strace tips for better debugging

42 points by rrampage

YogurtGuy

Also, if you’re tracing a subset of system calls, passing --seccomp-bpf can massively speed things up, because it lets the kernel only wake up strace for the syscalls you’ve decided to trace, rather than waking it up for every syscall.

kwas

todo for when I’m feeling like not working on my tasks: check whether the normally VDSO’d calls also get straced. Hyphotesis: they do.
- donio
  
  Normally they don’t. This tool can be used to work around this if you really need to see them.
ibookstein

Any idea why is that not the default when available?
- YogurtGuy
  
  It requires --follow-forks which is not a default option (thought I feel like it should be!)
  - dijit
    
    --follow-forks is frustrating when the thing you’re debugging will fork and then continue working like normal, completely redirecting your debugging.
    
    It would be a terrible default.
    
    (source: former sysadmin who used strace in production, a lot).
    
    YogurtGuy
    
    I thought --follow-forks meant that both the parent and the child were strace’d. Is that not true? Is the issue that the child’s strace output would pollute the output of the parent you actually wanted to trace?
  - 0x2ba22e11
    
    Handy! Thank you.