Installing and using SystemTap

Dependencies

# The kernel debug symbol package matching the running kernel version must be installed
dpkg -i linux-image-5.3.15-2019051601-generic-dbgsym_5.3.15-2019051601.jeff_arm64.ddeb
# On modern Fedora, install general optional build-requisites:
yum-builddep systemtap
# On modern Debian/Ubuntu, similarly:
apt build-dep systemtap
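
A mismatch between the running kernel and the installed debug symbols is the usual reason stap cannot resolve kernel probes. The following check is an added example, not part of the original post; the function names are hypothetical, and it assumes the package naming linux-image-<release>-dbgsym used by the .ddeb above.

```shell
#!/bin/sh
# Added example: check that a kernel dbgsym package matches a kernel release.
# Assumption: packages are named linux-image-<release>-dbgsym, as on this page.

# expected_dbgsym_pkg RELEASE -> package name for that `uname -r` value
expected_dbgsym_pkg() {
    printf 'linux-image-%s-dbgsym\n' "$1"
}

# release_from_ddeb FILE -> kernel release encoded in a .ddeb file name
release_from_ddeb() {
    base=${1##*/}      # drop any directory part
    pkg=${base%%_*}    # package name ends at the first "_"
    case "$pkg" in
        linux-image-*-dbgsym)
            rel=${pkg#linux-image-}
            printf '%s\n' "${rel%-dbgsym}" ;;
        *)  return 1 ;;  # not a kernel dbgsym package
    esac
}

# ddeb_matches_kernel FILE RELEASE -> 0 match, 1 mismatch, 2 unrecognised name
ddeb_matches_kernel() {
    rel=$(release_from_ddeb "$1") || return 2
    [ "$rel" = "$2" ]
}

# dbgsym_installed RELEASE [LISTING] -> 0 if the matching package is in state "ii".
# LISTING is "<package> <status>" lines; by default it is read from dpkg-query.
dbgsym_installed() {
    want=$(expected_dbgsym_pkg "$1")
    if [ $# -ge 2 ]; then
        listing=$2
    else
        listing=$(dpkg-query -W -f='${Package} ${db:Status-Abbrev}\n' \
            'linux-image-*-dbgsym' 2>/dev/null) || listing=
    fi
    printf '%s\n' "$listing" |
        awk -v want="$want" '$1 == want && $2 == "ii" { ok = 1 } END { exit !ok }'
}

# Constructed sample listing: one installed package, one removed ("rc").
SAMPLE='linux-image-5.3.15-2019051601-generic-dbgsym ii
linux-image-5.0.0-13-generic-dbgsym rc'

if dbgsym_installed 5.3.15-2019051601-generic "$SAMPLE"; then
    echo "debug symbols match kernel 5.3.15-2019051601-generic"
fi
```

On a real host, call dbgsym_installed "$(uname -r)" with no second argument so the listing comes from dpkg-query.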

Download and build

git clone git://sourceware.org/git/systemtap.git
cd systemtap
./configure
make all && make install

Verify the installation

# stap -V
Systemtap translator/driver (version 4.3/0.170, commit release-4.2-52-g29a13cd09151 + changes)
Copyright (C) 2005-2019 Red Hat, Inc. and others
This is free software; see the source for copying conditions.
tested kernel versions: 2.6.32 ... 5.4-rc6
enabled features: BOOST_STRING_REF BPF PYTHON2 NLS

List kernel functions whose names contain init:

stap -l 'kernel.function("*init*")'

List kernel functions whose names contain init, together with the variables available at each:

stap -L 'kernel.function("*init*")'

Run a test command

stap -ve 'probe vfs.read {printf("read performed\n"); exit()}'

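Run a test script

# -g enables guru mode, which lifts stap's safety checks; the script below has no embedded C, so -v alone also works
stap -gv test.stp

Test script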

# cat test.stp 
#!/usr/bin/stap
global count
probe begin
{
    log("begin to probe")
}
probe syscall.open.call
{
    printf ("%s(%d) open %s \n", execname(), pid(), filename)
}
probe kernel.function("do_sys_open").return
{
    printf("do_sys_open %d\n", $return)
}
probe syscall.read.return
{
    count++
    printf("return %s %d %s\n", name, retval, retstr)
}
#exit after 10ms
probe timer.ms(10)
{
    printf("invoke syscall.read times:%d\n", count)
    exit()
}
probe end
{
    log("end to probe")
}