Code Spelunking Redux

On a typical operating system, these number in the low hundreds, and although they can give clues to what a complex piece of software is doing, they are not the whole story. Ktrace cannot trace the operating system itself; that can now be accomplished using DTrace.

When people discuss DTrace they often point out the large number of probes available, which on Mac OS X is more than 23,000. This is somewhat misleading. Not all of the probes are immediately usable, and in reality, having such an embarrassment of riches makes picking the most useful probes for a particular job difficult. A probe is some piece of code in an application, library, or the operating system that can be instrumented to record information on behalf of the user. The probes are broken down into several categories based on what they record. Each probe is delineated by its Provider, Module, Function, and Name. Providers are named after systems such as io, lockstat, proc, profile, syscall, vminfo, and dtrace itself. Several distinct providers are available in Mac OS X,

FIGURE 1: Caller Graph for ip_output()
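The Provider, Module, Function, and Name of each probe, described above, are what let you cut a list of thousands of probes down to the few that matter for one job. The shell example below is added here and is not code from the original article; it runs over a constructed listing in the column order that `dtrace -l` prints, and the sample rows and IDs and the function names `sample_listing`, `count_by_provider`, `to_tuples`, and `probes_for_function` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise a `dtrace -l` style listing by its four-part probe names.

# Constructed sample in the column order `dtrace -l` prints
# (ID PROVIDER MODULE FUNCTION NAME). IDs and rows are made up.
sample_listing() {
cat <<'EOF'
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
  101    syscall                                                open entry
  102    syscall                                                open return
  103    syscall                                               write entry
  201        fbt        mach_kernel                       ip_output entry
  202        fbt        mach_kernel                       ip_output return
  301         io        mach_kernel                    buf_strategy start
EOF
}

# Print "provider count" for each provider, largest first.
count_by_provider() {
  awk 'NR > 1 && NF >= 3 { n[$2]++ }
       END { for (p in n) print p, n[p] }' | sort -k2,2nr -k1,1
}

# Rewrite each row as provider:module:function:name, the form used in a
# probe description. Blank columns collapse under whitespace splitting, so:
#   5 fields: all four parts present
#   4 fields: assumed to be a blank MODULE (as in the syscall rows above)
#   3 fields: MODULE and FUNCTION both blank (as in dtrace:::BEGIN)
to_tuples() {
  awk 'NR == 1 { next }
       NF == 5 { print $2 ":" $3 ":" $4 ":" $5 }
       NF == 4 { print $2 "::" $3 ":" $4 }
       NF == 3 { print $2 ":::" $3 }'
}

# Probes attached to one function, e.g. the ip_output() of Figure 1.
probes_for_function() {
  to_tuples | awk -F: -v fn="$1" '$3 == fn'
}

sample_listing | count_by_provider
sample_listing | probes_for_function ip_output
```

On a real system, pipe `dtrace -l` into these functions in place of `sample_listing`; listing probes normally requires root privileges.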

30 November/December 2008 ACM QUEUE

rants: feedback@acmqueue.com
