Sunday, December 9, 2007

DTrace on Mac

In my search for some help on tracing calls, I found this interesting link:
http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html

ktrace, for some reason, isn't providing us the information needed for tracing the shutdown call. Attaching to the process using a debugger also led nowhere, as the stacks were too many to analyze and we couldn't really nail down the problem.

Some interesting snippets of this link:



You interact with DTrace by writing small programs in the D programming language. These D programs can be saved in text files and run like shell scripts, or they can be stretched out right on the command line for quick, ad-hoc use (or if you simply want to impress your friends). An example D script that totals all the system calls made for each process on the system is shown in Listing 1.

Listing 1: syscalls_per_proc.d

Totals up all the system calls made for each process

syscall:::entry
{
@[execname] = count();
}
.
.
.


And this:

File activity

It can be enlightening to see which files are accessed on a system. For example, you may see that Foo.app is frequently writing to some file, or maybe that Bar.app is calling stat(2) on a log file every 10ms. This information can help you debug your own programs, or perhaps better understand the system in general. Below we use a small D script to print out the name of each file as it's opened.

$ sudo dtrace -s /dev/stdin
syscall::open*:entry
{
printf("%s %s", execname, copyinstr(arg0));
}
^D
dtrace: script '/dev/stdin' matched 3 probes
CPU ID FUNCTION:NAME
0 17584 open:entry Finder /.vol/234881026/562669
0 17584 open:entry Finder /.vol/234881026/562669
1 17584 open:entry iChatAgent /Users/jgm/Library/Caches/...
0 17584 open:entry iChatAgent /Users/jgm/Library/Caches/...
1 17584 open:entry iChat /System/Library/PrivateFrameworks/...


^C

This script sets a probe at the entry to all system calls having names beginning with "open". DTrace tells us that our probe description matched three probes. They are: open, open_extended, and open_nocancel. Our action statement prints out the name of the process (execname) that caused the probe to fire, and the first argument (arg0) to the function that matched the probe. Notice that we need to use the copyinstr function here rather than just printing arg0 directly. This is because D scripts execute in the kernel's address space, but the pathname argument to open is stored in user space. We could also modify our D script so that it shows us which files are accessed most often, as follows.

$ sudo dtrace -s /dev/stdin
syscall::open*:entry
{
@[copyinstr(arg0)] = count();
}


...



Although Apple provides no documentation for this, Sun systems have sufficient docs on it.

And oh yes, this article is also courtesy of Greg Miller.
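
Building on the two quoted scripts, here is an added example (not from the MacTech article or from this post) that pairs the entry and return probes to count failed opens per process, path and errno. It assumes, as the article describes for Leopard, that every probe matched by syscall::open* takes the pathname as arg0; the file name failed_opens.d is hypothetical.

```d
#!/usr/sbin/dtrace -s
/*
 * failed_opens.d (hypothetical name): count open*() calls that fail,
 * keyed by process name, path and errno.
 * Run as: sudo dtrace -s failed_opens.d    (stop with Ctrl-C)
 */
#pragma D option quiet

/*
 * At entry the pathname still lives in user space, so copy it into
 * the kernel with copyinstr() and keep it in a thread-local variable
 * until the matching return probe fires on the same thread.
 * Assumption: arg0 is the pathname for every probe matched here.
 */
syscall::open*:entry
{
    self->path = copyinstr(arg0);
}

/* At return, errno holds the error of the call that just finished. */
syscall::open*:return
/self->path != NULL && errno != 0/
{
    @fails[execname, self->path, errno] = count();
}

/* Release the thread-local whether the call succeeded or failed. */
syscall::open*:return
/self->path != NULL/
{
    self->path = 0;
}

/* Print the table once, when tracing is stopped. */
dtrace:::END
{
    printf("%-16s %-56s %5s %8s\n", "PROCESS", "PATH", "ERRNO", "COUNT");
    printa("%-16s %-56s %5d %@8d\n", @fails);
}
```

A process that repeatedly fails with errno 13 (EACCES) or 2 (ENOENT) on the same path stands out in this table, which is harder to see in the per-call output quoted above.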
