DTrace Introduction
DTrace is Solaris 10's new Dynamic Tracing facility. It allows us to peer into the innards of running processes and customize our view to exclude extraneous information and close in on the source of a problem.
DTrace also has capabilities that allow us to examine a crash dump or trace the boot process.
A number of freely available scripts have been made available as the DTrace Toolkit. The toolkit provides both programming examples and also extremely useful tools for different types of system monitoring.
The DTrace facility provides data to a number of consumers, including commands such as
dtrace
and lockstat
, as well as programs calling libraries that access DTrace through the dtrace
kernel driver. Probes
DTrace is built on a foundation of objects called probes. Probes are event handlers that fire when their particular event occurs. DTrace can bind a particular action to the probe to make use of the information.
Probes report on a variety of information about their event. For example, a probe for a kernel function may report on arguments, global variables, timestamps, stack traces, currently running processes or the thread that called the function.
Kernel modules that enable probes are packaged into sets known as providers. In a DTrace context, a module is a kernel module (for kernel probes) or a library name (for applications). A function in DTrace refers to the function associated with a probe, if it belongs to a program location.
Probes may be uniquely addressed by a combination of the provider, module, function and name. These are frequently organized into a 4-tuple when invoked by the
dtrace
command. Alternatively, each probe has a unique integer identifier, which can vary depending on Solaris patch level.
These numbers, as well as the provider, module, function and name, can be listed out through the
dtrace -l
command. The list will vary from system to system, depending on what is installed. Probes can be listed by function, module or name by specifying it with the -f
, -m
or -n
options, respectively. Running a
dtrace
without a -l
, but with a -f
, -m
or -n
option, enables all matching probes. All the probes in a provider can be enabled by using the -P
option. An individual probe can be enabled by using its 4-tuple with the -n
option. (Note: Do not enable more probes than necessary. If too many probes are enabled, it may adversely impact performance. This is particularly true of
sched
probes.) Some probes do not list a module or function. These are called "unanchored" probes. Their 4-tuple just omits the nonexistent information.
Providers
Providers are kernel modules that create related groups of probes. The most commonly referenced providers are:
fbt
: (Function Boundary Tracing) Implements probes at the entry and return points of almost all kernel functions.io
: Implements probes for I/O-related events.pid
: Implements probes for user-level processes at entry, return and instruction.proc
: Implements probes for process creation and life-cycle events.profile
: Implements timer-driven probes.sched
: Implements probes for scheduling-related events.sdt
: (Statistically Defined Tracing) Implements programmer-defined probes at arbitrary locations and names within code. Obviously, the programmer should define names whose meaning is intuitively clear.syscall
: Implements entry and return probes for all system calls.sysinfo
: Probes for updates to the sys kstat.vminfo
: Probes for updates to the vm kstat.
Command Components
The dtrace command has several components:
- A 4-tuple identifier:provider:module :function:name
Leaving any of these blank is equivalent to using a wildcard match. (If left blank, the left-most members of the 4-tuple are optional.) - A predicate determines whether the action should be taken. They are enclosed in slashes: /predicate/. The predicate is a C-style relational expression which must evaluate to an integer or pointer. If omitted, the action is executed when the probe fires. Some predicate examples are:
- executable name matches csh:
/execname == "csh"/
- process ID does not match 1234:
/pid != 1234/
arg0
is 1 andarg1
is not 0:/arg0 == 1 && arg1 !=0/
- An action (in the D scripting language) to be taken when the probe fires and the predicate is satisfied. Typically, this is listed in curly brackets: {}
D Scripting Language
In order to deal with operations that can become confusing on a single command line, a D script can be saved to a file and run as desired. A D script will have one or more probe clauses, which consist of one or more probe-descriptions, along with the associated predicates and actions:
#!/usr/sbin/dtrace -s
probe-description[, probe-description...]/
predicate/
{
action; [action; ...]}
The probe-description section consists of one or more 4-tuple identifiers. If the predicate line is not present, it is the same as a predicate that is always true. The action(s) specified are to be run if the probe fires and the predicate is true.
Each recording action dumps data to a trace buffer. By default, this is the principal buffer.
D Variables
D specifies both associative arrays and scalar variables. Storage for these variables is not pre-allocated. It is allocated when a non-zero value is assigned and deallocated when a zero value is assigned.
D defines several built-in variables, which are frequently used in creating predicates and actions. The most commonly used built-in variables for D are the following:
args[]
: Theargs[]
array contains the arguments, specified from 0 to the number of arguments less one. These can also be specified byargn
, where this is then+1
th argument.curpsinfo
:psinfo
structure of current process.curthread
: pointer to the current thread'skthread_t
execname
: Current executable namepid
: Current process IDppid
: Parent process IDprobefunc
: function name of the current probeprobemod
: module name of the current probeprobename
: name of the current probetimestamp
: Time since boot in ns
Listing Probes
You can list all DTrace probes by passing the
-l option to the dtrace command:# To count all the probes that are available on your system, you can type the following command:
#
dtrace -l | wc -ldtrace -l