121

I wanted to trace the system calls made by the find command to debug some performance issues; however, I could not figure out how to do this on Mac OS X Yosemite. How can I trace system calls for an arbitrary program similarly to what strace does on FreeBSD? I am especially interested in tracing file-system related calls.


Suggested accepted answer doesn't work for me. This is what I tried:

cd ~
cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …

error:

codesign --remove-signature ./find
sudo dtruss ./find 
dtrace: system integrity protection is on, some features will not be available

dtrace: failed to execute ./find: Could not create symbolicator for task
Charlie Parker
Michaël Le Barbier
  • 2
    A quick search for *strace osx* gave me [this four year old blog post](https://opensourcehacker.com/2011/12/02/osx-strace-equivalent-dtruss-seeing-inside-applications-what-they-do-and-why-they-hang/). It should be easy to find other alternatives using the same search. – Some programmer dude Jun 25 '15 at 08:54
  • @JoachimPileborg Nice point. I went another way, starting with *apropos trace* and searching from that. I overlooked *dtruss* and *dtrace* because all outcomes I have found were about a trace utility for the *D* language. – Michaël Le Barbier Jun 25 '15 at 09:16
  • 2
    Just a note, FreeBSD ships with [truss(1)](https://www.freebsd.org/cgi/man.cgi?query=truss&manpath=FreeBSD+12.2-RELEASE+and+Ports), not strace. – Mateusz Piotrowski Dec 11 '20 at 14:18
  • did you try the `strace` provided by `brew`? e.g. https://formulae.brew.sh/formula/strace – Charlie Parker Jun 13 '22 at 17:35
  • 2
    @CharlieParker it only supports Linux, not macOS (some people use `brew` on Linux). – talz Sep 05 '22 at 12:42

3 Answers

105

Under current versions of macOS, executables under paths covered by SIP (like /usr/bin) cannot be traced.

You can bypass this by making a copy of the executable in your home directory and tracing the copy:

cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …

You needed to remove the code signature from the new find executable, otherwise SIP still notices that a system file is being accessed (credit: @Anmol Singh Jaggi).

Brian Peterson
  • In my case after copying of the executable the bug that I wanted to debug stopped happening ..( – Nakilon Oct 20 '17 at 08:14
  • 2
    Probably my bug is really SIP-related so that's a success too. – Nakilon Oct 21 '17 at 03:13
  • 25
    Not working on macOS 10.15.4. Had to execute `codesign --remove-signature ./find` first. – Anmol Singh Jaggi Jun 10 '20 at 11:28
  • 2
    macOS does not execute the program after its signature is removed. I get an error, something like this: `cannot open this program, source is untrusted` – Anum Sheraz Jun 17 '22 at 15:07
  • @CharlieParker Homebrew also works on Linux. :) strace is for Linux. – ahmet alp balkan Aug 30 '22 at 01:45
  • Does not work for me on MacOS Monterey with `ls`: `dtrace: system integrity protection is on, some features will not be available dtrace: failed to execute ./ls: Could not create symbolicator for task ` – talz Sep 05 '22 at 12:38
  • 2
    does work for me, I get this error: `dtrace: failed to execute ./find: Could not create symbolicator for task` – Charlie Parker Feb 23 '23 at 19:46
84

You can use dtruss like in

sudo dtruss find ~/repo -depth 2 -type d -name '.git'

The manual page of that utility will help you to tailor the use of the tool to your needs.

Michaël Le Barbier
jspcal
  • 32
    dtruss did work then (June '15) but was broken by the System Integrity Protection regime of El Capitan. – Olsonist Feb 25 '17 at 22:09
  • 5
    @Olsonist Same issue with dtrace: `the current security restriction (rootless enabled) prevent dtrace from attaching to an executable not signed with the [com.apple.security.get-task-allow] entitlement` – Nakilon Oct 17 '17 at 02:52
  • 5
    It is possible to disable SIP https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html – mttrb Oct 17 '17 at 02:55
  • 2
    Also see https://stackoverflow.com/questions/33476432/is-there-a-workaround-for-dtrace-cannot-control-executables-signed-with-restri – mttrb Oct 17 '17 at 02:56
  • Adding a real example is helpful for testing, thanks. – Brian Peterson Dec 15 '21 at 20:01
  • curious, is there something wrong with using the `strace` provided by `brew`? e.g. https://formulae.brew.sh/formula/strace – Charlie Parker Jun 13 '22 at 17:34
  • 2
    @CharlieParker strace is only available for Linux. – Anum Sheraz Jun 17 '22 at 15:05
  • 2
    this answer fails: `dtrace: system integrity protection is on, some features will not be available dtrace: failed to execute find: Operation not permitted` – Charlie Parker Feb 23 '23 at 19:49
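
One way to condense the output of the dtruss command in the answer above into per-syscall counts for file-system calls, which is what the question is after. This is an added example, not part of the original answers; the list of file-system syscall names and the sample trace are assumptions constructed for illustration, and the parser assumes the usual dtruss line shape `name(args) = return errno`.

```shell
#!/bin/sh
# Added example: tally file-system syscalls from dtruss output read on stdin.
# Assumed line shape: "[PID/THRD:] name(args) = return errno".

# Syscall names treated as file-system related (an assumed, editable list).
FS_CALLS='open|open_nocancel|openat|close|read|stat64|lstat64|fstat64|fstatat64|access|readlink|getdirentries64|getattrlist|getattrlistbulk|fstatfs64'

fs_syscall_summary() {
    awk -v fs="^(${FS_CALLS})\$" '
        # Keep only completed-call lines; dtrace warnings and blanks are skipped.
        / = / && match($0, /[A-Za-z_][A-Za-z0-9_]*\(/) {
            name = substr($0, RSTART, RLENGTH - 1)
            if (name == "SYSCALL" || name !~ fs) next
            calls[name]++
            # After the last " = " come the return value and the errno field;
            # an errno field other than "0" marks a failed call.
            n = split($0, parts, " = ")
            split(parts[n], ret, " ")
            if (ret[2] != "" && ret[2] != "0") fails[name]++
        }
        END {
            for (s in calls) printf "%d %d %s\n", calls[s], fails[s] + 0, s
        }
    ' | sort -k1,1nr -k3,3
}

# Constructed sample in the assumed dtruss shape (not captured from a real run).
sample_trace() {
    cat <<'EOF'
dtrace: system integrity protection is on, some features will not be available

	PID/THRD  SYSCALL(args) 		 = return
 4242/0x1a2b:  open("/Users/me/repo\0", 0x100000, 0x0)		 = 3 0
 4242/0x1a2b:  fstat64(0x3, 0x7FFEE0000000, 0x0)		 = 0 0
 4242/0x1a2b:  getdirentries64(0x3, 0x7FB000000000, 0x1000)		 = 96 0
 4242/0x1a2b:  lstat64("/Users/me/repo/a\0", 0x7FFEE0000100, 0x0)		 = 0 0
 4242/0x1a2b:  lstat64("/Users/me/repo/b\0", 0x7FFEE0000100, 0x0)		 = -1 Err#13
 4242/0x1a2b:  ioctl(0x1, 0x4004667A, 0x7FFEE0000200)		 = 0 0
 4242/0x1a2b:  close(0x3)		 = 0 0
EOF
}

# On macOS the trace arrives on stderr, so redirect it into the pipe, e.g.:
#   sudo dtruss find ~/repo -depth 2 -type d -name '.git' 2>&1 | fs_syscall_summary
sample_trace | fs_syscall_summary
```

Each output line is `calls failures syscall`, sorted by call count, so the dominant file-system call and any failing lookups stand out without reading the full trace.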
0

You might have better luck with ktrace. For example (on recent macOS):

sudo ktrace trace -S -f C3 -c find .

-f = filter description, C3 = class 3 = DBG_FSYSTEM, -S = print arguments as strings where possible.

On Yosemite it would have been something like `sudo ktrace -t cin -c find .`

More ktrace filter examples in https://stackoverflow.com/a/76987655.

sengi