Mirror of strace – the linux syscall tracer
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

README-linux-ptrace 24KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542
  1. This document describes Linux ptrace implementation in Linux kernels
  2. version 3.0.0. (Update this notice if you update the document
  3. to reflect newer kernels).
  4. Ptrace userspace API.
  5. Ptrace API (ab)uses standard Unix parent/child signaling over waitpid.
  6. An unfortunate effect of it is that resulting API is complex and has
  7. subtle quirks. This document aims to describe these quirks.
  8. Debugged processes (tracees) first need to be attached to the debugging
  9. process (tracer). Attachment and subsequent commands are per-thread: in
  10. multi-threaded process, every thread can be individually attached to a
  11. (potentially different) tracer, or left not attached and thus not
  12. debugged. Therefore, "tracee" always means "(one) thread", never "a
  13. (possibly multi-threaded) process". Ptrace commands are always sent to
  14. a specific tracee using ptrace(PTRACE_foo, pid, ...), where pid is a
  15. TID of the corresponding Linux thread.
  16. After attachment, each tracee can be in two states: running or stopped.
  17. There are many kinds of states when tracee is stopped, and in ptrace
  18. discussions they are often conflated. Therefore, it is important to use
  19. precise terms.
  20. In this document, any stopped state in which tracee is ready to accept
  21. ptrace commands from the tracer is called ptrace-stop. Ptrace-stops can
  22. be further subdivided into signal-delivery-stop, group-stop,
  23. syscall-stop and so on. They are described in detail later.
  24. 1.x Death under ptrace.
  25. When a (possibly multi-threaded) process receives a killing signal (a
  26. signal set to SIG_DFL and whose default action is to kill the process),
  27. all threads exit. Tracees report their death to the tracer(s). This is
  28. not a ptrace-stop (because tracer can't query tracee status such as
  29. register contents, cannot restart tracee etc) but the notification
  30. about this event is delivered through waitpid API similarly to
  31. ptrace-stop.
  32. Note that killing signal will first cause signal-delivery-stop (on one
  33. tracee only), and only after it is injected by tracer (or after it was
  34. dispatched to a thread which isn't traced), death from signal will
  35. happen on ALL tracees within multi-threaded process.
  36. SIGKILL operates similarly, with exceptions. No signal-delivery-stop is
  37. generated for SIGKILL and therefore tracer can't suppress it. SIGKILL
  38. kills even within syscalls (syscall-exit-stop is not generated prior to
  39. death by SIGKILL). The net effect is that SIGKILL always kills the
  40. process (all its threads), even if some threads of the process are
  41. ptraced.
  42. Tracer can kill a tracee with ptrace(PTRACE_KILL, pid, 0, 0). This
  43. operation is deprecated, use kill/tgkill(SIGKILL) instead.
  44. ^^^ Oleg prefers to deprecate it instead of describing (and needing to
  45. support) PTRACE_KILL's quirks.
  46. When tracee executes exit syscall, it reports its death to its tracer.
  47. Other threads are not affected.
  48. When any thread executes exit_group syscall, every tracee in its thread
  49. group reports its death to its tracer.
  50. If PTRACE_O_TRACEEXIT option is on, PTRACE_EVENT_EXIT will happen
  51. before actual death. This applies to exits on exit syscall, group_exit
  52. syscall, signal deaths (except SIGKILL), and when threads are torn down
  53. on execve in multi-threaded process.
  54. Tracer cannot assume that ptrace-stopped tracee exists. There are many
  55. scenarios when tracee may die while stopped (such as SIGKILL).
  56. Therefore, tracer must always be prepared to handle ESRCH error on any
  57. ptrace operation. Unfortunately, the same error is returned if tracee
  58. exists but is not ptrace-stopped (for commands which require stopped
  59. tracee), or if it is not traced by process which issued ptrace call.
  60. Tracer needs to keep track of stopped/running state, and interpret
  61. ESRCH as "tracee died unexpectedly" only if it knows that tracee has
  62. been observed to enter ptrace-stop. Note that there is no guarantee
  63. that waitpid(WNOHANG) will reliably report tracee's death status if
  64. ptrace operation returned ESRCH. waitpid(WNOHANG) may return 0 instead.
  65. IOW: tracee may be "not yet fully dead" but already refusing ptrace ops.
  66. Tracer can not assume that tracee ALWAYS ends its life by reporting
  67. WIFEXITED(status) or WIFSIGNALED(status).
  68. ??? or can it? Do we include such a promise into ptrace API?
  69. 1.x Stopped states.
  70. When running tracee enters ptrace-stop, it notifies its tracer using
  71. waitpid API. Tracer should use waitpid family of syscalls to wait for
  72. tracee to stop. Most of this document assumes that tracer waits with:
  73. pid = waitpid(pid_or_minus_1, &status, __WALL);
  74. Ptrace-stopped tracees are reported as returns with pid > 0 and
  75. WIFSTOPPED(status) == true.
  76. ??? Do we require __WALL usage, or will just using 0 be ok? Are the
  77. rules different if user wants to use waitid? Will waitid require
  78. WEXITED?
  79. __WALL value does not include WSTOPPED and WEXITED bits, but implies
  80. their functionality.
  81. Setting of WCONTINUED bit in waitpid flags is not recommended: the
  82. continued state is per-process and consuming it can confuse real parent
  83. of the tracee.
  84. Use of WNOHANG bit in waitpid flags may cause waitpid return 0 ("no
  85. wait results available yet") even if tracer knows there should be a
  86. notification. Example: kill(tracee, SIGKILL); waitpid(tracee, &status,
  87. __WALL | WNOHANG);
  88. ??? waitid usage? WNOWAIT?
  89. ??? describe how wait notifications queue (or not queue)
  90. The following kinds of ptrace-stops exist: signal-delivery-stops,
  91. group-stop, PTRACE_EVENT stops, syscall-stops [, SINGLESTEP, SYSEMU,
  92. SYSEMU_SINGLESTEP]. They all are reported as waitpid result with
  93. WIFSTOPPED(status) == true. They may be differentiated by checking
  94. (status >> 8) value, and if looking at (status >> 8) value doesn't
  95. resolve ambiguity, by querying PTRACE_GETSIGINFO. (Note:
  96. WSTOPSIG(status) macro returns ((status >> 8) & 0xff) value).
  97. 1.x.x Signal-delivery-stop
  98. When (possibly multi-threaded) process receives any signal except
  99. SIGKILL, kernel selects a thread which handles the signal (if signal is
  100. generated with t[g]kill, thread selection is done by user). If selected
  101. thread is traced, it enters signal-delivery-stop. By this point, signal
  102. is not yet delivered to the process, and can be suppressed by tracer.
  103. If tracer doesn't suppress the signal, it passes signal to tracee in
  104. the next ptrace request. This second step of signal delivery is called
  105. "signal injection" in this document. Note that if signal is blocked,
  106. signal-delivery-stop doesn't happen until signal is unblocked, with the
  107. usual exception that SIGSTOP can't be blocked.
  108. Signal-delivery-stop is observed by tracer as waitpid returning with
  109. WIFSTOPPED(status) == true, WSTOPSIG(status) == signal. If
  110. WSTOPSIG(status) == SIGTRAP, this may be a different kind of
  111. ptrace-stop - see "Syscall-stops" and "execve" sections below for
  112. details. If WSTOPSIG(status) == stopping signal, this may be a
  113. group-stop - see below.
  114. 1.x.x Signal injection and suppression.
  115. After signal-delivery-stop is observed by tracer, tracer should restart
  116. tracee with
  117. ptrace(PTRACE_rest, pid, 0, sig)
  118. call, where PTRACE_rest is one of the restarting ptrace ops. If sig is
  119. 0, then signal is not delivered. Otherwise, signal sig is delivered.
  120. This operation is called "signal injection" in this document, to
  121. distinguish it from signal-delivery-stop.
  122. Note that sig value may be different from WSTOPSIG(status) value -
  123. tracer can cause a different signal to be injected.
  124. Note that suppressed signal still causes syscalls to return
  125. prematurely. Kernel should always restart the syscall in this case:
  126. tracer would observe a new syscall-enter-stop for the same syscall,
  127. or, in case of syscalls returning ERESTART_RESTARTBLOCK,
  128. tracer would observe a syscall-enter-stop for restart_syscall(2)
  129. syscall. There may still be bugs in this area which cause some syscalls
  130. to instead return with -EINTR even though no observable signal
  131. was injected to the tracee.
  132. This is a cause of confusion among ptrace users. One typical scenario
  133. is that tracer observes group-stop, mistakes it for
  134. signal-delivery-stop, restarts tracee with ptrace(PTRACE_rest, pid, 0,
  135. stopsig) with the intention of injecting stopsig, but stopsig gets
  136. ignored and tracee continues to run.
  137. SIGCONT signal has a side effect of waking up (all threads of)
  138. group-stopped process. This side effect happens before
  139. signal-delivery-stop. Tracer can't suppress this side-effect (it can
  140. only suppress signal injection, which only causes SIGCONT handler to
  141. not be executed in the tracee, if such handler is installed). In fact,
  142. waking up from group-stop may be followed by signal-delivery-stop for
  143. signal(s) *other than* SIGCONT, if they were pending when SIGCONT was
  144. delivered. IOW: SIGCONT may be not the first signal observed by the
  145. tracee after it was sent.
  146. Stopping signals cause (all threads of) process to enter group-stop.
  147. This side effect happens after signal injection, and therefore can be
  148. suppressed by tracer.
  149. PTRACE_GETSIGINFO can be used to retrieve siginfo_t structure which
  150. corresponds to delivered signal. PTRACE_SETSIGINFO may be used to
  151. modify it. If PTRACE_SETSIGINFO has been used to alter siginfo_t,
  152. si_signo field and sig parameter in restarting command must match,
  153. otherwise the result is undefined.
  154. 1.x.x Group-stop
  155. When a (possibly multi-threaded) process receives a stopping signal,
  156. all threads stop. If some threads are traced, they enter a group-stop.
  157. Note that stopping signal will first cause signal-delivery-stop (on one
  158. tracee only), and only after it is injected by tracer (or after it was
  159. dispatched to a thread which isn't traced), group-stop will be
  160. initiated on ALL tracees within multi-threaded process. As usual, every
  161. tracee reports its group-stop separately to corresponding tracer.
  162. Group-stop is observed by tracer as waitpid returning with
  163. WIFSTOPPED(status) == true, WSTOPSIG(status) == signal. The same result
  164. is returned by some other classes of ptrace-stops, therefore the
  165. recommended practice is to perform
  166. ptrace(PTRACE_GETSIGINFO, pid, 0, &siginfo)
  167. call. The call can be avoided if signal number is not SIGSTOP, SIGTSTP,
  168. SIGTTIN or SIGTTOU - only these four signals are stopping signals. If
  169. tracer sees something else, it can't be group-stop. Otherwise, tracer
  170. needs to call PTRACE_GETSIGINFO. If PTRACE_GETSIGINFO fails with
  171. EINVAL, then it is definitely a group-stop. (Other failure codes are
  172. possible, such as ESRCH "no such process" if SIGKILL killed the tracee).
  173. As of kernel 2.6.38, after tracer sees tracee ptrace-stop and until it
  174. restarts or kills it, tracee will not run, and will not send
  175. notifications (except SIGKILL death) to tracer, even if tracer enters
  176. into another waitpid call.
  177. Currently, it causes a problem with transparent handling of stopping
  178. signals: if tracer restarts tracee after group-stop, SIGSTOP is
  179. effectively ignored: tracee doesn't remain stopped, it runs. If tracer
  180. doesn't restart tracee before entering into next waitpid, future
  181. SIGCONT will not be reported to the tracer. Which would make SIGCONT to
  182. have no effect.
  183. 1.x.x PTRACE_EVENT stops
  184. If tracer sets TRACE_O_TRACEfoo options, tracee will enter ptrace-stops
  185. called PTRACE_EVENT stops.
  186. PTRACE_EVENT stops are observed by tracer as waitpid returning with
  187. WIFSTOPPED(status) == true, WSTOPSIG(status) == SIGTRAP. Additional bit
  188. is set in a higher byte of status word: value ((status >> 8) & 0xffff)
  189. will be (SIGTRAP | PTRACE_EVENT_foo << 8). The following events exist:
  190. PTRACE_EVENT_VFORK - stop before return from vfork/clone+CLONE_VFORK.
  191. When tracee is continued after this, it will wait for child to
  192. exit/exec before continuing its execution (IOW: usual behavior on
  193. vfork).
  194. PTRACE_EVENT_FORK - stop before return from fork/clone+SIGCHLD
  195. PTRACE_EVENT_CLONE - stop before return from clone
  196. PTRACE_EVENT_VFORK_DONE - stop before return from
  197. vfork/clone+CLONE_VFORK, but after vfork child unblocked this tracee by
  198. exiting or exec'ing.
  199. For all four stops described above: stop occurs in parent, not in newly
  200. created thread. PTRACE_GETEVENTMSG can be used to retrieve new thread's
  201. tid.
  202. PTRACE_EVENT_EXEC - stop before return from exec.
  203. PTRACE_EVENT_EXIT - stop before exit (including death from exit_group),
  204. signal death, or exit caused by execve in multi-threaded process.
  205. PTRACE_GETEVENTMSG returns exit status. Registers can be examined
  206. (unlike when "real" exit happens). The tracee is still alive, it needs
  207. to be PTRACE_CONTed or PTRACE_DETACHed to finish exit.
  208. PTRACE_GETSIGINFO on PTRACE_EVENT stops returns si_signo = SIGTRAP,
  209. si_code = (event << 8) | SIGTRAP.
  210. 1.x.x Syscall-stops
  211. If tracee was restarted by PTRACE_SYSCALL, tracee enters
  212. syscall-enter-stop just prior to entering any syscall. If tracer
  213. restarts it with PTRACE_SYSCALL, tracee enters syscall-exit-stop when
  214. syscall is finished, or if it is interrupted by a signal. (That is,
  215. signal-delivery-stop never happens between syscall-enter-stop and
  216. syscall-exit-stop, it happens *after* syscall-exit-stop).
  217. Other possibilities are that tracee may stop in a PTRACE_EVENT stop,
  218. exit (if it entered exit or exit_group syscall), be killed by SIGKILL,
  219. or die silently (if execve syscall happened in another thread).
  220. Syscall-enter-stop and syscall-exit-stop are observed by tracer as
  221. waitpid returning with WIFSTOPPED(status) == true, WSTOPSIG(status) ==
  222. SIGTRAP. If PTRACE_O_TRACESYSGOOD option was set by tracer, then
  223. WSTOPSIG(status) == (SIGTRAP | 0x80).
  224. Syscall-stops can be distinguished from signal-delivery-stop with
  225. SIGTRAP by querying PTRACE_GETSIGINFO: si_code <= 0 if sent by usual
  226. suspects like [tg]kill/sigqueue/etc; or = SI_KERNEL (0x80) if sent by
  227. kernel, whereas syscall-stops have si_code = SIGTRAP or (SIGTRAP |
  228. 0x80). However, syscall-stops happen very often (twice per syscall),
  229. and performing PTRACE_GETSIGINFO for every syscall-stop may be somewhat
  230. expensive.
  231. Some architectures allow to distinguish them by examining registers.
  232. For example, on x86 rax = -ENOSYS in syscall-enter-stop. Since SIGTRAP
  233. (like any other signal) always happens *after* syscall-exit-stop, and
  234. at this point rax almost never contains -ENOSYS, SIGTRAP looks like
  235. "syscall-stop which is not syscall-enter-stop", IOW: it looks like a
  236. "stray syscall-exit-stop" and can be detected this way. But such
  237. detection is fragile and is best avoided.
  238. Using PTRACE_O_TRACESYSGOOD option is a recommended method, since it is
  239. reliable and does not incur performance penalty.
  240. Syscall-enter-stop and syscall-exit-stop are indistinguishable from
  241. each other by tracer. Tracer needs to keep track of the sequence of
  242. ptrace-stops in order to not misinterpret syscall-enter-stop as
  243. syscall-exit-stop or vice versa. The rule is that syscall-enter-stop is
  244. always followed by syscall-exit-stop, PTRACE_EVENT stop or tracee's
  245. death - no other kinds of ptrace-stop can occur in between.
  246. If after syscall-enter-stop tracer uses restarting command other than
  247. PTRACE_SYSCALL, syscall-exit-stop is not generated.
  248. PTRACE_GETSIGINFO on syscall-stops returns si_signo = SIGTRAP, si_code
  249. = SIGTRAP or (SIGTRAP | 0x80).
  250. 1.x.x SINGLESTEP, SYSEMU, SYSEMU_SINGLESTEP
  251. ??? document PTRACE_SINGLESTEP, PTRACE_SYSEMU, PTRACE_SYSEMU_SINGLESTEP
  252. 1.x Informational and restarting ptrace commands.
  253. Most ptrace commands (all except ATTACH, TRACEME, KILL) require tracee
  254. to be in ptrace-stop, otherwise they fail with ESRCH.
  255. When tracee is in ptrace-stop, tracer can read and write data to tracee
  256. using informational commands. They leave tracee in ptrace-stopped state:
  257. longv = ptrace(PTRACE_PEEKTEXT/PEEKDATA/PEEKUSER, pid, addr, 0);
  258. ptrace(PTRACE_POKETEXT/POKEDATA/POKEUSER, pid, addr, long_val);
  259. ptrace(PTRACE_GETREGS/GETFPREGS, pid, 0, &struct);
  260. ptrace(PTRACE_SETREGS/SETFPREGS, pid, 0, &struct);
  261. ptrace(PTRACE_GETSIGINFO, pid, 0, &siginfo);
  262. ptrace(PTRACE_SETSIGINFO, pid, 0, &siginfo);
  263. ptrace(PTRACE_GETEVENTMSG, pid, 0, &long_var);
  264. ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags);
  265. Note that some errors are not reported. For example, setting siginfo
  266. may have no effect in some ptrace-stops, yet the call may succeed
  267. (return 0 and don't set errno).
  268. ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags) affects one tracee.
  269. Current flags are replaced. Flags are inherited by new tracees created
  270. and "auto-attached" via active PTRACE_O_TRACE[V]FORK or
  271. PTRACE_O_TRACECLONE options.
  272. Another group of commands makes ptrace-stopped tracee run. They have
  273. the form:
  274. ptrace(PTRACE_cmd, pid, 0, sig);
  275. where cmd is CONT, DETACH, SYSCALL, SINGLESTEP, SYSEMU, or
  276. SYSEMU_SINGLESTEP. If tracee is in signal-delivery-stop, sig is the
  277. signal to be injected. Otherwise, sig may be ignored.
  278. 1.x Attaching and detaching
  279. A thread can be attached to tracer using ptrace(PTRACE_ATTACH, pid, 0,
  280. 0) call. This also sends SIGSTOP to this thread. If tracer wants this
  281. SIGSTOP to have no effect, it needs to suppress it. Note that if other
  282. signals are concurrently sent to this thread during attach, tracer may
  283. see tracee enter signal-delivery-stop with other signal(s) first! The
  284. usual practice is to reinject these signals until SIGSTOP is seen, then
  285. suppress SIGSTOP injection. The design bug here is that attach and
  286. concurrent SIGSTOP are racing and SIGSTOP may be lost.
  287. ??? Describe how to attach to a thread which is already group-stopped.
  288. Since attaching sends SIGSTOP and tracer usually suppresses it, this
  289. may cause stray EINTR return from the currently executing syscall in
  290. the tracee, as described in "signal injection and suppression" section.
  291. ptrace(PTRACE_TRACEME, 0, 0, 0) request turns current thread into a
  292. tracee. It continues to run (doesn't enter ptrace-stop). A common
  293. practice is to follow ptrace(PTRACE_TRACEME) with raise(SIGSTOP) and
  294. allow parent (which is our tracer now) to observe our
  295. signal-delivery-stop.
  296. If PTRACE_O_TRACE[V]FORK or PTRACE_O_TRACECLONE options are in effect,
  297. then children created by (vfork or clone(CLONE_VFORK)), (fork or
  298. clone(SIGCHLD)) and (other kinds of clone) respectively are
  299. automatically attached to the same tracer which traced their parent.
  300. SIGSTOP is delivered to them, causing them to enter
  301. signal-delivery-stop after they exit syscall which created them.
  302. Detaching of tracee is performed by ptrace(PTRACE_DETACH, pid, 0, sig).
  303. PTRACE_DETACH is a restarting operation, therefore it requires tracee
  304. to be in ptrace-stop. If tracee is in signal-delivery-stop, signal can
  305. be injected. Othervice, sig parameter may be silently ignored.
  306. If tracee is running when tracer wants to detach it, the usual solution
  307. is to send SIGSTOP (using tgkill, to make sure it goes to the correct
  308. thread), wait for tracee to stop in signal-delivery-stop for SIGSTOP
  309. and then detach it (suppressing SIGSTOP injection). Design bug is that
  310. this can race with concurrent SIGSTOPs. Another complication is that
  311. tracee may enter other ptrace-stops and needs to be restarted and
  312. waited for again, until SIGSTOP is seen. Yet another complication is to
  313. be sure that tracee is not already ptrace-stopped, because no signal
  314. delivery happens while it is - not even SIGSTOP.
  315. ??? Describe how to detach from a group-stopped tracee so that it
  316. doesn't run, but continues to wait for SIGCONT.
  317. If tracer dies, all tracees are automatically detached and restarted,
  318. unless they were in group-stop. Handling of restart from group-stop is
  319. currently buggy, but "as planned" behavior is to leave tracee stopped
  320. and waiting for SIGCONT. If tracee is restarted from
  321. signal-delivery-stop, pending signal is injected.
  322. 1.x execve under ptrace.
  323. During execve, kernel destroys all other threads in the process, and
  324. resets execve'ing thread tid to tgid (process id). This looks very
  325. confusing to tracers:
  326. All other threads stop in PTRACE_EXIT stop, if requested by active
  327. ptrace option. Then all other threads except thread group leader report
  328. death as if they exited via exit syscall with exit code 0. Then
  329. PTRACE_EVENT_EXEC stop happens, if requested by active ptrace option
  330. (on which tracee - leader? execve-ing one?).
  331. The execve-ing tracee changes its pid while it is in execve syscall.
  332. (Remember, under ptrace 'pid' returned from waitpid, or fed into ptrace
  333. calls, is tracee's tid). That is, pid is reset to process id, which
  334. coincides with thread group leader tid.
  335. If thread group leader has reported its death by this time, for tracer
  336. this looks like dead thread leader "reappears from nowhere". If thread
  337. group leader was still alive, for tracer this may look as if thread
  338. group leader returns from a different syscall than it entered, or even
  339. "returned from syscall even though it was not in any syscall". If
  340. thread group leader was not traced (or was traced by a different
  341. tracer), during execve it will appear as if it has become a tracee of
  342. the tracer of execve'ing tracee. All these effects are the artifacts of
  343. pid change.
  344. PTRACE_O_TRACEEXEC option is the recommended tool for dealing with this
  345. case. It enables PTRACE_EVENT_EXEC stop which occurs before execve
  346. syscall return.
  347. Pid change happens before PTRACE_EVENT_EXEC stop, not after.
  348. When tracer receives PTRACE_EVENT_EXEC stop notification, it is
  349. guaranteed that except this tracee and thread group leader, no other
  350. threads from the process are alive.
  351. On receiving this notification, tracer should clean up all its internal
  352. data structures about all threads of this process, and retain only one
  353. data structure, one which describes single still running tracee, with
  354. pid = tgid = process id.
  355. Currently, there is no way to retrieve former pid of execve-ing tracee.
  356. If tracer doesn't keep track of its tracees' thread group relations, it
  357. may be unable to know which tracee execve-ed and therefore no longer
  358. exists under old pid due to pid change.
  359. Example: two threads execve at the same time:
  360. ** we get syscall-entry-stop in thread 1: **
  361. PID1 execve("/bin/foo", "foo" <unfinished ...>
  362. ** we issue PTRACE_SYSCALL for thread 1 **
  363. ** we get syscall-entry-stop in thread 2: **
  364. PID2 execve("/bin/bar", "bar" <unfinished ...>
  365. ** we issue PTRACE_SYSCALL for thread 2 **
  366. ** we get PTRACE_EVENT_EXEC for PID0, we issue PTRACE_SYSCALL **
  367. ** we get syscall-exit-stop for PID0: **
  368. PID0 <... execve resumed> ) = 0
  369. In this situation there is no way to know which execve succeeded.
  370. If PTRACE_O_TRACEEXEC option is NOT in effect for the execve'ing
  371. tracee, kernel delivers an extra SIGTRAP to tracee after execve syscall
  372. returns. This is an ordinary signal (similar to one which can be
  373. generated by "kill -TRAP"), not a special kind of ptrace-stop.
  374. GETSIGINFO on it has si_code = 0 (SI_USER). It can be blocked by signal
  375. mask, and thus can happen (much) later.
  376. Usually, tracer (for example, strace) would not want to show this extra
  377. post-execve SIGTRAP signal to the user, and would suppress its delivery
  378. to the tracee (if SIGTRAP is set to SIG_DFL, it is a killing signal).
  379. However, determining *which* SIGTRAP to suppress is not easy. Setting
  380. PTRACE_O_TRACEEXEC option and thus suppressing this extra SIGTRAP is
  381. the recommended approach.
  382. 1.x Real parent
  383. Ptrace API (ab)uses standard Unix parent/child signaling over waitpid.
  384. This used to cause real parent of the process to stop receiving several
  385. kinds of waitpid notifications when child process is traced by some
  386. other process.
  387. Many of these bugs have been fixed, but as of 2.6.38 several still
  388. exist.
  389. As of 2.6.38, the following is believed to work correctly:
  390. - exit/death by signal is reported first to tracer, then, when tracer
  391. consumes waitpid result, to real parent (to real parent only when the
  392. whole multi-threaded process exits). If they are the same process, the
  393. report is sent only once.
  394. 1.x Known bugs
  395. Following bugs still exist:
  396. Group-stop notifications are sent to tracer, but not to real parent.
  397. Last confirmed on 2.6.38.6.
  398. If thread group leader is traced and exits by calling exit syscall,
  399. PTRACE_EVENT_EXIT stop will happen for it (if requested), but subsequent
  400. WIFEXITED notification will not be delivered until all other threads
  401. exit. As explained above, if one of other threads execve's, thread
  402. group leader death will *never* be reported. If execve-ed thread is not
  403. traced by this tracer, tracer will never know that execve happened.
  404. ??? need to test this scenario
  405. One possible workaround is to detach thread group leader instead of
  406. restarting it in this case. Last confirmed on 2.6.38.6.
  407. SIGKILL signal may still cause PTRACE_EVENT_EXIT stop before actual
  408. signal death. This may be changed in the future - SIGKILL is meant to
  409. always immediately kill tasks even under ptrace. Last confirmed on
  410. 2.6.38.6.