4.4. Tracing Program Actions

Two programs help you trace the actions that an executable is taking. Neither requires the source code; in fact, neither can make use of the source code. Both print out in symbolic, textual form a log of the actions being taken by a program. The first, strace, prints out a record of each system call that the program makes. The second, ltrace, prints out a record of each library function call that the program makes (and can optionally also trace system calls).

These tools can be particularly useful for determining "what went wrong" in obvious failure cases. For example, consider a system daemon that has been working for quite a while, but then starts exhibiting segmentation faults when you try to start it up. It is likely that the bug has been triggered by a change in some data files, but you do not know which one. The first step might be to run the system daemon under strace, look for the last few files that it opens before taking the segmentation fault, and examine those files for likely causes. Or consider another daemon that is unexpectedly taking lots of CPU time; you can run it under strace first, and then ltrace if strace doesn't show clearly what it is doing, to understand what input or conditions are causing it to take an unexpected amount of CPU time.

Like gdb, strace and ltrace can either be used to run a program from beginning to end, or can attach to running programs. By default, both programs send their output to standard out. Both programs require that their own options come first, followed by the executable to run (when applicable); if an executable is specified, any options to pass to that executable follow it. Both programs provide a similar set of options:

| Option | Description |
| --- | --- |
| -C or --demangle | In ltrace only, decode (or "demangle") the names of library symbols into recognizable names. This strips leading underscore characters (many glibc functions are internally implemented with versions with leading underscores) and makes C++ library functions readable (C++ encodes type information into symbol names). |
| -e | In strace only, specify a subset of actions to print. There are many possible specifications described in the strace man page; the most commonly useful specification is -e trace=file, which traces only system calls involved in file I/O and manipulation. |
| -f | Attempt to "follow fork()" and trace child processes as well as possible. Note that the child process may run without being traced for a short time before strace or ltrace is able to attach to it and trace its actions. |
| -o filename | Instead of sending the output to standard out, store it in the file named filename. |
| -p pid | Instead of starting a new instance of a program, attach to the process ID specified in pid. |
| -S | In ltrace only, report system calls as well as library calls. |
| -v | In strace only, do not abbreviate large structures in system calls such as the stat() family of calls, termios calls, and others with large structures. |

The manual pages for each of the utilities cover these options and others not mentioned here.
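
The crashing-daemon procedure described above can be scripted once the trace has been saved with -o. The following is an added example, not code from the original text: it lists the last files a program opened before its segmentation fault. The daemon name exampled, its paths, and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example. "exampled" and all paths below are constructed.
# A real log would come from: strace -f -e trace=file -o trace.log ./exampled

# last_opens_before_segv LOGFILE [COUNT]
# Prints "path<TAB>result" for the last COUNT open()/openat() calls logged
# before the first SIGSEGV; returns non-zero if the log has no SIGSEGV.
last_opens_before_segv() {
    awk -v n="${2:-3}" '
        # With -f, strace prefixes each line with "PID " or "[pid PID] ".
        /^(\[pid +[0-9]+\] |[0-9]+ +)?--- SIGSEGV / { found = 1; exit }
        /^(\[pid +[0-9]+\] |[0-9]+ +)?(open|openat)\(/ {
            if ($0 !~ /\) = /) next            # skip "<unfinished ...>" lines
            if (match($0, /"[^"]*"/) == 0) next
            path = substr($0, RSTART + 1, RLENGTH - 2)   # first quoted argument
            result = $0
            sub(/.*\) = /, "", result)         # keep return value and errno text
            seen[++count] = path "\t" result
        }
        END {
            if (!found) exit 1
            start = count - n + 1
            if (start < 1) start = 1
            for (i = start; i <= count; i++) print seen[i]
        }
    ' "$1"
}

# Constructed sample of "strace -f -o" output for a daemon crashing at startup.
write_sample_log() {
    cat > "$1" <<'EOF'
4242 execve("./exampled", ["./exampled", "--foreground"], 0x7ffd0 /* 12 vars */) = 0
4242 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/etc/exampled/exampled.conf", O_RDONLY) = 3
4242 openat(AT_FDCWD, "/etc/exampled/local.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/var/lib/exampled/state.db", O_RDONLY) = 4
4242 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
4242 +++ killed by SIGSEGV (core dumped) +++
EOF
}

log=$(mktemp)
write_sample_log "$log"
last_opens_before_segv "$log" 3
rm -f "$log"
```

Failed opens are reported along with successful ones, because a file that has gone missing is as likely a cause of the crash as one whose contents changed.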