NAME¶

stacksnoop - Print kernel stack traces for kernel functions. Uses Linux eBPF/bcc.

SYNOPSIS¶

stacksnoop [-h] [-p PID] [-s] [-v] function

DESCRIPTION¶

stacksnoop traces a given kernel function and for each call, prints the kernel stack back trace for that call. This shows the ancestry of function calls, and is a quick way to investigate low frequency kernel functions and their cause. For high frequency kernel functions, see stackcount.

This tool only works on Linux 4.6+. Stack traces are obtained using the new BPF_STACK_TRACE` APIs. For kernels older than 4.6, see the version under tools/old.

REQUIREMENTS¶

CONFIG_BPF and bcc.

OPTIONS¶

-h

Print usage message.

-s

Show address offsets.

-v

Print more fields.

-p PID

Trace this process ID only (filtered in-kernel).

function

Kernel function name.

EXAMPLES¶

Print kernel stack traces for each call to ext4_sync_fs:

# stacksnoop ext4_sync_fs

Also show the symbol offsets:

# stacksnoop -s ext4_sync_fs

Show extra columns:

# stacksnoop -v ext4_sync_fs

Only trace when PID 185 is on-CPU:

# stacksnoop -p 185 ext4_sync_fs

FIELDS¶

TIME(s)

Time of the call, in seconds.

STACK

Kernel stack trace. The first column shows "ip" for instruction pointer, and "r#" for each return pointer in the stack. The second column is the stack trace as hexadecimal. The third column is the translated kernel symbol names.

OVERHEAD¶

This can have significant overhead if frequently called functions (> 1000/s) are traced, and is only intended for low frequency function calls. This is because details including the stack trace for every call is passed to user space and processed. See stackcount for higher frequency calls, which performs in-kernel summaries.

SOURCE¶

This is from bcc.

https://github.com/iovisor/bcc

Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

OS¶

Linux

STABILITY¶

Unstable - in development.

AUTHOR¶

Brendan Gregg

SEE ALSO¶

stackcount(8)