How to interpret strace output?

mkc · Jun 13, 2011 · Viewed 36.8k times

I need to profile the performance of an application for which I am using strace. However, I do not really know how to interpret the various system calls the strace emits. Examples of a few of them are below:

(A) lseek(3, 1600, SEEK_SET)                = 1600
(B) write(3, "G_DATA    300        0          "..., 800) = 800
(C) close(3)                                = 0
(D) mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b600b179000
(E) munmap(0x2b600b179000, 4096)            = 0
(F) fstat(3, {st_mode=S_IFREG|0644, st_size=1600, ...}) = 0

I would be grateful if someone could briefly explain in plain English what these lines from (A) to (F) really mean in terms of I/O, data transferred, significance on performance etc.

I went through the man pages of strace but still am not very very confident. If you have any other pointers for me to read, that would be great.

I have some background on Operating Systems and understand what system calls, memory, virtual memory, Scheduling, etc. are.

Answer

Blagovest Buyukliev · Jun 13, 2011

In order to understand these, you have to get familiar with the POSIX system calls. They are the interface a user-space program uses to interact with the kernel.

lseek, write, close, mmap, munmap and fstat are all system calls and are documented in section 2 of the Linux manual.

Briefly, lseek moves the internal pointer of the supplied file descriptor to the byte with position pointed to by the second argument, starting from SEEK_SET (the beginning), SEEK_CUR (current position) or SEEK_END (the end). Any consecutive read and write calls on the same descriptor will start their action from this position. Note that lseek is not implemented for all kinds of descriptors - it makes sense for a file on disk, but not for a socket or a pipe.

write copies the supplied buffer to kernelspace and returns the number of bytes actually written. Depending on the kind of the descriptor, the kernel may write the data to disk or send it through the network. This is generally a costly operation because it involves transferring this buffer to the kernel.

close closes the supplied descriptor and any associated resources with it in the kernel are freed. Note that each process has a limit on the number of simultaneously open descriptors, so it's sometimes necessary to close descriptors to not reach this limit.

mmap is a complex system call and is used for many purposes including shared memory. The general usage however is to allocate more memory for the process. The malloc and calloc library functions usually use it internally.

munmap frees the mmap'ped memory.

fstat returns various information that the filesystem keeps about a file - size, last modified, permissions, etc.
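Added example, not part of the original answer: a small Python parser that reads the six strace lines from the question and reports how often each system call ran, how many bytes each descriptor actually transferred, and how much mmap'ped memory is still mapped. The names `parse_line` and `summarize` are made up for this illustration, and the regular expression assumes plain `name(args) = result` lines without PID or timestamp prefixes.

```python
import re
from collections import defaultdict

# The lines from the question, with the (A)-(F) labels removed.
SAMPLE = """\
lseek(3, 1600, SEEK_SET)                = 1600
write(3, "G_DATA    300        0          "..., 800) = 800
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b600b179000
munmap(0x2b600b179000, 4096)            = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=1600, ...}) = 0
"""

# name(args) = result, optionally followed by errno text or a duration.
LINE_RE = re.compile(r'^(\w+)\((.*)\)\s+=\s+(0x[0-9a-f]+|-?\d+|\?)(.*)$')

def parse_line(line):
    """Return (syscall, raw_args, return_value) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ret = m.group(3)
    return m.group(1), m.group(2), None if ret == "?" else int(ret, 0)

def summarize(text):
    """Count calls, sum bytes moved per descriptor, track net mmap'ped bytes."""
    calls = defaultdict(int)
    io_bytes = defaultdict(lambda: {"read": 0, "write": 0})
    mapped = 0
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, args, ret = parsed
        calls[name] += 1
        if ret is None or ret < 0:
            continue  # failed call (-1 plus errno): nothing was transferred
        if name in ("read", "write"):
            fd = int(args.split(",", 1)[0])    # first argument is the descriptor
            io_bytes[fd][name] += ret          # return value = bytes actually moved
        elif name == "mmap":
            mapped += int(args.split(",")[1])  # second argument is the length
        elif name == "munmap":
            mapped -= int(args.split(",")[1])
    return dict(calls), {fd: dict(v) for fd, v in io_bytes.items()}, mapped
```

For the sample, descriptor 3 wrote 800 bytes in one call, and the 4096-byte anonymous mapping was released again, leaving a net of 0 bytes mapped.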