Re: [PATCH v4 1/8] tracing: wprobe: Add watchpoint probe event based on hardware breakpoint
From: Randy Dunlap <hidden>
Date: 2025-09-15 00:14:48
Also in:
linux-doc, linux-perf-users, lkml
Hi, On 9/14/25 7:09 AM, Masami Hiramatsu (Google) wrote:
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Add a new probe event for the hardware breakpoint called wprobe-event.
This wprobe allows user to trace (watch) the memory access at the
specified memory address.
The new syntax is;
w[:[GROUP/]EVENT] [r|w|rw]@[ADDR|SYM][:SIZE] [FETCH_ARGs]
User also can use $addr to fetch the accessed address. But no other
variables are supported. To record updated value, use '+0($addr)'.
For example, tracing updates of the jiffies;
/sys/kernel/tracing # echo 'w:my_jiffies w@jiffies' >> dynamic_events
/sys/kernel/tracing # cat dynamic_events
w:wprobes/my_jiffies w@jiffies:4
/sys/kernel/tracing # echo 1 > events/wprobes/my_jiffies/enable
/sys/kernel/tracing # head -n 20 trace | tail -n 5
# TASK-PID CPU# ||||| TIMESTAMP FUNCTION
# | | | ||||| | |
<idle>-0 [000] d.Z1. 206.547317: my_jiffies: (tick_do_update_jiffies64+0xbe/0x130)
<idle>-0 [000] d.Z1. 206.548341: my_jiffies: (tick_do_update_jiffies64+0xbe/0x130)
<idle>-0 [000] d.Z1. 206.549346: my_jiffies: (tick_do_update_jiffies64+0xbe/0x130)
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
---
Changes in v3:
- Enclose the register-API dependent code in trace_probe.c with
CONFIG_HAVE_FUNCTION_ARG_ACCESS_API.
---
Documentation/trace/index.rst | 1
Documentation/trace/wprobetrace.rst | 69 ++++
include/linux/trace_events.h | 2
kernel/trace/Kconfig | 14 +
kernel/trace/Makefile | 1
kernel/trace/trace.c | 9
kernel/trace/trace.h | 5
kernel/trace/trace_probe.c | 22 +
kernel/trace/trace_probe.h | 8
kernel/trace/trace_wprobe.c | 685 +++++++++++++++++++++++++++++++++++
10 files changed, 813 insertions(+), 3 deletions(-)
create mode 100644 Documentation/trace/wprobetrace.rst
create mode 100644 kernel/trace/trace_wprobe.cquoted hunk ↗ jump to hunk
diff --git a/Documentation/trace/wprobetrace.rst b/Documentation/trace/wprobetrace.rst new file mode 100644 index 000000000000..9774f57e2947 --- /dev/null +++ b/Documentation/trace/wprobetrace.rst@@ -0,0 +1,69 @@ +.. SPDX-License-Identifier: GPL-2.0 + +======================================= +Watchpoint probe (wprobe) Event Tracing +======================================= + +.. Author: Masami Hiramatsu <mhiramat@kernel.org> + +Overview +-------- + +Wprobe event is a dynamic event based on the hardware breakpoint, which is +similar to other probe events, but it is for watching data access. It allows +you to trace which code accesses a specified data. + +As same as other dynamic events, wprobe events are defined via +`dynamic_events` interface file on tracefs. + +Synopsis of wprobe-events +------------------------- +:: + + w:[GRP/][EVENT] SPEC [FETCHARGS] : Probe on data access + + GRP : Group name for wprobe. If omitted, use "wprobes" for it. + EVENT : Event name for wprobe. If omitted, an event name is + generated based on the address or symbol. + SPEC : Breakpoint specification. + [r|w|rw]@<ADDRESS|SYMBOL[+|-OFFS]>[:LENGTH] + + r|w|rw : Access type, r for read, w for write, and rw for both. + Use rw if omitted.
Default is rw if omitted.
+ ADDRESS : Address to trace (hexadecimal). + SYMBOL : Symbol name to trace. + LENGTH : Length of the data to trace in bytes. (1, 2, 4, or 8) + + FETCHARGS : Arguments. Each probe can have up to 128 args. + $addr : Fetch the accessing address. + @ADDR : Fetch memory at ADDR (ADDR should be in kernel) + @SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol) + +|-[u]OFFS(FETCHARG) : Fetch memory at FETCHARG +|- OFFS address.(\*1)(\*2) + \IMM : Store an immediate value to the argument. + NAME=FETCHARG : Set NAME as the argument name of FETCHARG. + FETCHARG:TYPE : Set TYPE as the type of FETCHARG. Currently, basic types + (u8/u16/u32/u64/s8/s16/s32/s64), hexadecimal types + (x8/x16/x32/x64), "char", "string", "ustring", "symbol", "symstr" + and bitfield are supported. + + (\*1) this is useful for fetching a field of data structures. + (\*2) "u" means user-space dereference. + +For the details of TYPE, see :ref:`kprobetrace documentation <kprobetrace_types>`. + +Usage examples +-------------- +Here is an example to add a wprobe event on a variable `jiffies`. +:: + + # echo 'w:my_jiffies w@jiffies' >> dynamic_events + # cat dynamic_events + w:wprobes/my_jiffies w@jiffies + # echo 1 > events/wprobes/enable + # cat trace | head + # TASK-PID CPU# ||||| TIMESTAMP FUNCTION + # | | | ||||| | | + <idle>-0 [000] d.Z1. 717.026259: my_jiffies: (tick_do_update_jiffies64+0xbe/0x130) + <idle>-0 [000] d.Z1. 717.026373: my_jiffies: (tick_do_update_jiffies64+0xbe/0x130) + +You can see the code which writes to `jiffies` is `do_timer()`.
I'm having trouble getting from tick_do_update_jiffies64+0xbe/0x130, which I expect is jiffies_64 += ticks; in that function, over to do_timer(), which also updates jiffies_64, but is not called by tick_do_update_jiffies64(). AFAICT, there are no calls to do_timer() in the file (kernel/time/tick-sched.c). Can you explain, please?
quoted hunk ↗ jump to hunk
diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig index d2c79da81e4f..dd8919386425 100644 --- a/kernel/trace/Kconfig +++ b/kernel/trace/Kconfig@@ -807,6 +807,20 @@ config EPROBE_EVENTS convert the type of an event field. For example, turn an address into a string. +config WPROBE_EVENTS + bool "Enable wprobe-based dynamic events" + depends on TRACING + depends on HAVE_HW_BREAKPOINT + select PROBE_EVENTS + select DYNAMIC_EVENTS + default y
Wny default y?
+ help + This allows the user to add watchpoint tracing events based on + hardware breakpoints on the fly via the ftrace interface. + + Those events can be inserted wherever hardware breakpoints can be + set, and record various register and memory values. + config BPF_EVENTS depends on BPF_SYSCALL depends on (KPROBE_EVENTS || UPROBE_EVENTS) && PERF_EVENTS
thanks. -- ~Randy