stap (1) Linux Manual Page

NAME

stap – systemtap script translator/driver

SYNOPSIS

stap [ OPTIONS ] FILENAME [ ARGUMENTS ]
stap [ OPTIONS ] – [ ARGUMENTS ]
stap [ OPTIONS ] -e SCRIPT [ ARGUMENTS ]
stap [ OPTIONS ] -l PROBE [ ARGUMENTS ]
stap [ OPTIONS ] -L PROBE [ ARGUMENTS ]
stap [ OPTIONS ] –dump-probe-types
stap [ OPTIONS ] –dump-probe-aliases
stap [ OPTIONS ] –dump-functions

DESCRIPTION

The stap program is the front-end to the Systemtap tool. It accepts probing instructions written in a simple domain-specific language, translates those instructions into C code, compiles this C code, and loads the resulting module into a running Linux kernel or a DynInst user-space mutator, to perform the requested system trace/probe functions. You can supply the script in a named file (FILENAME), from standard input (use – instead of FILENAME), or from the command line (using -e SCRIPT). The program runs until it is interrupted by the user, or if the script voluntarily invokes the exit() function, or by sufficient number of soft errors.

The language, which is described the SCRIPT LANGUAGE section below, is strictly typed, expressive, declaration free, procedural, prototyping-friendly, and inspired by awk and C. It allows source code points or events in the system to be associated with handlers, which are subroutines that are executed synchronously. It is somewhat similar conceptually to "breakpoint command lists" in the gdb debugger.

DOCUMENTATION OVERVIEW

systemtap comes with a variety of educational, documentation and reference resources. They come online and/or packaged for offline use. For online documentation, see the project web site, https://sourceware.org/systemtap/

man pages
stap (this page)	language syntax, concepts, operation, options
stapprobes	probe points and their $context variables
stapref	quick reference to language syntax
stappaths	list of directories, including books & references
stap-prep	program to install auxiliary dependencies like kernel debuginfo
tapset::*	generated list of tapsets
probe::*	generated list of tapset probe aliases
function::*	generated list of tapset functions
macro::*	generated list of tapset macros
stapvars	some of the tapset global variables
staprun, stapdyn	programs for executing compiled systemtap scripts
systemtap	initscript, boot-time probing
stap-server	compilation server
stapex	a few very basic script examples
books
Beginner’s Guide	tutorial book, language essentials, examples
Tutorial	shorter tutorial, exercises
Language Reference	detailed language manual, covers statistics/analysis
Tapset Reference	the tapset man pages, reformatted into a book
references
example scripts	over a hundred directly usable sysadmin tools, toys, hacks to learn from

OPTIONS

The systemtap translator supports the following options. Any other option prints a list of supported options. Options may be given on the command line, as usual. If the file $SYSTEMTAP_DIR/rc exist, options are also loaded from there and interpreted first. ($SYSTEMTAP_DIR defaults to $HOME/.systemtap if unset.)

In some cases, the default value of an option depends on particular system configuration and thus can’t be mentioned here directly. In some of those cases running "stap –help" might display the default.

–

Use standard input instead of a given FILENAME as probe language input, unless -e SCRIPT is given.

-h –help

Show help message.

-V –version

Show version message.

-p NUM

Stop after pass NUM. The passes are numbered 1-5: parse, elaborate, translate, compile, run. See the PROCESSING section for details.

-v

Increase verbosity for all passes. Produce a larger volume of informative (?) output each time option repeated.

–vp ABCDE

Increase verbosity on a per-pass basis. For example, "–vp 002" adds 2 units of verbosity to pass 3 only. The combination "-v –vp 00004" adds 1 unit of verbosity for all passes, and 4 more for pass 5.

-k

Keep the temporary directory after all processing. This may be useful in order to examine the generated C code, or to reuse the compiled kernel object.

-g

Guru mode. Enable parsing of unsafe expert-level constructs like embedded C.

-P

Prologue-searching mode. This is equivalent to –prologue-searching=always. Activate heuristics to work around incorrect debugging information for function parameter $context variables.

-u

Unoptimized mode. Disable unused code elision and many other optimizations during elaboration / translation.

-w

Suppressed warnings mode. Disables all warning messages.

-W

Treat all warnings as errors.

-b

Use bulk mode (percpu files) for kernel-to-user data transfer. Use the stap-merge program to multiplex them back together later.

-i –interactive

Interactive mode. Enable an interface to build the systemtap script incrementally and interactively.

-t

Collect timing information on the number of times probe executes and average amount of time spent in each probe-point. Also shows the derivation for each probe-point.

-s NUM

Use NUM megabyte buffers for kernel-to-user data transfer. On a multiprocessor in bulk mode, this is a per-processor amount.

-I DIR

Add the given directory to the tapset search directory. See the description of pass 2 for details.

-D NAME=VALUE

Add the given C preprocessor directive to the module Makefile. These can be used to override limit parameters described below.

-B NAME=VALUE

In kernel-runtime mode, add the given make directive to the kernel module build’s make invocation. These can be used to add or override kconfig options. For example, use

-B CONFIG_DEBUG_INFO=y

to add debugging information.

-B FLAG

In dyninst-runtime mode, add the given parameter to the compiler CFLAGS used for building the dyninst shared library. For example, use

-B -g

to add debugging information.

-a ARCH

Use a cross-compilation mode for the given target architecture. This requires access to the cross-compiler and the kernel build tree, and goes along with the

-B CROSS_COMPILE=arch-tool-prefix-
and
-r /build/tree

options.

–modinfo NAME=VALUE

Add the name/value pair as a MODULE_INFO macro call to the generated module. This may be useful to inform or override various module-related checks in the kernel.

-G NAME=VALUE

Sets the value of global variable NAME to VALUE when staprun is invoked. This applies to scalar variables declared global in the script/tapset.

-R DIR

Look for the systemtap runtime sources in the given directory. Your DIR default can be seen using "stap –help".

-r /DIR

Build for kernel in given build tree. Can also be set with the SYSTEMTAP_RELEASE environment variable.

-r RELEASE

Build for kernel in build tree /lib/modules/RELEASE/build. Can also be set with the SYSTEMTAP_RELEASE environment variable.

-m MODULE

Use the given name for the generated kernel object module, instead of a unique randomized name. The generated kernel object module is copied to the current directory.

-d MODULE

Add symbol/unwind information for the given module into the kernel object module. This may enable symbolic tracebacks from those modules/programs, even if they do not have an explicit probe placed into them.

–ldd

Add symbol/unwind information for all user-space shared libraries suspected by ldd to be necessary for user-space binaries being probed or listed with the -d option. Caution: this can make the probe modules considerably larger. Note that this option does not deal with kernel-space modules: see instead –all-modules below.

–all-modules

Equivalent to specifying "-dkernel" and a "-d" for each kernel module that is currently loaded. Caution: this can make the probe modules considerably larger.

-o FILE

Send standard output to named file. In bulk mode, percpu files will start with FILE_ (FILE_cpu with -F) followed by the cpu number. This supports strftime(3) formats for FILE.

-c CMD

Start the probes, run CMD, and exit when CMD finishes. This also has the effect of setting target() to the pid of the command ran.

-x PID

Sets target() to PID. This allows scripts to be written that filter on a specific process. Scripts run independent of the PID’s lifespan.

-e SCRIPT

Run the given SCRIPT specified on the command line.

-E SCRIPT

Run the given SCRIPT specified. This SCRIPT is run in addition to the main script specified, through -e, or as a script file. This option can be repeated to run multiple scripts, and can be used in listing mode (-l/-L).

-l PROBE

Instead of running a probe script, just list all available probe points matching the given single probe point. The pattern may include wildcards and aliases, but not comma-separated multiple probe points. The process result code will indicate failure if there are no matches.

-L PROBE

Similar to "-l", but list probe points and script-level local variables.

-F

Without -o option, load module and start probes, then detach from the module leaving the probes running. With -o option, run staprun in background as a daemon and show its pid.

-S size[,N]

Sets the maximum size of output file and the maximum number of output files. If the size of output file will exceed size , systemtap switches output file to the next file. And if the number of output files exceed N , systemtap removes the oldest output file. You can omit the second argument.

-T TIMEOUT

Exit the script after TIMEOUT seconds.

–skip-badvars

Ignore unresolvable or run-time-inaccessible context variables and substitute with 0, without errors.

–prologue-searching[=WHEN]

Prologue-searching mode. Activate heuristics to work around incorrect debugging information for function parameter $context variables. WHEN can be either "never", "always", or "auto" (i.e. enabled by heuristic). If WHEN is missing, then "always" is assumed. If the option is missing, then "auto" is assumed.

–suppress-handler-errors

Wrap all probe handlers into something like this

try {
    ...
} catch {
    next
}

block, which causes any runtime errors to be quietly suppressed. Suppressed errors do not count against MAXERRORS limits. In this mode, the MAXSKIPPED limits are also suppressed, so that many errors and skipped probes may be accumulated during a script’s runtime. Any overall counts will still be reported at shutdown.

–compatible VERSION

Suppress recent script language or tapset changes which are incompatible with given older version of systemtap. This may be useful if a much older systemtap script fails to run. See the DEPRECATION section for more details.

–check-version

This option is used to check if the active script has any constructs that may be systemtap version specific. See the DEPRECATION section for more details.

–clean-cache

This option prunes stale entries from the cache directory. This is normally done automatically after successful runs, but this option will trigger the cleanup manually and then exit. See the CACHING section for more details about cache limits.

–color[=WHEN], –colour[=WHEN]

This option controls coloring of error messages. WHEN can be either "never", "always", or "auto" (i.e. enable only if at a terminal). If WHEN is missing, then "always" is assumed. If the option is missing, then "auto" is assumed.

Colors can be modified using the SYSTEMTAP_COLORS environment variable. The format must be of the form key1=val1:key2=val2:key3=val3 …etc. Valid keys are "error", "warning", "source", "caret", and "token". Values constitute Select Graphic Rendition (SGR) parameter(s). Consult the documentation of your terminal for the SGRs it supports. As an example, the default colors would be expressed as error=01;31:warning=00;33:source=00;34:caret=01:token=01. If SYSTEMTAP_COLORS is absent, the default colors will be used. If it is empty or invalid, coloring is turned off.

–disable-cache

This option disables all use of the cache directory. No files will be either read from or written to the cache.

–poison-cache

This option treats files in the cache directory as invalid. No files will be read from the cache, but resulting files from this run will still be written to the cache. This is meant as a troubleshooting aid when stap’s cached behavior seems to be misbehaving. If it helped, there is a probably a bug in systemtap that the developers would like you to report.

–privilege[=stapusr | =stapsys | =stapdev]

This option instructs stap to examine the script looking for constructs which are not allowed for the specified privilege level (see UNPRIVILEGED USERS). Compilation fails if any such constructs are used. If stapusr or stapsys are specified when using a compile server (see –use-server), the server will examine the script and, if compilation succeeds, the server will cryptographically sign the resulting kernel module, certifying that is it safe for use by users at the specified privilege level.

If –privilege has not been specified, -pN has not been specified with N < 5, and the invoking user is not root, and is not a member of the group stapdev, then stap will automatically add the appropriate –privilege option to the options already specified.

–unprivileged

This option is equivalent to –privilege=stapusr.

–use-server[=HOSTNAME[:PORT] | =IP_ADDRESS[:PORT] | =CERT_SERIAL]

Specify compile-server(s) to be used for compilation and/or in conjunction with –list-servers and –trust-servers (see below) for listing. If no argument is supplied, then the default in unprivileged mode (see –privilege) is to select compatible servers which are trusted as SSL peers and as module signers and currently online. Otherwise the default is to select compatible servers which are trusted as SSL peers and currently online. –use-server may be specified more than once, in which case a list of servers is accumulated in the order specified. Servers may be specified by host name, ip address, or by certificate serial number (obtained using –list-servers). The latter is most commonly used when adding or revoking trust in a server (see –trust-servers below). If a server is specified by host name or ip address, then an optional port number may be specified. This is useful for accessing servers which are not on the local network or to specify a particular server.

IP addresses may be IPv4 or IPv6 addresses.

If a particular IPv6 address is link local and exists on more than one interface, the intended interface may be specified by appending the address with a percent sign (%) followed by the intended interface name. For example, "fe80::5eff:35ff:fe07:55ca%eth0".

In order to specify a port number with an IPv6 address, it is necessary to enclose the IPv6 address in square brackets ([]) in order to separate the port number from the rest of the address. For example, "[fe80::5eff:35ff:fe07:55ca]:5000" or "[fe80::5eff:35ff:fe07:55ca%eth0]:5000".

If –use-server has not been specified, -pN has not been specified with N < 5, and the invoking user not root, is not a member of the group stapdev, but is a member of the group stapusr, then stap will automatically add –use-server to the options already specified.

–use-server-on-error[=yes|=no]

Instructs stap to retry compilation of a script using a compile server if compilation on the local host fails in a manner which suggests that it might succeed using a server. If this option is not specified, the default is no. If no argument is provided, then the default is yes. Compilation will be retried for certain types of errors (e.g. insufficient data or resources) which may not occur during re-compilation by a compile server. Compile servers will be selected automatically for the re-compilation attempt as if –use-server was specified with no arguments.

–list-servers[=SERVERS]

Display the status of the requested SERVERS, where SERVERS is a comma-separated list of server attributes. The list of attributes is combined to filter the list of servers displayed. Supported attributes are:

all

specifies all known servers (trusted SSL peers, trusted module signers, online servers).

specified

specifies servers specified using –use-server.

online

filters the output by retaining information about servers which are currently online.

trusted

filters the output by retaining information about servers which are trusted as SSL peers.

signer

filters the output by retaining information about servers which are trusted as module signers (see –privilege).

compatible

filters the output by retaining information about servers which are compatible with the current kernel release and architecture.

If no argument is provided, then the default is specified. If no servers were specified using –use-server, then the default servers for –use-server are listed.

Note that –list-servers uses the avahi-daemon service to detect online servers. If this service is not available, then –list-servers will fail to detect any online servers. In order for –list-servers to detect servers listening on IPv6 addresses, the avahi-daemon configuration file /etc/avahi/avahi-daemon.conf must contain an active "use-ipv6=yes" line. The service must be restarted after adding this line in order for IPv6 to be enabled.

–trust-servers[=TRUST_SPEC]

Grant or revoke trust in compile-servers, specified using –use-server as specified by TRUST_SPEC, where TRUST_SPEC is a comma-separated list specifying the trust which is to be granted or revoked. Supported elements are:

ssl

trust the specified servers as SSL peers.

signer

trust the specified servers as module signers (see –privilege). Only root can specify signer.

all-users

grant trust as an ssl peer for all users on the local host. The default is to grant trust as an ssl peer for the current user only. Trust as a module signer is always granted for all users. Only root can specify all-users.

revoke

revoke the specified trust. The default is to grant it.

no-prompt

do not prompt the user for confirmation before carrying out the requested action. The default is to prompt the user for confirmation.

If no argument is provided, then the default is ssl. If no servers were specified using –use-server, then no trust will be granted or revoked.

Unless no-prompt has been specified, the user will be prompted to confirm the trust to be granted or revoked before the operation is performed.

–dump-probe-types

Dumps a list of supported probe types and exits. If –privilege=stapusr is also specified, the list will be limited to probe types available to unprivileged users.

–dump-probe-aliases

Dumps a list of all probe aliases found in library files and exits.

–dump-functions

Dumps a list of all the public functions found in library files and exits. Also includes their parameters and types. A function of type ‘unknown’ indicates a function that does not return a value. Note that not all function/parameter types may be resolved (these are also shown by ‘unknown’). This features is very memory-intensive and thus may not work properly with –use-server if the target server imposes an rlimit on process memory (i.e. through the ~stap-server/.systemtap/rc configuration file, see stap-server(8)).

–remote URL

Set the execution target to the given host. This option may be repeated to target multiple execution targets. Passes 1-4 are completed locally as normal to build the script, and then pass 5 will copy the module to the target and run it. Acceptable URL forms include:

[USER@]HOSTNAME, ssh://[USER@]HOSTNAME

This mode uses ssh, optionally using a username not matching your own. If a custom ssh_config file is in use, add SendEnv LANG to retain internationalization functionality.

libvirt://DOMAIN, libvirt://DOMAIN/LIBVIRT_URI

This mode uses stapvirt to execute the script on a domain managed by libvirt. Optionally, LIBVIRT_URI may be specified to connect to a specific driver and/or a remote host. For example, to connect to the local privileged QEMU driver, use:

--remote libvirt://MyDomain/qemu:///system

See the page at <http://libvirt.org/uri.html> for supported URIs. Also see stapvirt(1) for more information on how to prepare the domain for stap probing.

unix:PATH

This mode connects to a UNIX socket. This can be used with a QEMU virtio-serial port for executing scripts inside a running virtual machine.

direct://

Special loopback mode to run on the local host.

–remote-prefix

Prefix each line of remote output with "N: ", where N is the index of the remote execution target from which the given line originated.

–download-debuginfo[=OPTION]

Enable, disable or set a timeout for the automatic debuginfo downloading feature offered by abrt as specified by OPTION, where OPTION is one of the following:

yes

enable automatic downloading of debuginfo with no timeout. This is the same as not providing an OPTION value to –download-debuginfo

no

explicitly disable automatic downloading of debuginfo. This is the same as not using the option at all.

ask

show abrt output, and ask before continuing download. No timeout will be set.

<timeout>

specify a timeout as a positive number to stop the download if it is taking longer than <timeout> seconds.

–rlimit-as=NUM

Specify the maximum size of the process’s virtual memory (address space), in bytes.

–rlimit-cpu=NUM

Specify the CPU time limit, in seconds.

–rlimit-nproc=NUM

Specify the maximum number of processes that can be created.

–rlimit-stack=NUM

Specify the maximum size of the process stack, in bytes.

–rlimit-fsize=NUM

Specify the maximum size of files that the process may create, in bytes.

–sysroot=DIR

Specify sysroot directory where target files (executables, libraries, etc.) are located. With -r RELEASE, the sysroot will be searched for the appropriate kernel build directory. With -r /DIR, however, the sysroot will not be used to find the kernel build.

–sysenv=VAR=VALUE

Provide an alternate value for an environment variable where the value on a remote system differs. Path variables (e.g. PATH, LD_LIBRARY_PATH) are assumed to be relative to the directory provided by –sysroot, if provided.

–suppress-time-limits

Disable -DSTP_OVERLOAD related options as well as -DMAXACTION and -DMAXTRYLOCK. This option requires guru mode.

–runtime=MODE

Set the pass-5 runtime mode. Valid options are kernel (default) and dyninst. See ALTERNATE RUNTIMES below for more information.

–dyninst

Shorthand for –runtime=dyninst.

–save-uprobes

On machines that require SystemTap to build its own uprobes module (kernels prior to version 3.5), this option instructs SystemTap to also save a copy of the module in the current directory (creating a new "uprobes" directory first).

–target-namespaces=PID

Allow for a set of target namespaces to be set based on the namespaces the given PID is in. This is for namespace-aware tapset functions. If the target namespaces was not set, the target defaults to the stap process’ namespaces.

–monitor=INTERVAL

Enables an interface to display status information about the module(uptime, module name, invoker uid, memory sizes, global variables, list of probes with their statistics). An optional argument INTERVAL can be supplied to set the refresh rate in seconds of the status window. The module can also be controlled by a list of commands using the following keys:

c

Resets all global variables to their initial values or zeroes them if they did not have an initial value.

s

Rotates the attribute used to sort the list of probes.

t

Brings up a prompt to allow toggling(on/off) of probes by index. Probe points are still affected by their conditions.

r

Resumes the script by toggling on all probes.

p

Pauses the script by toggling off all probes.

x

Hides/shows the status window. This allows for more output to be seen.

navigation-keys

The navigation keys can be used to scroll up and down the windows.

Tab

Toggle scrolling between status and output windows.

ARGUMENTS

Any additional arguments on the command line are passed to the script parser for substitution. See below.

SCRIPT LANGUAGE

The systemtap script language resembles awk and C. There are two main outermost constructs: probes and functions. Within these, statements and expressions use C-like operator syntax and precedence.

GENERAL SYNTAX

Whitespace is ignored. Three forms of comments are supported:

# … shell style, to the end of line, except for $# and @#
// … C++ style, to the end of line
/* … C style … */

Literals are either strings enclosed in double-quotes (passing through the usual C escape codes with backslashes, and with adjacent string literals glued together, also as in C), or integers (in decimal, hexadecimal, or octal, using the same notation as in C). All strings are limited in length to some reasonable value (a few hundred bytes). Integers are 64-bit signed quantities, although the parser also accepts (and wraps around) values above positive 2**63.

In addition, script arguments given at the end of the command line may be inserted. Use $1 … $<NN> for insertion unquoted, @1 … @<NN> for insertion as a string literal. The number of arguments may be accessed through $# (as an unquoted number) or through @# (as a quoted number). These may be used at any place a token may begin, including within the preprocessing stage. Reference to an argument number beyond what was actually given is an error.

PREPROCESSING

A simple conditional preprocessing stage is run as a part of parsing. The general form is similar to the cond ? exp1 : exp2 ternary operator:

%( CONDITION %? TRUE-TOKENS %)
%( CONDITION %? TRUE-TOKENS %: FALSE-TOKENS %)

The CONDITION is either an expression whose format is determined by its first keyword, or a string literals comparison or a numeric literals comparison. It can be also composed of many alternatives and conjunctions of CONDITIONs (meant as in previous sentence) using || and && respectively. However, parentheses are not supported yet, so remembering that conjunction takes precedence over alternative is important.

If the first part is the identifier kernel_vr or kernel_v to refer to the kernel version number, with ("2.6.13-1.322FC3smp") or without ("2.6.13") the release code suffix, then the second part is one of the six standard numeric comparison operators <, <=, ==, !=, >, and >=, and the third part is a string literal that contains an RPM-style version-release value. The condition is deemed satisfied if the version of the target kernel (as optionally overridden by the -r option) compares to the given version string. The comparison is performed by the glibc function strverscmp. As a special case, if the operator is for simple equality (==), or inequality (!=), and the third part contains any wildcard characters (* or ? or [), then the expression is treated as a wildcard (mis)match as evaluated by fnmatch.

If, on the other hand, the first part is the identifier arch to refer to the processor architecture (as named by the kernel build system ARCH/SUBARCH), then the second part is one of the two string comparison operators == or !=, and the third part is a string literal for matching it. This comparison is a wildcard (mis)match.

Similarly, if the first part is an identifier like CONFIG_something to refer to a kernel configuration option, then the second part is == or !=, and the third part is a string literal for matching the value (commonly "y" or "m"). Nonexistent or unset kernel configuration options are represented by the empty string. This comparison is also a wildcard (mis)match.

If the first part is the identifier systemtap_v, the test refers to the systemtap compatibility version, which may be overridden for old scripts with the –compatible flag. The comparison operator is as is for kernel_v and the right operand is a version string. See also the DEPRECATION section below.

If the first part is the identifier systemtap_privilege, the test refers to the privilege level that the systemtap script is compiled with. Here the second part is == or !=, and the third part is a string literal, either "stapusr" or "stapsys" or "stapdev".

If the first part is the identifier guru_mode, the test refers to if the systemtap script is compiled with guru_mode. Here the second part is == or !=, and the third part is a number, either 1 or 0.

If the first part is the identifier runtime, the test refers to the systemtap runtime mode. See ALTERNATE RUNTIMES below for more information on runtimes. The second part is one of the two string comparison operators == or !=, and the third part is a string literal for matching it. This comparison is a wildcard (mis)match.

Otherwise, the CONDITION is expected to be a comparison between two string literals or two numeric literals. In this case, the arguments are the only variables usable.

The TRUE-TOKENS and FALSE-TOKENS are zero or more general parser tokens (possibly including nested preprocessor conditionals), and are passed into the input stream if the condition is true or false. For example, the following code induces a parse error unless the target kernel version is newer than 2.6.5:

%( kernel_v <= "2.6.5" %? **ERROR** %) # invalid token sequence

The following code might adapt to hypothetical kernel version drift:

probe kernel.function (
%( kernel_v <= “2.6.12” %? “__mm_do_fault” %:
%( kernel_vr == “2.6.13*smp” %? “do_page_fault” %:
UNSUPPORTED %) %)
) { /* … */ }
%( arch == “ia64” %?
probe syscall.vliw = kernel.function(“vliw_widget”) {}
%)

PREPROCESSOR MACROS

The preprocessor also supports a simple macro facility, run as a separate pass before conditional preprocessing.

Macros are defined using the following construct:

@define NAME %( BODY %)
@define NAME(PARAM_1, PARAM_2, ...) %( BODY %)

Macros, and parameters inside a macro body, are both invoked by prefixing the macro name with an @ symbol:

@define foo %( x %)
@define add(a,b) %( ((@a)+(@b)) %)
   @foo = @add(2,2)

Macro expansion is currently performed in a separate pass before conditional compilation. Therefore, both TRUE- and FALSE-tokens in conditional expressions will be macroexpanded regardless of how the condition is evaluated. This can sometimes lead to errors:

// The following results in a conflict:
% (CONFIG_UTRACE == “y” % ? @define foo % (process.syscall %) % : @define foo % (**ERROR * * %) %)
// The following works properly as expected:
@define foo
% (% (CONFIG_UTRACE == “y” % ? process.syscall % : **ERROR * * %) %)

The first example is incorrect because both @defines are evaluated in a pass prior to the conditional being evaluated.

Normally, a macro definition is local to the file it occurs in. Thus, defining a macro in a tapset does not make it available to the user of the tapset. Publically available library macros can be defined by including .stpm files on the tapset search path. These files may only contain @define constructs, which become visible across all tapsets and user scripts. Optionally, within the .stpm files, a public macro definition can be surrounded by a preprocessor conditional as described above.

CONSTANTS

Tapsets or guru-mode user scripts can access header file constant tokens, typically macros, using built-in @const() operator. The respective header file inclusion is possible either via the tapset library, or using a top-level guru mode embedded-C construct. This results in appropriate embedded C pragma comments setting.

@const("STP_SKIP_BADVARS")

VARIABLES

Identifiers for variables and functions are an alphanumeric sequence, and may include _ and $ characters. They may not start with a plain digit, as in C. Each variable is by default local to the probe or function statement block within which it is mentioned, and therefore its scope and lifetime is limited to a particular probe or function invocation.

Scalar variables are implicitly typed as either string or integer. Associative arrays also have a string or integer value, and a tuple of strings and/or integers serving as a key. Here are a few basic expressions.

var1 = 5 var2 = “bar” array1[pid()] = “name” #single numeric key
array2[“foo”, 4, i++] += 5 #vector of string / num / num keys if ([ “hello”, 5, 4 ] in array2) println(“yes”) #membership test

The translator performs type inference on all identifiers, including array indexes and function parameters. Inconsistent type-related use of identifiers signals an error.

Variables may be declared global, so that they are shared amongst all probes and functions and live as long as the entire systemtap session. There is one namespace for all global variables, regardless of which script file they are found within. Concurrent access to global variables is automatically protected with locks, see the SAFETY AND SECURITY section for more details. A global declaration may be written at the outermost level anywhere, not within a block of code. Global variables which are written but never read will be displayed automatically at session shutdown. The translator will infer for each its value type, and if it is used as an array, its key types. Optionally, scalar globals may be initialized with a string or number literal. The following declaration marks variables as global.

global var1, var2, var3=4

Global variables can also be set as module options. One can do this by either using the -G option, or the module must first be compiled using stap -p4. Global variables can then be set on the command line when calling staprun on the module generated by stap -p4. See staprun(8) for more information.

The scope of a global variable may be limited to a tapset or user script file using private keyword. The global keyword is optional when defining a private global variable. Following declaration marks var1 and var2 private globals.

private global var1=2
private var2

Arrays are limited in size by the MAXMAPENTRIES variable — see the SAFETY AND SECURITY section for details. Optionally, global arrays may be declared with a maximum size in brackets, overriding MAXMAPENTRIES for that array only. Note that this doesn’t indicate the type of keys for the array, just the size.

global tiny_array[10], normal_array, big_array[50000]

Arrays may be configured for wrapping using the ‘%’ suffix. This causes older elements to be overwritten if more elements are inserted than the array can hold. This works for both associative and statistics typed arrays.

global wrapped_array1%[10], wrapped_array2%

Many types of probe points provide context variables, which are run-time values, safely extracted from the kernel or userspace program being probed. These are prefixed with the $ character. The CONTEXT VARIABLES section in stapprobes(3stap) lists what is available for each type of probe point. These context variables become normal string or numeric scalars once they are stored in normal script variables. See the TYPECASTING section below on how to to turn them back into typed pointers for further processing as context variables.

STATEMENTS

Statements enable procedural control flow. They may occur within functions and probe handlers. The total number of statements executed in response to any single probe event is limited to some number defined by the MAXACTION macro in the translated C code, and is in the neighbourhood of 1000.

EXP

Execute the string- or integer-valued expression and throw away the value.

{ STMT1 STMT2 … }

Execute each statement in sequence in this block. Note that separators or terminators are generally not necessary between statements.

;

Null statement, do nothing. It is useful as an optional separator between statements to improve syntax-error detection and to handle certain grammar ambiguities.

if (EXP) STMT1 [ else STMT2 ]

Compare integer-valued EXP to zero. Execute the first (non-zero) or second STMT (zero).

while (EXP) STMT

While integer-valued EXP evaluates to non-zero, execute STMT.

for (EXP1; EXP2; EXP3) STMT

Execute EXP1 as initialization. While EXP2 is non-zero, execute STMT, then the iteration expression EXP3.

foreach (VAR in ARRAY [ limit EXP ]) STMT

Loop over each element of the named global array, assigning current key to VAR. The array may not be modified within the statement. By adding a single + or – operator after the VAR or the ARRAY identifier, the iteration will proceed in a sorted order, by ascending or descending index or value. If the array contains statistics aggregates, adding the desired @operator between the ARRAY identifier and the + or – will specify the sorting aggregate function. See the STATISTICS section below for the ones available. Default is @count. Using the optional limit keyword limits the number of loop iterations to EXP times. EXP is evaluated once at the beginning of the loop.

foreach ([VAR1, VAR2, …] in ARRAY [ limit EXP ]) STMT

Same as above, used when the array is indexed with a tuple of keys. A sorting suffix may be used on at most one VAR or ARRAY identifier.

foreach ([VAR1, VAR2, …] in ARRAY [INDEX1, INDEX2, …] [ limit EXP ]) STMT

Same as above, where iterations are limited to elements in the array where the keys match the index values specified. The symbol * can be used to specify an index and will be treated as a wildcard.

foreach (VAR0 = VAR in ARRAY [ limit EXP ]) STMT

This variant of foreach saves current value into VAR0 on each iteration, so it is the same as ARRAY[VAR]. This also works with a tuple of keys. Sorting suffixes on VAR0 have the same effect as on ARRAY.

foreach (VAR0 = VAR in ARRAY [INDEX1, INDEX2, …] [ limit EXP ]) STMT

Same as above, where iterations are limited to elements in the array where the keys match the index values specified. The symbol * can be used to specify an index and will be treated as a wildcard.

break, continue

Exit or iterate the innermost nesting loop (while or for or foreach) statement.

return EXP

Return EXP value from enclosing function. If the function’s value is not taken anywhere, then a return statement is not needed, and the function will have a special "unknown" type with no return value.

next

Return now from enclosing probe handler. This is especially useful in probe aliases that apply event filtering predicates. When used in functions, the execution will be immediately transferred to the next overloaded function.

try { STMT1 } catch { STMT2 }

Run the statements in the first block. Upon any run-time errors, abort STMT1 and start executing STMT2. Any errors in STMT2 will propagate to outer try/catch blocks, if any.

try { STMT1 } catch(VAR) { STMT2 }

Same as above, plus assign the error message to the string scalar variable VAR.

delete ARRAY[INDEX1, INDEX2, …]

Remove from ARRAY the element specified by the index tuple. If the index tuple contains a * in place of an index, the * is treated as a wildcard and all elements with keys that match the index tuple will be removed from ARRAY. The value will no longer be available, and subsequent iterations will not report the element. It is not an error to delete an element that does not exist.

delete ARRAY

Remove all elements from ARRAY.

delete SCALAR

Removes the value of SCALAR. Integers and strings are cleared to 0 and "" respectively, while statistics are reset to the initial empty state.

EXPRESSIONS

Systemtap supports a number of operators that have the same general syntax, semantics, and precedence as in C and awk. Arithmetic is performed as per typical C rules for signed integers. Division by zero or overflow is detected and results in an error.

binary numeric operators

* / % + – >> << & ^ | && ||

binary string operators

. (string concatenation)

numeric assignment operators

= *= /= %= += -= >>= <<= &= ^= |=

string assignment operators

= .=

unary numeric operators

+ – ! ~ ++ —

binary numeric, string comparison or regex matching operators

< > <= >= == != =~ !~

ternary operator

cond ? exp1 : exp2

grouping operator

( exp )

function call

fn ([ arg1, arg2, … ])

array membership check

exp in array
[exp1, exp2, …] in array
[*, *, … ]in array

REGULAR EXPRESSION MATCHING

The scripting language supports regular expression matching. The basic syntax is as follows:

exp =~ regex
exp !~ regex

(The first operand must be an expression evaluating to a string; the second operand must be a string literal containing a syntactically valid regular expression.)

The regular expression syntax supports most of the features of POSIX Extended Regular Expressions, except for subexpression reuse ("\1") functionality. The ability to capture and extract the contents of the matched string and subexpressions has not yet been implemented.

PROBES

The main construct in the scripting language identifies probes. Probes associate abstract events with a statement block ("probe handler") that is to be executed when any of those events occur. The general syntax is as follows:

probe PROBEPOINT[, PROBEPOINT]{[STMT…]} probe PROBEPOINT[, PROBEPOINT] if (CONDITION)
{
[STMT…]
}

Events are specified in a special syntax called "probe points". There are several varieties of probe points defined by the translator, and tapset scripts may define further ones using aliases. Probe points may be wildcarded, grouped, or listed in preference sequences, or declared optional. More details on probe point syntax and semantics are listed on the stapprobes(3stap) manual page.

The probe handler is interpreted relative to the context of each event. For events associated with kernel code, this context may include variables defined in the source code at that spot. These "context variables" are presented to the script as variables whose names are prefixed with "$". They may be accessed only if the kernel’s compiler preserved them despite optimization. This is the same constraint that a debugger user faces when working with optimized code. In addition, the objects must exist in paged-in memory at the moment of the systemtap probe handler’s execution, because systemtap must not cause (suppresses) any additional paging. Some probe types have very little context. See the stapprobes(3stap) man pages to see the kinds of context variables available at each kind of probe point.

Probes may be decorated with an arming condition, consisting of a simple boolean expression on read-only global script variables. While disarmed (inactive, condition evaluates to false), some probe types reduce or eliminate their run-time overheads. When an arming condition evaluates to true, probes will be soon re-armed, and their probe handlers will start getting called as the events fire. (Some events may be lost during the arming interval. If this is unacceptable, do not use arming conditions for those probes.) Example of the syntax:

probe timer.us(TIMER) if (enabled) {
}

New probe points may be defined using "aliases". Probe point aliases look similar to probe definitions, but instead of activating a probe at the given point, it just defines a new probe point name as an alias to an existing one. There are two types of alias, i.e. the prologue style and the epilogue style which are identified by "=" and "+=" respectively.

For prologue style alias, the statement block that follows an alias definition is implicitly added as a prologue to any probe that refers to the alias. While for the epilogue style alias, the statement block that follows an alias definition is implicitly added as an epilogue to any probe that refers to the alias. For example:

probe syscall.read = kernel.function(“sys_read”)
{
fildes = $fd if (execname() == “init”) next #skip rest of probe
}

defines a new probe point syscall.read, which expands to kernel.function(sys_read), with the given statement as a prologue, which is useful to predefine some variables for the alias user and/or to skip probe processing entirely based on some conditions. And

probe syscall.read += kernel.function(“sys_read”)
{
if (tracethis)
println($fd)
}

defines a new probe point with the given statement as an epilogue, which is useful to take actions based upon variables set or left over by the the alias user. Please note that in each case, the statements in the alias handler block are treated ordinarily, so that variables assigned there constitute mere initialization, not a macro substitution.

An alias is used just like a built-in probe type.

probe syscall.read {
  printf("reading fd=%d
", fildes)
  if (fildes > 10) tracethis = 1
}

FUNCTIONS

Systemtap scripts may define subroutines to factor out common work. Functions take any number of scalar (integer or string) arguments, and must return a single scalar (integer or string). An example function declaration looks like this:

function thisfn (arg1, arg2) {
   return arg1 + arg2
}

Note the general absence of type declarations, which are instead inferred by the translator. However, if desired, a function definition may include explicit type declarations for its return value and/or its arguments. This is especially helpful for embedded-C functions. In the following example, the type inference engine need only infer type type of arg2 (a string).

function thatfn : string(arg1
: long, arg2)
{
return sprint(arg1).arg2
}

Functions may call others or themselves recursively, up to a fixed nesting limit. This limit is defined by the MAXNESTING macro in the translated C code and is in the neighbourhood of 10.

Functions may be marked private using the private keyword to limit their scope to the tapset or user script file they are defined in. An example definition of a private function follows:

private
function three : long()
{
return 3
}

Functions terminating without reaching an explicit return statement will return an implicit 0 or "", determined by type inference.

Functions may be overloaded during both runtime and compile time.

Runtime overloading allows the executed function to be selected while the module is running based on runtime conditions and is achieved using the "next" statement in script functions and STAP_NEXT macro for embedded-C functions. For example,

function f()
{
if (condition)
next;
print(“first function”)
}
function f() %
{
STAP_NEXT;
print(“second function”) %
}
function f()
{
print(“third function”)
}

During a functioncall f(), the execution will transfer to the third function if condition evaluates to true and print "third function". Note that the second function is unconditionally nexted.

Parameter overloading allows the function to be executed to be selected at compile time based on the number of arguments provided to the functioncall. For example,

function g(){print(“first function”)} function g(x){print(“second function”)} g()->”first function” g(1)->”second function”

Note that runtime overloading does not occur in the above example, as exactly one function will be resolved for the functioncall. The use of a next statement inside a function while no more overloads remain will trigger a runtime exception Runtime overloading will only occur if the functions have the same arity, functions with the same name but different number of parameters are completely unrelated.

Execution order is determined by a priority value which may be specified. If no explicit priority is specified, user script functions are given a higher priority than library functions. User script functions and library functions are assigned a default priority value of 0 and 1 respectively. Functions with the same priority are executed in declaration order. For example,

function f() : 3
{
if (condition)
next;
print(“first function”)
}
function f() : 1
{
if (condition)
next;
print(“second function”)
}
function f() : 2
{
print(“third function”)
}

Since the second function has highest priority, it is executed first. The first function is never executed as there no "next" statements in the third function to transfer execution.

PRINTING

There are a set of function names that are specially treated by the translator. They format values for printing to the standard systemtap output stream in a more convenient way (note that data generated in the kernel module need to get transferred to user-space in order to get printed).

  The sprint* variants return the formatted string instead of printing it.

print, sprint

Print one or more values of any type, concatenated directly together.

println, sprintln

Print values like print and sprint, but also append a newline.

printd, sprintd

Take a string delimiter and two or more values of any type, and print the values with the delimiter interposed. The delimiter must be a literal string constant.

printdln, sprintdln

Print values with a delimiter like printd and sprintd, but also append a newline.

printf, sprintf

Take a formatting string and a number of values of corresponding types, and print them all. The format must be a literal string constant.

The printf formatting directives similar to those of C, except that they are fully type-checked by the translator:

%b

Writes a binary blob of the value given, instead of ASCII text. The width specifier determines the number of bytes to write; valid specifiers are %b %1b %2b %4b %8b. Default (%b) is 8 bytes.

%c

Character.

%d,%i

Signed decimal.

%m

Safely reads kernel (without #) or user (with #) memory at the given address, outputs its content. The optional precision specifier (not field width) determines the number of bytes to read – default is 1 byte. %10.4m prints 4 bytes of the memory in a 10-character-wide field. Note, on some architectures user memory can still be read without #.

%M

Same as %m, but outputs in hexadecimal. The minimal size of output is double the optional precision specifier – default is 1 byte (2 hex chars). %10.4M prints 4 bytes of the memory as 8 hexadecimal characters in a 10-character-wide field. %.*M hex-dumps a given number of bytes from a given buffer.

%o

Unsigned octal.

%p

Unsigned pointer address.

%s

String.

%u

Unsigned decimal.

%x

Unsigned hex value, in all lower-case.

%X

Unsigned hex value, in all upper-case.

%%

Writes a %.

The # flag selects the alternate forms. For octal, this prefixes a 0. For hex, this prefixes 0x or 0X, depending on case. For characters, this escapes non-printing values with either C-like escapes or raw octal. In the case of %#m/%#M, this safely accesses user space memory rather than kernel space memory.

Examples:

a = “alice”, b = “bob”, p = 0x1234abcd, i = 123, j = -1, id[a] = 1234, id[b] = 4567 print(“hello”) Prints : hello println(b) Prints : bob
println(a.” is “.sprint(16)) Prints : alice is 16 foreach (name in id) printdln(“|”, strlen(name), name, id[name]) Prints : 5 | alice | 1234
3 | bob | 4567 printf(“%c is %s; %x or %X or %p; %d or %u
”, 97, a, p, p, p, j, j) Prints : a is alice;
1234abcd or 1234ABCD or 0x1234abcd;
– 1 or 18446744073709551615

printf(“2 bytes of kernel buffer at address %p: %2m”, p, p)
Prints:2 byte of kernel buffer at address
0x1234abcd:<binary data> printf(“%4b”, p)
Prints(these values as binary data):0x1234abcd printf(“%#o %#x %#X
”, 1, 2, 3)
Prints:01 0x2 0X3 printf(“%#c %#c %#c
”, 0, 9, 42)
Prints: