How to interpret strace output?

Question

I need to profile the performance of an application for which I am using strace. However, I do not really know how to interpret the various system calls the strace emits. Examples of a few of them are below:

(A) lseek(3, 1600, SEEK_SET)                = 1600 (B) write(3, "G_DATA    300        0          "..., 800) = 800 (C) close(3)                                = 0 (D) mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b600b179000 (E) munmap(0x2b600b179000, 4096)            = 0 (F) fstat(3, {st_mode=S_IFREG|0644, st_size=1600, ...}) = 0 

I would be grateful if someone could briefly explain in plain English what these lines from (A) to (F) really means in terms of I/O, data transferred, significance on performance etc.

I went through the man pages of strace but still am not very very confident. If you any other pointers for me to read, that would be great.

I have some background on Operating Systems and understand what system calls, memory, virtual memory, Scheduling, etc. are.

Answer 1

In order to understand these, you have to get familiar with the POSIX system calls. They are the interface a user-space program uses to interact with the kernel.

lseek, write, close, mmap, munmap and fstat are all system calls and are documented in section 2 of the linux manual.

Briefly, lseek moves the internal pointer of the supplied file descriptor to the byte with position pointed to by the second argument, starting from SEEK_SET (the beginning), SEEK_CUR (current position) or SEEK_END (the end). Any consecutive read and write calls on the same descriptor will start their action from this position. Note that lseek is not implemented for all kinds of descriptors - it makes sense for a file on disk, but not for a socket or a pipe.

write copies the supplied buffer to kernelspace and returns the number of bytes actually written. Depending on the kind of the descriptor, the kernel may write the data to disk or send it through the network. This is generally a costly operation because it involves transferring this buffer to the kernel.

close closes the supplied descriptor and any associated resources with it in the kernel are freed. Note that each process has a limit on the number of simultaneously open descriptors, so it's sometimes necessary to close descriptors to not reach this limit.

mmap is a complex system call and is used for many purposes including shared memory. The general usage however is to allocate more memory for the process. The malloc and calloc library functions usually use it internally.

munmap frees the mmap'ped memory.

fstat returns various information that the filesystem keeps about a file - size, last modified, permissions, etc.

Answer 2

For each command there is a manual page, you can read it by typing man and the name of C function, e.g. man lseek (also check apropos). They also have description of passed parameters.

Here are short summaries:

• lseek - reposition read/write file offset of the file descriptor
• write - write to a file descriptor from the buffer
• close - delete a descriptor from the per-process object reference table
• mmap - allocate memory, or map files or devices into memory
• munmap - remove a mapping for the specified address range
• fstat - get file status pointed to by path

Please note that interpreting single/random syscals won't be meaningful in terms performance. To test significance on performance of these syscalls, you should use -c parameter which can count time, calls, and errors for each syscall and report the summary. Then you can read more about these which are taking the longest time.

To learn more about output and strace parameters, check man strace.

See also: How to parse strace in shell into plain text?