Lines Matching +full:container +full:- +full:rules

2 Kprobe-based Event Tracing
8 --------
9 These events are similar to tracepoint-based events. Instead of tracepoints,
13 Unlike the tracepoint-based event, this can be added and removed
28 -------------------------
34 -:[GRP/][EVENT] : Clear a probe
50 @SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol)
56 +|-[u]OFFS(FETCHARG) : Fetch memory at FETCHARG +|- OFFS address.(\*3)(\*4)
72 (\*4) "u" means user-space dereference. See :ref:`user_mem_access`.
75 -------------------------------
86 -----
91 or 'x64' is used depends on the architecture (e.g. x86-32 uses x32, and
92 x86-64 uses x64).
96 E.g. 'x16[4]' means an array of x16 (2-byte hex) with 4 elements.
98 apply it to registers/stack-entries etc. (for example, '$stack1:x8[8]' is
103 String type is a special type, which fetches a "null-terminated" string from
104 kernel space. This means it will fail and store NULL if the string container
105 has been paged out. "ustring" type is an alternative to string for user-space.
109 types, <base-type>[1] is equal to <base-type> (e.g. +0(%di):x32[1] is same
113 Bitfield is another special type, which takes 3 parameters, bit-width, bit-
114 offset, and container-size (usually 32). The syntax is::
116 b<bit-width>@<bit-offset>/<container-size>
120 On the other hand, symbol-string type ('symstr') converts the given address to
121 "symbol+offset/symbolsize" style and stores it as a null-terminated string.
132 ------------------
133 Kprobe events support user-space memory access. For that purpose, you can use
134 either user-space dereference syntax or 'ustring' type.
136 The user-space dereference syntax allows you to access a field of a data
137 structure in user-space. This is done by adding the "u" prefix to the
140 user-space. You can use this for strings too, e.g. +u0(%si):string will read
141 a string from the address in the register %si that is expected to be in user-
145 Note that kprobe-event provides the user-memory access syntax but it doesn't
150 Per-Probe Event Filtering
151 -------------------------
152 Per-probe event filtering feature allows you to set different filter on each
165 You can write filtering rules of this event.
175 ---------------
176 You can check the total number of probe hits and probe miss-hits via
179 the third is the number of probe miss-hits.
182 ---------------------
184 "kprobe_event=" parameter. The parameter accepts a semicolon-delimited
186 The difference is that the probe definition parameters are comma-delimited
197 --------------
205 assigned to each function argument depends on arch-specific ABI. If you are unsure of
206 the ABI, please try to use the probe subcommand of perf-tools (you can find it
236 print fmt: "(%lx) dfd=%lx filename=%lx flags=%lx mode=%lx", REC->__probe_ip,
237 REC->dfd, REC->filename, REC->flags, REC->mode
249 echo -:myprobe >> kprobe_events
273 # TASK-PID CPU# TIMESTAMP FUNCTION
275 …<...>-1447 [001] 1038282.286875: myprobe: (do_sys_open+0x0/0xd6) dfd=3 filename=7fffd1ec4440 flag…
276 …<...>-1447 [001] 1038282.286878: myretprobe: (sys_openat+0xc/0xe <- do_sys_open) $retval=ffffffff…
277 …<...>-1447 [001] 1038282.286885: myprobe: (do_sys_open+0x0/0xd6) dfd=ffffff9c filename=40413c fla…
278 … <...>-1447 [001] 1038282.286915: myretprobe: (sys_open+0x1b/0x1d <- do_sys_open) $retval=3
279 …<...>-1447 [001] 1038282.286969: myprobe: (do_sys_open+0x0/0xd6) dfd=ffffff9c filename=4041c6 fla…
280 … <...>-1447 [001] 1038282.286976: myretprobe: (sys_open+0x1b/0x1d <- do_sys_open) $retval=3
283 Each line shows when the kernel hits an event, and <- SYMBOL means kernel
284 returns from SYMBOL (e.g. "sys_open+0x1b/0x1d <- do_sys_open" means kernel