Target audience: system level developers

Author: Kamil Rytarowski

uname: NetBSD 7.99.62 amd64

Date: 26th February 2017

• Overview
• ptrace(2) principles
• How to start to trace a process
• Introspecting tracee
• Breakpoints and watchpoints
• Monitoring events
• Managing threads
• ELF Auxiliary Vector
• Tracing syscalls
• News in NetBSD 8.0 (state in progress)
• Porting Linux code
• Porting FreeBSD code
• Porting OpenBSD code

ptrace(2) - process tracing and debugging facility

By using process trace one process can take over another, inspect and manipulate its register context, address space and control flow.

Underneath this interface is using the reparenting mechanism. The tracer is new parent, the tracee is a child and userland processes mostly don't notice it.

This interface is used in BSD operating systems and Linux (kernel) and they are relatively closely related.

Other Operating Systems may use different mechanisms - this includes MacOSX, SunOS family and others. These are out of scope for this talk.

Traditionally BSD 4.4 introduced procfs tracing ability to face performance issues with the original ptrace(2) design. In the past ptrace(2) was limited to peeking and poking data in sizeof(int) chunks between the tracer and its tracee. With the advent of PT_IO that's no longer true. Therefore /proc has no longer added value besides compatibiliy with software.

First appeared in Version 7 AT&T UNIX.

ptrace(2) is a signal-based monitoring mechanism. Parent intercepts from its tracee signals with a wait(2)-like function or a SIGCHLD signal handler.

ptrace(2) is used to mangle the whole process, unlike Linux where this function is used to manage each thread separately.

ptrace(2) is a nonstandard extension of a POSIX-like system.

Most of the time the tracee works normally without performance overhead, but when it receives a signal it stops.

For most ptrace(2) operations the tracee must be stopped.

A debugger can receive additional events - besides regularly intercepted signals:

• tracee termination,
• LWP events (thread creation and termination)
• child events (process fork(2), vfork(2) and vfork(2) done),
• software breakpoint
• hardware assisted breakpoint or watchpoint (debug register based)
• single step trap
• execve(2) trap - transforming the calling process into a new program
• system call trap (on syscall entry and on syscall exit)

Old, broken and/or unportable ways:

• exect(3)

  BSD4.2 specific solution, no longer works. It turns on single-step mode in the process. Formally marked deprecated in NetBSD 8.0.

• clone(3) with flags CLONE_PTRACE and CLONE_UNTRACED

  Linux specific. Not implemented nor applicable on NetBSD.

Software breakpoints are set with PIOD_WRITE_I or PT_WRITE_I operations by modifying the instruction segment of the tracee.

Hardware breakpoints are set with Machine Dependent Debug Registers with PT_SETDBREGS.

Hardware watchpoints are set with a Machine Dependent Debug Registers with PT_SETDBREGS.

A debugger can catch and differentiate the following events:

• Process software breakpoint - SIGTRAP with si_code TRAP_BRKPT
• Process child trap (fork(2), vfork(2), vfork(2) done) - SIGTRAP with si_code TRAP_CHLD
• Process hardware debug register trap - SIGTRAP with si_code TRAP_DBREG
• Process exec trap - SIGTRAP with si_code TRAP_EXEC
• Process LWP trap (thread creation and termination) - SIGTRAP with si_code TRAP_LWP
• Process trace trap (single step trap) - SIGTRAP with si_code TRAP_TRACE
• System call entry - SIGTRAP (planned si_code TRAP_SCE)
• System call exit - SIGTRAP (planned si_code TRAP_SCX)

Additionally a tracer can catch a signal emitted to the tracee and the process termination with its exit status.

In order to pass a faked signal to the tracee, the signal type must match the signal passed to the process with PT_CONTINUE, PT_DETACH.

The PT_GET_SIGINFO request can be used to determine signal information that was received by a debugger. The information is read into the struct ptrace_siginfo pointed to by addr. The data argument should be set to sizeof(struct ptrace_siginfo).

The fork(2) and vfork(2) events can occur with similar operations, like clone(2) or posix_spawn(3). The PTRACE_FORK value means that the process gives birth to its child without pending on its termination or execve(2) operation. If enabled, the child is also traced by the debugger and SIGTRAP is generated twice, first for the parent and second for the child. The PTRACE_VFORK event is the same as PTRACE_FORK, but the parent blocks after giving birth to the child. The PTRACE_VFORK_DONE event can be used to report unblocking of the parent.

A pointer to this structure is passed in addr. The data argument should be set to sizeof(struct ptrace_event).

The PT_LWPINFO call on FreeBSD and NetBSD must not be used interchangeably. The FreeBSD call is used to retrieve the event that stopped the process, while the NetBSD version is used to retrieve the list of threads within a process.

The pl_event field in struct ptrace_lwpinfo must not be used to detect if the whole process received a signal or other type of an event (process termination).

Where in FreeBSD PT_LWPINFO shows which event stopped a child, use PT_GET_SIGINFO on NetBSD instead.

To retrieve the thread that was signaled one should use PT_GET_SIGINFO and read the psi_lwpid member of struct ptrace_siginfo.

A user should be warned that PT_LWPINFO is not obligated to retrieve the threads within a process in a specific order with threads identities (lwpid_t) increasing from the lowest to the highest.

To allow a thread to execute one can use PT_RESUME.

To prevent a thread from execution a debugger can call PT_SUSPEND.

Traditionally PT_CONTINUE, PT_SYSCALL and PT_STEP can be used to continue only a specific thread, however new code should be using PT_RESUME and PT_SUSPEND operations as they don't prevent us from emitting a signal to a tracee.

To retrieve the list of suspended threads in a process the PT_LWPINFO call should be used.

The ELF Auxiliary vector of a tracee can be retrieved with PT_IO and option PIOD_READ_AUXV.

There are PT_SYSCALL and PT_SYSCALLEMU operations, both need more work and tests.

The following features have been prepared in the upcoming NetBSD 8.0 release:

• The pl_event member of struct ptrace_lwpinfo can take the new value PL_EVENT_SIGNAL
• PT_SET_EVENT_MASK in pe_set_event of struct ptrace_event has new members: PTRACE_VFORK, PTRACE_VFORK_DONE, PTRACE_LWP_CREATE, PTRACE_LWP_EXIT
• PT_SET_SIGINFO and PT_GET_SIGINFO
• PT_SET_SIGMASK and PT_GET_SIGMASK
• PT_GETDBREGS and PT_SETDBREGS on amd64 and i386
• PT_RESUME and PT_SUSPEND
• new siginfo(2) codes: TRAP_EXEC, TRAP_CHLD, TRAP_DBREG, TRAP_LWP

Porting Linux ptrace(2) code is complicated as the ptrace(2) calls are used to control threads on Linux and a process on NetBSD.

A debugger for Linux has to perform the job of synchronizing threads - stopping them, terminating, etc in its own code; on NetBSD there is no need for this as a process is a single entity from the ptrace(2) point of view.

Some of the Linux ptrace(2) calls have no direct or indirect equivalents, however these calls are not really applicable on NetBSD.

The only really missing feature on NetBSD is lack of concurrent PT_SYSCALL and PT_STEP execution.

• PTRACE_TRACEME -> PT_TRACE_ME
• PTRACE_PEEKTEXT and PTRACE_PEEKDATA -> PT_READ_I and PT_READ_D
• PTRACE_PEEKUSER - there is no direct equivalent on NetBSD, user data on NetBSD might be consisted of mcontext (general purpose registers, floating point registers and Thread Local Storage) and debug registers
• PTRACE_POKETEXT, PTRACE_POKEDATA -> PT_WRITE_I and PT_WRITE_D
• PTRACE_GETREGS -> PT_GETREGS
• PTRACE_GETFPREGS -> PT_GETFPREGS
• PTRACE_GETREGSET - there is no direct equivalent on NetBSD, use appropriate PT_GET*REGS
• PTRACE_SETREGS -> PT_SETREGS
• PTRACE_SETFPREGS -> PT_SETFPREGS
• PTRACE_SETREGSET - there is no direct equivalent on NetBSD, use appropriate PT_SET*REGS

• PTRACE_GETSIGINFO -> PT_GET_SIGINFO
• PTRACE_SETSIGINFO -> PT_SET_SIGINFO
• PTRACE_PEEKSIGINFO - there is no equivalent on NetBSD, not really applicable
• PTRACE_GETSIGMASK -> PT_GET_SIGMASK
• PTRACE_SETSIGMASK -> PT_SET_SIGMASK
• PTRACE_SETOPTIONS -> PT_SET_EVENT_MASK
• PTRACE_SETOPTIONS option PTRACE_O_EXITKILL - there is no direct equivalent on NetBSD, a tracer should just call PT_KILL before termination
• PTRACE_SETOPTIONS option PTRACE_O_TRACECLONE - PTRACE_FORK and/or PTRACE_VFORK, clone(2) works like fork(2) (parent not waiting on child) or vfork(2) (parent waiting on child)
• PTRACE_SETOPTIONS option PTRACE_O_TRACEEXEC - nothing is needed, on NetBSD SIGTRAP is always triggered unless traced with PT_SYSCALL

• PTRACE_SETOPTIONS option PTRACE_O_TRACEEXIT - not applicable on NetBSD, if really needed there is sysctl(7) proc.$PID.stopexit
• PTRACE_SETOPTIONS option PTRACE_O_TRACEFORK - PTRACE_FORK
• PTRACE_SETOPTIONS option PTRACE_O_TRACESYSGOOD - not applicable on NetBSD, to trace syscalls use PT_SYSCALL
• PTRACE_SETOPTIONS option PTRACE_O_TRACEVFORK - PTRACE_VFORK
• PTRACE_SETOPTIONS option PTRACE_O_TRACEVFORKDONE - PTRACE_VFORK_DONE
• PTRACE_GETEVENTMSG -> mostly PT_GET_PROCESS_STATE
• PTRACE_CONT -> PT_CONTINUE
• PTRACE_SYSCALL -> PT_SYSCALL

• PTRACE_SINGLESTEP -> PT_STEP
• PTRACE_SYSEMU -> PT_SYSCALLEMU
• PTRACE_SYSEMU_SINGLESTEP - not supported
• PTRACE_LISTEN - not supported nor applicable
• PTRACE_KILL -> PT_KILL
• PTRACE_INTERRUPT - not supported nor applicable
• PTRACE_ATTACH -> PT_ATTACH
• PTRACE_SEIZE - not supported nor applicable
• PTRACE_DETACH -> PT_DETACH

Both systems, FreeBSD and NetBSD, have closely related ptrace(2) operations.

The major difference is that there is no way on NetBSD to detect syscall entry (TRAP_SCE) and exit trap (TRAP_SCX).

Another difference in syntax is that FreeBSD puts event information into PT_LWPINFO, while NetBSD relies on siginfo(2) and other applicable calls like PT_GET_PROCESS_STATE.

• ELF Auxiliary Vector is stored in the kernel on FreeBSD, and retrievable with PT_IO on NetBSD
• PT_LWPINFO completely different purposes on NetBSD (list threads) and FreeBSD (detect event that interrupted the tracee)
• PT_LWPINFO pl_flags PL_FLAG_SCE - currently unsupported, as it is requires the TRAP_SCE siginfo(2) value
• PT_LWPINFO pl_flags PL_FLAG_SCX - currently unsupported, as it is requires the TRAP_SCX siginfo(2) value
• PT_LWPINFO pl_flags PL_FLAG_EXEC - TRAP_EXEC
• PT_LWPINFO pl_flags PL_FLAG_SI - the PT_GET_SIGINFO call is always available
• PT_LWPINFO pl_flags PL_FLAG_FORKED - TRAP_CHLD and PT_GET_PROCESS_STATE with PTRACE_FORK
• PT_LWPINFO pl_flags PL_FLAG_CHILD - TRAP_CHLD and PT_GET_PROCESS_STATE with PTRACE_FORK

• PT_LWPINFO pl_sigmask - PT_GET_SIGMASK
• PT_LWPINFO pl_siglist - currently no use-case, not needed, seems Linux specific clone
• PT_LWPINFO pl_siginfo - PT_GET_SIGINFO
• PT_LWPINFO pl_tdname - currently not needed, this value can be retrieved with sysctl(7) if really needed
• PT_LWPINFO pl_child_pid - TRAP_CHLD and PT_GET_PROCESS_STATE with PTRACE_FORK
• PT_LWPINFO pl_syscall_code - not applicable, debugger is supposed to use PT_GETREGS
• PT_LWPINFO pl_syscall_narg - not applicable, debugger is supposed to use PT_GETREGS
• PT_GETNUMLWPS - PT_LWPINFO and iterate over all threads or use sysctl(7)
• PT_GETLWPLIST - PT_LWPINFO

• PT_SETSTEP - not applicable, use PT_STEP
• PT_CLEARSTEP - not applicable, do not use PT_STEP
• PT_TO_SCE - not applicable, use PT_SYSCALL
• PT_TO_SCX - not applicable, use PT_SYSCALL
• PT_FOLLOW_FORK - PT_SET_EVENT_MASK with PTRACE_FORK
• PT_VM_TIMESTAMP - not applicable
• PT_VM_ENTRY - currently no use-case, there is CTL_VM (vm.proc.map) in sysctl(7)

Currently OpenBSD ptrace(2) is a subset of NetBSD's ptrace(2).

This system has different semantics to iterate over threads: PT_GET_THREAD_FIRST with PT_GET_THREAD_NEXT. On NetBSD one must use PT_LWPINFO.