RubyGems - rbbcc - Versions diffs - 0.11.4 → 0.11.5 - Mend

rbbcc 0.11.4 → 0.11.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4f674b42de394618b5c86e8b57a5d0edbf3132310eb11547f789ce098baa0f2
-  data.tar.gz: a0d5a695da3347a3ad3752c650436f8f96386db7231c724b5f2af428383d60e9
+  metadata.gz: 4757d8938ba54c8aaab6d26a1d8cf824c325b8591130d1cf65ee13c0e411e99f
+  data.tar.gz: e41edc20c58336f5aa3e1670f2f001a9cdc829291a8bd63ab53d309790b81f5c
 SHA512:
-  metadata.gz: '069947eb933d84024ba9b951fb8ca08768947bf13ce88b40b3d3dba1f99adc66dcb7e1a5c45deb7cddc4d28e476eddb877454e4e61b15a8ff1f85b2299bc0657'
-  data.tar.gz: 0bba44088c66da0893a64e34e238e94c951c676838604ba43ad019f37bdcbae9b4eb586173e11e8f1919fd691334349155c9325ff98e634282afcb7c712c2ca4
+  metadata.gz: 43cb1ba2fa891fc6fd970b5a48b45c28d9fff967e25ef02ed5cb7b09ddc96a91dc0e4740dbc59b9bc78f312613b76f6b7f68de9ee41bf860caddf1fb0a948c15
+  data.tar.gz: e6e8321874553ba7df4f0529477d6bea3a35f4956b704bd32bfeb409d7f43a1a59f4f9484619891e1351ed278eee42c4edda7a17d176c3b911e4c5a1dee5716a

data/.gitignore CHANGED Viewed

@@ -7,6 +7,8 @@
 /pkg/
 /spec/reports/
 /tmp/
+/.agent
+/.claude
 .ruby-version

data/Gemfile CHANGED Viewed

@@ -7,6 +7,7 @@ gem "bundler", "~> 2.0"
 gem "rake", "~> 13.0"
 gem "pry", "~> 0.12"
 gem "minitest", "~> 5"
+gem "http-2", "~> 1.1"
 #group :omnibus_package do
 #  gem "appbundler"

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rbbcc (0.11.4)
+    rbbcc (0.11.5)
       fiddle
 GEM
@@ -9,6 +9,7 @@ GEM
   specs:
     coderay (1.1.3)
     fiddle (1.1.8)
+    http-2 (1.1.3)
     io-console (0.8.2)
     method_source (1.1.0)
     minitest (5.27.0)
@@ -28,6 +29,7 @@ PLATFORMS
 DEPENDENCIES
   bundler (~> 2.0)
+  http-2 (~> 1.1)
   minitest (~> 5)
   pry (~> 0.12)
   rake (~> 13.0)

data/examples/ssl_http_trace.rb ADDED Viewed

@@ -0,0 +1,274 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+require "rbbcc"
+include RbBCC
+begin
+  require "http/2"
+rescue LoadError
+  # Fallback for local vendor source
+  local_http2_lib = File.expand_path("../.agent/sources/http-2/lib", __dir__)
+  $LOAD_PATH.unshift(local_http2_lib) unless $LOAD_PATH.include?(local_http2_lib)
+  require "http/2"
+end
+FRAME_TYPE_NAMES = {
+  0x0 => "DATA",
+  0x1 => "HEADERS",
+  0x2 => "PRIORITY",
+  0x3 => "RST_STREAM",
+  0x4 => "SETTINGS",
+  0x5 => "PUSH_PROMISE",
+  0x6 => "PING",
+  0x7 => "GOAWAY",
+  0x8 => "WINDOW_UPDATE",
+  0x9 => "CONTINUATION"
+}.freeze
+HTTP2_PREFACE = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n".b
+HTTP1_METHODS = %w[GET POST PUT PATCH DELETE HEAD OPTIONS TRACE CONNECT].freeze
+BPF_TEXT = <<~BPF
+  #include <uapi/linux/ptrace.h>
+  #define MAX_PAYLOAD_SIZE 1024
+  struct event_t {
+      u32 pid;
+      char event_name[8];
+      unsigned char payload[MAX_PAYLOAD_SIZE];
+      u32 data_len;
+      s32 read_ret;
+  };
+  BPF_RINGBUF_OUTPUT(events, 256);
+  int trace_ssl_write(struct pt_regs *ctx) {
+      u32 tgid = bpf_get_current_pid_tgid() >> 32;
+      const char *user_buf = (const char *)PT_REGS_PARM2(ctx);
+      u64 num = (u64)PT_REGS_PARM3(ctx);
+      if (!user_buf || num <= 0) return 0;
+      struct event_t *event = events.ringbuf_reserve(sizeof(struct event_t));
+      if (!event) return 0;
+      event->pid = tgid;
+      __builtin_memcpy(event->event_name, "ssl_w", 6);
+      u32 len = num > MAX_PAYLOAD_SIZE ? MAX_PAYLOAD_SIZE : (u32)num;
+      event->data_len = len;
+      event->read_ret = bpf_probe_read_user(event->payload, len, user_buf);
+      if (event->read_ret < 0) {
+          event->data_len = 0;
+      }
+      events.ringbuf_submit(event, 0);
+      return 0;
+  }
+BPF
+def hex_ascii_dump(payload, width: 16)
+  lines = []
+  payload.bytes.each_slice(width).with_index do |slice, idx|
+    offset = idx * width
+    hex = slice.map { |b| "%02x" % b }.join(" ")
+    ascii = slice.map { |b| b >= 32 && b <= 126 ? b.chr : "." }.join
+    lines << format("%04x  %-#{width * 3 - 1}s  %s", offset, hex, ascii)
+  end
+  lines.join("\n")
+end
+def payload_from_event(event)
+  raw = event.payload
+  bytes = case raw
+          when String
+            raw.b
+          when Array
+            raw.map { |v| v & 0xff }.pack("C*")
+          else
+            if raw.respond_to?(:to_a)
+              raw.to_a.map { |v| v & 0xff }.pack("C*")
+            else
+              raw.to_s.b
+            end
+          end
+  len = [event.data_len.to_i, bytes.bytesize].min
+  bytes.byteslice(0, len) || "".b
+end
+def parse_http2_frames(payload)
+  frames = []
+  i = 0
+  total = payload.bytesize
+  while i + 9 <= total
+    length_bytes = payload.byteslice(i, 3).bytes
+    length = (length_bytes[0] << 16) | (length_bytes[1] << 8) | length_bytes[2]
+    frame_type = payload.getbyte(i + 3)
+    flags = payload.getbyte(i + 4)
+    stream_id = payload.byteslice(i + 5, 4).unpack1("N") & 0x7fff_ffff
+    i += 9
+    break if i + length > total
+    frame_payload = payload.byteslice(i, length)
+    i += length
+    frames << [frame_type, flags, stream_id, frame_payload]
+  end
+  frames
+end
+def extract_headers_fragment(frame_type, flags, frame_payload)
+  return frame_payload if frame_type == 0x9 # CONTINUATION
+  return nil unless frame_type == 0x1 # HEADERS only
+  start_idx = 0
+  end_idx = frame_payload.bytesize
+  if (flags & 0x08) != 0 # PADDED
+    return nil if end_idx.zero?
+    pad_len = frame_payload.getbyte(0)
+    start_idx += 1
+    end_idx = [start_idx, end_idx - pad_len].max
+  end
+  if (flags & 0x20) != 0 # PRIORITY
+    return nil if start_idx + 5 > end_idx
+    start_idx += 5
+  end
+  frame_payload.byteslice(start_idx, end_idx - start_idx) || "".b
+end
+def decode_pseudo_headers_with_hpack(header_block, decompressor)
+  pairs = decompressor.decode(header_block.b)
+  pseudo = {}
+  pairs.each do |k, v|
+    pseudo[k] = v
+  end
+  pseudo
+rescue StandardError => e
+  { ":error" => e.message }
+end
+def maybe_http1_summary(payload)
+  text = payload.force_encoding(Encoding::UTF_8)
+  first_line = text.split("\r\n", 2).first
+  return nil if first_line.nil? || first_line.empty?
+  if HTTP1_METHODS.any? { |m| first_line.start_with?("#{m} ") }
+    return ["request", first_line]
+  end
+  if first_line.start_with?("HTTP/1.1 ") || first_line.start_with?("HTTP/1.0 ")
+    return ["response", first_line]
+  end
+  nil
+rescue ArgumentError, Encoding::UndefinedConversionError, Encoding::InvalidByteSequenceError
+  nil
+end
+def main
+  puts "SSL HTTP tracer (Ruby + ring buffer) を初期化中..."
+  b = BCC.new(text: BPF_TEXT)
+  libssl_path = ENV.fetch("LIBSSL_PATH", "/usr/lib/aarch64-linux-gnu/libssl.so.3")
+  b.attach_uprobe(name: libssl_path, sym: "SSL_write", fn_name: "trace_ssl_write")
+  puts "Attached uprobe: SSL_write (#{libssl_path})"
+  decompressor = HTTP2::Header::Decompressor.new
+  continuation_state = {}
+  b["events"].open_ring_buffer do |_ctx, data, _size|
+    event = b["events"].event(data)
+    event_name = event.event_name.to_s
+    next unless event_name == "ssl_w"
+    payload = payload_from_event(event)
+    puts "[PID: #{event.pid}] len=#{event.data_len} read_ret=#{event.read_ret}"
+    next if event.data_len.to_i <= 0
+    summary = maybe_http1_summary(payload)
+    if summary
+      kind, line = summary
+      puts "[HTTP/1.x #{kind}] #{line}"
+      puts hex_ascii_dump(payload)
+      next
+    end
+    rest = payload
+    if rest.start_with?(HTTP2_PREFACE)
+      puts "[H2] client preface detected"
+      rest = rest.byteslice(HTTP2_PREFACE.bytesize..) || "".b
+    end
+    frames = parse_http2_frames(rest)
+    if frames.empty?
+      puts hex_ascii_dump(payload)
+      next
+    end
+    frames.each do |frame_type, flags, stream_id, frame_payload|
+      frame_name = FRAME_TYPE_NAMES.fetch(frame_type, "UNKNOWN(#{frame_type})")
+      puts "[H2] type=#{frame_name} flags=0x#{format('%02x', flags)} stream=#{stream_id} len=#{frame_payload.bytesize}"
+      case frame_type
+      when 0x1 # HEADERS
+        fragment = extract_headers_fragment(frame_type, flags, frame_payload)
+        if fragment.nil?
+          puts "[HPACK] parse_error=invalid HEADERS payload"
+          next
+        end
+        key = [event.pid.to_i, stream_id]
+        if (flags & 0x04) != 0 # END_HEADERS
+          pseudo = decode_pseudo_headers_with_hpack(fragment, decompressor)
+          if pseudo.key?(":error")
+            puts "[HPACK] decode_error=#{pseudo[":error"]}"
+          else
+            puts "[HPACK] :method=#{pseudo.fetch(":method", "?")} :path=#{pseudo.fetch(":path", "?")}"
+          end
+        else
+          continuation_state[key] = fragment.dup
+          puts "[HPACK] collecting CONTINUATION fragments"
+        end
+      when 0x9 # CONTINUATION
+        key = [event.pid.to_i, stream_id]
+        fragment = extract_headers_fragment(frame_type, flags, frame_payload)
+        unless continuation_state.key?(key)
+          puts "[HPACK] note=orphan CONTINUATION frame"
+          next
+        end
+        continuation_state[key] << fragment
+        next if (flags & 0x04).zero?
+        header_block = continuation_state.delete(key)
+        pseudo = decode_pseudo_headers_with_hpack(header_block, decompressor)
+        if pseudo.key?(":error")
+          puts "[HPACK] decode_error=#{pseudo[":error"]}"
+        else
+          puts "[HPACK] :method=#{pseudo.fetch(":method", "?")} :path=#{pseudo.fetch(":path", "?")}"
+        end
+      end
+    end
+  end
+  puts "監視開始。Ctrl+C で終了"
+  loop do
+    b.ring_buffer_poll(100)
+  rescue Interrupt
+    puts "\n終了します。"
+    exit(0)
+  end
+end
+main if $PROGRAM_NAME == __FILE__

data/lib/rbbcc/bcc.rb CHANGED Viewed

@@ -607,7 +607,10 @@ module RbBCC
     end
     def _open_ring_buffer(map_fd, fn, ctx)
-      buf = Clib.bpf_new_ringbuf(map_fd, fn, ctx)
+      # Avoid GC'ing function pointer
+      @_ring_buffer_fns ||= []
+      @_ring_buffer_fns << fn
+      buf = Clib.bpf_new_ringbuf(map_fd, @_ring_buffer_fns[-1], ctx)
       if !buf
         raise "Could not open ring buffer"
       end

data/lib/rbbcc/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.11.4"
+  VERSION = "0.11.5"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.11.4
+  version: 0.11.5
 platform: ruby
 authors:
 - Uchio Kondo
@@ -101,6 +101,7 @@ files:
 - examples/py-orig/sockblock.py
 - examples/ruby_usdt.rb
 - examples/sbrk_trace.rb
+- examples/ssl_http_trace.rb
 - examples/syscalluname.rb
 - examples/table.rb
 - examples/tools/bashreadline.rb