I'm trying to use dtrace on a very new system: Ventura 13.2.1, MBP M2. Any attempt to run it ends up with the terminal and most of macos system gui freezing. (beachballing, I can switch the apps, but not necessarily interact with them, no new process can start) I can't ctrl+c from dtrace, or restart in a nice way. Only long power-button works to power off. No traces are left in the logs as far as I can tell, there's nothing in spin reports, nothing in crash reports. There's a report from a full restart, but it only mentions:

"16673" : {
  "timesThrottled":0,
  "pageIns":939,
  "waitInfo":["thread 154195: mach_msg receive on port set 0x455bc6f06e98c60b"],
  "timesDidThrottle":0,
  "procname":"dtrace",
  "copyOnWriteFaults":79,
  "threadById":{"154192":
    {
      "systemTime":33.911615916000002,
      "system_usec":33911615,
      "kernelFrames":[[1,1742012],[1,1742012],[1,1778052],[1,2167476],[1,2076660],[1,2079988],[1,2073412],[1,2125476],[1,2656208],[1,2596516],[1,5500264],[1,5931364],[1,6995680],[1,1747532],[1,30596],[2,0]],
      "id":154192,
      "basePriority":31,
      "user_usec":91864,
      "dispatch_queue_label":"com.apple.main-thread",
      "schedPriority":54,
      "userFrames":[[12,3745116],[12,929556476],[12,929541340],[458,15648],[12,671312],[2,0]]

and the kernel part:

"154193":{
  "userTime":0,
  "systemTime":8.208e-06,
  "name":"dtrace_fasttrap_cleanup_thread",
  "id":154193,
  "basePriority":46,
  "user_usec":0,
  "system_usec":8,
  "schedPriority":46,
  "kernelFrames":[[1,582920],[1,576644],[1,482176],[1,5791432],[1,2171304],[1,52184]],
  "state":["TH_WAIT","TH_UNINT"],
  "waitEvent":[1,2171180]
}

Which honestly doesn't provide actionable info. The freeze happens every single time, even from running:

dtrace -n 'syscall::open:entry { printf("open\n"); }'

Is there a way to continually trace/log which software is creating and accessing files on my system? I assume these log files would grow very large unless trimmed. I see a bunch of dot files and no way to know what application or installation created these files. For instance in Application Support ~/Library/Application Support/ I have tried using some Terminal commands to get information: od -tx1 file strings man info The impetus for this question is the prevalence of malware, tracking software, caches, etc - so a regular user can know the providence of the files on their system. I believe the system admin term for this process called Auditing. I am aware that many software vendors store license info inside dot files on the system.

Since many versions of MacOS, I got different applications leaving a ghost version only visible at the Finder and Dock level but not at the basic Unix level. Here is the usual error message the Finder does display when trying to start such a ghost application: Meanwhile, Activity Monitor doesn't show any Preview process, and moreover the Unix command ps either: # ps ax | egrep '[ /](PID|Preview)' PID TT STAT TIME COMMAND # Next, the Dock does display a small dot near the application icon, but refuse to force quit the ghost application. ## Tested and failing solutions ## The usual receipe ⌘+⌥+escfrom the Finder doesn't permit to force quit the ghost application. Many not tested ( by their authors ) receipes talk of removing preferences files, but since these files are only open by the running application, this advice can only lead to a waste of time and a loss of working preferences. Killing the Finder or the Dock is possible but doesn’t fix the bad vision of the ghost application. The MacOS cannot shutdown through the Finder menu entry:  > Shut Down... since the Finder cannot get rid of the ghost application it sees as running when it isn't, here Preview. On the other hand, a very basic Unix command permit to get a clean and fast shutdown, since at the Unix level there isn't any application impossible to kill: /usr/bin/sudo shutdown -h now 'Finder see ghost applications' ## Spread of the problem ## From my experience this problem is concerning Yosemite and High Sierra. If you had the same problem on any more recent version of MacOS, could you signal it within the comments. Versions of MacOS exhibiting the problem: - Yosemite - El Capitan - Sierra - High Sierra - Mojave - Big Sur Applications exhibiting the problem: - Preview - Safari - TeamViewer - XQuartz From what I read in different discussion groups, it looks like any application might reach this state of ghost for the Finder and the Dock. It is a very large spectrum problem, and Apple doesn't look to have figured it and doesn't provide any decent workaround or solution ( but the stupid and huge waste of time: reinstall MacOS. Stupid because you can't give such an advice when you don't understand a problem. ) ## Simple workaround ## The application seen as a ghost by the Finder is not the origin of the problem and none of its preference files. A simple demonstration can be obtained by starting it without the Finder: In a Terminal simply enter for example: $ open -n -a Preview.app $ and you will get a fresh new Preview running with all its usual preferences and functions available. This new version will get a new icon within the Dock. ## Analysis of the problem ## Since I didn't find any decent explanation of this problem and no clean fix of it I started my own investigation with the help of the truss command which traces every key event within a Unix process running. First I tried in a Terminal window: $ /usr/bin/sudo dtruss -W Preview and on another Terminal Window I tried to start Preview through: $ open -a Preview.app LSOpenURLsWithRole() failed for the application /Applications/Preview.app with error -600. $ but nothing appeared within the dtruss track, meaning that Preview didn't even start and of course none of its preference files were opened. ## How to furter invistigate this large spectrum bug ## My state of understanding of the problem is that there is a false view of the processes running on MacOS from the Finder and the Dock. What may lead to this corrupted image of the processes on the system? Which tools would be the best suited to further investigate this bug? Where could I find any documentation about this LSOpenURLsWithRole and the meaning of its error codes?

Darwin ME 19.6.0 Darwin Kernel Version 19.6.0: Tue Jun 22 19:49:55 PDT 2021; root:xnu-6153.141.35~1/RELEASE_X86_64 x86_64 Im trying to run an executable with dtruss. Even when removing code signing I get failure. The error message is not helpful. codesign --remove-signature ./bin/gcloud sudo dtruss ./bin/gcloud --help dtrace: failed to execute ./bin/gcloud: (os/kern) failure

I've found dtrace to be an invaluable tool for debugging and troubleshooting all sorts of issues, not to mention the two dozen dtrace toolkit scripts shipped *by Apple* as part of El Capitan. On El Cap though, running dtrace usually results in an endless spew of errors making dtrace all but useless.

Edit: my original question, below, assumes there is a secret copy (a cache) of the system preferences settings. I have since learned that is not the case. However, my problem still needed a solution, which I have found and also posted, below. No special Objective-C process is needed. /edit. I want to use the defaults write command to change a checkbox in System Preferences. E.g: defaults write ./com.apple.speech.synthesis.general.prefs TimeAnnouncementPrefs -dict-add TimeAnnouncementsEnabled -bool YES However, the OS caches the preference files, so the defaults command has no effect until the cache is updated. The System Preferences app updates the cache after a change is made in its UI -- so it is possible. Some people have suggested sudo killall cfprefsd but that does not work in Big Sur. Elsewhere, user3439894 has posted a good AppleScript that manipulates the System Preferences UI. But such UI manipulation does not work when the Screen Saver is running. I'd like to figure out how the System Preferences app manages to update the preferences cache. Doing strings of the System Preferences app (at /System/Applications/System\ Preferences.app/Contents/macOS/System\ Preferences) shows a method updateCacheFileWithPrefPane: that might do the job, but I don't know how to call that method. The method, whatever it is, is private, but I only need this for myself (not a public app). Is it possible to use dtrace or dtruss to figure out what the System Preferences app is doing to signal the OS to update its cache for a particular checkbox? I want to write an **Objective-C** program to do the same thing, but I need a dtrace/dtruss expert to help me.

When I use ldd on Linux it tells me right away if something is missing, i.e.

ldd -d some_lib.so
    libexample.so => not found
    libex.2.so => not found
    libm.so.6 => /lib/libm.so.6 (0xf5860000)
    libdl.so.2 => /lib/libdl.so.2 (0xf785b000)
    libc.so.6 => /lib/libc.so.6 (0xf78a9000)
    /lib/ld-linux.so.2 (0x46b4c000)

On Mac OS there is no ldd and people recommend using otool -L, but that shows which shared libraries are expected, not weather or not they are there. Another approach would be to use dtruss, but it requires sudo, and it least in my experience the application behaves very differently when it is being dtrussed, and it fails for an entirely different reason (and before it gets to trying to load the troublesome .dylib). So if you suspect that a shared library is missing, what is the standard approach to finding which one it is on the Mac?

When running some intensive debugging that needs to run on the order of about 5 minutes, I'm finding that dtrace's deadman switch is being triggered regularly and cannot get to the error that is being tracked: dtrace: processing aborted: Abort due to systemic unresponsiveness It appears that I could modify the parameters of deadman with perhaps dtrace_deadman_timeout being the most promising. These can be found here and the slide is as follows: What is the appropriate way to set such parameters on macOS (specifically 10.13.x)?

I need to be able to show and capture the same output that Xcode.app/Contents/Applications/Instruments.app captures while in Terminal.app (in the shell). Is there a dtrace function / script, or some such equivalent, that can be run in order to capture this data directly?

Running dtruss on 10.14.4 (Xcode 10.2) gives me this:

tmp$ sudo dtruss ./ls
dtrace: failed to enable '
 #pragma D option quiet

 ': Failed to enable probe
CSCppMachTaskContainer pid_for_task failed for task 20003, err 5CSCppMachTaskContainer...

This is not a code signing issue (I resigned that ls I'm running). I also already disabled System Integrity Protection so it's not that either. Did anyone see this?

I'm struggling with some kind of a hang that is very elusive. Apple can't seem to isolate the problem after many sysdiagnose submissions. It predominantly happens in instances of Google Chrome, Finder and even Activity Monitor (and other random apps) sometimes when certain actions are taken. The only way to recover is a sudo reboot from the shell. No drives are actually failed or failing as one might expect. This is on a Mac Pro with ECC memory and all RAM is showing as good. I have to think that there's some dtrace tooling that would facilitate tracking down the precise point of the hang. It feels as though it's some form IO failure, but there's no indication of where or how... What options exist for tracking down such issues at a very low level?

I think many of us have been disappointed with the effective demise of fseventer. What is a good dtrace shell based alternative to fseventer that will display all full paths of files being accessed for a defined application?

Is there a dtrace one liner that will run a command, and tell me all the files it tries to open? The Linux strace equivalent of what I'm trying to do is strace -e trace=file -f cat /etc/passwd > /dev/null I am on El Capitan

I seem to have issues with iotop on High Sierra, googling it I find no useful information. The output is garbled and almost unusable. I have SIP disabled for dtrace (I know "I'm not suppose to do that", but it worked fine on previous version of OS X, i.e. > crsutil enable --without dtrace). Example output: 2017 Oct 16 11:46:25, load: 2.45, disk_r: 2520 KB, disk_w: 0 KB UID PID PPID CMD DEVICE MAJ MIN D BYTES 0 182 1 mobileassetd ?? 1 4 R 4096 0 653 340 scep_daemon ?? 1 4 R 81920 0 153 1 sandboxd ?? 1 4 R 167936 0 304 1 mds_stores ?? 1 4 R 831488 120215604 3950 1 IDECacheDeleteAp ?? 1 4 R 1490944 0 0 0 ?? 1 4 1495040 0 0 0 ?? 1 3 8474624 dtrace: 3060 dynamic variable drops with non-empty dirty list dtrace: 2000 dynamic variable drops with non-empty dirty list dtrace: 192 dynamic variable drops with non-empty dirty list The issues as I see them are the dtrace: xxx dynamic drops, missing data (there are processes missing) and last the fact that the indentation is messed up. Googling does not bring me closer to the answer. The only reasonable connection I can find is that the buffer is overflowing (due to disk activity) and to change the buffer policy with the following: #pragma D option bufpolicy=ring But since iotop is already compiled I have a hard time doing any changes to it. Or is the osx / apple version of iotop available somewhere so I can rebuild it with necessary changes? And just for completeness, I built the gnu version of iotop but it wouldn't run and complains that my linux kernel is too old ^^ Anyhow, found this as well: https://apple.stackexchange.com/a/208185/173331 , and the answer details that Apple is doing some funny shit and hiding processes from dtrace, and in effect I might not solve the "all processes are not showing up" issue. (apparently I don't have enough reputation on apple.stackexchange.com to create an "iotop"-tag)

I am trying to compile and use a shared C library as a python module and I am observing that depending on the DYLD_LIBRARY_PATH my code works or it crashes with a cryptic error message. Jul 24 02:44:44 master $ DYLD_LIBRARY_PATH=/opt/local/lib python -c 'import opengm' OKAY Jul 24 02:45:41 master $ DYLD_LIBRARY_PATH= python -c 'import opengm' python(86214,0x7fff70ccdcc0) malloc: *** error for object 0x7fff70177500: pointer being freed was not allocated *** set a breakpoint in malloc_error_break to debug Abort trap I have tried to manually inspect which libraries are common between /usr/lib and /usr/local/lib and /opt/local/lib but I have not been able to find the cause of the crash. One way to figure out the cause of the problem will be to figure out which dylib files do the two processes use? I was not able to figure this using opensnoop or dtruss but maybe I was using those tools wrong. How can I figure out the cause of this crash? **DISCLAIMER:** I posted this same question on [SO](https://stackoverflow.com/questions/38549523) 2 days ago, where it did not receive any replies and only 8 views.

I'm trying to run: $ sudo /usr/bin/newproc.d which suppose to snoop new processes as they are executed, but it fails with the error: > dtrace: failed to compile script /usr/bin/newproc.d: line 22: probe description proc:::exec-success does not match any probes This is on OS X 10.11.2 and as far as I remember, this was working before the upgrade. It seems new OS X doesn't have anymore proc:::exec-success probe as I've checked by: $ sudo dtrace -l | grep proc:::exec-success Failing code of that script (note: this was provided by the system, I haven't changed it): proc:::exec-success { print_pid[pid] = 1; /* This pid emerged from an exec, make a note of that. */ } Is that probe was removed or renamed to different probe? Maybe I could activate it somehow? Otherwise what I can use instead?

I'm trying to run the following command on OS X El Capitan (10.11.4): sudo dtruss /usr/local/bin/mix phoenix.server It fails, saying: > dtrace: failed to execute /usr/local/bin/mix: dtrace cannot control executables signed with restricted entitlements mix is an executable I installed with Homebrew. /usr/local/bin/mix is actually a symlink, but it points to a file nested under /usr/local/Cellar. The [official statement on SIP](https://support.apple.com/en-us/HT204899) says that /usr/local is writable for installers (unlike /usr/ generally). It doesn't say whether SIP allows tracing programs there, but given that I installed this myself, it seems reasonable to be able to trace it. Is there something I can do to allow tracing this program? Ideas I have: - Disable SIP entirely (seems heavy-handed) - Update: I read that one can [disable parts of SIP selectively](http://internals.exposed/blog/dtrace-vs-sip.html) , but as a first step, I [completely disabled it](http://www.macworld.com/article/2986118/security/how-to-modify-system-integrity-protection-in-el-capitan.html) . csrutil status now reports System Integrity Protection status: disabled.. But my original command still fails with the same error. :( - Make Homebrew install everything to a folder under ~ (seems messy) - Update: pretty sure this [would be a bad idea](https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/FAQ.md#why-does-homebrew-prefer-i-install-to-usrlocal) - Ignore Homebrew and compile mix from source into ~, then dtruss the new executable - Update: same failure. **This one really makes no sense to me**. SIP is turned off, the executable isn't "signed" since I compiled it myself, and it's not in a restricted location. :P - Install Linux in a VM. (seriously? do I have to do this?)

In order to diagnose slow terminal interaction (which turned out to be an unrelated problem), I ran sudo opensnoop and saw output like this: dtrace errors I assume this has to do with SIP in El Capitan. Is it something to worry about? How can I dig deeper to understand what the probe IDs correspond to and what processes are causing the errors? What is the action #?

I have something running that is syncing two directories. I want to turn it off but cannot figure out what it is. El Capitan, if that matters. Can someone provide a command or tool that will reliably show the pid (and ideally the command) for every file read and write operation? I assume this is possible with something dtrace-based but have not been able to figure it out. (Login items are empty for the relevant user. Crontab is empty for both the relevant user and root.) Thank you for your help.

I have a problem with my distnoted process that I'm trying to debug. In order to investigate it, I'd like to trace the interprocess communication that's happening on my OS X 10.9.3 (Mavericks) system. I know about dtruss, and I can see things like this: % dtruss -p 263 SYSCALL(args) = return workq_kernreturn(0x20, 0x0, 0x1) = 0 0 kevent64(0x3, 0x7FFF76D54130, 0x1) = 1 0 kevent64(0x3, 0x7FFF76D54130, 0x1) = 1 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 kevent64(0x3, 0x7FFF76D54130, 0x1) = 1 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 thread_selfid(0x10E810000, 0x7FFF783E8258, 0x1010101) = 5185362 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 thread_selfid(0x110219000, 0x7FFF783E8258, 0x1010101) = 5185368 0 workq_kernreturn(0x20, 0x0, 0x1) = 0 0 I have heard that dtrace is available for me to use, but I don't know any good recipes for IPC.