Equivalent of "truss -T" and "truss -U" on Linux?

Solution 1

To the best of my knowledge this can't be done with strace; the ptrace function, which is used internally, does SIGSTOP or SIGINT on calls.

EDIT:

I inserted this simple solution in ministrace, so no coding is required.

My proposed solution, if not all the functionality of strace is required, would be to modify ministrace, which I found here: Write yourself an strace in 70 lines of code.

In a one shot program you could add two lines before the following code:

if (wait_for_syscall(child) != 0) break;

Pseudo code:

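if (syscall == SYS_write) {
    int c;
    /* Wait for Enter before letting the tracee continue
       (getchar() comes from <stdio.h>, which ministrace already includes). */
    while ((c = getchar()) != '\n' && c != EOF)
        ;
}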

I've not tested any of this; these final steps are left to you.
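
The pause-at-a-syscall idea from this answer as a stand-alone tracer: an added example, not ministrace's code or the answerer's. It assumes Linux on x86-64 (the syscall number is read from ORIG_RAX), does not follow forks, and `run_until_syscall` is a name chosen here.

```c
/* Added example, not ministrace's code. Linux x86-64 only; forks not followed. */
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/reg.h>      /* ORIG_RAX: register slot holding the syscall number */
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Resume the child until its next syscall stop: 0 = stopped, 1 = child gone. */
static int wait_for_syscall(pid_t child) {
    int status;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, 0L, 0L) < 0) return 1;
        if (waitpid(child, &status, 0) < 0) return 1;
        if (WIFSTOPPED(status) && (WSTOPSIG(status) & 0x80)) return 0;
        if (WIFEXITED(status) || WIFSIGNALED(status)) return 1;
    }
}

/* Run argv under ptrace; return its pid while held at entry of `target`, else -1. */
pid_t run_until_syscall(char *const argv[], long target) {
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0) _exit(127);
        raise(SIGSTOP);                 /* let the parent set options first */
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(child, NULL, 0) < 0) return -1;
    ptrace(PTRACE_SETOPTIONS, child, 0L,
           (long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL));
    for (;;) {
        if (wait_for_syscall(child)) return -1;              /* entry stop */
        if (ptrace(PTRACE_PEEKUSER, child, sizeof(long) * ORIG_RAX, 0L) == target)
            return child;               /* still attached; call not yet executed */
        if (wait_for_syscall(child)) return -1;              /* exit stop */
    }
}

int main(int argc, char **argv) {
    if (argc < 2) return 2;
    pid_t pid = run_until_syscall(argv + 1, SYS_write);
    if (pid < 0) return 1;
    fprintf(stderr, "pid %d held before write(); press Enter to resume\n", pid);
    getchar();
    ptrace(PTRACE_DETACH, pid, 0L, 0L);  /* child continues untraced */
    return waitpid(pid, NULL, 0) < 0;
}
```

While the child is held, the tracer is still attached, so a debugger cannot attach to it until the tracer detaches.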

Solution 2

Systemtap should be able to do what you are looking for, that's a nice guide for it:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/SystemTap_Beginners_Guide/

Author by

Stéphane Chazelas

Updated on September 18, 2022

Comments

  • Stéphane Chazelas
    Stéphane Chazelas over 1 year

    Is there an equivalent of what the -T and -U options of the truss Solaris utility do on Linux?

    Those are to specify a system call (-T) or library function (-U) which when called by the traced application would cause it to stop.

    Or, said otherwise, I'd want any process started by a traced application to be stopped (as if killed by SIGSTOP) as soon as it makes a given system call or a given shared library function call.

    strace and ltrace on Linux provide much of the feature set of Solaris truss, but they don't seem to be doing that.

    For instance:

    truss -f -T open cmd
    

    Would be like strace -f cmd except that if the process executing cmd or any of its descendants does any open system call, it would be stopped immediately (and I can resume it later on at my convenience).

    In some cases, I could use gdb's catch syscall, but I was looking for a solution that can conveniently follow forks and continue doing it for all the forked processes and keep on doing it even after execves.

    I seem to recall some utility giving the same functionality, even one (or options to that same utility) to single-step applications between some occurrences of some syscall remotely like that, but my memory is failing me, I can't even be sure that was on Linux.

    • Bratchley
      Bratchley almost 11 years
      Not really an answer to your question but gdb does have some options for following forks, it just doesn't key off an execve. It still only does one process at a time, though, which is probably a deal breaker if you're looking for strace-like functionality, but I thought I'd mention it just in case.
    • Stéphane Chazelas
      Stéphane Chazelas almost 11 years
      @JoelDavis, thanks. And it seems it can also follow after exec, (follow-exec-mode), I'm experimenting with that. Doesn't strictly answer the question, but may be good enough for what I need.
    • slm
      slm almost 11 years
      If I understand your question you're looking for a way to trace until a specific signal is seen and then stop tracing, not halt or kill the application you're tracing in any way, right?
    • Stéphane Chazelas
      Stéphane Chazelas almost 11 years
      @slm, no, I want a process started by a traced application to be stopped (as if killed by SIGSTOP) as soon as it makes a given system call. I've added a link to the Solaris truss manpage.
    • sparticvs
      sparticvs almost 11 years
      Let me make sure I understand correctly. You want a way to stop a process when it makes a specific system call. Is that correct?
  • Stéphane Chazelas
    Stéphane Chazelas almost 11 years
    Thanks. It works and that link is very useful. However (understandably in a few lines of code), it doesn't do the arg decoding that gdb/strace do, so would not have been useful for my purpose. It shows though that it's easily done. I went for gdb in the end but it looks like patching strace for that feature would be relatively easy. Leaving the question open as I suspect there is an existing command to do that. I'll look at python-ptrace when I've got the time.
  • Daniël W. Crompton
    Daniël W. Crompton almost 11 years
    You're welcome! I went a little wild in extending the implementation, so it would be possible to reference the syscall by id and by name. It was fun playing with ptrace again.