为什么 sys_futex 上的 kretprobe 调用频率低于相应的 kprobe?
Why is a kretprobe on sys_futex called less often than a corresponding kprobe?
我正在跟踪各种内核函数和系统调用,并在它们之间建立可用于某些性能分析的模式。
我注意到的一件事是,有时,即使在我的简单测试应用程序中,它启动了一些使用一些互斥锁的线程,我也不会收到任何对 kretprobe__sys_futex 的调用,但我会得到kprobe__sys_futex.
很多
我认为这是因为例如一个线程正在调用 sys_futex,然后进入休眠状态或可能终止,但我实际上看到相同的进程连续多次调用 sys_futex,而 return 探测器从未注意到任何事情。
然后我假设问题出在我如何过滤对 kprobe__sys_futex 的调用,所以我使用 BCC/eBPF 做了一个最小的例子来测试这个:
#! /usr/bin/env python
from bcc import BPF
b = BPF(text="""
BPF_HASH(call_count, int, int);
int kprobe__sys_futex() {
int zero = 0;
call_count.lookup_or_init(&zero, &zero);
bpf_trace_printk("futex start\n");
call_count.increment(zero);
return 0;
}
int kretprobe__sys_futex() {
int zero = 0;
int *val_p = call_count.lookup(&zero);
if (val_p != NULL) {
int val = *val_p;
val--;
call_count.update(&zero, &val);
bpf_trace_printk("futex calls with no return: %d\n", val);
} else { bpf_trace_printk("unexpected futex return\n"); }
return 0;
}
""")
b.trace_print()
我注意到在各种应用程序中(一个很好的例子是 mysql-server,即使在空闲时它也会定期进行 futex 操作 - 至少在我的机器上),很多(通常是 10+)futex start 会在来自 return 探测器的消息之前打印。
这是我在 运行 编写此 post:
时离开 运行 几分钟的上述程序的示例跟踪
... hundreds of lines of much the same as below
gdbus-612 [001] .... 211229.997665: 0x00000001: futex start
NetworkManager-541 [001] .... 211229.997667: 0x00000001: futex start
gdbus-612 [001] .... 211229.997670: 0x00000001: futex start
mysqld-697 [001] .... 211230.789205: 0x00000001: futex start
mysqld-697 [001] .... 211230.789227: 0x00000001: futex start
mysqld-703 [001] .... 211230.789251: 0x00000001: futex start
mysqld-703 [001] .... 211230.789253: 0x00000001: futex start
mysqld-704 [001] d... 211230.789258: 0x00000001: futex calls with no return: 3994
mysqld-704 [001] .... 211230.789259: 0x00000001: futex start
mysqld-704 [001] d... 211230.789260: 0x00000001: futex calls with no return: 3994
mysqld-704 [001] .... 211230.789272: 0x00000001: futex start
mysqld-713 [000] .... 211231.037016: 0x00000001: futex start
mysqld-713 [000] .... 211231.037036: 0x00000001: futex start
vmstats-895 [000] .... 211231.464867: 0x00000001: futex start
mysqld-697 [001] .... 211231.790738: 0x00000001: futex start
mysqld-697 [001] .... 211231.790784: 0x00000001: futex start
mysqld-703 [001] .... 211231.790796: 0x00000001: futex start
mysqld-703 [001] .... 211231.790799: 0x00000001: futex start
mysqld-704 [001] d... 211231.790809: 0x00000001: futex calls with no return: 4001
mysqld-704 [001] .... 211231.790812: 0x00000001: futex start
mysqld-704 [001] d... 211231.790814: 0x00000001: futex calls with no return: 4001
如您所见,例如,pid 697 似乎已经调用了 sys_futex 四次而没有 returning 就在这个小跟踪中。
我认为这不是 eBPF 代码中的竞争条件,因为如果您将打印语句设为静音并且只定期打印,对于 sys_write,计数通常会限制在零附近,这会发生数量级比 sys_futex 更频繁(至少在我的系统的工作负载上),所以我预计任何竞争条件都会加剧而不是解决。
我是 运行 内核 4.15.0-43-generic,在 Ubuntu 18.04 LTS 上,它位于 VirtualBox 中。
很高兴提供更多可能有用的上下文!
IOVisor 邮件列表中有一个相关主题:https://lists.iovisor.org/g/iovisor-dev/topic/29702757
这是密件抄送的已知限制(参见 iovisor/bcc#1072)。基本上,对于您的跟踪上下文,活动探测器的最大数量设置得太低,因此您缺少一些 return 探测器。
在 bcc 中,maxactive 值(活动探测的最大数量,请参阅下面的文档摘录)保留为其默认值。由于 Alban Crequy 对 Linux 内核的补丁(参见 iovisor/bcc#1072),通过 debugfs 附加探测器时可以更改 maxactive 值。不过,新的 API 尚未通过密件抄送公开。本周我会尝试发送一个补丁来达到这个效果。
While the probed function is executing, its return address is
stored in an object of type kretprobe_instance. Before calling
register_kretprobe(), the user sets the maxactive field of the
kretprobe struct to specify how many instances of the specified
function can be probed simultaneously. register_kretprobe()
pre-allocates the indicated number of kretprobe_instance objects.
For example, if the function is non-recursive and is called with a
spinlock held, maxactive = 1 should be enough. If the function is
non-recursive and can never relinquish the CPU (e.g., via a semaphore
or preemption), NR_CPUS should be enough. If maxactive <= 0, it is
set to a default value. If CONFIG_PREEMPT is enabled, the default
is max(10, 2*NR_CPUS). Otherwise, the default is NR_CPUS.
我正在跟踪各种内核函数和系统调用,并在它们之间建立可用于某些性能分析的模式。
我注意到的一件事是,有时,即使在我的简单测试应用程序中,它启动了一些使用一些互斥锁的线程,我也不会收到任何对 kretprobe__sys_futex 的调用,但我会得到kprobe__sys_futex.
我认为这是因为例如一个线程正在调用 sys_futex,然后进入休眠状态或可能终止,但我实际上看到相同的进程连续多次调用 sys_futex,而 return 探测器从未注意到任何事情。
然后我假设问题出在我如何过滤对 kprobe__sys_futex 的调用,所以我使用 BCC/eBPF 做了一个最小的例子来测试这个:
#! /usr/bin/env python
from bcc import BPF
b = BPF(text="""
BPF_HASH(call_count, int, int);
int kprobe__sys_futex() {
int zero = 0;
call_count.lookup_or_init(&zero, &zero);
bpf_trace_printk("futex start\n");
call_count.increment(zero);
return 0;
}
int kretprobe__sys_futex() {
int zero = 0;
int *val_p = call_count.lookup(&zero);
if (val_p != NULL) {
int val = *val_p;
val--;
call_count.update(&zero, &val);
bpf_trace_printk("futex calls with no return: %d\n", val);
} else { bpf_trace_printk("unexpected futex return\n"); }
return 0;
}
""")
b.trace_print()
我注意到在各种应用程序中(一个很好的例子是 mysql-server,即使在空闲时它也会定期进行 futex 操作 - 至少在我的机器上),很多(通常是 10+)futex start 会在来自 return 探测器的消息之前打印。
这是我在 运行 编写此 post:
时离开 运行 几分钟的上述程序的示例跟踪... hundreds of lines of much the same as below
gdbus-612 [001] .... 211229.997665: 0x00000001: futex start
NetworkManager-541 [001] .... 211229.997667: 0x00000001: futex start
gdbus-612 [001] .... 211229.997670: 0x00000001: futex start
mysqld-697 [001] .... 211230.789205: 0x00000001: futex start
mysqld-697 [001] .... 211230.789227: 0x00000001: futex start
mysqld-703 [001] .... 211230.789251: 0x00000001: futex start
mysqld-703 [001] .... 211230.789253: 0x00000001: futex start
mysqld-704 [001] d... 211230.789258: 0x00000001: futex calls with no return: 3994
mysqld-704 [001] .... 211230.789259: 0x00000001: futex start
mysqld-704 [001] d... 211230.789260: 0x00000001: futex calls with no return: 3994
mysqld-704 [001] .... 211230.789272: 0x00000001: futex start
mysqld-713 [000] .... 211231.037016: 0x00000001: futex start
mysqld-713 [000] .... 211231.037036: 0x00000001: futex start
vmstats-895 [000] .... 211231.464867: 0x00000001: futex start
mysqld-697 [001] .... 211231.790738: 0x00000001: futex start
mysqld-697 [001] .... 211231.790784: 0x00000001: futex start
mysqld-703 [001] .... 211231.790796: 0x00000001: futex start
mysqld-703 [001] .... 211231.790799: 0x00000001: futex start
mysqld-704 [001] d... 211231.790809: 0x00000001: futex calls with no return: 4001
mysqld-704 [001] .... 211231.790812: 0x00000001: futex start
mysqld-704 [001] d... 211231.790814: 0x00000001: futex calls with no return: 4001
如您所见,例如,pid 697 似乎已经调用了 sys_futex 四次而没有 returning 就在这个小跟踪中。
我认为这不是 eBPF 代码中的竞争条件,因为如果您将打印语句设为静音并且只定期打印,对于 sys_write,计数通常会限制在零附近,这会发生数量级比 sys_futex 更频繁(至少在我的系统的工作负载上),所以我预计任何竞争条件都会加剧而不是解决。
我是 运行 内核 4.15.0-43-generic,在 Ubuntu 18.04 LTS 上,它位于 VirtualBox 中。
很高兴提供更多可能有用的上下文!
IOVisor 邮件列表中有一个相关主题:https://lists.iovisor.org/g/iovisor-dev/topic/29702757
这是密件抄送的已知限制(参见 iovisor/bcc#1072)。基本上,对于您的跟踪上下文,活动探测器的最大数量设置得太低,因此您缺少一些 return 探测器。
在 bcc 中,maxactive 值(活动探测的最大数量,请参阅下面的文档摘录)保留为其默认值。由于 Alban Crequy 对 Linux 内核的补丁(参见 iovisor/bcc#1072),通过 debugfs 附加探测器时可以更改 maxactive 值。不过,新的 API 尚未通过密件抄送公开。本周我会尝试发送一个补丁来达到这个效果。
While the probed function is executing, its return address is stored in an object of type kretprobe_instance. Before calling register_kretprobe(), the user sets the maxactive field of the kretprobe struct to specify how many instances of the specified function can be probed simultaneously. register_kretprobe() pre-allocates the indicated number of kretprobe_instance objects.
For example, if the function is non-recursive and is called with a spinlock held, maxactive = 1 should be enough. If the function is non-recursive and can never relinquish the CPU (e.g., via a semaphore or preemption), NR_CPUS should be enough. If maxactive <= 0, it is set to a default value. If CONFIG_PREEMPT is enabled, the default is max(10, 2*NR_CPUS). Otherwise, the default is NR_CPUS.