rbbcc 0.4.1 → 0.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b6eda25040fa0dc56bed7b9d672af03ab3f6dbd70a4ebca3e5310331c1f9098c
-  data.tar.gz: ef43f8bd481718f9baf21e2ba79c2a3d35b18d2767fc9572d436338244e83731
+  metadata.gz: fb13ef05006088db3a3d16fdf3b5f444cd36a51c1d88278d5ddcb3ccb9e69663
+  data.tar.gz: 9cded3bc218135ef79af4376a8973dedad2e3614ab5c93f49850799842c0e5c2
 SHA512:
-  metadata.gz: f9e19d1eb21813f2aef023ca6bb8c71e51052bf1dfe6b66013e4918129b8f538390098fca5f60f50fbba305482e2f23c2d378ca2f8b7422dc34c31e2d70bf8c3
-  data.tar.gz: 4f506d2a3350304fcad7de75d02b832c11a204588540ca8d210322fa7aef677587b855f2fa64fbeba3a63ba5a35c6a50f480b6d8095f6b081d4e12d383eca0b5
+  metadata.gz: a05af6a130f05942ce7f9901afc8d65434b7b5851483522f875ef3a9d75d1bcb30cafb1b8ce972feea2b273329e736182740d1cc99e561139d82fd1cccd297c4
+  data.tar.gz: '0938ed389aa2b4159618c2c79ebd841e9c74160a8b40877b54075dff9590713f6ccc1d67c27593c13bd0e1bf9fe57d4296eb1a7d58e7f357526de7144e0b8ba4'

data/.semaphore/semaphore.yml

@@ -10,10 +10,12 @@ blocks:
       jobs:
         - name: ruby test
           matrix:
+            - env_var: RUBY_VERSION
+              values: [ "2.6.5", "2.6.6", "2.7.1" ]
             - env_var: LIBBCC_VERSION
               values: [ "0.12.0", "0.11.0", "0.10.0" ]
           commands:
             - sem-version c 7
-            - sem-version ruby 2.6.5
+            - sem-version ruby $RUBY_VERSION
             - checkout
             - ./semaphore.sh

data/Gemfile

@@ -2,3 +2,8 @@ source "https://rubygems.org"
 
 # Specify your gem's dependencies in rbbcc.gemspec
 gemspec
+
+gem "bundler", "~> 2.0"
+gem "rake", "~> 13.0"
+gem "pry", "~> 0.12"
+gem "minitest", ">= 5"

data/Gemfile.lock

@@ -1,17 +1,17 @@
 PATH
   remote: .
   specs:
-    rbbcc (0.4.0)
+    rbbcc (0.6.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    coderay (1.1.2)
-    method_source (0.9.2)
-    minitest (5.14.0)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
+    coderay (1.1.3)
+    method_source (1.0.0)
+    minitest (5.14.2)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
     rake (13.0.1)
 
 PLATFORMS
@@ -19,10 +19,10 @@ PLATFORMS
 
 DEPENDENCIES
   bundler (~> 2.0)
-  minitest
-  pry
+  minitest (>= 5)
+  pry (~> 0.12)
   rake (~> 13.0)
   rbbcc!
 
 BUNDLED WITH
-   2.1.0
+   2.1.4

data/docs/answers/14-strlen_count.rb

@@ -42,5 +42,5 @@ end
 puts("%10s %s" % ["COUNT", "STRING"])
 counts = b.get_table("counts")
 counts.items.sort_by{|k, v| v.to_bcc_value }.each do |k, v|
-  puts("%10d %s" % [v.to_bcc_value, k[0, k.size].unpack("Z*")[0]])
+  puts("%10d %s" % [v.to_bcc_value, k.to_bcc_value.c])
 end

data/examples/collectsyscall.rb

@@ -0,0 +1,155 @@
+#!/usr/bin/env ruby
+#
+# Example to use complecated structure in BPF Map key:
+# This program collects and shows raw syscall usage summary.
+#
+# Usage:
+#     bundle exec ruby examples/collectsyscall.rb
+#
+# Output example:
+#     Collecting syscalls...
+#     ^C
+#     PID=1098(maybe: gmain) --->
+#       inotify_add_watch      4    0.019 ms
+#       poll                   1    0.000 ms
+#
+#     PID=1114(maybe: dbus-daemon) --->
+#       stat                  12    0.021 ms
+#       openat                 3    0.015 ms
+#       getdents               2    0.013 ms
+#       recvmsg                2    0.006 ms
+#       sendmsg                1    0.008 ms
+#       close                  1    0.002 ms
+#       fstat                  1    0.002 ms
+#       epoll_wait             1    0.000 ms
+#
+#     PID=1175(maybe: memcached) --->
+#       epoll_wait             3 2012.455 ms
+#
+#     PID=1213(maybe: redis-server) --->
+#       read                  64    0.736 ms
+#       epoll_wait            32 3782.098 ms
+#       openat                32    1.149 ms
+#       getpid                32    0.074 ms
+#       close                 32    0.045 ms
+#     ....
+
+require 'rbbcc'
+include RbBCC
+
+$pid = nil
+
+if ARGV.size == 2 &&
+   ARGV[0] == '-p'
+  $pid = ARGV[1].to_i
+elsif ARGV[0] == '-h' ||
+      ARGV[0] == '--help'
+  $stderr.puts "Usage: #{$0} [-p PID]"
+  exit 1
+end
+
+SYSCALL_MAP = `ausyscall --dump`
+                .lines
+                .map{|l| l.chomp.split }
+                .each_with_object(Hash.new) {|(k, v), ha| ha[k.to_i] = v }
+
+# if no ausyscall(8) then shows number itself
+# it is included in auditd package (e.g. Ubuntu)
+def to_name(nr)
+  SYSCALL_MAP[nr] || nr.to_s
+end
+
+prog = <<BPF
+#include <uapi/linux/ptrace.h>
+
+struct key_t {
+  u32 pid;
+  u64 syscall_nr;
+};
+struct leaf_t{
+  u64 count;
+  u64 elapsed_ns;
+  u64 enter_ns;
+  char comm[16];
+};
+BPF_HASH(store, struct key_t, struct leaf_t);
+
+TRACEPOINT_PROBE(raw_syscalls, sys_enter) {
+    struct key_t key = {0};
+    struct leaf_t initial = {0}, *val_;
+
+    key.pid = bpf_get_current_pid_tgid();
+    key.syscall_nr = args->id;
+
+    DO_FILTER_BY_PID
+
+    val_ = store.lookup_or_try_init(&key, &initial);
+    if (val_) {
+      struct leaf_t val = *val_;
+      val.count++;
+      val.enter_ns = bpf_ktime_get_ns();
+      bpf_get_current_comm(&val.comm, sizeof(val.comm));
+      store.update(&key, &val);
+    }
+    return 0;
+}
+
+TRACEPOINT_PROBE(raw_syscalls, sys_exit) {
+    struct key_t key = {0};
+    struct leaf_t *val_;
+
+    key.pid = bpf_get_current_pid_tgid();
+    key.syscall_nr = args->id;
+
+    val_ = store.lookup(&key);
+    if (val_) {
+      struct leaf_t val = *val_;
+      u64 delta = bpf_ktime_get_ns() - val.enter_ns;
+      val.enter_ns = 0;
+      val.elapsed_ns += delta;
+      store.update(&key, &val);
+    }
+    return 0;
+}
+BPF
+
+if $pid
+  prog.sub!('DO_FILTER_BY_PID', <<~FILTER)
+    if (key.pid != #{$pid}) return 0;
+  FILTER
+else
+  prog.sub!('DO_FILTER_BY_PID', '')
+end
+
+b = BCC.new(text: prog)
+
+puts "Collecting syscalls..."
+begin
+  sleep(99999999)
+rescue Interrupt
+  puts
+end
+
+info_by_pids = {}
+comms = {}
+store = b.get_table("store")
+store.items.each do |k, v|
+  # require 'pry'; binding.pry
+  info_by_pids[k.pid] ||= {}
+  info_by_pids[k.pid][k.syscall_nr] = {
+    name: to_name(k.syscall_nr),
+    count: v.count,
+    elapsed_ms: v.elapsed_ns / 1000000.0
+  }
+  comms[k.pid] ||= v.comm
+end
+
+pids = info_by_pids.keys.sort
+pids.each do |pid|
+  puts "PID=#{pid}(maybe: #{comms[pid]}) --->"
+  i = info_by_pids[pid]
+  i.to_a.sort_by {|k, v| [-v[:count], -v[:elapsed_ms]] }.each do |nr, record|
+    puts "\t%<name>-20s %<count>3d %<elapsed_ms>8.3f ms" % record
+  end
+  puts
+end

data/examples/ruby_usdt.rb

@@ -0,0 +1,105 @@
+#!/usr/bin/env ruby
+# To run this example, please build the target ruby with an `--enable-dtrace` option in advance.
+# To build via rbenv, sample command is:
+#     $ RUBY_CONFIGURE_OPTS='--enable-dtrace' rbenv install 2.7.0
+#
+# Example autput:
+#     # bundle exec ruby examples/ruby_usdt.rb $(pidof irb)
+#     TIME(s)            COMM   KLASS                    PATH
+#     0.000000000        irb    Struct::Key              /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline.rb
+#     0.000055206        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.000088588        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000117740        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000126697        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000213388        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.000225678        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000243638        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.000254680        irb    Range                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/ruby-lex.rb
+#     0.000264707        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000275579        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000282438        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000326136        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb.rb
+#     0.001353621        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.001385320        irb    IRB::Color::SymbolState  /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/color.rb
+#     0.001397043        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/color.rb
+#     0.001416420        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001423861        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001462010        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001478995        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.001487499        irb    Range                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/ruby-lex.rb
+#     0.001496666        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001508224        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001515143        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001556170        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb.rb
+#     0.001726273        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.001946948        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.001956585        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline.rb
+
+require 'rbbcc'
+include RbBCC
+
+pid = ARGV[0] || begin
+  puts("USAGE: #{$0} PID")
+  exit()
+end
+debug = !!ENV['DEBUG']
+
+bpf_text = <<BPF
+#include <uapi/linux/ptrace.h>
+#include <linux/sched.h>
+
+struct data_t {
+    u64 ts;
+    char comm[TASK_COMM_LEN];
+    char klass[64];
+    char path[256];
+};
+BPF_PERF_OUTPUT(events);
+
+int do_trace_create_object(struct pt_regs *ctx) {
+    struct data_t data = {};
+    uint64_t addr, addr2;
+
+    data.ts = bpf_ktime_get_ns();
+
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+    bpf_usdt_readarg_p(1, ctx, &data.klass, sizeof(data.klass));
+    bpf_usdt_readarg_p(2, ctx, &data.path, sizeof(data.path));
+
+    events.perf_submit(ctx, &data, sizeof(data));
+
+    return 0;
+};
+BPF
+
+u = USDT.new(pid: pid.to_i)
+u.enable_probe(probe: "object__create", fn_name: "do_trace_create_object")
+if debug
+  puts(u.get_text)
+  puts(bpf_text)
+end
+
+# initialize BPF
+b = BCC.new(text: bpf_text, usdt_contexts: [u])
+
+puts("%-18s %-6s %-24s %s" % ["TIME(s)", "COMM", "KLASS", "PATH"])
+
+# process event
+start = 0
+b["events"].open_perf_buffer do |cpu, data, size|
+  event = b["events"].event(data)
+  if start == 0
+    start = event.ts
+  end
+
+  time_s = ((event.ts - start).to_f) / 1000000000
+  puts(
+    "%-18.9f %-6s %-24s %s" %
+    [time_s, event.comm, event.klass, event.path]
+  )
+end
+
+Signal.trap(:INT) { puts "\nDone."; exit }
+loop do
+  b.perf_buffer_poll()
+end

data/examples/sbrk_trace.rb

@@ -0,0 +1,204 @@
+#!/usr/bin/env ruby
+# Trace example for libc's USDT:
+# - memory_sbrk_more
+# - memory_sbrk_less
+# - memory_mallopt_free_dyn_thresholds
+# Description is here: https://www.gnu.org/software/libc/manual/html_node/Memory-Allocation-Probes.html
+#
+# Example output:
+# bundle exec ruby examples/sbrk_trace.rb -c ruby
+# !! Trace start.
+# [       0.000000000] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x55f34b979000 size=135168
+# [       0.036549804] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9760000 size=135168
+# [       0.036804183] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9781000 size=143360
+# [       0.036855378] pid=32756 comm=ruby probe=memory_sbrk_less addr=0x557fd97a0000 size=16384
+# [       0.036931376] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd97a0000 size=147456
+# [       0.036940382] pid=32756 comm=ruby probe=memory_sbrk_less addr=0x557fd97c0000 size=16384
+# [       0.037022971] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd97c0000 size=151552
+# [       0.038602464] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd97e5000 size=204800
+# [       0.039398297] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9817000 size=135168
+# [       0.039909594] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9838000 size=135168
+# [       0.040536005] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9859000 size=163840
+# ...
+
+require 'rbbcc'
+include RbBCC
+
+def usage
+  puts("USAGE: #{$0} [-p PID|-c COMM]")
+  exit()
+end
+
+def find_libc_location
+  if File.exist?('/lib/x86_64-linux-gnu/libc.so.6')
+    '/lib/x86_64-linux-gnu/libc.so.6'
+  else
+    `find /lib -name 'libc.so*' | grep -v musl | head -1`.chomp
+  end
+end
+
+usage if ARGV.size != 0 && ARGV.size != 2
+
+pid = comm = nil
+path = find_libc_location
+case ARGV[0]
+when '-p', '--pid'
+  pid = ARGV[1].to_i
+when '-c', '--comm'
+  comm = ARGV[1]
+when nil
+  # nop
+else
+  usage
+end
+
+debug = !!ENV['DEBUG']
+
+bpf_text = <<BPF
+#include <uapi/linux/ptrace.h>
+#include <linux/sched.h>
+
+struct data_t {
+    u32 type;
+    u64 ts;
+    u32 pid;
+    char comm[TASK_COMM_LEN];
+    u64 addr;
+    u32 sbrk_size;
+    u32 adjusted_mmap;
+    u32 trim_thresholds;
+};
+BPF_PERF_OUTPUT(events);
+
+static inline bool streq(uintptr_t str) {
+    char needle[] = "{{NEEDLE}}";
+    char haystack[sizeof(needle)];
+    bpf_probe_read(&haystack, sizeof(haystack), (void *)str);
+    for (int i = 0; i < sizeof(needle) - 1; ++i) {
+        if (needle[i] != haystack[i]) {
+            return false;
+        }
+    }
+    return true;
+}
+
+#define PROBE_TYPE_more 1
+#define PROBE_TYPE_less 2
+#define PROBE_TYPE_free 3
+
+{{FUNC_MORE}}
+
+{{FUNC_LESS}}
+
+int trace_memory_free(struct pt_regs *ctx) {
+    struct data_t data = {};
+    long buf;
+
+    data.type = PROBE_TYPE_free;
+    data.ts = bpf_ktime_get_ns();
+    data.pid = bpf_get_current_pid_tgid();
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+    {{NEEDLE_START}}
+    bpf_usdt_readarg(1, ctx, &buf);
+    data.adjusted_mmap = buf;
+
+    bpf_usdt_readarg(2, ctx, &buf);
+    data.trim_thresholds = buf;
+
+    events.perf_submit(ctx, &data, sizeof(data));
+    {{NEEDLE_END}}
+
+    return 0;
+};
+
+BPF
+
+trace_fun_sbrk = <<FUNC
+int trace_memory_sbrk_{{TYPE}}(struct pt_regs *ctx) {
+    struct data_t data = {};
+    long buf;
+
+    data.type = PROBE_TYPE_{{TYPE}};
+    data.ts = bpf_ktime_get_ns();
+    data.pid = bpf_get_current_pid_tgid();
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+    {{NEEDLE_START}}
+    bpf_usdt_readarg(1, ctx, &buf);
+    data.addr = buf;
+
+    bpf_usdt_readarg(2, ctx, &buf);
+    data.sbrk_size = buf;
+
+    events.perf_submit(ctx, &data, sizeof(data));
+    {{NEEDLE_END}}
+
+    return 0;
+};
+FUNC
+
+PROBE_TYPE_more = 1
+PROBE_TYPE_less = 2
+PROBE_TYPE_free = 3
+PROBE_MAP = {
+  PROBE_TYPE_more => 'memory_sbrk_more',
+  PROBE_TYPE_less => 'memory_sbrk_less',
+  PROBE_TYPE_free => 'memory_mallopt_free_dyn_thresholds'
+}
+
+bpf_text.sub!('{{FUNC_MORE}}', trace_fun_sbrk.gsub('{{TYPE}}', 'more'))
+bpf_text.sub!('{{FUNC_LESS}}', trace_fun_sbrk.gsub('{{TYPE}}', 'less'))
+
+if comm
+  bpf_text.sub!('{{NEEDLE}}', comm)
+  bpf_text.gsub!('{{NEEDLE_START}}', "if(streq((uintptr_t)data.comm)) {")
+  bpf_text.gsub!('{{NEEDLE_END}}', "}")
+else
+  bpf_text.sub!('{{NEEDLE}}', "")
+  bpf_text.gsub!('{{NEEDLE_START}}', "")
+  bpf_text.gsub!('{{NEEDLE_END}}', "")
+end
+
+u = USDT.new(pid: pid, path: path)
+u.enable_probe(probe: "memory_sbrk_more", fn_name: "trace_memory_sbrk_more")
+u.enable_probe(probe: "memory_sbrk_less", fn_name: "trace_memory_sbrk_less")
+if pid
+  # FIXME: Only available when PID is specified
+  # otherwise got an error:
+  #     bpf: Failed to load program: Invalid argument
+  #     last insn is not an exit or jmp
+  # It seems libbcc won't generate proper readarg helper
+  u.enable_probe(probe: "memory_mallopt_free_dyn_thresholds", fn_name: "trace_memory_free")
+end
+
+# initialize BPF
+b = BCC.new(text: bpf_text, usdt_contexts: [u])
+
+puts "!! Trace start."
+# process event
+start = 0
+b["events"].open_perf_buffer do |cpu, data, size|
+  event = b["events"].event(data)
+  if start == 0
+    start = event.ts
+  end
+
+  time_s = ((event.ts - start).to_f) / 1000000000
+  if [PROBE_TYPE_more, PROBE_TYPE_less].include?(event.type)
+    puts(
+      "[%18.9f] pid=%d comm=%s probe=%s addr=%#x size=%d" %
+      [time_s, event.pid, event.comm, PROBE_MAP[event.type], event.addr, event.sbrk_size]
+    )
+  else
+    puts(
+      "[%18.9f] pid=%d comm=%s probe=%s adjusted_mmap=%d trim_thresholds=%d" %
+      [time_s, event.pid, event.comm, PROBE_MAP[event.type], event.adjusted_mmap, event.trim_thresholds]
+    )
+  end
+end
+
+Signal.trap(:INT) { puts "\n!! Done."; exit }
+loop do
+  b.perf_buffer_poll()
+end

data/examples/tools/bashreadline.rb

@@ -0,0 +1,83 @@
+#!/usr/bin/env ruby
+#
+# bashreadline  Print entered bash commands from all running shells.
+#               For Linux, uses BCC, eBPF. Embedded C.
+#
+# USAGE: bashreadline [-s SHARED]
+# This works by tracing the readline() function using a uretprobe (uprobes).
+# When you failed to run the script directly with error:
+# `Exception: could not determine address of symbol b'readline'`,
+# you may need specify the location of libreadline.so library
+# with `-s` option.
+#
+# Original bashreadline.py:
+# Copyright 2016 Netflix, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License")
+# And Ruby version follows.
+#
+# 28-Jan-2016    Brendan Gregg   Created bashreadline.py.
+# 12-Feb-2016    Allan McAleavy migrated to BPF_PERF_OUTPUT
+# 05-Jun-2020    Uchio Kondo     Ported bashreadline.rb
+
+require 'rbbcc'
+require 'optparse'
+include RbBCC
+
+args = {}
+opts = OptionParser.new
+opts.on("-s", "--shared=LIBREADLINE_PATH"){|v| args[:shared] = v }
+opts.parse!(ARGV)
+
+name = args[:shared] || "/bin/bash"
+
+# load BPF program
+bpf_text = <<BPF
+#include <uapi/linux/ptrace.h>
+#include <linux/sched.h>
+
+struct str_t {
+    u64 pid;
+    char str[80];
+};
+
+BPF_PERF_OUTPUT(events);
+
+int printret(struct pt_regs *ctx) {
+    struct str_t data  = {};
+    char comm[TASK_COMM_LEN] = {};
+    u32 pid;
+    if (!PT_REGS_RC(ctx))
+        return 0;
+    pid = bpf_get_current_pid_tgid();
+    data.pid = pid;
+    bpf_probe_read(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
+
+    bpf_get_current_comm(&comm, sizeof(comm));
+    if (comm[0] == 'b' && comm[1] == 'a' && comm[2] == 's' && comm[3] == 'h' && comm[4] == 0 ) {
+        events.perf_submit(ctx,&data,sizeof(data));
+    }
+
+
+    return 0;
+};
+BPF
+
+b = BCC.new(text: bpf_text)
+b.attach_uretprobe(name: name, sym: "readline", fn_name: "printret")
+
+# header
+puts("%-9s %-6s %s" % ["TIME", "PID", "COMMAND"])
+
+b["events"].open_perf_buffer do |cpu, data, size|
+  event = b["events"].event(data)
+  puts("%-9s %-6d %s" % [
+         Time.now.strftime("%H:%M:%S"),
+         event.pid,
+         event.str
+       ])
+end
+
+trap(:INT) { puts; exit }
+loop do
+  b.perf_buffer_poll
+end

data/exe/rbbcc

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+
+binpath = File.readlink "/proc/self/exe"
+exec binpath, *ARGV

data/lib/rbbcc/bcc.rb

@@ -1,6 +1,7 @@
 require 'rbbcc/consts'
 require 'rbbcc/table'
 require 'rbbcc/symbol_cache'
+require 'rbbcc/debug'
 
 module RbBCC
   SYSCALL_PREFIXES = [
@@ -120,7 +121,6 @@ module RbBCC
 
       def decode_table_type(desc)
         return desc if desc.is_a?(String)
-
         anon = []
         fields = []
         # e.g. ["bpf_stacktrace", [["ip", "unsigned long long", [127]]], "struct_packed"]
@@ -152,11 +152,37 @@ module RbBCC
             raise("Failed to decode type #{field.inspect}")
           end
         end
+        c = nil
         if data_type == "union"
-          return Fiddle::Importer.union(fields)
+          c = Fiddle::Importer.union(fields)
         else
-          return Fiddle::Importer.struct(fields)
+          c = Fiddle::Importer.struct(fields)
+        end
+
+        fields.each do |field|
+          md = /^char\[(\d+)\] ([_a-zA-Z0-9]+)/.match(field)
+          if md
+            c.alias_method "__super_#{md[2]}", md[2]
+            c.define_method md[2] do
+              # Split the char[] in the place where the first \0 appears
+              raw = __send__("__super_#{md[2]}")
+              raw = raw[0...raw.index(0)] if raw.index(0)
+              raw.pack("c*")
+            end
+          end
         end
+
+        c.define_singleton_method :original_desc do
+          desc
+        end
+        c.define_singleton_method :fields do
+          fields
+        end
+        orig_name = c.inspect
+        c.define_singleton_method :inspect do
+          orig_name.sub /(?=>$)/, " original_desc=#{desc.inspect}" rescue super
+        end
+        c
       end
 
       def sym(addr, pid, show_module: false, show_offset: false, demangle: true)
@@ -217,11 +243,18 @@ module RbBCC
           text = code + text
         end
 
+
+        cflags_safe = if cflags.empty? or !cflags[-1].nil?
+                        cflags + [nil]
+                      else
+                        cflags
+                      end
+
         @module = Clib.bpf_module_create_c_from_string(
           text,
           debug,
-          cflags.pack('p*'),
-          cflags.size,
+          cflags_safe.pack("p*"),
+          cflags_safe.size,
           allow_rlimit
         )
       end
@@ -282,7 +315,7 @@ module RbBCC
       if fd < 0
         raise SystemCallError.new("Failed to attach BPF program #{fn_name} to tracepoint #{tp}", Fiddle.last_error)
       end
-      puts "Attach: #{tp}"
+      Util.debug "Attach: #{tp}"
       @tracepoint_fds[tp] = fd
       self
     end
@@ -297,7 +330,7 @@ module RbBCC
       if fd < 0
         raise SystemCallError.new("Failed to attach BPF program #{fn_name} to raw tracepoint #{tp}", Fiddle.last_error)
       end
-      puts "Attach: #{tp}"
+      Util.debug "Attach: #{tp}"
       @raw_tracepoint_fds[tp] = fd
       self
     end
@@ -309,7 +342,7 @@ module RbBCC
       if fd < 0
         raise SystemCallError.new("Failed to attach BPF program #{fn_name} to kprobe #{event}", Fiddle.last_error)
       end
-      puts "Attach: #{ev_name}"
+      Util.debug "Attach: #{ev_name}"
       @kprobe_fds[ev_name] = fd
       [ev_name, fd]
     end
@@ -322,7 +355,7 @@ module RbBCC
       if fd < 0
         raise SystemCallError.new("Failed to attach BPF program #{fn_name} to kretprobe #{event}", Fiddle.last_error)
       end
-      puts "Attach: #{ev_name}"
+      Util.debug "Attach: #{ev_name}"
       @kprobe_fds[ev_name] = fd
       [ev_name, fd]
     end
@@ -336,7 +369,7 @@ module RbBCC
       if fd < 0
         raise SystemCallError.new(Fiddle.last_error)
       end
-      puts "Attach: #{ev_name}"
+      Util.debug "Attach: #{ev_name}"
 
       @uprobe_fds[ev_name] = fd
       [ev_name, fd]
@@ -351,7 +384,7 @@ module RbBCC
       if fd < 0
         raise SystemCallError.new(Fiddle.last_error)
       end
-      puts "Attach: #{ev_name}"
+      Util.debug "Attach: #{ev_name}"
 
       @uprobe_fds[ev_name] = fd
       [ev_name, fd]
@@ -552,7 +585,7 @@ module RbBCC
         else
           next
         end
-        puts "Found fnc: #{func_name}"
+        Util.debug "Found fnc: #{func_name}"
         if func_name.start_with?("kprobe__")
           fn = load_func(func_name, BPF::KPROBE)
           attach_kprobe(

data/lib/rbbcc/clib.rb

@@ -25,7 +25,7 @@ module RbBCC
     end
 
     extend Fiddle::Importer
-    targets = %w(0.12.0 0.11.0 0.10.0)
+    targets = %w(0.17.0 0.16.0 0.15.0 0.14.0 0.13.0 0.12.0 0.11.0 0.10.0)
     if default_load = ENV['LIBBCC_VERSION']
       targets.unshift(default_load)
       targets.uniq!
@@ -120,10 +120,11 @@ module RbBCC
     extern 'char * bpf_perf_event_field(void *program, const char *event, size_t i)'
 
     extern 'void * bcc_usdt_new_frompid(int, char *)'
+    extern 'void * bcc_usdt_new_frompath(char *path)'
     extern 'int bcc_usdt_enable_probe(void *, char *, char *)'
     extern 'char * bcc_usdt_genargs(void **, int)'
     extern 'void bcc_usdt_foreach_uprobe(void *, void *)'
-
+    extern 'void bcc_usdt_close(void *usdt)'
     BCCSymbol = struct([
                          "const char *name",
                          "const char *demangle_name",

data/lib/rbbcc/debug.rb

@@ -0,0 +1,17 @@
+if ENV['RBBCC_DEBUG'] || ENV['BCC_DEBUG']
+  module RbBCC
+    module Util
+      def self.debug(msg)
+        puts msg
+      end
+    end
+  end
+else
+  module RbBCC
+    module Util
+      def self.debug(msg)
+        # nop
+      end
+    end
+  end
+end

data/lib/rbbcc/fiddle_ext.rb

@@ -2,8 +2,17 @@ require 'fiddle'
 require 'fiddle/import'
 
 class Fiddle::Pointer
-  def to_bcc_value
-    case self.size
+  def bcc_value
+    @bcc_value ||= _bcc_value
+  end
+  alias to_bcc_value bcc_value
+
+  def _bcc_value
+    if self.bcc_value_type.is_a?(Class)
+      return self.bcc_value_type.new(self)
+    end
+
+    case self.bcc_size
     when Fiddle::Importer.sizeof("int")
       self[0, self.size].unpack("i!").first
     when Fiddle::Importer.sizeof("long")
@@ -12,4 +21,27 @@ class Fiddle::Pointer
       self[0, self.size].unpack("Z*").first
     end
   end
+
+  def method_missing(name, *a)
+    fields = \
+      if self.respond_to?(:bcc_value_type) && \
+         self.bcc_value_type.respond_to?(:fields)
+        self.bcc_value_type.fields.map{|v| v.split.last.to_sym }
+      else
+        nil
+      end
+    return super unless fields
+
+    if fields.include?(name) && bcc_value.respond_to?(name)
+      bcc_value.send(name)
+    else
+      super
+    end
+  end
+
+  attr_accessor :bcc_value_type
+  attr_writer   :bcc_size
+  def bcc_size
+    @bcc_size || self.size
+  end
 end

data/lib/rbbcc/table.rb

@@ -50,12 +50,13 @@ module RbBCC
     def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
       @bpf, @map_id, @map_fd, @keysize, @leafsize = \
                                         bpf, map_id, map_fd, sizeof(keytype), sizeof(leaftype)
+      @keytype = keytype
       @leaftype = leaftype
       @ttype = Clib.bpf_table_type_id(self.bpf.module, self.map_id)
       @flags = Clib.bpf_table_flags_id(self.bpf.module, self.map_id)
       @name = name
     end
-    attr_reader :bpf, :map_id, :map_fd, :keysize, :leafsize, :leaftype, :ttype, :flags, :name
+    attr_reader :bpf, :map_id, :map_fd, :keysize, :keytype, :leafsize, :leaftype, :ttype, :flags, :name
 
     def next(key)
       next_key = Fiddle::Pointer.malloc(self.keysize)
@@ -86,6 +87,7 @@ module RbBCC
       if res < 0
         nil
       end
+      leaf.bcc_value_type = leaftype
       return leaf
     end
 
@@ -93,8 +95,9 @@ module RbBCC
       self[key] || raise(KeyError, "key not found")
     end
 
-    def []=(_key, leaf)
+    def []=(_key, _leaf)
       key = normalize_key(_key)
+      leaf = normalize_leaf(_leaf)
       res = Clib.bpf_update_elem(self.map_fd, key, leaf, 0)
       if res < 0
         raise SystemCallError.new("Could not update table", Fiddle.last_error)
@@ -186,11 +189,29 @@ module RbBCC
     def normalize_key(key)
       case key
       when Fiddle::Pointer
+        key.bcc_value_type = keytype
+        key.bcc_size = keysize
         key
       when Integer
-        byref(key, keysize)
+        ret = byref(key, keysize)
+        ret.bcc_value_type = keytype
+        ret
       else
-        raise KeyError, "#{key.inspect} must be integer or pointor"
+        raise ArgumentError, "#{key.inspect} must be integer or pointor"
+      end
+    end
+
+    def normalize_leaf(leaf)
+      case leaf
+      when Fiddle::Pointer
+        leaf.bcc_value_type = leaftype
+        leaf
+      when Integer
+        ret = byref(leaf, keysize)
+        ret.bcc_value_type = leaftype
+        ret
+      else
+        raise KeyError, "#{leaf.inspect} must be integer or pointor"
       end
     end
 
@@ -202,6 +223,7 @@ module RbBCC
                  end
       ptr = Fiddle::Pointer.malloc(size)
       ptr[0, size] = [value].pack(pack_fmt)
+      ptr.bcc_size = size
       ptr
     end
   end

data/lib/rbbcc/usdt.rb

@@ -4,15 +4,21 @@ module RbBCC
   USDTProbe = Struct.new(:binpath, :fn_name, :addr, :pid)
 
   class USDT
-    # TODO path:
-    def initialize(pid:)
+    def initialize(pid: nil, path: nil)
       @pid = pid
-      @context = Clib.bcc_usdt_new_frompid(pid, nil)
+      @path = path
+      if pid
+        @context = Clib.bcc_usdt_new_frompid(pid, path)
+      elsif path
+        @context = Clib.bcc_usdt_new_frompath(path)
+      else
+        raise "Either a pid or a binary path must be specified"
+      end
       if !@context || @context.null?
         raise SystemCallError.new(Fiddle.last_error)
       end
     end
-    attr_reader :pid, :context
+    attr_reader :pid, :path, :context
 
     def enable_probe(probe:, fn_name:)
       ret = Clib.bcc_usdt_enable_probe(@context, probe, fn_name)
@@ -33,5 +39,16 @@ module RbBCC
 
       return probes
     end
+
+    private
+    def __del__
+      lambda { Clib.bcc_usdt_close(@context); Util.debug("USDT GC'ed.") }
+    end
+  end
+end
+
+at_exit do
+  ObjectSpace.each_object(RbBCC::USDT) do |o|
+    o.send(:__del__).call
   end
 end

data/lib/rbbcc/version.rb

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.4.1"
+  VERSION = "0.6.2"
 end

data/rbbcc.gemspec

@@ -7,6 +7,7 @@ Gem::Specification.new do |spec|
   spec.version       = RbBCC::VERSION
   spec.authors       = ["Uchio Kondo"]
   spec.email         = ["udzura@udzura.jp"]
+  spec.license       = "Apache-2.0"
 
   spec.summary       = %q{BCC port for MRI}
   spec.description   = %q{BCC port for MRI. See https://github.com/iovisor/bcc}
@@ -17,12 +18,7 @@ Gem::Specification.new do |spec|
   spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
-  #spec.bindir        = "exe"
-  #spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-
-  spec.add_development_dependency "bundler", "~> 2.0"
-  spec.add_development_dependency "rake", "~> 13.0"
-  spec.add_development_dependency "pry"
-  spec.add_development_dependency "minitest"
 end

metadata

@@ -1,75 +1,20 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.6.2
 platform: ruby
 authors:
 - Uchio Kondo
 autorequire: 
-bindir: bin
+bindir: exe
 cert_chain: []
-date: 2020-03-20 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+date: 2020-11-19 00:00:00.000000000 Z
+dependencies: []
 description: BCC port for MRI. See https://github.com/iovisor/bcc
 email:
 - udzura@udzura.jp
-executables: []
+executables:
+- rbbcc
 extensions: []
 extra_rdoc_files: []
 files:
@@ -112,6 +57,7 @@ files:
 - examples/charty/Gemfile
 - examples/charty/Gemfile.lock
 - examples/charty/bitehist-unicode.rb
+- examples/collectsyscall.rb
 - examples/dddos.rb
 - examples/disksnoop.rb
 - examples/example.gif
@@ -123,17 +69,22 @@ files:
 - examples/mallocstack.rb
 - examples/networking/http_filter/http-parse-simple.c
 - examples/networking/http_filter/http-parse-simple.rb
+- examples/ruby_usdt.rb
+- examples/sbrk_trace.rb
+- examples/tools/bashreadline.rb
 - examples/tools/execsnoop.rb
 - examples/tools/runqlat.rb
 - examples/urandomread-explicit.rb
 - examples/urandomread.rb
 - examples/usdt-test.rb
 - examples/usdt.rb
+- exe/rbbcc
 - lib/rbbcc.rb
 - lib/rbbcc/bcc.rb
 - lib/rbbcc/clib.rb
 - lib/rbbcc/consts.rb
 - lib/rbbcc/cpu_helper.rb
+- lib/rbbcc/debug.rb
 - lib/rbbcc/disp_helper.rb
 - lib/rbbcc/fiddle_ext.rb
 - lib/rbbcc/symbol_cache.rb
@@ -144,7 +95,8 @@ files:
 - rbbcc.gemspec
 - semaphore.sh
 homepage: https://github.com/udzura/rbbcc
-licenses: []
+licenses:
+- Apache-2.0
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -161,7 +113,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: BCC port for MRI