following forks
Daniel Jacobowitz
drow at false.org
Fri Nov 14 07:13:08 UTC 2003
On Fri, Nov 14, 2003 at 01:05:03PM +0100, Michal Ludvig wrote:
> Hi there,
>
> could someone please give me a hint how to follow forks?
>
> Situation: I have a Linux/i386 program (Tracer) that attaches a given
> process (Slave) via ptrace(PTRACE_ATTACH) and does some weird magic with
> it (e.g. setting watchpoints/breakpoints and waiting for hitting them).
> So far so good.
>
> Now I need to follow forks of the Slave and attach to all of its
> children as well (and those children's children recursively...).
> I was thinking about using PTRACE_SYSCALL and look for fork() syscall
> but got confused: Slave generates SIGTRAP both when hitting the
> watchpoint, stepping on the breakpoint as well as on entering/returning
> from the syscall. How do I distinguish between these cases?
>
> The naive approach would be inspecting the opcode at EIP address and see
> if it was "int 0x80" instruction. If so, pretend that we're entering the
> syscall and the next SIGTRAP will occur at the return from that syscall.
> Is this a correct approach?
>
> How about fork() syscalls - do I get one SIGTRAP for entering and two
> SIGTRAPS for both parent's and child's return?
>
> Or is there an easier way to follow forks? (inspecting all syscalls
> feels like an overkill for this task...)
>
> Thanks in advance for hints!
If you can use recent kernels, take a look at the way I do it at GDB.
Also, for distinguishing between syscall traps and
breakpoint/watchpoints, see PTRACE_O_TRACESYSGOOD.
--
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer
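Added example (not code from this thread, GDB or strace): a Linux tracer that sets PTRACE_O_TRACESYSGOOD together with PTRACE_O_TRACEFORK, the 2.6-era option GDB relies on, so that syscall stops, fork events and a plain SIGTRAP from a breakpoint or watchpoint can be told apart from the waitpid() status alone; with TRACEFORK the kernel auto-attaches each new child, so no syscall inspection is needed. The enum names and the classify_stop() helper are this example's own.

```c
#define _GNU_SOURCE               /* for __WALL */
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
enum stop_kind { STOP_EXITED, STOP_SIGNAL, STOP_TRAP, STOP_SYSCALL, STOP_FORK, STOP_OTHER_EVENT };

/* Classify a waitpid() status from a tracee whose options include
 * PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK. Kernel encoding of a stop:
 * low byte 0x7f, stop signal in bits 8..15, PTRACE_EVENT_* in bits 16..23. */
enum stop_kind classify_stop(int status)
{
    if (!WIFSTOPPED(status))
        return STOP_EXITED;                     /* exited or killed by a signal */
    int sig = WSTOPSIG(status);
    if (sig == (SIGTRAP | 0x80))
        return STOP_SYSCALL;                    /* TRACESYSGOOD: syscall entry or exit */
    if (sig != SIGTRAP)
        return STOP_SIGNAL;                     /* ordinary signal-delivery stop */
    if ((status >> 16) == PTRACE_EVENT_FORK)
        return STOP_FORK;                       /* new child is already a stopped tracee */
    return (status >> 16) ? STOP_OTHER_EVENT : STOP_TRAP;  /* plain SIGTRAP: bp/wp/step */
}

/* Demo: trace a child that forks once, follow the fork, report each fork stop. */
int main(void)
{
    pid_t pid = fork();
    if (pid == 0) {                             /* tracee: stop so the tracer can set options */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);
        if (fork() == 0) _exit(0);              /* grandchild, auto-attached by TRACEFORK */
        wait(NULL);
        _exit(0);
    }
    pid_t p; int status, live = 1;              /* live = tracees not yet exited */
    waitpid(pid, &status, 0);                   /* initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK));
    ptrace(PTRACE_SYSCALL, pid, NULL, NULL);
    while (live > 0 && (p = waitpid(-1, &status, __WALL)) > 0) {
        enum stop_kind k = classify_stop(status);
        if (k == STOP_EXITED) { live--; continue; }
        if (k == STOP_FORK) { live++; printf("%d forked; following the new tracee\n", (int)p); }
        ptrace(PTRACE_SYSCALL, p, NULL, NULL);  /* resume, suppressing the pending signal */
    }
    return 0;
}
```

PTRACE_GETEVENTMSG on the fork stop returns the new child's pid if the tracer needs it; here waitpid(-1, __WALL) simply picks the child up when it reports its first stop.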