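Contents
Background
Preparation
A simple demo
Build
Monitoring a function with uprobe
Adding the uprobe
Running test_heap
Capturing call stacks with simpleperf
uprobe parameters
With arguments and a return value
Registering the uprobe events
Advanced: capturing the arguments and the return value together
uprobe/kprobe/tracepoint backtrace
dma_buf, based on kprobe
GPU kgsl, based on a tracepoint
malloc/calloc, based on uprobe
Summary
Background
In a recent project I used uprobe/kprobe to build unified simpleperf capture, with per-module output, for calloc/malloc/realloc, dmabuf and GPU allocations. This article introduces how to use uprobe.
Preparation
Android NDK download: https://developer.android.com/ndk/downloads?hl=zh-cn
A simple demo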
Write an Android C++ program, testmempss.cpp:
#include <cstdio>
#include <iostream>
#include <string>
#include <stdlib.h>
#include <unistd.h>
using namespace std;

void foo() {
    printf("hello, uprobe!\n");
}

int main(int argc, char *argv[]) {
    // Get the pid of this process
    pid_t pid = getpid();
    cout << "pid: " << pid << endl;
    for (int i = 0; i < 10; i++) {
        //malloc();
        //malloc();
        foo();
        sleep(10);
    }
    return 0;
}
Write the build script, generate.sh:
#!/bin/bash
export ANDROID_NDK=/home/wj/Downloads/android-ndk-r26b
rm -r build
mkdir build && cd build
cmake -DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK/build/cmake/android.toolchain.cmake \
-DANDROID_ABI="arm64-v8a" \
-DANDROID_NDK=$ANDROID_NDK \
-DANDROID_PLATFORM=android-26 \
-DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \
..
make && make install
cd ..
Note: replace android-ndk-r26b with the path of your own local NDK directory.
CMakeLists.txt
cmake_minimum_required(VERSION 3.0)
project(test_heap)
add_definitions("-Wall -g")
add_executable(${PROJECT_NAME} testmempss.cpp )
install(TARGETS ${PROJECT_NAME}
RUNTIME DESTINATION ${PROJECT_SOURCE_DIR})
Then run ./generate.sh to produce the executable test_heap. Push it to the phone and make it executable with chmod, and it is ready to run.
Build
wj@wj:~/WORK/Learning/learning/DT/uprobe$ ls
CMakeLists.txt generate.sh testmempss.cpp
wj@wj:~/WORK/Learning/learning/DT/uprobe$ ./generate.sh
rm: cannot remove 'build': No such file or directory
-- The C compiler identification is Clang 17.0.2
-- The CXX compiler identification is Clang 17.0.2
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /home/wj/Downloads/android-ndk-r26b/toolchains/llvm/prebuilt/linux-x86_64/bin/clang - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /home/wj/Downloads/android-ndk-r26b/toolchains/llvm/prebuilt/linux-x86_64/bin/clang++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: /home/wj/WORK/Learning/learning/DT/uprobe/build
[ 50%] Building CXX object CMakeFiles/test_heap.dir/testmempss.cpp.o
[100%] Linking CXX executable test_heap
[100%] Built target test_heap
Consolidate compiler generated dependencies of target test_heap
[100%] Built target test_heap
Install the project...
-- Install configuration: ""
-- Installing: /home/wj/WORK/Learning/learning/DT/uprobe/test_heap
As you can see, a test_heap file has been generated in the current directory. Push it to the phone:
wj@wj:~/WORK/Learning/learning/DT/uprobe$ adb push test_heap /data/local/tmp
test_heap: 1 file pushed. 35.5 MB/s (1315832 bytes in 0.035s)
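Monitoring a function with uprobe
For example, to monitor calls to the function foo in the program, first get the function's offset within the binary: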
goku:/ # cd /data/local/tmp/
goku:/data/local/tmp # readelf -s test_heap | grep foo
5920: 0000000000040818 28 FUNC GLOBAL DEFAULT 15 _Z3foov
The second column, 0000000000040818, is the offset.
Adding the uprobe
1. Run adb shell to open a terminal on the phone
2. echo 'p:foo /data/local/tmp/test_heap:0x40818' > /sys/kernel/debug/tracing/uprobe_events
If this succeeds, uprobe_events shows the corresponding entry:
goku:/data/local/tmp # cat /sys/kernel/debug/tracing/uprobe_events
p:uprobes/foo /data/local/tmp/test_heap:0x0000000000040818
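An added example, not part of the original post: the value readelf -s prints is the symbol's virtual address, while uprobe_events takes an offset into the file, and the two coincide only when the containing PT_LOAD segment has equal p_vaddr and p_offset. The Python sketch below resolves the file offset from the ELF headers and formats the entry and return probe lines; the function names and the sample ELF image are constructed for illustration.

```python
import re
import struct

PT_LOAD, SHT_SYMTAB, SHT_DYNSYM, STT_FUNC = 1, 2, 11, 2

def uprobe_offset(elf: bytes, symbol: str) -> int:
    """File offset of a function symbol in a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phoff, shoff = struct.unpack_from("<QQ", elf, 0x20)
    phentsize, phnum, shentsize, shnum = struct.unpack_from("<HHHH", elf, 0x36)
    # PT_LOAD segments define how file offsets map to virtual addresses.
    loads = []
    for i in range(phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
    sections = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize)
                for i in range(shnum)]
    for _, sh_type, _, _, sh_offset, sh_size, sh_link, _, _, sh_entsize in sections:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_entsize == 0:
            continue
        strtab = sections[sh_link][4]  # sh_offset of the linked string table
        for pos in range(sh_offset, sh_offset + sh_size, sh_entsize):
            st_name, st_info, _, st_shndx, st_value, _ = struct.unpack_from(
                "<IBBHQQ", elf, pos)
            if st_shndx == 0 or (st_info & 0xF) != STT_FUNC:
                continue  # undefined symbol, or not a function
            start = strtab + st_name
            if elf[start:elf.index(b"\0", start)] != symbol.encode():
                continue
            for vaddr, offset, filesz in loads:
                if vaddr <= st_value < vaddr + filesz:
                    return st_value - vaddr + offset
            raise ValueError(f"{symbol} is not inside a file-backed PT_LOAD segment")
    raise KeyError(symbol)

def uprobe_event_lines(path, offset, name, fetch_args=()):
    """Entry and return probe definitions in the form written to uprobe_events."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError("event names are limited to letters, digits and underscores")
    target = f"{path}:{offset:#x}"
    entry = " ".join([f"p:{name}", target, *fetch_args])
    return [entry, f"r:{name}_ret {target} retval=$retval:u64"]

def build_sample_elf(sym_vaddr, seg_vaddr, seg_offset):
    """Constructed ELF64 image: one PT_LOAD segment and a .symtab holding _Z3foov."""
    strtab = b"\0_Z3foov\0"
    symtab = (struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)
              + struct.pack("<IBBHQQ", 1, 0x12, 0, 1, sym_vaddr, 28))
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, seg_offset, seg_vaddr, seg_vaddr,
                       0x2000, 0x2000, 0x1000)
    ph_off = 64
    sym_off = ph_off + len(phdr)
    str_off = sym_off + len(symtab)
    sh_off = str_off + len(strtab)
    shdrs = (struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + struct.pack("<IIQQQQIIQQ", 0, SHT_SYMTAB, 0, 0, sym_off,
                           len(symtab), 2, 1, 8, 24)
             + struct.pack("<IIQQQQIIQQ", 0, 3, 0, 0, str_off, len(strtab), 0, 0, 1, 0))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
            + struct.pack("<HHIQQQIHHHHHH", 3, 183, 1, 0, ph_off, sh_off, 0,
                          64, 56, 1, 64, 3, 0))
    return ehdr + phdr + symtab + strtab + shdrs

if __name__ == "__main__":
    # Same symbol address as in the readelf output above, but the segment's
    # file offset is 0x1000 lower than its virtual address (constructed case).
    image = build_sample_elf(0x40818, 0x40000, 0x3F000)
    off = uprobe_offset(image, "_Z3foov")
    for line in uprobe_event_lines("/data/local/tmp/test_heap", off, "foo"):
        print(line)
```

To use it on a real binary, read the file with open(path, "rb").read() on the host and pass the bytes to uprobe_offset.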
Running test_heap
goku:/data/local/tmp # ./test_heap
pid: 519
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
goku:/data/local/tmp # ./test_heap
pid: 535
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
hello, uprobe!
Capturing call stacks with simpleperf
Run test_heap, then use simpleperf to record its call stacks:
perfdata="/data/local/tmp/perf.data"
pid_test=$(adb shell ps -e| grep test_heap | awk '{print $2}')
adb shell "simpleperf record -e uprobes:foo -p $pid_test --call-graph dwarf -o $perfdata" &
Sample stacks look like this:
test_heap 3626/3626 [001] 229305.073105: 1 uprobes:foo:
64d8ea4818 foo() (/data/local/tmp/test_heap)
64d8ea489c main (/data/local/tmp/test_heap)
75aecdf9cc __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1891
common_flags : 0
common_preempt_count : 1
common_pid : 3626
__probe_ip : 433135962136
test_heap 3626/3626 [001] 229315.076158: 1 uprobes:foo:
64d8ea4818 foo() (/data/local/tmp/test_heap)
64d8ea489c main (/data/local/tmp/test_heap)
75aecdf9cc __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1891
common_flags : 0
common_preempt_count : 1
common_pid : 3626
__probe_ip : 433135962136
test_heap 3626/3626 [000] 229325.080823: 1 uprobes:foo:
64d8ea4818 foo() (/data/local/tmp/test_heap)
64d8ea489c main (/data/local/tmp/test_heap)
75aecdf9cc __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1891
common_flags : 0
common_preempt_count : 1
common_pid : 3626
__probe_ip : 433135962136
test_heap 3626/3626 [000] 229335.082191: 1 uprobes:foo:
64d8ea4818 foo() (/data/local/tmp/test_heap)
64d8ea489c main (/data/local/tmp/test_heap)
75aecdf9cc __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1891
common_flags : 0
common_preempt_count : 1
common_pid : 3626
__probe_ip : 433135962136
test_heap 3626/3626 [000] 229345.086546: 1 uprobes:foo:
64d8ea4818 foo() (/data/local/tmp/test_heap)
64d8ea489c main (/data/local/tmp/test_heap)
75aecdf9cc __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1891
common_flags : 0
common_preempt_count : 1
common_pid : 3626
__probe_ip : 433135962136
test_heap 3626/3626 [000] 229355.087169: 1 uprobes:foo:
64d8ea4818 foo() (/data/local/tmp/test_heap)
64d8ea489c main (/data/local/tmp/test_heap)
75aecdf9cc __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1891
common_flags : 0
common_preempt_count : 1
common_pid : 3626
__probe_ip : 433135962136
test_heap 3626/3626 [000] 229365.091652: 1 uprobes:foo:
64d8ea4818 foo() (/data/local/tmp/test_heap)
64d8ea489c main (/data/local/tmp/test_heap)
75aecdf9cc __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1891
common_flags : 0
common_preempt_count : 1
common_pid : 3626
__probe_ip : 433135962136
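uprobe parameters
- Besides the built-in variables arg0, arg1 ... and retval, the following variables can be used directly:
  - comm: process name
  - pid: process ID
  - tid: thread ID
  - uid: user ID
  - gid: group ID
  - nsecs: timestamp in nanoseconds
  - cgroup: ID of the current cgroup
  - func: function name
- Some built-in functions:
  - printf: formatted printing
  - str: returns the string a pointer refers to
  - system: runs a shell command
  - sizeof: size of a variable in memory
  - cat: prints the contents of a file
  - signal: sends a signal to the current program
  - time: prints the current time, formatted
  - strftime: formats a time
With arguments and a return value
- If writing to the uprobe_events file fails with a "Device or resource busy" error, set /sys/kernel/tracing/events/uprobes/enable to 0 and try again.
wj@wj:~/Downloads/memoryprofiling-main$ adb shell
goku:/ # echo 0 > /sys/kernel/debug/tracing/events/uprobes/enable
Define a function test_uprobe that takes an input argument and returns a value: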
#include <iostream>
#include <unistd.h>
using namespace std;

int test_uprobe(int size) {
    // printf("the size input is %d",size);
    int tmp = size + 1;
    return tmp;
}

int main(int argc, char *argv[]) {
    // Get the pid of this process
    pid_t pid = getpid();
    cout << "pid: " << pid << endl;
    while (1) {
        for (int i = 1; i < 10; i++) {
            // malloc1();
            // malloc2();
            // void* path=foo(i);
            int tmp = test_uprobe(i);
            cout << "input:" << i << ",output :" << tmp << endl;
            sleep(2);
            // free_malloc(path);
        }
    }
    return 0;
}
Registering the uprobe events
echo 'p:testuprobe /data/test_heap:0x439a4 size=%x0:u64' >> /sys/kernel/debug/tracing/uprobe_events
echo 'r:testuprobe_ret /data/test_heap:0x439a4 retval=$retval:u64' >> /sys/kernel/debug/tracing/uprobe_events
Start monitoring:
echo 1 > /sys/kernel/tracing/events/uprobes/enable
Check that it worked:
adb shell cat /sys/kernel/tracing/trace_pipe|grep testuprobe
For malloc and free on an Android phone, this becomes:
1. adb shell
2. Register the events:
echo 'r:uprobes/malloc_ret /apex/com.android.runtime/lib64/bionic/libc.so:0x00000000000515b4 rev=$retval:u64' >> /sys/kernel/debug/tracing/uprobe_events
echo 'p:uprobes/so_malloc /apex/com.android.runtime/lib64/bionic/libc.so:0x00000000000515b4 size=%x0:u64' >> /sys/kernel/debug/tracing/uprobe_events
echo 'p:so_free /apex/com.android.runtime/lib64/bionic/libc.so:0x51458 addr=%x0:u64' >> /sys/kernel/debug/tracing/uprobe_events
Then monitor with simpleperf as before.
Here the call to malloc and its return are registered as separate events.
Advanced: capturing the arguments and the return value together
You need to be able to read the disassembly and find the offset within the function at which the data you need is available.
Definition of malloc:
extern "C" void* malloc(size_t bytes) {
  auto dispatch_table = GetDispatchTable();
  void *result;
  if (__predict_false(dispatch_table != nullptr)) {
    result = dispatch_table->malloc(bytes);
  } else {
    result = Malloc(malloc)(bytes);
  }
  if (__predict_false(result == nullptr)) {
    warning_log("malloc(%zu) failed: returning null pointer", bytes);
    return nullptr;
  }
  return MaybeTagPointer(result);
}
where
#include "jemalloc.h"
#define Malloc(function) je_ ## function
The disassembly of malloc is:
.text:00000000000515B4
.text:00000000000515B4 ; =============== S U B R O U T I N E =======================================
.text:00000000000515B4
.text:00000000000515B4 ; Attributes: bp-based frame fpd=0x20
.text:00000000000515B4
.text:00000000000515B4 EXPORT malloc
.text:00000000000515B4 malloc ; CODE XREF: j_malloc+C↓j
.text:00000000000515B4 ; DATA XREF: LOAD:0000000000002F08↑o ...
.text:00000000000515B4
.text:00000000000515B4 var_20 = -0x20
.text:00000000000515B4 var_10 = -0x10
.text:00000000000515B4
.text:00000000000515B4 ; __unwind {
.text:00000000000515B4 PACIASP // sign the function's return address (X30) with a pointer authentication code
.text:00000000000515B8 STP X29, X30, [SP,#var_20]! // pre-decrement SP by 0x20, then store X29 and X30 at the new SP
.text:00000000000515BC STR X19, [SP,#0x20+var_10] // store X19 on the stack at SP+0x10
.text:00000000000515C0 MOV X29, SP // copy SP into X29 (the frame pointer)
.text:00000000000515C4 ADRL X8, unk_323058 // load the address of `unk_323058` into X8
.text:00000000000515CC MOV X19, X0 // copy X0 into X19
.text:00000000000515D0 LDAR X8, [X8] // load-acquire the 8 bytes at the address held in X8 into X8
.text:00000000000515D4 CBNZ X8, loc_51600 // if X8 is non-zero, branch to `loc_51600`
.text:00000000000515D8 MOV X0, X19 // copy X19 back into X0
.text:00000000000515DC BL je_malloc // X8 is 0: call je_malloc
.text:00000000000515E0 CBZ X0, loc_51610 // check the return value; if it is zero, branch to `loc_51610`
.text:00000000000515E4
.text:00000000000515E4 loc_515E4 ; CODE XREF: malloc+58↓j // reached when je_malloc returns a non-zero value
.text:00000000000515E4 ADRP X8, #(qword_323048+7)@PAGE // load the address of the 4 KB page containing `qword_323048+7` into X8
.text:00000000000515E8 LDRB W8, [X8,#(qword_323048+7)@PAGEOFF] // load one byte from X8 plus the page offset into W8
.text:00000000000515EC ORR X0, X0, X8,LSL#56 // OR X0 with X8 shifted left by 56 bits and store the result in X0
.text:00000000000515F0
.text:00000000000515F0 loc_515F0 ; CODE XREF: malloc+7C↓j
.text:00000000000515F0 LDR X19, [SP,#0x20+var_10] // reload X19 from the stack at SP+0x10
.text:00000000000515F4 LDP X29, X30, [SP+0x20+var_20],#0x20 // reload X29 and X30 from SP, then add 0x20 to SP
.text:00000000000515F8 AUTIASP
.text:00000000000515FC RET
.text:0000000000051600 ; ---------------------------------------------------------------------------
.text:0000000000051600
.text:0000000000051600 loc_51600 ; CODE XREF: malloc+20↑j
.text:0000000000051600 LDR X8, [X8,#0x18]
.text:0000000000051604 MOV X0, X19
.text:0000000000051608 BLR X8
.text:000000000005160C CBNZ X0, loc_515E4
.text:0000000000051610
.text:0000000000051610 loc_51610 ; CODE XREF: malloc+2C↑j
.text:0000000000051610 NOP
.text:0000000000051614 ADR X1, aLibc_0 ; "libc"
.text:0000000000051618 ADRL X2, aMallocZuFailed ; "malloc(%zu) failed: returning null poin"...
.text:0000000000051620 MOV W0, #5
.text:0000000000051624 MOV X3, X19
.text:0000000000051628 BL async_safe_format_log
.text:000000000005162C MOV X0, XZR
.text:0000000000051630 B loc_515F0
.text:0000000000051630 ; } // starts at 515B4
.text:0000000000051630 ; End of function malloc
.text:0000000000051630
Implementation of calloc:
extern "C" void* calloc(size_t n_elements, size_t elem_size) {
  auto dispatch_table = GetDispatchTable();
  if (__predict_false(dispatch_table != nullptr)) {
    return MaybeTagPointer(dispatch_table->calloc(n_elements, elem_size));
  }
  void* result = Malloc(calloc)(n_elements, elem_size);
  if (__predict_false(result == nullptr)) {
    warning_log("calloc(%zu, %zu) failed: returning null pointer", n_elements, elem_size);
  }
  return MaybeTagPointer(result);
}
Its disassembly is:
.text:00000000000513A4
.text:00000000000513A4 ; =============== S U B R O U T I N E =======================================
.text:00000000000513A4
.text:00000000000513A4 ; Attributes: bp-based frame
.text:00000000000513A4
.text:00000000000513A4 EXPORT calloc
.text:00000000000513A4 calloc ; CODE XREF: j_calloc+C↓j
.text:00000000000513A4 ; DATA XREF: LOAD:0000000000006A18↑o ...
.text:00000000000513A4
.text:00000000000513A4 var_s0 = 0 // stack-frame offset 0
.text:00000000000513A4 var_s10 = 0x10 // stack-frame offset 16
.text:00000000000513A4 var_s20 = 0x20 // stack-frame offset 32
.text:00000000000513A4
.text:00000000000513A4 ; __unwind {
.text:00000000000513A4 PACIASP // sign the return address (X30) with a pointer authentication code
.text:00000000000513A8 STP X29, X30, [SP,#-0x30+var_s0]! // save X29 and X30 on the stack, moving SP down by 48 bytes
.text:00000000000513AC STP X22, X21, [SP,#var_s10] // save X22 and X21 on the stack at offset 16
.text:00000000000513B0 STP X20, X19, [SP,#var_s20] // save X20 and X19 on the stack at offset 32
.text:00000000000513B4 MOV X29, SP // copy SP into X29
.text:00000000000513B8 ADRL X8, unk_323058 // load the address of `unk_323058` into X8
.text:00000000000513C0 MOV X20, X1 // save the second argument (the element size) in X20
.text:00000000000513C4 MOV X21, X0 // save the first argument (the number of elements) in X21
.text:00000000000513C8 LDAR X8, [X8] // atomically (load-acquire) load the value stored at `unk_323058` into X8
.text:00000000000513CC CBNZ X8, loc_51414 // if X8 is non-zero, branch to `loc_51414`
.text:00000000000513D0 MOV X0, X21 // put the first argument (the number of elements) back in X0
.text:00000000000513D4 MOV X1, X20 // put the second argument (the element size) back in X1
.text:00000000000513D8 BL je_calloc // call `je_calloc`
.text:00000000000513DC CMP X0, #0 // compare X0 with 0
.text:00000000000513E0 MOV X19, X0 // save the return value in X19
.text:00000000000513E4 CSET W22, EQ // set W22 to 1 if the comparison was equal, otherwise to 0
.text:00000000000513E8 CBZ X0, loc_51434 // if X0 is zero, branch to `loc_51434`
.text:00000000000513EC
.text:00000000000513EC loc_513EC ; CODE XREF: calloc+8C↓j
.text:00000000000513EC ; calloc+B0↓j
.text:00000000000513EC ADRP X8, #(qword_323048+7)@PAGE // load the address of the 4 KB page containing `qword_323048+7` into X8
.text:00000000000513F0 CMP W22, #0 // compare W22 with 0
.text:00000000000513F4 LDRB W8, [X8,#(qword_323048+7)@PAGEOFF] // load the byte at `qword_323048+7` into W8
.text:00000000000513F8 ORR X8, X19, X8,LSL#56 // OR X19 with X8 shifted left by 56 bits and store the result in X8
.text:00000000000513FC CSEL X0, XZR, X8, NE // if W22 is non-zero (the allocation returned null), set X0 to XZR (zero); otherwise set X0 to X8
.text:0000000000051400 LDP X20, X19, [SP,#var_s20] // reload X20 and X19 from the stack at offset 32
.text:0000000000051404 LDP X22, X21, [SP,#var_s10] // reload X22 and X21 from the stack at offset 16
.text:0000000000051408 LDP X29, X30, [SP+var_s0],#0x30 // reload X29 and X30 from offset 0, then move SP up by 48 bytes
.text:000000000005140C AUTIASP // authenticate the return address (X30)
.text:0000000000051410 RET // return to the caller
.text:0000000000051414 ; ---------------------------------------------------------------------------
.text:0000000000051414
.text:0000000000051414 loc_51414 ; CODE XREF: calloc+28↑j
.text:0000000000051414 LDR X8, [X8]
.text:0000000000051418 MOV X0, X21
.text:000000000005141C MOV X1, X20
.text:0000000000051420 BLR X8
.text:0000000000051424 CMP X0, #0
.text:0000000000051428 MOV X19, X0
.text:000000000005142C CSET W22, EQ
.text:0000000000051430 B loc_513EC
.text:0000000000051434 ; ---------------------------------------------------------------------------
.text:0000000000051434
.text:0000000000051434 loc_51434 ; CODE XREF: calloc+44↑j
.text:0000000000051434 NOP
.text:0000000000051438 ADR X1, aLibc_0 ; "libc"
.text:000000000005143C ADRL X2, aCallocZuZuFail ; "calloc(%zu, %zu) failed: returning null"...
.text:0000000000051444 MOV W0, #5
.text:0000000000051448 MOV X3, X21
.text:000000000005144C MOV X4, X20
.text:0000000000051450 BL async_safe_format_log
.text:0000000000051454 B loc_513EC
.text:0000000000051454 ; } // starts at 513A4
.text:0000000000051454 ; End of function calloc
.text:0000000000051454
uprobe/kprobe/tracepoint backtrace
dma_buf, based on kprobe
vendor.qti.camera.provider-service_64 29932/5973 [004] 7744.117480: 1 kprobes:dmabuf_setup:
ffffffe1f853da48 dma_buf_stats_setup ([kernel.kallsyms])
ffffffe1f1fbe9ba mem_buf_dma_buf_export [mem_buf_dev] ([kernel.kallsyms])
ffffffe1f1fdeff2 system_heap_allocate [qcom_dma_heaps] ([kernel.kallsyms])
ffffffe1f853b5fe dma_heap_buffer_alloc ([kernel.kallsyms])
ffffffe1f4d46e2e cam_mem_util_get_dma_buf (/vendor/lib/modules/camera.ko)
ffffffe1f4d4447a cam_mem_mgr_alloc_and_map (/vendor/lib/modules/camera.ko)
ffffffe1f4d3f50a cam_private_ioctl (/vendor/lib/modules/camera.ko)
ffffffe1f86af5e6 __video_do_ioctl ([kernel.kallsyms])
ffffffe1f86aec2a video_usercopy ([kernel.kallsyms])
ffffffe1f86af33e video_ioctl2 ([kernel.kallsyms])
ffffffe1f86ae036 v4l2_ioctl ([kernel.kallsyms])
ffffffe1f7fc6816 __arm64_sys_ioctl ([kernel.kallsyms])
ffffffe1f7c3db66 invoke_syscall ([kernel.kallsyms])
ffffffe1f7c3da9e el0_svc_common.llvm.12357336124230101514 ([kernel.kallsyms])
ffffffe1f7c3d95e do_el0_svc ([kernel.kallsyms])
ffffffe1f8bde586 el0_svc ([kernel.kallsyms])
ffffffe1f8bde50e el0t_64_sync_handler ([kernel.kallsyms])
ffffffe1f7c1157e el0t_64_sync ([kernel.kallsyms])
7b8acea6ac __ioctl (/apex/com.android.runtime/lib64/bionic/libc.so)
7b8aca1574 ioctl (/apex/com.android.runtime/lib64/bionic/libc.so)
7ae8aadef8 CSLHwInternalDefaultIoctl2(CSLHwDevice const*, unsigned int, void*, unsigned int, unsigned int) (/vendor/lib64/hw/camera.qcom.so)
7ae8a99500 CSLAllocHW(char const*, CSLBufferInfo*, unsigned long, unsigned long, unsigned int, int const*, unsigned int) (/vendor/lib64/hw/camera.qcom.so)
7ae88541b0 CamX::CmdBufferManager::InitializePool() (/vendor/lib64/hw/camera.qcom.so)
7ae8853198 CamX::CmdBufferManager::Initialize(char const*, CamX::ResourceParams const*) (/vendor/lib64/hw/camera.qcom.so)
7ae8a785ec CamX::SensorEarlySetting::CreateCmdBufferManager(char const*, CamX::ResourceParams const*, CamX::CmdBufferManager**) (/vendor/lib64/hw/camera.qcom.so)
7ae8a73680 CamX::SensorEarlySetting::WokerThread(void*) (/vendor/lib64/hw/camera.qcom.so)
7b8acff134 __pthread_start(void*) (/apex/com.android.runtime/lib64/bionic/libc.so)
7b8ac98ae4 __start_thread (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1877
common_flags : 1
common_preempt_count : 1
common_pid : 5973
__probe_ip : 18446743944731810376
comm : vendor.qti.came
exp_name : qcom,system
name :
size : 4096
inode : 57385
GPU kgsl, based on a tracepoint
AlgoFwkThd1 29932/30571 [004] 7745.787151: 1 kgsl:kgsl_mem_alloc:
ffffffe1f4954fc8 __traceiter_kgsl_mem_alloc (/vendor/lib/modules/msm_kgsl.ko)
ffffffe1f4954fc6 __traceiter_kgsl_mem_alloc (/vendor/lib/modules/msm_kgsl.ko)
ffffffe1f4935a6a trace_kgsl_mem_alloc (/vendor/lib/modules/msm_kgsl.ko)
ffffffe1f493590e gpumem_alloc_entry (/vendor/lib/modules/msm_kgsl.ko)
ffffffe1f4935aba kgsl_ioctl_gpuobj_alloc (/vendor/lib/modules/msm_kgsl.ko)
ffffffe1f4943d32 kgsl_ioctl_helper (/vendor/lib/modules/msm_kgsl.ko)
ffffffe1f4943dc2 kgsl_ioctl (/vendor/lib/modules/msm_kgsl.ko)
ffffffe1f7fc6816 __arm64_sys_ioctl ([kernel.kallsyms])
ffffffe1f7c3db66 invoke_syscall ([kernel.kallsyms])
ffffffe1f7c3da9e el0_svc_common.llvm.12357336124230101514 ([kernel.kallsyms])
ffffffe1f7c3d95e do_el0_svc ([kernel.kallsyms])
ffffffe1f8bde586 el0_svc ([kernel.kallsyms])
ffffffe1f8bde50e el0t_64_sync_handler ([kernel.kallsyms])
ffffffe1f7c1157e el0t_64_sync ([kernel.kallsyms])
7b8acea6ac __ioctl (/apex/com.android.runtime/lib64/bionic/libc.so)
7b8aca1574 ioctl (/apex/com.android.runtime/lib64/bionic/libc.so)
79ad45c218 !!!0000!3a4be7d9bfa8ce1de708d9937123e3!afa4d62ddb! (/vendor/lib64/libgsl.so)
79ad461c14 kgsl_sharedmem_alloc (/vendor/lib64/libgsl.so)
79ad3371bc gsl_memory_alloc_pure_64 (/vendor/lib64/libgsl.so)
7807eb1c8c !!!0000!40109365b924e55012048073801cf8!afa4d62ddb! (/vendor/lib64/libCB.so)
7807e464b0 cb_create_context (/vendor/lib64/libCB.so)
79d60da274 qCLDrvAPI_clCreateContext (/vendor/lib64/libOpenCL_adreno.so)
78b997f6ac libmialgo_depth_arc_hdr.so[+ab6ac] (/odm/lib64/libmialgo_depth_arc_hdr.so)
78b997e378 libmialgo_depth_arc_hdr.so[+aa378] (/odm/lib64/libmialgo_depth_arc_hdr.so)
78b997f260 libmialgo_depth_arc_hdr.so[+ab260] (/odm/lib64/libmialgo_depth_arc_hdr.so)
78b9987cf4 libmialgo_depth_arc_hdr.so[+b3cf4] (/odm/lib64/libmialgo_depth_arc_hdr.so)
78b98ebbcc libmialgo_depth_arc_hdr.so[+17bcc] (/odm/lib64/libmialgo_depth_arc_hdr.so)
78b98edbdc MialgoDepthArcHdrPreLaunch (/odm/lib64/libmialgo_depth_arc_hdr.so)
7939665408 MiDualCamDepthArcTFHdrTFMfnrPlugin::PreLaunchAlgo() (/odm/lib64/camera/plugins/com.xiaomi.plugin.capdepth.so)
79396652c8 MiDualCamDepthArcTFHdrTFMfnrPlugin::preProcess(PreProcessInfo) (/odm/lib64/camera/plugins/com.xiaomi.plugin.capdepth.so)
7af35b9b14 std::__1::__function::__func<mialgo2::MiaNode::preProcess(mialgo2::PostMiaPreProcParams*)::$_0, std::__1::allocator<mialgo2::MiaNode::preProcess(mialgo2::PostMiaPreProcParams*)::$_0>, void ()>::operator()() (/vendor/lib64/libmialgoengine.so)
7af35f0234 mialgo2::ThreadPool::loop(int) (/vendor/lib64/libmialgoengine.so)
7af35f1b34 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, mialgo2::ThreadPool::addThread()::$_0> >(void*) (/vendor/lib64/libmialgoengine.so)
7b8acff134 __pthread_start(void*) (/apex/com.android.runtime/lib64/bionic/libc.so)
7b8ac98ae4 __start_thread (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1678
common_flags : 0
common_preempt_count : 1
common_pid : 30571
gpuaddr : 274877935616
size : 4096
tgid : 29932
usage : cl
id : 2
flags : 17566208
malloc/calloc, based on uprobe
vendor.qti.camera.provider-service_64 29932/29932 [004] 7744.065468: 1 uprobes:so_malloc:
7b8ac535f0 malloc (/apex/com.android.runtime/lib64/bionic/libc.so)
7b9295602c operator new(unsigned long) (/apex/com.android.vndk.v34/lib64/libc++.so)
7b929a53f4 std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::__grow_by(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long) (/apex/com.android.vndk.v34/lib64/libc++.so)
7b929a4e90 std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::append(unsigned long, char) (/apex/com.android.vndk.v34/lib64/libc++.so)
7af3350d9c ndk::AParcel_stdStringAllocator(void*, int, char**) (/vendor/lib64/vendor.xiaomi.hardware.quickcamera-V1-ndk_platform.so)
7b87474168 AParcel_readString (/system/lib64/libbinder_ndk.so)
7af334f1b4 aidl::vendor::xiaomi::hardware::quickcamera::_aidl_vendor_xiaomi_hardware_quickcamera_IQuickCameraService_onTransact(AIBinder*, unsigned int, AParcel const*, AParcel*) (/vendor/lib64/vendor.xiaomi.hardware.quickcamera-V1-ndk_platform.so)
7b8746f098 ABBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int) (/system/lib64/libbinder_ndk.so)
7b8a78e450 android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int) (/system/lib64/libbinder.so)
7b8a778c90 android::IPCThreadState::executeCommand(int) (/system/lib64/libbinder.so)
7b8a7787bc android::IPCThreadState::getAndExecuteCommand() (/system/lib64/libbinder.so)
7b8a779130 android::IPCThreadState::joinThreadPool(bool) (/system/lib64/libbinder.so)
5a49bb57c0 main (/vendor/bin/hw/vendor.qti.camera.provider-service_64)
7b8ac8f99c __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1880
common_flags : 0
common_preempt_count : 1
common_pid : 29932
__probe_ip : 530609157616
size : 64
allocaddr : 12970367453726087296
vendor.qti.camera.provider-service_64 29932/5987 [000] 7744.123767: 1 uprobes:so_malloc:
7b8ac535f0 malloc (/apex/com.android.runtime/lib64/bionic/libc.so)
7b9295602c operator new(unsigned long) (/apex/com.android.vndk.v34/lib64/libc++.so)
7ae660ad28 sns_direct_channel_set_client_req* google::protobuf::Arena::CreateMaybeMessage<sns_direct_channel_set_client_req>(google::protobuf::Arena*) (.cfi) (/vendor/lib64/libsnsapi.so)
7ae8aedaf0 CamX::NCSDirectChannel::PrepareConfigureReqMsg(CamX::DirectChannelType, CamX::QSEESensorConfig*, CamX::SensorUid&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) (/vendor/lib64/hw/camera.qcom.so)
7ae8aeca30 CamX::NCSDirectChannel::ConfigSensorMuxChannel(CamX::QSEESensorConfig*, CamX::SensorUid&) (/vendor/lib64/hw/camera.qcom.so)
7ae8b31250 CamX::NCSIntfQSEE2::RegisterService(void*, CamX::NCSSensorConfig*) (/vendor/lib64/hw/camera.qcom.so)
7ae8b50ea0 CamX::NCSService::RegisterService(CamX::NCSIntfType, void*) (/vendor/lib64/hw/camera.qcom.so)
7ae8a646bc CamX::XMHwEnvironment::SetupNCSLinkForSensor(int) (/vendor/lib64/hw/camera.qcom.so)
7ae8a63f10 CamX::XMHwEnvironment::DoRegisterNCSSensors(unsigned int, void*) (/vendor/lib64/hw/camera.qcom.so)
7ae8a6b67c void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(unsigned int, void*), unsigned int, CamX::XMHwEnvironment*> >(void*) (/vendor/lib64/hw/camera.qcom.so)
7b8acff134 __pthread_start(void*) (/apex/com.android.runtime/lib64/bionic/libc.so)
7b8ac98ae4 __start_thread (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1880
common_flags : 0
common_preempt_count : 1
common_pid : 5987
__probe_ip : 530609157616
size : 56
allocaddr : 12970367452500660672
vendor.qti.camera.provider-service_64 29932/29932 [001] 7744.103577: 1 uprobes:so_calloc:
7b8ac53400 calloc (/apex/com.android.runtime/lib64/bionic/libc.so)
7af7b095ec CamX::Mutex::Create(char const*) (/vendor/lib64/libcamxcommonutils.so)
7ae8a8e5cc CSLOpenHW(int*, char const*) (/vendor/lib64/hw/camera.qcom.so)
7ae8a7f858 CSLOpen (/vendor/lib64/hw/camera.qcom.so)
7ae8a71cc4 CamX::SensorEarlyInitManager::PrepareAsync(std::__1::vector<int, std::__1::allocator<int> >, unsigned int) (/vendor/lib64/hw/camera.qcom.so)
7ae9129a14 CamX::HAL3Module::startEarlySetting(unsigned int) (/vendor/lib64/hw/camera.qcom.so)
7ae910b154 CamX::open(hw_module_t const*, char const*, hw_device_t**) (/vendor/lib64/hw/camera.qcom.so)
7af7f64ec0 mihal::VendorCamera::open() (/vendor/lib64/hw/camera.xiaomi.so)
7af7f710d4 mihal::VendorMappingCamera::open() (/vendor/lib64/hw/camera.xiaomi.so)
7af7dabe44 mihal::CameraManager::open(int) (/vendor/lib64/hw/camera.xiaomi.so)
7af7da5b84 (anonymous namespace)::halOpen(hw_module_t const*, char const*, hw_device_t**) (/vendor/lib64/hw/camera.xiaomi.so)
7b8a82e6cc android::hardware::camera::common::V1_0::helper::CameraModule::open(char const*, hw_device_t**) (/vendor/lib64/camx.provider-impl.so)
7b92acd0a8 android::hardware::camera::device::implementation::CameraDevice::open(std::__1::shared_ptr<aidl::android::hardware::camera::device::ICameraDeviceCallback> const&, std::__1::shared_ptr<aidl::android::hardware::camera::device::ICameraDeviceSession>*) (/vendor/lib64/camx.device-impl.so)
7b8afe521c aidl::android::hardware::camera::device::_aidl_android_hardware_camera_device_ICameraDevice_onTransact(AIBinder*, unsigned int, AParcel const*, AParcel*) (.cfi) (/vendor/lib64/android.hardware.camera.device-V2-ndk.so)
7b8746f098 ABBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int) (/system/lib64/libbinder_ndk.so)
7b8a78e450 android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int) (/system/lib64/libbinder.so)
7b8a778c90 android::IPCThreadState::executeCommand(int) (/system/lib64/libbinder.so)
7b8a7787bc android::IPCThreadState::getAndExecuteCommand() (/system/lib64/libbinder.so)
7b8a779130 android::IPCThreadState::joinThreadPool(bool) (/system/lib64/libbinder.so)
5a49bb57c0 main (/vendor/bin/hw/vendor.qti.camera.provider-service_64)
7b8ac8f99c __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1879
common_flags : 0
common_preempt_count : 1
common_pid : 29932
__probe_ip : 530609157120
count : 1
size : 172
allocaddr : 12970367451351023872
vendor.qti.camera.provider-service_64 29932/29932 [001] 7744.103585: 1 uprobes:so_calloc:
7b8ac53400 calloc (/apex/com.android.runtime/lib64/bionic/libc.so)
7af7b0b184 CamX::Condition::Create(char const*) (/vendor/lib64/libcamxcommonutils.so)
7ae8a8e5d8 CSLOpenHW(int*, char const*) (/vendor/lib64/hw/camera.qcom.so)
7ae8a7f858 CSLOpen (/vendor/lib64/hw/camera.qcom.so)
7ae8a71cc4 CamX::SensorEarlyInitManager::PrepareAsync(std::__1::vector<int, std::__1::allocator<int> >, unsigned int) (/vendor/lib64/hw/camera.qcom.so)
7ae9129a14 CamX::HAL3Module::startEarlySetting(unsigned int) (/vendor/lib64/hw/camera.qcom.so)
7ae910b154 CamX::open(hw_module_t const*, char const*, hw_device_t**) (/vendor/lib64/hw/camera.qcom.so)
7af7f64ec0 mihal::VendorCamera::open() (/vendor/lib64/hw/camera.xiaomi.so)
7af7f710d4 mihal::VendorMappingCamera::open() (/vendor/lib64/hw/camera.xiaomi.so)
7af7dabe44 mihal::CameraManager::open(int) (/vendor/lib64/hw/camera.xiaomi.so)
7af7da5b84 (anonymous namespace)::halOpen(hw_module_t const*, char const*, hw_device_t**) (/vendor/lib64/hw/camera.xiaomi.so)
7b8a82e6cc android::hardware::camera::common::V1_0::helper::CameraModule::open(char const*, hw_device_t**) (/vendor/lib64/camx.provider-impl.so)
7b92acd0a8 android::hardware::camera::device::implementation::CameraDevice::open(std::__1::shared_ptr<aidl::android::hardware::camera::device::ICameraDeviceCallback> const&, std::__1::shared_ptr<aidl::android::hardware::camera::device::ICameraDeviceSession>*) (/vendor/lib64/camx.device-impl.so)
7b8afe521c aidl::android::hardware::camera::device::_aidl_android_hardware_camera_device_ICameraDevice_onTransact(AIBinder*, unsigned int, AParcel const*, AParcel*) (.cfi) (/vendor/lib64/android.hardware.camera.device-V2-ndk.so)
7b8746f098 ABBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int) (/system/lib64/libbinder_ndk.so)
7b8a78e450 android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int) (/system/lib64/libbinder.so)
7b8a778c90 android::IPCThreadState::executeCommand(int) (/system/lib64/libbinder.so)
7b8a7787bc android::IPCThreadState::getAndExecuteCommand() (/system/lib64/libbinder.so)
7b8a779130 android::IPCThreadState::joinThreadPool(bool) (/system/lib64/libbinder.so)
5a49bb57c0 main (/vendor/bin/hw/vendor.qti.camera.provider-service_64)
7b8ac8f99c __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so)
tracing data:
common_type : 1879
common_flags : 0
common_preempt_count : 1
common_pid : 29932
__probe_ip : 530609157120
count : 1
size : 64
allocaddr : 12970367453725605440
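An added example, not from the original post: a Python sketch that turns simpleperf records like the ones above into per-module allocation totals, the per-module output mentioned in the background. It attributes each so_malloc/so_calloc event to the first frame outside libc.so and libc++.so, and separates the tag byte that malloc ORs into bits 56 to 63 of the returned pointer; the sample text is abridged from the output above and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: three records abridged from the output shown above.
SAMPLE = """\
vendor.qti.camera.provider-service_64 29932/29932 [004] 7744.065468: 1 uprobes:so_malloc:
7b8ac535f0 malloc (/apex/com.android.runtime/lib64/bionic/libc.so)
7b9295602c operator new(unsigned long) (/apex/com.android.vndk.v34/lib64/libc++.so)
7af3350d9c ndk::AParcel_stdStringAllocator(void*, int, char**) (/vendor/lib64/vendor.xiaomi.hardware.quickcamera-V1-ndk_platform.so)
tracing data:
common_pid : 29932
__probe_ip : 530609157616
size : 64
allocaddr : 12970367453726087296
vendor.qti.camera.provider-service_64 29932/29932 [001] 7744.103577: 1 uprobes:so_calloc:
7b8ac53400 calloc (/apex/com.android.runtime/lib64/bionic/libc.so)
7af7b095ec CamX::Mutex::Create(char const*) (/vendor/lib64/libcamxcommonutils.so)
7ae8a8e5cc CSLOpenHW(int*, char const*) (/vendor/lib64/hw/camera.qcom.so)
tracing data:
common_pid : 29932
__probe_ip : 530609157120
count : 1
size : 172
allocaddr : 12970367451351023872
vendor.qti.camera.provider-service_64 29932/29932 [001] 7744.103585: 1 uprobes:so_calloc:
7b8ac53400 calloc (/apex/com.android.runtime/lib64/bionic/libc.so)
7af7b0b184 CamX::Condition::Create(char const*) (/vendor/lib64/libcamxcommonutils.so)
tracing data:
common_pid : 29932
__probe_ip : 530609157120
count : 1
size : 64
allocaddr : 12970367453725605440
"""

HEADER = re.compile(r"^(.+?)\s+(\d+)/(\d+)\s+\[\d+\]\s+([\d.]+):\s+\d+\s+(\S+):$")
FRAME = re.compile(r"^([0-9a-f]+)\s+(.+)\s+\(([^()]+)\)$")
FIELD = re.compile(r"^(\w+)\s*:\s*(.*)$")
ALLOCATOR_LIBS = {"libc.so", "libc++.so"}  # skipped when looking for the caller
TAG_SHIFT = 56  # malloc ORs a byte into bits 56..63 of the returned pointer

def parse_records(text):
    """Split the text into records with event name, frames and tracing fields."""
    records, cur, in_fields = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            cur = {"comm": head[1], "pid": int(head[2]), "tid": int(head[3]),
                   "event": head[5], "frames": [], "fields": {}}
            records.append(cur)
            in_fields = False
        elif cur is None:
            continue
        elif line == "tracing data:":
            in_fields = True
        elif in_fields:
            field = FIELD.match(line)
            if field:
                cur["fields"][field[1]] = field[2]
        else:
            frame = FRAME.match(line)
            if frame:
                cur["frames"].append((int(frame[1], 16), frame[2], frame[3]))
    return records

def alloc_bytes(rec):
    """Requested bytes: size for malloc, count * size for calloc."""
    fields = rec["fields"]
    size = int(fields["size"])
    return size * int(fields["count"]) if "count" in fields else size

def split_tag(addr):
    """Return (tag byte, address without the tag)."""
    return addr >> TAG_SHIFT, addr & ((1 << TAG_SHIFT) - 1)

def owner(rec):
    """Basename of the first frame's library that is not the allocator itself."""
    for _, _, dso in rec["frames"]:
        name = dso.rsplit("/", 1)[-1]
        if name not in ALLOCATOR_LIBS:
            return name
    return "<unknown>"

def bytes_per_module(records):
    totals = defaultdict(int)
    for rec in records:
        if rec["event"] in ("uprobes:so_malloc", "uprobes:so_calloc"):
            totals[owner(rec)] += alloc_bytes(rec)
    return dict(totals)

if __name__ == "__main__":
    for module, total in sorted(bytes_per_module(parse_records(SAMPLE)).items()):
        print(f"{total:8d}  {module}")
```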
Summary
Later posts will cover more advanced uses of uprobe/kprobe.