Usage: dtrace [-aACeFHlqSvVwZ] [-arch i386|x86_64] [-b bufsz] [-c cmd] [-D name[=def]]
[-I path] [-L path] [-o output] [-p pid] [-s script] [-U name]
[-x opt[=val]]
[-P provider [[ predicate ] action ]]
[-m [ provider: ] module [[ predicate ] action ]]
[-f [[ provider: ] module: ] func [[ predicate ] action ]]
[-n [[[ provider: ] module: ] func: ] name [[ predicate ] action ]]
[-i probe-id [[ predicate ] action ]] [ args ... ]
predicate -> '/' D-expression '/'
action -> '{' D-statements '}'
-arch Generate programs and Mach-O files for the specified architecture
-a claim anonymous tracing state
-A generate plist(5) entries for anonymous tracing
-b set trace buffer size
-c run specified command and exit upon its completion
-C run cpp(1) preprocessor on script files
-D define symbol when invoking preprocessor
-e exit after compiling request but prior to enabling probes
-f enable or list probes matching the specified function name
-F coalesce trace output by function
-h generate a header file with definitions for static probes
-H print included files when invoking preprocessor
-i enable or list probes matching the specified probe id
-I add include directory to preprocessor search path
-l list probes matching specified criteria
-L add library directory to library search path
-m enable or list probes matching the specified module name
-n enable or list probes matching the specified probe name
-o set output file
-p grab specified process-ID and cache its symbol tables
-P enable or list probes matching the specified provider name
-q set quiet mode (only output explicitly traced data)
-s enable or list probes according to the specified D script
-S print D compiler intermediate code
-U undefine symbol when invoking preprocessor
-v set verbose mode (report stability attributes, arguments)
-V report DTrace API version
-w permit destructive actions
-x enable or modify compiler and tracing options
-Z permit probe descriptions that match zero probes
probe names are specified using the following:
provider:module:function:name
The provider and name fields are terms to describe the probe, whereas the mod- ule and function fields explain the probe’s software location
provider: Providers are libraries of probes that instrument a specific area of the system (for example, sched) or a mode of tracing (for example, fbt). New providers are written over time and added to newer releases (for example, ip, tcp, perl, python, mysql, and so on).
module: This is the kernel module where the probe is located. For user-land probes, it reflects the shared object library that contains the probe.
function: This is the software function that contains this probe.
name: This is a meaningful name to describe the probe. For example, names such as entry and return are probes that fire at the entry and return of the corresponding function.
例子 dtrace -n 'syscall::read:entry /execname != "dtrace"/ { @reads[execname, fds[arg0].fi_pathname] = count(); }'
//之间的是filter,过滤不需要的
sudo dtrace -l -P ruby86604
ID PROVIDER MODULE FUNCTION NAME
35731 ruby86604 Ruby rb_call0 function-entry
35732 ruby86604 Ruby rb_call0 function-return
35733 ruby86604 Ruby garbage_collect gc-begin
35734 ruby86604 Ruby garbage_collect gc-end
35735 ruby86604 Ruby rb_eval line
35736 ruby86604 Ruby rb_obj_alloc object-create-done
35737 ruby86604 Ruby rb_obj_alloc object-create-start
35738 ruby86604 Ruby garbage_collect object-free
35739 ruby86604 Ruby rb_longjmp raise
35740 ruby86604 Ruby rb_eval rescue
35741 ruby86604 Ruby ruby_dtrace_probe ruby-probe
ruby86604中,数字表示的是进程号, provider都是ruby
-P enable or list probes matching the specified provider name
There are essentially three components to a DTrace invocation:
The probes
An optional predicate
An optional probe clause, containing the actions to take when the probe fires
dtrace -n 'probe /predicate/ { actions }'
Aggregation variables are prefixed with @ and are populated using aggregating functions
1、 rvm use 2.0.0 ; irb
2、 sudo dtrace -l | grep ruby | grep pid( irb的进程号)
d语言提供的内建变量
actions
trace() takes a single argument and prints it:
printf()
tracemem()
copyin()
stringof()
copyinstr()
strlen() and strjoin()
stack(), ustack(), and jstack()
sizeof()
exit()
Speculations
内建的 macro
Variable
Name Type Description
$target pid_t Process ID specified using -p PID or -c command
$1..$N Integer or string Command-line arguments to dtrace(1M)
$$1..$$N String (forced) Command-line arguments to dtrace(1M)
外部变量
External
variables are defined by the operating system (external to DTrace) and
accessed by prefixing the kernel variable name with a backquote. The
kernel inte- ger variable k could be printed using this:
printf("k: %d
", `k);
Aggregations
Aggregations are a special variable type used to summarize data. They are pre- fixed with an at (@) sign and are populated by aggregating functions. The action
@a = count();
DTrace operates in the kernel address space. To access data from the user-land address space associated with a process, copyin() can be used.
trace()
The trace() action takes a single argument and prints it:
sudo dtrace -n 'syscall::fork*: { trace(pid); }'
sudo dtrace -n 'syscall::exec*: { trace(execname); }'
sudo dtrace -n python*:::function-entry
sudo dtrace -n syscall::*read*:entry
sudo dtrace -n 'syscall::read:entry, sys call::write:entry' /fds[arg0].fi_fs == "sockfs"/ { @[execname, pid] = count();}'
sudo dtrace -n 'ruby57003::rb_str_resurrect:string-create { printf("%s", probefunc); trace(arg4); }'
sudo dtrace -ln 'ruby$target::str_new:string-create {}' -p 81737
DTrace runs in kernel-land.
You can examine user-land (process) memory using copyinstr() (and copyin()).
If you forget this, you’ll see “invalid address” (if you’re lucky).
copyin” is a term from kernel code to refer to copying in data from user-land to the kernel)
DTrace allows you to access command-line arguments within the script. $1 is the first argument after all of arguments that dtrace will consume, $2 is the next one, and so on. Hard-coding a pid is unpleasant to do, so you will typically use $1 to pass a particular process ID on the command-line.
sudo dtrace -q -s malloc-pid.d 1313
例子:
- pid provider
sudo dtrace -n 'pid52043::malloc:entry { printf ("Safari asking for %d bytes", arg0); } ‘
sudo dtrace -l -n 'pid$1::malloc:entry' 8880
- which applications are making the most system calls?
sudo dtrace -n ’syscall:::entry{@num[execname] = count();}’
- which system calls is the Ruby making?
- what functions is the ruby calling?
- How much memory is Ruby allocating?
变量范围:
self thread-local
this clause-local
cases :
sudo dtrace -x ustackframes=100 -n 'profile-997 /execname == "mysqld"/ { @[ustack()] = count(); }tick-60s {exit(0);} ‘
sudo dtrace -n 'ruby*:::method-entry
/pid == 96725 && copyinstr(arg1) == "save" /{printf("%s in %s
at %d",copyinstr(arg1), copyinstr(arg2),arg3 )}'
sudo dtrace -n 'ruby*:::method-entry /pid == 96725 /{@count[copyinstr(arg1)] = count() }’ #分析一次操作中, 方法被调用了多少次
sudo dtrace -n 'ruby*:::method-entry /pid == 6438/ {@ss[copyinstr(arg0), copyinstr(arg1)] = count();}'
sudo dtrace -n 'ruby*:::method-entry
/copyinstr(arg1) == "empty?" / { printf("%s in %s at
%d",copyinstr(arg1), copyinstr(arg2),arg3 ) }' -c 'rake
assets:precompile RAILS_ENV=development'
匹配方法的名称(与上例相同)
sudo dtrace -n 'ruby51374:::method-entry /pid==51374 && copyinstr(arg1) == "initialize"/ {printf("%s, %s",copyinstr(arg0), copyinstr(arg1))}’
sudo dtrace -n 'ruby51374:::method-entry /pid==51374 && copyinstr(arg1) == "initialize"/ {printf("%s, %s",copyinstr(arg0), copyinstr(arg1))}’
查看哪些命令是用dtrace写的:
man -k dtrace
当日志很大的时候, 通过过滤日志缩小考察范围:
cat update_course.log | ack "(codes|course_core|plato_core|course_api|course|update|save|callback)" > filter.log
sudo dtrace -s "./ruby_flow_info.d" -p 63369 > ~/Desktop/xxx.log