Linux Kernel Architecture

(Jacob Rumans) #1

Chapter 13: System Calls


space using the above ptrace operations to gather relevant information on the system call.
The traced process is stopped for a second time after completion of the system call to allow
the tracer process to check whether the call was successful.
Because the system call mechanism differs according to platform, trace programs such
as strace must implement the reading of data separately for each architecture; this is
a tedious task that quickly renders source code for portable programs unreadable (the
strace sources are overburdened with pre-processor conditionals and are no pleasure
to read).
❑ PTRACE_SINGLESTEP places the processor in single-step mode during execution of the
traced process. In this mode, the tracer process is able to access the traced process after
each assembly language instruction. Again, this is a very popular application debugging
technique, particularly when attempting to track down compiler errors or other such
subtleties.
Implementation of the single-step function is strongly dependent on the CPU used — after
all, the kernel is operating on a machine-oriented level at this point. Nevertheless, a
uniform interface is available to the tracer process on all platforms. After execution of
the assembler function, a SIGCHLD signal is sent to the tracer, which gathers detailed
information on the process state using further ptrace options. This cycle is constantly
repeated — the next assembler instruction is executed after invoking ptrace with
the PTRACE_SINGLESTEP argument, the process is put to sleep, the tracer is informed
accordingly by means of SIGCHLD, and so on.
❑ PTRACE_KILL closes the traced process by sending a KILL signal.
❑ PTRACE_TRACEME starts tracing the current process. The parent of the current process
automatically assumes the role of tracer and must be prepared to receive tracing information
from its child.
❑ PTRACE_CONT resumes execution of a traced process without specifying special conditions
for stopping the process — the traced application next stops when it receives a signal.

System Call Tracing


The following short sample program illustrates the use of ptrace. ptrace attaches itself to a process and
checks system call usage; as such, it is a minimal replacement for strace.

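/* Simple replacement for strace(1) */

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <asm/ptrace.h> /* for ORIG_EAX */

static long pid;

/* Read one word at offset off in the tracee's USER area into *res. */
int upeek(int pid, long off, long *res) {
    long val;

    /* -1 is also a valid word value, so errno decides whether the call failed. */
    errno = 0;
    val = ptrace(PTRACE_PEEKUSER, pid, off, 0);
    /* The listing on this page ends at the ptrace() call; the error check
       and return below are a minimal completion, not the book's text. */
    if (val == -1 && errno != 0)
        return -1;
    *res = val;
    return 0;
}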
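The tracing cycle described above (PTRACE_TRACEME in the child, then one stop on entry to and one on completion of each system call), as an added example that is not the book's listing. The names trace_child, trace_result and HAVE_NR are this example's own; the system call number is read only on x86-64, from orig_rax (the 64-bit counterpart of ORIG_EAX), and other architectures only count the stops.

```c
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>

#ifdef __x86_64__
#define HAVE_NR 1   /* syscall number readable via PTRACE_PEEKUSER here */
#else
#define HAVE_NR 0   /* other ABIs store the number elsewhere; only count stops */
#endif

struct trace_result {
    int stops;        /* syscall-stops seen; entry and exit count separately */
    int getppid_hits; /* stops whose syscall number was SYS_getppid */
    int exit_code;    /* exit status of the child, -1 if tracing failed */
};

/* Fork a child that makes ncalls getppid() calls and trace its system calls. */
struct trace_result trace_child(int ncalls)
{
    struct trace_result r = {0, 0, -1};
    int status;
    pid_t pid = fork();
    if (pid < 0) return r;
    if (pid == 0) {                        /* child: become the tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(99);
        raise(SIGSTOP);                    /* stop so the parent can take over */
        for (int i = 0; i < ncalls; i++) getppid();
        _exit(7);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return r;
    /* Report syscall-stops as SIGTRAP|0x80 so they differ from signal stops. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == 0 && waitpid(pid, &status, 0) > 0) {
        if (WIFEXITED(status)) { r.exit_code = WEXITSTATUS(status); break; }
        if (!WIFSTOPPED(status)) break;    /* killed by a signal */
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;
        r.stops++;
#if HAVE_NR
        long nr = ptrace(PTRACE_PEEKUSER, pid, (void *)offsetof(struct user, regs.orig_rax), NULL);
        if (nr == SYS_getppid) r.getppid_hits++;
#endif
    }
    return r;
}
```

On x86-64, each getppid() call is counted twice in getppid_hits, once at entry and once at completion, which is the second stop the text describes.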