]> git.saurik.com Git - apple/xnu.git/blame - bsd/man/man2/ptrace.2
xnu-517.tar.gz
[apple/xnu.git] / bsd / man / man2 / ptrace.2
CommitLineData
9bccf70c
A
1.\" $OpenBSD: ptrace.2,v 1.3 1996/10/08 01:20:12 michaels Exp $
2.\" $NetBSD: ptrace.2,v 1.3 1996/02/23 01:39:41 jtc Exp $
3.\"
4.\" This file is in the public domain.
5.Dd November 7, 1994
6.Dt PTRACE 2
7.Os
8.Sh NAME
9.Nm ptrace
10.Nd process tracing and debugging
11.Sh SYNOPSIS
12.Fd #include <sys/types.h>
13.Fd #include <sys/ptrace.h>
14.Ft int
15.Fn ptrace "int request" "pid_t pid" "caddr_t addr" "int data"
16.Sh DESCRIPTION
17.Fn ptrace
18provides tracing and debugging facilities. It allows one process (the
19.Em tracing
20process) to control another (the
21.Em traced
22process). Most of the time, the traced process runs normally, but when
23it receives a signal
24.Po
25see
26.Xr sigaction 2
27.Pc ,
28it stops. The tracing process is expected to notice this via
29.Xr wait 2
30or the delivery of a
31.Dv SIGCHLD
32signal, examine the state of the stopped process, and cause it to
33terminate or continue as appropriate.
34.Fn ptrace
35is the mechanism by which all this happens.
36.Pp
37The
38.Fa request
39argument specifies what operation is being performed; the meaning of
40the rest of the arguments depends on the operation, but except for one
41special case noted below, all
42.Fn ptrace
43calls are made by the tracing process, and the
44.Fa pid
45argument specifies the process ID of the traced process.
46.Fa request
47can be:
48.Bl -tag -width 12n
49.It Dv PT_TRACE_ME
50This request is the only one used by the traced process; it declares
51that the process expects to be traced by its parent. All the other
52arguments are ignored. (If the parent process does not expect to trace
53the child, it will probably be rather confused by the results; once the
54traced process stops, it cannot be made to continue except via
55.Eo \&
56.Fn ptrace
57.Ec \&.)
58When a process has used this request and calls
59.Xr execve 2
60or any of the routines built on it
61.Po
62such as
63.Xr execv 3
64.Pc ,
65it will stop before executing the first instruction of the new image.
66Also, any setuid or setgid bits on the executable being executed will
67be ignored.
68.It Dv PT_READ_I , Dv PT_READ_D
69These requests read a single
70.Li int
71of data from the traced process' address space. Traditionally,
72.Fn ptrace
73has allowed for machines with distinct address spaces for instruction
74and data, which is why there are two requests: conceptually,
75.Dv PT_READ_I
76reads from the instruction space and
77.Dv PT_READ_D
78reads from the data space. In the current OpenBSD implementation, these
79two requests are completely identical. The
80.Fa addr
81argument specifies the address (in the traced process' virtual address
82space) at which the read is to be done. This address does not have to
83meet any alignment constraints. The value read is returned as the
84return value from
85.Eo \&
86.Fn ptrace
87.Ec .
88.It Dv PT_WRITE_I , Dv PT_WRITE_D
89These requests parallel
90.Dv PT_READ_I
91and
92.Dv PT_READ_D ,
93except that they write rather than read. The
94.Fa data
95argument supplies the value to be written.
96.\" .It Dv PT_READ_U
97.\" This request reads an
98.\" .Li int
99.\" from the traced process' user structure. The
100.\" .Fa addr
101.\" argument specifies the location of the int relative to the base of the
102.\" user structure; it will usually be an integer value cast to
103.\" .Li caddr_t
104.\" either explicitly or via the presence of a prototype for
105.\" .Eo \&
106.\" .Fn ptrace
107.\" .Ec .
108.\" Unlike
109.\" .Dv PT_READ_I
110.\" and
111.\" .Dv PT_READ_D ,
112.\" .Fa addr
113.\" must be aligned on an
114.\" .Li int
115.\" boundary. The value read is returned as the return value from
116.\" .Eo \&
117.\" .Fn ptrace
118.\" .Ec .
119.\" .It Dv PT_WRITE_U
120.\" This request writes an
121.\" .Li int
122.\" into the traced process' user structure.
123.\" .Fa addr
124.\" specifies the offset, just as for
125.\" .Dv PT_READ_U ,
126.\" and
127.\" .Fa data
128.\" specifies the value to be written, just as for
129.\" .Dv PT_WRITE_I
130.\" and
131.\" .Dv PT_WRITE_D .
132.It Dv PT_CONTINUE
133The traced process continues execution.
134.Fa addr
135is an address specifying the place where execution is to be resumed (a
136new value for the program counter), or
137.Li (caddr_t)1
138to indicate that execution is to pick up where it left off.
139.Fa data
140provides a signal number to be delivered to the traced process as it
141resumes execution, or 0 if no signal is to be sent.
142.It Dv PT_KILL
143The traced process terminates, as if
144.Dv PT_CONTINUE
145had been used with
146.Dv SIGKILL
147given as the signal to be delivered.
148.It Dv PT_ATTACH
149This request allows a process to gain control of an otherwise unrelated
150process and begin tracing it. It does not need any cooperation from
151the to-be-traced process. In this case,
152.Fa pid
153specifies the process ID of the to-be-traced process, and the other two
154arguments are ignored. This request requires that the target process
155must have the same real UID as the tracing process, and that it must
156not be executing a setuid or setgid executable. (If the tracing
157process is running as root, these restrictions do not apply.) The
158tracing process will see the newly-traced process stop and may then
159control it as if it had been traced all along.
160.It Dv PT_DETACH
161This request is like PT_CONTINUE, except that it does not allow
162specifying an alternate place to continue execution, and after it
163succeeds, the traced process is no longer traced and continues
164execution normally.
165.El
166.Pp
167Additionally, machine-specific requests can exist. On the SPARC, these
168are:
169.Bl -tag -width 12n
170.It Dv PT_GETREGS
171This request reads the traced process' machine registers into the
172.Dq Li "struct reg"
173(defined in
174.Aq Pa machine/reg.h )
175pointed to by
176.Fa addr .
177.It Dv PT_SETREGS
178This request is the converse of
179.Dv PT_GETREGS ;
180it loads the traced process' machine registers from the
181.Dq Li "struct reg"
182(defined in
183.Aq Pa machine/reg.h )
184pointed to by
185.Fa addr .
186.It Dv PT_GETFPREGS
187This request reads the traced process' floating-point registers into
188the
189.Dq Li "struct fpreg"
190(defined in
191.Aq Pa machine/reg.h )
192pointed to by
193.Fa addr .
194.It Dv PT_SETFPREGS
195This request is the converse of
196.Dv PT_GETFPREGS ;
197it loads the traced process' floating-point registers from the
198.Dq Li "struct fpreg"
199(defined in
200.Aq Pa machine/reg.h )
201pointed to by
202.Fa addr .
203.\" .It Dv PT_SYSCALL
204.\" This request is like
205.\" .Dv PT_CONTINUE
206.\" except that the process will stop next time it executes any system
207.\" call. Information about the system call can be examined with
208.\" .Dv PT_READ_U
209.\" and potentially modified with
210.\" .Dv PT_WRITE_U
211.\" through the
212.\" .Li u_kproc.kp_proc.p_md
213.\" element of the user structure (see below). If the process is continued
214.\" with another
215.\" .Dv PT_SYSCALL
216.\" request, it will stop again on exit from the syscall, at which point
217.\" the return values can be examined and potentially changed. The
218.\" .Li u_kproc.kp_proc.p_md
219.\" element is of type
220.\" .Dq Li "struct mdproc" ,
221.\" which should be declared by including
222.\" .Aq Pa sys/param.h ,
223.\" .Aq Pa sys/user.h ,
224.\" and
225.\" .Aq Pa machine/proc.h ,
226.\" and contains the following fields (among others):
227.\" .Bl -item -compact -offset indent
228.\" .It
229.\" .Li syscall_num
230.\" .It
231.\" .Li syscall_nargs
232.\" .It
233.\" .Li syscall_args[8]
234.\" .It
235.\" .Li syscall_err
236.\" .It
237.\" .Li syscall_rv[2]
238.\" .El
239.\" When a process stops on entry to a syscall,
240.\" .Li syscall_num
241.\" holds the number of the syscall,
242.\" .Li syscall_nargs
243.\" holds the number of arguments it expects, and
244.\" .Li syscall_args
245.\" holds the arguments themselves. (Only the first
246.\" .Li syscall_nargs
247.\" elements of
248.\" .Li syscall_args
249.\" are guaranteed to be useful.) When a process stops on exit from a
250.\" syscall,
251.\" .Li syscall_num
252.\" is
253.\" .Eo \&
254.\" .Li -1
255.\" .Ec ,
256.\" .Li syscall_err
257.\" holds the error number
258.\" .Po
259.\" see
260.\" .Xr errno 2
261.\" .Pc ,
262.\" or 0 if no error occurred, and
263.\" .Li syscall_rv
264.\" holds the return values. (If the syscall returns only one value, only
265.\" .Li syscall_rv[0]
266.\" is useful.) The tracing process can modify any of these with
267.\" .Dv PT_WRITE_U ;
268.\" only some modifications are useful.
269.\" .Pp
270.\" On entry to a syscall,
271.\" .Li syscall_num
272.\" can be changed, and the syscall actually performed will correspond to
273.\" the new number (it is the responsibility of the tracing process to fill
274.\" in
275.\" .Li syscall_args
276.\" appropriately for the new call, but there is no need to modify
277.\" .Eo \&
278.\" .Li syscall_nargs
279.\" .Ec ).
280.\" If the new syscall number is 0, no syscall is actually performed;
281.\" instead,
282.\" .Li syscall_err
283.\" and
284.\" .Li syscall_rv
285.\" are passed back to the traced process directly (and therefore should be
286.\" filled in). If the syscall number is otherwise out of range, a dummy
287.\" syscall which simply produces an
288.\" .Er ENOSYS
289.\" error is effectively performed.
290.\" .Pp
291.\" On exit from a syscall, only
292.\" .Li syscall_err
293.\" and
294.\" .Li syscall_rv
295.\" can usefully be changed; they are set to the values returned by the
296.\" syscall and will be passed back to the traced process by the normal
297.\" syscall return mechanism.
298.El
299.Sh ERRORS
300Some requests can cause
301.Fn ptrace
302to return
303.Li -1
304as a non-error value; to disambiguate,
305.Va errno
306can be set to 0 before the call and checked afterwards. The possible
307errors are:
308.Bl -tag -width 4n
309.It Bq Er ESRCH
310No process having the specified process ID exists.
311.It Bq Er EINVAL
312.Bl -bullet -compact
313.It
314A process attempted to use
315.Dv PT_ATTACH
316on itself.
317.It
318The
319.Fa request
320was not one of the legal requests.
321.\" .It
322.\" The
323.\" .Fa addr
324.\" to
325.\" .Dv PT_READ_U
326.\" or
327.\" .Dv PT_WRITE_U
328.\" was not
329.\" .Li int Ns \&-aligned.
330.It
331The signal number (in
332.Fa data )
333to
334.Dv PT_CONTINUE
335.\" or
336.\" .Dv PT_SYSCALL
337was neither 0 nor a legal signal number.
338.It
339.Dv PT_GETREGS ,
340.Dv PT_SETREGS ,
341.Dv PT_GETFPREGS ,
342or
343.Dv PT_SETFPREGS
344was attempted on a process with no valid register set. (This is
345normally true only of system processes.)
346.El
347.It Bq Er EBUSY
348.Bl -bullet -compact
349.It
350.Dv PT_ATTACH
351was attempted on a process that was already being traced.
352.It
353A request attempted to manipulate a process that was being traced by
354some process other than the one making the request.
355.It
356A request (other than
357.Dv PT_ATTACH )
358specified a process that wasn't stopped.
359.El
360.It Bq Er EPERM
361.Bl -bullet -compact
362.It
363A request (other than
364.Dv PT_ATTACH )
365attempted to manipulate a process that wasn't being traced at all.
366.It
367An attempt was made to use
368.Dv PT_ATTACH
369on a process in violation of the requirements listed under
370.Dv PT_ATTACH
371above.
372.El
55e303ae 373.El
9bccf70c
A
374.Sh BUGS
375On the SPARC, the PC is set to the provided PC value for
376.Dv PT_CONTINUE
377and similar calls, but the NPC is set willy-nilly to 4 greater than the
378PC value. Using
379.Dv PT_GETREGS
380and
381.Dv PT_SETREGS
382to modify the PC, passing
383.Li (caddr_t)1
384to
385.Eo \&
386.Fn ptrace
387.Ec ,
388should be able to sidestep this.
389.Pp
390Single-stepping is not available.
391.\" .Pp
392.\" When using
393.\" .Dv PT_SYSCALL ,
394.\" there is no easy way to tell whether the traced process stopped because
395.\" it made a syscall or because a signal was sent at a moment that it just
396.\" happened to have valid-looking garbage in its
397.\" .Dq Li "struct mdproc" .