Observing system calls with dtruss

Most UNIX systems provide ways to see what your process is doing. This is called “tracing” the process. One important thing your process does is make system calls, and on macOS, you can trace this with a program called dtruss.

Take this C program:

int main() {
	return 0;
}
$ clang main.c
$ sudo dtruss ./a.out
dtrace: system integrity protection is on, some features will not be available

SYSCALL(args) 		 = return
open("/dev/dtracehelper\0", 0x2, 0x7FFF5A348930)		 = 3 0
ioctl(0x3, 0x80086804, 0x7FFF5A3488B8)		 = 0 0
close(0x3)		 = 0 0
thread_selfid(0x3, 0x80086804, 0x7FFF5A3488B8)		 = 5420279 0
bsdthread_register(0x7FFFAF245080, 0x7FFFAF245070, 0x2000)		 = 1073741919 0
ulock_wake(0x1, 0x7FFF5A3480EC, 0x0)		 = -1 Err#2
issetugid(0x1, 0x7FFF5A3480EC, 0x0)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x1)		 = 0 0
mprotect(0x1058BC000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058D2000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058D3000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058E9000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058EA000, 0x1000, 0x1)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x3)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x1)		 = 0 0
getpid(0x1058BA000, 0x88, 0x1)		 = 34146 0
stat64("/AppleInternal/XBS/.isChrooted\0", 0x7FFF5A347FA8, 0x1)		 = -1 Err#2
stat64("/AppleInternal\0", 0x7FFF5A348040, 0x1)		 = -1 Err#2
csops(0x8562, 0x7, 0x7FFF5A347AD0)		 = -1 Err#22
dtrace: error on enabled probe ID 2158 (ID 552: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 40
ulock_wake(0x1, 0x7FFF5A348050, 0x0)		 = -1 Err#2
csops(0x8562, 0x7, 0x7FFF5A3473B0)		 = -1 Err#22

The first line indicates the format of all the subsequent lines:

SYSCALL(args) 		 = return

But mysteriously, all the lines show two return codes! What are they? I had to read the source code to find out: the first is the system call return value, and the second is the value of errno after the system call.

Also mysteriously, lots of these system calls don’t have man pages. What are thread_selfid, bsdthread_register, ulock_wake, csops, dtrace? I don’t know.


I wrote this because I felt like it. This post is my own, and not associated with my employer.

Jim. Public speaking. Friends. Vidrio.