rbbcc 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d39196324559279beb78acb224f5d1e4b8d327bec531a9f0fc821787c89703cf
-  data.tar.gz: 932e49ca5f9225eb7eaca7beea106efb7a54279a9c4570a12b4d2cc7da0fd1e5
+  metadata.gz: ccce892b1f35442a6a076717e95ff3d0dd1f3ea9b7454042ea1ed6edcafdf3ef
+  data.tar.gz: 928a6c4f96aec375d0d736122fefbbcfcabaafcb5be6ee0945facfcc59c8521a
 SHA512:
-  metadata.gz: 6ab268845839b5b566b66a75bf0fefeea5fc6bda9cc0b451d5617f09d7a03d389be2075901924ef3bfaf05af840afb295721d878547a58d5d2d5404c1fbbe880
-  data.tar.gz: e387413acd3d1720e990f0cb11d69f4f5629559d37d46c784bd1e454a38badcae2997def0807dd512e486de0988fc1750dbffcba87a0d5a1b819380a64d066bf
+  metadata.gz: 0b9aefc4bec5f184ae268fe4191bb5de1271e52ce8a6198fe38bae9e558dd273f4c893675581c9d0700d67a3e55d5b5a961d145431ed9ca01785ed4e9183af19
+  data.tar.gz: 9b5dabad56e3ee0453473aeca770251ba3453cb0e822503c0ad86fc8016a2768a62444b05191303e6a11bdd88aaf353097d691dc1e59d12cb41bf4d694b68f47

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rbbcc (0.0.2)
+    rbbcc (0.1.1)
 
 GEM
   remote: https://rubygems.org/
@@ -23,4 +23,4 @@ DEPENDENCIES
   rbbcc!
 
 BUNDLED WITH
-   2.0.2
+   2.1.0

data/docs/README.md

@@ -0,0 +1,5 @@
+# RbBCC Docs
+
+* [Getting Started](getting_started.md)
+
+**Please see also [BCC itselfe's README](https://github.com/iovisor/bcc/#readme) and [docs](https://github.com/iovisor/bcc/tree/master/docs).** 

data/docs/getting_started.md

@@ -0,0 +1,154 @@
+# Getting Started
+
+RbBCC is a project to utilize the power of eBPF/BCC from Ruby.
+
+## Setup
+
+RbBCC requires `libbcc.so` version **0.10.0**(we plan to support newer version of libbcc, but it may be done after rbbcc 1.0...).
+
+BTW we do not need to install header files, becuase current version of RbBCC uses the functionality of libbcc via ffi(We use MRI's standard library **fiddle**, not external gems).
+
+We can install this shared library via package `libbcc` from official iovisor project repo:
+
+```console
+# e.g. In Ubuntu:
+$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
+$ echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
+$ sudo apt-get update
+$ sudo apt-get install libbcc
+```
+
+For more imformation, see [bcc's official doc](https://github.com/iovisor/bcc/blob/master/INSTALL.md).
+
+After installed libbcc, you can create project hierarchy like:
+
+```
+.
+├── Gemfile
+└── tools
+    └── hello_world.rb
+```
+
+with `Gemfile` below:
+
+```ruby
+source "https://rubygems.org"
+
+gem "rbbcc"
+```
+
+Then run `bundle install`.
+
+### With docker
+
+_TBD_
+
+## Hello world from Linux kernel!
+
+Creating `tools/hello_world.rb` as:
+
+```ruby
+#!/usr/bin/env ruby
+
+require 'rbbcc'
+include RbBCC
+
+text = <<CLANG
+int kprobe__sys_clone(void *ctx)
+{
+  bpf_trace_printk("Hello, World!\\n");
+  return 0;
+}
+CLANG
+
+b = BCC.new(text: text)
+printf("%-18s %-16s %-6s %s\n", "TIME(s)", "COMM", "PID", "value")
+
+b.trace_fields do |task, pid, cpu, flags, ts, msg|
+  printf("%-18.9f %-16s %-6d %s", ts, task, pid, msg)
+end
+```
+
+Then invoke this Ruby script. BCC requires to run as a priveleged user.
+
+```console
+$ sudo bundle exec ruby tools/hello_world.rb                                       
+Found fnc: kprobe__sys_clone
+Attach: p___x64_sys_clone
+TIME(s)            COMM             PID    value
+```
+
+Open another terminal and hit commands, like `curl https://www.ruby-lang.org/`.
+
+Then RbBCC process displays what kind of program invokes another program with message `Hello, World`.
+
+```console
+TIME(s)            COMM             PID    value
+109979.625639000   bash             7591   Hello, World!
+109979.632267000   curl             29098  Hello, World!
+109981.467914000   bash             7591   Hello, World!
+109981.474290000   curl             29100  Hello, World!
+109984.913358000   bash             7591   Hello, World!
+109984.921165000   curl             29102  Hello, World!
+...
+```
+
+These lines are displayed by a kernel hook of `clone(2)(internally: sys_clone)` call. The bash command like `curl, grep, ping...` internally call `sys_clone` to fork new processes, and RbBCC traces these kernel calls with a very small cost.
+
+Then, change the Ruby(and internal C) codes into this like:
+
+```ruby
+#!/usr/bin/env ruby
+
+require 'rbbcc'
+include RbBCC
+
+text = <<CLANG
+#include <uapi/linux/ptrace.h>
+
+int printret(struct pt_regs *ctx) {
+  char str[80] = {};
+  u32 pid;
+  if (!PT_REGS_RC(ctx))
+      return 0;
+  pid = bpf_get_current_pid_tgid();
+  bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_RC(ctx));
+  bpf_trace_printk("[%d]input: %s\\n", pid, str);
+
+  return 0;
+};
+CLANG
+
+b = BCC.new(text: text)
+b.attach_uretprobe(name: "/bin/bash", sym: "readline", fn_name: "printret")
+
+printf("%-18s %-16s %s\n", "TIME(s)", "COMM", "value")
+b.trace_fields do |task, pid, cpu, flags, ts, msg|
+  printf("%-18.9f %-16s %s", ts, task, msg)
+end
+```
+
+Run again:
+
+```console
+$ sudo bundle exec ruby tools/hello_world.rb                                       
+Found fnc: printret
+Attach: p__bin_bash_0xad900
+TIME(s)            COMM             value
+```
+
+And open another "bash" terminal again. When you hit a command to this bash in any session, any input strings are snooped and shown in the tracing process. This is all of the trace result of return in `readline()` function from user program "bash". RbBCC can detect where and how it occurs.
+
+```console
+TIME(s)            COMM             value
+1554.284390000     bash             [5457]input: curl localhost
+1559.425699000     bash             [5457]input: ping 8.8.8.8
+1565.805870000     bash             [5457]input: sudo cat /etc/passwd
+...
+```
+
+----
+
+For more use case and information. Please see [`examples`](../examples/) directory and (especially for C API) BCC's official document.
+
+* [bcc Reference Guide](https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md)

data/examples/disksnoop.rb

@@ -0,0 +1,73 @@
+#!/usr/bin/env ruby
+#
+# disksnoop.rb	Trace block device I/O: basic version of iosnoop.
+#		For Linux, uses BCC, eBPF. Embedded C.
+# This is ported from original disksnoop.py
+#
+# Written as a basic example of tracing latency.
+#
+# Licensed under the Apache License, Version 2.0 (the "License")
+#
+# 11-Aug-2015	Brendan Gregg	Created disksnoop.py
+
+require 'rbbcc'
+include RbBCC
+
+REQ_WRITE = 1		# from include/linux/blk_types.h
+
+# load BPF program
+b = BCC.new(text: <<CLANG)
+#include <uapi/linux/ptrace.h>
+#include <linux/blkdev.h>
+
+BPF_HASH(start, struct request *);
+
+void trace_start(struct pt_regs *ctx, struct request *req) {
+  // stash start timestamp by request ptr
+  u64 ts = bpf_ktime_get_ns();
+
+  start.update(&req, &ts);
+}
+
+void trace_completion(struct pt_regs *ctx, struct request *req) {
+  u64 *tsp, delta;
+
+  tsp = start.lookup(&req);
+  if (tsp != 0) {
+    delta = bpf_ktime_get_ns() - *tsp;
+    bpf_trace_printk("%d %x %d\\n", req->__data_len,
+        req->cmd_flags, delta / 1000);
+    start.delete(&req);
+  }
+}
+CLANG
+
+if BCC.get_kprobe_functions('blk_start_request')
+  b.attach_kprobe(event: "blk_start_request", fn_name: "trace_start")
+end
+b.attach_kprobe(event: "blk_mq_start_request", fn_name: "trace_start")
+b.attach_kprobe(event: "blk_account_io_completion", fn_name: "trace_completion")
+
+# header
+puts("%-18s %-2s %-7s %8s" % ["TIME(s)", "T", "BYTES", "LAT(ms)"])
+
+# format output
+loop do
+  begin
+    task, pid, cpu, flags, ts, msg = b.trace_fields
+    bytes_s, bflags_s, us_s = msg.split
+
+    if (bflags_s.to_i(16) & REQ_WRITE).nonzero?
+      type_s = "W"
+    elsif bytes_s == "0" # see blk_fill_rwbs() for logic
+      type_s = "M"
+    else
+      type_s = "R"
+    end
+    ms = us_s.to_i.to_f / 1000
+
+    puts("%-18.9f %-2s %-7s %8.2f" % [ts, type_s, bytes_s, ms])
+  rescue Interrupt
+    exit
+  end
+end

data/examples/hello_fields.rb

@@ -0,0 +1,32 @@
+#!/usr/bin/env ruby
+#
+# This is a Hello World example that formats output as fields.
+
+require 'rbbcc'
+include RbBCC
+
+# define BPF program
+prog = <<CLANG
+int hello(void *ctx) {
+    bpf_trace_printk("Hello, World!\\n");
+    return 0;
+}
+CLANG
+
+# load BPF program
+b = BCC.new(text: prog)
+b.attach_kprobe(event: b.get_syscall_fnname("clone"), fn_name: "hello")
+
+# header
+puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "MESSAGE"])
+
+# format output
+loop do
+  begin
+    b.trace_fields do |task, pid, cpu, flags, ts, msg|
+      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
+    end
+  rescue Interrupt
+    exit
+  end
+end

data/examples/kvm_hypercall.rb

@@ -0,0 +1,69 @@
+#!/usr/bin/python
+#
+# kvm_hypercall.rb - TODO: it is still not tested
+# See original kvm_hypercall.py and txt
+#
+# Demonstrates stateful kvm_entry and kvm_exit recording along with the
+# associated hypercall when exit_reason is VMCALL. See kvm_hypercall.txt
+# for usage
+#
+# REQUIRES: Linux 4.7+ (BPF_PROG_TYPE_TRACEPOINT support)
+#
+# Copyright (c) 2017 ShiftLeft Inc.
+#
+# Author(s):
+#   Suchakrapani Sharma <suchakra@shiftleft.io>
+
+require 'rbbcc'
+include RbBCC
+
+# load BPF program
+b = BCC.new(text: <<CLANG)
+#define EXIT_REASON 18
+BPF_HASH(start, u8, u8);
+
+TRACEPOINT_PROBE(kvm, kvm_exit) {
+    u8 e = EXIT_REASON;
+    u8 one = 1;
+    if (args->exit_reason == EXIT_REASON) {
+        bpf_trace_printk("KVM_EXIT exit_reason : %d\\n", args->exit_reason);
+        start.update(&e, &one);
+    }
+    return 0;
+}
+
+TRACEPOINT_PROBE(kvm, kvm_entry) {
+    u8 e = EXIT_REASON;
+    u8 zero = 0;
+    u8 *s = start.lookup(&e);
+    if (s != NULL && *s == 1) {
+        bpf_trace_printk("KVM_ENTRY vcpu_id : %u\\n", args->vcpu_id);
+        start.update(&e, &zero);
+    }
+    return 0;
+}
+
+TRACEPOINT_PROBE(kvm, kvm_hypercall) {
+    u8 e = EXIT_REASON;
+    u8 zero = 0;
+    u8 *s = start.lookup(&e);
+    if (s != NULL && *s == 1) {
+        bpf_trace_printk("HYPERCALL nr : %d\\n", args->nr);
+    }
+    return 0;
+};
+CLANG
+
+# header
+puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "EVENT"])
+
+# format output
+loop do
+  begin
+    b.trace_fields do |task, pid, cpu, flags, ts, msg|
+      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
+    end
+  rescue Interrupt
+    exit
+  end
+end

data/examples/mallocstack.rb

@@ -0,0 +1,63 @@
+#!/usr/bin/env ruby
+#
+# mallocstacks  Trace malloc() calls in a process and print the full
+#               stack trace for all callsites.
+#               For Linux, uses BCC, eBPF. Embedded C.
+#
+# This script is a basic example of the new Linux 4.6+ BPF_STACK_TRACE
+# table API.
+#
+# Copyright 2016 GitHub, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License")
+
+require 'rbbcc'
+include RbBCC
+
+if ARGV.size == 0
+  $stderr.puts("USAGE: mallocstacks PID")
+  exit
+end
+pid = ARGV[0].to_i
+
+# load BPF program
+b = BCC.new(text: <<CLANG)
+#include <uapi/linux/ptrace.h>
+
+BPF_HASH(calls, int);
+BPF_STACK_TRACE(stack_traces, 1024);
+
+int alloc_enter(struct pt_regs *ctx, size_t size) {
+    int key = stack_traces.get_stackid(ctx,
+        BPF_F_USER_STACK|BPF_F_REUSE_STACKID);
+    if (key < 0)
+        return 0;
+
+    // could also use `calls.increment(key, size);`
+    u64 zero = 0, *val;
+    val = calls.lookup_or_init(&key, &zero);
+    if (val)
+      (*val) += size;
+    return 0;
+};
+CLANG
+
+b.attach_uprobe(name: "c", sym: "malloc", fn_name: "alloc_enter", pid: pid)
+puts("Attaching to malloc in pid %d, Ctrl+C to quit." % pid)
+
+# sleep until Ctrl-C
+loop do
+  begin
+    sleep 1
+  rescue Interrupt
+    break # pass
+  end
+end
+calls = b.get_table("calls")
+stack_traces = b.get_table("stack_traces")
+
+calls.items.sort_by{|k, v| v.to_bcc_value }.reverse.each do |(k, v)|
+  puts("%d bytes allocated at:" % v.to_bcc_value)
+  stack_traces.walk(k) do |addr|
+    puts("\t%s" % BCC.sym(addr, pid, show_offset: true))
+  end
+end

data/lib/rbbcc/bcc.rb

@@ -13,6 +13,142 @@ module RbBCC
   TRACEFS = "/sys/kernel/debug/tracing"
 
   class BCC
+    class << self
+      def get_kprobe_functions(event_re)
+        blacklist = []
+        fns = []
+        File.open(File.expand_path("../kprobes/blacklist", TRACEFS), "rb") do |blacklist_f|
+          blacklist = blacklist_f.each_line.map { |line|
+            line.rstrip.split[1]
+          }.uniq
+        end
+        in_init_section = 0
+        in_irq_section = 0
+        File.open("/proc/kallsyms", "rb") do |avail_file|
+          avail_file.each_line do |line|
+            t, fn = line.rstrip.split[1,2]
+            # Skip all functions defined between __init_begin and
+            # __init_end
+            if in_init_section == 0
+              if fn == '__init_begin'
+                in_init_section = 1
+                next
+              elsif in_init_section == 1
+                if fn == '__init_end'
+                  in_init_section = 2
+                  next
+                end
+              end
+              # Skip all functions defined between __irqentry_text_start and
+              # __irqentry_text_end
+              if in_irq_section == 0
+                if fn == '__irqentry_text_start'
+                  in_irq_section = 1
+                  next
+                elsif in_irq_section == 1
+                  if fn == '__irqentry_text_end'
+                    in_irq_section = 2
+                    next
+                  end
+                end
+              end
+              # All functions defined as NOKPROBE_SYMBOL() start with the
+              # prefix _kbl_addr_*, blacklisting them by looking at the name
+              # allows to catch also those symbols that are defined in kernel
+              # modules.
+              if fn.start_with?('_kbl_addr_')
+                next
+              # Explicitly blacklist perf-related functions, they are all
+              # non-attachable.
+              elsif fn.start_with?('__perf') || fn.start_with?('perf_')
+                next
+              # Exclude all gcc 8's extra .cold functions
+              elsif fn =~ /^.*\.cold\.\d+$/
+                next
+              end
+              if %w(t w).include?(t.downcase) \
+                 && /#{event_re}/ =~ fn \
+                 && !blacklist.include?(fn)
+                fns << fn
+              end
+            end
+          end
+        end
+        fns = fns.uniq
+        return fns.empty? ? nil : fns
+      end
+
+      def check_path_symbol(module_, symname, addr, pid)
+        sym = Clib::BCCSymbol.malloc
+        c_pid = pid == -1 ? 0 : pid
+        if Clib.bcc_resolve_symname(module_, symname, (addr || 0x0), c_pid, nil, sym) < 0
+          raise("could not determine address of symbol %s" % symname)
+        end
+        module_path = Clib.__extract_char sym.module
+        # XXX: need to free char* in ruby ffi?
+        Clib.bcc_procutils_free(sym.module)
+        return module_path, sym.offset
+      end
+
+      def decode_table_type(desc)
+        return desc if desc.is_a?(String)
+
+        anon = []
+        fields = []
+        # e.g. ["bpf_stacktrace", [["ip", "unsigned long long", [127]]], "struct_packed"]
+        name, typedefs, data_type = desc
+        typedefs.each do |field|
+          case field.size
+          when 2
+            fields << "#{decode_table_type(field[1])} #{field[0]}"
+          when 3
+            ftype = field.last
+            if ftype.is_a?(Array)
+              fields << "#{decode_table_type(field[1])}[#{ftype[0]}] #{field[0]}"
+            elsif ftype.is_a?(Integer)
+              warn("Warning: Ruby fiddle does not support bitfield member, ignoring")
+              warn("Adding member `#{field[1]} #{field[0]}:#{ftype}'")
+              fields << "#{decode_table_type(field[1])} #{field[0]}"
+            elsif %w(union struct struct_packed).in?(ftype)
+              name = field[0]
+              if name.empty?
+                name = "__anon%d" % anon.size
+                anon << name
+              end
+              # FIXME: nested struct
+              fields << "#{decode_table_type(field)} #{name}"
+            else
+              raise("Failed to decode type #{field.inspect}")
+            end
+          else
+            raise("Failed to decode type #{field.inspect}")
+          end
+        end
+        if data_type == "union"
+          return Fiddle::Importer.union(fields)
+        else
+          return Fiddle::Importer.struct(fields)
+        end
+      end
+
+      def sym(addr, pid, show_module: false, show_offset: false, demangle: true)
+        # FIXME: case of typeofaddr.find('bpf_stack_build_id')
+        #s = Clib::BCCSymbol.malloc
+        #b = Clib::BCCStacktraceBuildID.malloc
+        #b.status = addr.status
+        #b.build_id = addr.build_id
+        #b.u = addr.offset
+        #Clib.bcc_buildsymcache_resolve(BPF.bsymcache, b, s)
+
+        name, offset_, module_ = SymbolCache.cache(pid).resolve(addr, demangle)
+        offset = (show_offset && name) ? ("+0x%x" % offset_) : ""
+        name = name || "[unknown]"
+        name = name + offset
+        module_ = (show_module && module_) ? " [#{File.basename.basename(module_)}]" : ""
+        return name + module_
+      end
+    end
+
     def initialize(text:, debug: 0, cflags: [], usdt_contexts: [], allow_rlimit: 0)
       @kprobe_fds = {}
       @uprobe_fds = {}
@@ -96,9 +232,26 @@ module RbBCC
     end
 
     def attach_uprobe(name: "", sym: "", addr: nil, fn_name: "", pid: -1)
+      path, addr = BCC.check_path_symbol(name, sym, addr, pid)
+
+      fn = load_func(fn_name, BPF::KPROBE)
+      ev_name = to_uprobe_evname("p", path, addr, pid)
+      fd = Clib.bpf_attach_uprobe(fn[:fd], 0, ev_name, path, addr, pid)
+      if fd < 0
+        raise SystemCallError.new(Fiddle.last_error)
+      end
+      puts "Attach: #{ev_name}"
+
+      @uprobe_fds[ev_name] = fd
+      [ev_name, fd]
+    end
+
+    def attach_uretprobe(name: "", sym: "", addr: nil, fn_name: "", pid: -1)
+      path, addr = BCC.check_path_symbol(name, sym, addr, pid)
+
       fn = load_func(fn_name, BPF::KPROBE)
-      ev_name = to_uprobe_evname("p", name, addr, pid)
-      fd = Clib.bpf_attach_uprobe(fn[:fd], 0, ev_name, name, addr, pid)
+      ev_name = to_uprobe_evname("r", path, addr, pid)
+      fd = Clib.bpf_attach_uprobe(fn[:fd], 1, ev_name, path, addr, pid)
       if fd < 0
         raise SystemCallError.new(Fiddle.last_error)
       end
@@ -155,15 +308,22 @@ module RbBCC
     end
 
     def trace_fields(&do_each_line)
+      ret = []
       while buf = trace_readline
         next if buf.start_with? "CPU:"
         task = buf[0..15].lstrip()
-        meta, _addr, msg = buf[17..-1].split(": ")
+        meta, _addr, msg = buf[17..-1].split(": ", 3)
         pid, cpu, flags, ts = meta.split(" ")
         cpu = cpu[1..-2]
 
-        do_each_line.call(task, pid, cpu, flags, ts, msg)
+        if do_each_line
+          do_each_line.call(task, pid, cpu, flags, ts, msg)
+        else
+          ret = [task, pid, cpu, flags, ts, msg]
+          break
+        end
       end
+      ret
     end
 
     def cleanup
@@ -189,13 +349,14 @@ module RbBCC
       unless keytype
         key_desc = Clib.bpf_table_key_desc(@module, name)
         raise("Failed to load BPF Table #{name} key desc") if key_desc.null?
-        keytype = eval(key_desc.to_extracted_char_ptr) # XXX: parse as JSON?
+        keytype = BCC.decode_table_type(eval(key_desc.to_extracted_char_ptr))
       end
 
       unless leaftype
         leaf_desc = Clib.bpf_table_leaf_desc(@module, name)
         raise("Failed to load BPF Table #{name} leaf desc") if leaf_desc.null?
-        leaftype = eval(leaf_desc.to_extracted_char_ptr)
+
+        leaftype = BCC.decode_table_type(eval(leaf_desc.to_extracted_char_ptr))
       end
       return Table.new(self, map_id, map_fd, keytype, leaftype, name, reducer: reducer)
     end

data/lib/rbbcc/clib.rb

@@ -81,14 +81,32 @@ module RbBCC
                          "const char *module",
                          "unsigned long offset"
                  ])
-
+    BCCSymbolOption = struct([
+                               'int use_debug_file',
+                               'int check_debug_file_crc',
+                               'unsigned int use_symbol_type'
+                             ])
+    BCCIPOffsetUnion = union(['unsigned long long offset', 'unsigned long long ip'])
+    BCCStacktraceBuildID = \
+      struct([
+               'unsigned int status',
+               'unsigned char[20] build_id',
+               'unsigned long long u' # truly union
+             ])
+    extern 'int bcc_resolve_symname(char *module, char *symname,
+                        unsigned long long addr, int pid,
+                        struct bcc_symbol_option* option,
+                        struct bcc_symbol *sym)'
     extern 'void * bcc_symcache_new(int, void *)'
     extern 'void bcc_free_symcache(void *, int)'
     extern 'int bcc_symcache_resolve(void *, unsigned long, void *)'
     extern 'int bcc_symcache_resolve_no_demangle(void *, unsigned long, void *)'
     extern 'int bcc_symcache_resolve_name(void *, char *, char *, unsigned long long *)'
+    extern 'void bcc_symbol_free_demangle_name(struct bcc_symbol *sym)'
 
     extern 'int perf_reader_poll(int num_readers, struct perf_reader **readers, int timeout)'
+
+    extern 'void bcc_procutils_free(const char *ptr)'
   end
 end
 

data/lib/rbbcc/symbol_cache.rb

@@ -24,21 +24,21 @@ module RbBCC
     end
 
     def resolve(addr, demangle)
-      sym = Clib::BCCSymcache.malloc
+      sym = Clib::BCCSymbol.malloc
       ret = if demangle
               Clib.bcc_symcache_resolve(@cache, addr, sym)
             else
               Clib.bcc_symcache_resolve_no_demangle(@cache, addr, sym)
             end
-      if res < 0
+      if ret < 0
         return [nil, addr, nil]
       end
 
       if demangle
-        name_res = sym.demangle_name
-        # Clib.bcc_symbol_free_demangle_name(sym)
+        name_res = Clib.__extract_char(sym.demangle_name)
+        Clib.bcc_symbol_free_demangle_name(sym)
       else
-        name_res = sym.name
+        name_res = Clib.__extract_char(sym.name)
       end
 
       return [name_res, sym.offset, Clib.__extract_char(sym.module)]

data/lib/rbbcc/table.rb

@@ -29,10 +29,13 @@ module RbBCC
       ttype = Clib.bpf_table_type_id(bpf.module, map_id)
       case ttype
       when BPF_MAP_TYPE_HASH
+        HashTable.new(bpf, map_id, map_fd, keytype, leaftype)
       when BPF_MAP_TYPE_ARRAY
         ArrayTable.new(bpf, map_id, map_fd, keytype, leaftype)
       when BPF_MAP_TYPE_PERF_EVENT_ARRAY
         PerfEventArray.new(bpf, map_id, map_fd, keytype, leaftype, name: name)
+      when BPF_MAP_TYPE_STACK_TRACE
+        StackTrace.new(bpf, map_id, map_fd, keytype, leaftype)
       else
         raise "Unknown table type #{ttype}"
       end
@@ -46,12 +49,13 @@ module RbBCC
 
     def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
       @bpf, @map_id, @map_fd, @keysize, @leafsize = \
-        bpf, map_id, map_fd, sizeof(keytype), sizeof(leaftype)
+                                        bpf, map_id, map_fd, sizeof(keytype), sizeof(leaftype)
+      @leaftype = leaftype
       @ttype = Clib.bpf_table_type_id(self.bpf.module, self.map_id)
       @flags = Clib.bpf_table_flags_id(self.bpf.module, self.map_id)
       @name = name
     end
-    attr_reader :bpf, :map_id, :map_fd, :keysize, :leafsize, :ttype, :flags, :name
+    attr_reader :bpf, :map_id, :map_fd, :keysize, :leafsize, :leaftype, :ttype, :flags, :name
 
     def next(key)
       next_key = Fiddle::Pointer.malloc(self.keysize)
@@ -175,6 +179,9 @@ module RbBCC
     end
   end
 
+  class HashTable < TableBase
+  end
+
   class ArrayTable < TableBase
     def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
       super
@@ -326,4 +333,33 @@ module RbBCC
       @_open_key_fds[cpu] = -1
     end
   end
+
+  class StackTrace < TableBase
+    MAX_DEPTH = 127
+    BPF_F_STACK_BUILD_ID = (1<<5)
+    BPF_STACK_BUILD_ID_EMPTY =  0 #can't get stacktrace
+    BPF_STACK_BUILD_ID_VALID = 1 #valid build-id,ip
+    BPF_STACK_BUILD_ID_IP = 2 #fallback to ip
+
+    def get_stack(stack_id)
+      key = stack_id.is_a?(Fiddle::Pointer) ? stack_id : byref(stack_id, @keysize)
+      leaftype.new(self[stack_id])
+    end
+
+    def walk(stack_id, resolve: nil, &blk)
+      addrs = if (flags & BPF_F_STACK_BUILD_ID).nonzero?
+                get_stack(stack_id).trace[0..MAX_DEPTH]
+              else
+                get_stack(stack_id).ip[0..MAX_DEPTH]
+              end
+      addrs.each do |addr|
+        break if addr.zero?
+        if resolve
+          blk.call(resolve.call(addr))
+        else
+          blk.call(addr)
+        end
+      end
+    end
+  end
 end

data/lib/rbbcc/version.rb

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Uchio Kondo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-17 00:00:00.000000000 Z
+date: 2019-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -69,12 +69,18 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- docs/README.md
+- docs/getting_started.md
 - examples/bitehist.rb
 - examples/dddos.rb
+- examples/disksnoop.rb
 - examples/example.gif
 - examples/extract_arg.rb
+- examples/hello_fields.rb
 - examples/hello_perf_output.rb
 - examples/hello_world.rb
+- examples/kvm_hypercall.rb
+- examples/mallocstack.rb
 - examples/usdt-test.rb
 - examples/usdt.rb
 - lib/rbbcc.rb