rbbcc 0.3.1 → 0.6.0

data/docs/answers/09-bitehist.rb

@@ -0,0 +1,32 @@
+#!/usr/bin/env ruby
+# Licensed under the Apache License, Version 2.0 (the "License")
+
+require 'rbbcc'
+include RbBCC
+
+# load BPF program
+b = BCC.new(text: <<BPF)
+#include <uapi/linux/ptrace.h>
+#include <linux/blkdev.h>
+
+BPF_HISTOGRAM(dist);
+
+int kprobe__blk_account_io_completion(struct pt_regs *ctx, struct request *req)
+{
+  dist.increment(bpf_log2l(req->__data_len / 1024));
+  return 0;
+}
+BPF
+
+# header
+puts("Tracing... Hit Ctrl-C to end.")
+
+# trace until Ctrl-C
+begin
+  loop { sleep 0.1 }
+rescue Interrupt
+  puts
+end
+
+# output
+b["dist"].print_log2_hist("kbytes")

data/docs/answers/10-disklatency.rb

@@ -0,0 +1,51 @@
+#!/usr/bin/env ruby
+# Licensed under the Apache License, Version 2.0 (the "License")
+
+require 'rbbcc'
+include RbBCC
+
+b = BCC.new(text: <<BPF)
+#include <uapi/linux/ptrace.h>
+#include <linux/blkdev.h>
+
+BPF_HASH(start, struct request *);
+BPF_HISTOGRAM(dist);
+
+// note this program mixes R/W
+// For next step, handle req->cmd_flags and prepare hist hash per op.
+
+void trace_start(struct pt_regs *ctx, struct request *req) {
+  // stash start timestamp by request ptr
+  u64 ts = bpf_ktime_get_ns();
+
+  start.update(&req, &ts);
+}
+
+void trace_completion(struct pt_regs *ctx, struct request *req) {
+  u64 *tsp, delta;
+
+  tsp = start.lookup(&req);
+  if (tsp != 0) {
+    delta = bpf_ktime_get_ns() - *tsp;
+    dist.increment(bpf_log2l(delta / 1000)); // us
+    start.delete(&req);
+  }
+}
+BPF
+
+b.attach_kprobe(event: "blk_start_request", fn_name: "trace_start") if BCC.get_kprobe_functions('blk_start_request')
+b.attach_kprobe(event: "blk_mq_start_request", fn_name: "trace_start")
+b.attach_kprobe(event: "blk_account_io_completion", fn_name: "trace_completion")
+
+# header
+puts("Tracing... Hit Ctrl-C to end.")
+
+# trace until Ctrl-C
+begin
+  loop { sleep 0.1 }
+rescue Interrupt
+  puts
+end
+
+# output
+b["dist"].print_log2_hist("usec")

data/docs/answers/11-vfsreadlat.c

@@ -0,0 +1,46 @@
+/*
+ * From: https://github.com/iovisor/bcc/blob/master/examples/tracing/vfsreadlat.c
+ *
+ * vfsreadlat.c		VFS read latency distribution.
+ *			For Linux, uses BCC, eBPF. See .py/.rb file.
+ *
+ * Copyright (c) 2013-2015 PLUMgrid, http://plumgrid.com
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ *
+ * 15-Aug-2015	Brendan Gregg	Created this.
+ */
+
+#include <uapi/linux/ptrace.h>
+
+BPF_HASH(start, u32);
+BPF_HISTOGRAM(dist);
+
+int do_entry(struct pt_regs *ctx)
+{
+  u32 pid;
+  u64 ts, *val;
+
+  pid = bpf_get_current_pid_tgid();
+  ts = bpf_ktime_get_ns();
+  start.update(&pid, &ts);
+  return 0;
+}
+
+int do_return(struct pt_regs *ctx)
+{
+  u32 pid;
+  u64 *tsp, delta;
+
+  pid = bpf_get_current_pid_tgid();
+  tsp = start.lookup(&pid);
+
+  if (tsp != 0) {
+    delta = bpf_ktime_get_ns() - *tsp;
+    dist.increment(bpf_log2l(delta / 1000));
+    start.delete(&pid);
+  }
+
+  return 0;
+}

data/docs/answers/11-vfsreadlat.rb

@@ -0,0 +1,66 @@
+#!/usr/bin/env ruby
+#
+# Original: from vfsreadlat.py
+# Copyright (c) 2015 Brendan Gregg.
+# Licensed under the Apache License, Version 2.0 (the "License")
+# Ruby version follows.
+#
+# vfsreadlat.rb		VFS read latency distribution.
+#			For Linux, uses BCC, eBPF. See .c file.
+#
+# Written as a basic example of a function latency distribution histogram.
+#
+# USAGE: vfsreadlat.rb [interval [count]]
+#
+# The default interval is 5 seconds. A Ctrl-C will print the partially
+# gathered histogram then exit.
+
+require "rbbcc"
+include RbBCC
+
+def usage
+  puts("USAGE: %s [interval [count]]" % $0)
+  exit
+end
+
+# arguments
+interval = 5
+count = -1
+if ARGV.size > 0
+  begin
+    interval = ARGV[0].to_i
+    raise if interval == 0
+    count = ARGV[1].to_i if ARGV[1]
+  rescue	=> e # also catches -h, --help
+    usage()
+  end
+end
+
+# load BPF program
+b = BCC.new(src_file: "11-vfsreadlat.c")
+b.attach_kprobe(event: "vfs_read", fn_name: "do_entry")
+b.attach_kretprobe(event: "vfs_read", fn_name: "do_return")
+
+# header
+print("Tracing... Hit Ctrl-C to end.")
+
+# output
+cycle = 0
+do_exit = false
+loop do
+  if count > 0
+    cycle += 1
+    exit if cycle > count
+  end
+
+  begin
+    sleep(interval)
+  rescue Interrupt
+    do_exit = true
+  end
+
+  puts
+  b["dist"].print_log2_hist("usecs")
+  b["dist"].clear
+  exit if do_exit
+end

data/docs/answers/12-urandomread.rb

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+#
+# urandomread.rb Example of instrumenting a kernel tracepoint.
+#                For Linux, uses BCC, BPF. Embedded C.
+#
+# REQUIRES: Linux 4.7+ (BPF_PROG_TYPE_TRACEPOINT support).
+#
+# Test by running this, then in another shell, run:
+#     dd if=/dev/urandom of=/dev/null bs=1k count=5
+#
+# Original urandomread.py Copyright 2016 Netflix, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License")
+# Ruby version follows.
+
+require 'rbbcc'
+include RbBCC
+
+b = BCC.new(text: <<BPF)
+TRACEPOINT_PROBE(random, urandom_read) {
+    // args is from /sys/kernel/debug/tracing/events/random/urandom_read/format
+    bpf_trace_printk("%d\\n", args->got_bits);
+    return 0;
+}
+BPF
+
+# header
+puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "GOTBITS"])
+
+# format output
+loop do
+  begin
+    b.trace_fields do |task, pid, cpu, flags, ts, msg|
+      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
+    end
+  rescue Interrupt
+    exit
+  end
+end

data/docs/answers/13-disksnoop_fixed.rb

@@ -0,0 +1,108 @@
+#!/usr/bin/env ruby
+#
+# disksnoop_fixed.rb	Trace block device I/O: basic version of iosnoop.
+#		For Linux, uses BCC, eBPF. Embedded C.
+# This is ported from original disksnoop.py
+#
+# Written as a basic example of tracing latency.
+#
+# Licensed under the Apache License, Version 2.0 (the "License")
+#
+# 11-Aug-2015	Brendan Gregg	Created disksnoop.py
+
+=begin
+name: block_rq_issue
+ID: 1093
+format:
+        field:unsigned short common_type;       offset:0;       size:2; signed:0;
+        field:unsigned char common_flags;       offset:2;       size:1; signed:0;
+        field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
+        field:int common_pid;   offset:4;       size:4; signed:1;
+
+        field:dev_t dev;        offset:8;       size:4; signed:0;
+        field:sector_t sector;  offset:16;      size:8; signed:0;
+        field:unsigned int nr_sector;   offset:24;      size:4; signed:0;
+        field:unsigned int bytes;       offset:28;      size:4; signed:0;
+        field:char rwbs[8];     offset:32;      size:8; signed:1;
+        field:char comm[16];    offset:40;      size:16;        signed:1;
+        field:__data_loc char[] cmd;    offset:56;      size:4; signed:1;
+
+print fmt: "%d,%d %s %u (%s) %llu + %u [%s]", ((unsigned int) ((REC->dev) >> 20)), ((unsigned int) ((REC->dev) & ((1U << 20) - 1))), REC->rwbs, REC->bytes, __get_str(cmd), (unsigned long long)REC->sector, REC->nr_sector, REC->comm
+
+name: block_rq_complete
+ID: 1095
+format:
+        field:unsigned short common_type;       offset:0;       size:2; signed:0;
+        field:unsigned char common_flags;       offset:2;       size:1; signed:0;
+        field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
+        field:int common_pid;   offset:4;       size:4; signed:1;
+
+        field:dev_t dev;        offset:8;       size:4; signed:0;
+        field:sector_t sector;  offset:16;      size:8; signed:0;
+        field:unsigned int nr_sector;   offset:24;      size:4; signed:0;
+        field:int error;        offset:28;      size:4; signed:1;
+        field:char rwbs[8];     offset:32;      size:8; signed:1;
+        field:__data_loc char[] cmd;    offset:40;      size:4; signed:1;
+
+print fmt: "%d,%d %s (%s) %llu + %u [%d]", ((unsigned int) ((REC->dev) >> 20)), ((unsigned int) ((REC->dev) & ((1U << 20) - 1))), REC->rwbs, __get_str(cmd), (unsigned long long)REC->sector, REC->nr_sector, REC->error
+
+in kernel 5.0.
+This implementation shows the count of sector.
+=end
+
+require 'rbbcc'
+include RbBCC
+
+# load BPF program
+b = BCC.new(text: <<CLANG)
+#include <uapi/linux/ptrace.h>
+#include <linux/blkdev.h>
+
+BPF_HASH(start, u32);
+
+TRACEPOINT_PROBE(block, block_rq_issue) {
+  // stash start timestamp by request ptr
+  u64 ts = bpf_ktime_get_ns();
+  u32 tid = bpf_get_current_pid_tgid();
+
+  start.update(&tid, &ts);
+  return 0;
+}
+
+TRACEPOINT_PROBE(block, block_rq_complete) {
+  u64 *tsp, delta;
+  u32 tid = bpf_get_current_pid_tgid();
+
+  tsp = start.lookup(&tid);
+  if (tsp != 0) {
+    char dst[8];
+    int i;
+    delta = bpf_ktime_get_ns() - *tsp;
+    if (bpf_probe_read_str(dst, sizeof(dst), args->rwbs) < 0) {
+      dst[0] = '?';
+      for(i = 1; i < sizeof(dst); ++i)
+        dst[i] = 0;
+    }
+    bpf_trace_printk("%d %s %d\\n", args->nr_sector,
+        dst, delta / 1000);
+    start.delete(&tid);
+  }
+  return 0;
+}
+CLANG
+
+# header
+puts("%-18s %-8s %-7s %8s" % ["TIME(s)", "RWBS", "SECTORS", "LAT(ms)"])
+
+# format output
+loop do
+  begin
+    task, pid, cpu, flags, ts, msg = b.trace_fields
+    sector_s, rwbs, us_s = msg.split
+    ms = us_s.to_i.to_f / 1000
+
+    puts("%-18.9f %-8s %-7s %8.2f" % [ts, rwbs, sector_s, ms])
+  rescue Interrupt
+    exit
+  end
+end

data/docs/answers/14-strlen_count.rb

@@ -0,0 +1,46 @@
+require 'rbbcc'
+include RbBCC
+
+# load BPF program
+b = BCC.new(text: <<BPF)
+#include <uapi/linux/ptrace.h>
+
+struct key_t {
+    char c[80];
+};
+BPF_HASH(counts, struct key_t);
+
+int count(struct pt_regs *ctx) {
+    if (!PT_REGS_PARM1(ctx))
+        return 0;
+
+    struct key_t key = {};
+    u64 zero = 0, *val;
+
+    bpf_probe_read(&key.c, sizeof(key.c), (void *)PT_REGS_PARM1(ctx));
+    // could also use `counts.increment(key)`
+    val = counts.lookup_or_try_init(&key, &zero);
+    if (val) {
+      (*val)++;
+    }
+    return 0;
+};
+BPF
+b.attach_uprobe(name: "c", sym: "strlen", fn_name: "count")
+
+# header
+print("Tracing strlen()... Hit Ctrl-C to end.")
+
+# sleep until Ctrl-C
+begin
+  sleep(99999999)
+rescue Interrupt
+  puts
+end
+
+# print output
+puts("%10s %s" % ["COUNT", "STRING"])
+counts = b.get_table("counts")
+counts.items.sort_by{|k, v| v.to_bcc_value }.each do |k, v|
+  puts("%10d %s" % [v.to_bcc_value, k[0, k.size].unpack("Z*")[0]])
+end

data/docs/answers/15-nodejs_http_server.rb

@@ -0,0 +1,44 @@
+require 'rbbcc'
+include RbBCC
+
+if ARGV.size != 1
+  print("USAGE: #{$0} PID")
+  exit()
+end
+pid = ARGV[0]
+debug = !!ENV['DEBUG']
+
+# load BPF program
+bpf_text = <<BPF
+#include <uapi/linux/ptrace.h>
+int do_trace(struct pt_regs *ctx) {
+    uint64_t addr;
+    char path[128]={0};
+    bpf_usdt_readarg(6, ctx, &addr);
+    bpf_probe_read(&path, sizeof(path), (void *)addr);
+    bpf_trace_printk("path:%s\\n", path);
+    return 0;
+};
+BPF
+
+# enable USDT probe from given PID
+u = USDT.new(pid: pid.to_i)
+u.enable_probe(probe: "http__server__request", fn_name: "do_trace")
+if debug
+  puts(u.get_text)
+  puts(bpf_text)
+end
+
+# initialize BPF
+b = BCC.new(text: bpf_text, usdt_contexts: [u])
+
+puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "ARGS"])
+loop do
+  begin
+    b.trace_fields do |task, pid, cpu, flags, ts, msg|
+      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
+    end
+  rescue Interrupt
+    exit
+  end
+end

data/docs/answers/16-task_switch.c

@@ -0,0 +1,23 @@
+#include <uapi/linux/ptrace.h>
+#include <linux/sched.h>
+
+struct key_t {
+    u32 prev_pid;
+    u32 curr_pid;
+};
+
+BPF_HASH(stats, struct key_t, u64, 1024);
+int count_sched(struct pt_regs *ctx, struct task_struct *prev) {
+    struct key_t key = {};
+    u64 zero = 0, *val;
+
+    key.curr_pid = bpf_get_current_pid_tgid();
+    key.prev_pid = prev->pid;
+
+    // could also use `stats.increment(key);`
+    val = stats.lookup_or_try_init(&key, &zero);
+    if (val) {
+      (*val)++;
+    }
+    return 0;
+}