Quickies for DTrace
General
- Fixing "file is set-id or unreadable" with space-enabled file names
[permalink]
You might want to run dtrace against an program, which might has a space in the name:dtrace -n 'objc$target:NSUndoManager*:+alloc:entry' -c `pwd`/eClicker Presenter
And then you get the smackdown:dtrace: failed to execute /Users/markd/Library/Developer/.../eClicker: file is set-id or unreadable [Note: the '-c' option requires a full pathname to the file]
But it's right there! The path must be getting passed around, and needs some extra backslashes:dtrace -v -n 'objc$target:NSUndoManager*:-init*:entry' -c ./eClicker\\\ Presenter
(In case the quickies stripped off the backslashes, it's three backslashes, then a space, thenPresenter) - Fixing DIF offset error
[permalink]
Sometimes you might see this error when usingcopyinorcopyinstr:invalid address (0x10c86e3ce) in action #2 at DIF offset
This happens because the page in question hasn't been faulted in yet, or in general isn't available to the kernel or DTrace at this moment. This can happen if you're accessing the data in an:::entryclause before the data is used.To work around this, let the function you're tracing do its work, cause the fault of the data into memory, then access the data in the
:::returnclause. You'll need to hang on the pointer because the function arguments are not passed to:::return:syscall::open:entry { self->filename = arg0; } syscall::open:return /self->filename/ { @files[copyinstr(self->filename)] = count(); self->filename = 0; } END { trunc(@files, 5); } - Seeing what time machine is looking at
[permalink]
Curious what Time Machine is looking at while doing backups? This one-liner will show all of the files that are being opened:sudo dtrace -q -n 'syscall::open*:entry/execname=="backupd"/ { self->name = arg0; }' -n 'syscall::open*:return/execname=="backupd"/ { printf ( "%s opening %s\n ", execname, copyinstr(self->name)) ; self->name = 0}'Or in a more readable form:
syscall::open*:entry /execname=="backupd"/ { self->name = arg0; } syscall::open*:return /execname=="backupd"/ { printf ( "%s opening %s\n", execname, copyinstr(self->name)); self->name = 0; }Note that FileValue will cause errors of the kind "invalid user access in action #2 at DIF offset 24". I don't know how to work around that. - So, what's hammering my network / disk?
[permalink]
Sometimes your harddrive is cheebling, or maybe your DSL modem lights are lit up like a Christmas Tree. The network activity monitor in Mavericks is beyond useless for figuring out exactly who the guilty party is. DTrace to the rescue. Run this rootstyles:# dtrace -n 'syscall::read:entry { @read[execname] = sum(arg2); }' -n 'syscall::read_nocancel:entry { @read[execname] = sum(arg2); }' dtrace: description 'syscall::read:entry ' matched 1 probe dtrace: description 'syscall::read_nocancel:entry ' matched 1 probe ^C ... mdworker 27699995 dbfseventsd 37756854 ocspd 125588322 storeagent 431376595Sure enough, it's the MacAppStore program, downloading updates even though it's been told not to. - Timing stuff
[permalink]
To time stuff in DTrace, get the timestamp (wall-clock time) or vtimestamp (on-CPU time) in theentry. In thereturn, make sure you have a starting timestamp recorded (this avoids race conditions if the script is run if the function is currently in-flight). Then calculate the delta and do something with it (print it, aggregate it, whateva).some:probe:description:entry { self->start = timestamp; } some:probe:description:return /self->start != 0/ { this->delta = timestamp - self->start; trace (this->delta); self->start = 0; }