The other day I learned that Instruments.app can record file system activity on macOS!
strace is great, but…
One of the things I always use strace on Linux for is tracing a process to see, for example, which global config files it’s reading—it’s so simple, just
strace -- git status 2> trace.logand then look through the logs to see where it’s looking for files. For example, I discovered that git installed via Homebrew reads out of /home/linuxbrew/.linuxbrew/etc/gitconfig instead of /etc/gitconfig this way!
I’m sure you know how frustrating it is to think your program works one way when it’s actually doing something else entirely… strace makes it easy to figure out when your program works a different way without having to traipse through the program’s source code.
… but since macOS shipped System Integrity Protection, I haven’t been able to get the macOS alternatives like dtrace or dtruss to work.
Instruments.app can trace arbitrary programs!
Using the “Filesystem Activity” instrument in Instruments.app, I can run a program and see all the file system activity the program does!
There is also a “System Call Trace” instrument, but unlike strace it doesn’t seem to record arguments and return values of syscalls—only the File System activity records arguments and return values for file system syscalls. So it’s not a complete alternative to strace but at least it’s better than trying to figure out how to work around System Integrity Protection.
While I was searching the internet trying to figure out whether Instruments.app could trace file system activity, I also stumbled on this great post:
→ Did you know about Instruments?
It’s full of more great tips!