Ten things to know about SystemTap

1. Verify that stap is installed
    sudo stap -e 'probe begin { print("ok") exit()}'
 
2. Supported probe points
 
begin                                       The startup of the systemtap session.
end                                         The end of the systemtap session.
kernel.function("sys_open")                 The entry to the function named sys_open in the kernel.
syscall.close.return                        The return from the close system call.
module("ext3").statement(0xdeadbeef)        The addressed instruction in the ext3 filesystem driver.
timer.ms(200)                               A timer that fires every 200 milliseconds.
timer.profile                               A timer that fires periodically on every CPU.
perf.hw.cache_misses                        A particular number of CPU cache misses have occurred.
procfs("status").read                       A process trying to read a synthetic file.
process("a.out").statement("*@main.c:200")  Line 200 of the a.out program.
kernel.function("*@net/socket.c")           All functions in the file socket.c in the net directory.

3. Variables you are likely to use often

tid()               The id of the current thread.
pid()               The process (task group) id of the current thread.
uid()               The id of the current user.
execname()          The name of the current process.
cpu()               The current cpu number.
gettimeofday_s()    Number of seconds since epoch.
get_cycles()        Snapshot of hardware cycle counter.
pp()                A string describing the probe point being currently handled.
ppfunc()            If known, the function name in which this probe was placed.
$$vars              If available, a pretty-printed listing of all local variables in scope.
print_backtrace()   If possible, print a kernel backtrace.
print_ubacktrace()  If possible, print a user-space backtrace.

 

4. Control structures

if (EXPR) STATEMENT [else STATEMENT]    if/else statement
while (EXPR) STATEMENT                  while loop
for (A; B; C) STATEMENT                 for loop

 

5. Strings are concatenated with .

"hello" . "-" . "world" = hello-world

  

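6. Variables
    1) Variable types do not have to be declared; the system infers them.
    2) Target variables are the variables inside the kernel functions.
    3) Operations:
       you can take their address (the & operator), pretty-print structures (the $ and $$ suffix), pretty-print
       multiple variables in scope (the $$vars and related variables), or cast pointers to their types (the @cast
       operator)
    4) @defined checks whether a variable is defined; it is typically used to test whether a given variable exists across different kernel versions.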
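
7. The powerful map, which supports N-tuples as keys

global a                            declare global scalar or array variable (it can serve as a single value or as an array, depending entirely on how you use it later)
global b[400]                       declare array, reserving space for up to 400 tuples (an explicit array declaration; the default size is limited, so sometimes you need to set the size yourself)
processusage [uid(),execname()] ++  update a statistic (a tuple of several elements can be the key)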

Iterating over the elements: they can be sorted by key or by value, and the number of elements visited can be limited.

foreach (x = [a,b] in foo) { fuss_with(x) }  simple loop in arbitrary sequence
foreach ([a,b] in foo+ limit 5) { }          loop in increasing sequence of value, stop after 5
foreach ([a-,b] in foo) { }                  loop in decreasing sequence of first key

  

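8. Statistics
a <<< delta_timestamp   Think of a as one big array; this operation appends an element to it.
Various statistics can then be computed over a, for example @max, @count, @avg, and @sum, as well as @hist_log and @hist_linear.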
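
Items 7 and 8 put together in one script, as an added example that is not part of the original post or the SystemTap tutorial: it counts open() calls per [uid, execname] tuple and aggregates read() latency per process name, then prints the top five of each. The file name open-stats.stp, the variable names, the array size 2000 and the 10-second window are choices made for this example; gettimeofday_us() is the microsecond counterpart of gettimeofday_s() in the standard tapset.

```systemtap
# open-stats.stp: added example, not from the original post or the tutorial.
# Run as root: stap open-stats.stp
global opens[2000]   # key is the 2-tuple [uid, execname]; size set explicitly (item 7)
global read_us       # statistics aggregate per execname (item 8)
global t0            # read() entry time per thread

# Newer C libraries issue openat(); add syscall.openat to this probe list
# to count those calls as well.
probe syscall.open
{
    # uid() and execname() are the context functions from item 3
    opens[uid(), execname()]++
}

probe syscall.read
{
    t0[tid()] = gettimeofday_us()
}

probe syscall.read.return
{
    # only account for reads whose entry was seen by this session
    if (tid() in t0) {
        read_us[execname()] <<< gettimeofday_us() - t0[tid()]
        delete t0[tid()]
    }
}

probe timer.s(10)
{
    exit()    # stop sampling after 10 seconds; the end probe prints the report
}

probe end
{
    printf("%-8s %-16s %s\n", "UID", "EXECNAME", "OPENS")
    # decreasing order of value, first five entries only
    foreach ([u, exe] in opens- limit 5)
        printf("%-8d %-16s %d\n", u, exe, opens[u, exe])

    printf("\n%-16s %8s %8s %8s\n", "EXECNAME", "READS", "AVG_US", "MAX_US")
    # an array of aggregates sorted by value is ordered by @count
    foreach (exe in read_us- limit 5)
        printf("%-16s %8d %8d %8d\n", exe, @count(read_us[exe]),
               @avg(read_us[exe]), @max(read_us[exe]))
}
```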
 
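9. Tapsets and aliases
An alias in a tapset can be thought of as a piece of preprocessing code: the probe that appears last can reference the variables defined in the earlier probe.
Another probe that names the new probe point will create an actual probe, with the handler of the alias prepended.
For example, the tapset contains this definition of syscall.open: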
probe syscall.open = kernel.function("compat_sys_open").call ?,
                     kernel.function("sys32_open").call ?,
                     kernel.function("sys_open").call ?
{
    name = "open"
    filename = user_string_quoted($filename)
    flags = $flags
    mode = $mode
    if (flags & 64)
        argstr = sprintf("%s, %s, %#o", user_string_quoted($filename),
            _sys_open_flag_str($flags), $mode)
    else
        argstr = sprintf("%s, %s", user_string_quoted($filename),
            _sys_open_flag_str($flags))
}
If we then simply write, outside the tapset,
probe syscall.open
{
    # filename can be used directly here, because syscall.open has already defined it
    printf("%s\n", filename)
}
 
10. Embedded C
 
# cat embedded-C.stp
%{
#include <linux/sched.h>
#include <linux/list.h>
%}
// Embedded C is accepted only in guru mode (stap -g).
function task_execname_by_pid:string (pid:long) %{
    struct task_struct *p;
    struct list_head *_p, *_n;
    /* walk the task list and copy the command name of the matching pid */
    list_for_each_safe(_p, _n, &current->tasks) {
        p = list_entry(_p, struct task_struct, tasks);
        if (p->pid == (int)STAP_ARG_pid)
            snprintf(STAP_RETVALUE, MAXSTRINGLEN, "%s", p->comm);
    }
%}

  

 

Source: Systemtap tutorial

 
Addendum:
1. Compile, then run on the target machine:
stap -r 2.6.18-92.1.10.el5 -e 'probe vfs.read {exit()}' -m simple
staprun simple.ko

  

posted on 2014-03-06 20:29  RaymondSQ