Understanding the 'truss' Command in Unix-like Systems (with examples)

The truss command is a powerful troubleshooting tool utilized in Unix-like operating systems, primarily for tracing system calls made by a process. Often compared to the Linux strace utility, truss provides insights into the functioning of a program by showing the sequence of system calls and signals, which is valuable for debugging and performance analysis. By understanding the flow of these low-level operations, developers and system administrators can identify issues within the applications, optimize performance, and monitor the behavior of processes.

Use case 1: Start tracing a program by executing it, following all child processes

Code:

truss -f program

Motivation: The primary motivation for using this command is to trace not only the system calls of the main program but also to track those of any spawned child processes. This use case is critically important when working with applications that spawn multiple processes, such as when a command initiates forks or executes other programs. By following all child processes, a comprehensive view of the program’s behavior is obtained, allowing for thorough debugging and performance analysis.

Explanation:

• truss: The command used to initiate the tracing operation.
• -f: A flag that instructs truss to follow child processes. Every child process spawned by program will be monitored, providing a holistic view of system call interactions.
• program: The executable or script being traced.

Example Output:

execve("/path/to/program", ["program"], [/* environment */]) = 0
[pid 1234] fork() = 1235
[pid 1235] execve("/child/program", ["child"], [/* environment */]) = 0

Use case 2: Start tracing a specific process by its PID

Code:

truss -p pid

Motivation: Tracing a specific process by its Process ID (PID) is useful in scenarios where the program is already running, and the issue or performance bottleneck needs to be identified in real-time. By targeting a specific process, the user can examine its system calls without restarting it, which is often crucial in production environments where downtime must be minimized.

Explanation:

• truss: Initiates tracing.
• -p: Specifies that truss should attach to an existing process.
• pid: The Process ID of the running process to be traced. It allows for precise monitoring of a specific application or service.

Example Output:

[pid 5678] read(3, "hello", 5) = 5
[pid 5678] write(1, "hello", 5) = 5

Use case 3: Start tracing a program by executing it, showing arguments and environment variables

Code:

truss -a -e program

Motivation: Tracing a program while capturing its arguments and environment variables can be essential for debugging issues that arise from incorrect parameter usage or unexpected environmental configurations. When applications behave differently across environments or execution contexts, understanding these inputs is vital for isolating the problem.

Explanation:

• truss: The tracing tool.
• -a: Tells truss to display the command-line arguments of each process.
• -e: Instructs truss to show the environment variables passed to the program.
• program: The binary or script to be executed and traced.

Example Output:

execve("/path/to/program", ["program", "--option"], ["VAR=value", "OTHER_VAR=other_value"]) = 0

Use case 4: Count time, calls, and errors for each system call and report a summary on program exit

Code:

truss -c -p pid

Motivation: When performance tuning or error diagnosis is needed, having a summary of system calls that includes timing, count, and errors can help pinpoint inefficiencies or failures within a process. This use case is particularly beneficial for profiling long-lived processes to understand their system-level interactions over time.

Explanation:

• truss: Tracing command.
• -c: Enables the counting of time, calls, and errors for each system call, providing a consolidated report upon completion.
• -p: Specifies the target process using its PID.
• pid: The Process ID of the process being examined.

Example Output:

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 60.00    0.060000        6000         10           read
 40.00    0.040000        4000          8           write
------ ----------- ----------- --------- --------- ----------------
100.00    0.100000                    18           total

Use case 5: Trace a process filtering output by system call

Code:

truss -p pid -t system_call_name

Motivation: When debugging complex applications, focusing on specific system calls can greatly reduce the noise in the output, making the process more efficient and targeted. This is extremely useful when a developer has already pinpointed that an issue might be related to one type of system call, such as file operations or network I/O.

Explanation:

• truss: Command for tracing.
• -p: Attaches to a running process via its PID.
• -t: Filters the trace output, only recording specified system calls.
• system_call_name: The particular system call to monitor, such as open or read.
• pid: The Process ID to target.

Example Output:

[pid 9876] open("/path/to/file", O_RDONLY) = 3
[pid 9876] open("/path/to/another_file", O_RDWR) = 4

Conclusion:

The truss command is a versatile tool for tracing system calls in Unix-like operating systems and provides a wide array of use cases suited to various debugging and performance monitoring needs. Whether examining a program’s startup process, profiling a running service, or isolating specific system calls, truss empowers developers and administrators to gain deep insights into their applications’ interactions with the system.