Printf debugging evolved — Real-time tracing without stopping your application.
GhostScope is a runtime tracing tool that brings the simplicity of printf debugging to production systems.
"The most effective debugging tool is still careful thought, coupled with judiciously placed print statements." — Brian Kernighan
Imagine navigating a vast, uncharted forest of binary data — memory addresses, register values, stack frames — all meaningless numbers without context. DWARF debug information is our map: it tells us that stack address RSP-0x18 stores local variable count, heap address 0x5621a8c0 is a user object with string pointer user.name at offset +0x20; it tracks where each variable lives throughout program execution — parameter x is in register RDI now but will move to stack offset RSP-0x10 later.
With this map in hand, GhostScope leverages eBPF and uprobe technology to safely extract binary data from any instruction point in your running program. The combination is powerful: DWARF reveals the meaning of every byte in the process's virtual address space, while eBPF safely retrieves exactly what we need. The result? You can print variable values (local or global), function arguments, complex data structures, even stack backtraces from any point in your program — all without stopping or modifying it.
GhostScope transforms compiled binaries into observable systems. Place trace points at function entries, specific source lines, or anywhere in between. Print local variables, global variables, function parameters, complex nested structures, even stack backtraces. All with the simplicity of printf debugging, but the power of modern tracing.
The demo below shows GhostScope tracing an nginx worker process with debug information. You can see how GhostScope supports conditional logic, easily extracts information from complex data structures, and operates without disrupting the process.
Real-time tracing of a running nginx worker process
Zero Overhead One context switch + eBPF execution |
Real-Time Tracing Live trace streaming |
DWARF-Aware Full debug info support |
Built with Rust Memory safe & blazing fast |
GhostScope is currently in early development and under active iteration. While we strive for data accuracy, trace information may be incorrect or incomplete in certain scenarios, primarily due to unsupported features.
Recommendation: Use GhostScope's collected data as an auxiliary reference for troubleshooting, not as the sole source of truth. Cross-validate with other debugging tools before making critical decisions.
We are continuously improving stability and accuracy, and look forward to removing this disclaimer in future versions.
|
|
|
We welcome contributions! Whether it's bug reports, feature requests, documentation improvements, or code contributions, we appreciate your help in making GhostScope better.
Please see our Contributing Guide for:
- Code of Conduct
- Development workflow
- Coding standards
- How to submit pull requests
GhostScope is licensed under the GNU General Public License.
Built with amazing open source projects:
- Aya - eBPF library for Rust (using its loader functionality)
- LLVM - Compiler infrastructure
- Inkwell - Safe LLVM bindings for Rust
- Gimli - DWARF parser
- Ratatui - Terminal UI framework
- Tokio - Async runtime
- Pest - PEG parser generator
Inspired by and learned from:
- GDB - DWARF parsing optimizations
- bpftrace - eBPF tracing techniques
- cgdb - TUI design and user experience
Special thanks to these excellent resources that taught us a lot:
Blog Posts:
Books: