CentOS 5.6

ftrace(1)


NAME

ftrace - Runs the frysk system call and function call tracing utility

SYNOPSIS

ftrace [-c] [-i] [-m] [-o=FILE] [-p=PID...] [-sys=SYSCALL[,SYSCALL...]] [-sig=SIG[,SIG...]] [-plt=RULE[,RULE...]] [-dyn=RULE[,RULE...]] [-sym=RULE[,RULE...]] [-stack] [--] command [arguments...]

DESCRIPTION

ftrace starts the given command and, according to the tracing script given via command-line arguments, traces its system calls, symbol entry points in general, and possibly other events as well. It uses the Frysk framework to implement tracing.

The working set of events ftrace should trace is defined by the following arguments.

Process Selection Options

-p=PID

Attach to the process with the given PID.

-c

Trace children: automatically attach to forks of the traced process.

System Call and Signal Tracing

-sys=SYSCALL[,SYSCALL...]

Trace system calls that match the given SYSCALL ruleset. See below for a description of the SYSCALL syntax.

-sig=SIGNAL[,SIGNAL...]

Trace signals that match the given SIGNAL ruleset. See below for a description of the SIGNAL syntax.

-stack

Print a stack trace when a traced system call is hit. Note that this option also applies to traced symbols. If you need to cherry-pick which events should stack trace, use the # operator described in the sections below.

Symbol Tracing

-i

Trace inside the dynamic linker. When this option is not present, ftrace will function as if a -@INTERP rule were present at the end of each tracing script.

-plt=SYMBOL[,SYMBOL...]

Trace library calls done via PLT entries matching each given SYMBOL ruleset. By tracing a PLT entry, you effectively trace calls done FROM the given library or executable, and generally can’t say which library the call leads TO. (At least for now. Ftrace may grow brains for this in future.) See below for a description of the SYMBOL rule syntax.

-dyn=SYMBOL[,SYMBOL...]

Trace calls through the symbol entry points. By tracing entry points, you catch all calls that end up at this symbol, including the calls that don’t go through the PLT and as such are not intended as inter-library calls, but rather intra-library calls. This is probably not what you usually want, because you get lots of output when various functions call each other in the library internals. On the other hand, it may be useful to cherry-pick a few entry points to see when or if they are called, and with which arguments. See below for a description of the SYMBOL rule syntax.

-sym=SYMBOL[,SYMBOL...]

Just like -dyn, but looks for symbols in the normal symbol table instead of the dynamic symbol table. (The normal symbol table doesn’t have to be present, e.g. when a binary is stripped.) See below for a description of the SYMBOL rule syntax.

-stack

Print a stack trace when a traced symbol is hit. Note that this option also applies to traced system calls. If you need to cherry-pick which events should stack trace, use the # operator described in the sections below.

Other Traceable Events

-m

Print each file mapped to or unmapped from the address space of the traced process.

SYMBOL RULE SYNTAX

To decide which PLT slots or entry points should be traced, the following process takes place. The initial working set is empty. Rules, if present, are then enumerated from left to right, and the set is modified depending on the rules. Rules are delimited by a colon. The syntax of each rule is as follows:

[-][#]pattern

An optional "-" at the beginning of the rule means removal from the working set. When the sign is omitted, the default action is to add to the working set. An optional "#" means that ftrace should print out a stack trace when it hits the call. The combination "-#" then means that the call should still be traced, but a stack trace shouldn’t be generated. pattern defines which PLT entries from which libraries should be added to or removed from the working set. The syntax of pattern is the following:

[symbol][@soname][@@version]

All three components, symbol, soname and version, are written using extended regular expression syntax. Any of the components can be omitted; a missing component is then a wildcard matching anything. By extension, an empty pattern matches all symbols of all versions in all libraries and in the executable itself.

The symbol component is matched against the name of the symbol associated with the PLT slot under consideration. The whole symbol name has to match.

The soname component is matched against the soname of the library in which we wish to track the call. If the library has no associated soname or it is the main executable, the match is done against the file name (without a path). Two special sonames are distinguished: "MAIN", which always matches the main executable; and "INTERP", which always matches the ELF interpreter of the main executable.

The version component is matched against the version associated with the symbol. If the symbol has no associated version, the version is considered to be an empty string. (It is possible to request a symbol without a version with the pattern "foo@@".)

An empty rule is considered to have all components missing.
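
The rule evaluation described in this section, modelled in Python as an added example (not frysk's code). Rules are split on commas as in the SYNOPSIS and EXAMPLES, Python's re module stands in for extended regular expressions, and the Slot type, its role field and the sample slots are constructed for illustration.

```python
import re
from typing import NamedTuple

class Slot(NamedTuple):
    symbol: str
    soname: str     # soname, or file name when the object has none
    version: str    # "" when the symbol is unversioned
    role: str = ""  # "MAIN" / "INTERP" / "" (field invented for this model)

# Constructed sample: PLT slots of a hypothetical `ls` process.
SLOTS = [
    Slot("malloc", "ls", "GLIBC_2.2.5", "MAIN"),
    Slot("write", "ls", "GLIBC_2.2.5", "MAIN"),
    Slot("malloc", "libselinux.so.1", "GLIBC_2.2.5"),
    Slot("free", "libselinux.so.1", "GLIBC_2.2.5"),
    Slot("open", "libselinux.so.1", "GLIBC_2.2.5"),
    Slot("calloc", "ld-linux-x86-64.so.2", "", "INTERP"),
]

def parse_rule(rule):
    """'[-][#]symbol@soname@@version' -> (remove, stack, sym, so, ver)."""
    remove = rule.startswith("-")
    rule = rule[1:] if remove else rule
    stack = rule.startswith("#")
    rule = rule[1:] if stack else rule
    rest, has_ver, ver = rule.partition("@@")
    sym, _, so = rest.partition("@")
    # Omitted component -> None (wildcard); "foo@@" keeps ver == "" (unversioned).
    return remove, stack, sym or None, so or None, ver if has_ver else None

def matches(slot, sym, so, ver):
    full = lambda rx, text: rx is None or re.fullmatch(rx, text) is not None
    so_ok = slot.role == so if so in ("MAIN", "INTERP") else full(so, slot.soname)
    return full(sym, slot.symbol) and so_ok and full(ver, slot.version)

def evaluate(script, slots=SLOTS, trace_interp=False):
    """Apply rules left to right; return (traced, stack_traced) sets."""
    rules = script.split(",")
    if not trace_interp:              # without -i, -@INTERP is implied last
        rules.append("-@INTERP")
    traced, stacked = set(), set()
    for remove, stack, sym, so, ver in map(parse_rule, rules):
        hit = {s for s in slots if matches(s, sym, so, ver)}
        if not remove:
            traced |= hit
            stacked |= hit if stack else set()
        else:
            stacked -= hit            # "-#" only drops the stack trace
            if not stack:
                traced -= hit         # plain "-" stops tracing the call
    return traced, stacked
```

Calling evaluate("[cm]alloc|free,-@MAIN") on the sample leaves only the malloc and free slots of libselinux.so.1, because the main executable is removed by the second rule and the interpreter by the implied -@INTERP.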

SYSCALL AND SIGNAL RULE SYNTAX

When the -sys (or -sig) option is present, ALL system calls (or signals) are ALWAYS traced. This is a limitation of the ptrace layer. The system call and signal rules, however, serve as a simple way of filtering out the output that you are not interested in. In the following paragraphs, the word "event" will be used to mean "signal or syscall, whatever applies".

The system call and signal rule syntax and semantics are the same as the symbol rule syntax:

[-][#]pattern

Event selection pattern syntax is then as follows:

[event name|event number]

When the pattern is empty, it matches all events known to frysk. When the pattern is a simple number (e.g. "12"), the pattern matches the event with the given number. Otherwise the pattern is considered to be a case-insensitive glob, and is matched against event names. The whole name has to match for the event to be part of the working set.

A signal can be given both with and without the leading "sig" (e.g. "sigkill" as well as "kill").

EXAMPLES

Trace all system calls:

ftrace -sys= ls

Trace variants of stat system call and moreover a system call #3:

ftrace -sys='*stat*,3' ls

Various ways to tell ftrace that you want to stack trace on SIGUSR1:

ftrace -sig=#USR1,#usr1,#SIGUSR1,#sigusr1,#10 ~/sig

Trace all library calls:

ftrace -plt= ls

Trace all library calls to functions that contain substring "write" in their names:

ftrace -plt='*write*' ls

Trace memory functions done from libraries, i.e. not from main executable:

ftrace -plt='[cm]alloc|free,-@MAIN' ls

Stack trace on everything, except for memory allocation functions (which should still be traced):

ftrace -plt='#,-#[cm]alloc,-#free' ls

SEE ALSO

frysk(7)

BUGS

The option parser is greedy when looking for options, so running ftrace on a program that uses options can be a problem; use -- to split between ftrace and the program. So change from:

~/prefix/bin/ftrace ~/prefix/lib64/frysk/funit --arch 32 frysk.proc.TestAbandon

to

~/prefix/bin/ftrace -- ~/prefix/lib64/frysk/funit --arch 32 frysk.proc.TestAbandon

Report bugs to http://sourceware.org/frysk


