rbbcc 0.3.1 → 0.4.0

data/docs/answers/13-disksnoop_fixed.rb

@@ -0,0 +1,108 @@
+#!/usr/bin/env ruby
+#
+# disksnoop_fixed.rb	Trace block device I/O: basic version of iosnoop.
+#		For Linux, uses BCC, eBPF. Embedded C.
+# This is ported from original disksnoop.py
+#
+# Written as a basic example of tracing latency.
+#
+# Licensed under the Apache License, Version 2.0 (the "License")
+#
+# 11-Aug-2015	Brendan Gregg	Created disksnoop.py
+
+=begin
+name: block_rq_issue
+ID: 1093
+format:
+        field:unsigned short common_type;       offset:0;       size:2; signed:0;
+        field:unsigned char common_flags;       offset:2;       size:1; signed:0;
+        field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
+        field:int common_pid;   offset:4;       size:4; signed:1;
+
+        field:dev_t dev;        offset:8;       size:4; signed:0;
+        field:sector_t sector;  offset:16;      size:8; signed:0;
+        field:unsigned int nr_sector;   offset:24;      size:4; signed:0;
+        field:unsigned int bytes;       offset:28;      size:4; signed:0;
+        field:char rwbs[8];     offset:32;      size:8; signed:1;
+        field:char comm[16];    offset:40;      size:16;        signed:1;
+        field:__data_loc char[] cmd;    offset:56;      size:4; signed:1;
+
+print fmt: "%d,%d %s %u (%s) %llu + %u [%s]", ((unsigned int) ((REC->dev) >> 20)), ((unsigned int) ((REC->dev) & ((1U << 20) - 1))), REC->rwbs, REC->bytes, __get_str(cmd), (unsigned long long)REC->sector, REC->nr_sector, REC->comm
+
+name: block_rq_complete
+ID: 1095
+format:
+        field:unsigned short common_type;       offset:0;       size:2; signed:0;
+        field:unsigned char common_flags;       offset:2;       size:1; signed:0;
+        field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
+        field:int common_pid;   offset:4;       size:4; signed:1;
+
+        field:dev_t dev;        offset:8;       size:4; signed:0;
+        field:sector_t sector;  offset:16;      size:8; signed:0;
+        field:unsigned int nr_sector;   offset:24;      size:4; signed:0;
+        field:int error;        offset:28;      size:4; signed:1;
+        field:char rwbs[8];     offset:32;      size:8; signed:1;
+        field:__data_loc char[] cmd;    offset:40;      size:4; signed:1;
+
+print fmt: "%d,%d %s (%s) %llu + %u [%d]", ((unsigned int) ((REC->dev) >> 20)), ((unsigned int) ((REC->dev) & ((1U << 20) - 1))), REC->rwbs, __get_str(cmd), (unsigned long long)REC->sector, REC->nr_sector, REC->error
+
+in kernel 5.0.
+This implementation shows the count of sector.
+=end
+
+require 'rbbcc'
+include RbBCC
+
+# load BPF program
+b = BCC.new(text: <<CLANG)
+#include <uapi/linux/ptrace.h>
+#include <linux/blkdev.h>
+
+BPF_HASH(start, u32);
+
+TRACEPOINT_PROBE(block, block_rq_issue) {
+  // stash start timestamp by request ptr
+  u64 ts = bpf_ktime_get_ns();
+  u32 tid = bpf_get_current_pid_tgid();
+
+  start.update(&tid, &ts);
+  return 0;
+}
+
+TRACEPOINT_PROBE(block, block_rq_complete) {
+  u64 *tsp, delta;
+  u32 tid = bpf_get_current_pid_tgid();
+
+  tsp = start.lookup(&tid);
+  if (tsp != 0) {
+    char dst[8];
+    int i;
+    delta = bpf_ktime_get_ns() - *tsp;
+    if (bpf_probe_read_str(dst, sizeof(dst), args->rwbs) < 0) {
+      dst[0] = '?';
+      for(i = 1; i < sizeof(dst); ++i)
+        dst[i] = 0;
+    }
+    bpf_trace_printk("%d %s %d\\n", args->nr_sector,
+        dst, delta / 1000);
+    start.delete(&tid);
+  }
+  return 0;
+}
+CLANG
+
+# header
+puts("%-18s %-8s %-7s %8s" % ["TIME(s)", "RWBS", "SECTORS", "LAT(ms)"])
+
+# format output
+loop do
+  begin
+    task, pid, cpu, flags, ts, msg = b.trace_fields
+    sector_s, rwbs, us_s = msg.split
+    ms = us_s.to_i.to_f / 1000
+
+    puts("%-18.9f %-8s %-7s %8.2f" % [ts, rwbs, sector_s, ms])
+  rescue Interrupt
+    exit
+  end
+end

data/docs/answers/14-strlen_count.rb

@@ -0,0 +1,46 @@
+require 'rbbcc'
+include RbBCC
+
+# load BPF program
+b = BCC.new(text: <<BPF)
+#include <uapi/linux/ptrace.h>
+
+struct key_t {
+    char c[80];
+};
+BPF_HASH(counts, struct key_t);
+
+int count(struct pt_regs *ctx) {
+    if (!PT_REGS_PARM1(ctx))
+        return 0;
+
+    struct key_t key = {};
+    u64 zero = 0, *val;
+
+    bpf_probe_read(&key.c, sizeof(key.c), (void *)PT_REGS_PARM1(ctx));
+    // could also use `counts.increment(key)`
+    val = counts.lookup_or_try_init(&key, &zero);
+    if (val) {
+      (*val)++;
+    }
+    return 0;
+};
+BPF
+b.attach_uprobe(name: "c", sym: "strlen", fn_name: "count")
+
+# header
+print("Tracing strlen()... Hit Ctrl-C to end.")
+
+# sleep until Ctrl-C
+begin
+  sleep(99999999)
+rescue Interrupt
+  puts
+end
+
+# print output
+puts("%10s %s" % ["COUNT", "STRING"])
+counts = b.get_table("counts")
+counts.items.sort_by{|k, v| v.to_bcc_value }.each do |k, v|
+  puts("%10d %s" % [v.to_bcc_value, k[0, k.size].unpack("Z*")[0]])
+end

data/docs/answers/15-nodejs_http_server.rb

@@ -0,0 +1,44 @@
+require 'rbbcc'
+include RbBCC
+
+if ARGV.size != 1
+  print("USAGE: #{$0} PID")
+  exit()
+end
+pid = ARGV[0]
+debug = !!ENV['DEBUG']
+
+# load BPF program
+bpf_text = <<BPF
+#include <uapi/linux/ptrace.h>
+int do_trace(struct pt_regs *ctx) {
+    uint64_t addr;
+    char path[128]={0};
+    bpf_usdt_readarg(6, ctx, &addr);
+    bpf_probe_read(&path, sizeof(path), (void *)addr);
+    bpf_trace_printk("path:%s\\n", path);
+    return 0;
+};
+BPF
+
+# enable USDT probe from given PID
+u = USDT.new(pid: pid.to_i)
+u.enable_probe(probe: "http__server__request", fn_name: "do_trace")
+if debug
+  puts(u.get_text)
+  puts(bpf_text)
+end
+
+# initialize BPF
+b = BCC.new(text: bpf_text, usdt_contexts: [u])
+
+puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "ARGS"])
+loop do
+  begin
+    b.trace_fields do |task, pid, cpu, flags, ts, msg|
+      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
+    end
+  rescue Interrupt
+    exit
+  end
+end

data/docs/answers/16-task_switch.c

@@ -0,0 +1,23 @@
+#include <uapi/linux/ptrace.h>
+#include <linux/sched.h>
+
+struct key_t {
+    u32 prev_pid;
+    u32 curr_pid;
+};
+
+BPF_HASH(stats, struct key_t, u64, 1024);
+int count_sched(struct pt_regs *ctx, struct task_struct *prev) {
+    struct key_t key = {};
+    u64 zero = 0, *val;
+
+    key.curr_pid = bpf_get_current_pid_tgid();
+    key.prev_pid = prev->pid;
+
+    // could also use `stats.increment(key);`
+    val = stats.lookup_or_try_init(&key, &zero);
+    if (val) {
+      (*val)++;
+    }
+    return 0;
+}

data/docs/answers/16-task_switch.rb

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+# Original task_switch.rb Copyright (c) PLUMgrid, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License")
+
+require 'rbbcc'
+include RbBCC
+
+b = BCC.new(src_file: "16-task_switch.c")
+b.attach_kprobe(event: "finish_task_switch", fn_name: "count_sched")
+
+# generate many schedule events
+100.times { sleep 0.01 }
+
+b["stats"].each do |_k, v|
+  k = _k[0, 8].unpack("i! i!") # Handling pointer without type!!
+  puts("task_switch[%5d->%5d]=%u" % [k[0], k[1], v.to_bcc_value])
+end

data/docs/answers/node-server.js

@@ -0,0 +1,11 @@
+var http = require("http");
+
+var server = http.createServer(function (req, res) {
+    res.writeHead(200, {"Content-Type": "text/plain"});
+    res.end("Sample node.js server, returns contents in any path.\n");
+});
+
+var port = process.env.PORT || 8081;
+server.listen(port, function() {
+    console.log("Do curl http://localhost:" + port);
+});

data/docs/projects_using_rbbcc.md

@@ -0,0 +1,43 @@
+# Projects Using RbBCC
+
+## bpfql
+
+[bpfql](https://github.com/udzura/bpfql) is a tool to run an eBPF tracing query, using YAML or Ruby DSL.
+
+```ruby
+BPFQL do
+  select "*"
+  from "tracepoint:random:urandom_read"
+  where "comm", is: "ruby"
+end
+```
+
+```console
+$ sudo bundle exec bpfql examples/random.rb
+Found fnc: tracepoint__random__urandom_read
+Attach: random:urandom_read
+TS                 COMM             PID    GOT_BITS POOL_LEFT INPUT_LEFT
+0.000000000        ruby             32485  128      0        2451
+0.002465663        ruby             32485  128      0        2451
+^CExiting bpfql...
+```
+
+See [its repo](https://github.com/udzura/bpfql) for more details.
+
+## rack-ebpf and rack application tracing
+
+[rack-ebpf](https://github.com/udzura/rack-ebpf) is a rack middleware that invoke USDT probes every time start/end the requests.
+
+Combine this rack middleware and `rack-ebpf-run` command, we can trace and analyze system stats per request.
+
+e.g.
+
+* Count of syscall invocations(like read, write) per request
+* Consumed time for syscall ops(like read, write) per request
+* Created Ruby objects per request, using Ruby itself's USDT (this requires ruby itself as `--enable-dtrace` build)
+
+For detailed usage, see [rack-ebpf's repo](https://github.com/udzura/rack-ebpf)
+
+----
+
+Also we're going to prepare some BCC tools made with Ruby. TBA!