[HN Gopher] DTrace-on-Windows
___________________________________________________________________
DTrace-on-Windows
Author : thunderbong
Score : 100 points
Date : 2022-08-19 10:27 UTC (12 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| tobinfekkes wrote:
| Yesterday, Bryan Cantrill was on the homepage for learning via
| screaming at a server, now he's back here for an equally useful
| contribution :)
| stevemk14ebr wrote:
| While amazing, this Microsoft implementation has some
| limitations. See my adaptation / reimplementation here
| https://github.com/mandiant/STrace
| 4ad wrote:
| Yours doesn't even support the D language, which is the most
| useful part of DTrace.
|
| Also it lacks the most important property of DTrace -- safety.
| With DTrace you can't crash the machine. Unless I am
| misunderstanding something, your code doesn't have this
| property.
| stevemk14ebr wrote:
| Yes, you do misunderstand. The D language is terrible, it has
| no loops, no functions, it is not a usable language beyond
| basic scripts. The _good_ part of the windows implementation
| is the kernel interfaces, which is what my design uses. The
| entire point of this research was to discard the D language.
|
| My implementation(s) allow you to use C++ 17, or Web Assembly
| instead. These are significantly more powerful languages. The
| Web Assembly scripts are a demonstration of using the same
| 'safe' architecture as DTrace. While the C++17 DLL system is
| a demonstration of an 'unsafe' but more powerful design.
|
| If you think DTrace can't crash the system, you are mistaken.
| adamrezich wrote:
| to clarify for the uninitiated like myself: this "D" is not
| the Walter Bright "D", but a language specifically for
| DTrace.
| anaisbetts wrote:
| Windows since Vista actually has a similar tool called ETW that
| is insanely powerful and worth a look as well. It also has its
| own analyzer tool called XPerf to help you understand the data
| you capture.
| 4ad wrote:
| ETW is not similar at all to DTrace, a fact explained in the
| README of the linked repository.
|
| I am not privy to Microsoft's decision to port (and ship!)
| DTrace to Windows, but I would imagine its advantages compared
| to ETW had something to do with it...
| anaisbetts wrote:
| It is similar in the types of problems you would try to solve
| with both tools, and the data that you can collect - not in
| their design. Both allow you to gather extremely detailed
| performance and trace information about a running system,
| without having to explicitly stop/restart running processes.
| 4ad wrote:
| > without having to explicitly stop/restart running
| processes.
|
| With DTrace you not only don't have to restart processes,
| but you don't have to _recompile_ them. ETW is glorified
| logging. Logging is useful, but dynamic tracing is
| transformatively different. I can't recompile the Windows
| kernel to add missing ETW probes, but I can use DTrace to
| probe it just fine.
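As an added example (not from this thread, and not code from Microsoft's DTrace repository), the following shows the two things argued about above in one place: what a D script looks like without loops or functions, relying on predicates, thread-local variables and aggregations instead, and what "probe the running kernel without restarting or recompiling anything" means in practice on Windows. It assumes the Windows DTrace package is installed (dtrace.exe in System32, DTrace enabled via bcdedit as the Microsoft docs describe) and an elevated PowerShell; the script path under %TEMP% is an arbitrary choice.

```powershell
# Added example, not from the thread or Microsoft's repo. Counts system calls
# per (process, syscall) and histograms entry-to-return latency, system-wide,
# with no loops or functions in the D source.

# Prerequisite checks (assumptions: elevated shell, dtrace.exe on PATH)
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell; DTrace needs admin rights.'
}
if (-not (Get-Command dtrace.exe -ErrorAction SilentlyContinue)) {
    throw 'dtrace.exe not found; install the Windows DTrace package first.'
}

$script = @'
/* One clause per event. State lives in thread-local (self->) variables
   and in aggregations; that is the D substitute for loops and functions. */
syscall:::entry
{
    self->ts = timestamp;                    /* ns timestamp at entry */
    @calls[execname, probefunc] = count();   /* per-process, per-syscall */
}

/* Predicate: only fire if this thread recorded an entry timestamp */
syscall:::return
/self->ts/
{
    @lat[probefunc] = quantize(timestamp - self->ts);  /* power-of-2 buckets */
    self->ts = 0;
}

/* Ctrl+C fires END: report the busiest pairs and a few latency histograms */
END
{
    trunc(@calls, 15);
    printf("\n%-24s %-32s %s\n", "PROCESS", "SYSCALL", "COUNT");
    printa("%-24s %-32s %@u\n", @calls);
    trunc(@lat, 5);
    printa(@lat);
}
'@

# Assumed location for the script file; any writable path works.
$path = Join-Path $env:TEMP 'syscalls.d'
Set-Content -Path $path -Value $script -Encoding ASCII

# -s runs the script against the live kernel; no process is restarted and
# nothing is recompiled. Stop with Ctrl+C to trigger the END clause.
& dtrace.exe -s $path
```

The syscall provider is the safe starting point because its probe names (the Nt* syscall entry points) are stable and visible in `dtrace -ln syscall:::`. The same clause shape applies to the other providers the Windows port documents, such as fbt probes on kernel functions, which is the "probe the kernel without recompiling" case from the comment above.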
| 0mp wrote:
| It's pretty cool to see it forked off the OpenDTrace repository
| on GitHub.
| jongalloway2 wrote:
| Blog post with more info (2019):
| https://techcommunity.microsoft.com/t5/windows-kernel-intern...
| flakiness wrote:
| Why now, and why DTrace (vs BPF)? Looking at the doc [1]:
|
| > Check that you are running a supported version of Windows. The
| current download of DTrace is supported in the Insider builds of
| 20H1 Windows after version 18980 and Windows Server Build 18975.
| Installing this version of DTrace on older versions of Windows
| can lead to system instability and is not recommended. The
| archived version of DTrace for 19H1 is available at Archived
| Download DTrace on Windows. Note that this version of DTrace is
| no longer supported.
|
| So it's not "now", but has been there for a while. Also it might
| not be very helpful to align with BPF anyway as the kernel itself
| is totally different thus any tool reuse wouldn't be very
| practical.
|
| [1] https://docs.microsoft.com/en-us/windows-hardware/drivers/de...
| stevemk14ebr wrote:
| Dtrace was added to windows before the bpf system was. This is
| a bit over two years old now.
| flakiness wrote:
| You made me realize that Windows does support BPF! I saw that
| before but forgot about that. Thanks for the reminder! Such a
| crazy operating system (an applause.)
|
| https://cloudblogs.microsoft.com/opensource/2021/05/10/makin...
| 0mp wrote:
| It probably helps that OpenDTrace has a published specification
| that you can use to not only to reimplement bits of DTrace from
| scratch but also to agree on a common behavior across many
| operating systems: https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-924.pdf
| CoastalCoder wrote:
| My impression is that on open-source operating systems, some of
| DTrace's / eBPF's value lies in the ability to monitor kernel
| internals.
|
| If that's true, is DTrace as valuable on Windows, where computer
| owners don't have access to the OS's source code?
|
| For example, I'd love to use a tool like DTrace to monitor
| if/when/what telemetry data is being gathered and sent to
| Microsoft. But I imagine that's not possible for regular people
| like me.
| 4ad wrote:
| Fortunately, Microsoft publishes symbols for the Windows
| kernel.
| wicket wrote:
| > One of the more useful debugging advances that have arrived in
| the last decade is DTrace.
|
| DTrace arrived over 17 years ago with the launch of Solaris 10.
| EddySchauHai wrote:
| Where do you guys learn about using eBPF? It'd be really useful
| for my work, I think, but then most intros I see start with
| 'Recompile the Linux distro' or something and that just seems too
| much effort to get going?
| FooBarWidget wrote:
| I wrote an intro for bpftrace:
| https://www.joyfulbikeshedding.com/blog/2019-01-31-full-syst...
___________________________________________________________________
(page generated 2022-08-19 23:01 UTC)