Tracepoints
Tracepoint programs attach to stable kernel tracepoints. Unlike kprobes, tracepoints are part of the kernel ABI and less likely to change between versions.
Section Name
The section follows the format "tracepoint/category/event":
(defprog trace-fork (:type :tracepoint
                     :section "tracepoint/sched/sched_process_fork")
  0)
deftracepoint
Each tracepoint has a format file under tracefs that describes its fields.
deftracepoint reads this format at compile time and generates typed
accessor functions automatically:
(deftracepoint sched/sched-process-fork parent-pid child-pid)
This generates zero-argument accessor macros prefixed with tp-. For
sched_process_fork, the above generates (tp-parent-pid) and
(tp-child-pid). Each expands to a ctx-load at the correct offset,
read from the kernel's format file at
/sys/kernel/tracing/events/sched/sched_process_fork/format.
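To see what that compile-time lookup involves, the following added example (Python, not part of this project's code) parses a tracefs format file and reports the offset and size each accessor would load. The sample format text is constructed, and the hyphen-to-underscore name mapping is an assumption inferred from the names shown on this page.

```python
import re

# Constructed sample in the layout of a tracefs format file. Real offsets
# differ between kernels, which is why they are read rather than hard-coded.
SAMPLE_FORMAT = """\
name: sched_process_fork
ID: 300
format:
    field:unsigned short common_type; offset:0; size:2; signed:0;
    field:unsigned char common_flags; offset:2; size:1; signed:0;
    field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
    field:int common_pid; offset:4; size:4; signed:1;

    field:char parent_comm[16]; offset:8; size:16; signed:0;
    field:pid_t parent_pid; offset:24; size:4; signed:1;
    field:char child_comm[16]; offset:28; size:16; signed:0;
    field:pid_t child_pid; offset:44; size:4; signed:1;
"""

FIELD_RE = re.compile(r"^\s*field:(?P<decl>[^;]+);\s*offset:(?P<offset>\d+);"
                      r"\s*size:(?P<size>\d+);\s*signed:(?P<signed>[01]);")


def parse_format(text):
    """Return {kernel_field_name: {"type", "offset", "size", "signed"}}."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # header lines, blank separators, "print fmt:"
        # The declaration is "<type> <name>", with an optional [N] array suffix.
        ctype, _, name = m.group("decl").strip().rpartition(" ")
        fields[name.split("[", 1)[0]] = {
            "type": ctype,
            "offset": int(m.group("offset")),
            "size": int(m.group("size")),
            "signed": m.group("signed") == "1",
        }
    return fields


def accessor_layout(text, *lisp_names):
    """Map deftracepoint field names to the (offset, size) each accessor reads."""
    fields = parse_format(text)
    layout = {}
    for lisp in lisp_names:
        kernel = lisp.replace("-", "_")  # assumed mapping: parent-pid -> parent_pid
        if kernel not in fields:
            raise KeyError(f"tracepoint format has no field {kernel!r}")
        layout["tp-" + lisp] = (fields[kernel]["offset"], fields[kernel]["size"])
    return layout
```

To check a live system, pass the contents of the format file named above to accessor_layout; reading tracefs usually requires root.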
Example: Track Process Forks
Record parent and child PIDs for every fork:
(deftracepoint sched/sched-process-fork parent-pid child-pid)

(defstruct fork-event
  (parent-pid u32)
  (child-pid u32))

(defmap events :type :ringbuf
               :max-entries (* 256 1024))

(defprog trace-fork (:type :tracepoint
                     :section "tracepoint/sched/sched_process_fork")
  (with-ringbuf (e events (sizeof fork-event))
    (setf (fork-event-parent-pid e) (tp-parent-pid)
          (fork-event-child-pid e) (tp-child-pid)))
  0)
The tp-parent-pid and tp-child-pid accessors are zero-argument macros
generated by deftracepoint. They read from the correct offsets in the
tracepoint context structure, so there is no need to manually define field
offsets.