[HN Gopher] DTrace-on-Windows
___________________________________________________________________
DTrace-on-Windows
Author : thunderbong
Score  : 100 points
Date   : 2022-08-19 10:27 UTC (12 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)

| tobinfekkes wrote:
| Yesterday, Bryan Cantrill was on the homepage for learning via
| screaming at a server, now he's back here for an equally useful
| contribution :)

| stevemk14ebr wrote:
| While amazing, this Microsoft implementation has some
| limitations. See my adaptation / reimplementation here
| https://github.com/mandiant/STrace

  | 4ad wrote:
  | Yours doesn't even support the D language, which is the most
  | useful part of DTrace.
  |
  | Also it lacks the most important property of DTrace -- safety.
  | With DTrace you can't crash the machine. Unless I am
  | misunderstanding something, your code doesn't have this
  | property.

    | stevemk14ebr wrote:
    | Yes, you do misunderstand. The D language is terrible: it has
    | no loops, no functions; it is not a usable language beyond
    | basic scripts. The _good_ part of the Windows implementation
    | is the kernel interfaces, which is what my design uses. The
    | entire point of this research was to discard the D language.
    |
    | My implementation(s) allow you to use C++17 or WebAssembly
    | instead. These are significantly more powerful languages. The
    | WebAssembly scripts are a demonstration of using the same
    | 'safe' architecture as DTrace, while the C++17 DLL system is
    | a demonstration of an 'unsafe' but more powerful design.
    |
    | If you think DTrace can't crash the system, you are mistaken.

    | adamrezich wrote:
    | To clarify for the uninitiated like myself: this "D" is not
    | the Walter Bright "D", but a language specifically for
    | DTrace.

| anaisbetts wrote:
| Windows since Vista actually has a similar tool called ETW that
| is insanely powerful and worth a look as well. It also has its
| own analyzer tool called XPerf to help you understand the data
| you capture.
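To make the exchange between 4ad and stevemk14ebr about the D language concrete, here is a small D script of the kind DTrace on Windows runs. It is an added example written for this page, not code from the linked repository, from STrace, or from anyone in the thread. It shows the trade-off both sides describe: there are no loops and no user-defined functions, so the work is expressed as a predicate plus an aggregation, and it is exactly that restricted shape that lets the runtime bound what a script can do. The process name "notepad.exe" is a constructed sample value, and the script assumes the syscall and profile providers are available in the Windows port as they are in other DTrace ports.

```d
/* Added example for this page; not from the DTrace-on-Windows
 * repository or from the thread. Assumes the syscall and profile
 * providers exist in the Windows port, as in other DTrace ports. */

/* Fire on entry to every system call, but keep only those made by
 * the process of interest. "notepad.exe" is a constructed sample
 * value; the predicate is evaluated in the kernel, so nothing else
 * is recorded. */
syscall:::entry
/execname == "notepad.exe"/
{
    /* Aggregation keyed by (process, syscall name). There is no
     * loop and no user function: count() is a built-in aggregating
     * action the runtime can bound. */
    @calls[execname, probefunc] = count();
}

/* The profile provider's tick probe replaces a polling loop: after
 * ten seconds, print the aggregation table and stop. */
profile:::tick-10s
{
    printa("%-24s %-32s %@8u\n", @calls);
    exit(0);
}
```

Run it with `dtrace -s script.d` from an elevated prompt on a build that supports the port; the output is a table of syscall names and counts for the traced process, gathered without restarting or recompiling it. The point for a defender is the one 4ad makes about safety: a script like this cannot branch indefinitely or call arbitrary code, so leaving it attached to a production system is a bounded risk, at the cost of the expressiveness stevemk14ebr wants.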
  | 4ad wrote:
  | ETW is not similar at all to DTrace, a fact explained in the
  | README of the linked repository.
  |
  | I am not privy to Microsoft's decision to port (and ship!)
  | DTrace to Windows, but I would imagine its advantages compared
  | to ETW had something to do with it...

    | anaisbetts wrote:
    | It is similar in the types of problems you would try to solve
    | with both tools, and the data that you can collect - not in
    | their design. Both allow you to gather extremely detailed
    | performance and trace information about a running system,
    | without having to explicitly stop/restart running processes.

      | 4ad wrote:
      | > without having to explicitly stop/restart running
      | > processes.
      |
      | With DTrace you not only don't have to restart processes,
      | but you don't have to _recompile_ them. ETW is glorified
      | logging. Logging is useful, but dynamic tracing is
      | transformatively different. I can't recompile the Windows
      | kernel to add missing ETW probes, but I can use DTrace to
      | probe it just fine.

| 0mp wrote:
| It's pretty cool to see it forked off the OpenDTrace repository
| on GitHub.

| jongalloway2 wrote:
| Blog post with more info (2019):
| https://techcommunity.microsoft.com/t5/windows-kernel-intern...

| flakiness wrote:
| Why now, and why DTrace (vs BPF)? Looking at the doc [1]:
|
| > Check that you are running a supported version of Windows. The
| > current download of DTrace is supported in the Insider builds of
| > 20H1 Windows after version 18980 and Windows Server Build 18975.
| > Installing this version of DTrace on older versions of Windows
| > can lead to system instability and is not recommended. The
| > archived version of DTrace for 19H1 is available at Archived
| > Download DTrace on Windows. Note that this version of DTrace is
| > no longer supported.
|
| So it's not "now", but has been there for a while. Also it might
| not be very helpful to align with BPF anyway as the kernel itself
| is totally different, thus any tool reuse wouldn't be very
| practical.
|
| [1] https://docs.microsoft.com/en-us/windows-hardware/drivers/de...

  | stevemk14ebr wrote:
  | DTrace was added to Windows before the BPF system was. This is
  | a bit over two years old now.

    | flakiness wrote:
    | You made me realize that Windows does support BPF! I saw that
    | before but forgot about that. Thanks for the reminder! Such a
    | crazy operating system (applause).
    |
    | https://cloudblogs.microsoft.com/opensource/2021/05/10/makin...

| 0mp wrote:
| It probably helps that OpenDTrace has a published specification
| that you can use not only to reimplement bits of DTrace from
| scratch but also to agree on a common behavior across many
| operating systems:
| https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-924.pdf

| CoastalCoder wrote:
| My impression is that on open-source operating systems, some of
| DTrace's / eBPF's value lies in the ability to monitor kernel
| internals.
|
| If that's true, is DTrace as valuable on Windows, where computer
| owners don't have access to the OS's source code?
|
| For example, I'd love to use a tool like DTrace to monitor
| if/when/what telemetry data is being gathered and sent to
| Microsoft. But I imagine that's not possible for regular people
| like me.

  | 4ad wrote:
  | Fortunately, Microsoft publishes symbols for the Windows
  | kernel.

| wicket wrote:
| > One of the more useful debugging advances that have arrived in
| > the last decade is DTrace.
|
| DTrace arrived over 17 years ago with the launch of Solaris 10.

| EddySchauHai wrote:
| Where do you guys learn about using eBPF? It'd be really useful
| for my work, I think, but then most intros I see start with
| 'Recompile the Linux distro' or something and that just seems too
| much effort to get going?

  | FooBarWidget wrote:
  | I wrote an intro for bpftrace:
  | https://www.joyfulbikeshedding.com/blog/2019-01-31-full-syst...
___________________________________________________________________
(page generated 2022-08-19 23:01 UTC)