Are these syscall numbers the same on every architecture?

No. The numbers shown are for x86-64 (the values in the rax register). Other architectures such as ARM64, x86 (32-bit) and RISC-V use different syscall numbers, though the names and semantics are largely shared. Always check the per-arch table for portable code.

How does a syscall report an error?

At the raw syscall level on x86-64, a return value between -4095 and -1 is a negated errno. The C library wrapper converts this: it returns -1 and sets the global errno variable to the positive error code, so userland code checks errno after a -1 result.

What is the difference between fork, vfork and clone?

clone is the low-level primitive that creates a new task and lets you choose which resources (memory, file descriptors, namespaces) are shared via flags. fork is clone with copy-on-write memory and no sharing; vfork suspends the parent and shares memory until the child execs or exits. Threads are clone with CLONE_VM | CLONE_FILES set.

Why use openat instead of open?

openat takes a directory file descriptor plus a relative path, which avoids race conditions where the directory could be swapped between resolving the path and opening the file. The *at family (openat, fstatat, unlinkat) is the modern, race-safe way to operate relative to a directory.

How can I see which syscalls a program makes?

Use strace on Linux to trace syscalls and their arguments and return values in real time, for example strace -f ./program. For aggregate counts use strace -c, and for a specific syscall use -e trace=openat to filter.

Linux System Calls Reference

Linux system calls, the kernel boundary

Every time a program reads a file, allocates memory, spawns a process or opens a socket, it crosses from user space into the kernel through a system call. On x86-64, the syscall number goes in the rax register, arguments in rdi, rsi, rdx, r10, r8, r9, and the syscall instruction transfers control to the kernel. This reference lists the most common syscalls with their number, C signature and category so you can decode an strace log or write inline assembly without leaving the page.

How it works

A syscall is dispatched by number. The kernel’s syscall table maps rax to a handler, the handler runs in kernel mode, and the result comes back in rax. At the raw level a return value in the range -4095 to -1 is a negated errno — the glibc wrapper detects this, returns -1 and sets errno to the positive code. Successful calls return a non-negative value: a count of bytes, a new file descriptor, a pointer (from mmap), or 0.

Syscalls group into families. Process calls (fork, clone, execve, exit_group, wait4) manage the process lifecycle. File calls (open/openat, read, write, close, lseek, stat) move data through file descriptors. Memory calls (mmap, munmap, mprotect, brk) manage the address space. Network calls (socket, bind, listen, accept, connect, sendto, recvfrom) drive sockets. Signal calls (kill, rt_sigaction, rt_sigprocmask) deliver and handle asynchronous notifications.

Tips and examples

Prefer the *at variants (openat, unlinkat, fstatat) for race-free path resolution relative to a directory file descriptor.
strace -c ./prog gives a histogram of which syscalls dominate — useful when a program feels slow or chatty.
The numbers here are x86-64 specific. The canonical table lives at arch/x86/entry/syscalls/syscall_64.tbl in the kernel source.

Linux System Calls Reference

Email me this result

Linux system calls, the kernel boundary

How it works

Tips and examples