Chapter 3. Understanding How SystemTap Works

3.1. Architecture
3.2. SystemTap Scripts
3.2.1. Event
3.2.2. SystemTap Handler/Body
3.3. Basic SystemTap Handler Constructs
3.3.1. Variables
3.3.2. Target Variables
3.3.3. Conditional Statements
3.3.4. Command-Line Arguments
3.4. Associative Arrays
3.5. Array Operations in SystemTap
3.5.1. Assigning an Associated Value
3.5.2. Reading Values From Arrays
3.5.3. Incrementing Associated Values
3.5.4. Processing Multiple Elements in an Array
3.5.5. Clearing/Deleting Arrays and Array Elements
3.5.6. Using Arrays in Conditional Statements
3.5.7. Computing for Statistical Aggregates
3.6. Tapsets
SystemTap allows users to write and reuse simple scripts to deeply examine the activities of a running Linux system. These scripts can be designed to extract data, filter it, and summarize it quickly (and safely), enabling the diagnosis of complex performance (or even functional) problems.
The essential idea behind a SystemTap script is to name events, and to give them handlers. When SystemTap runs the script, SystemTap monitors for the event; once the event occurs, the Linux kernel then runs the handler as a quick sub-routine, then resumes.
There are several kind of events; entering/exiting a function, timer expiration, session termination, etc. A handler is a series of script language statements that specify the work to be done whenever the event occurs. This work normally includes extracting data from the event context, storing them into internal variables, and printing results.

3.1. Architecture

A SystemTap session begins when you run a SystemTap script. This session occurs in the following fashion:

Procedure 3.1. SystemTap Session

  1. First, SystemTap checks the script against the existing tapset library (normally in /usr/share/systemtap/tapset/ for any tapsets used. SystemTap will then substitute any located tapsets with their corresponding definitions in the tapset library.
  2. SystemTap then translates the script to C, running the system C compiler to create a kernel module from it. The tools that perform this step are contained in the systemtap package (refer to Section 2.1.1, “Installing SystemTap” for more information).
  3. SystemTap loads the module, then enables all the probes (events and handlers) in the script. The staprun in the systemtap-runtime package (refer to Section 2.1.1, “Installing SystemTap” for more information) provides this functionality.
  4. As the events occur, their corresponding handlers are executed.
  5. Once the SystemTap session is terminated, the probes are disabled, and the kernel module is unloaded.
This sequence is driven from a single command-line program: stap. This program is SystemTap's main front-end tool. For more information about stap, refer to man stap (once SystemTap is properly installed on your machine).