0001 ===================================
0002 In-kernel memory-mapped I/O tracing
0003 ===================================
0004
0005
0006 Home page and links to optional user space tools:
0007
0008 https://nouveau.freedesktop.org/wiki/MmioTrace
0009
0010 MMIO tracing was originally developed by Intel around 2003 for their Fault
0011 Injection Test Harness. In Dec 2006 - Jan 2007, using the code from Intel,
0012 Jeff Muizelaar created a tool for tracing MMIO accesses with the Nouveau
0013 project in mind. Since then many people have contributed.
0014
0015 Mmiotrace was built for reverse engineering any memory-mapped IO device with
0016 the Nouveau project as the first real user. Only x86 and x86_64 architectures
0017 are supported.
0018
0019 Out-of-tree mmiotrace was originally modified for mainline inclusion and
0020 ftrace framework by Pekka Paalanen <pq@iki.fi>.
0021
0022
0023 Preparation
0024 -----------
0025
0026 Mmiotrace feature is compiled in by the CONFIG_MMIOTRACE option. Tracing is
0027 disabled by default, so it is safe to have this set to yes. SMP systems are
0028 supported, but tracing is unreliable and may miss events if more than one CPU
0029 is on-line, therefore mmiotrace takes all but one CPU off-line during run-time
0030 activation. You can re-enable CPUs by hand, but you have been warned, there
0031 is no way to automatically detect if you are losing events due to CPUs racing.
0032
0033
0034 Usage Quick Reference
0035 ---------------------
0036 ::
0037
0038 $ mount -t debugfs debugfs /sys/kernel/debug
0039 $ echo mmiotrace > /sys/kernel/debug/tracing/current_tracer
0040 $ cat /sys/kernel/debug/tracing/trace_pipe > mydump.txt &
0041 Start X or whatever.
0042 $ echo "X is up" > /sys/kernel/debug/tracing/trace_marker
0043 $ echo nop > /sys/kernel/debug/tracing/current_tracer
0044 Check for lost events.
0045
0046
0047 Usage
0048 -----
0049
0050 Make sure debugfs is mounted to /sys/kernel/debug.
0051 If not (requires root privileges)::
0052
0053 $ mount -t debugfs debugfs /sys/kernel/debug
0054
0055 Check that the driver you are about to trace is not loaded.
0056
0057 Activate mmiotrace (requires root privileges)::
0058
0059 $ echo mmiotrace > /sys/kernel/debug/tracing/current_tracer
0060
0061 Start storing the trace::
0062
0063 $ cat /sys/kernel/debug/tracing/trace_pipe > mydump.txt &
0064
0065 The 'cat' process should stay running (sleeping) in the background.
0066
0067 Load the driver you want to trace and use it. Mmiotrace will only catch MMIO
0068 accesses to areas that are ioremapped while mmiotrace is active.
0069
0070 During tracing you can place comments (markers) into the trace by
0071 $ echo "X is up" > /sys/kernel/debug/tracing/trace_marker
0072 This makes it easier to see which part of the (huge) trace corresponds to
0073 which action. It is recommended to place descriptive markers about what you
0074 do.
0075
0076 Shut down mmiotrace (requires root privileges)::
0077
0078 $ echo nop > /sys/kernel/debug/tracing/current_tracer
0079
0080 The 'cat' process exits. If it does not, kill it by issuing 'fg' command and
0081 pressing ctrl+c.
0082
0083 Check that mmiotrace did not lose events due to a buffer filling up. Either::
0084
0085 $ grep -i lost mydump.txt
0086
0087 which tells you exactly how many events were lost, or use::
0088
0089 $ dmesg
0090
0091 to view your kernel log and look for "mmiotrace has lost events" warning. If
0092 events were lost, the trace is incomplete. You should enlarge the buffers and
0093 try again. Buffers are enlarged by first seeing how large the current buffers
0094 are::
0095
0096 $ cat /sys/kernel/debug/tracing/buffer_size_kb
0097
0098 gives you a number. Approximately double this number and write it back, for
0099 instance::
0100
0101 $ echo 128000 > /sys/kernel/debug/tracing/buffer_size_kb
0102
0103 Then start again from the top.
0104
0105 If you are doing a trace for a driver project, e.g. Nouveau, you should also
0106 do the following before sending your results::
0107
0108 $ lspci -vvv > lspci.txt
0109 $ dmesg > dmesg.txt
0110 $ tar zcf pciid-nick-mmiotrace.tar.gz mydump.txt lspci.txt dmesg.txt
0111
0112 and then send the .tar.gz file. The trace compresses considerably. Replace
0113 "pciid" and "nick" with the PCI ID or model name of your piece of hardware
0114 under investigation and your nickname.
0115
0116
0117 How Mmiotrace Works
0118 -------------------
0119
0120 Access to hardware IO-memory is gained by mapping addresses from PCI bus by
0121 calling one of the ioremap_*() functions. Mmiotrace is hooked into the
0122 __ioremap() function and gets called whenever a mapping is created. Mapping is
0123 an event that is recorded into the trace log. Note that ISA range mappings
0124 are not caught, since the mapping always exists and is returned directly.
0125
0126 MMIO accesses are recorded via page faults. Just before __ioremap() returns,
0127 the mapped pages are marked as not present. Any access to the pages causes a
0128 fault. The page fault handler calls mmiotrace to handle the fault. Mmiotrace
0129 marks the page present, sets TF flag to achieve single stepping and exits the
0130 fault handler. The instruction that faulted is executed and debug trap is
0131 entered. Here mmiotrace again marks the page as not present. The instruction
0132 is decoded to get the type of operation (read/write), data width and the value
0133 read or written. These are stored to the trace log.
0134
0135 Setting the page present in the page fault handler has a race condition on SMP
0136 machines. During the single stepping other CPUs may run freely on that page
0137 and events can be missed without a notice. Re-enabling other CPUs during
0138 tracing is discouraged.
0139
0140
0141 Trace Log Format
0142 ----------------
0143
0144 The raw log is text and easily filtered with e.g. grep and awk. One record is
0145 one line in the log. A record starts with a keyword, followed by keyword-
0146 dependent arguments. Arguments are separated by a space, or continue until the
0147 end of line. The format for version 20070824 is as follows:
0148
0149 Explanation Keyword Space-separated arguments
0150 ---------------------------------------------------------------------------
0151
0152 read event R width, timestamp, map id, physical, value, PC, PID
0153 write event W width, timestamp, map id, physical, value, PC, PID
0154 ioremap event MAP timestamp, map id, physical, virtual, length, PC, PID
0155 iounmap event UNMAP timestamp, map id, PC, PID
0156 marker MARK timestamp, text
0157 version VERSION the string "20070824"
0158 info for reader LSPCI one line from lspci -v
0159 PCI address map PCIDEV space-separated /proc/bus/pci/devices data
0160 unk. opcode UNKNOWN timestamp, map id, physical, data, PC, PID
0161
0162 Timestamp is in seconds with decimals. Physical is a PCI bus address, virtual
0163 is a kernel virtual address. Width is the data width in bytes and value is the
0164 data value. Map id is an arbitrary id number identifying the mapping that was
0165 used in an operation. PC is the program counter and PID is process id. PC is
0166 zero if it is not recorded. PID is always zero as tracing MMIO accesses
0167 originating in user space memory is not yet supported.
0168
0169 For instance, the following awk filter will pass all 32-bit writes that target
0170 physical addresses in the range [0xfb73ce40, 0xfb800000]
0171 ::
0172
0173 $ awk '/W 4 / { adr=strtonum($5); if (adr >= 0xfb73ce40 &&
0174 adr < 0xfb800000) print; }'
0175
0176
0177 Tools for Developers
0178 --------------------
0179
0180 The user space tools include utilities for:
0181 - replacing numeric addresses and values with hardware register names
0182 - replaying MMIO logs, i.e., re-executing the recorded writes
0183
0184
