1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
|
.\" -*- nroff -*-
.TH STAP 1 @DATE@ "Red Hat"
.SH NAME
stap \- systemtap script translator/driver
.\" macros
.de SAMPLE
.br
.RS
.nf
.nh
..
.de ESAMPLE
.hy
.fi
.RE
..
.SH SYNOPSIS
.br
.B stap
[
.I OPTIONS
]
.I FILENAME
[
.I ARGUMENTS
]
.br
.B stap
[
.I OPTIONS
]
.B \-
[
.I ARGUMENTS
]
.br
.B stap
[
.I OPTIONS
]
.BI \-e " SCRIPT"
[
.I ARGUMENTS
]
.br
.B stap
[
.I OPTIONS
]
.BI \-l " PROBE"
[
.I ARGUMENTS
]
.br
.B stap
[
.I OPTIONS
]
.BI \-L " PROBE"
[
.I ARGUMENTS
]
.SH DESCRIPTION
The
.IR stap
program is the front-end to the Systemtap tool. It accepts probing
instructions (written in a simple scripting language), translates
those instructions into C code, compiles this C code, and loads the
resulting kernel module into a running Linux kernel to perform the
requested system trace/probe functions. You can supply the script in
a named file, from standard input, or from the command line. The
program runs until it is interrupted by the user, or if the script
voluntarily invokes the
.I exit()
function, or by sufficient number of soft errors.
.PP
The language, which is described in a later section, is strictly typed,
declaration free, procedural, and inspired by
.IR awk .
It allows source code points or events in the kernel to be associated
with handlers, which are subroutines that are executed synchronously. It is
somewhat similar conceptually to "breakpoint command lists" in the
.IR gdb
debugger.
.PP
This manual corresponds to version @VERSION@.
.SH OPTIONS
The systemtap translator supports the following options. Any other option
prints a list of supported options.
.TP
.B \-h
Show help message.
.TP
.B \-V
Show version message.
.TP
.BI \-p " NUM"
Stop after pass NUM. The passes are numbered 1-5: parse, elaborate,
translate, compile, run. See the
.B PROCESSING
section for details.
.TP
.B \-v
Increase verbosity for all passes. Produce a larger volume of
informative (?) output each time option repeated.
.TP
.B \-\-vp ABCDE
Increase verbosity on a per-pass basis. For example, "\-\-vp\ 002"
adds 2 units of verbosity to pass 3 only. The combination "\-v\ \-\-vp\ 00004"
adds 1 unit of verbosity for all passes, and 4 more for pass 5.
.TP
.B \-k
Keep the temporary directory after all processing. This may be useful
in order to examine the generated C code, or to reuse the compiled
kernel object.
.TP
.B \-g
Guru mode. Enable parsing of unsafe expert-level constructs like
embedded C.
.TP
.B \-P
Prologue-searching mode. Activate heuristics to work around incorrect
debugging information for $target variables.
.TP
.B \-u
Unoptimized mode. Disable unused code elision during elaboration.
.TP
.B \-w
Suppressed warnings mode. Disables all warning messages.
.TP
.BI \-b
Use bulk mode (percpu files) for kernel-to-user data transfer.
.TP
.B \-t
Collect timing information on the number of times probe executes
and average amount of time spent in each probe.
.TP
.BI \-s NUM
Use NUM megabyte buffers for kernel-to-user data transfer. On a
multiprocessor in bulk mode, this is a per-processor amount.
.TP
.BI \-I " DIR"
Add the given directory to the tapset search directory. See the
description of pass 2 for details.
.TP
.BI \-D " NAME=VALUE"
Add the given C preprocessor directive to the module Makefile. These can
be used to override limit parameters described below.
.TP
.BI \-B " NAME=VALUE"
Add the given make directive to the kernel module build's make invocation.
These can be used to add or override kconfig options.
.TP
.BI \-R " DIR"
Look for the systemtap runtime sources in the given directory.
.TP
.BI \-r " /DIR"
Build for kernel in given build tree. Can also be set with the
.I SYSTEMTAP_RELEASE
environment variable.
.TP
.BI \-r " RELEASE"
Build for kernel in build tree
.BR /lib/modules/RELEASE/build .
Can also be set with the
.I SYSTEMTAP_RELEASE
environment variable.
.TP
.BI \-m " MODULE"
Use the given name for the generated kernel object module, instead
of a unique randomized name. The generated kernel object module is
copied to the current directory.
.TP
.BI \-d " MODULE"
Add symbol/unwind information for the given module into the kernel object
module. This may enable symbolic tracebacks from those modules/programs,
even if they do not have an explicit probe placed into them.
.TP
.BI \-o " FILE"
Send standard output to named file. In bulk mode, percpu files will
start with FILE_ (FILE_cpu with -F) followed by the cpu number.
This supports strftime(3) formats for FILE.
.TP
.BI \-c " CMD"
Start the probes, run CMD, and exit when CMD finishes.
.TP
.BI \-x " PID"
Sets target() to PID. This allows scripts to be written that filter on
a specific process.
.TP
.BI \-l " PROBE"
Instead of running a probe script, just list all available probe
points matching the given pattern. The pattern may include wildcards
and aliases.
.TP
.BI \-L " PROBE"
Similar to "-l", but list probe points and script-level local variables.
.TP
.BI \-F
Without -o option, load module and start probes, then detach from the module
leaving the probes running.
With -o option, run staprun in background as a daemon and show its pid.
.TP
.BI \-S " size[,N]"
Sets the maximum size of output file and the maximum number of output files.
If the size of output file will exceed
.B size
, systemtap switches output file to the next file. And if the number of
output files exceed
.B N
, systemtap removes the oldest output file. You can omit the second argument.
.TP
.B \-\-kelf
For names and addresses of functions to probe,
consult the symbol tables in the kernel and modules.
This can be useful if your kernel and/or modules were compiled
without debugging information, or the function you want to probe
is in an assembly-language file built without debugging information.
See the
.B "MAKING DO WITH SYMBOL TABLES"
section for more information.
.TP
.BI \-\-kmap [=FILE]
For names and addresses of kernel functions to probe,
consult the symbol table in the indicated text file.
The default is /boot/System.map-VERSION.
The contents of this file should be in the form of the default output from
.IR nm (1).
Only symbols of type T or t are used.
If you specify /proc/kallsyms or some other file in that format,
where lines for module symbols contain a fourth column,
reading of the symbol table stops with the first module symbol
(which should be right after the last kernel symbol).
As with
.BR \-\-kelf ,
the symbol table in each module's .ko file will also be consulted.
See the
.B "MAKING DO WITH SYMBOL TABLES"
section for more information.
.TP
.B \-\-ignore\-vmlinux
For testing, act as though neither the uncompressed kernel (vmlinux)
nor the kernel debugging information can be found.
.TP
.B \-\-ignore\-dwarf
For testing, act as though vmlinux and modules lack debugging information.
.TP
.B \-\-skip\-badvars
Ignore out of context variables and substitute with literal 0.
.SH ARGUMENTS
Any additional arguments on the command line are passed to the script
parser for substitution. See below.
.SH SCRIPT LANGUAGE
The systemtap script language resembles
.IR awk .
There are two main outermost constructs: probes and functions. Within
these, statements and expressions use C-like operator syntax and
precedence.
.SS GENERAL SYNTAX
Whitespace is ignored. Three forms of comments are supported:
.RS
.br
.BR # " ... shell style, to the end of line, except for $# and @#"
.br
.BR // " ... C++ style, to the end of line"
.br
.BR /* " ... C style ... " */
.RE
Literals are either strings enclosed in double-quotes (passing through
the usual C escape codes with backslashes), or integers (in decimal,
hexadecimal, or octal, using the same notation as in C). All strings
are limited in length to some reasonable value (a few hundred bytes).
Integers are 64-bit signed quantities, although the parser also accepts
(and wraps around) values above positive 2**63.
.PP
In addition, script arguments given at the end of the command line may
be inserted. Use
.B $1 ... $<NN>
for insertion unquoted,
.B @1 ... @<NN>
for insertion as a string literal. The number of arguments may be accessed
through
.B $#
(as an unquoted number) or through
.B @#
(as a quoted number). These may be used at any place a token may begin,
including within the preprocessing stage. Reference to an argument
number beyond what was actually given is an error.
.SS PREPROCESSING
A simple conditional preprocessing stage is run as a part of parsing.
The general form is similar to the
.RB cond " ? " exp1 " : " exp2
ternary operator:
.SAMPLE
.BR %( " CONDITION " %? " TRUE-TOKENS " %)
.BR %( " CONDITION " %? " TRUE-TOKENS " %: " FALSE-TOKENS " %)
.ESAMPLE
The CONDITION is either an expression whose format is determined by its
first keyword, or a string literals comparison or a numeric literals
comparison. It can be also composed of many alternatives and conjunctions
of CONDITIONs (meant as in previous sentence) using || and && respectively.
However, parentheses are not supported yet, so remembering that conjunction
takes precedence over alternative is important.
.PP
If the first part is the identifier
.BR kernel_vr " or " kernel_v
to refer to the kernel version number, with ("2.6.13\-1.322FC3smp") or
without ("2.6.13") the release code suffix, then
the second part is one of the six standard numeric comparison operators
.BR < ", " <= ", " == ", " != ", " > ", and " >= ,
and the third part is a string literal that contains an RPM-style
version-release value. The condition is deemed satisfied if the
version of the target kernel (as optionally overridden by the
.BR \-r
option) compares to the given version string. The comparison is
performed by the glibc function
.BR strverscmp .
As a special case, if the operator is for simple equality
.RB ( == ),
or inequality
.RB ( != ),
and the third part contains any wildcard characters
.RB ( * " or " ? " or " [ "),"
then the expression is treated as a wildcard (mis)match as evaluated
by
.BR fnmatch .
.PP
If, on the other hand, the first part is the identifier
.BR arch
to refer to the processor architecture (as named by the kernel
build system ARCH/SUBARCH), then the second
part is one of the two string comparison operators
.BR == " or " != ,
and the third part is a string literal for matching it. This
comparison is a wildcard (mis)match.
.PP
Similarly, if the first part is an identifier like
.BR CONFIG_something
to refer to a kernel configuration option, then the second part is
.BR == " or " != ,
and the third part is a string literal for matching the value
(commonly "y" or "m"). Nonexistent or unset kernel configuration
options are represented by the empty string. This comparison is also
a wildcard (mis)match.
.PP
Otherwise, the CONDITION is expected to be a comparison between two string
literals or two numeric literals. In this case, the arguments are the only
variables usable.
.PP
The TRUE-TOKENS and FALSE-TOKENS are zero or more general parser
tokens (possibly including nested preprocessor conditionals), and are
pasted into the input stream if the condition is true or false. For
example, the following code induces a parse error unless the target
kernel version is newer than 2.6.5:
.SAMPLE
%( kernel_v <= "2.6.5" %? **ERROR** %) # invalid token sequence
.ESAMPLE
The following code might adapt to hypothetical kernel version drift:
.SAMPLE
probe kernel.function (
%( kernel_v <= "2.6.12" %? "__mm_do_fault" %:
%( kernel_vr == "2.6.13*smp" %? "do_page_fault" %:
UNSUPPORTED %) %)
) { /* ... */ }
%( arch == "ia64" %?
probe syscall.vliw = kernel.function("vliw_widget") {}
%)
.ESAMPLE
.SS VARIABLES
Identifiers for variables and functions are an alphanumeric sequence,
and may include "_" and "$" characters. They may not start with a
plain digit, as in C. Each variable is by default local to the probe
or function statement block within which it is mentioned, and therefore
its scope and lifetime is limited to a particular probe or function
invocation.
.\" XXX add statistics type here once it's supported
.PP
Scalar variables are implicitly typed as either string or integer.
Associative arrays also have a string or integer value, and a
a tuple of strings and/or integers serving as a key. Here are a
few basic expressions.
.SAMPLE
var1 = 5
var2 = "bar"
array1 [pid()] = "name" # single numeric key
array2 ["foo",4,i++] += 5 # vector of string/num/num keys
if (["hello",5,4] in array2) println ("yes") # membership test
.ESAMPLE
.PP
The translator performs
.I type inference
on all identifiers, including array indexes and function parameters.
Inconsistent type-related use of identifiers signals an error.
.PP
Variables may be declared global, so that they are shared amongst all
probes and live as long as the entire systemtap session. There is one
namespace for all global variables, regardless of which script file
they are found within. A global declaration may be written at the
outermost level anywhere, not within a block of code. Global
variables which are written but never read will be displayed
automatically at session shutdown. The following
declaration marks a few variables as global. The translator will
infer for each its value type, and if it is used as an array, its key
types. Optionally, scalar globals may be initialized with a string
or number literal.
.RS
.BR global " var1" , " var2" , " var3=4"
.RE
.PP
Arrays are limited in size by the MAXMAPENTRIES variable -- see the
.B SAFETY AND SECURITY
section for details. Optionally, global arrays may be declared with a
maximum size in brackets, overriding MAXMAPENTRIES for that array only.
Note that this doesn't indicate the type of keys for the array, just the
size.
.RS
.BR global " tiny_array[10]" , " normal_array" , " big_array[50000]"
.RE
.\" XXX add statistics type here once it's supported
.SS STATEMENTS
Statements enable procedural control flow. They may occur within
functions and probe handlers. The total number of statements executed
in response to any single probe event is limited to some number
defined by a macro in the translated C code, and is in the
neighbourhood of 1000.
.TP
EXP
Execute the string- or integer-valued expression and throw away
the value.
.TP
.BR { " STMT1 STMT2 ... " }
Execute each statement in sequence in this block. Note that
separators or terminators are generally not necessary between statements.
.TP
.BR ;
Null statement, do nothing. It is useful as an optional separator between
statements to improve syntax-error detection and to handle certain
grammar ambiguities.
.TP
.BR if " (EXP) STMT1 [ " else " STMT2 ]"
Compare integer-valued EXP to zero. Execute the first (non-zero)
or second STMT (zero).
.TP
.BR while " (EXP) STMT"
While integer-valued EXP evaluates to non-zero, execute STMT.
.TP
.BR for " (EXP1; EXP2; EXP3) STMT"
Execute EXP1 as initialization. While EXP2 is non-zero, execute
STMT, then the iteration expression EXP3.
.TP
.BR foreach " (VAR " in " ARRAY [ "limit " EXP ]) STMT"
Loop over each element of the named global array, assigning current
key to VAR. The array may not be modified within the statement.
By adding a single
.BR + " or " \-
operator after the VAR or the ARRAY identifier, the iteration will
proceed in a sorted order, by ascending or descending index or value.
Using the optional
.BR limit
keyword limits the number of loop iterations to EXP times. EXP is
evaluated once at the beginning of the loop.
.TP
.BR foreach " ([VAR1, VAR2, ...] " in " ARRAY [ "limit " EXP ]) STMT"
Same as above, used when the array is indexed with a tuple of keys.
A sorting suffix may be used on at most one VAR or ARRAY identifier.
.TP
.BR break ", " continue
Exit or iterate the innermost nesting loop
.RB ( while " or " for " or " foreach )
statement.
.TP
.BR return " EXP"
Return EXP value from enclosing function. If the function's value is
not taken anywhere, then a return statement is not needed, and the
function will have a special "unknown" type with no return value.
.TP
.BR next
Return now from enclosing probe handler.
.TP
.BR delete " ARRAY[INDEX1, INDEX2, ...]"
Remove from ARRAY the element specified by the index tuple. The value will no
longer be available, and subsequent iterations will not report the element.
It is not an error to delete an element that does not exist.
.TP
.BR delete " ARRAY"
Remove all elements from ARRAY.
.TP
.BR delete " SCALAR"
Removes the value of SCALAR. Integers and strings are cleared to 0 and ""
respectively, while statistics are reset to the initial empty state.
.SS EXPRESSIONS
Systemtap supports a number of operators that have the same general syntax,
semantics, and precedence as in C and awk. Arithmetic is performed as per
typical C rules for signed integers. Division by zero or overflow is
detected and results in an error.
.TP
binary numeric operators
.B * / % + \- >> << & ^ | && ||
.TP
binary string operators
.B .
(string concatenation)
.TP
numeric assignment operators
.B = *= /= %= += \-= >>= <<= &= ^= |=
.TP
string assignment operators
.B = .=
.TP
unary numeric operators
.B + \- ! ~ ++ \-\-
.TP
binary numeric or string comparison operators
.B < > <= >= == !=
.TP
ternary operator
.RB cond " ? " exp1 " : " exp2
.TP
grouping operator
.BR ( " exp " )
.TP
function call
.RB "fn " ( "[ arg1, arg2, ... ]" )
.TP
array membership check
.RB exp " in " array
.br
.BR "[" exp1 ", " exp2 ", " ... "] in " array
.SS PROBES
The main construct in the scripting language identifies probes.
Probes associate abstract events with a statement block ("probe
handler") that is to be executed when any of those events occur. The
general syntax is as follows:
.SAMPLE
.BR probe " PROBEPOINT [" , " PROBEPOINT] " { " [STMT ...] " }
.ESAMPLE
.PP
Events are specified in a special syntax called "probe points". There
are several varieties of probe points defined by the translator, and
tapset scripts may define further ones using aliases. These are
listed in the
.IR stapprobes (3stap)
manual pages.
.PP
The probe handler is interpreted relative to the context of each
event. For events associated with kernel code, this context may
include
.I variables
defined in the
.I source code
at that spot. These "target variables" are presented to the script as
variables whose names are prefixed with "$". They may be accessed
only if the kernel's compiler preserved them despite optimization.
This is the same constraint that a debugger user faces when working
with optimized code. Some other events have very little context.
.PP
New probe points may be defined using "aliases". Probe point aliases
look similar to probe definitions, but instead of activating a probe
at the given point, it just defines a new probe point name as an alias
to an existing one. There are two types of alias, i.e. the prologue
style and the epilogue style which are identified by "=" and "+="
respectively.
.PP
For prologue style alias, the statement block that follows an alias
definition is implicitly added as a prologue to any probe that refers
to the alias. While for the epilogue style alias, the statement block
that follows an alias definition is implicitly added as an epilogue to
any probe that refers to the alias. For example:
.SAMPLE
probe syscall.read = kernel.function("sys_read") {
fildes = $fd
if (execname == "init") next # skip rest of probe
}
.ESAMPLE
defines a new probe point
.nh
.IR syscall.read ,
.hy
which expands to
.nh
.IR kernel.function("sys_read") ,
.hy
with the given statement as a prologue, which is useful to predefine
some variables for the alias user and/or to skip probe processing
entirely based on some conditions. And
.SAMPLE
probe syscall.read += kernel.function("sys_read") {
if (tracethis) println ($fd)
}
.ESAMPLE
defines a new probe point with the given statement as an epilogue, which
is useful to take actions based upon variables set or left over by the
the alias user.
An alias is used just like a built-in probe type.
.SAMPLE
probe syscall.read {
printf("reading fd=%d\n", fildes)
if (fildes > 10) tracethis = 1
}
.ESAMPLE
.SS FUNCTIONS
Systemtap scripts may define subroutines to factor out common work.
Functions take any number of scalar (integer or string) arguments, and
must return a single scalar (integer or string). An example function
declaration looks like this:
.SAMPLE
function thisfn (arg1, arg2) {
return arg1 + arg2
}
.ESAMPLE
Note the general absence of type declarations, which are instead
inferred by the translator. However, if desired, a function
definition may include explicit type declarations for its return value
and/or its arguments. This is especially helpful for embedded-C
functions. In the following example, the type inference engine need
only infer type type of arg2 (a string).
.SAMPLE
function thatfn:string (arg1:long, arg2) {
return sprint(arg1) . arg2
}
.ESAMPLE
Functions may call others or themselves
recursively, up to a fixed nesting limit. This limit is defined by
a macro in the translated C code and is in the neighbourhood of 10.
.SS PRINTING
There are a set of function names that are specially treated by the
translator. They format values for printing to the standard systemtap
output stream in a more convenient way. The
.IR sprint*
variants return the formatted string instead of printing it.
.TP
.BR print ", " sprint
Print one or more values of any type, concatenated directly together.
.TP
.BR println ", " sprintln
Print values like
.IR print " and " sprint ,
but also append a newline.
.TP
.BR printd ", " sprintd
Take a string delimiter and two or more values of any type, and print the
values with the delimiter interposed. The delimiter must be a literal
string constant.
.TP
.BR printdln ", " sprintdln
Print values with a delimiter like
.IR printd " and " sprintd ,
but also append a newline.
.TP
.BR printf ", " sprintf
Take a formatting string and a number of values of corresponding types,
and print them all. The format must be a literal string constant.
.PP
The
.IR printf
formatting directives similar to those of C, except that they are
fully type-checked by the translator:
.RS
.TP
%b
Writes a binary blob of the value given, instead of ASCII text. The width specifier determines the number of bytes to write; valid specifiers are %b %1b %2b %4b %8b. Default (%b) is 8 bytes.
.TP
%c
Character.
.TP
%d,%i
Signed decimal.
.TP
%m
Safely reads kernel memory at the given address, outputs its content. The precision specifier determines the number of bytes to read. Default is 1 byte.
.TP
%M
Same as %m, but outputs in hexadecimal. The minimal size of output is double the precision specifier.
.TP
%o
Unsigned octal.
.TP
%p
Unsigned pointer address.
.TP
%s
String.
.TP
%u
Unsigned decimal.
.TP
%x
Unsigned hex value, in all lower-case.
.TP
%X
Unsigned hex value, in all upper-case.
.TP
%%
Writes a %.
.RE
.PP
Examples:
.SAMPLE
a = "alice", b = "bob", p = 0x1234abcd, i = 123, j = -1, id[a] = 1234, id[b] = 4567
print("hello")
Prints: hello
println(b)
Prints: bob\\n
println(a . " is " . sprint(16))
Prints: alice is 16
foreach (name in id) printdln("|", strlen(name), name, id[name])
Prints: 5|alice|1234\\n3|bob|4567
printf("%c is %s; %x or %X or %p; %d or %u\\n",97,a,p,p,p,j,j)
Prints: a is alice; 1234abcd or 1234ABCD or 0x1234abcd; -1 or 18446744073709551615\\n
printf("2 bytes of kernel buffer at address %p: %2m", p, p)
Prints: 2 byte of kernel buffer at address 0x1234abcd: <binary data>
printf("%4b", p)
Prints (these values as binary data): 0x1234abcd
.ESAMPLE
.SS STATISTICS
It is often desirable to collect statistics in a way that avoids the
penalties of repeatedly exclusive locking the global variables those
numbers are being put into. Systemtap provides a solution using a
special operator to accumulate values, and several pseudo-functions to
extract the statistical aggregates.
.PP
The aggregation operator is
.IR <<< ,
and resembles an assignment, or a C++ output-streaming operation.
The left operand specifies a scalar or array-index lvalue, which must
be declared global. The right operand is a numeric expression. The
meaning is intuitive: add the given number to the pile of numbers to
compute statistics of. (The specific list of statistics to gather
is given separately, by the extraction functions.)
.SAMPLE
foo <<< 1
stats[pid()] <<< memsize
.ESAMPLE
.PP
The extraction functions are also special. For each appearance of a
distinct extraction function operating on a given identifier, the
translator arranges to compute a set of statistics that satisfy it.
The statistics system is thereby "on-demand". Each execution of
an extraction function causes the aggregation to be computed for
that moment across all processors.
.PP
Here is the set of extractor functions. The first argument of each is
the same style of lvalue used on the left hand side of the accumulate
operation. The
.IR @count(v) ", " @sum(v) ", " @min(v) ", " @max(v) ", " @avg(v)
extractor functions compute the number/total/minimum/maximum/average
of all accumulated values. The resulting values are all simple
integers.
.PP
Histograms are also available, but are more complicated because they
have a vector rather than scalar value.
.I @hist_linear(v,start,stop,interval)
represents a linear histogram from "start" to "stop" by increments
of "interval". The interval must be positive. Similarly,
.I @hist_log(v)
represents a base-2 logarithmic histogram. Printing a histogram
with the
.I print
family of functions renders a histogram object as a tabular
"ASCII art" bar chart.
.SAMPLE
probe foo {
x <<< $value
}
probe end {
printf ("avg %d = sum %d / count %d\\n",
@avg(x), @sum(x), @count(x))
print (@hist_log(v))
}
.ESAMPLE
.SS TYPECASTING
Once a pointer has been saved into a script integer variable, the
translator loses the type information necessary to access members from
that pointer. Using the
.I @cast()
operator tells the translator how to read a pointer.
.SAMPLE
@cast(p, "type_name"[, "module"])->member
.ESAMPLE
.PP
This will interpret
.I p
as a pointer to a struct/union named
.I type_name
and dereference the
.I member
value. The optional
.I module
tells the translator where to look for information about that type.
Multiple modules may be specified as a list with
.IR :
separators. If the module is not specified, it will default either to
the probe module for dwarf probes, or to "kernel" for functions and all
other probes types.
.PP
The translator can create its own module with type information from a header
surrounded by angle brackets, in case normal debuginfo is not available. For
kernel headers, prefix it with "kernel" to use the appropriate build system.
All other headers are build with default GCC parameters into a user module.
.SAMPLE
@cast(tv, "timeval", "<sys/time.h>")->tv_sec
@cast(task, "task_struct", "kernel<linux/sched.h>")->tgid
.ESAMPLE
.PP
When in guru mode, the translator will also allow scripts to assign new
values to members of typecasted pointers.
.PP
Typecasting is also useful in the case of
.I void*
members whose type may be determinable at runtime.
.SAMPLE
probe foo {
if ($var->type == 1) {
value = @cast($var->data, "type1")->bar
} else {
value = @cast($var->data, "type2")->baz
}
print(value)
}
.ESAMPLE
.SS EMBEDDED C
When in guru mode, the translator accepts embedded code in the
script. Such code is enclosed between
.IR %{
and
.IR %}
markers, and is transcribed verbatim, without analysis, in some
sequence, into the generated C code. At the outermost level, this may
be useful to add
.IR #include
instructions, and any auxiliary definitions for use by other embedded
code.
.PP
The other place where embedded code is permitted is as a function body.
In this case, the script language body is replaced entirely by a piece
of C code enclosed again between
.IR %{ " and " %}
markers.
This C code may do anything reasonable and safe. There are a number
of undocumented but complex safety constraints on atomicity,
concurrency, resource consumption, and run time limits, so this
is an advanced technique.
.PP
The memory locations set aside for input and output values
are made available to it using a macro
.IR THIS .
Here are some examples:
.SAMPLE
function add_one (val) %{
THIS\->__retvalue = THIS\->val + 1;
%}
function add_one_str (val) %{
strlcpy (THIS\->__retvalue, THIS\->val, MAXSTRINGLEN);
strlcat (THIS\->__retvalue, "one", MAXSTRINGLEN);
%}
.ESAMPLE
The function argument and return value types have to be inferred by
the translator from the call sites in order for this to work. The
user should examine C code generated for ordinary script-language
functions in order to write compatible embedded-C ones.
.SS BUILT-INS
A set of builtin functions and probe point aliases are provided
by the scripts installed under the
.nh
.IR @prefix@/share/systemtap/tapset
.hy
directory. These are described in the
.IR stapfuncs "(3stap) and " stapprobes (3stap)
manual pages.
.SH PROCESSING
The translator begins pass 1 by parsing the given input script,
and all scripts (files named
.IR *.stp )
found in a tapset directory. The directories listed
with
.BR \-I
are processed in sequence, each processed in "guru mode". For each
directory, a number of subdirectories are also searched. These
subdirectories are derived from the selected kernel version (the
.BR \-R
option),
in order to allow more kernel-version-specific scripts to override less
specific ones. For example, for a kernel version
.IR 2.6.12\-23.FC3
the following patterns would be searched, in sequence:
.IR 2.6.12\-23.FC3/*.stp ,
.IR 2.6.12/*.stp ,
.IR 2.6/*.stp ,
and finally
.IR *.stp
Stopping the translator after pass 1 causes it to print the parse trees.
.PP
In pass 2, the translator analyzes the input script to resolve symbols
and types. References to variables, functions, and probe aliases that
are unresolved internally are satisfied by searching through the
parsed tapset scripts. If any tapset script is selected because it
defines an unresolved symbol, then the entirety of that script is
added to the translator's resolution queue. This process iterates
until all symbols are resolved and a subset of tapset scripts is
selected.
.PP
Next, all probe point descriptions are validated
against the wide variety supported by the translator. Probe points that
refer to code locations ("synchronous probe points") require the
appropriate kernel debugging information to be installed. In the
associated probe handlers, target-side variables (whose names begin
with "$") are found and have their run-time locations decoded.
.PP
Next, all probes and functions are analyzed for optimization
opportunities, in order to remove variables, expressions, and
functions that have no useful value and no side-effect. Embedded-C
functions are assumed to have side-effects unless they include the
magic string
.BR /*\ pure\ */ .
Since this optimization can hide latent code errors such as type
mismatches or invalid $target variables, it sometimes may be useful
to disable the optimizations with the
.BR \-u
option.
.PP
Finally, all variable, function, parameter, array, and index types are
inferred from context (literals and operators). Stopping the
translator after pass 2 causes it to list all the probes, functions,
and variables, along with all inferred types. Any inconsistent or
unresolved types cause an error.
.PP
In pass 3, the translator writes C code that represents the actions
of all selected script files, and creates a
.IR Makefile
to build that into a kernel object. These files are placed into a
temporary directory. Stopping the translator at this point causes
it to print the contents of the C file.
.PP
In pass 4, the translator invokes the Linux kernel build system to
create the actual kernel object file. This involves running
.IR make
in the temporary directory, and requires a kernel module build
system (headers, config and Makefiles) to be installed in the usual
spot
.IR /lib/modules/VERSION/build .
Stopping the translator after pass 4 is the last chance before
running the kernel object. This may be useful if you want to
archive the file.
.PP
In pass 5, the translator invokes the systemtap auxiliary program
.I staprun
program for the given kernel object. This program arranges to load
the module then communicates with it, copying trace data from the
kernel into temporary files, until the user sends an interrupt signal.
Any run-time error encountered by the probe handlers, such as running
out of memory, division by zero, exceeding nesting or runtime limits,
results in a soft error indication. Soft errors in excess of
MAXERRORS block of all subsequent probes (except error-handling
probes), and terminate the session. Finally,
.I staprun
unloads the module, and cleans up.
.SS ABNORMAL TERMINATION
One should avoid killing the stap process forcibly, for example with
SIGKILL, because the stapio process (a child process of the stap
process) and the loaded module may be left running on the system. If
this happens, send SIGTERM or SIGINT to any remaining stapio
processes, then use rmmod to unload the systemtap module.
.SH EXAMPLES
See the
.IR stapex (3stap)
manual page for a collection of samples.
.SH CACHING
The systemtap translator caches the pass 3 output (the generated C
code) and the pass 4 output (the compiled kernel module) if pass 4
completes successfully. This cached output is reused if the same
script is translated again assuming the same conditions exist (same kernel
version, same systemtap version, etc.). Cached files are stored in
the
.I $SYSTEMTAP_DIR/cache
directory. The cache can be limited by having the file
.I cache_mb_limit
placed in the cache directory (shown above) containing only an ASCII
integer representing how many MiB the cache should not exceed. Note that
this is a 'soft' limit in that the cache will be cleaned after a new entry
is added, so the total cache size may temporarily exceed this limit. In the
absence of this file, a default will be created with the limit set to 64MiB.
.SH SAFETY AND SECURITY
Systemtap is an administrative tool. It exposes kernel internal data
structures and potentially private user information.
It acquires
either root privileges
To actually run the kernel objects it builds, a user must be one of
the following:
.IP \(bu 4
the root user;
.IP \(bu 4
a member of the
.I stapdev
group; or
.IP \(bu 4
a member of the
.I stapusr
group.
.PP
Members of the
.I stapusr
group can only use modules under the following conditions:
.IP \(bu 4
The module is located in
the /lib/modules/VERSION/systemtap directory. This directory
must be owned by root and not be world writable.
.IP \(bu 4
The module has been signed by a trusted signer. Trusted signers are normally
systemtap compile servers which sign modules when the --unprivileged option is
specified by the client. See the
.IR stap-server (8)
manual page for a for more information.
.PP
The kernel modules generated by
.I stap
program are run by the
.IR staprun
program. The latter is a part of the Systemtap package, dedicated to
module loading and unloading (but only in the white zone), and
kernel-to-user data transfer. Since
.IR staprun
does not perform any additional security checks on the kernel objects
it is given, it would be unwise for a system administrator to add
untrusted users to the
.I stapdev
or
.I stapusr
groups.
.PP
The translator asserts certain safety constraints. It aims to ensure
that no handler routine can run for very long, allocate memory,
perform unsafe operations, or in unintentionally interfere with the
kernel. Use of script global variables is suitably locked to protect
against manipulation by concurrent probe handlers. Use of guru mode
constructs such as embedded C can violate these constraints, leading
to kernel crash or data corruption.
.PP
The resource use limits are set by macros in the generated C code.
These may be overridden with the
.BR \-D
flag. A selection of these is as follows:
.TP
MAXNESTING
Maximum number of nested function calls. Default determined by
script analysis, with a bonus 10 slots added for recursive
scripts.
.TP
MAXSTRINGLEN
Maximum length of strings, default 128.
.TP
MAXTRYLOCK
Maximum number of iterations to wait for locks on global variables
before declaring possible deadlock and skipping the probe, default 1000.
.TP
MAXACTION
Maximum number of statements to execute during any single probe hit
(with interrupts disabled),
default 1000.
.TP
MAXACTION_INTERRUPTIBLE
Maximum number of statements to execute during any single probe hit
which is executed with interrupts enabled (such as begin/end probes),
default (MAXACTION * 10).
.TP
MAXMAPENTRIES
Maximum number of rows in any single global array, default 2048.
.TP
MAXERRORS
Maximum number of soft errors before an exit is triggered, default 0, which
means that the first error will exit the script.
.TP
MAXSKIPPED
Maximum number of skipped probes before an exit is triggered, default 100.
Running systemtap with \-t (timing) mode gives more details about skipped
probes. With the default \-DINTERRUPTIBLE=1 setting, probes skipped due to
reentrancy are not accumulated against this limit.
.TP
MINSTACKSPACE
Minimum number of free kernel stack bytes required in order to
run a probe handler, default 1024. This number should be large enough
for the probe handler's own needs, plus a safety margin.
.TP
MAXUPROBES
Maximum number of concurrently armed user-space probes (uprobes), default
somewhat larger than the number of user-space probe points named in the script.
This pool needs to be potentialy large because individual uprobe objects (about
64 bytes each) are allocated for each process for each matching script-level probe.
.PP
With scripts that contain probes on any interrupt path, it is possible that
those interrupts may occur in the middle of another probe handler. The probe
in the interrupt handler would be skipped in this case to avoid reentrance.
To work around this issue, execute stap with the option
.BR \-DINTERRUPTIBLE=0
to mask interrupts throughout the probe handler. This does add some extra
overhead to the probes, but it may prevent reentrance for common problem
cases. However, probes in NMI handlers and in the callpath of the stap
runtime may still be skipped due to reentrance.
.PP
Multiple scripts can write data into a relay buffer concurrently. A host
script provides an interface for accessing its relay buffer to guest scripts.
Then, the output of the guests are merged into the output of the host.
To run a script as a host, execute stap with
.BR \-DRELAYHOST[=name]
option. The
.BR name
identifies your host script among several hosts.
While running the host, execute stap with
.BR \-DRELAYGUEST[=name]
to add a guest script to the host.
Note that you must unload guests before unloading a host. If there are some
guests connected to the host, unloading the host will be failed.
.PP
In case something goes wrong with
.IR stap " or " staprun
after a probe has already started running, one may safely kill both
user processes, and remove the active probe kernel module with
.IR rmmod .
Any pending trace messages may be lost.
.PP
In addition to the methods outlined above, the generated kernel module
also uses overload processing to make sure that probes can't run for
too long. If more than STP_OVERLOAD_THRESHOLD cycles (default
500000000) have been spent in all the probes on a single cpu during
the last STP_OVERLOAD_INTERVAL cycles (default 1000000000), the probes
have overloaded the system and an exit is triggered.
.PP
By default, overload processing is turned on for all modules. If you
would like to disable overload processing, define STP_NO_OVERLOAD.
.SH MAKING DO WITH SYMBOL TABLES
Systemtap performs best when it has access to the debugging information
associated with your kernel and modules.
However, if this information is not available,
systemtap can still support probing of function entries and returns
using symbols read from vmlinux and/or the modules in /lib/modules.
Systemtap can also read the kernel symbol table from a text file
such as /boot/System.map or /proc/kallsyms.
See the
.B \-\-kelf
and
.B \-\-kmap
options.
.PP
If systemtap finds relevant debugging information,
it will use it even if you specify
.B \-\-kelf
or
.BR \-\-kmap .
.PP
Without debugging information, systemtap cannot support the
following types of language constructs:
.IP \(bu 4
probe specifications that refer to source files or line numbers
.IP \(bu 4
probe specifications that refer to inline functions
.IP \(bu 4
statements that refer to $target variables
.IP \(bu 4
statements that refer to @cast() variables
.IP \(bu 4
tapset-defined variables defined using any of the above constructs.
In particular, at this writing,
the prologue blocks for certain aliases in the syscall tapset
(e.g., syscall.open) contain "if" statements that refer to $target variables.
If your script refers to any such aliases,
systemtap must have access to the kernel's debugging information.
.PP
Most T and t symbols correspond to function entry points, but some do not.
Based only on the symbol table, systemtap cannot tell the difference.
Placing return probes on symbols that aren't entry points
will most likely lead to kernel stack corruption.
.SH FILES
.\" consider autoconf-substituting these directories
.TP
~/.systemtap
Systemtap data directory for cached systemtap files, unless overridden
by the
.I SYSTEMTAP_DIR
environment variable.
.TP
/tmp/stapXXXXXX
Temporary directory for systemtap files, including translated C code
and kernel object.
.TP
@prefix@/share/systemtap/tapset
The automatic tapset search directory, unless overridden by
the
.I SYSTEMTAP_TAPSET
environment variable.
.TP
@prefix@/share/systemtap/runtime
The runtime sources, unless overridden by the
.I SYSTEMTAP_RUNTIME
environment variable.
.TP
/lib/modules/VERSION/build
The location of kernel module building infrastructure.
.TP
@prefix@/lib/debug/lib/modules/VERSION
The location of kernel debugging information when packaged into the
.IR kernel\-debuginfo
RPM, unless overridden by the
.I SYSTEMTAP_DEBUGINFO_PATH
environment variable. The default value for this variable is
.IR \+:.debug:/usr/lib/debug:build .
Elfutils searches vmlinux in this path and it interprets the path as a base
directory of which various subdirectories will be searched for finding modules.
.TP
@prefix@/bin/staprun
The auxiliary program supervising module loading, interaction, and
unloading.
.SH SEE ALSO
.IR stapprobes (3stap),
.IR stapfuncs (3stap),
.IR stapvars (3stap),
.IR stapex (3stap),
.IR stap-client (8),
.IR stap-server (8),
.IR awk (1),
.IR gdb (1)
.SH BUGS
Use the Bugzilla link off of the project web page or our mailing list.
.nh
.BR http://sources.redhat.com/systemtap/ , <systemtap@sources.redhat.com> .
.hy
|