steven-michaud / HookCase

Tool for reverse engineering macOS/OS X

Can't hook fread write.

qiuwenqiao opened this issue · comments

INTERPOSE_FUNCTION(fopen),
INTERPOSE_FUNCTION(fread),
INTERPOSE_FUNCTION(fwrite),
INTERPOSE_FUNCTION(fclose),

...

I found that only fopen/fclose are hooked.
fopen
fread
fwrite
fclose

What version of macOS did you test on?

Please show your hooks for fopen, fread, fwrite and fclose.

How did you generate your "backtrace" output? It's not at all clear from the output itself.

I just wrote my own hook library with interpose hooks for fopen, fread, fwrite and fclose, and I didn't have problems with any of them. I tested on macOS 11.1 with Firefox and Safari. Neither app alone uses all of these functions. But both together do use all of them, and I saw log messages for all of them.

I don't have Microsoft Word, so I can't test with it.

Please answer all the questions I asked above. And here's another question:

What were you doing when you generated the "backtraces"? Were you printing a document?

What version of macOS did you test on?

Please show your hooks for fopen, fread, fwrite and fclose.

How did you generate your "backtrace" output? It's not at all clear from the output itself.

10.15.7

Here's my code.
static FILE *Hooked_fopen(const char * __restrict filename, const char * __restrict mode)
{
    // Call the original function, then do any extra work.
    FILE *f = fopen(filename, mode);
    // do something...
    return f;
}

static size_t Hooked_fread(void *buf, size_t size, size_t count, FILE *stream)
{
    // Pass the hook's own parameters through to the original function.
    size_t retval = fread(buf, size, count, stream);
    // do something...
    return retval;
}

static size_t Hooked_fwrite(const void *buf, size_t size, size_t count, FILE *stream)
{
    size_t retval = fwrite(buf, size, count, stream);
    // do something...
    return retval;
}

static int Hooked_fclose(FILE *stream)
{
    int iRet = fclose(stream);
    // do something...
    return iRet;
}

// Hook table, placed in the __DATA,__hook section of the hook library.
__attribute__((used)) static const hook_desc user_hooks[]
  __attribute__((section("__DATA, __hook"))) =
{
    INTERPOSE_FUNCTION(fopen),
    INTERPOSE_FUNCTION(fread),
    INTERPOSE_FUNCTION(fwrite),
    INTERPOSE_FUNCTION(fclose)
};

I used Instruments in Xcode: Xcode -> Open Developer Tool -> Instruments. Then choose "File Activity". Press the record button and click "Filesystem Activity" when recording is finished.
I'll test your code with another app.
Thank you Steven for your reply.

I retested with LogWithFormat. It shows OK. Seems I encountered some other problems in my code. I don't know why Instruments didn't show Hooked_fread/Hooked_fwrite callstack. But anyway, thank you very much.

I don't know why Instruments didn't show Hooked_fread/Hooked_fwrite callstack.

I don't either. I played around with the "File Activity" Instrument, but I wasn't able to learn anything interesting. The main problem is that "File Activity" doesn't track calls to fopen(), fread(), fwrite() or fclose(). Instead it tracks much lower level calls (__open_nocancel(), __read_nocancel(), __write_nocancel() and __close_nocancel()), which might or might not be called from these higher level ones.

So HookCase might be failing to hook some calls to fread() and fwrite(), but your bug report certainly doesn't show it, in any reproducible way.

I'll keep this possibility in mind for the future. But in the meantime I'm going to close this bug.

In general, if you think an interpose hook might be missing some calls, you should try a patch hook instead. As best I can tell, it's impossible for a patch hook to miss calls.