stap
[
OPTIONS
]
FILENAME
[
ARGUMENTS
]
stap
[
OPTIONS
]
-
[
ARGUMENTS
]
stap
[
OPTIONS
]
-e SCRIPT
[
ARGUMENTS
]
stap
[
OPTIONS
]
-l PROBE
[
ARGUMENTS
]
stap
[
OPTIONS
]
-L PROBE
[
ARGUMENTS
]
stap
[
OPTIONS
]
--dump-probe-types
stap
[
OPTIONS
]
--dump-probe-aliases
stap
[
OPTIONS
]
--dump-functions
The stap program is the front-end to the Systemtap tool. It accepts probing instructions written in a simple domain-specific language, translates those instructions into C code, compiles this C code, and loads the resulting module into a running Linux kernel or a Dyninst user-space mutator, to perform the requested system trace/probe functions. You can supply the script in a named file (FILENAME), from standard input (use - instead of FILENAME), or from the command line (using -e SCRIPT). The program runs until it is interrupted by the user, or if the script voluntarily invokes the exit() function, or by sufficient number of soft errors.
The language, which is described the SCRIPT LANGUAGE section below, is strictly typed, expressive, declaration free, procedural, prototyping-friendly, and inspired by awk and C. It allows source code points or events in the system to be associated with handlers, which are subroutines that are executed synchronously. It is somewhat similar conceptually to "breakpoint command lists" in the gdb debugger.
systemtap comes with a variety of educational, documentation and reference resources. They come online and/or packaged for offline use. Some systemtap diagnostic warning/error messages specially suggest reading a man page by including a string like [man error::pass5]. For online documentation, see the project web site, https://sourceware.org/systemtap/
man pages | |
stap (this page) | language syntax, concepts, operation, options |
error::* | further explanation of error conditions |
warning::* | further explanation of warning conditions |
stapprobes | probe points and their $context variables |
stapref | quick reference to language syntax |
stappaths |
list of directories, including books & references
|
stap-prep |
program to install auxiliary dependencies like kernel debuginfo
|
tapset::* | generated list of tapsets |
probe::* | generated list of tapset probe aliases |
function::* | generated list of tapset functions |
macro::* | generated list of tapset macros |
stapvars | some of the tapset global variables |
staprun, stapdyn, stapbpf | programs for executing compiled systemtap scripts |
systemtap | initscript, boot-time probing |
stap-server | compilation server |
stapex | a few very basic script examples |
books | |
Beginner's Guide | tutorial book, language essentials, examples |
Tutorial | shorter tutorial, exercises |
Language Reference | detailed language manual, covers statistics/analysis |
Tapset Reference | the tapset man pages, reformatted into a book |
references | |
example scripts |
over a hundred directly usable sysadmin tools, toys, hacks to learn from
|
In some cases, the default value of an option depends on particular system configuration and thus can't be mentioned here directly. In some of those cases running "stap --help" might display the default.
-B CONFIG_DEBUG_INFO=y
to add debugging information.
-B -g
to add debugging information.
-B CROSS_COMPILE=arch-tool-prefix- and -r /build/tree
options.
probe FOO { if (pid() != target()) next; .... }
% stap -e 'probe syscall.* { }' [...] % stap -l 'syscall.*' syscall.accept [...] syscall.writev
% stap -L 'process("/lib64/libpython*.so.*").mark("*")' process("/usr/lib64/libpython2.7.so.1.0").mark("function__entry") $arg1:long $arg2:long $arg3:long process("/usr/lib64/libpython2.7.so.1.0").mark("function__return") $arg1:long $arg2:long $arg3:long process("/usr/lib64/libpython3.6m.so.1.0").mark("function__entry") $arg1:long $arg2:long $arg3:long process("/usr/lib64/libpython3.6m.so.1.0").mark("function__return") $arg1:long $arg2:long $arg3:long process("/usr/lib64/libpython3.6m.so.1.0").mark("gc__done") $arg1:long process("/usr/lib64/libpython3.6m.so.1.0").mark("gc__start") $arg1:long process("/usr/lib64/libpython3.6m.so.1.0").mark("line") $arg1:long $arg2:long $arg3:long
try { ... } catch { next }
block, which causes any runtime errors to be quietly suppressed. Suppressed errors do not count against MAXERRORS limits. In this mode, the MAXSKIPPED limits are also suppressed, so that many errors and skipped probes may be accumulated during a script's runtime. Any overall counts will still be reported at shutdown.
Colors can be modified using the SYSTEMTAP_COLORS environment variable. The format must be of the form key1=val1:key2=val2:key3=val3 ...etc. Valid keys are "error", "warning", "source", "caret", and "token". Values constitute Select Graphic Rendition (SGR) parameter(s). Consult the documentation of your terminal for the SGRs it supports. As an example, the default colors would be expressed as error=01;31:warning=00;33:source=00;34:caret=01:token=01. If SYSTEMTAP_COLORS is absent, the default colors will be used. If it is empty or invalid, coloring is turned off.
If --privilege has not been specified, -pN has not been specified with N < 5, and the invoking user is not root, and is not a member of the group stapdev, then stap will automatically add the appropriate --privilege option to the options already specified.
IP addresses may be IPv4 or IPv6 addresses.
If a particular IPv6 address is link local and exists on more than one interface, the intended interface may be specified by appending the address with a percent sign (%) followed by the intended interface name. For example, "fe80::5eff:35ff:fe07:55ca%eth0".
In order to specify a port number with an IPv6 address, it is necessary to enclose the IPv6 address in square brackets ([]) in order to separate the port number from the rest of the address. For example, "[fe80::5eff:35ff:fe07:55ca]:5000" or "[fe80::5eff:35ff:fe07:55ca%eth0]:5000".
If --use-server has not been specified, -pN has not been specified with N < 5, and the invoking user not root, is not a member of the group stapdev, but is a member of the group stapusr, then stap will automatically add --use-server to the options already specified.
Note that --list-servers uses the avahi-daemon service to detect online servers. If this service is not available, then --list-servers will fail to detect any online servers. In order for --list-servers to detect servers listening on IPv6 addresses, the avahi-daemon configuration file /etc/avahi/avahi-daemon.conf must contain an active "use-ipv6=yes" line. The service must be restarted after adding this line in order for IPv6 to be enabled.
--remote libvirt://MyDomain/qemu:///system
See the page at <http://libvirt.org/uri.html> for supported URIs. Also see stapvirt(1) for more information on how to prepare the domain for stap probing.
Any additional arguments on the command line are passed to the script parser for substitution. See below.
The systemtap script language resembles awk and C. There are two main outermost constructs: probes and functions. Within these, statements and expressions use C-like operator syntax and precedence.
In addition, script arguments given at the end of the command line may be inserted. Use $1 ... $<NN> for insertion unquoted, @1 ... @<NN> for insertion as a string literal. The number of arguments may be accessed through $# (as an unquoted number) or through @# (as a quoted number). These may be used at any place a token may begin, including within the preprocessing stage. Reference to an argument number beyond what was actually given is an error.
%( CONDITION %? TRUE-TOKENS %) %( CONDITION %? TRUE-TOKENS %: FALSE-TOKENS %)
The CONDITION is either an expression whose format is determined by its first keyword, or a string literals comparison or a numeric literals comparison. It can be also composed of many alternatives and conjunctions of CONDITIONs (meant as in previous sentence) using || and && respectively. However, parentheses are not supported yet, so remembering that conjunction takes precedence over alternative is important.
If the first part is the identifier kernel_vr or kernel_v to refer to the kernel version number, with ("2.6.13-1.322FC3smp") or without ("2.6.13") the release code suffix, then the second part is one of the six standard numeric comparison operators <, <=, ==, !=, >, and >=, and the third part is a string literal that contains an RPM-style version-release value. The condition is deemed satisfied if the version of the target kernel (as optionally overridden by the -r option) compares to the given version string. The comparison is performed by the glibc function strverscmp. As a special case, if the operator is for simple equality (==), or inequality (!=), and the third part contains any wildcard characters (* or ? or [), then the expression is treated as a wildcard (mis)match as evaluated by fnmatch.
If, on the other hand, the first part is the identifier arch to refer to the processor architecture (as named by the kernel build system ARCH/SUBARCH), then the second part is one of the two string comparison operators == or !=, and the third part is a string literal for matching it. This comparison is a wildcard (mis)match.
Similarly, if the first part is an identifier like CONFIG_something to refer to a kernel configuration option, then the second part is == or !=, and the third part is a string literal for matching the value (commonly "y" or "m"). Nonexistent or unset kernel configuration options are represented by the empty string. This comparison is also a wildcard (mis)match.
If the first part is the identifier systemtap_v, the test refers to the systemtap compatibility version, which may be overridden for old scripts with the --compatible flag. The comparison operator is as is for kernel_v and the right operand is a version string. See also the DEPRECATION section below.
If the first part is the identifier systemtap_privilege, the test refers to the privilege level that the systemtap script is compiled with. Here the second part is == or !=, and the third part is a string literal, either "stapusr" or "stapsys" or "stapdev".
If the first part is the identifier guru_mode, the test refers to if the systemtap script is compiled with guru_mode. Here the second part is == or !=, and the third part is a number, either 1 or 0.
If the first part is the identifier runtime, the test refers to the systemtap runtime mode. See ALTERNATE RUNTIMES below for more information on runtimes. The second part is one of the two string comparison operators == or !=, and the third part is a string literal for matching it. This comparison is a wildcard (mis)match.
Otherwise, the CONDITION is expected to be a comparison between two string literals or two numeric literals. In this case, the arguments are the only variables usable.
The TRUE-TOKENS and FALSE-TOKENS are zero or more general parser
tokens (possibly including nested preprocessor conditionals), and are
passed into the input stream if the condition is true or false. For
example, the following code induces a parse error unless the target
kernel version is newer than 2.6.5:
%( kernel_v <= "2.6.5" %? **ERROR** %) # invalid token sequence
The following code might adapt to hypothetical kernel version drift:
probe kernel.function ( %( kernel_v <= "2.6.12" %? "__mm_do_fault" %: %( kernel_vr == "2.6.13*smp" %? "do_page_fault" %: UNSUPPORTED %) %) ) { /* ... */ } %( arch == "ia64" %? probe syscall.vliw = kernel.function("vliw_widget") {} %)
Macros are defined using the following construct:
@define NAME %( BODY %) @define NAME(PARAM_1, PARAM_2, ...) %( BODY %)
Macros, and parameters inside a macro body, are both invoked by
prefixing the macro name with an @ symbol:
@define foo %( x %) @define add(a,b) %( ((@a)+(@b)) %) @foo = @add(2,2)
Macro expansion is currently performed in a separate pass before
conditional compilation. Therefore, both TRUE- and FALSE-tokens in
conditional expressions will be macroexpanded regardless of how the
condition is evaluated. This can sometimes lead to errors:
// The following results in a conflict: %( CONFIG_UPROBE == "y" %? @define foo %( process.syscall %) %: @define foo %( **ERROR** %) %) // The following works properly as expected: @define foo %( %( CONFIG_UPROBE == "y" %? process.syscall %: **ERROR** %) %)
The first example is incorrect because both @defines are evaluated in a pass prior to the conditional being evaluated.
Normally, a macro definition is local to the file it occurs in. Thus, defining a macro in a tapset does not make it available to the user of the tapset. Publically available library macros can be defined by including .stpm files on the tapset search path. These files may only contain @define constructs, which become visible across all tapsets and user scripts. Optionally, within the .stpm files, a public macro definition can be surrounded by a preprocessor conditional as described above.
@const("STP_SKIP_BADVARS")
Scalar variables are implicitly typed as either string or integer.
Associative arrays also have a string or integer value, and a
tuple of strings and/or integers serving as a key. Here are a
few basic expressions.
var1 = 5 var2 = "bar" array1 [pid()] = "name" # single numeric key array2 ["foo",4,i++] += 5 # vector of string/num/num keys if (["hello",5,4] in array2) println ("yes") # membership test
The translator performs type inference on all identifiers, including array indexes and function parameters. Inconsistent type-related use of identifiers signals an error.
Variables may be declared global, so that they are shared amongst all
probes and functions and live as long as the entire systemtap session. There is one
namespace for all global variables, regardless of which script file
they are found within. Concurrent access to global variables is
automatically protected with locks, see the
SAFETY AND SECURITY
section for more details. A global declaration may be written at the
outermost level anywhere, not within a block of code. Global
variables which are written but never read will be displayed
automatically at session shutdown. The translator will
infer for each its value type, and if it is used as an array, its key
types. Optionally, scalar globals may be initialized with a string
or number literal. The following declaration marks variables as global.
global var1, var2, var3=4
Global variables can also be set as module options. One can do this by either using the -G option, or the module must first be compiled using stap -p4. Global variables can then be set on the command line when calling staprun on the module generated by stap -p4. See staprun(8) for more information.
The scope of a global variable may be limited to a tapset or
user script file using private keyword. The global keyword is optional when
defining a private global variable. Following declaration marks var1 and var2
private globals.
private global var1=2 private var2
Arrays are limited in size by the MAXMAPENTRIES variable -- see the
SAFETY AND SECURITY
section for details. Optionally, global arrays may be declared with a
maximum size in brackets, overriding MAXMAPENTRIES for that array only.
Note that this doesn't indicate the type of keys for the array, just the
size.
global tiny_array[10], normal_array, big_array[50000]
Arrays may be configured for wrapping using the '%' suffix. This
causes older elements to be overwritten if more elements are inserted
than the array can hold. This works for both associative and statistics
typed arrays.
global wrapped_array1%[10], wrapped_array2%
Many types of probe points provide context variables, which are run-time values, safely extracted from the kernel or userspace program being probed. These are prefixed with the $ character. The CONTEXT VARIABLES section in stapprobes(3stap) lists what is available for each type of probe point. These context variables become normal string or numeric scalars once they are stored in normal script variables. See the TYPECASTING section below on how to to turn them back into typed pointers for further processing as context variables. There is some automation to help!
exp =~ regex exp !~ regex
(The first operand must be an expression evaluating to a string; the second operand must be a string literal containing a syntactically valid regular expression.)
The regular expression syntax supports POSIX Extended Regular Expression features as documented in grep(1) except for subexpression reuse ("\1") functionality.
After a successful match, the contents of the matched
string and subexpressions can be extracted using the
matched() and ngroups() tapset functions as follows:
if ("an example string" =~ "str(ing)") { matched(0) // -> returns "string", the matched substring matched(1) // -> returns "ing", the 1st matched subexpression ngroups() // -> returns 2, the number of matched groups }
probe PROBEPOINT [, PROBEPOINT] { [STMT ...] } probe PROBEPOINT [, PROBEPOINT] if (CONDITION) { [STMT ...] }
Events are specified in a special syntax called "probe points". There are several varieties of probe points defined by the translator, and tapset scripts may define further ones using aliases. Probe points may be wildcarded, grouped, or listed in preference sequences, or declared optional. More details on probe point syntax and semantics are listed on the stapprobes(3stap) manual page.
The probe handler is interpreted relative to the context of each event. For events associated with kernel code, this context may include variables defined in the source code at that spot. These "context variables" are presented to the script as variables whose names are prefixed with "$". They may be accessed only if the kernel's compiler preserved them despite optimization. This is the same constraint that a debugger user faces when working with optimized code. In addition, the objects must exist in paged-in memory at the moment of the systemtap probe handler's execution, because systemtap must not cause (suppresses) any additional paging. Some probe types have very little context. See the stapprobes(3stap) man pages to see the kinds of context variables available at each kind of probe point. As of systemtap version 4.3, functions called from the handlers of some probe point types may also refer to context variables. These are treated as if a clone of that function was inlined into the calling probe handler and $variables evaluated in its context.
Probes may be decorated with an
arming condition,
consisting of a simple boolean expression on read-only global script
variables. While disarmed (inactive, condition evaluates to false), some probe
types reduce or eliminate their run-time overheads. When an arming
condition evaluates to true, probes will be
soon
re-armed, and their probe handlers will start getting called as the
events fire. (Some events may be lost during the arming interval. If
this is unacceptable, do not use arming conditions for those probes.)
Example of the syntax:
probe timer.us(TIMER) if (enabled) { }
New probe points may be defined using "aliases". Probe point aliases look similar to probe definitions, but instead of activating a probe at the given point, it just defines a new probe point name as an alias to an existing one. There are two types of alias, i.e. the prologue style and the epilogue style which are identified by "=" and "+=" respectively.
For prologue style alias, the statement block that follows an alias
definition is implicitly added as a prologue to any probe that refers
to the alias. While for the epilogue style alias, the statement block
that follows an alias definition is implicitly added as an epilogue to
any probe that refers to the alias. For example:
probe syscall.read = kernel.function("sys_read") { fildes = $fd if (execname() == "init") next # skip rest of probe }
defines a new probe point
syscall.read,
which expands to
kernel.function(sys_read),
with the given statement as a prologue, which is useful to predefine
some variables for the alias user and/or to skip probe processing
entirely based on some conditions. And
probe syscall.read += kernel.function("sys_read") { if (tracethis) println ($fd) }
defines a new probe point with the given statement as an epilogue, which is useful to take actions based upon variables set or left over by the the alias user. Please note that in each case, the statements in the alias handler block are treated ordinarily, so that variables assigned there constitute mere initialization, not a macro substitution.
Aliases can also be defined to include both a prologue and an epilogue.
probe syscall.read = kernel.function("sys_read") { fildes = $fd if (execname() == "init") next },{ if (tracethis) println ($fd) }
An alias is used just like a built-in probe type.
probe syscall.read { printf("reading fd=%d\n", fildes) if (fildes > 10) tracethis = 1 }
Probes with an alias can make use of the @probewrite predicate. This check is used to detect whether a script variable or target variable has been written to in the probe handler body.
In the following example, @probewrite(var) expands to 1 because var has been
written to in the probe handler body and consequently, the conditional statement
will run.
probe foo = begin { var = 0 }, { if (@probewrite(var)) println(var) } probe foo { var = 1 }
function thisfn (arg1, arg2) { return arg1 + arg2 }
Note the general absence of type declarations, which are instead
inferred by the translator. However, if desired, a function
definition may include explicit type declarations for its return value
and/or its arguments. This is especially helpful for embedded-C
functions. In the following example, the type inference engine need
only infer type type of arg2 (a string).
function thatfn:string (arg1:long, arg2) { return sprint(arg1) . arg2 }
Functions may call others or themselves recursively, up to a fixed nesting limit. This limit is defined by the MAXNESTING macro in the translated C code and is in the neighbourhood of 10.
Functions may be marked private using the private keyword to limit their scope
to the tapset or user script file they are defined in. An example definition of
a private function follows:
private function three:long () { return 3 }
Functions terminating without reaching an explicit return statement will return an implicit 0 or "", determined by type inference.
Functions may be overloaded during both runtime and compile time.
Runtime overloading allows the executed function to be selected while the module is running based on runtime conditions and is achieved using the "next" statement in script functions and STAP_NEXT macro for embedded-C functions. For example,
function f() { if (condition) next; print("first function") } function f() %{ STAP_NEXT; print("second function") %} function f() { print("third function") }
During a functioncall f(), the execution will transfer to the third function if condition evaluates to true and print "third function". Note that the second function is unconditionally nexted.
Parameter overloading allows the function to be executed to be selected at compile time based on the number of arguments provided to the functioncall. For example,
function g() { print("first function") } function g(x) { print("second function") } g() -> "first function" g(1) -> "second function"
Note that runtime overloading does not occur in the above example, as exactly one function will be resolved for the functioncall. The use of a next statement inside a function while no more overloads remain will trigger a runtime exception Runtime overloading will only occur if the functions have the same arity, functions with the same name but different number of parameters are completely unrelated.
Execution order is determined by a priority value which may be specified. If no explicit priority is specified, user script functions are given a higher priority than library functions. User script functions and library functions are assigned a default priority value of 0 and 1 respectively. Functions with the same priority are executed in declaration order. For example,
function f():3 { if (condition) next; print("first function") } function f():1 { if (condition) next; print("second function") } function f():2 { print("third function") }
Since the second function has highest priority, it is executed first. The first function is never executed as there no "next" statements in the third function to transfer execution.
There are a set of function names that are specially treated by the translator. They format values for printing to the standard systemtap output stream in a more convenient way (note that data generated in the kernel module need to get transferred to user-space in order to get printed).
The
sprint*
variants return the formatted string instead of printing it.
The printf formatting directives similar to those of C, except that they are fully type-checked by the translator:
The # flag selects the alternate forms. For octal, this prefixes a 0. For hex, this prefixes 0x or 0X, depending on case. For characters, this escapes non-printing values with either C-like escapes or raw octal. In the case of %#m/%#M, this safely accesses user space memory rather than kernel space memory.
Examples:
a = "alice", b = "bob", p = 0x1234abcd, i = 123, j = -1, id[a] = 1234, id[b] = 4567 print("hello") Prints: hello println(b) Prints: bob\n println(a . " is " . sprint(16)) Prints: alice is 16 foreach (name in id) printdln("|", strlen(name), name, id[name]) Prints: 5|alice|1234\n3|bob|4567 printf("%c is %s; %x or %X or %p; %d or %u\n",97,a,p,p,p,j,j) Prints: a is alice; 1234abcd or 1234ABCD or 0x1234abcd; -1 or 18446744073709551615\n printf("2 bytes of kernel buffer at address %p: %2m", p, p) Prints: 2 byte of kernel buffer at address 0x1234abcd: <binary data> printf("%4b", p) Prints (these values as binary data): 0x1234abcd printf("%#o %#x %#X\n", 1, 2, 3) Prints: 01 0x2 0X3 printf("%#c %#c %#c\n", 0, 9, 42) Prints: \000 \t *
The aggregation operator is
<<<,
and resembles an assignment, or a C++ output-streaming operation.
The left operand specifies a scalar or array-index lvalue, which must
be declared global. The right operand is a numeric expression. The
meaning is intuitive: add the given number to the pile of numbers to
compute statistics of. (The specific list of statistics to gather
is given separately, by the extraction functions.)
foo <<< 1 stats[pid()] <<< memsize
The extraction functions are also special. For each appearance of a distinct extraction function operating on a given identifier, the translator arranges to compute a set of statistics that satisfy it. The statistics system is thereby "on-demand". Each execution of an extraction function causes the aggregation to be computed for that moment across all processors.
Here is the set of extractor functions. The first argument of each is the same style of lvalue used on the left hand side of the accumulate operation. The @count(v), @sum(v), @min(v), @max(v), @avg(v), @variance(v[, b]) extractor functions compute the number/total/minimum/maximum/average/variance of all accumulated values. The resulting values are all simple integers. Arrays containing aggregates may be sorted and iterated. See the foreach construct above.
Variance uses Welford's online algorithm. The calculations are based on integer arithmetic, and so may suffer from low precision and overflow. To improve this, @variance(v[, b]) accepts an optional parameter b, the bit-shift, ranging from 0 (default) to 62, for internal scaling. Only one value of bit-shift may be used with given global variable. A larger bitshift value increases precision, but increases the likelihood of overflow.
$ stap -e \ > 'global x probe oneshot { for(i=1;i<=5;i++) x<<<i println(@variance(x)) }' 12 $ stap -e \ > 'global x probe oneshot { for(i=1;i<=5;i++) x<<<i println(@variance(x,1)) }' 2 $ python3 -c 'import statistics; print(statistics.variance([1, 2, 3, 4, 5]))' 2.5 $
Overflow (from internal multiplication of large numbers) may occur and may cause a negative variance result. Consider normalizing your input data. Adding or subtracting a fixed value from all variance inputs preserves the original variance. Dividing the variance inputs by a fixed value shrinks the original variance by that value squared.
Histograms are also available, but are more complicated because they have a vector rather than scalar value. @hist_linear(v,start,stop,interval) represents a linear histogram from "start" to "stop" (inclusive) by increments of "interval". The interval must be positive. Similarly, @hist_log(v) represents a base-2 logarithmic histogram. Printing a histogram with the print family of functions renders a histogram object as a tabular "ASCII art" bar chart.
probe timer.profile { x[1] <<< pid() x[2] <<< uid() y <<< tid() } global x // an array containing aggregates global y // a scalar probe end { foreach ([i] in x @count+) { printf ("x[%d]: avg %d = sum %d / count %d\n", i, @avg(x[i]), @sum(x[i]), @count(x[i])) println (@hist_log(x[i])) } println ("y:") println (@hist_log(y)) }
The counts of each histogram bucket may be individually accessed via the [index] operator. Each bucket is addressed from 1 through N (for each natural bucket). In addition bucket #0 counts all the samples beneath the start value, and bucket #N+1 counts all the samples above the stop value. Histogram buckets (including the two out-of-range buckets) may also be iterated with foreach.
global x probe oneshot { x <<< -100 x <<< 1 x <<< 2 x <<< 3 x <<< 100 foreach (bucket in @hist_linear(x,1,3,1)) // expecting 1 out-of-range-low bucket // 3 payload buckets // 1 out-of-range-high bucket printf("bucket %d count %d\n", bucket, @hist_linear(x,1,3,1)[bucket]) }
The translator attempts to track DWARF typing associated with script variables assigned from addresses of context $variables, @cast or @var operators. Depending on the complexity of the script code, this association may pass to related variables, so that -> and [] operators may be used on them, just as on the original context variable. For example:
foo = $param->foo; printf("x:%d y:%d\n", foo->x, foo->y) printf("my value is %d\n", ($type == 42 ? $foo : $bar)->value) printf("my parent pid is %d\n", task_parent(task_current())->tgid)
However, if this association heuristic doesn't work for a script,
using the
@cast()
operator tells the translator how to interpret the number as a typed pointer.
@cast(p, "type_name"[, "module"])->member
This will interpret p as a pointer to a struct/union named type_name and dereference the member value. Further ->subfield expressions may be appended to dereference more levels. Note that for direct dereferencing of a pointer {kernel,user}_{char,int,...}($p) should be used. (Refer to stapfuncs(5) for more details.) NOTE: the same dereferencing operator -> is used to refer to both direct containment or pointer indirection. Systemtap automatically determines which. The optional module tells the translator where to look for information about that type. Multiple modules may be specified as a list with : separators. If the module is not specified, it will default either to the probe module for dwarf probes, or to "kernel" for functions and all other probes types.
Previously up to systemtap version 4.2, "kernel" was inferred if unspecified. Use --compatible=4.2 to activate this default.
The translator can create its own module with type information from a header
surrounded by angle brackets, in case normal debuginfo is not available. For
kernel headers, prefix it with "kernel" to use the appropriate build system.
All other headers are built with default GCC parameters into a user module.
Multiple headers may be specified in sequence to resolve a codependency.
@cast(tv, "timeval", "<sys/time.h>")->tv_sec @cast(task, "task_struct", "kernel<linux/sched.h>")->tgid @cast(task, "task_struct", "kernel<linux/sched.h><linux/fs_struct.h>")->fs->umask
Values acquired by @cast may be pretty-printed by the $ and $$ suffix operators, the same way as described in the CONTEXT VARIABLES section of the stapprobes(3stap) manual page.
When in guru mode, the translator will also allow scripts to assign new values to members of typecasted pointers.
Typecasting is also useful in the case of
void*
members whose type may be determinable at runtime.
probe foo { if ($var->type == 1) { value = @cast($var->data, "type1")->bar } else { value = @cast($var->data, "type2")->baz } print(value) }
Another place where embedded code is permitted is as a function body. In this case, the script language body is replaced entirely by a piece of C code enclosed again between %{ and %} markers. This C code may do anything reasonable and safe. There are a number of undocumented but complex safety constraints on atomicity, concurrency, resource consumption, and run time limits, so this is an advanced technique.
The memory locations set aside for input and output values
are made available to it using macros
STAP_ARG_*
and
STAP_RETVALUE.
Errors may be signalled with STAP_ERROR. Output may be written with
STAP_PRINTF. The function may return early with STAP_RETURN.
Here are some examples:
function integer_ops (val) %{ STAP_PRINTF("%d\n", STAP_ARG_val); STAP_RETVALUE = STAP_ARG_val + 1; if (STAP_RETVALUE == 4) STAP_ERROR("wrong guess: %d", (int) STAP_RETVALUE); if (STAP_RETVALUE == 3) STAP_RETURN(0); STAP_RETVALUE ++; %} function string_ops (val) %{ strlcpy (STAP_RETVALUE, STAP_ARG_val, MAXSTRINGLEN); strlcat (STAP_RETVALUE, "one", MAXSTRINGLEN); if (strcmp (STAP_RETVALUE, "three-two-one")) STAP_RETURN("parameter should be three-two-"); %} function no_ops () %{ STAP_RETURN(); /* function inferred with no return value */ %}
The function argument and return value types have to be inferred by the translator from the call sites in order for this to work. The user should examine C code generated for ordinary script-language functions in order to write compatible embedded-C ones.
The last place where embedded code is permitted is as an expression rvalue.
In this case, the C code enclosed between
%{ and %}
markers is interpreted as an ordinary expression value. It is assumed
to be a normal 64-bit signed number, unless the marker
/* string */
is included, in which case it's treated as a string.
function add_one (val) { return val + %{ 1 %} } function add_string_two (val) { return val . %{ /* string */ "two" %} } @define SOME_STAP_MACRO %( %{ SOME_C_MACRO %} %) probe begin { printf("SOME_C_MACRO has value: %d\n", @SOME_STAP_MACRO); }
The embedded-C code may contain markers to assert optimization and safety properties.
Script level global variables may be accessed in embedded-C functions and
blocks. To read or write the global variable
var
, the
/* pragma:read:var */
or
/* pragma:write:var */
marker must be first placed in the embedded-C function or block. This provides
the macros
STAP_GLOBAL_GET_*
and
STAP_GLOBAL_SET_*
macros to allow reading and writing, respectively. For example:
global var global var2[100] function increment() %{ /* pragma:read:var */ /* pragma:write:var */ /* pragma:read:var2 */ /* pragma:write:var2 */ STAP_GLOBAL_SET_var(STAP_GLOBAL_GET_var()+1); //var++ STAP_GLOBAL_SET_var2(1, 1, STAP_GLOBAL_GET_var2(1, 1)+1); //var2[1,1]++ %}
Variables may be read and set in both embedded-C functions and expressions. Strings returned from embedded-C code are decayed to pointers. Variables must also be assigned at script level to allow for type inference. Map assignment does not return the value written, so chaining does not work.
@kderef(SIZE, addr) @uderef(SIZE, addr)
This will interpret addr as a kernel/user address and read SIZE bytes starting at that address. SIZE should be either 1, 2, 4 or 8 bytes.
@kregister(0) @uregister(5)
In pass 2, the translator analyzes the input script to resolve symbols and types. References to variables, functions, and probe aliases that are unresolved internally are satisfied by searching through the parsed tapset script files. If any tapset script file is selected because it defines an unresolved symbol, then the entirety of that file is added to the translator's resolution queue. This process iterates until all symbols are resolved and a subset of tapset script files is selected.
Next, all probe point descriptions are validated against the wide variety supported by the translator. Probe points that refer to code locations ("synchronous probe points") require the appropriate kernel debugging information to be installed. In the associated probe handlers, target-side variables (whose names begin with "$") are found and have their run-time locations decoded.
Next, all probes and functions are analyzed for optimization opportunities, in order to remove variables, expressions, and functions that have no useful value and no side-effect. Embedded-C functions are assumed to have side-effects unless they include the magic string /* pure */. Since this optimization can hide latent code errors such as type mismatches or invalid $context variables, it sometimes may be useful to disable the optimizations with the -u option.
Finally, all variable, function, parameter, array, and index types are inferred from context (literals and operators). Stopping the translator after pass 2 causes it to list all the probes, functions, and variables, along with all inferred types. Any inconsistent or unresolved types cause an error.
In pass 3, the translator writes C code that represents the actions of all selected script files, and creates a Makefile to build that into a kernel object. These files are placed into a temporary directory. Stopping the translator at this point causes it to print the contents of the C file.
In pass 4, the translator invokes the Linux kernel build system to create the actual kernel object file. This involves running make in the temporary directory, and requires a kernel module build system (headers, config and Makefiles) to be installed in the usual spot /lib/modules/VERSION/build. Stopping the translator after pass 4 is the last chance before running the kernel object. This may be useful if you want to archive the file.
In pass 5, the translator invokes the systemtap auxiliary program staprun program for the given kernel object. This program arranges to load the module then communicates with it, copying trace data from the kernel into temporary files, until the user sends an interrupt signal. Any run-time error encountered by the probe handlers, such as running out of memory, division by zero, exceeding nesting or runtime limits, results in a soft error indication. Soft errors in excess of MAXERRORS block of all subsequent probes (except error-handling probes), and terminate the session. Finally, staprun unloads the module, and cleans up.
One should avoid killing the stap process forcibly, for example with SIGKILL, because the stapio process (a child process of the stap process) and the loaded module may be left running on the system. If this happens, send SIGTERM or SIGINT to any remaining stapio processes, then use rmmod to unload the systemtap module.
Systemtap may be used as a powerful administrative tool. It can expose kernel internal data structures and potentially private user information. (In dyninst runtime mode, this is not the case, see the ALTERNATE RUNTIMES section below.)
The translator asserts many safety constraints during compilation and more during run-time. It aims to ensure that no handler routine can run for very long, allocate boundless memory, perform unsafe operations, or in unintentionally interfere with the system. Uses of script global variables are automatically read/write locked as appropriate, to protect against manipulation by concurrent probe handlers. Locks are taken so as to run the global-variable manipulation portion of probe handlers atomically (locks are taken all-or-none). Deadlocks are detected with timeouts. Use the -t flag to receive reports of excessive lock contention. Experimenting with scripts is therefore generally safe. The guru-mode -g option allows administrators to bypass most safety measures, which permits invasive or state-changing operations, embedded-C code, and increases the risk of upset. By default, overload prevention is turned on for all modules. If you would like to disable overload processing, use the --suppress-time-limits option.
Errors that are caught at run time normally result in a clean script shutdown and a pass-5 error message. The --suppress-handler-errors option lets scripts tolerate soft errors without shutting down.
For the normal linux-kernel-module runtime, to run the kernel objects systemtap builds, a user must be one of the following:
The root user or a user who is a member of both the stapdev and stapusr groups can build and run any systemtap script.
A user who is a member of both the stapsys and stapusr groups can only use pre-built modules under the following conditions:
Members of only the stapusr group can only use pre-built modules under the following conditions:
or
The kernel modules generated by stap program are run by the staprun program. The latter is a part of the Systemtap package, dedicated to module loading and unloading (but only in the white zone), and kernel-to-user data transfer. Since staprun does not perform any additional security checks on the kernel objects it is given, it would be unwise for a system administrator to add untrusted users to the stapdev or stapusr groups.
If the current system has SecureBoot turned on in the UEFI firmware,
all kernel modules must be signed. (Some kernels may allow disabling
SecureBoot long after booting with a key sequence such as SysRq-X,
making it unnecessary to sign modules.) There are two ways to sign a
systemtap module. The systemtap compile server
can sign modules with a MOK (Machine Owner Key) that it has in common
with a client system. For example:
stap --use-server=HOSTNAME:PORT -e 'SCRIPT' # If there is no mok key in common with the server's systemtap mok key # list and the client's mok database then the user is directed by stap # to invoke: sudo mokutil --import signing_key.x509 # then after rebooting the system: stap --use-server=HOSTNAME:PORT -e 'SCRIPT' # will use the server to build and sign the module and the module will run # on the client
Another way to sign modules is to use the stap
FI--sign-moduleFR option, which uses a MOK on the client system
without using a server.
For example:
stap --sign-module -e 'SCRIPT' # If there is no systemtap mok key in the system mok database # then the user is directed by stap to invoke: sudo mokutil --import /home/USER/.systemtap/ssl/server/moks/FINGERPRINT/signing_key.x509 # then after rebooting the system: stap --sign-module -e 'SCRIPT' # will sign and run the module
See the following wiki page for more details:
Some kernels do not let systemtap guess whether module module signing is in effect. On such machines, set the SYSTEMTAP_SIGN environment variable to any value while running stap.
global big[10000],little[5]
or denoted with
%
to make them wrap-around (replace old entries) automatically, as in
global big%
or both.
With scripts that contain probes on any interrupt path, it is possible that those interrupts may occur in the middle of another probe handler. The probe in the interrupt handler would be skipped in this case to avoid reentrance. To work around this issue, execute stap with the option -DINTERRUPTIBLE=0 to mask interrupts throughout the probe handler. This does add some extra overhead to the probes, but it may prevent reentrance for common problem cases. However, probes in NMI handlers and in the callpath of the stap runtime may still be skipped due to reentrance.
In case something goes wrong with stap or staprun after a probe has already started running, one may safely kill both user processes, and remove the active probe kernel module with rmmod. Any pending trace messages may be lost.
Systemtap exposes kernel internal data structures and potentially private user information. Because of this, use of systemtap's full capabilities are restricted to root and to users who are members of the groups stapdev and stapusr.
However, a restricted set of systemtap's features can be made available to trusted, unprivileged users. These users are members of the group stapusr only, or members of the groups stapusr and stapsys. These users can load systemtap modules which have been compiled and certified by a trusted systemtap compile-server. See the descriptions of the options --privilege and --use-server. See README.unprivileged in the systemtap source code for information about setting up a trusted compile server.
The restrictions enforced when --privilege=stapsys is specified are designed to prevent unprivileged users from:
The restrictions enforced when --privilege=stapusr is specified are designed to prevent unprivileged users from:
A member of only the group stapusr may use only the following probes:
Additional restrictions are placed on members of only the group stapusr:
-a, -B, -D, -I, -r, -R
SYSTEMTAP_RUNTIME SYSTEMTAP_TAPSET SYSTEMTAP_DEBUGINFO_PATH
There are two categories of unprivileged tapset functions. The first
category consists of utility functions that are unconditionally
available to all users; these include such things as:
cpu:long () exit () str_replace:string (prnt_str:string, srch_str:string, rplc_str:string)
The second category consists of so-called
myproc-unprivileged
functions that can only gather information within their own
processes. Scripts that wish to use these functions must test the
result of the tapset function is_myproc and only call these
functions if the result is 1. The script will exit immediately if any
of these functions are called by an unprivileged user within a probe
within a process which is not owned by that user. Examples of
myproc-unprivileged
functions include:
print_usyms (stk:string) user_int:long (addr:long) usymname:string (addr:long)
A compile error is triggered when any function not in either of the above categories is used by members of only the group stapusr.
No other built-in tapset functions may be used by members of only the group stapusr.
As described above, systemtap's default runtime mode involves building and loading kernel modules, with various security tradeoffs presented. Systemtap now includes two new prototype backends: --runtime=dyninst and --runtime=bpf.
--runtime=dyninst uses Dyninst to instrument a user's own processes
at runtime. This backend does not use kernel modules, and does not require
root privileges, but is restricted with respect to the kinds of probes and
other constructs that a script may use. dyninst runtime operates in
target-attach mode, so it does require a -c COMMAND or -x PID
process. For example:
stap --runtime=dyninst -c 'stap -V' \ -e 'probe process.function("main") { println("hi from dyninst!") }'
It may be necessary to disable a conflicting selinux check with
# setsebool allow_execstack 1
--runtime=bpf compiles the user script into extended Berkeley Packet Filter (eBPF) programs instead of a kernel module. eBPF programs are verified by the kernel for safety and are executed by an in-kernel virtual machine. This runtime is in an early stage of development and currently lacks support for a number of features available in the default runtime. Please see the stapbpf(8) man page for more information.
The systemtap translator generally returns with a success code of 0 if the requested script was processed and executed successfully through the requested pass. Otherwise, errors may be printed to stderr and a failure code is returned. Use -v or -vp N to increase (global or per-pass) verbosity to identify the source of the trouble.
In listings mode (-l and -L), error messages are normally suppressed. A success code of 0 is returned if at least one matching probe was found.
A script executing in pass 5 that is interrupted with ^C / SIGINT is considered to be successful.
Over time, some features of the script language and the tapset library may undergo incompatible changes, so that a script written against an old version of systemtap may no longer run. In these cases, it may help to run systemtap with the --compatible VERSION flag, specifying the last known working version. Running systemtap with the --check-version flag will output a warning if any possible incompatible elements have been parsed. Deprecation historical details may be found in the NEWS file.
The purpose of deprecation facility is to improve the experience of scripts written for newer versions of systemtap (by adding better alternatives and removing conflicting or messy older alternatives), while at the same time permitting scripts written for older versions of systemtap to continue running. Deprecation is thus intended a service to users (and an inconvenience to systemtap's developers), rather than the other way around.
Please note that underscore-prefixed identifiers in the tapset sometimes undergo such changes that are difficult to preserve compatibility for, even with the deprecation mechanisms. Avoid relying on these in your scripts; instead propose them for promotion to non-underscored status.
stapprobes(3stap), function::*(3stap), probe::*(3stap), tapset::*(3stap), stappaths(7), staprun(8), stapdyn(8), systemtap(8), stapvars(3stap), stapex(3stap), stap-server(8), stap-prep(1), stapref(1), awk(1), gdb(1)
error::reporting(7stap), https://sourceware.org/systemtap/wiki/HowToReportBugs