Wednesday, 5 April 2017

How to use strace

A really cool Unix utility that lets us inspect what an executable is doing. We don't need:

  • the source code
  • knowledge of which program the executable came from
  • a debugger
One big caveat to note is that strace stops and restarts the traced process at every system call, so it can make it a lot, lot slower, e.g.:

[root@einstein ~]# time dd if=/dev/zero of=./test bs=1024k count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 11.0078 s, 95.3 MB/s

real    0m11.050s
user    0m0.001s
sys     0m0.377s
[root@einstein ~]#  sync; echo 3 > /proc/sys/vm/drop_caches
[root@einstein ~]# time strace -f -o out  dd if=/dev/zero of=./test bs=1024k count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 14.4345 s, 72.6 MB/s

real    0m14.491s
user    0m0.005s
sys     0m0.406s
[root@einstein ~]# 
So approximately 40% degradation in performance here, something you wouldn't want in prod.

How does a program interact with my computer?

So when a program runs in user mode it doesn't have direct access to the hardware (unless it's something cool like a Solarflare or Mellanox network card).
For the program to get access to the hardware it needs to use a system call (have a look at man 2 syscalls). System calls are essentially how a user program enters the kernel to perform a privileged task.

The categories of system calls are:
  • process control (load/exec/abort/create/terminate/get/set attributes/wait/allocate/free memory)
  • file management (create/delete/open/close/read/write/reposition/get/set attributes)
  • device management (request/release/read/write/reposition/attach/detach)
  • information maintenance (get/set time and date, system data, process/file/device attributes)
  • communication (create/delete connection, send/receive message, transfer status info, attach or detach remote device)


You don't need to be root to use strace, just permission to trace the process (i.e. generally your own processes).
It produces lots of output; try:

# strace ls

Following the output of this we'll see:
  • execve (the OS starts the process)
  • brk(0) - a kludge to find the current end of the data segment
  • open of filenames, each returning a file descriptor number
  • read using the file descriptor
  • fstat for details such as permissions, owner etc.
  • close
To see which files a program is opening we could use:

strace -e open ls

As a practical example, let's see what config files a program uses (e.g. if I type bash does it use profile, bashrc or bash_profile? I sometimes forget!):
strace -e open bash
(truncated output)
open("/home/sabramshumphries/.bashrc", O_RDONLY) = 3
open("/etc/bashrc", O_RDONLY)           = 3

Yay, we can see the files it opens!!

Useful flags:

-e only trace the system calls specified, e.g. strace -e open,close
-f also follow any subprocesses that are created
-p attach to a process (by pid) that was started earlier
-o write the output to a file so it can be looked through more easily
-s set the maximum string length printed, e.g. give a larger number so strace doesn't truncate output
-c statistical summary of calls, shows the output really nicely
-t show a timestamp on each line (-tt for even finer resolution)
-r show the relative time between calls
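As an added example (not from the original post), here is a small Python parser for the line format shown above: it copes with the pid prefix that -f -o writes, counts calls the way -c does, and lists the files each open() touched, including opens that failed with ENOENT, which is often the interesting bit when a config file is being silently skipped. The sample lines are constructed, not real output.

```python
import re
from collections import Counter

# Constructed sample in the format 'strace -f -o out' writes (pid, then
# syscall(args) = result); it is not real output from the post's machine.
SAMPLE = """\
1234  execve("/bin/bash", ["bash"], [/* 20 vars */]) = 0
1234  brk(0)                                 = 0x55d0c8a1f000
1234  open("/etc/ld.so.cache", O_RDONLY)     = 3
1234  fstat(3, {st_mode=S_IFREG|0644, st_size=84520, ...}) = 0
1234  close(3)                               = 0
1234  open("/home/user/.bashrc", O_RDONLY)   = 3
1234  read(3, "# .bashrc\\n", 8192)           = 10
1234  close(3)                               = 0
1234  open("/etc/bashrc", O_RDONLY)          = 3
1234  open("/home/user/.bash_profile", O_RDONLY) = -1 ENOENT (No such file or directory)
1234  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1235
1235  open("/etc/profile", O_RDONLY)         = 4
"""

# The pid prefix is optional so lines from a plain 'strace cmd' parse too.
LINE_RE = re.compile(r'^(?:(?P<pid>\d+)\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*'
                     r'(?P<ret>-?[\w?]+)(?P<err>.*)$')

def parse_line(line):
    """Split one strace line into pid, syscall, argument text and result."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. '+++ exited with 0 +++' or '<unfinished ...>'
    d = m.groupdict()
    d["pid"] = int(d["pid"]) if d["pid"] else None
    d["err"] = d["err"].strip() or None  # errno text such as 'ENOENT (...)'
    return d

def syscall_counts(text):
    """Per-syscall call counts, i.e. the 'calls' column of strace -c."""
    return Counter(r["call"] for r in map(parse_line, text.splitlines()) if r)

def opened_files(text):
    """(pid, path, fd) for each open(); fd is None when the open failed."""
    out = []
    for r in filter(None, map(parse_line, text.splitlines())):
        if r["call"] != "open":
            continue
        path = re.match(r'"((?:[^"\\]|\\.)*)"', r["args"]).group(1)
        fd = None if r["ret"].startswith("-") else int(r["ret"])
        out.append((r["pid"], path, fd))
    return out
```

Feed it the contents of the file written by strace -f -o out and opened_files() gives you the per-pid list of config files actually read, with failed opens marked by fd None.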

syscall   function
open      opens a file, returns a fd
close     closes a file descriptor
read      reads bytes from a fd
write     writes bytes to a fd
fork      creates a new process, a copy-on-write copy of the parent
exec      executes a new program
brk       extends the heap (moves the program break)
mmap      maps a file into the process address space
stat      reads info about a file
ioctl     sets I/O properties of a device
