ARM MTE stack sanitizer.

[android-x86/external-llvm.git] / docs / XRayFDRFormat.rst

======================================
XRay Flight Data Recorder Trace Format
======================================

:Version: 1 as of 2017-07-20

.. contents::
   :local:


Introduction
============

When gathering XRay traces in Flight Data Recorder mode, each thread of an
application will claim buffers to fill with trace data, which at some point
is finalized and flushed.

A goal of the profiler is to minimize overhead, the flushed data directly
corresponds to the buffer.

This document describes the format of a trace file.


General
=======

Each trace file corresponds to a sequence of events in a particular thread.

The file has a header followed by a sequence of discriminated record types.

The endianness of byte fields matches the endianess of the platform which
produced the trace file.


Header Section
==============

A trace file begins with a 32 byte header.

+-------------------+-----------------+----------------------------------------+
| Field             | Size (bytes)    | Description                            |
+===================+=================+========================================+
| version           | ``2``           | Anticipates versioned  readers. This   |
|                   |                 | document describes the format when     |
|                   |                 | version == 1                           |
+-------------------+-----------------+----------------------------------------+
| type              | ``2``           | An enumeration encoding the type of    |
|                   |                 | trace. Flight Data Recorder mode       |
|                   |                 | traces have type == 1                  |
+-------------------+-----------------+----------------------------------------+
| bitfield          | ``4``           | Holds parameters that are not aligned  |
|                   |                 | to bytes. Further described below.     |
+-------------------+-----------------+----------------------------------------+
| cycle_frequency   | ``8``           | The frequency in hertz of the CPU      |
|                   |                 | oscillator used to measure duration of |
|                   |                 | events in ticks.                       |
+-------------------+-----------------+----------------------------------------+
| buffer_size       | ``8``           | The size in bytes of the data portion  |
|                   |                 | of the trace following the header.     |
+-------------------+-----------------+----------------------------------------+
| reserved          | ``8``           | Reserved for future use.               |
+-------------------+-----------------+----------------------------------------+

The bitfield parameter of the file header is composed of the following fields.

+-------------------+----------------+-----------------------------------------+
| Field             | Size (bits)    | Description                             |
+===================+================+=========================================+
| constant_tsc      | ``1``          | Whether the platform's timestamp        |
|                   |                | counter used to record ticks between    |
|                   |                | events ticks at a constant frequency    |
|                   |                | despite CPU frequency changes.          |
|                   |                | 0 == non-constant. 1 == constant.       |
+-------------------+----------------+-----------------------------------------+
| nonstop_tsc       | ``1``          | Whether the tsc continues to count      |
|                   |                | despite whether the CPU is in a low     |
|                   |                | power state. 0 == stop. 1 == non-stop.  |
+-------------------+----------------+-----------------------------------------+
| reserved          | ``30``         | Not meaningful.                         |
+-------------------+----------------+-----------------------------------------+


Data Section
============

Following the header in a trace is a data section with size matching the
buffer_size field in the header.

The data section is a stream of elements of different types.

There are a few categories of data in the sequence.

- ``Function Records``: Function Records contain the timing of entry into and
  exit from function execution. Function Records have 8 bytes each.

- ``Metadata Records``: Metadata records serve many purposes. Mostly, they
  capture information that may be too costly to record for each function, but
  that is required to contextualize the fine-grained timings. They also are used
  as markers for user-defined Event Data payloads. Metadata records have 16
  bytes each.

- ``Event Data``: Free form data may be associated with events that are traced
  by the binary and encode data defined by a handler function. Event data is
  always preceded with a marker record which indicates how large it is.

- ``Function Arguments``: The arguments to some functions are included in the
  trace. These are either pointer addresses or primitives that are read and
  logged independently of their types in a high level language. To the tracer,
  they are all numbers. Function Records that have attached arguments will
  indicate their presence on the function entry record. We only support logging
  contiguous function argument sequences starting with argument zero, which will
  be the "this" pointer for member function invocations. For example, we don't
  support logging the first and third argument.

A reader of the memory format must maintain a state machine. The format makes no
attempt to pad for alignment, and it is not seekable.


Function Records
----------------

Function Records have an 8 byte layout. This layout encodes information to
reconstruct a call stack of instrumented function and their durations.

+---------------+--------------+-----------------------------------------------+
| Field         | Size (bits)  | Description                                   |
+===============+==============+===============================================+
| discriminant  | ``1``        | Indicates whether a reader should read a      |
|               |              | Function or Metadata record. Set to ``0`` for |
|               |              | Function records.                             |
+---------------+--------------+-----------------------------------------------+
| action        | ``3``        | Specifies whether the function is being       |
|               |              | entered, exited, or is a non-standard entry   |
|               |              | or exit produced by optimizations.            |
+---------------+--------------+-----------------------------------------------+
| function_id   | ``28``       | A numeric ID for the function. Resolved to a  |
|               |              | name via the xray instrumentation map. The    |
|               |              | instrumentation map is built by xray at       |
|               |              | compile time into an object file and pairs    |
|               |              | the function ids to addresses. It is used for |
|               |              | patching and as a lookup into the binary's    |
|               |              | symbols to obtain names.                      |
+---------------+--------------+-----------------------------------------------+
| tsc_delta     | ``32``       | The number of ticks of the timestamp counter  |
|               |              | since a previous record recorded a delta or   |
|               |              | other TSC resetting event.                    |
+---------------+--------------+-----------------------------------------------+

On little-endian machines, the bitfields are ordered from least significant bit
bit to most significant bit. A reader can read an 8 bit value and apply the mask
``0x01`` for the discriminant. Similarly, they can read 32 bits and unsigned
shift right by ``0x04`` to obtain the function_id field.

On big-endian machine, the bitfields are written in order from most significant
bit to least significant bit. A reader would read an 8 bit value and unsigned
shift right by 7 bits for the discriminant. The function_id field could be
obtained by reading a 32 bit value and applying the mask ``0x0FFFFFFF``.

Function action types are as follows.

+---------------+--------------+-----------------------------------------------+
| Type          | Number       | Description                                   |
+===============+==============+===============================================+
| Entry         | ``0``        | Typical function entry.                       |
+---------------+--------------+-----------------------------------------------+
| Exit          | ``1``        | Typical function exit.                        |
+---------------+--------------+-----------------------------------------------+
| Tail_Exit     | ``2``        | An exit from a function due to tail call      |
|               |              | optimization.                                 |
+---------------+--------------+-----------------------------------------------+
| Entry_Args    | ``3``        | A function entry that records arguments.      |
+---------------+--------------+-----------------------------------------------+

Entry_Args records do not contain the arguments themselves. Instead, metadata
records for each of the logged args follow the function record in the stream.


Metadata Records
----------------

Interspersed throughout the buffer are 16 byte Metadata records. For typically
instrumented binaries, they will be sparser than Function records, and they
provide a fuller picture of the binary execution state.

Metadata record layout is partially record dependent, but they share a common
structure.

The same bit field rules described for function records apply to the first byte
of MetadataRecords. Within this byte, little endian machines use lsb to msb
ordering and big endian machines use msb to lsb ordering.

+---------------+--------------+-----------------------------------------------+
| Field         | Size         | Description                                   |
+===============+==============+===============================================+
| discriminant  | ``1 bit``    | Indicates whether a reader should read a      |
|               |              | Function or Metadata record. Set to ``1`` for |
|               |              | Metadata records.                             |
+---------------+--------------+-----------------------------------------------+
| record_kind   | ``7 bits``   | The type of Metadata record.                  |
+---------------+--------------+-----------------------------------------------+
| data          | ``15 bytes`` | A data field used differently for each record |
|               |              | type.                                         |
+---------------+--------------+-----------------------------------------------+

Here is a table of the enumerated record kinds.

+--------+---------------------------+
| Number | Type                      |
+========+===========================+
| 0      | NewBuffer                 |
+--------+---------------------------+
| 1      | EndOfBuffer               |
+--------+---------------------------+
| 2      | NewCPUId                  |
+--------+---------------------------+
| 3      | TSCWrap                   |
+--------+---------------------------+
| 4      | WallTimeMarker            |
+--------+---------------------------+
| 5      | CustomEventMarker         |
+--------+---------------------------+
| 6      | CallArgument              |
+--------+---------------------------+


NewBuffer Records
-----------------

Each buffer begins with a NewBuffer record immediately after the header.
It records the thread ID of the thread that the trace belongs to.

Its data segment is as follows.

+---------------+--------------+-----------------------------------------------+
| Field         | Size (bytes) | Description                                   |
+===============+==============+===============================================+
| thread_Id     | ``2``        | Thread ID for buffer.                         |
+---------------+--------------+-----------------------------------------------+
| reserved      | ``13``       | Unused.                                       |
+---------------+--------------+-----------------------------------------------+


WallClockTime Records
---------------------

Following the NewBuffer record, each buffer records an absolute time as a frame
of reference for the durations recorded by timestamp counter deltas.

Its data segment is as follows.

+---------------+--------------+-----------------------------------------------+
| Field         | Size (bytes) | Description                                   |
+===============+==============+===============================================+
| seconds       | ``8``        | Seconds on absolute timescale. The starting   |
|               |              | point is unspecified and depends on the       |
|               |              | implementation and platform configured by the |
|               |              | tracer.                                       |
+---------------+--------------+-----------------------------------------------+
| microseconds  | ``4``        | The microsecond component of the time.        |
+---------------+--------------+-----------------------------------------------+
| reserved      | ``3``        | Unused.                                       |
+---------------+--------------+-----------------------------------------------+


NewCpuId Records
----------------

Each function entry invokes a routine to determine what CPU is executing.
Typically, this is done with readtscp, which reads the timestamp counter at the
same time.

If the tracing detects that the execution has switched CPUs or if this is the
first instrumented entry point, the tracer will output a NewCpuId record.

Its data segment is as follows.

+---------------+--------------+-----------------------------------------------+
| Field         | Size (bytes) | Description                                   |
+===============+==============+===============================================+
| cpu_id        | ``2``        | CPU Id.                                       |
+---------------+--------------+-----------------------------------------------+
| absolute_tsc  | ``8``        | The absolute value of the timestamp counter.  |
+---------------+--------------+-----------------------------------------------+
| reserved      | ``5``        | Unused.                                       |
+---------------+--------------+-----------------------------------------------+


TSCWrap Records
---------------

Since each function record uses a 32 bit value to represent the number of ticks
of the timestamp counter since the last reference, it is possible for this value
to overflow, particularly for sparsely instrumented binaries.

When this delta would not fit into a 32 bit representation, a reference absolute
timestamp counter record is written in the form of a TSCWrap record.

Its data segment is as follows.

+---------------+--------------+-----------------------------------------------+
| Field         | Size (bytes) | Description                                   |
+===============+==============+===============================================+
| absolute_tsc  | ``8``        | Timestamp counter value.                      |
+---------------+--------------+-----------------------------------------------+
| reserved      | ``7``        | Unused.                                       |
+---------------+--------------+-----------------------------------------------+


CallArgument Records
--------------------

Immediately following an Entry_Args type function record, there may be one or
more CallArgument records that contain the traced function's parameter values.

The order of the CallArgument Record sequency corresponds one to one with the
order of the function parameters.

CallArgument data segment:

+---------------+--------------+-----------------------------------------------+
| Field         | Size (bytes) | Description                                   |
+===============+==============+===============================================+
| argument      | ``8``        | Numeric argument (may be pointer address).    |
+---------------+--------------+-----------------------------------------------+
| reserved      | ``7``        | Unused.                                       |
+---------------+--------------+-----------------------------------------------+


CustomEventMarker Records
-------------------------

XRay provides the feature of logging custom events. This may be leveraged to
record tracing info for RPCs or similarly trace data that is application
specific.

Custom Events themselves are an unstructured (application defined) segment of
memory with arbitrary size within the buffer. They are preceded by
CustomEventMarkers to indicate their presence and size.

CustomEventMarker data segment:

+---------------+--------------+-----------------------------------------------+
| Field         | Size (bytes) | Description                                   |
+===============+==============+===============================================+
| event_size    | ``4``        | Size of preceded event.                       |
+---------------+--------------+-----------------------------------------------+
| absolute_tsc  | ``8``        | A timestamp counter of the event.             |
+---------------+--------------+-----------------------------------------------+
| reserved      | ``3``        | Unused.                                       |
+---------------+--------------+-----------------------------------------------+


EndOfBuffer Records
-------------------

An EndOfBuffer record type indicates that there is no more trace data in this
buffer. The reader is expected to seek past the remaining buffer_size expressed
before the start of buffer and look for either another header or EOF.


Format Grammar and Invariants
=============================

Not all sequences of Metadata records and Function records are valid data. A
sequence should be parsed as a state machine. The expectations for a valid
format can be expressed as a context free grammar.

This is an attempt to explain the format with statements in EBNF format.

- Format := Header ThreadBuffer* EOF

- ThreadBuffer := NewBuffer WallClockTime NewCPUId BodySequence* End

- BodySequence := NewCPUId | TSCWrap | Function | CustomEvent

- Function := (Function_Entry_Args CallArgument*) | Function_Other_Type

- CustomEvent := CustomEventMarker CustomEventUnstructuredMemory

- End := EndOfBuffer RemainingBufferSizeToSkip


Function Record Order
---------------------

There are a few clarifications that may help understand what is expected of
Function records.

- Functions with an Exit are expected to have a corresponding Entry or
  Entry_Args function record precede them in the trace.

- Tail_Exit Function records record the Function ID of the function whose return
  address the program counter will take. In other words, the final function that
  would be popped off of the call stack if tail call optimization was not used.

- Not all functions marked for instrumentation are necessarily in the trace. The
  tracer uses heuristics to preserve the trace for non-trivial functions.

- Not every entry must have a traced Exit or Tail Exit. The buffer may run out
  of space or the program may request for the tracer to finalize toreturn the
  buffer before an instrumented function exits.