1trace(8) System Manager's Manual trace(8)
2
6 trace - Trace a function and print its arguments or return value,
7 optionally evaluating a filter. Uses Linux eBPF/bcc.
8
10 trace [-h] [-b BUFFER_PAGES] [-p PID] [-L TID] [-v] [-Z STRING_SIZE]
11 [-S]
12 [-M MAX_EVENTS] [-t] [-T] [-C] [-K] [-U] [-a] [-I header]
13 probe [probe ...]
14
16 trace probes functions you specify and displays trace messages if a
17 particular condition is met. You can control the message format to dis‐
18 play function arguments and return values.
19 Since this uses BPF, only the root user can use this tool.
21
23 CONFIG_BPF and bcc.
24
26 -h Print usage message.
27 -p PID Trace only functions in the process PID.
29 -L TID Trace only functions in the thread TID.
31 -v Display the generated BPF program, for debugging purposes.
33 -z STRING_SIZE
35 When collecting string arguments (of type char*), collect up to
36 STRING_SIZE characters. Longer strings will be truncated.
37 -S If set, trace messages from trace's own process. By default,
39 this is off to avoid tracing storms -- for example, if you trace
40 the write system call, and consider that trace is writing to the
41 standard output.
42 -M MAX_EVENTS
44 Print up to MAX_EVENTS trace messages and then exit.
45 -t Print times relative to the beginning of the trace (offsets), in
47 seconds.
48 -T Print the time column.
50 -C Print CPU id.
52 -K Print the kernel stack for each event.
54 -U Print the user stack for each event. -a Print virtual address
56 in kernel and user stacks.
57 -I header
59 Additional header files to include in the BPF program. This is
60 needed if your filter or print expressions use types or data
61 structures that are not available in the standard headers. For
62 example: 'linux/mm.h'
63 probe [probe ...]
65 One or more probes that attach to functions, filter conditions,
66 and print information. See PROBE SYNTAX below.
67
69 The general probe syntax is as follows:
70 [{p,r}]:[library]:function[(signature)] [(predicate)] ["format
72 string"[, arguments]]
73 {t:category:event,u:library:probe} [(predicate)] ["format string"[,
75 arguments]]
76 {[{p,r}],t,u}
78 Probe type - "p" for function entry, "r" for function return,
79 "t" for kernel tracepoint, "u" for USDT probe. The default probe
80 type is "p".
81 [library]
83 Library containing the probe. Specify the full path to the .so
84 or executable file where the function to probe resides. Alterna‐
85 tively, you can specify just the lib name: for example, "c"
86 refers to libc. If no library name is specified, the kernel is
87 assumed. Also, you can specify an executable name (without a
88 full path) if it is in the PATH. For example, "bash".
89 category
91 The tracepoint category. For example, "sched" or "irq".
92 function
94 The function to probe.
95 signature
97 The optional signature of the function to probe. This can make
98 it easier to access the function's arguments, instead of using
99 the "arg1", "arg2" etc. argument specifiers. For example,
100 "(struct timespec *ts)" in the signature position lets you use
101 "ts" in the filter or print expressions.
102 event The tracepoint event. For example, "block_rq_complete".
104 probe The USDT probe name. For example, "pthread_create".
106 [(predicate)]
108 The filter applied to the captured data. Only if the filter
109 evaluates as true, the trace message will be printed. The filter
110 can use any valid C expression that refers to the argument val‐
111 ues: arg1, arg2, etc., or to the return value retval in a return
112 probe. If necessary, use C cast operators to coerce the argu‐
113 ments to the desired type. For example, if arg1 is of type int,
114 use the expression ((int)arg1 < 0) to trace only invocations
115 where arg1 is negative. Note that only arg1-arg6 are supported,
116 and only if the function is using the standard x86_64 convention
117 where the first six arguments are in the RDI, RSI, RDX, RCX, R8,
118 R9 registers. If no predicate is specified, all function invoca‐
119 tions are traced.
120 The predicate expression may also use the STRCMP pseudo-function
122 to compare a predefined string to a string argument. For exam‐
123 ple: STRCMP("test", arg1). The order of arguments is important:
124 the first argument MUST be a quoted literal string, and the sec‐
125 ond argument can be a runtime string, most typically an argu‐
126 ment.
127 ["format string"[, arguments]]
129 A printf-style format string that will be used for the trace
130 message. You can use the following format specifiers: %s, %d,
131 %u, %lld, %llu, %hd, %hu, %c, %x, %llx -- with the same seman‐
132 tics as printf's. Make sure to pass the exact number of argu‐
133 ments as there are placeholders in the format string. The format
134 specifier replacements may be any C expressions, and may refer
135 to the same special keywords as in the predicate (arg1, arg2,
136 etc.).
137 In addition to the above format specifiers, you can also use %K
139 and %U when the expression is an address that potentially points
140 to executable code (i.e., a symbol). trace will resolve %K spec‐
141 ifiers to a kernel symbol, such as vfs__read, and will resolve
142 %U specifiers to a user-space symbol in that process, such as
143 sprintf.
144 In tracepoints, both the predicate and the arguments may refer
146 to the tracepoint format structure, which is stored in the spe‐
147 cial "args" variable. For example, the block:block_rq_complete
148 tracepoint can print or filter by args->nr_sector. To discover
149 the format of your tracepoint, use the tplist tool.
150 In USDT probes, the arg1, ..., argN variables refer to the
152 probe's arguments. To determine which arguments your probe has,
153 use the tplist tool.
154 The predicate expression and the format specifier replacements
156 for printing may also use the following special keywords: $pid,
157 $tgid to refer to the current process' pid and tgid; $uid, $gid
158 to refer to the current user's uid and gid; $cpu to refer to the
159 current processor number.
160
162 Trace all invocations of the open system call with the name of the file
163 being opened:
164 # trace '::do_sys_open "%s", arg2'
165 Trace all invocations of the read system call where the number of bytes
167 requested is greater than 20,000:
168 # trace '::sys_read (arg3 > 20000) "read %d bytes", arg3'
169 Trace all malloc calls and print the size of the requested allocation:
171 # trace ':c:malloc "size = %d", arg1'
172 Trace returns from the readline function in bash and print the return
174 value as a string:
175 # trace 'r:bash:readline "%s", retval'
176 Trace the block:block_rq_complete tracepoint and print the number of
178 sectors completed:
179 # trace 't:block:block_rq_complete "%d sectors", args->nr_sec‐
180 tor'
181 Trace the pthread_create USDT probe from the pthread library and print
183 the address of the thread's start function:
184 # trace 'u:pthread:pthread_create "start addr = %llx", arg3'
185 Trace the nanosleep system call and print the sleep duration in
187 nanoseconds:
188 # trace 'p::SyS_nanosleep(struct timespec *ts) sleep for %lld ns
189 , ts->tv_nsec'
190
192 This is from bcc.
193 https://github.com/iovisor/bcc
195 Also look in the bcc distribution for a companion _examples.txt file
197 containing example usage, output, and commentary for this tool.
198
200 Linux
201
203 Unstable - in development.
204
206 Sasha Goldshtein
207USER COMMANDS 2016-02-18 trace(8)