{"id":410,"date":"2017-04-07T20:55:07","date_gmt":"2017-04-07T20:55:07","guid":{"rendered":"http:\/\/halobates.de\/blog\/?p=410"},"modified":"2024-07-23T20:24:38","modified_gmt":"2024-07-23T20:24:38","slug":"cheat-sheet-for-intel-processor-trace-with-linux-perf-and-gdb","status":"publish","type":"post","link":"http:\/\/halobates.de\/blog\/p\/410","title":{"rendered":"Cheat sheet for Intel Processor Trace with Linux perf and gdb"},"content":{"rendered":"

What is Processor Trace<\/h1>\n

Intel Processor Trace (PT) traces program execution (every branch) with low overhead.<\/p>\n

This is a cheat sheet of how to use PT with perf for common tasks<\/p>\n

It is not a full introduction to PT. Please read Adding PT to Linux perf<\/a> or the links from the general PT reference page<\/a>.<\/p>\n

PT support in hardware<\/h1>\n\n\n\n\n\n\n
CPU<\/td>\nSupport<\/td>\n<\/tr>\n
Broadwell (5th generation Core, Xeon v4)<\/td>\nMore overhead. No fine grained timing.<\/td>\n<\/tr>\n
Skylake (6th generation Core, Xeon v5)<\/td>\nFine grained timing. Address filtering.<\/td>\n<\/tr>\n
Goldmont (Apollo Lake, Denverton)<\/td>\nFine grained timing. Address filtering.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

PT support in Linux<\/h1>\n

PT is supported in Linux perf, which is integrated in the Linux kernel.
\nIt can be used through the “perf” command or through gdb.<\/p>\n

There are also other tools that support PT: VTune<\/a>, simple-pt<\/a>, gdb, JTAG debuggers.<\/p>\n

In general it is best to use the newest kernel and the newest Linux perf tools. If that is not possible older tools and kernels can be used. Newer tools can be used on an older kernel, but may not support all features<\/p>\n\n\n\n\n\n\n\n\n\n\n
Linux version<\/td>\nSupport<\/td>\n<\/tr>\n
Linux 4.1<\/td>\nInitial PT driver<\/td>\n<\/tr>\n
Linux 4.2<\/td>\nSupport for Skylake and Goldmont<\/td>\n<\/tr>\n
Linux 4.3<\/td>\nInitial user tools support in Linux perf<\/td>\n<\/tr>\n
Linux 4.5<\/td>\nSupport for JIT decoding using agent<\/td>\n<\/tr>\n
Linux 4.6<\/td>\nBug fixes. Support address filtering.<\/td>\n<\/tr>\n
Linux 4.8<\/td>\nBug fixes.<\/td>\n<\/tr>\n
Linux 4.10<\/td>\nBug fixes. Support for PTWRITE and power tracing<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Many commands require recent perf tools, you may need to update them rom a recent kernel tree.<\/p>\n

This article covers mainly Linux perf and briefly gdb.<\/p>\n

Preparations<\/h1>\n

Only needed once.<\/p>\n

Allow seeing kernel symbols (as root)<\/p>\n


\necho kernel.kptr_restrict=0' >> \/etc\/sysctl.conf
\nsysctl -p
\n<\/code><\/p>\n

Basic perf command lines for recording PT<\/h1>\n

ls \/sys\/devices\/intel_pt\/format<\/code><\/p>\n

Check if PT is supported and what capabilities.<\/p>\n

perf record -e intel_pt\/\/ program<\/code><\/p>\n

Trace program<\/p>\n

perf record -e intel_pt\/\/ -a sleep 1<\/code><\/p>\n

Trace whole system for 1 second<\/p>\n

perf record -C 0 -e intel_pt\/\/ -a sleep 1<\/code><\/p>\n

Trace CPU 0 for 1 second<\/p>\n

perf record --pid $(pidof program) -e intel_pt\/\/<\/code><\/p>\n

Trace already running program.<\/p>\n

perf has to save the data to disk. The CPU can execute branches much faster than than the disk can keep up, so there will be some data loss for code that executes
\nmany instructions. perf has no way to slow down the CPU, so when trace bandwidth > disk bandwidth there will be gaps in the trace. Because of this it is usually not a good idea
\nto try to save a long trace, but work with shorter traces. Long traces also take a lot of time to decode.<\/p>\n

When decoding kernel data the decoder usually has to run as root.
\nAn alternative is to use the perf-with-kcore.sh script included with perf<\/p>\n

perf script --ns --itrace=cr<\/code><\/p>\n

Record program execution and display function call graph.<\/p>\n

perf script by defaults “samples” the data (only dumps a sample every 100us).
\nThis can be configured using the –itrace option (see reference below)<\/p>\n

Install xed<\/a> first.<\/p>\n

perf script --itrace=i0ns --ns -F time,pid,comm,sym,symoff,insn,ip | xed -F insn: -S \/proc\/kallsyms -64<\/code><\/p>\n

Show every assembly instruction executed with disassembler.<\/p>\n

For this it is also useful to get more accurate time stamps (see below)<\/p>\n

perf script --itrace=i0ns --ns -F time,sym,srcline,ip <\/code><\/p>\n

Show source lines executed (requires debug information)<\/p>\n

perf script --itrace=s1Mi0ns .... <\/code><\/p>\n

Often initialization code is not interesting. Skip initial 1M instructions while decoding:<\/p>\n

perf script --time 1.000,2.000 ...<\/code><\/p>\n

Slice trace into different time regions Generally the time stamps need to be looked up first in the trace, as they are absolute.<\/p>\n

perf report --itrace=g32l64i100us --branch-history<\/code><\/p>\n

Print hot paths every 100us as call graph histograms<\/p>\n

Install Flame graph tools<\/a> first.<\/p>\n


\nperf script --itrace=i100usg | stackcollapse-perf.pl > workload.folded
\nflamegraph.pl workloaded.folded > workload.svg
\ngoogle-chrome workload.svg
\n<\/code><\/p>\n

Generate flame graph from execution, sampled every 100us<\/p>\n

Other ways to record data<\/h1>\n

perf record -a -e intel_pt\/\/ sleep 1<\/code><\/p>\n

Capture whole system for 1 second<\/p>\n

Use snapshot mode<\/p>\n

This collects data, but does not continuously save it all to disk. When an event of interest happens a data dump of the current buffer can be triggered by sending a SIGUSR2 signal to the perf process.<\/p>\n


\nperf record -a -e --snapshot intel_pt\/\/ sleep 1
\nPERF_PID=$!
\n*execute workload*<\/code><\/p>\n

<\/code><\/p>\n

*event happens*
\nkill -USR2 $PERF_PID<\/code><\/p>\n

<\/code><\/p>\n

*end of recording*
\nkill $PERF_PID>
\n<\/code><\/p>\n

Record kernel only, complete system<\/p>\n

perf record -a -e intel_pt\/\/k sleep 1<\/code><\/p>\n

Record user space only, complete system<\/p>\n

perf record -a -e intel_pt\/\/u <\/code><\/p>\n

Enable fine grained timing (needs Skylake\/Goldmont, adds more overhead)<\/p>\n

perf record -a -e intel_pt\/cyc=1,cyc_thresh=2\/ ...<\/code><\/p>\n


\necho $[100*1024*1024] > \/proc\/sys\/kernel\/perf_event_mlock_kb
\nperf record -m 512,100000 -e intel_pt\/\/ ...
\n<\/code><\/p>\n

Increase perf buffer to limit data loss<\/p>\n


\nperf record -e intel_pt\/\/ --filter 'filter main @ \/path\/to\/program' ...
\n<\/code><\/p>\n

Only record main function in program<\/p>\n


\nperf record -e intel_pt\/\/ -a --filter 'filter sys_write' program
\n<\/code><\/p>\n

Filter kernel code (needs 4.11+ kernel)<\/p>\n


\nperf record -e intel_pt\/\/ -a\u00a0 --filter 'stop func2 @ program' program
\n<\/code><\/p>\n

Stop tracing at func2.<\/p>\n


\nperf archive
\nrsync -r ~\/.debug perf.data other-system:
\n<\/code><\/p>\n

Transfer data to a trace on another system. May also require using perf-with-kcore.sh if decoding
\nkernel.<\/p>\n

Using gdb<\/h1>\n

Requires a new enough gdb built with libipt. For user space only.<\/p>\n


\ngdb program
\nstart
\nrecord btrace pt # cannot be done before start. has to be redone every re-start
\ncont<\/code><\/p>\n


\n<\/code><\/p>\n

record instruction-history \/m\t# show instructions
\nrecord function-call-history\t\t# show functions executed
\nreverse-step\u00a0 \u00a0# step backwards in time
\n<\/code><\/p>\n

For more information on gdb pt see the gdb documentation<\/a><\/p>\n

References<\/h1>\n

The perf PT documentation<\/a><\/p>\n

Reference for –itrace option (from perf documentation)<\/p>\n


\ni synthesize \"instructions\" events
\nb synthesize \"branches\" events
\nx synthesize \"transactions\" events
\nc synthesize branches events (calls only)
\nr synthesize branches events (returns only)
\ne synthesize tracing error events
\nd create a debug log
\ng synthesize a call chain (use with i or x)
\nl synthesize last branch entries (use with i or x)
\ns skip initial number of events
\n<\/code><\/p>\n

Reference for –filter option (from perf documentation)<\/p>\n

<\/code><\/p>\n

A hardware trace PMU advertises its ability to accept a number of
\naddress filters by specifying a non-zero value in
\n\/sys\/bus\/event_source\/devices\/ \/nr_addr_filters.<\/code><\/p>\n

Address filters have the format:<\/code><\/p>\n

<\/code><\/code><\/p>\n

filter|start|stop|tracestop [\/ ] [@]<\/p>\n

<\/code><\/code><\/p>\n

Where:
\n– ‘filter’: defines a region that will be traced.
\n– ‘start’: defines an address at which tracing will begin.
\n– ‘stop’: defines an address at which tracing will stop.
\n– ‘tracestop’: defines a region in which tracing will stop.<\/p>\n

<\/code><\/code><\/p>\n

is the name of the object file, is the offset to the
\ncode to trace in that file, and is the size of the region to
\ntrace. ‘start’ and ‘stop’ filters need not specify a .<\/p>\n

<\/code><\/code><\/p>\n

If no object file is specified then the kernel is assumed, in which case
\nthe start address must be a current kernel memory address.<\/p>\n

<\/code><\/code><\/p>\n

can also be specified by providing the name of a symbol. If the
\nsymbol name is not unique, it can be disambiguated by inserting #n where
\n‘n’ selects the n’th symbol in address order. Alternately #0, #g or #G
\nselect only a global symbol. can also be specified by providing
\nthe name of a symbol, in which case the size is calculated to the end
\nof that symbol. For ‘filter’ and ‘tracestop’ filters, if is
\nomitted and is a symbol, then the size is calculated to the end
\nof that symbol.<\/p>\n

<\/code><\/code><\/p>\n

If is omitted and is ‘*’, then the start and size will
\nbe calculated from the first and last symbols, i.e. to trace the whole
\nfile.
\nIf symbol names (or ‘*’) are provided, they must be surrounded by white
\nspace.<\/p>\n

<\/code><\/code><\/p>\n

The filter passed to the kernel is not necessarily the same as entered.
\nTo see the filter that is passed, use the -v option.<\/p>\n

<\/code><\/code><\/p>\n

The kernel may not be able to configure a trace region if it is not
\nwithin a single mapping. MMAP events (or \/proc\/ \/maps) can be
\nexamined to determine if that is a possibility.<\/p>\n


\n<\/code><\/p>\n

<\/code><\/p>\n

Multiple filters can be separated with space or comma.
\n<\/code><\/p>\n

v2: Fix some typos\/broken links<\/p>\n

v3: Update gdb commands<\/p>\n","protected":false},"excerpt":{"rendered":"

What is Processor Trace Intel Processor Trace (PT) traces program execution (every branch) with low overhead. This is a cheat sheet of how to use PT with perf for common tasks It is not a full introduction to PT. Please read Adding PT to Linux perf or the links from the general PT reference page. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[7,14,12,18,17,11],"tags":[],"_links":{"self":[{"href":"http:\/\/halobates.de\/blog\/wp-json\/wp\/v2\/posts\/410"}],"collection":[{"href":"http:\/\/halobates.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/halobates.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/halobates.de\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/halobates.de\/blog\/wp-json\/wp\/v2\/comments?post=410"}],"version-history":[{"count":23,"href":"http:\/\/halobates.de\/blog\/wp-json\/wp\/v2\/posts\/410\/revisions"}],"predecessor-version":[{"id":445,"href":"http:\/\/halobates.de\/blog\/wp-json\/wp\/v2\/posts\/410\/revisions\/445"}],"wp:attachment":[{"href":"http:\/\/halobates.de\/blog\/wp-json\/wp\/v2\/media?parent=410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/halobates.de\/blog\/wp-json\/wp\/v2\/categories?post=410"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/halobates.de\/blog\/wp-json\/wp\/v2\/tags?post=410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}