This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: How do uprobes work?
- From: fche at redhat dot com (Frank Ch. Eigler)
- To: Evan Klitzke <evan at eklitzke dot org>
- Cc: systemtap at sourceware dot org
- Date: Thu, 26 May 2016 11:11:23 -0400
- Subject: Re: How do uprobes work?
- Authentication-results: sourceware.org; auth=none
- References: <CAKuwthhAKDkQZPsEsefoMtULZJMUpFeKX5LxKNAhW2-WxUAh7Q at mail dot gmail dot com>
Hi -
evan wrote:
> [...]
> I'm interested in learning more about how uprobes work with systemtap.
> [...]
> If I had to guess I'd speculate that similar to a GDB breakpoint,
> the nop for a probed process is replaced with a trap instruction,
> and then the kernel knows that a trap generated at that address is
> intended for systemtap [...]
That's exactly right. uprobes are a intra-kernel API, so see
the related files in the linux kernel, e.g.:
include/linux/uprobes.h
arch/x86/kernel/uprobes.c
The same intra-kernel API is also used by perf probe, though the
operational model of that tool is quite different from systemtap.
> Another related question: when I run a systemtap script to trace a
> userspace process, what functionality exactly is running in the
> kernel and what is running in userspace? [...]
In the normal systemtap case, all probing & processing & analysis runs
in kernel space, so a user's probe handler code has access to a huge
amount of live state, some of which may even be changeable. Output
strings are relayed to userspace for printing. stap --runtime=dyninst
has a different model. perf also has a very different,
quick&dirty-trace-from-kernel analyze-later-in-userspace model.
- FChE