Linux Kernel Architecture


Chapter 13: System Calls


❑ pid identifies the target process. The process identifier is interpreted with respect to the
namespace of the caller. Even though the way in which strace is handled suggests that process
tracing must be enabled right from the start, this is not true. The tracer program must "attach"
itself to the target process by means of ptrace — and this can be done while the process is
already running (not only when the process starts).
strace is responsible for attaching to the process, usually immediately after the target program
is started with fork and exec.
❑ addr and data pass a memory address and additional information to the kernel. Their meanings
differ according to the operation selected.
❑ With the help of symbolic constants, request selects an operation to be performed by ptrace. A
list of all possible values is given on the manual page ptrace(2) and in <ptrace.h> in the kernel
sources. The available options are as follows:

❑ PTRACE_ATTACH issues a request to attach to a process and initiates tracing. PTRACE_DETACH
detaches from the process and terminates tracing. A traced process is always terminated
when a signal is pending. The options below enable ptrace to be stopped during a system
call or after a single assembly language instruction.
When a traced process is stopped, the tracer program is informed by means of a SIGCHLD
signal that waiting can take place using the wait function discussed in Chapter 2.
When tracing is installed, the SIGSTOP signal is sent to the traced process — this causes the
tracer process to be interrupted for the first time. This is essential when system calls are
traced, as demonstrated below by means of an example.
❑ PEEKTEXT, PEEKDATA, and PEEKUSR read data from the process address space. PEEKUSR reads
the normal CPU registers and any other debug registers used^11 (of course, only the contents
of a single register selected on the basis of its identifier are read — not the contents of the
entire register set). PEEKTEXT and PEEKDATA read any words from the text or data segment
of the process.
❑ POKETEXT, POKEDATA, and POKEUSR write values to the three specified areas of the monitored
process and therefore manipulate the process address space contents; this can be very
important when debugging programs interactively.
Because PTRACE_POKEUSR manipulates the debug registers of the CPU, this option supports
the use of advanced debugging techniques; for example, monitoring of events that halt
program execution at a particular point when certain conditions are satisfied.
❑ PTRACE_SETREGS and PTRACE_GETREGS set and read values in the privileged register set of
the CPU.
❑ PTRACE_SETFPREGS and PTRACE_GETFPREGS set and read registers used for floating-point
computations. These operations are also very useful when testing and debugging applications
interactively.
❑ System call tracing is based on PTRACE_SYSCALL. If ptrace is activated with this option, the
kernel starts process execution until a system call is invoked. Once the traced process has
been stopped, wait informs the tracer process, which then analyzes the process address

(^11) Because a process other than the traced process is running when the ptrace system call is invoked, the physical registers
of the CPU naturally hold the values of the tracer program and not those of the traced process. This is why the data of the
pt_regs instance discussed in Chapter 14 are used; these data are copied into the register set when the process is activated
after a task switch. Manipulating the data of this structure is tantamount to manipulating the registers themselves.
