rbbcc 0.11.6 → 0.11.8

data/examples/pin_maps_a.rb

@@ -1,88 +0,0 @@
-#!/usr/bin/env ruby
-#
-# pin_maps_a.rb
-# Program A: create HashMap/ArrayMap, hook execve, count up, and pin maps.
-#
-# Usage (root):
-#   sudo ruby examples/pin_maps_a.rb --pin-dir /sys/fs/bpf/rbbcc_pin_demo
-
-require 'rbbcc'
-require 'optparse'
-require 'fileutils'
-
-include RbBCC
-
-BPF_TEXT = <<~CLANG
-  BPF_HASH(pin_hash_map, u32, u64, 1024);
-  BPF_ARRAY(pin_array_map, u64, 1);
-
-  int trace_execve(void *ctx) {
-    u64 zero = 0;
-    u32 pid = bpf_get_current_pid_tgid();
-    u32 idx = 0;
-    u64 *hval;
-    u64 *aval;
-
-    hval = pin_hash_map.lookup_or_try_init(&pid, &zero);
-    if (hval) {
-      __sync_fetch_and_add(hval, 1);
-    }
-
-    aval = pin_array_map.lookup(&idx);
-    if (aval) {
-      __sync_fetch_and_add(aval, 1);
-    }
-
-    return 0;
-  }
-CLANG
-
-options = {
-  pin_dir: '/sys/fs/bpf/rbbcc_pin_demo'
-}
-
-OptionParser.new do |opts|
-  opts.banner = 'Usage: pin_maps_a.rb [options]'
-
-  opts.on('--pin-dir DIR', 'Pin directory under bpffs') do |v|
-    options[:pin_dir] = v
-  end
-end.parse!
-
-b = BCC.new(text: BPF_TEXT)
-b.attach_kprobe(
-  event: b.get_syscall_fnname('execve'),
-  fn_name: 'trace_execve'
-)
-
-hash_map = b['pin_hash_map']
-array_map = b['pin_array_map']
-
-# Initialize global counter slot.
-array_map[0] = 0
-
-FileUtils.mkdir_p(options[:pin_dir])
-hash_path = File.join(options[:pin_dir], 'pin_hash_map')
-array_path = File.join(options[:pin_dir], 'pin_array_map')
-
-File.unlink(hash_path) if File.exist?(hash_path)
-File.unlink(array_path) if File.exist?(array_path)
-
-BCC.pin!(hash_map.map_fd, hash_path)
-BCC.pin!(array_map.map_fd, array_path)
-
-puts 'Pinned maps created.'
-puts "  hash map:  #{hash_path}"
-puts "  array map: #{array_path}"
-puts 'kprobe attached to execve. Run some commands in another terminal.'
-puts 'Press Ctrl-C to stop Program A.'
-
-begin
-  loop do
-    sleep 1
-    total = array_map[0]&.to_bcc_value || 0
-    puts "execve total count: #{total}"
-  end
-rescue Interrupt
-  puts '\nStopping Program A...'
-end

data/examples/pin_maps_b.rb

@@ -1,71 +0,0 @@
-#!/usr/bin/env ruby
-#
-# pin_maps_b.rb
-# Program B: open pinned HashMap/ArrayMap with from_pin and read/update values.
-#
-# Usage (root):
-#   sudo ruby examples/pin_maps_b.rb --pin-dir /sys/fs/bpf/rbbcc_pin_demo
-
-require 'rbbcc'
-require 'optparse'
-
-include RbBCC
-
-options = {
-  pin_dir: '/sys/fs/bpf/rbbcc_pin_demo'
-}
-
-OptionParser.new do |opts|
-  opts.banner = 'Usage: pin_maps_b.rb [options]'
-
-  opts.on('--pin-dir DIR', 'Pin directory under bpffs') do |v|
-    options[:pin_dir] = v
-  end
-end.parse!
-
-hash_path = File.join(options[:pin_dir], 'pin_hash_map')
-array_path = File.join(options[:pin_dir], 'pin_array_map')
-
-unless File.exist?(hash_path) && File.exist?(array_path)
-  abort("Pinned map files are missing. Run pin_maps_a.rb first: #{options[:pin_dir]}")
-end
-
-# Explicitly pass key/leaf type and size; no type detection is performed.
-hash_map = HashTable.from_pin(
-  hash_path,
-  'unsigned int',
-  'unsigned long long',
-  keysize: 4,
-  leafsize: 8
-)
-array_map = ArrayTable.from_pin(
-  array_path,
-  'unsigned int',
-  'unsigned long long',
-  keysize: 4,
-  leafsize: 8
-)
-
-puts 'Loaded pinned maps.'
-puts "  hash map fd:  #{hash_map.map_fd}"
-puts "  array map fd: #{array_map.map_fd}"
-puts "  hash ttype:   #{hash_map.ttype}"
-puts "  array ttype:  #{array_map.ttype}"
-
-puts 'Read existing values:'
-puts "  hash[1] = #{hash_map[1]&.to_bcc_value.inspect}"
-puts "  hash[2] = #{hash_map[2]&.to_bcc_value.inspect}"
-puts "  array[0] = #{array_map[0]&.to_bcc_value.inspect}"
-puts "  array[1] = #{array_map[1]&.to_bcc_value.inspect}"
-
-hash_map[3] = 1
-array_map[0] = (array_map[0]&.to_bcc_value || 0) + 1
-
-puts 'Updated values:'
-puts "  hash[3] = #{hash_map[3]&.to_bcc_value.inspect}"
-puts "  array[0] = #{array_map[0]&.to_bcc_value.inspect}"
-
-puts 'Iterate hash entries:'
-hash_map.each_pair do |k, v|
-  puts "  #{k.to_bcc_value} => #{v.to_bcc_value}"
-end

data/examples/py-orig/sockblock.py

@@ -1,119 +0,0 @@
-from bcc import BPF, lib
-import socket
-import ctypes
-import os
-
-# 1. C言語側のプログラム
-program = r"""
-#include <linux/lsm_hooks.h>
-#include <linux/socket.h>
-#include <uapi/asm-generic/errno-base.h>
-
-struct data_t {
-    u32 pid;
-    int family;
-    int type;
-    int is_warning;
-    int is_blocked;
-    char comm[16];
-};
-
-BPF_PERF_OUTPUT(events);
-
-// モード保存用マップ (Index 0 を使用)
-// 1: blockモード, 0: previewモード
-BPF_ARRAY(config_map, u32, 1);
-
-LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
-{
-    u32 pid = bpf_get_current_pid_tgid() >> 32;
-    struct data_t data = {};
-    
-    // マップから現在のモードを取得
-    u32 key = 0;
-    u32 *mode = config_map.lookup(&key);
-    int is_block_mode = (mode && *mode == 1);
-
-    data.pid = pid;
-    data.family = family;
-    data.type = type;
-    bpf_get_current_comm(&data.comm, sizeof(data.comm));
-
-    if (family == AF_ALG) {
-        data.is_blocked = is_block_mode;
-        data.is_warning = 1;
-
-        // ログデータを送信
-        events.perf_submit(ctx, &data, sizeof(data));
-
-        // blockモードならエラーを返してシステムコールを失敗させる
-        if (is_block_mode) {
-            return -EPERM; // -1 (Operation not permitted)
-        }
-    } else {
-        data.is_blocked = 0;
-        data.is_warning = 0;
-
-        // ログデータを送信
-        events.perf_submit(ctx, &data, sizeof(data));
-    }
-
-    return 0;
-}
-"""
-
-# 定数解決用
-families = {getattr(socket, n): n for n in dir(socket) if n.startswith('AF_')}
-types = {getattr(socket, n): n for n in dir(socket) if n.startswith('SOCK_')}
-
-def print_event(cpu, data, size):
-    event = b["events"].event(data)
-
-    family_str = families.get(event.family, f"AF_UNKNOWN({event.family})")
-    type_str = types.get(event.type, f"SOCK_UNKNOWN({event.type})")
-    
-    print(f"PID: {event.pid:<7} | COMM: {event.comm.decode('utf-8'):<15} | "
-          f"FAMILY: {family_str:<12} | TYPE: {type_str}")
-
-    if event.is_warning:
-        mode_str = "BLOCK" if event.is_blocked else "PREVIEW"
-        status = "!! REJECTED !!" if event.is_blocked else "WARNING"
-        
-        print(f"[{mode_str}] {status}: PID {event.pid} ({event.comm.decode()}) "
-            f"tried to create AF_ALG socket.")
-
-# 2. ロードと設定
-try:
-    b = BPF(text=program)
-    
-    # --- モード設定 ---
-    # 1 を書き込むと blockモード、0 だと previewモード
-    mode = 0
-    config_table = b.get_table("config_map")
-    config_table[ctypes.c_uint32(0)] = ctypes.c_uint32(mode)
-
-    # Mapの永続化 - ユーザ空間からモードを変更できるようにするため
-    map_path = "/sys/fs/bpf/my_config_map"
-    if os.path.exists(map_path):
-        os.remove(map_path)
-    print(f"Pinning config map to -> {map_path}")
-    map_fd = config_table.get_fd()
-    res = lib.bpf_obj_pin(map_fd, ctypes.c_char_p(map_path.encode()))
-    if res != 0:
-        raise Exception(f"Failed to pin map to {map_path}: {os.strerror(-res)}")
-
-    # -----------------
-
-    print(f"LSM BPF started in {'BLOCK' if mode == 1 else 'PREVIEW'} mode.")
-    print("Tracing AF_ALG creation... Press Ctrl-C to exit.")
-    
-    b["events"].open_perf_buffer(print_event)
-    
-    while True:
-        try:
-            b.perf_buffer_poll()
-        except KeyboardInterrupt:
-            exit()
-
-except Exception as e:
-    print(f"Failed: {e}")

data/examples/ringbuf_pin_a.rb

@@ -1,51 +0,0 @@
-#!/usr/bin/env ruby
-require 'rbbcc'
-include RbBCC
-
-PIN_PATH = "/sys/fs/bpf/pinned_ringbuf"
-
-if File.exist?(PIN_PATH)
-  puts "Removing old pinned map at #{PIN_PATH}..."
-  File.unlink(PIN_PATH)
-end
-
-bpf_text = <<~CLANG
-#include <uapi/linux/ptrace.h>
-
-struct data_t {
-    u32 pid;
-    char comm[16];
-};
-
-BPF_RINGBUF_OUTPUT(events, 4);
-
-int trace_uname(struct pt_regs *ctx) {
-    struct data_t *data = events.ringbuf_reserve(sizeof(struct data_t));
-    if (!data) return 0;
-
-    data->pid = bpf_get_current_pid_tgid() >> 32;
-    bpf_get_current_comm(&data->comm, sizeof(data->comm));
-
-    events.ringbuf_submit(data, 0);
-    return 0;
-}
-CLANG
-
-puts "Process A (Ruby): Loading BPF and attaching tracepoint..."
-b = BCC.new(text: bpf_text)
-b.attach_tracepoint(tp: "syscalls:sys_enter_newuname", fn_name: "trace_uname")
-
-puts "Process A (Ruby): Pinning ringbuf map to #{PIN_PATH}..."
-b["events"].pin!(PIN_PATH)
-
-puts "\n[Process A Active] Kept alive to feed events. Press Ctrl+C to stop."
-begin
-  loop do
-    sleep 1
-  end
-ensure
-  if File.exist?(PIN_PATH)
-    puts "\nUnpinning map..."
-    File.unlink(PIN_PATH)
-  end
-end

data/examples/ringbuf_pin_b.rb

@@ -1,29 +0,0 @@
-#!/usr/bin/env ruby
-require 'rbbcc'
-include RbBCC
-
-PIN_PATH = "/sys/fs/bpf/pinned_ringbuf"
-
-type = "struct data_t {
-    u32 pid;
-    char comm[16];
-};"
-
-puts "Process B (Ruby): Initializing consumer client..."
-buf = RingBuf.from_pin(PIN_PATH, type, 4)
-
-# ring_buffer listner
-buf.open_ring_buffer do |cpu, data, size|
-  event = buf.event(data)
-  puts "[Process B Captured] PID: #{event.pid.to_s.ljust(6)} | COMMAND: #{event.comm}"
-end
-
-puts "\n[Process B Active] Successfully hooked to pinned map (FD: #{buf.map_fd}). Listening for events...\n\n"
-
-begin
-  loop do
-    buf.ring_buffer_poll()
-  end
-rescue Interrupt
-  puts "\nExiting Process B."
-end

data/examples/ruby_usdt.rb

@@ -1,105 +0,0 @@
-#!/usr/bin/env ruby
-# To run this example, please build the target ruby with an `--enable-dtrace` option in advance.
-# To build via rbenv, sample command is:
-#     $ RUBY_CONFIGURE_OPTS='--enable-dtrace' rbenv install 2.7.0
-#
-# Example autput:
-#     # bundle exec ruby examples/ruby_usdt.rb $(pidof irb)
-#     TIME(s)            COMM   KLASS                    PATH
-#     0.000000000        irb    Struct::Key              /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline.rb
-#     0.000055206        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
-#     0.000088588        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.000117740        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.000126697        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.000213388        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
-#     0.000225678        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.000243638        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
-#     0.000254680        irb    Range                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/ruby-lex.rb
-#     0.000264707        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.000275579        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.000282438        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.000326136        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb.rb
-#     0.001353621        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
-#     0.001385320        irb    IRB::Color::SymbolState  /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/color.rb
-#     0.001397043        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/color.rb
-#     0.001416420        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.001423861        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.001462010        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.001478995        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
-#     0.001487499        irb    Range                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/ruby-lex.rb
-#     0.001496666        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.001508224        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.001515143        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
-#     0.001556170        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb.rb
-#     0.001726273        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
-#     0.001946948        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
-#     0.001956585        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline.rb
-
-require 'rbbcc'
-include RbBCC
-
-pid = ARGV[0] || begin
-  puts("USAGE: #{$0} PID")
-  exit()
-end
-debug = !!ENV['DEBUG']
-
-bpf_text = <<BPF
-#include <uapi/linux/ptrace.h>
-#include <linux/sched.h>
-
-struct data_t {
-    u64 ts;
-    char comm[TASK_COMM_LEN];
-    char klass[64];
-    char path[256];
-};
-BPF_PERF_OUTPUT(events);
-
-int do_trace_create_object(struct pt_regs *ctx) {
-    struct data_t data = {};
-    uint64_t addr, addr2;
-
-    data.ts = bpf_ktime_get_ns();
-
-    bpf_get_current_comm(&data.comm, sizeof(data.comm));
-    bpf_usdt_readarg_p(1, ctx, &data.klass, sizeof(data.klass));
-    bpf_usdt_readarg_p(2, ctx, &data.path, sizeof(data.path));
-
-    events.perf_submit(ctx, &data, sizeof(data));
-
-    return 0;
-};
-BPF
-
-u = USDT.new(pid: pid.to_i)
-u.enable_probe(probe: "object__create", fn_name: "do_trace_create_object")
-if debug
-  puts(u.get_text)
-  puts(bpf_text)
-end
-
-# initialize BPF
-b = BCC.new(text: bpf_text, usdt_contexts: [u])
-
-puts("%-18s %-6s %-24s %s" % ["TIME(s)", "COMM", "KLASS", "PATH"])
-
-# process event
-start = 0
-b["events"].open_perf_buffer do |cpu, data, size|
-  event = b["events"].event(data)
-  if start == 0
-    start = event.ts
-  end
-
-  time_s = ((event.ts - start).to_f) / 1000000000
-  puts(
-    "%-18.9f %-6s %-24s %s" %
-    [time_s, event.comm, event.klass, event.path]
-  )
-end
-
-Signal.trap(:INT) { puts "\nDone."; exit }
-loop do
-  b.perf_buffer_poll()
-end

data/examples/sbrk_trace.rb

@@ -1,204 +0,0 @@
-#!/usr/bin/env ruby
-# Trace example for libc's USDT:
-# - memory_sbrk_more
-# - memory_sbrk_less
-# - memory_mallopt_free_dyn_thresholds
-# Description is here: https://www.gnu.org/software/libc/manual/html_node/Memory-Allocation-Probes.html
-#
-# Example output:
-# bundle exec ruby examples/sbrk_trace.rb -c ruby
-# !! Trace start.
-# [       0.000000000] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x55f34b979000 size=135168
-# [       0.036549804] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9760000 size=135168
-# [       0.036804183] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9781000 size=143360
-# [       0.036855378] pid=32756 comm=ruby probe=memory_sbrk_less addr=0x557fd97a0000 size=16384
-# [       0.036931376] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd97a0000 size=147456
-# [       0.036940382] pid=32756 comm=ruby probe=memory_sbrk_less addr=0x557fd97c0000 size=16384
-# [       0.037022971] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd97c0000 size=151552
-# [       0.038602464] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd97e5000 size=204800
-# [       0.039398297] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9817000 size=135168
-# [       0.039909594] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9838000 size=135168
-# [       0.040536005] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9859000 size=163840
-# ...
-
-require 'rbbcc'
-include RbBCC
-
-def usage
-  puts("USAGE: #{$0} [-p PID|-c COMM]")
-  exit()
-end
-
-def find_libc_location
-  if File.exist?('/lib/x86_64-linux-gnu/libc.so.6')
-    '/lib/x86_64-linux-gnu/libc.so.6'
-  else
-    `find /lib/ -name 'libc.so*' | tail -1`.chomp
-  end
-end
-
-usage if ARGV.size != 0 && ARGV.size != 2
-
-pid = comm = nil
-path = find_libc_location
-case ARGV[0]
-when '-p', '--pid'
-  pid = ARGV[1].to_i
-when '-c', '--comm'
-  comm = ARGV[1]
-when nil
-  # nop
-else
-  usage
-end
-
-debug = !!ENV['DEBUG']
-
-bpf_text = <<BPF
-#include <uapi/linux/ptrace.h>
-#include <linux/sched.h>
-
-struct data_t {
-    u32 type;
-    u64 ts;
-    u32 pid;
-    char comm[TASK_COMM_LEN];
-    u64 addr;
-    u32 sbrk_size;
-    u32 adjusted_mmap;
-    u32 trim_thresholds;
-};
-BPF_PERF_OUTPUT(events);
-
-static inline bool streq(uintptr_t str) {
-    char needle[] = "{{NEEDLE}}";
-    char haystack[sizeof(needle)];
-    bpf_probe_read(&haystack, sizeof(haystack), (void *)str);
-    for (int i = 0; i < sizeof(needle) - 1; ++i) {
-        if (needle[i] != haystack[i]) {
-            return false;
-        }
-    }
-    return true;
-}
-
-#define PROBE_TYPE_more 1
-#define PROBE_TYPE_less 2
-#define PROBE_TYPE_free 3
-
-{{FUNC_MORE}}
-
-{{FUNC_LESS}}
-
-int trace_memory_free(struct pt_regs *ctx) {
-    struct data_t data = {};
-    long buf;
-
-    data.type = PROBE_TYPE_free;
-    data.ts = bpf_ktime_get_ns();
-    data.pid = bpf_get_current_pid_tgid();
-    bpf_get_current_comm(&data.comm, sizeof(data.comm));
-
-    {{NEEDLE_START}}
-    bpf_usdt_readarg(1, ctx, &buf);
-    data.adjusted_mmap = buf;
-
-    bpf_usdt_readarg(2, ctx, &buf);
-    data.trim_thresholds = buf;
-
-    events.perf_submit(ctx, &data, sizeof(data));
-    {{NEEDLE_END}}
-
-    return 0;
-};
-
-BPF
-
-trace_fun_sbrk = <<FUNC
-int trace_memory_sbrk_{{TYPE}}(struct pt_regs *ctx) {
-    struct data_t data = {};
-    long buf;
-
-    data.type = PROBE_TYPE_{{TYPE}};
-    data.ts = bpf_ktime_get_ns();
-    data.pid = bpf_get_current_pid_tgid();
-    bpf_get_current_comm(&data.comm, sizeof(data.comm));
-
-    {{NEEDLE_START}}
-    bpf_usdt_readarg(1, ctx, &buf);
-    data.addr = buf;
-
-    bpf_usdt_readarg(2, ctx, &buf);
-    data.sbrk_size = buf;
-
-    events.perf_submit(ctx, &data, sizeof(data));
-    {{NEEDLE_END}}
-
-    return 0;
-};
-FUNC
-
-PROBE_TYPE_more = 1
-PROBE_TYPE_less = 2
-PROBE_TYPE_free = 3
-PROBE_MAP = {
-  PROBE_TYPE_more => 'memory_sbrk_more',
-  PROBE_TYPE_less => 'memory_sbrk_less',
-  PROBE_TYPE_free => 'memory_mallopt_free_dyn_thresholds'
-}
-
-bpf_text.sub!('{{FUNC_MORE}}', trace_fun_sbrk.gsub('{{TYPE}}', 'more'))
-bpf_text.sub!('{{FUNC_LESS}}', trace_fun_sbrk.gsub('{{TYPE}}', 'less'))
-
-if comm
-  bpf_text.sub!('{{NEEDLE}}', comm)
-  bpf_text.gsub!('{{NEEDLE_START}}', "if(streq((uintptr_t)data.comm)) {")
-  bpf_text.gsub!('{{NEEDLE_END}}', "}")
-else
-  bpf_text.sub!('{{NEEDLE}}', "")
-  bpf_text.gsub!('{{NEEDLE_START}}', "")
-  bpf_text.gsub!('{{NEEDLE_END}}', "")
-end
-
-u = USDT.new(pid: pid, path: path)
-u.enable_probe(probe: "memory_sbrk_more", fn_name: "trace_memory_sbrk_more")
-u.enable_probe(probe: "memory_sbrk_less", fn_name: "trace_memory_sbrk_less")
-if pid
-  # FIXME: Only available when PID is specified
-  # otherwise got an error:
-  #     bpf: Failed to load program: Invalid argument
-  #     last insn is not an exit or jmp
-  # It seems libbcc won't generate proper readarg helper
-  u.enable_probe(probe: "memory_mallopt_free_dyn_thresholds", fn_name: "trace_memory_free")
-end
-
-# initialize BPF
-b = BCC.new(text: bpf_text, usdt_contexts: [u])
-
-puts "!! Trace start."
-# process event
-start = 0
-b["events"].open_perf_buffer do |cpu, data, size|
-  event = b["events"].event(data)
-  if start == 0
-    start = event.ts
-  end
-
-  time_s = ((event.ts - start).to_f) / 1000000000
-  if [PROBE_TYPE_more, PROBE_TYPE_less].include?(event.type)
-    puts(
-      "[%18.9f] pid=%d comm=%s probe=%s addr=%#x size=%d" %
-      [time_s, event.pid, event.comm, PROBE_MAP[event.type], event.addr, event.sbrk_size]
-    )
-  else
-    puts(
-      "[%18.9f] pid=%d comm=%s probe=%s adjusted_mmap=%d trim_thresholds=%d" %
-      [time_s, event.pid, event.comm, PROBE_MAP[event.type], event.adjusted_mmap, event.trim_thresholds]
-    )
-  end
-end
-
-Signal.trap(:INT) { puts "\n!! Done."; exit }
-loop do
-  b.perf_buffer_poll()
-end