Lines Matching +full:container +full:- +full:rules
2 Kprobe-based Event Tracing
8 --------
9 These events are similar to tracepoint-based events. Instead of tracepoints,
13 Unlike the tracepoint-based event, this can be added and removed
28 -------------------------
34 -:[GRP/][EVENT] : Clear a probe
50 @SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol)
56 +|-[u]OFFS(FETCHARG) : Fetch memory at FETCHARG +|- OFFS address.(\*3)(\*4)
67 (\*4) "u" means user-space dereference. See :ref:`user_mem_access`.
72 -----
77 or 'x64' is used depends on the architecture (e.g. x86-32 uses x32, and
78 x86-64 uses x64).
82 E.g. 'x16[4]' means an array of x16 (2-byte hex) with 4 elements.
84 apply it to registers/stack-entries etc. (for example, '$stack1:x8[8]' is
89 String type is a special type, which fetches a "null-terminated" string from
90 kernel space. This means it will fail and store NULL if the string container
91 has been paged out. "ustring" type is an alternative of string for user-space.
95 types, <base-type>[1] is equal to <base-type> (e.g. +0(%di):x32[1] is same
99 Bitfield is another special type, which takes 3 parameters, bit-width, bit-
100 offset, and container-size (usually 32). The syntax is::
102 b<bit-width>@<bit-offset>/<container-size>
106 On the other hand, symbol-string type ('symstr') converts the given address to
107 "symbol+offset/symbolsize" style and stores it as a null-terminated string.
115 ------------------
116 Kprobe events supports user-space memory access. For that purpose, you can use
117 either user-space dereference syntax or 'ustring' type.
119 The user-space dereference syntax allows you to access a field of a data
120 structure in user-space. This is done by adding the "u" prefix to the
123 user-space. You can use this for strings too, e.g. +u0(%si):string will read
124 a string from the address in the register %si that is expected to be in user-
128 Note that kprobe-event provides the user-memory access syntax but it doesn't
133 Per-Probe Event Filtering
134 -------------------------
135 Per-probe event filtering feature allows you to set different filter on each
148 You can write filtering rules of this event.
158 ---------------
159 You can check the total number of probe hits and probe miss-hits via
162 the third is the number of probe miss-hits.
165 ---------------------
167 "kprobe_event=" parameter. The parameter accepts a semicolon-delimited
169 The difference is that the probe definition parameters are comma-delimited
180 --------------
188 assigned to each function argument depends on arch-specific ABI. If you unsure
189 the ABI, please try to use probe subcommand of perf-tools (you can find it
219 print fmt: "(%lx) dfd=%lx filename=%lx flags=%lx mode=%lx", REC->__probe_ip,
220 REC->dfd, REC->filename, REC->flags, REC->mode
232 echo -:myprobe >> kprobe_events
256 # TASK-PID CPU# TIMESTAMP FUNCTION
258 …<...>-1447 [001] 1038282.286875: myprobe: (do_sys_open+0x0/0xd6) dfd=3 filename=7fffd1ec4440 flag…
259 …<...>-1447 [001] 1038282.286878: myretprobe: (sys_openat+0xc/0xe <- do_sys_open) $retval=ffffffff…
260 …<...>-1447 [001] 1038282.286885: myprobe: (do_sys_open+0x0/0xd6) dfd=ffffff9c filename=40413c fla…
261 … <...>-1447 [001] 1038282.286915: myretprobe: (sys_open+0x1b/0x1d <- do_sys_open) $retval=3
262 …<...>-1447 [001] 1038282.286969: myprobe: (do_sys_open+0x0/0xd6) dfd=ffffff9c filename=4041c6 fla…
263 … <...>-1447 [001] 1038282.286976: myretprobe: (sys_open+0x1b/0x1d <- do_sys_open) $retval=3
266 Each line shows when the kernel hits an event, and <- SYMBOL means kernel
267 returns from SYMBOL(e.g. "sys_open+0x1b/0x1d <- do_sys_open" means kernel