xref: /netbsd/lib/libc/sys/ptrace.2 (revision c4a72b64) 
1.\"	$NetBSD: ptrace.2,v 1.20 2002/10/01 18:10:45 wiz Exp $
2.\"
3.\" This file is in the public domain.
4.Dd November 7, 1994
5.Dt PTRACE 2
6.Os
7.Sh NAME
8.Nm ptrace
9.Nd process tracing and debugging
10.Sh LIBRARY
11.Lb libc
12.Sh SYNOPSIS
13.Fd #include \*[Lt]sys/types.h\*[Gt]
14.Fd #include \*[Lt]sys/ptrace.h\*[Gt]
15.Ft int
16.Fn ptrace "int request" "pid_t pid" "caddr_t addr" "int data"
17.Sh DESCRIPTION
18.Fn ptrace
19provides tracing and debugging facilities.
20It allows one process (the
21.Em tracing
22process) to control another (the
23.Em traced
24process).
25Most of the time, the traced process runs normally, but when
26it receives a signal
27.Po
28see
29.Xr sigaction 2
30.Pc ,
31it stops.
32The tracing process is expected to notice this via
33.Xr wait 2
34or the delivery of a
35.Dv SIGCHLD
36signal, examine the state of the stopped process, and cause it to
37terminate or continue as appropriate.
38.Fn ptrace
39is the mechanism by which all this happens.
40.Pp
41The
42.Fa request
43argument specifies what operation is being performed; the meaning of
44the rest of the arguments depends on the operation, but except for one
45special case noted below, all
46.Fn ptrace
47calls are made by the tracing process, and the
48.Fa pid
49argument specifies the process ID of the traced process.
50.Fa request
51can be:
52.Bl -tag -width 12n
53.It Dv PT_TRACE_ME
54This request is the only one used by the traced process; it declares
55that the process expects to be traced by its parent.
56All the other arguments are ignored.
57(If the parent process does not expect to trace
58the child, it will probably be rather confused by the results; once the
59traced process stops, it cannot be made to continue except via
60.Fn ptrace . )
61When a process has used this request and calls
62.Xr execve 2
63or any of the routines built on it
64.Po
65such as
66.Xr execv 3
67.Pc ,
68it will stop before executing the first instruction of the new image.
69Also, any setuid or setgid bits on the executable being executed will
70be ignored.
71.It Dv PT_READ_I , Dv PT_READ_D
72These requests read a single
73.Li int
74of data from the traced process' address space.
75Traditionally,
76.Fn ptrace
77has allowed for machines with distinct address spaces for instruction
78and data, which is why there are two requests: conceptually,
79.Dv PT_READ_I
80reads from the instruction space and
81.Dv PT_READ_D
82reads from the data space.
83In the current
84.Nx
85implementation, these
86two requests are completely identical.
87The
88.Fa addr
89argument specifies the address (in the traced process' virtual address
90space) at which the read is to be done.
91This address does not have to meet any alignment constraints.
92The value read is returned as the return value from
93.Eo \&
94.Fn ptrace
95.Ec .
96.It Dv PT_WRITE_I , Dv PT_WRITE_D
97These requests parallel
98.Dv PT_READ_I
99and
100.Dv PT_READ_D ,
101except that they write rather than read.
102The
103.Fa data
104argument supplies the value to be written.
105.\" .It Dv PT_READ_U
106.\" This request reads an
107.\" .Li int
108.\" from the traced process' user structure.
109.\" The
110.\" .Fa addr
111.\" argument specifies the location of the int relative to the base of the
112.\" user structure; it will usually be an integer value cast to
113.\" .Li caddr_t
114.\" either explicitly or via the presence of a prototype for
115.\" .Eo \&
116.\" .Fn ptrace
117.\" .Ec .
118.\" Unlike
119.\" .Dv PT_READ_I
120.\" and
121.\" .Dv PT_READ_D ,
122.\" .Fa addr
123.\" must be aligned on an
124.\" .Li int
125.\" boundary.
126.\" The value read is returned as the return value from
127.\" .Eo \&
128.\" .Fn ptrace
129.\" .Ec .
130.\" .It Dv PT_WRITE_U
131.\" This request writes an
132.\" .Li int
133.\" into the traced process' user structure.
134.\" .Fa addr
135.\" specifies the offset, just as for
136.\" .Dv PT_READ_U ,
137.\" and
138.\" .Fa data
139.\" specifies the value to be written, just as for
140.\" .Dv PT_WRITE_I
141.\" and
142.\" .Dv PT_WRITE_D .
143.It Dv PT_CONTINUE
144The traced process continues execution.
145.Fa addr
146is an address specifying the place where execution is to be resumed (a
147new value for the program counter), or
148.Li (caddr_t)1
149to indicate that execution is to pick up where it left off.
150.Fa data
151provides a signal number to be delivered to the traced process as it
152resumes execution, or 0 if no signal is to be sent.
153.It Dv PT_KILL
154The traced process terminates, as if
155.Dv PT_CONTINUE
156had been used with
157.Dv SIGKILL
158given as the signal to be delivered.
159.It Dv PT_ATTACH
160This request allows a process to gain control of an otherwise unrelated
161process and begin tracing it.
162It does not need any cooperation from the to-be-traced process.
163In this case,
164.Fa pid
165specifies the process ID of the to-be-traced process, and the other two
166arguments are ignored.
167This request requires that the target process
168must have the same real UID as the tracing process, and that it must
169not be executing a setuid or setgid executable.
170(If the tracing process is running as root,
171these restrictions do not apply.)
172The tracing process will see the newly-traced process stop and may then
173control it as if it had been traced all along.
174.Pp
175Three other restrictions apply to all tracing processes, even those
176running as root.
177First, no process may trace a system process.
178Second, no process may trace the process running
179.Xr init 8 .
180Third, if a process has its root directory set with
181.Xr chroot 2 ,
182it may not trace another process unless that process's root directory
183is at or below the tracing process's root.
184.It Dv PT_DETACH
185This request is like PT_CONTINUE, except that after it
186succeeds, the traced process is no longer traced and continues
187execution normally.
188.It Dv PT_IO
189This request is a more general interface that can be used instead of
190.Dv PT_READ_D ,
191.Dv PT_WRITE_D ,
192.Dv PT_READ_I ,
193and
194.Dv PT_WRITE_I .
195The I/O request is encoded in a
196.Dq Li "struct ptrace_io_desc"
197defined as:
198.Bd -literal -ffset indent
199struct ptrace_io_desc {
200	int	piod_op;
201	void	*piod_offs;
202	void	*piod_addr;
203	size_t	piod_len;
204};
205.Ed
206.Pp
207where
208.Fa piod_offs
209is the offset within the traced process where the I/O operation should
210take place,
211.Fa piod_addr
212is the buffer in the tracing process, and
213.Fa piod_len
214is the length of the I/O request.
215The
216.Fa piod_op
217field specifies which type of I/O operation to perform.
218Possible
219values are:
220.Bl -tag -width 18n
221.It PIOD_READ_D
222.It PIOD_WRITE_D
223.It PIOD_READ_I
224.It PIOD_WRITE_I
225.El
226.Pp
227See the description of
228.Dv PT_READ_I
229for the difference between I and D spaces.
230A pointer to the I/O descriptor is passed in the
231.Fa addr
232argument to
233.Fn ptrace .
234On return, the
235.Fa piod_len
236field in the I/O descriptor will be updated with the actual number of
237bytes transferred.
238If the requested I/O could not be successfully performed,
239.Fn ptrace
240will return
241.Li -1
242and set
243.Va errno .
244.El
245.Pp
246Additionally, the following requests exist but are
247not avaliable on all machine architectures.
248The file
249.Aq Pa machine/ptrace.h
250lists which requests exist on a given machine.
251.Bl -tag -width 12n
252.It Dv PT_STEP
253Execution continues as in request PT_CONTINUE; however
254as soon as possible after execution of at least one
255instruction, execution stops again.
256.It Dv PT_GETREGS
257This request reads the traced process' machine registers into the
258.Dq Li "struct reg"
259(defined in
260.Aq Pa machine/reg.h )
261pointed to by
262.Fa addr .
263.It Dv PT_SETREGS
264This request is the converse of
265.Dv PT_GETREGS ;
266it loads the traced process' machine registers from the
267.Dq Li "struct reg"
268(defined in
269.Aq Pa machine/reg.h )
270pointed to by
271.Fa addr .
272.It Dv PT_GETFPREGS
273This request reads the traced process' floating-point registers into
274the
275.Dq Li "struct fpreg"
276(defined in
277.Aq Pa machine/reg.h )
278pointed to by
279.Fa addr .
280.It Dv PT_SETFPREGS
281This request is the converse of
282.Dv PT_GETFPREGS ;
283it loads the traced process' floating-point registers from the
284.Dq Li "struct fpreg"
285(defined in
286.Aq Pa machine/reg.h )
287pointed to by
288.Fa addr .
289.\" .It Dv PT_SYSCALL
290.\" This request is like
291.\" .Dv PT_CONTINUE
292.\" except that the process will stop next time it executes any system
293.\" call.  Information about the system call can be examined with
294.\" .Dv PT_READ_U
295.\" and potentially modified with
296.\" .Dv PT_WRITE_U
297.\" through the
298.\" .Li u_kproc.kp_proc.p_md
299.\" element of the user structure (see below).  If the process is continued
300.\" with another
301.\" .Dv PT_SYSCALL
302.\" request, it will stop again on exit from the syscall, at which point
303.\" the return values can be examined and potentially changed.  The
304.\" .Li u_kproc.kp_proc.p_md
305.\" element is of type
306.\" .Dq Li "struct mdproc" ,
307.\" which should be declared by including
308.\" .Aq Pa sys/param.h ,
309.\" .Aq Pa sys/user.h ,
310.\" and
311.\" .Aq Pa machine/proc.h ,
312.\" and contains the following fields (among others):
313.\" .Bl -item -compact -offset indent
314.\" .It
315.\" .Li syscall_num
316.\" .It
317.\" .Li syscall_nargs
318.\" .It
319.\" .Li syscall_args[8]
320.\" .It
321.\" .Li syscall_err
322.\" .It
323.\" .Li syscall_rv[2]
324.\" .El
325.\" When a process stops on entry to a syscall,
326.\" .Li syscall_num
327.\" holds the number of the syscall,
328.\" .Li syscall_nargs
329.\" holds the number of arguments it expects, and
330.\" .Li syscall_args
331.\" holds the arguments themselves.
332.\" (Only the first
333.\" .Li syscall_nargs
334.\" elements of
335.\" .Li syscall_args
336.\" are guaranteed to be useful.)
337.\" When a process stops on exit from a syscall,
338.\" .Li syscall_num
339.\" is
340.\" .Eo \&
341.\" .Li -1
342.\" .Ec ,
343.\" .Li syscall_err
344.\" holds the error number
345.\" .Po
346.\" see
347.\" .Xr errno 2
348.\" .Pc ,
349.\" or 0 if no error occurred, and
350.\" .Li syscall_rv
351.\" holds the return values.
352.\" (If the syscall returns only one value, only
353.\" .Li syscall_rv[0]
354.\" is useful.)
355.\" The tracing process can modify any of these with
356.\" .Dv PT_WRITE_U ;
357.\" only some modifications are useful.
358.\" .Pp
359.\" On entry to a syscall,
360.\" .Li syscall_num
361.\" can be changed, and the syscall actually performed will correspond to
362.\" the new number (it is the responsibility of the tracing process to fill
363.\" in
364.\" .Li syscall_args
365.\" appropriately for the new call, but there is no need to modify
366.\" .Eo \&
367.\" .Li syscall_nargs
368.\" .Ec ).
369.\" If the new syscall number is 0, no syscall is actually performed;
370.\" instead,
371.\" .Li syscall_err
372.\" and
373.\" .Li syscall_rv
374.\" are passed back to the traced process directly (and therefore should be
375.\" filled in).
376.\" If the syscall number is otherwise out of range, a dummy
377.\" syscall which simply produces an
378.\" .Er ENOSYS
379.\" error is effectively performed.
380.\" .Pp
381.\" On exit from a syscall, only
382.\" .Li syscall_err
383.\" and
384.\" .Li syscall_rv
385.\" can usefully be changed; they are set to the values returned by the
386.\" syscall and will be passed back to the traced process by the normal
387.\" syscall return mechanism.
388.El
389.Sh ERRORS
390Some requests can cause
391.Fn ptrace
392to return
393.Li -1
394as a non-error value; to disambiguate,
395.Va errno
396can be set to 0 before the call and checked afterwards.
397The possible errors are:
398.Bl -tag -width 4n
399.It Bq Er EAGAIN
400Process is currently exec'ing and cannot be traced.
401.It Bq Er ESRCH
402No process having the specified process ID exists.
403.It Bq Er EINVAL
404.Bl -bullet -compact
405.It
406A process attempted to use
407.Dv PT_ATTACH
408on itself.
409.It
410The
411.Fa request
412was not a legal request on this machine architecture.
413.\" .It
414.\" The
415.\" .Fa addr
416.\" to
417.\" .Dv PT_READ_U
418.\" or
419.\" .Dv PT_WRITE_U
420.\" was not
421.\" .Li int Ns \&-aligned.
422.It
423The signal number (in
424.Fa data )
425to
426.Dv PT_CONTINUE
427.\" or
428.\" .Dv PT_SYSCALL
429was neither 0 nor a legal signal number.
430.It
431.Dv PT_GETREGS ,
432.Dv PT_SETREGS ,
433.Dv PT_GETFPREGS ,
434or
435.Dv PT_SETFPREGS
436was attempted on a process with no valid register set.
437(This is normally true only of system processes.)
438.El
439.It Bq Er EBUSY
440.Bl -bullet -compact
441.It
442.Dv PT_ATTACH
443was attempted on a process that was already being traced.
444.It
445A request attempted to manipulate a process that was being traced by
446some process other than the one making the request.
447.It
448A request (other than
449.Dv PT_ATTACH )
450specified a process that wasn't stopped.
451.El
452.It Bq Er EPERM
453.Bl -bullet -compact
454.It
455A request (other than
456.Dv PT_ATTACH )
457attempted to manipulate a process that wasn't being traced at all.
458.It
459An attempt was made to use
460.Dv PT_ATTACH
461on a process in violation of the requirements listed under
462.Dv PT_ATTACH
463above.
464.El
465.El
466.Sh SEE ALSO
467.Xr sigaction 2 ,
468.Xr signal 7
469.Sh BUGS
470On the SPARC, the PC is set to the provided PC value for
471.Dv PT_CONTINUE
472and similar calls,
473but the NPC is set willy-nilly to 4 greater than the PC value.
474Using
475.Dv PT_GETREGS
476and
477.Dv PT_SETREGS
478to modify the PC, passing
479.Li (caddr_t)1
480to
481.Eo \&
482.Fn ptrace
483.Ec ,
484should be able to sidestep this.
485.\" .Pp
486.\" When using
487.\" .Dv PT_SYSCALL ,
488.\" there is no easy way to tell whether the traced process stopped because
489.\" it made a syscall or because a signal was sent at a moment that it just
490.\" happened to have valid-looking garbage in its
491.\" .Dq Li "struct mdproc" .
492