 usage(FILE *ofp, int exitval)
185 usage: strace [-CdffhiqrtttTvVxxy] [-I n] [-e expr]...\n\
186 [-a column] [-o file] [-s strsize] [-P path]...\n\
187 -p pid... / [-D] [-E var=val]... [-u username] PROG [ARGS]\n\
188 or: strace -c[df] [-I n] [-e expr]... [-O overhead] [-S sortby]\n\
189 -p pid... / [-D] [-E var=val]... [-u username] PROG [ARGS]\n\
190 -c -- count time, calls, and errors for each syscall and report summary\n\
191 -C -- like -c but also print regular output\n\
192 -d -- enable debug output to stderr\n\
193 -D -- run tracer process as a detached grandchild, not as parent\n\
194 -f -- follow forks, -ff -- with output into separate files\n\
195 -F -- attempt to follow vforks (deprecated, use -f)\n\
196 -i -- print instruction pointer at time of syscall\n\
197 -q -- suppress messages about attaching, detaching, etc.\n\
198 -r -- print relative timestamp, -t -- absolute timestamp, -tt -- with usecs\n\
199 -T -- print time spent in each syscall\n\
200 -v -- verbose mode: print unabbreviated argv, stat, termios, etc. args\n\
201 -x -- print non-ascii strings in hex, -xx -- print all strings in hex\n\
202 -y -- print paths associated with file descriptor arguments\n\
203 -h -- print help message, -V -- print version\n\
204 -a column -- alignment COLUMN for printing syscall results (default %d)\n\
205 -e expr -- a qualifying expression: option=[!]all or option=[!]val1[,val2]...\n\
206 options: trace, abbrev, verbose, raw, signal, read, or write\n\
207 -I interruptible --\n\
208 1: no signals are blocked\n\
209 2: fatal signals are blocked while decoding syscall (default)\n\
210 3: fatal signals are always blocked (default if '-o FILE PROG')\n\
211 4: fatal signals and SIGTSTP (^Z) are always blocked\n\
212 (useful to make 'strace -o FILE PROG' not stop on ^Z)\n\
213 -o file -- send trace output to FILE instead of stderr\n\
214 -O overhead -- set overhead for tracing syscalls to OVERHEAD usecs\n\
215 -p pid -- trace process with process id PID, may be repeated\n\
216 -s strsize -- limit length of print strings to STRSIZE chars (default %d)\n\
217 -S sortby -- sort syscall counts by: time, calls, name, nothing (default %s)\n\
218 -u username -- run command as username handling setuid and/or setgid\n\
219 -E var=val -- put var=val in the environment for command\n\
220 -E var -- remove var from the environment for command\n\
221 -P path -- trace accesses to path\n\
223 /* this is broken, so don't document it
224 -z -- print only succeeding syscalls\n\
226 /* experimental, don't document it yet (option letter may change in the future!)
227 -b -- detach on successful execve\n\
229 , DEFAULT_ACOLUMN, DEFAULT_STRLEN, DEFAULT_SORTBY);
233 static void die(void) __attribute__ ((noreturn));
234 static void die(void)
236 if (strace_tracer_pid == getpid()) {
243 static void verror_msg(int err_no, const char *fmt, va_list p)
249 /* We want to print entire message with single fprintf to ensure
250 * message integrity if stderr is shared with other programs.
251 * Thus we use vasprintf + single fprintf.
254 if (vasprintf(&msg, fmt, p) >= 0) {
256 fprintf(stderr, "%s: %s: %s\n", progname, msg, strerror(err_no));
258 fprintf(stderr, "%s: %s\n", progname, msg);
261 /* malloc in vasprintf failed, try it without malloc */
262 fprintf(stderr, "%s: ", progname);
263 vfprintf(stderr, fmt, p);
265 fprintf(stderr, ": %s\n", strerror(err_no));
269 /* We don't switch stderr to buffered, thus fprintf(stderr)
270 * always flushes its output and this is not necessary: */
271 /* fflush(stderr); */
274 void error_msg(const char *fmt, ...)
278 verror_msg(0, fmt, p);
282 void error_msg_and_die(const char *fmt, ...)
286 verror_msg(0, fmt, p);
290 void perror_msg(const char *fmt, ...)
294 verror_msg(errno, fmt, p);
298 void perror_msg_and_die(const char *fmt, ...)
302 verror_msg(errno, fmt, p);
306 void die_out_of_memory(void)
308 static bool recursed = 0;
312 error_msg_and_die("Out of memory");
316 error_opt_arg(int opt, const char *arg)
318 error_msg_and_die("Invalid -%c argument: '%s'", opt, arg);
321 /* Glue for systems without a MMU that cannot provide fork() */
323 # define strace_vforked 0
325 # define strace_vforked 1
326 # define fork() vfork()
331 ptrace_attach_or_seize(int pid)
335 return ptrace(PTRACE_ATTACH, pid, 0, 0);
336 r = ptrace(PTRACE_SEIZE, pid, 0, 0);
339 r = ptrace(PTRACE_INTERRUPT, pid, 0, 0);
343 # define ptrace_attach_or_seize(pid) ptrace(PTRACE_ATTACH, (pid), 0, 0)
347 * Used when we want to unblock stopped traced process.
348 * Should be only used with PTRACE_CONT, PTRACE_DETACH and PTRACE_SYSCALL.
349 * Returns 0 on success or if error was ESRCH
350 * (presumably process was killed while we talk to it).
351 * Otherwise prints error message and returns -1.
354 ptrace_restart(int op, struct tcb *tcp, int sig)
360 ptrace(op, tcp->pid, (void *) 0, (long) sig);
366 if (op == PTRACE_CONT)
368 if (op == PTRACE_DETACH)
371 if (op == PTRACE_LISTEN)
375 * Why curcol != 0? Otherwise sometimes we get this:
377 * 10252 kill(10253, SIGKILL) = 0
378 * <ptrace(SYSCALL,10252):No such process>10253 ...next decode...
380 * 10252 died after we retrieved syscall exit data,
381 * but before we tried to restart it. Log looks ugly.
383 if (current_tcp && current_tcp->curcol != 0) {
384 tprintf(" <ptrace(%s):%s>\n", msg, strerror(err));
390 perror_msg("ptrace(PTRACE_%s,pid:%d,sig:%d)", msg, tcp->pid, sig);
395 set_cloexec_flag(int fd)
399 flags = fcntl(fd, F_GETFD);
401 /* Can happen only if fd is bad.
402 * Should never happen: if it does, we have a bug
403 * in the caller. Therefore we just abort
404 * instead of propagating the error.
406 perror_msg_and_die("fcntl(%d, F_GETFD)", fd);
409 newflags = flags | FD_CLOEXEC;
410 if (flags == newflags)
413 fcntl(fd, F_SETFD, newflags); /* never fails */
416 static void kill_save_errno(pid_t pid, int sig)
418 int saved_errno = errno;
420 (void) kill(pid, sig);
425 * When strace is setuid executable, we have to swap uids
426 * before and after filesystem and process management operations.
431 int euid = geteuid(), uid = getuid();
433 if (euid != uid && setreuid(euid, uid) < 0) {
434 perror_msg_and_die("setreuid");
439 # define fopen_for_output fopen64
441 # define fopen_for_output fopen
445 strace_fopen(const char *path)
450 fp = fopen_for_output(path, "w");
452 perror_msg_and_die("Can't fopen '%s'", path);
454 set_cloexec_flag(fileno(fp));
458 static int popen_pid = 0;
461 # define _PATH_BSHELL "/bin/sh"
465 * We cannot use standard popen(3) here because we have to distinguish
466 * popen child process from other processes we trace, and standard popen(3)
467 * does not export its child's pid.
470 strace_popen(const char *command)
477 perror_msg_and_die("pipe");
479 set_cloexec_flag(fds[1]); /* never fails */
483 perror_msg_and_die("vfork");
485 if (popen_pid == 0) {
490 perror_msg_and_die("dup2");
493 execl(_PATH_BSHELL, "sh", "-c", command, NULL);
494 perror_msg_and_die("Can't execute '%s'", _PATH_BSHELL);
500 fp = fdopen(fds[1], "w");
507 tprintf(const char *fmt, ...)
513 int n = strace_vfprintf(current_tcp->outf, fmt, args);
515 if (current_tcp->outf != stderr)
516 perror_msg("%s", outfname);
518 current_tcp->curcol += n;
524 tprints(const char *str)
527 int n = fputs_unlocked(str, current_tcp->outf);
529 current_tcp->curcol += strlen(str);
532 if (current_tcp->outf != stderr)
533 perror_msg("%s", outfname);
541 current_tcp->curcol = 0;
542 fflush(current_tcp->outf);
545 printing_tcp->curcol = 0;
551 printleader(struct tcb *tcp)
553 /* If -ff, "previous tcb we printed" is always the same as current,
554 * because we have per-tcb output files.
560 current_tcp = printing_tcp;
561 if (printing_tcp->curcol != 0 && (followfork < 2 || printing_tcp == tcp)) {
563 * case 1: we have a shared log (i.e. not -ff), and last line
564 * wasn't finished (same or different tcb, doesn't matter).
565 * case 2: split log, we are the same tcb, but our last line
566 * didn't finish ("SIGKILL nuked us after syscall entry" etc).
568 tprints(" <unfinished ...>\n");
569 printing_tcp->curcol = 0;
575 current_tcp->curcol = 0;
578 tprintf("%-5d ", tcp->pid);
579 else if (nprocs > 1 && !outfname)
580 tprintf("[pid %5u] ", tcp->pid);
583 char str[sizeof("HH:MM:SS")];
584 struct timeval tv, dtv;
585 static struct timeval otv;
587 gettimeofday(&tv, NULL);
591 tv_sub(&dtv, &tv, &otv);
592 tprintf("%6ld.%06ld ",
593 (long) dtv.tv_sec, (long) dtv.tv_usec);
596 else if (tflag > 2) {
597 tprintf("%ld.%06ld ",
598 (long) tv.tv_sec, (long) tv.tv_usec);
601 time_t local = tv.tv_sec;
602 strftime(str, sizeof(str), "%T", localtime(&local));
604 tprintf("%s.%06ld ", str, (long) tv.tv_usec);
616 if (current_tcp->curcol < acolumn)
617 tprints(acolumn_spaces + current_tcp->curcol);
620 /* Should be only called directly *after successful attach* to a tracee.
621 * Otherwise, "strace -oFILE -ff -p<nonexistant_pid>"
622 * may create bogus empty FILE.<nonexistant_pid>, and then die.
625 newoutf(struct tcb *tcp)
627 tcp->outf = shared_log; /* if not -ff mode, the same file is for all */
628 if (followfork >= 2) {
629 char name[520 + sizeof(int) * 3];
630 sprintf(name, "%.512s.%u", outfname, tcp->pid);
631 tcp->outf = strace_fopen(name);
638 /* Allocate some more TCBs and expand the table.
639 We don't want to relocate the TCBs because our
640 callers have pointers and it would be a pain.
641 So tcbtab is a table of pointers. Since we never
642 free the TCBs, we allocate a single chunk of many. */
644 struct tcb *newtcbs = calloc(tcbtabsize, sizeof(newtcbs[0]));
645 struct tcb **newtab = realloc(tcbtab, tcbtabsize * 2 * sizeof(tcbtab[0]));
646 if (!newtab || !newtcbs)
650 while (i < tcbtabsize)
651 tcbtab[i++] = newtcbs++;
660 if (nprocs == tcbtabsize)
663 for (i = 0; i < tcbtabsize; i++) {
665 if ((tcp->flags & TCB_INUSE) == 0) {
666 memset(tcp, 0, sizeof(*tcp));
668 tcp->flags = TCB_INUSE;
669 #if SUPPORTED_PERSONALITIES > 1
670 tcp->currpers = current_personality;
674 fprintf(stderr, "new tcb for pid %d, active tcbs:%d\n", tcp->pid, nprocs);
678 error_msg_and_die("bug in alloctcb");
682 droptcb(struct tcb *tcp)
689 fprintf(stderr, "dropped tcb for pid %d, %d remain\n", tcp->pid, nprocs);
692 if (followfork >= 2) {
693 if (tcp->curcol != 0)
694 fprintf(tcp->outf, " <detached ...>\n");
697 if (printing_tcp == tcp && tcp->curcol != 0)
698 fprintf(tcp->outf, " <detached ...>\n");
703 if (current_tcp == tcp)
705 if (printing_tcp == tcp)
708 memset(tcp, 0, sizeof(*tcp));
711 /* detach traced process; continue with sig
712 * Never call DETACH twice on the same process as both unattached and
713 * attached-unstopped processes give the same ESRCH. For unattached process we
714 * would SIGSTOP it and wait for its SIGSTOP notification forever.
717 detach(struct tcb *tcp)
720 int status, sigstop_expected;
722 if (tcp->flags & TCB_BPTSET)
726 * Linux wrongly insists the child be stopped
727 * before detaching. Arghh. We go through hoops
728 * to make a clean break of things.
731 # undef PTRACE_DETACH
732 # define PTRACE_DETACH PTRACE_SUNDETACH
736 sigstop_expected = 0;
737 if (tcp->flags & TCB_ATTACHED) {
739 * We attached but possibly didn't see the expected SIGSTOP.
740 * We must catch exactly one as otherwise the detached process
741 * would be left stopped (process state T).
743 sigstop_expected = (tcp->flags & TCB_IGNORE_ONE_SIGSTOP);
744 error = ptrace(PTRACE_DETACH, tcp->pid, (char *) 1, 0);
746 /* On a clear day, you can see forever. */
748 else if (errno != ESRCH) {
749 /* Shouldn't happen. */
750 perror_msg("%s", "detach: ptrace(PTRACE_DETACH, ...)");
752 else if (my_tkill(tcp->pid, 0) < 0) {
754 perror_msg("%s", "detach: checking sanity");
756 else if (!sigstop_expected && my_tkill(tcp->pid, SIGSTOP) < 0) {
758 perror_msg("%s", "detach: stopping child");
761 sigstop_expected = 1;
764 if (sigstop_expected) {
767 if (waitpid(tcp->pid, &status, __WALL) < 0) {
768 if (errno == ECHILD) /* Already gone. */
770 if (errno != EINVAL) {
771 perror_msg("%s", "detach: waiting");
775 /* No __WALL here. */
776 if (waitpid(tcp->pid, &status, 0) < 0) {
777 if (errno != ECHILD) {
778 perror_msg("%s", "detach: waiting");
782 /* If no processes, try clones. */
783 if (waitpid(tcp->pid, &status, __WCLONE) < 0) {
785 perror_msg("%s", "detach: waiting");
788 #endif /* __WCLONE */
793 if (!WIFSTOPPED(status)) {
794 /* Au revoir, mon ami. */
797 if (WSTOPSIG(status) == SIGSTOP) {
798 ptrace_restart(PTRACE_DETACH, tcp, 0);
801 error = ptrace_restart(PTRACE_CONT, tcp,
802 WSTOPSIG(status) == syscall_trap_sig ? 0
809 if (!qflag && (tcp->flags & TCB_ATTACHED))
810 fprintf(stderr, "Process %u detached\n", tcp->pid);
818 process_opt_p_list(char *opt)
822 * We accept -p PID,PID; -p "`pidof PROG`"; -p "`pgrep PROG`".
823 * pidof uses space as delim, pgrep uses newline. :(
826 char *delim = opt + strcspn(opt, ", \n\t");
830 pid = string_to_uint(opt);
832 error_msg_and_die("Invalid process id: '%s'", opt);
834 if (pid == strace_tracer_pid) {
835 error_msg_and_die("I'm sorry, I can't let you do that, Dave.");
852 * Block user interruptions as we would leave the traced
853 * process stopped (process state T) if we would terminate in
854 * between PTRACE_ATTACH and wait4() on SIGSTOP.
855 * We rely on cleanup() from this point on.
858 sigprocmask(SIG_BLOCK, &blocked_set, NULL);
860 if (daemonized_tracer) {
863 perror_msg_and_die("fork");
865 if (pid) { /* parent */
867 * Wait for grandchild to attach to straced process
868 * (grandparent). Grandchild SIGKILLs us after it attached.
869 * Grandparent's wait() is unblocked by our death,
870 * it proceeds to exec the straced program.
873 _exit(0); /* paranoia */
876 /* We will be the tracer process. Remember our new pid: */
877 strace_tracer_pid = getpid();
880 for (tcbi = 0; tcbi < tcbtabsize; tcbi++) {
883 if (!(tcp->flags & TCB_INUSE))
886 /* Is this a process we should attach to, but not yet attached? */
887 if (tcp->flags & TCB_ATTACHED)
888 continue; /* no, we already attached it */
890 if (followfork && !daemonized_tracer) {
891 char procdir[sizeof("/proc/%d/task") + sizeof(int) * 3];
894 sprintf(procdir, "/proc/%d/task", tcp->pid);
895 dir = opendir(procdir);
897 unsigned int ntid = 0, nerr = 0;
900 while ((de = readdir(dir)) != NULL) {
904 if (de->d_fileno == 0)
906 /* we trust /proc filesystem */
907 tid = atoi(de->d_name);
911 if (ptrace_attach_or_seize(tid) < 0) {
914 fprintf(stderr, "attach to pid %d failed\n", tid);
918 fprintf(stderr, "attach to pid %d succeeded\n", tid);
921 cur_tcp = alloctcb(tid);
922 cur_tcp->flags |= TCB_ATTACHED | TCB_STARTUP | post_attach_sigstop;
927 sigprocmask(SIG_SETMASK, &empty_set, NULL);
930 sigprocmask(SIG_BLOCK, &blocked_set, NULL);
934 perror_msg("%s", "attach: ptrace(PTRACE_ATTACH, ...)");
939 fprintf(stderr, ntid > 1
940 ? "Process %u attached with %u threads\n"
941 : "Process %u attached\n",
944 if (!(tcp->flags & TCB_ATTACHED)) {
945 /* -p PID, we failed to attach to PID itself
946 * but did attach to some of its sibling threads.
952 } /* if (opendir worked) */
954 if (ptrace_attach_or_seize(tcp->pid) < 0) {
955 perror_msg("%s", "attach: ptrace(PTRACE_ATTACH, ...)");
959 tcp->flags |= TCB_ATTACHED | TCB_STARTUP | post_attach_sigstop;
962 fprintf(stderr, "attach to pid %d (main) succeeded\n", tcp->pid);
964 if (daemonized_tracer) {
966 * Make parent go away.
967 * Also makes grandparent's wait() unblock.
969 kill(getppid(), SIGKILL);
974 "Process %u attached\n",
976 } /* for each tcbtab[] */
980 sigprocmask(SIG_SETMASK, &empty_set, NULL);
984 startup_child(char **argv)
987 const char *filename;
988 char pathname[MAXPATHLEN];
993 if (strchr(filename, '/')) {
994 if (strlen(filename) > sizeof pathname - 1) {
995 errno = ENAMETOOLONG;
996 perror_msg_and_die("exec");
998 strcpy(pathname, filename);
1000 #ifdef USE_DEBUGGING_EXEC
1002 * Debuggers customarily check the current directory
1003 * first regardless of the path but doing that gives
1004 * security geeks a panic attack.
1006 else if (stat(filename, &statbuf) == 0)
1007 strcpy(pathname, filename);
1008 #endif /* USE_DEBUGGING_EXEC */
1013 for (path = getenv("PATH"); path && *path; path += m) {
1014 const char *colon = strchr(path, ':');
1020 m = n = strlen(path);
1022 if (!getcwd(pathname, MAXPATHLEN))
1024 len = strlen(pathname);
1026 else if (n > sizeof pathname - 1)
1029 strncpy(pathname, path, n);
1032 if (len && pathname[len - 1] != '/')
1033 pathname[len++] = '/';
1034 strcpy(pathname + len, filename);
1035 if (stat(pathname, &statbuf) == 0 &&
1036 /* Accept only regular files
1037 with some execute bits set.
1038 XXX not perfect, might still fail */
1039 S_ISREG(statbuf.st_mode) &&
1040 (statbuf.st_mode & 0111))
1044 if (stat(pathname, &statbuf) < 0) {
1045 perror_msg_and_die("Can't stat '%s'", filename);
1047 strace_child = pid = fork();
1049 perror_msg_and_die("fork");
1051 if ((pid != 0 && daemonized_tracer) /* -D: parent to become a traced process */
1052 || (pid == 0 && !daemonized_tracer) /* not -D: child to become a traced process */
1055 if (shared_log != stderr)
1056 close(fileno(shared_log));
1057 if (!daemonized_tracer && !use_seize) {
1058 if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0) {
1059 perror_msg_and_die("ptrace(PTRACE_TRACEME, ...)");
1063 if (username != NULL) {
1064 uid_t run_euid = run_uid;
1065 gid_t run_egid = run_gid;
1067 if (statbuf.st_mode & S_ISUID)
1068 run_euid = statbuf.st_uid;
1069 if (statbuf.st_mode & S_ISGID)
1070 run_egid = statbuf.st_gid;
1072 * It is important to set groups before we
1073 * lose privileges on setuid.
1075 if (initgroups(username, run_gid) < 0) {
1076 perror_msg_and_die("initgroups");
1078 if (setregid(run_gid, run_egid) < 0) {
1079 perror_msg_and_die("setregid");
1081 if (setreuid(run_uid, run_euid) < 0) {
1082 perror_msg_and_die("setreuid");
1085 else if (geteuid() != 0)
1086 if (setreuid(run_uid, run_uid) < 0) {
1087 perror_msg_and_die("setreuid");
1090 if (!daemonized_tracer) {
1092 * Induce a ptrace stop. Tracer (our parent)
1093 * will resume us with PTRACE_SYSCALL and display
1094 * the immediately following execve syscall.
1095 * Can't do this on NOMMU systems, we are after
1096 * vfork: parent is blocked, stopping would deadlock.
1098 if (!strace_vforked)
1102 /* we depend on SIGCHLD set to SIG_DFL by init code */
1103 /* if it happens to be SIG_IGN'ed, wait won't block */
1108 execv(pathname, argv);
1109 perror_msg_and_die("exec");
1112 /* We are the tracer */
1114 if (!daemonized_tracer) {
1116 /* child did PTRACE_TRACEME, nothing to do in parent */
1118 if (!strace_vforked) {
1119 /* Wait until child stopped itself */
1121 while (waitpid(pid, &status, WSTOPPED) < 0) {
1124 perror_msg_and_die("waitpid");
1126 if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGSTOP) {
1127 kill_save_errno(pid, SIGKILL);
1128 perror_msg_and_die("Unexpected wait status %x", status);
1131 /* Else: vforked case, we have no way to sync.
1132 * Just attach to it as soon as possible.
1133 * This means that we may miss a few first syscalls...
1136 if (ptrace_attach_or_seize(pid)) {
1137 kill_save_errno(pid, SIGKILL);
1138 perror_msg_and_die("Can't attach to %d", pid);
1140 if (!strace_vforked)
1143 tcp = alloctcb(pid);
1144 if (!strace_vforked)
1145 tcp->flags |= TCB_ATTACHED | TCB_STRACE_CHILD | TCB_STARTUP | post_attach_sigstop;
1147 tcp->flags |= TCB_ATTACHED | TCB_STRACE_CHILD | TCB_STARTUP;
1151 /* With -D, *we* are child here, IOW: different pid. Fetch it: */
1152 strace_tracer_pid = getpid();
1153 /* The tracee is our parent: */
1156 /* attaching will be done later, by startup_attach */
1157 /* note: we don't do newoutf(tcp) here either! */
1162 * Test whether the kernel support PTRACE_O_TRACECLONE et al options.
1163 * First fork a new child, call ptrace with PTRACE_SETOPTIONS on it,
1164 * and then see which options are supported by the kernel.
1167 test_ptrace_setoptions_followfork(void)
1169 int pid, expected_grandchild = 0, found_grandchild = 0;
1170 const unsigned int test_options = PTRACE_O_TRACECLONE |
1171 PTRACE_O_TRACEFORK |
1172 PTRACE_O_TRACEVFORK;
1176 perror_msg_and_die("fork");
1179 if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0)
1180 perror_msg_and_die("%s: PTRACE_TRACEME doesn't work",
1182 kill_save_errno(pid, SIGSTOP);
1184 perror_msg_and_die("fork");
1189 int status, tracee_pid;
1192 tracee_pid = wait(&status);
1193 if (tracee_pid <= 0) {
1196 if (errno == ECHILD)
1198 kill_save_errno(pid, SIGKILL);
1199 perror_msg_and_die("%s: unexpected wait result %d",
1200 __func__, tracee_pid);
1202 if (WIFEXITED(status)) {
1203 if (WEXITSTATUS(status)) {
1204 if (tracee_pid != pid)
1205 kill_save_errno(pid, SIGKILL);
1206 error_msg_and_die("%s: unexpected exit status %u",
1207 __func__, WEXITSTATUS(status));
1211 if (WIFSIGNALED(status)) {
1212 if (tracee_pid != pid)
1213 kill_save_errno(pid, SIGKILL);
1214 error_msg_and_die("%s: unexpected signal %u",
1215 __func__, WTERMSIG(status));
1217 if (!WIFSTOPPED(status)) {
1218 if (tracee_pid != pid)
1219 kill_save_errno(tracee_pid, SIGKILL);
1220 kill_save_errno(pid, SIGKILL);
1221 error_msg_and_die("%s: unexpected wait status %x",
1224 if (tracee_pid != pid) {
1225 found_grandchild = tracee_pid;
1226 if (ptrace(PTRACE_CONT, tracee_pid, 0, 0) < 0) {
1227 kill_save_errno(tracee_pid, SIGKILL);
1228 kill_save_errno(pid, SIGKILL);
1229 perror_msg_and_die("PTRACE_CONT doesn't work");
1233 switch (WSTOPSIG(status)) {
1235 if (ptrace(PTRACE_SETOPTIONS, pid, 0, test_options) < 0
1236 && errno != EINVAL && errno != EIO)
1237 perror_msg("PTRACE_SETOPTIONS");
1240 if (status >> 16 == PTRACE_EVENT_FORK) {
1243 if (ptrace(PTRACE_GETEVENTMSG, pid,
1244 NULL, (long) &msg) == 0)
1245 expected_grandchild = msg;
1249 if (ptrace(PTRACE_SYSCALL, pid, 0, 0) < 0) {
1250 kill_save_errno(pid, SIGKILL);
1251 perror_msg_and_die("PTRACE_SYSCALL doesn't work");
1254 if (expected_grandchild && expected_grandchild == found_grandchild) {
1255 ptrace_setoptions |= test_options;
1257 fprintf(stderr, "ptrace_setoptions = %#x\n",
1261 error_msg("Test for PTRACE_O_TRACECLONE failed, "
1262 "giving up using this feature.");
1267 * Test whether the kernel support PTRACE_O_TRACESYSGOOD.
1268 * First fork a new child, call ptrace(PTRACE_SETOPTIONS) on it,
1269 * and then see whether it will stop with (SIGTRAP | 0x80).
1271 * Use of this option enables correct handling of user-generated SIGTRAPs,
1272 * and SIGTRAPs generated by special instructions such as int3 on x86:
1273 * _start: .globl _start
1278 * (compile with: "gcc -nostartfiles -nostdlib -o int3 int3.S")
1281 test_ptrace_setoptions_for_all(void)
1283 const unsigned int test_options = PTRACE_O_TRACESYSGOOD |
1288 /* this fork test doesn't work on no-mmu systems */
1289 /* FIXME: isn't it better to assume we *succeed*? */
1295 perror_msg_and_die("fork");
1299 if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0)
1300 /* Note: exits with exitcode 1 */
1301 perror_msg_and_die("%s: PTRACE_TRACEME doesn't work",
1304 _exit(0); /* parent should see entry into this syscall */
1308 int status, tracee_pid;
1311 tracee_pid = wait(&status);
1312 if (tracee_pid <= 0) {
1315 kill_save_errno(pid, SIGKILL);
1316 perror_msg_and_die("%s: unexpected wait result %d",
1317 __func__, tracee_pid);
1319 if (WIFEXITED(status)) {
1320 if (WEXITSTATUS(status) == 0)
1322 error_msg_and_die("%s: unexpected exit status %u",
1323 __func__, WEXITSTATUS(status));
1325 if (WIFSIGNALED(status)) {
1326 error_msg_and_die("%s: unexpected signal %u",
1327 __func__, WTERMSIG(status));
1329 if (!WIFSTOPPED(status)) {
1331 error_msg_and_die("%s: unexpected wait status %x",
1334 if (WSTOPSIG(status) == SIGSTOP) {
1336 * We don't check "options aren't accepted" error.
1337 * If it happens, we'll never get (SIGTRAP | 0x80),
1338 * and thus will decide to not use the option.
1339 * IOW: the outcome of the test will be correct.
1341 if (ptrace(PTRACE_SETOPTIONS, pid, 0L, test_options) < 0
1342 && errno != EINVAL && errno != EIO)
1343 perror_msg("PTRACE_SETOPTIONS");
1345 if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
1348 if (ptrace(PTRACE_SYSCALL, pid, 0L, 0L) < 0) {
1349 kill_save_errno(pid, SIGKILL);
1350 perror_msg_and_die("PTRACE_SYSCALL doesn't work");
1355 syscall_trap_sig = (SIGTRAP | 0x80);
1356 ptrace_setoptions |= test_options;
1358 fprintf(stderr, "ptrace_setoptions = %#x\n",
1363 error_msg("Test for PTRACE_O_TRACESYSGOOD failed, "
1364 "giving up using this feature.");
1370 test_ptrace_seize(void)
1376 perror_msg_and_die("fork");
1383 /* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
1384 * attaching tracee continues to run unless a trap condition occurs.
1385 * PTRACE_SEIZE doesn't affect signal or group stop state.
1387 if (ptrace(PTRACE_SEIZE, pid, 0, 0) == 0) {
1388 post_attach_sigstop = 0; /* this sets use_seize to 1 */
1389 } else if (debug_flag) {
1390 fprintf(stderr, "PTRACE_SEIZE doesn't work\n");
1396 int status, tracee_pid;
1399 tracee_pid = waitpid(pid, &status, 0);
1400 if (tracee_pid <= 0) {
1403 perror_msg_and_die("%s: unexpected wait result %d",
1404 __func__, tracee_pid);
1406 if (WIFSIGNALED(status)) {
1409 error_msg_and_die("%s: unexpected wait status %x",
1413 #else /* !USE_SEIZE */
1414 # define test_ptrace_seize() ((void)0)
1418 get_os_release(void)
1424 perror_msg_and_die("uname");
1425 /* u.release has this form: "3.2.9[-some-garbage]" */
1429 if (!(*p >= '0' && *p <= '9'))
1430 error_msg_and_die("Bad OS release string: '%s'", u.release);
1431 /* Note: this open-codes KERNEL_VERSION(): */
1432 rel = (rel << 8) | atoi(p);
1433 if (rel >= KERNEL_VERSION(1,0,0))
1435 while (*p >= '0' && *p <= '9')
1438 if (rel >= KERNEL_VERSION(0,1,0)) {
1439 /* "X.Y-something" means "X.Y.0" */
1443 error_msg_and_die("Bad OS release string: '%s'", u.release);
1451 * Initialization part of main() was eating much stack (~0.5k),
1452 * which was unused after init.
1453 * We can reuse it if we move init code into a separate function.
1455 * Don't want main() to inline us and defeat the reason
1456 * we have a separate function.
1458 static void __attribute__ ((noinline))
1459 init(int argc, char *argv[])
1464 struct sigaction sa;
1466 progname = argv[0] ? argv[0] : "strace";
1468 /* Make sure SIGCHLD has the default action so that waitpid
1469 definitely works without losing track of children. The user
1470 should not have given us a bogus state to inherit, but he might
1471 have. Arguably we should detect SIG_IGN here and pass it on
1472 to children, but probably noone really needs that. */
1473 signal(SIGCHLD, SIG_DFL);
1475 strace_tracer_pid = getpid();
1477 os_release = get_os_release();
1479 /* Allocate the initial tcbtab. */
1480 tcbtabsize = argc; /* Surely enough for all -p args. */
1481 tcbtab = calloc(tcbtabsize, sizeof(tcbtab[0]));
1483 die_out_of_memory();
1484 tcp = calloc(tcbtabsize, sizeof(*tcp));
1486 die_out_of_memory();
1487 for (c = 0; c < tcbtabsize; c++)
1490 shared_log = stderr;
1491 set_sortby(DEFAULT_SORTBY);
1492 set_personality(DEFAULT_PERSONALITY);
1493 qualify("trace=all");
1494 qualify("abbrev=all");
1495 qualify("verbose=all");
1496 qualify("signal=all");
1497 while ((c = getopt(argc, argv,
1498 "+bcCdfFhiqrtTvVxyz"
1500 "a:e:o:O:p:s:S:u:E:P:I:")) != EOF) {
1503 detach_on_execve = 1;
1506 if (cflag == CFLAG_BOTH) {
1507 error_msg_and_die("-c and -C are mutually exclusive");
1509 cflag = CFLAG_ONLY_STATS;
1512 if (cflag == CFLAG_ONLY_STATS) {
1513 error_msg_and_die("-c and -C are mutually exclusive");
1521 daemonized_tracer = 1;
1540 /* fall through to tflag++ */
1554 qualify("abbrev=none");
1557 printf("%s -- version %s\n", PACKAGE_NAME, VERSION);
1561 not_failing_only = 1;
1564 acolumn = string_to_uint(optarg);
1566 error_opt_arg(c, optarg);
1572 outfname = strdup(optarg);
1575 i = string_to_uint(optarg);
1577 error_opt_arg(c, optarg);
1581 process_opt_p_list(optarg);
1585 if (pathtrace_select(optarg)) {
1586 error_msg_and_die("Failed to select path '%s'", optarg);
1590 i = string_to_uint(optarg);
1592 error_opt_arg(c, optarg);
1599 username = strdup(optarg);
1602 if (putenv(optarg) < 0)
1603 die_out_of_memory();
1606 opt_intr = string_to_uint(optarg);
1607 if (opt_intr <= 0 || opt_intr >= NUM_INTR_OPTS)
1608 error_opt_arg(c, optarg);
1616 /* argc -= optind; - no need, argc is not used below */
1618 acolumn_spaces = malloc(acolumn + 1);
1619 if (!acolumn_spaces)
1620 die_out_of_memory();
1621 memset(acolumn_spaces, ' ', acolumn);
1622 acolumn_spaces[acolumn] = '\0';
1624 /* Must have PROG [ARGS], or -p PID. Not both. */
1625 if (!argv[0] == !nprocs)
1628 if (nprocs != 0 && daemonized_tracer) {
1629 error_msg_and_die("-D and -p are mutually exclusive");
1635 if (followfork >= 2 && cflag) {
1636 error_msg_and_die("(-c or -C) and -ff are mutually exclusive");
1639 /* See if they want to run as another user. */
1640 if (username != NULL) {
1641 struct passwd *pent;
1643 if (getuid() != 0 || geteuid() != 0) {
1644 error_msg_and_die("You must be root to use the -u option");
1646 pent = getpwnam(username);
1648 error_msg_and_die("Cannot find user '%s'", username);
1650 run_uid = pent->pw_uid;
1651 run_gid = pent->pw_gid;
1659 * On any reasonably recent Linux kernel (circa about 2.5.46)
1660 * need_fork_exec_workarounds should stay 0 after these tests:
1662 /*need_fork_exec_workarounds = 0; - already is */
1664 need_fork_exec_workarounds = test_ptrace_setoptions_followfork();
1665 need_fork_exec_workarounds |= test_ptrace_setoptions_for_all();
1666 test_ptrace_seize();
1668 /* Check if they want to redirect the output. */
1670 /* See if they want to pipe the output. */
1671 if (outfname[0] == '|' || outfname[0] == '!') {
1673 * We can't do the <outfname>.PID funny business
1674 * when using popen, so prohibit it.
1676 if (followfork >= 2)
1677 error_msg_and_die("Piping the output and -ff are mutually exclusive");
1678 shared_log = strace_popen(outfname + 1);
1680 else if (followfork < 2)
1681 shared_log = strace_fopen(outfname);
1683 /* -ff without -o FILE is the same as single -f */
1684 if (followfork >= 2)
1688 if (!outfname || outfname[0] == '|' || outfname[0] == '!') {
1689 char *buf = malloc(BUFSIZ);
1691 die_out_of_memory();
1692 setvbuf(shared_log, buf, _IOLBF, BUFSIZ);
1694 if (outfname && argv[0]) {
1696 opt_intr = INTR_NEVER;
1700 opt_intr = INTR_WHILE_WAIT;
1702 /* argv[0] -pPID -oFILE Default interactive setting
1703 * yes 0 0 INTR_WHILE_WAIT
1704 * no 1 0 INTR_WHILE_WAIT
1705 * yes 0 1 INTR_NEVER
1706 * no 1 1 INTR_WHILE_WAIT
1709 /* STARTUP_CHILD must be called before the signal handlers get
1710 installed below as they are inherited into the spawned process.
1711 Also we do not need to be protected by them as during interruption
1712 in the STARTUP_CHILD mode we kill the spawned process anyway. */
1714 skip_startup_execve = 1;
1715 startup_child(argv);
1718 sigemptyset(&empty_set);
1719 sigemptyset(&blocked_set);
1720 sa.sa_handler = SIG_IGN;
1721 sigemptyset(&sa.sa_mask);
1723 sigaction(SIGTTOU, &sa, NULL); /* SIG_IGN */
1724 sigaction(SIGTTIN, &sa, NULL); /* SIG_IGN */
1725 if (opt_intr != INTR_ANYWHERE) {
1726 if (opt_intr == INTR_BLOCK_TSTP_TOO)
1727 sigaction(SIGTSTP, &sa, NULL); /* SIG_IGN */
1729 * In interactive mode (if no -o OUTFILE, or -p PID is used),
1730 * fatal signals are blocked while syscall stop is processed,
1731 * and acted on in between, when waiting for new syscall stops.
1732 * In non-interactive mode, signals are ignored.
1734 if (opt_intr == INTR_WHILE_WAIT) {
1735 sigaddset(&blocked_set, SIGHUP);
1736 sigaddset(&blocked_set, SIGINT);
1737 sigaddset(&blocked_set, SIGQUIT);
1738 sigaddset(&blocked_set, SIGPIPE);
1739 sigaddset(&blocked_set, SIGTERM);
1740 sa.sa_handler = interrupt;
1742 /* SIG_IGN, or set handler for these */
1743 sigaction(SIGHUP, &sa, NULL);
1744 sigaction(SIGINT, &sa, NULL);
1745 sigaction(SIGQUIT, &sa, NULL);
1746 sigaction(SIGPIPE, &sa, NULL);
1747 sigaction(SIGTERM, &sa, NULL);
1749 if (nprocs != 0 || daemonized_tracer)
1752 /* Do we want pids printed in our -o OUTFILE?
1753 * -ff: no (every pid has its own file); or
1754 * -f: yes (there can be more pids in the future); or
1755 * -p PID1,PID2: yes (there are already more than one pid)
1757 print_pid_pfx = (outfname && followfork < 2 && (followfork == 1 || nprocs > 1));
1768 for (i = 0; i < tcbtabsize; i++) {
1769 struct tcb *tcp = tcbtab[i];
1770 if (tcp->pid == pid && (tcp->flags & TCB_INUSE))
1784 /* 'interrupted' is a volatile object, fetch it only once */
1785 fatal_sig = interrupted;
1787 fatal_sig = SIGTERM;
1789 for (i = 0; i < tcbtabsize; i++) {
1791 if (!(tcp->flags & TCB_INUSE))
1795 "cleanup: looking at pid %u\n", tcp->pid);
1796 if (tcp->flags & TCB_STRACE_CHILD) {
1797 kill(tcp->pid, SIGCONT);
1798 kill(tcp->pid, fatal_sig);
1803 call_summary(shared_log);
1816 struct rusage *rup = cflag ? &ru : NULL;
1818 static int wait4_options = __WALL;
1821 while (nprocs != 0) {
1832 sigprocmask(SIG_SETMASK, &empty_set, NULL);
1834 pid = wait4(-1, &status, wait4_options, rup);
1835 if (pid < 0 && (wait4_options & __WALL) && errno == EINVAL) {
1836 /* this kernel does not support __WALL */
1837 wait4_options &= ~__WALL;
1838 pid = wait4(-1, &status, wait4_options, rup);
1840 if (pid < 0 && !(wait4_options & __WALL) && errno == ECHILD) {
1841 /* most likely a "cloned" process */
1842 pid = wait4(-1, &status, __WCLONE, rup);
1844 perror_msg("wait4(__WCLONE) failed");
1848 pid = wait4(-1, &status, 0, rup);
1852 sigprocmask(SIG_BLOCK, &blocked_set, NULL);
1855 switch (wait_errno) {
1860 * We would like to verify this case
1861 * but sometimes a race in Solbourne's
1862 * version of SunOS sometimes reports
1863 * ECHILD before sending us SIGCHILD.
1872 if (pid == popen_pid) {
1873 if (WIFEXITED(status) || WIFSIGNALED(status))
1878 event = ((unsigned)status >> 16);
1880 char buf[sizeof("WIFEXITED,exitcode=%u") + sizeof(int)*3 /*paranoia:*/ + 16];
1881 char evbuf[sizeof(",PTRACE_EVENT_?? (%u)") + sizeof(int)*3 /*paranoia:*/ + 16];
1883 if (WIFSIGNALED(status))
1885 sprintf(buf, "WIFSIGNALED,%ssig=%s",
1886 WCOREDUMP(status) ? "core," : "",
1887 signame(WTERMSIG(status)));
1889 sprintf(buf, "WIFSIGNALED,sig=%s",
1890 signame(WTERMSIG(status)));
1892 if (WIFEXITED(status))
1893 sprintf(buf, "WIFEXITED,exitcode=%u", WEXITSTATUS(status));
1894 if (WIFSTOPPED(status))
1895 sprintf(buf, "WIFSTOPPED,sig=%s", signame(WSTOPSIG(status)));
1897 if (WIFCONTINUED(status))
1898 strcpy(buf, "WIFCONTINUED");
1902 static const char *const event_names[] = {
1903 [PTRACE_EVENT_CLONE] = "CLONE",
1904 [PTRACE_EVENT_FORK] = "FORK",
1905 [PTRACE_EVENT_VFORK] = "VFORK",
1906 [PTRACE_EVENT_VFORK_DONE] = "VFORK_DONE",
1907 [PTRACE_EVENT_EXEC] = "EXEC",
1908 [PTRACE_EVENT_EXIT] = "EXIT",
1911 if (event < ARRAY_SIZE(event_names))
1912 e = event_names[event];
1914 sprintf(buf, "?? (%u)", event);
1917 sprintf(evbuf, ",PTRACE_EVENT_%s", e);
1919 fprintf(stderr, " [wait(0x%04x) = %u] %s%s\n", status, pid, buf, evbuf);
1922 /* Look up 'pid' in our table. */
1927 tcp = alloctcb(pid);
1928 tcp->flags |= TCB_ATTACHED | TCB_STARTUP | post_attach_sigstop;
1931 fprintf(stderr, "Process %d attached\n",
1934 /* This can happen if a clone call used
1935 CLONE_PTRACE itself. */
1936 if (WIFSTOPPED(status))
1937 ptrace(PTRACE_CONT, pid, (char *) 0, 0);
1938 error_msg_and_die("Unknown pid: %u", pid);
1943 if (WIFSTOPPED(status))
1946 /* Under Linux, execve changes pid to thread leader's pid,
1947 * and we see this changed pid on EVENT_EXEC and later,
1948 * execve sysexit. Leader "disappears" without exit
1949 * notification. Let user know that, drop leader's tcb,
1950 * and fix up pid in execve thread's tcb.
1951 * Effectively, execve thread's tcb replaces leader's tcb.
1953 * BTW, leader is 'stuck undead' (doesn't report WIFEXITED
1954 * on exit syscall) in multithreaded programs exactly
1955 * in order to handle this case.
1957 * PTRACE_GETEVENTMSG returns old pid starting from Linux 3.0.
1958 * On 2.6 and earlier, it can return garbage.
1960 if (event == PTRACE_EVENT_EXEC && os_release >= KERNEL_VERSION(3,0,0)) {
1962 struct tcb *execve_thread;
1965 if (ptrace(PTRACE_GETEVENTMSG, pid, NULL, (long) &old_pid) < 0)
1966 goto dont_switch_tcbs;
1967 if (old_pid <= 0 || old_pid == pid)
1968 goto dont_switch_tcbs;
1969 execve_thread = pid2tcb(old_pid);
1970 /* It should be !NULL, but I feel paranoid */
1972 goto dont_switch_tcbs;
1974 if (execve_thread->curcol != 0) {
1976 * One case we are here is -ff:
1977 * try "strace -oLOG -ff test/threaded_execve"
1979 fprintf(execve_thread->outf, " <pid changed to %d ...>\n", pid);
1980 /*execve_thread->curcol = 0; - no need, see code below */
1982 /* Swap output FILEs (needed for -ff) */
1983 fp = execve_thread->outf;
1984 execve_thread->outf = tcp->outf;
1986 /* And their column positions */
1987 execve_thread->curcol = tcp->curcol;
1989 /* Drop leader, but close execve'd thread outfile (if -ff) */
1991 /* Switch to the thread, reusing leader's outfile and pid */
1992 tcp = execve_thread;
1994 if (cflag != CFLAG_ONLY_STATS) {
1996 tprintf("+++ superseded by execve in pid %lu +++\n", old_pid);
1998 tcp->flags |= TCB_REPRINT;
2003 if (event == PTRACE_EVENT_EXEC && detach_on_execve) {
2004 if (!skip_startup_execve)
2006 /* This was initial execve for "strace PROG". Skip. */
2007 skip_startup_execve = 0;
2010 /* Set current output file */
2014 tv_sub(&tcp->dtime, &ru.ru_stime, &tcp->stime);
2015 tcp->stime = ru.ru_stime;
2018 if (WIFSIGNALED(status)) {
2019 if (pid == strace_child)
2020 exit_code = 0x100 | WTERMSIG(status);
2021 if (cflag != CFLAG_ONLY_STATS
2022 && (qual_flags[WTERMSIG(status)] & QUAL_SIGNAL)) {
2025 tprintf("+++ killed by %s %s+++\n",
2026 signame(WTERMSIG(status)),
2027 WCOREDUMP(status) ? "(core dumped) " : "");
2029 tprintf("+++ killed by %s +++\n",
2030 signame(WTERMSIG(status)));
2037 if (WIFEXITED(status)) {
2038 if (pid == strace_child)
2039 exit_code = WEXITSTATUS(status);
2040 if (cflag != CFLAG_ONLY_STATS) {
2042 tprintf("+++ exited with %d +++\n", WEXITSTATUS(status));
2048 if (!WIFSTOPPED(status)) {
2049 fprintf(stderr, "PANIC: pid %u not stopped\n", pid);
2054 /* Is this the very first time we see this tracee stopped? */
2055 if (tcp->flags & TCB_STARTUP) {
2057 fprintf(stderr, "pid %d has TCB_STARTUP, initializing it\n", tcp->pid);
2058 tcp->flags &= ~TCB_STARTUP;
2059 if (tcp->flags & TCB_BPTSET) {
2061 * One example is a breakpoint inherited from
2062 * parent through fork().
2064 if (clearbpt(tcp) < 0) {
2071 if (ptrace_setoptions) {
2073 fprintf(stderr, "setting opts %x on pid %d\n", ptrace_setoptions, tcp->pid);
2074 if (ptrace(PTRACE_SETOPTIONS, tcp->pid, NULL, ptrace_setoptions) < 0) {
2075 if (errno != ESRCH) {
2076 /* Should never happen, really */
2077 perror_msg_and_die("PTRACE_SETOPTIONS");
2083 sig = WSTOPSIG(status);
2088 if (event == PTRACE_EVENT_STOP) {
2090 * PTRACE_INTERRUPT-stop or group-stop.
2091 * PTRACE_INTERRUPT-stop has sig == SIGTRAP here.
2103 goto restart_tracee_with_sig_0;
2106 /* Is this post-attach SIGSTOP?
2107 * Interestingly, the process may stop
2108 * with STOPSIG equal to some other signal
2109 * than SIGSTOP if we happend to attach
2110 * just before the process takes a signal.
2112 if (sig == SIGSTOP && (tcp->flags & TCB_IGNORE_ONE_SIGSTOP)) {
2114 fprintf(stderr, "ignored SIGSTOP on pid %d\n", tcp->pid);
2115 tcp->flags &= ~TCB_IGNORE_ONE_SIGSTOP;
2116 goto restart_tracee_with_sig_0;
2119 if (sig != syscall_trap_sig) {
2122 /* Nonzero (true) if tracee is stopped by signal
2123 * (as opposed to "tracee received signal").
2124 * TODO: shouldn't we check for errno == EINVAL too?
2125 * We can get ESRCH instead, you know...
2127 stopped = (ptrace(PTRACE_GETSIGINFO, pid, 0, (long) &si) < 0);
2131 if (cflag != CFLAG_ONLY_STATS
2132 && (qual_flags[sig] & QUAL_SIGNAL)) {
2133 #if defined(PT_CR_IPSR) && defined(PT_CR_IIP)
2137 upeek(tcp, PT_CR_IPSR, &psr);
2138 upeek(tcp, PT_CR_IIP, &pc);
2141 pc += (psr >> PSR_RI) & 0x3;
2142 # define PC_FORMAT_STR " @ %lx"
2143 # define PC_FORMAT_ARG , pc
2145 # define PC_FORMAT_STR ""
2146 # define PC_FORMAT_ARG /* nothing */
2150 tprintf("--- %s ", signame(sig));
2151 printsiginfo(&si, verbose(tcp));
2152 tprintf(PC_FORMAT_STR " ---\n"
2155 tprintf("--- stopped by %s" PC_FORMAT_STR " ---\n",
2162 /* It's signal-delivery-stop. Inject the signal */
2163 goto restart_tracee;
2165 /* It's group-stop */
2169 * This ends ptrace-stop, but does *not* end group-stop.
2170 * This makes stopping signals work properly on straced process
2171 * (that is, process really stops. It used to continue to run).
2173 if (ptrace_restart(PTRACE_LISTEN, tcp, 0) < 0) {
2179 /* We don't have PTRACE_LISTEN support... */
2181 goto restart_tracee;
2184 /* We handled quick cases, we are permitted to interrupt now. */
2188 /* This should be syscall entry or exit.
2189 * (Or it still can be that pesky post-execve SIGTRAP!)
2192 if (trace_syscall(tcp) < 0) {
2193 /* ptrace() failed in trace_syscall().
2194 * Likely a result of process disappearing mid-flight.
2195 * Observed case: exit_group() or SIGKILL terminating
2196 * all processes in thread group.
2197 * We assume that ptrace error was caused by process death.
2198 * We used to detach(tcp) here, but since we no longer
2199 * implement "detach before death" policy/hack,
2200 * we can let this process to report its death to us
2201 * normally, via WIFEXITED or WIFSIGNALED wait status.
2205 restart_tracee_with_sig_0:
2208 if (ptrace_restart(PTRACE_SYSCALL, tcp, sig) < 0) {
2217 main(int argc, char *argv[])
2221 /* Run main tracing loop */
2227 if (shared_log != stderr)
2230 while (waitpid(popen_pid, NULL, 0) < 0 && errno == EINTR)
2233 if (exit_code > 0xff) {
2234 /* Avoid potential core file clobbering. */
2235 struct rlimit rlim = {0, 0};
2236 setrlimit(RLIMIT_CORE, &rlim);
2238 /* Child was killed by a signal, mimic that. */
2240 signal(exit_code, SIG_DFL);
2242 /* Paranoia - what if this signal is not fatal?
2243 Exit with 128 + signo then. */