Filter out failed syscalls from strace log

Question

I can run strace on a command like sleep 1 and see what files it's accessing like this:

strace -e trace=file -o strace.log sleep 1

However, on my machine, many of the calls have a return value of -1 indicating that the file does not exist. For example:

$ grep '= -1 ENOENT' strace.log | head
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

I'm not really interested in the files that don't exist, I want to know what files the process actually found and read from. Aside from grep -v '=-1 ENOENT', how can I reliably filter out failed calls?

Addendum

I was surprised to learn that strace has had this feature in the works since 2002 in the form of the -z flag, which is an alias for -e status=successful, fully functional since version 5.2 (2019-07-12), also available as --successful-only since version 5.6 (2020-04-07).

Also available since version 5.2 is the complement of -z, the -Z flag, which is an alias for -e status=failed, available as --failed-only since version 5.6.

The -z flag was first added in a commit from 2002 and released in version 4.5.18 (2008-08-28), bit it had never been documented because it was not working properly.

Relevant links:

• only seeing successful system calls

  Sat Nov 2 23:07:23 UTC 2002

  When using strace I sometimes like to see the system calls which work (instead of all the system calls).

  I've been porting this patch for years, it seems very useful.

  With the -z option, you don't see opens on files which aren't there (very useful tracking down what a program actually does, instead of trying to do).

  https://lists.strace.io/pipermail/strace-devel/2002-November/000232.html

• strace: -z option doesn't work properly

  Date: Sun, 12 Jan 2003 09:33:01 UTC

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=176376

• tracing only failing syscalls

  Created: 2004-03-19

  https://sourceforge.net/p/strace/feature-requests/3/

• [strace-4.15] Proposal: Output Staging for -z Option (print successful syscalls only) / Patch included

  Tue Jan 17 09:35:54 UTC 2017

  https://lists.strace.io/pipermail/strace-devel/2017-January/005941.html

• [PATCH v1] Implemented output staging for failed/successful syscalls

  Wed Jan 18 16:01:20 UTC 2017

  https://lists.strace.io/pipermail/strace-devel/2017-January/005950.html

• Fix -z option

  Feb 28, 2018

  https://github.com/strace/strace/issues/49

• [PATCH 0/3] Stage output for -z and new -Z options

  Mon Apr 1 21:13:02 UTC 2019

  https://lists.strace.io/pipermail/strace-devel/2019-April/008706.html

• strace -z flag

  Mon Jun 10 05:29:19 UTC 2019

  https://lists.strace.io/pipermail/strace-devel/2019-June/008808.html

Answer 1

Apart from post-processing the strace output, there isn’t anything available to ignore failed system calls in strace. It wouldn’t be too hard to add, look at the syscall_exiting_trace function in syscall.c.

If you’d rather pursue the post-processing angle, Ole Tange has already taken care of that for you in a more comprehensive way than you’re likely to get here: the tracefile tool will run strace and filter out the information you’re after in a nicely readable fashion. See List the files accessed by a program for details. Another answer to that question lists other possible approaches, including LoggedFS which I find very useful.

Another option is to use SystemTap; for example

#!/usr/bin/env stap

global stored_filename, stored_path

probe syscall.open {
  stored_filename = filename
}

probe syscall.open.return {
  if (execname() == "cat" && $return >= 0) {
    printf("opened %s\n", stored_filename)
  }
}

probe syscall.openat {
  stored_filename = filename
  stored_path = dfd_str
}

probe syscall.openat.return {
  if (execname() == "cat" && $return >= 0) {
    printf("opened %s in %s\n", stored_filename, stored_path)
  }
}

will show the name of any file successfully opened by any cat process.

Answer 2

Possible solution:

strace -e trace=file sleep 1 2>&1 | grep -v "= -1 ENOENT" > strace.log

strace by default prints to stderr so redirect it to stdout.

Answer 3

A slightly more reliable pattern (i.e. slightly less risk of skipping the wrong lines by accident) could be

| grep -v "= -1 ENOENT [(]No such file or directory[)]$"

I.e. copy-paste the end of line, "escaping" the brackets (which might otherwise be treated as special characters), and add the special character $ to the end which "anchors" the pattern to the end of the line.

I can't find any better option in man strace. Quick and dirty text manipulation hacks are the Unix Way :-P.

It's almost certainly possible to do what you want with a custom gdb script. However that's more work, and I don't have such a script prepared.

Another question references a tracefile script, which you would run with the -e option. This is still implemented by parsing the output of strace, and so it does not appear to be entirely reliable either, but I guess it's possible you'd prefer it. https://gitlab.com/ole.tange/tangetools/blob/master/tracefile/tracefile