linux - Process tracing tools in Linux

Tags: linux process trace

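In Linux, I want to trace the function calls that a new process makes before it actually starts. Which tool can help me with this?

For example: "do_fork" will be called to create a new process. I want to know the flow of such calls for a new process.

Please correct me if my understanding of process startup is wrong.

Thanks in advance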

Best answer

As I suggested in the comments, strace the parent shell, for example like this:

strace -fF -v -p PIDOF_PARENT_SHELL

You first need to get the shell's pid (e.g. via echo $$); -fF makes sure strace follows forks and vforks.

Here is an example trace (zsh starting a program called test):

24077 15:03:07.094522 alarm(0)          = 0 <0.000029>
24077 15:03:07.097920 ioctl(10, SNDCTL_TMR_STOP or TCSETSW, {c_iflags=0x2502, c_oflags=0x5, c_cflags=0x4bf, c_lflags=0x8a3b, c_line=0, c_cc="\x03\x1c\x7f\x15\x04\x00\x01\x00\x11\x13\x1a\x00\x12\x0f\x17\x16\x00\x00\x00"}) = 0 <0.000047>
24077 15:03:07.098450 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 <0.000029>
24077 15:03:07.098830 rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0 <0.000027>
24077 15:03:07.099033 pipe([3, 4])      = 0 <0.000311>
24077 15:03:07.099559 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f663a44c9d0) = 32626 <0.002433>
24077 15:03:07.103197 close(4)          = 0 <0.000032>
24077 15:03:07.103413 read(3,  <unfinished ...>
32626 15:03:07.103700 close(3)          = 0 <0.001051>
32626 15:03:07.105151 setpgid(0, 32626) = 0 <0.001103>
32626 15:03:07.106440 ioctl(10, TIOCSPGRP, [32626]) = 0 <0.000036>
32626 15:03:07.106717 close(10)         = 0 <0.000026>
32626 15:03:07.106933 rt_sigaction(SIGTTOU, {SIG_DFL, [TTOU], SA_RESTORER|SA_RESTART, 0x7f6639669b30},  {SIG_IGN, [TTOU], SA_RESTORER|SA_RESTART, 0x7f6639669b30}, 8) = 0 <0.004122>
32626 15:03:07.111713 rt_sigaction(SIGTTIN, {SIG_DFL, [TTIN], SA_RESTORER|SA_RESTART, 0x7f6639669b30}, {SIG_IGN, [TTIN], SA_RESTORER|SA_RESTART, 0x7f6639669b30}, 8) = 0 <0.000027>
32626 15:03:07.112005 rt_sigaction(SIGTSTP, {SIG_DFL, [TSTP], SA_RESTORER|SA_RESTART, 0x7f6639669b30}, {SIG_IGN, [TSTP], SA_RESTORER|SA_RESTART, 0x7f6639669b30}, 8) = 0 <0.000027>
32626 15:03:07.112253 rt_sigaction(SIGTERM, {SIG_DFL, [TERM], SA_RESTORER|SA_RESTART, 0x7f6639669b30}, {SIG_IGN, [TERM], SA_RESTORER|SA_RESTART, 0x7f6639669b30}, 8) = 0 <0.000026>
32626 15:03:07.112493 rt_sigaction(SIGINT, {SIG_DFL, [INT], SA_RESTORER|SA_RESTART, 0x7f6639669b30}, {0x474510, [], SA_RESTORER|SA_INTERRUPT, 0x7f6639669b30}, 8) = 0 <0.000026>
32626 15:03:07.112732 rt_sigaction(SIGQUIT, {SIG_DFL, [QUIT], SA_RESTORER|SA_RESTART, 0x7f6639669b30}, {SIG_IGN, [QUIT], SA_RESTORER|SA_RESTART, 0x7f6639669b30}, 8) = 0 <0.000027>
32626 15:03:07.113558 getrusage(RUSAGE_CHILDREN, {ru_utime={0, 0}, ru_stime={0, 0}, ru_maxrss=0, ru_ixrss=0, ru_idrss=0, ru_isrss=0, ru_minflt=0, ru_majflt=0, ru_nswap=0, ru_inblock=0, ru_oublock=0, ru_msgsnd=0, ru_msgrcv=0, ru_nsignals=0, ru_nvcsw=0, ru_nivcsw=0}) = 0 <0.001173>
32626 15:03:07.114989 close(4 <unfinished ...>
24077 15:03:07.115109 <... read resumed> "", 1) = 0 <0.011627>
24077 15:03:07.116448 close(3)          = 0 <0.000047>
24077 15:03:07.116804 rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0 <0.000028>
24077 15:03:07.117025 rt_sigsuspend([] <unfinished ...>
32626 15:03:07.117147 <... close resumed> ) = 0 <0.002089>
32626 15:03:07.117471 rt_sigprocmask(SIG_UNBLOCK, [CHLD], [CHLD], 8) = 0 <0.000027>
32626 15:03:07.118987 execve("/home/freundt/temp/test", ["test"], [...]]) = 0 <0.035287>
32626 15:03:07.264156 brk(0)            = 0x60a000 <0.000027>
...

You can clearly see the calls to clone() and execve(), along with other interesting things.
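Added example, not part of the original answer: with -f the lines of parent and child interleave, so the fork/exec chain is easier to audit once the `<unfinished ...>` and `<... resumed>` halves are rejoined per pid. The Python below does that on a constructed sample; the function name `process_events` and the sample paths are assumptions, and any positive clone() return is treated as a new task (threads included).

```python
import re

# Constructed sample in the same "pid time syscall(args) = ret <dur>" layout as the trace above.
SAMPLE = """\
24077 15:03:07.099559 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f663a44c9d0) = 32626 <0.002433>
24077 15:03:07.103413 read(3,  <unfinished ...>
32626 15:03:07.103700 close(3)          = 0 <0.001051>
32626 15:03:07.114989 execve("/tmp/demo", ["demo"], [/* 3 vars */] <unfinished ...>
24077 15:03:07.115109 <... read resumed> "", 1) = 0 <0.011627>
32626 15:03:07.117147 <... execve resumed> ) = 0 <0.002089>
32626 15:03:07.200000 vfork( <unfinished ...>
32700 15:03:07.200500 execve("/bin/missing", ["missing"], [/* 3 vars */]) = -1 ENOENT (No such file or directory) <0.000050>
32700 15:03:07.200700 exit_group(127)   = ?
32626 15:03:07.201000 <... vfork resumed> ) = 32700 <0.001000>
"""

LINE = re.compile(r"^(\d+)\s+(?:\d\d:\d\d:\d\d(?:\.\d+)?\s+)?(.*)$")  # pid, optional timestamp
CALL = re.compile(r"^(\w+)\((.*)$")
RESUMED = re.compile(r"^<\.\.\. (\w+) resumed>\s?(.*)$")
RET = re.compile(r".*\)\s+= (-?\d+)")  # greedy prefix: use the last ") = N" on the line
FORKS = {"clone", "clone3", "fork", "vfork"}
UNFINISHED = "<unfinished ...>"

def process_events(text):
    """Return (parent_of, execs): child pid -> parent pid, and (pid, path, ok) per execve."""
    pending, parent_of, execs = {}, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        pid, rest = int(m.group(1)), m.group(2)
        if rest.endswith(UNFINISHED):  # first half of a call: park it under its pid
            pending[pid] = rest[: -len(UNFINISHED)]
            continue
        r = RESUMED.match(rest)
        if r:  # second half: rejoin with the parked first half
            rest = pending.pop(pid, r.group(1) + "(") + r.group(2)
        c, ret = CALL.match(rest), RET.match(rest)
        if not c or not ret:  # exit lines, signals, "= ?" and similar
            continue
        name, value = c.group(1), int(ret.group(1))
        if name in FORKS and value > 0:  # a positive return is the new child's pid
            parent_of[value] = pid
        elif name == "execve":
            path = re.match(r'"([^"]*)"', c.group(2))
            execs.append((pid, path.group(1) if path else "?", value == 0))
    return parent_of, execs
```

Feed it the text of a file written with strace's -o option to get the same two structures for a real session.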

Regarding linux - Process tracing tools in Linux, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/9818507/
