dtrace 语法

Usage: dtrace [-aACeFHlqSvVwZ] [-arch i386|x86_64] [-b bufsz] [-c cmd] [-D name[=def]]

[-I path] [-L path] [-o output] [-p pid] [-s script] [-U name]

[-x opt[=val]]

[-P provider [[ predicate ] action ]]

[-m [ provider: ] module [[ predicate ] action ]]

[-f [[ provider: ] module: ] func [[ predicate ] action ]]

[-n [[[ provider: ] module: ] func: ] name [[ predicate ] action ]]

[-i probe-id [[ predicate ] action ]] [ args ... ]

predicate -> '/' D-expression '/'

action -> '{' D-statements '}'

-arch Generate programs and Mach-O files for the specified architecture

-a claim anonymous tracing state

-A generate plist(5) entries for anonymous tracing

-b set trace buffer size

-c run specified command and exit upon its completion

-C run cpp(1) preprocessor on script files

-D define symbol when invoking preprocessor

-e exit after compiling request but prior to enabling probes

-f enable or list probes matching the specified function name

-F coalesce trace output by function

-h generate a header file with definitions for static probes

-H print included files when invoking preprocessor

-i enable or list probes matching the specified probe id

-I add include directory to preprocessor search path

-l list probes matching specified criteria

-L add library directory to library search path

-m enable or list probes matching the specified module name

-n enable or list probes matching the specified probe name

-o set output file

-p grab specified process-ID and cache its symbol tables

-P enable or list probes matching the specified provider name

-q set quiet mode (only output explicitly traced data)

-s enable or list probes according to the specified D script

-S print D compiler intermediate code

-U undefine symbol when invoking preprocessor

-v set verbose mode (report stability attributes, arguments)

-V report DTrace API version

-w permit destructive actions

-x enable or modify compiler and tracing options

-Z permit probe descriptions that match zero probes

probe names are specified using the following:

provider:module:function:name

The provider and name fields are terms to describe the probe, whereas the mod- ule and function fields explain the probe’s software location

provider: Providers are libraries of probes that instrument a specific area of the system (for example, sched) or a mode of tracing (for example, fbt). New providers are written over time and added to newer releases (for example, ip, tcp, perl, python, mysql, and so on).

module: This is the kernel module where the probe is located. For user-land probes, it reflects the shared object library that contains the probe.

function: This is the software function that contains this probe.

name: This is a meaningful name to describe the probe. For example, names such as entry and return are probes that fire at the entry and return of the corresponding function.

例子 dtrace -n 'syscall::read:entry /execname != "dtrace"/ { @reads[execname, fds[arg0].fi_pathname] = count(); }'

//之间的是filter，过滤不需要的

sudo dtrace -l -P ruby86604

ID PROVIDER MODULE FUNCTION NAME

35731 ruby86604 Ruby rb_call0 function-entry

35732 ruby86604 Ruby rb_call0 function-return

35733 ruby86604 Ruby garbage_collect gc-begin

35734 ruby86604 Ruby garbage_collect gc-end

35735 ruby86604 Ruby rb_eval line

35736 ruby86604 Ruby rb_obj_alloc object-create-done

35737 ruby86604 Ruby rb_obj_alloc object-create-start

35738 ruby86604 Ruby garbage_collect object-free

35739 ruby86604 Ruby rb_longjmp raise

35740 ruby86604 Ruby rb_eval rescue

35741 ruby86604 Ruby ruby_dtrace_probe ruby-probe

ruby86604中，数字表示的是进程号， provider都是ruby

-P enable or list probes matching the specified provider name

There are essentially three components to a DTrace invocation:

The probes

An optional predicate

An optional probe clause, containing the actions to take when the probe fires

dtrace -n 'probe /predicate/ { actions }'

Aggregation variables are prefixed with @ and are populated using aggregating functions

https://bugs.ruby-lang.org/projects/ruby/wiki/DTraceProbes 这个页面的内容可以通过

1、 rvm use 2.0.0 ; irb

2、 sudo dtrace -l | grep ruby | grep pid（ irb的进程号）

d语言提供的内建变量

actions

trace() takes a single argument and prints it:

printf()

tracemem()

copyin()

stringof()

copyinstr()

strlen() and strjoin()

stack(), ustack(), and jstack()

sizeof()

exit()

Speculations

内建的 macro

Variable

Name Type Description

$target pid_t Process ID specified using -p PID or -c command

$1..$N Integer or string Command-line arguments to dtrace(1M)

$$1..$$N String (forced) Command-line arguments to dtrace(1M)

外部变量

External
variables are defined by the operating system (external to DTrace) and
accessed by prefixing the kernel variable name with a backquote. The
kernel inte- ger variable k could be printed using this:

printf("k: %d\n", `k);

Aggregations

Aggregations are a special variable type used to summarize data. They are pre- fixed with an at (@) sign and are populated by aggregating functions. The action

@a = count();

DTrace operates in the kernel address space. To access data from the user-land address space associated with a process, copyin() can be used.

trace()

The trace() action takes a single argument and prints it:

sudo dtrace -n 'syscall::fork*: { trace(pid); }'

sudo dtrace -n 'syscall::exec*: { trace(execname); }'

sudo dtrace -n python\*:::function-entry

sudo dtrace -n syscall::*read*:entry

sudo dtrace -n 'syscall::read:entry, sys call::write:entry' /fds[arg0].fi_fs == "sockfs"/ { @[execname, pid] = count();}'

sudo dtrace -n 'ruby57003::rb_str_resurrect:string-create { printf("%s", probefunc); trace(arg4); }'

sudo dtrace -ln 'ruby$target::str_new:string-create {}' -p 81737

DTrace runs in kernel-land.

You can examine user-land (process) memory using copyinstr() (and copyin()).

If you forget this, you’ll see “invalid address” (if you’re lucky).

copyin” is a term from kernel code to refer to copying in data from user-land to the kernel)

DTrace allows you to access command-line arguments within the script. $1 is the first argument after all of arguments that dtrace will consume, $2 is the next one, and so on. Hard-coding a pid is unpleasant to do, so you will typically use $1 to pass a particular process ID on the command-line.

sudo dtrace -q -s malloc-pid.d 1313

例子：

pid provider

sudo dtrace -n 'pid52043::malloc:entry { printf ("Safari asking for %d bytes", arg0); } ‘

sudo dtrace -l -n 'pid$1::malloc:entry' 8880

which applications are making the most system calls?

sudo dtrace -n ’syscall:::entry{@num[execname] = count();}’

which system calls is the Ruby making?

sudo dtrace -n ’syscall:::entry /execname==“ruby”{@num[probefunc] = count();}/‘

what functions is the ruby calling?

dtrace -n ‘pid*:::entry /execname == “ruby”/ {@num[probefunc] = count();}’

How much memory is Ruby allocating?

dtrace -n ‘pid*::malloc*:entry /execname == “ruby”/ {@num[probefunc] = sum(arg0);'

变量范围：

self thread-local

this clause-local

cases :

sudo dtrace -x ustackframes=100 -n 'profile-997 /execname == "mysqld"/ { @[ustack()] = count(); }tick-60s {exit(0);} ‘

sudo dtrace -n 'ruby*:::method-entry
/pid == 96725 && copyinstr(arg1) == "save" /{printf("%s in %s
at %d",copyinstr(arg1), copyinstr(arg2),arg3 )}'

sudo dtrace -n 'ruby*:::method-entry /pid == 96725 /{@count[copyinstr(arg1)] = count() }’ #分析一次操作中，方法被调用了多少次

sudo dtrace -n 'ruby*:::method-entry /pid == 6438/ {@ss[copyinstr(arg0), copyinstr(arg1)] = count();}'

sudo dtrace -n 'ruby*:::method-entry
/copyinstr(arg1) == "empty?" / { printf("%s in %s at
%d",copyinstr(arg1), copyinstr(arg2),arg3 ) }' -c 'rake
assets:precompile RAILS_ENV=development'

匹配方法的名称（与上例相同）
sudo dtrace -n 'ruby51374:::method-entry /pid==51374 &&
copyinstr(arg1) == "initialize"/ {printf("%s, %s",copyinstr(arg0),
copyinstr(arg1))}’

查看哪些命令是用dtrace写的：

man -k dtrace

当日志很大的时候，通过过滤日志缩小考察范围：

sudo dtrace -s "./ruby_flow_info.d" -p 63369 > ~/Desktop/xxx.log

巴特西

dtrace 语法

最新文章

热门文章