dtracy – dynamic tracing language

dtracy [ –d ] prog

Dtracy is a language for dynamic tracing of the kernel. Essentially, it allows the user to define small programs in kernel space that are triggered by certain events (known as probes) upon which they are executed.

Dtracy uses an awk(1) inspired syntax. A dtracy program is a series of statements of one of the following forms
probes { actions }
probes if predicate { actions }

Probes is a comma–separated list of probes, such as sys:pwrite:entry. Each probe name consists of any number of parts separated by :. If a part is omitted (e.g. qsys::entry), it matches all probes that match the remaining parts. If the probe name is enclosed in quotation marks, the wildcards * and ? are available, e.g. "sys:*stat:entry".

Predicate, if specified, is an expression that must evaluate to a non–zero value for the actions to be executed.

Actions is a semicolon–separated list of statements of one of the following forms:
print a, b, ...
printf "fmt", a, b, ...
@name[index] = aggregation–expr

Expressions follow C syntax and semantics and all C operators (including casts) are supported. Available integer types are u8, u16, u32, u64, s8, s16, s32 and s64; they correspond to the C types u8int, etc. Additionally, a string type string is available.

Expressions can use the following variables
probe         name of the probe that was triggered
pid          PID of the process triggering the probe
arg0, arg1, ...   for a syscall probe, the syscall arguments (cast to s64)
time         timestamp when the probe was triggered
machno        CPU number on which the probe was triggered

Print prints all its arguments, separated by spaces and followed by a newline. Printf prints its arguments using a format string with print(2) syntax. However, there is no need to specify the argument size, e.g. %d works for all integer types.

Statements of the form @name[index] = aggregation–expr collect statistics using a data structure referred to as an aggregation. Each time the statement is evaluated adds another datapoint to the aggregation, which will be printed in tabular form when dtracy finishes. Index is effectively a label for the datapoint; statistics are evaluated over all datapoints of the same index.

Aggregation–expr specifies the type of statistic to be collected. Available options are
count()    number of datapoints
avg(expr)   average
sum(expr)   sum
min(expr)   minimum
max(expr)   maximum
std(expr)   average and standard deviation

sys:: { print probe, pid, arg0, arg1 }

The world's worst syscall tracer.
sys:pread:entry if pid == 42 { printf "time %d, fd %d\n", time, arg0 }

Every time the process with PID 42 executes pread(2), write down the timestamp and the file descriptor used.
sys:open:entry { print (string)arg0 }

Print the names of files as they are being opened.
sys:pread:entry { @size[pid] = avg(arg2) }

Determine the average pread buffer size for each process.



Dtracy appeared in 9front in November, 2018.