-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
2942 lines (2261 loc) · 130 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
* What's new in version 4.8, 2022-11-03
- DWARF-related probes (.function, .statement) now merge DWARF and
non-DWARF symbol-table based matches, rather than being either-or.
- The python3 tapset was extended to support python3 3.9, 3.10, and 3.11.
See stapprobes(3stap) for further details on probing python functions.
- A template cve band-aid script is now included, which demonstrates
how to use a new 'livepatch.stp' tapset to standardize activation,
interactive control, and monitoring of systemtap cve band-aids.
- The kernel runtime now uses much less memory when the number of
"possible CPUs" are way more than the online ones. For example,
VMWare guests usually have 128 "possible CPUs" while fewer
CPUs are actually present or online in the guest system.
- The memory allocation size is now irrelevant to the value of
NR_CPUS of the current kernel. It is only subject to the number
of "possible CPUs" or "online CPUs".
- CPU hotplug is supported to the extent that there won't be any
kernel panics or memory corruptions.
- The bpf backend's embedded-code assembler has been improved to
support more conventional assembly syntax with named opcodes. The
opcode names are based on the iovisor bpf-docs documentation at
https://github.com/iovisor/bpf-docs/blob/master/eBPF.md
* What's new in version 4.7, 2022-05-02
- SystemTap now supports an additional method to sign modules on
UEFI/SecureBoot systems. In addition to the existing method of
using a trusted stap-server, the module can also be signed without
using a server by specifying the "stap --sign-module" option. (Key
enrollment still requires a one-time reboot and BIOS conversation.)
https://sourceware.org/systemtap/wiki/SecureBoot
- Includes new tool stap-profile-annotate, combining systemtap &
debuginfod to collect system-wide profiling statistics, and
produce annotated source files for all relevant programs/libraries.
- target processes given with the -c/-x parameters are now always
added to the -d list for possible symbol/unwind data extraction,
for simplifying profiling invocations. Consider --ldd.
- The "subbuf" size for kernel-to-user bulk message passing is fixed
at the page size. Number of such subbufs is affected by the
stap "-s" parameter and amount of free memory available.
* What's new in version 4.6, 2021-11-15
- SystemTap has added support for the 64-bit RISC-V architecture.
- stap-prep now tries to download the main kernel debuginfo file from
a debuginfod server, if configured.
- Updated syscall_any tapset mapping to include newer syscalls.
- syscall_any tapset can be used by the bpf backend.
- SystemTap now uses DynInst to perform a liveness analysis on
target variables and warn when a guru-mode modification to a variable
will have no effect. The liveness analysis is currently done on
x86_64, PowerPC, and AArch64.
- The kernel-user relayfs transport again sorts messages into a total
time order across CPUs. High output-volume scripts may need a
larger "-s BUF" parameter to reliably transfer. "-b" bulk mode
is also available again as an alternative.
- abort() tapset can be used by the bpf backend.
- The bpf backend now supports foreach iteration in multi-key
associative arrays.
* What's new in version 4.5, 2021-05-07
- Java probing support has been updated to work with the latest
versions of the JVM and byteman (PR27739).
- An initial version of the bpf/uconversions.stp tapset provides
tapset functions such as user_long_error() to access values in
userspace.
- Enabled the -c option to work with the bpf backend (PR25177).
- Enum values can now be accessed as $context variables (PR25346).
- Executables for which stap has execute but not read permissions
(--x--x--x) can now be probed with build-id probes and debuginfod.
This allows probing some setuid programs (PR27251).
- Added VMA-tracking support to the stapdyn backend.
- Several concurrency/locking fixes and improvements were made to the
uprobes family of probes and to the transport subsystem. Large
machines with hundreds of CPUs are better supported.
- The kernel runtime now uses procfs as the default namespace for
the relayfs pseudo-files.
- Floating point variables may now be accessed directly as normal
$context variables. 32-bit floats are automatically widened to
doubles. (PR13838)
- A wider variety of SecureBoot MOK keys are now recognized for
more reliable triggering of stap-server module signing. Document
some additional lockdown/secureboot administrative escape options.
(PR26665)
- On startup, stap explains the [man FOO] diagnostic syntax.
* What's new in version 4.4, 2020-11-09
- Make syscall arguments writable again in non-DWARF probes on kernels
that use syscall wrappers to pass arguments via pt_regs (currently
x86_64 4.17+ and aarch64 4.19+).
- Add new syntax for defining aliases with both a prologue and an epilogue:
'probe ALIAS = PROBE { <prologue> }, { <epilogue> }'
- Add @probewrite predicate. @probewrite(var) returns 1 if var has been
written to in the probe handler body and 0 otherwise. The check can
only be used with probes that have an epilogue or prologue.
- Implicit thread local storage variables can now be accessed on
x86_64, ppc64le, and s390x.
- Replaced spinlocks with RCU locks in vma map and utrace task's hash
table lookups which reduces CPU time a lot when there are a lot of
target processes and vma tracker or task finder is enabled. We also
increased the default hash table sizes to reduce hash conflicts.
- stap-prep now avoids downloading kernel debuginfo if a successful
connection to debuginfod server is made.
- The locks required to protect concurrent access to global variables
has been optimized with a "pushdown" algorithm, so that they span
the smallest possible critical region. Formerly, and with
--compatible=4.3, locks always spanned the entire probe handler.
Lock pushdown means much greater potential concurrency between
probes running on different CPUs.
- Systemtap now supports kernel-lockdown configurations that disable
debugfs, by instead using procfs to carry relayfs transport files.
- Systemtap now supports extracting 64-bit floating point and stored
in long type. Also basic floating point arithmetic and comparison
functions are provided in a tapset. More automated syntax coming
soon. e.g.:
probe process.function("foo") {
fp = user_long(& $fp_variable)
println (fp_to_string (fp_add (string_to_fp("3.14"), fp)))
}
* What's new in version 4.3, 2020-06-11
- tapset functions for reading CPU registers and primitives involved with the
process memory maps work in 'probe process.begin'.
- probe aliases starting with nfs.proc support IPv6 as server_ip and client_ip.
Also, ip are represented with string valued now.
- The target of process probes may be specified by hexadecimal buildid
as an alternative to path names. This makes it possible to probe a
variety of versions or aliases of a program, even if they are
running inside containers under a different path name. Works best
with a debuginfod server that publishes the executables / debuginfo.
The following probes glibc.so 2.32-2.fc32.x86_64 from fedora running
anywhere on your machine.
# export DEBUGINFOD_URLS=https://debuginfod.elfutils.org/
# stap -e 'probe process("7ca24d4dc3de9d62d9ad6bb25e5b70a3e57a342f")
.function("*system") { log("hi") }'
- Functions can now be context-sensitive, meaning that they may make
references to $context variables and similar constructs that could
formerly appear only inside probe handlers. This is implemented by
cloning the such functions for each probe.
Only some probe point (dwarf-based user & kernel) types supported.
function foo () { println ($$vars) }
probe kernel.function("do_exit") { foo() }
probe process("/bin/ls").function("main") { foo() }
probe process("/lib*/libc.so.6").mark("*") { foo() }
- Add new tapset function dump_stack() which prints the current
kernel backtrace to the kernel trace buffer (as a thin wrapper
around the kernel C API function dump_stack).
- Almost all of the kmalloc() allocations exceeding 4KB have been
replaced by vmalloc(). This helps stap's kernel runtime work
properly on systems with serious fragmentation in physical memory
address space.
- More $variable resolution errors may be generated, especially for
@var("") constructs that target global variables. These are
duplicate-eliminated by default, but may be seen with verbosity>=2.
- The stapbpf backend now supports try-catch statements, an improved
error tapset and error probes.
- The "Build-id mismatch" condition now becomes a warning, so while
related probes are not inserted, the rest of the script may run.
- The process(EXE).begin probe handlers are now always triggered for
already-running target processes.
- The proc_mem_rss() tapset function now includes the resident shared
memory pages as expected. The old behavior can be restored by the
--compatible=4.2 option on the command line.
- Modules compiled with guru mode for a particular kernel version can
now only be loaded on kernels with exactly matching version
(vermagic string) instead of any kernel whose API matches according
to the modversions mechanism. Use -B CONFIG_MODVERSIONS=y to restore
the prior behaviour.
* What's new in version 4.2, 2019-11-18
- Initial support for multi-dimensional supports has been added to
the stapbpf backend. Note that these arrays cannot be iterated upon
with a foreach loop.
- The stapbpf backend now supports sorting by value in foreach loops.
- The stapbpf backend now supports the concatenation operator for
userspace probes.
- The stapbpf backend now supports the target() function and -x option.
- The gettimeofday_* functions are now provided for the stapbpf backend.
- The values of an array can now be iterated over in foreach loops in
the stapbpf backend. They are no longer defaulted to 0.
- The stapbpf backend now supports order parameterization for begin
and end probes.
- When the -v option is set along with -L option, the output includes
duplicate probe points which are distinguished by their PC address.
- The stapbpf backend now supports stap-exporter extensions.
- The stapbpf backend now supports procfs probes. The implementation
uses FIFO special files in /var/tmp/systemtap-$EFFUSER/MODNAME instead
of the proc filesystem files.
- The eBPF backend now uses bpf raw tracepoints for kernel.trace("*")
probes. These have target variable arguments that match the
arguments available for the traditional linux kernel modules
tracepoints. Support for the older bpf tracepoint arguments can be
forced with a --compatible=4.1 option on the command line.
- New backtracing functions print_[u]backtrace_fileline() have been added
to the tapset. These functions behave similarly to print_[u]backtrace(),
the only difference being that file names and line numbers are added
to the backtrace.
- Now it is possible to issue a backtrace using user specified pc, sp,
and fp which can be used to generate backtraces of different contexts.
This was introduced to get backtraces of user code from within the go
runtime but it can also be used to do things like generating backtraces
of user code from within signal handlers.
- The compiler optimizes out probes with empty handlers. Previously,
warnings were issued but, the probe was not internally removed. For
example, this script now outputs a warning and an error as the only
probe handler is empty:
probe begin {}
Additionally, probe handlers that evaluate to empty are also removed.
For example, in this script, the begin probe is elided as $foo does
not exist, however, an error won't be outputted because atleast one
probe with a non-empty handler exists (probe begin):
probe begin {
print("Protected from elision")
}
probe end {
if (@defined($foo)) { print("Evaluates to empty handler") }
}
- The automatic printing implementation now differentiates between
pointer and integer types, which are printed as hex or decimal
respectively.
- The sys/sdt.h file changes the way i386 registers operands are
sometimes named, due to an ambiguity. A comment block explains.
* What's new in version 4.1, 2019-05-07
- Runtime/tapsets were ported to include up to kernel version 5.1-rc2
- The translator's pass-2 (elaboration) phase has been dramatically
accelerated by eschewing processing of unreferenced parts of the
tapset and embedded-C code.
- New macros @this1, ..., @this8 have been added to the script language.
The macros can be used to save values in entry probes and later retrieve
them in return probes. This can be used in instances where @entry does
not work. For example:
probe tp_syscall.read {
@this1 = buf_uaddr
}
probe tp_syscall.read.return {
buf_uaddr = @this1
printf("%s", user_string(buf_uaddr))
}
- Operator @var() no longer assumes @entry() in return probes.
The old behavior can be restored by the '--compatible 4.0' option.
- Where available (kernel 4.15+), the kernel-module runtime now uses
the kernel-provided ktime_get_real_fast_ns() mechanism for timekeeping
rather than the SystemTap runtime's own timekeeping machinery.
- New stapbpf tapset task.stp with function task_current.
- New stapbpf tapset functions kernel_string, kernel_string_n,
execname, ktime_get_ns.
- A new stapbpf transport layer has been implemented based on perf_events
infrastructure. This transport layer removes some limitations on strings
and printf() that were previously imposed by BPF's trace_printk() mechanism:
- It is now possible to use format-width specifiers in printf().
- It is now possible to use more than three format specifiers in printf().
- It is now possible to use multiple '%s' format specifiers in printf().
- Using stapbpf should no longer trigger a trace_printk()-associated
warning on dmesg.
- In the stapbpf backend, foreach() now supports iteration of arrays
with string keys.
- A preview version of statistical aggregate functionality for stapbpf
is now included. For now, in the stapbpf backend, aggregates only
support @count(), @sum() and @avg() operations.
- Added support for unhandled DWARF operator DW_OP_GNU_parameter_ref in
location expressions for target symbols.
* What's new in version 4.0, 2018-10-13
- Runtime/tapsets were ported to include up to kernel version 4.19-rc
- A new network service, stap-exporter, is included. It glues
systemtap and the web. It allows a prometheus (or compatible
systems such as pcp) to consume metrics exported by systemtap
scripts. Some tapset macros/functions are available to make it
easier to write such scripts. See the stap-exporter(8) man page and
the systemd service.
- When a systemtap module is loaded, the name of the original stap script
is now printed to dmesg by the kernel runtime.
- On some Fedora kernels, the information necessary to automatically
engage in SecureBoot module signing is hidden from systemtap.
Setting the $SYSTEMTAP_SIGN environment variable forces it on.
A running stap-server instance will also be needed.
- Embedded-C functions marked /* guru */ may now be invoked from other
tapset probes / functions, while still being invalid for normal call
from an unprivileged user script.
- The syscall tapset is now updated to work on kernel 4.17+.
Additionally, the tapset now includes an automatic fallback alias to
the sys_enter / sys_exit kernel tracepoints, if no other
kprobe-based mechanism is found. These changes have brought
unavoidable consequences. Raw $target variables for the syscall
arguments and return probes (e.g. @entry($fd), $return, returnval())
may not longer be relied upon. Instead, use the variables defined by
the tapset aliases. For example:
% stap -L syscall.read
syscall.read name:string fd:long buf_uaddr:long count:long argstr:string
% stap -L syscall.read.return
syscall.read.return name:string retval:long retstr:string
to see the available variables for that syscall. See
[man stapprobes] for further details. returnval() in particular is
being deprecated soon; use retval in syscall.*.return probes instead.
- New script language operators @kderef/@uderef and @kregister/@uregister
were added.
@kderef/@uderef (size,address) can be used to dereference integers and
@kregister/@uregister (dwarf#) can be used to access register values.
- A systemd service file has been added for systemtap.service (which
runs a configurable set of scripts automatically on system
startup). The existing /etc/init.d/systemtap init script has been
moved to a new utility command 'systemtap-service' which preserves
functionality such as configuring onboot systemtap scripts via
dracut. See systemtap-service(8) for details.
- The eBPF backend's string support has been improved. Strings
can now be stored in variables, passed as function arguments,
and stored as array keys and values.
- The 3rd operand of the ternary operator '?:' in the script language
now binds tighter than the binary assignment operators like '=' and
'+=', just like the C language. The original operator precedence can
be restored by the '--compatible 3.3' option.
- The script language now supports the use of bare 'return' statements
(without any return values) inside functions which do not return any
values. A trailing semicolon is recommended for such return
statements to avoid any potential ambiguity. The parser treats a
following semicolon (';') or a closing curly bracket ('}') as a
terminator for such bare return statements.
- Parentheses after unary '&' with a target-symbol expression is
now accepted in the script language.
- Tapset functions register() and u_register() now support 8-bit
x86 register names "ah", "al", "bh", "bl", "ch", "cl", "dh", and
"dl" on both x86_64 and i386. And 16-bit x86 registers are now
truly read as 16-bit integers instead of as 32-bit ones.
- The experimental ftrace ring buffer mechanism (STP_USE_RING_BUFFER)
has been deprecated and may be removed in future versions.
* What's new in version 3.3, 2018-06-08
- A new "stap --example FOO.stp" mode searches the example scripts
distributed with systemtap for a file named FOO.stp, so its whole
path does not need to be typed in.
- Systemtap's runtime has learned to deal with several of the
collateral damage from kernel hardening after meltdown/spectre,
including more pointer hiding and relocation. The kptr_restrict
procfs flag is forced on if running on a new enough kernel.
- The "stap --sysroot /PATH" option has received a revamp, so it
works much better against cross-compiled environments.
- The eBPF backend has learned to perform loops - at least in the
userspace "begin/end" probe contexts, so one can iterate across BPF
arrays for reporting. (The linux kernel eBPF interpreter precludes
loops and string processing.) It can also handle much larger probe
handler bodies, with a smarter register spiller/allocator.
- The eBPF backend now supports uprobes, perf counter, timer, and
tracepoint probes.
- An rpm macro %_systemtap_tapsetdir is now defined, to make it
easier for third party packages to add .stp files into the standard
tapset.
- Several low level locking-related fixes were added to the runtime
that used uprobes/tracepoint apis, in order to work more reliably on
rt kernels and on high-cpu-count machines.
- Runtime/tapsets were ported to include up to kernel version 4.16.
(The syscall tapsets are broken on kernel 4.17-rc, and will be fixed
in a next release coming soon; PR23160.)
- Add new built-in tapset function abort() which is similar to exit(),
but it aborts the current probe handler (and any function calls in
it) immediately instead of waiting for its completion. Probe handlers
already running on *other* CPU cores, however, will still continue
to their completion. Unlike error(), abort() cannot be caught by
try {...} catch {...}. Similar to exit(), abort() yeilds the zero
process exit code. It works with both the kernel and dyninst runtimes.
This function can be disabled by the '--compatible 3.3' option.
* What's new in version 3.2, 2017-10-18
- SystemTap now includes an extended Berkeley Packet Filter (eBPF)
backend. This experimental backend does not use kernel modules
and instead produces eBPF programs that are verified by the kernel
and executed by an in-kernel virtual machine. Select this backend
with the new stap option '--runtime=bpf'. For example:
stap --runtime=bpf -e \
'probe kernel.function("sys_open") { printf("hi from stapbpf!\n") }'
Please see the stapbpf(8) man page for more information.
- The regular expression engine now supports extraction of the matched
string and subexpressions using the matched() tapset function:
if ("regexculpicator" =~ "reg(ex.*p).*r") log(matched(1))
-> exculp
- The translator produces better diagnostics for common/annoying case
of missing debuginfo that blocks use of context $variables.
- "stap -k" build trees in $TMPDIR now also include a preprocessed .i form
of the generated module .c code, for problem diagnostics purposes.
- The syscall.execve probes now provide a decoded env_str string vector,
just like the argument vector. Because of this, the unused
__count_envp() and __count_compat_evenp() functions have been
deprecated.
- The task_exe_file() Function has been deprecated and replaced by the
current_exe_file() function.
- A new probe alias input.char allows scripts to access input from stdin
during runtime.
* What's new in version 3.1, 2017-02-17
- Systemtap now needs C++11 to build.
- Syscall and nd_syscall tapsets have been merged in a way that either
dwarf-based, or non-dwarf probe gets automatically used based on
debuginfo availability (e.g. probe syscall.open).
To force use the dwarf based probe, a dw_syscall has been introduced
(e.g. probe dw_syscall.open) and the non-dwarf syscall probes were
left untouched (e.g. nd_syscall.open).
- The syscall tapset files have been reorganized in a way that original
big tapset files carrying many syscall probes were split into smaller
'sysc_' prefixed tapset files. This should reduce the syscall tapset
maintenance burden.
- The powerpc variant of syscall.compat_sysctl got deprecated on favor of
syscall.sysctl32. This aligns the syscall to its respective nd_syscall and
to ia64/s390/x86_64 variants too.
- The syscall.compat_pselect7a (this was actually a typo, but still available
for compatibility purposes with --compatible 1.3) has beed deprecated.
- The 'description_auddr' convenience variable of syscall.add_key has been
deprecated.
- Support has been added for probing python 2 and 3 functions using a
custom python helper module. Python function probes can target
function entry, returns, or specific line numbers.
probe python2.module("myscript").function("foo")
{ println($$parms) }
To run with the custom python helper module, you'd use python's '-m'
option like the following:
stap myscript.stp -c "python -m HelperSDT myscript.py"
- Java method probes now convert all types of java parameters to
strings using the java toString() method before passing them to
systemtap probes; new argN variables copy them into string
variables. Previously, only numeric types were passed, and only by
casting to integers. The previous behaviour is available with
--compatible=3.0 .
3.1: probe java(...).class(...).method(...) { printf("%s", arg1) }
3.0: probe java(...).class(...).method(...) { printf("%d", $arg1) }
- An older defensive measure to suppress kernel kprobes optimizations
since the 3.x era has been disabled for recent kernels. This improves
the performance of kernel function probes. In case of related problems,
please report and work around with:
# echo 0 > /proc/sys/debug/kprobes-optimization
- Context variables in .return probes should be accessed with @entry($var)
rather than $var, to make it clear that entry-time snapshots are being
used. The latter construct now generates a warning. Availability testing
with either @defined(@entry($var)) or @defined($var) works.
- Tapsets containing process probes may now be placed in the special
$prefix/share/systemtap/tapset/PATH/ directory to have their process parameter
prefixed with the location of the tapset. For example,
process("foo").function("NAME") expands to process("/usr/bin/foo").function("NAME")
when placed in $prefix/share/systemtap/tapset/PATH/usr/bin/
This is intended to help write more reusable tapsets for userspace binaries.
- The implementation of "var <<< X" for each aggregate variable is now
specially compiled to compute only the script-requested @op(var) values,
not all potential ones. This speeds up the <<< operations.
- Systemtap now warns if script arguments given on the command line are unused,
instead of mentioned by the script with $n/@n.
- Netfilter tapsets now provide variables data_hex and data_str to display packet
contents in hexadecimal and ASCII respectively.
- Translator now accepts new @const() operator for convenient expressing
constants in tapset code, or guru-mode scripts. See stap(1) for details.
- New -T option allows the script to be terminated after a specified number
of seconds. This is a shortcut for adding the probe, timer {exit()}.
- New installcheck-parallel testsuite feature allows running the tests in
parallel in order to save time. See testsuite/README for details.
- New tapset functions set_user_string(), set_user_string_n(), set_user_long()
set_user_int(), set_user_short(), set_user_char() and set_user_pointer() to
write a value of specified type directly to a user space address.
- New tapset functions user_buffer_quoted(), user_buffer_quoted_error(),
kernel_buffer_quoted(), and kernel_buffer_quoted_error() to print a
buffer of an exact length. These functions can handle '\0' characters
as well.
- New statistics @variance() operator using the Welford's online algorithm
for per-cpu computation, and the Total Variance formula authored by
Niranjan Kamat and Arnab Nandi from the Ohio State University for the
cross-cpu aggregation.
- New command within interactive mode, sample. Allows you to search through
all included example scripts to load for further editing or running. Sample
and example scripts have been moved to /usr/share/systemtap/examples. A
symlink in the former location under $docdir links to it.
* What's new in version 3.0, 2016-03-27
- The new experimental "interactive" mode, specified by "stap -i",
drops you into a command-line prompt where you can build up a script,
run it, edit it, run it again, etc. Type "help" for a list of commands.
- New experimental --monitor[=INTERVAL] option similar to unix "top". This
allows users to see statistics about the running module(uptime, module name,
invoker uid, memory sizes, global variables, and the current probe list
along with their statistics).
An interface is also provided to allow control over the running
module(resetting global variables, sorting the list of probes, deactivating
and reactivating probes).
- The performance of associative arrays have been dramatically
improved, especially for densely filled tables and for multiple
indexes. The hash tables behind these arrays is now sized as a
function of the array maximum size with an optional MAPHASHBIAS
space/time tradeoff knob.
- Add macros @prints to print a scalar aggregate variable, @prints[1-9]
to print an array aggregate (of given index-arity), formatted similarly
to the automatic printing of written-only global variables.
global a, b
probe oneshot { a <<< 1; b[tid()] <<< 2 }
probe end { @prints(a); @prints1(b) }
- Functions may now be overloaded during module runtime using the "next"
statement in script functions and STAP_NEXT macro for embedded-C functions.
They may also be overloaded by number of parameters during compile time.
For example,
Runtime overloading:
function f() { if (condition) next; print("first function") }
function f() %{ STAP_NEXT; print("second function") %}
function f() { print("third function") }
For the given functions above, a functioncall f(), will execute the body of the
third function if condition evaluates to true and print "third function".
Note that the second function is unconditionally nexted.
Parameter overloading:
function g() { print("first function") }
function g(x) { print("second function") }
g() -> "first function"
g(1) -> "second function"
Note that runtime overloading does not occur in the above example as the number
of parameters of the functions differ. The use of a next statement inside a function
while no more overloads remain will trigger a runtime exception. The function
candidates are selected at compile time and is determined by the number of arguments
provided for the functioncall.
- Add Czech version of manual pages.
- The stap compile server will log the stap client's options that are passed
to the server. The options that get logged on the server will include the
script name or the -e script, depending on which is used by the client.
- Embedded-C functions and blocks may now access script level global variables
using the STAP_GLOBAL_GET_* and STAP_GLOBAL_SET_* macros.
To read or write the script global var, the /* pragma:read:var */ or
/* pragma:write:var */ marker must be placed in the embedded-C function or block.
The written type must match the type inferred at script level.
Scalars:
STAP_GLOBAL_SET_var(STAP_GLOBAL_GET_var()+1) -> increments script global var by 1
STAP_GLOBAL_SET_var("hello")
Associative arrays:
STAP_GLOBAL_GET_var(index-1, ..., index-n)
STAP_GLOBAL_SET_var(index-1, ..., index-n, new value)
- Probe point brace expansion is now supported to improve brevity in
specifying probe points. For example,
process.{function("a"), function("b").{call,return}}
=> process.function("a"), process.function("b").call, process.function("b").return
process.{function("*").callees,plt}?
=> process.function("*").callees?, process.plt?
{kernel,module("nfs")}.function("nfs*")!
=> kernel.function("nfs*")!, module("nfs").function("nfs*")!
- Profiling timers at arbitrary frequencies are now provided and perf probes
now support a frequency field as an alternative to sampling counts.
probe timer.profile.freq.hz(N)
probe perf.type(N).config(M).hz(X)
The specified frequency is only accurate up to around 100hz. You may
need to provide a higher value to achieve the desired rate.
- Added support for private global variables and private functions. The scope
of these is limited to the tapset file they are defined in (PR19136).
- New tapset function string_quoted() to quote and \-escape general strings.
String $context variables that are pretty-printed are now processed with
such a quotation engine, falling back to a 0x%x (hex pointer) on errors.
- Functions get_mmap_args() and get_32mmap_args() got deprecated.
* What's new in version 2.9, 2015-10-08
- SystemTap now uses symbols from /proc/kallsyms when kernel debuginfo is not
available.
- New --prologue-searching[=WHEN] option has been added to stap with '-P' being
its short counterpart. Using --prologue-searching=never turns prologue
searching deliberately off working around issue of int_arg() returning wrong
value when a 32-bit userspace binary having debug info is being probed with
active prologue searching (PR18649).
- The powerpc variant of nd_syscall.compat_sysctl got deprecated on favor of
nd_syscall.sysctl32. This aligns the nd_syscall to its respective syscall and
to ia64/s390/x86_64 variants too.
- New tapset function assert(expression, msg) has been added.
- Embedded-C functions may now use the new STAP_PRINTF(fmt, ...)
macro for output.
- New tapset functions fullname_struct_path and fullname_struct_nameidata
resolve full path names from internal kernel struct pointers.
- New tapset functions arch_bytes() and uarch_bytes() to obtain address size
for kernel and user space respectively.
- New tapset function switch_file() allows control over rotation
of output files.
- The [nd_]syscall tapset got autodocumented. Related paragraph got added to PDF
and HTML tapset reference. Also a new tapset::syscall 3stap man page got added.
- Embedded-C functions with parameter arity-0 can now be marked with
the /* stable */ /* pure */ pragmas, if (roughly speaking) the
function is side-effect-free and idempotent. The translator may
execute these speculatively and have their results memoized. This
lets probes with multiple calls to such functions run faster.
Context variable ($foo) getter functions (in non-guru mode), and
numerous tapset functions are now marked as /* stable */ /* pure */.
Several example scripts have been modified to eschew explicit
memoization.
- Callee probe points now support '.return' and '.call' suffix.
For example,
process("proc").function("foo").callee("bar").return
will fire upon returning from bar when called by foo.
process("proc").function("foo").callee("bar").call
will only fire for non-inlined callees.
- The following tapset variables and functions are deprecated in
version 2.9:
- The '__int32_compat' library macro got deprecated in favor of
new '__compat_long' library macro.
- The 'uargs' convenience variable of the 'seccomp' syscall probe
got deprecated in favor of new 'uargs_uaddr' variable.
- SystemTap has reduced its memory consumption by using interned_strings (a
wrapper for boost::string_ref) in place of std::string instances. The change
is to reduce the number of duplicate strings created by replacing them with
interned_strings which act like pointers to existing strings.
For the implementation of interned_string, see stringtable.h
* What's new in version 2.8, 2015-06-17
- SystemTap has improved support for probing golang programs. Work has been
done to be able to handle DWARF information, reporting file names, line
numbers, and column numbers, and tolerance of odd characters in symbol names.
- The function::*, probe::* and new macro::* man pages cross-references the
enclosing tapset::* man page. For example:
function::pn(3stap) mentions tapset::pn(3stap) in the SEE ALSO section
- New stapref(1) man page provides a reference for the scripting language. The
stapref page contains an overview of the features available in the language,
such as keywords, data types, operators and more.
- The @task macro performs the very common @cast to a task_struct.
The embedded-C bodies of task_current() and pid2task() are now wrapped
by @task, which gives them a debuginfo type on the return value. With
autocast type propagation, this removes the need for any explicit @cast
in many places.
Other places which take untyped task pointers as parameters, for
instance, now use @task as well to simplify their code.
- New namespace-aware tapset functions [task_]ns_*() and ia new option
--target-namespaces=PID to denote a target set of namespaces corresponding to
the PID's namespaces. The namespace-aware tapsets will return values
relative to the target namespaces if specified, or the stap process' namespaces.
- Netfilter probes now attempt to decode Spanning Tree Protocol packets
into local variables: probe netfilter.bridge.*, br_* variables,
stp_dump.stp sample script.
- Colorization of error string tokens is made more robust, especially
in presence of $N/@N substitution.
- The following tapset variables and functions are deprecated in
version 2.8:
- The 'hostname_uaddr' variable in the syscall.setdomainname and
nd_syscall.setdomainname probe aliases have been deprecated in
favor of the new 'domainname_uaddr' variable.
- The 'fd' and 'fd_str' variables in the syscall.execveat and
nd_syscall.execveat probe aliases have been deprecated in favor of
the new 'dirfd' and 'dirfd_str' variables.
* What's new in version 2.7, 2015-02-18
- Some systemtap sample scripts are now identified with the "_best" keyword,
because they are generally useful or educational. They are now promoted
within the generated index files.
- Passing strings to and from functions has become faster due to optimization
(passing some strings by reference instead of by value/copy). It may
be disabled by using the unoptimize flag (-u).
To make embedded-C functions eligible for the same optimization, use the pragma
/* unmodified-fnargs */ to indicate that the function body will not modify
the function arguments. Remember to use MAXSTRINGLEN for string length,
rather than sizeof(string_arg) (which might now be a pointer).
- SystemTap now allows .function probes to be specified by their full function
name, file, and declaration line number. Use the .statement probe to probe a
specific line number.
- Tracepoint probes can now also be specified by the target subsystem. For
example, the following are all supported:
probe kernel.trace("sched:sched_switch") --> probe sched_switch found in the
sched subsystem
probe kernel.trace("sched:*") --> probe all tracepoints in sched subsystem
As a result, tapset functions such as pn() will now return a different string
than before. To retain the previous behaviour, use '--compatible=2.6'.
- The following functions are deprecated in release 2.7:
- _adjtx_mode_str(), _statfs_f_type_str(), _waitid_opt_str(),
_internal_wait_opt_str(), and _epoll_events_str().
- New tapset functions [u]symfileline(), [u]symfile() and [u]symline() will
return a string containing the specified portion of the filename:linenumber
match from a given address.
Using these functions may result in large generated modules from stored
address->file:line information.
* What's new in version 2.6, 2014-09-05
- SystemTap now supports on-the-fly arming/disarming of certain probe types:
kprobes, uprobes, and timer.*s(NUM) probes. For example, this probe
probe kernel.function("vfs_read") if (i > 4) { ... }
will automatically register/unregister the associated kprobe on vfs_read
whenever the value of the condition changes (as some probe handler
modifies 'i'). This allows us to avoid probe overhead when we're not
interested. If the arming capability is not relevant/useful, nest the
condition in the normal probe handler:
probe kernel.function("vfs_read") { if (i > 4) { ... } }
- statement("*@file:NNN").nearest probes now available to let systemtap
translate probe to nearest probe-able line to one given if necessary
- process("PATH").library("PATH").plt("NAME").return probes are now supported.
- SystemTap now supports SDT probes with operands that refer to symbols.
- While in listing mode (-l/-L), probes printed are now more consistent
and precise.
- Statement probes now support enumerated linenos to probe discontiguous
linenos using the form:
process.statement("foo@file.c:3,5-7,9")
- Statement counting is now suppressed in the generated c code for probes that
are non-recursive and loop-free. Statement counting can be turned back on in
unoptimize mode (-u).
- SystemTap now asserts that the PID provided for a process probe corresponds
to a running process.
- DWARF process probes can be bound to a specific process using the form:
process(PID).function("*")
- SystemTap now accepts additional scripts through the new -E SCRIPT option.
There still needs to be a main script specified through -e or file in order
to provide an additional script. This makes it feasible to have scripts in
the $HOME/.systemtap/rc file. For example:
-E 'probe begin, end, error { log("systemtap script " . pn()) }'
-E 'probe timer.s(30) { error ("timeout") }
The -E SCRIPT option can also be used in listing mode (-l/-L), such that
probe points for the additional scripts will not listed, but other parts of
the script are still available, such as macros or aliases.
- SystemTap now supports array slicing within foreach loop conditions, delete
statements and membership tests. Wildcards are represented by "*". Examples
of the expressions are:
foreach ([a,b,c] in val[*,2,*])
delete val[*, 2, *]
[*, 2, *] in val
- Integer expressions which are derived from DWARF values, like context $vars,
@cast, and @var, will now carry that type information into subsequent reads.
Such expressions can now use "->" and "[]" operators, as can local variables
which were assigned such values.
foo = $param->foo; printf("x:%d y:%d\n", foo->x, foo->y)
printf("my value is %d\n", ($type == 42 ? $foo : $bar)->value)
printf("my parent pid is %d\n", task_parent(task_current())->tgid)
* What's new in version 2.5, 2014-04-30
- Systemtap now supports backtracing through its own, invoking module.
- Java probes now support backtracing using the print_java_backtrace()
and sprint_java_backtrace() functions.
- Statement probes (e.g. process.statement) are now faster to resolve,
more precise, and work better with inlined functions.
- New switches have been added to help inspect the contents of installed
library files:
stap --dump-functions --> list all library functions and their args
stap --dump-probe-aliases --> list all library probe aliases
- The heuristic algorithms used to search for function-prologue
endings were improved, to cover more optimization (or
lack-of-optimization, or incorrect-debuginfo) cases. These
heuristics are necessary to find $context parameters for some
function-call/entry probes. We recommend programs be built with
CFLAGS+=-grecord-gcc-switches to feed information to the heuristics.
- The stap --use-server option now more correctly supports address:port
type parametrization, for manual use in the absence of avahi.
- A new probe alias "oneshot" allows a single quick script fragment to run,
then exit.
- The argv tapset now merges translate-time and run-time positional
arguments, so all of these work:
stap -e 'probe oneshot {println(argv[1]," ",argv[2])}' hello world
stap -e 'probe oneshot {println(argv[1]," ",argv[2])}' \
-G argv_1=hello -G argv_2=world
staprun hello.ko argv_1=hello argv_2=world
- SystemTap now falls back on the symbol table for probing
functions in processes if the debuginfo is not available.
- SystemTap now supports a %( guru_mode == 0 /* or 1 */ %)
conditional for making dual-use scripts.
- SystemTap now supports UEFI/SecureBoot systems, via
machine-owner-keys maintained by a trusted stap-server on the
network. (Key enrollment requires a one-time reboot and BIOS
conversation.)
https://sourceware.org/systemtap/wiki/SecureBoot
- SystemTap now reports more accurate and succinct errors on type
mismatches.
- Embedded-C functions may use STAP_RETURN(value) instead of the
more wordy STAP_RETVALUE assignment followed by a "goto out".
The macro supports numeric or string values as appropriate.
STAP_ERROR(...) is available to return with a (catchable) error.