PTRACE(2) BSD System Calls Manual PTRACE(2)
NAME
ptrace -- process tracing and debugging
LIBRARY
Standard C Library (libc, -lc)
SYNOPSIS
#include <sys/types.h>
#include <sys/ptrace.h>
int
ptrace(int request, pid_t pid, void *addr, int data);
DESCRIPTION
ptrace() provides tracing and debugging facilities. It allows one process (the tracing process) to control another (the traced process).
Most of the time, the traced process runs normally, but when it receives a signal (see sigaction(2)), it stops. The tracing process is
expected to notice this via wait(2) or the delivery of a SIGCHLD signal, examine the state of the stopped process, and cause it to terminate
or continue as appropriate. ptrace() is the mechanism by which all this happens.
The request argument specifies what operation is being performed; the meaning of the rest of the arguments depends on the operation, but
except for one special case noted below, all ptrace() calls are made by the tracing process, and the pid argument specifies the process ID of
the traced process. request can be:
PT_TRACE_ME This request is the only one used by the traced process; it declares that the process expects to be traced by its parent. All
the other arguments are ignored. (If the parent process does not expect to trace the child, it will probably be rather con-
fused by the results; once the traced process stops, it cannot be made to continue except via ptrace().) When a process has
used this request and calls execve(2) or any of the routines built on it (such as execv(3)), it will stop before executing the
first instruction of the new image. Also, any setuid or setgid bits on the executable being executed will be ignored.
PT_READ_I, PT_READ_D
These requests read a single int of data from the traced process' address space. Traditionally, ptrace() has allowed for
machines with distinct address spaces for instruction and data, which is why there are two requests: conceptually, PT_READ_I
reads from the instruction space and PT_READ_D reads from the data space. In the current NetBSD implementation, these two
requests are completely identical. The addr argument specifies the address (in the traced process' virtual address space) at
which the read is to be done. This address does not have to meet any alignment constraints. The value read is returned as the
return value from ptrace().
PT_WRITE_I, PT_WRITE_D
These requests parallel PT_READ_I and PT_READ_D, except that they write rather than read. The data argument supplies the value
to be written.
PT_CONTINUE The traced process continues execution. addr is an address specifying the place where execution is to be resumed (a new value
for the program counter), or (caddr_t)1 to indicate that execution is to pick up where it left off. data provides a signal
number to be delivered to the traced process as it resumes execution, or 0 if no signal is to be sent. If a negative value is
supplied, that is the negative of the LWP ID of the thread to be resumed, and only that thread executes.
PT_KILL The traced process terminates, as if PT_CONTINUE had been used with SIGKILL given as the signal to be delivered.
PT_ATTACH This request allows a process to gain control of an otherwise unrelated process and begin tracing it. It does not need any
cooperation from the to-be-traced process. In this case, pid specifies the process ID of the to-be-traced process, and the
other two arguments are ignored. This request requires that the target process must have the same real UID as the tracing
process, and that it must not be executing a setuid or setgid executable. (If the tracing process is running as root, these
restrictions do not apply.) The tracing process will see the newly-traced process stop and may then control it as if it had
been traced all along.
Three other restrictions apply to all tracing processes, even those running as root. First, no process may trace a system
process. Second, no process may trace the process running init(8). Third, if a process has its root directory set with
chroot(2), it may not trace another process unless that process's root directory is at or below the tracing process's root.
PT_DETACH This request is like PT_CONTINUE, except that after it succeeds, the traced process is no longer traced and continues execution
normally.
PT_IO This request is a more general interface that can be used instead of PT_READ_D, PT_WRITE_D, PT_READ_I, and PT_WRITE_I. The I/O
request is encoded in a ``struct ptrace_io_desc'' defined as:
struct ptrace_io_desc {
int piod_op;
void *piod_offs;
void *piod_addr;
size_t piod_len;
};
where piod_offs is the offset within the traced process where the I/O operation should take place, piod_addr is the buffer in
the tracing process, and piod_len is the length of the I/O request. The piod_op field specifies which type of I/O operation to
perform. Possible values are:
PIOD_READ_D
PIOD_WRITE_D
PIOD_READ_I
PIOD_WRITE_I
See the description of PT_READ_I for the difference between I and D spaces. A pointer to the I/O descriptor is passed in the
addr argument to ptrace(). On return, the piod_len field in the I/O descriptor will be updated with the actual number of bytes
transferred. If the requested I/O could not be successfully performed, ptrace() will return -1 and set errno.
PT_DUMPCORE Makes the process specified in the pid pid generate a core dump. The addr argument should contain the name of the core file to
be generated and the data argument should contain the length of the core filename. This ptrace call currently does not stop
the child process so it can generate inconsistent data.
PT_LWPINFO Returns information about a thread from the list of threads for the process specified in the pid argument. The addr argument
should contain a ``struct ptrace_lwpinfo'' defined as:
struct ptrace_lwpinfo {
lwpid_t pl_lwpid;
int pl_event;
};
where pl_lwpid contains a thread LWP ID. Information is returned for the thread following the one with the specified ID in the
process thread list, or for the first thread if pl_lwpid is 0. Upon return pl_lwpid contains the LWP ID of the thread that was
found, or 0 if there is no thread after the one whose LWP ID was supplied in the call. pl_event contains the event that
stopped the thread. Possible values are:
PL_EVENT_NONE
PL_EVENT_SIGNAL
The data argument should contain ``sizeof(struct ptrace_lwpinfo)''.
PT_SYSCALL Stops a process before and after executing each system call.
PT_SYSCALLEMU
Intercept and ignore a system call before it has been executed, for use with PT_SYSCALL.
Additionally, the following requests exist but are not available on all machine architectures. The file <machine/ptrace.h> lists which
requests exist on a given machine.
PT_STEP Execution continues as in request PT_CONTINUE; however as soon as possible after execution of at least one instruction, execu-
tion stops again. If the data argument is greater than 0, it contains the LWP ID of the thread to be stepped, and any other
threads are continued. If the data argument is less than zero, it contains the negative of the LWP ID of the thread to be
stepped, and only that thread executes.
PT_GETREGS This request reads the traced process' machine registers into the ``struct reg'' (defined in <machine/reg.h>) pointed to by
addr. The data argument contains the LWP ID of the thread whose registers are to be read. If zero is supplied, the first
thread of the process is read.
PT_SETREGS This request is the converse of PT_GETREGS; it loads the traced process' machine registers from the ``struct reg'' (defined in
<machine/reg.h>) pointed to by addr. The data argument contains the LWP ID of the thread whose registers are to be written.
If zero is supplied, the first thread of the process is written.
PT_GETFPREGS This request reads the traced process' floating-point registers into the ``struct fpreg'' (defined in <machine/reg.h>) pointed
to by addr. The data argument contains the LWP ID of the thread whose registers are to be read. If zero is supplied, the
first thread of the process is read.
PT_SETFPREGS This request is the converse of PT_GETFPREGS; it loads the traced process' floating-point registers from the ``struct fpreg''
(defined in <machine/reg.h>) pointed to by addr. The data argument contains the LWP ID of the thread whose registers are to be
written. If zero is supplied, the first thread of the process is written.
PT_DUMPCORE Cause the traced process to dump core. If the addr argument is not NULL it is taken to be the pathname of the core file to be
generated and the data argument should contain the length of the pathname. The pathname may contain % patterns that are
expanded as described in sysctl(8). If the data argument is NULL, the default core file path generation rules are followed.
ERRORS
Some requests can cause ptrace() to return -1 as a non-error value; to disambiguate, errno can be set to 0 before the call and checked after-
wards. The possible errors are:
[EAGAIN] Process is currently exec'ing and cannot be traced.
[EBUSY]
o PT_ATTACH was attempted on a process that was already being traced.
o A request attempted to manipulate a process that was being traced by some process other than the one making the request.
o A request (other than PT_ATTACH) specified a process that wasn't stopped.
[EINVAL]
o A process attempted to use PT_ATTACH on itself.
o The request was not a legal request on this machine architecture.
o The signal number (in data) to PT_CONTINUE was neither 0 nor a legal signal number.
o PT_GETREGS, PT_SETREGS, PT_GETFPREGS, or PT_SETFPREGS was attempted on a process with no valid register set. (This is normally
true only of system processes.)
[EPERM]
o A request (other than PT_ATTACH) attempted to manipulate a process that wasn't being traced at all.
o An attempt was made to use PT_ATTACH on a process in violation of the requirements listed under PT_ATTACH above.
[ESRCH] No process having the specified process ID exists.
SEE ALSO
sigaction(2), signal(7)
BUGS
On the SPARC, the PC is set to the provided PC value for PT_CONTINUE and similar calls, but the NPC is set willy-nilly to 4 greater than the
PC value. Using PT_GETREGS and PT_SETREGS to modify the PC, passing (caddr_t)1 to ptrace(), should be able to sidestep this.
BSD
August 31, 2011 BSD