Alexey Ivanov | cc01a9c | 2019-01-16 09:50:46 -0800 | [diff] [blame] | 1 | #!/usr/bin/python |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 2 | # |
| 3 | # trace Trace a function and print a trace message based on its |
| 4 | # parameters, with an optional filter. |
| 5 | # |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 6 | # usage: trace [-h] [-p PID] [-L TID] [-v] [-Z STRING_SIZE] [-S] [-c cgroup_path] |
vijunag | 9924e64 | 2019-01-23 12:35:33 +0530 | [diff] [blame] | 7 | # [-M MAX_EVENTS] [-s SYMBOLFILES] [-T] [-t] [-K] [-U] [-a] [-I header] |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 8 | # [-A] |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 9 | # probe [probe ...] |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 10 | # |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 11 | # Licensed under the Apache License, Version 2.0 (the "License") |
| 12 | # Copyright (C) 2016 Sasha Goldshtein. |
| 13 | |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 14 | from __future__ import print_function |
Sumanth Korikkar | 7cbd074 | 2020-04-27 09:09:28 -0500 | [diff] [blame] | 15 | from bcc import BPF, USDT, StrcmpRewrite |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 16 | from functools import partial |
Jonathan Giddy | ec0691e | 2021-02-21 09:44:26 +0000 | [diff] [blame] | 17 | from time import strftime |
Maik Riechert | 3a0d3c4 | 2019-05-23 17:57:10 +0100 | [diff] [blame] | 18 | import time |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 19 | import argparse |
| 20 | import re |
| 21 | import ctypes as ct |
| 22 | import os |
| 23 | import traceback |
| 24 | import sys |
| 25 | |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 26 | class Probe(object): |
| 27 | probe_count = 0 |
Sasha Goldshtein | f4797b0 | 2016-10-17 01:44:56 -0700 | [diff] [blame] | 28 | streq_index = 0 |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 29 | max_events = None |
| 30 | event_count = 0 |
| 31 | first_ts = 0 |
Maik Riechert | 3a0d3c4 | 2019-05-23 17:57:10 +0100 | [diff] [blame] | 32 | first_ts_real = None |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 33 | print_time = False |
Maik Riechert | 3a0d3c4 | 2019-05-23 17:57:10 +0100 | [diff] [blame] | 34 | print_unix_timestamp = False |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 35 | use_localtime = True |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 36 | time_field = False |
| 37 | print_cpu = False |
Mirek Klimos | e538228 | 2018-01-26 14:52:50 -0800 | [diff] [blame] | 38 | print_address = False |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 39 | tgid = -1 |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 40 | pid = -1 |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 41 | uid = -1 |
Mark Drayton | 5f5687e | 2017-02-20 18:13:03 +0000 | [diff] [blame] | 42 | page_cnt = None |
vijunag | 9924e64 | 2019-01-23 12:35:33 +0530 | [diff] [blame] | 43 | build_id_enabled = False |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 44 | aggregate = False |
| 45 | symcount = {} |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 46 | |
| 47 | @classmethod |
| 48 | def configure(cls, args): |
| 49 | cls.max_events = args.max_events |
Sasha Goldshtein | 49d50ba | 2016-12-19 10:17:38 +0000 | [diff] [blame] | 50 | cls.print_time = args.timestamp or args.time |
Maik Riechert | 3a0d3c4 | 2019-05-23 17:57:10 +0100 | [diff] [blame] | 51 | cls.print_unix_timestamp = args.unix_timestamp |
Sasha Goldshtein | 49d50ba | 2016-12-19 10:17:38 +0000 | [diff] [blame] | 52 | cls.use_localtime = not args.timestamp |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 53 | cls.time_field = cls.print_time and (not cls.use_localtime) |
| 54 | cls.print_cpu = args.print_cpu |
Mirek Klimos | e538228 | 2018-01-26 14:52:50 -0800 | [diff] [blame] | 55 | cls.print_address = args.address |
Sasha Goldshtein | 60c4192 | 2017-02-09 04:19:53 -0500 | [diff] [blame] | 56 | cls.first_ts = BPF.monotonic_time() |
Maik Riechert | 3a0d3c4 | 2019-05-23 17:57:10 +0100 | [diff] [blame] | 57 | cls.first_ts_real = time.time() |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 58 | cls.tgid = args.tgid or -1 |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 59 | cls.pid = args.pid or -1 |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 60 | cls.uid = args.uid or -1 |
Mark Drayton | 5f5687e | 2017-02-20 18:13:03 +0000 | [diff] [blame] | 61 | cls.page_cnt = args.buffer_pages |
Nikita V. Shirokov | 3953c70 | 2018-07-27 16:13:47 -0700 | [diff] [blame] | 62 | cls.bin_cmp = args.bin_cmp |
vijunag | 9924e64 | 2019-01-23 12:35:33 +0530 | [diff] [blame] | 63 | cls.build_id_enabled = args.sym_file_list is not None |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 64 | cls.aggregate = args.aggregate |
| 65 | if cls.aggregate and cls.max_events is None: |
| 66 | raise ValueError("-M/--max-events should be specified" |
| 67 | " with -A/--aggregate") |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 68 | |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 69 | def __init__(self, probe, string_size, kernel_stack, user_stack, |
tty5 | 5cf529e | 2019-12-06 17:52:56 +0800 | [diff] [blame] | 70 | cgroup_map_name, name, msg_filter): |
Sasha Goldshtein | 69e361a | 2016-09-27 19:40:00 +0300 | [diff] [blame] | 71 | self.usdt = None |
Sasha Goldshtein | f4797b0 | 2016-10-17 01:44:56 -0700 | [diff] [blame] | 72 | self.streq_functions = "" |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 73 | self.raw_probe = probe |
| 74 | self.string_size = string_size |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 75 | self.kernel_stack = kernel_stack |
| 76 | self.user_stack = user_stack |
Sumanth Korikkar | 7cbd074 | 2020-04-27 09:09:28 -0500 | [diff] [blame] | 77 | self.probe_user_list = set() |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 78 | Probe.probe_count += 1 |
| 79 | self._parse_probe() |
| 80 | self.probe_num = Probe.probe_count |
| 81 | self.probe_name = "probe_%s_%d" % \ |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 82 | (self._display_function(), self.probe_num) |
Paul Chaignon | 956ca1c | 2017-03-04 20:07:56 +0100 | [diff] [blame] | 83 | self.probe_name = re.sub(r'[^A-Za-z0-9_]', '_', |
| 84 | self.probe_name) |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 85 | self.cgroup_map_name = cgroup_map_name |
Jonathan Giddy | ec0691e | 2021-02-21 09:44:26 +0000 | [diff] [blame] | 86 | if name is None: |
| 87 | # An empty bytestring is always contained in the command |
| 88 | # name so this will always succeed. |
| 89 | self.name = b'' |
| 90 | else: |
| 91 | self.name = name.encode('ascii') |
tty5 | 5cf529e | 2019-12-06 17:52:56 +0800 | [diff] [blame] | 92 | self.msg_filter = msg_filter |
yonghong-song | 2da3426 | 2018-06-13 06:12:22 -0700 | [diff] [blame] | 93 | # compiler can generate proper codes for function |
| 94 | # signatures with "syscall__" prefix |
| 95 | if self.is_syscall_kprobe: |
| 96 | self.probe_name = "syscall__" + self.probe_name[6:] |
| 97 | |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 98 | def __str__(self): |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 99 | return "%s:%s:%s FLT=%s ACT=%s/%s" % (self.probe_type, |
| 100 | self.library, self._display_function(), self.filter, |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 101 | self.types, self.values) |
| 102 | |
| 103 | def is_default_action(self): |
| 104 | return self.python_format == "" |
| 105 | |
| 106 | def _bail(self, error): |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 107 | raise ValueError("error in probe '%s': %s" % |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 108 | (self.raw_probe, error)) |
| 109 | |
| 110 | def _parse_probe(self): |
| 111 | text = self.raw_probe |
| 112 | |
Sasha Goldshtein | 23e72b8 | 2017-01-17 08:49:36 +0000 | [diff] [blame] | 113 | # There might be a function signature preceding the actual |
| 114 | # filter/print part, or not. Find the probe specifier first -- |
| 115 | # it ends with either a space or an open paren ( for the |
| 116 | # function signature part. |
| 117 | # opt. signature |
| 118 | # probespec | rest |
| 119 | # --------- ---------- -- |
| 120 | (spec, sig, rest) = re.match(r'([^ \t\(]+)(\([^\(]*\))?(.*)', |
| 121 | text).groups() |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 122 | |
Sasha Goldshtein | 23e72b8 | 2017-01-17 08:49:36 +0000 | [diff] [blame] | 123 | self._parse_spec(spec) |
Paul Chaignon | 956ca1c | 2017-03-04 20:07:56 +0100 | [diff] [blame] | 124 | # Remove the parens |
| 125 | self.signature = sig[1:-1] if sig else None |
Sasha Goldshtein | 23e72b8 | 2017-01-17 08:49:36 +0000 | [diff] [blame] | 126 | if self.signature and self.probe_type in ['u', 't']: |
| 127 | self._bail("USDT and tracepoint probes can't have " + |
| 128 | "a function signature; use arg1, arg2, " + |
| 129 | "... instead") |
| 130 | |
| 131 | text = rest.lstrip() |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 132 | # If we now have a (, wait for the balanced closing ) and that |
| 133 | # will be the predicate |
| 134 | self.filter = None |
| 135 | if len(text) > 0 and text[0] == "(": |
| 136 | balance = 1 |
| 137 | for i in range(1, len(text)): |
| 138 | if text[i] == "(": |
| 139 | balance += 1 |
| 140 | if text[i] == ")": |
| 141 | balance -= 1 |
| 142 | if balance == 0: |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 143 | self._parse_filter(text[:i + 1]) |
| 144 | text = text[i + 1:] |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 145 | break |
| 146 | if self.filter is None: |
| 147 | self._bail("unmatched end of predicate") |
| 148 | |
| 149 | if self.filter is None: |
| 150 | self.filter = "1" |
| 151 | |
| 152 | # The remainder of the text is the printf action |
| 153 | self._parse_action(text.lstrip()) |
| 154 | |
Ferenc Fejes | d7b427e | 2020-08-01 21:18:57 +0200 | [diff] [blame] | 155 | def _parse_offset(self, func_and_offset): |
| 156 | func, offset_str = func_and_offset.split("+") |
| 157 | try: |
| 158 | if "x" in offset_str or "X" in offset_str: |
| 159 | offset = int(offset_str, 16) |
| 160 | else: |
| 161 | offset = int(offset_str) |
| 162 | except ValueError: |
| 163 | self._bail("invalid offset format " + |
| 164 | " '%s', must be decimal or hexadecimal" % offset_str) |
| 165 | |
| 166 | return func, offset |
| 167 | |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 168 | def _parse_spec(self, spec): |
| 169 | parts = spec.split(":") |
| 170 | # Two special cases: 'func' means 'p::func', 'lib:func' means |
| 171 | # 'p:lib:func'. Other combinations need to provide an empty |
| 172 | # value between delimiters, e.g. 'r::func' for a kretprobe on |
| 173 | # the function func. |
| 174 | if len(parts) == 1: |
| 175 | parts = ["p", "", parts[0]] |
| 176 | elif len(parts) == 2: |
| 177 | parts = ["p", parts[0], parts[1]] |
| 178 | if len(parts[0]) == 0: |
| 179 | self.probe_type = "p" |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 180 | elif parts[0] in ["p", "r", "t", "u"]: |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 181 | self.probe_type = parts[0] |
| 182 | else: |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 183 | self._bail("probe type must be '', 'p', 't', 'r', " + |
| 184 | "or 'u', but got '%s'" % parts[0]) |
Ferenc Fejes | d7b427e | 2020-08-01 21:18:57 +0200 | [diff] [blame] | 185 | self.offset = 0 |
| 186 | if "+" in parts[-1]: |
| 187 | parts[-1], self.offset = self._parse_offset(parts[-1]) |
| 188 | |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 189 | if self.probe_type == "t": |
| 190 | self.tp_category = parts[1] |
| 191 | self.tp_event = parts[2] |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 192 | self.library = "" # kernel |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 193 | self.function = "" # from TRACEPOINT_PROBE |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 194 | elif self.probe_type == "u": |
Fuji Goro | 2162516 | 2020-03-08 08:16:54 +0000 | [diff] [blame] | 195 | # u:<library>[:<provider>]:<probe> where :<provider> is optional |
| 196 | self.library = parts[1] |
| 197 | self.usdt_name = ":".join(parts[2:]) |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 198 | self.function = "" # no function, just address |
| 199 | # We will discover the USDT provider by matching on |
| 200 | # the USDT name in the specified library |
| 201 | self._find_usdt_probe() |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 202 | else: |
vkhromov | 5a2b39e | 2017-07-14 20:42:29 +0100 | [diff] [blame] | 203 | self.library = ':'.join(parts[1:-1]) |
| 204 | self.function = parts[-1] |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 205 | |
yonghong-song | 2da3426 | 2018-06-13 06:12:22 -0700 | [diff] [blame] | 206 | # only x64 syscalls needs checking, no other syscall wrapper yet. |
| 207 | self.is_syscall_kprobe = False |
| 208 | if self.probe_type == "p" and len(self.library) == 0 and \ |
| 209 | self.function[:10] == "__x64_sys_": |
| 210 | self.is_syscall_kprobe = True |
| 211 | |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 212 | def _find_usdt_probe(self): |
Sasha Goldshtein | dd04536 | 2016-11-13 05:07:38 -0800 | [diff] [blame] | 213 | target = Probe.pid if Probe.pid and Probe.pid != -1 \ |
| 214 | else Probe.tgid |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 215 | self.usdt = USDT(path=self.library, pid=target) |
Fuji Goro | 2162516 | 2020-03-08 08:16:54 +0000 | [diff] [blame] | 216 | |
| 217 | parts = self.usdt_name.split(":") |
| 218 | if len(parts) == 1: |
| 219 | provider_name = None |
| 220 | usdt_name = parts[0].encode("ascii") |
| 221 | else: |
| 222 | provider_name = parts[0].encode("ascii") |
| 223 | usdt_name = parts[1].encode("ascii") |
Sasha Goldshtein | 69e361a | 2016-09-27 19:40:00 +0300 | [diff] [blame] | 224 | for probe in self.usdt.enumerate_probes(): |
Fuji Goro | 2162516 | 2020-03-08 08:16:54 +0000 | [diff] [blame] | 225 | if ((not provider_name or probe.provider == provider_name) |
| 226 | and probe.name == usdt_name): |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 227 | return # Found it, will enable later |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 228 | self._bail("unrecognized USDT probe %s" % self.usdt_name) |
| 229 | |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 230 | def _parse_filter(self, filt): |
Sasha Goldshtein | f4797b0 | 2016-10-17 01:44:56 -0700 | [diff] [blame] | 231 | self.filter = self._rewrite_expr(filt) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 232 | |
| 233 | def _parse_types(self, fmt): |
| 234 | for match in re.finditer( |
yonghong-song | f720257 | 2018-09-19 08:50:59 -0700 | [diff] [blame] | 235 | r'[^%]%(s|u|d|lu|llu|ld|lld|hu|hd|x|lx|llx|c|K|U)', fmt): |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 236 | self.types.append(match.group(1)) |
yonghong-song | f720257 | 2018-09-19 08:50:59 -0700 | [diff] [blame] | 237 | fmt = re.sub(r'([^%]%)(u|d|lu|llu|ld|lld|hu|hd)', r'\1d', fmt) |
| 238 | fmt = re.sub(r'([^%]%)(x|lx|llx)', r'\1x', fmt) |
Sasha Goldshtein | accd4cf | 2016-10-11 07:56:13 -0700 | [diff] [blame] | 239 | fmt = re.sub('%K|%U', '%s', fmt) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 240 | self.python_format = fmt.strip('"') |
| 241 | |
| 242 | def _parse_action(self, action): |
| 243 | self.values = [] |
| 244 | self.types = [] |
| 245 | self.python_format = "" |
| 246 | if len(action) == 0: |
| 247 | return |
| 248 | |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 249 | action = action.strip() |
Sasha Goldshtein | f4797b0 | 2016-10-17 01:44:56 -0700 | [diff] [blame] | 250 | match = re.search(r'(\".*?\"),?(.*)', action) |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 251 | if match is None: |
| 252 | self._bail("expected format string in \"s") |
| 253 | |
| 254 | self.raw_format = match.group(1) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 255 | self._parse_types(self.raw_format) |
Sasha Goldshtein | f4797b0 | 2016-10-17 01:44:56 -0700 | [diff] [blame] | 256 | for part in re.split('(?<!"),', match.group(2)): |
| 257 | part = self._rewrite_expr(part) |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 258 | if len(part) > 0: |
| 259 | self.values.append(part) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 260 | |
yonghong-song | 2da3426 | 2018-06-13 06:12:22 -0700 | [diff] [blame] | 261 | aliases_arg = { |
Naveen N. Rao | 4afa96a | 2016-05-03 14:54:21 +0530 | [diff] [blame] | 262 | "arg1": "PT_REGS_PARM1(ctx)", |
| 263 | "arg2": "PT_REGS_PARM2(ctx)", |
| 264 | "arg3": "PT_REGS_PARM3(ctx)", |
| 265 | "arg4": "PT_REGS_PARM4(ctx)", |
| 266 | "arg5": "PT_REGS_PARM5(ctx)", |
| 267 | "arg6": "PT_REGS_PARM6(ctx)", |
yonghong-song | 2da3426 | 2018-06-13 06:12:22 -0700 | [diff] [blame] | 268 | } |
| 269 | |
| 270 | aliases_indarg = { |
Prashant Bhole | 05765ee | 2018-12-28 01:47:56 +0900 | [diff] [blame] | 271 | "arg1": "({u64 _val; struct pt_regs *_ctx = (struct pt_regs *)PT_REGS_PARM1(ctx);" |
Sumanth Korikkar | 7f6066d | 2020-05-20 10:49:56 -0500 | [diff] [blame] | 272 | " bpf_probe_read_kernel(&_val, sizeof(_val), &(PT_REGS_PARM1(_ctx))); _val;})", |
Xiaozhou Liu | 25a0ef3 | 2019-01-14 14:14:43 +0800 | [diff] [blame] | 273 | "arg2": "({u64 _val; struct pt_regs *_ctx = (struct pt_regs *)PT_REGS_PARM1(ctx);" |
Sumanth Korikkar | 7f6066d | 2020-05-20 10:49:56 -0500 | [diff] [blame] | 274 | " bpf_probe_read_kernel(&_val, sizeof(_val), &(PT_REGS_PARM2(_ctx))); _val;})", |
Xiaozhou Liu | 25a0ef3 | 2019-01-14 14:14:43 +0800 | [diff] [blame] | 275 | "arg3": "({u64 _val; struct pt_regs *_ctx = (struct pt_regs *)PT_REGS_PARM1(ctx);" |
Sumanth Korikkar | 7f6066d | 2020-05-20 10:49:56 -0500 | [diff] [blame] | 276 | " bpf_probe_read_kernel(&_val, sizeof(_val), &(PT_REGS_PARM3(_ctx))); _val;})", |
Xiaozhou Liu | 25a0ef3 | 2019-01-14 14:14:43 +0800 | [diff] [blame] | 277 | "arg4": "({u64 _val; struct pt_regs *_ctx = (struct pt_regs *)PT_REGS_PARM1(ctx);" |
Sumanth Korikkar | 7f6066d | 2020-05-20 10:49:56 -0500 | [diff] [blame] | 278 | " bpf_probe_read_kernel(&_val, sizeof(_val), &(PT_REGS_PARM4(_ctx))); _val;})", |
Xiaozhou Liu | 25a0ef3 | 2019-01-14 14:14:43 +0800 | [diff] [blame] | 279 | "arg5": "({u64 _val; struct pt_regs *_ctx = (struct pt_regs *)PT_REGS_PARM1(ctx);" |
Sumanth Korikkar | 7f6066d | 2020-05-20 10:49:56 -0500 | [diff] [blame] | 280 | " bpf_probe_read_kernel(&_val, sizeof(_val), &(PT_REGS_PARM5(_ctx))); _val;})", |
Xiaozhou Liu | 25a0ef3 | 2019-01-14 14:14:43 +0800 | [diff] [blame] | 281 | "arg6": "({u64 _val; struct pt_regs *_ctx = (struct pt_regs *)PT_REGS_PARM1(ctx);" |
Sumanth Korikkar | 7f6066d | 2020-05-20 10:49:56 -0500 | [diff] [blame] | 282 | " bpf_probe_read_kernel(&_val, sizeof(_val), &(PT_REGS_PARM6(_ctx))); _val;})", |
yonghong-song | 2da3426 | 2018-06-13 06:12:22 -0700 | [diff] [blame] | 283 | } |
| 284 | |
| 285 | aliases_common = { |
| 286 | "retval": "PT_REGS_RC(ctx)", |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 287 | "$uid": "(unsigned)(bpf_get_current_uid_gid() & 0xffffffff)", |
| 288 | "$gid": "(unsigned)(bpf_get_current_uid_gid() >> 32)", |
| 289 | "$pid": "(unsigned)(bpf_get_current_pid_tgid() & 0xffffffff)", |
| 290 | "$tgid": "(unsigned)(bpf_get_current_pid_tgid() >> 32)", |
Yonghong Song | f92fef2 | 2018-01-24 20:51:46 -0800 | [diff] [blame] | 291 | "$cpu": "bpf_get_smp_processor_id()", |
Jonathan Giddy | ec0691e | 2021-02-21 09:44:26 +0000 | [diff] [blame] | 292 | "$task": "((struct task_struct *)bpf_get_current_task())" |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 293 | } |
| 294 | |
Sasha Goldshtein | f4797b0 | 2016-10-17 01:44:56 -0700 | [diff] [blame] | 295 | def _rewrite_expr(self, expr): |
Sumanth Korikkar | 7cbd074 | 2020-04-27 09:09:28 -0500 | [diff] [blame] | 296 | # Find the occurances of any arg[1-6]@user. Use it later to |
| 297 | # identify bpf_probe_read_user |
| 298 | for matches in re.finditer(r'(arg[1-6])(@user)', expr): |
| 299 | if matches.group(1).strip() not in self.probe_user_list: |
| 300 | self.probe_user_list.add(matches.group(1).strip()) |
| 301 | # Remove @user occurrences from arg before resolving to its |
| 302 | # corresponding aliases. |
| 303 | expr = re.sub(r'(arg[1-6])@user', r'\1', expr) |
| 304 | rdict = StrcmpRewrite.rewrite_expr(expr, |
| 305 | self.bin_cmp, self.library, |
| 306 | self.probe_user_list, self.streq_functions, |
| 307 | Probe.streq_index) |
| 308 | expr = rdict["expr"] |
| 309 | self.streq_functions = rdict["streq_functions"] |
| 310 | Probe.streq_index = rdict["probeid"] |
| 311 | alias_to_check = Probe.aliases_indarg \ |
| 312 | if self.is_syscall_kprobe \ |
| 313 | else Probe.aliases_arg |
| 314 | # For USDT probes, we replace argN values with the |
| 315 | # actual arguments for that probe obtained using |
| 316 | # bpf_readarg_N macros emitted at BPF construction. |
| 317 | if not self.probe_type == "u": |
| 318 | for alias, replacement in alias_to_check.items(): |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 319 | expr = expr.replace(alias, replacement) |
yonghong-song | 2da3426 | 2018-06-13 06:12:22 -0700 | [diff] [blame] | 320 | for alias, replacement in Probe.aliases_common.items(): |
| 321 | expr = expr.replace(alias, replacement) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 322 | return expr |
| 323 | |
yonghong-song | f720257 | 2018-09-19 08:50:59 -0700 | [diff] [blame] | 324 | p_type = {"u": ct.c_uint, "d": ct.c_int, "lu": ct.c_ulong, |
| 325 | "ld": ct.c_long, |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 326 | "llu": ct.c_ulonglong, "lld": ct.c_longlong, |
| 327 | "hu": ct.c_ushort, "hd": ct.c_short, |
yonghong-song | f720257 | 2018-09-19 08:50:59 -0700 | [diff] [blame] | 328 | "x": ct.c_uint, "lx": ct.c_ulong, "llx": ct.c_ulonglong, |
| 329 | "c": ct.c_ubyte, |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 330 | "K": ct.c_ulonglong, "U": ct.c_ulonglong} |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 331 | |
| 332 | def _generate_python_field_decl(self, idx, fields): |
| 333 | field_type = self.types[idx] |
| 334 | if field_type == "s": |
| 335 | ptype = ct.c_char * self.string_size |
| 336 | else: |
| 337 | ptype = Probe.p_type[field_type] |
| 338 | fields.append(("v%d" % idx, ptype)) |
| 339 | |
| 340 | def _generate_python_data_decl(self): |
| 341 | self.python_struct_name = "%s_%d_Data" % \ |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 342 | (self._display_function(), self.probe_num) |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 343 | fields = [] |
| 344 | if self.time_field: |
| 345 | fields.append(("timestamp_ns", ct.c_ulonglong)) |
| 346 | if self.print_cpu: |
| 347 | fields.append(("cpu", ct.c_int)) |
| 348 | fields.extend([ |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 349 | ("tgid", ct.c_uint), |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 350 | ("pid", ct.c_uint), |
| 351 | ("comm", ct.c_char * 16) # TASK_COMM_LEN |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 352 | ]) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 353 | for i in range(0, len(self.types)): |
| 354 | self._generate_python_field_decl(i, fields) |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 355 | if self.kernel_stack: |
| 356 | fields.append(("kernel_stack_id", ct.c_int)) |
| 357 | if self.user_stack: |
| 358 | fields.append(("user_stack_id", ct.c_int)) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 359 | return type(self.python_struct_name, (ct.Structure,), |
| 360 | dict(_fields_=fields)) |
| 361 | |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 362 | c_type = {"u": "unsigned int", "d": "int", |
yonghong-song | f720257 | 2018-09-19 08:50:59 -0700 | [diff] [blame] | 363 | "lu": "unsigned long", "ld": "long", |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 364 | "llu": "unsigned long long", "lld": "long long", |
| 365 | "hu": "unsigned short", "hd": "short", |
yonghong-song | f720257 | 2018-09-19 08:50:59 -0700 | [diff] [blame] | 366 | "x": "unsigned int", "lx": "unsigned long", |
| 367 | "llx": "unsigned long long", |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 368 | "c": "char", "K": "unsigned long long", |
| 369 | "U": "unsigned long long"} |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 370 | fmt_types = c_type.keys() |
| 371 | |
| 372 | def _generate_field_decl(self, idx): |
| 373 | field_type = self.types[idx] |
| 374 | if field_type == "s": |
| 375 | return "char v%d[%d];\n" % (idx, self.string_size) |
| 376 | if field_type in Probe.fmt_types: |
| 377 | return "%s v%d;\n" % (Probe.c_type[field_type], idx) |
| 378 | self._bail("unrecognized format specifier %s" % field_type) |
| 379 | |
| 380 | def _generate_data_decl(self): |
| 381 | # The BPF program will populate values into the struct |
| 382 | # according to the format string, and the Python program will |
| 383 | # construct the final display string. |
| 384 | self.events_name = "%s_events" % self.probe_name |
| 385 | self.struct_name = "%s_data_t" % self.probe_name |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 386 | self.stacks_name = "%s_stacks" % self.probe_name |
vijunag | 9924e64 | 2019-01-23 12:35:33 +0530 | [diff] [blame] | 387 | stack_type = "BPF_STACK_TRACE" if self.build_id_enabled is False \ |
| 388 | else "BPF_STACK_TRACE_BUILDID" |
Jonathan Giddy | ec0691e | 2021-02-21 09:44:26 +0000 | [diff] [blame] | 389 | stack_table = "%s(%s, 1024);" % (stack_type, self.stacks_name) \ |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 390 | if (self.kernel_stack or self.user_stack) else "" |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 391 | data_fields = "" |
| 392 | for i, field_type in enumerate(self.types): |
| 393 | data_fields += " " + \ |
| 394 | self._generate_field_decl(i) |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 395 | time_str = "u64 timestamp_ns;" if self.time_field else "" |
| 396 | cpu_str = "int cpu;" if self.print_cpu else "" |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 397 | kernel_stack_str = " int kernel_stack_id;" \ |
| 398 | if self.kernel_stack else "" |
| 399 | user_stack_str = " int user_stack_id;" \ |
| 400 | if self.user_stack else "" |
| 401 | |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 402 | text = """ |
| 403 | struct %s |
| 404 | { |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 405 | %s |
| 406 | %s |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 407 | u32 tgid; |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 408 | u32 pid; |
| 409 | char comm[TASK_COMM_LEN]; |
| 410 | %s |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 411 | %s |
| 412 | %s |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 413 | u32 uid; |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 414 | }; |
| 415 | |
| 416 | BPF_PERF_OUTPUT(%s); |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 417 | %s |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 418 | """ |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 419 | return text % (self.struct_name, time_str, cpu_str, data_fields, |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 420 | kernel_stack_str, user_stack_str, |
| 421 | self.events_name, stack_table) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 422 | |
| 423 | def _generate_field_assign(self, idx): |
| 424 | field_type = self.types[idx] |
Sasha Goldshtein | 69e361a | 2016-09-27 19:40:00 +0300 | [diff] [blame] | 425 | expr = self.values[idx].strip() |
| 426 | text = "" |
| 427 | if self.probe_type == "u" and expr[0:3] == "arg": |
Sasha Goldshtein | 3a5256f | 2017-02-20 15:42:57 +0000 | [diff] [blame] | 428 | arg_index = int(expr[3]) |
| 429 | arg_ctype = self.usdt.get_probe_arg_ctype( |
| 430 | self.usdt_name, arg_index - 1) |
| 431 | text = (" %s %s = 0;\n" + |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 432 | " bpf_usdt_readarg(%s, ctx, &%s);\n") \ |
Sasha Goldshtein | 3a5256f | 2017-02-20 15:42:57 +0000 | [diff] [blame] | 433 | % (arg_ctype, expr, expr[3], expr) |
Sumanth Korikkar | 7f6066d | 2020-05-20 10:49:56 -0500 | [diff] [blame] | 434 | probe_read_func = "bpf_probe_read_kernel" |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 435 | if field_type == "s": |
Sumanth Korikkar | 7cbd074 | 2020-04-27 09:09:28 -0500 | [diff] [blame] | 436 | if self.library: |
| 437 | probe_read_func = "bpf_probe_read_user" |
| 438 | else: |
| 439 | alias_to_check = Probe.aliases_indarg \ |
| 440 | if self.is_syscall_kprobe \ |
| 441 | else Probe.aliases_arg |
| 442 | for arg, alias in alias_to_check.items(): |
| 443 | if alias == expr and arg in self.probe_user_list: |
| 444 | probe_read_func = "bpf_probe_read_user" |
| 445 | break |
Sasha Goldshtein | 69e361a | 2016-09-27 19:40:00 +0300 | [diff] [blame] | 446 | return text + """ |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 447 | if (%s != 0) { |
yonghong-song | 61484e1 | 2018-09-17 22:24:31 -0700 | [diff] [blame] | 448 | void *__tmp = (void *)%s; |
Sumanth Korikkar | 7cbd074 | 2020-04-27 09:09:28 -0500 | [diff] [blame] | 449 | %s(&__data.v%d, sizeof(__data.v%d), __tmp); |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 450 | } |
Sumanth Korikkar | 7cbd074 | 2020-04-27 09:09:28 -0500 | [diff] [blame] | 451 | """ % (expr, expr, probe_read_func, idx, idx) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 452 | if field_type in Probe.fmt_types: |
Sasha Goldshtein | 69e361a | 2016-09-27 19:40:00 +0300 | [diff] [blame] | 453 | return text + " __data.v%d = (%s)%s;\n" % \ |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 454 | (idx, Probe.c_type[field_type], expr) |
| 455 | self._bail("unrecognized field type %s" % field_type) |
| 456 | |
Teng Qin | 0615bff | 2016-09-28 08:19:40 -0700 | [diff] [blame] | 457 | def _generate_usdt_filter_read(self): |
| 458 | text = "" |
Sasha Goldshtein | b630092 | 2017-01-16 18:43:11 +0000 | [diff] [blame] | 459 | if self.probe_type != "u": |
| 460 | return text |
yonghong-song | 2da3426 | 2018-06-13 06:12:22 -0700 | [diff] [blame] | 461 | for arg, _ in Probe.aliases_arg.items(): |
| 462 | if not (arg in self.filter): |
Sasha Goldshtein | b630092 | 2017-01-16 18:43:11 +0000 | [diff] [blame] | 463 | continue |
| 464 | arg_index = int(arg.replace("arg", "")) |
| 465 | arg_ctype = self.usdt.get_probe_arg_ctype( |
Sasha Goldshtein | dcf1675 | 2017-01-17 07:40:57 +0000 | [diff] [blame] | 466 | self.usdt_name, arg_index - 1) |
Sasha Goldshtein | b630092 | 2017-01-16 18:43:11 +0000 | [diff] [blame] | 467 | if not arg_ctype: |
| 468 | self._bail("Unable to determine type of {} " |
| 469 | "in the filter".format(arg)) |
| 470 | text += """ |
Teng Qin | 0615bff | 2016-09-28 08:19:40 -0700 | [diff] [blame] | 471 | {} {}_filter; |
| 472 | bpf_usdt_readarg({}, ctx, &{}_filter); |
Sasha Goldshtein | b630092 | 2017-01-16 18:43:11 +0000 | [diff] [blame] | 473 | """.format(arg_ctype, arg, arg_index, arg) |
| 474 | self.filter = self.filter.replace( |
| 475 | arg, "{}_filter".format(arg)) |
Teng Qin | 0615bff | 2016-09-28 08:19:40 -0700 | [diff] [blame] | 476 | return text |
| 477 | |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 478 | def generate_program(self, include_self): |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 479 | data_decl = self._generate_data_decl() |
Sasha Goldshtein | b630092 | 2017-01-16 18:43:11 +0000 | [diff] [blame] | 480 | if Probe.pid != -1: |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 481 | pid_filter = """ |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 482 | if (__pid != %d) { return 0; } |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 483 | """ % Probe.pid |
Sasha Goldshtein | b630092 | 2017-01-16 18:43:11 +0000 | [diff] [blame] | 484 | # uprobes can have a built-in tgid filter passed to |
| 485 | # attach_uprobe, hence the check here -- for kprobes, we |
| 486 | # need to do the tgid test by hand: |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 487 | elif len(self.library) == 0 and Probe.tgid != -1: |
| 488 | pid_filter = """ |
| 489 | if (__tgid != %d) { return 0; } |
| 490 | """ % Probe.tgid |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 491 | elif not include_self: |
| 492 | pid_filter = """ |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 493 | if (__tgid == %d) { return 0; } |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 494 | """ % os.getpid() |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 495 | else: |
| 496 | pid_filter = "" |
| 497 | |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 498 | if Probe.uid != -1: |
| 499 | uid_filter = """ |
| 500 | if (__uid != %d) { return 0; } |
| 501 | """ % Probe.uid |
| 502 | else: |
| 503 | uid_filter = "" |
| 504 | |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 505 | if self.cgroup_map_name is not None: |
| 506 | cgroup_filter = """ |
| 507 | if (%s.check_current_task(0) <= 0) { return 0; } |
| 508 | """ % self.cgroup_map_name |
| 509 | else: |
| 510 | cgroup_filter = "" |
| 511 | |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 512 | prefix = "" |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 513 | signature = "struct pt_regs *ctx" |
Sasha Goldshtein | 23e72b8 | 2017-01-17 08:49:36 +0000 | [diff] [blame] | 514 | if self.signature: |
| 515 | signature += ", " + self.signature |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 516 | |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 517 | data_fields = "" |
| 518 | for i, expr in enumerate(self.values): |
| 519 | data_fields += self._generate_field_assign(i) |
| 520 | |
Sasha Goldshtein | 376ae5c | 2016-10-04 19:49:57 +0300 | [diff] [blame] | 521 | if self.probe_type == "t": |
| 522 | heading = "TRACEPOINT_PROBE(%s, %s)" % \ |
| 523 | (self.tp_category, self.tp_event) |
| 524 | ctx_name = "args" |
| 525 | else: |
| 526 | heading = "int %s(%s)" % (self.probe_name, signature) |
| 527 | ctx_name = "ctx" |
Sasha Goldshtein | 4725a72 | 2016-10-18 20:54:47 +0300 | [diff] [blame] | 528 | |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 529 | time_str = """ |
| 530 | __data.timestamp_ns = bpf_ktime_get_ns();""" if self.time_field else "" |
| 531 | cpu_str = """ |
| 532 | __data.cpu = bpf_get_smp_processor_id();""" if self.print_cpu else "" |
Sasha Goldshtein | 4725a72 | 2016-10-18 20:54:47 +0300 | [diff] [blame] | 533 | stack_trace = "" |
| 534 | if self.user_stack: |
| 535 | stack_trace += """ |
| 536 | __data.user_stack_id = %s.get_stackid( |
Yonghong Song | 90f2086 | 2019-11-27 09:16:23 -0800 | [diff] [blame] | 537 | %s, BPF_F_USER_STACK |
Sasha Goldshtein | 4725a72 | 2016-10-18 20:54:47 +0300 | [diff] [blame] | 538 | );""" % (self.stacks_name, ctx_name) |
| 539 | if self.kernel_stack: |
| 540 | stack_trace += """ |
| 541 | __data.kernel_stack_id = %s.get_stackid( |
Yonghong Song | 90f2086 | 2019-11-27 09:16:23 -0800 | [diff] [blame] | 542 | %s, 0 |
Sasha Goldshtein | 4725a72 | 2016-10-18 20:54:47 +0300 | [diff] [blame] | 543 | );""" % (self.stacks_name, ctx_name) |
| 544 | |
Sasha Goldshtein | 376ae5c | 2016-10-04 19:49:57 +0300 | [diff] [blame] | 545 | text = heading + """ |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 546 | { |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 547 | u64 __pid_tgid = bpf_get_current_pid_tgid(); |
| 548 | u32 __tgid = __pid_tgid >> 32; |
| 549 | u32 __pid = __pid_tgid; // implicit cast to u32 for bottom half |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 550 | u32 __uid = bpf_get_current_uid_gid(); |
| 551 | %s |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 552 | %s |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 553 | %s |
Teng Qin | 0615bff | 2016-09-28 08:19:40 -0700 | [diff] [blame] | 554 | %s |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 555 | %s |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 556 | if (!(%s)) return 0; |
| 557 | |
| 558 | struct %s __data = {0}; |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 559 | %s |
| 560 | %s |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 561 | __data.tgid = __tgid; |
| 562 | __data.pid = __pid; |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 563 | __data.uid = __uid; |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 564 | bpf_get_current_comm(&__data.comm, sizeof(__data.comm)); |
| 565 | %s |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 566 | %s |
Sasha Goldshtein | 376ae5c | 2016-10-04 19:49:57 +0300 | [diff] [blame] | 567 | %s.perf_submit(%s, &__data, sizeof(__data)); |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 568 | return 0; |
| 569 | } |
| 570 | """ |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 571 | text = text % (pid_filter, uid_filter, cgroup_filter, prefix, |
Teng Qin | 0615bff | 2016-09-28 08:19:40 -0700 | [diff] [blame] | 572 | self._generate_usdt_filter_read(), self.filter, |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 573 | self.struct_name, time_str, cpu_str, data_fields, |
Sasha Goldshtein | 376ae5c | 2016-10-04 19:49:57 +0300 | [diff] [blame] | 574 | stack_trace, self.events_name, ctx_name) |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 575 | |
Sasha Goldshtein | f4797b0 | 2016-10-17 01:44:56 -0700 | [diff] [blame] | 576 | return self.streq_functions + data_decl + "\n" + text |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 577 | |
| 578 | @classmethod |
| 579 | def _time_off_str(cls, timestamp_ns): |
Maik Riechert | 3a0d3c4 | 2019-05-23 17:57:10 +0100 | [diff] [blame] | 580 | offset = 1e-9 * (timestamp_ns - cls.first_ts) |
| 581 | if cls.print_unix_timestamp: |
| 582 | return "%.6f" % (offset + cls.first_ts_real) |
| 583 | else: |
| 584 | return "%.6f" % offset |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 585 | |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 586 | def _display_function(self): |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 587 | if self.probe_type == 'p' or self.probe_type == 'r': |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 588 | return self.function |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 589 | elif self.probe_type == 'u': |
| 590 | return self.usdt_name |
| 591 | else: # self.probe_type == 't' |
| 592 | return self.tp_event |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 593 | |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 594 | def _stack_to_string(self, bpf, stack_id, tgid): |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 595 | if stack_id < 0: |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 596 | return (" %d" % stack_id) |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 597 | |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 598 | stackstr = '' |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 599 | stack = list(bpf.get_table(self.stacks_name).walk(stack_id)) |
| 600 | for addr in stack: |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 601 | stackstr += ' ' |
Mirek Klimos | e538228 | 2018-01-26 14:52:50 -0800 | [diff] [blame] | 602 | if Probe.print_address: |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 603 | stackstr += ("%16x " % addr) |
| 604 | symstr = bpf.sym(addr, tgid, show_module=True, show_offset=True) |
| 605 | stackstr += ('%s\n' % (symstr.decode('utf-8'))) |
| 606 | |
| 607 | return stackstr |
Sasha Goldshtein | accd4cf | 2016-10-11 07:56:13 -0700 | [diff] [blame] | 608 | |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 609 | def _format_message(self, bpf, tgid, values): |
| 610 | # Replace each %K with kernel sym and %U with user sym in tgid |
Rafael Fonseca | aee5ecf | 2017-02-08 16:14:31 +0100 | [diff] [blame] | 611 | kernel_placeholders = [i for i, t in enumerate(self.types) |
| 612 | if t == 'K'] |
| 613 | user_placeholders = [i for i, t in enumerate(self.types) |
| 614 | if t == 'U'] |
Sasha Goldshtein | accd4cf | 2016-10-11 07:56:13 -0700 | [diff] [blame] | 615 | for kp in kernel_placeholders: |
Sasha Goldshtein | 0155385 | 2017-02-09 03:58:09 -0500 | [diff] [blame] | 616 | values[kp] = bpf.ksym(values[kp], show_offset=True) |
Sasha Goldshtein | accd4cf | 2016-10-11 07:56:13 -0700 | [diff] [blame] | 617 | for up in user_placeholders: |
Sasha Goldshtein | 1e34f4e | 2017-02-09 00:21:49 -0500 | [diff] [blame] | 618 | values[up] = bpf.sym(values[up], tgid, |
Sasha Goldshtein | 0155385 | 2017-02-09 03:58:09 -0500 | [diff] [blame] | 619 | show_module=True, show_offset=True) |
Sasha Goldshtein | accd4cf | 2016-10-11 07:56:13 -0700 | [diff] [blame] | 620 | return self.python_format % tuple(values) |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 621 | |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 622 | def print_aggregate_events(self): |
| 623 | for k, v in sorted(self.symcount.items(), key=lambda item: \ |
| 624 | item[1], reverse=True): |
| 625 | print("%s-->COUNT %d\n\n" % (k, v), end="") |
| 626 | |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 627 | def print_event(self, bpf, cpu, data, size): |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 628 | # Cast as the generated structure type and display |
| 629 | # according to the format string in the probe. |
| 630 | event = ct.cast(data, ct.POINTER(self.python_struct)).contents |
Jonathan Giddy | ec0691e | 2021-02-21 09:44:26 +0000 | [diff] [blame] | 631 | if self.name not in event.comm: |
tty5 | 9ce7b7e | 2019-12-04 22:49:38 +0800 | [diff] [blame] | 632 | return |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 633 | values = map(lambda i: getattr(event, "v%d" % i), |
| 634 | range(0, len(self.values))) |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 635 | msg = self._format_message(bpf, event.tgid, values) |
Jonathan Giddy | ec0691e | 2021-02-21 09:44:26 +0000 | [diff] [blame] | 636 | if self.msg_filter and self.msg_filter not in msg: |
tty5 | 5cf529e | 2019-12-06 17:52:56 +0800 | [diff] [blame] | 637 | return |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 638 | eventstr = '' |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 639 | if Probe.print_time: |
Sasha Goldshtein | 49d50ba | 2016-12-19 10:17:38 +0000 | [diff] [blame] | 640 | time = strftime("%H:%M:%S") if Probe.use_localtime else \ |
| 641 | Probe._time_off_str(event.timestamp_ns) |
Maik Riechert | 3a0d3c4 | 2019-05-23 17:57:10 +0100 | [diff] [blame] | 642 | if Probe.print_unix_timestamp: |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 643 | eventstr += ("%-17s " % time[:17]) |
Maik Riechert | 3a0d3c4 | 2019-05-23 17:57:10 +0100 | [diff] [blame] | 644 | else: |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 645 | eventstr += ("%-8s " % time[:8]) |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 646 | if Probe.print_cpu: |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 647 | eventstr += ("%-3s " % event.cpu) |
| 648 | eventstr += ("%-7d %-7d %-15s %-16s %s\n" % |
jeromemarchand | b96ebcd | 2018-10-10 01:58:15 +0200 | [diff] [blame] | 649 | (event.tgid, event.pid, |
| 650 | event.comm.decode('utf-8', 'replace'), |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 651 | self._display_function(), msg)) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 652 | |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 653 | if self.kernel_stack: |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 654 | eventstr += self._stack_to_string(bpf, event.kernel_stack_id, -1) |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 655 | if self.user_stack: |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 656 | eventstr += self._stack_to_string(bpf, event.user_stack_id, event.tgid) |
| 657 | |
| 658 | if self.aggregate is False: |
| 659 | print(eventstr, end="") |
| 660 | if self.kernel_stack or self.user_stack: |
Sasha Goldshtein | accd4cf | 2016-10-11 07:56:13 -0700 | [diff] [blame] | 661 | print("") |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 662 | else: |
| 663 | if eventstr in self.symcount: |
| 664 | self.symcount[eventstr] += 1 |
| 665 | else: |
| 666 | self.symcount[eventstr] = 1 |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 667 | |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 668 | Probe.event_count += 1 |
| 669 | if Probe.max_events is not None and \ |
| 670 | Probe.event_count >= Probe.max_events: |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 671 | if self.aggregate: |
| 672 | self.print_aggregate_events() |
| 673 | sys.stdout.flush() |
| 674 | exit() |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 675 | |
| 676 | def attach(self, bpf, verbose): |
| 677 | if len(self.library) == 0: |
| 678 | self._attach_k(bpf) |
| 679 | else: |
| 680 | self._attach_u(bpf) |
| 681 | self.python_struct = self._generate_python_data_decl() |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 682 | callback = partial(self.print_event, bpf) |
Mark Drayton | 5f5687e | 2017-02-20 18:13:03 +0000 | [diff] [blame] | 683 | bpf[self.events_name].open_perf_buffer(callback, |
| 684 | page_cnt=self.page_cnt) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 685 | |
| 686 | def _attach_k(self, bpf): |
| 687 | if self.probe_type == "r": |
| 688 | bpf.attach_kretprobe(event=self.function, |
| 689 | fn_name=self.probe_name) |
Sasha Goldshtein | 376ae5c | 2016-10-04 19:49:57 +0300 | [diff] [blame] | 690 | elif self.probe_type == "p": |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 691 | bpf.attach_kprobe(event=self.function, |
Ferenc Fejes | d7b427e | 2020-08-01 21:18:57 +0200 | [diff] [blame] | 692 | fn_name=self.probe_name, |
| 693 | event_off=self.offset) |
Sasha Goldshtein | 376ae5c | 2016-10-04 19:49:57 +0300 | [diff] [blame] | 694 | # Note that tracepoints don't need an explicit attach |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 695 | |
| 696 | def _attach_u(self, bpf): |
| 697 | libpath = BPF.find_library(self.library) |
| 698 | if libpath is None: |
| 699 | # This might be an executable (e.g. 'bash') |
Sasha Goldshtein | ec67971 | 2016-10-04 18:33:36 +0300 | [diff] [blame] | 700 | libpath = BPF.find_exe(self.library) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 701 | if libpath is None or len(libpath) == 0: |
| 702 | self._bail("unable to find library %s" % self.library) |
| 703 | |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 704 | if self.probe_type == "u": |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 705 | pass # Was already enabled by the BPF constructor |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 706 | elif self.probe_type == "r": |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 707 | bpf.attach_uretprobe(name=libpath, |
| 708 | sym=self.function, |
| 709 | fn_name=self.probe_name, |
Sasha Goldshtein | b630092 | 2017-01-16 18:43:11 +0000 | [diff] [blame] | 710 | pid=Probe.tgid) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 711 | else: |
| 712 | bpf.attach_uprobe(name=libpath, |
| 713 | sym=self.function, |
| 714 | fn_name=self.probe_name, |
Ferenc Fejes | d7b427e | 2020-08-01 21:18:57 +0200 | [diff] [blame] | 715 | pid=Probe.tgid, |
| 716 | sym_off=self.offset) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 717 | |
| 718 | class Tool(object): |
Mark Drayton | 5f5687e | 2017-02-20 18:13:03 +0000 | [diff] [blame] | 719 | DEFAULT_PERF_BUFFER_PAGES = 64 |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 720 | examples = """ |
| 721 | EXAMPLES: |
| 722 | |
Sasha Goldshtein | 8acd015 | 2016-02-22 02:25:03 -0800 | [diff] [blame] | 723 | trace do_sys_open |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 724 | Trace the open syscall and print a default trace message when entered |
Ferenc Fejes | d7b427e | 2020-08-01 21:18:57 +0200 | [diff] [blame] | 725 | trace kfree_skb+0x12 |
| 726 | Trace the kfree_skb kernel function after the instruction on the 0x12 offset |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 727 | trace 'do_sys_open "%s", arg2@user' |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 728 | Trace the open syscall and print the filename being opened @user is |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 729 | added to arg2 in kprobes to ensure that char * should be copied from |
| 730 | the userspace stack to the bpf stack. If not specified, previous |
| 731 | behaviour is expected. |
| 732 | |
| 733 | trace 'do_sys_open "%s", arg2@user' -n main |
tty5 | 9ce7b7e | 2019-12-04 22:49:38 +0800 | [diff] [blame] | 734 | Trace the open syscall and only print event that process names containing "main" |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 735 | trace 'do_sys_open "%s", arg2@user' --uid 1001 |
| 736 | Trace the open syscall and only print event that processes with user ID 1001 |
| 737 | trace 'do_sys_open "%s", arg2@user' -f config |
tty5 | 5cf529e | 2019-12-06 17:52:56 +0800 | [diff] [blame] | 738 | Trace the open syscall and print the filename being opened filtered by "config" |
Sasha Goldshtein | 8acd015 | 2016-02-22 02:25:03 -0800 | [diff] [blame] | 739 | trace 'sys_read (arg3 > 20000) "read %d bytes", arg3' |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 740 | Trace the read syscall and print a message for reads >20000 bytes |
Sasha Goldshtein | 23e72b8 | 2017-01-17 08:49:36 +0000 | [diff] [blame] | 741 | trace 'r::do_sys_open "%llx", retval' |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 742 | Trace the return from the open syscall and print the return value |
Sasha Goldshtein | 8acd015 | 2016-02-22 02:25:03 -0800 | [diff] [blame] | 743 | trace 'c:open (arg2 == 42) "%s %d", arg1, arg2' |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 744 | Trace the open() call from libc only if the flags (arg2) argument is 42 |
Sasha Goldshtein | 8acd015 | 2016-02-22 02:25:03 -0800 | [diff] [blame] | 745 | trace 'c:malloc "size = %d", arg1' |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 746 | Trace malloc calls and print the size being allocated |
Sasha Goldshtein | 8acd015 | 2016-02-22 02:25:03 -0800 | [diff] [blame] | 747 | trace 'p:c:write (arg1 == 1) "writing %d bytes to STDOUT", arg3' |
| 748 | Trace the write() call from libc to monitor writes to STDOUT |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 749 | trace 'r::__kmalloc (retval == 0) "kmalloc failed!"' |
Sasha Goldshtein | 8acd015 | 2016-02-22 02:25:03 -0800 | [diff] [blame] | 750 | Trace returns from __kmalloc which returned a null pointer |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 751 | trace 'r:c:malloc (retval) "allocated = %x", retval' |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 752 | Trace returns from malloc and print non-NULL allocated buffers |
Sasha Goldshtein | 376ae5c | 2016-10-04 19:49:57 +0300 | [diff] [blame] | 753 | trace 't:block:block_rq_complete "sectors=%d", args->nr_sector' |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 754 | Trace the block_rq_complete kernel tracepoint and print # of tx sectors |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 755 | trace 'u:pthread:pthread_create (arg4 != 0)' |
| 756 | Trace the USDT probe pthread_create when its 4th argument is non-zero |
Fuji Goro | 2162516 | 2020-03-08 08:16:54 +0000 | [diff] [blame] | 757 | trace 'u:pthread:libpthread:pthread_create (arg4 != 0)' |
| 758 | Ditto, but the provider name "libpthread" is specified. |
Sasha Goldshtein | 23e72b8 | 2017-01-17 08:49:36 +0000 | [diff] [blame] | 759 | trace 'p::SyS_nanosleep(struct timespec *ts) "sleep for %lld ns", ts->tv_nsec' |
| 760 | Trace the nanosleep syscall and print the sleep duration in ns |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 761 | trace -c /sys/fs/cgroup/system.slice/workload.service '__x64_sys_nanosleep' '__x64_sys_clone' |
| 762 | Trace nanosleep/clone syscall calls only under workload.service |
| 763 | cgroup hierarchy. |
Yonghong Song | f4470dc | 2017-12-13 14:12:13 -0800 | [diff] [blame] | 764 | trace -I 'linux/fs.h' \\ |
| 765 | 'p::uprobe_register(struct inode *inode) "a_ops = %llx", inode->i_mapping->a_ops' |
| 766 | Trace the uprobe_register inode mapping ops, and the symbol can be found |
| 767 | in /proc/kallsyms |
| 768 | trace -I 'kernel/sched/sched.h' \\ |
| 769 | 'p::__account_cfs_rq_runtime(struct cfs_rq *cfs_rq) "%d", cfs_rq->runtime_remaining' |
| 770 | Trace the cfs scheduling runqueue remaining runtime. The struct cfs_rq is defined |
| 771 | in kernel/sched/sched.h which is in kernel source tree and not in kernel-devel |
| 772 | package. So this command needs to run at the kernel source tree root directory |
| 773 | so that the added header file can be found by the compiler. |
tehnerd | 86293f0 | 2018-01-23 21:21:58 -0800 | [diff] [blame] | 774 | trace -I 'net/sock.h' \\ |
| 775 | 'udpv6_sendmsg(struct sock *sk) (sk->sk_dport == 13568)' |
| 776 | Trace udpv6 sendmsg calls only if socket's destination port is equal |
| 777 | to 53 (DNS; 13568 in big endian order) |
Yonghong Song | f92fef2 | 2018-01-24 20:51:46 -0800 | [diff] [blame] | 778 | trace -I 'linux/fs_struct.h' 'mntns_install "users = %d", $task->fs->users' |
| 779 | Trace the number of users accessing the file system of the current task |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 780 | trace -s /lib/x86_64-linux-gnu/libc.so.6,/bin/ping 'p:c:inet_pton' -U |
| 781 | Trace inet_pton system call and use the specified libraries/executables for |
| 782 | symbol resolution. |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 783 | """ |
| 784 | |
| 785 | def __init__(self): |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 786 | parser = argparse.ArgumentParser(description="Attach to " + |
| 787 | "functions and print trace messages.", |
| 788 | formatter_class=argparse.RawDescriptionHelpFormatter, |
| 789 | epilog=Tool.examples) |
Mark Drayton | 5f5687e | 2017-02-20 18:13:03 +0000 | [diff] [blame] | 790 | parser.add_argument("-b", "--buffer-pages", type=int, |
| 791 | default=Tool.DEFAULT_PERF_BUFFER_PAGES, |
| 792 | help="number of pages to use for perf_events ring buffer " |
| 793 | "(default: %(default)d)") |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 794 | # we'll refer to the userspace concepts of "pid" and "tid" by |
| 795 | # their kernel names -- tgid and pid -- inside the script |
| 796 | parser.add_argument("-p", "--pid", type=int, metavar="PID", |
| 797 | dest="tgid", help="id of the process to trace (optional)") |
Sasha Goldshtein | 49d50ba | 2016-12-19 10:17:38 +0000 | [diff] [blame] | 798 | parser.add_argument("-L", "--tid", type=int, metavar="TID", |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 799 | dest="pid", help="id of the thread to trace (optional)") |
evilpan | f32f772 | 2021-12-11 00:58:51 +0800 | [diff] [blame] | 800 | parser.add_argument("--uid", type=int, metavar="UID", |
| 801 | dest="uid", help="id of the user to trace (optional)") |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 802 | parser.add_argument("-v", "--verbose", action="store_true", |
| 803 | help="print resulting BPF program code before executing") |
| 804 | parser.add_argument("-Z", "--string-size", type=int, |
| 805 | default=80, help="maximum size to read from strings") |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 806 | parser.add_argument("-S", "--include-self", |
| 807 | action="store_true", |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 808 | help="do not filter trace's own pid from the trace") |
| 809 | parser.add_argument("-M", "--max-events", type=int, |
| 810 | help="number of events to print before quitting") |
Sasha Goldshtein | 49d50ba | 2016-12-19 10:17:38 +0000 | [diff] [blame] | 811 | parser.add_argument("-t", "--timestamp", action="store_true", |
| 812 | help="print timestamp column (offset from trace start)") |
Maik Riechert | 3a0d3c4 | 2019-05-23 17:57:10 +0100 | [diff] [blame] | 813 | parser.add_argument("-u", "--unix-timestamp", action="store_true", |
| 814 | help="print UNIX timestamp instead of offset from trace start, requires -t") |
Sasha Goldshtein | 49d50ba | 2016-12-19 10:17:38 +0000 | [diff] [blame] | 815 | parser.add_argument("-T", "--time", action="store_true", |
| 816 | help="print time column") |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 817 | parser.add_argument("-C", "--print_cpu", action="store_true", |
| 818 | help="print CPU id") |
Jonathan Giddy | ec0691e | 2021-02-21 09:44:26 +0000 | [diff] [blame] | 819 | parser.add_argument("-c", "--cgroup-path", type=str, |
| 820 | metavar="CGROUP_PATH", dest="cgroup_path", |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 821 | help="cgroup path") |
tty5 | 9ce7b7e | 2019-12-04 22:49:38 +0800 | [diff] [blame] | 822 | parser.add_argument("-n", "--name", type=str, |
| 823 | help="only print process names containing this name") |
tty5 | 5cf529e | 2019-12-06 17:52:56 +0800 | [diff] [blame] | 824 | parser.add_argument("-f", "--msg-filter", type=str, dest="msg_filter", |
| 825 | help="only print the msg of event containing this string") |
Nikita V. Shirokov | 3953c70 | 2018-07-27 16:13:47 -0700 | [diff] [blame] | 826 | parser.add_argument("-B", "--bin_cmp", action="store_true", |
| 827 | help="allow to use STRCMP with binary values") |
Jonathan Giddy | ec0691e | 2021-02-21 09:44:26 +0000 | [diff] [blame] | 828 | parser.add_argument('-s', "--sym_file_list", type=str, |
| 829 | metavar="SYM_FILE_LIST", dest="sym_file_list", |
vijunag | 9924e64 | 2019-01-23 12:35:33 +0530 | [diff] [blame] | 830 | help="coma separated list of symbol files to use \ |
| 831 | for symbol resolution") |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 832 | parser.add_argument("-K", "--kernel-stack", |
| 833 | action="store_true", help="output kernel stack trace") |
| 834 | parser.add_argument("-U", "--user-stack", |
| 835 | action="store_true", help="output user stack trace") |
Mirek Klimos | e538228 | 2018-01-26 14:52:50 -0800 | [diff] [blame] | 836 | parser.add_argument("-a", "--address", action="store_true", |
| 837 | help="print virtual address in stacks") |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 838 | parser.add_argument(metavar="probe", dest="probes", nargs="+", |
| 839 | help="probe specifier (see examples)") |
Sasha Goldshtein | 4725a72 | 2016-10-18 20:54:47 +0300 | [diff] [blame] | 840 | parser.add_argument("-I", "--include", action="append", |
| 841 | metavar="header", |
ShelbyFrances | f5dbbdb | 2017-02-08 05:56:52 +0300 | [diff] [blame] | 842 | help="additional header files to include in the BPF program " |
Yonghong Song | f4470dc | 2017-12-13 14:12:13 -0800 | [diff] [blame] | 843 | "as either full path, " |
| 844 | "or relative to current working directory, " |
| 845 | "or relative to default kernel header search path") |
zhenwei pi | 047541c | 2022-01-13 19:56:32 +0800 | [diff] [blame] | 846 | parser.add_argument("-A", "--aggregate", action="store_true", |
| 847 | help="aggregate amount of each trace") |
Nathan Scott | cf0792f | 2018-02-02 16:56:50 +1100 | [diff] [blame] | 848 | parser.add_argument("--ebpf", action="store_true", |
| 849 | help=argparse.SUPPRESS) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 850 | self.args = parser.parse_args() |
Mark Drayton | aa6c916 | 2016-11-03 15:36:29 +0000 | [diff] [blame] | 851 | if self.args.tgid and self.args.pid: |
Yonghong Song | f4470dc | 2017-12-13 14:12:13 -0800 | [diff] [blame] | 852 | parser.error("only one of -p and -L may be specified") |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 853 | if self.args.cgroup_path is not None: |
| 854 | self.cgroup_map_name = "__cgroup" |
| 855 | else: |
| 856 | self.cgroup_map_name = None |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 857 | |
| 858 | def _create_probes(self): |
| 859 | Probe.configure(self.args) |
| 860 | self.probes = [] |
| 861 | for probe_spec in self.args.probes: |
| 862 | self.probes.append(Probe( |
Teng Qin | 6b0ed37 | 2016-09-29 21:30:13 -0700 | [diff] [blame] | 863 | probe_spec, self.args.string_size, |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 864 | self.args.kernel_stack, self.args.user_stack, |
tty5 | 5cf529e | 2019-12-06 17:52:56 +0800 | [diff] [blame] | 865 | self.cgroup_map_name, self.args.name, self.args.msg_filter)) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 866 | |
| 867 | def _generate_program(self): |
| 868 | self.program = """ |
| 869 | #include <linux/ptrace.h> |
| 870 | #include <linux/sched.h> /* For TASK_COMM_LEN */ |
| 871 | |
| 872 | """ |
Sasha Goldshtein | 4725a72 | 2016-10-18 20:54:47 +0300 | [diff] [blame] | 873 | for include in (self.args.include or []): |
ShelbyFrances | f5dbbdb | 2017-02-08 05:56:52 +0300 | [diff] [blame] | 874 | if include.startswith((".", "/")): |
| 875 | include = os.path.abspath(include) |
| 876 | self.program += "#include \"%s\"\n" % include |
| 877 | else: |
| 878 | self.program += "#include <%s>\n" % include |
Sasha Goldshtein | b950d6f | 2016-03-21 04:06:15 -0700 | [diff] [blame] | 879 | self.program += BPF.generate_auto_includes( |
Sasha Goldshtein | fd60d55 | 2016-03-01 12:15:34 -0800 | [diff] [blame] | 880 | map(lambda p: p.raw_probe, self.probes)) |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 881 | if self.cgroup_map_name is not None: |
| 882 | self.program += "BPF_CGROUP_ARRAY(%s, 1);\n" % \ |
| 883 | self.cgroup_map_name |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 884 | for probe in self.probes: |
| 885 | self.program += probe.generate_program( |
Sasha Goldshtein | 3e39a08 | 2016-03-24 08:39:47 -0700 | [diff] [blame] | 886 | self.args.include_self) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 887 | |
Nathan Scott | cf0792f | 2018-02-02 16:56:50 +1100 | [diff] [blame] | 888 | if self.args.verbose or self.args.ebpf: |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 889 | print(self.program) |
Nathan Scott | cf0792f | 2018-02-02 16:56:50 +1100 | [diff] [blame] | 890 | if self.args.ebpf: |
| 891 | exit() |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 892 | |
| 893 | def _attach_probes(self): |
Sasha Goldshtein | 69e361a | 2016-09-27 19:40:00 +0300 | [diff] [blame] | 894 | usdt_contexts = [] |
| 895 | for probe in self.probes: |
| 896 | if probe.usdt: |
| 897 | # USDT probes must be enabled before the BPF object |
| 898 | # is initialized, because that's where the actual |
| 899 | # uprobe is being attached. |
| 900 | probe.usdt.enable_probe( |
| 901 | probe.usdt_name, probe.probe_name) |
Sasha Goldshtein | f733cac | 2016-10-04 18:39:01 +0300 | [diff] [blame] | 902 | if self.args.verbose: |
| 903 | print(probe.usdt.get_text()) |
Sasha Goldshtein | 69e361a | 2016-09-27 19:40:00 +0300 | [diff] [blame] | 904 | usdt_contexts.append(probe.usdt) |
| 905 | self.bpf = BPF(text=self.program, usdt_contexts=usdt_contexts) |
vijunag | 9924e64 | 2019-01-23 12:35:33 +0530 | [diff] [blame] | 906 | if self.args.sym_file_list is not None: |
| 907 | print("Note: Kernel bpf will report stack map with ip/build_id") |
| 908 | map(lambda x: self.bpf.add_module(x), self.args.sym_file_list.split(',')) |
yonghong-song | c2a530b | 2019-10-20 09:35:55 -0700 | [diff] [blame] | 909 | |
| 910 | # if cgroup filter is requested, update the cgroup array map |
| 911 | if self.cgroup_map_name is not None: |
| 912 | cgroup_array = self.bpf.get_table(self.cgroup_map_name) |
| 913 | cgroup_array[0] = self.args.cgroup_path |
| 914 | |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 915 | for probe in self.probes: |
| 916 | if self.args.verbose: |
| 917 | print(probe) |
| 918 | probe.attach(self.bpf, self.args.verbose) |
| 919 | |
| 920 | def _main_loop(self): |
| 921 | all_probes_trivial = all(map(Probe.is_default_action, |
| 922 | self.probes)) |
| 923 | |
| 924 | # Print header |
Sasha Goldshtein | 49d50ba | 2016-12-19 10:17:38 +0000 | [diff] [blame] | 925 | if self.args.timestamp or self.args.time: |
Maik Riechert | 3a0d3c4 | 2019-05-23 17:57:10 +0100 | [diff] [blame] | 926 | col_fmt = "%-17s " if self.args.unix_timestamp else "%-8s " |
Jonathan Giddy | ec0691e | 2021-02-21 09:44:26 +0000 | [diff] [blame] | 927 | print(col_fmt % "TIME", end="") |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 928 | if self.args.print_cpu: |
Jonathan Giddy | ec0691e | 2021-02-21 09:44:26 +0000 | [diff] [blame] | 929 | print("%-3s " % "CPU", end="") |
Teng Qin | c200b6c | 2017-12-16 00:15:55 -0800 | [diff] [blame] | 930 | print("%-7s %-7s %-15s %-16s %s" % |
| 931 | ("PID", "TID", "COMM", "FUNC", |
| 932 | "-" if not all_probes_trivial else "")) |
Alban Crequy | 8bb4e47 | 2019-12-21 16:09:53 +0100 | [diff] [blame] | 933 | sys.stdout.flush() |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 934 | |
| 935 | while True: |
Teng Qin | dbf0029 | 2018-02-28 21:47:50 -0800 | [diff] [blame] | 936 | self.bpf.perf_buffer_poll() |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 937 | |
| 938 | def run(self): |
| 939 | try: |
| 940 | self._create_probes() |
| 941 | self._generate_program() |
| 942 | self._attach_probes() |
| 943 | self._main_loop() |
| 944 | except: |
Sasha Goldshtein | 2febc29 | 2017-02-13 20:25:32 -0500 | [diff] [blame] | 945 | exc_info = sys.exc_info() |
| 946 | sys_exit = exc_info[0] is SystemExit |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 947 | if self.args.verbose: |
| 948 | traceback.print_exc() |
Sasha Goldshtein | 2febc29 | 2017-02-13 20:25:32 -0500 | [diff] [blame] | 949 | elif not sys_exit: |
| 950 | print(exc_info[1]) |
| 951 | exit(0 if sys_exit else 1) |
Sasha Goldshtein | 38847f0 | 2016-02-22 02:19:24 -0800 | [diff] [blame] | 952 | |
| 953 | if __name__ == "__main__": |
Sasha Goldshtein | f41ae86 | 2016-10-19 01:14:30 +0300 | [diff] [blame] | 954 | Tool().run() |