MFC 295930:
Add support for displaying thread IDs to truss(1).

- Consolidate duplicate code for printing the metadata at the start of
each line into a shared function.
- Add an -H option which will log the thread ID of the relevant thread
for each event.

While here, remove some extraneous calls to clock_gettime() in
print_syscall() and print_syscall_ret(). The caller of print_syscall_ret()
always updates the current thread's "after" time before it is called.

MFC 295677,295678:
Fetch the current thread and it's syscall state from the trussinfo object
instead of passing some of that state as arguments to print_syscall() and
print_syscallret(). This just makes the calls of these functions shorter
and easier to read.

MFC 271389,286330,286331,286358,286378,286380,286381,286383,286388,286848,
286849,286857,286860,286913,286914,286937-286940,286962,286963,288405,
288406,288424,288454-288456,288625,288626,288832,288834,288950,288997,
289080:
Merge most of the recent changes to truss in HEAD. The largest effects
are that fork following now uses a single truss process (and thus truss -c
reports counts for the entire tree of processes instead of separate dumps
for each process). truss -c also reports counts for all system calls
instead of only a subset. More system call arguments are also decoded.
System calls should now report the correct number of arguments (instead
of 6), and some platforms that did not properly decode arguments might
now do so (e.g. mips64).

Changes relative to the equivalent commits to HEAD include:
- The ia64 backend was refactored similar to the other backends.
- _umtx_lock/_umtx_unlock entries were updated similar to other system
call entries.
- 10 does not have futimens(), utimensat(), EVFILT_PROCDESC, EVFILT_SENDFILE,
RLIMIT_KQUEUES, O_VERIFY, NOTE_FILE_POLL, or EV_FORCEONESHOT.

271389:
Stop accessing the saved stack pointer by looking past the end of the
array of registers.

286330:
Whitespace fix: remove some spurious spaces before commas.

286331:
Rework get_string() to make it more robust when fetching strings of unknown
length. In particular, instead of blinding fetching 1k blocks, do an initial
fetch up to the end of the current page followed by page-sized fetches up to
the maximum size. Previously if the 1k buffer crossed a page boundary and
the second page was not valid, the entire operation would fail.

286358:
Add recently added values of various flags and enumerations including
kevent filters, kevent flags, flags to mmap, seek locations, fcntl
operations, file flags, socket domains, open flags, resource limits, and
pathconf values.

286378:
Don't mark the fcntl flag argument as an output parameter so that it is
always decoded. Previously the argument was not decoded if fcntl() failed.

286380:
Decode the arguments to mkfifo() and fix an off-by-one error in the arguments
to mknod().

286381:
Decode the arguments passed to the *at() family of system calls. This is
especially useful now that libc's open() always calls openat(). While here,
fix a few other things:
- Decode the mode argument passed to access(), eaccess(), and faccessat().
- Decode the atfd paramete to pretty-print AT_FDCWD.
- Decode the special AT_* flags used with some of the *at() system calls.
- Decode arguments for fchmod(), lchmod(), fchown(), lchown(), eaccess(),
and futimens().
- Decode both of the timeval structures passed to futimes() instead of just
the first one.

286383:
Whitespace fixes to consistently use spaces before }'s and
wrap long lines.

286388:
Consistently use both leading and trailing spaces inside of the {}'s
when pretty-printing structures. Most structures used both spaces,
but some only used a trailing space and some used neither.

286848:
- Decode the arguments for several signal-related system calls: sigpending,
sigqueue, sigreturn, sigsuspend, sigtimedwait, sigwait, sigwaitinfo, and
thr_kill.
- Print signal sets as a structure (with {}'s) and in particular use this to
differentiate empty sets from a NULL pointer.
- Decode arguments for some other system calls: issetugid, pipe2, sysarch
(operations are only decoded for amd64 and i386), and thr_self.

286849:
Decode the optional SOCK_NONBLOCK and SOCK_CLOEXEC flags passed in a
socket type.

286857:
Tidy the linux_socketcall decoding:
- Don't exit if get_struct() fails, instead print the raw pointer value to
match all other argument decoding cases.
- Use an xlat table instead of a home-rolled switch for the operation name.
- Display the nested socketcall args structure as a structure instead of as
two inline arguments.

286860:
Use an xlat table and xlookup() instead of a home-rolled version for the
sigprocmask operation type.

286913:
Change the argument formatting function to use a stdio FILE object opened
with open_memstream() to build the string for each argument. This allows
for more complicated argument building without resorting to intermediate
malloc's, etc.

Related, the strsig*() functions no longer return allocated strings but
use a static global buffer instead.

286914:
Expand the decoding of kevent structures.
- Print the ident value as decimal instead of hexadecimal for filter types
that use "small" values such as file descriptors and PIDs.
- Decode NOTE_* flags in the fflags field of kevents for several system
filter types.

286937:
Use nitems().

286938:
Various style and whitespace fixes.

287939:
Always use %j with an intmax_t cast to print time_t values. time_t is
longer than long on 32-bit platforms with a 64-bit time_t.

286940:
ino_t is unsigned, so use uintmax_t instead of intmax_t when printing it.

286962:
Rework the argv and env string fetching for execve to be more robust.
Before truss would fetch 100 string pointers and happily walk off the end
of the array if it never found a NULL. This also means for a short argv
list it could fail entirely if the 100 string pointers spanned into an
unmapped page.

Instead, fetch page-aligned blocks of string pointers in a loop fetching
each string until a NULL is found.

While here, make use of the open memstream file descriptor instead of
allocating a temporary array. This allows us to fetch each string once
instead of twice.

286963:
Handle the conditional decoding of execve() argument and environment
arrays generically rather than duplicating a hack in all of the backends.
- Add two new system call argument types and use them instead of StringArray
for the argument and environment arguments execve and linux_execve.
- Honor the -a/-e flags in the handling of these new types.
- Instead of printing "<missing argument>" when the decoding is disabled,
print the raw pointer value.

288405:
Decode recently added procctl(2) operations.

288406:
Trim trailing whitespace.

288424:
Several changes to truss.
- Refactor the interface between the ABI-independent code and the
ABI-specific backends. The backends now provide smaller hooks to
fetch system call arguments and return values. The rest of the
system call entry and exit handling that was previously duplicated
among all the backends has been moved to one place.
- Merge the loop when waiting for an event with the loop for handling stops.
This also means not emulating a procfs-like interface on top of ptrace().
Instead, use a single event loop that fetches process events via waitid().
Among other things this allows us to report the full 32-bit exit value.
- Use PT_FOLLOW_FORK to follow new child processes instead of forking a new
truss process for each new child. This allows one truss process to monitor
a tree of processes and truss -c should now display one total for the
entire tree instead of separate summaries per process.
- Use the recently added fields to ptrace_lwpinfo to determine the current
system call number and argument count. The latter is especially useful
and fixes a regression since the conversion from procfs. truss now
generally prints the correct number of arguments for most system calls
rather than printing extra arguments for any call not listed in the
table in syscalls.c.
- Actually check the new ABI when processes call exec. The comments claimed
that this happened but it was not being done (perhaps this was another
regression in the conversion to ptrace()). If the new ABI after exec
is not supported, truss detaches from the process. If truss does not
support the ABI for a newly executed process the process is killed
before it returns from exec.
- Along with the refactor, teach the various ABI-specific backends to
fetch both return values, not just the first. Use this to properly
report the full 64-bit return value from lseek(). In addition, the
handler for "pipe" now pulls the pair of descriptors out of the
return values (which is the true kernel system call interface) but
displays them as an argument (which matches the interface exported by
libc).
- Each ABI handler adds entries to a linker set rather than requiring
a statically defined table of handlers in main.c.
- The arm and mips system call fetching code was changed to follow the
same pattern as amd64 (and the in-kernel handler) of fetching register
arguments first and then reading any remaining arguments from the
stack. This should fix indirect system call arguments on at least
arm.
- The mipsn32 and n64 ABIs will now look for arguments in A4 through A7.
- Use register %ebp for the 6th system call argument for Linux/i386 ABIs
to match the in-kernel argument fetch code.
- For powerpc binaries on a powerpc64 system, fetch the extra arguments
on the stack as 32-bit values that are then copied into the 64-bit
argument array instead of reading the 32-bit values directly into the
64-bit array.

288454:
- Remove extra integer argument from truncate() and ftruncate(). This is
probably fallout from the removal of the extra padding argument before
off_t in 7. However, that padding still exists for 32-bit powerpc, so
use QUAD_ALIGN.
- Fix QUAD_ALIGN to be zero for powerpc64. It should only be set to 1
for 32-bit platforms that add padding to align 64-bit arguments.

288455:
The id_t type used to pass IDs to wait6(2) and procctl(6) is a 64-bit
integer. Fix the argument decoding to treat this as a quad instead of an
int. This includes using QUAD_ALIGN and QUAD_SLOTS as necessary. To
continue printing IDs in decimal, add a new QuadHex argument type that
prints a 64-bit integer in hex, use QuadHex for the existing off_t arguments,
repurpose Quad to print a 64-bit integer in decimal, and use Quad for id_t
arguments.

This fixes the decoding of wait6(2) and procctl(2) on 32-bit platforms.

288456:
Rather than groveling around in a socket address structure for a socket
address's length (and then overriding it if it "looks wrong"), use the
next argument to the system call to determine the length. This is more
reliable since this is what the kernel depends on anyway and is also
simpler.

288625:
Add decoding for struct statfs.

288626:
Style fix.

288832:
Fix tracking of unknown syscalls for 'truss -c'.

This is done by changing get_syscall() to either lookup the known syscall
or add it into the list with the default handlers for printing.

This also simplifies some code to not have to check if the syscall variable
is set or NULL.

288834:
Add decoding for modfind(2)

288950:
Group the decoded system calls by ABI and sort the calls within each ABI.

288997:
Correct a comment.

289080:
Let -c imply -S (hide signal output).

Without this, the signals are shown seemingly randomly in the output before
the final summary is shown. This is especially noticeable when there is
not much output from the application being traced.

MFC r288903:

Fix crash if a process sends itself a SIGTRAP. Just forward it as expected.

This does not match head as the code was rewritten significantly there.

Relnotes: yes

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

- Make truss thread-aware.

Approved by: kib (mentor)
MFC after: 2 weeks

- Fix detaching under some circumstances.

When truss is detaching from very active process it is possible to
hang on waitpid(2) in restore_proc() forever, because
ptrace(PT_SYSCALL) must be called before detaching, to allow the
debugging process to continue execution. Also when truss called with
'-c' argument, it does not print anything after detach, because it
immediately exits from restore_proc().

To fix these two problems make detaching deferred, but then it is
impossible to detach from a process which does not do any system call.
To fix this issue use sigaction(2) instead of signal(3) to disable
SA_RESTART flag for waitpid(2) that makes it non-restartable. Remove
global variable child_pid, because now detaching is handled in context
where child's pid is known.

Reported by: mjg
Tested by: mjg, swills
Approved by: kib (mentor)
MFC after: 2 weeks

- Remove unused variables.
- Remove redundant return after err(3) call.

Approved by: kib (mentor)

- Style(9) cleanup.

Approved by: kib (mentor)

- Use pid_t type instead of just int.

Approved by: kib (mentor)

Use explicit information from the kernel to detect the traps due to
syscall entry and leave.

Based on submision by: Dan Nelson <dnelson allantgroup com>
MFC after: 1 month

Properly check for errors from waitpid().

Submitted by: gcooper
MFC after: 1 week

Remove setpgid() call before executing child process.

Using a separate process group here is bad, since (for example) job
control in the TTY layer prevents interaction with the TTY, causing the
child process to hang.

Mentioned on: current@
MFC after: 2 weeks

Fix copyright spelling.

PR: 139825
Submitted by: Ruslan Mahmatkhanov

Revert most part of 200420 as requested, as more review and polish is
needed.

Remove unneeded header includes from usr.bin/ except contributed code.

Tested with: make universe

Correct a bug where pr_data should have been assigned.

MFp4: Bugfixes for truss(1):

- Fix logic handling execve(). We will not be able to
obtain information otherwise.
- truss coredump [1].
- truss does not work against itself [2].

PR: bin/58970 [1], bin/45193 [2]
Submitted by: Howard Su
Approved by: re (kensmith)

Make use of ptrace(2) instead of procfs in truss(1), eliminating
yet another need of an available /proc/ mount.

Tested with: make universe
Submitted by: howardsu
Reviewed by: alfred

- Add decoding of kse_release, kevent, sigprocmask, unmount, socket, getrusage,
rename, __getcwd, shutdown, getrlimit, setrlimit, _umtx_lock, _umtx_unlock,
pathconf, truncate, ftruncate, kill

- Decode more arguments of open, mprot, *stat, and fcntl.

- Convert all constant-macro and bitfield decoding to lookup tables; much
cleaner than previous code.

- Print the timestamp of process exit and signal reception when -d or -D are in
use

- Try six times with 1/2 second delay to debug the child

PR: bin/52190 (updated)
Submitted by: Dan Nelson <dnelson@allantgroup.com>
Approved by: alfred

When doing the initial open of the proc via procfs, complain if we are
unable to open the /proc/pid/mem file. Otherwise doing a truss on
a nonexistant pid makes us return success even though no such process
exists.

I've been working on this somewhat so I'm moving the
parts I'm touching to be as style(9) compliant as I can.

Move declarations of Procfd to a header file.

Add FBSDID. Do not \n terminate warnx() argument. fprint() -> warnx().

- Use time.h not sys/time.h.
- Fix printf format errors.

Submitted by: bde

Include <sys/time.h> for the declaration of struct timeval. Do not
depend on namespace pollution in <signal.h>. (truss shouldn't be
using timevals anyway, since it was implemented long after timevals
were obsoleted by timespecs.)

Allow tracking fork()ed children.

PR: bin/25587 (in part)
MFC after: 3 weeks

Parameterize globals.

PR: bin/25587 (in part)
MFC after: 3 weeks

Partial WARNS=1 fizes with NO_WERROR set to prevent world breakage.
Use __FBSDID().

Back out part of previous commit: remove #include <sys/proc.h>.

#include <sys/proc.h> where needed (for the stop event definitions) and
reorder includes everywhere to conform to style(9).

Handle the case where we truss an SUGID program -- in particular, we need
to wake up any processes waiting via PIOCWAIT on process exit, and truss
needs to be more aware that a process may actually disappear while it's
waiting.

Reviewed by: Paul Saab <ps@yahoo-inc.com>

$Id$ -> $FreeBSD$

Calls one or more of malloc(), warn(), err(), syslog(), execlp() or
execvp() in the child branch of a vfork(). Changed to use fork()
instead.

Some of these (mv, find, apply, xargs) might benefit greatly from
being rewritten to use vfork() properly.

PR: Loosely related to bin/8252
Approved by: jkh and bde

Sort Xrefs. Use err(3). Remove uneeded #include.
Correct usage: one of {-p pid, command} is required.
Open output file when command line is fully analyzed: incorrect `truss -o f'
command does not create an empty file anymore.

Add some copyright and license terms, at Jordan's request. Note that
syscall.h just refers to another file for the copyright notice.

Change the ioctls for procfs around a bit; in particular, whever possible,
change from

ioctl(fd, PIOC<foo>, &i);

to

ioctl(fd, PIOC<foo>, i);

This is going from the _IOW to _IO ioctl macro. The kernel, procctl, and
truss must be in synch for it all to work (not doing so will get errors about
inappropriate ioctl's, fortunately). Hopefully I didn't forget anything :).

Use the new PF_LINGER flag -- when this is set in a process' proc structure,
said process will not have its event mask cleared (and be restarted) on
the last close of a procfs/mem file for that pid. This reduces the chance
that a truss-monitored process will be left hanging with these bits set
and nobody looking for it.

This is the least-tested change of all of these, I'm afraid.

err(3) already includes strerror(errno) and a trailing \n

Set the close-on-exec flag in the child; otherwise, it eats up a
file descriptor that it shouldn't.

Truss program. Requires procfs.