Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / bcc / bbfd6ea27f1894a98e15ce9fed162ae78c1584ae / . / tools / argdist_example.txt
blob: dec9e6fafc985f646afb22668c1a08fb71c85d11 [file] [log] [blame]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]1Demonstrations of argdist.
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]2
3
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]4argdist probes functions you specify and collects parameter values into a
5histogram or a frequency count. This can be used to understand the distribution
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]6of values a certain parameter takes, filter and print interesting parameters
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]7without attaching a debugger, and obtain general execution statistics on
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]8various functions.
9
10For example, suppose you want to find what allocation sizes are common in
11your application:
12
Sasha Goldshteind2f47622016-10-04 18:40:15 +0300[diff] [blame]13# ./argdist -p 2420 -c -C 'p:c:malloc(size_t size):size_t:size'
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]14[01:42:29]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]15p:c:malloc(size_t size):size_t:size
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]16 COUNT EVENT
17[01:42:30]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]18p:c:malloc(size_t size):size_t:size
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]19 COUNT EVENT
20[01:42:31]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]21p:c:malloc(size_t size):size_t:size
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]22 COUNT EVENT
23 1 size = 16
24[01:42:32]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]25p:c:malloc(size_t size):size_t:size
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]26 COUNT EVENT
27 2 size = 16
28[01:42:33]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]29p:c:malloc(size_t size):size_t:size
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]30 COUNT EVENT
31 3 size = 16
32[01:42:34]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]33p:c:malloc(size_t size):size_t:size
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]34 COUNT EVENT
35 4 size = 16
36^C
37
38It seems that the application is allocating blocks of size 16. The COUNT
39column contains the number of occurrences of a particular event, and the
40EVENT column describes the event. In this case, the "size" parameter was
41probed and its value was 16, repeatedly.
42
43Now, suppose you wanted a histogram of buffer sizes passed to the write()
44function across the system:
45
Sasha Goldshteind2f47622016-10-04 18:40:15 +0300[diff] [blame]46# ./argdist -c -H 'p:c:write(int fd, void *buf, size_t len):size_t:len'
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]47[01:45:22]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]48p:c:write(int fd, void *buf, size_t len):size_t:len
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]49 len : count distribution
50 0 -> 1 : 0 | |
51 2 -> 3 : 2 |************* |
52 4 -> 7 : 0 | |
53 8 -> 15 : 2 |************* |
54 16 -> 31 : 0 | |
55 32 -> 63 : 6 |****************************************|
56[01:45:23]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]57p:c:write(int fd, void *buf, size_t len):size_t:len
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]58 len : count distribution
59 0 -> 1 : 0 | |
60 2 -> 3 : 11 |*************** |
61 4 -> 7 : 0 | |
62 8 -> 15 : 4 |***** |
63 16 -> 31 : 0 | |
64 32 -> 63 : 28 |****************************************|
65 64 -> 127 : 12 |***************** |
66[01:45:24]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]67p:c:write(int fd, void *buf, size_t len):size_t:len
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]68 len : count distribution
69 0 -> 1 : 0 | |
70 2 -> 3 : 21 |**************** |
71 4 -> 7 : 0 | |
72 8 -> 15 : 6 |**** |
73 16 -> 31 : 0 | |
74 32 -> 63 : 52 |****************************************|
75 64 -> 127 : 26 |******************** |
76^C
77
78It seems that most writes fall into three buckets: very small writes of 2-3
79bytes, medium writes of 32-63 bytes, and larger writes of 64-127 bytes.
80
81But these are writes across the board -- what if you wanted to focus on writes
82to STDOUT?
83
Sasha Goldshteind2f47622016-10-04 18:40:15 +0300[diff] [blame]84# ./argdist -c -H 'p:c:write(int fd, void *buf, size_t len):size_t:len:fd==1'
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]85[01:47:17]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]86p:c:write(int fd, void *buf, size_t len):size_t:len:fd==1
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]87 len : count distribution
88 0 -> 1 : 0 | |
89 2 -> 3 : 0 | |
90 4 -> 7 : 0 | |
91 8 -> 15 : 1 |****************************************|
92 16 -> 31 : 0 | |
93 32 -> 63 : 1 |****************************************|
94[01:47:18]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]95p:c:write(int fd, void *buf, size_t len):size_t:len:fd==1
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]96 len : count distribution
97 0 -> 1 : 0 | |
98 2 -> 3 : 0 | |
99 4 -> 7 : 0 | |
100 8 -> 15 : 2 |************* |
101 16 -> 31 : 0 | |
102 32 -> 63 : 3 |******************** |
103 64 -> 127 : 6 |****************************************|
104[01:47:19]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]105p:c:write(int fd, void *buf, size_t len):size_t:len:fd==1
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]106 len : count distribution
107 0 -> 1 : 0 | |
108 2 -> 3 : 0 | |
109 4 -> 7 : 0 | |
110 8 -> 15 : 3 |********* |
111 16 -> 31 : 0 | |
112 32 -> 63 : 5 |*************** |
113 64 -> 127 : 13 |****************************************|
114^C
115
116The "fd==1" part is a filter that is applied to every invocation of write().
117Only if the filter condition is true, the value is recorded.
118
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]119You can also use argdist to trace kernel functions. For example, suppose you
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]120wanted a histogram of kernel allocation (kmalloc) sizes across the system,
121printed twice with 3 second intervals:
122
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]123# ./argdist -i 3 -n 2 -H 'p::__kmalloc(size_t size):size_t:size'
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]124[01:50:00]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]125p::__kmalloc(size_t size):size_t:size
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]126 size : count distribution
127 0 -> 1 : 0 | |
128 2 -> 3 : 0 | |
129 4 -> 7 : 0 | |
130 8 -> 15 : 6 |****************************************|
131[01:50:03]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]132p::__kmalloc(size_t size):size_t:size
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]133 size : count distribution
134 0 -> 1 : 0 | |
135 2 -> 3 : 0 | |
136 4 -> 7 : 0 | |
137 8 -> 15 : 22 |****************************************|
138 16 -> 31 : 0 | |
139 32 -> 63 : 0 | |
140 64 -> 127 : 5 |********* |
141 128 -> 255 : 2 |*** |
142
143Occasionally, numeric information isn't enough and you want to capture strings.
144What are the strings printed by puts() across the system?
145
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]146# ./argdist -i 10 -n 1 -C 'p:c:puts(char *str):char*:str'
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]147[01:53:54]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]148p:c:puts(char *str):char*:str
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]149 COUNT EVENT
150 2 str = Press ENTER to start.
151
152It looks like the message "Press ENTER to start." was printed twice during the
15310 seconds we were tracing.
154
Sasha Goldshtein8058eb12016-02-11 02:17:22 -0800[diff] [blame]155What about reads? You could trace gets() across the system and print the
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]156strings input by the user (note how "r" is used instead of "p" to attach a
157probe to the function's return):
Sasha Goldshtein8058eb12016-02-11 02:17:22 -0800[diff] [blame]158
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]159# ./argdist -i 10 -n 1 -C 'r:c:gets():char*:(char*)$retval:$retval!=0'
Sasha Goldshtein8058eb12016-02-11 02:17:22 -0800[diff] [blame]160[02:12:23]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]161r:c:gets():char*:$retval:$retval!=0
Sasha Goldshtein8058eb12016-02-11 02:17:22 -0800[diff] [blame]162 COUNT EVENT
Sasha Goldshteincc27edf2016-02-14 03:49:01 -0800[diff] [blame]163 1 (char*)$retval = hi there
164 3 (char*)$retval = sasha
165 8 (char*)$retval = hello
Sasha Goldshtein8058eb12016-02-11 02:17:22 -0800[diff] [blame]166
167Similarly, we could get a histogram of the error codes returned by read():
168
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]169# ./argdist -i 10 -c 1 -H 'r:c:read()'
Sasha Goldshtein8058eb12016-02-11 02:17:22 -0800[diff] [blame]170[02:15:36]
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]171r:c:read()
172 retval : count distribution
Sasha Goldshtein8058eb12016-02-11 02:17:22 -0800[diff] [blame]173 0 -> 1 : 29 |****************************************|
174 2 -> 3 : 11 |*************** |
175 4 -> 7 : 0 | |
176 8 -> 15 : 3 |**** |
177 16 -> 31 : 2 |** |
178 32 -> 63 : 22 |****************************** |
179 64 -> 127 : 5 |****** |
180 128 -> 255 : 0 | |
181 256 -> 511 : 1 |* |
182 512 -> 1023 : 1 |* |
183 1024 -> 2047 : 0 | |
184 2048 -> 4095 : 2 |** |
185
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]186In return probes, you can also trace the latency of the function (unless it is
187recursive) and the parameters it had on entry. For example, we can identify
188which processes are performing slow synchronous filesystem reads -- say,
189longer than 0.1ms (100,000ns):
190
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]191# ./argdist -C 'r::__vfs_read():u32:$PID:$latency > 100000'
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]192[01:08:48]
193r::__vfs_read():u32:$PID:$latency > 100000
194 COUNT EVENT
Sasha Goldshteincc27edf2016-02-14 03:49:01 -0800[diff] [blame]195 1 $PID = 10457
196 21 $PID = 2780
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]197[01:08:49]
198r::__vfs_read():u32:$PID:$latency > 100000
199 COUNT EVENT
Sasha Goldshteincc27edf2016-02-14 03:49:01 -0800[diff] [blame]200 1 $PID = 10457
201 21 $PID = 2780
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]202^C
203
Sasha Goldshteincc27edf2016-02-14 03:49:01 -0800[diff] [blame]204It looks like process 2780 performed 21 slow reads.
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]205
206Occasionally, entry parameter values are also interesting. For example, you
207might be curious how long it takes malloc() to allocate memory -- nanoseconds
208per byte allocated. Let's go:
209
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]210# ./argdist -H 'r:c:malloc(size_t size):u64:$latency/$entry(size);ns per byte' -n 1 -i 10
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]211[01:11:13]
212 ns per byte : count distribution
213 0 -> 1 : 0 | |
214 2 -> 3 : 4 |***************** |
215 4 -> 7 : 3 |************* |
216 8 -> 15 : 2 |******** |
217 16 -> 31 : 1 |**** |
218 32 -> 63 : 0 | |
219 64 -> 127 : 7 |******************************* |
220 128 -> 255 : 1 |**** |
221 256 -> 511 : 0 | |
222 512 -> 1023 : 1 |**** |
223 1024 -> 2047 : 1 |**** |
224 2048 -> 4095 : 9 |****************************************|
225 4096 -> 8191 : 1 |**** |
226
227It looks like a tri-modal distribution. Some allocations are extremely cheap,
228and take 2-15 nanoseconds per byte. Other allocations are slower, and take
22964-127 nanoseconds per byte. And some allocations are slower still, and take
230multiple microseconds per byte.
231
Sasha Goldshteincc27edf2016-02-14 03:49:01 -0800[diff] [blame]232You could also group results by more than one field. For example, __kmalloc
233takes an additional flags parameter that describes how to allocate memory:
234
Sasha Goldshteind2f47622016-10-04 18:40:15 +0300[diff] [blame]235# ./argdist -c -C 'p::__kmalloc(size_t size, gfp_t flags):gfp_t,size_t:flags,size'
Sasha Goldshteincc27edf2016-02-14 03:49:01 -0800[diff] [blame]236[03:42:29]
237p::__kmalloc(size_t size, gfp_t flags):gfp_t,size_t:flags,size
238 COUNT EVENT
239 1 flags = 16, size = 152
240 2 flags = 131280, size = 8
241 7 flags = 131280, size = 16
242[03:42:30]
243p::__kmalloc(size_t size, gfp_t flags):gfp_t,size_t:flags,size
244 COUNT EVENT
245 1 flags = 16, size = 152
246 6 flags = 131280, size = 8
247 19 flags = 131280, size = 16
248[03:42:31]
249p::__kmalloc(size_t size, gfp_t flags):gfp_t,size_t:flags,size
250 COUNT EVENT
251 2 flags = 16, size = 152
252 10 flags = 131280, size = 8
253 31 flags = 131280, size = 16
254[03:42:32]
255p::__kmalloc(size_t size, gfp_t flags):gfp_t,size_t:flags,size
256 COUNT EVENT
257 2 flags = 16, size = 152
258 14 flags = 131280, size = 8
259 43 flags = 131280, size = 16
260^C
261
262The flags value must be expanded by hand, but it's still helpful to eliminate
263certain kinds of allocations or visually group them together.
264
Sasha Goldshteinfd60d552016-03-01 12:15:34 -0800[diff] [blame]265argdist also has basic support for kernel tracepoints. It is sometimes more
266convenient to use tracepoints because they are documented and don't vary a lot
Sasha Goldshtein376ae5c2016-10-04 19:49:57 +0300[diff] [blame]267between kernel versions. For example, let's trace the net:net_dev_start_xmit
268tracepoint and print out the protocol field from the tracepoint structure:
Sasha Goldshteinfd60d552016-03-01 12:15:34 -0800[diff] [blame]269
Sasha Goldshtein376ae5c2016-10-04 19:49:57 +0300[diff] [blame]270# argdist -C 't:net:net_dev_start_xmit():u16:args->protocol'
271[13:01:49]
272t:net:net_dev_start_xmit():u16:args->protocol
Sasha Goldshteinfd60d552016-03-01 12:15:34 -0800[diff] [blame]273 COUNT EVENT
Sasha Goldshtein376ae5c2016-10-04 19:49:57 +0300[diff] [blame]274 8 args->protocol = 2048
275^C
Sasha Goldshteinfd60d552016-03-01 12:15:34 -0800[diff] [blame]276
Sasha Goldshtein376ae5c2016-10-04 19:49:57 +0300[diff] [blame]277Note that to discover the format of the net:net_dev_start_xmit tracepoint, you
278use the tplist tool (tplist -v net:net_dev_start_xmit).
Sasha Goldshteinfd60d552016-03-01 12:15:34 -0800[diff] [blame]279
Sasha Goldshteinc8f752f2016-10-17 02:18:43 -0700[diff] [blame]280
281Occasionally, it is useful to filter certain expressions by string. This is not
282trivially supported by BPF, but argdist provides a STRCMP helper you can use in
283filter expressions. For example, to get a histogram of latencies opening a
284specific file, run this:
285
286# argdist -c -H 'r:c:open(char *file):u64:$latency/1000:STRCMP("test.txt",$entry(file))'
287[02:16:38]
288[02:16:39]
289[02:16:40]
290 $latency/1000 : count distribution
291 0 -> 1 : 0 | |
292 2 -> 3 : 0 | |
293 4 -> 7 : 0 | |
294 8 -> 15 : 0 | |
295 16 -> 31 : 2 |****************************************|
296[02:16:41]
297 $latency/1000 : count distribution
298 0 -> 1 : 0 | |
299 2 -> 3 : 0 | |
300 4 -> 7 : 0 | |
301 8 -> 15 : 1 |********** |
302 16 -> 31 : 4 |****************************************|
303[02:16:42]
304 $latency/1000 : count distribution
305 0 -> 1 : 0 | |
306 2 -> 3 : 0 | |
307 4 -> 7 : 0 | |
308 8 -> 15 : 1 |******** |
309 16 -> 31 : 5 |****************************************|
310[02:16:43]
311 $latency/1000 : count distribution
312 0 -> 1 : 0 | |
313 2 -> 3 : 0 | |
314 4 -> 7 : 0 | |
315 8 -> 15 : 1 |******** |
316 16 -> 31 : 5 |****************************************|
317
318
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]319Here's a final example that finds how many write() system calls are performed
320by each process on the system:
321
Sasha Goldshteind2f47622016-10-04 18:40:15 +0300[diff] [blame]322# argdist -c -C 'p:c:write():int:$PID;write per process' -n 2
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]323[06:47:18]
324write by process
325 COUNT EVENT
Sasha Goldshteincc27edf2016-02-14 03:49:01 -0800[diff] [blame]326 3 $PID = 8889
327 7 $PID = 7615
328 7 $PID = 2480
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]329[06:47:19]
330write by process
331 COUNT EVENT
Sasha Goldshteincc27edf2016-02-14 03:49:01 -0800[diff] [blame]332 9 $PID = 8889
333 23 $PID = 7615
334 23 $PID = 2480
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]335
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]336
337USAGE message:
338
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]339# argdist -h
340usage: argdist [-h] [-p PID] [-z STRING_SIZE] [-i INTERVAL] [-n COUNT] [-v]
Sasha Goldshtein4725a722016-10-18 20:54:47 +0300[diff] [blame]341 [-c] [-T TOP] [-H specifier] [-C[specifier] [-I header]
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]342
343Trace a function and display a summary of its parameter values.
344
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]345optional arguments:
346 -h, --help show this help message and exit
347 -p PID, --pid PID id of the process to trace (optional)
348 -z STRING_SIZE, --string-size STRING_SIZE
349 maximum string size to read from char* arguments
Sasha Goldshtein0a9783b2016-02-11 11:21:01 -0800[diff] [blame]350 -i INTERVAL, --interval INTERVAL
351 output interval, in seconds
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]352 -n COUNT, --number COUNT
Sasha Goldshtein0a9783b2016-02-11 11:21:01 -0800[diff] [blame]353 number of outputs
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]354 -v, --verbose print resulting BPF program code before executing
Sasha Goldshteind2f47622016-10-04 18:40:15 +0300[diff] [blame]355 -c, --cumulative do not clear histograms and freq counts at each interval
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]356 -T TOP, --top TOP number of top results to show (not applicable to
357 histograms)
Sasha Goldshtein4725a722016-10-18 20:54:47 +0300[diff] [blame]358 -H specifier, --histogram specifier
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]359 probe specifier to capture histogram of (see examples
360 below)
Sasha Goldshtein4725a722016-10-18 20:54:47 +0300[diff] [blame]361 -C specifier, --count specifier
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]362 probe specifier to capture count of (see examples
363 below)
Sasha Goldshtein4725a722016-10-18 20:54:47 +0300[diff] [blame]364 -I header, --include header
Sasha Goldshtein7983d6b2016-02-13 23:14:18 -0800[diff] [blame]365 additional header files to include in the BPF program
Yonghong Songf4470dc2017-12-13 14:12:13 -0800[diff] [blame]366 as either full path, or relative to current working directory,
367 or relative to default kernel header search path
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]368
369Probe specifier syntax:
Sasha Goldshtein3e39a082016-03-24 08:39:47 -0700[diff] [blame]370 {p,r,t,u}:{[library],category}:function(signature)[:type[,type...]:expr[,expr...][:filter]][#label]
Sasha Goldshtein8058eb12016-02-11 02:17:22 -0800[diff] [blame]371Where:
Sasha Goldshtein3e39a082016-03-24 08:39:47 -0700[diff] [blame]372 p,r,t,u -- probe at function entry, function exit, kernel tracepoint,
373 or USDT probe
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]374 in exit probes: can use $retval, $entry(param), $latency
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]375 library -- the library that contains the function
376 (leave empty for kernel functions)
Sasha Goldshteinfd60d552016-03-01 12:15:34 -0800[diff] [blame]377 category -- the category of the kernel tracepoint (e.g. net, sched)
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]378 signature -- the function's parameters, as in the C header
Sasha Goldshteincc27edf2016-02-14 03:49:01 -0800[diff] [blame]379 type -- the type of the expression to collect (supports multiple)
380 expr -- the expression to collect (supports multiple)
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]381 filter -- the filter that is applied to collected values
382 label -- the label for this probe in the resulting output
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]383
384EXAMPLES:
385
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]386argdist -H 'p::__kmalloc(u64 size):u64:size'
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]387 Print a histogram of allocation sizes passed to kmalloc
388
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]389argdist -p 1005 -C 'p:c:malloc(size_t size):size_t:size:size==16'
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]390 Print a frequency count of how many times process 1005 called malloc
391 with an allocation size of 16 bytes
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]392
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]393argdist -C 'r:c:gets():char*:$retval#snooped strings'
Sasha Goldshtein8058eb12016-02-11 02:17:22 -0800[diff] [blame]394 Snoop on all strings returned by gets()
395
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]396argdist -H 'r::__kmalloc(size_t size):u64:$latency/$entry(size)#ns per byte'
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]397 Print a histogram of nanoseconds per byte from kmalloc allocations
398
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]399argdist -C 'p::__kmalloc(size_t size, gfp_t flags):size_t:size:flags&GFP_ATOMIC'
Sasha Goldshtein7983d6b2016-02-13 23:14:18 -0800[diff] [blame]400 Print frequency count of kmalloc allocation sizes that have GFP_ATOMIC
401
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]402argdist -p 1005 -C 'p:c:write(int fd):int:fd' -T 5
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]403 Print frequency counts of how many times writes were issued to a
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]404 particular file descriptor number, in process 1005, but only show
405 the top 5 busiest fds
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]406
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]407argdist -p 1005 -H 'r:c:read()'
Sasha Goldshtein8058eb12016-02-11 02:17:22 -0800[diff] [blame]408 Print a histogram of error codes returned by read() in process 1005
409
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]410argdist -C 'r::__vfs_read():u32:$PID:$latency > 100000'
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]411 Print frequency of reads by process where the latency was >0.1ms
412
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]413argdist -H 'r::__vfs_read(void *file, void *buf, size_t count):size_t:$entry(count):$latency > 1000000'
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]414 Print a histogram of read sizes that were longer than 1ms
415
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]416argdist -H \
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]417 'p:c:write(int fd, const void *buf, size_t count):size_t:count:fd==1'
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]418 Print a histogram of buffer sizes passed to write() across all
419 processes, where the file descriptor was 1 (STDOUT)
420
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]421argdist -C 'p:c:fork()#fork calls'
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]422 Count fork() calls in libc across all processes
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]423 Can also use funccount.py, which is easier and more flexible
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]424
Sasha Goldshtein376ae5c2016-10-04 19:49:57 +0300[diff] [blame]425argdist -H 't:block:block_rq_complete():u32:args->nr_sector'
Sasha Goldshteinfd60d552016-03-01 12:15:34 -0800[diff] [blame]426 Print histogram of number of sectors in completing block I/O requests
427
Sasha Goldshtein376ae5c2016-10-04 19:49:57 +0300[diff] [blame]428argdist -C 't:irq:irq_handler_entry():int:args->irq'
Sasha Goldshteinfd60d552016-03-01 12:15:34 -0800[diff] [blame]429 Aggregate interrupts by interrupt request (IRQ)
430
Sasha Goldshtein3e39a082016-03-24 08:39:47 -0700[diff] [blame]431argdist -C 'u:pthread:pthread_start():u64:arg2' -p 1337
432 Print frequency of function addresses used as a pthread start function,
433 relying on the USDT pthread_start probe in process 1337
434
Sasha Goldshtein4725a722016-10-18 20:54:47 +0300[diff] [blame]435argdist -H 'p:c:sleep(u32 seconds):u32:seconds' \
436 -H 'p:c:nanosleep(struct timespec *req):long:req->tv_nsec'
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]437 Print histograms of sleep() and nanosleep() parameter values
438
Sasha Goldshtein7df65da2016-02-14 05:12:27 -0800[diff] [blame]439argdist -p 2780 -z 120 \
Sasha Goldshtein5e4e1f42016-02-12 06:52:19 -0800[diff] [blame]440 -C 'p:c:write(int fd, char* buf, size_t len):char*:buf:fd==1'
Sasha Goldshtein4cd70632016-02-11 01:55:11 -0800[diff] [blame]441 Spy on writes to STDOUT performed by process 2780, up to a string size
Sasha Goldshteine3501152016-02-13 03:56:29 -0800[diff] [blame]442 of 120 characters
Yonghong Songf4470dc2017-12-13 14:12:13 -0800[diff] [blame]443
444argdist -I 'kernel/sched/sched.h' \
445 -C 'p::__account_cfs_rq_runtime(struct cfs_rq *cfs_rq):s64:cfs_rq->runtime_remaining'
446 Trace on the cfs scheduling runqueue remaining runtime. The struct cfs_rq is defined
447 in kernel/sched/sched.h which is in kernel source tree and not in kernel-devel
448 package. So this command needs to run at the kernel source tree root directory
449 so that the added header file can be found by the compiler.