deftracepoint

deftracepoint reads a kernel tracepoint format file at macroexpand time and generates zero-cost accessor macros for each field.

Syntax

(deftracepoint category/event-name [field1 field2 ...])

category/event-name is a symbol like sched/sched-switch. Hyphens are converted to underscores for the filesystem lookup.

field1, field2, ... optionally restrict which fields to import. If omitted, all non-common_ fields are imported.

How it works

At macroexpand time, Whistler reads the tracefs format file at:

/sys/kernel/tracing/events/{category}/{event}/format

It parses each field declaration to extract the name, byte offset, size, signedness, and array dimensions. For each selected field, it generates a macro:

(tp-FIELD)  ;; expands to (ctx-load TYPE OFFSET)

The tp- prefix is fixed. Types are inferred from the field size:

Size (bytes)  Unsigned  Signed
1             u8        i8
2             u16       i16
4             u32       i32
8             u64       i64

Array fields additionally generate a -ptr accessor:

(tp-FIELD-ptr)  ;; expands to (+ (ctx-load u64 0) OFFSET)

This gives you a pointer into the tracepoint context buffer, suitable for probe-read-kernel or probe-read-str.
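
The parsing and type inference described above, as an added Python sketch (not Whistler's own code) that can be used to check which offsets and types a format file yields. The sample format text is constructed; taking signedness from the `signed:` flag and emitting only the -ptr form for sizes outside the table are assumptions of this sketch.

```python
import re

# Constructed sample in the tracefs format-file layout (not read from a live kernel).
SAMPLE_FORMAT = """\
name: sched_switch
format:
\tfield:unsigned short common_type;\toffset:0;\tsize:2;\tsigned:0;

\tfield:char prev_comm[16];\toffset:8;\tsize:16;\tsigned:0;
\tfield:pid_t prev_pid;\toffset:24;\tsize:4;\tsigned:1;
\tfield:long prev_state;\toffset:32;\tsize:8;\tsigned:1;
\tfield:char next_comm[16];\toffset:40;\tsize:16;\tsigned:0;
\tfield:pid_t next_pid;\toffset:56;\tsize:4;\tsigned:1;
print fmt: "prev_comm=%s ..."
"""

FIELD_RE = re.compile(r"^\s*field:(?P<decl>[^;]+);\s*offset:(?P<offset>\d+);"
                      r"\s*size:(?P<size>\d+);\s*signed:(?P<signed>[01]);")
DECL_RE = re.compile(r"(?P<name>\w+)(?:\[(?P<dim>\w*)\])?$")

def parse_format(text):
    """Return one dict per non-common_ field: name, offset, size, signed, array."""
    fields = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # header lines, blank lines, "print fmt:"
        d = DECL_RE.search(m["decl"].strip())
        if d is None or d["name"].startswith("common_"):
            continue
        fields.append({"name": d["name"], "offset": int(m["offset"]),
                       "size": int(m["size"]), "signed": m["signed"] == "1",
                       "array": d["dim"] is not None})
    return fields

def expansions(field):
    """Render the accessor expansions described above for one parsed field."""
    out = {}
    tp = "tp-" + field["name"].replace("_", "-")
    if field["size"] in (1, 2, 4, 8):  # sizes covered by the type table
        ctype = ("i" if field["signed"] else "u") + str(field["size"] * 8)
        out[tp] = f"(ctx-load {ctype} {field['offset']})"
    if field["array"]:  # pointer into the context buffer at the field's offset
        out[tp + "-ptr"] = f"(+ (ctx-load u64 0) {field['offset']})"
    return out

if __name__ == "__main__":
    for f in parse_format(SAMPLE_FORMAT):
        print(expansions(f))
```
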

Examples

Import specific fields from sched_process_fork:

(deftracepoint sched/sched-process-fork parent-pid child-pid)

;; Now available:
;; (tp-parent-pid) -> (ctx-load u32 24)   ; exact offset from format file
;; (tp-child-pid)  -> (ctx-load u32 28)

Import all fields from sched_switch:

(deftracepoint sched/sched-switch)

;; Generates tp-prev-comm, tp-prev-comm-ptr, tp-prev-pid,
;; tp-prev-prio, tp-prev-state, tp-next-comm, tp-next-comm-ptr,
;; tp-next-pid, tp-next-prio

Use in a tracepoint program:

(defprog trace-fork (:type :tracepoint
                     :section "tracepoint/sched/sched_process_fork"
                     :license "GPL")
  (setf (getmap ppid-map (tp-child-pid)) (tp-parent-pid))
  0)

Permissions

The format file must be readable by the compiling user. If running without root:

sudo chmod a+r /sys/kernel/tracing/events/sched/sched_process_fork/format

If the file is not found, Whistler also checks the debugfs fallback path at /sys/kernel/debug/tracing/events/.