目录
参考
- perf_event内核框架
- tracepoint events
- software events
- hardware events
- perf_event_open系统调用内核源码分析
- perf_event_open 简介
内核版本
Linux 6.5
作者
pengdonglin137@163.com
正文
初始化
应用调用perf_event_open系统调用让内核创建perf_event时,内核创建了一个匿名文件,这个文件的file结构体的fops是perf_fops:
static const struct file_operations perf_fops = { .llseek = no_llseek, .release = perf_release, .read = perf_read, .poll = perf_poll, .unlocked_ioctl = perf_ioctl, .compat_ioctl = perf_compat_ioctl, .mmap = perf_mmap, .fasync = perf_fasync, };
应用在得到fd后,通过调用mmap来让内核分配ring buffer,用perf_buffer结构体表示,并且将ring buffer也映射给用户,后续应用和内核就可以通过共享内存的方式实现数据共享。跟这段缓冲区对应的vma的vm_ops是perf_mmap_vmops.
内核对mmap的长度的规定是必须满足1+2^n个页,其中第1个页只是用来存放结构体perf_event_mmap_page,其中存放的是元信息,后面的2^n个页用来存放具体的采样数据。
如果应用在mmap时设置了可写,那么perf_buffer的overwrite为0,表示内核在向缓冲区写数据时与需要跟应用进行同步,防止出现内容被覆盖的情况,当然如果应用读取不及时,会造成缓冲区满的情况,此时新数据将无法写入,发生overflow。
在perf_mmap中分配ring buffer的实现如下:
struct perf_buffer *rb; rb = rb_alloc(nr_pages, event->attr.watermark ? event->attr.wakeup_watermark : 0, event->cpu, flags); ring_buffer_attach(event, rb); perf_event_update_time(event); perf_event_init_userpage(event); perf_event_update_userpage(event);
调用rb_alloc分配出perf_buffer后,在ring_buffer_attach中会将rb赋值给perf_event的rb成员,分配缓冲区有两种实现方法,在编译时决定,一种是一页一页分配,这种方式会出现页之间的虚拟地址不连续,所以需要通过data_pages[]数组来记录每个页的地址,页的数量记录在rb->nr_pages中;第二种是调用vmalloc一次分配完毕,这样所有这些页的虚拟地址是连续的,此时nr_pages固定设置为1,即只需要data_pages[0],记录首地址即可,下图这种是连续的情况:
此外,内核调用perf_event_alloc来分配perf_event时,如果没有指定overflow_handler处理函数,那么内核会根据应用传递的参数设置默认的handler,假如应用没有要求按backwrite的写方向,那么handler就是perf_event_output_forward。
内核写
void perf_event_output_forward(struct perf_event *event, struct perf_sample_data *data, struct pt_regs *regs) { __perf_event_output(event, data, regs, perf_output_begin_forward); }
__perf_event_output
static __always_inline int __perf_event_output(struct perf_event *event, struct perf_sample_data *data, struct pt_regs *regs, int (*output_begin)(struct perf_output_handle *, struct perf_sample_data *, struct perf_event *, unsigned int)) { struct perf_output_handle handle; struct perf_event_header header; int err; /* protect the callchain buffers */ rcu_read_lock(); // 根据perf_event的设置以及当前的上下文来填充perf_sample_data,此时还没进ring buffer缓冲区 perf_prepare_sample(data, event, regs); // 填充perf_event_header,在缓冲区里内容是通过一个个以perf_event_header为首的结构体组成 perf_prepare_header(&header, data, event, regs); // perf_output_begin_forward,更新handle,其中记录的是要写入的地址 err = output_begin(&handle, data, event, header.size); if (err) goto exit; // 根据handle中记录的位置信息,将header、data等写入到缓冲区 perf_output_sample(&handle, &header, data, event); // 更新data_head,同时处理唤醒 perf_output_end(&handle); exit: rcu_read_unlock(); return err; }
perf_output_begin_forward
这个函数的作用是更新handle中操作缓冲区的成员,如addr表示要写入的位置,size表示剩余空间大小,page表示要写入的page的数组索引号。
- perf_output_begin_forward
int perf_output_begin_forward(struct perf_output_handle *handle, struct perf_sample_data *data, struct perf_event *event, unsigned int size) { return __perf_output_begin(handle, data, event, size, false); }
__perf_output_begin
static __always_inline int __perf_output_begin(struct perf_output_handle *handle, struct perf_sample_data *data, struct perf_event *event, unsigned int size, bool backward) { struct perf_buffer *rb; unsigned long tail, offset, head; int have_lost, page_shift; struct { struct perf_event_header header; u64 id; u64 lost; } lost_event; rcu_read_lock(); /* * For inherited events we send all the output towards the parent. */ if (event->parent) event = event->parent; rb = rcu_dereference(event->rb); if (unlikely(!rb)) goto out; if (unlikely(rb->paused)) { if (rb->nr_pages) { local_inc(&rb->lost); atomic64_inc(&event->lost_samples); } goto out; } handle->rb = rb; handle->event = event; have_lost = local_read(&rb->lost); if (unlikely(have_lost)) { size += sizeof(lost_event); if (event->attr.sample_id_all) size += event->id_header_size; } // 关闭抢占,同时将rb->nest加1,同时记录rb->wakeup到handle中,用于处理是否需要唤醒应用 perf_output_get_handle(handle); do { /* 这里data_tail在内核这边是只读,由应用负责更新,初始值为0 */ tail = READ_ONCE(rb->user_page->data_tail); // head表示要写入的位置对应的偏移量,初始值为0 // 在这个循环中,offset记录head推进之间的值,用来检查在此期间rb->head是否有更新 offset = head = local_read(&rb->head); // 如果overwrite是0,那么表示内核在写入之前需要检查应用是否已经读走,防止数据被覆盖 // 当应用在mmap时设置了可写权限,那么overwrite就是0,如果是只读的话,即overwrite是1, // 内核可以放心地覆盖缓冲区的数据,不关心应用是否已经读走 // 下面ring_buffer_has_space就是用来判断是否有足够的空间容纳size字节数据: // (tail - head + 1)& (perf_data_size(rb) - 1)>= size // 如果空间无法容纳,返回0,否则返回1 if (!rb->overwrite) { if (unlikely(!ring_buffer_has_space(head, tail, perf_data_size(rb), size, backward))) goto fail; // 空间不足 } /* * The above forms a control dependency barrier separating the * @tail load above from the data stores below. Since the @tail * load is required to compute the branch to fail below. * * A, matches D; the full memory barrier userspace SHOULD issue * after reading the data and before storing the new tail * position. * * See perf_output_put_handle(). */ if (!backward) head += size; else head -= size; // 这里判断rb->head是否跟offset相等,如果相等,那么将head赋值给rb->head,返回offset // 据此判断在计算head期间rb->head是否发生了更新 // 这个while循环退出后,rb->head以及head指向下一个可写的位置,offset表示head推进之前的值 } while (local_cmpxchg(&rb->head, offset, head) != offset); // 到这里,rb->head表示下一个要写入的位置,而offset表示当前要写入的位置 if (backward) { offset = head; head = (u64)(-head); } /* * We rely on the implied barrier() by local_cmpxchg() to ensure * none of the data stores below can be lifted up by the compiler. */ if (unlikely(head - local_read(&rb->wakeup) > rb->watermark)) local_add(rb->watermark, &rb->wakeup); // page_shift用于表示ring buffer的data区的大小,即2^n * PAGE_SIZE page_shift = PAGE_SHIFT + page_order(rb); // 计算data区的page索引号,data区有2^n个page组成,这里会计算offset对应的是哪个page // 这里可以看到,head都是单调递增,导致offset此时可能已经超过缓冲区大小,需要处理wrap handle->page = (offset >> page_shift) & (rb->nr_pages - 1); // 计算页内偏移,同时处理了回绕 offset &= (1UL << page_shift) - 1; // 这里会兼容两种缓冲区分配方式,一种是一页一页分配,这种方式会出现页之间的虚拟地址不连续, // 通过data_pages[]数组记录每个页的地址,页的数量记录在rb->nr_pages中;第二种是调用vmalloc // 一次分配完毕,这样所有这些页的虚拟地址是连续的,此时nr_pages固定设置为1,即只需要data_pages[0] // 记录首地址即可,具体参考rb_alloc // 如果是虚拟地址连续的情况,因为nr_pages是1,所以上面计算得到的handle->page是0,所以下面 // 下面就是rb->data_pages[0] + offset,从而得到要写入的地址 // 如果是不连续的情况,上面handle->page计算得到offset所在的page的索引,下面再得到要写入的位置 handle->addr = rb->data_pages[handle->page] + offset; // 计算缓冲区剩余空空间大小,offset记录的是当前要写入的偏移量,尚未写入,这里只是计算写入位置信息 handle->size = (1UL << page_shift) - offset; // 如果发生过因为缓冲区空间不足导致无法写入,上面会把have_lost设置为发生lost的次数 // 下面会往ring buffer中写入一个PERF_RECORD_LOST的记录 if (unlikely(have_lost)) { lost_event.header.size = sizeof(lost_event); lost_event.header.type = PERF_RECORD_LOST; lost_event.header.misc = 0; lost_event.id = event->id; // 发生lost的事件的perf_event的id lost_event.lost = local_xchg(&rb->lost, 0); // lost的次数 /* XXX mostly redundant; @data is already fully initializes */ perf_event_header__init_id(&lost_event.header, data, event); perf_output_put(handle, lost_event); perf_event__output_id_sample(event, handle, data); } return 0; fail: // 空间不足导致写入失败,记录这种情况发生的次数 local_inc(&rb->lost); // perf_event之间可以共享perf buffer,还需要单独再记录每个perf event发生lost的次数 atomic64_inc(&event->lost_samples); perf_output_put_handle(handle); out: rcu_read_unlock(); return -ENOSPC; }
perf_output_sample
这个函数用来根据传入的header、data等来填充缓冲区。这里暂时不打算分析,只是关心其中具体写缓冲区的函数:perf_output_put
以下面的调用为例:
perf_output_put(handle, data->time);
这个函数的作用是将data->time成员的内容写入到handle描述的缓冲区中。
展开后得到:
perf_output_copy(handle, &data->time, sizeof(data->time));
这样看上去会更加清楚。
perf_output_copy的定义如下:
unsigned int perf_output_copy(struct perf_output_handle *handle, const void *buf, unsigned int len) { return __output_copy(handle, buf, len); }
其中__output_copy进一步展开后得到:
static inline unsigned long memcpy_common(void *dst, const void *src, unsigned long n) { memcpy(dst, src, n); return 0; } static inline unsigned long __output_copy(struct perf_output_handle *handle, const void *buf, unsigned long len) { unsigned long size, written; do { // 保证不越界 size = min(handle->size, len); // 将buf中的内容拷贝到handle->addr指向的缓冲区中,参考上面对__perf_output_begin的分析,拷贝的字节数是size written = memcpy_common(handle->addr, buf, size); written = size - written; // 如果成功写完 len -= written; // 向前推进地址 handle->addr += written; if (true) buf += written; // 写完后,更新缓冲区空闲空间字节数 handle->size -= written; // 如果size为0,表示缓冲区用完,此时需要回绕到开头,从而实现ring buffer的功能 if (!handle->size) { struct perf_buffer *rb = handle->rb; // 更新要写入的page的数组索引 handle->page++; // 对于连续缓冲区的情况,nr_pages是0,所以会将handle->page设置为0,因为此时只有data_pages[0] handle->page &= rb->nr_pages - 1; // 重新得到下一个要写入的位置 handle->addr = rb->data_pages[handle->page]; // data区的大小,即2^n * PAGE_SIZE handle->size = ((1UL) << 12) << page_order(rb); } } while (len && written == size); return len; }
在perf_output_sample函数的最后有下面的逻辑:
if (!event->attr.watermark) { int wakeup_events = event->attr.wakeup_events; if (wakeup_events) { struct perf_buffer *rb = handle->rb; int events = local_inc_return(&rb->events); if (events >= wakeup_events) { local_sub(wakeup_events, &rb->events); local_inc(&rb->wakeup); } } }
其中wakeup_events表示每累计多少次event就唤醒一次,上面的逻辑比较简单,当次数累计够了,其中会对rb->wakeup递增,在perf_output_put_handle中会根据这个值是否有变化来判断是否需要唤醒应用。
perf_output_put_handle
- perf_output_end
void perf_output_end(struct perf_output_handle *handle) { perf_output_put_handle(handle); rcu_read_unlock(); }
- perf_output_put_handle
static void perf_output_put_handle(struct perf_output_handle *handle) { struct perf_buffer *rb = handle->rb; unsigned long head; unsigned int nest; /* * If this isn't the outermost nesting, we don't have to update * @rb->user_page->data_head. */ nest = READ_ONCE(rb->nest); if (nest > 1) { WRITE_ONCE(rb->nest, nest - 1); goto out; } again: /* * In order to avoid publishing a head value that goes backwards, * we must ensure the load of @rb->head happens after we've * incremented @rb->nest. * * Otherwise we can observe a @rb->head value before one published * by an IRQ/NMI happening between the load and the increment. */ barrier(); head = local_read(&rb->head); /* * IRQ/NMI can happen here and advance @rb->head, causing our * load above to be stale. */ /* * Since the mmap() consumer (userspace) can run on a different CPU: * * kernel user * * if (LOAD ->data_tail) { LOAD ->data_head * (A) smp_rmb() (C) * STORE $data LOAD $data * smp_wmb() (B) smp_mb() (D) * STORE ->data_head STORE ->data_tail * } * * Where A pairs with D, and B pairs with C. * * In our case (A) is a control dependency that separates the load of * the ->data_tail and the stores of $data. In case ->data_tail * indicates there is no room in the buffer to store $data we do not. * * D needs to be a full barrier since it separates the data READ * from the tail WRITE. * * For B a WMB is sufficient since it separates two WRITEs, and for C * an RMB is sufficient since it separates two READs. * * See perf_output_begin(). */ smp_wmb(); /* B, matches C */ // 将head更新到perf_event_mmap_page中,需要注意的是,这个值是单调递增,需要应用 // 自己处理回绕的问题,此外,这个值表示下一个要写入的位置,而不是刚刚写入的记录的 // 位置,所以需要应用自己备份 WRITE_ONCE(rb->user_page->data_head, head); /* * We must publish the head before decrementing the nest count, * otherwise an IRQ/NMI can publish a more recent head value and our * write will (temporarily) publish a stale value. */ barrier(); WRITE_ONCE(rb->nest, 0); /* * Ensure we decrement @rb->nest before we validate the @rb->head. * Otherwise we cannot be sure we caught the 'last' nested update. */ barrier(); if (unlikely(head != local_read(&rb->head))) { WRITE_ONCE(rb->nest, 1); goto again; } if (handle->wakeup != local_read(&rb->wakeup)) perf_output_wakeup(handle); out: preempt_enable(); }
唤醒应用
在内核写完一个事件后,最后在调用perf_output_put_handle时,如果发现需要唤醒应用,那么会调用perf_output_wakeup。
static void perf_output_wakeup(struct perf_output_handle *handle) { atomic_set(&handle->rb->poll, EPOLLIN); handle->event->pending_wakeup = 1; irq_work_queue(&handle->event->pending_irq); }
在分配perf_event时,给pending_irq设置的是perf_pending_irq:
static void perf_pending_irq(struct irq_work *entry) { struct perf_event *event = container_of(entry, struct perf_event, pending_irq); int rctx; /* * If we 'fail' here, that's OK, it means recursion is already disabled * and we won't recurse 'further'. */ rctx = perf_swevent_get_recursion_context(); /* * The wakeup isn't bound to the context of the event -- it can happen * irrespective of where the event is. */ if (event->pending_wakeup) { event->pending_wakeup = 0; // 应用如果在poll的话,会被唤醒 perf_event_wakeup(event); } __perf_pending_irq(event); if (rctx >= 0) perf_swevent_put_recursion_context(rctx); }
应用读
参考: https://www.cnblogs.com/pengdonglin137/p/17989602
下面两个参考链接中给出了data_tail如何使用。
