Here is the output from strace for an echo of "Hello world".
The actual output is in black, and my description (interpretation) of each system call is in red italics above the output.
system call (ARGUMENT) = RETURN CODE
[root@server1 ~]# strace -f echo "Hello world"
Execute (program, argument list, its environment list) = success
execve("/usr/bin/echo", ["echo", "Hello world"], [/* 25 vars */]) = 0
Determine the current location of the program break (the end of the data segment) in the process address space
brk(0) = 0x1f73000
Allocate 4kB of memory at a location of the kernel's choice (NULL),
allow reads and writes, anonymous memory not backed by a file (fd = -1),
no offset from start address = the address of the start of the mapped memory
mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7ff9d54ea000
Check whether the file exists and is readable = FAIL (the file does not exist)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
Open the file as read only and assign FD as 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
The file above (fd = 3) is a regular file with permissions 0644
and 85.8kB in size
fstat(3, {st_mode=S_IFREG|0644, st_size=85800, ...}) = 0
Allocate 85.8kB of memory for FD 3 at any location (NULL),
allow reads only, private process memory with no
offset from the start address = start of mapped memory
mmap(NULL, 85800, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff9d54d5000
Close the FD and return integer 3 to the OS
close(3) = 0
Open this new file as read only and assign FD as 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
Read 832 bytes from FD 3 and store them in the buffer below = 832 bytes read
read(3, "\177ELF\2\1\1\3\3>\1@\30\2G<"..., 832) = 832
FD 3 is a regular file with permissions 0755 and 2MB in size
fstat(3, {st_mode=S_IFREG|0755, st_size=2065552, ...}) = 0
Allocate 3.9MB of memory for FD 3 at location 0x3c47000000,
allow reads and execution, private process memory with no
offset from the start address = start of mapped memory
mmap(0x3c47000000,3892376,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_DENYWRITE,3,0)=0x3c47000000
Set PROT_NONE (no read, write or execute access allowed) on 2MB of memory starting at 0x3c471ac000
mprotect(0x3c471ac000, 2097152, PROT_NONE) = 0
Allocate 24.5kB of memory for FD 3 at location 0x3c473ac000, allow reads
and writes, private process memory with an offset of 0x1ac000 from the
start address = start of mapped memory
mmap(0x3c473ac000,24576,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE,3,0x1ac000)=0x3c473ac000
Allocate 17.5kB of memory at location 0x3c473b2000, allow reads and writes,
private anonymous process memory not backed by a file (fd = -1),
with no offset from the start address = start of mapped memory
mmap(0x3c473b2000,17560,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,-1,0)=0x3c473b2000
Close the FD and return integer 3 to the OS
close(3) = 0
Allocate 4096 bytes at a location of the kernel's choice (NULL), allow reads
and writes, anonymous private memory not backed by a file (fd = -1), no offset
from start address = the address of the start of the mapped memory
mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7ff9d54d4000
Allocate 8192 bytes at a location of the kernel's choice (NULL), allow reads
and writes, anonymous private memory not backed by a file (fd = -1), no offset
from start address = the address of the start of the mapped memory
mmap(NULL,8192,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7ff9d54d2000
Set the 64-bit base of the FS register to 0x7ff9d54d2740
arch_prctl(ARCH_SET_FS, 0x7ff9d54d2740) = 0
Set read-only protection on 4kB of memory starting at 0x605000
mprotect(0x605000, 4096, PROT_READ) = 0
Set read only protection on 16kB of memory starting at 0x3c473ac000
mprotect(0x3c473ac000, 16384, PROT_READ) = 0
Set read only protection on 4kB of memory starting at 0x3c46e1f000
mprotect(0x3c46e1f000, 4096, PROT_READ) = 0
Unmap or release 85.8kB of memory starting at 0x7ff9d54d5000
munmap(0x7ff9d54d5000, 85800) = 0
Determine the current location of the pointer to the memory
allocated to the data segment of the process
brk(0) = 0x1f73000
Set the end of memory allocated to the data segment of the process
to 0x1f94000
brk(0x1f94000) = 0x1f94000
Determine the current location of the program break (the end of the data segment) in the process address space
brk(0) = 0x1f94000
Open this new file as read only and assign FD as 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
FD 3 is a regular file with permissions 0644 and 105MB in size
fstat(3, {st_mode=S_IFREG|0644, st_size=105038240, ...}) = 0
Allocate 105MB of memory for FD 3 at any location (NULL),
allow reads, private process memory with no offset from the start
address = start of mapped memory
mmap(NULL, 105038240, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff9cf0a5000
Close the FD and return integer 3 to the OS
close(3) = 0
FD 1, i.e. standard output, is a character device with permissions 0620 and device number
(major, minor) 136,0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
Allocate 4kB of memory at any location (NULL), allow reads and writes,
private anonymous process memory not backed by a file (fd = -1),
with no offset from the start address = start of mapped memory
mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7ff9d54e9000
Write the 12-byte string "Hello world" (including the trailing newline) to standard output = 12 bytes written
write(1, "Hello world\n", 12Hello world) = 12
Close the standard output FD and return integer 1 to the OS
close(1) = 0
Unmap or release 4kB of memory starting at address 0x7ff9d54e9000
munmap(0x7ff9d54e9000, 4096) = 0
Close the standard error FD and return integer 2 to the OS
close(2) = 0
Exit all threads in a process
exit_group(0) = ?
+++ exited with 0 +++
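The same reading can be automated. The following is an added example, not part of the original post: it parses lines in the "system call (ARGUMENT) = RETURN CODE" form and pulls out what a defender usually looks at first in a trace (what was executed, which files were opened, which calls failed, whether /etc/ld.so.preload was found, and any mapping that is both writable and executable). The function names `parse` and `audit` are hypothetical, and the last sample line is constructed; the other sample lines are copied from the trace above.

```python
import re

# Constructed sample: seven lines copied from the trace above plus one made-up
# writable+executable mapping (last line) so the audit has something to flag.
SAMPLE = r'''
execve("/usr/bin/echo", ["echo", "Hello world"], [/* 25 vars */]) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
mmap(0x3c47000000,3892376,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_DENYWRITE,3,0)=0x3c47000000
mprotect(0x3c471ac000, 2097152, PROT_NONE) = 0
exit_group(0) = ?
mmap(NULL,4096,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_PRIVATE|MAP_ANONYMOUS,-1,0)=0x7f0000000000
'''

# name(args) = ret [ERRNO (message)]; an optional "[pid N]" prefix comes from -f
LINE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s*=\s*(-?\w+|\?)(?:\s+(E[A-Z0-9]+)\b)?')

def parse(trace):
    """Yield one dict per syscall line: name, raw args, return value, errno."""
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield dict(zip(("name", "args", "ret", "errno"), m.groups()))

def audit(trace):
    """Collect what was executed, opened, failed, and mapped W+X."""
    rep = {"exec": [], "opened": [], "failed": [], "wx_maps": [],
           "preload_present": None}
    for c in parse(trace):
        q = re.search(r'"([^"]*)"', c["args"])   # first quoted argument = path
        path = q.group(1) if q else None
        if c["errno"]:
            rep["failed"].append((c["name"], c["errno"]))
        if c["name"] == "execve":
            rep["exec"].append(path)
        elif c["name"] in ("open", "openat") and not c["errno"]:
            rep["opened"].append(path)
        elif c["name"] == "access" and path == "/etc/ld.so.preload":
            rep["preload_present"] = c["errno"] is None
        elif c["name"] in ("mmap", "mprotect"):
            if "PROT_WRITE" in c["args"] and "PROT_EXEC" in c["args"]:
                rep["wx_maps"].append((c["name"], c["ret"]))
    return rep

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real capture, write the trace to a file with `strace -f -o trace.txt ...` and pass the file's contents to `audit`.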
Wonderful, never understood strace so clearly as today. Thanks for sharing your knowledge.
Hello, thanks for this! Exactly the kind of example analysis I was looking for.
Excellent explanation, really learnt to interpret the strace output
Wow, great!!!!!!!!
Very nicely explained