Random Tech Thoughts

The title above is not random


Notes taken from


On Debian 6

  • aptitude install systemtap
  • aptitude install linux-headers-2.6.32-5-amd64 linux-image-2.6.32-5-amd64-dbg
    • Kernel debug information is needed if you want to probe system calls. Otherwise, SystemTap will report that no matching probe was found.

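Add the user to the stapusr and stapdev groups to give them permission to run SystemTap. Members of stapdev can compile and load arbitrary kernel modules through stap, so treat membership as root-equivalent.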

sudo adduser user stapusr
sudo adduser user stapdev

Essential idea

  • events and handlers
    • Whenever a specified event occurs, the Linux kernel runs the handler as if it were a quick subroutine, then resumes.
    • Event example: enter/exit a function, timer expiring
  • How it works
    • Handlers are Awk- and C-like scripts
    • The script is translated to C, then compiled into a kernel module by the system C compiler
    • When loaded, activate all the probed events
    • When the script terminates, unload the module
  • Script primary construct:

    probe event { handler }
  • Can embed C code in scripts

    • Compiled with stap -g (guru mode)
    • Syntax %{ embedded C %}

Tapsets = probe libraries

  • Provides abstraction of common probepoints
  • Provide values, functions for use in script
  • Not runnable (probe aliases)


  • syscall.*
  • process.*

Using tapset

Without syscall tapset

global syscalls
probe kernel.function("sys_*") { syscalls[probefunc()]++ }

Using syscall tapset

global syscalls
probe syscall.* { syscalls[name]++ }

Safety features

  • Restrictions for handlers:

    • Cannot run for long
    • Cannot allocate memory
    • Cannot perform unsafe accesses/computations
  • Locking to ensure correctness

Getting help

  • man stapfuncs for details of predefined functions

Script Language

Command line arguments

Doc on Sourceware; guess this is from Fedora.

  • Use $1, $2, or @1, @2, etc. to refer to the 1st, 2nd, … command line argument
    • $ for integer command-line argument
    • @ for string command-line argument
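
The syscall tapset and the command-line argument forms above, combined in one script. This is an added example, not taken from the original notes: the file name topsys.stp and the sample arguments are assumptions. It counts system calls made by processes with a given name for a fixed number of seconds, which gives a quick baseline of what a daemon normally does.

```systemtap
# topsys.stp (hypothetical file name)
# Assumed invocation: stap topsys.stp sshd 10
#   @1 = process name (string argument)
#   $2 = run time in seconds (integer argument)

global syscalls

# syscall.* comes from the syscall tapset; it provides the variable
# "name" holding the system call name.
probe syscall.* {
    # Only count calls made by the process name given on the command line.
    if (execname() == @1)
        syscalls[name]++
}

# Stop after $2 seconds. exit() triggers the "end" probe, after which
# the generated kernel module is unloaded.
probe timer.s($2) {
    exit()
}

# Print the ten most frequent system calls, highest count first.
probe end {
    printf("%-24s %s\n", "SYSCALL", "COUNT")
    foreach (sc in syscalls- limit 10)
        printf("%-24s %d\n", sc, syscalls[sc])
}
```

The script needs no guru mode (-g) because it contains no embedded C, so the handler restrictions listed under "Safety features" still apply to it.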