linux/Documentation/tracers/mmiotrace.txt
<<
>>
Prefs
   1                In-kernel memory-mapped I/O tracing
   2
   3
   4Home page and links to optional user space tools:
   5
   6        http://nouveau.freedesktop.org/wiki/MmioTrace
   7
   8MMIO tracing was originally developed by Intel around 2003 for their Fault
   9Injection Test Harness. In Dec 2006 - Jan 2007, using the code from Intel,
  10Jeff Muizelaar created a tool for tracing MMIO accesses with the Nouveau
  11project in mind. Since then many people have contributed.
  12
  13Mmiotrace was built for reverse engineering any memory-mapped IO device with
  14the Nouveau project as the first real user. Only x86 and x86_64 architectures
  15are supported.
  16
  17Out-of-tree mmiotrace was originally modified for mainline inclusion and
  18ftrace framework by Pekka Paalanen <pq@iki.fi>.
  19
  20
  21Preparation
  22-----------
  23
  24Mmiotrace feature is compiled in by the CONFIG_MMIOTRACE option. Tracing is
  25disabled by default, so it is safe to have this set to yes. SMP systems are
  26supported, but tracing is unreliable and may miss events if more than one CPU
  27is on-line, therefore mmiotrace takes all but one CPU off-line during run-time
  28activation. You can re-enable CPUs by hand, but you have been warned, there
  29is no way to automatically detect if you are losing events due to CPUs racing.
  30
  31
  32Usage Quick Reference
  33---------------------
  34
  35$ mount -t debugfs debugfs /debug
  36$ echo mmiotrace > /debug/tracing/current_tracer
  37$ cat /debug/tracing/trace_pipe > mydump.txt &
  38Start X or whatever.
  39$ echo "X is up" > /debug/tracing/trace_marker
  40$ echo nop > /debug/tracing/current_tracer
  41Check for lost events.
  42
  43
  44Usage
  45-----
  46
  47Make sure debugfs is mounted to /debug. If not, (requires root privileges)
  48$ mount -t debugfs debugfs /debug
  49
  50Check that the driver you are about to trace is not loaded.
  51
  52Activate mmiotrace (requires root privileges):
  53$ echo mmiotrace > /debug/tracing/current_tracer
  54
  55Start storing the trace:
  56$ cat /debug/tracing/trace_pipe > mydump.txt &
  57The 'cat' process should stay running (sleeping) in the background.
  58
  59Load the driver you want to trace and use it. Mmiotrace will only catch MMIO
  60accesses to areas that are ioremapped while mmiotrace is active.
  61
  62During tracing you can place comments (markers) into the trace by
  63$ echo "X is up" > /debug/tracing/trace_marker
  64This makes it easier to see which part of the (huge) trace corresponds to
  65which action. It is recommended to place descriptive markers about what you
  66do.
  67
  68Shut down mmiotrace (requires root privileges):
  69$ echo nop > /debug/tracing/current_tracer
  70The 'cat' process exits. If it does not, kill it by issuing 'fg' command and
  71pressing ctrl+c.
  72
  73Check that mmiotrace did not lose events due to a buffer filling up. Either
  74$ grep -i lost mydump.txt
  75which tells you exactly how many events were lost, or use
  76$ dmesg
  77to view your kernel log and look for "mmiotrace has lost events" warning. If
  78events were lost, the trace is incomplete. You should enlarge the buffers and
  79try again. Buffers are enlarged by first seeing how large the current buffers
  80are:
  81$ cat /debug/tracing/buffer_size_kb
  82gives you a number. Approximately double this number and write it back, for
  83instance:
  84$ echo 128000 > /debug/tracing/buffer_size_kb
  85Then start again from the top.
  86
  87If you are doing a trace for a driver project, e.g. Nouveau, you should also
  88do the following before sending your results:
  89$ lspci -vvv > lspci.txt
  90$ dmesg > dmesg.txt
  91$ tar zcf pciid-nick-mmiotrace.tar.gz mydump.txt lspci.txt dmesg.txt
  92and then send the .tar.gz file. The trace compresses considerably. Replace
  93"pciid" and "nick" with the PCI ID or model name of your piece of hardware
  94under investigation and your nick name.
  95
  96
  97How Mmiotrace Works
  98-------------------
  99
 100Access to hardware IO-memory is gained by mapping addresses from PCI bus by
 101calling one of the ioremap_*() functions. Mmiotrace is hooked into the
 102__ioremap() function and gets called whenever a mapping is created. Mapping is
 103an event that is recorded into the trace log. Note, that ISA range mappings
 104are not caught, since the mapping always exists and is returned directly.
 105
 106MMIO accesses are recorded via page faults. Just before __ioremap() returns,
 107the mapped pages are marked as not present. Any access to the pages causes a
 108fault. The page fault handler calls mmiotrace to handle the fault. Mmiotrace
 109marks the page present, sets TF flag to achieve single stepping and exits the
 110fault handler. The instruction that faulted is executed and debug trap is
 111entered. Here mmiotrace again marks the page as not present. The instruction
 112is decoded to get the type of operation (read/write), data width and the value
 113read or written. These are stored to the trace log.
 114
 115Setting the page present in the page fault handler has a race condition on SMP
 116machines. During the single stepping other CPUs may run freely on that page
 117and events can be missed without a notice. Re-enabling other CPUs during
 118tracing is discouraged.
 119
 120
 121Trace Log Format
 122----------------
 123
 124The raw log is text and easily filtered with e.g. grep and awk. One record is
 125one line in the log. A record starts with a keyword, followed by keyword
 126dependant arguments. Arguments are separated by a space, or continue until the
 127end of line. The format for version 20070824 is as follows:
 128
 129Explanation     Keyword Space separated arguments
 130---------------------------------------------------------------------------
 131
 132read event      R       width, timestamp, map id, physical, value, PC, PID
 133write event     W       width, timestamp, map id, physical, value, PC, PID
 134ioremap event   MAP     timestamp, map id, physical, virtual, length, PC, PID
 135iounmap event   UNMAP   timestamp, map id, PC, PID
 136marker          MARK    timestamp, text
 137version         VERSION the string "20070824"
 138info for reader LSPCI   one line from lspci -v
 139PCI address map PCIDEV  space separated /proc/bus/pci/devices data
 140unk. opcode     UNKNOWN timestamp, map id, physical, data, PC, PID
 141
 142Timestamp is in seconds with decimals. Physical is a PCI bus address, virtual
 143is a kernel virtual address. Width is the data width in bytes and value is the
 144data value. Map id is an arbitrary id number identifying the mapping that was
 145used in an operation. PC is the program counter and PID is process id. PC is
 146zero if it is not recorded. PID is always zero as tracing MMIO accesses
 147originating in user space memory is not yet supported.
 148
 149For instance, the following awk filter will pass all 32-bit writes that target
 150physical addresses in the range [0xfb73ce40, 0xfb800000[
 151
 152$ awk '/W 4 / { adr=strtonum($5); if (adr >= 0xfb73ce40 &&
 153adr < 0xfb800000) print; }'
 154
 155
 156Tools for Developers
 157--------------------
 158
 159The user space tools include utilities for:
 160- replacing numeric addresses and values with hardware register names
 161- replaying MMIO logs, i.e., re-executing the recorded writes
 162
 163
 164