RubyGems - rbbcc - Versions diffs - 0.11.6 → 0.11.8 - Mend

rbbcc 0.11.6 → 0.11.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

checksums.yaml +4 -4
data/Gemfile.lock +1 -1
data/lib/rbbcc/table.rb +8 -7
data/lib/rbbcc/version.rb +1 -1
data/rbbcc.gemspec +5 -2
metadata +2 -62
data/docs/README.md +0 -7
data/docs/answers/01-hello-world.rb +0 -16
data/docs/answers/02-sys_sync.rb +0 -18
data/docs/answers/03-hello_fields.rb +0 -33
data/docs/answers/04-sync_timing.rb +0 -46
data/docs/answers/05-sync_count.rb +0 -54
data/docs/answers/06-disksnoop.rb +0 -71
data/docs/answers/07-hello_perf_output.rb +0 -59
data/docs/answers/08-sync_perf_output.rb +0 -60
data/docs/answers/09-bitehist.rb +0 -32
data/docs/answers/10-disklatency.rb +0 -51
data/docs/answers/11-vfsreadlat.c +0 -46
data/docs/answers/11-vfsreadlat.rb +0 -66
data/docs/answers/12-urandomread.rb +0 -38
data/docs/answers/13-disksnoop_fixed.rb +0 -108
data/docs/answers/14-strlen_count.rb +0 -46
data/docs/answers/15-nodejs_http_server.rb +0 -44
data/docs/answers/16-task_switch.c +0 -23
data/docs/answers/16-task_switch.rb +0 -17
data/docs/answers/node-server.js +0 -11
data/docs/getting_started.md +0 -154
data/docs/projects_using_rbbcc.md +0 -43
data/docs/tutorial_bcc_ruby_developer.md +0 -774
data/docs/tutorial_bcc_ruby_developer_japanese.md +0 -770
data/examples/bitehist.rb +0 -46
data/examples/charty/Gemfile +0 -11
data/examples/charty/Gemfile.lock +0 -48
data/examples/charty/bitehist-unicode.rb +0 -87
data/examples/collectsyscall.rb +0 -182
data/examples/dddos.rb +0 -112
data/examples/disksnoop.rb +0 -73
data/examples/dns_blocker.rb +0 -134
data/examples/example.gif +0 -0
data/examples/extract_arg.rb +0 -26
data/examples/hello_fields.rb +0 -32
data/examples/hello_perf_output.rb +0 -64
data/examples/hello_ring_buffer.rb +0 -64
data/examples/hello_world.rb +0 -6
data/examples/kvm_hypercall.rb +0 -69
data/examples/lsm_sockblock.rb +0 -141
data/examples/mallocstack.rb +0 -63
data/examples/networking/http_filter/http-parse-simple.c +0 -114
data/examples/networking/http_filter/http-parse-simple.rb +0 -85
data/examples/pin_maps_a.rb +0 -88
data/examples/pin_maps_b.rb +0 -71
data/examples/py-orig/sockblock.py +0 -119
data/examples/ringbuf_pin_a.rb +0 -51
data/examples/ringbuf_pin_b.rb +0 -29
data/examples/ruby_usdt.rb +0 -105
data/examples/sbrk_trace.rb +0 -204
data/examples/ssl_http_trace.rb +0 -274
data/examples/syscalluname.rb +0 -39
data/examples/table.rb +0 -15
data/examples/tools/bashreadline.rb +0 -83
data/examples/tools/execsnoop.rb +0 -229
data/examples/tools/runqlat.rb +0 -148
data/examples/urandomread-explicit.rb +0 -58
data/examples/urandomread.rb +0 -39
data/examples/usdt-test.rb +0 -6
data/examples/usdt.rb +0 -26

data/examples/ssl_http_trace.rb DELETED Viewed

@@ -1,274 +0,0 @@
-#!/usr/bin/env ruby
-# frozen_string_literal: true
-require "rbbcc"
-include RbBCC
-begin
-  require "http/2"
-rescue LoadError
-  # Fallback for local vendor source
-  local_http2_lib = File.expand_path("../.agent/sources/http-2/lib", __dir__)
-  $LOAD_PATH.unshift(local_http2_lib) unless $LOAD_PATH.include?(local_http2_lib)
-  require "http/2"
-end
-FRAME_TYPE_NAMES = {
-  0x0 => "DATA",
-  0x1 => "HEADERS",
-  0x2 => "PRIORITY",
-  0x3 => "RST_STREAM",
-  0x4 => "SETTINGS",
-  0x5 => "PUSH_PROMISE",
-  0x6 => "PING",
-  0x7 => "GOAWAY",
-  0x8 => "WINDOW_UPDATE",
-  0x9 => "CONTINUATION"
-}.freeze
-HTTP2_PREFACE = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n".b
-HTTP1_METHODS = %w[GET POST PUT PATCH DELETE HEAD OPTIONS TRACE CONNECT].freeze
-BPF_TEXT = <<~BPF
-  #include <uapi/linux/ptrace.h>
-  #define MAX_PAYLOAD_SIZE 1024
-  struct event_t {
-      u32 pid;
-      char event_name[8];
-      unsigned char payload[MAX_PAYLOAD_SIZE];
-      u32 data_len;
-      s32 read_ret;
-  };
-  BPF_RINGBUF_OUTPUT(events, 256);
-  int trace_ssl_write(struct pt_regs *ctx) {
-      u32 tgid = bpf_get_current_pid_tgid() >> 32;
-      const char *user_buf = (const char *)PT_REGS_PARM2(ctx);
-      u64 num = (u64)PT_REGS_PARM3(ctx);
-      if (!user_buf || num <= 0) return 0;
-      struct event_t *event = events.ringbuf_reserve(sizeof(struct event_t));
-      if (!event) return 0;
-      event->pid = tgid;
-      __builtin_memcpy(event->event_name, "ssl_w", 6);
-      u32 len = num > MAX_PAYLOAD_SIZE ? MAX_PAYLOAD_SIZE : (u32)num;
-      event->data_len = len;
-      event->read_ret = bpf_probe_read_user(event->payload, len, user_buf);
-      if (event->read_ret < 0) {
-          event->data_len = 0;
-      }
-      events.ringbuf_submit(event, 0);
-      return 0;
-  }
-BPF
-def hex_ascii_dump(payload, width: 16)
-  lines = []
-  payload.bytes.each_slice(width).with_index do |slice, idx|
-    offset = idx * width
-    hex = slice.map { |b| "%02x" % b }.join(" ")
-    ascii = slice.map { |b| b >= 32 && b <= 126 ? b.chr : "." }.join
-    lines << format("%04x  %-#{width * 3 - 1}s  %s", offset, hex, ascii)
-  end
-  lines.join("\n")
-end
-def payload_from_event(event)
-  raw = event.payload
-  bytes = case raw
-          when String
-            raw.b
-          when Array
-            raw.map { |v| v & 0xff }.pack("C*")
-          else
-            if raw.respond_to?(:to_a)
-              raw.to_a.map { |v| v & 0xff }.pack("C*")
-            else
-              raw.to_s.b
-            end
-          end
-  len = [event.data_len.to_i, bytes.bytesize].min
-  bytes.byteslice(0, len) || "".b
-end
-def parse_http2_frames(payload)
-  frames = []
-  i = 0
-  total = payload.bytesize
-  while i + 9 <= total
-    length_bytes = payload.byteslice(i, 3).bytes
-    length = (length_bytes[0] << 16) | (length_bytes[1] << 8) | length_bytes[2]
-    frame_type = payload.getbyte(i + 3)
-    flags = payload.getbyte(i + 4)
-    stream_id = payload.byteslice(i + 5, 4).unpack1("N") & 0x7fff_ffff
-    i += 9
-    break if i + length > total
-    frame_payload = payload.byteslice(i, length)
-    i += length
-    frames << [frame_type, flags, stream_id, frame_payload]
-  end
-  frames
-end
-def extract_headers_fragment(frame_type, flags, frame_payload)
-  return frame_payload if frame_type == 0x9 # CONTINUATION
-  return nil unless frame_type == 0x1 # HEADERS only
-  start_idx = 0
-  end_idx = frame_payload.bytesize
-  if (flags & 0x08) != 0 # PADDED
-    return nil if end_idx.zero?
-    pad_len = frame_payload.getbyte(0)
-    start_idx += 1
-    end_idx = [start_idx, end_idx - pad_len].max
-  end
-  if (flags & 0x20) != 0 # PRIORITY
-    return nil if start_idx + 5 > end_idx
-    start_idx += 5
-  end
-  frame_payload.byteslice(start_idx, end_idx - start_idx) || "".b
-end
-def decode_pseudo_headers_with_hpack(header_block, decompressor)
-  pairs = decompressor.decode(header_block.b)
-  pseudo = {}
-  pairs.each do |k, v|
-    pseudo[k] = v
-  end
-  pseudo
-rescue StandardError => e
-  { ":error" => e.message }
-end
-def maybe_http1_summary(payload)
-  text = payload.force_encoding(Encoding::UTF_8)
-  first_line = text.split("\r\n", 2).first
-  return nil if first_line.nil? || first_line.empty?
-  if HTTP1_METHODS.any? { |m| first_line.start_with?("#{m} ") }
-    return ["request", first_line]
-  end
-  if first_line.start_with?("HTTP/1.1 ") || first_line.start_with?("HTTP/1.0 ")
-    return ["response", first_line]
-  end
-  nil
-rescue ArgumentError, Encoding::UndefinedConversionError, Encoding::InvalidByteSequenceError
-  nil
-end
-def main
-  puts "SSL HTTP tracer (Ruby + ring buffer) を初期化中..."
-  b = BCC.new(text: BPF_TEXT)
-  libssl_path = ENV.fetch("LIBSSL_PATH", "/usr/lib/aarch64-linux-gnu/libssl.so.3")
-  b.attach_uprobe(name: libssl_path, sym: "SSL_write", fn_name: "trace_ssl_write")
-  puts "Attached uprobe: SSL_write (#{libssl_path})"
-  decompressor = HTTP2::Header::Decompressor.new
-  continuation_state = {}
-  b["events"].open_ring_buffer do |_ctx, data, _size|
-    event = b["events"].event(data)
-    event_name = event.event_name.to_s
-    next unless event_name == "ssl_w"
-    payload = payload_from_event(event)
-    puts "[PID: #{event.pid}] len=#{event.data_len} read_ret=#{event.read_ret}"
-    next if event.data_len.to_i <= 0
-    summary = maybe_http1_summary(payload)
-    if summary
-      kind, line = summary
-      puts "[HTTP/1.x #{kind}] #{line}"
-      puts hex_ascii_dump(payload)
-      next
-    end
-    rest = payload
-    if rest.start_with?(HTTP2_PREFACE)
-      puts "[H2] client preface detected"
-      rest = rest.byteslice(HTTP2_PREFACE.bytesize..) || "".b
-    end
-    frames = parse_http2_frames(rest)
-    if frames.empty?
-      puts hex_ascii_dump(payload)
-      next
-    end
-    frames.each do |frame_type, flags, stream_id, frame_payload|
-      frame_name = FRAME_TYPE_NAMES.fetch(frame_type, "UNKNOWN(#{frame_type})")
-      puts "[H2] type=#{frame_name} flags=0x#{format('%02x', flags)} stream=#{stream_id} len=#{frame_payload.bytesize}"
-      case frame_type
-      when 0x1 # HEADERS
-        fragment = extract_headers_fragment(frame_type, flags, frame_payload)
-        if fragment.nil?
-          puts "[HPACK] parse_error=invalid HEADERS payload"
-          next
-        end
-        key = [event.pid.to_i, stream_id]
-        if (flags & 0x04) != 0 # END_HEADERS
-          pseudo = decode_pseudo_headers_with_hpack(fragment, decompressor)
-          if pseudo.key?(":error")
-            puts "[HPACK] decode_error=#{pseudo[":error"]}"
-          else
-            puts "[HPACK] :method=#{pseudo.fetch(":method", "?")} :path=#{pseudo.fetch(":path", "?")}"
-          end
-        else
-          continuation_state[key] = fragment.dup
-          puts "[HPACK] collecting CONTINUATION fragments"
-        end
-      when 0x9 # CONTINUATION
-        key = [event.pid.to_i, stream_id]
-        fragment = extract_headers_fragment(frame_type, flags, frame_payload)
-        unless continuation_state.key?(key)
-          puts "[HPACK] note=orphan CONTINUATION frame"
-          next
-        end
-        continuation_state[key] << fragment
-        next if (flags & 0x04).zero?
-        header_block = continuation_state.delete(key)
-        pseudo = decode_pseudo_headers_with_hpack(header_block, decompressor)
-        if pseudo.key?(":error")
-          puts "[HPACK] decode_error=#{pseudo[":error"]}"
-        else
-          puts "[HPACK] :method=#{pseudo.fetch(":method", "?")} :path=#{pseudo.fetch(":path", "?")}"
-        end
-      end
-    end
-  end
-  puts "監視開始。Ctrl+C で終了"
-  loop do
-    b.ring_buffer_poll(100)
-  rescue Interrupt
-    puts "\n終了します。"
-    exit(0)
-  end
-end
-main if $PROGRAM_NAME == __FILE__

data/examples/syscalluname.rb DELETED Viewed

@@ -1,39 +0,0 @@
-#!/usr/bin/env ruby
-#
-# syscalluname.rb Example of instrumenting a kernel tracepoint.
-#
-# Copyright 2024 Uchio Kondo
-# Licensed under the Apache License, Version 2.0 (the "License")
-require 'rbbcc'
-include RbBCC
-b = BCC.new(text: %[
-#include <linux/utsname.h>
-TRACEPOINT_PROBE(syscalls, sys_enter_newuname) {
-    // args is from
-    // /sys/kernel/debug/tracing/events/syscalls/sys_enter_newuname/format
-    char release[16];
-    bpf_probe_read_user_str(release, 16, args->name->release);
-    // avoid broken data
-    if (release[0] == '5' || release[0] == '6') {
-        bpf_trace_printk("%s\\n", release);
-    }
-    return 0;
-}
-])
-# header
-printf("%-18s %-16s %-6s %s\n", "TIME(s)", "COMM", "PID", "RELEASE")
-# format output
-loop do
-  begin
-    b.trace_fields do |task, pid, cpu, flags, ts, msg|
-      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
-    end
-  rescue Interrupt
-    exit
-  end
-end

data/examples/table.rb DELETED Viewed

@@ -1,15 +0,0 @@
-#!/usr/bin/env ruby
-require 'rbbcc'
-include RbBCC
-b = BCC.new(text: <<CLANG)
-BPF_HASH(the_table_name, int);
-CLANG
-table = b.get_table('the_table_name', leaftype: 'int')
-table[10] = 1
-table[20] = 2
-puts table[10].to_bcc_value == 1
-puts table[20].to_bcc_value == 2

data/examples/tools/bashreadline.rb DELETED Viewed

@@ -1,83 +0,0 @@
-#!/usr/bin/env ruby
-#
-# bashreadline  Print entered bash commands from all running shells.
-#               For Linux, uses BCC, eBPF. Embedded C.
-#
-# USAGE: bashreadline [-s SHARED]
-# This works by tracing the readline() function using a uretprobe (uprobes).
-# When you failed to run the script directly with error:
-# `Exception: could not determine address of symbol b'readline'`,
-# you may need specify the location of libreadline.so library
-# with `-s` option.
-#
-# Original bashreadline.py:
-# Copyright 2016 Netflix, Inc.
-# Licensed under the Apache License, Version 2.0 (the "License")
-# And Ruby version follows.
-#
-# 28-Jan-2016    Brendan Gregg   Created bashreadline.py.
-# 12-Feb-2016    Allan McAleavy migrated to BPF_PERF_OUTPUT
-# 05-Jun-2020    Uchio Kondo     Ported bashreadline.rb
-require 'rbbcc'
-require 'optparse'
-include RbBCC
-args = {}
-opts = OptionParser.new
-opts.on("-s", "--shared=LIBREADLINE_PATH"){|v| args[:shared] = v }
-opts.parse!(ARGV)
-name = args[:shared] || "/bin/bash"
-# load BPF program
-bpf_text = <<BPF
-#include <uapi/linux/ptrace.h>
-#include <linux/sched.h>
-struct str_t {
-    u64 pid;
-    char str[80];
-};
-BPF_PERF_OUTPUT(events);
-int printret(struct pt_regs *ctx) {
-    struct str_t data  = {};
-    char comm[TASK_COMM_LEN] = {};
-    u32 pid;
-    if (!PT_REGS_RC(ctx))
-        return 0;
-    pid = bpf_get_current_pid_tgid();
-    data.pid = pid;
-    bpf_probe_read(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
-    bpf_get_current_comm(&comm, sizeof(comm));
-    if (comm[0] == 'b' && comm[1] == 'a' && comm[2] == 's' && comm[3] == 'h' && comm[4] == 0 ) {
-        events.perf_submit(ctx,&data,sizeof(data));
-    }
-    return 0;
-};
-BPF
-b = BCC.new(text: bpf_text)
-b.attach_uretprobe(name: name, sym: "readline", fn_name: "printret")
-# header
-puts("%-9s %-6s %s" % ["TIME", "PID", "COMMAND"])
-b["events"].open_perf_buffer do |cpu, data, size|
-  event = b["events"].event(data)
-  puts("%-9s %-6d %s" % [
-         Time.now.strftime("%H:%M:%S"),
-         event.pid,
-         event.str
-       ])
-end
-trap(:INT) { puts; exit }
-loop do
-  b.perf_buffer_poll
-end

data/examples/tools/execsnoop.rb DELETED Viewed

@@ -1,229 +0,0 @@
-#!/usr/bin/env ruby
-#
-# execsnoop Trace new processes via exec() syscalls.
-#           For Linux, uses BCC, eBPF. Embedded C.
-# originally from tools/execsnoop.py
-#
-# USAGE: execsnoop [-h] [-t] [-x] [-n NAME]
-#
-# This currently will print up to a maximum of 19 arguments, plus the process
-# name, so 20 fields in total (MAXARG).
-#
-# This won't catch all new processes: an application may fork() but not exec().
-#
-# Copyright 2016 Netflix, Inc.
-# Licensed under the Apache License, Version 2.0 (the "License")
-#
-# 07-Feb-2016   Brendan Gregg   Created execsnoop.py.
-require 'optparse'
-require 'ostruct'
-require 'rbbcc'
-include RbBCC
-examples = <<USAGE
-examples:
-    ./execsnoop.rb           # trace all exec() syscalls
-    ./execsnoop.rb -x        # include failed exec()s
-    ./execsnoop.rb -t        # include timestamps
-    ./execsnoop.rb -q        # add "quotemarks" around arguments
-    ./execsnoop.rb -n main   # only print command lines containing "main"
-    ./execsnoop.rb -l tpkg   # only print command where arguments contains "tpkg"
-USAGE
-args = OpenStruct.new
-parser = OptionParser.new
-parser.banner = <<BANNER
-usage: execsnoop.rb [-h] [-t] [-x] [-q] [-n NAME] [-l LINE]
-                    [--max-args MAX_ARGS]
-Trace exec() syscalls
-optional arguments:
-BANNER
-parser.on("-t", "--timestamp", "include timestamp on output") {|v| args.timestamp = v }
-parser.on("-x", "--fails",     "include failed exec()s") {|v| args.fails = v }
-parser.on("-q", "--quote",     "Add quotemarks (\") around arguments.") {|v| args.quote = v }
-parser.on("-n", "--name NAME", "only print commands matching this name (regex), any arg") {|v| args.name = v }
-parser.on("-l", "--line LINE", "only print commands where arg contains this line (regex)") {|v| args.line = v }
-parser.on("--max-args MAX_ARGS", "maximum number of arguments parsed and displayed, defaults to 20") {|v| args.max_arges = v }
-parser.on("--ebpf") {|v| opt.ebpf = v }
-parser.on_tail("-h", "--help", "show this help message and exit") do
-  puts parser
-  puts
-  puts examples
-  exit
-end
-parser.parse!
-args.max_args ||= "20"
-bpf_text = <<CLANG
-#include <uapi/linux/ptrace.h>
-#include <linux/sched.h>
-#include <linux/fs.h>
-#define ARGSIZE  128
-enum event_type {
-    EVENT_ARG,
-    EVENT_RET,
-};
-struct data_t {
-    u32 pid;  // PID as in the userspace term (i.e. task->tgid in kernel)
-    u32 ppid; // Parent PID as in the userspace term (i.e task->real_parent->tgid in kernel)
-    char comm[TASK_COMM_LEN];
-    enum event_type type;
-    char argv[ARGSIZE];
-    int retval;
-};
-BPF_PERF_OUTPUT(events);
-static int __submit_arg(struct pt_regs *ctx, void *ptr, struct data_t *data)
-{
-    bpf_probe_read(data->argv, sizeof(data->argv), ptr);
-    events.perf_submit(ctx, data, sizeof(struct data_t));
-    return 1;
-}
-static int submit_arg(struct pt_regs *ctx, void *ptr, struct data_t *data)
-{
-    const char *argp = NULL;
-    bpf_probe_read(&argp, sizeof(argp), ptr);
-    if (argp) {
-        return __submit_arg(ctx, (void *)(argp), data);
-    }
-    return 0;
-}
-int syscall__execve(struct pt_regs *ctx,
-    const char __user *filename,
-    const char __user *const __user *__argv,
-    const char __user *const __user *__envp)
-{
-    // create data here and pass to submit_arg to save stack space (#555)
-    struct data_t data = {};
-    struct task_struct *task;
-    data.pid = bpf_get_current_pid_tgid() >> 32;
-    task = (struct task_struct *)bpf_get_current_task();
-    // Some kernels, like Ubuntu 4.13.0-generic, return 0
-    // as the real_parent->tgid.
-    // We use the get_ppid function as a fallback in those cases. (#1883)
-    data.ppid = task->real_parent->tgid;
-    bpf_get_current_comm(&data.comm, sizeof(data.comm));
-    data.type = EVENT_ARG;
-    __submit_arg(ctx, (void *)filename, &data);
-    // skip first arg, as we submitted filename
-    #pragma unroll
-    for (int i = 1; i < MAXARG; i++) {
-        if (submit_arg(ctx, (void *)&__argv[i], &data) == 0)
-             goto out;
-    }
-    // handle truncated argument list
-    char ellipsis[] = "...";
-    __submit_arg(ctx, (void *)ellipsis, &data);
-out:
-    return 0;
-}
-int do_ret_sys_execve(struct pt_regs *ctx)
-{
-    struct data_t data = {};
-    struct task_struct *task;
-    data.pid = bpf_get_current_pid_tgid() >> 32;
-    task = (struct task_struct *)bpf_get_current_task();
-    // Some kernels, like Ubuntu 4.13.0-generic, return 0
-    // as the real_parent->tgid.
-    // We use the get_ppid function as a fallback in those cases. (#1883)
-    data.ppid = task->real_parent->tgid;
-    bpf_get_current_comm(&data.comm, sizeof(data.comm));
-    data.type = EVENT_RET;
-    data.retval = PT_REGS_RC(ctx);
-    events.perf_submit(ctx, &data, sizeof(data));
-    return 0;
-}
-CLANG
-EVENT_ARG = 0
-EVENT_RET = 1
-# This is best-effort PPID matching. Short-lived processes may exit
-# before we get a chance to read the PPID.
-# This is a fallback for when fetching the PPID from task->real_parent->tgip
-# returns 0, which happens in some kernel versions.
-def get_ppid(pid)
-  line = File.read("/proc/%d/status" % pid).lines.grep(/^PPid:/)
-  if line.empty?
-    0
-  else
-    line[0].split[1].to_i
-  end
-rescue
-  0
-end
-bpf_text.sub!("MAXARG", args.max_args)
-if args.ebpf
-  puts(bpf_text)
-  exit
-end
-b = BCC.new(text: bpf_text)
-execve_fnname = b.get_syscall_fnname("execve")
-b.attach_kprobe(event: execve_fnname, fn_name: "syscall__execve")
-b.attach_kretprobe(event: execve_fnname, fn_name: "do_ret_sys_execve")
-printf("%-8s", "TIME(s)") if args.timestamp
-printf("%-16s %-6s %-6s %3s %s\n", "PCOMM", "PID", "PPID", "RET", "ARGS")
-start_ts = Time.now.to_f
-argv = []
-b["events"].open_perf_buffer do |cpu, data, size|
-  event = b["events"].event(data)
-  skip = false
-  if event.type == EVENT_ARG
-    argv[event.pid] ||= []
-    argv[event.pid] << event.argv
-  elsif event.type == EVENT_RET
-    skip = true if event.retval != 0 && !args.fails
-    skip = true if args.name && /#{args.name}/ !~ event.comm
-    skip = true if args.line && /#{args.line}/ !~ argv[event.pid].join(' ')
-    if args.quote
-      argv[event.pid] = argv[event.pid].map{|arg| '"' + arg.gsub(/\"/, '\\"') + '"' }
-    end
-    unless skip
-      ppid_ = event.ppid > 0 ? event.ppid : get_ppid(event.pid)
-      ppid = ppid_ > 0 ? ppid_.to_s : "?"
-      # FIXME: get empty argv[pid] in some cases...
-      argv_text = argv[event.pid].join(' ').gsub(/\n/, '\\n') rescue ""
-      printf("%-8.3f", (Time.now.to_f - start_ts)) if args.timestamp
-      printf("%-16s %-6d %-6s %3d %s\n",
-             event.comm, event.pid, ppid, event.retval, argv_text)
-    end
-    argv[event.pid] = nil
-  end
-end
-loop do
-  begin
-    b.perf_buffer_poll()
-  rescue Interrupt
-    exit
-  end
-end