1.2 Providers and Probes

In the preceding examples, you learnt to use two simple probes named BEGIN and END. DTrace probes come from a set of kernel modules called providers, each of which performs a particular kind of instrumentation to create probes. When you use DTrace, each provider is given an opportunity to publish the probes it can provide to the DTrace framework. You can then enable and bind your tracing actions to any of the probes that have been published. To list all of the available probes on your system, type the command:

# dtrace -l 
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
    4    dt_test           dt_test                                   test
    5    syscall                                                read entry
    6    syscall                                                read return
    7    syscall                                               write entry
... many lines of output omitted ... 
#

It might take some time to display all of the output. To count all the probes, type the command:

# dtrace -l | wc -l
4097

You might observe a different total on your machine, as the number of probes varies depending on your operating platform, the software you have installed, and the provider modules that you have loaded. Notice that each probe has the two names we mentioned earlier, an integer ID and a human-readable name. The human readable name is composed of four parts, shown as separate columns in the dtrace output. The four parts of a probe name are:

provider

The name of the DTrace provider that is publishing this probe. For kernel probes, the provider name typically corresponds to the name of the DTrace kernel module that performs the instrumentation to enable the probe. For probes in user-space, it is the provider name that was defined for the program or library appended with the process ID of the running executable.

module

If this probe corresponds to a specific program location, the name of the kernel module, library, or user-space program in which the probe is located.

function

If this probe corresponds to a specific program location, the name of the program function in which the probe is located.

name

The final component of the probe name is a name that gives you some idea of the probe's semantic meaning, such as BEGIN or END.

When writing out the full human-readable name of a probe, write all four parts of the name separated by colons like this:

provider:module:function:name

Notice that some of the probes in the list do not have a module and function, such as the BEGIN and END probes used earlier. Some probes leave these two fields blank because these probes do not correspond to any specific instrumented program function or location. Instead, these probes refer to a more abstract concept like the idea of the end of your tracing request. A probe that has a module and function as part of its name is known as an anchored probe, and one that does not is known as an unanchored probe.

By convention, if you do not specify all of the fields of a probe name, DTrace matches your request to all of the probes that have matching values in the parts of the name that you do specify. In other words, when you used the probe name BEGIN earlier, you were actually telling DTrace to match any probe whose name field is BEGIN, regardless of the value of the provider, module, and function fields. As it happens, there is only one probe matching that description, so the result is the same. But you now know that the true name of the BEGIN probe is dtrace:::BEGIN, which indicates that this probe is provided by the DTrace framework itself and is not anchored to any function. Therefore, the hello.d program could have been written as follows and would produce the same result:

dtrace:::BEGIN
{
  trace("hello, world");
  exit(0);
}

Now that you understand where probes originate from and how they are named, we are going to learn a little more about what happens when you enable probes and ask DTrace to do something, and then we will return to our whirlwind tour of D.