廖哥窝

QEMU提供了trace机制跟踪关键内部关键步骤执行流程，用于性能问题排查、了解内部执行流程。详细的使用方法在qemu的文档目录：

qemu-kvm-1.2.0-rc2\docs\tracing.txt

实际使用的过程中有有几点需要作修改方能正常使用：

1. 需要在qemu-kvm命令行里面加trace参数，我们一般用的是libvirt提供的virsh命令，解析虚拟机配置文件后间接操作qemu-kvm，无法加入额外的参数，可以使用命令行的方式执行qemu-kvm，参数参考虚拟机正常运行时ps -aux | grep qemu获取的结果，注意要把-S去掉，不然虚拟机会在启动之前阻塞住。
2. 使用libvirt时，生成的trace文件一般在/var/lib/libvirt/images/下，实在没找到可以使用find / -name trace*pid*命令查找。trace文件一般是已经trace-pid的命令方式存在，文件中的日志信息以二进制格式存在，不能直接查看。
3. 执行./simpletrace.py ../trace-events /var/lib/libvirt/images/trace-16601可以输出可读的跟踪信息。注意：“../trace-events” 指的是“/usr/lwq/soft/kvm/qemu-kvm-1.2.0/trace-events” 而非/tmp/events文件。

tracing.txt原文如下：

= Tracing =

== Introduction ==

This document describes the tracing infrastructure in QEMU and how to use it
for debugging, profiling, and observing execution.

== Quickstart ==

1. Build with the ‘simple’ trace backend:

./configure –enable-trace-backend=simple
make

2. Create a file with the events you want to trace:

echo bdrv_aio_readv > /tmp/events
echo bdrv_aio_writev >> /tmp/events

3. Run the virtual machine to produce a trace file:

qemu -trace events=/tmp/events … # your normal QEMU invocation

4. Pretty-print the binary trace file:

./simpletrace.py trace-events trace-*

== Trace events ==

There is a set of static trace events declared in the “trace-events” source
file. Each trace event declaration names the event, its arguments, and the
format string which can be used for pretty-printing:

qemu_vmalloc(size_t size, void *ptr) “size %zu ptr %p”
qemu_vfree(void *ptr) “ptr %p”

The “trace-events” file is processed by the “tracetool” script during build to
generate code for the trace events. Trace events are invoked directly from
source code like this:

#include “trace.h” /* needed for trace event prototype */

void *qemu_vmalloc(size_t size)
{
void *ptr;
size_t align = QEMU_VMALLOC_ALIGN;

if (size < align) {
align = getpagesize();
}
ptr = qemu_memalign(align, size);
trace_qemu_vmalloc(size, ptr);
return ptr;
}

=== Declaring trace events ===

The “tracetool” script produces the trace.h header file which is included by
every source file that uses trace events. Since many source files include
trace.h, it uses a minimum of types and other header files included to keep the
namespace clean and compile times and dependencies down.

Trace events should use types as follows:

* Use stdint.h types for fixed-size types. Most offsets and guest memory
addresses are best represented with uint32_t or uint64_t. Use fixed-size
types over primitive types whose size may change depending on the host
(32-bit versus 64-bit) so trace events don’t truncate values or break
the build.

* Use void * for pointers to structs or for arrays. The trace.h header
cannot include all user-defined struct declarations and it is therefore
necessary to use void * for pointers to structs.

* For everything else, use primitive scalar types (char, int, long) with the
appropriate signedness.

Format strings should reflect the types defined in the trace event. Take
special care to use PRId64 and PRIu64 for int64_t and uint64_t types,
respectively. This ensures portability between 32- and 64-bit platforms.

=== Hints for adding new trace events ===

1. Trace state changes in the code. Interesting points in the code usually
involve a state change like starting, stopping, allocating, freeing. State
changes are good trace events because they can be used to understand the
execution of the system.

2. Trace guest operations. Guest I/O accesses like reading device registers
are good trace events because they can be used to understand guest
interactions.

3. Use correlator fields so the context of an individual line of trace output
can be understood. For example, trace the pointer returned by malloc and
used as an argument to free. This way mallocs and frees can be matched up.
Trace events with no context are not very useful.

4. Name trace events after their function. If there are multiple trace events
in one function, append a unique distinguisher at the end of the name.

== Generic interface and monitor commands ==

You can programmatically query and control the dynamic state of trace events
through a backend-agnostic interface:

* trace_print_events

* trace_event_set_state
Enables or disables trace events at runtime inside QEMU.
The function returns “true” if the state of the event has been successfully
changed, or “false” otherwise:

#include “trace/control.h”

trace_event_set_state(“virtio_irq”, true); /* enable */
[...]
trace_event_set_state(“virtio_irq”, false); /* disable */

Note that some of the backends do not provide an implementation for this
interface, in which case QEMU will just print a warning.

This functionality is also provided through monitor commands:

* info trace-events
View available trace events and their state. State 1 means enabled, state 0
means disabled.

* trace-event NAME on|off
Enable/disable a given trace event or a group of events having common prefix
through wildcard.

The “-trace events=” command line argument can be used to enable the
events listed in from the very beginning of the program. This file must
contain one event name per line.

A basic wildcard matching is supported in both the monitor command “trace
-event” and the events list file. That means you can enable/disable the events
having a common prefix in a batch. For example, virtio-blk trace events could
be enabled using:
trace-event virtio_blk_* on

== Trace backends ==

The “tracetool” script automates tedious trace event code generation and also
keeps the trace event declarations independent of the trace backend. The trace
events are not tightly coupled to a specific trace backend, such as LTTng or
SystemTap. Support for trace backends can be added by extending the “tracetool”
script.

The trace backend is chosen at configure time and only one trace backend can
be built into the binary:

./configure –trace-backend=simple

For a list of supported trace backends, try ./configure –help or see below.

The following subsections describe the supported trace backends.

=== Nop ===

The “nop” backend generates empty trace event functions so that the compiler
can optimize out trace events completely. This is the default and imposes no
performance penalty.

Note that regardless of the selected trace backend, events with the “disable”
property will be generated with the “nop” backend.

=== Stderr ===

The “stderr” backend sends trace events directly to standard error. This
effectively turns trace events into debug printfs.

This is the simplest backend and can be used together with existing code that
uses DPRINTF().

=== Simpletrace ===

The “simple” backend supports common use cases and comes as part of the QEMU
source tree. It may not be as powerful as platform-specific or third-party
trace backends but it is portable. This is the recommended trace backend
unless you have specific needs for more advanced backends.

The “simple” backend currently does not capture string arguments, it simply
records the char* pointer value instead of the string that is pointed to.

==== Monitor commands ====

* info trace
Display the contents of trace buffer. This command dumps the trace buffer
with simple formatting. For full pretty-printing, use the simpletrace.py
script on a binary trace file.

The trace buffer is written into until full. The full trace buffer is
flushed and emptied. This means the ‘info trace’ will display few or no
entries if the buffer has just been flushed.

* trace-file on|off|flush|setEnable/disable/flush the trace file or set the trace file name.

==== Analyzing trace files ====

The “simple” backend produces binary trace files that can be formatted with the
simpletrace.py script. The script takes the “trace-events” file and the binary
trace:

./simpletrace.py trace-events trace-12345

You must ensure that the same “trace-events” file was used to build QEMU,
otherwise trace event declarations may have changed and output will not be
consistent.

=== LTTng Userspace Tracer ===

The “ust” backend uses the LTTng Userspace Tracer library. There are no
monitor commands built into QEMU, instead UST utilities should be used to list,
enable/disable, and dump traces.

=== SystemTap ===

The “dtrace” backend uses DTrace sdt probes but has only been tested with
SystemTap. When SystemTap support is detected a .stp file with wrapper probes
is generated to make use in scripts more convenient. This step can also be
performed manually after a build in order to change the binary name in the .stp
probes:

scripts/tracetool –dtrace –stap \
–binary path/to/qemu-binary \
–target-type system \
–target-arch x86_64 \
<trace-events >qemu.stp

== Trace event properties ==

Each event in the “trace-events” file can be prefixed with a space-separated
list of zero or more of the following event properties.

=== “disable” ===

If a specific trace event is going to be invoked a huge number of times, this
might have a noticeable performance impact even when the event is
programmatically disabled.

In this case you should declare such event with the “disable” property. This
will effectively disable the event at compile time (by using the “nop” backend),
thus having no performance impact at all on regular builds (i.e., unless you
edit the “trace-events” file).

In addition, there might be cases where relatively complex computations must be
performed to generate values that are only used as arguments for a trace
function. In these cases you can use the macro ‘TRACE_${EVENT_NAME}_ENABLED’ to
guard such computations and avoid its compilation when the event is disabled:

#include “trace.h” /* needed for trace event prototype */

void *qemu_vmalloc(size_t size)
{
void *ptr;
size_t align = QEMU_VMALLOC_ALIGN;

if (size < align) {
align = getpagesize();
}
ptr = qemu_memalign(align, size);
if (TRACE_QEMU_VMALLOC_ENABLED) { /* preprocessor macro */
void *complex;
/* some complex computations to produce the ‘complex’ value */
trace_qemu_vmalloc(size, ptr, complex);
}
return ptr;
}