Using strace, ltrace, ptrace and dtrace on Linux


The ltrace command traces the library function calls made by a process.

 

ltrace -h
Usage: ltrace [option ...] [command [arg ...]]
Trace library calls of a given program.

-a, --align=COLUMN align return values in a secific column.
-A MAXELTS maximum number of array elements to print.
-b, --no-signals don't print signals.
-c count time and calls, and report a summary on exit.
-C, --demangle decode low-level symbol names into user-level names.
-D, --debug=MASK enable debugging (see -Dh or --debug=help).
-Dh, --debug=help show help on debugging.
-e FILTER modify which library calls to trace.
-f trace children (fork() and clone()).
-F, --config=FILE load alternate configuration file (may be repeated).
-h, --help display this help and exit.
-i print instruction pointer at time of library call.
-l, --library=LIBRARY_PATTERN only trace symbols implemented by this library.
-L do NOT display library calls.
-n, --indent=NR indent output by NR spaces for each call level nesting.
-o, --output=FILENAME write the trace output to file with given name.
-p PID attach to the process with the process ID pid.
-r print relative timestamps.
-s STRSIZE specify the maximum string size to print.
-S trace system calls as well as library calls.
-t, -tt, -ttt print absolute timestamps.
-T show the time spent inside each call.
-u USERNAME run command with the userid, groupid of username.
-V, --version output version information and exit.
-x FILTER modify which static functions to trace.

 

https://blog.csdn.net/macky0668/article/details/6839520

 

 

Running strace fails with the following error:

ptrace: Operation not permitted.

 

This morning I found a process that was not responding and tried to attach gdb to it.

(gdb) attach 30721
Attaching to program: /data0/s/bin/s, process 30721
ptrace: Operation not permitted.

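Baffling, since I already had sudo privileges. Later I came across a blog post whose author, while already running gdb on a process, tried to use gcore to generate a core file by hand and could not (inside gdb it can be done with generate-core-file). That gave me an idea: could someone else already be running gdb on this process?

A quick ps showed that my guess was right. I further guessed that strace should fail as well.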

0> strace -p 30721
attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted

Sure enough. Both tools use the ptrace system call. See man ptrace for details:

The ptrace system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing.

A detailed treatment of the Linux kernel should give a deeper explanation; for now I only have an intuitive grasp of it.
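The check done above with ps can be made directly, because a process can have only one tracer at a time and the kernel names it in the TracerPid field of /proc/<pid>/status. The script below is an added example, not part of the original post; the function names, the PROC_ROOT parameter and the sample tree (tracer PID 30650, untraced PID 4242) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Only one tracer can be attached
# to a process at a time; the kernel names it in the "TracerPid:" field of
# /proc/<pid>/status (0 means nobody is attached).

# Print the TracerPid value from a status file; fail if the field is missing.
tracer_from_status() {
    awk '$1 == "TracerPid:" { print $2; ok = 1; exit } END { exit !ok }' "$1"
}

# explain_eperm PID [PROC_ROOT]: report which process already traces PID.
# PROC_ROOT (hypothetical parameter, default /proc) lets the function run
# against a constructed directory tree for offline testing.
explain_eperm() {
    pid=$1; proc=${2:-/proc}
    [ -r "$proc/$pid/status" ] || { echo "pid $pid: no readable status file"; return 2; }
    tracer=$(tracer_from_status "$proc/$pid/status") || { echo "pid $pid: no TracerPid field"; return 2; }
    if [ "$tracer" -eq 0 ]; then
        echo "pid $pid: not traced, EPERM has another cause"
        return 1
    fi
    name=$(cat "$proc/$tracer/comm" 2>/dev/null) || name=unknown
    echo "pid $pid: already traced by pid $tracer ($name)"
}

# Build a constructed /proc-like tree: 30721 (the PID from the post) traced by
# a made-up gdb at PID 30650, and an untraced PID 4242. Prints the tree's path.
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/30721" "$root/30650" "$root/4242"
    printf 'Name:\ts\nState:\tt (tracing stop)\nPid:\t30721\nTracerPid:\t30650\n' > "$root/30721/status"
    printf 'gdb\n' > "$root/30650/comm"
    printf 'Name:\tsleep\nState:\tS (sleeping)\nPid:\t4242\nTracerPid:\t0\n' > "$root/4242/status"
    echo "$root"
}

# With a PID argument, inspect the live system; otherwise run the constructed sample.
if [ $# -gt 0 ]; then
    explain_eperm "$1"
else
    sample=$(make_sample_proc)
    explain_eperm 30721 "$sample"
    explain_eperm 4242 "$sample" || true
    rm -rf "$sample"
fi
```

Run with a PID argument, it reads the real /proc; a result of "not traced" means the EPERM comes from something other than a competing tracer.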

 
 
 

