
Are tracepoints redundant in Linux kernel after kprobes support for ftrace?


What are the use cases for tracepoint events when kprobe event support for ftrace is available in the Linux kernel? It seems everything that can be done using 'tracepoint events' can also be done using kprobe events, since one can set up a kprobe event at the same point where a tracepoint event is available.

Am I missing something?


Solution

  • Since kprobes trace arbitrary functions, tools relying on them may easily break from one Linux version to the next. For instance, the name of the function or one of its arguments can be changed, or the whole function might be removed. This sort of change happens frequently and can break kprobe-based tools.

    Conversely, tracepoints are more stable. They should remain mostly the same and provide the same information. In addition, they are documented; you can find the type and location of information provided by tracepoints in /sys/kernel/debug/tracing:

    # cat /sys/kernel/debug/tracing/events/skb/kfree_skb/format 
    name: kfree_skb
    ID: 1122
    format:
        field:unsigned short common_type;   offset:0;   size:2; signed:0;
        field:unsigned char common_flags;   offset:2;   size:1; signed:0;
        field:unsigned char common_preempt_count;   offset:3;   size:1; signed:0;
        field:int common_pid;   offset:4;   size:4; signed:1;
    
        field:void * skbaddr;   offset:8;   size:8; signed:0;
        field:void * location;  offset:16;  size:8; signed:0;
        field:unsigned short protocol;  offset:24;  size:2; signed:0;
    
    print fmt: "skbaddr=%p protocol=%u location=%p", REC->skbaddr, REC->protocol, REC->location
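
The format file quoted above is what lets a tool read a tracepoint without hard-coding kernel internals. The following is an added example, not part of the original answer: it parses that format text and decodes one raw record by the published offsets and sizes. The function names, the little-endian assumption and the sample record bytes are constructed for illustration.

```python
import re
import struct

# Constructed input: the kfree_skb format text quoted in the answer above.
SAMPLE_FORMAT = """name: kfree_skb
ID: 1122
format:
    field:unsigned short common_type;   offset:0;   size:2; signed:0;
    field:unsigned char common_flags;   offset:2;   size:1; signed:0;
    field:unsigned char common_preempt_count;   offset:3;   size:1; signed:0;
    field:int common_pid;   offset:4;   size:4; signed:1;

    field:void * skbaddr;   offset:8;   size:8; signed:0;
    field:void * location;  offset:16;  size:8; signed:0;
    field:unsigned short protocol;  offset:24;  size:2; signed:0;

print fmt: "skbaddr=%p protocol=%u location=%p", REC->skbaddr, REC->protocol, REC->location
"""

FIELD_RE = re.compile(r"field:([^;]+);\s*offset:(\d+);\s*size:(\d+);\s*signed:([01]);")

def parse_format(text):
    """Return (event name, event ID, list of field dicts) from a format file."""
    name = re.search(r"^name:\s*(\S+)", text, re.M).group(1)
    event_id = int(re.search(r"^ID:\s*(\d+)", text, re.M).group(1))
    fields = []
    for decl, offset, size, signed in FIELD_RE.findall(text):
        # The field name is the last identifier in the C declaration.
        fname = re.search(r"(\w+)\s*(?:\[[^\]]*\])?\s*$", decl).group(1)
        fields.append({"name": fname, "offset": int(offset),
                       "size": int(size), "signed": signed == "1"})
    return name, event_id, fields

def decode_record(fields, raw, byteorder="little"):
    """Decode scalar fields of one raw record using the parsed layout."""
    out = {}
    for f in fields:
        chunk = raw[f["offset"]:f["offset"] + f["size"]]
        if len(chunk) != f["size"]:
            raise ValueError("record too short for field " + f["name"])
        out[f["name"]] = int.from_bytes(chunk, byteorder, signed=f["signed"])
    return out

# Constructed 26-byte record (values are made up, not captured from a system).
SAMPLE_RECORD = struct.pack("<HBBiQQH", 1122, 0, 1, -1, 0xFFFF888000001000,
                            0xFFFFFFFF81000000, 0x0800)

if __name__ == "__main__":
    name, event_id, fields = parse_format(SAMPLE_FORMAT)
    print(name, event_id, decode_record(fields, SAMPLE_RECORD))
```

Because the layout is read from the format file at run time, the decoder keeps working if a kernel version moves or resizes a field, which is the stability property the answer attributes to tracepoints.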