Channel: Filter out failed syscalls from strace log - Unix & Linux Stack Exchange

Filter out failed syscalls from strace log


I can run strace on a command like sleep 1 and see what files it's accessing like this:

strace -e trace=file -o strace.log sleep 1

However, on my machine, many of the calls have a return value of -1 indicating that the file does not exist. For example:

$ grep '= -1 ENOENT' strace.log | head
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

I'm not really interested in the files that don't exist, I want to know what files the process actually found and read from. Aside from grep -v '=-1 ENOENT', how can I reliably filter out failed calls?

Addendum

I was surprised to learn that strace has had this feature in the works since 2002 in the form of the -z flag, which is an alias for -e status=successful, fully functional since version 5.2 (2019-07-12), also available as --successful-only since version 5.6 (2020-04-07).

Also available since version 5.2 is the complement of -z, the -Z flag, which is an alias for -e status=failed, available as --failed-only since version 5.6.

The -z flag was first added in a commit from 2002 and released in version 4.5.18 (2008-08-28), but it had never been documented because it was not working properly.

Relevant links:
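
Added example (not part of the original post): on strace older than 5.2, where -z and -Z are unavailable, an existing log can be split the same way by parsing the return-value field instead of grepping for one errno string. The function names strace_status and sample_log and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# With strace >= 5.2 prefer filtering at capture time:
#   strace -z -e trace=file -o strace.log sleep 1

# strace_status MODE LOGFILE   (MODE: successful | failed)
# Post-processing equivalent of -e status=successful / status=failed.
strace_status() {
    awk -v mode="$1" '
    {
        ret = $0
        # Greedy match strips everything up to the LAST ") = ", so a quoted
        # path that happens to contain "= -1 ENOENT" cannot confuse the filter.
        # Lines with no return value (signals, exit status, unfinished calls)
        # do not match and are skipped.
        if (!sub(/^.*\) += /, "", ret)) next
        # strace prints every failed call as "-1 ERRNAME (description)".
        failed = (ret ~ /^-1 E[A-Z0-9_]+/)
        ok = (ret ~ /^(-?[0-9]+|0x[0-9a-f]+)/) && !failed
        if ((mode == "successful" && ok) || (mode == "failed" && failed)) print
    }' "$2"
}

# Constructed sample log: two failures with different errno values, one
# success whose file name contains failure-looking text, and an exit line.
sample_log() {
    cat <<'EOF'
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/root/.cache", O_RDONLY)          = -1 EACCES (Permission denied)
open("/tmp/a) = -1 ENOENT (b", O_RDONLY) = 4
execve("/bin/sleep", ["sleep", "1"], 0x7ffd5c3b1e40 /* 20 vars */) = 0
+++ exited with 0 +++
EOF
}

log=$(mktemp)
sample_log > "$log"
echo "successful:"; strace_status successful "$log"
echo "failed:";     strace_status failed "$log"
rm -f "$log"
```

On the sample, grep -v '= -1 ENOENT' would keep the EACCES failure and drop the successful open of the oddly named file; the parsed filter gets both right.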

