ptrace(2)
- NetBSD Manual Pages
PTRACE(2) NetBSD System Calls Manual PTRACE(2)
NAME
ptrace -- process tracing and debugging
LIBRARY
Standard C Library (libc, -lc)
SYNOPSIS
#include <sys/types.h>
#include <sys/ptrace.h>
int
ptrace(int request, pid_t pid, void *addr, int data);
DESCRIPTION
ptrace() provides tracing and debugging facilities. It allows one
process (the tracing process) to control another (the traced process).
Most of the time, the traced process runs normally, but when it receives
a signal (see sigaction(2)), it stops. The tracing process is expected
to notice this via wait(2) or the delivery of a SIGCHLD signal (see
siginfo(2)), examine the state of the stopped process, and cause it to
terminate or continue as appropriate. ptrace() is the mechanism by which
all this happens.
When a process that is traced by a debugger requests and calls execve(2)
or any of the routines built on it (such as execv(3)), it will stop
before executing the first instruction of the new image and emit SIGTRAP
with si_code set to TRAP_EXEC. If a traced program calls execve(2) any
setuid or setgid bits on the executable being executed will be ignored.
Program (software) breakpoints are reported with SIGTRAP and the si_code
value set to TRAP_BKPT. These breakpoints are machine specific instruc-
tions that interrupt the process. In order to put a trap by a tracer
into the tracee's program, debugger must violate the PaX MPROTECT
restrictions. For details check the security.pax.mprotect.ptrace option
described in sysctl(7). When a tracee is interrupted by a trap, the trap
is not removed by the kernel and it must be handled by a debugger.
If a program is traced with single steps (PT_STEP) it reports each step
with SIGTRAP with si_code set to TRAP_TRACE. This event is not maskable
PT_SET_EVENT_MASK.
Child program traps are reported with SIGTRAP and the si_code value set
to TRAP_CHLD. These events are by default disabled and can be configured
with PT_SET_EVENT_MASK. If this event occurs, check with
PT_GET_PROCESS_STATE the details of the process state associated with
this event.
Design choices for Debug Register accessors
- exec() (TRAP_EXEC event) must remove debug registers from LWP
- debug registers are only per-LWP, not per-process globally
- debug registers must not be inherited after (v)forking a process
- debug registers must not be inherited after forking a thread
- a debugger is responsible to set global watchpoints/breakpoints with
the debug registers, to achieve this PTRACE_LWP_CREATE /
PTRACE_LWP_EXIT event monitoring function is designed to be used
- debug register traps must generate SIGTRAP with si_code TRAP_DBREG
- debugger is responsible to retrieve debug register state to distin-
guish the exact debug register trap
- kernel must not remove debug register traps after triggering a trap
event; a debugger is responsible to detach this trap with appropriate
PT_SETDBREGS call
- debug registers must not be exposed in mcontext
- userland must not be allowed to set a trap on the kernel
A debugger might reuse port specific symbols, to help writing portable
code as described in the port specific part of the <sys/ptrace.h> header.
Among these symbols, there are:
- PTRACE_REG_PC
- PTRACE_REG_SET_PC
- PTRACE_REG_SP
- PTRACE_REG_INTRV
- PTRACE_BREAKPOINT
- PTRACE_BREAKPOINT_SIZE
- PTRACE_BREAKPOINT_ADJ
The request argument of ptrace specifies what operation is being per-
formed; the meaning of the rest of the arguments depends on the opera-
tion, but except for one special case noted below, all ptrace calls are
made by the tracing process, and the pid argument specifies the process
ID of the traced process. request can be:
PT_TRACE_ME This request is the only one used by the traced process; it
declares that the process expects to be traced by its par-
ent. All the other arguments are ignored. If the parent
process does not expect to trace the child, it will proba-
bly be rather confused by the results; once the traced
process stops, it cannot be made to continue except via
ptrace().
This call does not stop the process neither emit SIGSTOP to
parent.
PT_READ_I, PT_READ_D
These requests read a single int of data from the traced
process' address space. Traditionally, ptrace() has
allowed for machines with distinct address spaces for
instruction and data, which is why there are two requests:
conceptually, PT_READ_I reads from the instruction space
and PT_READ_D reads from the data space. In the current
NetBSD implementation, these two requests are completely
identical. The addr argument specifies the address (in the
traced process' virtual address space) at which the read is
to be done. This address does not have to meet any align-
ment constraints. The value read is returned as the return
value from ptrace().
These operations return success on incomplete and cancelled
byte transfers. New software shall use PT_IO as it allows
to check whether a byte transfer was completed.
PT_WRITE_I, PT_WRITE_D
These requests parallel PT_READ_I and PT_READ_D, except
that they write rather than read. The data argument sup-
plies the value to be written.
New software shall use PT_IO as it allows to check whether
an operation was completed.
PT_CONTINUE The traced process continues execution. addr is an address
specifying the place where execution is to be resumed (a
new value for the program counter), or (void *)1 to indi-
cate that execution is to pick up where it left off. data
provides a signal number to be delivered to the traced
process as it resumes execution, or 0 if no signal is to be
sent. If a negative value is supplied, that is the nega-
tive of the LWP ID of the thread to be resumed, and only
that thread executes.
PT_KILL The traced process terminates, as if PT_CONTINUE has been
used with SIGKILL given as the signal to be delivered.
However, unlike PT_CONTINUE, PT_KILL can be used on a non-
stopped tracee. The addr and data arguments are ignored.
PT_STOP The traced process stops, as if kill has been used with
SIGSTOP given as the signal to be delivered. wait(2) will
report the child (again) as stopped even if it was stopped
before. The addr and data arguments are ignored. Unlike
PT_CONTINUE call with SIGSTOP, PT_STOP works both on run-
ning and stopped processes.
PT_ATTACH This request allows a process to gain control of an other-
wise unrelated process and begin tracing it. It does not
need any cooperation from the to-be-traced process. In
this case, pid specifies the process ID of the to-be-traced
process, and the other two arguments are ignored. This
request requires that the target process must have the same
real UID as the tracing process, and that it must not be
executing a setuid or setgid executable. (If the tracing
process is running as root, these restrictions do not
apply.)
The tracing process will see the newly-traced process stop
and may then control it as if it had been traced all along.
It means that the SIGSTOP signal is emitted to tracer. It
is different behavior to the one from PT_TRACE_ME.
Three other restrictions apply to all tracing processes,
even those running as root. First, no process may trace a
system process. Second, no process may trace the process
running init(8). Third, if a process has its root direc-
tory set with chroot(2), it may not trace another process
unless that process' root directory is at or below the
tracing process' root.
PT_DETACH This request is like PT_CONTINUE, except that after it suc-
ceeds, the traced process is no longer traced and continues
execution normally.
PT_IO This request is a more general interface that can be used
instead of PT_READ_D, PT_WRITE_D, PT_READ_I, and
PT_WRITE_I. The I/O request is encoded in a struct
ptrace_io_desc defined as:
struct ptrace_io_desc {
int piod_op;
void *piod_offs;
void *piod_addr;
size_t piod_len;
};
where piod_offs is the offset within the traced process
where the I/O operation should take place, piod_addr is the
buffer in the tracing process, and piod_len is the length
of the I/O request. The piod_op field specifies which type
of I/O operation to perform. Possible values are:
PIOD_READ_D
PIOD_WRITE_D
PIOD_READ_I
PIOD_WRITE_I
PIOD_READ_AUXV
See the description of PT_READ_I for the difference between
I and D spaces.
The PIOD_READ_AUXV operation can be used to read from the
ELF auxiliary vector. The piod_offs argument sets the off-
set within the tracee's vector. To read from the beginning
of it, this value must be set to 0 and cast to (void *).
A pointer to the I/O descriptor is passed in the addr argu-
ment to ptrace(). On return, the piod_len field in the I/O
descriptor will be updated with the actual number of bytes
transferred. If the requested I/O could not be success-
fully performed, ptrace() will return -1 and set errno.
This interface returns success for partial and cancelled
byte transfers. For an interrupted transfer, a user shall
check whether occurred at least a single of the following
two conditions: piod_len == 0 and set errno. Successful
but incomplete byte transfers shall be restarted in the
place where they were stopped.
PT_DUMPCORE Makes the process specified in the pid pid generate a core
dump. The addr argument should contain the name of the
core file to be generated and the data argument should con-
tain the length of the core filename.
PT_LWPINFO Returns information about a thread from the list of threads
for the process specified in the pid argument. The addr
argument should contain a struct ptrace_lwpinfo defined as:
struct ptrace_lwpinfo {
lwpid_t pl_lwpid;
int pl_event;
};
where pl_lwpid contains a thread LWP ID. Information is
returned for the thread following the one with the speci-
fied ID in the process thread list, or for the first thread
if pl_lwpid is 0. Upon return pl_lwpid contains the LWP ID
of the thread that was found, or 0 if there is no thread
after the one whose LWP ID was supplied in the call.
pl_event contains the event that stopped the thread. Pos-
sible values are:
PL_EVENT_NONE
PL_EVENT_SIGNAL
PL_EVENT_SUSPENDED
The data argument should contain ``sizeof(struct
ptrace_lwpinfo)''.
PT_SYSCALL Stops a process before and after executing each system
call. Otherwise this operation is the same as PT_CONTINUE.
PT_SYSCALLEMU
Intercept and ignore a system call before it has been exe-
cuted, for use with PT_SYSCALL. This operation shall be
called for syscall entry trap from PT_SYSCALL. To resume
execution after intercepting the system call, another
PT_SYSCALL shall be used.
PT_SET_EVENT_MASK
This request can be used to specify which events in the
traced process should be reported to the tracing process.
These events are specified in a struct ptrace_event defined
as:
typedef struct ptrace_event {
int pe_set_event;
} ptrace_event_t;
pe_set_event is the set of events to be reported. This set
is formed by OR'ing together the following values:
PTRACE_FORK Report fork(2).
PTRACE_VFORK Report vfork(2).
PTRACE_VFORK_DONE Report parent resumed after vfork(2).
PTRACE_LWP_CREATE Report thread birth.
PTRACE_LWP_EXIT Report thread termination.
PTRACE_POSIX_SPAWN Report posix_spawn(3).
The fork(2) and vfork(2) events can occur with clone(2).
The PTRACE_FORK value means that process gives birth to its
child without pending on its termination or execve(2) oper-
ation. If enabled, the child is also traced by the debug-
ger and SIGTRAP is generated twice, first for the parent
and second for the child. The PTRACE_VFORK event is the
same as PTRACE_FORK, but the parent blocks after giving
birth to the child. The PTRACE_VFORK_DONE event can be
used to report unblocking of the parent.
posix_spawn() on NetBSD directly creates the child process
without intermediate fork. The PTRACE_POSIX_SPAWN event
semantics are the same as PTRACE_FORK, but the child is
reported with implied execution of a file.
A pointer to this structure is passed in addr. The data
argument should be set to sizeof(struct ptrace_event).
PT_GET_EVENT_MASK
This request can be used to determine which events in the
traced process will be reported. The information is read
into the struct ptrace_event pointed to by addr. The data
argument should be set to sizeof(struct ptrace_event).
PT_GET_PROCESS_STATE
This request reads the state information associated with
the event that stopped the traced process. The information
is reported in a struct ptrace_state defined as:
typedef struct ptrace_state {
int pe_report_event;
pid_t pe_other_pid;
} ptrace_state_t;
A pointer to this structure is passed in addr. The data
argument should be set to sizeof(struct ptrace_state).
PT_SET_SIGINFO
This request can be used to specify signal information
emitted to tracee. This signal information is specified in
struct ptrace_siginfo defined as:
typedef struct ptrace_siginfo {
siginfo_t psi_siginfo;
lwpid_t psi_lwpid;
} ptrace_siginfo_t;
Where psi_siginfo is the set to signal information struc-
ture. The psi_lwpid field describes LWP address of the
signal. Value 0 means the whole process (route signal to
all LWPs).
A pointer to this structure is passed in addr. The data
argument should be set to sizeof(struct ptrace_siginfo).
In order to pass faked signal to the tracee, the signal
type must match the signal passed to the process with
PT_CONTINUE or PT_SYSCALL.
PT_GET_SIGINFO
This request can be used to determine signal information
that was received by a debugger (see siginfo(2)). The
information is read into the struct ptrace_siginfo pointed
to by addr. The data argument should be set to
sizeof(struct ptrace_siginfo).
PT_RESUME Allow execution of a specified thread, change its state
from suspended to continued. The addr argument is unused.
The data argument specifies the LWP ID.
This call is equivalent to _lwp_continue(2) called by a
traced process. This call does not change the general
process state from stopped to continued.
PT_SUSPEND Prevent execution of a specified thread, change its state
from continued to suspended. The addr argument is unused.
The data argument specifies the requested LWP ID.
This call is equivalent to _lwp_suspend(2) called by a
traced process. This call does not change the general
process state from continued to stopped.
Additionally, the following requests exist but are not available on all
machine architectures. The file <machine/ptrace.h> lists which requests
exist on a given machine.
PT_STEP Execution continues as in request PT_CONTINUE; however as
soon as possible after execution of at least one instruc-
tion, execution stops again. If the data argument is
greater than 0, it contains the LWP ID of the thread to be
stepped, and any other threads are continued. If the data
argument is less than zero, it contains the negative of the
LWP ID of the thread to be stepped, and only that thread
executes.
PT_SETSTEP This request will turn on single stepping of the specified
thread. addr is unused. data specifies the LWP ID of the
thread to be stepped. The execution does not continue
until PT_CONTINUE is issued. This request permits combin-
ing single-stepping with sending signals and PT_SYSCALL.
PT_CLEARSTEP This request will turn off single stepping of the specified
thread. addr is unused. data specifies the LWP ID of the
thread to disable single-stepping.
PT_GETREGS This request reads the traced process' machine registers
into the struct reg (defined in <machine/reg.h>) pointed to
by addr. The data argument contains the LWP ID of the
thread whose registers are to be read. If zero is sup-
plied, the first thread of the process is read.
PT_SETREGS This request is the converse of PT_GETREGS; it loads the
traced process' machine registers from the struct reg
(defined in <machine/reg.h>) pointed to by addr. The data
argument contains the LWP ID of the thread whose registers
are to be written. If zero is supplied, the first thread
of the process is written.
PT_GETFPREGS This request reads the traced process' floating-point reg-
isters into the struct fpreg (defined in <machine/reg.h>)
pointed to by addr. The data argument contains the LWP ID
of the thread whose registers are to be read. If zero is
supplied, the first thread of the process is read.
PT_SETFPREGS This request is the converse of PT_GETFPREGS; it loads the
traced process' floating-point registers from the struct
fpreg (defined in <machine/reg.h>) pointed to by addr. The
data argument contains the LWP ID of the thread whose reg-
isters are to be written. If zero is supplied, the first
thread of the process is written.
PT_GETDBREGS This request reads the traced process' debug registers into
the struct dbreg (defined in <machine/reg.h>) pointed to by
addr. The data argument contains the LWP ID of the thread
whose registers are to be read. If zero is supplied, the
first thread of the process is read.
PT_SETDBREGS This request is the converse of PT_GETDBREGS; it loads the
traced process' debug registers from the struct dbreg
(defined in <machine/reg.h>) pointed to by addr. The data
argument contains the LWP ID of the thread whose registers
are to be written. If zero is supplied, the first thread
of the process is written.
PT_GETXMMREGS
This request reads the traced process' XMM registers into
the struct xmmregs (defined in <machine/reg.h>) pointed to
by addr. The data argument contains the LWP ID of the
thread whose registers are to be read. If zero is sup-
plied, the first thread of the process is read.
PT_SETXMMREGS
This request is the converse of PT_GETXMMREGS; it loads the
traced process' XMM registers from the struct xmmregs
(defined in <machine/reg.h>) pointed to by addr. The data
argument contains the LWP ID of the thread whose registers
are to be written. If zero is supplied, the first thread
of the process is written.
PT_GETVECREGS
This request reads the traced process' vector registers
into the struct vreg (defined in <machine/reg.h>) pointed
to by addr. The data argument contains the LWP ID of the
thread whose registers are to be read. If zero is sup-
plied, the first thread of the process is read.
PT_SETVECREGS
This request is the converse of PT_GETVECREGS; it loads the
traced process' vector registers from the struct vreg
(defined in <machine/reg.h>) pointed to by addr. The data
argument contains the LWP ID of the thread whose registers
are to be written. If zero is supplied, the first thread
of the process is written.
PT_GETXSTATE This request reads the traced process' FPU extended state
into the struct xstate (defined in
<machine/cpu_extended_state.h>). addr should be a pointer
to struct iovec (defined in <sys/uio.h>) specifying the
pointer to the aforementioned struct as iov_base and its
size as iov_len. The data argument contains the LWP ID of
the thread whose registers are to be read. If zero is sup-
plied, the first thread of the process is read. The struct
will be filled up to the specified iov_len. The caller
needs to check the xs_rfbm bitmap in order to determine
which fields were provided by the CPU, and may check
xs_xstate_bv to determine which component states were
changed from the initial state.
PT_SETXSTATE This request is the converse of PT_GETXSTATE; it loads the
traced process' extended FPU state from the struct xstate
(defined in <machine/cpu_extended_state.h>). addr should
be a pointer to struct iovec (defined in <sys/uio.h>) spec-
ifying the pointer to the aforementioned struct as iov_base
and its size as iov_len. The data argument contains the
LWP ID of the thread whose registers are to be written. If
zero is supplied, the first thread of the process is writ-
ten. The xs_rfbm field of the supplied xstate specifies
which state components are to be updated. Other components
(fields) will be ignored. The xs_xstate_bv field specifies
whether component state should be set to provided values
(when 1) or reset to unitialized (when 0). The request
will fail if xs_xstate_bv is not a subset of xs_rfbm, or
any of the specified components is not supported by the CPU
or kernel (i.e., not returned by PT_GETXSTATE).
ERRORS
Some requests can cause ptrace() to return -1 as a non-error value; to
disambiguate, errno can be set to 0 before the call and checked after-
wards. The possible errors are:
[EAGAIN] Process is currently exec'ing and cannot be traced.
[EBUSY]
· PT_ATTACH was attempted on a process that was already being
traced.
· A request attempted to manipulate a process that was being
traced by some process other than the one making the
request.
· A request (other than PT_ATTACH) specified a process that
wasn't stopped.
[EDEADLK]
An attempt to unstop a process with locked threads.
[EINVAL]
· A process attempted to use PT_ATTACH on itself.
· The request was not a legal request on this machine archi-
tecture.
· The signal number (in data) to PT_CONTINUE was neither 0
nor a legal signal number.
· PT_GETREGS, PT_SETREGS, PT_GETFPREGS, PT_SETFPREGS,
PT_GETXSTATE, or PT_SETXSTATE was attempted on a process
with no valid register set. (This is normally true only of
system processes.)
· A process attempted to set Program Counter to 0 in
PT_CONTINUE, PT_SYSCALL or PT_DETACH with
vm.user_va0_disable set to 1.
· PT_SETXSTATE attempted to set state components not sup-
ported by the kernel, or xs_xstate_bv was not a subset of
xs_rfbm.
[EPERM]
· A request (other than PT_ATTACH) attempted to manipulate a
process that wasn't being traced at all.
· An attempt was made to use PT_ATTACH on a process in viola-
tion of the requirements listed under PT_ATTACH above.
[ESRCH] No process having the specified process ID exists.
SEE ALSO
sigaction(2), signal(7)
HISTORY
The ptrace() function appeared in Version 7 AT&T UNIX.
BUGS
On the SPARC, the PC is set to the provided PC value for PT_CONTINUE and
similar calls, but the NPC is set willy-nilly to 4 greater than the PC
value. Using PT_GETREGS and PT_SETREGS to modify the PC, passing (void
*)1 to ptrace(), should be able to sidestep this.
PT_SET_SIGINFO, PT_RESUME and PT_SUSPEND can change the image of process
returned by PT_LWPINFO.
NetBSD 9.1 October 9, 2019 NetBSD 9.1
Powered by man-cgi (2021-06-01).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.