1 .\" Copyright (c) 1993 Michael Haardt <michael@moria.de>
2 .\" Fri Apr 2 11:32:09 MET DST 1993
4 .\" and changes Copyright (C) 1999 Mike Coleman (mkc@acm.org)
5 .\" -- major revision to fully document ptrace semantics per recent Linux
6 .\" kernel (2.2.10) and glibc (2.1.2)
7 .\" Sun Nov 7 03:18:35 CST 1999
9 .\" and Copyright (c) 2011, Denys Vlasenko <vda.linux@googlemail.com>
11 .\" %%%LICENSE_START(GPLv2+_DOC_FULL)
12 .\" This is free documentation; you can redistribute it and/or
13 .\" modify it under the terms of the GNU General Public License as
14 .\" published by the Free Software Foundation; either version 2 of
15 .\" the License, or (at your option) any later version.
17 .\" The GNU General Public License's references to "object code"
18 .\" and "executables" are to be interpreted as the output of any
19 .\" document formatting or typesetting system, including
20 .\" intermediate and printed output.
22 .\" This manual is distributed in the hope that it will be useful,
23 .\" but WITHOUT ANY WARRANTY; without even the implied warranty of
24 .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 .\" GNU General Public License for more details.
27 .\" You should have received a copy of the GNU General Public
28 .\" License along with this manual; if not, see
29 .\" <http://www.gnu.org/licenses/>.
32 .\" Modified Fri Jul 23 23:47:18 1993 by Rik Faith <faith@cs.unc.edu>
33 .\" Modified Fri Jan 31 16:46:30 1997 by Eric S. Raymond <esr@thyrsus.com>
34 .\" Modified Thu Oct 7 17:28:49 1999 by Andries Brouwer <aeb@cwi.nl>
35 .\" Modified, 27 May 2004, Michael Kerrisk <mtk.manpages@gmail.com>
36 .\" Added notes on capability requirements
38 .\" 2006-03-24, Chuck Ebbert <76306.1226@compuserve.com>
39 .\" Added PTRACE_SETOPTIONS, PTRACE_GETEVENTMSG, PTRACE_GETSIGINFO,
40 .\" PTRACE_SETSIGINFO, PTRACE_SYSEMU, PTRACE_SYSEMU_SINGLESTEP
41 .\" (Thanks to Blaisorblade, Daniel Jacobowitz and others who helped.)
42 .\" 2011-09, major update by Denys Vlasenko <vda.linux@googlemail.com>
43 .\" 2015-01, Kees Cook <keescook@chromium.org>
44 .\" Added PTRACE_O_TRACESECCOMP, PTRACE_EVENT_SECCOMP
46 .TH PTRACE 2 2015-01-22 "Linux" "Linux Programmer's Manual"
48 ptrace \- process trace
51 .B #include <sys/ptrace.h>
53 .BI "long ptrace(enum __ptrace_request " request ", pid_t " pid ", "
54 .BI " void *" addr ", void *" data );
59 system call provides a means by which one process (the "tracer")
60 may observe and control the execution of another process (the "tracee"),
61 and examine and change the tracee's memory and registers.
62 It is primarily used to implement breakpoint debugging and system
65 A tracee first needs to be attached to the tracer.
66 Attachment and subsequent commands are per thread:
67 in a multithreaded process,
68 every thread can be individually attached to a
69 (potentially different) tracer,
70 or left not attached and thus not debugged.
71 Therefore, "tracee" always means "(one) thread",
72 never "a (possibly multithreaded) process".
73 Ptrace commands are always sent to
74 a specific tracee using a call of the form
76 ptrace(PTRACE_foo, pid, ...)
80 is the thread ID of the corresponding Linux thread.
82 (Note that in this page, a "multithreaded process"
83 means a thread group consisting of threads created using the
88 A process can initiate a trace by calling
90 and having the resulting child do a
92 followed (typically) by an
94 Alternatively, one process may commence tracing another process using
99 While being traced, the tracee will stop each time a signal is delivered,
100 even if the signal is being ignored.
103 which has its usual effect.)
104 The tracer will be notified at its next call to
106 (or one of the related "wait" system calls); that call will return a
108 value containing information that indicates
109 the cause of the stop in the tracee.
110 While the tracee is stopped,
111 the tracer can use various ptrace requests to inspect and modify the tracee.
112 The tracer then causes the tracee to continue,
113 optionally ignoring the delivered signal
114 (or even delivering a different signal instead).
117 .B PTRACE_O_TRACEEXEC
118 option is not in effect, all successful calls to
120 by the traced process will cause it to be sent a
123 giving the parent a chance to gain control before the new program
126 When the tracer is finished tracing, it can cause the tracee to continue
127 executing in a normal, untraced mode via
132 determines the action to be performed:
135 Indicate that this process is to be traced by its parent.
136 A process probably shouldn't make this request if its parent
137 isn't expecting to trace it.
146 request is used only by the tracee;
147 the remaining requests are used only by the tracer.
148 In the following requests,
150 specifies the thread ID of the tracee to be acted on.
151 For requests other than
154 .BR PTRACE_INTERRUPT ,
157 the tracee must be stopped.
159 .BR PTRACE_PEEKTEXT ", " PTRACE_PEEKDATA
160 Read a word at the address
162 in the tracee's memory, returning the word as the result of the
165 Linux does not have separate text and data address spaces,
166 so these two requests are currently equivalent.
168 is ignored; but see NOTES.)
171 .\" PTRACE_PEEKUSR in kernel source, but glibc uses PTRACE_PEEKUSER,
172 .\" and that is the name that seems common on other systems.
173 Read a word at offset
175 in the tracee's USER area,
176 which holds the registers and other information about the process
179 The word is returned as the result of the
182 Typically, the offset must be word-aligned, though this might vary by
186 is ignored; but see NOTES.)
188 .BR PTRACE_POKETEXT ", " PTRACE_POKEDATA
193 in the tracee's memory.
197 .BR PTRACE_PEEKDATA ,
198 these two requests are currently equivalent.
201 .\" PTRACE_POKEUSR in kernel source, but glibc uses PTRACE_POKEUSER,
202 .\" and that is the name that seems common on other systems.
207 in the tracee's USER area.
209 .BR PTRACE_PEEKUSER ,
210 the offset must typically be word-aligned.
211 In order to maintain the integrity of the kernel,
212 some modifications to the USER area are disallowed.
213 .\" FIXME In the preceding sentence, which modifications are disallowed,
214 .\" and when they are disallowed, how does user space discover that fact?
216 .BR PTRACE_GETREGS ", " PTRACE_GETFPREGS
217 Copy the tracee's general-purpose or floating-point registers,
218 respectively, to the address
223 for information on the format of this data.
226 Note that SPARC systems have the meaning of
232 is ignored and the registers are copied to the address
237 are not present on all architectures.
239 .BR PTRACE_GETREGSET " (since Linux 2.6.34)"
240 Read the tracee's registers.
242 specifies, in an architecture-dependent way, the type of registers to be read.
244 (with numerical value 1)
245 usually results in reading of general-purpose registers.
246 If the CPU has, for example,
247 floating-point and/or vector registers, they can be retrieved by setting
255 which describes the destination buffer's location and length.
256 On return, the kernel modifies
258 to indicate the actual number of bytes returned.
260 .BR PTRACE_SETREGS ", " PTRACE_SETFPREGS
261 Modify the tracee's general-purpose or floating-point registers,
262 respectively, from the address
266 .BR PTRACE_POKEUSER ,
267 some general-purpose register modifications may be disallowed.
268 .\" FIXME . In the preceding sentence, which modifications are disallowed,
269 .\" and when they are disallowed, how does user space discover that fact?
272 Note that SPARC systems have the meaning of
278 is ignored and the registers are copied from the address
283 are not present on all architectures.
285 .BR PTRACE_SETREGSET " (since Linux 2.6.34)"
286 Modify the tracee's registers.
292 .BR PTRACE_GETREGSET .
294 .BR PTRACE_GETSIGINFO " (since Linux 2.3.99-pre6)"
295 Retrieve information about the signal that caused the stop.
300 from the tracee to the address
306 .BR PTRACE_SETSIGINFO " (since Linux 2.3.99-pre6)"
307 Set signal information:
310 structure from the address
312 in the tracer to the tracee.
313 This will affect only signals that would normally be delivered to
314 the tracee and were caught by the tracer.
315 It may be difficult to tell
316 these normal signals from synthetic signals generated by
322 .BR PTRACE_PEEKSIGINFO " (since Linux 3.10)"
323 .\" commit 84c751bd4aebbaae995fe32279d3dba48327bad4
326 structures without removing signals from a queue.
329 .I ptrace_peeksiginfo_args
330 structure that specifies the ordinal position from which
331 copying of signals should start,
332 and the number of signals to copy.
334 structures are copied into the buffer pointed to by
336 The return value contains the number of copied signals (zero indicates
337 that there is no signal corresponding to the specified ordinal position).
343 field includes information
346 etc.) that are not otherwise exposed to user space.
350 struct ptrace_peeksiginfo_args {
351 u64 off; /* Ordinal position in queue at which
352 to start copying signals */
353 u32 flags; /* PTRACE_PEEKSIGINFO_SHARED or 0 */
354 s32 nr; /* Number of signals to copy */
358 Currently, there is only one flag,
359 .BR PTRACE_PEEKSIGINFO_SHARED ,
360 for dumping signals from the process-wide signal queue.
361 If this flag is not set,
362 signals are read from the per-thread queue of the specified thread.
366 .BR PTRACE_GETSIGMASK " (since Linux 3.11)"
367 .\" commit 29000caecbe87b6b66f144f72111f0d02fbbf0c1
368 Place a copy of the mask of blocked signals (see
370 in the buffer pointed to by
372 which should be a pointer to a buffer of type
376 argument contains the size of the buffer pointed to by
379 .IR sizeof(sigset_t) ).
381 .BR PTRACE_SETSIGMASK " (since Linux 3.11)"
382 Change the mask of blocked signals (see
384 to the value specified in the buffer pointed to by
386 which should be a pointer to a buffer of type
390 argument contains the size of the buffer pointed to by
393 .IR sizeof(sigset_t) ).
395 .BR PTRACE_SETOPTIONS " (since Linux 2.4.6; see BUGS for caveats)"
396 Set ptrace options from
401 is interpreted as a bit mask of options,
402 which are specified by the following flags:
405 .BR PTRACE_O_EXITKILL " (since Linux 3.8)"
406 .\" commit 992fb6e170639b0849bace8e49bf31bd37c4123
407 If a tracer sets this flag, a
409 signal will be sent to every tracee if the tracer exits.
410 This option is useful for ptrace jailers that
411 want to ensure that tracees can never escape the tracer's control.
413 .BR PTRACE_O_TRACECLONE " (since Linux 2.5.46)"
414 Stop the tracee at the next
416 and automatically start tracing the newly cloned process,
417 which will start with a
426 by the tracer will return a
431 status>>8 == (SIGTRAP | (PTRACE_EVENT_CLONE<<8))
434 The PID of the new process can be retrieved with
435 .BR PTRACE_GETEVENTMSG .
437 This option may not catch
445 .B PTRACE_EVENT_VFORK
446 will be delivered instead
448 .B PTRACE_O_TRACEVFORK
449 is set; otherwise if the tracee calls
451 with the exit signal set to
455 .B PTRACE_O_TRACEFORK
458 .BR PTRACE_O_TRACEEXEC " (since Linux 2.5.46)"
459 Stop the tracee at the next
463 by the tracer will return a
468 status>>8 == (SIGTRAP | (PTRACE_EVENT_EXEC<<8))
471 If the execing thread is not a thread group leader,
472 the thread ID is reset to thread group leader's ID before this stop.
473 Since Linux 3.0, the former thread ID can be retrieved with
474 .BR PTRACE_GETEVENTMSG .
476 .BR PTRACE_O_TRACEEXIT " (since Linux 2.5.60)"
477 Stop the tracee at exit.
480 by the tracer will return a
485 status>>8 == (SIGTRAP | (PTRACE_EVENT_EXIT<<8))
488 The tracee's exit status can be retrieved with
489 .BR PTRACE_GETEVENTMSG .
491 The tracee is stopped early during process exit,
492 when registers are still available,
493 allowing the tracer to see where the exit occurred,
494 whereas the normal exit notification is done after the process
496 Even though context is available,
497 the tracer cannot prevent the exit from happening at this point.
499 .BR PTRACE_O_TRACEFORK " (since Linux 2.5.46)"
500 Stop the tracee at the next
502 and automatically start tracing the newly forked process,
503 which will start with a
512 by the tracer will return a
517 status>>8 == (SIGTRAP | (PTRACE_EVENT_FORK<<8))
520 The PID of the new process can be retrieved with
521 .BR PTRACE_GETEVENTMSG .
523 .BR PTRACE_O_TRACESYSGOOD " (since Linux 2.4.6)"
524 When delivering system call traps, set bit 7 in the signal number
526 .IR "SIGTRAP|0x80" ).
527 This makes it easy for the tracer to distinguish
528 normal traps from those caused by a system call.
529 .RB ( PTRACE_O_TRACESYSGOOD
530 may not work on all architectures.)
532 .BR PTRACE_O_TRACEVFORK " (since Linux 2.5.46)"
533 Stop the tracee at the next
535 and automatically start tracing the newly vforked process,
536 which will start with a
545 by the tracer will return a
550 status>>8 == (SIGTRAP | (PTRACE_EVENT_VFORK<<8))
553 The PID of the new process can be retrieved with
554 .BR PTRACE_GETEVENTMSG .
556 .BR PTRACE_O_TRACEVFORKDONE " (since Linux 2.5.60)"
557 Stop the tracee at the completion of the next
561 by the tracer will return a
566 status>>8 == (SIGTRAP | (PTRACE_EVENT_VFORK_DONE<<8))
569 The PID of the new process can (since Linux 2.6.18) be retrieved with
570 .BR PTRACE_GETEVENTMSG .
572 .BR PTRACE_O_TRACESECCOMP " (since Linux 3.5)"
573 Stop the tracee when a
575 .BR SECCOMP_RET_TRACE
579 by the tracer will return a
584 status>>8 == (SIGTRAP | (PTRACE_EVENT_SECCOMP<<8))
587 While this triggers a
589 stop, it is similar to a syscall-enter-stop, in that the tracee has
590 not yet entered the syscall that seccomp triggered on.
591 The seccomp event message data (from the
593 portion of the seccomp filter rule) can be retrieved with
594 .BR PTRACE_GETEVENTMSG .
597 .BR PTRACE_GETEVENTMSG " (since Linux 2.5.46)"
598 Retrieve a message (as an
599 .IR "unsigned long" )
600 about the ptrace event
601 that just happened, placing it at the address
605 .BR PTRACE_EVENT_EXIT ,
606 this is the tracee's exit status.
608 .BR PTRACE_EVENT_FORK ,
609 .BR PTRACE_EVENT_VFORK ,
610 .BR PTRACE_EVENT_VFORK_DONE ,
612 .BR PTRACE_EVENT_CLONE ,
613 this is the PID of the new process.
615 .BR PTRACE_EVENT_SECCOMP ,
620 associated with the triggered rule.
625 Restart the stopped tracee process.
629 it is interpreted as the number of a signal to be delivered to the tracee;
630 otherwise, no signal is delivered.
631 Thus, for example, the tracer can control
632 whether a signal sent to the tracee is delivered or not.
636 .BR PTRACE_SYSCALL ", " PTRACE_SINGLESTEP
637 Restart the stopped tracee as for
639 but arrange for the tracee to be stopped at
640 the next entry to or exit from a system call,
641 or after execution of a single instruction, respectively.
642 (The tracee will also, as usual, be stopped upon receipt of a signal.)
643 From the tracer's perspective, the tracee will appear to have been
644 stopped by receipt of a
648 for example, the idea is to inspect
649 the arguments to the system call at the first stop,
652 and inspect the return value of the system call at the second stop.
655 argument is treated as for
660 .BR PTRACE_SYSEMU ", " PTRACE_SYSEMU_SINGLESTEP " (since Linux 2.6.14)"
663 continue and stop on entry to the next system call,
664 which will not be executed.
666 .BR PTRACE_SYSEMU_SINGLESTEP ,
667 do the same but also singlestep if not a system call.
668 This call is used by programs like
669 User Mode Linux that want to emulate all the tracee's system calls.
672 argument is treated as for
677 These requests are currently
679 supported only on x86.
681 .BR PTRACE_LISTEN " (since Linux 3.4)"
682 Restart the stopped tracee, but prevent it from executing.
683 The resulting state of the tracee is similar to a process which
684 has been stopped by a
686 (or other stopping signal).
687 See the "group-stop" subsection for additional information.
689 works only on tracees attached by
701 .I This operation is deprecated; do not use it!
710 is that it requires the tracee to be in signal-delivery-stop,
711 otherwise it may not work
712 (i.e., may complete successfully but won't kill the tracee).
713 By contrast, sending a
715 directly has no such limitation.
716 .\" [Note from Denys Vlasenko:
717 .\" deprecation suggested by Oleg Nesterov. He prefers to deprecate it
718 .\" instead of describing (and needing to support) PTRACE_KILL's quirks.]
720 .BR PTRACE_INTERRUPT " (since Linux 3.4)"
722 If the tracee is running or sleeping in kernel space and
725 the system call is interrupted and syscall-exit-stop is reported.
726 (The interrupted system call is restarted when the tracee is restarted.)
727 If the tracee was already stopped by a signal and
730 the tracee stops with
734 returns the stop signal.
735 If any other ptrace-stop is generated at the same time (for example,
736 if a signal is sent to the tracee), this ptrace-stop happens.
737 If none of the above applies (for example, if the tracee is running in user
738 space), it stops with
745 only works on tracees attached by
749 Attach to the process specified in
751 making it a tracee of the calling process.
752 .\" No longer true (removed by Denys Vlasenko, 2011, who remarks:
753 .\" "I think it isn't true in non-ancient 2.4 and in 2.6/3.x.
754 .\" Basically, it's not true for any Linux in practical use.
755 .\" ; the behavior of the tracee is as if it had done a
756 .\" .BR PTRACE_TRACEME .
757 .\" The calling process actually becomes the parent of the tracee
758 .\" process for most purposes (e.g., it will receive
759 .\" notification of tracee events and appears in
761 .\" output as the tracee's parent), but a
763 .\" by the tracee will still return the PID of the original parent.
766 but will not necessarily have stopped
767 by the completion of this call; use
769 to wait for the tracee to stop.
770 See the "Attaching and detaching" subsection for additional information.
776 .BR PTRACE_SEIZE " (since Linux 3.4)"
777 Attach to the process specified in
779 making it a tracee of the calling process.
783 does not stop the process.
794 contains a bit mask of ptrace options to activate immediately.
797 Restart the stopped tracee as for
799 but first detach from it.
800 Under Linux, a tracee can be detached in this way regardless
801 of which method was used to initiate tracing.
804 .SS Death under ptrace
805 When a (possibly multithreaded) process receives a killing signal
806 (one whose disposition is set to
808 and whose default action is to kill the process),
810 Tracees report their death to their tracer(s).
811 Notification of this event is delivered via
814 Note that the killing signal will first cause signal-delivery-stop
815 (on one tracee only),
816 and only after it is injected by the tracer
817 (or after it was dispatched to a thread which isn't traced),
818 will death from the signal happen on
820 tracees within a multithreaded process.
821 (The term "signal-delivery-stop" is explained below.)
824 does not generate signal-delivery-stop and
825 therefore the tracer can't suppress it.
827 kills even within system calls
828 (syscall-exit-stop is not generated prior to death by
830 The net effect is that
832 always kills the process (all its threads),
833 even if some threads of the process are ptraced.
835 When the tracee calls
837 it reports its death to its tracer.
838 Other threads are not affected.
840 When any thread executes
842 every tracee in its thread group reports its death to its tracer.
845 .B PTRACE_O_TRACEEXIT
848 will happen before actual death.
849 This applies to exits via
852 and signal deaths (except
854 and when threads are torn down on
856 in a multithreaded process.
858 The tracer cannot assume that the ptrace-stopped tracee exists.
859 There are many scenarios when the tracee may die while stopped (such as
861 Therefore, the tracer must be prepared to handle an
863 error on any ptrace operation.
864 Unfortunately, the same error is returned if the tracee
865 exists but is not ptrace-stopped
866 (for commands which require a stopped tracee),
867 or if it is not traced by the process which issued the ptrace call.
868 The tracer needs to keep track of the stopped/running state of the tracee,
871 as "tracee died unexpectedly" only if it knows that the tracee has
872 been observed to enter ptrace-stop.
873 Note that there is no guarantee that
875 will reliably report the tracee's death status if a
876 ptrace operation returned
879 may return 0 instead.
880 In other words, the tracee may be "not yet fully dead",
881 but already refusing ptrace requests.
883 The tracer can't assume that the tracee
885 ends its life by reporting
888 .IR WIFSIGNALED(status) ;
889 there are cases where this does not occur.
890 For example, if a thread other than thread group leader does an
893 its PID will never be seen again,
894 and any subsequent ptrace stops will be reported under
895 the thread group leader's PID.
897 A tracee can be in two states: running or stopped.
898 For the purposes of ptrace, a tracee which is blocked in a system call
903 is nevertheless considered to be running, even if the tracee is blocked
905 The state of the tracee after
907 is somewhat of a gray area: it is not in any ptrace-stop (ptrace commands
908 won't work on it, and it will deliver
911 but it also may be considered "stopped" because
912 it is not executing instructions (is not scheduled), and if it was
915 it will not respond to signals until
919 There are many kinds of states when the tracee is stopped, and in ptrace
920 discussions they are often conflated.
921 Therefore, it is important to use precise terms.
923 In this manual page, any stopped state in which the tracee is ready
924 to accept ptrace commands from the tracer is called
927 be further subdivided into
928 .IR signal-delivery-stop ,
932 These stopped states are described in detail below.
934 When the running tracee enters ptrace-stop, it notifies its tracer using
936 (or one of the other "wait" system calls).
937 Most of this manual page assumes that the tracer waits with:
939 pid = waitpid(pid_or_minus_1, &status, __WALL);
941 Ptrace-stopped tracees are reported as returns with
944 .I WIFSTOPPED(status)
947 .\" Do we require __WALL usage, or will just using 0 be ok? (With 0,
948 .\" I am not 100% sure there aren't ugly corner cases.) Are the
949 .\" rules different if user wants to use waitid? Will waitid require
955 flag does not include the
959 flags, but implies their functionality.
965 is not recommended: the "continued" state is per-process and
966 consuming it can confuse the real parent of the tracee.
972 to return 0 ("no wait results available yet")
973 even if the tracer knows there should be a notification.
978 ptrace(PTRACE_CONT, pid, 0L, 0L);
979 if (errno == ESRCH) {
981 r = waitpid(tracee, &status, __WALL | WNOHANG);
982 /* r can still be 0 here! */
986 .\" waitid usage? WNOWAIT?
987 .\" describe how wait notifications queue (or not queue)
989 The following kinds of ptrace-stops exist: signal-delivery-stops,
992 stops, syscall-stops.
993 They all are reported by
996 .I WIFSTOPPED(status)
998 They may be differentiated by examining the value
1000 and if there is ambiguity in that value, by querying
1001 .BR PTRACE_GETSIGINFO .
1004 macro can't be used to perform this examination,
1005 because it returns the value
1006 .IR "(status>>8)\ &\ 0xff" .)
1007 .SS Signal-delivery-stop
1008 When a (possibly multithreaded) process receives any signal except
1010 the kernel selects an arbitrary thread which handles the signal.
1011 (If the signal is generated with
1013 the target thread can be explicitly selected by the caller.)
1014 If the selected thread is traced, it enters signal-delivery-stop.
1015 At this point, the signal is not yet delivered to the process,
1016 and can be suppressed by the tracer.
1017 If the tracer doesn't suppress the signal,
1018 it passes the signal to the tracee in the next ptrace restart request.
1019 This second step of signal delivery is called
1020 .I "signal injection"
1021 in this manual page.
1022 Note that if the signal is blocked,
1023 signal-delivery-stop doesn't happen until the signal is unblocked,
1024 with the usual exception that
1028 Signal-delivery-stop is observed by the tracer as
1031 .I WIFSTOPPED(status)
1032 true, with the signal returned by
1033 .IR WSTOPSIG(status) .
1036 this may be a different kind of ptrace-stop;
1037 see the "Syscall-stops" and "execve" sections below for details.
1040 returns a stopping signal, this may be a group-stop; see below.
1041 .SS Signal injection and suppression
1042 After signal-delivery-stop is observed by the tracer,
1043 the tracer should restart the tracee with the call
1045 ptrace(PTRACE_restart, pid, 0, sig)
1049 is one of the restarting ptrace requests.
1052 is 0, then a signal is not delivered.
1053 Otherwise, the signal
1056 This operation is called
1057 .I "signal injection"
1058 in this manual page, to distinguish it from signal-delivery-stop.
1062 value may be different from the
1064 value: the tracer can cause a different signal to be injected.
1066 Note that a suppressed signal still causes system calls to return
1068 In this case, system calls will be restarted: the tracer will
1069 observe the tracee to reexecute the interrupted system call (or
1070 .BR restart_syscall (2)
1071 system call for a few system calls which use a different mechanism
1072 for restarting) if the tracer uses
1073 .BR PTRACE_SYSCALL .
1074 Even system calls (such as
1076 which are not restartable after signal are restarted after
1077 signal is suppressed;
1078 however, kernel bugs exist which cause some system calls to fail with
1080 even though no observable signal is injected to the tracee.
1082 Restarting ptrace commands issued in ptrace-stops other than
1083 signal-delivery-stop are not guaranteed to inject a signal, even if
1086 No error is reported; a nonzero
1088 may simply be ignored.
1089 Ptrace users should not try to "create a new signal" this way: use
1093 The fact that signal injection requests may be ignored
1094 when restarting the tracee after
1095 ptrace stops that are not signal-delivery-stops
1096 is a cause of confusion among ptrace users.
1097 One typical scenario is that the tracer observes group-stop,
1098 mistakes it for signal-delivery-stop, restarts the tracee with
1100 ptrace(PTRACE_restart, pid, 0, stopsig)
1102 with the intention of injecting
1106 gets ignored and the tracee continues to run.
1110 signal has a side effect of waking up (all threads of)
1111 a group-stopped process.
1112 This side effect happens before signal-delivery-stop.
1113 The tracer can't suppress this side effect (it can
1114 only suppress signal injection, which only causes the
1116 handler to not be executed in the tracee, if such a handler is installed).
1117 In fact, waking up from group-stop may be followed by
1118 signal-delivery-stop for signal(s)
1121 if they were pending when
1126 may be not the first signal observed by the tracee after it was sent.
1128 Stopping signals cause (all threads of) a process to enter group-stop.
1129 This side effect happens after signal injection, and therefore can be
1130 suppressed by the tracer.
1132 In Linux 2.4 and earlier, the
1134 signal can't be injected.
1135 .\" In the Linux 2.4 sources, in arch/i386/kernel/signal.c::do_signal(),
1138 .\" /* The debugger continued. Ignore SIGSTOP. */
1139 .\" if (signr == SIGSTOP)
1142 .B PTRACE_GETSIGINFO
1143 can be used to retrieve a
1145 structure which corresponds to the delivered signal.
1146 .B PTRACE_SETSIGINFO
1147 may be used to modify it.
1149 .B PTRACE_SETSIGINFO
1150 has been used to alter
1156 parameter in the restarting command must match,
1157 otherwise the result is undefined.
1159 When a (possibly multithreaded) process receives a stopping signal,
1161 If some threads are traced, they enter a group-stop.
1162 Note that the stopping signal will first cause signal-delivery-stop
1163 (on one tracee only), and only after it is injected by the tracer
1164 (or after it was dispatched to a thread which isn't traced),
1165 will group-stop be initiated on
1167 tracees within the multithreaded process.
1168 As usual, every tracee reports its group-stop separately
1169 to the corresponding tracer.
1171 Group-stop is observed by the tracer as
1174 .I WIFSTOPPED(status)
1175 true, with the stopping signal available via
1176 .IR WSTOPSIG(status) .
1177 The same result is returned by some other classes of ptrace-stops,
1178 therefore the recommended practice is to perform the call
1180 ptrace(PTRACE_GETSIGINFO, pid, 0, &siginfo)
1182 The call can be avoided if the signal is not
1188 only these four signals are stopping signals.
1189 If the tracer sees something else, it can't be a group-stop.
1190 Otherwise, the tracer needs to call
1191 .BR PTRACE_GETSIGINFO .
1193 .B PTRACE_GETSIGINFO
1196 then it is definitely a group-stop.
1197 (Other failure codes are possible, such as
1199 ("no such process") if a
1203 If tracee was attached using
1205 group-stop is indicated by
1206 .BR PTRACE_EVENT_STOP :
1207 .IR "status>>16 == PTRACE_EVENT_STOP" .
1208 This allows detection of group-stops
1209 without requiring an extra
1210 .B PTRACE_GETSIGINFO
1214 after the tracer sees the tracee ptrace-stop and until it
1215 restarts or kills it, the tracee will not run,
1216 and will not send notifications (except
1218 death) to the tracer, even if the tracer enters into another
1222 The kernel behavior described in the previous paragraph
1223 causes a problem with transparent handling of stopping signals.
1224 If the tracer restarts the tracee after group-stop,
1226 is effectively ignored\(emthe tracee doesn't remain stopped, it runs.
1227 If the tracer doesn't restart the tracee before entering into the next
1231 signals will not be reported to the tracer;
1232 this would cause the
1234 signals to have no effect on the tracee.
1236 Since Linux 3.4, there is a method to overcome this problem: instead of
1240 command can be used to restart a tracee in a way where it does not execute,
1241 but waits for a new event which it can report via
1244 it is restarted by a
1246 .SS PTRACE_EVENT stops
1249 options, the tracee will enter ptrace-stops called
1254 stops are observed by the tracer as
1257 .IR WIFSTOPPED(status) ,
1262 An additional bit is set in the higher byte of the status word:
1267 (SIGTRAP | PTRACE_EVENT_foo << 8).
1269 The following events exist:
1271 .B PTRACE_EVENT_VFORK
1272 Stop before return from
1279 When the tracee is continued after this stop, it will wait for child to
1280 exit/exec before continuing its execution
1281 (in other words, the usual behavior on
1284 .B PTRACE_EVENT_FORK
1285 Stop before return from
1289 with the exit signal set to
1292 .B PTRACE_EVENT_CLONE
1293 Stop before return from
1296 .B PTRACE_EVENT_VFORK_DONE
1297 Stop before return from
1304 but after the child unblocked this tracee by exiting or execing.
1306 For all four stops described above,
1307 the stop occurs in the parent (i.e., the tracee),
1308 not in the newly created thread.
1309 .BR PTRACE_GETEVENTMSG
1310 can be used to retrieve the new thread's ID.
1312 .B PTRACE_EVENT_EXEC
1313 Stop before return from
1316 .BR PTRACE_GETEVENTMSG
1317 returns the former thread ID.
1319 .B PTRACE_EVENT_EXIT
1320 Stop before exit (including death from
1321 .BR exit_group (2)),
1322 signal death, or exit caused by
1324 in a multithreaded process.
1325 .B PTRACE_GETEVENTMSG
1326 returns the exit status.
1327 Registers can be examined
1328 (unlike when "real" exit happens).
1329 The tracee is still alive; it needs to be
1332 .BR PTRACE_DETACH ed
1335 .B PTRACE_EVENT_STOP
1338 command, or group-stop, or initial ptrace-stop when a new child is attached
1339 (only if attached using
1342 .B PTRACE_EVENT_STOP
1347 .B PTRACE_EVENT_SECCOMP
1350 rule on tracee syscall entry when
1351 .BR PTRACE_O_TRACESECCOMP
1352 has been set by the tracer.
1353 The seccomp event message data (from the
1354 .BR SECCOMP_RET_DATA
1355 portion of the seccomp filter rule) can be retrieved with
1356 .BR PTRACE_GETEVENTMSG .
1358 .B PTRACE_GETSIGINFO
1368 .IR "(event<<8)\ |\ SIGTRAP" .
1370 If the tracee was restarted by
1371 .BR PTRACE_SYSCALL ,
1373 syscall-enter-stop just prior to entering any system call.
1374 If the tracer restarts the tracee with
1375 .BR PTRACE_SYSCALL ,
1376 the tracee enters syscall-exit-stop when the system call is finished,
1377 or if it is interrupted by a signal.
1378 (That is, signal-delivery-stop never happens between syscall-enter-stop
1379 and syscall-exit-stop; it happens
1383 Other possibilities are that the tracee may stop in a
1385 stop, exit (if it entered
1388 .BR exit_group (2)),
1391 or die silently (if it is a thread group leader, the
1393 happened in another thread,
1394 and that thread is not traced by the same tracer;
1395 this situation is discussed later).
1397 Syscall-enter-stop and syscall-exit-stop are observed by the tracer as
1400 .I WIFSTOPPED(status)
1406 .B PTRACE_O_TRACESYSGOOD
1407 option was set by the tracer, then
1410 .IR "(SIGTRAP\ |\ 0x80)" .
1412 Syscall-stops can be distinguished from signal-delivery-stop with
1415 .BR PTRACE_GETSIGINFO
1416 for the following cases:
1420 was delivered as a result of a user-space action,
1421 for example, a system call
1426 expiration of a POSIX timer,
1427 change of state on a POSIX message queue,
1428 or completion of an asynchronous I/O request.
1430 .IR si_code " == SI_KERNEL (0x80)"
1432 was sent by the kernel.
1434 .IR si_code " == SIGTRAP or " si_code " == (SIGTRAP|0x80)"
1435 This is a syscall-stop.
1437 However, syscall-stops happen very often (twice per system call),
1439 .B PTRACE_GETSIGINFO
1440 for every syscall-stop may be somewhat expensive.
1442 Some architectures allow the cases to be distinguished
1443 by examining registers.
1444 For example, on x86,
1448 in syscall-enter-stop.
1451 (like any other signal) always happens
1456 almost never contains
1460 looks like "syscall-stop which is not syscall-enter-stop";
1461 in other words, it looks like a
1462 "stray syscall-exit-stop" and can be detected this way.
1463 But such detection is fragile and is best avoided.
1466 .B PTRACE_O_TRACESYSGOOD
1467 option is the recommended method to distinguish syscall-stops
1468 from other kinds of ptrace-stops,
1469 since it is reliable and does not incur a performance penalty.
1471 Syscall-enter-stop and syscall-exit-stop are
1472 indistinguishable from each other by the tracer.
1473 The tracer needs to keep track of the sequence of
1474 ptrace-stops in order to not misinterpret syscall-enter-stop as
1475 syscall-exit-stop or vice versa.
1476 The rule is that syscall-enter-stop is
1477 always followed by syscall-exit-stop,
1479 stop or the tracee's death;
1480 no other kinds of ptrace-stop can occur in between.
1482 If after syscall-enter-stop,
1483 the tracer uses a restarting command other than
1484 .BR PTRACE_SYSCALL ,
1485 syscall-exit-stop is not generated.
1487 .B PTRACE_GETSIGINFO
1488 on syscall-stops returns
1497 .IR (SIGTRAP|0x80) .
1498 .SS PTRACE_SINGLESTEP, PTRACE_SYSEMU, PTRACE_SYSEMU_SINGLESTEP stops
1499 [Details of these kinds of stops are yet to be documented.]
1502 .\" document stops occurring with PTRACE_SINGLESTEP, PTRACE_SYSEMU,
1503 .\" PTRACE_SYSEMU_SINGLESTEP
1504 .SS Informational and restarting ptrace commands
1505 Most ptrace commands (all except
1508 .BR PTRACE_TRACEME ,
1509 .BR PTRACE_INTERRUPT ,
1512 require the tracee to be in a ptrace-stop, otherwise they fail with
1515 When the tracee is in ptrace-stop,
1516 the tracer can read and write data to
1517 the tracee using informational commands.
1518 These commands leave the tracee in ptrace-stopped state:
1521 ptrace(PTRACE_PEEKTEXT/PEEKDATA/PEEKUSER, pid, addr, 0);
1522 ptrace(PTRACE_POKETEXT/POKEDATA/POKEUSER, pid, addr, long_val);
1523 ptrace(PTRACE_GETREGS/GETFPREGS, pid, 0, &struct);
1524 ptrace(PTRACE_SETREGS/SETFPREGS, pid, 0, &struct);
1525 ptrace(PTRACE_GETREGSET, pid, NT_foo, &iov);
1526 ptrace(PTRACE_SETREGSET, pid, NT_foo, &iov);
1527 ptrace(PTRACE_GETSIGINFO, pid, 0, &siginfo);
1528 ptrace(PTRACE_SETSIGINFO, pid, 0, &siginfo);
1529 ptrace(PTRACE_GETEVENTMSG, pid, 0, &long_var);
1530 ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags);
1533 Note that some errors are not reported.
1534 For example, setting signal information
1536 may have no effect in some ptrace-stops, yet the call may succeed
1537 (return 0 and not set
1540 .B PTRACE_GETEVENTMSG
1541 may succeed and return some random value if current ptrace-stop
1542 is not documented as returning a meaningful event message.
1546 ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags);
1549 The tracee's current flags are replaced.
1550 Flags are inherited by new tracees created and "auto-attached" via active
1551 .BR PTRACE_O_TRACEFORK ,
1552 .BR PTRACE_O_TRACEVFORK ,
1554 .BR PTRACE_O_TRACECLONE
1557 Another group of commands makes the ptrace-stopped tracee run.
1560 ptrace(cmd, pid, 0, sig);
1568 .BR PTRACE_SYSCALL ,
1569 .BR PTRACE_SINGLESTEP ,
1572 .BR PTRACE_SYSEMU_SINGLESTEP .
1573 If the tracee is in signal-delivery-stop,
1575 is the signal to be injected (if it is nonzero).
1579 (When restarting a tracee from a ptrace-stop other than signal-delivery-stop,
1580 recommended practice is to always pass 0 in
1582 .SS Attaching and detaching
1583 A thread can be attached to the tracer using the call
1585 ptrace(PTRACE_ATTACH, pid, 0, 0);
1589 ptrace(PTRACE_SEIZE, pid, 0, PTRACE_O_flags);
1595 If the tracer wants this
1597 to have no effect, it needs to suppress it.
1598 Note that if other signals are concurrently sent to
1599 this thread during attach,
1600 the tracer may see the tracee enter signal-delivery-stop
1601 with other signal(s) first!
1602 The usual practice is to reinject these signals until
1604 is seen, then suppress
1607 The design bug here is that a ptrace attach and a concurrently delivered
1609 may race and the concurrent
1613 .\" FIXME . Describe how to attach to a thread which is already group-stopped.
1615 Since attaching sends
1617 and the tracer usually suppresses it, this may cause a stray
1619 return from the currently executing system call in the tracee,
1620 as described in the "Signal injection and suppression" section.
1624 can be used instead of
1627 does not stop the attached process.
1629 it after attach (or at any other time) without sending it any signals,
1636 ptrace(PTRACE_TRACEME, 0, 0, 0);
1638 turns the calling thread into a tracee.
1639 The thread continues to run (doesn't enter ptrace-stop).
1640 A common practice is to follow the
1646 and allow the parent (which is our tracer now) to observe our
1647 signal-delivery-stop.
1650 .BR PTRACE_O_TRACEFORK ,
1651 .BR PTRACE_O_TRACEVFORK ,
1653 .BR PTRACE_O_TRACECLONE
1654 options are in effect, then children created by, respectively,
1664 with the exit signal set to
1668 are automatically attached to the same tracer which traced their parent.
1670 is delivered to the children, causing them to enter
1671 signal-delivery-stop after they exit the system call which created them.
1673 Detaching of the tracee is performed by:
1675 ptrace(PTRACE_DETACH, pid, 0, sig);
1678 is a restarting operation;
1679 therefore it requires the tracee to be in ptrace-stop.
1680 If the tracee is in signal-delivery-stop, a signal can be injected.
1683 parameter may be silently ignored.
1685 If the tracee is running when the tracer wants to detach it,
1686 the usual solution is to send
1690 to make sure it goes to the correct thread),
1691 wait for the tracee to stop in signal-delivery-stop for
1693 and then detach it (suppressing
1696 A design bug is that this can race with concurrent
1698 Another complication is that the tracee may enter other ptrace-stops
1699 and needs to be restarted and waited for again, until
1702 Yet another complication is to be sure that
1703 the tracee is not already ptrace-stopped,
1704 because no signal delivery happens while it is\(emnot even
1706 .\" FIXME . Describe how to detach from a group-stopped tracee so that it
1707 .\" doesn't run, but continues to wait for SIGCONT.
1709 If the tracer dies, all tracees are automatically detached and restarted,
1710 unless they were in group-stop.
1711 Handling of restart from group-stop is currently buggy,
1712 but the "as planned" behavior is to leave tracee stopped and waiting for
1714 If the tracee is restarted from signal-delivery-stop,
1715 the pending signal is injected.
1716 .SS execve(2) under ptrace
1717 .\" clone(2) CLONE_THREAD says:
1718 .\" If any of the threads in a thread group performs an execve(2),
1719 .\" then all threads other than the thread group leader are terminated,
1720 .\" and the new program is executed in the thread group leader.
1722 When one thread in a multithreaded process calls
1724 the kernel destroys all other threads in the process,
1725 .\" In kernel 3.1 sources, see fs/exec.c::de_thread()
1726 and resets the thread ID of the execing thread to the
1727 thread group ID (process ID).
1728 (Or, to put things another way, when a multithreaded process does an
1730 at completion of the call, it appears as though the
1732 occurred in the thread group leader, regardless of which thread did the
1734 This resetting of the thread ID looks very confusing to tracers:
1736 All other threads stop in
1737 .B PTRACE_EVENT_EXIT
1739 .BR PTRACE_O_TRACEEXIT
1740 option was turned on.
1741 Then all other threads except the thread group leader report
1742 death as if they exited via
1746 The execing tracee changes its thread ID while it is in the
1748 (Remember, under ptrace, the "pid" returned from
1750 or fed into ptrace calls, is the tracee's thread ID.)
1751 That is, the tracee's thread ID is reset to be the same as its process ID,
1752 which is the same as the thread group leader's thread ID.
1755 .B PTRACE_EVENT_EXEC
1756 stop happens, if the
1757 .BR PTRACE_O_TRACEEXEC
1758 option was turned on.
1760 If the thread group leader has reported its
1761 .B PTRACE_EVENT_EXIT
1763 it appears to the tracer that
1764 the dead thread leader "reappears from nowhere".
1765 (Note: the thread group leader does not report death via
1766 .I WIFEXITED(status)
1767 until there is at least one other live thread.
1768 This eliminates the possibility that the tracer will see
1769 it dying and then reappearing.)
1770 If the thread group leader was still alive,
1771 for the tracer this may look as if thread group leader
1772 returns from a different system call than it entered,
1773 or even "returned from a system call even though
1774 it was not in any system call".
1775 If the thread group leader was not traced
1776 (or was traced by a different tracer), then during
1778 it will appear as if it has become a tracee of
1779 the tracer of the execing tracee.
1781 All of the above effects are the artifacts of
1782 the thread ID change in the tracee.
1785 .B PTRACE_O_TRACEEXEC
1786 option is the recommended tool for dealing with this situation.
1788 .BR PTRACE_EVENT_EXEC
1793 In this stop, the tracer can use
1794 .B PTRACE_GETEVENTMSG
1795 to retrieve the tracee's former thread ID.
1796 (This feature was introduced in Linux 3.0).
1798 .B PTRACE_O_TRACEEXEC
1799 option disables legacy
1804 When the tracer receives
1805 .B PTRACE_EVENT_EXEC
1807 it is guaranteed that except this tracee and the thread group leader,
1808 no other threads from the process are alive.
1811 .B PTRACE_EVENT_EXEC
1813 the tracer should clean up all its internal
1814 data structures describing the threads of this process,
1815 and retain only one data structure\(emone which
1816 describes the single still running tracee, with
1818 thread ID == thread group ID == process ID.
1820 Example: two threads call
1825 *** we get syscall-enter-stop in thread 1: **
1826 PID1 execve("/bin/foo", "foo" <unfinished ...>
1827 *** we issue PTRACE_SYSCALL for thread 1 **
1828 *** we get syscall-enter-stop in thread 2: **
1829 PID2 execve("/bin/bar", "bar" <unfinished ...>
1830 *** we issue PTRACE_SYSCALL for thread 2 **
1831 *** we get PTRACE_EVENT_EXEC for PID0, we issue PTRACE_SYSCALL **
1832 *** we get syscall-exit-stop for PID0: **
1833 PID0 <... execve resumed> ) = 0
1837 .B PTRACE_O_TRACEEXEC
1840 in effect for the execing tracee, the kernel delivers an extra
1845 This is an ordinary signal (similar to one which can be
1848 not a special kind of ptrace-stop.
1850 .B PTRACE_GETSIGINFO
1851 for this signal returns
1855 This signal may be blocked by signal mask,
1856 and thus may be delivered (much) later.
1858 Usually, the tracer (for example,
1860 would not want to show this extra post-execve
1862 signal to the user, and would suppress its delivery to the tracee (if
1866 it is a killing signal).
1867 However, determining
1870 to suppress is not easy.
1872 .B PTRACE_O_TRACEEXEC
1873 option and thus suppressing this extra
1875 is the recommended approach.
1877 The ptrace API (ab)uses the standard UNIX parent/child signaling over
1879 This used to cause the real parent of the process to stop receiving
1882 notifications when the child process is traced by some other process.
1884 Many of these bugs have been fixed, but as of Linux 2.6.38 several still
1885 exist; see BUGS below.
1887 As of Linux 2.6.38, the following is believed to work correctly:
1889 exit/death by signal is reported first to the tracer, then,
1890 when the tracer consumes the
1892 result, to the real parent (to the real parent only when the
1893 whole multithreaded process exits).
1894 If the tracer and the real parent are the same process,
1895 the report is sent only once.
1899 requests return the requested data (but see NOTES),
1900 while other requests return zero.
1902 On error, all requests return \-1, and
1904 is set appropriately.
1905 Since the value returned by a successful
1907 request may be \-1, the caller must clear
1909 before the call, and then check it afterward
1910 to determine whether or not an error occurred.
1914 (i386 only) There was an error with allocating or freeing a debug register.
1917 There was an attempt to read from or write to an invalid area in
1918 the tracer's or the tracee's memory,
1919 probably because the area wasn't mapped or accessible.
1920 Unfortunately, under Linux, different variations of this fault
1925 more or less arbitrarily.
1928 An attempt was made to set an invalid option.
1932 is invalid, or an attempt was made to read from or
1933 write to an invalid area in the tracer's or the tracee's memory,
1934 or there was a word-alignment violation,
1935 or an invalid signal was specified during a restart request.
1938 The specified process cannot be traced.
1939 This could be because the
1940 tracer has insufficient privileges (the required capability is
1941 .BR CAP_SYS_PTRACE );
1942 unprivileged processes cannot trace processes that they
1943 cannot send signals to or those running
1944 set-user-ID/set-group-ID programs, for obvious reasons.
1945 Alternatively, the process may already be being traced,
1946 or (on kernels before 2.6.26) be
1951 The specified process does not exist, or is not currently being traced
1952 by the caller, or is not stopped
1953 (for requests that require a stopped tracee).
1957 Although arguments to
1959 are interpreted according to the prototype given,
1960 glibc currently declares
1962 as a variadic function with only the
1965 It is recommended to always supply four arguments,
1966 even if the requested operation does not use them,
1967 setting unused/ignored arguments to
1972 In Linux kernels before 2.6.26,
1973 .\" See commit 00cd5c37afd5f431ac186dd131705048c0a11fdb
1975 the process with PID 1, may not be traced.
1977 The layout of the contents of memory and the USER area are
1978 quite operating-system- and architecture-specific.
1979 The offset supplied, and the data returned,
1980 might not entirely match with the definition of
1982 .\" See http://lkml.org/lkml/2008/5/8/375
1984 The size of a "word" is determined by the operating-system variant
1985 (e.g., for 32-bit Linux it is 32 bits).
1987 This page documents the way the
1989 call works currently in Linux.
1990 Its behavior differs significantly on other flavors of UNIX.
1993 is highly specific to the operating system and architecture.
1994 .SS C library/kernel ABI differences
1995 At the system call level, the
1996 .BR PTRACE_PEEKTEXT ,
1997 .BR PTRACE_PEEKDATA ,
2000 requests have a different API: they store the result
2001 at the address specified by the
2003 parameter, and the return value is the error flag.
2004 The glibc wrapper function provides the API given in DESCRIPTION above,
2005 with the result being returned via the function return value.
2007 On hosts with 2.6 kernel headers,
2008 .B PTRACE_SETOPTIONS
2009 is declared with a different value than the one for 2.4.
2010 This leads to applications compiled with 2.6 kernel
2011 headers failing when run on 2.4 kernels.
2012 This can be worked around by redefining
2013 .B PTRACE_SETOPTIONS
2015 .BR PTRACE_OLDSETOPTIONS ,
2018 Group-stop notifications are sent to the tracer, but not to real parent.
2019 Last confirmed on 2.6.38.6.
2021 If a thread group leader is traced and exits by calling
2023 .\" Note from Denys Vlasenko:
2024 .\" Here "exits" means any kind of death - _exit, exit_group,
2025 .\" signal death. Signal death and exit_group cases are trivial,
2026 .\" though: since signal death and exit_group kill all other threads
2027 .\" too, "until all other threads exit" thing happens rather soon
2028 .\" in these cases. Therefore, only _exit presents observably
2029 .\" puzzling behavior to ptrace users: thread leader _exit's,
2030 .\" but WIFEXITED isn't reported! We are trying to explain here
2033 .B PTRACE_EVENT_EXIT
2034 stop will happen for it (if requested), but the subsequent
2036 notification will not be delivered until all other threads exit.
2037 As explained above, if one of other threads calls
2039 the death of the thread group leader will
2042 If the execed thread is not traced by this tracer,
2043 the tracer will never know that
2046 One possible workaround is to
2048 the thread group leader instead of restarting it in this case.
2049 Last confirmed on 2.6.38.6.
2050 .\" FIXME . need to test/verify this scenario
2054 signal may still cause a
2055 .B PTRACE_EVENT_EXIT
2056 stop before actual signal death.
2057 This may be changed in the future;
2059 is meant to always immediately kill tasks even under ptrace.
2060 Last confirmed on 2.6.38.6.
2062 Some system calls return with
2064 if a signal was sent to a tracee, but delivery was suppressed by the tracer.
2065 (This is very typical operation: it is usually
2066 done by debuggers on every attach, in order to not introduce
2069 As of Linux 3.2.9, the following system calls are affected
2070 (this list is likely incomplete):
2077 The usual symptom of this bug is that when you attach to
2078 a quiescent process with the command
2080 strace \-p <process-ID>
2082 then, instead of the usual
2083 and expected one-line output such as
2086 restart_syscall(<... resuming interrupted call ...>_
2092 select(6, [5], NULL, [5], NULL_
2095 ('_' denotes the cursor position), you observe more than one line.
2099 clock_gettime(CLOCK_MONOTONIC, {15370, 690928118}) = 0
2103 What is not visible here is that the process was blocked in
2110 to return to user space with the error
2112 In this particular case, the program reacted to
2114 by checking the current time, and then executing
2117 (Programs which do not expect such "stray"
2119 errors may behave in an unintended way upon an
2135 .BR capabilities (7),
2138 This page is part of release 3.78 of the Linux
2141 A description of the project,
2142 information about reporting bugs,
2143 and the latest version of this page,
2145 \%http://www.kernel.org/doc/man\-pages/.