rbbcc 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ccce892b1f35442a6a076717e95ff3d0dd1f3ea9b7454042ea1ed6edcafdf3ef
-  data.tar.gz: 928a6c4f96aec375d0d736122fefbbcfcabaafcb5be6ee0945facfcc59c8521a
+  metadata.gz: 7d467cf3f971af1d5a6cc25342768dc87c50edd97cc236fa2610e4de5a49fe45
+  data.tar.gz: 83495ff5a1dc88c671db426690e1075641cb50dd6734f078a8e082f32a148e4e
 SHA512:
-  metadata.gz: 0b9aefc4bec5f184ae268fe4191bb5de1271e52ce8a6198fe38bae9e558dd273f4c893675581c9d0700d67a3e55d5b5a961d145431ed9ca01785ed4e9183af19
-  data.tar.gz: 9b5dabad56e3ee0453473aeca770251ba3453cb0e822503c0ad86fc8016a2768a62444b05191303e6a11bdd88aaf353097d691dc1e59d12cb41bf4d694b68f47
+  metadata.gz: 35f38c830eb046b72da90dddff2e9f6e050a34b0c0bb82c372bdcc144ab82bab3ba3e8ec6450879f3d086f7d4437f99fdb55b54f4b204974c9fa0fb2940892bc
+  data.tar.gz: 9f14a1979cf8892920b443915f5773e743562ae5f391ed0e9bdbaa97d0524932f0c4fa1a5397f4987a0e5c4bf2d404755c6eb55bd0cd6a687279fcce4bc66e63

data/docs/README.md

@@ -2,4 +2,4 @@
 
 * [Getting Started](getting_started.md)
 
-**Please see also [BCC itselfe's README](https://github.com/iovisor/bcc/#readme) and [docs](https://github.com/iovisor/bcc/tree/master/docs).** 
+**Please see also [BCC itself's README](https://github.com/iovisor/bcc/#readme) and [docs](https://github.com/iovisor/bcc/tree/master/docs).** 

data/examples/extract_arg.rb

@@ -5,14 +5,22 @@ include RbBCC
 
 code = <<CLANG
 #include <uapi/linux/ptrace.h>
-int kprobe__sys_execve(struct pt_regs *ctx) {
-  if (!PT_REGS_PARM1(ctx))
-    return 0;
-  char str[80] = {};
-  bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
-  bpf_trace_printk("execve detected: %s\\n", &str);
+#define ARGSIZE 128
+
+// must be syscall__${the_name} ?
+int syscall__execve(struct pt_regs *ctx,
+    const char __user *filename,
+    const char __user *const __user *__argv,
+    const char __user *const __user *__envp)
+{
+  char buf[ARGSIZE] = {};
+  bpf_probe_read(buf, sizeof(buf), (void *)filename);
+  bpf_trace_printk("execve: %s\\n", &buf);
+
   return 0;
 }
 CLANG
 
-BCC.new(text: code).trace_print
+b = BCC.new(text: code)
+b.attach_kprobe(event: b.get_syscall_fnname("execve"), fn_name: "syscall__execve")
+b.trace_print

data/examples/tools/execsnoop.rb

@@ -0,0 +1,229 @@
+#!/usr/bin/env ruby
+#
+# execsnoop Trace new processes via exec() syscalls.
+#           For Linux, uses BCC, eBPF. Embedded C.
+# originally from tools/execsnoop.py
+#
+# USAGE: execsnoop [-h] [-t] [-x] [-n NAME]
+#
+# This currently will print up to a maximum of 19 arguments, plus the process
+# name, so 20 fields in total (MAXARG).
+#
+# This won't catch all new processes: an application may fork() but not exec().
+#
+# Copyright 2016 Netflix, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License")
+#
+# 07-Feb-2016   Brendan Gregg   Created execsnoop.py.
+
+require 'optparse'
+require 'ostruct'
+require 'rbbcc'
+include RbBCC
+
+examples = <<USAGE
+examples:
+    ./execsnoop.rb           # trace all exec() syscalls
+    ./execsnoop.rb -x        # include failed exec()s
+    ./execsnoop.rb -t        # include timestamps
+    ./execsnoop.rb -q        # add "quotemarks" around arguments
+    ./execsnoop.rb -n main   # only print command lines containing "main"
+    ./execsnoop.rb -l tpkg   # only print command where arguments contains "tpkg"
+USAGE
+
+args = OpenStruct.new
+parser = OptionParser.new
+parser.banner = <<BANNER
+usage: execsnoop.rb [-h] [-t] [-x] [-q] [-n NAME] [-l LINE]
+                    [--max-args MAX_ARGS]
+
+Trace exec() syscalls
+
+optional arguments:
+BANNER
+parser.on("-t", "--timestamp", "include timestamp on output") {|v| args.timestamp = v }
+parser.on("-x", "--fails",     "include failed exec()s") {|v| args.fails = v }
+parser.on("-q", "--quote",     "Add quotemarks (\") around arguments.") {|v| args.quote = v }
+parser.on("-n", "--name NAME", "only print commands matching this name (regex), any arg") {|v| args.name = v }
+parser.on("-l", "--line LINE", "only print commands where arg contains this line (regex)") {|v| args.line = v }
+parser.on("--max-args MAX_ARGS", "maximum number of arguments parsed and displayed, defaults to 20") {|v| args.max_arges = v }
+parser.on("--ebpf") {|v| opt.ebpf = v }
+
+parser.on_tail("-h", "--help", "show this help message and exit") do
+  puts parser
+  puts
+  puts examples
+  exit
+end
+
+parser.parse!
+args.max_arges ||= "20"
+
+bpf_text = <<CLANG
+#include <uapi/linux/ptrace.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+
+#define ARGSIZE  128
+
+enum event_type {
+    EVENT_ARG,
+    EVENT_RET,
+};
+
+struct data_t {
+    u32 pid;  // PID as in the userspace term (i.e. task->tgid in kernel)
+    u32 ppid; // Parent PID as in the userspace term (i.e task->real_parent->tgid in kernel)
+    char comm[TASK_COMM_LEN];
+    enum event_type type;
+    char argv[ARGSIZE];
+    int retval;
+};
+
+BPF_PERF_OUTPUT(events);
+
+static int __submit_arg(struct pt_regs *ctx, void *ptr, struct data_t *data)
+{
+    bpf_probe_read(data->argv, sizeof(data->argv), ptr);
+    events.perf_submit(ctx, data, sizeof(struct data_t));
+    return 1;
+}
+
+static int submit_arg(struct pt_regs *ctx, void *ptr, struct data_t *data)
+{
+    const char *argp = NULL;
+    bpf_probe_read(&argp, sizeof(argp), ptr);
+    if (argp) {
+        return __submit_arg(ctx, (void *)(argp), data);
+    }
+    return 0;
+}
+
+int syscall__execve(struct pt_regs *ctx,
+    const char __user *filename,
+    const char __user *const __user *__argv,
+    const char __user *const __user *__envp)
+{
+    // create data here and pass to submit_arg to save stack space (#555)
+    struct data_t data = {};
+    struct task_struct *task;
+
+    data.pid = bpf_get_current_pid_tgid() >> 32;
+
+    task = (struct task_struct *)bpf_get_current_task();
+    // Some kernels, like Ubuntu 4.13.0-generic, return 0
+    // as the real_parent->tgid.
+    // We use the get_ppid function as a fallback in those cases. (#1883)
+    data.ppid = task->real_parent->tgid;
+
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+    data.type = EVENT_ARG;
+
+    __submit_arg(ctx, (void *)filename, &data);
+
+    // skip first arg, as we submitted filename
+    #pragma unroll
+    for (int i = 1; i < MAXARG; i++) {
+        if (submit_arg(ctx, (void *)&__argv[i], &data) == 0)
+             goto out;
+    }
+
+    // handle truncated argument list
+    char ellipsis[] = "...";
+    __submit_arg(ctx, (void *)ellipsis, &data);
+out:
+    return 0;
+}
+
+int do_ret_sys_execve(struct pt_regs *ctx)
+{
+    struct data_t data = {};
+    struct task_struct *task;
+
+    data.pid = bpf_get_current_pid_tgid() >> 32;
+
+    task = (struct task_struct *)bpf_get_current_task();
+    // Some kernels, like Ubuntu 4.13.0-generic, return 0
+    // as the real_parent->tgid.
+    // We use the get_ppid function as a fallback in those cases. (#1883)
+    data.ppid = task->real_parent->tgid;
+
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+    data.type = EVENT_RET;
+    data.retval = PT_REGS_RC(ctx);
+    events.perf_submit(ctx, &data, sizeof(data));
+
+    return 0;
+}
+CLANG
+
+EVENT_ARG = 0
+EVENT_RET = 1
+
+# This is best-effort PPID matching. Short-lived processes may exit
+# before we get a chance to read the PPID.
+# This is a fallback for when fetching the PPID from task->real_parent->tgip
+# returns 0, which happens in some kernel versions.
+def get_ppid(pid)
+  line = File.read("/proc/%d/status" % pid).lines.grep(/^PPid:/)
+  if line.empty?
+    0
+  else
+    line[0].split[1].to_i
+  end
+rescue
+  0
+end
+
+bpf_text.sub!("MAXARG", args.max_args)
+if args.ebpf
+  puts(bpf_text)
+  exit
+end
+
+b = BCC.new(text: bpf_text)
+execve_fnname = b.get_syscall_fnname("execve")
+b.attach_kprobe(event: execve_fnname, fn_name: "syscall__execve")
+b.attach_kretprobe(event: execve_fnname, fn_name: "do_ret_sys_execve")
+
+printf("%-8s", "TIME(s)") if args.timestamp
+printf("%-16s %-6s %-6s %3s %s\n", "PCOMM", "PID", "PPID", "RET", "ARGS")
+
+start_ts = Time.now.to_f
+argv = []
+
+b["events"].open_perf_buffer do |cpu, data, size|
+  event = b["events"].event(data)
+  skip = false
+  if event.type == EVENT_ARG
+    argv[event.pid] ||= []
+    argv[event.pid] << event.argv
+  elsif event.type == EVENT_RET
+    skip = true if event.retval != 0 && !args.fails
+    skip = true if args.name && /#{args.name}/ !~ event.comm
+    skip = true if args.line && /#{args.line}/ !~ argv[event.pid].join(' ')
+    if args.quote
+      argv[event.pid] = argv[event.pid].map{|arg| '"' + arg.gsub(/\"/, '\\"') + '"' }
+    end
+
+    unless skip
+      ppid_ = event.ppid > 0 ? event.ppid : get_ppid(event.pid)
+      ppid = ppid_ > 0 ? ppid_.to_s : "?"
+      # FIXME: get empty argv[pid] in some cases...
+      argv_text = argv[event.pid].join(' ').gsub(/\n/, '\\n') rescue ""
+      printf("%-8.3f", (Time.now.to_f - start_ts)) if args.timestamp
+      printf("%-16s %-6d %-6s %3d %s\n",
+             event.comm, event.pid, ppid, event.retval, argv_text)
+    end
+
+    argv[event.pid] = nil
+  end
+end
+
+loop do
+  begin
+    b.perf_buffer_poll()
+  rescue Interrupt
+    exit
+  end
+end

data/examples/tools/runqlat.rb

@@ -0,0 +1,148 @@
+#!/usr/bin/env ruby
+# @lint-avoid-python-3-compatibility-imports
+#
+# runqlat   Run queue (scheduler) latency as a histogram.
+#           For Linux, uses BCC, eBPF.
+#
+# USAGE: runqlat [-h] [-T] [-m] [-P] [-L] [-p PID] [interval] [count]
+#
+# This measures the time a task spends waiting on a run queue for a turn
+# on-CPU, and shows this time as a histogram. This time should be small, but a
+# task may need to wait its turn due to CPU load.
+#
+# This measures two types of run queue latency:
+# 1. The time from a task being enqueued on a run queue to its context switch
+#    and execution. This traces ttwu_do_wakeup(), wake_up_new_task() ->
+#    finish_task_switch() with either raw tracepoints (if supported) or kprobes
+#    and instruments the run queue latency after a voluntary context switch.
+# 2. The time from when a task was involuntary context switched and still
+#    in the runnable state, to when it next executed. This is instrumented
+#    from finish_task_switch() alone.
+#
+# Copyright 2016 Netflix, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License")
+#
+# 07-Feb-2016   Brendan Gregg   Created this.
+
+require 'rbbcc'
+include RbBCC
+
+bpf_text = <<TXT
+#include <uapi/linux/ptrace.h>
+#include <linux/sched.h>
+#include <linux/nsproxy.h>
+#include <linux/pid_namespace.h>
+
+typedef struct pid_key {
+    u64 id;    // work around
+    u64 slot;
+} pid_key_t;
+
+typedef struct pidns_key {
+    u64 id;    // work around
+    u64 slot;
+} pidns_key_t;
+
+BPF_HASH(start, u32);
+STORAGE
+
+struct rq;
+
+// record enqueue timestamp
+static int trace_enqueue(u32 tgid, u32 pid)
+{
+    if (FILTER || pid == 0)
+        return 0;
+    u64 ts = bpf_ktime_get_ns();
+    start.update(&pid, &ts);
+    return 0;
+}
+TXT
+
+bpf_text_raw_tp = <<TXT
+RAW_TRACEPOINT_PROBE(sched_wakeup)
+{
+    // TP_PROTO(struct task_struct *p)
+    struct task_struct *p = (struct task_struct *)ctx->args[0];
+    return trace_enqueue(p->tgid, p->pid);
+}
+
+RAW_TRACEPOINT_PROBE(sched_wakeup_new)
+{
+    // TP_PROTO(struct task_struct *p)
+    struct task_struct *p = (struct task_struct *)ctx->args[0];
+    return trace_enqueue(p->tgid, p->pid);
+}
+
+RAW_TRACEPOINT_PROBE(sched_switch)
+{
+    // TP_PROTO(bool preempt, struct task_struct *prev, struct task_struct *next)
+    struct task_struct *prev = (struct task_struct *)ctx->args[1];
+    struct task_struct *next = (struct task_struct *)ctx->args[2];
+    u32 pid, tgid;
+
+    // ivcsw: treat like an enqueue event and store timestamp
+    if (prev->state == TASK_RUNNING) {
+        tgid = prev->tgid;
+        pid = prev->pid;
+        if (!(FILTER || pid == 0)) {
+            u64 ts = bpf_ktime_get_ns();
+            start.update(&pid, &ts);
+        }
+    }
+
+    tgid = next->tgid;
+    pid = next->pid;
+    if (FILTER || pid == 0)
+        return 0;
+    u64 *tsp, delta;
+
+    // fetch timestamp and calculate delta
+    tsp = start.lookup(&pid);
+    if (tsp == 0) {
+        return 0;   // missed enqueue
+    }
+    delta = bpf_ktime_get_ns() - *tsp;
+    FACTOR
+
+    // store as histogram
+    STORE
+
+    start.delete(&pid);
+    return 0;
+}
+TXT
+
+is_support_raw_tp = BCC.support_raw_tracepoint
+if is_support_raw_tp
+  bpf_text += bpf_text_raw_tp
+else
+  raise "BCC.support_raw_tracepoint is false; Unsupported kernel version: ${`uname -a`.chomp}"
+end
+
+bpf_text.gsub!('FILTER', '0')
+bpf_text.gsub!('FACTOR', 'delta /= 1000;')
+label = "usecs"
+bpf_text.gsub!('STORAGE', 'BPF_HISTOGRAM(dist);')
+bpf_text.gsub!('STORE',
+        'dist.increment(bpf_log2l(delta));')
+section = ""
+
+b = BCC.new(text: bpf_text)
+
+puts("Tracing run queue latency... Hit Ctrl-C to end.")
+
+# TODO: interval
+loop do
+  begin
+    sleep 1
+  rescue Interrupt
+    puts
+    break
+  end
+end
+
+dist = b.get_table("dist")
+dist.print_log2_hist(label, section_header: section, section_print_fn: :to_i)
+# dist.clear()
+exit

data/examples/urandomread-explicit.rb

@@ -0,0 +1,56 @@
+#!/usr/bin/env ruby
+#
+# urandomread-explicit.rb Example of instrumenting a kernel tracepoint.
+#                         For Linux, uses BCC, BPF. Embedded C.
+# Originally urandomread-explicit.py in BCC
+#
+# This is an older example of instrumenting a tracepoint, which defines
+# the argument struct and makes an explicit call to attach_tracepoint().
+# See urandomread for a newer version that uses TRACEPOINT_PROBE().
+#
+# REQUIRES: Linux 4.7+ (BPF_PROG_TYPE_TRACEPOINT support).
+#
+# Test by running this, then in another shell, run:
+#     dd if=/dev/urandom of=/dev/null bs=1k count=5
+#
+# Copyright 2016 Netflix, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License")
+
+require 'rbbcc'
+include RbBCC
+
+# define BPF program
+bpf_text = <<CLANG
+#include <uapi/linux/ptrace.h>
+
+struct urandom_read_args {
+    // from /sys/kernel/debug/tracing/events/random/urandom_read/format
+    u64 __unused__;
+    u32 got_bits;
+    u32 pool_left;
+    u32 input_left;
+};
+
+int printarg(struct urandom_read_args *args) {
+    bpf_trace_printk("%d\\n", args->got_bits);
+    return 0;
+}
+CLANG
+
+# load BPF program
+b = BCC.new(text: bpf_text)
+b.attach_tracepoint(tp: "random:urandom_read", fn_name: "printarg")
+
+# header
+printf("%-18s %-16s %-6s %s\n", "TIME(s)", "COMM", "PID", "GOTBITS")
+
+# format output
+loop do
+  begin
+    b.trace_fields do |task, pid, cpu, flags, ts, msg|
+      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
+    end
+  rescue Interrupt
+    exit
+  end
+end

data/examples/urandomread.rb

@@ -0,0 +1,37 @@
+#!/usr/bin/env ruby
+#
+# urandomread.rb Example of instrumenting a kernel tracepoint.
+#                For Linux, uses BCC, BPF. Embedded C.
+#
+# REQUIRES: Linux 4.7+ (BPF_PROG_TYPE_TRACEPOINT support).
+#
+# Test by running this, then in another shell, run:
+#     dd if=/dev/urandom of=/dev/null bs=1k count=5
+#
+# Copyright 2016 Netflix, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License")
+
+require 'rbbcc'
+include RbBCC
+
+b = BCC.new(text: %|
+TRACEPOINT_PROBE(random, urandom_read) {
+    // args is from /sys/kernel/debug/tracing/events/random/urandom_read/format
+    bpf_trace_printk("%d\\n", args->got_bits);
+    return 0;
+}
+|)
+
+# header
+printf("%-18s %-16s %-6s %s\n", "TIME(s)", "COMM", "PID", "GOTBITS")
+
+# format output
+loop do
+  begin
+    b.trace_fields do |task, pid, cpu, flags, ts, msg|
+      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
+    end
+  rescue Interrupt
+    exit
+  end
+end

data/lib/rbbcc/bcc.rb

@@ -14,6 +14,20 @@ module RbBCC
 
   class BCC
     class << self
+      def ksym(addr, show_module: false, show_offset: false)
+        self.sym(addr, -1, show_module: show_module, show_offset: show_offset, demangle: false)
+      end
+
+      def ksymname(name)
+        SymbolCache.resolve_global(name)
+      end
+
+      def support_raw_tracepoint
+        # kernel symbol "bpf_find_raw_tracepoint"
+        # indicates raw_tracepint support
+        ksymname("bpf_find_raw_tracepoint") || ksymname("bpf_get_raw_tracepoint")
+      end
+
       def get_kprobe_functions(event_re)
         blacklist = []
         fns = []
@@ -152,6 +166,8 @@ module RbBCC
     def initialize(text:, debug: 0, cflags: [], usdt_contexts: [], allow_rlimit: 0)
       @kprobe_fds = {}
       @uprobe_fds = {}
+      @tracepoint_fds = {}
+      @raw_tracepoint_fds = {}
       @usdt_contexts = usdt_contexts
       if code = gen_args_from_usdt
         text = code + text
@@ -191,12 +207,7 @@ module RbBCC
         return nil
       end
 
-      idx = 0
-      while ptr[idx, 1] != "\x00"
-        idx += 1
-      end
-      ptr.size = idx + 1
-      ptr.to_s
+      Clib.__extract_char ptr
     end
 
     def load_func(func_name, prog_type)
@@ -219,12 +230,52 @@ module RbBCC
       return fnobj
     end
 
+    def attach_tracepoint(tp: "", tp_re: "", fn_name: "")
+      fn = load_func(fn_name, BPF::TRACEPOINT)
+      tp_category, tp_name = tp.split(':')
+      fd = Clib.bpf_attach_tracepoint(fn[:fd], tp_category, tp_name)
+      if fd < 0
+        raise SystemCallError.new("Failed to attach BPF program #{fn_name} to tracepoint #{tp}", Fiddle.last_error)
+      end
+      puts "Attach: #{tp}"
+      @tracepoint_fds[tp] = fd
+      self
+    end
+
+    def attach_raw_tracepoint(tp: "", fn_name: "")
+      if @raw_tracepoint_fds.keys.include?(tp)
+        raise "Raw tracepoint #{tp} has been attached"
+      end
+
+      fn = load_func(fn_name, BPF::RAW_TRACEPOINT)
+      fd = Clib.bpf_attach_raw_tracepoint(fn[:fd], tp)
+      if fd < 0
+        raise SystemCallError.new("Failed to attach BPF program #{fn_name} to raw tracepoint #{tp}", Fiddle.last_error)
+      end
+      puts "Attach: #{tp}"
+      @raw_tracepoint_fds[tp] = fd
+      self
+    end
+
     def attach_kprobe(event:, fn_name:, event_off: 0)
       fn = load_func(fn_name, BPF::KPROBE)
       ev_name = "p_" + event.gsub(/[\+\.]/, "_")
       fd = Clib.bpf_attach_kprobe(fn[:fd], 0, ev_name, event, event_off, 0)
       if fd < 0
-        raise SystemCallError.new(Fiddle.last_error)
+        raise SystemCallError.new("Failed to attach BPF program #{fn_name} to kprobe #{event}", Fiddle.last_error)
+      end
+      puts "Attach: #{ev_name}"
+      @kprobe_fds[ev_name] = fd
+      [ev_name, fd]
+    end
+
+    def attach_kretprobe(event:, fn_name:, event_re: nil, maxactive: 0)
+      # TODO: if event_re ...
+      fn = load_func(fn_name, BPF::KPROBE)
+      ev_name = "r_" + event.gsub(/[\+\.]/, "_")
+      fd = Clib.bpf_attach_kprobe(fn[:fd], 1, ev_name, event, 0, maxactive)
+      if fd < 0
+        raise SystemCallError.new("Failed to attach BPF program #{fn_name} to kretprobe #{event}", Fiddle.last_error)
       end
       puts "Attach: #{ev_name}"
       @kprobe_fds[ev_name] = fd
@@ -261,6 +312,34 @@ module RbBCC
       [ev_name, fd]
     end
 
+    def detach_tracepoint(tp)
+      unless @tracepoint_fds.keys.include?(tp)
+        raise "Tracepoint #{tp} is not attached"
+      end
+      res = Clib.bpf_close_perf_event_fd(@tracepoint_fds[tp])
+      if res < 0
+        raise "Failed to detach BPF from tracepoint"
+      end
+      tp_category, tp_name = tp.split(':')
+      res = Clib.bpf_detach_tracepoint(tp_category, tp_name)
+      if res < 0
+        raise "Failed to detach BPF from tracepoint"
+      end
+      @tracepoint_fds.delete(tp)
+    end
+
+    def detach_raw_tracepoint(tp)
+      unless @raw_tracepoint_fds.keys.include?(tp)
+        raise "Raw tracepoint #{tp} is not attached"
+      end
+      begin
+        File.for_fd(@raw_tracepoint_fds[tp]).close
+      rescue => e
+        warn "Closing fd failed: #{e.inspect}. Ignore and skip"
+      end
+      @tracepoint_fds.delete(tp)
+    end
+
     def detach_kprobe_event(ev_name)
       unless @kprobe_fds.keys.include?(ev_name)
         raise "Event #{ev_name} not registered"
@@ -287,6 +366,18 @@ module RbBCC
       @uprobe_fds.delete(ev_name)
     end
 
+    def num_open_kprobes
+      @kprobe_fds.size
+    end
+
+    def num_open_uprobes
+      @uprobe_fds.size
+    end
+
+    def num_open_tracepoints
+      @tracepoint_fds.size
+    end
+
     def tracefile
       @tracefile ||= File.open("#{TRACEFS}/trace_pipe", "rb")
     end
@@ -335,6 +426,14 @@ module RbBCC
         detach_uprobe_event(k)
       end
 
+      @tracepoint_fds.each do |k, v|
+        detach_tracepoint(k)
+      end
+
+      @raw_tracepoint_fds.each do |k, v|
+        detach_raw_tracepoint(k)
+      end
+
       if @module
         Clib.bpf_module_destroy(@module)
       end
@@ -415,6 +514,26 @@ module RbBCC
             event: fix_syscall_fnname(func_name[8..-1]),
             fn_name: fn[:name]
           )
+        elsif func_name.start_with?("kretprobe__")
+          fn = load_func(func_name, BPF::KPROBE)
+          attach_kretprobe(
+            event: fix_syscall_fnname(func_name[11..-1]),
+            fn_name: fn[:name]
+          )
+        elsif func_name.start_with?("tracepoint__")
+          fn = load_func(func_name, BPF::TRACEPOINT)
+          tp = fn[:name].sub(/^tracepoint__/, "").sub(/__/, ":")
+          attach_tracepoint(
+            tp: tp,
+            fn_name: fn[:name]
+          )
+        elsif func_name.start_with?("raw_tracepoint__")
+          fn = load_func(func_name, BPF::RAW_TRACEPOINT)
+          tp = fn[:name].sub(/^raw_tracepoint__/, "")
+          attach_raw_tracepoint(
+            tp: tp,
+            fn_name: fn[:name]
+          )
         end
       end
     end

data/lib/rbbcc/clib.rb

@@ -38,6 +38,9 @@ module RbBCC
     extern 'int bpf_detach_kprobe(char *)'
     extern 'int bpf_attach_uprobe(int, int, char *, char *, unsigned long, int)'
     extern 'int bpf_detach_uprobe(char *)'
+    extern 'int bpf_attach_tracepoint(int progfd, char *tp_category, char *tp_name)'
+    extern 'int bpf_detach_tracepoint(char *tp_category, char *tp_name)'
+    extern 'int bpf_attach_raw_tracepoint(int progfd, char *tp_name)'
     extern 'int bpf_open_perf_event(unsigned int, unsigned long, int, int)'
     extern 'int bpf_close_perf_event_fd(int)'
     extern 'int bpf_get_first_key(int, void *, int)'

data/lib/rbbcc/table.rb

@@ -279,11 +279,17 @@ module RbBCC
         end
       end
       klass = Fiddle::Importer.struct(fields)
-      if fields.find {|f| f =~ /^char\[(\d+)\] ([_a-zA-Z0-9]+)/ }
-        size = $1
+      char_ps = fields.select {|f| f =~ /^char\[(\d+)\] ([_a-zA-Z0-9]+)/ }
+      unless char_ps.empty?
         m = Module.new do
-          define_method $2 do
-            super().pack("c#{size}").sub(/\0+$/, "")
+          char_ps.each do |char_p|
+            md = /^char\[(\d+)\] ([_a-zA-Z0-9]+)/.match(char_p)
+            define_method md[2] do
+              # Split the char[] in the place where the first \0 appears
+              raw = super()
+              raw = raw[0...raw.index(0)] if raw.index(0)
+              raw.pack("c*")
+            end
           end
         end
         klass.prepend m

data/lib/rbbcc/version.rb

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Uchio Kondo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-21 00:00:00.000000000 Z
+date: 2020-01-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -81,6 +81,10 @@ files:
 - examples/hello_world.rb
 - examples/kvm_hypercall.rb
 - examples/mallocstack.rb
+- examples/tools/execsnoop.rb
+- examples/tools/runqlat.rb
+- examples/urandomread-explicit.rb
+- examples/urandomread.rb
 - examples/usdt-test.rb
 - examples/usdt.rb
 - lib/rbbcc.rb
@@ -114,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.6
 signing_key: 
 specification_version: 4
 summary: BCC port for MRI