root / docs / tracing.txt @ 8f642117
History | View | Annotate | Download (8.2 kB)
1 |
= Tracing = |
---|---|
2 |
|
3 |
== Introduction == |
4 |
|
5 |
This document describes the tracing infrastructure in QEMU and how to use it |
6 |
for debugging, profiling, and observing execution. |
7 |
|
8 |
== Quickstart == |
9 |
|
10 |
1. Build with the 'simple' trace backend: |
11 |
|
12 |
./configure --trace-backend=simple |
13 |
make |
14 |
|
15 |
2. Create a file with the events you want to trace: |
16 |
|
17 |
echo bdrv_aio_readv > /tmp/events |
18 |
echo bdrv_aio_writev >> /tmp/events |
19 |
|
20 |
3. Run the virtual machine to produce a trace file: |
21 |
|
22 |
qemu -trace events=/tmp/events ... # your normal QEMU invocation |
23 |
|
24 |
4. Pretty-print the binary trace file: |
25 |
|
26 |
./simpletrace.py trace-events trace-* |
27 |
|
28 |
== Trace events == |
29 |
|
30 |
There is a set of static trace events declared in the "trace-events" source |
31 |
file. Each trace event declaration names the event, its arguments, and the |
32 |
format string which can be used for pretty-printing: |
33 |
|
34 |
qemu_malloc(size_t size, void *ptr) "size %zu ptr %p" |
35 |
qemu_free(void *ptr) "ptr %p" |
36 |
|
37 |
The "trace-events" file is processed by the "tracetool" script during build to |
38 |
generate code for the trace events. Trace events are invoked directly from |
39 |
source code like this: |
40 |
|
41 |
#include "trace.h" /* needed for trace event prototype */ |
42 |
|
43 |
void *qemu_malloc(size_t size) |
44 |
{ |
45 |
void *ptr; |
46 |
if (!size && !allow_zero_malloc()) { |
47 |
abort(); |
48 |
} |
49 |
ptr = oom_check(malloc(size ? size : 1)); |
50 |
trace_qemu_malloc(size, ptr); /* <-- trace event */ |
51 |
return ptr; |
52 |
} |
53 |
|
54 |
=== Declaring trace events === |
55 |
|
56 |
The "tracetool" script produces the trace.h header file which is included by |
57 |
every source file that uses trace events. Since many source files include |
58 |
trace.h, it uses a minimum of types and other header files included to keep the |
59 |
namespace clean and compile times and dependencies down. |
60 |
|
61 |
Trace events should use types as follows: |
62 |
|
63 |
* Use stdint.h types for fixed-size types. Most offsets and guest memory |
64 |
addresses are best represented with uint32_t or uint64_t. Use fixed-size |
65 |
types over primitive types whose size may change depending on the host |
66 |
(32-bit versus 64-bit) so trace events don't truncate values or break |
67 |
the build. |
68 |
|
69 |
* Use void * for pointers to structs or for arrays. The trace.h header |
70 |
cannot include all user-defined struct declarations and it is therefore |
71 |
necessary to use void * for pointers to structs. |
72 |
|
73 |
* For everything else, use primitive scalar types (char, int, long) with the |
74 |
appropriate signedness. |
75 |
|
76 |
Format strings should reflect the types defined in the trace event. Take |
77 |
special care to use PRId64 and PRIu64 for int64_t and uint64_t types, |
78 |
respectively. This ensures portability between 32- and 64-bit platforms. |
79 |
|
80 |
=== Hints for adding new trace events === |
81 |
|
82 |
1. Trace state changes in the code. Interesting points in the code usually |
83 |
involve a state change like starting, stopping, allocating, freeing. State |
84 |
changes are good trace events because they can be used to understand the |
85 |
execution of the system. |
86 |
|
87 |
2. Trace guest operations. Guest I/O accesses like reading device registers |
88 |
are good trace events because they can be used to understand guest |
89 |
interactions. |
90 |
|
91 |
3. Use correlator fields so the context of an individual line of trace output |
92 |
can be understood. For example, trace the pointer returned by malloc and |
93 |
used as an argument to free. This way mallocs and frees can be matched up. |
94 |
Trace events with no context are not very useful. |
95 |
|
96 |
4. Name trace events after their function. If there are multiple trace events |
97 |
in one function, append a unique distinguisher at the end of the name. |
98 |
|
99 |
5. If specific trace events are going to be called a huge number of times, this |
100 |
might have a noticeable performance impact even when the trace events are |
101 |
programmatically disabled. In this case you should declare the trace event |
102 |
with the "disable" property, which will effectively disable it at compile |
103 |
time (using the "nop" backend). |
104 |
|
105 |
== Generic interface and monitor commands == |
106 |
|
107 |
You can programmatically query and control the dynamic state of trace events |
108 |
through a backend-agnostic interface: |
109 |
|
110 |
* trace_print_events |
111 |
|
112 |
* trace_event_set_state |
113 |
Enables or disables trace events at runtime inside QEMU. |
114 |
The function returns "true" if the state of the event has been successfully |
115 |
changed, or "false" otherwise: |
116 |
|
117 |
#include "trace/control.h" |
118 |
|
119 |
trace_event_set_state("virtio_irq", true); /* enable */ |
120 |
[...] |
121 |
trace_event_set_state("virtio_irq", false); /* disable */ |
122 |
|
123 |
Note that some of the backends do not provide an implementation for this |
124 |
interface, in which case QEMU will just print a warning. |
125 |
|
126 |
This functionality is also provided through monitor commands: |
127 |
|
128 |
* info trace-events |
129 |
View available trace events and their state. State 1 means enabled, state 0 |
130 |
means disabled. |
131 |
|
132 |
* trace-event NAME on|off |
133 |
Enable/disable a given trace event. |
134 |
|
135 |
The "-trace events=<file>" command line argument can be used to enable the |
136 |
events listed in <file> from the very beginning of the program. This file must |
137 |
contain one event name per line. |
138 |
|
139 |
== Trace backends == |
140 |
|
141 |
The "tracetool" script automates tedious trace event code generation and also |
142 |
keeps the trace event declarations independent of the trace backend. The trace |
143 |
events are not tightly coupled to a specific trace backend, such as LTTng or |
144 |
SystemTap. Support for trace backends can be added by extending the "tracetool" |
145 |
script. |
146 |
|
147 |
The trace backend is chosen at configure time and only one trace backend can |
148 |
be built into the binary: |
149 |
|
150 |
./configure --trace-backend=simple |
151 |
|
152 |
For a list of supported trace backends, try ./configure --help or see below. |
153 |
|
154 |
The following subsections describe the supported trace backends. |
155 |
|
156 |
=== Nop === |
157 |
|
158 |
The "nop" backend generates empty trace event functions so that the compiler |
159 |
can optimize out trace events completely. This is the default and imposes no |
160 |
performance penalty. |
161 |
|
162 |
Note that regardless of the selected trace backend, events with the "disable" |
163 |
property will be generated with the "nop" backend. |
164 |
|
165 |
=== Stderr === |
166 |
|
167 |
The "stderr" backend sends trace events directly to standard error. This |
168 |
effectively turns trace events into debug printfs. |
169 |
|
170 |
This is the simplest backend and can be used together with existing code that |
171 |
uses DPRINTF(). |
172 |
|
173 |
=== Simpletrace === |
174 |
|
175 |
The "simple" backend supports common use cases and comes as part of the QEMU |
176 |
source tree. It may not be as powerful as platform-specific or third-party |
177 |
trace backends but it is portable. This is the recommended trace backend |
178 |
unless you have specific needs for more advanced backends. |
179 |
|
180 |
The "simple" backend currently does not capture string arguments, it simply |
181 |
records the char* pointer value instead of the string that is pointed to. |
182 |
|
183 |
==== Monitor commands ==== |
184 |
|
185 |
* info trace |
186 |
Display the contents of trace buffer. This command dumps the trace buffer |
187 |
with simple formatting. For full pretty-printing, use the simpletrace.py |
188 |
script on a binary trace file. |
189 |
|
190 |
The trace buffer is written into until full. The full trace buffer is |
191 |
flushed and emptied. This means the 'info trace' will display few or no |
192 |
entries if the buffer has just been flushed. |
193 |
|
194 |
* trace-file on|off|flush|set <path> |
195 |
Enable/disable/flush the trace file or set the trace file name. |
196 |
|
197 |
==== Analyzing trace files ==== |
198 |
|
199 |
The "simple" backend produces binary trace files that can be formatted with the |
200 |
simpletrace.py script. The script takes the "trace-events" file and the binary |
201 |
trace: |
202 |
|
203 |
./simpletrace.py trace-events trace-12345 |
204 |
|
205 |
You must ensure that the same "trace-events" file was used to build QEMU, |
206 |
otherwise trace event declarations may have changed and output will not be |
207 |
consistent. |
208 |
|
209 |
=== LTTng Userspace Tracer === |
210 |
|
211 |
The "ust" backend uses the LTTng Userspace Tracer library. There are no |
212 |
monitor commands built into QEMU, instead UST utilities should be used to list, |
213 |
enable/disable, and dump traces. |
214 |
|
215 |
=== SystemTap === |
216 |
|
217 |
The "dtrace" backend uses DTrace sdt probes but has only been tested with |
218 |
SystemTap. When SystemTap support is detected a .stp file with wrapper probes |
219 |
is generated to make use in scripts more convenient. This step can also be |
220 |
performed manually after a build in order to change the binary name in the .stp |
221 |
probes: |
222 |
|
223 |
scripts/tracetool --dtrace --stap \ |
224 |
--binary path/to/qemu-binary \ |
225 |
--target-type system \ |
226 |
--target-arch x86_64 \ |
227 |
<trace-events >qemu.stp |