€•,Š      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ%/translations/zh_CN/trace/eprobetrace”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ%/translations/zh_TW/trace/eprobetrace”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ%/translations/it_IT/trace/eprobetrace”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ%/translations/ja_JP/trace/eprobetrace”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ%/translations/ko_KR/trace/eprobetrace”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ%/translations/sp_SP/trace/eprobetrace”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒ?/var/lib/git/docbuild/linux/Documentation/trace/eprobetrace.rst”h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ"Eprobe - Event-based Probe Tracing”h]”hŒ"Eprobe - Event-based Probe Tracing”…””}”(hh»hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hh¶hžhhŸh³h KubhŒ
field_list”“”)”}”(hhh]”hŒfield”“”)”}”(hhh]”(hŒ
field_name”“”)”}”(hŒAuthor”h]”hŒAuthor”…””}”(hhÕhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhhÐhŸh³h K ubhŒ
field_body”“”)”}”(hŒ%Steven Rostedt <rostedt@goodmis.org>
”h]”hŒ	paragraph”“”)”}”(hŒ$Steven Rostedt <rostedt@goodmis.org>”h]”(hŒSteven Rostedt <”…””}”(hhëhžhhŸNh NubhŒ	reference”“”)”}”(hŒrostedt@goodmis.org”h]”hŒrostedt@goodmis.org”…””}”(hhõhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:rostedt@goodmis.org”uh1hóhhëubhŒ>”…””}”(hhëhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Khhåubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhhÐubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÎhŸh³h KhhËhžhubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhh¶hžhhŸh³h KubhŒbullet_list”“”)”}”(hhh]”hŒ	list_item”“”)”}”(hŒWritten for v6.17
”h]”hê)”}”(hŒWritten for v6.17”h]”hŒWritten for v6.17”…””}”(hj,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K	hj(  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hj#  hžhhŸh³h Nubah}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1j!  hŸh³h K	hh¶hžhubhµ)”}”(hhh]”(hº)”}”(hŒOverview”h]”hŒOverview”…””}”(hjK  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjH  hžhhŸh³h Kubhê)”}”(hŒ®Eprobes are dynamic events that are placed on existing events to either
dereference a field that is a pointer, or simply to limit what fields are
recorded in the trace event.”h]”hŒ®Eprobes are dynamic events that are placed on existing events to either
dereference a field that is a pointer, or simply to limit what fields are
recorded in the trace event.”…””}”(hjY  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KhjH  hžhubhê)”}”(hŒiEprobes depend on kprobe events so to enable this feature, build your kernel
with CONFIG_EPROBE_EVENTS=y.”h]”hŒiEprobes depend on kprobe events so to enable this feature, build your kernel
with CONFIG_EPROBE_EVENTS=y.”…””}”(hjg  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KhjH  hžhubhê)”}”(hŒDEprobes are created via the /sys/kernel/tracing/dynamic_events file.”h]”hŒDEprobes are created via the /sys/kernel/tracing/dynamic_events file.”…””}”(hju  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KhjH  hžhubhµ)”}”(hhh]”(hº)”}”(hŒSynopsis of eprobe_events”h]”hŒSynopsis of eprobe_events”…””}”(hj†  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjƒ  hžhhŸh³h KubhŒliteral_block”“”)”}”(hX   e[:[EGRP/][EEVENT]] GRP.EVENT [FETCHARGS]     : Set a probe
 -:[EGRP/][EEVENT]                             : Clear a probe

EGRP           : Group name of the new event. If omitted, use "eprobes" for it.
EEVENT         : Event name. If omitted, the event name is generated and will
                 be the same event name as the event it attached to.
GRP            : Group name of the event to attach to.
EVENT          : Event name of the event to attach to.

FETCHARGS      : Arguments. Each probe can have up to 128 args.
 $FIELD        : Fetch the value of the event field called FIELD.
 @ADDR         : Fetch memory at ADDR (ADDR should be in kernel)
 @SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol)
 $comm         : Fetch current task comm.
 +|-[u]OFFS(FETCHARG) : Fetch memory at FETCHARG +|- OFFS address.(\*3)(\*4)
 \IMM          : Store an immediate value to the argument.
 NAME=FETCHARG : Set NAME as the argument name of FETCHARG.
 FETCHARG:TYPE : Set TYPE as the type of FETCHARG. Currently, basic types
                 (u8/u16/u32/u64/s8/s16/s32/s64), hexadecimal types
                 (x8/x16/x32/x64), VFS layer common type(%pd/%pD), "char",
                 "string", "ustring", "symbol", "symstr" and "bitfield" are
                 supported.”h]”hX   e[:[EGRP/][EEVENT]] GRP.EVENT [FETCHARGS]     : Set a probe
 -:[EGRP/][EEVENT]                             : Clear a probe

EGRP           : Group name of the new event. If omitted, use "eprobes" for it.
EEVENT         : Event name. If omitted, the event name is generated and will
                 be the same event name as the event it attached to.
GRP            : Group name of the event to attach to.
EVENT          : Event name of the event to attach to.

FETCHARGS      : Arguments. Each probe can have up to 128 args.
 $FIELD        : Fetch the value of the event field called FIELD.
 @ADDR         : Fetch memory at ADDR (ADDR should be in kernel)
 @SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol)
 $comm         : Fetch current task comm.
 +|-[u]OFFS(FETCHARG) : Fetch memory at FETCHARG +|- OFFS address.(\*3)(\*4)
 \IMM          : Store an immediate value to the argument.
 NAME=FETCHARG : Set NAME as the argument name of FETCHARG.
 FETCHARG:TYPE : Set TYPE as the type of FETCHARG. Currently, basic types
                 (u8/u16/u32/u64/s8/s16/s32/s64), hexadecimal types
                 (x8/x16/x32/x64), VFS layer common type(%pd/%pD), "char",
                 "string", "ustring", "symbol", "symstr" and "bitfield" are
                 supported.”…””}”hj–  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h Khjƒ  hžhubeh}”(h]”Œsynopsis-of-eprobe-events”ah ]”h"]”Œsynopsis of eprobe_events”ah$]”h&]”uh1h´hjH  hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒTypes”h]”hŒTypes”…””}”(hj¯  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj¬  hžhhŸh³h K3ubhê)”}”(hŒmThe FETCHARGS above is very similar to the kprobe events as described in
Documentation/trace/kprobetrace.rst.”h]”hŒmThe FETCHARGS above is very similar to the kprobe events as described in
Documentation/trace/kprobetrace.rst.”…””}”(hj½  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K4hj¬  hžhubhê)”}”(hŒýThe difference between eprobes and kprobes FETCHARGS is that eprobes has a
$FIELD command that returns the content of the event field of the event
that is attached. Eprobes do not have access to registers, stacks and function
arguments that kprobes has.”h]”hŒýThe difference between eprobes and kprobes FETCHARGS is that eprobes has a
$FIELD command that returns the content of the event field of the event
that is attached. Eprobes do not have access to registers, stacks and function
arguments that kprobes has.”…””}”(hjË  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K7hj¬  hžhubhê)”}”(hŒoIf a field argument is a pointer, it may be dereferenced just like a memory
address using the FETCHARGS syntax.”h]”hŒoIf a field argument is a pointer, it may be dereferenced just like a memory
address using the FETCHARGS syntax.”…””}”(hjÙ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K<hj¬  hžhubeh}”(h]”Œtypes”ah ]”h"]”Œtypes”ah$]”h&]”uh1h´hjH  hžhhŸh³h K3ubhµ)”}”(hhh]”(hº)”}”(hŒAttaching to dynamic events”h]”hŒAttaching to dynamic events”…””}”(hjò  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjï  hžhhŸh³h KAubhê)”}”(hŒ×Eprobes may attach to dynamic events as well as to normal events. It may
attach to a kprobe event, a synthetic event or a fprobe event. This is useful
if the type of a field needs to be changed. See Example 2 below.”h]”hŒ×Eprobes may attach to dynamic events as well as to normal events. It may
attach to a kprobe event, a synthetic event or a fprobe event. This is useful
if the type of a field needs to be changed. See Example 2 below.”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KChjï  hžhubeh}”(h]”Œattaching-to-dynamic-events”ah ]”h"]”Œattaching to dynamic events”ah$]”h&]”uh1h´hjH  hžhhŸh³h KAubeh}”(h]”Œoverview”ah ]”h"]”Œoverview”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒUsage examples”h]”hŒUsage examples”…””}”(hj!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj  hžhhŸh³h KHubhµ)”}”(hhh]”(hº)”}”(hŒ	Example 1”h]”hŒ	Example 1”…””}”(hj2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj/  hžhhŸh³h KKubhê)”}”(hŒ¼The basic usage of eprobes is to limit the data that is being recorded into
the tracing buffer. For example, a common event to trace is the sched_switch
trace event. That has a format of::”h]”hŒ»The basic usage of eprobes is to limit the data that is being recorded into
the tracing buffer. For example, a common event to trace is the sched_switch
trace event. That has a format of:”…””}”(hj@  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KMhj/  hžhubj•  )”}”(hXÖ  field:unsigned short common_type;       offset:0;       size:2; signed:0;
field:unsigned char common_flags;       offset:2;       size:1; signed:0;
field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
field:int common_pid;   offset:4;       size:4; signed:1;

field:char prev_comm[16];       offset:8;       size:16;        signed:0;
field:pid_t prev_pid;   offset:24;      size:4; signed:1;
field:int prev_prio;    offset:28;      size:4; signed:1;
field:long prev_state;  offset:32;      size:8; signed:1;
field:char next_comm[16];       offset:40;      size:16;        signed:0;
field:pid_t next_pid;   offset:56;      size:4; signed:1;
field:int next_prio;    offset:60;      size:4; signed:1;”h]”hXÖ  field:unsigned short common_type;       offset:0;       size:2; signed:0;
field:unsigned char common_flags;       offset:2;       size:1; signed:0;
field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
field:int common_pid;   offset:4;       size:4; signed:1;

field:char prev_comm[16];       offset:8;       size:16;        signed:0;
field:pid_t prev_pid;   offset:24;      size:4; signed:1;
field:int prev_prio;    offset:28;      size:4; signed:1;
field:long prev_state;  offset:32;      size:8; signed:1;
field:char next_comm[16];       offset:40;      size:16;        signed:0;
field:pid_t next_pid;   offset:56;      size:4; signed:1;
field:int next_prio;    offset:60;      size:4; signed:1;”…””}”hjN  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h KQhj/  hžhubhê)”}”(hX‡  The first four fields are common to all events and can not be limited. But the
rest of the event has 60 bytes of information. It records the names of the
previous and next tasks being scheduled out and in, as well as their pids and
priorities. It also records the state of the previous task. If only the pids
of the tasks are of interest, why waste the ring buffer with all the other
fields?”h]”hX‡  The first four fields are common to all events and can not be limited. But the
rest of the event has 60 bytes of information. It records the names of the
previous and next tasks being scheduled out and in, as well as their pids and
priorities. It also records the state of the previous task. If only the pids
of the tasks are of interest, why waste the ring buffer with all the other
fields?”…””}”(hj\  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K^hj/  hžhubhê)”}”(hŒAn eprobe can limit what gets recorded. Note, it does not help in performance,
as all the fields are recorded in a temporary buffer to process the eprobe.
::”h]”hŒšAn eprobe can limit what gets recorded. Note, it does not help in performance,
as all the fields are recorded in a temporary buffer to process the eprobe.”…””}”(hjj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Kehj/  hžhubj•  )”}”(hX$  # echo 'e:sched/switch sched.sched_switch prev=$prev_pid:u32 next=$next_pid:u32' >> /sys/kernel/tracing/dynamic_events
# echo 1 > /sys/kernel/tracing/events/sched/switch/enable
# cat /sys/kernel/tracing/trace

# tracer: nop
#
# entries-in-buffer/entries-written: 2721/2721   #P:8
#
#                                _-----=> irqs-off/BH-disabled
#                               / _----=> need-resched
#                              | / _---=> hardirq/softirq
#                              || / _--=> preempt-depth
#                              ||| / _-=> migrate-disable
#                              |||| /     delay
#           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
#              | |         |   |||||     |         |
    sshd-session-1082    [004] d..4.  5041.239906: switch: (sched.sched_switch) prev=1082 next=0
            bash-1085    [001] d..4.  5041.240198: switch: (sched.sched_switch) prev=1085 next=141
   kworker/u34:5-141     [001] d..4.  5041.240259: switch: (sched.sched_switch) prev=141 next=1085
          <idle>-0       [004] d..4.  5041.240354: switch: (sched.sched_switch) prev=0 next=1082
            bash-1085    [001] d..4.  5041.240385: switch: (sched.sched_switch) prev=1085 next=141
   kworker/u34:5-141     [001] d..4.  5041.240410: switch: (sched.sched_switch) prev=141 next=1085
            bash-1085    [001] d..4.  5041.240478: switch: (sched.sched_switch) prev=1085 next=0
    sshd-session-1082    [004] d..4.  5041.240526: switch: (sched.sched_switch) prev=1082 next=0
          <idle>-0       [001] d..4.  5041.247524: switch: (sched.sched_switch) prev=0 next=90
          <idle>-0       [002] d..4.  5041.247545: switch: (sched.sched_switch) prev=0 next=16
     kworker/1:1-90      [001] d..4.  5041.247580: switch: (sched.sched_switch) prev=90 next=0
       rcu_sched-16      [002] d..4.  5041.247591: switch: (sched.sched_switch) prev=16 next=0
          <idle>-0       [002] d..4.  5041.257536: switch: (sched.sched_switch) prev=0 next=16
       rcu_sched-16      [002] d..4.  5041.257573: switch: (sched.sched_switch) prev=16 next=0”h]”hX$  # echo 'e:sched/switch sched.sched_switch prev=$prev_pid:u32 next=$next_pid:u32' >> /sys/kernel/tracing/dynamic_events
# echo 1 > /sys/kernel/tracing/events/sched/switch/enable
# cat /sys/kernel/tracing/trace

# tracer: nop
#
# entries-in-buffer/entries-written: 2721/2721   #P:8
#
#                                _-----=> irqs-off/BH-disabled
#                               / _----=> need-resched
#                              | / _---=> hardirq/softirq
#                              || / _--=> preempt-depth
#                              ||| / _-=> migrate-disable
#                              |||| /     delay
#           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
#              | |         |   |||||     |         |
    sshd-session-1082    [004] d..4.  5041.239906: switch: (sched.sched_switch) prev=1082 next=0
            bash-1085    [001] d..4.  5041.240198: switch: (sched.sched_switch) prev=1085 next=141
   kworker/u34:5-141     [001] d..4.  5041.240259: switch: (sched.sched_switch) prev=141 next=1085
          <idle>-0       [004] d..4.  5041.240354: switch: (sched.sched_switch) prev=0 next=1082
            bash-1085    [001] d..4.  5041.240385: switch: (sched.sched_switch) prev=1085 next=141
   kworker/u34:5-141     [001] d..4.  5041.240410: switch: (sched.sched_switch) prev=141 next=1085
            bash-1085    [001] d..4.  5041.240478: switch: (sched.sched_switch) prev=1085 next=0
    sshd-session-1082    [004] d..4.  5041.240526: switch: (sched.sched_switch) prev=1082 next=0
          <idle>-0       [001] d..4.  5041.247524: switch: (sched.sched_switch) prev=0 next=90
          <idle>-0       [002] d..4.  5041.247545: switch: (sched.sched_switch) prev=0 next=16
     kworker/1:1-90      [001] d..4.  5041.247580: switch: (sched.sched_switch) prev=90 next=0
       rcu_sched-16      [002] d..4.  5041.247591: switch: (sched.sched_switch) prev=16 next=0
          <idle>-0       [002] d..4.  5041.257536: switch: (sched.sched_switch) prev=0 next=16
       rcu_sched-16      [002] d..4.  5041.257573: switch: (sched.sched_switch) prev=16 next=0”…””}”hjx  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h Kihj/  hžhubhê)”}”(hŒpNote, without adding the "u32" after the prev_pid and next_pid, the values
would default showing in hexadecimal.”h]”hŒtNote, without adding the â€œu32â€ after the prev_pid and next_pid, the values
would default showing in hexadecimal.”…””}”(hj†  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Kˆhj/  hžhubeh}”(h]”Œ	example-1”ah ]”h"]”Œ	example 1”ah$]”h&]”uh1h´hj  hžhhŸh³h KKubhµ)”}”(hhh]”(hº)”}”(hŒ	Example 2”h]”hŒ	Example 2”…””}”(hjŸ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjœ  hžhhŸh³h KŒubhê)”}”(hX]  If a specific system call is to be recorded but the syscalls events are not
enabled, the raw_syscalls can still be used (syscalls are system call
events are not normal events, but are created from the raw_syscalls events
within the kernel). In order to trace the openat system call, one can create
an event probe on top of the raw_syscalls event:
::”h]”hXZ  If a specific system call is to be recorded but the syscalls events are not
enabled, the raw_syscalls can still be used (syscalls are system call
events are not normal events, but are created from the raw_syscalls events
within the kernel). In order to trace the openat system call, one can create
an event probe on top of the raw_syscalls event:”…””}”(hj­  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KŽhjœ  hžhubj•  )”}”(hX»  # cd /sys/kernel/tracing
# cat events/raw_syscalls/sys_enter/format
name: sys_enter
ID: 395
format:
       field:unsigned short common_type;       offset:0;       size:2; signed:0;
       field:unsigned char common_flags;       offset:2;       size:1; signed:0;
       field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
       field:int common_pid;   offset:4;       size:4; signed:1;

       field:long id;  offset:8;       size:8; signed:1;
       field:unsigned long args[6];    offset:16;      size:48;        signed:0;

print fmt: "NR %ld (%lx, %lx, %lx, %lx, %lx, %lx)", REC->id, REC->args[0], REC->args[1], REC->args[2], REC->args[3], REC->args[4], REC->args[5]”h]”hX»  # cd /sys/kernel/tracing
# cat events/raw_syscalls/sys_enter/format
name: sys_enter
ID: 395
format:
       field:unsigned short common_type;       offset:0;       size:2; signed:0;
       field:unsigned char common_flags;       offset:2;       size:1; signed:0;
       field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
       field:int common_pid;   offset:4;       size:4; signed:1;

       field:long id;  offset:8;       size:8; signed:1;
       field:unsigned long args[6];    offset:16;      size:48;        signed:0;

print fmt: "NR %ld (%lx, %lx, %lx, %lx, %lx, %lx)", REC->id, REC->args[0], REC->args[1], REC->args[2], REC->args[3], REC->args[4], REC->args[5]”…””}”hj»  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h K•hjœ  hžhubhê)”}”(hŒ.From the source code, the sys_openat() has:
::”h]”hŒ+From the source code, the sys_openat() has:”…””}”(hjÉ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K¤hjœ  hžhubj•  )”}”(hŒ‰int sys_openat(int dirfd, const char *path, int flags, mode_t mode)
{
       return my_syscall4(__NR_openat, dirfd, path, flags, mode);
}”h]”hŒ‰int sys_openat(int dirfd, const char *path, int flags, mode_t mode)
{
       return my_syscall4(__NR_openat, dirfd, path, flags, mode);
}”…””}”hj×  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h K§hjœ  hžhubhê)”}”(hŒ@The path is the second parameter, and that is what is wanted.
::”h]”hŒ=The path is the second parameter, and that is what is wanted.”…””}”(hjå  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K¬hjœ  hžhubj•  )”}”(hŒ\# echo 'e:openat raw_syscalls.sys_enter nr=$id filename=+8($args):ustring' >> dynamic_events”h]”hŒ\# echo 'e:openat raw_syscalls.sys_enter nr=$id filename=+8($args):ustring' >> dynamic_events”…””}”hjó  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h K¯hjœ  hžhubhê)”}”(hŒsThis is being run on x86_64 where the word size is 8 bytes and the openat
system call __NR_openat is set at 257.
::”h]”hŒpThis is being run on x86_64 where the word size is 8 bytes and the openat
system call __NR_openat is set at 257.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K±hjœ  hžhubj•  )”}”(hŒ1# echo 'nr == 257' > events/eprobes/openat/filter”h]”hŒ1# echo 'nr == 257' > events/eprobes/openat/filter”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h Kµhjœ  hžhubhê)”}”(hŒ.Now enable the event and look at the trace.
::”h]”hŒ+Now enable the event and look at the trace.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K·hjœ  hžhubj•  )”}”(hXï  # echo 1 > events/eprobes/openat/enable
# cat trace

# tracer: nop
#
# entries-in-buffer/entries-written: 4/4   #P:8
#
#                                _-----=> irqs-off/BH-disabled
#                               / _----=> need-resched
#                              | / _---=> hardirq/softirq
#                              || / _--=> preempt-depth
#                              ||| / _-=> migrate-disable
#                              |||| /     delay
#           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
#              | |         |   |||||     |         |
             cat-1298    [003] ...2.  2060.875970: openat: (raw_syscalls.sys_enter) nr=0x101 filename=(fault)
             cat-1298    [003] ...2.  2060.876197: openat: (raw_syscalls.sys_enter) nr=0x101 filename=(fault)
             cat-1298    [003] ...2.  2060.879126: openat: (raw_syscalls.sys_enter) nr=0x101 filename=(fault)
             cat-1298    [003] ...2.  2060.879639: openat: (raw_syscalls.sys_enter) nr=0x101 filename=(fault)”h]”hXï  # echo 1 > events/eprobes/openat/enable
# cat trace

# tracer: nop
#
# entries-in-buffer/entries-written: 4/4   #P:8
#
#                                _-----=> irqs-off/BH-disabled
#                               / _----=> need-resched
#                              | / _---=> hardirq/softirq
#                              || / _--=> preempt-depth
#                              ||| / _-=> migrate-disable
#                              |||| /     delay
#           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
#              | |         |   |||||     |         |
             cat-1298    [003] ...2.  2060.875970: openat: (raw_syscalls.sys_enter) nr=0x101 filename=(fault)
             cat-1298    [003] ...2.  2060.876197: openat: (raw_syscalls.sys_enter) nr=0x101 filename=(fault)
             cat-1298    [003] ...2.  2060.879126: openat: (raw_syscalls.sys_enter) nr=0x101 filename=(fault)
             cat-1298    [003] ...2.  2060.879639: openat: (raw_syscalls.sys_enter) nr=0x101 filename=(fault)”…””}”hj+  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h Kºhjœ  hžhubhê)”}”(hX  The filename shows "(fault)". This is likely because the filename has not been
pulled into memory yet and currently trace events cannot fault in memory that
is not present. When an eprobe tries to read memory that has not been faulted
in yet, it will show the "(fault)" text.”h]”hX  The filename shows â€œ(fault)â€. This is likely because the filename has not been
pulled into memory yet and currently trace events cannot fault in memory that
is not present. When an eprobe tries to read memory that has not been faulted
in yet, it will show the â€œ(fault)â€ text.”…””}”(hj9  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÎhjœ  hžhubhê)”}”(hX  To get around this, as the kernel will likely pull in this filename and make
it present, attaching it to a synthetic event that can pass the address of the
filename from the entry of the event to the end of the event, this can be used
to show the filename when the system call returns.”h]”hX  To get around this, as the kernel will likely pull in this filename and make
it present, attaching it to a synthetic event that can pass the address of the
filename from the entry of the event to the end of the event, this can be used
to show the filename when the system call returns.”…””}”(hjG  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÓhjœ  hžhubhê)”}”(hŒRemove the old eprobe::”h]”hŒRemove the old eprobe:”…””}”(hjU  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KØhjœ  hžhubj•  )”}”(hŒK# echo 1 > events/eprobes/openat/enable
# echo '-:openat' >> dynamic_events”h]”hŒK# echo 1 > events/eprobes/openat/enable
# echo '-:openat' >> dynamic_events”…””}”hjc  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h KÚhjœ  hžhubhê)”}”(hŒEThis time make an eprobe where the address of the filename is saved::”h]”hŒDThis time make an eprobe where the address of the filename is saved:”…””}”(hjq  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÝhjœ  hžhubj•  )”}”(hŒ^# echo 'e:openat_start raw_syscalls.sys_enter nr=$id filename=+8($args):x64' >> dynamic_events”h]”hŒ^# echo 'e:openat_start raw_syscalls.sys_enter nr=$id filename=+8($args):x64' >> dynamic_events”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h Kßhjœ  hžhubhê)”}”(hŒZCreate a synthetic event that passes the address of the filename to the
end of the event::”h]”hŒYCreate a synthetic event that passes the address of the filename to the
end of the event:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Káhjœ  hžhubj•  )”}”(hX  # echo 's:filename u64 file' >> dynamic_events
# echo 'hist:keys=common_pid:f=filename if nr == 257' > events/eprobes/openat_start/trigger
# echo 'hist:keys=common_pid:file=$f:onmatch(eprobes.openat_start).trace(filename,$file) if id == 257' > events/raw_syscalls/sys_exit/trigger”h]”hX  # echo 's:filename u64 file' >> dynamic_events
# echo 'hist:keys=common_pid:f=filename if nr == 257' > events/eprobes/openat_start/trigger
# echo 'hist:keys=common_pid:file=$f:onmatch(eprobes.openat_start).trace(filename,$file) if id == 257' > events/raw_syscalls/sys_exit/trigger”…””}”hj›  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h Kähjœ  hžhubhê)”}”(hŒšNow that the address of the filename has been passed to the end of the
system call, create another eprobe to attach to the exit event to show the
string::”h]”hŒ™Now that the address of the filename has been passed to the end of the
system call, create another eprobe to attach to the exit event to show the
string:”…””}”(hj©  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Kèhjœ  hžhubj•  )”}”(hXK  # echo 'e:openat synthetic.filename filename=+0($file):ustring' >> dynamic_events
# echo 1 > events/eprobes/openat/enable
# cat trace

# tracer: nop
#
# entries-in-buffer/entries-written: 4/4   #P:8
#
#                                _-----=> irqs-off/BH-disabled
#                               / _----=> need-resched
#                              | / _---=> hardirq/softirq
#                              || / _--=> preempt-depth
#                              ||| / _-=> migrate-disable
#                              |||| /     delay
#           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
#              | |         |   |||||     |         |
             cat-1331    [001] ...5.  2944.787977: openat: (synthetic.filename) filename="/etc/ld.so.cache"
             cat-1331    [001] ...5.  2944.788480: openat: (synthetic.filename) filename="/lib/x86_64-linux-gnu/libc.so.6"
             cat-1331    [001] ...5.  2944.793426: openat: (synthetic.filename) filename="/usr/lib/locale/locale-archive"
             cat-1331    [001] ...5.  2944.831362: openat: (synthetic.filename) filename="trace"”h]”hXK  # echo 'e:openat synthetic.filename filename=+0($file):ustring' >> dynamic_events
# echo 1 > events/eprobes/openat/enable
# cat trace

# tracer: nop
#
# entries-in-buffer/entries-written: 4/4   #P:8
#
#                                _-----=> irqs-off/BH-disabled
#                               / _----=> need-resched
#                              | / _---=> hardirq/softirq
#                              || / _--=> preempt-depth
#                              ||| / _-=> migrate-disable
#                              |||| /     delay
#           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
#              | |         |   |||||     |         |
             cat-1331    [001] ...5.  2944.787977: openat: (synthetic.filename) filename="/etc/ld.so.cache"
             cat-1331    [001] ...5.  2944.788480: openat: (synthetic.filename) filename="/lib/x86_64-linux-gnu/libc.so.6"
             cat-1331    [001] ...5.  2944.793426: openat: (synthetic.filename) filename="/usr/lib/locale/locale-archive"
             cat-1331    [001] ...5.  2944.831362: openat: (synthetic.filename) filename="trace"”…””}”hj·  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h Kìhjœ  hžhubeh}”(h]”Œ	example-2”ah ]”h"]”Œ	example 2”ah$]”h&]”uh1h´hj  hžhhŸh³h KŒubhµ)”}”(hhh]”(hº)”}”(hŒ	Example 3”h]”hŒ	Example 3”…””}”(hjÐ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjÍ  hžhhŸh³h Mubhê)”}”(hŒxIf syscall trace events are available, the above would not need the first
eprobe, but it would still need the last one::”h]”hŒwIf syscall trace events are available, the above would not need the first
eprobe, but it would still need the last one:”…””}”(hjÞ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h MhjÍ  hžhubj•  )”}”(hX…  # echo 's:filename u64 file' >> dynamic_events
# echo 'hist:keys=common_pid:f=filename' > events/syscalls/sys_enter_openat/trigger
# echo 'hist:keys=common_pid:file=$f:onmatch(syscalls.sys_enter_openat).trace(filename,$file)' > events/syscalls/sys_exit_openat/trigger
# echo 'e:openat synthetic.filename filename=+0($file):ustring' >> dynamic_events
# echo 1 > events/eprobes/openat/enable”h]”hX…  # echo 's:filename u64 file' >> dynamic_events
# echo 'hist:keys=common_pid:f=filename' > events/syscalls/sys_enter_openat/trigger
# echo 'hist:keys=common_pid:file=$f:onmatch(syscalls.sys_enter_openat).trace(filename,$file)' > events/syscalls/sys_exit_openat/trigger
# echo 'e:openat synthetic.filename filename=+0($file):ustring' >> dynamic_events
# echo 1 > events/eprobes/openat/enable”…””}”hjì  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j”  hŸh³h MhjÍ  hžhubhê)”}”(hŒ4And this would produce the same result as Example 2.”h]”hŒ4And this would produce the same result as Example 2.”…””}”(hjú  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h MhjÍ  hžhubeh}”(h]”Œ	example-3”ah ]”h"]”Œ	example 3”ah$]”h&]”uh1h´hj  hžhhŸh³h Mubeh}”(h]”Œusage-examples”ah ]”h"]”Œusage examples”ah$]”h&]”uh1h´hh¶hžhhŸh³h KHubeh}”(h]”Œ eprobe-event-based-probe-tracing”ah ]”h"]”Œ"eprobe - event-based probe tracing”ah$]”h&]”uh1h´hhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¹NŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jC  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(j  j  j  j  j©  j¦  jì  jé  j  j  j  j  j™  j–  jÊ  jÇ  j  j
  uŒ	nametypes”}”(j  ‰j  ‰j©  ‰jì  ‰j  ‰j  ‰j™  ‰jÊ  ‰j  ‰uh}”(j  h¶j  jH  j¦  jƒ  jé  j¬  j  jï  j  j  j–  j/  jÇ  jœ  j
  jÍ  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”(hŒsystem_message”“”)”}”(hhh]”hê)”}”(hŒfPossible title underline, too short for the title.
Treating it as ordinary text because it's so short.”h]”hŒhPossible title underline, too short for the title.
Treating it as ordinary text because itâ€™s so short.”…””}”(hjª  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhj§  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”ŒINFO”Œline”K¥Œsource”h³uh1j¥  hjœ  hžhhŸh³h K¥ubj¦  )”}”(hhh]”hê)”}”(hŒfPossible title underline, too short for the title.
Treating it as ordinary text because it's so short.”h]”hŒhPossible title underline, too short for the title.
Treating it as ordinary text because itâ€™s so short.”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhjÃ  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”jÀ  Œline”K­Œsource”h³uh1j¥  hjœ  hžhhŸh³h K­ubj¦  )”}”(hhh]”hê)”}”(hŒfPossible title underline, too short for the title.
Treating it as ordinary text because it's so short.”h]”hŒhPossible title underline, too short for the title.
Treating it as ordinary text because itâ€™s so short.”…””}”(hjá  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhjÞ  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”jÀ  Œline”K¸Œsource”h³uh1j¥  hjœ  hžhhŸh³h K¸ubeŒtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.