How to trace system calls of a program in Mac OS X?

Question

I wanted to trace the system calls made by the find command to debug some performance issues however I could not figure out how to do this on Mac OS X Yosemite. How can I trace system calls for an arbitrary program similarly to what strace does on FreeBSD? I am especially interested in tracing file-system related calls.

---

Suggested accepted answer doesn't work for me. This is what I tried:

cd ~
cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …

error:

codesign --remove-signature ./find
sudo dtruss ./find 
dtrace: system integrity protection is on, some features will not be available

dtrace: failed to execute ./find: Could not create symbolicator for task

Answer 1

You can use dtruss like in

sudo dtruss find ~/repo -depth 2 -type d -name '.git'

The manual page of that utility will help you to tailor the use of the tool to your needs.

Answer 2

Under current versions of macOS, executables under paths covered by SIP (like /usr/bin) cannot be traced.

You can bypass this by making a copy of the executable in your home directory and tracing the copy:

cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …

You needed to remove the code signature from the new find executable, otherwise SIP still notices that a system file is being accessed (credit: @Anmol Singh Jaggi).

Answer 3

You might have better luck with ktrace. For example (on Sonoma 14.0):

sudo ktrace trace -S -f C3 -c find .

-f = filter description, C3 = class 3 = DBG_FSYSTEM, -S = print arguments as strings where possible.

On Yosemite it would have been something like sudo ktrace -t cin -c find .

More ktrace filter examples in https://stackoverflow.com/a/76987655.