
I understand how single stepping and the int 3 bytes are used to debug programs. In the first case, the tracer uses PTRACE_SINGLESTEP to be able to debug the program one instruction at a time. On x86, this means that the trap flag would be set while debugging. In the second case, 0xcc bytes are inserted into the tracee's address space and whenever a SIGTRAP arises, control is passed back to the tracer (debugger).

Now, when I attach to a program using the gdb debugger, the tracee is paused. What happens internally? Is a 0xcc byte inserted? How exactly does the ptrace library pause the tracee's execution?

1 Answer


ptrace is a system call, implemented by the kernel. The kernel decides whether a process can execute at all. When it is attached via ptrace in the ordinary way, it pauses execution -- presumably by setting a flag and never scheduling it, but I never looked that deep.

Note that newer versions of the Linux kernel include a PTRACE_SEIZE request, which can be used to attach to a process without stopping it. The ptrace man page explains this a bit.

Tom Tromey