How to trace system calls of a program in Mac OS X?
D

3

131

I wanted to trace the system calls made by the find command to debug some performance issues; however, I could not figure out how to do this on Mac OS X Yosemite. How can I trace system calls for an arbitrary program, similarly to what strace does on FreeBSD? I am especially interested in tracing file-system related calls.


Suggested accepted answer doesn't work for me. This is what I tried:

cd ~
cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …

error:

codesign --remove-signature ./find
sudo dtruss ./find 
dtrace: system integrity protection is on, some features will not be available

dtrace: failed to execute ./find: Could not create symbolicator for task
Doxy answered 25/6, 2015 at 8:52 Comment(5)
A quick search for strace osx gave me this four year old blog post. It should be easy to find other alternatives using the same search. - Maribeth
@JoachimPileborg Nice point. I went another way, starting with apropos trace and searching from that. I overlooked dtruss and dtrace because all outcomes I have found were about a trace utility for the D language. - S
Just a note, FreeBSD ships with truss(1), not strace. - Preece
Did you try the strace provided by brew? e.g. formulae.brew.sh/formula/strace - Ventage
@CharlieParker it only supports Linux, not macOS (some people use brew on Linux). - Rochdale
D
86

You can use dtruss like in

sudo dtruss find ~/repo -depth 2 -type d -name '.git'

The manual page of that utility will help you to tailor the use of the tool to your needs.

Dormie answered 25/6, 2015 at 8:54 Comment(8)
dtruss did work then (June '15) but was broken by the System Integrity Protection regime of El Capitan. - Chrisman
@Chrisman Same issue with dtrace: the current security restriction (rootless enabled) prevents dtrace from attaching to an executable not signed with the [com.apple.security.get-task-allow] entitlement. - Sudorific
It is possible to disable SIP developer.apple.com/library/content/documentation/Security/… - Peasecod
Also see #33476932 - Peasecod
Adding a real example is helpful for testing, thanks. - Innerdirected
Curious, is there something wrong with using the strace provided by brew? e.g. formulae.brew.sh/formula/strace - Ventage
@CharlieParker strace is only available for Linux. - Nalchik
This answer fails: ``` dtrace: system integrity protection is on, some features will not be available dtrace: failed to execute find: Operation not permitted ``` - Ventage
M
112

Under current versions of macOS, executables under paths covered by SIP (like /usr/bin) cannot be traced.

You can bypass this by making a copy of the executable in your home directory and tracing the copy:

cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …

You need to remove the code signature from the new find executable, otherwise SIP still notices that a system file is being accessed (credit: @Anmol Singh Jaggi).

Management answered 17/10, 2017 at 20:53 Comment(7)
In my case after copying of the executable the bug that I wanted to debug stopped happening ..( - Sudorific
Probably my bug is really SIP-related so that's a success too. - Sudorific
Not working on macOS 10.15.4. Had to execute codesign --remove-signature ./find first. - Re
macOS does not execute the program after its signature is removed. I get an error, something like this: cannot open this program, source is untrusted - Nalchik
@CharlieParker Homebrew also works on Linux. :) strace is for Linux. - Hardecanute
Does not work for me on macOS Monterey with ls: dtrace: system integrity protection is on, some features will not be available dtrace: failed to execute ./ls: Could not create symbolicator for task - Rochdale
does work for me, I get this error: ``` dtrace: failed to execute ./find: Could not create symbolicator for task ``` - Ventage
S
13

You might have better luck with ktrace. For example (on Sonoma 14.0):

sudo ktrace trace -S -f C3 -c find .

-f = filter description, C3 = class 3 = DBG_FSYSTEM, -S = print arguments as strings where possible.

On Yosemite it would have been something like sudo ktrace -t cin -c find .

More ktrace filter examples in https://stackoverflow.com/a/76987655.

Stomatitis answered 27/8, 2023 at 15:44 Comment(1)
This is working also in Ventura. The accepted answer won't work anymore because of the system integrity protection. - Wick
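
How the C3 filter in the ktrace answer above selects events, as an added example (not part of the original answer and not ktrace's own code): every kdebug event carries a 32-bit debugid whose top byte is the class, so a class filter is a compare on that byte. The bit layout follows sys/kdebug.h; the helper names, the acceptance of hex (`C0x3`) and the sample debugids are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* kdebug debugid layout per sys/kdebug.h: class:8 | subclass:8 | code:14 | func:2 */
#define KD_CLASS(id)    (((id) >> 24) & 0xffu)
#define KD_SUBCLASS(id) (((id) >> 16) & 0xffu)
#define KD_CODE(id)     (((id) >> 2) & 0x3fffu)
#define KD_FUNC(id)     ((id) & 0x3u)   /* 1 = start, 2 = end, 0 = point event */

/* Constructed sample debugids, not captured from a real trace. */
static const uint32_t SAMPLE[] = {
    0x03010091u,  /* class 3 (DBG_FSYSTEM), subclass 1, code 36, start */
    0x03010092u,  /* same event, end */
    0x040c0015u,  /* class 4, subclass 0x0c, code 5, start */
    0x01400000u,  /* class 1, subclass 0x40, code 0, point event */
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Parse a "C<n>" class filter (hypothetical helper). Returns 0..255, or -1 if malformed. */
int parse_class_filter(const char *desc)
{
    char *end;
    unsigned long v;
    if (desc == NULL || desc[0] != 'C' || desc[1] == '\0') return -1;
    v = strtoul(desc + 1, &end, 0);   /* base 0: accepts "3" and "0x3" */
    if (*end != '\0' || v > 0xff) return -1;
    return (int)v;
}

/* Count the events a class filter would keep; -1 on a bad filter. */
int count_matching(const char *desc, const uint32_t *ids, size_t n)
{
    int cls = parse_class_filter(desc), kept = 0;
    if (cls < 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (KD_CLASS(ids[i]) == (uint32_t)cls) kept++;
    return kept;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLE; i++)
        printf("0x%08x class=%u subclass=0x%02x code=%u func=%u\n",
               (unsigned)SAMPLE[i], (unsigned)KD_CLASS(SAMPLE[i]),
               (unsigned)KD_SUBCLASS(SAMPLE[i]), (unsigned)KD_CODE(SAMPLE[i]),
               (unsigned)KD_FUNC(SAMPLE[i]));
    printf("kept by C3: %d of %u\n", count_matching("C3", SAMPLE, NSAMPLE), (unsigned)NSAMPLE);
    return 0;
}
```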
