2 * Copryight 1997 Sean Eric Fagan
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 * 3. All advertising materials mentioning features or use of this software
13 * must display the following acknowledgement:
14 * This product includes software developed by Sean Eric Fagan
15 * 4. Neither the name of the author may be used to endorse or promote
16 * products derived from this software without specific prior written
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
36 * The main module for truss. Suprisingly simple, but, then, the other
37 * files handle the bulk of the work. And, of course, the kernel has to
38 * do a lot of the work :).
41 #include <sys/param.h>
42 #include <sys/ioctl.h>
43 #include <sys/pioctl.h>
44 #include <sys/types.h>
46 #include <sys/resource.h>
63 * It's difficult to parameterize this because it must be
64 * accessible in a signal handler.
72 fprintf(stderr, "%s\n%s\n",
73 "usage: truss [-faedDS] [-o file] -p pid",
74 " truss [-faedDS] [-o file] command [args]");
79 * WARNING! "FreeBSD a.out" must be first, or set_etype will not
84 void (*enter_syscall)(struct trussinfo *, int);
85 long (*exit_syscall)(struct trussinfo *, int);
88 { "FreeBSD ELF", alpha_syscall_entry, alpha_syscall_exit },
91 { "FreeBSD ELF64", amd64_syscall_entry, amd64_syscall_exit },
94 { "FreeBSD a.out", i386_syscall_entry, i386_syscall_exit },
95 { "FreeBSD ELF", i386_syscall_entry, i386_syscall_exit },
96 { "FreeBSD ELF32", i386_syscall_entry, i386_syscall_exit },
97 { "Linux ELF", i386_linux_syscall_entry, i386_linux_syscall_exit },
100 { "FreeBSD ELF64", ia64_syscall_entry, ia64_syscall_exit },
103 { "FreeBSD ELF64", sparc64_syscall_entry, sparc64_syscall_exit },
109 * Set the execution type. This is called after every exec, and when
110 * a process is first monitored. The procfs pseudo-file "etype" has
111 * the execution module type -- see /proc/curproc/etype for an example.
114 static struct ex_types *
115 set_etype(struct trussinfo *trussinfo)
117 struct ex_types *funcs;
122 sprintf(etype, "/proc/%d/etype", trussinfo->pid);
123 if ((fd = open(etype, O_RDONLY)) == -1) {
124 strcpy(progt, "FreeBSD a.out");
126 int len = read(fd, progt, sizeof(progt));
131 for (funcs = ex_types; funcs->type; funcs++)
132 if (!strcmp(funcs->type, progt))
135 if (funcs->type == NULL) {
136 funcs = &ex_types[0];
137 warn("execution type %s is not supported -- using %s",
149 if (sig > 0 && sig < NSIG) {
151 asprintf(&ret, "sig%s", sys_signame[sig]);
154 for (i = 0; ret[i] != '\0'; ++i)
155 ret[i] = toupper(ret[i]);
161 main(int ac, char **av)
166 struct procfs_status pfs;
167 struct ex_types *funcs;
168 int in_exec, sigexit, initial_open;
170 struct trussinfo *trussinfo;
178 /* Initialize the trussinfo struct */
179 trussinfo = (struct trussinfo *)malloc(sizeof(struct trussinfo));
180 if (trussinfo == NULL)
181 errx(1, "malloc() failed");
182 bzero(trussinfo, sizeof(struct trussinfo));
183 trussinfo->outfile = stderr;
185 while ((c = getopt(ac, av, "p:o:faedDS")) != -1) {
187 case 'p': /* specified pid */
188 trussinfo->pid = atoi(optarg);
190 case 'f': /* Follow fork()'s */
191 trussinfo->flags |= FOLLOWFORKS;
193 case 'a': /* Print execve() argument strings. */
194 trussinfo->flags |= EXECVEARGS;
196 case 'e': /* Print execve() environment strings. */
197 trussinfo->flags |= EXECVEENVS;
199 case 'd': /* Absolute timestamps */
200 trussinfo->flags |= ABSOLUTETIMESTAMPS;
202 case 'D': /* Relative timestamps */
203 trussinfo->flags |= RELATIVETIMESTAMPS;
205 case 'o': /* Specified output file */
208 case 'S': /* Don't trace signals */
209 trussinfo->flags |= NOSIGS;
216 ac -= optind; av += optind;
217 if ((trussinfo->pid == 0 && ac == 0) ||
218 (trussinfo->pid != 0 && ac != 0))
221 if (fname != NULL) { /* Use output file */
222 if ((trussinfo->outfile = fopen(fname, "w")) == NULL)
223 errx(1, "cannot open %s", fname);
227 * If truss starts the process itself, it will ignore some signals --
228 * they should be passed off to the process, which may or may not
229 * exit. If, however, we are examining an already-running process,
230 * then we restore the event mask on these same signals.
233 if (trussinfo->pid == 0) { /* Start a command ourselves */
235 trussinfo->pid = setup_and_wait(command);
236 signal(SIGINT, SIG_IGN);
237 signal(SIGTERM, SIG_IGN);
238 signal(SIGQUIT, SIG_IGN);
240 signal(SIGINT, restore_proc);
241 signal(SIGTERM, restore_proc);
242 signal(SIGQUIT, restore_proc);
247 * At this point, if we started the process, it is stopped waiting to
248 * be woken up, either in exit() or in execve().
252 Procfd = start_tracing(
253 trussinfo->pid, initial_open,
254 S_EXEC | S_SCE | S_SCX | S_CORE | S_EXIT |
255 ((trussinfo->flags & NOSIGS) ? 0 : S_SIG),
256 ((trussinfo->flags & FOLLOWFORKS) ? PF_FORK : 0));
263 funcs = set_etype(trussinfo);
265 * At this point, it's a simple loop, waiting for the process to
266 * stop, finding out why, printing out why, and then continuing it.
267 * All of the grunt work is done in the support routines.
270 clock_gettime(CLOCK_REALTIME, &trussinfo->start_time);
275 if (ioctl(Procfd, PIOCWAIT, &pfs) == -1)
276 warn("PIOCWAIT top of loop");
278 switch(i = pfs.why) {
280 funcs->enter_syscall(trussinfo, pfs.val);
281 clock_gettime(CLOCK_REALTIME,
285 clock_gettime(CLOCK_REALTIME,
288 * This is so we don't get two messages for
289 * an exec -- one for the S_EXEC, and one for
290 * the syscall exit. It also, conveniently,
291 * ensures that the first message printed out
292 * isn't the return-from-syscall used to
293 * create the process.
300 if (trussinfo->in_fork &&
301 (trussinfo->flags & FOLLOWFORKS)) {
304 trussinfo->in_fork = 0;
306 funcs->exit_syscall(trussinfo,
310 * Fork a new copy of ourself to trace
311 * the child of the original traced
315 trussinfo->pid = childpid;
320 funcs->exit_syscall(trussinfo, pfs.val);
323 signame = strsig(pfs.val);
324 fprintf(trussinfo->outfile,
325 "SIGNAL %lu (%s)\n", pfs.val,
326 signame == NULL ? "?" : signame);
331 fprintf(trussinfo->outfile,
332 "process exit, rval = %lu\n", pfs.val);
335 funcs = set_etype(trussinfo);
339 fprintf(trussinfo->outfile,
340 "Process stopped because of: %d\n", i);
344 if (ioctl(Procfd, PIOCCONT, val) == -1) {
345 if (kill(trussinfo->pid, 0) == -1 && errno == ESRCH)
350 } while (pfs.why != S_EXIT);
351 fflush(trussinfo->outfile);
357 setrlimit(RLIMIT_CORE, &rlp);
358 (void) signal(sigexit, SIG_DFL);
359 (void) kill(getpid(), sigexit);