rbbcc 0.6.1 → 0.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ebc0f160a61c94cd58882b81c3c58ecc99dfb6317e407cec2dc762c4babc3889
-  data.tar.gz: 36aead215ae4146d841f787939432a7cdb12cb4ad7487c92dd2044b9c5123b47
+  metadata.gz: fb13ef05006088db3a3d16fdf3b5f444cd36a51c1d88278d5ddcb3ccb9e69663
+  data.tar.gz: 9cded3bc218135ef79af4376a8973dedad2e3614ab5c93f49850799842c0e5c2
 SHA512:
-  metadata.gz: 84fe74378f90debecf862251d74b356dc8dde3f1a16da540bdca0255af8b2c7037053a78e0e1abc886014ee481a0320af05eda715976a774bd79dcd7d6d15b47
-  data.tar.gz: 91f4de3770052fc2cd23406f41aaef3796facd018d4d746828532b17ccb00acb75f3b38a08920a2ec446381e16cf7642f6331410db8a05f0098fed6834e971ab
+  metadata.gz: a05af6a130f05942ce7f9901afc8d65434b7b5851483522f875ef3a9d75d1bcb30cafb1b8ce972feea2b273329e736182740d1cc99e561139d82fd1cccd297c4
+  data.tar.gz: '0938ed389aa2b4159618c2c79ebd841e9c74160a8b40877b54075dff9590713f6ccc1d67c27593c13bd0e1bf9fe57d4296eb1a7d58e7f357526de7144e0b8ba4'

data/Gemfile.lock

@@ -1,17 +1,17 @@
 PATH
   remote: .
   specs:
-    rbbcc (0.6.1)
+    rbbcc (0.6.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    coderay (1.1.2)
-    method_source (0.9.2)
-    minitest (5.14.0)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
+    coderay (1.1.3)
+    method_source (1.0.0)
+    minitest (5.14.2)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
     rake (13.0.1)
 
 PLATFORMS

data/docs/answers/14-strlen_count.rb

@@ -42,5 +42,5 @@ end
 puts("%10s %s" % ["COUNT", "STRING"])
 counts = b.get_table("counts")
 counts.items.sort_by{|k, v| v.to_bcc_value }.each do |k, v|
-  puts("%10d %s" % [v.to_bcc_value, k[0, k.size].unpack("Z*")[0]])
+  puts("%10d %s" % [v.to_bcc_value, k.to_bcc_value.c])
 end

data/examples/collectsyscall.rb

@@ -0,0 +1,155 @@
+#!/usr/bin/env ruby
+#
+# Example to use complecated structure in BPF Map key:
+# This program collects and shows raw syscall usage summary.
+#
+# Usage:
+#     bundle exec ruby examples/collectsyscall.rb
+#
+# Output example:
+#     Collecting syscalls...
+#     ^C
+#     PID=1098(maybe: gmain) --->
+#       inotify_add_watch      4    0.019 ms
+#       poll                   1    0.000 ms
+#
+#     PID=1114(maybe: dbus-daemon) --->
+#       stat                  12    0.021 ms
+#       openat                 3    0.015 ms
+#       getdents               2    0.013 ms
+#       recvmsg                2    0.006 ms
+#       sendmsg                1    0.008 ms
+#       close                  1    0.002 ms
+#       fstat                  1    0.002 ms
+#       epoll_wait             1    0.000 ms
+#
+#     PID=1175(maybe: memcached) --->
+#       epoll_wait             3 2012.455 ms
+#
+#     PID=1213(maybe: redis-server) --->
+#       read                  64    0.736 ms
+#       epoll_wait            32 3782.098 ms
+#       openat                32    1.149 ms
+#       getpid                32    0.074 ms
+#       close                 32    0.045 ms
+#     ....
+
+require 'rbbcc'
+include RbBCC
+
+$pid = nil
+
+if ARGV.size == 2 &&
+   ARGV[0] == '-p'
+  $pid = ARGV[1].to_i
+elsif ARGV[0] == '-h' ||
+      ARGV[0] == '--help'
+  $stderr.puts "Usage: #{$0} [-p PID]"
+  exit 1
+end
+
+SYSCALL_MAP = `ausyscall --dump`
+                .lines
+                .map{|l| l.chomp.split }
+                .each_with_object(Hash.new) {|(k, v), ha| ha[k.to_i] = v }
+
+# if no ausyscall(8) then shows number itself
+# it is included in auditd package (e.g. Ubuntu)
+def to_name(nr)
+  SYSCALL_MAP[nr] || nr.to_s
+end
+
+prog = <<BPF
+#include <uapi/linux/ptrace.h>
+
+struct key_t {
+  u32 pid;
+  u64 syscall_nr;
+};
+struct leaf_t{
+  u64 count;
+  u64 elapsed_ns;
+  u64 enter_ns;
+  char comm[16];
+};
+BPF_HASH(store, struct key_t, struct leaf_t);
+
+TRACEPOINT_PROBE(raw_syscalls, sys_enter) {
+    struct key_t key = {0};
+    struct leaf_t initial = {0}, *val_;
+
+    key.pid = bpf_get_current_pid_tgid();
+    key.syscall_nr = args->id;
+
+    DO_FILTER_BY_PID
+
+    val_ = store.lookup_or_try_init(&key, &initial);
+    if (val_) {
+      struct leaf_t val = *val_;
+      val.count++;
+      val.enter_ns = bpf_ktime_get_ns();
+      bpf_get_current_comm(&val.comm, sizeof(val.comm));
+      store.update(&key, &val);
+    }
+    return 0;
+}
+
+TRACEPOINT_PROBE(raw_syscalls, sys_exit) {
+    struct key_t key = {0};
+    struct leaf_t *val_;
+
+    key.pid = bpf_get_current_pid_tgid();
+    key.syscall_nr = args->id;
+
+    val_ = store.lookup(&key);
+    if (val_) {
+      struct leaf_t val = *val_;
+      u64 delta = bpf_ktime_get_ns() - val.enter_ns;
+      val.enter_ns = 0;
+      val.elapsed_ns += delta;
+      store.update(&key, &val);
+    }
+    return 0;
+}
+BPF
+
+if $pid
+  prog.sub!('DO_FILTER_BY_PID', <<~FILTER)
+    if (key.pid != #{$pid}) return 0;
+  FILTER
+else
+  prog.sub!('DO_FILTER_BY_PID', '')
+end
+
+b = BCC.new(text: prog)
+
+puts "Collecting syscalls..."
+begin
+  sleep(99999999)
+rescue Interrupt
+  puts
+end
+
+info_by_pids = {}
+comms = {}
+store = b.get_table("store")
+store.items.each do |k, v|
+  # require 'pry'; binding.pry
+  info_by_pids[k.pid] ||= {}
+  info_by_pids[k.pid][k.syscall_nr] = {
+    name: to_name(k.syscall_nr),
+    count: v.count,
+    elapsed_ms: v.elapsed_ns / 1000000.0
+  }
+  comms[k.pid] ||= v.comm
+end
+
+pids = info_by_pids.keys.sort
+pids.each do |pid|
+  puts "PID=#{pid}(maybe: #{comms[pid]}) --->"
+  i = info_by_pids[pid]
+  i.to_a.sort_by {|k, v| [-v[:count], -v[:elapsed_ms]] }.each do |nr, record|
+    puts "\t%<name>-20s %<count>3d %<elapsed_ms>8.3f ms" % record
+  end
+  puts
+end

data/exe/rbbcc

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+
+binpath = File.readlink "/proc/self/exe"
+exec binpath, *ARGV

data/lib/rbbcc/bcc.rb

@@ -121,7 +121,6 @@ module RbBCC
 
       def decode_table_type(desc)
         return desc if desc.is_a?(String)
-
         anon = []
         fields = []
         # e.g. ["bpf_stacktrace", [["ip", "unsigned long long", [127]]], "struct_packed"]
@@ -153,11 +152,37 @@ module RbBCC
             raise("Failed to decode type #{field.inspect}")
           end
         end
+        c = nil
         if data_type == "union"
-          return Fiddle::Importer.union(fields)
+          c = Fiddle::Importer.union(fields)
         else
-          return Fiddle::Importer.struct(fields)
+          c = Fiddle::Importer.struct(fields)
+        end
+
+        fields.each do |field|
+          md = /^char\[(\d+)\] ([_a-zA-Z0-9]+)/.match(field)
+          if md
+            c.alias_method "__super_#{md[2]}", md[2]
+            c.define_method md[2] do
+              # Split the char[] in the place where the first \0 appears
+              raw = __send__("__super_#{md[2]}")
+              raw = raw[0...raw.index(0)] if raw.index(0)
+              raw.pack("c*")
+            end
+          end
+        end
+
+        c.define_singleton_method :original_desc do
+          desc
+        end
+        c.define_singleton_method :fields do
+          fields
+        end
+        orig_name = c.inspect
+        c.define_singleton_method :inspect do
+          orig_name.sub /(?=>$)/, " original_desc=#{desc.inspect}" rescue super
         end
+        c
       end
 
       def sym(addr, pid, show_module: false, show_offset: false, demangle: true)

data/lib/rbbcc/clib.rb

@@ -25,7 +25,7 @@ module RbBCC
     end
 
     extend Fiddle::Importer
-    targets = %w(0.14.0 0.13.0 0.12.0 0.11.0 0.10.0)
+    targets = %w(0.17.0 0.16.0 0.15.0 0.14.0 0.13.0 0.12.0 0.11.0 0.10.0)
     if default_load = ENV['LIBBCC_VERSION']
       targets.unshift(default_load)
       targets.uniq!

data/lib/rbbcc/fiddle_ext.rb

@@ -2,8 +2,17 @@ require 'fiddle'
 require 'fiddle/import'
 
 class Fiddle::Pointer
-  def to_bcc_value
-    case self.size
+  def bcc_value
+    @bcc_value ||= _bcc_value
+  end
+  alias to_bcc_value bcc_value
+
+  def _bcc_value
+    if self.bcc_value_type.is_a?(Class)
+      return self.bcc_value_type.new(self)
+    end
+
+    case self.bcc_size
     when Fiddle::Importer.sizeof("int")
       self[0, self.size].unpack("i!").first
     when Fiddle::Importer.sizeof("long")
@@ -12,4 +21,27 @@ class Fiddle::Pointer
       self[0, self.size].unpack("Z*").first
     end
   end
+
+  def method_missing(name, *a)
+    fields = \
+      if self.respond_to?(:bcc_value_type) && \
+         self.bcc_value_type.respond_to?(:fields)
+        self.bcc_value_type.fields.map{|v| v.split.last.to_sym }
+      else
+        nil
+      end
+    return super unless fields
+
+    if fields.include?(name) && bcc_value.respond_to?(name)
+      bcc_value.send(name)
+    else
+      super
+    end
+  end
+
+  attr_accessor :bcc_value_type
+  attr_writer   :bcc_size
+  def bcc_size
+    @bcc_size || self.size
+  end
 end

data/lib/rbbcc/table.rb

@@ -50,12 +50,13 @@ module RbBCC
     def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
       @bpf, @map_id, @map_fd, @keysize, @leafsize = \
                                         bpf, map_id, map_fd, sizeof(keytype), sizeof(leaftype)
+      @keytype = keytype
       @leaftype = leaftype
       @ttype = Clib.bpf_table_type_id(self.bpf.module, self.map_id)
       @flags = Clib.bpf_table_flags_id(self.bpf.module, self.map_id)
       @name = name
     end
-    attr_reader :bpf, :map_id, :map_fd, :keysize, :leafsize, :leaftype, :ttype, :flags, :name
+    attr_reader :bpf, :map_id, :map_fd, :keysize, :keytype, :leafsize, :leaftype, :ttype, :flags, :name
 
     def next(key)
       next_key = Fiddle::Pointer.malloc(self.keysize)
@@ -86,6 +87,7 @@ module RbBCC
       if res < 0
         nil
       end
+      leaf.bcc_value_type = leaftype
       return leaf
     end
 
@@ -93,8 +95,9 @@ module RbBCC
       self[key] || raise(KeyError, "key not found")
     end
 
-    def []=(_key, leaf)
+    def []=(_key, _leaf)
       key = normalize_key(_key)
+      leaf = normalize_leaf(_leaf)
       res = Clib.bpf_update_elem(self.map_fd, key, leaf, 0)
       if res < 0
         raise SystemCallError.new("Could not update table", Fiddle.last_error)
@@ -186,11 +189,29 @@ module RbBCC
     def normalize_key(key)
       case key
       when Fiddle::Pointer
+        key.bcc_value_type = keytype
+        key.bcc_size = keysize
         key
       when Integer
-        byref(key, keysize)
+        ret = byref(key, keysize)
+        ret.bcc_value_type = keytype
+        ret
       else
-        raise KeyError, "#{key.inspect} must be integer or pointor"
+        raise ArgumentError, "#{key.inspect} must be integer or pointor"
+      end
+    end
+
+    def normalize_leaf(leaf)
+      case leaf
+      when Fiddle::Pointer
+        leaf.bcc_value_type = leaftype
+        leaf
+      when Integer
+        ret = byref(leaf, keysize)
+        ret.bcc_value_type = leaftype
+        ret
+      else
+        raise KeyError, "#{leaf.inspect} must be integer or pointor"
       end
     end
 
@@ -202,6 +223,7 @@ module RbBCC
                  end
       ptr = Fiddle::Pointer.malloc(size)
       ptr[0, size] = [value].pack(pack_fmt)
+      ptr.bcc_size = size
       ptr
     end
   end

data/lib/rbbcc/version.rb

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.6.1"
+  VERSION = "0.6.2"
 end

data/rbbcc.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
-  #spec.bindir        = "exe"
-  #spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 end

metadata

@@ -1,19 +1,20 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.6.2
 platform: ruby
 authors:
 - Uchio Kondo
 autorequire: 
-bindir: bin
+bindir: exe
 cert_chain: []
-date: 2020-09-14 00:00:00.000000000 Z
+date: 2020-11-19 00:00:00.000000000 Z
 dependencies: []
 description: BCC port for MRI. See https://github.com/iovisor/bcc
 email:
 - udzura@udzura.jp
-executables: []
+executables:
+- rbbcc
 extensions: []
 extra_rdoc_files: []
 files:
@@ -56,6 +57,7 @@ files:
 - examples/charty/Gemfile
 - examples/charty/Gemfile.lock
 - examples/charty/bitehist-unicode.rb
+- examples/collectsyscall.rb
 - examples/dddos.rb
 - examples/disksnoop.rb
 - examples/example.gif
@@ -76,6 +78,7 @@ files:
 - examples/urandomread.rb
 - examples/usdt-test.rb
 - examples/usdt.rb
+- exe/rbbcc
 - lib/rbbcc.rb
 - lib/rbbcc/bcc.rb
 - lib/rbbcc/clib.rb