linux申请strace ,lstrace, ptrace, dtrace

ltrace命令是用来跟踪进程调用库函数的情况。

 

ltrace -h
Usage: ltrace [option ...] [command [arg ...]]
Trace library calls of a given program.

-a, --align=COLUMN align return values in a secific column.
-A MAXELTS maximum number of array elements to print.
-b, --no-signals don't print signals.
-c count time and calls, and report a summary on exit.
-C, --demangle decode low-level symbol names into user-level names.
-D, --debug=MASK enable debugging (see -Dh or --debug=help).
-Dh, --debug=help show help on debugging.
-e FILTER modify which library calls to trace.
-f trace children (fork() and clone()).
-F, --config=FILE load alternate configuration file (may be repeated).
-h, --help display this help and exit.
-i print instruction pointer at time of library call.
-l, --library=LIBRARY_PATTERN only trace symbols implemented by this library.
-L do NOT display library calls.
-n, --indent=NR indent output by NR spaces for each call level nesting.
-o, --output=FILENAME write the trace output to file with given name.
-p PID attach to the process with the process ID pid.
-r print relative timestamps.
-s STRSIZE specify the maximum string size to print.
-S trace system calls as well as library calls.
-t, -tt, -ttt print absolute timestamps.
-T show the time spent inside each call.
-u USERNAME run command with the userid, groupid of username.
-V, --version output version information and exit.
-x FILTER modify which static functions to trace.

 

https://blog.csdn.net/macky0668/article/details/6839520

 

 

运行strace，出现问题:

ptrace: Operation not permitted.

 

早上发现一个进程没有相应, 试图gdb之.

(gdb) attach 30721
Attaching to program: /data0/s/bin/s, process 30721
ptrace: Operation not permitted.

晕倒, 俺已经是sudo权限了. 后来看到一篇博客说:当他已经在 gdb 某个进程时, 试图再利用 gcore 来手动产生一个 core 文件而不得(可以在gdb下用 generate-core-file 完成), 我有所启发, 莫非还有别人在gdb 这个进程.

ps 一下, 发现我的猜想是对的, 我进一步猜想, strace 也应该会失败.

0> strace -p 30721
attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted

果然如此, 两者都用到了 ptrace 这个系统调用.  man ptrace 可以查看详情:

The  ptrace  system  call provides a means by which a parent process may observe and control the execution of another pro-cess, and examine and change its core image and registers.  It is primarily used to  implement  breakpoint  debugging  and system call tracing.

看linux内核详解的话, 应该能给出更深层次的解释, 我现在还留在意会阶段.