michal-linux at logix.cz
Fri Nov 14 04:06:07 UTC 2003
could someone please give me a hint how to follow forks?
Situation: I have a Linux/i386 program (Tracer) that attaches to a given
process (Slave) via ptrace(PTRACE_ATTACH) and does some weird magic with
it (e.g. setting watchpoints/breakpoints and waiting for hitting them).
So far so good.
Now I need to follow forks of the Slave and attach to all of its
children as well (and those children's children recursively...).
I was thinking about using PTRACE_SYSCALL and looking for the fork() syscall
but got confused: Slave generates SIGTRAP both when hitting the
watchpoint, stepping on the breakpoint as well as on entering/returning
from the syscall. How do I distinguish between these cases?
The naive approach would be inspecting the opcode at EIP address and see
if it was "int 0x80" instruction. If so, pretend that we're entering the
syscall and the next SIGTRAP will occur at the return from that syscall.
Is this a correct approach?
How about fork() syscalls - do I get one SIGTRAP for entering and two
SIGTRAPs for both parent's and child's return?
Or is there an easier way to follow forks? (inspecting all syscalls
feels like overkill for this task...)
Thanks in advance for hints!
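Added example (not the poster's code, and not strace's): on a Linux kernel that supports PTRACE_SETOPTIONS, the two problems above are solved by two ptrace options rather than by decoding opcodes at EIP. PTRACE_O_TRACESYSGOOD makes syscall stops report SIGTRAP|0x80 so they no longer collide with breakpoint/watchpoint traps, and PTRACE_O_TRACEFORK makes the kernel auto-attach each fork child and report the fork as a PTRACE_EVENT_FORK stop. The classifier below decodes a waitpid() status into those cases; the driver around it assumes the target is started under the tracer rather than attached with PTRACE_ATTACH.

```c
#define _GNU_SOURCE                 /* for __WALL */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum stop_kind { STOP_EXIT, STOP_SYSCALL, STOP_FORK, STOP_TRAP, STOP_SIGNAL };

/* Decode a wait status into the cases a tracer must tell apart.
 * With PTRACE_O_TRACESYSGOOD a syscall entry/exit stop carries SIGTRAP|0x80;
 * with PTRACE_O_TRACEFORK a fork stop carries plain SIGTRAP plus
 * PTRACE_EVENT_FORK in bits 16..23 (PTRACE_GETEVENTMSG yields the child pid);
 * a plain SIGTRAP with no event is a breakpoint, watchpoint or single-step. */
enum stop_kind classify_stop(int status)
{
    if (!WIFSTOPPED(status))
        return STOP_EXIT;                           /* exited or killed */
    if (WSTOPSIG(status) == (SIGTRAP | 0x80))
        return STOP_SYSCALL;
    if (WSTOPSIG(status) == SIGTRAP && (status >> 16) == PTRACE_EVENT_FORK)
        return STOP_FORK;
    if (WSTOPSIG(status) == SIGTRAP)
        return STOP_TRAP;
    return STOP_SIGNAL;                             /* ordinary signal stop */
}

/* Driver: run a command under PTRACE_SYSCALL and follow its forks. New
 * children are auto-attached and show up via waitpid(-1, ..., __WALL). */
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args]\n", argv[0]); return 2; }
    pid_t pid = fork();
    if (pid == 0) { ptrace(PTRACE_TRACEME, 0, 0, 0); raise(SIGSTOP); execvp(argv[1], &argv[1]); _exit(127); }
    int status, nforks = 0;
    waitpid(pid, &status, 0);                       /* child's initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK);
    ptrace(PTRACE_SYSCALL, pid, 0, 0);
    while ((pid = waitpid(-1, &status, __WALL)) > 0) {
        int sig = 0;
        switch (classify_stop(status)) {
        case STOP_EXIT:    continue;                /* nothing to resume */
        case STOP_SYSCALL: break;                   /* one stop on entry, one on return */
        case STOP_FORK:  { unsigned long child = 0; ptrace(PTRACE_GETEVENTMSG, pid, 0, &child);
                           printf("pid %d forked child %lu\n", pid, child); nforks++; break; }
        case STOP_TRAP:    printf("breakpoint/watchpoint trap in pid %d\n", pid); break;
        case STOP_SIGNAL:  sig = WSTOPSIG(status); break;   /* re-inject the signal */
        }
        if (sig == SIGSTOP) sig = 0;                /* assumed: the auto-attach SIGSTOP of a new child */
        ptrace(PTRACE_SYSCALL, pid, 0, sig);
    }
    printf("%d fork(s) observed\n", nforks);
    return 0;
}
```

vfork() and clone() are reported the same way under PTRACE_O_TRACEVFORK and PTRACE_O_TRACECLONE (events PTRACE_EVENT_VFORK / PTRACE_EVENT_CLONE), so a tracer that must catch every child enables all three.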