probe kernel.function("*@net/socket.c").return { }
You can run this script as is, though with empty handlers there will be no output. Put the two lines into a
new file. Run stap -v FILE. Terminate it any time with ^C. (The -v option tells systemtap to print more
verbose messages during its processing. Try the -h option to see more options.)
2.2 What to print
Since you are interested in each function that was entered and exited, a line should be printed for each,
containing the function name. In order to make that list easy to read, systemtap should indent the lines so
that functions called by other traced functions are nested deeper. To tell each single process apart from any
others that may be running concurrently, systemtap should also print the process ID in the line.
Systemtap provides a variety of such contextual data, ready for formatting. They usually appear as function
calls within the handler, like you already saw in Figure 1. See the stapfuncs man page for those functions
and more defined in the tapset library, but here’s a sampling:
tid() The id of the current thread.
pid() The process (task group) id of the current thread.
uid() The id of the current user.
execname() The name of the current process.
cpu() The current cpu number.
gettimeofday_s() Number of seconds since epoch.
get_cycles() Snapshot of hardware cycle counter.
pp() A string describing the probe point being currently handled.
probefunc() If known, the name of the function in which this probe was placed.
The values returned may be strings or numbers. The print() built-in function accepts either as its sole
argument. Or, you can use the C-style printf() built-in, whose formatting argument may include %s for a
string, %d for a number. printf and other functions take comma-separated arguments. Don’t forget a "\n"
at the end.
A particularly handy function in the tapset library is thread_indent. Given an indentation delta parameter, it
stores internally an indentation counter for each thread (tid()), and returns a string with some generic trace
data plus an appropriate number of indentation spaces. That generic data includes a timestamp (number
of microseconds since the initial indentation for the thread), a process name and the thread id itself. It
therefore gives an idea not only about what functions were called, but who called them, and how long they
took. Figure 3 shows the finished script. It lacks a call to the exit() function, so you need to interrupt it
with ^C when you want the tracing to stop.
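The following script is an added example, not part of the original tutorial and not a copy of Figure 3. It formats the contextual functions listed above with printf() instead of thread_indent, and it stops on its own by calling exit() from a timer probe. The output layout, the .call suffix on the entry probe and the 10-second limit are choices made for this example.

```systemtap
# Added example: attribute every socket-layer call to the process, thread,
# user and CPU that made it, using the contextual functions listed above.

# Entry probe: one line per function entered in net/socket.c.
# %d formats the numeric values, %s the strings; "\n" ends the line.
probe kernel.function("*@net/socket.c").call {
  printf("%d %s pid=%d tid=%d uid=%d cpu=%d -> %s\n",
         gettimeofday_s(), execname(), pid(), tid(), uid(), cpu(),
         probefunc())
}

# Return probe: pp() prints the full probe point string, which shows
# exactly which probe fired for this function exit.
probe kernel.function("*@net/socket.c").return {
  printf("%d %s pid=%d tid=%d <- %s\n",
         gettimeofday_s(), execname(), pid(), tid(), pp())
}

# Assumption for this example: end the trace after 10 seconds by calling
# exit(), so no ^C is needed.
probe timer.s(10) {
  exit()
}
```

Save it to a file and run it with stap -v FILE as before. The uid= field makes it easy to see which account owns the process that triggered each socket call.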
2.3 Exercises
1. Use the -p2 option to systemtap to list all the kernel functions named with the word “nit” in them. The
probe handlers might as well be empty.
2. Trace some system calls (use syscall.NAME and .return probe points), with the same thread_indent
probe handler as in Figure 3. Interpret the results.