12

Is there an equivalent of what the -T and -U option of the truss Solaris utility does on Linux.

Those are to specify a system call (-T) or library function (-U) which when called by the traced application would cause it to stop.

Or, said otherwise, I'd want any process started by a traced application to be stopped (as if killed by SIGSTOP) as soon as it makes a given system call or a given shared library function call.

strace and ltrace on Linux provide with much of the featureset of Solaris truss, but they don't seem to be doing that.

For instance:

truss -f -T open cmd

Would be like strace -f cmd except that if the process executing cmd or any of its descendants does any open system call, it would be stopped immediately (and I can resume it later on at my convenience)

In some cases, I could use gdb's catch syscall, but I was looking for a solution that can conveniently follow forks and continue doing it for all the forked processes and keep on doing it even after execves.

I seem to recall some utility giving the same functionality, even one (or options to that same utility) to single-step applications between some occurrences of some syscall remotely like that, but my memory is failing me, I can't even be sure that was on Linux.

Stéphane Chazelas
  • 522,931
  • 91
  • 1,010
  • 1,501
  • 1
    Not really an answer to your question but gdb does have some options for following forks, it just doesn't key off an execve. It still only does one process at a time, though, which is probably a deal breaker if you're looking for strace-like functionality, but I thought I'd mention it just in case. – Bratchley Jun 21 '13 at 12:13
  • @JoelDavis, thanks. And it seems it can also follow after exec, (`follow-exec-mode`), I'm experimenting with that. Doesn't strictly answer the question, but may be good enough for what I need. – Stéphane Chazelas Jun 21 '13 at 12:40
  • If I understand your question you're looking for a way to trace until a specific signal is seen and then stop tracing, not halt or kill the application you're tracing in any way, right? – slm Jun 21 '13 at 14:03
  • @slm, no, I want a process started by a traced application to be stopped (as if killed by SIGSTOP) as soon as it makes a given system call. I've added a link to the Solaris `truss` manpage. – Stéphane Chazelas Jun 21 '13 at 16:43
  • Let me make sure I understand correctly. You want a way to stop a process when it makes a specific systemcall. Is that correct? – sparticvs Jun 22 '13 at 13:46

2 Answers2

3

To the best of my knowledge this can't be done with strace, the ptrace function which is used internally does SIGSTOP or SIGINT on calls.

EDIT:

I inserted this simple solution in ministrace, so no coding is required.

My proposed solution, if the not all the functionality of strace is required, would be to modify ministrace - which I found here Write yourself an strace in 70 lines of code.

In a one shot program you could add two lines before the following code:

if (wait_for_syscall(child) != 0) break;

Pseudo code:

if(syscall == SYS_write)
    do {
        char str[4];
        gets(str);  // waits until enter to continue    
    } while(0);

I've not tesed any of this, these final steps are left to you.

Daniël W. Crompton
  • 570
  • 4
  • 6
  • Thanks. It works and that link is very useful. However (understandably in a few lines of code), it doesn't do the arg decoding that gdb/strace do, so would not have been useful for my purpose. It shows though that it's easily done. I went for gdb in the end but it looks like patching strace for that feature would be relatively easy. Leaving the question open as I suspect there is an existing command to do that. I'll look at python-ptrace when I've got the time. – Stéphane Chazelas Jul 14 '13 at 08:44
  • You're welcome! I went a little wild in extending the implementation, so it would be possible to reference the syscall by id and by name. It was fun playing with ptrace again. – Daniël W. Crompton Jul 15 '13 at 23:33
2

Systemtap should be able to do what you are looking for, that's a nice guide for it:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/SystemTap_Beginners_Guide/

replay
  • 8,483
  • 1
  • 26
  • 31