1.\" $NetBSD: ptrace.2,v 1.2 1995/02/27 12:35:37 cgd Exp $ 2.\" 3.\" This file is in the public domain. 4.Dd June 19, 2025 5.Dt PTRACE 2 6.Os 7.Sh NAME 8.Nm ptrace 9.Nd process tracing and debugging 10.Sh LIBRARY 11.Lb libc 12.Sh SYNOPSIS 13.In sys/types.h 14.In sys/ptrace.h 15.Ft int 16.Fn ptrace "int request" "pid_t pid" "caddr_t addr" "int data" 17.Sh DESCRIPTION 18The 19.Fn ptrace 20system call 21provides tracing and debugging facilities. 22It allows one process 23(the 24.Em tracing 25process) 26to control another 27(the 28.Em traced 29process). 30The tracing process must first attach to the traced process, and then 31issue a series of 32.Fn ptrace 33system calls to control the execution of the process, as well as access 34process memory and register state. 35For the duration of the tracing session, the traced process will be 36.Dq re-parented , 37with its parent process ID (and resulting behavior) 38changed to the tracing process. 39It is permissible for a tracing process to attach to more than one 40other process at a time. 41When the tracing process has completed its work, it must detach the 42traced process; if a tracing process exits without first detaching all 43processes it has attached, those processes will be killed. 44.Pp 45Most of the time, the traced process runs normally, but when it 46receives a signal 47(see 48.Xr sigaction 2 ) , 49it stops. 50The tracing process is expected to notice this via 51.Xr wait 2 52or the delivery of a 53.Dv SIGCHLD 54signal, examine the state of the stopped process, and cause it to 55terminate or continue as appropriate. 56The signal may be a normal process signal, generated as a result of 57traced process behavior, or use of the 58.Xr kill 2 59system call; alternatively, it may be generated by the tracing facility 60as a result of attaching, stepping by the tracing 61process, 62or an event in the traced process. 63The tracing process may choose to intercept the signal, using it to 64observe process behavior (such as 65.Dv SIGTRAP ) , 66or forward the signal to the process if appropriate. 67The 68.Fn ptrace 69system call 70is the mechanism by which all this happens. 71.Pp 72A traced process may report additional signal stops corresponding to 73events in the traced process. 74These additional signal stops are reported as 75.Dv SIGTRAP 76or 77.Dv SIGSTOP 78signals. 79The tracing process can use the 80.Dv PT_LWPINFO 81request to determine which events are associated with a 82.Dv SIGTRAP 83or 84.Dv SIGSTOP 85signal. 86Note that multiple events may be associated with a single signal. 87For example, events indicated by the 88.Dv PL_FLAG_BORN , 89.Dv PL_FLAG_FORKED , 90and 91.Dv PL_FLAG_EXEC 92flags are also reported as a system call exit event 93.Pq Dv PL_FLAG_SCX . 94The signal stop for a new child process enabled via 95.Dv PTRACE_FORK 96will report a 97.Dv SIGSTOP 98signal. 99All other additional signal stops use 100.Dv SIGTRAP . 101.Sh DETACH AND TERMINATION 102.Pp 103Normally, exiting tracing process should wait for all pending 104debugging events and then detach from all alive traced processes 105before exiting using 106.Dv PT_DETACH 107request. 108If tracing process exits without detaching, for instance due to abnormal 109termination, the destiny of the traced children processes is determined 110by the 111.Dv kern.kill_on_debugger_exit 112sysctl control. 113.Pp 114If the control is set to the default value 1, such traced processes 115are terminated. 116If set to zero, kernel implicitly detaches traced processes. 117Traced processes are un-stopped if needed, and then continue the execution 118without tracing. 119Kernel drops any 120.Dv SIGTRAP 121signals queued to the traced children, which could be either generated by 122not yet consumed debug events, or sent by other means, the later should 123not be done anyway. 124.Sh SELECTING THE TARGET 125The 126.Fa pid 127argument of the call specifies the target on which to perform 128the requested operation. 129For operations affecting the global process state, the process ID 130is typically passed there. 131Similarly, for operations affecting only a thread, the thread ID 132needs to be passed. 133.Pp 134Still, for global operations, the ID of any thread can be used as the 135target, and system will perform the request on the process owning 136that thread. 137If a thread operation got the process ID as 138.Fa pid , 139the system randomly selects a thread from among the threads owned 140by the process. 141For single-threaded processes there is no difference between specifying 142process or thread ID as the target. 143.Sh DISABLING PTRACE 144The 145.Nm 146subsystem provides rich facilities to manipulate other processes state. 147Sometimes it may be desirable to disallow it either completely, or limit 148its scope. 149The following controls are provided for this: 150.Bl -tag -width security.bsd.unprivileged_proc_debug 151.It Dv security.bsd.allow_ptrace 152Setting this sysctl to zero makes 153.Nm 154return 155.Er ENOSYS 156always as if the syscall is not implemented by the kernel. 157.It Dv security.bsd.unprivileged_proc_debug 158Setting this sysctl to zero disallows the use of 159.Fn ptrace 160by unprivileged processes. 161.It Dv security.bsd.see_other_uids 162Setting this sysctl to zero prevents 163.Fn ptrace 164requests from targeting processes with a real user identifier different 165from the caller's. 166These requests will fail with error 167.Er ESRCH . 168.It Dv security.bsd.see_other_gids 169Setting this sysctl to zero disallows 170.Fn ptrace 171requests from processes that have no groups in common with the target process, 172considering their sets of real and supplementary groups. 173These requests will fail with error 174.Er ESRCH . 175.It Dv security.bsd.see_jail_proc 176Setting this sysctl to zero disallows 177.Fn ptrace 178requests from processes belonging to a different jail than that of the target 179process, even if the requesting process' jail is an ancestor of the target 180process'. 181These requests will fail with error 182.Er ESRCH . 183.It Dv securelevel and init 184The 185.Xr init 1 186process can only be traced with 187.Nm 188if securelevel is zero. 189.It Dv procctl(2) PROC_TRACE_CTL 190Process can deny attempts to trace itself with 191.Xr procctl 2 192.Dv PROC_TRACE_CTL 193request. 194In this case requests return 195.Xr EPERM 196error. 197.El 198.Sh TRACING EVENTS 199.Pp 200Each traced process has a tracing event mask. 201An event in the traced process only reports a 202signal stop if the corresponding flag is set in the tracing event mask. 203The current set of tracing event flags include: 204.Bl -tag -width "Dv PTRACE_SYSCALL" 205.It Dv PTRACE_EXEC 206Report a stop for a successful invocation of 207.Xr execve 2 . 208This event is indicated by the 209.Dv PL_FLAG_EXEC 210flag in the 211.Va pl_flags 212member of 213.Vt "struct ptrace_lwpinfo" . 214.It Dv PTRACE_SCE 215Report a stop on each system call entry. 216This event is indicated by the 217.Dv PL_FLAG_SCE 218flag in the 219.Va pl_flags 220member of 221.Vt "struct ptrace_lwpinfo" . 222.It Dv PTRACE_SCX 223Report a stop on each system call exit. 224This event is indicated by the 225.Dv PL_FLAG_SCX 226flag in the 227.Va pl_flags 228member of 229.Vt "struct ptrace_lwpinfo" . 230.It Dv PTRACE_SYSCALL 231Report stops for both system call entry and exit. 232.It Dv PTRACE_FORK 233This event flag controls tracing for new child processes of a traced process. 234.Pp 235When this event flag is enabled, 236new child processes will enable tracing and stop before executing their 237first instruction. 238The new child process will include the 239.Dv PL_FLAG_CHILD 240flag in the 241.Va pl_flags 242member of 243.Vt "struct ptrace_lwpinfo" . 244The traced process will report a stop that includes the 245.Dv PL_FLAG_FORKED 246flag. 247The process ID of the new child process will also be present in the 248.Va pl_child_pid 249member of 250.Vt "struct ptrace_lwpinfo" . 251If the new child process was created via 252.Xr vfork 2 , 253the traced process's stop will also include the 254.Dv PL_FLAG_VFORKED 255flag. 256Note that new child processes will be attached with the default 257tracing event mask; 258they do not inherit the event mask of the traced process. 259.Pp 260When this event flag is not enabled, 261new child processes will execute without tracing enabled. 262.It Dv PTRACE_LWP 263This event flag controls tracing of LWP 264.Pq kernel thread 265creation and destruction. 266When this event is enabled, 267new LWPs will stop and report an event with 268.Dv PL_FLAG_BORN 269set before executing their first instruction, 270and exiting LWPs will stop and report an event with 271.Dv PL_FLAG_EXITED 272set before completing their termination. 273.Pp 274Note that new processes do not report an event for the creation of their 275initial thread, 276and exiting processes do not report an event for the termination of the 277last thread. 278.It Dv PTRACE_VFORK 279Report a stop event when a parent process resumes after a 280.Xr vfork 2 . 281.Pp 282When a thread in the traced process creates a new child process via 283.Xr vfork 2 , 284the stop that reports 285.Dv PL_FLAG_FORKED 286and 287.Dv PL_FLAG_SCX 288occurs just after the child process is created, 289but before the thread waits for the child process to stop sharing process 290memory. 291If a debugger is not tracing the new child process, 292it must ensure that no breakpoints are enabled in the shared process 293memory before detaching from the new child process. 294This means that no breakpoints are enabled in the parent process either. 295.Pp 296The 297.Dv PTRACE_VFORK 298flag enables a new stop that indicates when the new child process stops 299sharing the process memory of the parent process. 300A debugger can reinsert breakpoints in the parent process and resume it 301in response to this event. 302This event is indicated by setting the 303.Dv PL_FLAG_VFORK_DONE 304flag. 305.El 306.Pp 307The default tracing event mask when attaching to a process via 308.Dv PT_ATTACH , 309.Dv PT_TRACE_ME , 310or 311.Dv PTRACE_FORK 312includes only 313.Dv PTRACE_EXEC 314events. 315All other event flags are disabled. 316.Sh PTRACE REQUESTS 317.Pp 318The 319.Fa request 320argument specifies what operation is being performed; the meaning of 321the rest of the arguments depends on the operation, but except for one 322special case noted below, all 323.Fn ptrace 324calls are made by the tracing process, and the 325.Fa pid 326argument specifies the process ID of the traced process 327or a corresponding thread ID. 328The 329.Fa request 330argument 331can be: 332.Bl -tag -width "Dv PT_GET_EVENT_MASK" 333.It Dv PT_TRACE_ME 334This request is the only one used by the traced process; it declares 335that the process expects to be traced by its parent. 336All the other arguments are ignored. 337(If the parent process does not expect to trace the child, it will 338probably be rather confused by the results; once the traced process 339stops, it cannot be made to continue except via 340.Fn ptrace . ) 341When a process has used this request and calls 342.Xr execve 2 343or any of the routines built on it 344(such as 345.Xr execv 3 ) , 346it will stop before executing the first instruction of the new image. 347Also, any setuid or setgid bits on the executable being executed will 348be ignored. 349If the child was created by 350.Xr vfork 2 351system call or 352.Xr rfork 2 353call with the 354.Dv RFMEM 355flag specified, the debugging events are reported to the parent 356only after the 357.Xr execve 2 358is executed. 359.It Dv PT_READ_I , Dv PT_READ_D 360These requests read a single 361.Vt int 362of data from the traced process's address space. 363Traditionally, 364.Fn ptrace 365has allowed for machines with distinct address spaces for instruction 366and data, which is why there are two requests: conceptually, 367.Dv PT_READ_I 368reads from the instruction space and 369.Dv PT_READ_D 370reads from the data space. 371In the current 372.Fx 373implementation, these two requests are completely identical. 374The 375.Fa addr 376argument specifies the address 377(in the traced process's virtual address space) 378at which the read is to be done. 379This address does not have to meet any alignment constraints. 380The value read is returned as the return value from 381.Fn ptrace . 382.It Dv PT_WRITE_I , Dv PT_WRITE_D 383These requests parallel 384.Dv PT_READ_I 385and 386.Dv PT_READ_D , 387except that they write rather than read. 388The 389.Fa data 390argument supplies the value to be written. 391.It Dv PT_IO 392This request allows reading and writing arbitrary amounts of data in 393the traced process's address space. 394The 395.Fa addr 396argument specifies a pointer to a 397.Vt "struct ptrace_io_desc" , 398which is defined as follows: 399.Bd -literal 400struct ptrace_io_desc { 401 int piod_op; /* I/O operation */ 402 void *piod_offs; /* child offset */ 403 void *piod_addr; /* parent offset */ 404 size_t piod_len; /* request length */ 405}; 406 407/* 408 * Operations in piod_op. 409 */ 410#define PIOD_READ_D 1 /* Read from D space */ 411#define PIOD_WRITE_D 2 /* Write to D space */ 412#define PIOD_READ_I 3 /* Read from I space */ 413#define PIOD_WRITE_I 4 /* Write to I space */ 414.Ed 415.Pp 416The 417.Fa data 418argument is ignored. 419The actual number of bytes read or written is stored in 420.Va piod_len 421upon return. 422.It Dv PT_CONTINUE 423The traced process continues execution. 424The 425.Fa addr 426argument 427is an address specifying the place where execution is to be resumed 428(a new value for the program counter), 429or 430.Po Vt caddr_t Pc Ns 1 431to indicate that execution is to pick up where it left off. 432The 433.Fa data 434argument 435provides a signal number to be delivered to the traced process as it 436resumes execution, or 0 if no signal is to be sent. 437.It Dv PT_STEP 438The traced process is single stepped one instruction. 439The 440.Fa addr 441argument 442should be passed 443.Po Vt caddr_t Pc Ns 1 . 444The 445.Fa data 446argument 447provides a signal number to be delivered to the traced process as it 448resumes execution, or 0 if no signal is to be sent. 449.It Dv PT_KILL 450The traced process terminates, as if 451.Dv PT_CONTINUE 452had been used with 453.Dv SIGKILL 454given as the signal to be delivered. 455.It Dv PT_ATTACH 456This request allows a process to gain control of an otherwise 457unrelated process and begin tracing it. 458It does not need any cooperation from the process to trace. 459In 460this case, 461.Fa pid 462specifies the process ID of the process to trace, and the other 463two arguments are ignored. 464This request requires that the target process must have the same real 465UID as the tracing process, and that it must not be executing a setuid 466or setgid executable. 467(If the tracing process is running as root, these restrictions do not 468apply.) 469The tracing process will see the newly-traced process stop and may 470then control it as if it had been traced all along. 471.It Dv PT_DETACH 472This request is like PT_CONTINUE, except that it does not allow 473specifying an alternate place to continue execution, and after it 474succeeds, the traced process is no longer traced and continues 475execution normally. 476.Pp 477The parent of the traced process will be sent a 478.Dv SIGCHLD 479to indicate that the process has continued from a stopped state regardless of 480whether the process was in a stopped state prior to the corresponding 481.Dv PT_ATTACH 482request. 483A 484.Xr wait 2 485for the traced process would indicate that it had been continued. 486.It Dv PT_GETREGS 487This request reads the traced process's machine registers into the 488.Do 489.Vt "struct reg" 490.Dc 491(defined in 492.In machine/reg.h ) 493pointed to by 494.Fa addr . 495.It Dv PT_SETREGS 496This request is the converse of 497.Dv PT_GETREGS ; 498it loads the traced process's machine registers from the 499.Do 500.Vt "struct reg" 501.Dc 502(defined in 503.In machine/reg.h ) 504pointed to by 505.Fa addr . 506.It Dv PT_GETFPREGS 507This request reads the traced process's floating-point registers into 508the 509.Do 510.Vt "struct fpreg" 511.Dc 512(defined in 513.In machine/reg.h ) 514pointed to by 515.Fa addr . 516.It Dv PT_SETFPREGS 517This request is the converse of 518.Dv PT_GETFPREGS ; 519it loads the traced process's floating-point registers from the 520.Do 521.Vt "struct fpreg" 522.Dc 523(defined in 524.In machine/reg.h ) 525pointed to by 526.Fa addr . 527.It Dv PT_GETDBREGS 528This request reads the traced process's debug registers into 529the 530.Do 531.Vt "struct dbreg" 532.Dc 533(defined in 534.In machine/reg.h ) 535pointed to by 536.Fa addr . 537.It Dv PT_SETDBREGS 538This request is the converse of 539.Dv PT_GETDBREGS ; 540it loads the traced process's debug registers from the 541.Do 542.Vt "struct dbreg" 543.Dc 544(defined in 545.In machine/reg.h ) 546pointed to by 547.Fa addr . 548.It Dv PT_GETREGSET 549This request reads the registers from the traced process. 550The 551.Fa data 552argument specifies the register set to read, with the 553.Fa addr 554argument pointing at a 555.Vt "struct iovec" 556where the 557.Va iov_base 558field points to a register set specific structure to hold the registers, 559and the 560.Va iov_len 561field holds the length of the structure. 562.It Dv PT_SETREGSET 563This request writes to the registers of the traced process. 564The 565.Fa data 566argument specifies the register set to write to, with the 567.Fa addr 568argument pointing at a 569.Vt "struct iovec" 570where the 571.Va iov_base 572field points to a register set specific structure to hold the registers, 573and the 574.Va iov_len 575field holds the length of the structure. 576If 577.Va iov_base 578is NULL the kernel will return the expected length of the register set 579specific structure in the 580.Va iov_len 581field and not change the target register set. 582.It Dv PT_LWPINFO 583This request can be used to obtain information about the kernel thread, 584also known as light-weight process, that caused the traced process to stop. 585The 586.Fa addr 587argument specifies a pointer to a 588.Vt "struct ptrace_lwpinfo" , 589which is defined as follows: 590.Bd -literal 591struct ptrace_lwpinfo { 592 lwpid_t pl_lwpid; 593 int pl_event; 594 int pl_flags; 595 sigset_t pl_sigmask; 596 sigset_t pl_siglist; 597 siginfo_t pl_siginfo; 598 char pl_tdname[MAXCOMLEN + 1]; 599 pid_t pl_child_pid; 600 u_int pl_syscall_code; 601 u_int pl_syscall_narg; 602}; 603.Ed 604.Pp 605The 606.Fa data 607argument is to be set to the size of the structure known to the caller. 608This allows the structure to grow without affecting older programs. 609.Pp 610The fields in the 611.Vt "struct ptrace_lwpinfo" 612have the following meaning: 613.Bl -tag -width indent -compact 614.It Va pl_lwpid 615LWP id of the thread 616.It Va pl_event 617Event that caused the stop. 618Currently defined events are: 619.Bl -tag -width "Dv PL_EVENT_SIGNAL" -compact 620.It Dv PL_EVENT_NONE 621No reason given 622.It Dv PL_EVENT_SIGNAL 623Thread stopped due to the pending signal 624.El 625.It Va pl_flags 626Flags that specify additional details about observed stop. 627Currently defined flags are: 628.Bl -tag -width indent -compact 629.It Dv PL_FLAG_SCE 630The thread stopped due to system call entry, right after the kernel is entered. 631The debugger may examine syscall arguments that are stored in memory and 632registers according to the ABI of the current process, and modify them, 633if needed. 634.It Dv PL_FLAG_SCX 635The thread is stopped immediately before syscall is returning to the usermode. 636The debugger may examine system call return values in the ABI-defined registers 637and/or memory. 638.It Dv PL_FLAG_EXEC 639When 640.Dv PL_FLAG_SCX 641is set, this flag may be additionally specified to inform that the 642program being executed by debuggee process has been changed by successful 643execution of a system call from the 644.Fn execve 2 645family. 646.It Dv PL_FLAG_SI 647Indicates that 648.Va pl_siginfo 649member of 650.Vt "struct ptrace_lwpinfo" 651contains valid information. 652.It Dv PL_FLAG_FORKED 653Indicates that the process is returning from a call to 654.Fn fork 2 655that created a new child process. 656The process identifier of the new process is available in the 657.Va pl_child_pid 658member of 659.Vt "struct ptrace_lwpinfo" . 660.It Dv PL_FLAG_CHILD 661The flag is set for first event reported from a new child which is 662automatically attached when 663.Dv PTRACE_FORK 664is enabled. 665.It Dv PL_FLAG_BORN 666This flag is set for the first event reported from a new LWP when 667.Dv PTRACE_LWP 668is enabled. 669It is reported along with 670.Dv PL_FLAG_SCX . 671.It Dv PL_FLAG_EXITED 672This flag is set for the last event reported by an exiting LWP when 673.Dv PTRACE_LWP 674is enabled. 675Note that this event is not reported when the last LWP in a process exits. 676The termination of the last thread is reported via a normal process exit 677event. 678.It Dv PL_FLAG_VFORKED 679Indicates that the thread is returning from a call to 680.Xr vfork 2 681that created a new child process. 682This flag is set in addition to 683.Dv PL_FLAG_FORKED . 684.It Dv PL_FLAG_VFORK_DONE 685Indicates that the thread has resumed after a child process created via 686.Xr vfork 2 687has stopped sharing its address space with the traced process. 688.El 689.It Va pl_sigmask 690The current signal mask of the LWP 691.It Va pl_siglist 692The current pending set of signals for the LWP. 693Note that signals that are delivered to the process would not appear 694on an LWP siglist until the thread is selected for delivery. 695.It Va pl_siginfo 696The siginfo that accompanies the signal pending. 697Only valid for 698.Dv PL_EVENT_SIGNAL 699stop when 700.Dv PL_FLAG_SI 701is set in 702.Va pl_flags . 703.It Va pl_tdname 704The name of the thread. 705.It Va pl_child_pid 706The process identifier of the new child process. 707Only valid for a 708.Dv PL_EVENT_SIGNAL 709stop when 710.Dv PL_FLAG_FORKED 711is set in 712.Va pl_flags . 713.It Va pl_syscall_code 714The ABI-specific identifier of the current system call. 715Note that for indirect system calls this field reports the indirected 716system call. 717Only valid when 718.Dv PL_FLAG_SCE 719or 720.Dv PL_FLAG_SCX 721is set in 722.Va pl_flags . 723.It Va pl_syscall_narg 724The number of arguments passed to the current system call not counting 725the system call identifier. 726Note that for indirect system calls this field reports the arguments 727passed to the indirected system call. 728Only valid when 729.Dv PL_FLAG_SCE 730or 731.Dv PL_FLAG_SCX 732is set in 733.Va pl_flags . 734.El 735.It Dv PT_GETNUMLWPS 736This request returns the number of kernel threads associated with the 737traced process. 738.It Dv PT_GETLWPLIST 739This request can be used to get the current thread list. 740A pointer to an array of type 741.Vt lwpid_t 742should be passed in 743.Fa addr , 744with the array size specified by 745.Fa data . 746The return value from 747.Fn ptrace 748is the count of array entries filled in. 749.It Dv PT_SETSTEP 750This request will turn on single stepping of the specified process. 751Stepping is automatically disabled when a single step trap is caught. 752.It Dv PT_CLEARSTEP 753This request will turn off single stepping of the specified process. 754.It Dv PT_SUSPEND 755This request will suspend the specified thread. 756.It Dv PT_RESUME 757This request will resume the specified thread. 758.It Dv PT_TO_SCE 759This request will set the 760.Dv PTRACE_SCE 761event flag to trace all future system call entries and continue the process. 762The 763.Fa addr 764and 765.Fa data 766arguments are used the same as for 767.Dv PT_CONTINUE . 768.It Dv PT_TO_SCX 769This request will set the 770.Dv PTRACE_SCX 771event flag to trace all future system call exits and continue the process. 772The 773.Fa addr 774and 775.Fa data 776arguments are used the same as for 777.Dv PT_CONTINUE . 778.It Dv PT_SYSCALL 779This request will set the 780.Dv PTRACE_SYSCALL 781event flag to trace all future system call entries and exits and continue 782the process. 783The 784.Fa addr 785and 786.Fa data 787arguments are used the same as for 788.Dv PT_CONTINUE . 789.It Dv PT_GET_SC_ARGS 790For the thread which is stopped in either 791.Dv PL_FLAG_SCE 792or 793.Dv PL_FLAG_SCX 794state, that is, on entry or exit to a syscall, 795this request fetches the syscall arguments. 796.Pp 797The arguments are copied out into the buffer pointed to by the 798.Fa addr 799pointer, sequentially. 800Each syscall argument is stored as the machine word. 801Kernel copies out as many arguments as the syscall accepts, 802see the 803.Va pl_syscall_narg 804member of the 805.Vt struct ptrace_lwpinfo , 806but not more than the 807.Fa data 808bytes in total are copied. 809.It Dv PT_GET_SC_RET 810Fetch the system call return values on exit from a syscall. 811This request is only valid for threads stopped in a syscall 812exit (the 813.Dv PL_FLAG_SCX 814state). 815The 816.Fa addr 817argument specifies a pointer to a 818.Vt "struct ptrace_sc_ret" , 819which is defined as follows: 820.Bd -literal 821struct ptrace_sc_ret { 822 register_t sr_retval[2]; 823 int sr_error; 824}; 825.Ed 826.Pp 827The 828.Fa data 829argument is set to the size of the structure. 830.Pp 831If the system call completed successfully, 832.Va sr_error 833is set to zero and the return values of the system call are saved in 834.Va sr_retval . 835If the system call failed to execute, 836.Va sr_error 837field is set to a positive 838.Xr errno 2 839value. 840If the system call completed in an unusual fashion, 841.Va sr_error 842is set to a negative value: 843.Bl -tag -width EJUSTRETURN -compact 844.It Dv ERESTART 845System call will be restarted. 846.It Dv EJUSTRETURN 847System call completed sucessfully but did not set a return value 848.Po for example, 849.Xr setcontext 2 850and 851.Xr sigreturn 2 852.Pc . 853.El 854.It Dv PT_FOLLOW_FORK 855This request controls tracing for new child processes of a traced process. 856If 857.Fa data 858is non-zero, 859.Dv PTRACE_FORK 860is set in the traced process's event tracing mask. 861If 862.Fa data 863is zero, 864.Dv PTRACE_FORK 865is cleared from the traced process's event tracing mask. 866.It Dv PT_LWP_EVENTS 867This request controls tracing of LWP creation and destruction. 868If 869.Fa data 870is non-zero, 871.Dv PTRACE_LWP 872is set in the traced process's event tracing mask. 873If 874.Fa data 875is zero, 876.Dv PTRACE_LWP 877is cleared from the traced process's event tracing mask. 878.It Dv PT_GET_EVENT_MASK 879This request reads the traced process's event tracing mask into the 880integer pointed to by 881.Fa addr . 882The size of the integer must be passed in 883.Fa data . 884.It Dv PT_SET_EVENT_MASK 885This request sets the traced process's event tracing mask from the 886integer pointed to by 887.Fa addr . 888The size of the integer must be passed in 889.Fa data . 890.It Dv PT_VM_TIMESTAMP 891This request returns the generation number or timestamp of the memory map of 892the traced process as the return value from 893.Fn ptrace . 894This provides a low-cost way for the tracing process to determine if the 895VM map changed since the last time this request was made. 896.It Dv PT_VM_ENTRY 897This request is used to iterate over the entries of the VM map of the traced 898process. 899The 900.Fa addr 901argument specifies a pointer to a 902.Vt "struct ptrace_vm_entry" , 903which is defined as follows: 904.Bd -literal 905struct ptrace_vm_entry { 906 int pve_entry; 907 int pve_timestamp; 908 u_long pve_start; 909 u_long pve_end; 910 u_long pve_offset; 911 u_int pve_prot; 912 u_int pve_pathlen; 913 long pve_fileid; 914 uint32_t pve_fsid; 915 char *pve_path; 916}; 917.Ed 918.Pp 919The first entry is returned by setting 920.Va pve_entry 921to zero. 922Subsequent entries are returned by leaving 923.Va pve_entry 924unmodified from the value returned by previous requests. 925The 926.Va pve_timestamp 927field can be used to detect changes to the VM map while iterating over the 928entries. 929The tracing process can then take appropriate action, such as restarting. 930By setting 931.Va pve_pathlen 932to a non-zero value on entry, the pathname of the backing object is returned 933in the buffer pointed to by 934.Va pve_path , 935provided the entry is backed by a vnode. 936The 937.Va pve_pathlen 938field is updated with the actual length of the pathname (including the 939terminating null character). 940The 941.Va pve_offset 942field is the offset within the backing object at which the range starts. 943The range is located in the VM space at 944.Va pve_start 945and extends up to 946.Va pve_end 947(inclusive). 948.Pp 949The 950.Fa data 951argument is ignored. 952.It Dv PT_COREDUMP 953This request creates a coredump for the stopped program. 954The 955.Fa addr 956argument specifies a pointer to a 957.Vt "struct ptrace_coredump" , 958which is defined as follows: 959.Bd -literal 960struct ptrace_coredump { 961 int pc_fd; 962 uint32_t pc_flags; 963 off_t pc_limit; 964}; 965.Ed 966The fields of the structure are: 967.Bl -tag -width pc_flags 968.It Dv pc_fd 969File descriptor to write the dump to. 970It must refer to a regular file, opened for writing. 971.It Dv pc_flags 972Flags. 973The following flags are defined: 974.Bl -tag -width PC_COMPRESS 975.It Dv PC_COMPRESS 976Request compression of the dump. 977.It Dv PC_ALL 978Include non-dumpable entries into the dump. 979The dumper ignores 980.Dv MAP_NOCORE 981flag of the process map entry, but device mappings are not dumped even with 982.Dv PC_ALL 983set. 984.El 985.It Dv pc_limit 986Maximum size of the coredump. 987Specify zero for no limit. 988.El 989.Pp 990The size of 991.Vt "struct ptrace_coredump" 992must be passed in 993.Fa data . 994.It Dv PT_SC_REMOTE 995Request to execute a syscall in the context of the traced process, 996in the specified thread. 997The 998.Fa addr 999argument must point to the 1000.Vt "struct ptrace_sc_remote" , 1001which describes the requested syscall and its arguments, and receives 1002the result. 1003The size of 1004.Vt "struct ptrace_sc_remote" 1005must be passed in 1006.Fa data. 1007.Bd -literal 1008struct ptrace_sc_remote { 1009 struct ptrace_sc_ret pscr_ret; 1010 u_int pscr_syscall; 1011 u_int pscr_nargs; 1012 u_long *pscr_args; 1013}; 1014.Ed 1015The 1016.Dv pscr_syscall 1017contains the syscall number to execute, the 1018.Dv pscr_nargs 1019is the number of supplied arguments, which are supplied in the 1020.Dv pscr_args 1021array. 1022Result of the execution is returned in the 1023.Dv pscr_ret 1024member. 1025Note that the request and its result do not affect the returned value from 1026the currently executed syscall, if any. 1027.El 1028.Sh PT_COREDUMP and PT_SC_REMOTE usage 1029The process must be stopped before dumping or initiating a remote system call. 1030A single thread in the target process is temporarily unsuspended 1031in the kernel to perform the action. 1032If the 1033.Nm 1034call fails before a thread is unsuspended, there is no event to 1035.Xr waitpid 2 1036for. 1037If a thread was unsuspended, it will stop again before the 1038.Nm 1039call returns, and the process must be waited upon using 1040.Xr waitpid 2 1041to consume the new stop event. 1042Since it is hard to deduce whether a thread was unsuspended before 1043an error occurred, it is recommended to unconditionally perform 1044.Xr waitpid 2 1045with 1046.Dv WNOHANG 1047flag after 1048.Dv PT_COREDUMP 1049and 1050.Dv PT_SC_REMOTE , 1051and silently accept zero result from it. 1052.Pp 1053For 1054.Dv PT_SC_REMOTE , 1055the selected thread must be stopped in the safe place, which is 1056currently defined as a syscall exit, or a return from kernel to 1057user mode (basically, a signal handler call place). 1058Kernel returns 1059.Er EBUSY 1060status if attempt is made to execute remote syscall at unsafe stop. 1061.Pp 1062Note that neither 1063.Dv kern.trap_enotcap 1064sysctl setting, nor the corresponding 1065.Xr procctl 2 1066flag 1067.Dv PROC_TRAPCAP_CTL_ENABLE 1068are obeyed during the execution of the syscall by 1069.Dv PT_SC_REMOTE . 1070In other words, 1071.Dv SIGTRAP 1072signal is not sent to a process executing in capability mode, 1073which violated a mode access restriction. 1074.Pp 1075Note that due to the mode of execution for the remote syscall, in 1076particular, the setting where only one thread is allowed to run, 1077the syscall might block on resources owned by suspended threads. 1078This might result in the target process deadlock. 1079In this situation, the only way out is to kill the target. 1080.Sh ARM MACHINE-SPECIFIC REQUESTS 1081.Bl -tag -width "Dv PT_SETVFPREGS" 1082.It Dv PT_GETVFPREGS 1083Return the thread's 1084.Dv VFP 1085machine state in the buffer pointed to by 1086.Fa addr . 1087.Pp 1088The 1089.Fa data 1090argument is ignored. 1091.It Dv PT_SETVFPREGS 1092Set the thread's 1093.Dv VFP 1094machine state from the buffer pointed to by 1095.Fa addr . 1096.Pp 1097The 1098.Fa data 1099argument is ignored. 1100.El 1101.Sh x86 MACHINE-SPECIFIC REQUESTS 1102.Bl -tag -width "Dv PT_GETXSTATE_INFO" 1103.It Dv PT_GETXMMREGS 1104Copy the XMM FPU state into the buffer pointed to by the 1105argument 1106.Fa addr . 1107The buffer has the same layout as the 32-bit save buffer for the 1108machine instruction 1109.Dv FXSAVE . 1110.Pp 1111This request is only valid for i386 programs, both on native 32-bit 1112systems and on amd64 kernels. 1113For 64-bit amd64 programs, the XMM state is reported as part of 1114the FPU state returned by the 1115.Dv PT_GETFPREGS 1116request. 1117.Pp 1118The 1119.Fa data 1120argument is ignored. 1121.It Dv PT_SETXMMREGS 1122Load the XMM FPU state for the thread from the buffer pointed to 1123by the argument 1124.Fa addr . 1125The buffer has the same layout as the 32-bit load buffer for the 1126machine instruction 1127.Dv FXRSTOR . 1128.Pp 1129As with 1130.Dv PT_GETXMMREGS , 1131this request is only valid for i386 programs. 1132.Pp 1133The 1134.Fa data 1135argument is ignored. 1136.It Dv PT_GETXSTATE_INFO 1137Report which XSAVE FPU extensions are supported by the CPU 1138and allowed in userspace programs. 1139The 1140.Fa addr 1141argument must point to a variable of type 1142.Vt struct ptrace_xstate_info , 1143which contains the information on the request return. 1144.Vt struct ptrace_xstate_info 1145is defined as follows: 1146.Bd -literal 1147struct ptrace_xstate_info { 1148 uint64_t xsave_mask; 1149 uint32_t xsave_len; 1150}; 1151.Ed 1152The 1153.Dv xsave_mask 1154field is a bitmask of the currently enabled extensions. 1155The meaning of the bits is defined in the Intel and AMD 1156processor documentation. 1157The 1158.Dv xsave_len 1159field reports the length of the XSAVE area for storing the hardware 1160state for currently enabled extensions in the format defined by the x86 1161.Dv XSAVE 1162machine instruction. 1163.Pp 1164The 1165.Fa data 1166argument value must be equal to the size of the 1167.Vt struct ptrace_xstate_info . 1168.It Dv PT_GETXSTATE 1169Return the content of the XSAVE area for the thread. 1170The 1171.Fa addr 1172argument points to the buffer where the content is copied, and the 1173.Fa data 1174argument specifies the size of the buffer. 1175The kernel copies out as much content as allowed by the buffer size. 1176The buffer layout is specified by the layout of the save area for the 1177.Dv XSAVE 1178machine instruction. 1179.It Dv PT_SETXSTATE 1180Load the XSAVE state for the thread from the buffer specified by the 1181.Fa addr 1182pointer. 1183The buffer size is passed in the 1184.Fa data 1185argument. 1186The buffer must be at least as large as the 1187.Vt struct savefpu 1188(defined in 1189.Pa x86/fpu.h ) 1190to allow the complete x87 FPU and XMM state load. 1191It must not be larger than the XSAVE state length, as reported by the 1192.Dv xsave_len 1193field from the 1194.Vt struct ptrace_xstate_info 1195of the 1196.Dv PT_GETXSTATE_INFO 1197request. 1198Layout of the buffer is identical to the layout of the load area for the 1199.Dv XRSTOR 1200machine instruction. 1201.It Dv PT_GETFSBASE 1202Return the value of the base used when doing segmented 1203memory addressing using the %fs segment register. 1204The 1205.Fa addr 1206argument points to an 1207.Vt unsigned long 1208variable where the base value is stored. 1209.Pp 1210The 1211.Fa data 1212argument is ignored. 1213.It Dv PT_GETGSBASE 1214Like the 1215.Dv PT_GETFSBASE 1216request, but returns the base for the %gs segment register. 1217.It Dv PT_SETFSBASE 1218Set the base for the %fs segment register to the value pointed to 1219by the 1220.Fa addr 1221argument. 1222.Fa addr 1223must point to the 1224.Vt unsigned long 1225variable containing the new base. 1226.Pp 1227The 1228.Fa data 1229argument is ignored. 1230.It Dv PT_SETGSBASE 1231Like the 1232.Dv PT_SETFSBASE 1233request, but sets the base for the %gs segment register. 1234.El 1235.Sh PowerPC MACHINE-SPECIFIC REQUESTS 1236.Bl -tag -width "Dv PT_SETVRREGS" 1237.It Dv PT_GETVRREGS 1238Return the thread's 1239.Dv ALTIVEC 1240machine state in the buffer pointed to by 1241.Fa addr . 1242.Pp 1243The 1244.Fa data 1245argument is ignored. 1246.It Dv PT_SETVRREGS 1247Set the thread's 1248.Dv ALTIVEC 1249machine state from the buffer pointed to by 1250.Fa addr . 1251.Pp 1252The 1253.Fa data 1254argument is ignored. 1255.It Dv PT_GETVSRREGS 1256Return doubleword 1 of the thread's 1257.Dv VSX 1258registers VSR0-VSR31 in the buffer pointed to by 1259.Fa addr . 1260.Pp 1261The 1262.Fa data 1263argument is ignored. 1264.It Dv PT_SETVSRREGS 1265Set doubleword 1 of the thread's 1266.Dv VSX 1267registers VSR0-VSR31 from the buffer pointed to by 1268.Fa addr . 1269.Pp 1270The 1271.Fa data 1272argument is ignored. 1273.El 1274.Pp 1275Additionally, other machine-specific requests can exist. 1276.Sh RETURN VALUES 1277Most requests return 0 on success and \-1 on error. 1278Some requests can cause 1279.Fn ptrace 1280to return 1281\-1 1282as a non-error value, among them are 1283.Dv PT_READ_I 1284and 1285.Dv PT_READ_D , 1286which return the value read from the process memory on success. 1287To disambiguate, 1288.Va errno 1289can be set to 0 before the call and checked afterwards. 1290.Pp 1291The current 1292.Fn ptrace 1293implementation always sets 1294.Va errno 1295to 0 before calling into the kernel, both for historic reasons and for 1296consistency with other operating systems. 1297It is recommended to assign zero to 1298.Va errno 1299explicitly for forward compatibility. 1300.Sh ERRORS 1301The 1302.Fn ptrace 1303system call may fail if: 1304.Bl -tag -width Er 1305.It Bq Er ESRCH 1306.Bl -bullet -compact 1307.It 1308No process having the specified process ID exists. 1309.El 1310.It Bq Er EINVAL 1311.Bl -bullet -compact 1312.It 1313A process attempted to use 1314.Dv PT_ATTACH 1315on itself. 1316.It 1317The 1318.Fa request 1319argument 1320was not one of the legal requests. 1321.It 1322The signal number 1323(in 1324.Fa data ) 1325to 1326.Dv PT_CONTINUE 1327was neither 0 nor a legal signal number. 1328.It 1329.Dv PT_GETREGS , 1330.Dv PT_SETREGS , 1331.Dv PT_GETFPREGS , 1332.Dv PT_SETFPREGS , 1333.Dv PT_GETDBREGS , 1334or 1335.Dv PT_SETDBREGS 1336was attempted on a process with no valid register set. 1337(This is normally true only of system processes.) 1338.It 1339.Dv PT_VM_ENTRY 1340was given an invalid value for 1341.Fa pve_entry . 1342This can also be caused by changes to the VM map of the process. 1343.It 1344The size (in 1345.Fa data ) 1346provided to 1347.Dv PT_LWPINFO 1348was less than or equal to zero, or larger than the 1349.Vt ptrace_lwpinfo 1350structure known to the kernel. 1351.It 1352The size (in 1353.Fa data ) 1354provided to the x86-specific 1355.Dv PT_GETXSTATE_INFO 1356request was not equal to the size of the 1357.Vt struct ptrace_xstate_info . 1358.It 1359The size (in 1360.Fa data ) 1361provided to the x86-specific 1362.Dv PT_SETXSTATE 1363request was less than the size of the x87 plus the XMM save area. 1364.It 1365The size (in 1366.Fa data ) 1367provided to the x86-specific 1368.Dv PT_SETXSTATE 1369request was larger than returned in the 1370.Dv xsave_len 1371member of the 1372.Vt struct ptrace_xstate_info 1373from the 1374.Dv PT_GETXSTATE_INFO 1375request. 1376.It 1377The base value, provided to the amd64-specific requests 1378.Dv PT_SETFSBASE 1379or 1380.Dv PT_SETGSBASE , 1381pointed outside of the valid user address space. 1382This error will not occur in 32-bit programs. 1383.El 1384.It Bq Er EBUSY 1385.Bl -bullet -compact 1386.It 1387.Dv PT_ATTACH 1388was attempted on a process that was already being traced. 1389.It 1390A request attempted to manipulate a process that was being traced by 1391some process other than the one making the request. 1392.It 1393A request 1394(other than 1395.Dv PT_ATTACH ) 1396specified a process that was not stopped. 1397.El 1398.It Bq Er EPERM 1399.Bl -bullet -compact 1400.It 1401A request 1402(other than 1403.Dv PT_ATTACH ) 1404attempted to manipulate a process that was not being traced at all. 1405.It 1406An attempt was made to use 1407.Dv PT_ATTACH 1408on a process in violation of the requirements listed under 1409.Dv PT_ATTACH 1410above. 1411.El 1412.It Bq Er ENOENT 1413.Bl -bullet -compact 1414.It 1415.Dv PT_VM_ENTRY 1416previously returned the last entry of the memory map. 1417No more entries exist. 1418.El 1419.It Bq Er ENOMEM 1420.Bl -bullet -compact 1421.It 1422A 1423.Dv PT_READ_I, 1424.Dv PT_READ_D, 1425.Dv PT_WRITE_I, or 1426.Dv PT_WRITE_D 1427request attempted to access an invalid address, or a memory allocation failure 1428occurred when accessing process memory. 1429.El 1430.It Bq Er ENAMETOOLONG 1431.Bl -bullet -compact 1432.It 1433.Dv PT_VM_ENTRY 1434cannot return the pathname of the backing object because the buffer is not big 1435enough. 1436.Fa pve_pathlen 1437holds the minimum buffer size required on return. 1438.El 1439.El 1440.Sh SEE ALSO 1441.Xr execve 2 , 1442.Xr sigaction 2 , 1443.Xr wait 2 , 1444.Xr execv 3 , 1445.Xr i386_clr_watch 3 , 1446.Xr i386_set_watch 3 1447.Sh HISTORY 1448The 1449.Fn ptrace 1450function appeared in 1451.At v6 . 1452