The previous blog post on how to trace Firefox IO using bpftrace via the official page_fault_user tracepoint left me a bit unsatisfied with how complicated it turned out. Complexity has the potential to be error-prone, and the syscall-tracing dependency makes it impossible to trace IO within the main executable.
I decided to try to reimplement the trace using my old approach of tracing ext4 functions that handle page faults. This turned out to be much more robust. This is now documented on my GitHub. It’s ugly in that it’s dependent on internal kernel structures, but it catches 100% of the IO and requires no post-trace syscall-correlation/fudging.
So far I’m super happy with the possibilities that eBPF/bpftrace opens up for kernel tracing. Hoping to try user-space tracing next.