NAME
ptrace —
process tracing and
debugging
LIBRARY
Standard C Library (libc, -lc)
SYNOPSIS
#include <sys/types.h>
#include <sys/ptrace.h>
int
ptrace(
int
request,
pid_t pid,
void *addr,
int data);
DESCRIPTION
ptrace() provides tracing and debugging facilities. It allows
one process (the
tracing process) to control another (the
traced process). Most of the time, the traced process runs
normally, but when it receives a signal (see
sigaction(2)), it stops. The
tracing process is expected to notice this via
wait(2) or the delivery of a
SIGCHLD
signal (see
siginfo(2)), examine the state
of the stopped process, and cause it to terminate or continue as appropriate.
ptrace() is the mechanism by which all this happens.
When a process that is traced by a debugger requests and calls
execve(2) or any of the routines
built on it (such as
execv(3)),
it will stop before executing the first instruction of the new image and emit
SIGTRAP
with
si_code
set to
TRAP_EXEC
. If a program is traced with the
PT_SYSCALL
option enabled, this event notifier is
disabled. If a traced program calls
execve(2) any setuid or setgid
bits on the executable being executed will be ignored.
Program (software) breakpoints are reported with
SIGTRAP
and the
si_code
value set to
TRAP_BKPT
. These breakpoints are machine specific
instructions that interrupt the process. In order to put a trap by a tracer
into the tracee's program, debugger must violate the
PaX
MPROTECT
restrictions. For details check the
security.pax.mprotect.ptrace
option described in
sysctl(7). When a tracee is
interrupted by a trap, the trap is not removed by the kernel and it must be
handled by a debugger.
If a program is traced with single steps (
PT_STEP
) it
reports each step with
SIGTRAP
with
si_code
set to
TRAP_TRACE
.
This event is not maskable
PT_SET_EVENT_MASK
.
Child program traps are reported with
SIGTRAP
and the
si_code
value set to
TRAP_CHLD
. These events are by default disabled and
can be configured with
PT_SET_EVENT_MASK
. If this
event occurs, check with
PT_GET_PROCESS_STATE
the
details of the process state associated with this event.
Design choices for Debug Register accessors
- exec()
(
TRAP_EXEC
event) must remove debug registers from
LWP
- debug registers are only per-LWP, not per-process
globally
- debug registers must not be inherited after (v)forking a
process
- debug registers must not be inherited after forking a
thread
- a debugger is responsible to set global
watchpoints/breakpoints with the debug registers, to achieve this
PTRACE_LWP_CREATE
/
PTRACE_LWP_EXIT
event monitoring function is
designed to be used
- debug register traps must generate
SIGTRAP with
si_code
TRAP_DBREG
- debugger is responsible to retrieve debug register state
to distinguish the exact debug register trap
- kernel must not remove debug register traps after
triggering a trap event; a debugger is responsible to detach this trap
with appropriate
PT_SETDBREGS
call
- debug registers must not be exposed in mcontext
- userland must not be allowed to set a trap on the
kernel
A debugger might reuse port specific symbols, to help writing portable code as
described in the port specific part of the
<sys/ptrace.h> header. Among these
symbols, there are:
PTRACE_REG_PC
PTRACE_REG_SET_PC
PTRACE_REG_SP
PTRACE_REG_INTRV
PTRACE_BREAKPOINT
PTRACE_BREAKPOINT_SIZE
PTRACE_BREAKPOINT_ADJ
The
request argument of
ptrace specifies
what operation is being performed; the meaning of the rest of the arguments
depends on the operation, but except for one special case noted below, all
ptrace calls are made by the tracing process, and the
pid argument specifies the process ID of the traced
process.
request can be:
-
-
PT_TRACE_ME
- This request is the only one used by the traced process; it
declares that the process expects to be traced by its parent. All the
other arguments are ignored. If the parent process does not expect to
trace the child, it will probably be rather confused by the results; once
the traced process stops, it cannot be made to continue except via
ptrace().
This call does not stop the process neither emit
SIGSTOP
to parent.
-
-
PT_READ_I
,
PT_READ_D
- These requests read a single
int
of
data from the traced process' address space. Traditionally,
ptrace() has allowed for machines with distinct address
spaces for instruction and data, which is why there are two requests:
conceptually, PT_READ_I
reads from the instruction
space and PT_READ_D
reads from the data space. In
the current NetBSD implementation, these two
requests are completely identical. The addr argument
specifies the address (in the traced process' virtual address space) at
which the read is to be done. This address does not have to meet any
alignment constraints. The value read is returned as the return value from
ptrace().
-
-
PT_WRITE_I
,
PT_WRITE_D
- These requests parallel
PT_READ_I
and PT_READ_D
, except that they write rather than
read. The data argument supplies the value to be
written.
-
-
PT_CONTINUE
- The traced process continues execution.
addr is an address specifying the place where
execution is to be resumed (a new value for the program counter), or
(void *)1
to indicate that execution is to pick up
where it left off. data provides a signal number to
be delivered to the traced process as it resumes execution, or 0 if no
signal is to be sent. If a negative value is supplied, that is the
negative of the LWP ID of the thread to be resumed, and only that thread
executes.
-
-
PT_KILL
- The traced process terminates, as if
PT_CONTINUE
had been used with
SIGKILL
given as the signal to be delivered.
-
-
PT_ATTACH
- This request allows a process to gain control of an
otherwise unrelated process and begin tracing it. It does not need any
cooperation from the to-be-traced process. In this case,
pid specifies the process ID of the to-be-traced
process, and the other two arguments are ignored. This request requires
that the target process must have the same real UID as the tracing
process, and that it must not be executing a setuid or setgid executable.
(If the tracing process is running as root, these restrictions do not
apply.)
The tracing process will see the newly-traced process stop and may then
control it as if it had been traced all along. It means that the
SIGSTOP
signal is emitted to tracer. It is
different behavior to the one from PT_TRACE_ME
.
Three other restrictions apply to all tracing processes, even those running
as root. First, no process may trace a system process. Second, no process
may trace the process running
init(8). Third, if a process
has its root directory set with
chroot(2), it may not trace
another process unless that process' root directory is at or below the
tracing process' root.
-
-
PT_DETACH
- This request is like PT_CONTINUE, except that after it
succeeds, the traced process is no longer traced and continues execution
normally.
-
-
PT_IO
- This request is a more general interface that can be used
instead of
PT_READ_D
,
PT_WRITE_D
, PT_READ_I
, and
PT_WRITE_I
. The I/O request is encoded in a
“struct ptrace_io_desc
” defined as:
struct ptrace_io_desc {
int piod_op;
void *piod_offs;
void *piod_addr;
size_t piod_len;
};
where piod_offs is the offset within the traced
process where the I/O operation should take place,
piod_addr is the buffer in the tracing process, and
piod_len is the length of the I/O request. The
piod_op field specifies which type of I/O operation
to perform. Possible values are:
PIOD_READ_D
-
PIOD_WRITE_D
-
PIOD_READ_I
-
PIOD_WRITE_I
-
PIOD_READ_AUXV
-
See the description of PT_READ_I
for the difference
between I and D spaces.
The PIOD_READ_AUXV
operation can be used to read
from the ELF auxiliary vector. The piod_offs
argument sets the offset within the tracee's vector. To read from the
beginning of it, this value must be set to 0 and cast to
(void *)
.
A pointer to the I/O descriptor is passed in the addr
argument to ptrace(). On return, the
piod_len field in the I/O descriptor will be updated
with the actual number of bytes transferred. If the requested I/O could
not be successfully performed, ptrace() will return
-1
and set errno.
-
-
PT_DUMPCORE
- Makes the process specified in the
pid pid generate a core dump. The
addr argument should contain the name of the core
file to be generated and the data argument should
contain the length of the core filename.
-
-
PT_LWPINFO
- Returns information about a thread from the list of threads
for the process specified in the pid argument. The
addr argument should contain a
“
struct ptrace_lwpinfo
” defined as:
struct ptrace_lwpinfo {
lwpid_t pl_lwpid;
int pl_event;
};
where pl_lwpid contains a thread LWP ID. Information
is returned for the thread following the one with the specified ID in the
process thread list, or for the first thread if
pl_lwpid is 0. Upon return
pl_lwpid contains the LWP ID of the thread that was
found, or 0 if there is no thread after the one whose LWP ID was supplied
in the call. pl_event contains the event that
stopped the thread. Possible values are:
PL_EVENT_NONE
-
PL_EVENT_SIGNAL
-
PL_EVENT_SUSPENDED
-
The data argument should contain
“sizeof(struct ptrace_lwpinfo)
”.
-
-
PT_SYSCALL
- Stops a process before and after executing each system
call. Otherwise this operation is the same as
PT_CONTINUE
.
-
-
PT_SYSCALLEMU
- Intercept and ignore a system call before it has been
executed, for use with
PT_SYSCALL
. This operation
shall be called for syscall entry trap from
PT_SYSCALL
. To resume execution after intercepting
the system call, another PT_SYSCALL
shall be
used.
-
-
PT_SET_EVENT_MASK
- This request can be used to specify which events in the
traced process should be reported to the tracing process. These events are
specified in a “
struct ptrace_event
”
defined as:
typedef struct ptrace_event {
int pe_set_event;
} ptrace_event_t;
pe_set_event is the set of events to be reported. This
set is formed by OR'ing together the following values:
-
-
- PTRACE_FORK
- Report
fork(2).
-
-
- PTRACE_VFORK
- Report
vfork(2).
-
-
- PTRACE_VFORK_DONE
- Report parent resumed after
vfork(2).
-
-
- PTRACE_LWP_CREATE
- Report thread birth.
-
-
- PTRACE_LWP_EXIT
- Report thread termination.
The fork(2) and
vfork(2) events can occur
with similar operations, like
clone(2) or
posix_spawn(3). The
PTRACE_FORK
value means that process gives birth
to its child without pending on its termination or
execve(2) operation. If
enabled, the child is also traced by the debugger and
SIGRAP
is generated twice, first for the parent
and second for the child. The PTRACE_VFORK
event
is the same as PTRACE_FORK
, but the parent blocks
after giving birth to the child. The
PTRACE_VFORK_DONE
event can be used to report
unblocking of the parent.
A pointer to this structure is passed in addr. The
data argument should be set to
sizeof(struct ptrace_event)
.
-
-
PT_GET_EVENT_MASK
- This request can be used to determine which events in the
traced process will be reported. The information is read into the
“
struct ptrace_event
” pointed to by
addr. The data argument should
be set to sizeof(struct ptrace_event)
.
-
-
PT_GET_PROCESS_STATE
- This request reads the state information associated with
the event that stopped the traced process. The information is reported in
a “
struct ptrace_state
” defined as:
typedef struct ptrace_state {
int pe_report_event;
pid_t pe_other_pid;
} ptrace_state_t;
A pointer to this structure is passed in addr. The
data argument should be set to
sizeof(struct ptrace_state)
.
-
-
PT_SET_SIGINFO
- This request can be used to specify signal information
emitted to tracee. This signal information is specified in
“
struct ptrace_siginfo
” defined as:
typedef struct ptrace_siginfo {
siginfo_t psi_siginfo;
lwpid_t psi_lwpid;
} ptrace_siginfo_t;
Where psi_siginfo is the set to signal information
structure. The psi_lwpid field describes LWP address
of the signal. Value 0
means the whole process
(route signal to all LWPs).
A pointer to this structure is passed in addr. The
data argument should be set to
sizeof(struct ptrace_siginfo)
.
In order to pass faked signal to the tracee, the signal type must match the
signal passed to the process with PT_CONTINUE
or
PT_SYSCALL
.
-
-
PT_GET_SIGINFO
- This request can be used to determine signal information
that was received by a debugger (see
siginfo(2)). The
information is read into the “
struct
ptrace_siginfo
” pointed to by addr. The
data argument should be set to
sizeof(struct ptrace_siginfo)
.
-
-
PT_RESUME
- Allow execution of a specified thread, change its state
from suspended to continued. The addr argument is
unused. The data argument specifies the LWP ID.
This call is equivalent to
_lwp_continue(2)
called by a traced process. This call does not change the general process
state from stopped to continued.
-
-
PT_SUSPEND
- Prevent execution of a specified thread, change its state
from continued to suspended. The addr argument is
unused. The data argument specifies the requested
LWP ID.
This call is equivalent to
_lwp_suspend(2) called
by a traced process. This call does not change the general process state
from continued to stopped.
Additionally, the following requests exist but are not available on all machine
architectures. The file
<machine/ptrace.h> lists which
requests exist on a given machine.
-
-
PT_STEP
- Execution continues as in request PT_CONTINUE; however as
soon as possible after execution of at least one instruction, execution
stops again. If the data argument is greater than 0,
it contains the LWP ID of the thread to be stepped, and any other threads
are continued. If the data argument is less than
zero, it contains the negative of the LWP ID of the thread to be stepped,
and only that thread executes.
-
-
PT_SETSTEP
- This request will turn on single stepping of the specified
process.
-
-
PT_CLEARSTEP
- This request will turn off single stepping of the specified
process.
-
-
PT_GETREGS
- This request reads the traced process' machine registers
into the “
struct reg
” (defined in
<machine/reg.h>) pointed to by
addr. The data argument
contains the LWP ID of the thread whose registers are to be read. If zero
is supplied, the first thread of the process is read.
-
-
PT_SETREGS
- This request is the converse of
PT_GETREGS
; it loads the traced process' machine
registers from the “struct reg
”
(defined in <machine/reg.h>)
pointed to by addr. The data
argument contains the LWP ID of the thread whose registers are to be
written. If zero is supplied, the first thread of the process is
written.
-
-
PT_GETFPREGS
- This request reads the traced process' floating-point
registers into the “
struct fpreg
”
(defined in <machine/reg.h>)
pointed to by addr. The data
argument contains the LWP ID of the thread whose registers are to be read.
If zero is supplied, the first thread of the process is read.
-
-
PT_SETFPREGS
- This request is the converse of
PT_GETFPREGS
; it loads the traced process'
floating-point registers from the “struct
fpreg
” (defined in
<machine/reg.h>) pointed to by
addr. The data argument
contains the LWP ID of the thread whose registers are to be written. If
zero is supplied, the first thread of the process is written.
-
-
PT_GETDBREGS
- This request reads the traced process' debug registers into
the “
struct dbreg
” (defined in
<machine/reg.h>) pointed to by
addr. The data argument
contains the LWP ID of the thread whose registers are to be read. If zero
is supplied, the first thread of the process is read.
-
-
PT_SETDBREGS
- This request is the converse of
PT_GETDBREGS
; it loads the traced process' debug
registers from the “struct dbreg
”
(defined in <machine/reg.h>)
pointed to by addr. The data
argument contains the LWP ID of the thread whose registers are to be
written. If zero is supplied, the first thread of the process is
written.
-
-
PT_GETXMMREGS
- This request reads the traced process' XMM registers into
the “
struct xmmregs
” (defined in
<machine/reg.h>) pointed to by
addr. The data argument
contains the LWP ID of the thread whose registers are to be read. If zero
is supplied, the first thread of the process is read.
-
-
PT_SETXMMREGS
- This request is the converse of
PT_GETXMMREGS
; it loads the traced process' XMM
registers from the “struct xmmregs
”
(defined in <machine/reg.h>)
pointed to by addr. The data
argument contains the LWP ID of the thread whose registers are to be
written. If zero is supplied, the first thread of the process is
written.
-
-
PT_GETVECREGS
- This request reads the traced process' vector registers
into the “
struct vreg
” (defined in
<machine/reg.h>) pointed to by
addr. The data argument
contains the LWP ID of the thread whose registers are to be read. If zero
is supplied, the first thread of the process is read.
-
-
PT_SETVECREGS
- This request is the converse of
PT_GETVECREGS
; it loads the traced process' vector
registers from the “struct vreg
”
(defined in <machine/reg.h>)
pointed to by addr. The data
argument contains the LWP ID of the thread whose registers are to be
written. If zero is supplied, the first thread of the process is
written.
ERRORS
Some requests can cause
ptrace() to return
-1
as a non-error value; to disambiguate,
errno can be set to 0 before the call and checked
afterwards. The possible errors are:
-
-
- [
EAGAIN
]
- Process is currently exec'ing and cannot be traced.
-
-
- [
EBUSY
]
-
PT_ATTACH
was attempted on a process that was already being traced.
- A request attempted to
manipulate a process that was being traced by some process other than
the one making the request.
- A request (other than
PT_ATTACH
) specified a process that wasn't
stopped.
-
-
- [
EDEADLK
]
- An attempt to unstop a process with locked threads.
-
-
- [
EINVAL
]
-
- A process attempted to
use
PT_ATTACH
on itself.
- The
request was not a legal request on this machine
architecture.
- The signal number (in
data) to
PT_CONTINUE
was
neither 0 nor a legal signal number.
PT_GETREGS
,
PT_SETREGS
,
PT_GETFPREGS
, or
PT_SETFPREGS
was attempted on a process with
no valid register set. (This is normally true only of system
processes.)
-
-
- [
EPERM
]
-
- A request (other than
PT_ATTACH
) attempted to manipulate a process
that wasn't being traced at all.
- An attempt was made to
use
PT_ATTACH
on a process in violation of the
requirements listed under PT_ATTACH
above.
-
-
- [
ESRCH
]
- No process having the specified process ID exists.
SEE ALSO
sigaction(2),
signal(7)
HISTORY
The
ptrace() function appeared in
Version 7 AT&T UNIX.
BUGS
On the SPARC, the PC is set to the provided PC value for
PT_CONTINUE
and similar calls, but the NPC is set
willy-nilly to 4 greater than the PC value. Using
PT_GETREGS
and
PT_SETREGS
to
modify the PC, passing
(void *)1
to
ptrace(), should be able to sidestep this.
PTRACE_VFORK
is currently unimplemented and it will
return
ENOTSUP
.
PT_SET_SIGINFO
,
PT_RESUME
and
PT_SUSPEND
can change the image of process returned by
PT_LWPINFO
.