Documentation ¶
Overview ¶
strace traces Linux process events.
An straced process will emit events for syscalls, signals, exits, and new children.
Index ¶
- Constants
- func CaptureAddress(t Task, addr Addr, addrlen uint32) ([]byte, error)
- func ReadString(t Task, addr Addr, max int) (string, error)
- func ReadStringVector(t Task, addr Addr, maxsize, maxno int) ([]string, error)
- func Trace(c *exec.Cmd, recordCallback ...EventCallback) error
- type Addr
- type EventCallback
- type EventType
- type ExitEvent
- type NewChildEvent
- type SignalEvent
- type SyscallArgument
- type SyscallArguments
- type SyscallEvent
- type Task
- type TraceError
- type TraceRecord
Constants ¶
const ( // ExecMaxTotalSize is the maximum length of all argv and envv entries. // // N.B. The behavior here is different than Linux. Linux provides a limit on // individual arguments of 32 pages, and an aggregate limit of at least 32 pages // but otherwise bounded by min(stack size / 4, 8 MB * 3 / 4). We don't implement // any behavior based on the stack size, and instead provide a fixed hard-limit of // 2 MB (which should work well given that 8 MB stack limits are common). ExecMaxTotalSize = 2 * 1024 * 1024 // ExecMaxElemSize is the maximum length of a single argv or envv entry. ExecMaxElemSize = 32 * 4096 )
From gvisor:
Variables ¶
This section is empty.
Functions ¶
func CaptureAddress ¶
CaptureAddress pulls a socket address from the process as a byte slice. It returns any errors.
func ReadString ¶
ReadString reads a null-terminated string from the process at Addr and any errors.
func ReadStringVector ¶
ReadStringVector takes an address, max string size, and max number of string to read, and returns a string slice or error.
Types ¶
type EventCallback ¶
type EventCallback func(t Task, record *TraceRecord) error
EventCallback is a function called on each event while the subject process is stopped.
func RecordTraces ¶
func RecordTraces(c chan<- *TraceRecord) EventCallback
RecordTraces sends each event on c.
type EventType ¶
type EventType int
EventType describes a process event.
const ( // Unknown is for events we do not know how to interpret. Unknown EventType = 0x0 // SyscallEnter is the event for a process calling a syscall. Event // Args will contain the arguments sent by the userspace process. // // ptrace calls this a syscall-enter-stop. SyscallEnter EventType = 0x2 // SyscallExit is the event for the kernel returning a syscall. Args // will contain the arguments as returned by the kernel. // // ptrace calls this a syscall-exit-stop. SyscallExit EventType = 0x3 // SignalExit means the process has been terminated by a signal. SignalExit EventType = 0x4 // Exit means the process has exited with an exit code. Exit EventType = 0x5 // SignalStop means the process was stopped by a signal. // // ptrace calls this a signal-delivery-stop. SignalStop EventType = 0x6 // NewChild means the process created a new child thread or child // process via fork, clone, or vfork. // // ptrace calls this a PTRACE_EVENT_(FORK|CLONE|VFORK). NewChild EventType = 0x7 )
type ExitEvent ¶
type ExitEvent struct { // WaitStatus is the exit status. WaitStatus unix.WaitStatus }
ExitEvent is emitted when the process exits regularly using exit_group(2).
type NewChildEvent ¶
type NewChildEvent struct {
PID int
}
NewChildEvent is emitted when a clone/fork/vfork syscall is done.
type SignalEvent ¶
SignalEvent is a signal that was delivered to the process.
type SyscallArgument ¶
type SyscallArgument struct { // Prefer to use accessor methods instead of 'Value' directly. Value uintptr }
SyscallArgument is an argument supplied to a syscall implementation. The methods used to access the arguments are named after the ***C type name*** and they convert to the closest Go type available. For example, Int() refers to a 32-bit signed integer argument represented in Go as an int32.
Using the accessor methods guarantees that the conversion between types is correct, taking into account size and signedness (i.e., zero-extension vs signed-extension).
func (SyscallArgument) Int ¶
func (a SyscallArgument) Int() int32
Int returns the int32 representation of a 32-bit signed integer argument.
func (SyscallArgument) Int64 ¶
func (a SyscallArgument) Int64() int64
Int64 returns the int64 representation of a 64-bit signed integer argument.
func (SyscallArgument) ModeT ¶
func (a SyscallArgument) ModeT() uint
ModeT returns the int representation of a mode_t argument.
func (SyscallArgument) Pointer ¶
func (a SyscallArgument) Pointer() Addr
Pointer returns the usermem.Addr representation of a pointer argument.
func (SyscallArgument) SizeT ¶
func (a SyscallArgument) SizeT() uint
SizeT returns the uint representation of a size_t argument.
func (SyscallArgument) Uint ¶
func (a SyscallArgument) Uint() uint32
Uint returns the uint32 representation of a 32-bit unsigned integer argument.
func (SyscallArgument) Uint64 ¶
func (a SyscallArgument) Uint64() uint64
Uint64 returns the uint64 representation of a 64-bit unsigned integer argument.
type SyscallArguments ¶
type SyscallArguments [6]SyscallArgument
SyscallArguments represents the set of arguments passed to a syscall.
type SyscallEvent ¶
type SyscallEvent struct { // Regs are the process's registers as they were when the event was // recorded. Regs unix.PtraceRegs // Sysno is the syscall number. Sysno int // Args are the arguments to the syscall. Args SyscallArguments // Ret is the return value of the syscall. Only populated on // SyscallExit. Ret [2]SyscallArgument // Errno is an errno, if there was on in Ret. Only populated on // SyscallExit. Errno unix.Errno // Duration is the duration from enter to exit for this particular // syscall. Only populated on SyscallExit. Duration time.Duration }
SyscallEvent is populated for both SyscallEnter and SyscallExit event types.
func (*SyscallEvent) FillArgs ¶
func (s *SyscallEvent) FillArgs()
FillArgs pulls the correct registers to populate system call arguments and the system call number into a TraceRecord. Note that the system call number is not technically an argument. This is good, in a sense, since it makes the function arguments end up in "the right place" from the point of view of the caller. The performance improvement is negligible, as you can see by a look at the GNU runtime.
func (*SyscallEvent) FillRet ¶
func (s *SyscallEvent) FillRet()
FillRet fills the TraceRecord with the result values from the registers.
type Task ¶
type Task interface { // Read reads from the process at Addr to the interface{} // and returns a byte count and error. Read(addr Addr, v interface{}) (int, error) // Name is a human-readable process identifier. E.g. PID or argv[0]. Name() string }
Task is a Linux process.
type TraceError ¶
TraceError is returned when something failed on a specific process.
func (*TraceError) Error ¶
func (t *TraceError) Error() string
type TraceRecord ¶
type TraceRecord struct { PID int Time time.Time Event EventType Syscall *SyscallEvent SignalExit *SignalEvent SignalStop *SignalEvent Exit *ExitEvent NewChild *NewChildEvent }
TraceRecord has information about a process event.