RubyGems - rbbcc - Versions diffs - 0.11.4 → 0.11.6 - Mend

rbbcc 0.11.4 → 0.11.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4f674b42de394618b5c86e8b57a5d0edbf3132310eb11547f789ce098baa0f2
-  data.tar.gz: a0d5a695da3347a3ad3752c650436f8f96386db7231c724b5f2af428383d60e9
+  metadata.gz: 4bd5c0ae3d72c8e4e931d4ecb48872212c1389dd56897a5c16ca3626a1a7a725
+  data.tar.gz: c117a487cbc4c1b5fed3df4eea8813d4b6c16ea3c6dcd306e41b504fb2776bc3
 SHA512:
-  metadata.gz: '069947eb933d84024ba9b951fb8ca08768947bf13ce88b40b3d3dba1f99adc66dcb7e1a5c45deb7cddc4d28e476eddb877454e4e61b15a8ff1f85b2299bc0657'
-  data.tar.gz: 0bba44088c66da0893a64e34e238e94c951c676838604ba43ad019f37bdcbae9b4eb586173e11e8f1919fd691334349155c9325ff98e634282afcb7c712c2ca4
+  metadata.gz: 1c11515d0a7b919ffaa6c0001cc74b96f0bbc217e07fa46c2fe6b37398499a6cb81fac23425e45f32b8802b6b90a6c107f845ef3b610ea7838d8b29178129adc
+  data.tar.gz: 253c500eebc928aa13327496b4cdb96f844a91df06aa5c4bf85561a1958f2c181f792e24262b1ae9d5ac0562796ffb475ae178b2a88a8451f17e50f6c1f7f727

data/.gitignore CHANGED Viewed

@@ -7,6 +7,8 @@
 /pkg/
 /spec/reports/
 /tmp/
+/.agent
+/.claude
 .ruby-version

data/Gemfile CHANGED Viewed

@@ -7,6 +7,7 @@ gem "bundler", "~> 2.0"
 gem "rake", "~> 13.0"
 gem "pry", "~> 0.12"
 gem "minitest", "~> 5"
+gem "http-2", "~> 1.1"
 #group :omnibus_package do
 #  gem "appbundler"

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rbbcc (0.11.4)
+    rbbcc (0.11.6)
       fiddle
 GEM
@@ -9,6 +9,7 @@ GEM
   specs:
     coderay (1.1.3)
     fiddle (1.1.8)
+    http-2 (1.1.3)
     io-console (0.8.2)
     method_source (1.1.0)
     minitest (5.27.0)
@@ -28,6 +29,7 @@ PLATFORMS
 DEPENDENCIES
   bundler (~> 2.0)
+  http-2 (~> 1.1)
   minitest (~> 5)
   pry (~> 0.12)
   rake (~> 13.0)

data/examples/ringbuf_pin_a.rb ADDED Viewed

@@ -0,0 +1,51 @@
+#!/usr/bin/env ruby
+require 'rbbcc'
+include RbBCC
+PIN_PATH = "/sys/fs/bpf/pinned_ringbuf"
+if File.exist?(PIN_PATH)
+  puts "Removing old pinned map at #{PIN_PATH}..."
+  File.unlink(PIN_PATH)
+end
+bpf_text = <<~CLANG
+#include <uapi/linux/ptrace.h>
+struct data_t {
+    u32 pid;
+    char comm[16];
+};
+BPF_RINGBUF_OUTPUT(events, 4);
+int trace_uname(struct pt_regs *ctx) {
+    struct data_t *data = events.ringbuf_reserve(sizeof(struct data_t));
+    if (!data) return 0;
+    data->pid = bpf_get_current_pid_tgid() >> 32;
+    bpf_get_current_comm(&data->comm, sizeof(data->comm));
+    events.ringbuf_submit(data, 0);
+    return 0;
+}
+CLANG
+puts "Process A (Ruby): Loading BPF and attaching tracepoint..."
+b = BCC.new(text: bpf_text)
+b.attach_tracepoint(tp: "syscalls:sys_enter_newuname", fn_name: "trace_uname")
+puts "Process A (Ruby): Pinning ringbuf map to #{PIN_PATH}..."
+b["events"].pin!(PIN_PATH)
+puts "\n[Process A Active] Kept alive to feed events. Press Ctrl+C to stop."
+begin
+  loop do
+    sleep 1
+  end
+ensure
+  if File.exist?(PIN_PATH)
+    puts "\nUnpinning map..."
+    File.unlink(PIN_PATH)
+  end
+end

data/examples/ringbuf_pin_b.rb ADDED Viewed

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+require 'rbbcc'
+include RbBCC
+PIN_PATH = "/sys/fs/bpf/pinned_ringbuf"
+type = "struct data_t {
+    u32 pid;
+    char comm[16];
+};"
+puts "Process B (Ruby): Initializing consumer client..."
+buf = RingBuf.from_pin(PIN_PATH, type, 4)
+# ring_buffer listner
+buf.open_ring_buffer do |cpu, data, size|
+  event = buf.event(data)
+  puts "[Process B Captured] PID: #{event.pid.to_s.ljust(6)} | COMMAND: #{event.comm}"
+end
+puts "\n[Process B Active] Successfully hooked to pinned map (FD: #{buf.map_fd}). Listening for events...\n\n"
+begin
+  loop do
+    buf.ring_buffer_poll()
+  end
+rescue Interrupt
+  puts "\nExiting Process B."
+end

data/examples/ssl_http_trace.rb ADDED Viewed

@@ -0,0 +1,274 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+require "rbbcc"
+include RbBCC
+begin
+  require "http/2"
+rescue LoadError
+  # Fallback for local vendor source
+  local_http2_lib = File.expand_path("../.agent/sources/http-2/lib", __dir__)
+  $LOAD_PATH.unshift(local_http2_lib) unless $LOAD_PATH.include?(local_http2_lib)
+  require "http/2"
+end
+FRAME_TYPE_NAMES = {
+  0x0 => "DATA",
+  0x1 => "HEADERS",
+  0x2 => "PRIORITY",
+  0x3 => "RST_STREAM",
+  0x4 => "SETTINGS",
+  0x5 => "PUSH_PROMISE",
+  0x6 => "PING",
+  0x7 => "GOAWAY",
+  0x8 => "WINDOW_UPDATE",
+  0x9 => "CONTINUATION"
+}.freeze
+HTTP2_PREFACE = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n".b
+HTTP1_METHODS = %w[GET POST PUT PATCH DELETE HEAD OPTIONS TRACE CONNECT].freeze
+BPF_TEXT = <<~BPF
+  #include <uapi/linux/ptrace.h>
+  #define MAX_PAYLOAD_SIZE 1024
+  struct event_t {
+      u32 pid;
+      char event_name[8];
+      unsigned char payload[MAX_PAYLOAD_SIZE];
+      u32 data_len;
+      s32 read_ret;
+  };
+  BPF_RINGBUF_OUTPUT(events, 256);
+  int trace_ssl_write(struct pt_regs *ctx) {
+      u32 tgid = bpf_get_current_pid_tgid() >> 32;
+      const char *user_buf = (const char *)PT_REGS_PARM2(ctx);
+      u64 num = (u64)PT_REGS_PARM3(ctx);
+      if (!user_buf || num <= 0) return 0;
+      struct event_t *event = events.ringbuf_reserve(sizeof(struct event_t));
+      if (!event) return 0;
+      event->pid = tgid;
+      __builtin_memcpy(event->event_name, "ssl_w", 6);
+      u32 len = num > MAX_PAYLOAD_SIZE ? MAX_PAYLOAD_SIZE : (u32)num;
+      event->data_len = len;
+      event->read_ret = bpf_probe_read_user(event->payload, len, user_buf);
+      if (event->read_ret < 0) {
+          event->data_len = 0;
+      }
+      events.ringbuf_submit(event, 0);
+      return 0;
+  }
+BPF
+def hex_ascii_dump(payload, width: 16)
+  lines = []
+  payload.bytes.each_slice(width).with_index do |slice, idx|
+    offset = idx * width
+    hex = slice.map { |b| "%02x" % b }.join(" ")
+    ascii = slice.map { |b| b >= 32 && b <= 126 ? b.chr : "." }.join
+    lines << format("%04x  %-#{width * 3 - 1}s  %s", offset, hex, ascii)
+  end
+  lines.join("\n")
+end
+def payload_from_event(event)
+  raw = event.payload
+  bytes = case raw
+          when String
+            raw.b
+          when Array
+            raw.map { |v| v & 0xff }.pack("C*")
+          else
+            if raw.respond_to?(:to_a)
+              raw.to_a.map { |v| v & 0xff }.pack("C*")
+            else
+              raw.to_s.b
+            end
+          end
+  len = [event.data_len.to_i, bytes.bytesize].min
+  bytes.byteslice(0, len) || "".b
+end
+def parse_http2_frames(payload)
+  frames = []
+  i = 0
+  total = payload.bytesize
+  while i + 9 <= total
+    length_bytes = payload.byteslice(i, 3).bytes
+    length = (length_bytes[0] << 16) | (length_bytes[1] << 8) | length_bytes[2]
+    frame_type = payload.getbyte(i + 3)
+    flags = payload.getbyte(i + 4)
+    stream_id = payload.byteslice(i + 5, 4).unpack1("N") & 0x7fff_ffff
+    i += 9
+    break if i + length > total
+    frame_payload = payload.byteslice(i, length)
+    i += length
+    frames << [frame_type, flags, stream_id, frame_payload]
+  end
+  frames
+end
+def extract_headers_fragment(frame_type, flags, frame_payload)
+  return frame_payload if frame_type == 0x9 # CONTINUATION
+  return nil unless frame_type == 0x1 # HEADERS only
+  start_idx = 0
+  end_idx = frame_payload.bytesize
+  if (flags & 0x08) != 0 # PADDED
+    return nil if end_idx.zero?
+    pad_len = frame_payload.getbyte(0)
+    start_idx += 1
+    end_idx = [start_idx, end_idx - pad_len].max
+  end
+  if (flags & 0x20) != 0 # PRIORITY
+    return nil if start_idx + 5 > end_idx
+    start_idx += 5
+  end
+  frame_payload.byteslice(start_idx, end_idx - start_idx) || "".b
+end
+def decode_pseudo_headers_with_hpack(header_block, decompressor)
+  pairs = decompressor.decode(header_block.b)
+  pseudo = {}
+  pairs.each do |k, v|
+    pseudo[k] = v
+  end
+  pseudo
+rescue StandardError => e
+  { ":error" => e.message }
+end
+def maybe_http1_summary(payload)
+  text = payload.force_encoding(Encoding::UTF_8)
+  first_line = text.split("\r\n", 2).first
+  return nil if first_line.nil? || first_line.empty?
+  if HTTP1_METHODS.any? { |m| first_line.start_with?("#{m} ") }
+    return ["request", first_line]
+  end
+  if first_line.start_with?("HTTP/1.1 ") || first_line.start_with?("HTTP/1.0 ")
+    return ["response", first_line]
+  end
+  nil
+rescue ArgumentError, Encoding::UndefinedConversionError, Encoding::InvalidByteSequenceError
+  nil
+end
+def main
+  puts "SSL HTTP tracer (Ruby + ring buffer) を初期化中..."
+  b = BCC.new(text: BPF_TEXT)
+  libssl_path = ENV.fetch("LIBSSL_PATH", "/usr/lib/aarch64-linux-gnu/libssl.so.3")
+  b.attach_uprobe(name: libssl_path, sym: "SSL_write", fn_name: "trace_ssl_write")
+  puts "Attached uprobe: SSL_write (#{libssl_path})"
+  decompressor = HTTP2::Header::Decompressor.new
+  continuation_state = {}
+  b["events"].open_ring_buffer do |_ctx, data, _size|
+    event = b["events"].event(data)
+    event_name = event.event_name.to_s
+    next unless event_name == "ssl_w"
+    payload = payload_from_event(event)
+    puts "[PID: #{event.pid}] len=#{event.data_len} read_ret=#{event.read_ret}"
+    next if event.data_len.to_i <= 0
+    summary = maybe_http1_summary(payload)
+    if summary
+      kind, line = summary
+      puts "[HTTP/1.x #{kind}] #{line}"
+      puts hex_ascii_dump(payload)
+      next
+    end
+    rest = payload
+    if rest.start_with?(HTTP2_PREFACE)
+      puts "[H2] client preface detected"
+      rest = rest.byteslice(HTTP2_PREFACE.bytesize..) || "".b
+    end
+    frames = parse_http2_frames(rest)
+    if frames.empty?
+      puts hex_ascii_dump(payload)
+      next
+    end
+    frames.each do |frame_type, flags, stream_id, frame_payload|
+      frame_name = FRAME_TYPE_NAMES.fetch(frame_type, "UNKNOWN(#{frame_type})")
+      puts "[H2] type=#{frame_name} flags=0x#{format('%02x', flags)} stream=#{stream_id} len=#{frame_payload.bytesize}"
+      case frame_type
+      when 0x1 # HEADERS
+        fragment = extract_headers_fragment(frame_type, flags, frame_payload)
+        if fragment.nil?
+          puts "[HPACK] parse_error=invalid HEADERS payload"
+          next
+        end
+        key = [event.pid.to_i, stream_id]
+        if (flags & 0x04) != 0 # END_HEADERS
+          pseudo = decode_pseudo_headers_with_hpack(fragment, decompressor)
+          if pseudo.key?(":error")
+            puts "[HPACK] decode_error=#{pseudo[":error"]}"
+          else
+            puts "[HPACK] :method=#{pseudo.fetch(":method", "?")} :path=#{pseudo.fetch(":path", "?")}"
+          end
+        else
+          continuation_state[key] = fragment.dup
+          puts "[HPACK] collecting CONTINUATION fragments"
+        end
+      when 0x9 # CONTINUATION
+        key = [event.pid.to_i, stream_id]
+        fragment = extract_headers_fragment(frame_type, flags, frame_payload)
+        unless continuation_state.key?(key)
+          puts "[HPACK] note=orphan CONTINUATION frame"
+          next
+        end
+        continuation_state[key] << fragment
+        next if (flags & 0x04).zero?
+        header_block = continuation_state.delete(key)
+        pseudo = decode_pseudo_headers_with_hpack(header_block, decompressor)
+        if pseudo.key?(":error")
+          puts "[HPACK] decode_error=#{pseudo[":error"]}"
+        else
+          puts "[HPACK] :method=#{pseudo.fetch(":method", "?")} :path=#{pseudo.fetch(":path", "?")}"
+        end
+      end
+    end
+  end
+  puts "監視開始。Ctrl+C で終了"
+  loop do
+    b.ring_buffer_poll(100)
+  rescue Interrupt
+    puts "\n終了します。"
+    exit(0)
+  end
+end
+main if $PROGRAM_NAME == __FILE__

data/lib/rbbcc/bcc.rb CHANGED Viewed

@@ -607,7 +607,10 @@ module RbBCC
     end
     def _open_ring_buffer(map_fd, fn, ctx)
-      buf = Clib.bpf_new_ringbuf(map_fd, fn, ctx)
+      # Avoid GC'ing function pointer
+      @_ring_buffer_fns ||= []
+      @_ring_buffer_fns << fn
+      buf = Clib.bpf_new_ringbuf(map_fd, @_ring_buffer_fns[-1], ctx)
       if !buf
         raise "Could not open ring buffer"
       end

data/lib/rbbcc/consts.rb CHANGED Viewed

@@ -1,5 +1,9 @@
 module RbBCC
-  module BPF
+  class BCC
+  end
+  BPF = BCC # avoid confuse from python port
+  class BPF
     # From bpf_prog_type in uapi/linux/bpf.h
     SOCKET_FILTER = 1
     KPROBE = 2

data/lib/rbbcc/table.rb CHANGED Viewed

@@ -40,6 +40,8 @@ module RbBCC
           fields << [field_type, field_name].join(" ")
         end
       end
+      return nil if fields.empty?
       klass = Fiddle::Importer.struct(fields)
       char_ps = fields.select {|f| f =~ /^char\[(\d+)\] ([_a-zA-Z0-9]+)/ }
       unless char_ps.empty?
@@ -280,6 +282,11 @@ module RbBCC
       false # TODO: implement me in the future
     end
+    # Just a wrapper to BCC class method
+    def pin!(path)
+      BCC.pin!(self.map_fd, path)
+    end
     private
     def normalize_key(key)
       case key
@@ -368,7 +375,7 @@ module RbBCC
     end
     def event(data)
-      @event_class ||= get_event_class
+      @event_class ||= (get_event_class || self.leaftype)
       ev = @event_class.malloc
       Fiddle::Pointer.new(ev.to_ptr)[0, @event_class.size] = data[0, @event_class.size]
       return ev
@@ -429,7 +436,28 @@ module RbBCC
   class RingBuf < TableBase
     include EventTypeSupported
+    # Make a dynamic BCC program to load the pinned ringbuf map
+    def self.from_pin(path, leaftype, size, name: "events")
+      map_fd = Clib.bpf_obj_get(path)
+      if map_fd < 0
+        raise SystemCallError.new("Could not open pinned map", Fiddle.last_error)
+      end
+      leaftype_typename = case leaftype
+      when /\Astruct\s+(\w+)\s+{/m
+        "struct #{Regexp.last_match(1)}"
+      else
+        leaftype
+      end
+      prog = <<~CLANG
+        #{leaftype}
+        BPF_TABLE_PINNED("ringbuf", u32, #{leaftype_typename}, #{name}, #{size}, "#{path}");
+      CLANG
+      b = BCC.new(text: prog)
+      b[name.to_s]
+    end
     def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
       super
       @_ringbuf = nil
@@ -438,7 +466,7 @@ module RbBCC
     end
     def event(data)
-      @event_class ||= get_event_class
+      @event_class ||= (get_event_class || self.leaftype)
       ev = @event_class.malloc
       Fiddle::Pointer.new(ev.to_ptr)[0, @event_class.size] = data[0, @event_class.size]
       return ev
@@ -470,6 +498,10 @@ module RbBCC
       @bpf._open_ring_buffer(@map_fd, fn, ctx)
       nil
     end
+    def ring_buffer_poll(timeout=-1)
+      @bpf.ring_buffer_poll(timeout)
+    end
   end
   class StackTrace < TableBase

data/lib/rbbcc/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.11.4"
+  VERSION = "0.11.6"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.11.4
+  version: 0.11.6
 platform: ruby
 authors:
 - Uchio Kondo
@@ -99,8 +99,11 @@ files:
 - examples/pin_maps_a.rb
 - examples/pin_maps_b.rb
 - examples/py-orig/sockblock.py
+- examples/ringbuf_pin_a.rb
+- examples/ringbuf_pin_b.rb
 - examples/ruby_usdt.rb
 - examples/sbrk_trace.rb
+- examples/ssl_http_trace.rb
 - examples/syscalluname.rb
 - examples/table.rb
 - examples/tools/bashreadline.rb