% UFTRACE-LIVE(1) Uftrace User Manuals % Namhyung Kim namhyung@gmail.com % Sep, 2018
uftrace-live - Trace functions in a command during live execution
uftrace [live] [options] COMMAND [command-options]
This command runs COMMAND and prints its functions with time and thread info.
This is basically the same as running the uftrace record
and uftrace replay
commands in turn, but it does not save a data file. This command accepts most
options that are accepted by the record or replay commands.
-F FUNC, --filter=FUNC : Set filter to trace selected functions and their children functions. This option can be used more than once. See FILTERS.
-N FUNC, --notrace=FUNC : Set filter not to trace selected functions and their children functions. This option can be used more than once. See FILTERS.
-C FUNC, --caller-filter=FUNC : Set filter to trace callers of selected functions only. This option can be used more than once. See FILTERS.
-T TRG, --trigger=TRG : Set trigger on selected functions. This option can be used more than once. See TRIGGERS.
-D DEPTH, --depth=DEPTH : Set global trace limit in nesting level. See FILTERS.
-t TIME, --time-filter=TIME : Do not show functions which run under the time threshold. If some functions explicitly have the 'trace' trigger applied, those are always traced regardless of execution time. See FILTERS.
-Z SIZE, --size-filter=SIZE : Do not show functions smaller than SIZE bytes. See FILTERS.
-L LOCATION, --loc-filter=LOCATION : Set filter to trace selected source locations. This option can be used more than once. Applies to replay command, not record. See FILTERS.
--no-libcall : Do not record library function invocations. Library calls are normally traced by hooking calls to the resolver function of dynamic linker in the PLT. One can disable it with this option.
--no-event
: Disable event recording which is used by default. Note that explicit event
tracing by --event
option is not affected by this. Implies --no-sched
.
--no-sched : Disable schedule event recording which is used by default.
--match=TYPE
: Use pattern match using TYPE. Possible types are regex
and glob
.
Default is regex
.
--disable
: DEPRECATED. Use --trace=off
instead.
--trace=STATE
: Set uftrace tracing STATE. Possible states are on
and off
. Default is
on
. This is only meaningful when used with a trace_on
trigger or with
the agent
--with-syms=DIR : Read symbol data from the .sym files in DIR directory instead of the binary. This can be useful to deal with stripped binaries. The file name of the main binary should be the same when saved and used.
--list-event : Show available events in the process.
--report : Show live-report before replay.
--record : Do not discard the recorded data.
-p PID, --pid=PID : Switch to client mode. Forward the supported tracing options to a running target with given PID. See AGENT.
-A SPEC, --argument=SPEC : Record function arguments. This option can be used more than once. See ARGUMENTS.
-R SPEC, --retval=SPEC : Record function return values. This option can be used more than once. See ARGUMENTS.
-P FUNC, --patch=FUNC
: Patch FUNC dynamically. This is only applicable binaries built by
gcc with -pg -mfentry -mnop-mcount
or clang with -fxray-instrument
.
This option can be used more than once. See DYNAMIC TRACING.
-U FUNC, --unpatch=FUNC : Do not apply dynamic patching for FUNC. This option can be used more than once. See DYNAMIC TRACING.
-E EVENT, --event=EVENT : Enable event tracing. The event should be available on the system.
-S SCRIPT_PATH, --script=SCRIPT_PATH : Run a given script to do additional work at the entry and exit of function during target program execution. The type of script is detected by the postfix such as '.py' for python. See SCRIPT EXECUTION.
-W, --watch=POINT : Add watch point to display POINT if the value is changed. See WATCH POINT.
-a, --auto-args : Automatically record arguments and return values of known functions. These are usually functions in standard (C language or system) libraries but if debug info is available it includes functions in the user program.
-l, --nest-libcall
: Trace function calls between libraries. By default, uftrace only record
library call from the main executable. Implies --force
.
-k, --kernel
: Trace kernel functions as well as user functions. Only kernel entry/exit
functions will be traced by default. Use the --kernel-depth
option to
override this.
-K DEPTH, --kernel-depth=DEPTH
: Set kernel max function depth separately. Implies --kernel
.
--clock=CLOCK : Set clock source for timestamp recording. CLOCK can be one of 'mono', 'mono_raw', or 'boot'. Default is 'mono'.
--signal=TRG : Set trigger on selected signals rather than functions. But there are restrictions so only a few of trigger actions are support for signals. The available actions are: trace_on, trace_off, finish. This option can be used more than once. See TRIGGERS.
--nop : Do not record and replay any functions. This is a no-op and only meaningful for performance comparisons.
--force
: Allow running uftrace even if some problems occur. When uftrace record
finds no mcount symbol (which is generated by compiler) in the executable,
it quits with an error message since uftrace can not trace the program.
However, it is possible that the user is only interested in functions within
a dynamically-linked library, in which case this option can be used to cause
uftrace to run the program regardless. Also, the -A
/--argument
and
-R
/--retval
options work only for binaries built with -pg
, so uftrace
will normally exit when it tries to run binaries built without that option.
This option ignores the warning and goes on tracing without the argument
and/or return value.
--time
: Print running time of children in time
(1)-style.
-e, --estimate-return : Record only ENTRY data for each function. This option is useful when the target program deals with stack in some way. Normally uftrace modifies task's execution stack frame to hook return from the function. However sometimes it makes troubles and it's hard to handle all the cases properly. This option tells uftrace not to hook return address in order to prevent those problems. The return time is estimated as a half of execution time of two consecutive functions.
--libmcount-path=PATH : Load libmcount libraries from this path. This is mostly for testing purposes.
-b SIZE, --buffer=SIZE : Size of internal buffer in which trace data will be saved. Default size is 128k.
--kernel-buffer=SIZE : Set kernel tracing buffer size. The default value (in the kernel) is 1408k.
--no-pltbind
: Do not bind dynamic symbol address. This option uses the LD_BIND_NOT
environment variable to trace library function calls which might be missing
due to concurrent (first) accesses. It is not meaningful to use this option
with the --no-libcall
option.
--max-stack=DEPTH : Set the max function stack depth for tracing. Default is 1024.
--num-thread=NUM : Use NUM threads to record trace data. Default is 1/4 of online CPUs (but when full kernel tracing is enabled, it will use the full number of CPUs).
--libmcount-single : Use single thread version of libmcount for faster recording. This is ignored if the target program links with the pthread library.
--rt-prio=PRIO : Boost priority of recording threads to real-time (FIFO) with priority of PRIO. This is particularly useful for high-volume data such as full kernel tracing.
--keep-pid
: Retain same pid for traced program. For some daemon processes, it is
important to have same pid when forked. Running under uftrace normally
changes pid as it calls fork() again internally. Note that it might corrupt
terminal setting so it'd be better using it with --no-pager
option.
--no-randomize-addr : Disable ASLR (Address Space Layout Randomization). It makes the target process fix its address space layout.
-g, --agent : Spawn an agent thread in the target. At runtime, the agent receives external commands and can change supported tracing options. See AGENT.
-f FIELD, --output-fields=FIELD : Customize field in the output. Possible values are: duration, tid, time, delta, elapsed and addr. Multiple fields can be set by using comma. Special field of 'none' can be used (solely) to hide all fields. Default is 'duration,tid'. See FIELDS.
--flat : Print flat format rather than C-like format. This is usually for debugging and testing purpose.
--column-view : Show each task in separate column. This makes easy to distinguish functions in different tasks.
--column-offset=DEPTH
: When --column-view
option is used, this option specifies the amount of
offset between each task. Default is 8.
--task-newline : Interleave a new line when task is changed. This makes easy to distinguish functions in different tasks.
--no-comment : Do not show comments of returned functions.
--libname : Show library name along with function name.
--no-args : Do not show function arguments and return value.
-H FUNC, --hide=FUNC : Set filter not to trace selected functions. It doesn't affect their subtrees, but hides only the given functions. This option can be used more than once. See FILTERS.
--kernel-full : Show all kernel functions called outside of user functions.
--kernel-only : Show kernel functions only without user functions.
--event-full : Show all (user) events outside of user functions.
--demangle=TYPE : Demangle C++ symbol names. Possible values are "full", "simple" and "no". Default is "simple" which ignores function arguments and template parameters.
-r RANGE, --time-range=RANGE
: Only show functions executed within the time RANGE. The RANGE can be
<start><stop> (separated by "") and one of <start> and <stop> can
be omitted. The <start> and <stop> are timestamp or elapsed time if
they have <time_unit> postfix, for example '100us'. However, it is
highly recommended to use only elapsed time because there is no way to know
the timestamp before actually running the program. The timestamp or elapsed
time can be shown with -f time
or -f elapsed
option respectively.
The uftrace tool supports filtering out uninteresting functions. Filtering is
highly recommended since it helps users focus on the interesting functions and
reduces the data size. When uftrace is called, it receives two types of function
filter; an opt-in filter with -F
/--filter
and an opt-out filter with
-N
/--notrace
.
These filters can be applied either at record time or replay time. For record
time, they can be added and removed at runtime from the client, see AGENT.
Removing filters is achieved by specifying the @clear
suffix for the -F
/
--filter
or -N
/ --notrace
options.
The first type of filter is opt-in. By default, it doesn't trace anything. But when one of the specified functions is executed, tracing is started. When the function returns, tracing is stopped again.
For example, consider a simple program which calls a()
, b()
and c()
in turn.
$ cat abc.c
void c(void) {
/* do nothing */
}
void b(void) {
c();
}
void a(void) {
b();
}
int main(void) {
a();
return 0;
}
$ gcc -pg -o abc abc.c
Normally uftrace will trace all the functions from main()
to c()
.
$ uftrace live ./abc
# DURATION TID FUNCTION
138.494 us [ 1234] | __cxa_atexit();
[ 1234] | main() {
[ 1234] | a() {
[ 1234] | b() {
3.880 us [ 1234] | c();
5.475 us [ 1234] | } /* b */
6.448 us [ 1234] | } /* a */
8.631 us [ 1234] | } /* main */
In the above example, the command name live
is explicitly used, but it can be
omitted because uftrace uses live
command by default. So the above command
can be reused as uftrace ./abc
in short.
But when the -F b
filter option is used, it will not trace main()
or a()
but only b()
and c()
.
$ uftrace -F b ./abc
# DURATION TID FUNCTION
[ 1234] | b() {
3.880 us [ 1234] | c();
5.475 us [ 1234] | } /* b */
The second type of filter is opt-out. By default, everything is traced, but when one of the specified functions is executed, tracing stops. When the excluded function returns, tracing is started again.
In the above example, you can omit the function b()
and all calls it makes
with the -N
option.
$ uftrace -N b ./abc
# DURATION TID FUNCTION
138.494 us [ 1234] | __cxa_atexit();
[ 1234] | main() {
6.448 us [ 1234] | a();
8.631 us [ 1234] | } /* main */
You can hide the function b()
only without affecting the calls it makes in its
subtree functions with -H
option.
$ uftrace -H b ./abc
# DURATION TID FUNCTION
138.494 us [ 1234] | __cxa_atexit();
[ 1234] | main() {
[ 1234] | a() {
3.880 us [ 1234] | c();
6.448 us [ 1234] | } /* a */
8.631 us [ 1234] | } /* main */
The above -H
option is especially useful when hiding std namespace functions
in C++ programs by using -H ^std::
option setting.
If users only care about specific functions and want to know how they are called, one can use the caller filter. It makes the function as leaf and records the parent functions to the function.
$ uftrace -C b ./abc
# DURATION TID FUNCTION
[ 1234] | main() {
[ 1234] | a() {
5.475 us [ 1234] | b();
6.448 us [ 1234] | } /* a */
8.631 us [ 1234] | } /* main */
In the above example, functions not in the calling path were not shown. Also the function 'c' - which is a child of the function 'b' - is also hidden.
Caller filters can be added and removed from the client at runtime, using the
@clear
suffix for the -C
/ --caller-filter
option.
In addition, you can limit the nesting level of functions with the -D
option.
$ uftrace -D 3 ./abc
# DURATION TID FUNCTION
138.494 us [ 1234] | __cxa_atexit();
[ 1234] | main() {
[ 1234] | a() {
5.475 us [ 1234] | b();
6.448 us [ 1234] | } /* a */
8.631 us [ 1234] | } /* main */
In the above example, uftrace only prints functions up to a depth of 3, so
leaf function c()
was omitted. Note that the -D
option works with -F
.
Sometimes, it's useful to see long-running functions only. This is good because
there are usually many tiny functions that are not interesting.
The -t
/--time-filter
option implements the time-based filter that only
records functions which run longer than the given threshold. In the above
example, the user might want to see functions running more than
5 micro-seconds like below:
$ uftrace -t 5us ./abc
# DURATION TID FUNCTION
138.494 us [ 1234] | __cxa_atexit();
[ 1234] | main() {
[ 1234] | a() {
5.475 us [ 1234] | b();
6.448 us [ 1234] | } /* a */
8.631 us [ 1234] | } /* main */
In addition, you can set filter to record selected source locations with -L
option.
$ uftrace -L s-libmain.c --srcline t-lib
# DURATION TID FUNCTION [SOURCE]
[ 5043] | main() { /* /home/uftrace/tests/s-libmain.c:16 */
6.998 us [ 5043] | foo(); /* /home/uftrace/tests/s-libmain.c:11 */
9.393 us [ 5043] | } /* main */
You can set filter with the @hide
suffix not to record selected source locations.
$ uftrace -L s-libmain.c@hide --srcline t-lib
# DURATION TID FUNCTION [SOURCE]
[ 14688] | lib_a() { /* /home/uftrace/tests/s-lib.c:10 */
[ 14688] | lib_b() { /* /home/uftrace/tests/s-lib.c:15 */
1.505 us [ 14688] | lib_c(); /* /home/uftrace/tests/s-lib.c:20 */
2.816 us [ 14688] | } /* lib_b */
3.181 us [ 14688] | } /* lib_a */
The -Z
/--size-filter
option is to filter functions that has small sizes.
It reads ELF symbols size and compare it with the given value. The PLT
functions may have no symbol size in the ELF format, in that case the PLT entry
size will be used as the size of the function.
$ uftrace -Z 100 t-arg
# DURATION TID FUNCTION
[162500] | main() {
12.486 us [162500] | foo();
0.505 us [162500] | many();
[162500] | pass() {
0.283 us [162500] | check();
1.449 us [162500] | } /* pass */
18.478 us [162500] | } /* main */
You can also set triggers on filtered functions. See TRIGGERS section below for details.
When kernel function tracing is enabled, you can also set the filters on kernel
functions by marking the symbol with the @kernel
modifier. The following
example will show all user functions and the (kernel) page fault handler.
$ sudo uftrace -k -F '.*page_fault@kernel' ./abc
# DURATION TID FUNCTION
[14721] | main() {
7.713 us [14721] | __do_page_fault();
6.600 us [14721] | __do_page_fault();
6.544 us [14721] | __do_page_fault();
[14721] | a() {
[14721] | b() {
[14721] | c() {
0.860 us [14721] | getpid();
2.346 us [14721] | } /* c */
2.956 us [14721] | } /* b */
3.340 us [14721] | } /* a */
79.086 us [14721] | } /* main */
The uftrace tool supports triggering actions on selected function calls (with or without filters) and/or signals. Currently supported triggers are listed below. The BNF for trigger specification is as follows:
<trigger> := <symbol> "@" <actions>
<actions> := <action> | <action> "," <actions>
<action> := "depth="<num> | "backtrace" | "trace" | "trace_on" | "trace_off" |
"recover" | "color="<color> | "time="<time_spec> | "read="<read_spec> |
"finish" | "filter" | "notrace" | "hide" | "clear" [ "="<clear_spec> ]
<time_spec> := <num> [ <time_unit> ]
<time_unit> := "ns" | "nsec" | "us" | "usec" | "ms" | "msec" | "s" | "sec" | "m" | "min"
<read_spec> := "proc/statm" | "page-fault" | "pmu-cycle" | "pmu-cache" | "pmu-branch"
<clear_spec> := <action> | <action> "+" <action>
The depth
trigger is to change filter depth during execution of the function.
It can be used to apply different filter depths for different functions. And
the backtrace
trigger is used to print a stack backtrace at replay time.
The color trigger is to change the color of the function in replay output.
The supported colors are red
, green
, blue
, yellow
, magenta
, cyan
,
bold
, and gray
.
The following example shows how triggers work. The global filter maximum depth
is 5, but when function b()
is called, it is changed to 1, so functions below
b()
will not be shown.
$ uftrace -D 5 -T 'b@depth=1' ./abc
# DURATION TID FUNCTION
138.494 us [ 1234] | __cxa_atexit();
[ 1234] | main() {
[ 1234] | a() {
5.475 us [ 1234] | b();
6.448 us [ 1234] | } /* a */
8.631 us [ 1234] | } /* main */
The backtrace
trigger is only meaningful in the replay command.
The trace_on
and trace_off
actions (the _
can be omitted as traceon
and traceoff
) control whether uftrace records the specified functions or not.
The recover
trigger is for some corner cases in which the process accesses the
callstack directly. During tracing of the v8 javascript engine, for example, it
kept getting segfaults in the garbage collection stage. It was because v8
incorporates the return address into compiled code objects(?). The recover
trigger restores the original return address at the function entry point and
resets to the uftrace return hook address again at function exit. This was used
to work around segfaults by setting the recover
trigger on the related
function (specifically ExitFrame::Iterate
)
The time
trigger is to change time filter setting during execution of the
function. It can be used to apply different time filter for different functions.
The read
trigger is to read some information at runtime. The result will be
recorded as (builtin) events at the beginning and the end of a given function.
As of now, the following events are supported:
- "proc/statm": process memory stat from /proc filesystem
- "page-fault": number of page faults using getrusage(2)
- "pmu-cycle": cpu cycles and instructions using Linux perf-event syscall
- "pmu-cache": (cpu) cache-references and misses using Linux perf-event syscall
- "pmu-branch": branch instructions and misses using Linux perf-event syscall
The results are printed as events (comments) like below.
$ uftrace -T a@read=proc/statm ./abc
# DURATION TID FUNCTION
[ 1234] | main() {
[ 1234] | a() {
[ 1234] | /* read:proc/statm (size=6808KB, rss=776KB, shared=712KB) */
[ 1234] | b() {
[ 1234] | c() {
1.448 us [ 1234] | getpid();
10.270 us [ 1234] | } /* c */
11.250 us [ 1234] | } /* b */
[ 1234] | /* diff:proc/statm (size=+4KB, rss=+0KB, shared=+0KB) */
18.380 us [ 1234] | } /* a */
19.537 us [ 1234] | } /* main */
The finish
trigger is to end recording. The process can still run, which
can be useful to trace non-terminating processes like daemon.
The filter
and notrace
triggers have same effect as -F
/--filter
and
-N
/--notrace
options respectively.
The hide
trigger has the same effect as -H
/--hide
option that hides the
given functions, but does not affect to the functions in their subtree unlike
the notrace
trigger.
The clear
trigger is to delete existing actions and it's for agent use case.
It can have optional trigger action names connected by "+" (for example,
-T myfunc@clear=trace+read
). If so it'll delete the specified actions only
otherwise it'll delete all actions.
Triggers only work for user-level functions for now.
The trigger can be used for signals as well. This is done by signal trigger with --signal option. The syntax is similar to function trigger but only "trace_on", "trace_off" and "finish" trigger actions are supported.
$ uftrace --signal 'SIGUSR1@finish' ./some-daemon
The uftrace tool supports recording function arguments and/or return values using the -A/--argument and -R/--retval options respectively. The syntax is very similar to that of triggers:
<argument> := <symbol> [ "@" <specs> ]
<specs> := <spec> | <spec> "," <spec>
<spec> := ( <int_spec> | <float_spec> | <ret_spec> )
<int_spec> := "arg" N [ "/" <format> [ <size> ] ] [ "%" ( <reg> | <stack> ) ]
<float_spec> := "fparg" N [ "/" ( <size> | "80" ) ] [ "%" ( <reg> | <stack> ) ]
<ret_spec> := "retval" [ "/" <format> [ <size> ] ]
<format> := "d" | "i" | "u" | "x" | "o" | "s" | "c" | "f" | "S" | "p"
<size> := "8" | "16" | "32" | "64"
<reg> := <arch-specific register name> # "rdi", "xmm0", "r0", ...
<stack> := "stack" [ "+" ] <offset>
The -A/--argument option takes a symbol name pattern and its optional specs. The spec is started by argN where N is an index of the arguments. The index starts from 1 and corresponds to the argument passing order of the calling convention on the system. Note that the indexes of arguments are separately counted for integer (or pointer) and floating-point type, and they can interfere depending on the calling convention. The argN is for integer arguments and fpargN is for floating-point arguments.
Users can optionally specify a format and size for the arguments and/or return values. The "d" format or without format field, uftrace treats them as 'long int' type for integers and 'double' for floating-point numbers. The "i" format makes it signed integer type and "u" format is for unsigned type. Both are printed as decimal while "x" format makes it printed as hexadecimal, and "o" format makes it printed as octal. The "s" format is for null-terminated string type and "c" format is for character type. The "f" format is for floating-point type and is meaningful only for return value (generally). Note that fpargN doesn't take the format field since it's always floating-point. The "S" format is for std::string, but it only supports libstdc++ library as of yet. Finally, the "p" format is for function pointer. Once the target address is recorded, it will be displayed as function name.
Please beware when using string type arguments since it can crash the program if the (pointer) value is invalid. Actually uftrace tries to keep track of valid ranges of process address space but it might miss some corner cases.
It is also possible to specify a certain register name or stack offset for arguments (but not for return value). The following register names can be used for argument:
- x86: rdi, rsi, rdx, rcx, r8, r9 (for integer), xmm[0-7] (for floating-point)
- arm: r[0-3] (for integer), s[0-15] or d[0-7] (for floating-point)
Examples are shown below:
$ uftrace -A main@arg1/x -R main@retval/i32 ./abc
# DURATION TID FUNCTION
138.494 us [ 1234] | __cxa_atexit();
[ 1234] | main(0x1) {
[ 1234] | a() {
[ 1234] | b() {
3.880 us [ 1234] | c();
5.475 us [ 1234] | } /* b */
6.448 us [ 1234] | } /* a */
8.631 us [ 1234] | } = 0; /* main */
$ uftrace -A puts@arg1/s -R puts@retval ./hello
Hello world
# DURATION TID FUNCTION
1.457 us [21534] | __monstartup();
0.997 us [21534] | __cxa_atexit();
[21534] | main() {
7.226 us [21534] | puts("Hello world") = 12;
8.708 us [21534] | } /* main */
Note that these arguments and return value are recorded only if the executable
was built with the -pg
option. Executables built with -finstrument-functions
will ignore it except for library calls. Recording of arguments and return
values only works with user-level functions for now.
If the target program is built with debug info like DWARF, uftrace can identify number of arguments and their types automatically (when built with libdw). Also arguments and return value of some well-known library functions are provided even if the debug info is not available. In these cases user don't need to specify spec of the arguments and return value manually - just a function name (or pattern) is enough. In fact, manual argspec will suppress the automatic argspec.
For example, the above example can be written like below:
$ uftrace -A . -R main -F main ./hello
Hello world
# DURATION TID FUNCTION
[ 18948] | main(1, 0x7ffeeb7590b8) {
7.183 us [ 18948] | puts("Hello world");
9.832 us [ 18948] | } = 0; /* main */
Note that argument pattern (".") matches to any character so it recorded all (supported) functions. It shows two arguments for "main" and a single string argument for "puts". If you simply want to see all arguments and return values of every functions (if supported), use -a/--auto-args option.
The uftrace allows for user to customize the replay output with a couple of fields. Here the field means info on the left side of the pipe (|) character. By default it uses duration and tid fields, but you can use other fields in any order like:
$ uftrace -f time,delta,duration,tid,addr ./abc
# TIMESTAMP TIMEDELTA DURATION TID ADDRESS FUNCTION
75059.205379813 1.374 us [27804] 4004d0 | __monstartup();
75059.205384184 4.371 us 0.737 us [27804] 4004f0 | __cxa_atexit();
75059.205386655 2.471 us [27804] 4006b1 | main() {
75059.205386838 0.183 us [27804] 400656 | a() {
75059.205386961 0.123 us [27804] 400669 | b() {
75059.205387078 0.117 us [27804] 40067c | c() {
75059.205387264 0.186 us 0.643 us [27804] 4004b0 | getpid();
75059.205388501 1.237 us 1.423 us [27804] 40067c | } /* c */
75059.205388724 0.223 us 1.763 us [27804] 400669 | } /* b */
75059.205388878 0.154 us 2.040 us [27804] 400656 | } /* a */
75059.205389030 0.152 us 2.375 us [27804] 4006b1 | } /* main */
Each field has following meaning:
- tid: task id (obtained by gettid(2))
- duration: function execution time
- time: timestamp at the execution
- delta: difference between two timestamp in a task
- elapsed: elapsed time from the first timestamp
- addr: address of the function
- task: task name (comm)
- module: library or executable name of the function
The default value is 'duration,tid'. If given field name starts with "+", then it'll be appended to the default fields. So "-f +time" is as same as "-f duration,tid,time". And it also accepts a special field name of 'none' which disables the field display and shows function output only.
The uftrace tool supports dynamic function tracing which can be enabled at
runtime (load-time, to be precise) on x86_64 and AArch64. Before recording
functions, normally you need to build the target program with -pg
(or
-finstrument-functions
), incurring some performance impact because all
functions call mcount()
.
With dynamic tracing, you can trace specific functions only given by the
-P
/--patch
option and can also disable specific functions given by the
-U
/--unpatch
option. With capstone disassembly engine, you don't even need
to (re)compile the target with the option above. Now uftrace can analyze the
instructions and (if possible) it can copy them to a different place and rewrite
it to call mcount()
function so that it can be traced by uftrace. After that,
the control is passed to the copied instructions and then returned back to the
remaining instructions.
The following example shows an error message when normally running uftrace. Because the binary doesn't call any instrumentation code (i.e. 'mcount').
$ gcc -o abc tests/s-abc.c
$ uftrace abc
uftrace: /home/namhyung/project/uftrace/cmd-record.c:1305:check_binary
ERROR: Can't find 'mcount' symbol in the 'abc'.
It seems not to be compiled with -pg or -finstrument-functions flag
which generates traceable code. Please check your binary file.
But when the -P a
patch option is used, uftrace can dynamically
trace a()
.
$ uftrace --no-libcall -P a abc
# DURATION TID FUNCTION
0.923 us [19379] | a();
In addition, you can enable all functions using '.' (for glob, '*') that
matches to any character in a regex pattern with P
option.
$ uftrace --no-libcall -P . abc
# DURATION TID FUNCTION
[19387] | main() {
[19387] | a() {
[19387] | b() {
0.940 us [19387] | c();
2.030 us [19387] | } /* b */
2.451 us [19387] | } /* a */
3.289 us [19387] | } /* main */
Note that -U
option has the opposite effect of -P
option so users can
use both for fine-control. The option that comes later will override the formers.
For example if you want to trace all functions but 'a' in the above:
$ uftrace --no-libcall -P . -U a abc
# DURATION TID FUNCTION
[19390] | main() {
[19390] | b() {
0.983 us [19390] | c();
2.012 us [19390] | } /* b */
3.373 us [19390] | } /* main */
The order of the options is important. If you change it like -U a -P .
then
it will trace all the functions since -P .
will take precedence and match everything.
If the capstone is not available, you need to add some more compiler (gcc)
options when building the target program. The gcc 5.1 or more recent versions
provide -mfentry
and -mnop-mcount
options which add instrumentation code
(i.e. calling mcount()
function) at the very beginning of a function and
convert the instruction to a NOP. Then it has almost zero performance overhead
when running in a normal condition. The uftrace can selectively convert it
back to call mcount()
using -P
option.
$ gcc -pg -mfentry -mnop-mcount -o abc-fentry tests/s-abc.c
$ uftrace -P . --no-libcall abc-fentry
# DURATION TID FUNCTION
[ 18973] | main() {
[ 18973] | a() {
[ 18973] | b() {
0.852 us [ 18973] | c();
2.378 us [ 18973] | } /* b */
2.909 us [ 18973] | } /* a */
3.756 us [ 18973] | } /* main */
Clang/LLVM 4.0 provides a dynamic instrumentation technique called
X-ray. It's similar to a combination of
gcc -mfentry -mnop-mcount
and -finstrument-functions
. The uftrace also
supports dynamic tracing on the executables built with the X-ray
.
For example, you can build the target program by clang with the below option
and equally use -P
option for dynamic tracing like below:
$ clang -fxray-instrument -fxray-instruction-threshold=1 -o abc-xray tests/s-abc.c
$ uftrace -P main abc-xray
# DURATION TID FUNCTION
[11093] | main() {
1.659 us [11093] | getpid();
5.963 us [11093] | } /* main */
$ uftrace -P . abc-xray
# DURATION TID FUNCTION
[11098] | main() {
[11098] | a() {
[11098] | b() {
[11098] | c() {
0.753 us [11098] | getpid();
1.430 us [11098] | } /* c */
1.915 us [11098] | } /* b */
2.405 us [11098] | } /* a */
3.005 us [11098] | } /* main */
Recent compilers in both gcc and clang support another useful option
-fpatchable-function-entry=N[,M]
that generates M NOPs before the function
entry and N-M NOPs after the function entry. We can simply use the case when M
is 0 so -fpatchable-function-entry=N
is enough. The number of NOPs required
for dynamic tracing depends on the architecture but x86_64 requires 5 NOPs and
AArch64 requires 2 NOPs to dynamically patch a call instruction for uftrace
recording.
For example in x86_64, you can build the target program and trace as follows.
$ gcc -fpatchable-function-entry=5 -o abc-fpatchable tests/s-abc.c
$ uftrace -P . abc-fpatchable
# DURATION TID FUNCTION
[ 6818] | main() {
[ 6818] | a() {
[ 6818] | b() {
[ 6818] | c() {
0.926 us [ 6818] | getpid();
4.158 us [ 6818] | } /* c */
4.590 us [ 6818] | } /* b */
4.957 us [ 6818] | } /* a */
5.593 us [ 6818] | } /* main */
This feature can also be used by explicitly adding compiler attribute to some
specific functions with __attribute__ ((patchable_function_entry (N,M)))
.
For example, the 'tests/s-abc.c' program can be modified as follows.
static int c(void)
{
return 100000;
}
__attribute__((patchable_function_entry(5)))
static int b(void)
{
return c() + 1;
}
static int a(void)
{
return b() - 1;
}
__attribute__((patchable_function_entry(5)))
int main(void)
{
int ret = 0;
ret += a();
return ret ? 0 : 1;
}
The attribute is added to function 'main' and 'b' only and this program can normally be compiled without any additional compiler options, but the compiler detects the attributes and adds 5 NOPs at the entry of 'main' and 'b'.
$ gcc -o abc tests/s-patchable-abc.c
$ uftrace -P . abc
# DURATION TID FUNCTION
[ 20803] | main() {
0.342 us [ 20803] | b();
1.608 us [ 20803] | } /* main */
With this way, uftrace can selectively trace only the functions user wants by explicitly adding the attribute. This approach can collect trace records in a much less intrusive way compared to tracing the entire functions enabled by compiler flags.
-fpatchable-function-entry=N[,M]
option and its attribute are supported since
gcc-8.1 and clang-10.
This dynamic tracing feature can be used in both x86_64 and AArch64 as of now.
The uftrace tool supports script execution for each function entry and exit. The supported script types are Python 2.7, Python 3 and Lua 5.1 as of now.
The user can write four functions. 'uftrace_entry' and 'uftrace_exit' are executed whenever each function is executed at the entry and exit. However 'uftrace_begin' and 'uftrace_end' are only executed once when the target program begins and ends.
$ cat scripts/simple.py
def uftrace_begin(ctx):
print("program begins...")
def uftrace_entry(ctx):
func = ctx["name"]
print("entry : " + func + "()")
def uftrace_exit(ctx):
func = ctx["name"]
print("exit : " + func + "()")
def uftrace_end():
print("program is finished")
The above script can be executed in record time as follows:
$ uftrace -S scripts/simple.py -F main tests/t-abc
program begins...
entry : main()
entry : a()
entry : b()
entry : c()
entry : getpid()
exit : getpid()
exit : c()
exit : b()
exit : a()
exit : main()
program is finished
# DURATION TID FUNCTION
[10929] | main() {
[10929] | a() {
[10929] | b() {
[10929] | c() {
4.293 us [10929] | getpid();
19.017 us [10929] | } /* c */
27.710 us [10929] | } /* b */
37.007 us [10929] | } /* a */
55.260 us [10929] | } /* main */
The 'ctx' variable is a dictionary type that contains the below information.
/* context information passed to uftrace_entry(ctx) and uftrace_exit(ctx) */
script_context = {
int tid;
int depth;
long timestamp;
long duration; # exit only
long address;
string name;
list args; # entry only (if available)
value retval; # exit only (if available)
};
/* context information passed to uftrace_begin(ctx) */
script_context = {
bool record; # True if it runs at record time, otherwise False
string version; # uftrace version info
list cmds; # execution commands
};
Each field in 'script_context' can be read inside the script.
Please see uftrace-script
(1) for details about scripting.
uftrace supports running an agent inside the traced target, which can modify the
tracing config at runtime. The agent is disabled by default, and is enabled at
start-up using the -g
/--agent
option. The user can interact with the agent
during while the target executes, from uftrace client instance, using the
-p
/--pid
option.
The client currently supports the following features:
- toggle tracing
- call depth filter
- time threshold filter
- opt-in and opt-out filters
- caller filters
Consider the following program, which calls a() -> b() -> c()
twice, and waits
for external input in between.
$ cat abc_abc.c
void c(void) {
/* do nothing */
}
void b(void) {
c();
}
void a(void) {
b();
}
int main(void) {
a();
wait_for_sigusr1();
a();
return 0;
}
$ gcc -pg -o abc_abc abc_abc.c
Tracing can be toggled anytime during execution.
$ uftrace --agent --trace=off abc_abc &
$ uftrace --pid $(pidof abc_abc) --trace=on
$ kill -s SIGUSR1 $(pidof abc_abc)
# DURATION TID FUNCTION
10.508 us [ 30324] | } /* wait_for_sigusr1 */
[ 30324] | a() {
[ 30324] | b() {
0.138 us [ 30324] | c();
0.757 us [ 30324] | } /* b */
1.217 us [ 30324] | } /* a */
12.346 us [ 30324] | } /* main */
The call depth filter can be increased or decreased from the client.
$ uftrace --agent --depth=2 abc_abc &
$ uftrace --pid $(pidof abc_abc) --depth=4
$ kill -s SIGUSR1 $(pidof abc_abc)
# DURATION TID FUNCTION
[ 32384] | main() {
0.324 us [ 32384] | a();
5.081 s [ 32384] | wait_for_sigusr1();
[ 32384] | a() {
[ 32384] | b() {
0.106 us [ 32384] | c();
0.552 us [ 32384] | } /* b */
0.862 us [ 32384] | } /* a */
5.081 s [ 32384] | } /* main */
The time threshold can also be increased or decreased from the client.
$ uftrace --agent --time-filter=0.8us abc_abc &
$ uftrace --pid $(pidof abc_abc) --time-filter=0.5us
$ kill -s SIGUSR1 $(pidof abc_abc)
# DURATION TID FUNCTION
[ 30196] | main() {
0.805 us [ 30196] | a();
6.859 s [ 30196] | wait_for_sigusr1();
[ 30196] | a() {
0.522 us [ 30196] | b();
0.802 us [ 30196] | } /* a */
6.859 s [ 30196] | } /* main */
The agent can enforce opt-in and opt-out filters, as well as caller filters.
$ uftrace --agent --filter=c abc_abc &
$ uftrace --pid $(pidof abc_abc) --filter=a
$ kill -s SIGUSR1 $(pidof abc_abc)
# DURATION TID FUNCTION
0.398 us [ 3679] | c();
[ 3679] | a() {
[ 3679] | b() {
0.163 us [ 3679] | c();
2.099 us [ 3679] | } /* b */
3.655 us [ 3679] | } /* a */
Filters can be removed using the @clear
suffix.
$ uftrace --agent --caller-filter=a abc_abc &
$ uftrace --pid $(pidof abc_abc) --caller-filter=a@clear
$ kill -s SIGUSR1 $(pidof abc_abc)
# DURATION TID FUNCTION
[ 4956] | main() {
0.821 us [ 4956] | a();
10.525 s [ 4956] | wait_for_sigusr1();
[ 4956] | a() {
[ 4956] | b() {
0.116 us [ 4956] | c();
0.573 us [ 4956] | } /* b */
0.806 us [ 4956] | } /* a */
10.525 s [ 4956] | } /* main */
The uftrace watch point is to display certain value only if it's changed. It's conceptually the same as that of a debugger's but only works at function entry and exit so it might miss some updates.
As of now, the following watch points are supported:
- "cpu" : cpu number current task is running on
Like read triggers, the result is displayed as event (comment):
$ uftrace -W cpu tests/t-abc
# DURATION TID FUNCTION
[ 19060] | main() {
[ 19060] | /* watch:cpu (cpu=8) */
[ 19060] | a() {
[ 19060] | b() {
[ 19060] | c() {
2.365 us [ 19060] | getpid();
8.002 us [ 19060] | } /* c */
8.690 us [ 19060] | } /* b */
9.350 us [ 19060] | } /* a */
12.479 us [ 19060] | } /* main */
uftrace-record
(1), uftrace-replay
(1), uftrace-report
(1), uftrace-script
(1)