1#!/usr/bin/env python 2# @lint-avoid-python-3-compatibility-imports 3# 4# threadsnoop List new thread creation. 5# For Linux, uses BCC, eBPF. Embedded C. 6# 7# Copyright (c) 2019 Brendan Gregg. 8# Licensed under the Apache License, Version 2.0 (the "License"). 9# This was originally created for the BPF Performance Tools book 10# published by Addison Wesley. ISBN-13: 9780136554820 11# When copying or porting, include this comment. 12# 13# 02-Jul-2019 Brendan Gregg Ported from bpftrace to BCC. 14 15from __future__ import print_function 16from bcc import BPF 17 18# load BPF program 19b = BPF(text=""" 20#include <linux/sched.h> 21 22struct data_t { 23 u64 ts; 24 u32 pid; 25 u64 start; 26 char comm[TASK_COMM_LEN]; 27}; 28 29BPF_PERF_OUTPUT(events); 30 31void do_entry(struct pt_regs *ctx) { 32 struct data_t data = {}; 33 data.ts = bpf_ktime_get_ns(); 34 data.pid = bpf_get_current_pid_tgid() >> 32; 35 data.start = PT_REGS_PARM3(ctx); 36 bpf_get_current_comm(&data.comm, sizeof(data.comm)); 37 38 events.perf_submit(ctx, &data, sizeof(data)); 39}; 40""") 41 42# Since version 2.34, pthread features are integrated in libc 43try: 44 b.attach_uprobe(name="pthread", sym="pthread_create", fn_name="do_entry") 45except Exception: 46 b.attach_uprobe(name="c", sym="pthread_create", fn_name="do_entry") 47 48print("%-10s %-7s %-16s %s" % ("TIME(ms)", "PID", "COMM", "FUNC")) 49 50start_ts = 0 51 52# process event 53def print_event(cpu, data, size): 54 global start_ts 55 event = b["events"].event(data) 56 if start_ts == 0: 57 start_ts = event.ts 58 func = b.sym(event.start, event.pid) 59 if (func == "[unknown]"): 60 func = hex(event.start) 61 print("%-10d %-7d %-16s %s" % ((event.ts - start_ts) / 1000000, 62 event.pid, event.comm, func)) 63 64b["events"].open_perf_buffer(print_event) 65while 1: 66 try: 67 b.perf_buffer_poll() 68 except KeyboardInterrupt: 69 exit() 70