2 .TH STAP 1 @DATE@ "Red Hat"
4 stap \- systemtap script translator/driver
71 program is the front-end to the Systemtap tool. It accepts probing
72 instructions (written in a simple scripting language), translates
73 those instructions into C code, compiles this C code, and loads the
74 resulting kernel module into a running Linux kernel to perform the
75 requested system trace/probe functions. You can supply the script in
76 a named file, from standard input, or from the command line. The
77 program runs until it is interrupted by the user, or if the script
78 voluntarily invokes the
80 function, or by sufficient number of soft errors.
82 The language, which is described in a later section, is strictly typed,
83 declaration free, procedural, and inspired by
85 It allows source code points or events in the kernel to be associated
86 with handlers, which are subroutines that are executed synchronously. It is
87 somewhat similar conceptually to "breakpoint command lists" in the
91 This manual corresponds to version @VERSION@.
94 The systemtap translator supports the following options. Any other option
95 prints a list of supported options.
101 Show version message.
104 Stop after pass NUM. The passes are numbered 1-5: parse, elaborate,
105 translate, compile, run. See the
110 Increase verbosity for all passes. Produce a larger volume of
111 informative (?) output each time option repeated.
114 Increase verbosity on a per-pass basis. For example, "\-\-vp\ 002"
115 adds 2 units of verbosity to pass 3 only. The combination "\-v\ \-\-vp\ 00004"
116 adds 1 unit of verbosity for all passes, and 4 more for pass 5.
119 Keep the temporary directory after all processing. This may be useful
120 in order to examine the generated C code, or to reuse the compiled
124 Guru mode. Enable parsing of unsafe expert-level constructs like
128 Prologue-searching mode. Activate heuristics to work around incorrect
129 debugging information for $target variables.
132 Unoptimized mode. Disable unused code elision during elaboration.
135 Suppressed warnings mode. Disables all warning messages.
138 Use bulk mode (percpu files) for kernel-to-user data transfer.
141 Collect timing information on the number of times probe executes
142 and average amount of time spent in each probe.
145 Use NUM megabyte buffers for kernel-to-user data transfer. On a
146 multiprocessor in bulk mode, this is a per-processor amount.
149 Add the given directory to the tapset search directory. See the
150 description of pass 2 for details.
152 .BI \-D " NAME=VALUE"
153 Add the given C preprocessor directive to the module Makefile. These can
154 be used to override limit parameters described below.
156 .BI \-B " NAME=VALUE"
157 Add the given make directive to the kernel module build's make invocation.
158 These can be used to add or override kconfig options.
161 Look for the systemtap runtime sources in the given directory.
164 Build for kernel in given build tree. Can also be set with the
166 environment variable.
169 Build for kernel in build tree
170 .BR /lib/modules/RELEASE/build .
171 Can also be set with the
173 environment variable.
176 Use the given name for the generated kernel object module, instead
177 of a unique randomized name. The generated kernel object module is
178 copied to the current directory.
181 Add symbol/unwind information for the given module into the kernel object
182 module. This may enable symbolic tracebacks from those modules/programs,
183 even if they do not have an explicit probe placed into them.
186 Add symbol/unwind information for all shared libraries suspected by
187 ldd to be necessary for user-space binaries being probe or listed with
188 the \-d option. Caution: this can make the probe modules considerably
192 Send standard output to named file. In bulk mode, percpu files will
193 start with FILE_ (FILE_cpu with -F) followed by the cpu number.
194 This supports strftime(3) formats for FILE.
197 Start the probes, run CMD, and exit when CMD finishes.
200 Sets target() to PID. This allows scripts to be written that filter on
204 Instead of running a probe script, just list all available probe
205 points matching the given pattern. The pattern may include wildcards
209 Similar to "-l", but list probe points and script-level local variables.
212 Without -o option, load module and start probes, then detach from the module
213 leaving the probes running.
214 With -o option, run staprun in background as a daemon and show its pid.
217 Sets the maximum size of output file and the maximum number of output files.
218 If the size of output file will exceed
220 , systemtap switches output file to the next file. And if the number of
223 , systemtap removes the oldest output file. You can omit the second argument.
224 .\" PR6864: disable temporarily
227 .\"For names and addresses of functions to probe,
228 .\"consult the symbol tables in the kernel and modules.
229 .\"This can be useful if your kernel and/or modules were compiled
230 .\"without debugging information, or the function you want to probe
231 .\"is in an assembly-language file built without debugging information.
233 .\".B "MAKING DO WITH SYMBOL TABLES"
234 .\"section for more information.
236 .\".BI \-\-kmap [=FILE]
237 .\"For names and addresses of kernel functions to probe,
238 .\"consult the symbol table in the indicated text file.
239 .\"The default is /boot/System.map-VERSION.
240 .\"The contents of this file should be in the form of the default output from
242 .\"Only symbols of type T or t are used.
243 .\"If you specify /proc/kallsyms or some other file in that format,
244 .\"where lines for module symbols contain a fourth column,
245 .\"reading of the symbol table stops with the first module symbol
246 .\"(which should be right after the last kernel symbol).
249 .\"the symbol table in each module's .ko file will also be consulted.
251 .\".B "MAKING DO WITH SYMBOL TABLES"
252 .\"section for more information.
253 .\" --ignore-{vmlinux,dwarf} shouldn't be visible
256 Ignore out of context variables and substitute with literal 0.
259 .BI \-\-compatible VERSION
260 Suppress recent script language or tapset changes which are incompatible
261 with given older version of systemtap. This may be useful if a much older
262 systemtap script fails to run.
266 Any additional arguments on the command line are passed to the script
267 parser for substitution. See below.
271 The systemtap script language resembles
273 There are two main outermost constructs: probes and functions. Within
274 these, statements and expressions use C-like operator syntax and
278 Whitespace is ignored. Three forms of comments are supported:
281 .BR # " ... shell style, to the end of line, except for $# and @#"
283 .BR // " ... C++ style, to the end of line"
285 .BR /* " ... C style ... " */
287 Literals are either strings enclosed in double-quotes (passing through
288 the usual C escape codes with backslashes), or integers (in decimal,
289 hexadecimal, or octal, using the same notation as in C). All strings
290 are limited in length to some reasonable value (a few hundred bytes).
291 Integers are 64-bit signed quantities, although the parser also accepts
292 (and wraps around) values above positive 2**63.
294 In addition, script arguments given at the end of the command line may
297 for insertion unquoted,
299 for insertion as a string literal. The number of arguments may be accessed
302 (as an unquoted number) or through
304 (as a quoted number). These may be used at any place a token may begin,
305 including within the preprocessing stage. Reference to an argument
306 number beyond what was actually given is an error.
309 A simple conditional preprocessing stage is run as a part of parsing.
310 The general form is similar to the
311 .RB cond " ? " exp1 " : " exp2
314 .BR %( " CONDITION " %? " TRUE-TOKENS " %)
315 .BR %( " CONDITION " %? " TRUE-TOKENS " %: " FALSE-TOKENS " %)
317 The CONDITION is either an expression whose format is determined by its
318 first keyword, or a string literals comparison or a numeric literals
319 comparison. It can be also composed of many alternatives and conjunctions
320 of CONDITIONs (meant as in previous sentence) using || and && respectively.
321 However, parentheses are not supported yet, so remembering that conjunction
322 takes precedence over alternative is important.
324 If the first part is the identifier
325 .BR kernel_vr " or " kernel_v
326 to refer to the kernel version number, with ("2.6.13\-1.322FC3smp") or
327 without ("2.6.13") the release code suffix, then
328 the second part is one of the six standard numeric comparison operators
329 .BR < ", " <= ", " == ", " != ", " > ", and " >= ,
330 and the third part is a string literal that contains an RPM-style
331 version-release value. The condition is deemed satisfied if the
332 version of the target kernel (as optionally overridden by the
334 option) compares to the given version string. The comparison is
335 performed by the glibc function
337 As a special case, if the operator is for simple equality
341 and the third part contains any wildcard characters
342 .RB ( * " or " ? " or " [ "),"
343 then the expression is treated as a wildcard (mis)match as evaluated
347 If, on the other hand, the first part is the identifier
349 to refer to the processor architecture (as named by the kernel
350 build system ARCH/SUBARCH), then the second
351 part is one of the two string comparison operators
353 and the third part is a string literal for matching it. This
354 comparison is a wildcard (mis)match.
356 Similarly, if the first part is an identifier like
358 to refer to a kernel configuration option, then the second part is
360 and the third part is a string literal for matching the value
361 (commonly "y" or "m"). Nonexistent or unset kernel configuration
362 options are represented by the empty string. This comparison is also
363 a wildcard (mis)match.
365 Otherwise, the CONDITION is expected to be a comparison between two string
366 literals or two numeric literals. In this case, the arguments are the only
369 The TRUE-TOKENS and FALSE-TOKENS are zero or more general parser
370 tokens (possibly including nested preprocessor conditionals), and are
371 passed into the input stream if the condition is true or false. For
372 example, the following code induces a parse error unless the target
373 kernel version is newer than 2.6.5:
375 %( kernel_v <= "2.6.5" %? **ERROR** %) # invalid token sequence
377 The following code might adapt to hypothetical kernel version drift:
379 probe kernel.function (
380 %( kernel_v <= "2.6.12" %? "__mm_do_fault" %:
381 %( kernel_vr == "2.6.13*smp" %? "do_page_fault" %:
386 probe syscall.vliw = kernel.function("vliw_widget") {}
391 Identifiers for variables and functions are an alphanumeric sequence,
392 and may include "_" and "$" characters. They may not start with a
393 plain digit, as in C. Each variable is by default local to the probe
394 or function statement block within which it is mentioned, and therefore
395 its scope and lifetime is limited to a particular probe or function
397 .\" XXX add statistics type here once it's supported
399 Scalar variables are implicitly typed as either string or integer.
400 Associative arrays also have a string or integer value, and a
401 tuple of strings and/or integers serving as a key. Here are a
402 few basic expressions.
406 array1 [pid()] = "name" # single numeric key
407 array2 ["foo",4,i++] += 5 # vector of string/num/num keys
408 if (["hello",5,4] in array2) println ("yes") # membership test
411 The translator performs
413 on all identifiers, including array indexes and function parameters.
414 Inconsistent type-related use of identifiers signals an error.
416 Variables may be declared global, so that they are shared amongst all
417 probes and live as long as the entire systemtap session. There is one
418 namespace for all global variables, regardless of which script file
419 they are found within. A global declaration may be written at the
420 outermost level anywhere, not within a block of code. Global
421 variables which are written but never read will be displayed
422 automatically at session shutdown. The translator will
423 infer for each its value type, and if it is used as an array, its key
424 types. Optionally, scalar globals may be initialized with a string
425 or number literal. The following declaration marks variables as global.
427 .BR global " var1" , " var2" , " var3=4"
430 Global variables can also be set as module options. To do this, the
431 module must first be compiled using stap \-p4. Global variables can
432 then be set on the command line when calling staprun on the
433 module generated by stap \-p4. See
435 for more information.
439 Arrays are limited in size by the MAXMAPENTRIES variable -- see the
440 .B SAFETY AND SECURITY
441 section for details. Optionally, global arrays may be declared with a
442 maximum size in brackets, overriding MAXMAPENTRIES for that array only.
443 Note that this doesn't indicate the type of keys for the array, just the
446 .BR global " tiny_array[10]" , " normal_array" , " big_array[50000]"
448 .\" XXX add statistics type here once it's supported
451 Statements enable procedural control flow. They may occur within
452 functions and probe handlers. The total number of statements executed
453 in response to any single probe event is limited to some number
454 defined by a macro in the translated C code, and is in the
455 neighbourhood of 1000.
458 Execute the string- or integer-valued expression and throw away
461 .BR { " STMT1 STMT2 ... " }
462 Execute each statement in sequence in this block. Note that
463 separators or terminators are generally not necessary between statements.
466 Null statement, do nothing. It is useful as an optional separator between
467 statements to improve syntax-error detection and to handle certain
470 .BR if " (EXP) STMT1 [ " else " STMT2 ]"
471 Compare integer-valued EXP to zero. Execute the first (non-zero)
472 or second STMT (zero).
474 .BR while " (EXP) STMT"
475 While integer-valued EXP evaluates to non-zero, execute STMT.
477 .BR for " (EXP1; EXP2; EXP3) STMT"
478 Execute EXP1 as initialization. While EXP2 is non-zero, execute
479 STMT, then the iteration expression EXP3.
481 .BR foreach " (VAR " in " ARRAY [ "limit " EXP ]) STMT"
482 Loop over each element of the named global array, assigning current
483 key to VAR. The array may not be modified within the statement.
486 operator after the VAR or the ARRAY identifier, the iteration will
487 proceed in a sorted order, by ascending or descending index or value.
490 keyword limits the number of loop iterations to EXP times. EXP is
491 evaluated once at the beginning of the loop.
493 .BR foreach " ([VAR1, VAR2, ...] " in " ARRAY [ "limit " EXP ]) STMT"
494 Same as above, used when the array is indexed with a tuple of keys.
495 A sorting suffix may be used on at most one VAR or ARRAY identifier.
497 .BR break ", " continue
498 Exit or iterate the innermost nesting loop
499 .RB ( while " or " for " or " foreach )
503 Return EXP value from enclosing function. If the function's value is
504 not taken anywhere, then a return statement is not needed, and the
505 function will have a special "unknown" type with no return value.
508 Return now from enclosing probe handler. This is especially useful in
509 probe aliases that apply event filtering predicates.
511 .BR try " { STMT1 } " catch " { STMT2 }"
512 Run the statements in the first block. Upon any run-time errors, abort
513 STMT1 and start executing STMT2. Any errors in STMT2 will propagate to
514 outer try/catch blocks, if any.
516 .BR try " { STMT1 } " catch "(VAR) { STMT2 }"
517 Same as above, plus assign the error message to the string scalar variable VAR.
519 .BR delete " ARRAY[INDEX1, INDEX2, ...]"
520 Remove from ARRAY the element specified by the index tuple. The value will no
521 longer be available, and subsequent iterations will not report the element.
522 It is not an error to delete an element that does not exist.
525 Remove all elements from ARRAY.
528 Removes the value of SCALAR. Integers and strings are cleared to 0 and ""
529 respectively, while statistics are reset to the initial empty state.
532 Systemtap supports a number of operators that have the same general syntax,
533 semantics, and precedence as in C and awk. Arithmetic is performed as per
534 typical C rules for signed integers. Division by zero or overflow is
535 detected and results in an error.
537 binary numeric operators
538 .B * / % + \- >> << & ^ | && ||
540 binary string operators
542 (string concatenation)
544 numeric assignment operators
545 .B = *= /= %= += \-= >>= <<= &= ^= |=
547 string assignment operators
550 unary numeric operators
553 binary numeric or string comparison operators
557 .RB cond " ? " exp1 " : " exp2
563 .RB "fn " ( "[ arg1, arg2, ... ]" )
565 array membership check
568 .BR "[" exp1 ", " exp2 ", " ... "] in " array
571 The main construct in the scripting language identifies probes.
572 Probes associate abstract events with a statement block ("probe
573 handler") that is to be executed when any of those events occur. The
574 general syntax is as follows:
576 .BR probe " PROBEPOINT [" , " PROBEPOINT] " { " [STMT ...] " }
579 Events are specified in a special syntax called "probe points". There
580 are several varieties of probe points defined by the translator, and
581 tapset scripts may define further ones using aliases. These are
583 .IR stapprobes (3stap)
586 The probe handler is interpreted relative to the context of each
587 event. For events associated with kernel code, this context may
592 at that spot. These "target variables" are presented to the script as
593 variables whose names are prefixed with "$". They may be accessed
594 only if the kernel's compiler preserved them despite optimization.
595 This is the same constraint that a debugger user faces when working
596 with optimized code. Some other events have very little context.
598 .IR stapprobes (3stap)
599 man pages to see the kinds of context variables available at each kind
602 New probe points may be defined using "aliases". Probe point aliases
603 look similar to probe definitions, but instead of activating a probe
604 at the given point, it just defines a new probe point name as an alias
605 to an existing one. There are two types of alias, i.e. the prologue
606 style and the epilogue style which are identified by "=" and "+="
609 For prologue style alias, the statement block that follows an alias
610 definition is implicitly added as a prologue to any probe that refers
611 to the alias. While for the epilogue style alias, the statement block
612 that follows an alias definition is implicitly added as an epilogue to
613 any probe that refers to the alias. For example:
616 probe syscall.read = kernel.function("sys_read") {
618 if (execname == "init") next # skip rest of probe
621 defines a new probe point
627 .IR kernel.function("sys_read") ,
629 with the given statement as a prologue, which is useful to predefine
630 some variables for the alias user and/or to skip probe processing
631 entirely based on some conditions. And
633 probe syscall.read += kernel.function("sys_read") {
634 if (tracethis) println ($fd)
637 defines a new probe point with the given statement as an epilogue, which
638 is useful to take actions based upon variables set or left over by the
641 An alias is used just like a built-in probe type.
644 printf("reading fd=%d\n", fildes)
645 if (fildes > 10) tracethis = 1
650 Systemtap scripts may define subroutines to factor out common work.
651 Functions take any number of scalar (integer or string) arguments, and
652 must return a single scalar (integer or string). An example function
653 declaration looks like this:
655 function thisfn (arg1, arg2) {
659 Note the general absence of type declarations, which are instead
660 inferred by the translator. However, if desired, a function
661 definition may include explicit type declarations for its return value
662 and/or its arguments. This is especially helpful for embedded-C
663 functions. In the following example, the type inference engine need
664 only infer type type of arg2 (a string).
666 function thatfn:string (arg1:long, arg2) {
667 return sprint(arg1) . arg2
670 Functions may call others or themselves
671 recursively, up to a fixed nesting limit. This limit is defined by
672 a macro in the translated C code and is in the neighbourhood of 10.
675 There are a set of function names that are specially treated by the
676 translator. They format values for printing to the standard systemtap
677 output stream in a more convenient way. The
679 variants return the formatted string instead of printing it.
681 .BR print ", " sprint
682 Print one or more values of any type, concatenated directly together.
684 .BR println ", " sprintln
686 .IR print " and " sprint ,
687 but also append a newline.
689 .BR printd ", " sprintd
690 Take a string delimiter and two or more values of any type, and print the
691 values with the delimiter interposed. The delimiter must be a literal
694 .BR printdln ", " sprintdln
695 Print values with a delimiter like
696 .IR printd " and " sprintd ,
697 but also append a newline.
699 .BR printf ", " sprintf
700 Take a formatting string and a number of values of corresponding types,
701 and print them all. The format must be a literal string constant.
705 formatting directives similar to those of C, except that they are
706 fully type-checked by the translator:
710 Writes a binary blob of the value given, instead of ASCII text. The width specifier determines the number of bytes to write; valid specifiers are %b %1b %2b %4b %8b. Default (%b) is 8 bytes.
719 Safely reads kernel memory at the given address, outputs its content. The precision specifier determines the number of bytes to read. Default is 1 byte.
722 Same as %m, but outputs in hexadecimal. The minimal size of output is double the precision specifier.
728 Unsigned pointer address.
737 Unsigned hex value, in all lower-case.
740 Unsigned hex value, in all upper-case.
748 a = "alice", b = "bob", p = 0x1234abcd, i = 123, j = -1, id[a] = 1234, id[b] = 4567
753 println(a . " is " . sprint(16))
755 foreach (name in id) printdln("|", strlen(name), name, id[name])
756 Prints: 5|alice|1234\\n3|bob|4567
757 printf("%c is %s; %x or %X or %p; %d or %u\\n",97,a,p,p,p,j,j)
758 Prints: a is alice; 1234abcd or 1234ABCD or 0x1234abcd; -1 or 18446744073709551615\\n
759 printf("2 bytes of kernel buffer at address %p: %2m", p, p)
760 Prints: 2 byte of kernel buffer at address 0x1234abcd: <binary data>
762 Prints (these values as binary data): 0x1234abcd
766 It is often desirable to collect statistics in a way that avoids the
767 penalties of repeatedly exclusive locking the global variables those
768 numbers are being put into. Systemtap provides a solution using a
769 special operator to accumulate values, and several pseudo-functions to
770 extract the statistical aggregates.
772 The aggregation operator is
774 and resembles an assignment, or a C++ output-streaming operation.
775 The left operand specifies a scalar or array-index lvalue, which must
776 be declared global. The right operand is a numeric expression. The
777 meaning is intuitive: add the given number to the pile of numbers to
778 compute statistics of. (The specific list of statistics to gather
779 is given separately, by the extraction functions.)
782 stats[pid()] <<< memsize
785 The extraction functions are also special. For each appearance of a
786 distinct extraction function operating on a given identifier, the
787 translator arranges to compute a set of statistics that satisfy it.
788 The statistics system is thereby "on-demand". Each execution of
789 an extraction function causes the aggregation to be computed for
790 that moment across all processors.
792 Here is the set of extractor functions. The first argument of each is
793 the same style of lvalue used on the left hand side of the accumulate
795 .IR @count(v) ", " @sum(v) ", " @min(v) ", " @max(v) ", " @avg(v)
796 extractor functions compute the number/total/minimum/maximum/average
797 of all accumulated values. The resulting values are all simple
800 Histograms are also available, but are more complicated because they
801 have a vector rather than scalar value.
802 .I @hist_linear(v,start,stop,interval)
803 represents a linear histogram from "start" to "stop" by increments
804 of "interval". The interval must be positive. Similarly,
806 represents a base-2 logarithmic histogram. Printing a histogram
809 family of functions renders a histogram object as a tabular
810 "ASCII art" bar chart.
816 printf ("avg %d = sum %d / count %d\\n",
817 @avg(x), @sum(x), @count(x))
823 Once a pointer has been saved into a script integer variable, the
824 translator loses the type information necessary to access members from
825 that pointer. Using the
827 operator tells the translator how to read a pointer.
829 @cast(p, "type_name"[, "module"])->member
834 as a pointer to a struct/union named
840 expressions may be appended to dereference more levels.
843 the same dereferencing operator
845 is used to refer to both direct containment or pointer indirection.
846 Systemtap automatically determines which. The optional
848 tells the translator where to look for information about that type.
849 Multiple modules may be specified as a list with
851 separators. If the module is not specified, it will default either to
852 the probe module for dwarf probes, or to "kernel" for functions and all
855 The translator can create its own module with type information from a header
856 surrounded by angle brackets, in case normal debuginfo is not available. For
857 kernel headers, prefix it with "kernel" to use the appropriate build system.
858 All other headers are build with default GCC parameters into a user module.
859 Multiple headers may be specified in sequence to resolve a codependency.
861 @cast(tv, "timeval", "<sys/time.h>")->tv_sec
862 @cast(task, "task_struct", "kernel<linux/sched.h>")->tgid
863 @cast(task, "task_struct",
864 "kernel<linux/sched.h><linux/fs_struct.h>")->fs->umask
867 When in guru mode, the translator will also allow scripts to assign new
868 values to members of typecasted pointers.
870 Typecasting is also useful in the case of
872 members whose type may be determinable at runtime.
875 if ($var->type == 1) {
876 value = @cast($var->data, "type1")->bar
878 value = @cast($var->data, "type2")->baz
885 When in guru mode, the translator accepts embedded code in the
886 script. Such code is enclosed between
890 markers, and is transcribed verbatim, without analysis, in some
891 sequence, into the generated C code. At the outermost level, this may
894 instructions, and any auxiliary definitions for use by other embedded
897 The other place where embedded code is permitted is as a function body.
898 In this case, the script language body is replaced entirely by a piece
899 of C code enclosed again between
902 This C code may do anything reasonable and safe. There are a number
903 of undocumented but complex safety constraints on atomicity,
904 concurrency, resource consumption, and run time limits, so this
905 is an advanced technique.
907 The memory locations set aside for input and output values
908 are made available to it using a macro
910 Here are some examples:
912 function add_one (val) %{
913 THIS\->__retvalue = THIS\->val + 1;
915 function add_one_str (val) %{
916 strlcpy (THIS\->__retvalue, THIS\->val, MAXSTRINGLEN);
917 strlcat (THIS\->__retvalue, "one", MAXSTRINGLEN);
920 The function argument and return value types have to be inferred by
921 the translator from the call sites in order for this to work. The
922 user should examine C code generated for ordinary script-language
923 functions in order to write compatible embedded-C ones.
926 A set of builtin functions and probe point aliases are provided
927 by the scripts installed under the
929 .IR @prefix@/share/systemtap/tapset
931 directory. These are described in the
932 .IR stapfuncs "(3stap) and " stapprobes (3stap)
936 The translator begins pass 1 by parsing the given input script,
937 and all scripts (files named
939 found in a tapset directory. The directories listed
942 are processed in sequence, each processed in "guru mode". For each
943 directory, a number of subdirectories are also searched. These
944 subdirectories are derived from the selected kernel version (the
947 in order to allow more kernel-version-specific scripts to override less
948 specific ones. For example, for a kernel version
950 the following patterns would be searched, in sequence:
951 .IR 2.6.12\-23.FC3/*.stp ,
956 Stopping the translator after pass 1 causes it to print the parse trees.
959 In pass 2, the translator analyzes the input script to resolve symbols
960 and types. References to variables, functions, and probe aliases that
961 are unresolved internally are satisfied by searching through the
962 parsed tapset scripts. If any tapset script is selected because it
963 defines an unresolved symbol, then the entirety of that script is
964 added to the translator's resolution queue. This process iterates
965 until all symbols are resolved and a subset of tapset scripts is
968 Next, all probe point descriptions are validated
969 against the wide variety supported by the translator. Probe points that
970 refer to code locations ("synchronous probe points") require the
971 appropriate kernel debugging information to be installed. In the
972 associated probe handlers, target-side variables (whose names begin
973 with "$") are found and have their run-time locations decoded.
975 Next, all probes and functions are analyzed for optimization
976 opportunities, in order to remove variables, expressions, and
977 functions that have no useful value and no side-effect. Embedded-C
978 functions are assumed to have side-effects unless they include the
981 Since this optimization can hide latent code errors such as type
982 mismatches or invalid $target variables, it sometimes may be useful
983 to disable the optimizations with the
987 Finally, all variable, function, parameter, array, and index types are
988 inferred from context (literals and operators). Stopping the
989 translator after pass 2 causes it to list all the probes, functions,
990 and variables, along with all inferred types. Any inconsistent or
991 unresolved types cause an error.
994 In pass 3, the translator writes C code that represents the actions
995 of all selected script files, and creates a
997 to build that into a kernel object. These files are placed into a
998 temporary directory. Stopping the translator at this point causes
999 it to print the contents of the C file.
1002 In pass 4, the translator invokes the Linux kernel build system to
1003 create the actual kernel object file. This involves running
1005 in the temporary directory, and requires a kernel module build
1006 system (headers, config and Makefiles) to be installed in the usual
1008 .IR /lib/modules/VERSION/build .
1009 Stopping the translator after pass 4 is the last chance before
1010 running the kernel object. This may be useful if you want to
1014 In pass 5, the translator invokes the systemtap auxiliary program
1016 program for the given kernel object. This program arranges to load
1017 the module then communicates with it, copying trace data from the
1018 kernel into temporary files, until the user sends an interrupt signal.
1019 Any run-time error encountered by the probe handlers, such as running
1020 out of memory, division by zero, exceeding nesting or runtime limits,
1021 results in a soft error indication. Soft errors in excess of
1022 MAXERRORS block of all subsequent probes (except error-handling
1023 probes), and terminate the session. Finally,
1025 unloads the module, and cleans up.
1027 .SS ABNORMAL TERMINATION
1029 One should avoid killing the stap process forcibly, for example with
1030 SIGKILL, because the stapio process (a child process of the stap
1031 process) and the loaded module may be left running on the system. If
1032 this happens, send SIGTERM or SIGINT to any remaining stapio
1033 processes, then use rmmod to unload the systemtap module.
1039 manual page for a collection of samples.
1042 The systemtap translator caches the pass 3 output (the generated C
1043 code) and the pass 4 output (the compiled kernel module) if pass 4
1044 completes successfully. This cached output is reused if the same
1045 script is translated again assuming the same conditions exist (same kernel
1046 version, same systemtap version, etc.). Cached files are stored in
1048 .I $SYSTEMTAP_DIR/cache
1049 directory. The cache can be limited by having the file
1051 placed in the cache directory (shown above) containing only an ASCII
1052 integer representing how many MiB the cache should not exceed. Note that
1053 this is a 'soft' limit in that the cache will be cleaned after a new entry
1054 is added, so the total cache size may temporarily exceed this limit. In the
1055 absence of this file, a default will be created with the limit set to 64MiB.
1057 .SH SAFETY AND SECURITY
1058 Systemtap is an administrative tool. It exposes kernel internal data
1059 structures and potentially private user information.
1061 either root privileges
1063 To actually run the kernel objects it builds, a user must be one of
1078 group can only use modules under the following conditions:
1080 The module is located in
1081 the /lib/modules/VERSION/systemtap directory. This directory
1082 must be owned by root and not be world writable.
1084 The module has been signed by a trusted signer. Trusted signers are normally
1085 systemtap compile servers which sign modules when the --unprivileged option is
1086 specified by the client. See the
1088 manual page for a for more information.
1090 The kernel modules generated by
1092 program are run by the
1094 program. The latter is a part of the Systemtap package, dedicated to
1095 module loading and unloading (but only in the white zone), and
1096 kernel-to-user data transfer. Since
1098 does not perform any additional security checks on the kernel objects
1099 it is given, it would be unwise for a system administrator to add
1100 untrusted users to the
1106 The translator asserts certain safety constraints. It aims to ensure
1107 that no handler routine can run for very long, allocate memory,
1108 perform unsafe operations, or in unintentionally interfere with the
1109 kernel. Use of script global variables is suitably locked to protect
1110 against manipulation by concurrent probe handlers. Use of guru mode
1111 constructs such as embedded C can violate these constraints, leading
1112 to kernel crash or data corruption.
1114 The resource use limits are set by macros in the generated C code.
1115 These may be overridden with the
1117 flag. A selection of these is as follows:
1120 Maximum number of nested function calls. Default determined by
1121 script analysis, with a bonus 10 slots added for recursive
1125 Maximum length of strings, default 128.
1128 Maximum number of iterations to wait for locks on global variables
1129 before declaring possible deadlock and skipping the probe, default 1000.
1132 Maximum number of statements to execute during any single probe hit
1133 (with interrupts disabled),
1136 MAXACTION_INTERRUPTIBLE
1137 Maximum number of statements to execute during any single probe hit
1138 which is executed with interrupts enabled (such as begin/end probes),
1139 default (MAXACTION * 10).
1142 Maximum number of rows in any single global array, default 2048.
1145 Maximum number of soft errors before an exit is triggered, default 0, which
1146 means that the first error will exit the script.
1149 Maximum number of skipped probes before an exit is triggered, default 100.
1150 Running systemtap with \-t (timing) mode gives more details about skipped
1151 probes. With the default \-DINTERRUPTIBLE=1 setting, probes skipped due to
1152 reentrancy are not accumulated against this limit.
1155 Minimum number of free kernel stack bytes required in order to
1156 run a probe handler, default 1024. This number should be large enough
1157 for the probe handler's own needs, plus a safety margin.
1160 Maximum number of concurrently armed user-space probes (uprobes), default
1161 somewhat larger than the number of user-space probe points named in the script.
1162 This pool needs to be potentialy large because individual uprobe objects (about
1163 64 bytes each) are allocated for each process for each matching script-level probe.
1166 Maximum amount of memory (in kilobytes) that the systemtap module
1167 should use, default unlimited. The memory size includes the size of
1168 the module itself, plus any additional allocations. This only tracks
1169 direct allocations by the systemtap runtime. This does not track
1170 indirect allocations (as done by kprobes/uprobes/etc. internals).
1173 Size of procfs probe read buffers (in bytes). Defaults to
1175 This value can be overridden on a per-procfs file basis using the
1177 .I .maxsize(MAXSIZE)
1180 With scripts that contain probes on any interrupt path, it is possible that
1181 those interrupts may occur in the middle of another probe handler. The probe
1182 in the interrupt handler would be skipped in this case to avoid reentrance.
1183 To work around this issue, execute stap with the option
1184 .BR \-DINTERRUPTIBLE=0
1185 to mask interrupts throughout the probe handler. This does add some extra
1186 overhead to the probes, but it may prevent reentrance for common problem
1187 cases. However, probes in NMI handlers and in the callpath of the stap
1188 runtime may still be skipped due to reentrance.
1191 Multiple scripts can write data into a relay buffer concurrently. A host
1192 script provides an interface for accessing its relay buffer to guest scripts.
1193 Then, the output of the guests are merged into the output of the host.
1194 To run a script as a host, execute stap with
1195 .BR \-DRELAYHOST[=name]
1198 identifies your host script among several hosts.
1199 While running the host, execute stap with
1200 .BR \-DRELAYGUEST[=name]
1201 to add a guest script to the host.
1202 Note that you must unload guests before unloading a host. If there are some
1203 guests connected to the host, unloading the host will be failed.
1206 In case something goes wrong with
1207 .IR stap " or " staprun
1208 after a probe has already started running, one may safely kill both
1209 user processes, and remove the active probe kernel module with
1211 Any pending trace messages may be lost.
1214 In addition to the methods outlined above, the generated kernel module
1215 also uses overload processing to make sure that probes can't run for
1216 too long. If more than STP_OVERLOAD_THRESHOLD cycles (default
1217 500000000) have been spent in all the probes on a single cpu during
1218 the last STP_OVERLOAD_INTERVAL cycles (default 1000000000), the probes
1219 have overloaded the system and an exit is triggered.
1221 By default, overload processing is turned on for all modules. If you
1222 would like to disable overload processing, define STP_NO_OVERLOAD.
1224 .\" PR6864: disable temporarily
1225 .\".SH MAKING DO WITH SYMBOL TABLES
1226 .\"Systemtap performs best when it has access to the debugging information
1227 .\"associated with your kernel and modules.
1228 .\"However, if this information is not available,
1229 .\"systemtap can still support probing of function entries and returns
1230 .\"using symbols read from vmlinux and/or the modules in /lib/modules.
1231 .\"Systemtap can also read the kernel symbol table from a text file
1232 .\"such as /boot/System.map or /proc/kallsyms.
1239 .\"If systemtap finds relevant debugging information,
1240 .\"it will use it even if you specify
1245 .\"Without debugging information, systemtap cannot support the
1246 .\"following types of language constructs:
1248 .\"probe specifications that refer to source files or line numbers
1250 .\"probe specifications that refer to inline functions
1252 .\"statements that refer to $target variables
1254 .\"statements that refer to @cast() variables
1256 .\"tapset-defined variables defined using any of the above constructs.
1257 .\"In particular, at this writing,
1258 .\"the prologue blocks for certain aliases in the syscall tapset
1259 .\"(e.g., syscall.open) contain "if" statements that refer to $target variables.
1260 .\"If your script refers to any such aliases,
1261 .\"systemtap must have access to the kernel's debugging information.
1263 .\"Most T and t symbols correspond to function entry points, but some do not.
1264 .\"Based only on the symbol table, systemtap cannot tell the difference.
1265 .\"Placing return probes on symbols that aren't entry points
1266 .\"will most likely lead to kernel stack corruption.
1269 .\" consider autoconf-substituting these directories
1272 Systemtap data directory for cached systemtap files, unless overridden
1275 environment variable.
1278 Temporary directory for systemtap files, including translated C code
1281 @prefix@/share/systemtap/tapset
1282 The automatic tapset search directory, unless overridden by
1285 environment variable.
1287 @prefix@/share/systemtap/runtime
1288 The runtime sources, unless overridden by the
1289 .I SYSTEMTAP_RUNTIME
1290 environment variable.
1292 /lib/modules/VERSION/build
1293 The location of kernel module building infrastructure.
1295 @prefix@/lib/debug/lib/modules/VERSION
1296 The location of kernel debugging information when packaged into the
1297 .IR kernel\-debuginfo
1298 RPM, unless overridden by the
1299 .I SYSTEMTAP_DEBUGINFO_PATH
1300 environment variable. The default value for this variable is
1301 .IR \+:.debug:/usr/lib/debug:build .
1302 Elfutils searches vmlinux in this path and it interprets the path as a base
1303 directory of which various subdirectories will be searched for finding modules.
1305 @prefix@/bin/staprun
1306 The auxiliary program supervising module loading, interaction, and
1310 .IR stapprobes (3stap),
1311 .IR stapfuncs (3stap),
1313 .IR stapvars (3stap),
1315 .IR stap-client (8),
1316 .IR stap-server (8),
1321 Use the Bugzilla link of the project web page or our mailing list.
1323 .BR http://sources.redhat.com/systemtap/ , <systemtap@sources.redhat.com> .