Understanding Linux System Calls

System calls are mechanisms in which user programs request privileged operations through the kernel interface. The workflow is: 1. User programs call encapsulation functions; 2. Set system call numbers and parameters to registers; 3. Execute syscall instructions and fall into kernel state; 4. Execute corresponding processing functions in the check table; 5. Return to user state after execution. You can use strace tool to track, directly call the syscall() function or check the unitd.h header file to view the call number. You need to note that the difference between system calls and library functions is whether they enter the kernel state, and frequent calls will affect performance. You should optimize by merging I/O, using mmap and epoll methods, and understanding system calls will help you master the underlying operating mechanism of Linux.

Linux system calls (System Calls) are the core mechanism for user programs to interact with the kernel. They provide applications with interfaces to access underlying hardware and operating system services, such as file operations, process control, network communication, etc. Understanding the working principle of system calls will help you to deeply understand the operating mechanism of Linux system and are of great significance to system programming, performance tuning and troubleshooting.

What is a system call?

System calls are a set of interfaces provided by the operating system kernel, allowing programs in user space to request the kernel to perform certain privileged operations. Since user programs cannot directly access the hardware or execute sensitive instructions (such as modifying memory management units, operating device registers, etc.), these tasks must be "delegated" to the kernel through system calls.

Common system calls include:

• open() : Open the file
• read() / write() : read or write a file or device
• fork() / execve() : Create a process and execute a program
• exit() : terminates the current process
• socket() / bind() / send() : perform network communication
• mmap() : Memory mapped files or allocated memory

These functions look like normal C library functions, but internally trigger a switch from user state to kernel state.

How do system calls work?

The essence of system calls is that the user-state program falls into the kernel state through soft interrupts or special instructions , and the kernel executes the corresponding functions before returning to the user state.

The basic process is as follows:

1. User program calls encapsulation function
   For example, if you call write(fd, buf, len) in the C library, this function is just a wrapper.

2. Set system call number and parameters
   Put the system call number (such as __NR_write ) into a specific register (such as rax ), and put the parameters into rdi , rsi , rdx , etc.

3. Triggering instructions to get stuck in the kernel
   Use the syscall directive (x86-64) or int 0x80 (old method) to enter the kernel state.

4. Kernel searches and executes system call processing functions
   The kernel finds the corresponding function in the system call table ( sys_call_table ) according to the system call number, such as sys_write() .

5. Return to user status after execution
   The result is returned through the register (usually rax ) while restoring the user state context.

⚠️ Note: User programs cannot directly call kernel functions such as sys_write , and must be redirected through the syscall instruction.

How to view system calls?

In actual development or debugging, there are many ways to observe system call behavior:

1. Use strace tool

strace is the most commonly used system call tracking tool, which can display all system calls, their parameters and return values during program execution.

 strace ls

Output example:

 execve("/bin/ls", ["ls"], 0x7ff5a5b5b30) = 0
brk(NULL) = 0x55a3b7c5b000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9d2b3ed000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3

This can help you understand the real operation behind a command.

2. Use syscall() function directly in the program

Although it is generally enough to use glibc to encapsulate functions, you can also call syscall() directly:

 #include <sys/syscall.h>
#include <unistd.h>

int main() {
    syscall(SYS_write, 1, "Hello\n", 6);
    return 0;
}

This is equivalent to write(1, "Hello\n", 6); , but bypasses the encapsulation of the C library.

3. View /usr/include/asm/unistd.h or online documentation

System call numbers of different architectures are defined in the header file. For example, the call number of x86-64 can be found in asm/unistd_64.h .

System calls vs library functions

Beginners often confuse system calls and library functions. The key difference is:

✅ Note: printf is not a system call, it will eventually call write() to trigger the system call.

Tips: Performance Impact of System Calls

Frequent system calls affect program performance because the context is switched every time. Optimization suggestions include:

• Merge small write() calls and use buffered batch output
• Use mmap instead of read/write to process large files
• Use mechanisms such as epoll to reduce the number of system calls for network I/O

In high-performance services, reducing the number of system calls is often a key optimization point.

Basically that's it. System calls are the "foundation" of Linux programs. Although most of them are encapsulated by advanced APIs in daily development, they are a core concept that cannot be avoided when in-depth system programming. Understanding it will make you more clear about what is happening to the program at the bottom.

The above is the detailed content of Understanding Linux System Calls. For more information, please follow other related articles on the PHP Chinese website!