time to bleed by Joe Damato

technical ramblings from a wanna-be unix dinosaur

strace: for fun, profit, and debugging.

View Comments

In this post I’m going to describe some simple uses for one of my favorite command line tools: strace. In the next post, I’ll show how I used strace to fix a bug in ruby 1.8.7’s threading implementation which had significant performance implications.

strace comes standard with all linux distributions I’ve used and for good reason. strace is a handy command line tool which allows you to see which system calls a particular user application is hitting, the arguments passed passed in, and the return values. This is particularly useful if you are trying to debug cryptic error messages from poorly documented software or if you are interested in taking a peak under the hood of an application you are tuning, debugging, or optimizing. As a rule of thumb, if some command-line utility is misbehaving before googling or bugging some one, I always run strace and take a look at where it is choking up.

Let’s look at a simple C program and a simple ruby program and compare the strace output to see how both apps interact with kernel.


#include <stdio.h>

main(int argc, char *argv[])
  return 0;


puts "hi!"

Both programs look pretty simple, but the strace output is not so simple. I like to use “strace -ttT executable” which gives the time each syscall was made and how long each syscall took. Check the strace man page for more flags – it is very flexible. strace allows you to track the syscall counts, filter for specific syscalls, and more.

Strace output:

strace of hello.c
strace of hello.rb

At a high level: wow. A lot of stuff happens when you execute code, especially ruby code! Let’s take a look at some stuff in particular.

When the C-version of hello starts up, the binary is passed to execve to be executed, the heap is extended with a call to brk, and various regions of RAM are mmapped for shared libraries. Finally, we see that write is called and passed a file descriptor of 1, our message, and the length. So, this strace gives us an idea of the startup cost for a simple C executable and what syscalls that executable hits.

Let’s compare this to the strace for our ruby test script.

The ruby version of hello incurs a much greater initialization cost, but this makes sense. First, the ruby interpreter needs to be loaded which memory maps various regions of RAM for shared libraries. We can see from the strace which libraries ruby loads; in this case we see things like: libruby, libdl, libc, and libcrypt just to name a few. In the end though, ruby also calls the write system call, passes a file descriptor of 1, the message, and the length.

If a syscall fails, you would see error codes returned from the syscalls — on your local box try something like “strace /dev/null/nada” and you should see some “No such file or directory” errors.

That’s about it for my first post – If you don’t recognize some of the listed syscalls, their arguments, or return values consult the almighty man pages for more information. I hope you will work strace into your toolbox if you haven’t already. For those of you who already know about strace, this should serve as a nice warmup before we start digging into ruby internals in my next blog post.

Written by Joe Damato

September 30th, 2008 at 3:29 pm

Posted in debugging

Tagged with , , , ,

  • Jordi

    Hi, neat information. I just wanted to clarify (8 years later) that the example command you provided won't really work. There is no command there so strace does not start:

    [14:22 jordi ~]$ strace /dev/null/
    strace: Can't stat '/dev/null/': Not a directory

    Instead, ¡strace ls /dev/null' will return the results you were looking for.

  • pepe

    you can use strace for anything even for running processes just use the -p flag and I would also reccomend using the -o flag as this will dump the strace to a file which you can grep/sed/awk later

  • Good sample
    likewise we can test any java, Python, Jython programs too?

  • The masses demand action! Blogging action!

blog comments powered by Disqus