• Home
Name Date Size #Lines LOC

..--

debian/03-May-2024-2,1961,503

linux/03-May-2024-35,09631,358

m4/03-May-2024-1,4631,185

tests/03-May-2024-88,18159,583

tests-m32/03-May-2024-88,18159,583

tests-mx32/03-May-2024-88,18159,583

xlat/03-May-2024-66,60059,826

.strace.1.in.dateD03-May-202411 21

.tarball-versionD03-May-20245 21

.versionD03-May-20245 21

.yearD03-May-20245 21

AUTHORSD03-May-202475 21

Android.bpD03-May-20247.3 KiB319308

COPYINGD03-May-20241.8 KiB3128

CREDITSD03-May-20249.2 KiB240236

ChangeLogD03-May-20242 MiB53,05841,360

ChangeLog-CVSD03-May-2024199.3 KiB5,6154,212

INSTALLD03-May-202412.7 KiB302238

LICENSED03-May-20241.8 KiB3128

MODULE_LICENSE_BSDD03-May-20240

Makefile.amD03-May-202431.5 KiB1,2001,090

Makefile.inD03-May-2024790.6 KiB8,5937,736

NEWSD03-May-202457.4 KiB1,2831,166

NOTICED03-May-20241.8 KiB3128

OWNERSD03-May-202415 21

READMED03-May-20241.3 KiB2923

README-linux-ptraceD03-May-202423.8 KiB543410

access.cD03-May-2024407 2720

aclocal.m4D03-May-202443.7 KiB1,2151,103

affinity.cD03-May-20243.6 KiB12369

aio.cD03-May-20246.8 KiB277200

alpha.cD03-May-20242.4 KiB8748

arch_defs.hD03-May-2024185 95

basic_filters.cD03-May-20249.9 KiB405255

bind.cD03-May-20241.9 KiB4410

bjm.cD03-May-20242.4 KiB7027

block.cD03-May-20245.7 KiB224154

bpf.cD03-May-202421.3 KiB763545

bpf_attr.hD03-May-20248.2 KiB295207

bpf_attr_check.cD03-May-202439.7 KiB709595

bpf_filter.cD03-May-20245.3 KiB202147

bpf_filter.hD03-May-20242 KiB5116

bpf_fprog.hD03-May-2024156 107

bpf_seccomp_filter.cD03-May-20242.4 KiB7234

bpf_sock_filter.cD03-May-20242.6 KiB7538

btrfs.cD03-May-202431.3 KiB1,3021,035

cacheflush.cD03-May-20243.5 KiB13576

capability.cD03-May-20244.3 KiB164105

caps0.hD03-May-2024484 3332

caps1.hD03-May-202496 76

chdir.cD03-May-202494 96

chmod.cD03-May-2024485 3426

clone.cD03-May-20245.1 KiB166111

compileD03-May-20247.2 KiB348258

config.guessD03-May-202443 KiB1,4671,274

config.hD03-May-202459.7 KiB1,830466

config.h.inD03-May-202457.7 KiB1,8291,287

config.subD03-May-202435.7 KiB1,8371,699

configureD03-May-2024505.5 KiB18,36814,643

configure.acD03-May-202424.8 KiB947861

copy_file_range.cD03-May-20242 KiB5115

count.cD03-May-20246.3 KiB211145

defs.hD03-May-202445.1 KiB1,4681,046

delay.cD03-May-20244.3 KiB155102

delay.hD03-May-20241.8 KiB399

depcompD03-May-202423 KiB792502

desc.cD03-May-20246.4 KiB265194

dirent.cD03-May-20244.5 KiB159106

dirent64.cD03-May-20243.7 KiB12779

dm.cD03-May-202414.6 KiB629459

dyxlat.cD03-May-20242.9 KiB10261

empty.hD03-May-20240 10

epoll.cD03-May-20243.4 KiB11970

error_prints.cD03-May-20243.3 KiB12982

error_prints.hD03-May-20243.2 KiB8037

evdev.cD03-May-202411 KiB451355

evdev_mpers.cD03-May-20244.1 KiB152102

eventfd.cD03-May-20242 KiB5824

execve.cD03-May-20243.9 KiB14996

f_owner_ex.hD03-May-20241.8 KiB4211

fadvise.cD03-May-20242.5 KiB6725

fallocate.cD03-May-2024413 2916

fanotify.cD03-May-20242.8 KiB8846

fchownat.cD03-May-2024259 1411

fcntl.cD03-May-20246 KiB227182

fetch_bpf_fprog.cD03-May-20242.2 KiB6529

fetch_indirect_syscall_args.cD03-May-20242.1 KiB5619

fetch_struct_flock.cD03-May-20243.2 KiB9451

fetch_struct_keyctl_kdf_params.cD03-May-2024693 3526

fetch_struct_mmsghdr.cD03-May-20242.8 KiB8937

fetch_struct_msghdr.cD03-May-20242.5 KiB8131

fetch_struct_stat.cD03-May-20243.8 KiB10768

fetch_struct_stat64.cD03-May-20243.8 KiB10566

fetch_struct_statfs.cD03-May-20244.5 KiB12480

fetch_struct_xfs_quotastat.cD03-May-20241.1 KiB3629

file_handle.cD03-May-20243.8 KiB14078

file_ioctl.cD03-May-20246.4 KiB251181

filter.hD03-May-20241.8 KiB408

filter_qualify.cD03-May-202412.5 KiB487373

flock.cD03-May-20241.9 KiB4510

flock.hD03-May-20242.1 KiB5118

fs_x_ioctl.cD03-May-20242.2 KiB6831

fstatfs.cD03-May-2024178 1311

fstatfs64.cD03-May-2024226 1311

futex.cD03-May-20244.2 KiB144107

gcc_compat.hD03-May-20244.7 KiB14196

gen_bpf_attr_check.shD03-May-20242.9 KiB7841

generate_sen.shD03-May-2024171 96

get_robust_list.cD03-May-20241.7 KiB4112

getcpu.cD03-May-2024221 1412

getcwd.cD03-May-2024225 1412

getpagesize.cD03-May-202478 75

getrandom.cD03-May-2024347 1715

hdio.cD03-May-20242.3 KiB6629

hostname.cD03-May-2024586 3931

inotify.cD03-May-20242.1 KiB6524

inotify_ioctl.cD03-May-20241.8 KiB4916

install-shD03-May-202413.7 KiB528351

io.cD03-May-20248.1 KiB332237

ioctl.cD03-May-20249.9 KiB383302

ioctl_iocdef.cD03-May-20242 KiB446

ioctl_iocdef.hD03-May-2024136 65

ioctl_iocdef.iD03-May-2024151 65

ioctl_redefs1.hD03-May-202434.9 KiB1,4451,444

ioctl_redefs2.hD03-May-202428.6 KiB1,2051,204

ioctlent0.hD03-May-2024106.9 KiB2,8832,881

ioctlent1.hD03-May-2024106.6 KiB2,8742,872

ioctlent2.hD03-May-2024106.6 KiB2,8752,873

ioctlsort.cD03-May-20244.3 KiB16699

ioperm.cD03-May-2024162 107

iopl.cD03-May-202498 96

ioprio.cD03-May-20242.7 KiB8541

ipc.cD03-May-20241.9 KiB4915

ipc_defs.hD03-May-20242 KiB5420

ipc_msg.cD03-May-20244.1 KiB13692

ipc_msgctl.cD03-May-20243.7 KiB11062

ipc_sem.cD03-May-20244 KiB13086

ipc_shm.cD03-May-20243.5 KiB11670

ipc_shmctl.cD03-May-20243.7 KiB11062

kcmp.cD03-May-20243 KiB10659

kernel_types.hD03-May-20243.1 KiB9139

kexec.cD03-May-20243.5 KiB12470

keyctl.cD03-May-20249.9 KiB430318

keyctl_kdf_params.hD03-May-2024581 2819

kvm.cD03-May-202410.5 KiB440328

largefile_wrappers.hD03-May-20242.3 KiB5925

ldt.cD03-May-20245.5 KiB207120

link.cD03-May-20242.6 KiB8137

listen.cD03-May-20241.8 KiB428

lookup_dcookie.cD03-May-20241.8 KiB5114

loop.cD03-May-20245.7 KiB202136

lseek.cD03-May-20243.5 KiB9532

m32_funcs.hD03-May-2024624 2423

m32_printer_decls.hD03-May-20245.2 KiB4846

m32_printer_defs.hD03-May-20242.9 KiB4846

m32_type_defs.hD03-May-20245.3 KiB173172

macros.hD03-May-20242.4 KiB7434

mem.cD03-May-20248.7 KiB368250

membarrier.cD03-May-20241.9 KiB5116

memfd_create.cD03-May-20242.2 KiB6527

missingD03-May-20246.7 KiB216143

mknod.cD03-May-20242.4 KiB7331

mmap_cache.cD03-May-20247.1 KiB248173

mmap_cache.hD03-May-20243 KiB9137

mmap_notify.cD03-May-20242 KiB5523

mmap_notify.hD03-May-20241.7 KiB419

mmsghdr.cD03-May-20246.5 KiB245175

mount.cD03-May-20242.9 KiB8842

mpers.amD03-May-2024670 32

mpers.awkD03-May-20247.6 KiB243212

mpers.shD03-May-20242.9 KiB7845

mpers_test.shD03-May-20243.7 KiB13499

mpers_type.hD03-May-20242.1 KiB5623

mpers_xlat.hD03-May-20244 KiB8988

mq.cD03-May-20243.1 KiB10563

msghdr.cD03-May-202412.3 KiB473378

msghdr.hD03-May-2024412 2114

mtd.cD03-May-20248.4 KiB366273

mx32_funcs.hD03-May-2024635 2423

mx32_printer_decls.hD03-May-20245.3 KiB4846

mx32_printer_defs.hD03-May-20243 KiB4846

mx32_type_defs.hD03-May-20245.4 KiB173172

native_defs.hD03-May-2024115 53

native_printer_decls.hD03-May-20245 KiB4846

native_printer_defs.hD03-May-20242.7 KiB4846

nbd_ioctl.cD03-May-20242.3 KiB7439

negated_errno.hD03-May-20242 KiB5215

net.cD03-May-202425.3 KiB1,099903

netlink.cD03-May-202417.5 KiB688548

netlink.hD03-May-20242.5 KiB7637

netlink_crypto.cD03-May-20246.9 KiB245188

netlink_inet_diag.cD03-May-202411.8 KiB431352

netlink_kobject_uevent.cD03-May-20242.6 KiB6633

netlink_kobject_uevent.hD03-May-2024502 1814

netlink_netfilter.cD03-May-20243.5 KiB10257

netlink_netlink_diag.cD03-May-20245.7 KiB192140

netlink_packet_diag.cD03-May-20246.5 KiB218158

netlink_route.cD03-May-20245 KiB14896

netlink_route.hD03-May-20242.7 KiB5824

netlink_selinux.cD03-May-20242.4 KiB7036

netlink_smc_diag.cD03-May-20247.7 KiB264194

netlink_sock_diag.cD03-May-20243.2 KiB9555

netlink_sock_diag.hD03-May-20242.8 KiB6528

netlink_unix_diag.cD03-May-20245.1 KiB178126

nlattr.cD03-May-202411.7 KiB495392

nlattr.hD03-May-20243.4 KiB11363

nsfs.cD03-May-20242.2 KiB6129

nsfs.hD03-May-2024409 2217

nsig.hD03-May-2024238 1611

numa.cD03-May-20244.9 KiB182126

number_set.cD03-May-20244 KiB14499

number_set.hD03-May-20242.4 KiB6726

oldstat.cD03-May-20243 KiB8646

open.cD03-May-20244.1 KiB15591

or1k_atomic.cD03-May-20242.5 KiB7940

pathtrace.cD03-May-20248.9 KiB383248

perf.cD03-May-202411.8 KiB429267

perf_event_struct.hD03-May-20241.6 KiB8170

perf_ioctl.cD03-May-20243.9 KiB15485

personality.cD03-May-20242.3 KiB6632

pkeys.cD03-May-2024282 1913

poll.cD03-May-20244.8 KiB183127

prctl.cD03-May-202410.6 KiB462356

print_aio_sigset.cD03-May-20242 KiB5420

print_dev_t.cD03-May-20241.6 KiB387

print_fields.hD03-May-20249 KiB266191

print_group_req.cD03-May-20242.1 KiB5922

print_ifindex.cD03-May-20242.6 KiB8542

print_mac.cD03-May-20241.9 KiB5620

print_mq_attr.cD03-May-20242.6 KiB6934

print_msgbuf.cD03-May-20242.3 KiB5416

print_sg_req_info.cD03-May-20242.3 KiB7533

print_sigevent.cD03-May-20242.7 KiB8144

print_statfs.cD03-May-20244.2 KiB12891

print_struct_stat.cD03-May-20243.1 KiB8848

print_time.cD03-May-20241.9 KiB5519

print_timespec.cD03-May-20244.3 KiB174117

print_timeval.cD03-May-20245 KiB213146

print_timex.cD03-May-20243 KiB7435

printers.hD03-May-20247.9 KiB14496

printmode.cD03-May-20242.6 KiB7432

printrusage.cD03-May-20244.4 KiB13190

printsiginfo.cD03-May-20247.3 KiB282205

printsiginfo.hD03-May-2024143 74

process.cD03-May-20247.9 KiB310236

process_vm.cD03-May-20242.9 KiB7831

ptp.cD03-May-20244 KiB14996

ptrace.hD03-May-20245.5 KiB187134

quota.cD03-May-202411.8 KiB440356

readahead.cD03-May-2024189 139

readlink.cD03-May-20242.6 KiB7126

reboot.cD03-May-2024751 2920

regs.hD03-May-2024119 85

renameat.cD03-May-2024482 3124

resource.cD03-May-20244.8 KiB195128

retval.cD03-May-20242.4 KiB7134

retval.hD03-May-2024205 95

riscv.cD03-May-20241.9 KiB5414

rt_sigframe.cD03-May-20241.7 KiB387

rt_sigreturn.cD03-May-20242 KiB5520

rtc.cD03-May-20244.2 KiB156112

rtnl_addr.cD03-May-20244.2 KiB14094

rtnl_addrlabel.cD03-May-20243.1 KiB9552

rtnl_dcb.cD03-May-20242.5 KiB7435

rtnl_link.cD03-May-202426.3 KiB929779

rtnl_mdb.cD03-May-20246.7 KiB237173

rtnl_neigh.cD03-May-20244.2 KiB13894

rtnl_neightbl.cD03-May-20245.6 KiB178132

rtnl_netconf.cD03-May-20242.6 KiB7233

rtnl_nsid.cD03-May-20242.3 KiB6226

rtnl_route.cD03-May-20249.2 KiB333266

rtnl_rule.cD03-May-20245.1 KiB173121

rtnl_tc.cD03-May-20248.6 KiB333263

rtnl_tc_action.cD03-May-20242.5 KiB6529

s390.cD03-May-202437.9 KiB1,263791

sched.cD03-May-20245.1 KiB196130

sched_attr.hD03-May-2024356 2015

scno.amD03-May-20242.2 KiB4640

scno.hD03-May-202424.2 KiB1,0131,011

scno.headD03-May-2024185 76

scsi.cD03-May-20244.4 KiB184128

seccomp.cD03-May-20242.3 KiB7136

sen.hD03-May-20246.3 KiB436435

sendfile.cD03-May-20242.4 KiB7542

sg_io_v3.cD03-May-20245.7 KiB184124

sg_io_v4.cD03-May-20245.5 KiB167116

shutdown.cD03-May-20241.9 KiB4510

sigaltstack.cD03-May-20242.4 KiB6927

sigevent.hD03-May-20241.8 KiB4818

signal.cD03-May-202417.2 KiB691492

signalfd.cD03-May-20242.1 KiB6227

sigreturn.cD03-May-2024279 1813

sock.cD03-May-202412 KiB460336

sockaddr.cD03-May-202416.8 KiB665509

socketcall.cD03-May-20241.7 KiB409

socketutils.cD03-May-202417.7 KiB702571

sparc.cD03-May-20241.8 KiB4712

sram_alloc.cD03-May-2024289 2011

stat.cD03-May-20242.3 KiB7642

stat.hD03-May-20242 KiB5322

stat64.cD03-May-20242.3 KiB7642

statfs.cD03-May-2024179 1311

statfs.hD03-May-20241.9 KiB4616

statfs64.cD03-May-2024227 1311

static_assert.hD03-May-20241.9 KiB5012

statx.cD03-May-20243.5 KiB11672

statx.hD03-May-20242.8 KiB7132

strace-graphD03-May-20248.9 KiB362267

strace-log-mergeD03-May-20242.6 KiB7434

strace-log-merge.1D03-May-20244.5 KiB147108

strace-log-merge.1.inD03-May-20244.5 KiB147108

strace.1D03-May-202433.8 KiB1,1861,134

strace.1.inD03-May-202433.9 KiB1,1861,134

strace.cD03-May-202465.9 KiB2,7391,912

strace.specD03-May-202421.6 KiB592443

strace.spec.inD03-May-202421.6 KiB592449

string_to_uint.cD03-May-20242.1 KiB6427

string_to_uint.hD03-May-20242.3 KiB7033

swapon.cD03-May-2024408 2418

sync_file_range.cD03-May-20241.9 KiB4613

sync_file_range2.cD03-May-20241.9 KiB4714

sys_func.hD03-May-20248.9 KiB324323

syscall.cD03-May-202430.9 KiB1,287962

sysctl.cD03-May-20245.1 KiB194150

sysent.hD03-May-20241.7 KiB3430

sysent_shorthand_defs.hD03-May-2024955 5044

sysent_shorthand_undefs.hD03-May-2024214 2120

sysinfo.cD03-May-20243 KiB8242

syslog.cD03-May-20242.4 KiB8041

sysmips.cD03-May-20242.6 KiB8142

term.cD03-May-20247 KiB297230

test-driverD03-May-20244.2 KiB14084

time.cD03-May-20247.7 KiB358278

times.cD03-May-20242.4 KiB5618

trace_event.hD03-May-20242.9 KiB9215

truncate.cD03-May-2024478 3425

ubi.cD03-May-20244.9 KiB198137

ucopy.cD03-May-20248.8 KiB329216

uid.cD03-May-20244.8 KiB205138

uid16.cD03-May-202444 32

umask.cD03-May-2024114 96

umount.cD03-May-2024196 129

uname.cD03-May-20242.3 KiB6225

unwind-libdw.cD03-May-20245.5 KiB212144

unwind-libunwind.cD03-May-20244.9 KiB191127

unwind.cD03-May-20247.3 KiB322235

unwind.hD03-May-20242.5 KiB7124

upeek.cD03-May-20242.3 KiB5518

upoke.cD03-May-20241.8 KiB4313

userfaultfd.cD03-May-20245 KiB202134

ustat.cD03-May-20242.1 KiB5725

util.cD03-May-202429.6 KiB1,265931

utime.cD03-May-2024492 2719

utimes.cD03-May-20242.6 KiB7835

v4l2.cD03-May-202427.5 KiB1,102908

wait.cD03-May-20245.2 KiB191123

xattr.cD03-May-20243.8 KiB152108

xfs_quota_stat.hD03-May-2024870 2320

xlat.cD03-May-202413.5 KiB518335

xlat.hD03-May-20241.5 KiB5632

xmalloc.cD03-May-20243.2 KiB15289

xmalloc.hD03-May-20243.4 KiB7515

xstring.hD03-May-20243.1 KiB10750

README

1This is strace - a diagnostic, debugging and instructional userspace utility
2with a traditional command-line interface for Linux.  It is used to monitor
3and tamper with interactions between processes and the Linux kernel, which
4include system calls, signal deliveries, and changes of process state.
5The operation of strace is made possible by the kernel feature known as ptrace.
6
7strace is released under a Berkeley-style license at the request
8of Paul Kranenburg; see the file COPYING for details.
9
10See the file CREDITS for a list of authors and other contributors.
11See the file INSTALL for compilation and installation instructions.
12See the file NEWS for information on what has changed in recent versions.
13
14The project's homepage is at
15	https://strace.io
16
17strace has a mailing list:
18	strace-devel@lists.strace.io
19
20System requirements:
21	* Linux kernel >= 2.6.18 is recommended.  Older versions might still work
22	  but they haven't been thoroughly tested with this release.
23	* Linux kernel >= 2.5.46 is required.
24	  Older versions without a decent PTRACE_SETOPTIONS support will not work.
25	* On mips, Linux kernel >= 2.6.15 is required.
26	  Older versions without a decent PTRACE_GETREGS support will not work.
27	* On s390 and s390x, Linux kernel >= 2.6.27 is required.
28	  Older versions without a decent PTRACE_GETREGSET support will not work.
29

README-linux-ptrace

1This document describes Linux ptrace implementation in Linux kernels
2version 3.0.0. (Update this notice if you update the document
3to reflect newer kernels).
4
5
6		Ptrace userspace API.
7
8Ptrace API (ab)uses standard Unix parent/child signaling over waitpid.
9An unfortunate effect of it is that resulting API is complex and has
10subtle quirks. This document aims to describe these quirks.
11
12Debugged processes (tracees) first need to be attached to the debugging
13process (tracer). Attachment and subsequent commands are per-thread: in
14multi-threaded process, every thread can be individually attached to a
15(potentially different) tracer, or left not attached and thus not
16debugged. Therefore, "tracee" always means "(one) thread", never "a
17(possibly multi-threaded) process". Ptrace commands are always sent to
18a specific tracee using ptrace(PTRACE_foo, pid, ...), where pid is a
19TID of the corresponding Linux thread.
20
21After attachment, each tracee can be in two states: running or stopped.
22
23There are many kinds of states when tracee is stopped, and in ptrace
24discussions they are often conflated. Therefore, it is important to use
25precise terms.
26
27In this document, any stopped state in which tracee is ready to accept
28ptrace commands from the tracer is called ptrace-stop. Ptrace-stops can
29be further subdivided into signal-delivery-stop, group-stop,
30syscall-stop and so on. They are described in detail later.
31
32
33	1.x Death under ptrace.
34
35When a (possibly multi-threaded) process receives a killing signal (a
36signal set to SIG_DFL and whose default action is to kill the process),
37all threads exit. Tracees report their death to the tracer(s). This is
38not a ptrace-stop (because tracer can't query tracee status such as
39register contents, cannot restart tracee etc) but the notification
40about this event is delivered through waitpid API similarly to
41ptrace-stop.
42
43Note that killing signal will first cause signal-delivery-stop (on one
44tracee only), and only after it is injected by tracer (or after it was
45dispatched to a thread which isn't traced), death from signal will
46happen on ALL tracees within multi-threaded process.
47
48SIGKILL operates similarly, with exceptions. No signal-delivery-stop is
49generated for SIGKILL and therefore tracer can't suppress it. SIGKILL
50kills even within syscalls (syscall-exit-stop is not generated prior to
51death by SIGKILL). The net effect is that SIGKILL always kills the
52process (all its threads), even if some threads of the process are
53ptraced.
54
55Tracer can kill a tracee with ptrace(PTRACE_KILL, pid, 0, 0). This
56operation is deprecated, use kill/tgkill(SIGKILL) instead.
57
58^^^ Oleg prefers to deprecate it instead of describing (and needing to
59support) PTRACE_KILL's quirks.
60
61When tracee executes exit syscall, it reports its death to its tracer.
62Other threads are not affected.
63
64When any thread executes exit_group syscall, every tracee in its thread
65group reports its death to its tracer.
66
67If PTRACE_O_TRACEEXIT option is on, PTRACE_EVENT_EXIT will happen
68before actual death. This applies to exits on exit syscall, group_exit
69syscall, signal deaths (except SIGKILL), and when threads are torn down
70on execve in multi-threaded process.
71
72Tracer cannot assume that ptrace-stopped tracee exists. There are many
73scenarios when tracee may die while stopped (such as SIGKILL).
74Therefore, tracer must always be prepared to handle ESRCH error on any
75ptrace operation. Unfortunately, the same error is returned if tracee
76exists but is not ptrace-stopped (for commands which require stopped
77tracee), or if it is not traced by process which issued ptrace call.
78Tracer needs to keep track of stopped/running state, and interpret
79ESRCH as "tracee died unexpectedly" only if it knows that tracee has
80been observed to enter ptrace-stop. Note that there is no guarantee
81that waitpid(WNOHANG) will reliably report tracee's death status if
82ptrace operation returned ESRCH. waitpid(WNOHANG) may return 0 instead.
83IOW: tracee may be "not yet fully dead" but already refusing ptrace ops.
84
85Tracer can not assume that tracee ALWAYS ends its life by reporting
86WIFEXITED(status) or WIFSIGNALED(status).
87
88??? or can it? Do we include such a promise into ptrace API?
89
90
91	1.x Stopped states.
92
93When running tracee enters ptrace-stop, it notifies its tracer using
94waitpid API. Tracer should use waitpid family of syscalls to wait for
95tracee to stop. Most of this document assumes that tracer waits with:
96
97	pid = waitpid(pid_or_minus_1, &status, __WALL);
98
99Ptrace-stopped tracees are reported as returns with pid > 0 and
100WIFSTOPPED(status) == true.
101
102??? Do we require __WALL usage, or will just using 0 be ok? Are the
103rules different if user wants to use waitid? Will waitid require
104WEXITED?
105
106__WALL value does not include WSTOPPED and WEXITED bits, but implies
107their functionality.
108
109Setting of WCONTINUED bit in waitpid flags is not recommended: the
110continued state is per-process and consuming it can confuse real parent
111of the tracee.
112
113Use of WNOHANG bit in waitpid flags may cause waitpid return 0 ("no
114wait results available yet") even if tracer knows there should be a
115notification. Example: kill(tracee, SIGKILL); waitpid(tracee, &status,
116__WALL | WNOHANG);
117
118??? waitid usage? WNOWAIT?
119
120??? describe how wait notifications queue (or not queue)
121
122The following kinds of ptrace-stops exist: signal-delivery-stops,
123group-stop, PTRACE_EVENT stops, syscall-stops [, SINGLESTEP, SYSEMU,
124SYSEMU_SINGLESTEP]. They all are reported as waitpid result with
125WIFSTOPPED(status) == true. They may be differentiated by checking
126(status >> 8) value, and if looking at (status >> 8) value doesn't
127resolve ambiguity, by querying PTRACE_GETSIGINFO. (Note:
128WSTOPSIG(status) macro returns ((status >> 8) & 0xff) value).
129
130
131	1.x.x Signal-delivery-stop
132
133When (possibly multi-threaded) process receives any signal except
134SIGKILL, kernel selects a thread which handles the signal (if signal is
135generated with t[g]kill, thread selection is done by user). If selected
136thread is traced, it enters signal-delivery-stop. By this point, signal
137is not yet delivered to the process, and can be suppressed by tracer.
138If tracer doesn't suppress the signal, it passes signal to tracee in
139the next ptrace request. This second step of signal delivery is called
140"signal injection" in this document. Note that if signal is blocked,
141signal-delivery-stop doesn't happen until signal is unblocked, with the
142usual exception that SIGSTOP can't be blocked.
143
144Signal-delivery-stop is observed by tracer as waitpid returning with
145WIFSTOPPED(status) == true, WSTOPSIG(status) == signal. If
146WSTOPSIG(status) == SIGTRAP, this may be a different kind of
147ptrace-stop - see "Syscall-stops" and "execve" sections below for
148details. If WSTOPSIG(status) == stopping signal, this may be a
149group-stop - see below.
150
151
152	1.x.x Signal injection and suppression.
153
154After signal-delivery-stop is observed by tracer, tracer should restart
155tracee with
156
157	ptrace(PTRACE_rest, pid, 0, sig)
158
159call, where PTRACE_rest is one of the restarting ptrace ops. If sig is
1600, then signal is not delivered. Otherwise, signal sig is delivered.
161This operation is called "signal injection" in this document, to
162distinguish it from signal-delivery-stop.
163
164Note that sig value may be different from WSTOPSIG(status) value -
165tracer can cause a different signal to be injected.
166
167Note that suppressed signal still causes syscalls to return
168prematurely. Kernel should always restart the syscall in this case:
169tracer would observe a new syscall-enter-stop for the same syscall,
170or, in case of syscalls returning ERESTART_RESTARTBLOCK,
171tracer would observe a syscall-enter-stop for restart_syscall(2)
172syscall. There may still be bugs in this area which cause some syscalls
173to instead return with -EINTR even though no observable signal
174was injected to the tracee.
175
176This is a cause of confusion among ptrace users. One typical scenario
177is that tracer observes group-stop, mistakes it for
178signal-delivery-stop, restarts tracee with ptrace(PTRACE_rest, pid, 0,
179stopsig) with the intention of injecting stopsig, but stopsig gets
180ignored and tracee continues to run.
181
182SIGCONT signal has a side effect of waking up (all threads of)
183group-stopped process. This side effect happens before
184signal-delivery-stop. Tracer can't suppress this side-effect (it can
185only suppress signal injection, which only causes SIGCONT handler to
186not be executed in the tracee, if such handler is installed). In fact,
187waking up from group-stop may be followed by signal-delivery-stop for
188signal(s) *other than* SIGCONT, if they were pending when SIGCONT was
189delivered. IOW: SIGCONT may be not the first signal observed by the
190tracee after it was sent.
191
192Stopping signals cause (all threads of) process to enter group-stop.
193This side effect happens after signal injection, and therefore can be
194suppressed by tracer.
195
196PTRACE_GETSIGINFO can be used to retrieve siginfo_t structure which
197corresponds to delivered signal. PTRACE_SETSIGINFO may be used to
198modify it. If PTRACE_SETSIGINFO has been used to alter siginfo_t,
199si_signo field and sig parameter in restarting command must match,
200otherwise the result is undefined.
201
202
203	1.x.x Group-stop
204
205When a (possibly multi-threaded) process receives a stopping signal,
206all threads stop. If some threads are traced, they enter a group-stop.
207Note that stopping signal will first cause signal-delivery-stop (on one
208tracee only), and only after it is injected by tracer (or after it was
209dispatched to a thread which isn't traced), group-stop will be
210initiated on ALL tracees within multi-threaded process. As usual, every
211tracee reports its group-stop separately to corresponding tracer.
212
213Group-stop is observed by tracer as waitpid returning with
214WIFSTOPPED(status) == true, WSTOPSIG(status) == signal. The same result
215is returned by some other classes of ptrace-stops, therefore the
216recommended practice is to perform
217
218	ptrace(PTRACE_GETSIGINFO, pid, 0, &siginfo)
219
220call. The call can be avoided if signal number is not SIGSTOP, SIGTSTP,
221SIGTTIN or SIGTTOU - only these four signals are stopping signals. If
222tracer sees something else, it can't be group-stop. Otherwise, tracer
223needs to call PTRACE_GETSIGINFO. If PTRACE_GETSIGINFO fails with
224EINVAL, then it is definitely a group-stop. (Other failure codes are
225possible, such as ESRCH "no such process" if SIGKILL killed the tracee).
226
227As of kernel 2.6.38, after tracer sees tracee ptrace-stop and until it
228restarts or kills it, tracee will not run, and will not send
229notifications (except SIGKILL death) to tracer, even if tracer enters
230into another waitpid call.
231
232Currently, it causes a problem with transparent handling of stopping
233signals: if tracer restarts tracee after group-stop, SIGSTOP is
234effectively ignored: tracee doesn't remain stopped, it runs. If tracer
235doesn't restart tracee before entering into next waitpid, future
236SIGCONT will not be reported to the tracer. Which would make SIGCONT to
237have no effect.
238
239
240	1.x.x PTRACE_EVENT stops
241
242If tracer sets TRACE_O_TRACEfoo options, tracee will enter ptrace-stops
243called PTRACE_EVENT stops.
244
245PTRACE_EVENT stops are observed by tracer as waitpid returning with
246WIFSTOPPED(status) == true, WSTOPSIG(status) == SIGTRAP. Additional bit
247is set in a higher byte of status word: value ((status >> 8) & 0xffff)
248will be (SIGTRAP | PTRACE_EVENT_foo << 8). The following events exist:
249
250PTRACE_EVENT_VFORK - stop before return from vfork/clone+CLONE_VFORK.
251When tracee is continued after this, it will wait for child to
252exit/exec before continuing its execution (IOW: usual behavior on
253vfork).
254
255PTRACE_EVENT_FORK - stop before return from fork/clone+SIGCHLD
256
257PTRACE_EVENT_CLONE - stop before return from clone
258
259PTRACE_EVENT_VFORK_DONE - stop before return from
260vfork/clone+CLONE_VFORK, but after vfork child unblocked this tracee by
261exiting or exec'ing.
262
263For all four stops described above: stop occurs in parent, not in newly
264created thread. PTRACE_GETEVENTMSG can be used to retrieve new thread's
265tid.
266
267PTRACE_EVENT_EXEC - stop before return from exec.
268
269PTRACE_EVENT_EXIT - stop before exit (including death from exit_group),
270signal death, or exit caused by execve in multi-threaded process.
271PTRACE_GETEVENTMSG returns exit status. Registers can be examined
272(unlike when "real" exit happens). The tracee is still alive, it needs
273to be PTRACE_CONTed or PTRACE_DETACHed to finish exit.
274
275PTRACE_GETSIGINFO on PTRACE_EVENT stops returns si_signo = SIGTRAP,
276si_code = (event << 8) | SIGTRAP.
277
278
279	1.x.x Syscall-stops
280
281If tracee was restarted by PTRACE_SYSCALL, tracee enters
282syscall-enter-stop just prior to entering any syscall. If tracer
283restarts it with PTRACE_SYSCALL, tracee enters syscall-exit-stop when
284syscall is finished, or if it is interrupted by a signal. (That is,
285signal-delivery-stop never happens between syscall-enter-stop and
286syscall-exit-stop, it happens *after* syscall-exit-stop).
287
288Other possibilities are that tracee may stop in a PTRACE_EVENT stop,
289exit (if it entered exit or exit_group syscall), be killed by SIGKILL,
290or die silently (if execve syscall happened in another thread).
291
292Syscall-enter-stop and syscall-exit-stop are observed by tracer as
293waitpid returning with WIFSTOPPED(status) == true, WSTOPSIG(status) ==
294SIGTRAP. If PTRACE_O_TRACESYSGOOD option was set by tracer, then
295WSTOPSIG(status) == (SIGTRAP | 0x80).
296
297Syscall-stops can be distinguished from signal-delivery-stop with
298SIGTRAP by querying PTRACE_GETSIGINFO: si_code <= 0 if sent by usual
299suspects like [tg]kill/sigqueue/etc; or = SI_KERNEL (0x80) if sent by
300kernel, whereas syscall-stops have si_code = SIGTRAP or (SIGTRAP |
3010x80). However, syscall-stops happen very often (twice per syscall),
302and performing PTRACE_GETSIGINFO for every syscall-stop may be somewhat
303expensive.
304
305Some architectures allow to distinguish them by examining registers.
306For example, on x86 rax = -ENOSYS in syscall-enter-stop. Since SIGTRAP
307(like any other signal) always happens *after* syscall-exit-stop, and
308at this point rax almost never contains -ENOSYS, SIGTRAP looks like
309"syscall-stop which is not syscall-enter-stop", IOW: it looks like a
310"stray syscall-exit-stop" and can be detected this way. But such
311detection is fragile and is best avoided.
312
313Using PTRACE_O_TRACESYSGOOD option is a recommended method, since it is
314reliable and does not incur performance penalty.
315
316Syscall-enter-stop and syscall-exit-stop are indistinguishable from
317each other by tracer. Tracer needs to keep track of the sequence of
318ptrace-stops in order to not misinterpret syscall-enter-stop as
319syscall-exit-stop or vice versa. The rule is that syscall-enter-stop is
320always followed by syscall-exit-stop, PTRACE_EVENT stop or tracee's
321death - no other kinds of ptrace-stop can occur in between.
322
323If after syscall-enter-stop tracer uses restarting command other than
324PTRACE_SYSCALL, syscall-exit-stop is not generated.
325
326PTRACE_GETSIGINFO on syscall-stops returns si_signo = SIGTRAP, si_code
327= SIGTRAP or (SIGTRAP | 0x80).
328
329
330	1.x.x SINGLESTEP, SYSEMU, SYSEMU_SINGLESTEP
331
332??? document PTRACE_SINGLESTEP, PTRACE_SYSEMU, PTRACE_SYSEMU_SINGLESTEP
333
334
335	1.x Informational and restarting ptrace commands.
336
337Most ptrace commands (all except ATTACH, TRACEME, KILL) require tracee
338to be in ptrace-stop, otherwise they fail with ESRCH.
339
340When tracee is in ptrace-stop, tracer can read and write data to tracee
341using informational commands. They leave tracee in ptrace-stopped state:
342
343longv = ptrace(PTRACE_PEEKTEXT/PEEKDATA/PEEKUSER, pid, addr, 0);
344	ptrace(PTRACE_POKETEXT/POKEDATA/POKEUSER, pid, addr, long_val);
345	ptrace(PTRACE_GETREGS/GETFPREGS, pid, 0, &struct);
346	ptrace(PTRACE_SETREGS/SETFPREGS, pid, 0, &struct);
347	ptrace(PTRACE_GETSIGINFO, pid, 0, &siginfo);
348	ptrace(PTRACE_SETSIGINFO, pid, 0, &siginfo);
349	ptrace(PTRACE_GETEVENTMSG, pid, 0, &long_var);
350	ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags);
351
352Note that some errors are not reported. For example, setting siginfo
353may have no effect in some ptrace-stops, yet the call may succeed
354(return 0 and don't set errno).
355
356ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags) affects one tracee.
357Current flags are replaced. Flags are inherited by new tracees created
358and "auto-attached" via active PTRACE_O_TRACE[V]FORK or
359PTRACE_O_TRACECLONE options.
360
361Another group of commands makes ptrace-stopped tracee run. They have
362the form:
363
364	ptrace(PTRACE_cmd, pid, 0, sig);
365
366where cmd is CONT, DETACH, SYSCALL, SINGLESTEP, SYSEMU, or
367SYSEMU_SINGLESTEP. If tracee is in signal-delivery-stop, sig is the
368signal to be injected. Otherwise, sig may be ignored.
369
370
371	1.x Attaching and detaching
372
373A thread can be attached to tracer using ptrace(PTRACE_ATTACH, pid, 0,
3740) call. This also sends SIGSTOP to this thread. If tracer wants this
375SIGSTOP to have no effect, it needs to suppress it. Note that if other
376signals are concurrently sent to this thread during attach, tracer may
377see tracee enter signal-delivery-stop with other signal(s) first! The
378usual practice is to reinject these signals until SIGSTOP is seen, then
379suppress SIGSTOP injection. The design bug here is that attach and
380concurrent SIGSTOP are racing and SIGSTOP may be lost.
381
382??? Describe how to attach to a thread which is already group-stopped.
383
384Since attaching sends SIGSTOP and tracer usually suppresses it, this
385may cause stray EINTR return from the currently executing syscall in
386the tracee, as described in "signal injection and suppression" section.
387
388ptrace(PTRACE_TRACEME, 0, 0, 0) request turns current thread into a
389tracee. It continues to run (doesn't enter ptrace-stop). A common
390practice is to follow ptrace(PTRACE_TRACEME) with raise(SIGSTOP) and
391allow parent (which is our tracer now) to observe our
392signal-delivery-stop.
393
394If PTRACE_O_TRACE[V]FORK or PTRACE_O_TRACECLONE options are in effect,
395then children created by (vfork or clone(CLONE_VFORK)), (fork or
396clone(SIGCHLD)) and (other kinds of clone) respectively are
397automatically attached to the same tracer which traced their parent.
398SIGSTOP is delivered to them, causing them to enter
399signal-delivery-stop after they exit syscall which created them.
400
401Detaching of tracee is performed by ptrace(PTRACE_DETACH, pid, 0, sig).
402PTRACE_DETACH is a restarting operation, therefore it requires tracee
403to be in ptrace-stop. If tracee is in signal-delivery-stop, signal can
404be injected. Othervice, sig parameter may be silently ignored.
405
406If tracee is running when tracer wants to detach it, the usual solution
407is to send SIGSTOP (using tgkill, to make sure it goes to the correct
408thread), wait for tracee to stop in signal-delivery-stop for SIGSTOP
409and then detach it (suppressing SIGSTOP injection). Design bug is that
410this can race with concurrent SIGSTOPs. Another complication is that
411tracee may enter other ptrace-stops and needs to be restarted and
412waited for again, until SIGSTOP is seen. Yet another complication is to
413be sure that tracee is not already ptrace-stopped, because no signal
414delivery happens while it is - not even SIGSTOP.
415
416??? Describe how to detach from a group-stopped tracee so that it
417    doesn't run, but continues to wait for SIGCONT.
418
419If tracer dies, all tracees are automatically detached and restarted,
420unless they were in group-stop. Handling of restart from group-stop is
421currently buggy, but "as planned" behavior is to leave tracee stopped
422and waiting for SIGCONT. If tracee is restarted from
423signal-delivery-stop, pending signal is injected.
424
425
426	1.x execve under ptrace.
427
428During execve, kernel destroys all other threads in the process, and
429resets execve'ing thread tid to tgid (process id). This looks very
430confusing to tracers:
431
432All other threads stop in PTRACE_EXIT stop, if requested by active
433ptrace option. Then all other threads except thread group leader report
434death as if they exited via exit syscall with exit code 0. Then
435PTRACE_EVENT_EXEC stop happens, if requested by active ptrace option
436(on which tracee - leader? execve-ing one?).
437
438The execve-ing tracee changes its pid while it is in execve syscall.
439(Remember, under ptrace 'pid' returned from waitpid, or fed into ptrace
440calls, is tracee's tid). That is, pid is reset to process id, which
441coincides with thread group leader tid.
442
443If thread group leader has reported its death by this time, for tracer
444this looks like dead thread leader "reappears from nowhere". If thread
445group leader was still alive, for tracer this may look as if thread
446group leader returns from a different syscall than it entered, or even
447"returned from syscall even though it was not in any syscall". If
448thread group leader was not traced (or was traced by a different
449tracer), during execve it will appear as if it has become a tracee of
450the tracer of execve'ing tracee. All these effects are the artifacts of
451pid change.
452
453PTRACE_O_TRACEEXEC option is the recommended tool for dealing with this
454case. It enables PTRACE_EVENT_EXEC stop which occurs before execve
455syscall return.
456
457Pid change happens before PTRACE_EVENT_EXEC stop, not after.
458
459When tracer receives PTRACE_EVENT_EXEC stop notification, it is
460guaranteed that except this tracee and thread group leader, no other
461threads from the process are alive.
462
463On receiving this notification, tracer should clean up all its internal
464data structures about all threads of this process, and retain only one
465data structure, one which describes single still running tracee, with
466pid = tgid = process id.
467
468Currently, there is no way to retrieve former pid of execve-ing tracee.
469If tracer doesn't keep track of its tracees' thread group relations, it
470may be unable to know which tracee  execve-ed and therefore no longer
471exists under old pid due to pid change.
472
473Example: two threads execve at the same time:
474
475  ** we get syscall-entry-stop in thread 1: **
476 PID1 execve("/bin/foo", "foo" <unfinished ...>
477  ** we issue PTRACE_SYSCALL for thread 1 **
478  ** we get syscall-entry-stop in thread 2: **
479 PID2 execve("/bin/bar", "bar" <unfinished ...>
480  ** we issue PTRACE_SYSCALL for thread 2 **
481  ** we get PTRACE_EVENT_EXEC for PID0, we issue PTRACE_SYSCALL **
482  ** we get syscall-exit-stop for PID0: **
483 PID0 <... execve resumed> )             = 0
484
485In this situation there is no way to know which execve succeeded.
486
487If PTRACE_O_TRACEEXEC option is NOT in effect for the execve'ing
488tracee, kernel delivers an extra SIGTRAP to tracee after execve syscall
489returns. This is an ordinary signal (similar to one which can be
490generated by "kill -TRAP"), not a special kind of ptrace-stop.
491GETSIGINFO on it has si_code = 0 (SI_USER). It can be blocked by signal
492mask, and thus can happen (much) later.
493
494Usually, tracer (for example, strace) would not want to show this extra
495post-execve SIGTRAP signal to the user, and would suppress its delivery
496to the tracee (if SIGTRAP is set to SIG_DFL, it is a killing signal).
497However, determining *which* SIGTRAP to suppress is not easy. Setting
498PTRACE_O_TRACEEXEC option and thus suppressing this extra SIGTRAP is
499the recommended approach.
500
501
502	1.x Real parent
503
504Ptrace API (ab)uses standard Unix parent/child signaling over waitpid.
505This used to cause real parent of the process to stop receiving several
506kinds of waitpid notifications when child process is traced by some
507other process.
508
509Many of these bugs have been fixed, but as of 2.6.38 several still
510exist.
511
512As of 2.6.38, the following is believed to work correctly:
513
514- exit/death by signal is reported first to tracer, then, when tracer
515consumes waitpid result, to real parent (to real parent only when the
516whole multi-threaded process exits). If they are the same process, the
517report is sent only once.
518
519
520	1.x Known bugs
521
522Following bugs still exist:
523
524Group-stop notifications are sent to tracer, but not to real parent.
525Last confirmed on 2.6.38.6.
526
527If thread group leader is traced and exits by calling exit syscall,
528PTRACE_EVENT_EXIT stop will happen for it (if requested), but subsequent
529WIFEXITED notification will not be delivered until all other threads
530exit. As explained above, if one of other threads execve's, thread
531group leader death will *never* be reported. If execve-ed thread is not
532traced by this tracer, tracer will never know that execve happened.
533
534??? need to test this scenario
535
536One possible workaround is to detach thread group leader instead of
537restarting it in this case. Last confirmed on 2.6.38.6.
538
539SIGKILL signal may still cause PTRACE_EVENT_EXIT stop before actual
540signal death. This may be changed in the future - SIGKILL is meant to
541always immediately kill tasks even under ptrace. Last confirmed on
5422.6.38.6.
543