man strace:php
strace - trace system calls and signalsgit
In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are
received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.github
strace is a useful diagnostic, instructional, and debugging tool. System administrators, diagnosticians and trouble-shooters will find it invaluable for solving problems
with programs for which the source is not readily available since they do not need to be recompiled in order to trace them. Students, hackers and the overly-curious will
find that a great deal can be learned about a system and its system calls by tracing even ordinary programs. And programmers will find that since system calls and signals
are events that happen at the user/kernel interface, a close examination of this boundary is very useful for bug isolation, sanity checking and attempting to capture race
Each line in the trace contains the system call name, followed by its arguments in parentheses and its return value. An example from stracing the command ``cat /dev/null''
open("/dev/null", O_RDONLY) = 3服務器
Errors (typically a return value of -1) have the errno symbol and error string appended.網絡
open("/foo/bar", O_RDONLY) = -1 ENOENT (No such file or directory)app
Signals are printed as a signal symbol and a signal string. An excerpt from stracing and interrupting the command ``sleep 666'' is:socket
sigsuspend([] <unfinished ...>
--- SIGINT (Interrupt) ---
+++ killed by SIGINT +++tcp
- 能夠對特定的系統調用或者幾組系統調用進行過濾
- 能夠經過統計特定系統調用的調用次數、耗費的時間、成功和失敗的次數來配置(profile)系統調用的使用I
- 跟蹤發送給進程的信號量
- 能夠經過pid附着(attach)到任何運行的進程
1) 找出程序在startup的時候讀取的哪一個config文件?
- $ strace php 2>&1 | grep php.ini
- open("/usr/local/bin/php.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
- open("/usr/local/lib/php.ini", O_RDONLY) = 4
- lstat64("/usr/local/lib/php.ini", {st_mode=S_IFLNK|0777, st_size=27, ...}) = 0
- readlink("/usr/local/lib/php.ini", "/usr/local/Zend/etc/php.ini", 4096) = 27
- lstat64("/usr/local/Zend/etc/php.ini", {st_mode=S_IFREG|0664, st_size=40971, ...}) = 0
- $ strace -e open php 2>&1 | grep php.ini
- open("/usr/local/bin/php.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
- open("/usr/local/lib/php.ini", O_RDONLY) = 4
-e expr -- a qualifying expression: option=[!]all or option=[!]val1[,val2]...
options: trace, abbrev, verbose, raw, signal, read, write
2) 爲何這個程序沒有打開個人文件?
- $ strace -e open,access 2>&1 | grep your-filename
3) 某個進程如今在作什麼?
某個進程忽然佔用了不少CPU? 或者某個進程看起來像hanging了?
- root@dev:~# strace -p 15427
- Process 15427 attached - interrupt to quit
- futex(0x402f4900, FUTEX_WAIT, 2, NULL
- Process 15427 detached
"strace -p"很是有用,它減小了不少猜想工做,也不須要從新啓動應用。
-p pid -- trace process with process id PID, may be repeated
4) 是誰偷走了時間?
- root@dev:~# strace -c -p 11084
- Process 11084 attached - interrupt to quit
- Process 11084 detached
- % time seconds usecs/call calls errors syscall
- ------ ----------- ----------- --------- --------- ----------------
- 94.59 0.001014 48 21 select
- 2.89 0.000031 1 21 getppid
- 2.52 0.000027 1 21 time
- ------ ----------- ----------- --------- --------- ----------------
- 100.00 0.001072 63 total
- root@dev:~#
-c -- count time, calls, and errors for each syscall and report summary
-C -- like -c but also print regular output
在執行strace -c -p命令之後,等到你關注的時間到了後,按ctrl-c退出,strace會列出如上的profiling數據。
你也能夠運行"start to finish",這裏是"ls"
- root@dev:~# strace -c >/dev/null ls
- % time seconds usecs/call calls errors syscall
- ------ ----------- ----------- --------- --------- ----------------
- 23.62 0.000205 103 2 getdents64
- 18.78 0.000163 15 11 1 open
- 15.09 0.000131 19 7 read
- 12.79 0.000111 7 16 old_mmap
- 7.03 0.000061 6 11 close
- 4.84 0.000042 11 4 munmap
- 4.84 0.000042 11 4 mmap2
- 4.03 0.000035 6 6 6 access
- 3.80 0.000033 3 11 fstat64
- 1.38 0.000012 3 4 brk
- 0.92 0.000008 3 3 3 ioctl
- 0.69 0.000006 6 1 uname
- 0.58 0.000005 5 1 set_thread_area
- 0.35 0.000003 3 1 write
- 0.35 0.000003 3 1 rt_sigaction
- 0.35 0.000003 3 1 fcntl64
- 0.23 0.000002 2 1 getrlimit
- 0.23 0.000002 2 1 set_tid_address
- 0.12 0.000001 1 1 rt_sigprocmask
- ------ ----------- ----------- --------- --------- ----------------
- 100.00 0.000868 87 10 total
5) 爲何 沒法鏈接到服務器?
下面是跟蹤"nc"鏈接到 80端口的例子
- $ strace -e poll,select,connect,recvfrom,sendto nc 80
- sendto(3, "\\24\\0\\0\\0\\26\\0\\1\\3\\255\\373NH\\0\\0\\0\\0\\0\\0\\0\\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
- connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
- connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
- connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, 28) = 0
- poll([{fd=3, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
- sendto(3, "\\213\\321\\1\\0\\0\\1\\0\\0\\0\\0\\0\\0\\3www\\4news\\3com\\0\\0\\34\\0\\1", 30, MSG_NOSIGNAL, NULL, 0) = 30
- poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
- recvfrom(3, "\\213\\321\\201\\200\\0\\1\\0\\1\\0\\1\\0\\0\\3www\\4news\\3com\\0\\0\\34\\0\\1\\300\\f"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, [16]) = 153
- connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, 28) = 0
- poll([{fd=3, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
- sendto(3, "k\\374\\1\\0\\0\\1\\0\\0\\0\\0\\0\\0\\3www\\4news\\3com\\0\\0\\1\\0\\1", 30, MSG_NOSIGNAL, NULL, 0) = 30
- poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
- recvfrom(3, "k\\374\\201\\200\\0\\1\\0\\2\\0\\0\\0\\0\\3www\\4news\\3com\\0\\0\\1\\0\\1\\300\\f"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, [16]) = 106
- connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, 28) = 0
- poll([{fd=3, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
- sendto(3, "\\\\\\2\\1\\0\\0\\1\\0\\0\\0\\0\\0\\0\\3www\\4news\\3com\\0\\0\\1\\0\\1", 30, MSG_NOSIGNAL, NULL, 0) = 30
- poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
- recvfrom(3, "\\\\\\2\\201\\200\\0\\1\\0\\2\\0\\0\\0\\0\\3www\\4news\\3com\\0\\0\\1\\0\\1\\300\\f"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, [16]) = 106
- connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("")}, 16) = -1 EINPROGRESS (Operation now in progress)
- select(4, NULL, [3], NULL, NULL) = 1 (out [3])
注意到嘗試鏈接/var/run/nscd/socket?這意味着nc首先嚐試鏈接NSCD--the Name Service Cache Daemon--它一般用來基於NIS,YP,LDAP或者相似的目錄協議提供域名查詢。在這裏它失敗了。
而後它鏈接DNS(DNS是port 53,因此"sin_port=htons(53)")。而後它調用了"sendto()「,發送包含的DNS 包。而後讀迴響應。不知爲什麼,它嘗試了三次,最後一次有細微的卻別,我猜是它十一個CNAME(別名),屢次請求多是nc故意的。
Notice the connection attempts to /var/run/nscd/socket? They mean nc first tries to connect to NSCD - the Name Service Cache Daemon - which is usually used in setups that rely on NIS, YP, LDAP or similar directory protocols for name lookups. In this case the connects fails.
It then moves on to DNS (DNS is port 53, hence the "sin_port=htons(53)" in the following connect. You can see it then does a "sendto()" call, sending a DNS packet that contains It then reads back a packet. For whatever reason it tries three times, the last with a slightly different request. My best guess why in this case is that is a CNAME (an "alias"), and the multiple requests may just be an artifact of how nc deals with that.
Then in the end, it finally issues a connect() to the IP it found. Notice it returns EINPROGRESS. That means the connect was non-blocking - nc wants to go on processing. It then calls select(), which succeeds when the connection was successful.
Try adding "read" and "write" to the list of syscalls given to strace and enter a string when connected, and you'll get something like this:
- read(0, "test\\n", 1024) = 5
- write(3, "test\\n", 5) = 5
- poll([{fd=3, events=POLLIN, revents=POLLIN}, {fd=0, events=POLLIN}], 2, -1) = 1
- read(3, "
早些年,若是你知道有個 strace 命令,就很牛了,而如今你們基本都知道 strace 了,若是你遇到性能問題求助別人,十有八九會建議你用 strace 掛上去看看,不過當你掛上去了,看着滿屏翻滾的字符,卻十有八九看不出個因此然。本文經過一個簡單的案例,向你展現一下在用 strace 診斷問題時的一些套路。
以下真實案例,若有雷同,實屬必然!讓咱們看一臺高負載服務器的 top 結果:

技巧:運行 top 時,按「1」打開 CPU 列表,按「shift+p」以 CPU 排序。
在本例中你們很容易發現 CPU 主要是被若干個 PHP 進程佔用了,同時 PHP 進程佔用的比較多的內存,不過系統內存尚有結餘,SWAP 也不嚴重,這並非問題主因。
不過在 CPU 列表中能看到 CPU 主要消耗在內核態「sy」,而不是用戶態「us」,和咱們的經驗不符。Linux 操做系統有不少用來跟蹤程序行爲的工具,內核態的函數調用跟蹤用「strace」,用戶態的函數調用跟蹤用「ltrace」,因此這裏咱們應該用「strace」:
不過若是直接用 strace 跟蹤某個進程的話,那麼等待你的每每是滿屏翻滾的字符,想從這裏看出問題的癥結並非一件容易的事情,好在 strace 能夠按操做彙總時間:

strace -cp
很明顯,咱們能看到 CPU 主要被 clone 操做消耗了,還能夠單獨跟蹤一下 clone:
shell> strace -T -e clone -p <PID>

strace -T -e clone -p(查看大圖)
很明顯,一個 clone 操做須要幾百毫秒,至於 clone 的含義,參考 man 文檔:
clone() creates a new process, in a manner similar to fork(2). It is actually a library function layered on top of the underlying clone() system call, hereinafter referred to as sys_clone. A description of sys_clone is given towards the end of this page.
Unlike fork(2), these calls allow the child process to share parts of its execution context with the calling process, such as the memory space, the table of file descriptors, and the table of signal handlers. (Note that on this manual page, 「calling process」 normally corresponds to 「parent process」. But see the description of CLONE_PARENT below.)
簡單來講,就是建立一個新進程。那麼在 PHP 裏何時會出現此類系統調用呢?查詢業務代碼看到了 exec 函數,經過以下命令驗證它確實會致使 clone 系統調用:
shell> strace -eclone php -r 'exec("ls");
最後再考你們一個題:若是咱們用 strace 跟蹤一個進程,輸出結果不多,是否是說明進程很空閒?其實試試 ltrace,可能會發現別有洞天。記住有內核態和用戶態之分。
strace -f -e trace=read,write -p 17151 -o log #跟蹤進程17151及子進程中read和write系統調用,輸出到log文件.
-e expr
qualifier只能是 trace,abbrev,verbose,raw,signal,read,write其中之一.value是用來限定的符號或數字.默認的 qualifier是 trace.感嘆號是否認符號.例如:
-eopen等價於 -e trace=open,表示只跟蹤open調用.而-etrace!=open表示跟蹤除了open之外的其餘調用.有兩個特殊的符號 all 和 none.
-e trace=
只跟蹤指定的系統 調用.例如:-e trace=open,close,rean,write表示只跟蹤這四個系統調用.默認的爲set=all.
-e trace=file
-e trace=process
-e trace=network
-e strace=signal
跟蹤全部與系統信號有關的 系統調用
-e trace=ipc
-e abbrev=
設定 strace輸出的系統調用的結果集.-v 等與 abbrev=none.默認爲abbrev=all.
-e raw=
將指 定的系統調用的參數以十六進制顯示.
-e signal=
指定跟蹤的系統信號.默認爲all.如 signal=!SIGIO(或者signal=!io),表示不跟蹤SIGIO信號.
-e read=
輸出從指定文件中讀出 的數據.例如:
-e read=,
-e write=
strace -o output.txt -T -tt -e trace=all -p 28979
上面的含義是 跟蹤28979進程的全部系統調用(-e trace=all),並統計系統調用的花費時間,以及開始時間(並以可視化的時分秒格式顯示),最後將記錄結果存在output.txt文件裏面。
strace [ -dffhiqrtttTvxx ] [ -acolumn ] [ -eexpr ] ... [ -ofile ] [-ppid ] ... [ -sstrsize ] [ -uusername ] [ -Evar=val ] ... [ -Evar ]... [ command [ arg ... ] ]
strace -c [ -eexpr ] ... [ -Ooverhead ] [ -Ssortby ] [ command [ arg... ] ]