1.\" $NetBSD: ptrace.2,v 1.2 1995/02/27 12:35:37 cgd Exp $ 2.\" 3.\" This file is in the public domain. 4.Dd August 18, 2023 5.Dt PTRACE 2 6.Os 7.Sh NAME 8.Nm ptrace 9.Nd process tracing and debugging 10.Sh LIBRARY 11.Lb libc 12.Sh SYNOPSIS 13.In sys/types.h 14.In sys/ptrace.h 15.Ft int 16.Fn ptrace "int request" "pid_t pid" "caddr_t addr" "int data" 17.Sh DESCRIPTION 18The 19.Fn ptrace 20system call 21provides tracing and debugging facilities. 22It allows one process 23(the 24.Em tracing 25process) 26to control another 27(the 28.Em traced 29process). 30The tracing process must first attach to the traced process, and then 31issue a series of 32.Fn ptrace 33system calls to control the execution of the process, as well as access 34process memory and register state. 35For the duration of the tracing session, the traced process will be 36.Dq re-parented , 37with its parent process ID (and resulting behavior) 38changed to the tracing process. 39It is permissible for a tracing process to attach to more than one 40other process at a time. 41When the tracing process has completed its work, it must detach the 42traced process; if a tracing process exits without first detaching all 43processes it has attached, those processes will be killed. 44.Pp 45Most of the time, the traced process runs normally, but when it 46receives a signal 47(see 48.Xr sigaction 2 ) , 49it stops. 50The tracing process is expected to notice this via 51.Xr wait 2 52or the delivery of a 53.Dv SIGCHLD 54signal, examine the state of the stopped process, and cause it to 55terminate or continue as appropriate. 56The signal may be a normal process signal, generated as a result of 57traced process behavior, or use of the 58.Xr kill 2 59system call; alternatively, it may be generated by the tracing facility 60as a result of attaching, stepping by the tracing 61process, 62or an event in the traced process. 63The tracing process may choose to intercept the signal, using it to 64observe process behavior (such as 65.Dv SIGTRAP ) , 66or forward the signal to the process if appropriate. 67The 68.Fn ptrace 69system call 70is the mechanism by which all this happens. 71.Pp 72A traced process may report additional signal stops corresponding to 73events in the traced process. 74These additional signal stops are reported as 75.Dv SIGTRAP 76or 77.Dv SIGSTOP 78signals. 79The tracing process can use the 80.Dv PT_LWPINFO 81request to determine which events are associated with a 82.Dv SIGTRAP 83or 84.Dv SIGSTOP 85signal. 86Note that multiple events may be associated with a single signal. 87For example, events indicated by the 88.Dv PL_FLAG_BORN , 89.Dv PL_FLAG_FORKED , 90and 91.Dv PL_FLAG_EXEC 92flags are also reported as a system call exit event 93.Pq Dv PL_FLAG_SCX . 94The signal stop for a new child process enabled via 95.Dv PTRACE_FORK 96will report a 97.Dv SIGSTOP 98signal. 99All other additional signal stops use 100.Dv SIGTRAP . 101.Sh DETACH AND TERMINATION 102.Pp 103Normally, exiting tracing process should wait for all pending 104debugging events and then detach from all alive traced processes 105before exiting using 106.Dv PT_DETACH 107request. 108If tracing process exits without detaching, for instance due to abnormal 109termination, the destiny of the traced children processes is determined 110by the 111.Dv kern.kill_on_debugger_exit 112sysctl control. 113.Pp 114If the control is set to the default value 1, such traced processes 115are terminated. 116If set to zero, kernel implicitly detaches traced processes. 117Traced processes are un-stopped if needed, and then continue the execution 118without tracing. 119Kernel drops any 120.Dv SIGTRAP 121signals queued to the traced children, which could be either generated by 122not yet consumed debug events, or sent by other means, the later should 123not be done anyway. 124.Sh SELECTING THE TARGET 125The 126.Fa pid 127argument of the call specifies the target on which to perform 128the requested operation. 129For operations affecting the global process state, the process ID 130is typically passed there. 131Similarly, for operations affecting only a thread, the thread ID 132needs to be passed. 133.Pp 134Still, for global operations, the ID of any thread can be used as the 135target, and system will perform the request on the process owning 136that thread. 137If a thread operation got the process ID as 138.Fa pid , 139the system randomly selects a thread from among the threads owned 140by the process. 141For single-threaded processes there is no difference between specifying 142process or thread ID as the target. 143.Sh DISABLING PTRACE 144The 145.Nm 146subsystem provides rich facilities to manipulate other processes state. 147Sometimes it may be desirable to disallow it either completely, or limit 148its scope. 149The following controls are provided for this: 150.Bl -tag -width security.bsd.unprivileged_proc_debug 151.It Dv security.bsd.allow_ptrace 152Setting this sysctl to zero makes 153.Nm 154return 155.Er ENOSYS 156always as if the syscall is not implemented by the kernel. 157.It Dv security.bsd.unprivileged_proc_debug 158Setting this sysctl to zero disallows the use of 159.Fn ptrace 160by unprivileged processes. 161.It Dv security.bsd.see_other_uids 162Setting this sysctl to zero prevents 163.Fn ptrace 164requests from targeting processes with a real user identifier different 165from the caller's. 166These requests will fail with error 167.Er ESRCH . 168.It Dv security.bsd.see_other_gids 169Setting this sysctl to zero disallows 170.Fn ptrace 171requests from processes that have no groups in common with the target process, 172considering their sets of real and supplementary groups. 173These requests will fail with error 174.Er ESRCH . 175.It Dv security.bsd.see_jail_proc 176Setting this sysctl to zero disallows 177.Fn ptrace 178requests from processes belonging to a different jail than that of the target 179process, even if the requesting process' jail is an ancestor of the target 180process'. 181These requests will fail with error 182.Er ESRCH . 183.It Dv securelevel and init 184The 185.Xr init 1 186process can only be traced with 187.Nm 188if securelevel is zero. 189.It Dv procctl(2) PROC_TRACE_CTL 190Process can deny attempts to trace itself with 191.Xr procctl 2 192.Dv PROC_TRACE_CTL 193request. 194In this case requests return 195.Xr EPERM 196error. 197.El 198.Sh TRACING EVENTS 199.Pp 200Each traced process has a tracing event mask. 201An event in the traced process only reports a 202signal stop if the corresponding flag is set in the tracing event mask. 203The current set of tracing event flags include: 204.Bl -tag -width "Dv PTRACE_SYSCALL" 205.It Dv PTRACE_EXEC 206Report a stop for a successful invocation of 207.Xr execve 2 . 208This event is indicated by the 209.Dv PL_FLAG_EXEC 210flag in the 211.Va pl_flags 212member of 213.Vt "struct ptrace_lwpinfo" . 214.It Dv PTRACE_SCE 215Report a stop on each system call entry. 216This event is indicated by the 217.Dv PL_FLAG_SCE 218flag in the 219.Va pl_flags 220member of 221.Vt "struct ptrace_lwpinfo" . 222.It Dv PTRACE_SCX 223Report a stop on each system call exit. 224This event is indicated by the 225.Dv PL_FLAG_SCX 226flag in the 227.Va pl_flags 228member of 229.Vt "struct ptrace_lwpinfo" . 230.It Dv PTRACE_SYSCALL 231Report stops for both system call entry and exit. 232.It Dv PTRACE_FORK 233This event flag controls tracing for new child processes of a traced process. 234.Pp 235When this event flag is enabled, 236new child processes will enable tracing and stop before executing their 237first instruction. 238The new child process will include the 239.Dv PL_FLAG_CHILD 240flag in the 241.Va pl_flags 242member of 243.Vt "struct ptrace_lwpinfo" . 244The traced process will report a stop that includes the 245.Dv PL_FLAG_FORKED 246flag. 247The process ID of the new child process will also be present in the 248.Va pl_child_pid 249member of 250.Vt "struct ptrace_lwpinfo" . 251If the new child process was created via 252.Xr vfork 2 , 253the traced process's stop will also include the 254.Dv PL_FLAG_VFORKED 255flag. 256Note that new child processes will be attached with the default 257tracing event mask; 258they do not inherit the event mask of the traced process. 259.Pp 260When this event flag is not enabled, 261new child processes will execute without tracing enabled. 262.It Dv PTRACE_LWP 263This event flag controls tracing of LWP 264.Pq kernel thread 265creation and destruction. 266When this event is enabled, 267new LWPs will stop and report an event with 268.Dv PL_FLAG_BORN 269set before executing their first instruction, 270and exiting LWPs will stop and report an event with 271.Dv PL_FLAG_EXITED 272set before completing their termination. 273.Pp 274Note that new processes do not report an event for the creation of their 275initial thread, 276and exiting processes do not report an event for the termination of the 277last thread. 278.It Dv PTRACE_VFORK 279Report a stop event when a parent process resumes after a 280.Xr vfork 2 . 281.Pp 282When a thread in the traced process creates a new child process via 283.Xr vfork 2 , 284the stop that reports 285.Dv PL_FLAG_FORKED 286and 287.Dv PL_FLAG_SCX 288occurs just after the child process is created, 289but before the thread waits for the child process to stop sharing process 290memory. 291If a debugger is not tracing the new child process, 292it must ensure that no breakpoints are enabled in the shared process 293memory before detaching from the new child process. 294This means that no breakpoints are enabled in the parent process either. 295.Pp 296The 297.Dv PTRACE_VFORK 298flag enables a new stop that indicates when the new child process stops 299sharing the process memory of the parent process. 300A debugger can reinsert breakpoints in the parent process and resume it 301in response to this event. 302This event is indicated by setting the 303.Dv PL_FLAG_VFORK_DONE 304flag. 305.El 306.Pp 307The default tracing event mask when attaching to a process via 308.Dv PT_ATTACH , 309.Dv PT_TRACE_ME , 310or 311.Dv PTRACE_FORK 312includes only 313.Dv PTRACE_EXEC 314events. 315All other event flags are disabled. 316.Sh PTRACE REQUESTS 317.Pp 318The 319.Fa request 320argument specifies what operation is being performed; the meaning of 321the rest of the arguments depends on the operation, but except for one 322special case noted below, all 323.Fn ptrace 324calls are made by the tracing process, and the 325.Fa pid 326argument specifies the process ID of the traced process 327or a corresponding thread ID. 328The 329.Fa request 330argument 331can be: 332.Bl -tag -width "Dv PT_GET_EVENT_MASK" 333.It Dv PT_TRACE_ME 334This request is the only one used by the traced process; it declares 335that the process expects to be traced by its parent. 336All the other arguments are ignored. 337(If the parent process does not expect to trace the child, it will 338probably be rather confused by the results; once the traced process 339stops, it cannot be made to continue except via 340.Fn ptrace . ) 341When a process has used this request and calls 342.Xr execve 2 343or any of the routines built on it 344(such as 345.Xr execv 3 ) , 346it will stop before executing the first instruction of the new image. 347Also, any setuid or setgid bits on the executable being executed will 348be ignored. 349If the child was created by 350.Xr vfork 2 351system call or 352.Xr rfork 2 353call with the 354.Dv RFMEM 355flag specified, the debugging events are reported to the parent 356only after the 357.Xr execve 2 358is executed. 359.It Dv PT_READ_I , Dv PT_READ_D 360These requests read a single 361.Vt int 362of data from the traced process's address space. 363Traditionally, 364.Fn ptrace 365has allowed for machines with distinct address spaces for instruction 366and data, which is why there are two requests: conceptually, 367.Dv PT_READ_I 368reads from the instruction space and 369.Dv PT_READ_D 370reads from the data space. 371In the current 372.Fx 373implementation, these two requests are completely identical. 374The 375.Fa addr 376argument specifies the address 377(in the traced process's virtual address space) 378at which the read is to be done. 379This address does not have to meet any alignment constraints. 380The value read is returned as the return value from 381.Fn ptrace . 382.It Dv PT_WRITE_I , Dv PT_WRITE_D 383These requests parallel 384.Dv PT_READ_I 385and 386.Dv PT_READ_D , 387except that they write rather than read. 388The 389.Fa data 390argument supplies the value to be written. 391.It Dv PT_IO 392This request allows reading and writing arbitrary amounts of data in 393the traced process's address space. 394The 395.Fa addr 396argument specifies a pointer to a 397.Vt "struct ptrace_io_desc" , 398which is defined as follows: 399.Bd -literal 400struct ptrace_io_desc { 401 int piod_op; /* I/O operation */ 402 void *piod_offs; /* child offset */ 403 void *piod_addr; /* parent offset */ 404 size_t piod_len; /* request length */ 405}; 406 407/* 408 * Operations in piod_op. 409 */ 410#define PIOD_READ_D 1 /* Read from D space */ 411#define PIOD_WRITE_D 2 /* Write to D space */ 412#define PIOD_READ_I 3 /* Read from I space */ 413#define PIOD_WRITE_I 4 /* Write to I space */ 414.Ed 415.Pp 416The 417.Fa data 418argument is ignored. 419The actual number of bytes read or written is stored in 420.Va piod_len 421upon return. 422.It Dv PT_CONTINUE 423The traced process continues execution. 424The 425.Fa addr 426argument 427is an address specifying the place where execution is to be resumed 428(a new value for the program counter), 429or 430.Po Vt caddr_t Pc Ns 1 431to indicate that execution is to pick up where it left off. 432The 433.Fa data 434argument 435provides a signal number to be delivered to the traced process as it 436resumes execution, or 0 if no signal is to be sent. 437.It Dv PT_STEP 438The traced process is single stepped one instruction. 439The 440.Fa addr 441argument 442should be passed 443.Po Vt caddr_t Pc Ns 1 . 444The 445.Fa data 446argument 447provides a signal number to be delivered to the traced process as it 448resumes execution, or 0 if no signal is to be sent. 449.It Dv PT_KILL 450The traced process terminates, as if 451.Dv PT_CONTINUE 452had been used with 453.Dv SIGKILL 454given as the signal to be delivered. 455.It Dv PT_ATTACH 456This request allows a process to gain control of an otherwise 457unrelated process and begin tracing it. 458It does not need any cooperation from the process to trace. 459In 460this case, 461.Fa pid 462specifies the process ID of the process to trace, and the other 463two arguments are ignored. 464This request requires that the target process must have the same real 465UID as the tracing process, and that it must not be executing a setuid 466or setgid executable. 467(If the tracing process is running as root, these restrictions do not 468apply.) 469The tracing process will see the newly-traced process stop and may 470then control it as if it had been traced all along. 471.It Dv PT_DETACH 472This request is like PT_CONTINUE, except that it does not allow 473specifying an alternate place to continue execution, and after it 474succeeds, the traced process is no longer traced and continues 475execution normally. 476.It Dv PT_GETREGS 477This request reads the traced process's machine registers into the 478.Do 479.Vt "struct reg" 480.Dc 481(defined in 482.In machine/reg.h ) 483pointed to by 484.Fa addr . 485.It Dv PT_SETREGS 486This request is the converse of 487.Dv PT_GETREGS ; 488it loads the traced process's machine registers from the 489.Do 490.Vt "struct reg" 491.Dc 492(defined in 493.In machine/reg.h ) 494pointed to by 495.Fa addr . 496.It Dv PT_GETFPREGS 497This request reads the traced process's floating-point registers into 498the 499.Do 500.Vt "struct fpreg" 501.Dc 502(defined in 503.In machine/reg.h ) 504pointed to by 505.Fa addr . 506.It Dv PT_SETFPREGS 507This request is the converse of 508.Dv PT_GETFPREGS ; 509it loads the traced process's floating-point registers from the 510.Do 511.Vt "struct fpreg" 512.Dc 513(defined in 514.In machine/reg.h ) 515pointed to by 516.Fa addr . 517.It Dv PT_GETDBREGS 518This request reads the traced process's debug registers into 519the 520.Do 521.Vt "struct dbreg" 522.Dc 523(defined in 524.In machine/reg.h ) 525pointed to by 526.Fa addr . 527.It Dv PT_SETDBREGS 528This request is the converse of 529.Dv PT_GETDBREGS ; 530it loads the traced process's debug registers from the 531.Do 532.Vt "struct dbreg" 533.Dc 534(defined in 535.In machine/reg.h ) 536pointed to by 537.Fa addr . 538.It Dv PT_GETREGSET 539This request reads the registers from the traced process. 540The 541.Fa data 542argument specifies the register set to read, with the 543.Fa addr 544argument pointing at a 545.Vt "struct iovec" 546where the 547.Va iov_base 548field points to a register set specific structure to hold the registers, 549and the 550.Va iov_len 551field holds the length of the structure. 552.It Dv PT_SETREGSET 553This request writes to the registers of the traced process. 554The 555.Fa data 556argument specifies the register set to write to, with the 557.Fa addr 558argument pointing at a 559.Vt "struct iovec" 560where the 561.Va iov_base 562field points to a register set specific structure to hold the registers, 563and the 564.Va iov_len 565field holds the length of the structure. 566If 567.Va iov_base 568is NULL the kernel will return the expected length of the register set 569specific structure in the 570.Va iov_len 571field and not change the target register set. 572.It Dv PT_LWPINFO 573This request can be used to obtain information about the kernel thread, 574also known as light-weight process, that caused the traced process to stop. 575The 576.Fa addr 577argument specifies a pointer to a 578.Vt "struct ptrace_lwpinfo" , 579which is defined as follows: 580.Bd -literal 581struct ptrace_lwpinfo { 582 lwpid_t pl_lwpid; 583 int pl_event; 584 int pl_flags; 585 sigset_t pl_sigmask; 586 sigset_t pl_siglist; 587 siginfo_t pl_siginfo; 588 char pl_tdname[MAXCOMLEN + 1]; 589 pid_t pl_child_pid; 590 u_int pl_syscall_code; 591 u_int pl_syscall_narg; 592}; 593.Ed 594.Pp 595The 596.Fa data 597argument is to be set to the size of the structure known to the caller. 598This allows the structure to grow without affecting older programs. 599.Pp 600The fields in the 601.Vt "struct ptrace_lwpinfo" 602have the following meaning: 603.Bl -tag -width indent -compact 604.It Va pl_lwpid 605LWP id of the thread 606.It Va pl_event 607Event that caused the stop. 608Currently defined events are: 609.Bl -tag -width "Dv PL_EVENT_SIGNAL" -compact 610.It Dv PL_EVENT_NONE 611No reason given 612.It Dv PL_EVENT_SIGNAL 613Thread stopped due to the pending signal 614.El 615.It Va pl_flags 616Flags that specify additional details about observed stop. 617Currently defined flags are: 618.Bl -tag -width indent -compact 619.It Dv PL_FLAG_SCE 620The thread stopped due to system call entry, right after the kernel is entered. 621The debugger may examine syscall arguments that are stored in memory and 622registers according to the ABI of the current process, and modify them, 623if needed. 624.It Dv PL_FLAG_SCX 625The thread is stopped immediately before syscall is returning to the usermode. 626The debugger may examine system call return values in the ABI-defined registers 627and/or memory. 628.It Dv PL_FLAG_EXEC 629When 630.Dv PL_FLAG_SCX 631is set, this flag may be additionally specified to inform that the 632program being executed by debuggee process has been changed by successful 633execution of a system call from the 634.Fn execve 2 635family. 636.It Dv PL_FLAG_SI 637Indicates that 638.Va pl_siginfo 639member of 640.Vt "struct ptrace_lwpinfo" 641contains valid information. 642.It Dv PL_FLAG_FORKED 643Indicates that the process is returning from a call to 644.Fn fork 2 645that created a new child process. 646The process identifier of the new process is available in the 647.Va pl_child_pid 648member of 649.Vt "struct ptrace_lwpinfo" . 650.It Dv PL_FLAG_CHILD 651The flag is set for first event reported from a new child which is 652automatically attached when 653.Dv PTRACE_FORK 654is enabled. 655.It Dv PL_FLAG_BORN 656This flag is set for the first event reported from a new LWP when 657.Dv PTRACE_LWP 658is enabled. 659It is reported along with 660.Dv PL_FLAG_SCX . 661.It Dv PL_FLAG_EXITED 662This flag is set for the last event reported by an exiting LWP when 663.Dv PTRACE_LWP 664is enabled. 665Note that this event is not reported when the last LWP in a process exits. 666The termination of the last thread is reported via a normal process exit 667event. 668.It Dv PL_FLAG_VFORKED 669Indicates that the thread is returning from a call to 670.Xr vfork 2 671that created a new child process. 672This flag is set in addition to 673.Dv PL_FLAG_FORKED . 674.It Dv PL_FLAG_VFORK_DONE 675Indicates that the thread has resumed after a child process created via 676.Xr vfork 2 677has stopped sharing its address space with the traced process. 678.El 679.It Va pl_sigmask 680The current signal mask of the LWP 681.It Va pl_siglist 682The current pending set of signals for the LWP. 683Note that signals that are delivered to the process would not appear 684on an LWP siglist until the thread is selected for delivery. 685.It Va pl_siginfo 686The siginfo that accompanies the signal pending. 687Only valid for 688.Dv PL_EVENT_SIGNAL 689stop when 690.Dv PL_FLAG_SI 691is set in 692.Va pl_flags . 693.It Va pl_tdname 694The name of the thread. 695.It Va pl_child_pid 696The process identifier of the new child process. 697Only valid for a 698.Dv PL_EVENT_SIGNAL 699stop when 700.Dv PL_FLAG_FORKED 701is set in 702.Va pl_flags . 703.It Va pl_syscall_code 704The ABI-specific identifier of the current system call. 705Note that for indirect system calls this field reports the indirected 706system call. 707Only valid when 708.Dv PL_FLAG_SCE 709or 710.Dv PL_FLAG_SCX 711is set in 712.Va pl_flags . 713.It Va pl_syscall_narg 714The number of arguments passed to the current system call not counting 715the system call identifier. 716Note that for indirect system calls this field reports the arguments 717passed to the indirected system call. 718Only valid when 719.Dv PL_FLAG_SCE 720or 721.Dv PL_FLAG_SCX 722is set in 723.Va pl_flags . 724.El 725.It Dv PT_GETNUMLWPS 726This request returns the number of kernel threads associated with the 727traced process. 728.It Dv PT_GETLWPLIST 729This request can be used to get the current thread list. 730A pointer to an array of type 731.Vt lwpid_t 732should be passed in 733.Fa addr , 734with the array size specified by 735.Fa data . 736The return value from 737.Fn ptrace 738is the count of array entries filled in. 739.It Dv PT_SETSTEP 740This request will turn on single stepping of the specified process. 741Stepping is automatically disabled when a single step trap is caught. 742.It Dv PT_CLEARSTEP 743This request will turn off single stepping of the specified process. 744.It Dv PT_SUSPEND 745This request will suspend the specified thread. 746.It Dv PT_RESUME 747This request will resume the specified thread. 748.It Dv PT_TO_SCE 749This request will set the 750.Dv PTRACE_SCE 751event flag to trace all future system call entries and continue the process. 752The 753.Fa addr 754and 755.Fa data 756arguments are used the same as for 757.Dv PT_CONTINUE . 758.It Dv PT_TO_SCX 759This request will set the 760.Dv PTRACE_SCX 761event flag to trace all future system call exits and continue the process. 762The 763.Fa addr 764and 765.Fa data 766arguments are used the same as for 767.Dv PT_CONTINUE . 768.It Dv PT_SYSCALL 769This request will set the 770.Dv PTRACE_SYSCALL 771event flag to trace all future system call entries and exits and continue 772the process. 773The 774.Fa addr 775and 776.Fa data 777arguments are used the same as for 778.Dv PT_CONTINUE . 779.It Dv PT_GET_SC_ARGS 780For the thread which is stopped in either 781.Dv PL_FLAG_SCE 782or 783.Dv PL_FLAG_SCX 784state, that is, on entry or exit to a syscall, 785this request fetches the syscall arguments. 786.Pp 787The arguments are copied out into the buffer pointed to by the 788.Fa addr 789pointer, sequentially. 790Each syscall argument is stored as the machine word. 791Kernel copies out as many arguments as the syscall accepts, 792see the 793.Va pl_syscall_narg 794member of the 795.Vt struct ptrace_lwpinfo , 796but not more than the 797.Fa data 798bytes in total are copied. 799.It Dv PT_GET_SC_RET 800Fetch the system call return values on exit from a syscall. 801This request is only valid for threads stopped in a syscall 802exit (the 803.Dv PL_FLAG_SCX 804state). 805The 806.Fa addr 807argument specifies a pointer to a 808.Vt "struct ptrace_sc_ret" , 809which is defined as follows: 810.Bd -literal 811struct ptrace_sc_ret { 812 register_t sr_retval[2]; 813 int sr_error; 814}; 815.Ed 816.Pp 817The 818.Fa data 819argument is set to the size of the structure. 820.Pp 821If the system call completed successfully, 822.Va sr_error 823is set to zero and the return values of the system call are saved in 824.Va sr_retval . 825If the system call failed to execute, 826.Va sr_error 827field is set to a positive 828.Xr errno 2 829value. 830If the system call completed in an unusual fashion, 831.Va sr_error 832is set to a negative value: 833.Bl -tag -width Dv EJUSTRETURN -compact 834.It Dv ERESTART 835System call will be restarted. 836.It Dv EJUSTRETURN 837System call completed sucessfully but did not set a return value 838.Po for example, 839.Xr setcontext 2 840and 841.Xr sigreturn 2 842.Pc . 843.El 844.It Dv PT_FOLLOW_FORK 845This request controls tracing for new child processes of a traced process. 846If 847.Fa data 848is non-zero, 849.Dv PTRACE_FORK 850is set in the traced process's event tracing mask. 851If 852.Fa data 853is zero, 854.Dv PTRACE_FORK 855is cleared from the traced process's event tracing mask. 856.It Dv PT_LWP_EVENTS 857This request controls tracing of LWP creation and destruction. 858If 859.Fa data 860is non-zero, 861.Dv PTRACE_LWP 862is set in the traced process's event tracing mask. 863If 864.Fa data 865is zero, 866.Dv PTRACE_LWP 867is cleared from the traced process's event tracing mask. 868.It Dv PT_GET_EVENT_MASK 869This request reads the traced process's event tracing mask into the 870integer pointed to by 871.Fa addr . 872The size of the integer must be passed in 873.Fa data . 874.It Dv PT_SET_EVENT_MASK 875This request sets the traced process's event tracing mask from the 876integer pointed to by 877.Fa addr . 878The size of the integer must be passed in 879.Fa data . 880.It Dv PT_VM_TIMESTAMP 881This request returns the generation number or timestamp of the memory map of 882the traced process as the return value from 883.Fn ptrace . 884This provides a low-cost way for the tracing process to determine if the 885VM map changed since the last time this request was made. 886.It Dv PT_VM_ENTRY 887This request is used to iterate over the entries of the VM map of the traced 888process. 889The 890.Fa addr 891argument specifies a pointer to a 892.Vt "struct ptrace_vm_entry" , 893which is defined as follows: 894.Bd -literal 895struct ptrace_vm_entry { 896 int pve_entry; 897 int pve_timestamp; 898 u_long pve_start; 899 u_long pve_end; 900 u_long pve_offset; 901 u_int pve_prot; 902 u_int pve_pathlen; 903 long pve_fileid; 904 uint32_t pve_fsid; 905 char *pve_path; 906}; 907.Ed 908.Pp 909The first entry is returned by setting 910.Va pve_entry 911to zero. 912Subsequent entries are returned by leaving 913.Va pve_entry 914unmodified from the value returned by previous requests. 915The 916.Va pve_timestamp 917field can be used to detect changes to the VM map while iterating over the 918entries. 919The tracing process can then take appropriate action, such as restarting. 920By setting 921.Va pve_pathlen 922to a non-zero value on entry, the pathname of the backing object is returned 923in the buffer pointed to by 924.Va pve_path , 925provided the entry is backed by a vnode. 926The 927.Va pve_pathlen 928field is updated with the actual length of the pathname (including the 929terminating null character). 930The 931.Va pve_offset 932field is the offset within the backing object at which the range starts. 933The range is located in the VM space at 934.Va pve_start 935and extends up to 936.Va pve_end 937(inclusive). 938.Pp 939The 940.Fa data 941argument is ignored. 942.It Dv PT_COREDUMP 943This request creates a coredump for the stopped program. 944The 945.Fa addr 946argument specifies a pointer to a 947.Vt "struct ptrace_coredump" , 948which is defined as follows: 949.Bd -literal 950struct ptrace_coredump { 951 int pc_fd; 952 uint32_t pc_flags; 953 off_t pc_limit; 954}; 955.Ed 956The fields of the structure are: 957.Bl -tag -width pc_flags 958.It Dv pc_fd 959File descriptor to write the dump to. 960It must refer to a regular file, opened for writing. 961.It Dv pc_flags 962Flags. 963The following flags are defined: 964.Bl -tag -width PC_COMPRESS 965.It Dv PC_COMPRESS 966Request compression of the dump. 967.It Dv PC_ALL 968Include non-dumpable entries into the dump. 969The dumper ignores 970.Dv MAP_NOCORE 971flag of the process map entry, but device mappings are not dumped even with 972.Dv PC_ALL 973set. 974.El 975.It Dv pc_limit 976Maximum size of the coredump. 977Specify zero for no limit. 978.El 979.Pp 980The size of 981.Vt "struct ptrace_coredump" 982must be passed in 983.Fa data . 984.It Dv PT_SC_REMOTE 985Request to execute a syscall in the context of the traced process, 986in the specified thread. 987The 988.Fa addr 989argument must point to the 990.Vt "struct ptrace_sc_remote" , 991which describes the requested syscall and its arguments, and receives 992the result. 993The size of 994.Vt "struct ptrace_sc_remote" 995must be passed in 996.Fa data. 997.Bd -literal 998struct ptrace_sc_remote { 999 struct ptrace_sc_ret pscr_ret; 1000 u_int pscr_syscall; 1001 u_int pscr_nargs; 1002 u_long *pscr_args; 1003}; 1004.Ed 1005The 1006.Dv pscr_syscall 1007contains the syscall number to execute, the 1008.Dv pscr_nargs 1009is the number of supplied arguments, which are supplied in the 1010.Dv pscr_args 1011array. 1012Result of the execution is returned in the 1013.Dv pscr_ret 1014member. 1015Note that the request and its result do not affect the returned value from 1016the currently executed syscall, if any. 1017.El 1018.Sh PT_COREDUMP and PT_SC_REMOTE usage 1019The process must be stopped before dumping or initiating a remote system call. 1020A single thread in the target process is temporarily unsuspended 1021in the kernel to perform the action. 1022If the 1023.Nm 1024call fails before a thread is unsuspended, there is no event to 1025.Xr waitpid 2 1026for. 1027If a thread was unsuspended, it will stop again before the 1028.Nm 1029call returns, and the process must be waited upon using 1030.Xr waitpid 2 1031to consume the new stop event. 1032Since it is hard to deduce whether a thread was unsuspended before 1033an error occurred, it is recommended to unconditionally perform 1034.Xr waitpid 2 1035with 1036.Dv WNOHANG 1037flag after 1038.Dv PT_COREDUMP 1039and 1040.Dv PT_SC_REMOTE , 1041and silently accept zero result from it. 1042.Pp 1043For 1044.Dv PT_SC_REMOTE , 1045the selected thread must be stopped in the safe place, which is 1046currently defined as a syscall exit, or a return from kernel to 1047user mode (basically, a signal handler call place). 1048Kernel returns 1049.Er EBUSY 1050status if attempt is made to execute remote syscall at unsafe stop. 1051.Pp 1052Note that neither 1053.Dv kern.trap_enotcap 1054sysctl setting, nor the corresponding 1055.Xr procctl 2 1056flag 1057.Dv PROC_TRAPCAP_CTL_ENABLE 1058are obeyed during the execution of the syscall by 1059.Dv PT_SC_REMOTE . 1060In other words, 1061.Dv SIGTRAP 1062signal is not sent to a process executing in capability mode, 1063which violated a mode access restriction. 1064.Pp 1065Note that due to the mode of execution for the remote syscall, in 1066particular, the setting where only one thread is allowed to run, 1067the syscall might block on resources owned by suspended threads. 1068This might result in the target process deadlock. 1069In this situation, the only way out is to kill the target. 1070.Sh ARM MACHINE-SPECIFIC REQUESTS 1071.Bl -tag -width "Dv PT_SETVFPREGS" 1072.It Dv PT_GETVFPREGS 1073Return the thread's 1074.Dv VFP 1075machine state in the buffer pointed to by 1076.Fa addr . 1077.Pp 1078The 1079.Fa data 1080argument is ignored. 1081.It Dv PT_SETVFPREGS 1082Set the thread's 1083.Dv VFP 1084machine state from the buffer pointed to by 1085.Fa addr . 1086.Pp 1087The 1088.Fa data 1089argument is ignored. 1090.El 1091.Sh x86 MACHINE-SPECIFIC REQUESTS 1092.Bl -tag -width "Dv PT_GETXSTATE_INFO" 1093.It Dv PT_GETXMMREGS 1094Copy the XMM FPU state into the buffer pointed to by the 1095argument 1096.Fa addr . 1097The buffer has the same layout as the 32-bit save buffer for the 1098machine instruction 1099.Dv FXSAVE . 1100.Pp 1101This request is only valid for i386 programs, both on native 32-bit 1102systems and on amd64 kernels. 1103For 64-bit amd64 programs, the XMM state is reported as part of 1104the FPU state returned by the 1105.Dv PT_GETFPREGS 1106request. 1107.Pp 1108The 1109.Fa data 1110argument is ignored. 1111.It Dv PT_SETXMMREGS 1112Load the XMM FPU state for the thread from the buffer pointed to 1113by the argument 1114.Fa addr . 1115The buffer has the same layout as the 32-bit load buffer for the 1116machine instruction 1117.Dv FXRSTOR . 1118.Pp 1119As with 1120.Dv PT_GETXMMREGS , 1121this request is only valid for i386 programs. 1122.Pp 1123The 1124.Fa data 1125argument is ignored. 1126.It Dv PT_GETXSTATE_INFO 1127Report which XSAVE FPU extensions are supported by the CPU 1128and allowed in userspace programs. 1129The 1130.Fa addr 1131argument must point to a variable of type 1132.Vt struct ptrace_xstate_info , 1133which contains the information on the request return. 1134.Vt struct ptrace_xstate_info 1135is defined as follows: 1136.Bd -literal 1137struct ptrace_xstate_info { 1138 uint64_t xsave_mask; 1139 uint32_t xsave_len; 1140}; 1141.Ed 1142The 1143.Dv xsave_mask 1144field is a bitmask of the currently enabled extensions. 1145The meaning of the bits is defined in the Intel and AMD 1146processor documentation. 1147The 1148.Dv xsave_len 1149field reports the length of the XSAVE area for storing the hardware 1150state for currently enabled extensions in the format defined by the x86 1151.Dv XSAVE 1152machine instruction. 1153.Pp 1154The 1155.Fa data 1156argument value must be equal to the size of the 1157.Vt struct ptrace_xstate_info . 1158.It Dv PT_GETXSTATE 1159Return the content of the XSAVE area for the thread. 1160The 1161.Fa addr 1162argument points to the buffer where the content is copied, and the 1163.Fa data 1164argument specifies the size of the buffer. 1165The kernel copies out as much content as allowed by the buffer size. 1166The buffer layout is specified by the layout of the save area for the 1167.Dv XSAVE 1168machine instruction. 1169.It Dv PT_SETXSTATE 1170Load the XSAVE state for the thread from the buffer specified by the 1171.Fa addr 1172pointer. 1173The buffer size is passed in the 1174.Fa data 1175argument. 1176The buffer must be at least as large as the 1177.Vt struct savefpu 1178(defined in 1179.Pa x86/fpu.h ) 1180to allow the complete x87 FPU and XMM state load. 1181It must not be larger than the XSAVE state length, as reported by the 1182.Dv xsave_len 1183field from the 1184.Vt struct ptrace_xstate_info 1185of the 1186.Dv PT_GETXSTATE_INFO 1187request. 1188Layout of the buffer is identical to the layout of the load area for the 1189.Dv XRSTOR 1190machine instruction. 1191.It Dv PT_GETFSBASE 1192Return the value of the base used when doing segmented 1193memory addressing using the %fs segment register. 1194The 1195.Fa addr 1196argument points to an 1197.Vt unsigned long 1198variable where the base value is stored. 1199.Pp 1200The 1201.Fa data 1202argument is ignored. 1203.It Dv PT_GETGSBASE 1204Like the 1205.Dv PT_GETFSBASE 1206request, but returns the base for the %gs segment register. 1207.It Dv PT_SETFSBASE 1208Set the base for the %fs segment register to the value pointed to 1209by the 1210.Fa addr 1211argument. 1212.Fa addr 1213must point to the 1214.Vt unsigned long 1215variable containing the new base. 1216.Pp 1217The 1218.Fa data 1219argument is ignored. 1220.It Dv PT_SETGSBASE 1221Like the 1222.Dv PT_SETFSBASE 1223request, but sets the base for the %gs segment register. 1224.El 1225.Sh PowerPC MACHINE-SPECIFIC REQUESTS 1226.Bl -tag -width "Dv PT_SETVRREGS" 1227.It Dv PT_GETVRREGS 1228Return the thread's 1229.Dv ALTIVEC 1230machine state in the buffer pointed to by 1231.Fa addr . 1232.Pp 1233The 1234.Fa data 1235argument is ignored. 1236.It Dv PT_SETVRREGS 1237Set the thread's 1238.Dv ALTIVEC 1239machine state from the buffer pointed to by 1240.Fa addr . 1241.Pp 1242The 1243.Fa data 1244argument is ignored. 1245.It Dv PT_GETVSRREGS 1246Return doubleword 1 of the thread's 1247.Dv VSX 1248registers VSR0-VSR31 in the buffer pointed to by 1249.Fa addr . 1250.Pp 1251The 1252.Fa data 1253argument is ignored. 1254.It Dv PT_SETVSRREGS 1255Set doubleword 1 of the thread's 1256.Dv VSX 1257registers VSR0-VSR31 from the buffer pointed to by 1258.Fa addr . 1259.Pp 1260The 1261.Fa data 1262argument is ignored. 1263.El 1264.Pp 1265Additionally, other machine-specific requests can exist. 1266.Sh RETURN VALUES 1267Most requests return 0 on success and \-1 on error. 1268Some requests can cause 1269.Fn ptrace 1270to return 1271\-1 1272as a non-error value, among them are 1273.Dv PT_READ_I 1274and 1275.Dv PT_READ_D , 1276which return the value read from the process memory on success. 1277To disambiguate, 1278.Va errno 1279can be set to 0 before the call and checked afterwards. 1280.Pp 1281The current 1282.Fn ptrace 1283implementation always sets 1284.Va errno 1285to 0 before calling into the kernel, both for historic reasons and for 1286consistency with other operating systems. 1287It is recommended to assign zero to 1288.Va errno 1289explicitly for forward compatibility. 1290.Sh ERRORS 1291The 1292.Fn ptrace 1293system call may fail if: 1294.Bl -tag -width Er 1295.It Bq Er ESRCH 1296.Bl -bullet -compact 1297.It 1298No process having the specified process ID exists. 1299.El 1300.It Bq Er EINVAL 1301.Bl -bullet -compact 1302.It 1303A process attempted to use 1304.Dv PT_ATTACH 1305on itself. 1306.It 1307The 1308.Fa request 1309argument 1310was not one of the legal requests. 1311.It 1312The signal number 1313(in 1314.Fa data ) 1315to 1316.Dv PT_CONTINUE 1317was neither 0 nor a legal signal number. 1318.It 1319.Dv PT_GETREGS , 1320.Dv PT_SETREGS , 1321.Dv PT_GETFPREGS , 1322.Dv PT_SETFPREGS , 1323.Dv PT_GETDBREGS , 1324or 1325.Dv PT_SETDBREGS 1326was attempted on a process with no valid register set. 1327(This is normally true only of system processes.) 1328.It 1329.Dv PT_VM_ENTRY 1330was given an invalid value for 1331.Fa pve_entry . 1332This can also be caused by changes to the VM map of the process. 1333.It 1334The size (in 1335.Fa data ) 1336provided to 1337.Dv PT_LWPINFO 1338was less than or equal to zero, or larger than the 1339.Vt ptrace_lwpinfo 1340structure known to the kernel. 1341.It 1342The size (in 1343.Fa data ) 1344provided to the x86-specific 1345.Dv PT_GETXSTATE_INFO 1346request was not equal to the size of the 1347.Vt struct ptrace_xstate_info . 1348.It 1349The size (in 1350.Fa data ) 1351provided to the x86-specific 1352.Dv PT_SETXSTATE 1353request was less than the size of the x87 plus the XMM save area. 1354.It 1355The size (in 1356.Fa data ) 1357provided to the x86-specific 1358.Dv PT_SETXSTATE 1359request was larger than returned in the 1360.Dv xsave_len 1361member of the 1362.Vt struct ptrace_xstate_info 1363from the 1364.Dv PT_GETXSTATE_INFO 1365request. 1366.It 1367The base value, provided to the amd64-specific requests 1368.Dv PT_SETFSBASE 1369or 1370.Dv PT_SETGSBASE , 1371pointed outside of the valid user address space. 1372This error will not occur in 32-bit programs. 1373.El 1374.It Bq Er EBUSY 1375.Bl -bullet -compact 1376.It 1377.Dv PT_ATTACH 1378was attempted on a process that was already being traced. 1379.It 1380A request attempted to manipulate a process that was being traced by 1381some process other than the one making the request. 1382.It 1383A request 1384(other than 1385.Dv PT_ATTACH ) 1386specified a process that was not stopped. 1387.El 1388.It Bq Er EPERM 1389.Bl -bullet -compact 1390.It 1391A request 1392(other than 1393.Dv PT_ATTACH ) 1394attempted to manipulate a process that was not being traced at all. 1395.It 1396An attempt was made to use 1397.Dv PT_ATTACH 1398on a process in violation of the requirements listed under 1399.Dv PT_ATTACH 1400above. 1401.El 1402.It Bq Er ENOENT 1403.Bl -bullet -compact 1404.It 1405.Dv PT_VM_ENTRY 1406previously returned the last entry of the memory map. 1407No more entries exist. 1408.El 1409.It Bq Er ENOMEM 1410.Bl -bullet -compact 1411.It 1412A 1413.Dv PT_READ_I, 1414.Dv PT_READ_D, 1415.Dv PT_WRITE_I, or 1416.Dv PT_WRITE_D 1417request attempted to access an invalid address, or a memory allocation failure 1418occurred when accessing process memory. 1419.El 1420.It Bq Er ENAMETOOLONG 1421.Bl -bullet -compact 1422.It 1423.Dv PT_VM_ENTRY 1424cannot return the pathname of the backing object because the buffer is not big 1425enough. 1426.Fa pve_pathlen 1427holds the minimum buffer size required on return. 1428.El 1429.El 1430.Sh SEE ALSO 1431.Xr execve 2 , 1432.Xr sigaction 2 , 1433.Xr wait 2 , 1434.Xr execv 3 , 1435.Xr i386_clr_watch 3 , 1436.Xr i386_set_watch 3 1437.Sh HISTORY 1438The 1439.Fn ptrace 1440function appeared in 1441.At v6 . 1442