Random DTrace Tip: You Can’t Trace sbrk Because It’s Not A Syscall

The DTrace syscall provider is one of the most useful (and most used)
providers. Typically, people use the syscall provider to log and aggregate
any subset (or the entire set) of system calls made by an application.

For instance,

dtrace -n 'syscall::brk:entry {@[arg0] = count();}'

will trace all the brk system calls made, and count the number of times that
each distinct argument value was passed to it.

However,

dtrace -n 'syscall::sbrk:entry {@[arg0] = count();}'

will not work.

This is because, while brk() and sbrk() are valid Unix interfaces used to
modify the size of the calling process’s data segment, they aren’t system
calls themselves. They are functions in the standard C library that comes with
Illumos (or some other DTrace-enhanced system), and they wrap a system call.

In our case, Illumos only supports a system call that is identified as brk.

] dtrace -l -n 'syscall:::entry' | grep brk
72078   syscall                     brk entry

As it turns out, both the sbrk() function and brk() function are
implemented in terms of the brk system call.

] dtrace -n 'syscall::brk:entry {@[ustack()] = count();}'
...SNIP...
libc.so.1`_brk_unlocked+0xa
libc.so.1`sbrk+0x2e
libc.so.1`_morecore+0x119
libc.so.1`_malloc_unlocked+0x189
libc.so.1`malloc+0x2e
libc.so.1`_findbuf+0x84
libc.so.1`_ndoprnt+0x91
libc.so.1`vfprintf+0x9f
dtrace`oprintf+0xa2
dtrace`main+0x1607
dtrace`0x4034bc
  1
...SNIP...

If you want to get the argument that’s passed to sbrk() you’ll have to use
the pid provider, like so:

] dtrace -p $PID -n 'pid$target::sbrk:entry {@[arg0] = count();}'
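
The D script below is an added example, not part of the original post. It combines the pid-provider probe on sbrk() with the syscall::brk probe to show how many brk system calls are issued from inside sbrk(). The file name sbrk_brk.d and the aggregation and variable names are assumptions; libc.so.1 is the module shown in the stack trace above.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example; run as: dtrace -s sbrk_brk.d -p <pid>
 * (sbrk_brk.d is a hypothetical file name.)
 */
#pragma D option quiet

/* sbrk() lives in libc, so only the pid provider can see its argument. */
pid$target:libc.so.1:sbrk:entry
{
	self->in_sbrk = 1;
	@incr[arg0] = count();
}

/* Clear the per-thread flag when sbrk() returns. */
pid$target:libc.so.1:sbrk:return
{
	self->in_sbrk = 0;
}

/* The real system call; attribute it to sbrk() if this thread is inside it. */
syscall::brk:entry
/pid == $target/
{
	@origin[self->in_sbrk ? "from sbrk()" : "from another caller"] = count();
}

dtrace:::END
{
	printf("sbrk() increment in bytes -> calls\n");
	printa("  %d -> %@d\n", @incr);
	printf("brk system calls by origin\n");
	printa("  %s -> %@d\n", @origin);
}
```

Press Ctrl-C to stop tracing and print both aggregations.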