ftrace, perf, SystemTap, ktap and others. In this article I will explain what these mechanisms provide and how they work; next time we will look at specific tools.
    [etn] $ perf list tracepoint | wc -l
    1271
    [etn] $ perf list tracepoint | grep "kmalloc"
    kmem:kmalloc                                       [Tracepoint event]
__do_kmalloc:
    /**
     * __do_kmalloc - allocate memory
     * @size: how many bytes of memory are required.
     * @flags: the type of memory to allocate (see kmalloc).
     * @caller: function caller for debug tracking of the caller
     */
    static __always_inline void *__do_kmalloc(size_t size, gfp_t flags,
                                              unsigned long caller)
    {
        struct kmem_cache *cachep;
        void *ret;

        cachep = kmalloc_slab(size, flags);
        if (unlikely(ZERO_OR_NULL_PTR(cachep)))
            return cachep;
        ret = slab_alloc(cachep, flags, caller);

        trace_kmalloc(caller, ret, size, cachep->size, flags);

        return ret;
    }
trace_kmalloc is a tracepoint.
    [~] # mount -t debugfs none /sys/kernel/debug
    [~] # cd /sys/kernel/debug/tracing/
    [tracing] # echo 1 > events/kmem/kmalloc/enable
    [tracing] # tail trace
    bash-10921 [000] .... 1127940.937139: kmalloc: call_site=ffffffff8122f0f5 ptr=ffff8800aaecb900 bytes_req=48 bytes_alloc=64 gfp_flags=GFP_KERNEL
    bash-10921 [000] .... 1127940.937139: kmalloc: call_site=ffffffff8122f084 ptr=ffff8800ca008800 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL|GFP_NOWARN|GFP_NORETRY
    bash-10921 [000] .... 1127940.937139: kmalloc: call_site=ffffffff8122f084 ptr=ffff8800aaecbd80 bytes_req=64 bytes_alloc=64 gfp_flags=GFP_KERNEL|GFP_NOWARN|GFP_NORETRY
    tail-11005 [001] .... 1127940.937451: kmalloc: call_site=ffffffff81219297 ptr=ffff8800aecf5f00 bytes_req=240 bytes_alloc=256 gfp_flags=GFP_KERNEL|GFP_ZERO
    tail-11005 [000] .... 1127940.937518: kmalloc: call_site=ffffffff81267801 ptr=ffff880123e8bd80 bytes_req=128 bytes_alloc=128 gfp_flags=GFP_KERNEL
    tail-11005 [000] .... 1127940.937519: kmalloc: call_site=ffffffff81267786 ptr=ffff880077faca00 bytes_req=504 bytes_alloc=512 gfp_flags=GFP_KERNEL
enable file.
CONFIG_MODULE_SIG enabled (almost always the case) and no private key for the signature (your distribution's kernel vendor holds it). See the heartbreaking details on LKML [1], [2].
ftrace or perf.
kprobes is a mechanism for dynamic instrumentation of code. With kprobes you can interrupt the execution of kernel code at any point, call your own handler, do whatever you want in it, and return as if nothing had happened.
int 3 for x86).
setjmp/longjmp (hence the name), that is, more lightweight.

    ssize_t etn_write(struct file *filp, const char __user *buf, size_t count, loff_t *f_pos)
    root@etn:~# tail -F /var/log/kern.log
    Jan 1 00:00:42 etn kernel: [42.923717] ETN JPROBE: jprobe_init: 46: Planted jprobe at bf00f7a8, handler addr bf071000
    Jan 1 00:00:43 etn kernel: [43.194840] ETN JPROBE: trace_etn_write: 23: Writing 2 bytes at offset 4
    Jan 1 00:00:43 etn kernel: [43.201827] ETN JPROBE: trace_etn_write: 23: Writing 2 bytes at offset 4
ebp), you need to write a kernel module, debug, load perf program - the program itself will be covered separately.
perf program was written. With its help, you can see which hardware events are available to us.
    $ perf list pmu hw sw cache
    branch-instructions OR cpu/branch-instructions/    [Kernel PMU event]
    branch-misses OR cpu/branch-misses/                [Kernel PMU event]
    bus-cycles OR cpu/bus-cycles/                      [Kernel PMU event]
    cache-misses OR cpu/cache-misses/                  [Kernel PMU event]
    cache-references OR cpu/cache-references/          [Kernel PMU event]
    cpu-cycles OR cpu/cpu-cycles/                      [Kernel PMU event]
    instructions OR cpu/instructions/                  [Kernel PMU event]
    cpu-cycles OR cycles                               [Hardware event]
    instructions                                       [Hardware event]
    cache-references                                   [Hardware event]
    cache-misses                                       [Hardware event]
    branch-instructions OR branches                    [Hardware event]
    branch-misses                                      [Hardware event]
    bus-cycles                                         [Hardware event]
    ref-cycles                                         [Hardware event]
    cpu-clock                                          [Software event]
    task-clock                                         [Software event]
    page-faults OR faults                              [Software event]
    context-switches OR cs                             [Software event]
    cpu-migrations OR migrations                       [Software event]
    minor-faults                                       [Software event]
    major-faults                                       [Software event]
    alignment-faults                                   [Software event]
    emulation-faults                                   [Software event]
    dummy                                              [Software event]
    L1-dcache-loads                                    [Hardware cache event]
    L1-dcache-load-misses                              [Hardware cache event]
    L1-dcache-stores                                   [Hardware cache event]
    L1-dcache-store-misses                             [Hardware cache event]
    L1-dcache-prefetches                               [Hardware cache event]
    L1-icache-loads                                    [Hardware cache event]
    L1-icache-load-misses                              [Hardware cache event]
    LLC-loads                                          [Hardware cache event]
    LLC-load-misses                                    [Hardware cache event]
    LLC-stores                                         [Hardware cache event]
    LLC-store-misses                                   [Hardware cache event]
    dTLB-loads                                         [Hardware cache event]
    dTLB-load-misses                                   [Hardware cache event]
    dTLB-stores                                        [Hardware cache event]
    dTLB-store-misses                                  [Hardware cache event]
    iTLB-loads                                         [Hardware cache event]
    iTLB-load-misses                                   [Hardware cache event]
    branch-loads                                       [Hardware cache event]
    branch-load-misses                                 [Hardware cache event]
    root@etn:~# perf list pmu hw sw cache
    cpu-cycles OR cycles                               [Hardware event]
    instructions                                       [Hardware event]
    cache-references                                   [Hardware event]
    cache-misses                                       [Hardware event]
    branch-instructions OR branches                    [Hardware event]
    branch-misses                                      [Hardware event]
    stalled-cycles-frontend OR idle-cycles-frontend    [Hardware event]
    stalled-cycles-backend OR idle-cycles-backend      [Hardware event]
    ref-cycles                                         [Hardware event]
    cpu-clock                                          [Software event]
    task-clock                                         [Software event]
    page-faults OR faults                              [Software event]
    context-switches OR cs                             [Software event]
    cpu-migrations OR migrations                       [Software event]
    minor-faults                                       [Software event]
    major-faults                                       [Software event]
    alignment-faults                                   [Software event]
    emulation-faults                                   [Software event]
    dummy                                              [Software event]
    L1-dcache-loads                                    [Hardware cache event]
    L1-dcache-load-misses                              [Hardware cache event]
    L1-dcache-stores                                   [Hardware cache event]
    L1-dcache-store-misses                             [Hardware cache event]
    L1-icache-load-misses                              [Hardware cache event]
    dTLB-load-misses                                   [Hardware cache event]
    dTLB-store-misses                                  [Hardware cache event]
    iTLB-load-misses                                   [Hardware cache event]
    branch-loads                                       [Hardware cache event]
    branch-load-misses                                 [Hardware cache event]
perf_event_open was created, to which you pass the event itself and a config describing what you want to do with that event. In return you get a file descriptor from which you can read the data perf has collected for the event.
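The call described above, as an added example (not code from the original article): it opens a counter for the page-faults software event, runs a constructed workload, and reads the count back from the returned file descriptor. The helper names count_event and touch_pages are hypothetical; the function returns a negative errno where the kernel or a sandbox refuses the call.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/perf_event.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed workload: the first write to each of 64 fresh pages faults it in. */
static void touch_pages(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), len = 64 * page;
    volatile char *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    for (size_t off = 0; p != MAP_FAILED && off < len; off += page)
        p[off] = 1;
}

/* Count one event while work() runs in this thread; returns -errno if refused. */
static long long count_event(unsigned type, unsigned long long config, void (*work)(void))
{
    struct perf_event_attr attr;
    long long count = 0;
    int fd;
    memset(&attr, 0, sizeof(attr));   /* the config: unused fields must be zero */
    attr.size = sizeof(attr);
    attr.type = type;                 /* the event: its class ... */
    attr.config = config;             /* ... and its id within that class */
    attr.disabled = 1;                /* created stopped, enabled explicitly below */
    attr.exclude_kernel = 1;          /* user mode only; perf_event_paranoid >= 2
                                         requires this of unprivileged callers */
    /* pid 0, cpu -1: the calling thread on any CPU; no group leader, no flags. */
    fd = (int)syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0UL);
    if (fd < 0)
        return -errno;
    ioctl(fd, PERF_EVENT_IOC_ENABLE, 0);
    work();
    ioctl(fd, PERF_EVENT_IOC_DISABLE, 0);
    if (read(fd, &count, sizeof(count)) != (ssize_t)sizeof(count))
        count = -EIO;                 /* default read format is one 64-bit counter */
    close(fd);
    return count;
}

int main(void)
{
    long long n = count_event(PERF_TYPE_SOFTWARE, PERF_COUNT_SW_PAGE_FAULTS, touch_pages);
    printf("%s: %lld\n", n < 0 ? "refused, errno" : "page-faults", n < 0 ? -n : n);
    return 0;
}
```
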
perf provides many different features, such as grouping events, filtering, output in different formats, analysis of collected profiles, etc. That is why everything possible is now being pushed into perf: from tracepoints to eBPF, to the point that they want to make all of ftrace part of perf [3] [4].
perf itself deserves a separate article, so as a teaser I will show a simple example.
    root@etn:~# perf timechart record apt-get update
    ...
    root@etn:~# perf timechart -i perf.data -o timechart.svg
ftrace, perf and SystemTap, but more on that another time.
Source: https://habr.com/ru/post/261003/