PTRACE_SYSCALL analysis

Mike Frysinger vapier at gentoo.org
Thu Nov 28 19:44:59 UTC 2013


On Thursday 28 November 2013 11:59:19 Piotr Szerman wrote:
> Hello. I'm writing to ask how strace is able to distinguish a syscall entry
> from a syscall exit with ptrace(PTRACE_SYSCALL...)? On x86_64, it seems
> you can rely on the -ENOSYS value in RAX. However, for some reason I can't
> pick up an analogous coherent pattern on ARM. I'd be deeply indebted for
> shedding some light on the issue.

the most thorough documentation probably can be found here:
https://git.kernel.org/cgit/docs/man-pages/man-pages.git/tree/man2/ptrace.2

note the "syscall-stops" section.  also note, like that man page does, that a 
lot of these fine details are very arch specific because ptrace events/state 
tend to be embedded in the arch/$ARCH/ subdir of the kernel (and even worse, 
low level assembly code like the common entry points).

so if you want the "real" answer, your best bet is to dive into the arm 
assembly like arch/arm/kernel/entry-*.S.
-mike
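
Added example (not part of the original message and not strace's code): a minimal tracer following the "syscall-stops" section of ptrace(2), which says enter-stops and exit-stops look the same to the tracer and must be told apart by tracking their alternation, on any architecture. `classify_stop` and `struct tracee` are hypothetical names; `PTRACE_O_TRACESYSGOOD` is set so that syscall-stops report `SIGTRAP|0x80` and are not confused with other SIGTRAP stops.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum stop_kind { STOP_OTHER, STOP_SYSCALL_ENTER, STOP_SYSCALL_EXIT };

/* Hypothetical per-tracee state: nonzero between an enter-stop and its exit-stop. */
struct tracee { int in_syscall; };

/* Classify one waitpid() status. With PTRACE_O_TRACESYSGOOD set, a syscall-stop
 * reports SIGTRAP|0x80; enter vs. exit is known only from the alternation. */
static enum stop_kind classify_stop(struct tracee *t, int status)
{
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
        return STOP_OTHER;            /* signal-delivery-stop, exit, ... */
    t->in_syscall = !t->in_syscall;
    return t->in_syscall ? STOP_SYSCALL_ENTER : STOP_SYSCALL_EXIT;
}

int main(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {                   /* tracee (constructed sample workload) */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);               /* stop so the tracer can set options */
        getppid();
        _exit(0);
    }
    struct tracee t = { 0 };
    int status;
    long sig = 0;
    waitpid(pid, &status, 0);         /* initial SIGSTOP; not re-injected */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    /* The loop ends when the tracee exits: the final exit_group() yields an
     * enter-stop with no matching exit-stop. */
    while (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)sig) == 0 &&
           waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        enum stop_kind k = classify_stop(&t, status);
        sig = (k == STOP_OTHER) ? WSTOPSIG(status) : 0;  /* forward real signals */
        if (k != STOP_OTHER)
            printf("%s\n", k == STOP_SYSCALL_ENTER ? "syscall enter" : "syscall exit");
    }
    return 0;
}
```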