summaryrefslogtreecommitdiffstats
path: root/lib/libc/sys/ptrace.2
diff options
context:
space:
mode:
Diffstat (limited to 'lib/libc/sys/ptrace.2')
-rw-r--r--lib/libc/sys/ptrace.2606
1 files changed, 606 insertions, 0 deletions
diff --git a/lib/libc/sys/ptrace.2 b/lib/libc/sys/ptrace.2
new file mode 100644
index 0000000..9dda8ee
--- /dev/null
+++ b/lib/libc/sys/ptrace.2
@@ -0,0 +1,606 @@
+.\" $FreeBSD$
+.\" $NetBSD: ptrace.2,v 1.2 1995/02/27 12:35:37 cgd Exp $
+.\"
+.\" This file is in the public domain.
+.Dd February 19, 2012
+.Dt PTRACE 2
+.Os
+.Sh NAME
+.Nm ptrace
+.Nd process tracing and debugging
+.Sh LIBRARY
+.Lb libc
+.Sh SYNOPSIS
+.In sys/types.h
+.In sys/ptrace.h
+.Ft int
+.Fn ptrace "int request" "pid_t pid" "caddr_t addr" "int data"
+.Sh DESCRIPTION
+The
+.Fn ptrace
+system call
+provides tracing and debugging facilities.
+It allows one process
+(the
+.Em tracing
+process)
+to control another
+(the
+.Em traced
+process).
+The tracing process must first attach to the traced process, and then
+issue a series of
+.Fn ptrace
+system calls to control the execution of the process, as well as access
+process memory and register state.
+For the duration of the tracing session, the traced process will be
+.Dq re-parented ,
+with its parent process ID (and resulting behavior)
+changed to the tracing process.
+It is permissible for a tracing process to attach to more than one
+other process at a time.
+When the tracing process has completed its work, it must detach the
+traced process; if a tracing process exits without first detaching all
+processes it has attached, those processes will be killed.
+.Pp
+Most of the time, the traced process runs normally, but when it
+receives a signal
+(see
+.Xr sigaction 2 ) ,
+it stops.
+The tracing process is expected to notice this via
+.Xr wait 2
+or the delivery of a
+.Dv SIGCHLD
+signal, examine the state of the stopped process, and cause it to
+terminate or continue as appropriate.
+The signal may be a normal process signal, generated as a result of
+traced process behavior, or use of the
+.Xr kill 2
+system call; alternatively, it may be generated by the tracing facility
+as a result of attaching, system calls, or stepping by the tracing
+process.
+The tracing process may choose to intercept the signal, using it to
+observe process behavior (such as
+.Dv SIGTRAP ) ,
+or forward the signal to the process if appropriate.
+The
+.Fn ptrace
+system call
+is the mechanism by which all this happens.
+.Pp
+The
+.Fa request
+argument specifies what operation is being performed; the meaning of
+the rest of the arguments depends on the operation, but except for one
+special case noted below, all
+.Fn ptrace
+calls are made by the tracing process, and the
+.Fa pid
+argument specifies the process ID of the traced process
+or a corresponding thread ID.
+The
+.Fa request
+argument
+can be:
+.Bl -tag -width 12n
+.It Dv PT_TRACE_ME
+This request is the only one used by the traced process; it declares
+that the process expects to be traced by its parent.
+All the other arguments are ignored.
+(If the parent process does not expect to trace the child, it will
+probably be rather confused by the results; once the traced process
+stops, it cannot be made to continue except via
+.Fn ptrace . )
+When a process has used this request and calls
+.Xr execve 2
+or any of the routines built on it
+(such as
+.Xr execv 3 ) ,
+it will stop before executing the first instruction of the new image.
+Also, any setuid or setgid bits on the executable being executed will
+be ignored.
+.It Dv PT_READ_I , Dv PT_READ_D
+These requests read a single
+.Vt int
+of data from the traced process's address space.
+Traditionally,
+.Fn ptrace
+has allowed for machines with distinct address spaces for instruction
+and data, which is why there are two requests: conceptually,
+.Dv PT_READ_I
+reads from the instruction space and
+.Dv PT_READ_D
+reads from the data space.
+In the current
+.Fx
+implementation, these two requests are completely identical.
+The
+.Fa addr
+argument specifies the address
+(in the traced process's virtual address space)
+at which the read is to be done.
+This address does not have to meet any alignment constraints.
+The value read is returned as the return value from
+.Fn ptrace .
+.It Dv PT_WRITE_I , Dv PT_WRITE_D
+These requests parallel
+.Dv PT_READ_I
+and
+.Dv PT_READ_D ,
+except that they write rather than read.
+The
+.Fa data
+argument supplies the value to be written.
+.It Dv PT_IO
+This request allows reading and writing arbitrary amounts of data in
+the traced process's address space.
+The
+.Fa addr
+argument specifies a pointer to a
+.Vt "struct ptrace_io_desc" ,
+which is defined as follows:
+.Bd -literal
+struct ptrace_io_desc {
+ int piod_op; /* I/O operation */
+ void *piod_offs; /* child offset */
+ void *piod_addr; /* parent offset */
+ size_t piod_len; /* request length */
+};
+
+/*
+ * Operations in piod_op.
+ */
+#define PIOD_READ_D 1 /* Read from D space */
+#define PIOD_WRITE_D 2 /* Write to D space */
+#define PIOD_READ_I 3 /* Read from I space */
+#define PIOD_WRITE_I 4 /* Write to I space */
+.Ed
+.Pp
+The
+.Fa data
+argument is ignored.
+The actual number of bytes read or written is stored in
+.Va piod_len
+upon return.
+.It Dv PT_CONTINUE
+The traced process continues execution.
+The
+.Fa addr
+argument
+is an address specifying the place where execution is to be resumed
+(a new value for the program counter),
+or
+.Po Vt caddr_t Pc Ns 1
+to indicate that execution is to pick up where it left off.
+The
+.Fa data
+argument
+provides a signal number to be delivered to the traced process as it
+resumes execution, or 0 if no signal is to be sent.
+.It Dv PT_STEP
+The traced process is single stepped one instruction.
+The
+.Fa addr
+argument
+should be passed
+.Po Vt caddr_t Pc Ns 1 .
+The
+.Fa data
+argument
+provides a signal number to be delivered to the traced process as it
+resumes execution, or 0 if no signal is to be sent.
+.It Dv PT_KILL
+The traced process terminates, as if
+.Dv PT_CONTINUE
+had been used with
+.Dv SIGKILL
+given as the signal to be delivered.
+.It Dv PT_ATTACH
+This request allows a process to gain control of an otherwise
+unrelated process and begin tracing it.
+It does not need any cooperation from the to-be-traced process.
+In
+this case,
+.Fa pid
+specifies the process ID of the to-be-traced process, and the other
+two arguments are ignored.
+This request requires that the target process must have the same real
+UID as the tracing process, and that it must not be executing a setuid
+or setgid executable.
+(If the tracing process is running as root, these restrictions do not
+apply.)
+The tracing process will see the newly-traced process stop and may
+then control it as if it had been traced all along.
+.It Dv PT_DETACH
+This request is like PT_CONTINUE, except that it does not allow
+specifying an alternate place to continue execution, and after it
+succeeds, the traced process is no longer traced and continues
+execution normally.
+.It Dv PT_GETREGS
+This request reads the traced process's machine registers into the
+.Do
+.Vt "struct reg"
+.Dc
+(defined in
+.In machine/reg.h )
+pointed to by
+.Fa addr .
+.It Dv PT_SETREGS
+This request is the converse of
+.Dv PT_GETREGS ;
+it loads the traced process's machine registers from the
+.Do
+.Vt "struct reg"
+.Dc
+(defined in
+.In machine/reg.h )
+pointed to by
+.Fa addr .
+.It Dv PT_GETFPREGS
+This request reads the traced process's floating-point registers into
+the
+.Do
+.Vt "struct fpreg"
+.Dc
+(defined in
+.In machine/reg.h )
+pointed to by
+.Fa addr .
+.It Dv PT_SETFPREGS
+This request is the converse of
+.Dv PT_GETFPREGS ;
+it loads the traced process's floating-point registers from the
+.Do
+.Vt "struct fpreg"
+.Dc
+(defined in
+.In machine/reg.h )
+pointed to by
+.Fa addr .
+.It Dv PT_GETDBREGS
+This request reads the traced process's debug registers into
+the
+.Do
+.Vt "struct dbreg"
+.Dc
+(defined in
+.In machine/reg.h )
+pointed to by
+.Fa addr .
+.It Dv PT_SETDBREGS
+This request is the converse of
+.Dv PT_GETDBREGS ;
+it loads the traced process's debug registers from the
+.Do
+.Vt "struct dbreg"
+.Dc
+(defined in
+.In machine/reg.h )
+pointed to by
+.Fa addr .
+.It Dv PT_LWPINFO
+This request can be used to obtain information about the kernel thread,
+also known as light-weight process, that caused the traced process to stop.
+The
+.Fa addr
+argument specifies a pointer to a
+.Vt "struct ptrace_lwpinfo" ,
+which is defined as follows:
+.Bd -literal
+struct ptrace_lwpinfo {
+ lwpid_t pl_lwpid;
+ int pl_event;
+ int pl_flags;
+ sigset_t pl_sigmask;
+ sigset_t pl_siglist;
+ siginfo_t pl_siginfo;
+ char pl_tdname[MAXCOMLEN + 1];
+ int pl_child_pid;
+};
+.Ed
+.Pp
+The
+.Fa data
+argument is to be set to the size of the structure known to the caller.
+This allows the structure to grow without affecting older programs.
+.Pp
+The fields in the
+.Vt "struct ptrace_lwpinfo"
+have the following meaning:
+.Bl -tag -width indent -compact
+.It pl_lwpid
+LWP id of the thread
+.It pl_event
+Event that caused the stop.
+Currently defined events are
+.Bl -tag -width indent -compact
+.It PL_EVENT_NONE
+No reason given
+.It PL_EVENT_SIGNAL
+Thread stopped due to the pending signal
+.El
+.It pl_flags
+Flags that specify additional details about observed stop.
+Currently defined flags are:
+.Bl -tag -width indent -compact
+.It PL_FLAG_SCE
+The thread stopped due to system call entry, right after the kernel is entered.
+The debugger may examine syscall arguments that are stored in memory and
+registers according to the ABI of the current process, and modify them,
+if needed.
+.It PL_FLAG_SCX
+The thread is stopped immediately before syscall is returning to the usermode.
+The debugger may examine system call return values in the ABI-defined registers
+and/or memory.
+.It PL_FLAG_EXEC
+When
+.Dv PL_FLAG_SCX
+is set, this flag may be additionally specified to inform that the
+program being executed by debuggee process has been changed by successful
+execution of a system call from the
+.Fn execve 2
+family.
+.It PL_FLAG_SI
+Indicates that
+.Va pl_siginfo
+member of
+.Vt "struct ptrace_lwpinfo"
+contains valid information.
+.It PL_FLAG_FORKED
+Indicates that the process is returning from a call to
+.Fn fork 2
+that created a new child process.
+The process identifier of the new process is available in the
+.Va pl_child_pid
+member of
+.Vt "struct ptrace_lwpinfo" .
+.It PL_FLAG_CHILD
+The flag is set for first event reported from a new child, which is
+automatically attached due to
+.Dv PT_FOLLOW_FORK
+enabled.
+.El
+.It pl_sigmask
+The current signal mask of the LWP
+.It pl_siglist
+The current pending set of signals for the LWP.
+Note that signals that are delivered to the process would not appear
+on an LWP siglist until the thread is selected for delivery.
+.It pl_siginfo
+The siginfo that accompanies the signal pending.
+Only valid for
+.Dv PL_EVENT_SIGNAL
+stop when
+.Dv PL_FLAG_SI
+is set in
+.Va pl_flags .
+.It pl_tdname
+The name of the thread.
+.It pl_child_pid
+The process identifier of the new child process.
+Only valid for a
+.Dv PL_EVENT_SIGNAL
+stop when
+.Dv PL_FLAG_FORKED
+is set in
+.Va pl_flags .
+.El
+.It PT_GETNUMLWPS
+This request returns the number of kernel threads associated with the
+traced process.
+.It PT_GETLWPLIST
+This request can be used to get the current thread list.
+A pointer to an array of type
+.Vt lwpid_t
+should be passed in
+.Fa addr ,
+with the array size specified by
+.Fa data .
+The return value from
+.Fn ptrace
+is the count of array entries filled in.
+.It PT_SETSTEP
+This request will turn on single stepping of the specified process.
+.It PT_CLEARSTEP
+This request will turn off single stepping of the specified process.
+.It PT_SUSPEND
+This request will suspend the specified thread.
+.It PT_RESUME
+This request will resume the specified thread.
+.It PT_TO_SCE
+This request will trace the specified process on each system call entry.
+.It PT_TO_SCX
+This request will trace the specified process on each system call exit.
+.It PT_SYSCALL
+This request will trace the specified process
+on each system call entry and exit.
+.It PT_FOLLOW_FORK
+This request controls tracing for new child processes of a traced process.
+If
+.Fa data
+is non-zero,
+then new child processes will enable tracing and stop before executing their
+first instruction.
+If
+.Fa data
+is zero, then new child processes will execute without tracing enabled.
+By default, tracing is not enabled for new child processes.
+Child processes do not inherit this property.
+The traced process will set the
+.Dv PL_FLAG_FORKED
+flag upon exit from a system call that creates a new process.
+.It PT_VM_TIMESTAMP
+This request returns the generation number or timestamp of the memory map of
+the traced process as the return value from
+.Fn ptrace .
+This provides a low-cost way for the tracing process to determine if the
+VM map changed since the last time this request was made.
+.It PT_VM_ENTRY
+This request is used to iterate over the entries of the VM map of the traced
+process.
+The
+.Fa addr
+argument specifies a pointer to a
+.Vt "struct ptrace_vm_entry" ,
+which is defined as follows:
+.Bd -literal
+struct ptrace_vm_entry {
+ int pve_entry;
+ int pve_timestamp;
+ u_long pve_start;
+ u_long pve_end;
+ u_long pve_offset;
+ u_int pve_prot;
+ u_int pve_pathlen;
+ long pve_fileid;
+ uint32_t pve_fsid;
+ char *pve_path;
+};
+.Ed
+.Pp
+The first entry is returned by setting
+.Va pve_entry
+to zero.
+Subsequent entries are returned by leaving
+.Va pve_entry
+unmodified from the value returned by previous requests.
+The
+.Va pve_timestamp
+field can be used to detect changes to the VM map while iterating over the
+entries.
+The tracing process can then take appropriate action, such as restarting.
+By setting
+.Va pve_pathlen
+to a non-zero value on entry, the pathname of the backing object is returned
+in the buffer pointed to by
+.Va pve_path ,
+provided the entry is backed by a vnode.
+The
+.Va pve_pathlen
+field is updated with the actual length of the pathname (including the
+terminating null character).
+The
+.Va pve_offset
+field is the offset within the backing object at which the range starts.
+The range is located in the VM space at
+.Va pve_start
+and extends up to
+.Va pve_end
+(inclusive).
+.Pp
+The
+.Fa data
+argument is ignored.
+.El
+.Pp
+Additionally, machine-specific requests can exist.
+.Sh RETURN VALUES
+Some requests can cause
+.Fn ptrace
+to return
+\-1
+as a non-error value; to disambiguate,
+.Va errno
+can be set to 0 before the call and checked afterwards.
+.Sh ERRORS
+The
+.Fn ptrace
+system call may fail if:
+.Bl -tag -width Er
+.It Bq Er ESRCH
+.Bl -bullet -compact
+.It
+No process having the specified process ID exists.
+.El
+.It Bq Er EINVAL
+.Bl -bullet -compact
+.It
+A process attempted to use
+.Dv PT_ATTACH
+on itself.
+.It
+The
+.Fa request
+argument
+was not one of the legal requests.
+.It
+The signal number
+(in
+.Fa data )
+to
+.Dv PT_CONTINUE
+was neither 0 nor a legal signal number.
+.It
+.Dv PT_GETREGS ,
+.Dv PT_SETREGS ,
+.Dv PT_GETFPREGS ,
+.Dv PT_SETFPREGS ,
+.Dv PT_GETDBREGS ,
+or
+.Dv PT_SETDBREGS
+was attempted on a process with no valid register set.
+(This is normally true only of system processes.)
+.It
+.Dv PT_VM_ENTRY
+was given an invalid value for
+.Fa pve_entry .
+This can also be caused by changes to the VM map of the process.
+.El
+.It Bq Er EBUSY
+.Bl -bullet -compact
+.It
+.Dv PT_ATTACH
+was attempted on a process that was already being traced.
+.It
+A request attempted to manipulate a process that was being traced by
+some process other than the one making the request.
+.It
+A request
+(other than
+.Dv PT_ATTACH )
+specified a process that was not stopped.
+.El
+.It Bq Er EPERM
+.Bl -bullet -compact
+.It
+A request
+(other than
+.Dv PT_ATTACH )
+attempted to manipulate a process that was not being traced at all.
+.It
+An attempt was made to use
+.Dv PT_ATTACH
+on a process in violation of the requirements listed under
+.Dv PT_ATTACH
+above.
+.El
+.It Bq Er ENOENT
+.Bl -bullet -compact
+.It
+.Dv PT_VM_ENTRY
+previously returned the last entry of the memory map.
+No more entries exist.
+.El
+.It Bq Er ENAMETOOLONG
+.Bl -bullet -compact
+.It
+.Dv PT_VM_ENTRY
+cannot return the pathname of the backing object because the buffer is not big
+enough.
+.Fa pve_pathlen
+holds the minimum buffer size required on return.
+.El
+.El
+.Sh SEE ALSO
+.Xr execve 2 ,
+.Xr sigaction 2 ,
+.Xr wait 2 ,
+.Xr execv 3 ,
+.Xr i386_clr_watch 3 ,
+.Xr i386_set_watch 3
+.Sh HISTORY
+The
+.Fn ptrace
+function appeared in
+.At v7 .
OpenPOWER on IntegriCloud