Kernel Function Instrumentation

- NOTE: ''KFI has been renamed to KFT (Kernel Function Trace) starting with the patches for kernel version 2.6.12. If you are using a recent kernel, version 2.6.12 or later, please see the KernelFunctionTrace page insteadof this one.''

Introduction
Kernel Function Instrumentation (KFI) is a kernel function tracing system, which uses the "-finstrument-functions" capability of the gcc compiler to add instrumentation callouts to every function entry and exit. The KFI system provides for capturing these callouts and generating a trace of events, with timing details. KFI is excellent at providing a good timing overview of kernel procedures, allowing you to see where time is spent in functions and sub-routines in the kernel.

The main mode of operation with KFI is to use the system with a dynamic trace configuration. That is, you can set a trace configuration after kernel startup, using the  interface, and retrieve trace data immediately. However, another (special) mode of operation is available, called STATIC_RUN mode, where the configuration for a KFI run is configured and compiled statically into the kernel. This mode is useful for getting a trace of kernel operation during system bootup (before user space is running).

The KFI configuration lets you specify how to automatically start and stop a trace, whether to include interrupts as part of the trace, and whether to filter the trace data by various criteria (for minimum function duration, only certain listed functions, etc.) KFI trace data is retrieved by reading from   after the trace is complete.

Tools are supplied to convert numeric trace data to kernel symbols, and to process and analyze the data in a KFI trace.

Basic Use
Documentation for KFI is available (as of 2.6.11) in Documentation/kfi.txt, after applying the kfi-2.patch.

Here's a presentation about KFI usage:
 * attachment:omap-serial_init.trace.txt - Sample trace used with presentation
 * attachment:omap-serial_init.trace.txt - Sample trace used with presentation

For prior releases of KFI, see ["KFIDocs"]

Patches

 * Patch for CELF kernel (based on linux-2.4.20): attachment:kfi-24-test4.patch
 * Patch for Linux 2.6.7 (for x86 only): attachment:kfi-26-test1.patch
 * Patch for Linux 2.6.8.1: see the PatchArchive page
 * Patch for Linux 2.6.11: see the PatchArchive page (or just download attachment:kfi-2.patch)

KFI utilities

 * User-space programs: attachment:kfi-0.8.tar.gz (for KFI version 1)

For KFI version 2 and above, the only user-space programs are scripts, which are now located in the kernel  directory:
 * addr2sym - script to convert function addresses to symbols in the trace data
 * kd - kfi dump - does filtering, sorting, and analysis of KFI trace logs

See Documentation/kfi.txt for instructions on using these programs.

How To Use

 * download both the patch
 * apply the patch in the kernel top-level directory:
 * patch -p1 <kfi-2.patch
 * read the rest of the instructions in the Documentation/kfi.txt file. (my apologies for being lazy!)

Adding platform support for the kfi clock source
The current patch (from Sep 2004), uses sched_clock as the clock source for kfi_readclock. sched_clock is new in the 2.6 kernel, and returns a 64-bit value containing nanoseconds (not necessarily relative to any particular time base, but assumed to be monotonically increasing, and relatively frequency-stable.)

If your platform has good support for sched_clock, then KFI should work for you unmodified. If not, you may wish to do one of two things:
 * improve support for sched_clock in your board port, or
 * write a custom kfi_readclock routine.

A "good" sched_clock routine will provide at least microsecond resolution on return values. Some architectures have sched_clock returning values based on the  variable, which on many embedded platforms only has resolution to 10 milliseconds.

There are some sample custom kfi_readclock routines in the current patch (one for x86 using the TSC, and one for PPC using the TBU.

Issues
Here is a list of things that need more work:
 * may need to add noinstrument attributes for some time-critical code (need to check this)
 * maybe can check "Function Trace in KDB" patch for help with this
 * would like a tutorial on the configuration language for defining a tracing run
 * documentation needs lots of work
 * should especially document how to do a dynamic trace

Overhead
Mitsubishi measured the overhead of KFI. The period is from start_kernel to smp_init. Platform was: SH7751R 240MHz (Memory Clock 80MHz)

Similar technologies
There are other technologies for doing call traces or kernel profiling that are similar to KFI. Some of these are mentioned on the KernelInstrumentation page.

One that is very similar is a kernel trace mechanism for use with KDB. A patch was posted to LKML in January of 2002. See the message: http://www.uwsg.iu.edu/hypermail/linux/kernel/0201.3/0888.html

Filter Q&A
Tim asked the question:

Q. Is there a way to adjust the trigger or filters to reduce the memory usage?

A. Todd Poynor from MontaVista answered:

The above filters out only those routines that take less than 1 microsecond. We usually are not interested in routines that execute so quickly, and instead use something like "filter mintime 500" to filter out routines taking less than 500 microseconds.

I didn't track down the original log file being discussed, but if the "quiet" command line parameter wasn't used then even a 500us filter may include a lot of calls for serial console printks.

The filters don't affect memory usage so far as I understand. You can set the amount of memory used for a static run by specifying "logsize ", where  is the number of entries, in kfistatic.conf.

Q. Is it possible to specifically omit certain routines with a filter.

A. I believe there's a filter for including only certain routines (rather than excluding certain routines). It shouldn't normally be necessary, but if there's a routine that matches the time filtering suggested above and is called so often as to be a problem, then adding attribute "__noinstrument" to the function definition and recompiling will exclude it; see drivers/char/kfi.c for an example.

Sample results
Here is an excerpt from a KFI log trace (processed with addr2sym). It shows all functions which lasted longer than 500 microseconds, from when the kernel entered start_kernel to when it entered to_userspace.

kfi log output (excerpt)
The log is attached here: attachment:kfiboot-9.lst

A Delta value of 0 usually means the exit from the routine was not seen.

kfi log analysis with 'kd'
Below is a  dump of the data from the above log.

For the purpose of finding areas of big time in the kernel, the functions with high "Local" time are important. For example,  is called 156 times, resulting in 619 milliseconds of duration. Other time-consuming routines were:,  ,.

The top line showing schedule called 192 times and lasting over 5 seconds, is accounted wrong due to the switch in execution control inside the schedule routine. (The count of 192 calls is correct, but the duration is wrong.)