rbbcc 0.0.2 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83335da3fa30d52d38210f68efa6cf19cb5d44143ecc58ecdc6d4df30560303e
-  data.tar.gz: 75d0c97a8624a72928b4195bd830257c79e6a5e883058d9ae5c6c53512fccb1b
+  metadata.gz: d39196324559279beb78acb224f5d1e4b8d327bec531a9f0fc821787c89703cf
+  data.tar.gz: 932e49ca5f9225eb7eaca7beea106efb7a54279a9c4570a12b4d2cc7da0fd1e5
 SHA512:
-  metadata.gz: a634d67b7b8a322ac433825bdbf376e7ef3ebe30f2e43dc477eb6f52c14fbc812bf04a286a6e9af30ad3ffc999fe370c2bdfe0fee56608e501618973873f74a7
-  data.tar.gz: 9b9cc3a877ab56ec8ceb516b0fc576fe981784e8689ec026974e429cecbe6e82d6da06e74d7473d9e38819b50e2d430c01801d1deecaee3bc197900a91d93684
+  metadata.gz: 6ab268845839b5b566b66a75bf0fefeea5fc6bda9cc0b451d5617f09d7a03d389be2075901924ef3bfaf05af840afb295721d878547a58d5d2d5404c1fbbe880
+  data.tar.gz: e387413acd3d1720e990f0cb11d69f4f5629559d37d46c784bd1e454a38badcae2997def0807dd512e486de0988fc1750dbffcba87a0d5a1b819380a64d066bf

data/.gitignore

@@ -7,3 +7,7 @@
 /pkg/
 /spec/reports/
 /tmp/
+
+.ruby-version
+
+/examples/work/*

data/Dockerfile

@@ -0,0 +1,15 @@
+FROM rubylang/ruby:2.6.3-bionic
+
+RUN set -ex; \
+    echo "deb [trusted=yes] http://repo.iovisor.org/apt/bionic bionic-nightly main" > /etc/apt/sources.list.d/iovisor.list; \
+    apt-get update -y; \
+    deps="auditd bcc-tools curl gcc git libelf1 libbcc-examples"; \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y $deps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*;
+
+RUN gem install rbbcc
+COPY ./misc/rbbcc-dfm-ruby /usr/bin/rbbcc-dfm-ruby
+RUN chmod a+x /usr/bin/rbbcc-dfm-ruby
+
+ENTRYPOINT ["ruby"]

data/Dockerfile.dfm-example

@@ -0,0 +1,9 @@
+# Please follow your Docker for Mac kernel build
+FROM linuxkit/kernel:4.9.184 AS ksrc
+
+FROM udzura/rbbcc:0.0.2
+
+COPY --from=ksrc /kernel-dev.tar /
+RUN tar xf kernel-dev.tar && rm -f kernel-dev.tar
+
+ENTRYPOINT ["rbbcc-dfm-ruby"]

data/Gemfile.lock

@@ -1,11 +1,16 @@
 PATH
   remote: .
   specs:
-    rbbcc (0.0.1)
+    rbbcc (0.0.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    coderay (1.1.2)
+    method_source (0.9.2)
+    pry (0.12.2)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
     rake (10.5.0)
 
 PLATFORMS
@@ -13,6 +18,7 @@ PLATFORMS
 
 DEPENDENCIES
   bundler (~> 2.0)
+  pry
   rake (~> 10.0)
   rbbcc!
 

data/README.md

@@ -41,6 +41,59 @@ RbBCC::BCC.new(text: code).trace_print
 
 See examples (both in rbbcc and BCC)
 
+## Trying with docker
+
+[`udzura/rbbcc:${version}` is available.](https://hub.docker.com/r/udzura/rbbcc)
+
+* On generic linux:
+
+```console
+$ docker run --privileged \
+    -v/lib/modules:/lib/modules \
+    -v/sys:/sys \
+    -v/usr/src:/usr/src \
+    -v`pwd`:/opt \
+    -ti \
+    udzura/rbbcc:0.0.2 /opt/hello_world.rb
+Found fnc: kprobe__sys_clone
+Attach: p_sys_clone
+
+            bash-20113 [000] ....   377.602655: 0x00000001: Hello, World!
+            bash-20113 [000] ....   385.367309: 0x00000001: Hello, World!
+            bash-20113 [000] ....   391.203779: 0x00000001: Hello, World!
+            curl-20316 [001] ....   391.218226: 0x00000001: Hello, World!
+            bash-20113 [000] ....   402.528271: 0x00000001: Hello, World!
+ docker-containe-20236 [000] ....   403.090058: 0x00000001: Hello, World!
+...
+```
+
+* On Docker for Mac:
+  * Docker for Mac host does not have heders file in `/usr/src`, so you should extract headers in each container inside.
+
+```console
+### I have prepared an example Dockerfile
+$ docker build -t udzura/rbbcc:0.0.2-dfm -f Dockerfile.dfm-example .
+$ docker run --privileged \
+    -v/lib/modules:/lib/modules \
+    -v`pwd`/examples:/opt \
+    -ti \
+    udzura/rbbcc:0.0.2-dfm /opt/hello_world.rb
+...
+ containerd-shim-4932  [002] d...  1237.795421: : Hello, World!
+           httpd-4958  [000] d...  1237.795666: : Hello, World!
+           httpd-4958  [000] d...  1237.795794: : Hello, World!
+           httpd-4967  [000] d...  1237.795988: : Hello, World!
+           httpd-4967  [000] d...  1237.796211: : Hello, World!
+           httpd-4967  [000] d...  1237.796289: : Hello, World!
+           httpd-4967  [000] d...  1237.796325: : Hello, World!
+           <...>-5025  [003] d...  1237.796956: : Hello, World!
+            runc-5025  [003] d...  1237.797133: : Hello, World!
+           httpd-4967  [000] d...  1237.797156: : Hello, World!
+           httpd-4967  [000] d...  1237.797198: : Hello, World!
+           httpd-4967  [000] d...  1237.797340: : Hello, World!
+            runc-5025  [003] d...  1237.797464: : Hello, World!
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/examples/bitehist.rb

@@ -0,0 +1,46 @@
+#!/usr/bin/env ruby
+#
+# bitehist.rb, ported from bitehist.py. See license on that file
+#
+# Written as a basic example of using histograms to show a distribution.
+#
+# A Ctrl-C will print the gathered histogram then exit.
+#
+
+require 'rbbcc'
+include RbBCC
+
+b = BCC.new(text: <<CLANG)
+#include <uapi/linux/ptrace.h>
+#include <linux/blkdev.h>
+
+BPF_HISTOGRAM(dist);
+BPF_HISTOGRAM(dist_linear);
+
+int kprobe__blk_account_io_completion(struct pt_regs *ctx, struct request *req)
+{
+  dist.increment(bpf_log2l(req->__data_len / 1024));
+  dist_linear.increment(req->__data_len / 1024);
+  return 0;
+}
+CLANG
+
+puts "Tracing... Hit Ctrl-C to end."
+
+loop do
+  begin
+    sleep 0.1
+  rescue Interrupt
+    puts
+    break
+  end
+end
+
+puts "log2 histogram"
+puts "~~~~~~~~~~~~~~"
+b["dist"].print_log2_hist("kbytes")
+
+puts
+puts "linear histogram"
+puts "~~~~~~~~~~~~~~~~"
+b["dist_linear"].print_linear_hist("kbytes")

data/examples/dddos.rb

@@ -0,0 +1,112 @@
+#!/usr/bin/env ruby
+#
+# dddos.rb	DDOS dectection system, ported from python code.
+#
+# Written as a basic tracing example of using ePBF
+# to detect a potential DDOS attack against a system.
+#
+# See Copyright and License on bcc project:
+#     examples/tracing/dddos.py
+#
+# 14-Jan-2019 Jugurtha BELKALEM Created dddos.py.
+
+require 'rbbcc'
+include RbBCC
+
+prog = """
+#include <linux/skbuff.h>
+#include <uapi/linux/ip.h>
+
+#define MAX_NB_PACKETS 1000
+#define LEGAL_DIFF_TIMESTAMP_PACKETS 1000000
+
+BPF_HASH(rcv_packets);
+
+struct detectionPackets {
+    u64 nb_ddos_packets;
+};
+
+BPF_PERF_OUTPUT(events);
+
+int detect_ddos(struct pt_regs *ctx, void *skb){
+    struct detectionPackets detectionPacket = {};
+
+    // Used to count number of received packets
+    u64 rcv_packets_nb_index = 0, rcv_packets_nb_inter=1, *rcv_packets_nb_ptr;
+
+    // Used to measure elapsed time between 2 successive received packets
+    u64 rcv_packets_ts_index = 1, rcv_packets_ts_inter=0, *rcv_packets_ts_ptr;
+
+    /* The algorithm analyses packets received by ip_rcv function
+    * and measures the difference in reception time between each packet.
+    * DDOS flooders send millions of packets such that difference of
+    * timestamp between 2 successive packets is so small
+    * (which is not like regular applications behaviour).
+    * This script looks for this difference in time and if it sees
+    * more than MAX_NB_PACKETS succesive packets with a difference
+    * of timestamp between each one of them less than
+    * LEGAL_DIFF_TIMESTAMP_PACKETS ns,
+    * ------------------ It Triggers an ALERT -----------------
+    * Those settings must be adapted depending on regular network traffic
+    * -------------------------------------------------------------------
+    * Important: this is a rudimentary intrusion detection system, one can
+    * test a real case attack using hping3. However; if regular network
+    * traffic increases above predefined detection settings, a false
+    * positive alert will be triggered (an example would be the
+      case of large file downloads).
+    */
+    rcv_packets_nb_ptr = rcv_packets.lookup(&rcv_packets_nb_index);
+    rcv_packets_ts_ptr = rcv_packets.lookup(&rcv_packets_ts_index);
+    if(rcv_packets_nb_ptr != 0 && rcv_packets_ts_ptr != 0){
+        rcv_packets_nb_inter = *rcv_packets_nb_ptr;
+        rcv_packets_ts_inter = bpf_ktime_get_ns() - *rcv_packets_ts_ptr;
+        if(rcv_packets_ts_inter < LEGAL_DIFF_TIMESTAMP_PACKETS){
+            rcv_packets_nb_inter++;
+        } else {
+            rcv_packets_nb_inter = 0;
+        }
+        if(rcv_packets_nb_inter > MAX_NB_PACKETS){
+            detectionPacket.nb_ddos_packets = rcv_packets_nb_inter;
+            events.perf_submit(ctx, &detectionPacket, sizeof(detectionPacket));
+        }
+    }
+    rcv_packets_ts_inter = bpf_ktime_get_ns();
+    rcv_packets.update(&rcv_packets_nb_index, &rcv_packets_nb_inter);
+    rcv_packets.update(&rcv_packets_ts_index, &rcv_packets_ts_inter);
+    return 0;
+}
+"""
+
+# Loads eBPF program
+b = BCC.new(text: prog)
+
+# Attach kprobe to kernel function and sets detect_ddos as kprobe handler
+b.attach_kprobe(event: "ip_rcv", fn_name: "detect_ddos")
+
+DetectionTimestamp = \
+  Fiddle::Importer.struct(["unsigned long long nb_ddos_packets"])
+
+# Show message when ePBF stats
+puts("DDOS detector started ... Hit Ctrl-C to end!")
+
+puts("%-26s %-10s" % ["TIME(s)", "MESSAGE"])
+
+trigger_alert_event = lambda { |cpu, data, size|
+  # data is raw Fiddle::Pointer instance
+  event = DetectionTimestamp.malloc
+  Fiddle::Pointer.new(event.to_ptr)[0, DetectionTimestamp.size] = data[0, DetectionTimestamp.size]
+  puts("%-26s %s %d" % [
+         Time.now,
+         "DDOS Attack => nb of packets up to now : ",
+         event.nb_ddos_packets])
+}
+
+# loop with callback to trigger_alert_event
+b["events"].open_perf_buffer(&trigger_alert_event)
+loop do
+  begin
+    b.perf_buffer_poll
+  rescue Interrupt
+    exit
+  end
+end

data/examples/hello_perf_output.rb

@@ -0,0 +1,64 @@
+#!/usr/bin/env ruby
+#
+# This is a Hello World example that uses BPF_PERF_OUTPUT.
+# Ported from hello_perf_output.py
+
+require 'rbbcc'
+include RbBCC
+
+# define BPF program
+prog = """
+#include <linux/sched.h>
+
+// define output data structure in C
+struct data_t {
+    u32 pid;
+    u64 ts;
+    char comm[TASK_COMM_LEN];
+};
+BPF_PERF_OUTPUT(events);
+
+int hello(struct pt_regs *ctx) {
+    struct data_t data = {};
+
+    data.pid = bpf_get_current_pid_tgid();
+    data.ts = bpf_ktime_get_ns();
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+    events.perf_submit(ctx, &data, sizeof(data));
+
+    return 0;
+}
+"""
+
+# load BPF program
+b = BCC.new(text: prog)
+b.attach_kprobe(event: b.get_syscall_fnname("clone"), fn_name: "hello")
+
+# header
+puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "MESSAGE"])
+
+# process event
+start = 0
+print_event = lambda { |cpu, data, size|
+  event = b["events"].event(data)
+  if start == 0
+    start = event.ts
+  end
+
+  time_s = ((event.ts - start).to_f) / 1000000000
+  # event.comm.pack("c*").sprit
+  puts("%-18.9f %-16s %-6d %s" % [time_s, event.comm, event.pid,
+                                  "Hello, perf_output!"])
+}
+
+# loop with callback to print_event
+b["events"].open_perf_buffer(&print_event)
+
+loop do
+  begin
+    b.perf_buffer_poll()
+  rescue Interrupt
+    exit()
+  end
+end

data/lib/rbbcc/bcc.rb

@@ -1,4 +1,5 @@
 require 'rbbcc/consts'
+require 'rbbcc/table'
 require 'rbbcc/symbol_cache'
 
 module RbBCC
@@ -28,6 +29,8 @@ module RbBCC
         allow_rlimit
       )
       @funcs = {}
+      @tables = {}
+      @perf_buffers = {}
 
       unless @module
         raise "BPF module not created"
@@ -43,7 +46,7 @@ module RbBCC
 
       at_exit { self.cleanup }
     end
-    attr_reader :module
+    attr_reader :module, :perf_buffers
 
     def gen_args_from_usdt
       ptr = Clib.bcc_usdt_genargs(@usdt_contexts.map(&:context).pack('J*'), @usdt_contexts.size)
@@ -177,6 +180,58 @@ module RbBCC
       end
     end
 
+    attr_reader :tables
+    def get_table(name, keytype: nil, leaftype: nil, reducer: nil)
+      map_id = Clib.bpf_table_id(@module, name)
+      map_fd = Clib.bpf_table_fd(@module, name)
+
+      raise KeyError, "map not found" if map_fd < 0
+      unless keytype
+        key_desc = Clib.bpf_table_key_desc(@module, name)
+        raise("Failed to load BPF Table #{name} key desc") if key_desc.null?
+        keytype = eval(key_desc.to_extracted_char_ptr) # XXX: parse as JSON?
+      end
+
+      unless leaftype
+        leaf_desc = Clib.bpf_table_leaf_desc(@module, name)
+        raise("Failed to load BPF Table #{name} leaf desc") if leaf_desc.null?
+        leaftype = eval(leaf_desc.to_extracted_char_ptr)
+      end
+      return Table.new(self, map_id, map_fd, keytype, leaftype, name, reducer: reducer)
+    end
+
+    def [](key)
+      self.tables[key] ||= get_table(key)
+    end
+
+    def []=(key, value)
+      self.tables[key] = value
+    end
+
+    def perf_buffer_poll(timeout=-1)
+      readers = self.perf_buffers.values
+      readers.each {|r| r.size = Clib::PerfReader.size }
+      pack = readers.map{|r| r[0, Clib::PerfReader.size] }.pack('p*')
+      Clib.perf_reader_poll(readers.size, pack, timeout)
+    end
+
+    def ksymname(name)
+      SymbolCache.resolve_global(name)
+    end
+
+    def get_syscall_prefix
+      SYSCALL_PREFIXES.each do |prefix|
+        if ksymname("%sbpf" % prefix)
+          return prefix
+        end
+      end
+      SYSCALL_PREFIXES[0]
+    end
+
+    def get_syscall_fnname(name)
+      get_syscall_prefix + name
+    end
+
     private
     def trace_autoload!
       (0..Clib.bpf_num_functions(@module)).each do |i|

data/lib/rbbcc/clib.rb

@@ -13,7 +13,8 @@ module RbBCC
     end
 
     extend Fiddle::Importer
-    dlload "libbcc.so.0"
+    dlload "libbcc.so.0.10.0"
+    typealias "size_t", "int"
 
     extern 'void * bpf_module_create_c_from_string(char *, unsigned int, char **, int, long)'
     extern 'int bpf_num_functions(void *)'
@@ -25,6 +26,13 @@ module RbBCC
     extern 'int bpf_function_size(void *, char *)'
     extern 'char * bpf_module_license(void *)'
     extern 'unsigned int bpf_module_kern_version(void *)'
+    extern 'int bpf_table_fd(void *, char *)'
+    extern 'int bpf_table_id(void *, char *)'
+    extern 'int bpf_table_type_id(void *, int)'
+    extern 'int bpf_table_flags_id(void *, int)'
+    extern 'char * bpf_table_key_desc(void *, char *)'
+    extern 'char * bpf_table_leaf_desc(void *, char *)'
+    extern 'int bpf_update_elem(int fd, void *key, void *value, unsigned long long flags)'
 
     extern 'int bpf_attach_kprobe(int, int, char *, char *, unsigned long, int)'
     extern 'int bpf_detach_kprobe(char *)'
@@ -32,6 +40,35 @@ module RbBCC
     extern 'int bpf_detach_uprobe(char *)'
     extern 'int bpf_open_perf_event(unsigned int, unsigned long, int, int)'
     extern 'int bpf_close_perf_event_fd(int)'
+    extern 'int bpf_get_first_key(int, void *, int)'
+    extern 'int bpf_get_next_key(int, void *, void *)'
+    extern 'int bpf_lookup_elem(int fd, void *key, void *value)'
+    extern 'size_t bpf_table_max_entries_id(void *program, size_t id)'
+
+    # FIXME: This size of struct will change in future version
+    # and no struct member info in header. This is hacky
+    PerfReader = struct(
+      [
+        "void * raw_cb",
+        "void * lost_cb",
+        "void * cb_cookie",
+        "void * buf",
+        "int buf_size",
+        "void * base",
+        "int rb_use_state",
+        "int rb_read_tid",
+        "int page_size",
+        "int page_cnt",
+        "int fd"
+      ]
+    )
+
+    #typedef void (*perf_reader_raw_cb)(void *cb_cookie, void *raw, int raw_size);
+    #typedef void (*perf_reader_lost_cb)(void *cb_cookie, uint64_t lost);
+    extern 'void * bpf_open_perf_buffer(void *raw_cb, void *lost_cb, void *cb_cookie, int pid, int cpu, int page_cnt)'
+    extern 'int perf_reader_fd(void *reader)'
+    extern 'size_t bpf_perf_event_fields(void *program, const char *event)'
+    extern 'char * bpf_perf_event_field(void *program, const char *event, size_t i)'
 
     extern 'void * bcc_usdt_new_frompid(int, char *)'
     extern 'int bcc_usdt_enable_probe(void *, char *, char *)'
@@ -50,5 +87,13 @@ module RbBCC
     extern 'int bcc_symcache_resolve(void *, unsigned long, void *)'
     extern 'int bcc_symcache_resolve_no_demangle(void *, unsigned long, void *)'
     extern 'int bcc_symcache_resolve_name(void *, char *, char *, unsigned long long *)'
+
+    extern 'int perf_reader_poll(int num_readers, struct perf_reader **readers, int timeout)'
+  end
+end
+
+class Fiddle::Pointer
+  def to_extracted_char_ptr
+    RbBCC::Clib.__extract_char(self)
   end
 end

data/lib/rbbcc/cpu_helper.rb

@@ -0,0 +1,29 @@
+module RbBCC
+  module CPUHelper
+    module_function
+    def get_online_cpus
+      return _read_cpu_range('/sys/devices/system/cpu/online')
+    end
+
+    def get_possible_cpus
+      return _read_cpu_range('/sys/devices/system/cpu/possible')
+    end
+
+    # formatted like: '0,2-4,7-10'
+    def _read_cpu_range(path)
+      cpus = nil
+      File.open(path, 'r') do |f|
+        tmp = f.read.split(',').map do |range|
+          if range.include?('-')
+            start, end_ = *range.split('-')
+            (start.to_i..end_.to_i).to_a
+          else
+            range.to_i
+          end
+        end
+        cpus = tmp.flatten
+      end
+      cpus
+    end
+  end
+end

data/lib/rbbcc/disp_helper.rb

@@ -0,0 +1,98 @@
+# FIXME: These should be class attributes?
+$stars_max = 40
+$log2_index_max = 65
+$linear_index_max = 1025
+
+module RbBCC
+  # They're directly ported from table.py
+  # They might be more looked like Ruby code
+  module DisplayHelper
+    def stars(val, val_max, width)
+      i = 0
+      text = ""
+      while true
+        break if (i > (width * val.to_f / val_max) - 1) || (i > width - 1)
+        text += "*"
+        i += 1
+      end
+      if val > val_max
+        text = text[0...-1] + "+"
+      end
+      return text
+    end
+
+    def print_log2_hist(vals, val_type, strip_leading_zero)
+      stars_max = $stars_max
+      log2_dist_max = 64
+      idx_max = -1
+      val_max = 0
+
+      vals.each_with_index do |v, i|
+        idx_max = i if v > 0
+        val_max = v if v > val_max
+      end
+
+      if idx_max <= 32
+        header = "     %-19s : count     distribution"
+        body = "%10d -> %-10d : %-8d |%-*s|"
+        stars = stars_max
+      else
+        header = "               %-29s : count     distribution"
+        body = "%20d -> %-20d : %-8d |%-*s|"
+        stars = stars_max / 2
+      end
+
+      if idx_max > 0
+        puts(header % val_type)
+      end
+
+      (1...(idx_max + 1)).each do |i|
+        low = (1 << i) >> 1
+        high = (1 << i) - 1
+        if (low == high)
+          low -= 1
+        end
+        val = vals[i]
+
+        if strip_leading_zero
+          if val
+            puts(body % [low, high, val, stars,
+                          stars(val, val_max, stars)])
+            strip_leading_zero = false
+          end
+        else
+          puts(body % [low, high, val, stars,
+                        stars(val, val_max, stars)])
+        end
+      end
+    end
+
+    def print_linear_hist(vals, val_type)
+      stars_max = $stars_max
+      log2_dist_max = 64
+      idx_max = -1
+      val_max = 0
+
+      vals.each_with_index do |v, i|
+        idx_max = i if v > 0
+        val_max = v if v > val_max
+      end
+
+      header = "     %-13s : count     distribution"
+      body = "        %-10d : %-8d |%-*s|"
+      stars = stars_max
+
+      if idx_max >= 0
+        puts(header % val_type);
+      end
+
+      (0...(idx_max + 1)).each do |i|
+        val = vals[i]
+        puts(body % [i, val, stars,
+                     stars(val, val_max, stars)])
+      end
+    end
+  end
+
+  extend DisplayHelper
+end

data/lib/rbbcc/fiddle_ext.rb

@@ -0,0 +1,15 @@
+require 'fiddle'
+require 'fiddle/import'
+
+class Fiddle::Pointer
+  def to_bcc_value
+    case self.size
+    when Fiddle::Importer.sizeof("int")
+      self[0, self.size].unpack("i!").first
+    when Fiddle::Importer.sizeof("long")
+      self[0, self.size].unpack("l!").first
+    else
+      self[0, self.size].unpack("Z*").first
+    end
+  end
+end

data/lib/rbbcc/table.rb

@@ -0,0 +1,329 @@
+require 'rbbcc/clib'
+require 'fiddle'
+require 'enumerator'
+require 'rbbcc/disp_helper'
+require 'rbbcc/cpu_helper'
+
+module RbBCC
+  module Table
+    BPF_MAP_TYPE_HASH = 1
+    BPF_MAP_TYPE_ARRAY = 2
+    BPF_MAP_TYPE_PROG_ARRAY = 3
+    BPF_MAP_TYPE_PERF_EVENT_ARRAY = 4
+    BPF_MAP_TYPE_PERCPU_HASH = 5
+    BPF_MAP_TYPE_PERCPU_ARRAY = 6
+    BPF_MAP_TYPE_STACK_TRACE = 7
+    BPF_MAP_TYPE_CGROUP_ARRAY = 8
+    BPF_MAP_TYPE_LRU_HASH = 9
+    BPF_MAP_TYPE_LRU_PERCPU_HASH = 10
+    BPF_MAP_TYPE_LPM_TRIE = 11
+    BPF_MAP_TYPE_ARRAY_OF_MAPS = 12
+    BPF_MAP_TYPE_HASH_OF_MAPS = 13
+    BPF_MAP_TYPE_DEVMAP = 14
+    BPF_MAP_TYPE_SOCKMAP = 15
+    BPF_MAP_TYPE_CPUMAP = 16
+    BPF_MAP_TYPE_XSKMAP = 17
+    BPF_MAP_TYPE_SOCKHASH = 18
+
+    def self.new(bpf, map_id, map_fd, keytype, leaftype, name, **kwargs)
+      ttype = Clib.bpf_table_type_id(bpf.module, map_id)
+      case ttype
+      when BPF_MAP_TYPE_HASH
+      when BPF_MAP_TYPE_ARRAY
+        ArrayTable.new(bpf, map_id, map_fd, keytype, leaftype)
+      when BPF_MAP_TYPE_PERF_EVENT_ARRAY
+        PerfEventArray.new(bpf, map_id, map_fd, keytype, leaftype, name: name)
+      else
+        raise "Unknown table type #{ttype}"
+      end
+    end
+  end
+
+  class TableBase
+    include Fiddle::Importer
+    include CPUHelper
+    include Enumerable
+
+    def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
+      @bpf, @map_id, @map_fd, @keysize, @leafsize = \
+        bpf, map_id, map_fd, sizeof(keytype), sizeof(leaftype)
+      @ttype = Clib.bpf_table_type_id(self.bpf.module, self.map_id)
+      @flags = Clib.bpf_table_flags_id(self.bpf.module, self.map_id)
+      @name = name
+    end
+    attr_reader :bpf, :map_id, :map_fd, :keysize, :leafsize, :ttype, :flags, :name
+
+    def next(key)
+      next_key = Fiddle::Pointer.malloc(self.keysize)
+
+      if !key
+        res = Clib.bpf_get_first_key(self.map_fd, next_key,
+                                     next_key.size)
+      else
+        unless key.is_a?(Fiddle::Pointer)
+          raise TypeError, key.inspect
+        end
+        res = Clib.bpf_get_next_key(self.map_fd, key,
+                                    next_key)
+      end
+
+      if res < 0
+        raise StopIteration
+      end
+
+      return next_key
+    end
+
+    def [](key)
+      leaf = Fiddle::Pointer.malloc(self.leafsize)
+      res = Clib.bpf_lookup_elem(self.map_fd, key, leaf)
+      if res < 0
+        nil
+      end
+      return leaf
+    end
+
+    def fetch(key)
+      self[key] || raise(KeyError, "key not found")
+    end
+
+    def []=(key, leaf)
+      res = Clib.bpf_update_elem(self.map_fd, key, leaf, 0)
+      if res < 0
+        raise SystemCallError.new("Could not update table", Fiddle.last_error)
+      end
+      res
+    end
+
+    def each_key
+      k = nil
+      keys = []
+      loop do
+        k = self.next(k)
+        keys << k
+        yield k
+      end
+      keys
+    end
+
+    def each_value
+      each_key {|key| yield(self[key]) if self[key] }
+    end
+
+    def each_pair
+      each_key {|key| yield(key, self[key]) if self[key] }
+    end
+    alias each each_pair
+
+    def values
+      enum_for(:each_value).to_a
+    end
+
+    def items
+      enum_for(:each_pair).to_a
+    end
+
+    def print_log2_hist(val_type="value",
+                        section_header: "Bucket ptr",
+                        section_print_fn: nil,
+                        bucket_fn: nil,
+                        strip_leading_zero: false,
+                        bucket_sort_fn: nil)
+      if structured_key?
+        raise NotImplementedError
+      else
+        vals = Array.new($log2_index_max) { 0 }
+        each_pair do |k, v|
+          vals[k.to_bcc_value] = v.to_bcc_value
+        end
+        RbBCC.print_log2_hist(vals, val_type, strip_leading_zero)
+      end
+      nil
+    end
+
+    def print_linear_hist(val_type="value",
+                          section_header: "Bucket ptr",
+                          section_print_fn: nil,
+                          bucket_fn: nil,
+                          bucket_sort_fn: nil)
+      if structured_key?
+        raise NotImplementedError
+      else
+        vals = Array.new($linear_index_max) { 0 }
+        each_pair do |k, v|
+          vals[k.to_bcc_value] = v.to_bcc_value
+        end
+        RbBCC.print_linear_hist(vals, val_type)
+      end
+      nil
+    end
+
+    def structured_key?
+      false # TODO: implement me in the future
+    end
+
+    private
+    def byref(value, size=sizeof("int"))
+      pack_fmt = case size
+                 when sizeof("int") ; "i!"
+                 when sizeof("long"); "l!"
+                 else               ; "Z*"
+                 end
+      ptr = Fiddle::Pointer.malloc(size)
+      ptr[0, size] = [value].pack(pack_fmt)
+      ptr
+    end
+  end
+
+  class ArrayTable < TableBase
+    def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
+      super
+      @max_entries = Clib.bpf_table_max_entries_id(bpf.module, map_id)
+    end
+
+    # We now emulate the Array class of Ruby
+    def size
+      @max_entries
+    end
+    alias length size
+
+    def [](key)
+      super(normalize_key(key))
+    end
+
+    def each(&b)
+      each_value do |v|
+        b.call(v.to_bcc_value)
+      end
+    end
+
+    private
+    def normalize_key(key)
+      case key
+      when Fiddle::Pointer
+        key
+      when Integer
+        byref(key, keysize)
+      else
+        raise KeyError, "#{key.inspect} must be integer or pointor"
+      end
+    end
+  end
+
+  class PerfEventArray < TableBase
+    def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
+      super
+      @open_key_fds = {}
+      @event_class = nil
+      @_cbs = {}
+      @_open_key_fds = {}
+    end
+
+    def event(data)
+      @event_class ||= get_event_class
+      ev = @event_class.malloc
+      Fiddle::Pointer.new(ev.to_ptr)[0, @event_class.size] = data[0, @event_class.size]
+      return ev
+    end
+
+    def open_perf_buffer(page_cnt: 8, lost_cb: nil, &callback)
+      if page_cnt & (page_cnt - 1) != 0
+        raise "Perf buffer page_cnt must be a power of two"
+      end
+
+      get_online_cpus.each do |i|
+        _open_perf_buffer(i, callback, page_cnt, lost_cb)
+      end
+    end
+
+    private
+    def get_event_class
+      ct_mapping = {
+        's8': 'char',
+        'u8': 'unsined char',
+        's8 *': 'char *',
+        's16': 'short',
+        'u16': 'unsigned short',
+        's32': 'int',
+        'u32': 'unsigned int',
+        's64': 'long long',
+        'u64': 'unsigned long long'
+      }
+
+      array_type = /(.+) \[([0-9]+)\]$/
+      fields = []
+      num_fields = Clib.bpf_perf_event_fields(self.bpf.module, @name)
+      num_fields.times do |i|
+        field = Clib.__extract_char(Clib.bpf_perf_event_field(self.bpf.module, @name, i))
+        field_name, field_type = *field.split('#')
+        if field_type =~ /enum .*/
+          field_type = "int" #it is indeed enum...
+        end
+        if _field_type = ct_mapping[field_type.to_sym]
+          field_type = _field_type
+        end
+
+        m = array_type.match(field_type)
+        if m
+          field_type = "#{m[1]}[#{m[2]}]"
+          fields << [field_type, field_name].join(" ")
+        else
+          fields << [field_type, field_name].join(" ")
+        end
+      end
+      klass = Fiddle::Importer.struct(fields)
+      if fields.find {|f| f =~ /^char\[(\d+)\] ([_a-zA-Z0-9]+)/ }
+        size = $1
+        m = Module.new do
+          define_method $2 do
+            super().pack("c#{size}").sub(/\0+$/, "")
+          end
+        end
+        klass.prepend m
+      end
+      klass
+    end
+
+    def _open_perf_buffer(cpu, callback, page_cnt, lost_cb)
+      # bind("void raw_cb_callback(void *, void *, int)")
+      fn = Fiddle::Closure::BlockCaller.new(
+        Fiddle::TYPE_VOID,
+        [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT]
+      ) do |_dummy, data, size|
+        begin
+          callback.call(cpu, data, size)
+        rescue => e
+          if Fiddle.last_error == 32 # EPIPE
+            exit
+          else
+            raise e
+          end
+        end
+      end
+      lost_fn = Fiddle::Closure::BlockCaller.new(
+        Fiddle::TYPE_VOID,
+        [Fiddle::TYPE_VOIDP, Fiddle::TYPE_ULONG]
+      ) do |_dummy, lost|
+        begin
+          lost_cb(lost)
+        rescue => e
+          if Fiddle.last_error == 32 # EPIPE
+            exit
+          else
+            raise e
+          end
+        end
+      end if lost_cb
+      reader = Clib.bpf_open_perf_buffer(fn, lost_fn, nil, -1, cpu, page_cnt)
+      if !reader || reader.null?
+        raise "Could not open perf buffer"
+      end
+      fd = Clib.perf_reader_fd(reader)
+
+      self[byref(cpu, @keysize)] = byref(fd, @leafsize)
+      self.bpf.perf_buffers[[object_id, cpu]] = reader
+      @_cbs[cpu] = [fn, lost_fn]
+      @_open_key_fds[cpu] = -1
+    end
+  end
+end

data/lib/rbbcc/version.rb

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.0.2"
+  VERSION = "0.1.0"
 end

data/lib/rbbcc.rb

@@ -1,3 +1,4 @@
+require "rbbcc/fiddle_ext"
 require "rbbcc/bcc"
 require "rbbcc/clib"
 require "rbbcc/usdt"

data/misc/rbbcc-dfm-ruby

@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+if ! mount | grep debug ; then
+  mount -t debugfs none /sys/kernel/debug
+fi
+exec ruby "$@"

data/rbbcc.gemspec

@@ -23,4 +23,5 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "pry"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.1.0
 platform: ruby
 authors:
 - Uchio Kondo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-02 00:00:00.000000000 Z
+date: 2019-12-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: BCC port for MRI. See https://github.com/iovisor/bcc
 email:
 - udzura@udzura.jp
@@ -46,6 +60,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- Dockerfile
+- Dockerfile.dfm-example
 - Gemfile
 - Gemfile.lock
 - LICENSE
@@ -53,8 +69,11 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- examples/bitehist.rb
+- examples/dddos.rb
 - examples/example.gif
 - examples/extract_arg.rb
+- examples/hello_perf_output.rb
 - examples/hello_world.rb
 - examples/usdt-test.rb
 - examples/usdt.rb
@@ -62,9 +81,14 @@ files:
 - lib/rbbcc/bcc.rb
 - lib/rbbcc/clib.rb
 - lib/rbbcc/consts.rb
+- lib/rbbcc/cpu_helper.rb
+- lib/rbbcc/disp_helper.rb
+- lib/rbbcc/fiddle_ext.rb
 - lib/rbbcc/symbol_cache.rb
+- lib/rbbcc/table.rb
 - lib/rbbcc/usdt.rb
 - lib/rbbcc/version.rb
+- misc/rbbcc-dfm-ruby
 - rbbcc.gemspec
 homepage: https://github.com/udzura/rbbcc
 licenses: []