rbbcc 0.7.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69a172609924d64c58b36abca26df8fc707505724961ac16d18355441e1d56ff
-  data.tar.gz: e567230d248ba2c79739efdaa3dab96ce302ace021df1639707ee0c7c11aeaa3
+  metadata.gz: 5b46fa6dd0b99e4a178bc00bad497beab5d72426517f3d7b328c29d492e9e8a1
+  data.tar.gz: a5f84fdc89d50621b3dd06eca22aea243efc1991ec053acece136016ccbdfb64
 SHA512:
-  metadata.gz: 10a1ab7568b5c3798ab9e1e35c083bdcef1acabd08d730033283fbf971f9853154a6bff99c15b58b450a891b7bff450285d29c7e08067a2d63d523294f2a2dcd
-  data.tar.gz: fd5ea7879da82d203f22c6351d45b2811a3d5101d0b7996ad205406131c546a5b86fc85d2644066223e79746bd6ccd34106a791b9e239b013ff2a3787840cc27
+  metadata.gz: 532f1d544b56d82e68d5931aac278bf36a850943c3e78e8851c59e56852ebe4f6a3d974fa6c129544f0c7f895696bd9b894f3d033490faff8c408bbd7deed424
+  data.tar.gz: 03de507c9094d850d77253610d2ffe08e2ee4ad97048e742f4c283ce6d8748de68f019a0e247ac826b5cbcbd48664a359ec57c92113f5f4015bc0c0f1984b482

data/Gemfile.lock

@@ -8,7 +8,7 @@ GIT
 PATH
   remote: .
   specs:
-    rbbcc (0.7.0)
+    rbbcc (0.8.0)
 
 GEM
   remote: https://rubygems.org/

data/examples/hello_ring_buffer.rb

@@ -0,0 +1,64 @@
+#!/usr/bin/env ruby
+#
+# This is a Hello World example that uses BPF_PERF_OUTPUT.
+# Ported from hello_perf_output.py
+
+require 'rbbcc'
+include RbBCC
+
+# define BPF program
+prog = """
+#include <linux/sched.h>
+
+struct data_t {
+    u32 pid;
+    u64 ts;
+    char comm[TASK_COMM_LEN];
+};
+BPF_RINGBUF_OUTPUT(buffer, 1 << 4);
+
+int hello(struct pt_regs *ctx) {
+    struct data_t data = {};
+
+    data.pid = bpf_get_current_pid_tgid();
+    data.ts = bpf_ktime_get_ns();
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+    buffer.ringbuf_output(&data, sizeof(data), 0);
+
+    return 0;
+}
+"""
+
+# load BPF program
+b = BCC.new(text: prog)
+b.attach_kprobe(event: b.get_syscall_fnname("clone"), fn_name: "hello")
+
+# header
+puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "MESSAGE"])
+
+# process event
+start = 0
+print_event = lambda { |ctx, data, size|
+  event = b["buffer"].event(data)
+  if start == 0
+    start = event.ts
+  end
+
+  time_s = ((event.ts - start).to_f) / 1000000000
+  # event.comm.pack("c*").sprit
+  puts("%-18.9f %-16s %-6d %s" % [time_s, event.comm, event.pid,
+                                  "Hello, ringbuf!"])
+}
+
+# loop with callback to print_event
+b["buffer"].open_ring_buffer(&print_event)
+
+loop do
+  begin
+    b.ring_buffer_poll()
+    sleep(0.5)
+  rescue Interrupt
+    exit()
+  end
+end

data/examples/syscalluname.rb

@@ -0,0 +1,39 @@
+#!/usr/bin/env ruby
+#
+# syscalluname.rb Example of instrumenting a kernel tracepoint.
+#
+# Copyright 2024 Uchio Kondo
+# Licensed under the Apache License, Version 2.0 (the "License")
+
+require 'rbbcc'
+include RbBCC
+
+b = BCC.new(text: %[
+#include <linux/utsname.h>
+
+TRACEPOINT_PROBE(syscalls, sys_enter_newuname) {
+    // args is from
+    // /sys/kernel/debug/tracing/events/syscalls/sys_enter_newuname/format
+    char release[16];
+    bpf_probe_read_user_str(release, 16, args->name->release);
+    // avoid broken data
+    if (release[0] == '5' || release[0] == '6') {
+        bpf_trace_printk("%s\\n", release);
+    }
+    return 0;
+}
+])
+
+# header
+printf("%-18s %-16s %-6s %s\n", "TIME(s)", "COMM", "PID", "RELEASE")
+
+# format output
+loop do
+  begin
+    b.trace_fields do |task, pid, cpu, flags, ts, msg|
+      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
+    end
+  rescue Interrupt
+    exit
+  end
+end

data/examples/table.rb

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+
+require 'rbbcc'
+include RbBCC
+
+b = BCC.new(text: <<CLANG)
+BPF_HASH(the_table_name, int);
+CLANG
+
+table = b.get_table('the_table_name', leaftype: 'int')
+
+table[10] = 1
+table[20] = 2
+puts table[10].to_bcc_value == 1
+puts table[20].to_bcc_value == 2

data/examples/urandomread-explicit.rb

@@ -16,6 +16,8 @@
 # Copyright 2016 Netflix, Inc.
 # Licensed under the Apache License, Version 2.0 (the "License")
 
+# FIXME: random/urandom_read is removed from newer kernel!!
+
 require 'rbbcc'
 include RbBCC
 

data/examples/urandomread.rb

@@ -11,6 +11,8 @@
 # Copyright 2016 Netflix, Inc.
 # Licensed under the Apache License, Version 2.0 (the "License")
 
+# FIXME: random/urandom_read is removed from newer kernel!!
+
 require 'rbbcc'
 include RbBCC
 

data/lib/rbbcc/bcc.rb

@@ -262,6 +262,7 @@ module RbBCC
       @funcs = {}
       @tables = {}
       @perf_buffers = {}
+      @_ringbuf_manager = nil
 
       unless @module
         raise "BPF module not created"
@@ -555,6 +556,21 @@ module RbBCC
       Clib.perf_reader_poll(readers.size, pack, timeout)
     end
 
+    def _open_ring_buffer(map_fd, fn, ctx)
+      buf = Clib.bpf_new_ringbuf(map_fd, fn, ctx)
+      if !buf
+        raise "Could not open ring buffer"
+      end
+      @_ringbuf_manager ||= buf
+    end
+    
+    def ring_buffer_poll(timeout=-1)
+      unless @_ringbuf_manager
+        raise "No ring buffers to poll"
+      end
+      Clib.bpf_poll_ringbuf(@_ringbuf_manager, timeout)
+    end
+    
     def ksymname(name)
       SymbolCache.resolve_global(name)
     end

data/lib/rbbcc/clib.rb

@@ -133,6 +133,11 @@ module RbBCC
     extern 'size_t bpf_perf_event_fields(void *program, const char *event)'
     extern 'char * bpf_perf_event_field(void *program, const char *event, size_t i)'
 
+    # typedef int (*ring_buffer_sample_fn)(void *ctx, void *data, size_t size);
+    extern 'void * bpf_new_ringbuf(int map_fd, void *sample_cb, void *ctx)'
+    extern 'int bpf_poll_ringbuf(void *rb, int timeout_ms)'
+    extern 'void bpf_free_ringbuf(void *rb)'
+
     extern 'void * bcc_usdt_new_frompid(int, char *)'
     extern 'void * bcc_usdt_new_frompath(char *path)'
     extern 'int bcc_usdt_enable_probe(void *, char *, char *)'

data/lib/rbbcc/table.rb

@@ -5,6 +5,61 @@ require 'rbbcc/disp_helper'
 require 'rbbcc/cpu_helper'
 
 module RbBCC
+  module EventTypeSupported
+    def get_event_class
+      ct_mapping = {
+        's8': 'char',
+        'u8': 'unsined char',
+        's8 *': 'char *',
+        's16': 'short',
+        'u16': 'unsigned short',
+        's32': 'int',
+        'u32': 'unsigned int',
+        's64': 'long long',
+        'u64': 'unsigned long long'
+      }
+
+      array_type = /(.+) \[([0-9]+)\]$/
+      fields = []
+      num_fields = Clib.bpf_perf_event_fields(self.bpf.module, @name)
+      num_fields.times do |i|
+        field = Clib.__extract_char(Clib.bpf_perf_event_field(self.bpf.module, @name, i))
+        field_name, field_type = *field.split('#')
+        if field_type =~ /enum .*/
+          field_type = "int" #it is indeed enum...
+        end
+        if _field_type = ct_mapping[field_type.to_sym]
+          field_type = _field_type
+        end
+
+        m = array_type.match(field_type)
+        if m
+          field_type = "#{m[1]}[#{m[2]}]"
+          fields << [field_type, field_name].join(" ")
+        else
+          fields << [field_type, field_name].join(" ")
+        end
+      end
+      klass = Fiddle::Importer.struct(fields)
+      char_ps = fields.select {|f| f =~ /^char\[(\d+)\] ([_a-zA-Z0-9]+)/ }
+      unless char_ps.empty?
+        m = Module.new do
+          char_ps.each do |char_p|
+            md = /^char\[(\d+)\] ([_a-zA-Z0-9]+)/.match(char_p)
+            define_method md[2] do
+              # Split the char[] in the place where the first \0 appears
+              raw = super()
+              raw = raw[0...raw.index(0)] if raw.index(0)
+              raw.pack("c*")
+            end
+          end
+        end
+        klass.prepend m
+      end
+      klass
+    end
+  end
+  
   module Table
     BPF_MAP_TYPE_HASH = 1
     BPF_MAP_TYPE_ARRAY = 2
@@ -24,6 +79,17 @@ module RbBCC
     BPF_MAP_TYPE_CPUMAP = 16
     BPF_MAP_TYPE_XSKMAP = 17
     BPF_MAP_TYPE_SOCKHASH = 18
+    BPF_MAP_TYPE_CGROUP_STORAGE = 19
+    BPF_MAP_TYPE_REUSEPORT_SOCKARRAY = 20
+    BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE = 21
+    BPF_MAP_TYPE_QUEUE = 22
+    BPF_MAP_TYPE_STACK = 23
+    BPF_MAP_TYPE_SK_STORAGE = 24
+    BPF_MAP_TYPE_DEVMAP_HASH = 25
+    BPF_MAP_TYPE_STRUCT_OPS = 26
+    BPF_MAP_TYPE_RINGBUF = 27
+    BPF_MAP_TYPE_INODE_STORAGE = 28
+    BPF_MAP_TYPE_TASK_STORAGE = 29
 
     def self.new(bpf, map_id, map_fd, keytype, leaftype, name, **kwargs)
       ttype = Clib.bpf_table_type_id(bpf.module, map_id)
@@ -34,6 +100,8 @@ module RbBCC
         ArrayTable.new(bpf, map_id, map_fd, keytype, leaftype)
       when BPF_MAP_TYPE_PERF_EVENT_ARRAY
         PerfEventArray.new(bpf, map_id, map_fd, keytype, leaftype, name: name)
+      when BPF_MAP_TYPE_RINGBUF
+        RingBuf.new(bpf, map_id, map_fd, keytype, leaftype, name: name)
       when BPF_MAP_TYPE_STACK_TRACE
         StackTrace.new(bpf, map_id, map_fd, keytype, leaftype)
       else
@@ -260,6 +328,8 @@ module RbBCC
   end
 
   class PerfEventArray < TableBase
+    include EventTypeSupported
+    
     def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
       super
       @open_key_fds = {}
@@ -285,60 +355,6 @@ module RbBCC
       end
     end
 
-    private
-    def get_event_class
-      ct_mapping = {
-        's8': 'char',
-        'u8': 'unsined char',
-        's8 *': 'char *',
-        's16': 'short',
-        'u16': 'unsigned short',
-        's32': 'int',
-        'u32': 'unsigned int',
-        's64': 'long long',
-        'u64': 'unsigned long long'
-      }
-
-      array_type = /(.+) \[([0-9]+)\]$/
-      fields = []
-      num_fields = Clib.bpf_perf_event_fields(self.bpf.module, @name)
-      num_fields.times do |i|
-        field = Clib.__extract_char(Clib.bpf_perf_event_field(self.bpf.module, @name, i))
-        field_name, field_type = *field.split('#')
-        if field_type =~ /enum .*/
-          field_type = "int" #it is indeed enum...
-        end
-        if _field_type = ct_mapping[field_type.to_sym]
-          field_type = _field_type
-        end
-
-        m = array_type.match(field_type)
-        if m
-          field_type = "#{m[1]}[#{m[2]}]"
-          fields << [field_type, field_name].join(" ")
-        else
-          fields << [field_type, field_name].join(" ")
-        end
-      end
-      klass = Fiddle::Importer.struct(fields)
-      char_ps = fields.select {|f| f =~ /^char\[(\d+)\] ([_a-zA-Z0-9]+)/ }
-      unless char_ps.empty?
-        m = Module.new do
-          char_ps.each do |char_p|
-            md = /^char\[(\d+)\] ([_a-zA-Z0-9]+)/.match(char_p)
-            define_method md[2] do
-              # Split the char[] in the place where the first \0 appears
-              raw = super()
-              raw = raw[0...raw.index(0)] if raw.index(0)
-              raw.pack("c*")
-            end
-          end
-        end
-        klass.prepend m
-      end
-      klass
-    end
-
     def _open_perf_buffer(cpu, callback, page_cnt, lost_cb)
       # bind("void raw_cb_callback(void *, void *, int)")
       fn = Fiddle::Closure::BlockCaller.new(
@@ -382,6 +398,51 @@ module RbBCC
     end
   end
 
+  class RingBuf < TableBase
+    include EventTypeSupported
+    
+    def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
+      super
+      @_ringbuf = nil
+      @_ringbuf_manager = nil
+      @event_class = nil
+    end
+
+    def event(data)
+      @event_class ||= get_event_class
+      ev = @event_class.malloc
+      Fiddle::Pointer.new(ev.to_ptr)[0, @event_class.size] = data[0, @event_class.size]
+      return ev
+    end
+
+    def open_ring_buffer(ctx=nil, &callback)
+      # bind("int ring_buffer_sample_fn(void *, void *, int)")
+      fn = Fiddle::Closure::BlockCaller.new(
+        Fiddle::TYPE_INT,
+        [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT]
+      ) do |_dummy, data, size|
+        begin
+          _ret = callback.call(ctx, data, size)
+          ret = _ret.to_i
+          ret
+        rescue NoMethodError
+          # Callback for ringbufs should _always_ return an integer.
+          # simply fall back to returning 0 when failed
+          0
+        rescue => e
+          if Fiddle.last_error == 32 # EPIPE
+            exit
+          else
+            raise e
+          end
+        end
+      end
+
+      @bpf._open_ring_buffer(@map_fd, fn, ctx)
+      nil
+    end
+  end
+
   class StackTrace < TableBase
     MAX_DEPTH = 127
     BPF_F_STACK_BUILD_ID = (1<<5)

data/lib/rbbcc/version.rb

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.7.0"
+  VERSION = "0.8.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Uchio Kondo
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-08-10 00:00:00.000000000 Z
+date: 2024-02-13 00:00:00.000000000 Z
 dependencies: []
 description: BCC port for MRI. See https://github.com/iovisor/bcc
 email:
@@ -72,6 +72,7 @@ files:
 - examples/extract_arg.rb
 - examples/hello_fields.rb
 - examples/hello_perf_output.rb
+- examples/hello_ring_buffer.rb
 - examples/hello_world.rb
 - examples/kvm_hypercall.rb
 - examples/mallocstack.rb
@@ -79,6 +80,8 @@ files:
 - examples/networking/http_filter/http-parse-simple.rb
 - examples/ruby_usdt.rb
 - examples/sbrk_trace.rb
+- examples/syscalluname.rb
+- examples/table.rb
 - examples/tools/bashreadline.rb
 - examples/tools/execsnoop.rb
 - examples/tools/runqlat.rb