]> git.saurik.com Git - apple/xnu.git/blob - bsd/man/man2/ptrace.2
b3590325cb58c9d22ecc3e778dd8b11a16a30b1e
[apple/xnu.git] / bsd / man / man2 / ptrace.2
1 .\" $OpenBSD: ptrace.2,v 1.3 1996/10/08 01:20:12 michaels Exp $
2 .\" $NetBSD: ptrace.2,v 1.3 1996/02/23 01:39:41 jtc Exp $
3 .\"
4 .\" This file is in the public domain.
5 .Dd November 7, 1994
6 .Dt PTRACE 2
7 .Os
8 .Sh NAME
9 .Nm ptrace
10 .Nd process tracing and debugging
11 .Sh SYNOPSIS
12 .Fd #include <sys/types.h>
13 .Fd #include <sys/ptrace.h>
14 .Ft int
15 .Fn ptrace "int request" "pid_t pid" "caddr_t addr" "int data"
16 .Sh DESCRIPTION
17 .Fn ptrace
18 provides tracing and debugging facilities. It allows one process (the
19 .Em tracing
20 process) to control another (the
21 .Em traced
22 process). Most of the time, the traced process runs normally, but when
23 it receives a signal
24 .Po
25 see
26 .Xr sigaction 2
27 .Pc ,
28 it stops. The tracing process is expected to notice this via
29 .Xr wait 2
30 or the delivery of a
31 .Dv SIGCHLD
32 signal, examine the state of the stopped process, and cause it to
33 terminate or continue as appropriate.
34 .Fn ptrace
35 is the mechanism by which all this happens.
36 .Pp
37 The
38 .Fa request
39 argument specifies what operation is being performed; the meaning of
40 the rest of the arguments depends on the operation, but except for one
41 special case noted below, all
42 .Fn ptrace
43 calls are made by the tracing process, and the
44 .Fa pid
45 argument specifies the process ID of the traced process.
46 .Fa request
47 can be:
48 .Bl -tag -width 12n
49 .It Dv PT_TRACE_ME
50 This request is the only one used by the traced process; it declares
51 that the process expects to be traced by its parent. All the other
52 arguments are ignored. (If the parent process does not expect to trace
53 the child, it will probably be rather confused by the results; once the
54 traced process stops, it cannot be made to continue except via
55 .Eo \&
56 .Fn ptrace
57 .Ec \&.)
58 When a process has used this request and calls
59 .Xr execve 2
60 or any of the routines built on it
61 .Po
62 such as
63 .Xr execv 3
64 .Pc ,
65 it will stop before executing the first instruction of the new image.
66 Also, any setuid or setgid bits on the executable being executed will
67 be ignored.
68 .It Dv PT_READ_I , Dv PT_READ_D
69 These requests read a single
70 .Li int
71 of data from the traced process' address space. Traditionally,
72 .Fn ptrace
73 has allowed for machines with distinct address spaces for instruction
74 and data, which is why there are two requests: conceptually,
75 .Dv PT_READ_I
76 reads from the instruction space and
77 .Dv PT_READ_D
78 reads from the data space. In the current OpenBSD implementation, these
79 two requests are completely identical. The
80 .Fa addr
81 argument specifies the address (in the traced process' virtual address
82 space) at which the read is to be done. This address does not have to
83 meet any alignment constraints. The value read is returned as the
84 return value from
85 .Eo \&
86 .Fn ptrace
87 .Ec .
88 .It Dv PT_WRITE_I , Dv PT_WRITE_D
89 These requests parallel
90 .Dv PT_READ_I
91 and
92 .Dv PT_READ_D ,
93 except that they write rather than read. The
94 .Fa data
95 argument supplies the value to be written.
96 .\" .It Dv PT_READ_U
97 .\" This request reads an
98 .\" .Li int
99 .\" from the traced process' user structure. The
100 .\" .Fa addr
101 .\" argument specifies the location of the int relative to the base of the
102 .\" user structure; it will usually be an integer value cast to
103 .\" .Li caddr_t
104 .\" either explicitly or via the presence of a prototype for
105 .\" .Eo \&
106 .\" .Fn ptrace
107 .\" .Ec .
108 .\" Unlike
109 .\" .Dv PT_READ_I
110 .\" and
111 .\" .Dv PT_READ_D ,
112 .\" .Fa addr
113 .\" must be aligned on an
114 .\" .Li int
115 .\" boundary. The value read is returned as the return value from
116 .\" .Eo \&
117 .\" .Fn ptrace
118 .\" .Ec .
119 .\" .It Dv PT_WRITE_U
120 .\" This request writes an
121 .\" .Li int
122 .\" into the traced process' user structure.
123 .\" .Fa addr
124 .\" specifies the offset, just as for
125 .\" .Dv PT_READ_U ,
126 .\" and
127 .\" .Fa data
128 .\" specifies the value to be written, just as for
129 .\" .Dv PT_WRITE_I
130 .\" and
131 .\" .Dv PT_WRITE_D .
132 .It Dv PT_CONTINUE
133 The traced process continues execution.
134 .Fa addr
135 is an address specifying the place where execution is to be resumed (a
136 new value for the program counter), or
137 .Li (caddr_t)1
138 to indicate that execution is to pick up where it left off.
139 .Fa data
140 provides a signal number to be delivered to the traced process as it
141 resumes execution, or 0 if no signal is to be sent.
142 .It Dv PT_KILL
143 The traced process terminates, as if
144 .Dv PT_CONTINUE
145 had been used with
146 .Dv SIGKILL
147 given as the signal to be delivered.
148 .It Dv PT_ATTACH
149 This request allows a process to gain control of an otherwise unrelated
150 process and begin tracing it. It does not need any cooperation from
151 the to-be-traced process. In this case,
152 .Fa pid
153 specifies the process ID of the to-be-traced process, and the other two
154 arguments are ignored. This request requires that the target process
155 must have the same real UID as the tracing process, and that it must
156 not be executing a setuid or setgid executable. (If the tracing
157 process is running as root, these restrictions do not apply.) The
158 tracing process will see the newly-traced process stop and may then
159 control it as if it had been traced all along.
160 .It Dv PT_DETACH
161 This request is like PT_CONTINUE, except that it does not allow
162 specifying an alternate place to continue execution, and after it
163 succeeds, the traced process is no longer traced and continues
164 execution normally.
165 .El
166 .Pp
167 Additionally, machine-specific requests can exist. On the SPARC, these
168 are:
169 .Bl -tag -width 12n
170 .It Dv PT_GETREGS
171 This request reads the traced process' machine registers into the
172 .Dq Li "struct reg"
173 (defined in
174 .Aq Pa machine/reg.h )
175 pointed to by
176 .Fa addr .
177 .It Dv PT_SETREGS
178 This request is the converse of
179 .Dv PT_GETREGS ;
180 it loads the traced process' machine registers from the
181 .Dq Li "struct reg"
182 (defined in
183 .Aq Pa machine/reg.h )
184 pointed to by
185 .Fa addr .
186 .It Dv PT_GETFPREGS
187 This request reads the traced process' floating-point registers into
188 the
189 .Dq Li "struct fpreg"
190 (defined in
191 .Aq Pa machine/reg.h )
192 pointed to by
193 .Fa addr .
194 .It Dv PT_SETFPREGS
195 This request is the converse of
196 .Dv PT_GETFPREGS ;
197 it loads the traced process' floating-point registers from the
198 .Dq Li "struct fpreg"
199 (defined in
200 .Aq Pa machine/reg.h )
201 pointed to by
202 .Fa addr .
203 .\" .It Dv PT_SYSCALL
204 .\" This request is like
205 .\" .Dv PT_CONTINUE
206 .\" except that the process will stop next time it executes any system
207 .\" call. Information about the system call can be examined with
208 .\" .Dv PT_READ_U
209 .\" and potentially modified with
210 .\" .Dv PT_WRITE_U
211 .\" through the
212 .\" .Li u_kproc.kp_proc.p_md
213 .\" element of the user structure (see below). If the process is continued
214 .\" with another
215 .\" .Dv PT_SYSCALL
216 .\" request, it will stop again on exit from the syscall, at which point
217 .\" the return values can be examined and potentially changed. The
218 .\" .Li u_kproc.kp_proc.p_md
219 .\" element is of type
220 .\" .Dq Li "struct mdproc" ,
221 .\" which should be declared by including
222 .\" .Aq Pa sys/param.h ,
223 .\" .Aq Pa sys/user.h ,
224 .\" and
225 .\" .Aq Pa machine/proc.h ,
226 .\" and contains the following fields (among others):
227 .\" .Bl -item -compact -offset indent
228 .\" .It
229 .\" .Li syscall_num
230 .\" .It
231 .\" .Li syscall_nargs
232 .\" .It
233 .\" .Li syscall_args[8]
234 .\" .It
235 .\" .Li syscall_err
236 .\" .It
237 .\" .Li syscall_rv[2]
238 .\" .El
239 .\" When a process stops on entry to a syscall,
240 .\" .Li syscall_num
241 .\" holds the number of the syscall,
242 .\" .Li syscall_nargs
243 .\" holds the number of arguments it expects, and
244 .\" .Li syscall_args
245 .\" holds the arguments themselves. (Only the first
246 .\" .Li syscall_nargs
247 .\" elements of
248 .\" .Li syscall_args
249 .\" are guaranteed to be useful.) When a process stops on exit from a
250 .\" syscall,
251 .\" .Li syscall_num
252 .\" is
253 .\" .Eo \&
254 .\" .Li -1
255 .\" .Ec ,
256 .\" .Li syscall_err
257 .\" holds the error number
258 .\" .Po
259 .\" see
260 .\" .Xr errno 2
261 .\" .Pc ,
262 .\" or 0 if no error occurred, and
263 .\" .Li syscall_rv
264 .\" holds the return values. (If the syscall returns only one value, only
265 .\" .Li syscall_rv[0]
266 .\" is useful.) The tracing process can modify any of these with
267 .\" .Dv PT_WRITE_U ;
268 .\" only some modifications are useful.
269 .\" .Pp
270 .\" On entry to a syscall,
271 .\" .Li syscall_num
272 .\" can be changed, and the syscall actually performed will correspond to
273 .\" the new number (it is the responsibility of the tracing process to fill
274 .\" in
275 .\" .Li syscall_args
276 .\" appropriately for the new call, but there is no need to modify
277 .\" .Eo \&
278 .\" .Li syscall_nargs
279 .\" .Ec ).
280 .\" If the new syscall number is 0, no syscall is actually performed;
281 .\" instead,
282 .\" .Li syscall_err
283 .\" and
284 .\" .Li syscall_rv
285 .\" are passed back to the traced process directly (and therefore should be
286 .\" filled in). If the syscall number is otherwise out of range, a dummy
287 .\" syscall which simply produces an
288 .\" .Er ENOSYS
289 .\" error is effectively performed.
290 .\" .Pp
291 .\" On exit from a syscall, only
292 .\" .Li syscall_err
293 .\" and
294 .\" .Li syscall_rv
295 .\" can usefully be changed; they are set to the values returned by the
296 .\" syscall and will be passed back to the traced process by the normal
297 .\" syscall return mechanism.
298 .El
299 .Sh ERRORS
300 Some requests can cause
301 .Fn ptrace
302 to return
303 .Li -1
304 as a non-error value; to disambiguate,
305 .Va errno
306 can be set to 0 before the call and checked afterwards. The possible
307 errors are:
308 .Bl -tag -width 4n
309 .It Bq Er ESRCH
310 No process having the specified process ID exists.
311 .It Bq Er EINVAL
312 .Bl -bullet -compact
313 .It
314 A process attempted to use
315 .Dv PT_ATTACH
316 on itself.
317 .It
318 The
319 .Fa request
320 was not one of the legal requests.
321 .\" .It
322 .\" The
323 .\" .Fa addr
324 .\" to
325 .\" .Dv PT_READ_U
326 .\" or
327 .\" .Dv PT_WRITE_U
328 .\" was not
329 .\" .Li int Ns \&-aligned.
330 .It
331 The signal number (in
332 .Fa data )
333 to
334 .Dv PT_CONTINUE
335 .\" or
336 .\" .Dv PT_SYSCALL
337 was neither 0 nor a legal signal number.
338 .It
339 .Dv PT_GETREGS ,
340 .Dv PT_SETREGS ,
341 .Dv PT_GETFPREGS ,
342 or
343 .Dv PT_SETFPREGS
344 was attempted on a process with no valid register set. (This is
345 normally true only of system processes.)
346 .El
347 .It Bq Er EBUSY
348 .Bl -bullet -compact
349 .It
350 .Dv PT_ATTACH
351 was attempted on a process that was already being traced.
352 .It
353 A request attempted to manipulate a process that was being traced by
354 some process other than the one making the request.
355 .It
356 A request (other than
357 .Dv PT_ATTACH )
358 specified a process that wasn't stopped.
359 .El
360 .It Bq Er EPERM
361 .Bl -bullet -compact
362 .It
363 A request (other than
364 .Dv PT_ATTACH )
365 attempted to manipulate a process that wasn't being traced at all.
366 .It
367 An attempt was made to use
368 .Dv PT_ATTACH
369 on a process in violation of the requirements listed under
370 .Dv PT_ATTACH
371 above.
372 .El
373 .Sh BUGS
374 On the SPARC, the PC is set to the provided PC value for
375 .Dv PT_CONTINUE
376 and similar calls, but the NPC is set willy-nilly to 4 greater than the
377 PC value. Using
378 .Dv PT_GETREGS
379 and
380 .Dv PT_SETREGS
381 to modify the PC, passing
382 .Li (caddr_t)1
383 to
384 .Eo \&
385 .Fn ptrace
386 .Ec ,
387 should be able to sidestep this.
388 .Pp
389 Single-stepping is not available.
390 .\" .Pp
391 .\" When using
392 .\" .Dv PT_SYSCALL ,
393 .\" there is no easy way to tell whether the traced process stopped because
394 .\" it made a syscall or because a signal was sent at a moment that it just
395 .\" happened to have valid-looking garbage in its
396 .\" .Dq Li "struct mdproc" .