Intel Processor Trace
=====================

Overview
========

Intel Processor Trace (Intel PT) is an extension of Intel Architecture that
collects information about software execution such as control flow, execution
modes and timings and formats it into highly compressed binary packets.
Technical details are documented in the Intel 64 and IA-32 Architectures
Software Developer Manuals, Chapter 36 Intel Processor Trace.

Intel PT is first supported in Intel Core M and 5th generation Intel Core
processors that are based on the Intel micro-architecture code name Broadwell.

Trace data is collected by 'perf record' and stored within the perf.data file.
See below for options to 'perf record'.

Trace data must be 'decoded' which involves walking the object code and matching
the trace data packets. For example a TNT packet only tells whether a
conditional branch was taken or not taken, so to make use of that packet the
decoder must know precisely which instruction was being executed.

Decoding is done on-the-fly.  The decoder outputs samples in the same format as
samples output by perf hardware events, for example as though the "instructions"
or "branches" events had been recorded.  Presently 3 tools support this:
'perf script', 'perf report' and 'perf inject'.  See below for more information
on using those tools.

The main distinguishing feature of Intel PT is that the decoder can determine
the exact flow of software execution.  Intel PT can be used to understand why
and how did software get to a certain point, or behave a certain way.  The
software does not have to be recompiled, so Intel PT works with debug or release
builds, however the executed images are needed - which makes use in JIT-compiled
environments, or with self-modified code, a challenge.  Also symbols need to be
provided to make sense of addresses.

A limitation of Intel PT is that it produces huge amounts of trace data
(hundreds of megabytes per second per core) which takes a long time to decode,
for example two or three orders of magnitude longer than it took to collect.
Another limitation is the performance impact of tracing, something that will
vary depending on the use-case and architecture.


Quickstart
==========

It is important to start small.  That is because it is easy to capture vastly
more data than can possibly be processed.

The simplest thing to do with Intel PT is userspace profiling of small programs.
Data is captured with 'perf record' e.g. to trace 'ls' userspace-only:

	perf record -e intel_pt//u ls

And profiled with 'perf report' e.g.

	perf report

To also trace kernel space presents a problem, namely kernel self-modifying
code.  A fairly good kernel image is available in /proc/kcore but to get an
accurate image a copy of /proc/kcore needs to be made under the same conditions
as the data capture.  A script perf-with-kcore can do that, but beware that the
script makes use of 'sudo' to copy /proc/kcore.  If you have perf installed
locally from the source tree you can do:

	~/libexec/perf-core/perf-with-kcore record pt_ls -e intel_pt// -- ls

which will create a directory named 'pt_ls' and put the perf.data file and
copies of /proc/kcore, /proc/kallsyms and /proc/modules into it.  Then to use
'perf report' becomes:

	~/libexec/perf-core/perf-with-kcore report pt_ls

Because samples are synthesized after-the-fact, the sampling period can be
selected for reporting. e.g. sample every microsecond

	~/libexec/perf-core/perf-with-kcore report pt_ls --itrace=i1usge

See the sections below for more information about the --itrace option.

Beware the smaller the period, the more samples that are produced, and the
longer it takes to process them.

Also note that the coarseness of Intel PT timing information will start to
distort the statistical value of the sampling as the sampling period becomes
smaller.

To represent software control flow, "branches" samples are produced.  By default
a branch sample is synthesized for every single branch.  To get an idea what
data is available you can use the 'perf script' tool with no parameters, which
will list all the samples.

	perf record -e intel_pt//u ls
	perf script

An interesting field that is not printed by default is 'flags' which can be
displayed as follows:

	perf script -Fcomm,tid,pid,time,cpu,event,trace,ip,sym,dso,addr,symoff,flags

The flags are "bcrosyiABEx" which stand for branch, call, return, conditional,
system, asynchronous, interrupt, transaction abort, trace begin, trace end, and
in transaction, respectively.

While it is possible to create scripts to analyze the data, an alternative
approach is available to export the data to a postgresql database.  Refer to
script export-to-postgresql.py for more details, and to script
call-graph-from-postgresql.py for an example of using the database.

As mentioned above, it is easy to capture too much data.  One way to limit the
data captured is to use 'snapshot' mode which is explained further below.
Refer to 'new snapshot option' and 'Intel PT modes of operation' further below.

Another problem that will be experienced is decoder errors.  They can be caused
by inability to access the executed image, self-modified or JIT-ed code, or the
inability to match side-band information (such as context switches and mmaps)
which results in the decoder not knowing what code was executed.

There is also the problem of perf not being able to copy the data fast enough,
resulting in data lost because the buffer was full.  See 'Buffer handling' below
for more details.


perf record
===========

new event
---------

The Intel PT kernel driver creates a new PMU for Intel PT.  PMU events are
selected by providing the PMU name followed by the "config" separated by slashes.
An enhancement has been made to allow default "config" e.g. the option

	-e intel_pt//

will use a default config value.  Currently that is the same as

	-e intel_pt/tsc,noretcomp=0/

which is the same as

	-e intel_pt/tsc=1,noretcomp=0/

Note there are now new config terms - see section 'config terms' further below.

The config terms are listed in /sys/devices/intel_pt/format.  They are bit
fields within the config member of the struct perf_event_attr which is
passed to the kernel by the perf_event_open system call.  They correspond to bit
fields in the IA32_RTIT_CTL MSR.  Here is a list of them and their definitions:

	$ grep -H . /sys/bus/event_source/devices/intel_pt/format/*
	/sys/bus/event_source/devices/intel_pt/format/cyc:config:1
	/sys/bus/event_source/devices/intel_pt/format/cyc_thresh:config:19-22
	/sys/bus/event_source/devices/intel_pt/format/mtc:config:9
	/sys/bus/event_source/devices/intel_pt/format/mtc_period:config:14-17
	/sys/bus/event_source/devices/intel_pt/format/noretcomp:config:11
	/sys/bus/event_source/devices/intel_pt/format/psb_period:config:24-27
	/sys/bus/event_source/devices/intel_pt/format/tsc:config:10

Note that the default config must be overridden for each term i.e.

	-e intel_pt/noretcomp=0/

is the same as:

	-e intel_pt/tsc=1,noretcomp=0/

So, to disable TSC packets use:

	-e intel_pt/tsc=0/

It is also possible to specify the config value explicitly:

	-e intel_pt/config=0x400/

Note that, as with all events, the event is suffixed with event modifiers:

	u	userspace
	k	kernel
	h	hypervisor
	G	guest
	H	host
	p	precise ip

'h', 'G' and 'H' are for virtualization which is not supported by Intel PT.
'p' is also not relevant to Intel PT.  So only options 'u' and 'k' are
meaningful for Intel PT.

perf_event_attr is displayed if the -vv option is used e.g.

	------------------------------------------------------------
	perf_event_attr:
	type                             6
	size                             112
	config                           0x400
	{ sample_period, sample_freq }   1
	sample_type                      IP|TID|TIME|CPU|IDENTIFIER
	read_format                      ID
	disabled                         1
	inherit                          1
	exclude_kernel                   1
	exclude_hv                       1
	enable_on_exec                   1
	sample_id_all                    1
	------------------------------------------------------------
	sys_perf_event_open: pid 31104  cpu 0  group_fd -1  flags 0x8
	sys_perf_event_open: pid 31104  cpu 1  group_fd -1  flags 0x8
	sys_perf_event_open: pid 31104  cpu 2  group_fd -1  flags 0x8
	sys_perf_event_open: pid 31104  cpu 3  group_fd -1  flags 0x8
	------------------------------------------------------------


config terms
------------

The June 2015 version of Intel 64 and IA-32 Architectures Software Developer
Manuals, Chapter 36 Intel Processor Trace, defined new Intel PT features.
Some of the features are reflect in new config terms.  All the config terms are
described below.

tsc		Always supported.  Produces TSC timestamp packets to provide
		timing information.  In some cases it is possible to decode
		without timing information, for example a per-thread context
		that does not overlap executable memory maps.

		The default config selects tsc (i.e. tsc=1).

noretcomp	Always supported.  Disables "return compression" so a TIP packet
		is produced when a function returns.  Causes more packets to be
		produced but might make decoding more reliable.

		The default config does not select noretcomp (i.e. noretcomp=0).

psb_period	Allows the frequency of PSB packets to be specified.

		The PSB packet is a synchronization packet that provides a
		starting point for decoding or recovery from errors.

		Support for psb_period is indicated by:

			/sys/bus/event_source/devices/intel_pt/caps/psb_cyc

		which contains "1" if the feature is supported and "0"
		otherwise.

		Valid values are given by:

			/sys/bus/event_source/devices/intel_pt/caps/psb_periods

		which contains a hexadecimal value, the bits of which represent
		valid values e.g. bit 2 set means value 2 is valid.

		The psb_period value is converted to the approximate number of
		trace bytes between PSB packets as:

			2 ^ (value + 11)

		e.g. value 3 means 16KiB bytes between PSBs

		If an invalid value is entered, the error message
		will give a list of valid values e.g.

			$ perf record -e intel_pt/psb_period=15/u uname
			Invalid psb_period for intel_pt. Valid values are: 0-5

		If MTC packets are selected, the default config selects a value
		of 3 (i.e. psb_period=3) or the nearest lower value that is
		supported (0 is always supported).  Otherwise the default is 0.

		If decoding is expected to be reliable and the buffer is large
		then a large PSB period can be used.

		Because a TSC packet is produced with PSB, the PSB period can
		also affect the granularity to timing information in the absence
		of MTC or CYC.

mtc		Produces MTC timing packets.

		MTC packets provide finer grain timestamp information than TSC
		packets.  MTC packets record time using the hardware crystal
		clock (CTC) which is related to TSC packets using a TMA packet.

		Support for this feature is indicated by:

			/sys/bus/event_source/devices/intel_pt/caps/mtc

		which contains "1" if the feature is supported and
		"0" otherwise.

		The frequency of MTC packets can also be specified - see
		mtc_period below.

mtc_period	Specifies how frequently MTC packets are produced - see mtc
		above for how to determine if MTC packets are supported.

		Valid values are given by:

			/sys/bus/event_source/devices/intel_pt/caps/mtc_periods

		which contains a hexadecimal value, the bits of which represent
		valid values e.g. bit 2 set means value 2 is valid.

		The mtc_period value is converted to the MTC frequency as:

			CTC-frequency / (2 ^ value)

		e.g. value 3 means one eighth of CTC-frequency

		Where CTC is the hardware crystal clock, the frequency of which
		can be related to TSC via values provided in cpuid leaf 0x15.

		If an invalid value is entered, the error message
		will give a list of valid values e.g.

			$ perf record -e intel_pt/mtc_period=15/u uname
			Invalid mtc_period for intel_pt. Valid values are: 0,3,6,9

		The default value is 3 or the nearest lower value
		that is supported (0 is always supported).

cyc		Produces CYC timing packets.

		CYC packets provide even finer grain timestamp information than
		MTC and TSC packets.  A CYC packet contains the number of CPU
		cycles since the last CYC packet. Unlike MTC and TSC packets,
		CYC packets are only sent when another packet is also sent.

		Support for this feature is indicated by:

			/sys/bus/event_source/devices/intel_pt/caps/psb_cyc

		which contains "1" if the feature is supported and
		"0" otherwise.

		The number of CYC packets produced can be reduced by specifying
		a threshold - see cyc_thresh below.

cyc_thresh	Specifies how frequently CYC packets are produced - see cyc
		above for how to determine if CYC packets are supported.

		Valid cyc_thresh values are given by:

			/sys/bus/event_source/devices/intel_pt/caps/cycle_thresholds

		which contains a hexadecimal value, the bits of which represent
		valid values e.g. bit 2 set means value 2 is valid.

		The cyc_thresh value represents the minimum number of CPU cycles
		that must have passed before a CYC packet can be sent.  The
		number of CPU cycles is:

			2 ^ (value - 1)

		e.g. value 4 means 8 CPU cycles must pass before a CYC packet
		can be sent.  Note a CYC packet is still only sent when another
		packet is sent, not at, e.g. every 8 CPU cycles.

		If an invalid value is entered, the error message
		will give a list of valid values e.g.

			$ perf record -e intel_pt/cyc,cyc_thresh=15/u uname
			Invalid cyc_thresh for intel_pt. Valid values are: 0-12

		CYC packets are not requested by default.


new snapshot option
-------------------

The difference between full trace and snapshot from the kernel's perspective is
that in full trace we don't overwrite trace data that the user hasn't collected
yet (and indicated that by advancing aux_tail), whereas in snapshot mode we let
the trace run and overwrite older data in the buffer so that whenever something
interesting happens, we can stop it and grab a snapshot of what was going on
around that interesting moment.

To select snapshot mode a new option has been added:

	-S

Optionally it can be followed by the snapshot size e.g.

	-S0x100000

The default snapshot size is the auxtrace mmap size.  If neither auxtrace mmap size
nor snapshot size is specified, then the default is 4MiB for privileged users
(or if /proc/sys/kernel/perf_event_paranoid < 0), 128KiB for unprivileged users.
If an unprivileged user does not specify mmap pages, the mmap pages will be
reduced as described in the 'new auxtrace mmap size option' section below.

The snapshot size is displayed if the option -vv is used e.g.

	Intel PT snapshot size: %zu


new auxtrace mmap size option
---------------------------

Intel PT buffer size is specified by an addition to the -m option e.g.

	-m,16

selects a buffer size of 16 pages i.e. 64KiB.

Note that the existing functionality of -m is unchanged.  The auxtrace mmap size
is specified by the optional addition of a comma and the value.

The default auxtrace mmap size for Intel PT is 4MiB/page_size for privileged users
(or if /proc/sys/kernel/perf_event_paranoid < 0), 128KiB for unprivileged users.
If an unprivileged user does not specify mmap pages, the mmap pages will be
reduced from the default 512KiB/page_size to 256KiB/page_size, otherwise the
user is likely to get an error as they exceed their mlock limit (Max locked
memory as shown in /proc/self/limits).  Note that perf does not count the first
512KiB (actually /proc/sys/kernel/perf_event_mlock_kb minus 1 page) per cpu
against the mlock limit so an unprivileged user is allowed 512KiB per cpu plus
their mlock limit (which defaults to 64KiB but is not multiplied by the number
of cpus).

In full-trace mode, powers of two are allowed for buffer size, with a minimum
size of 2 pages.  In snapshot mode, it is the same but the minimum size is
1 page.

The mmap size and auxtrace mmap size are displayed if the -vv option is used e.g.

	mmap length 528384
	auxtrace mmap length 4198400


Intel PT modes of operation
---------------------------

Intel PT can be used in 2 modes:
	full-trace mode
	snapshot mode

Full-trace mode traces continuously e.g.

	perf record -e intel_pt//u uname

Snapshot mode captures the available data when a signal is sent e.g.

	perf record -v -e intel_pt//u -S ./loopy 1000000000 &
	[1] 11435
	kill -USR2 11435
	Recording AUX area tracing snapshot

Note that the signal sent is SIGUSR2.
Note that "Recording AUX area tracing snapshot" is displayed because the -v
option is used.

The 2 modes cannot be used together.


Buffer handling
---------------

There may be buffer limitations (i.e. single ToPa entry) which means that actual
buffer sizes are limited to powers of 2 up to 4MiB (MAX_ORDER).  In order to
provide other sizes, and in particular an arbitrarily large size, multiple
buffers are logically concatenated.  However an interrupt must be used to switch
between buffers.  That has two potential problems:
	a) the interrupt may not be handled in time so that the current buffer
	becomes full and some trace data is lost.
	b) the interrupts may slow the system and affect the performance
	results.

If trace data is lost, the driver sets 'truncated' in the PERF_RECORD_AUX event
which the tools report as an error.

In full-trace mode, the driver waits for data to be copied out before allowing
the (logical) buffer to wrap-around.  If data is not copied out quickly enough,
again 'truncated' is set in the PERF_RECORD_AUX event.  If the driver has to
wait, the intel_pt event gets disabled.  Because it is difficult to know when
that happens, perf tools always re-enable the intel_pt event after copying out
data.


Intel PT and build ids
----------------------

By default "perf record" post-processes the event stream to find all build ids
for executables for all addresses sampled.  Deliberately, Intel PT is not
decoded for that purpose (it would take too long).  Instead the build ids for
all executables encountered (due to mmap, comm or task events) are included
in the perf.data file.

To see buildids included in the perf.data file use the command:

	perf buildid-list

If the perf.data file contains Intel PT data, that is the same as:

	perf buildid-list --with-hits


Snapshot mode and event disabling
---------------------------------

In order to make a snapshot, the intel_pt event is disabled using an IOCTL,
namely PERF_EVENT_IOC_DISABLE.  However doing that can also disable the
collection of side-band information.  In order to prevent that,  a dummy
software event has been introduced that permits tracking events (like mmaps) to
continue to be recorded while intel_pt is disabled.  That is important to ensure
there is complete side-band information to allow the decoding of subsequent
snapshots.

A test has been created for that.  To find the test:

	perf test list
	...
	23: Test using a dummy software event to keep tracking

To run the test:

	perf test 23
	23: Test using a dummy software event to keep tracking     : Ok


perf record modes (nothing new here)
------------------------------------

perf record essentially operates in one of three modes:
	per thread
	per cpu
	workload only

"per thread" mode is selected by -t or by --per-thread (with -p or -u or just a
workload).
"per cpu" is selected by -C or -a.
"workload only" mode is selected by not using the other options but providing a
command to run (i.e. the workload).

In per-thread mode an exact list of threads is traced.  There is no inheritance.
Each thread has its own event buffer.

In per-cpu mode all processes (or processes from the selected cgroup i.e. -G
option, or processes selected with -p or -u) are traced.  Each cpu has its own
buffer. Inheritance is allowed.

In workload-only mode, the workload is traced but with per-cpu buffers.
Inheritance is allowed.  Note that you can now trace a workload in per-thread
mode by using the --per-thread option.


Privileged vs non-privileged users
----------------------------------

Unless /proc/sys/kernel/perf_event_paranoid is set to -1, unprivileged users
have memory limits imposed upon them.  That affects what buffer sizes they can
have as outlined above.

Unless /proc/sys/kernel/perf_event_paranoid is set to -1, unprivileged users are
not permitted to use tracepoints which means there is insufficient side-band
information to decode Intel PT in per-cpu mode, and potentially workload-only
mode too if the workload creates new processes.

Note also, that to use tracepoints, read-access to debugfs is required.  So if
debugfs is not mounted or the user does not have read-access, it will again not
be possible to decode Intel PT in per-cpu mode.


sched_switch tracepoint
-----------------------

The sched_switch tracepoint is used to provide side-band data for Intel PT
decoding.  sched_switch events are automatically added. e.g. the second event
shown below

	$ perf record -vv -e intel_pt//u uname
	------------------------------------------------------------
	perf_event_attr:
	type                             6
	size                             112
	config                           0x400
	{ sample_period, sample_freq }   1
	sample_type                      IP|TID|TIME|CPU|IDENTIFIER
	read_format                      ID
	disabled                         1
	inherit                          1
	exclude_kernel                   1
	exclude_hv                       1
	enable_on_exec                   1
	sample_id_all                    1
	------------------------------------------------------------
	sys_perf_event_open: pid 31104  cpu 0  group_fd -1  flags 0x8
	sys_perf_event_open: pid 31104  cpu 1  group_fd -1  flags 0x8
	sys_perf_event_open: pid 31104  cpu 2  group_fd -1  flags 0x8
	sys_perf_event_open: pid 31104  cpu 3  group_fd -1  flags 0x8
	------------------------------------------------------------
	perf_event_attr:
	type                             2
	size                             112
	config                           0x108
	{ sample_period, sample_freq }   1
	sample_type                      IP|TID|TIME|CPU|PERIOD|RAW|IDENTIFIER
	read_format                      ID
	inherit                          1
	sample_id_all                    1
	exclude_guest                    1
	------------------------------------------------------------
	sys_perf_event_open: pid -1  cpu 0  group_fd -1  flags 0x8
	sys_perf_event_open: pid -1  cpu 1  group_fd -1  flags 0x8
	sys_perf_event_open: pid -1  cpu 2  group_fd -1  flags 0x8
	sys_perf_event_open: pid -1  cpu 3  group_fd -1  flags 0x8
	------------------------------------------------------------
	perf_event_attr:
	type                             1
	size                             112
	config                           0x9
	{ sample_period, sample_freq }   1
	sample_type                      IP|TID|TIME|IDENTIFIER
	read_format                      ID
	disabled                         1
	inherit                          1
	exclude_kernel                   1
	exclude_hv                       1
	mmap                             1
	comm                             1
	enable_on_exec                   1
	task                             1
	sample_id_all                    1
	mmap2                            1
	comm_exec                        1
	------------------------------------------------------------
	sys_perf_event_open: pid 31104  cpu 0  group_fd -1  flags 0x8
	sys_perf_event_open: pid 31104  cpu 1  group_fd -1  flags 0x8
	sys_perf_event_open: pid 31104  cpu 2  group_fd -1  flags 0x8
	sys_perf_event_open: pid 31104  cpu 3  group_fd -1  flags 0x8
	mmap size 528384B
	AUX area mmap length 4194304
	perf event ring buffer mmapped per cpu
	Synthesizing auxtrace information
	Linux
	[ perf record: Woken up 1 times to write data ]
	[ perf record: Captured and wrote 0.042 MB perf.data ]

Note, the sched_switch event is only added if the user is permitted to use it
and only in per-cpu mode.

Note also, the sched_switch event is only added if TSC packets are requested.
That is because, in the absence of timing information, the sched_switch events
cannot be matched against the Intel PT trace.


perf script
===========

By default, perf script will decode trace data found in the perf.data file.
This can be further controlled by new option --itrace.


New --itrace option
-------------------

Having no option is the same as

	--itrace

which, in turn, is the same as

	--itrace=ibxe

The letters are:

	i	synthesize "instructions" events
	b	synthesize "branches" events
	x	synthesize "transactions" events
	c	synthesize branches events (calls only)
	r	synthesize branches events (returns only)
	e	synthesize tracing error events
	d	create a debug log
	g	synthesize a call chain (use with i or x)

"Instructions" events look like they were recorded by "perf record -e
instructions".

"Branches" events look like they were recorded by "perf record -e branches". "c"
and "r" can be combined to get calls and returns.

"Transactions" events correspond to the start or end of transactions. The
'flags' field can be used in perf script to determine whether the event is a
tranasaction start, commit or abort.

Error events are new.  They show where the decoder lost the trace.  Error events
are quite important.  Users must know if what they are seeing is a complete
picture or not.

The "d" option will cause the creation of a file "intel_pt.log" containing all
decoded packets and instructions.  Note that this option slows down the decoder
and that the resulting file may be very large.

In addition, the period of the "instructions" event can be specified. e.g.

	--itrace=i10us

sets the period to 10us i.e. one  instruction sample is synthesized for each 10
microseconds of trace.  Alternatives to "us" are "ms" (milliseconds),
"ns" (nanoseconds), "t" (TSC ticks) or "i" (instructions).

"ms", "us" and "ns" are converted to TSC ticks.

The timing information included with Intel PT does not give the time of every
instruction.  Consequently, for the purpose of sampling, the decoder estimates
the time since the last timing packet based on 1 tick per instruction.  The time
on the sample is *not* adjusted and reflects the last known value of TSC.

For Intel PT, the default period is 100us.

Also the call chain size (default 16, max. 1024) for instructions or
transactions events can be specified. e.g.

	--itrace=ig32
	--itrace=xg32

To disable trace decoding entirely, use the option --no-itrace.


dump option
-----------

perf script has an option (-D) to "dump" the events i.e. display the binary
data.

When -D is used, Intel PT packets are displayed.  The packet decoder does not
pay attention to PSB packets, but just decodes the bytes - so the packets seen
by the actual decoder may not be identical in places where the data is corrupt.
One example of that would be when the buffer-switching interrupt has been too
slow, and the buffer has been filled completely.  In that case, the last packet
in the buffer might be truncated and immediately followed by a PSB as the trace
continues in the next buffer.

To disable the display of Intel PT packets, combine the -D option with
--no-itrace.


perf report
===========

By default, perf report will decode trace data found in the perf.data file.
This can be further controlled by new option --itrace exactly the same as
perf script, with the exception that the default is --itrace=igxe.


perf inject
===========

perf inject also accepts the --itrace option in which case tracing data is
removed and replaced with the synthesized events. e.g.

	perf inject --itrace -i perf.data -o perf.data.new