Shulou(Shulou.com)06/03 Report--

Brief introduction

Strace is often used to track system calls and received signals when a process is executing. In the Linux world, processes cannot access hardware devices directly. When processes need to access hardware devices (such as reading disk files, receiving network data, etc.), they must switch from user mode to kernel mode and access hardware devices through system calls. Strace can track system calls generated by a process, including parameters, return values, and execution time.

Meaning of output parameters

Root@ubuntu:/usr#strace cat / dev/null

Execve ("/ bin/cat", ["cat", "/ dev/null"], [/ * 22 vars * /]) = 0

Brk (0) = 0xab1000

Access ("/ etc/ld.so.nohwcap", F_OK) =-1 ENOENT (No such file or directory)

Mmap (NULL, 8192, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS,-1, 0) = 0x7f29379a7000

Access ("/ etc/ld.so.preload", R_OK) =-1 ENOENT (No such file or directory)

...

Brk (0) = 0xab1000

Brk (0xad2000) = 0xad2000

Fstat (1, {st_mode=S_IFCHR | 0620, st_rdev=makedev (136,0),...}) = 0

Open ("/ dev/null", O_RDONLY) = 3

Fstat (3, {st_mode=S_IFCHR | 0666, st_rdev=makedev (1,3),...}) = 0

Read (3, ", 32768) = 0

Close (3) = 0

Close (1) = 0

Close (2) = 0

Exit_group (0) =?

Each line is a system call. To the left of the equal sign is the function name of the system call and its parameters, and on the right is the return value of the call.

Strace displays the parameters of these calls and returns values in symbolic form. Strace receives information from the kernel and does not need to build the kernel in any special way.

Strace parameter

C counts the execution time, number of times and errors of each system call.

-d outputs strace debugging information about standard error.

-f tracks the child processes generated by fork calls.

-ff if-o filename is provided, the tracking results of all processes are output to the corresponding filename.pid, where pid is the process number of each process.

-F attempts to trace vfork calls. At-f, vfork is not tracked.

-h outputs brief help information.

-I output the entry pointer to the system call.

-Q forbids the output of messages about separation.

-r prints out the relative time for each system call.

-t adds time information before each line in the output.

-tt adds time information to each line in the output in microseconds.

-ttt microsecond output, which represents the time in seconds.

-T shows the time spent on each call.

-v outputs all system calls. Some calls about environment variables, status, input and output, etc., are not output by default due to frequent use.

-V outputs the version information of strace.

-x outputs non-standard strings in hexadecimal form

-xx all strings are output in hexadecimal form.

-a column

Sets the output location of the return value. The default is 40.

-e expr

Specifies an expression that controls how to trace. The format is as follows:

[qualifier=] [!] value1 [, value2]...

Qualifier can only be one of the trace,abbrev,verbose,raw,signal,read,write. Value is a symbol or number used to qualify. The default qualifier is trace. An exclamation point is a negative symbol. For example:

-eopen is equivalent to-e trace=open, which means that only open calls are tracked. And-eTracetracking calls open means to trace calls other than open. There are two special symbols, all and none.

Note that some shell is used! To execute the commands in the history, so use\.

-e trace=set

Only the specified system calls are tracked. For example:-e trace=open,close,rean,write means that only these four system calls are tracked. The default is set=all.

-e trace=file

Only system calls about file operations are tracked.

-e trace=process

Only system calls about process control are tracked.

-e trace=network

Track all system calls related to the network.

-e strace=signal

Track all system calls related to system signals

-e trace=ipc

Track all system calls related to process communication

-e abbrev=set

Set the result set of strace output system calls.-v, etc., and abbrev=none. The default is abbrev=all.

-e raw=set

Displays the parameters of the specified system call in hexadecimal.

-e signal=set

Specifies the system signal to track. The default is all. For example, the SIGIO signal is not tracked, for example, Sigo (or Sigio).

-e read=set

Outputs the data read from the specified file. For example:

-e read=3,5

-e write=set

Outputs the data written to the specified file.

-o filename

Write the output of strace to the file filename

-p pid

Trace the specified process pid.

-s strsize

Specifies the maximum length of the output string. The default is 32. All the file names are output all the time.

-u username

Execute tracked commands with username's UID and GID

Command instance

General and complete usage:

Strace-o output.txt-T-tt-e trace=all-p 28979

The meaning above is to track all the system calls of the 28979 process (- e trace=all) and count the time spent by the system calls, as well as the start time (and displayed in a visual time-minute-second format), and finally store the recording results in the output.txt file.

Strace case

Debug programs with strace

In an ideal world, whenever a program fails to perform a function properly, it will give you a useful error tip that tells you enough clues to correct the error. But unfortunately, we do not live in an ideal world, at least not always. Sometimes there is something wrong with a program and you can't find the reason.

This is why the debugger appears. Strace is an essential debugging tool, and strace is used to monitor system calls. You can debug not only a newly started program, but also an already running program (binding strace to an existing PID).

First, let's look at a real example: there is a problem starting KDE.

Some time ago, I had a problem starting KDE, and the KDE error message didn't give me any helpful clues.

_ KDE_IceTransSocketCreateListener:failed to bind listener

_ KDE_IceTransSocketUNIXCreateListener:... SocketCreateListener () failed

_ KDE_IceTransMakeAllCOTSServerListeners: failed to create listener for local

Cannot establish any listening sockets DCOPServer self-test failed.

This error message doesn't make much sense to me, except that a program responsible for interprocess communication, which is vital to KDE, cannot be started. I can also know that this error is related to the ICE protocol (Inter Client Exchange). Other than that, I don't know what is the cause of the KDE startup error.

I decided to use strace to see what the program did when it started dcopserver:

Strace-f-F-o ~ / dcop-strace.txt dcopserver

Here the-f-F option tells strace to track both fork and vfork processes, and the-o option writes all strace output to ~ / dcop-strace.txt. Dcopserver is the program to start and debug.

After the error occurs again, I check the error output file dcop-strace.txt, which contains a lot of records of system calls. The relevant records before the error in the running of the program are as follows:

27207 mkdir ("/ tmp/.ICE-unix", 0777) =-1 EEXIST (File exists)

27207 lstat64 ("/ tmp/.ICE-unix", {st_mode=S_IFDIR | S_ISVTX | 0755, st_size=4096,...}) = 0

27207 unlink ("/ tmp/.ICE-unix/dcop27207-1066844596") =-1 ENOENT (No such file or directory)

27207 bind (3, {sin_family=AF_UNIX, path= "/ tmp/.ICE-unix/dcop27207-1066844596"}, 38) =-1 EACCES (Permission denied)

27207 write (2, "_ KDE_IceTrans", 13) = 13

27207 write (2, "SocketCreateListener: failed to"..., 46) = 46

27207 close (3) = 027207 write (2, "_ KDE_IceTrans", 13) = 13

27207 write (2, "SocketUNIXCreateListener: .Soc", 59) = 59

27207 umask (0) = 027207 write (2, "_ KDE_IceTrans", 13) = 13

27207 write (2, "MakeAllCOTSServerListeners: fail"..., 64) = 64

27207 write (2, "Cannot establish any listening s"..., 39) = 39

The first line shows that the program attempted to create a / tmp/.ICE-unix directory with permissions of 0777, which failed because the directory already exists. The second system call (lstat64) checks the status of the directory and shows that the permission of the directory is 0755. Here is the clue of the first program running error: the program tried to create a directory with attribute 0777, but there is already a directory with attribute 0755. The third system call (unlink) attempts to delete a file, but the file does not exist. This is not surprising, because this operation is just an attempt to delete old files that may exist.

However, the fourth line confirms the error. He tried to bind to / tmp/.ICE-unix/dcop27207-1066844596, but an access denied error occurred. . The users and groups of the ICE_unix directory are root, and only the owner has write permissions. A non-root user cannot create files under this directory, and if you change the directory attribute to 0777, the previous operation may be performed, which is exactly what was done when the first step error occurred.

So after I run chmod 0777/tmp/.ICE-unix, KDE can start normally, and the problem is solved. Tracking debugging with strace only takes a few minutes to trace the program to run, and then check and analyze the output file.

Description: running chmod 0777 is just a test, generally do not set a directory so that all users can read and write, and do not set sticky bit (sticky bit). Setting sticky bits to a directory can prevent a user from deleting files of others under the writable directory at will. You will generally find that the / tmp directory sets the stickiness bit for this reason. After KDE starts normally, run chmod + t / tmp/.ICE-unix to set the stickiness bit to .ICE _ unix.

Solve the problem of library dependency

Another use of starce is to solve problems related to dynamic libraries. When you run ldd on an executable, it tells you which dynamic libraries the program uses and where to find them. But if you are using an older version of glibc (2.2 or earlier), you may have a ldd program with bug that may report finding a dynamic library in one directory, but the dynamic linker (/ lib/ld-linux.so.2) may go to another directory to find the dynamic link library when you actually run the program. This is usually because / etc/ld.so.conf and / etc/ld.so.cache files are inconsistent, or / etc/ld.so.cache is corrupted. This error will not occur in glibc version 2.3.2, and the bug of ld-linux may have been resolved.

However, ldd does not list all the dynamic libraries that programs depend on, and the system call dlopen can automatically call in the required dynamic libraries when needed, and these libraries may not be listed by ldd. The NSS (Name Server Switch) library, which is part of glibc, is a typical example. One of the functions of NSS is to tell applications where to find the system account database. The application does not connect directly to the NSS library, and glibc automatically calls into the NSS library through dlopen. If such a library is accidentally lost, you will not be told that there is a library dependency problem, but such a program will not be able to get the user ID through user name resolution. Let's look at an example:

The whoami program will give you your own user name, which is very useful in some scripts that need to know the real user who is running the program. An example output from whoami is as follows:

# whoami

Root

Assuming that for some reason NSS, the library responsible for user name and user ID conversion, is lost during the upgrade of glibc, we can simulate this environment by renaming the nss library:

# mv/lib/libnss_files.so.2 / lib/libnss_files.so.2.backup

# whoami

Whoami: cannot find username for UID 0

Here you can see that there was an error running whoami, and the output of the ldd program will not provide useful help:

# ldd / usr/bin/whoami

Libc.so.6 = > / lib/libc.so.6 (0x4001f000)

/ lib/ld-linux.so.2 = > / lib/ld-linux.so.2 (0x40000000)

You'll only see that whoami relies on Libc.so.6 and ld-linux.so.2, and it doesn't give you the other libraries necessary to run whoami. Here, use strace to trace the output of whoami:

Strace-o whoami-strace.txt whoami

Open ("/ lib/libnss_files.so.2", O_RDONLY) =-1 ENOENT (No such file or directory)

Open ("/ lib/i686/mmx/libnss_files.so.2", O_RDONLY) =-1 ENOENT (No such file or directory)

Stat64 ("/ lib/i686/mmx", 0xbffff190) =-1 ENOENT (No such file or directory)

Open ("/ lib/i686/libnss_files.so.2", O_RDONLY) =-1 ENOENT (No such file or directory)

Stat64 ("/ lib/i686", 0xbffff190) =-1 ENOENT (No such file or directory)

Open ("/ lib/mmx/libnss_files.so.2", O_RDONLY) =-1 ENOENT (No such file or directory)

Stat64 ("/ lib/mmx", 0xbffff190) =-1 ENOENT (No such file or directory)

Open ("/ lib/libnss_files.so.2", O_RDONLY) =-1 ENOENT (No such file or directory)

Stat64 ("/ lib", {st_mode=S_IFDIR | 0755, st_size=2352,...}) = 0

Open ("/ usr/lib/i686/mmx/libnss_files.so.2", O_RDONLY) =-1 ENOENT (No such file or directory)

Stat64 ("/ usr/lib/i686/mmx", 0xbffff190) =-1 ENOENT (No such file or directory)

Open ("/ usr/lib/i686/libnss_files.so.2", O_RDONLY) =-1 ENOENT (No such file or directory)

You can find attempts to find libnss.so.2 in different directories, but all failed. Without a tool like strace, it's hard to find that this error is caused by a lack of dynamic libraries. Now all you have to do is find the libnss.so.2 and put it back in the right place.

Restrict strace to trace only specific system calls

If you already know what you're looking for, you can ask strace to track only some types of system calls. For example, you need to look at the program executed in the configure script, and the system call you need to monitor is execve. Let strace record only the calls to execve with this command:

Strace-f-o configure-strace.txt-e execve./configure

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.