8

I'm trying to use strace to understand how a binary program uses memory.

However, the default output of strace, in an attempt to be more user friendly, prints any char * buffers as the respective strings.

read(3, "Tell me, Muse, of that man of ma"..., 4096) = 270

Is there any way to tell strace to print the actual address of the string next to its contents?

If it's not possible to have both, printing only the address of the string instead of its truncated contents would also be ok.

Ciro Santilli OurBigBook.com
  • 347,512
  • 102
  • 1,199
  • 985
m000
  • 5,932
  • 3
  • 31
  • 28
  • I don't think that's the way strace(1) is meant to be used. You might want to take a look at ltrace and gdb instead. –  Feb 17 '14 at 05:55
  • Maybe it's not supported, but I don't see how what I describe is out of scope for strace. It already does the job but does not print the information in the format I need. I've already checked ltrace and it has the same behaviour (i.e. char * buffers are printed as strings). gdb is intented for interactive debugging which is not what I want. – m000 Feb 17 '14 at 13:22

2 Answers2

20

-e raw=read should do what you want already. There should be no need for source modification.

broadway@creepspread:~% strace -e raw=read ls 2>&1|grep ^read
read(0x3, 0x7fff5ea52e78, 0x340) = 0x340
read(0x3, 0x7fff5ea52e48, 0x340) = 0x340
read(0x3, 0x7fff5ea52e18, 0x340) = 0x340
read(0x3, 0x7fff5ea52de8, 0x340) = 0x340
read(0x3, 0x7fff5ea52ca8, 0x340) = 0x340
read(0x3, 0x7fff5ea52c48, 0x340) = 0x340
read(0x3, 0x7fff5ea52c18, 0x340) = 0x340
read(0x3, 0x7fef1433f000, 0x400) = 0x136
read(0x3, 0x7fef1433f000, 0x400) = 0

Brian Mitchell
  • 2,280
  • 14
  • 12
  • Nice to know this. Still, when debugging it is useful to know both what and where. By default strace only shows you what is written. With this option it only shows you where it is written. With the modifications made by my patch it shows you both: read(3, 0x9118000:"This is strace, a system call tr"..., 32768) = 592 – m000 Feb 28 '14 at 15:47
  • 3
    -e raw=read -e read=all shows both undecoded data for read system call as well as a hex dump of what is read. The argument to -e read is a list of file descriptors, so you can filter it that way. – Brian Mitchell Feb 28 '14 at 20:22
0

You could download the source of strace and modify all these tprintf("%s", ...) to tprintf("%p", ...), and build a local copy of strace.

Lee Duhem
  • 14,695
  • 3
  • 29
  • 47
  • Source modification is an option. I'm investigating this but it is a bit trickier than it seems. – m000 Feb 17 '14 at 13:23
  • Look forward to your share of your solution to this problem. – Lee Duhem Feb 17 '14 at 15:18
  • I made this patch for the purpose: https://gist.github.com/m000/9240954 It should be fairly easy to add a command line switch to turn this behaviour on or off. But it wouldn't worth the trouble unless the strace maintainers were interested to merge this to the trunk. – m000 Feb 26 '14 at 23:28
  • @m000 Great, your patch looks quite nice. – Lee Duhem Feb 27 '14 at 01:21