vivarium 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 150b5b98d7555e1954b0002ca2224b1e445b799fa5d163ab4bbcbc8cac42ea74
-  data.tar.gz: 5984b875d3fab3600c86f9e1d961a0c1ab84945f1c1ea76e78e72248ec2fd9f7
+  metadata.gz: 6549be32807adc904ffe18fbefc055600cf14c85c68b106a3abfd7dce354e8b1
+  data.tar.gz: 1f9c961424d4712b2c43ad3df8d81ee679ea2190acaa8ea24e78a4f88b92f452
 SHA512:
-  metadata.gz: 17847e5f3852628e8bc58f4a31fc4e934b0b06d35d7961ac811d27d34ffcb4a8f17fd9e9c7f61253b9e7d37db09ee9d06354be637f8953c4bd1827baf8d3e0e7
-  data.tar.gz: 1980ac521ccd83eadb68bbbb5b6cb6a6053f3737c2b8c7aaeded5b9ace3563b34666da472bfe133204caf5889a4e77febea2c9069900e4f040a728a6f609b75a
+  metadata.gz: ebe88587a6328a37703899da2f0c8275f9321d7ea34e1af9806dccfaf929a6ee45bce68378356aeb2171708936b74ebb33545ada8a7eace2774aa60783b31b24
+  data.tar.gz: f707b190642345628ddf613038942a87cd95585877b45a264e13ffb1c243da0b7576712d6b5e5eb65e336dab06ff95a01f329b383bdb0007aec879629c30d2eb

data/examples/dlopen_demo.rb

@@ -0,0 +1,50 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "fiddle"
+require "vivarium"
+
+FILTER = {
+  include_events: %w[dlopen mmap_exec]
+}.freeze
+
+# Usage:
+#   1) In another shell (root): sudo bundle exec vivariumd
+#      (dlopen uprobe is attached automatically when libc is found)
+#   2) Run this script: bundle exec ruby examples/dlopen_demo.rb
+#
+# Expected output: "DL dlopen" and "DL mmap_exec" events for each
+# library loaded via Fiddle.dlopen.
+#
+# You can disable the dlopen uprobe with `sudo vivariumd --no-dlopen-trace`
+# or point at a specific libc with `sudo vivariumd --libc /lib/x86_64-linux-gnu/libc.so.6`.
+
+Vivarium.observe(filter: FILTER) do
+  # libm: math functions — almost universally available
+  begin
+    libm = Fiddle.dlopen("libm.so.6")
+    sin_fn = Fiddle::Function.new(libm["sin"], [Fiddle::TYPE_DOUBLE], Fiddle::TYPE_DOUBLE)
+    puts "[dlopen_demo] sin(PI/4) = #{sin_fn.call(Math::PI / 4).round(6)}"
+    libm.close
+  rescue Fiddle::DLError => e
+    warn "[dlopen_demo] libm: #{e.message}"
+  end
+
+  # libsqlite3: a common library that may not be loaded at startup
+  begin
+    libsqlite3 = Fiddle.dlopen("libsqlite3.so.0")
+    puts "[dlopen_demo] libsqlite3 loaded: version = #{Fiddle::Function.new(libsqlite3["sqlite3_libversion"], [], Fiddle::TYPE_VOIDP).call}"
+    libsqlite3.close
+  rescue Fiddle::DLError => e
+    warn "[dlopen_demo] libsqlite3: #{e.message}"
+  end
+
+  # Spawn a child process that also calls dlopen — its events should
+  # appear under a PROC node in the tree (descendant PID tracking).
+  # Unbundle so Bundler does not spawn anything.
+  Bundler.with_unbundled_env do
+    system("ruby -e 'require \"fiddle\"; Fiddle.dlopen(\"libm.so.6\").close'")
+  end
+end
+
+puts "[dlopen_demo] done"

data/examples/drop_demo.rb

@@ -0,0 +1,76 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+# Standalone demo: shows what DROP warning nodes look like in the TreeRenderer
+# output. Does NOT require BPF or vivariumd — constructs RawEvent objects
+# directly and feeds them to TreeRenderer.
+#
+# Usage:
+#   ruby examples/drop_demo.rb
+
+$LOAD_PATH.unshift File.join(__dir__, "..", "lib")
+
+require "vivarium"
+require "vivarium/correlator"
+require "vivarium/tree_renderer"
+require "vivarium/display_filter"
+
+t0  = 1_000_000_000  # base ktime_ns
+pid = Process.pid
+tid = Process.pid
+
+# span_start payload: method_name (128B) + file_name (120B) + lineno (8B)
+span_start_payload = "MyClass#my_method".ljust(Vivarium::SPAN_METHOD_SIZE, "\x00") +
+                     "drop_demo.rb".ljust(Vivarium::SPAN_FILE_SIZE, "\x00") +
+                     [10].pack("q<")
+
+events = [
+  Vivarium::Correlator::RawEvent.new(
+    ktime_ns: t0,
+    pid: pid, tid: tid,
+    event_name: "span_start",
+    payload: span_start_payload,
+    dropped_since_last: 0
+  ),
+  # This event carries drop info: 5 events were lost before it arrived
+  Vivarium::Correlator::RawEvent.new(
+    ktime_ns: t0 + 10_000_000,
+    pid: pid, tid: tid,
+    event_name: "path_open",
+    payload: "/etc/passwd\x00".b.ljust(Vivarium::EVENT_PAYLOAD_SIZE, "\x00"),
+    dropped_since_last: 5
+  ),
+  Vivarium::Correlator::RawEvent.new(
+    ktime_ns: t0 + 20_000_000,
+    pid: pid, tid: tid,
+    event_name: "dns_req",
+    payload: "\x06google\x03com\x00".b.ljust(Vivarium::EVENT_PAYLOAD_SIZE, "\x00"),
+    dropped_since_last: 0
+  ),
+  # Another burst: 12 events dropped just before this sock_connect
+  Vivarium::Correlator::RawEvent.new(
+    ktime_ns: t0 + 25_000_000,
+    pid: pid, tid: tid,
+    event_name: "sock_connect",
+    payload: [2, 443, 0x7f000001, 0].pack("S<nNN").ljust(Vivarium::EVENT_PAYLOAD_SIZE, "\x00"),
+    dropped_since_last: 12
+  ),
+  Vivarium::Correlator::RawEvent.new(
+    ktime_ns: t0 + 30_000_000,
+    pid: pid, tid: tid,
+    event_name: "span_stop",
+    payload: "\x00" * Vivarium::EVENT_PAYLOAD_SIZE,
+    dropped_since_last: 0
+  ),
+]
+
+Vivarium::TreeRenderer.new(
+  events: events,
+  observer_pid: pid,
+  main_tid: tid,
+  session_start_iso: "2026-06-02T00:00:00.000Z",
+  session_start_ktime: t0,
+  session_stop_iso: "2026-06-02T00:00:00.030Z",
+  session_stop_ktime: t0 + 30_000_000,
+  dest: $stdout
+).render

data/lib/vivarium/correlator.rb

@@ -6,7 +6,7 @@ require "time"
 module Vivarium
   class Correlator
     RawEvent = Struct.new(
-      :ktime_ns, :pid, :tid, :event_name, :payload,
+      :ktime_ns, :pid, :tid, :event_name, :payload, :dropped_since_last,
       keyword_init: true
     )
 
@@ -17,22 +17,21 @@ module Vivarium
         u32 tid;
         char event_name[16];
         char payload[256];
+        u64 dropped_since_last;
       };
     C
 
     POLL_TIMEOUT_MS = 200
 
-    def initialize(pin_dir:, observer_pid:, main_tid:, method_id_queue:, filter: nil, dest: $stdout)
+    def initialize(pin_dir:, observer_pid:, main_tid:, filter: nil, dest: $stdout)
       @pin_dir = pin_dir
       @observer_pid = observer_pid
       @main_tid = main_tid
-      @method_id_queue = method_id_queue
       @filter = filter
       @dest = dest
 
       @events = []
       @events_mutex = Mutex.new
-      @method_table = {}
       @stop_flag = false
       @started = false
 
@@ -65,15 +64,12 @@ module Vivarium
       @session_stop_ktime = Vivarium.monotonic_ktime_ns
 
       3.times { safe_poll(50) }
-      drain_method_id_queue
 
       events_snapshot = @events_mutex.synchronize { @events.dup }
-      method_table_snapshot = @method_table.dup
       @stopped = true
 
       TreeRenderer.new(
         events: events_snapshot,
-        method_table: method_table_snapshot,
         observer_pid: @observer_pid,
         main_tid: @main_tid,
         session_start_iso: @session_start_iso,
@@ -90,7 +86,6 @@ module Vivarium
     def run
       until @stop_flag
         safe_poll(POLL_TIMEOUT_MS)
-        drain_method_id_queue
       end
     end
 
@@ -104,11 +99,12 @@ module Vivarium
       bytes = data[0, size].to_s.b
       bytes = bytes.ljust(Vivarium::EVENT_STRUCT_SIZE, "\x00") if bytes.bytesize < Vivarium::EVENT_STRUCT_SIZE
 
-      ktime_ns = bytes[Vivarium::EVENT_TS_OFFSET, Vivarium::EVENT_TS_SIZE].unpack1("Q<")
-      pid = bytes[Vivarium::EVENT_PID_OFFSET, 4].unpack1("L<")
-      tid = bytes[Vivarium::EVENT_TID_OFFSET, 4].unpack1("L<")
-      event_name = Vivarium.c_string(bytes[Vivarium::EVENT_NAME_OFFSET, Vivarium::EVENT_NAME_SIZE])
-      payload = bytes[Vivarium::EVENT_PAYLOAD_OFFSET, Vivarium::EVENT_PAYLOAD_SIZE].to_s.b
+      ktime_ns           = bytes[Vivarium::EVENT_TS_OFFSET,      Vivarium::EVENT_TS_SIZE].unpack1("Q<")
+      pid                = bytes[Vivarium::EVENT_PID_OFFSET,     4].unpack1("L<")
+      tid                = bytes[Vivarium::EVENT_TID_OFFSET,     4].unpack1("L<")
+      event_name         = Vivarium.c_string(bytes[Vivarium::EVENT_NAME_OFFSET, Vivarium::EVENT_NAME_SIZE])
+      payload            = bytes[Vivarium::EVENT_PAYLOAD_OFFSET, Vivarium::EVENT_PAYLOAD_SIZE].to_s.b
+      dropped_since_last = bytes[Vivarium::EVENT_DROPPED_OFFSET, 8].unpack1("Q<")
 
       @events_mutex.synchronize do
         @events << RawEvent.new(
@@ -116,24 +112,13 @@ module Vivarium
           pid: pid,
           tid: tid,
           event_name: event_name,
-          payload: payload
+          payload: payload,
+          dropped_since_last: dropped_since_last
         )
       end
     rescue StandardError => e
       warn "[vivarium correlator] capture error: #{e.class}: #{e.message}"
     end
 
-    def drain_method_id_queue
-      loop do
-        msg = begin
-          @method_id_queue.pop(true)
-        rescue ThreadError
-          return
-        end
-
-        method_id, signature = msg
-        @method_table[method_id] = signature
-      end
-    end
   end
 end

data/lib/vivarium/tree_renderer.rb

@@ -22,12 +22,13 @@ module Vivarium
     ].to_set.freeze
 
     UPROBE_EVENT_NAMES = %w[ssl_write].to_set.freeze
+    DL_EVENT_NAMES = %w[dlopen mmap_exec].to_set.freeze
 
     SYNTHETIC_SPAN_NAME = "<no-span>"
     UNRESOLVED_METHOD_PREFIX = "<method_id="
 
     Span = Struct.new(
-      :tid, :method_id, :file_id, :lineno, :start_ktime, :stop_ktime, :exit_kind,
+      :tid, :method_name, :file_name, :lineno, :start_ktime, :stop_ktime, :exit_kind,
       :events, :descendant_pids, :synthetic, :raised,
       keyword_init: true
     ) do
@@ -51,11 +52,10 @@ module Vivarium
     EventNode = Struct.new(:kind, :name, :target, :offset_ns, :child_proc, keyword_init: true)
     ProcNode = Struct.new(:pid, :comm, :parent_pid, :children, keyword_init: true)
 
-    def initialize(events:, method_table:, observer_pid:, main_tid:,
+    def initialize(events:, observer_pid:, main_tid:,
                    session_start_iso:, session_start_ktime:,
                    session_stop_iso:, session_stop_ktime:, filter: nil, dest:)
       @events = events
-      @method_table = method_table
       @observer_pid = observer_pid
       @main_tid = main_tid
       @session_start_iso = session_start_iso
@@ -67,7 +67,6 @@ module Vivarium
 
       @pid_comm = { observer_pid => "ruby" }
       @pid_parent = {}
-      @unresolved_method_ids = []
     end
 
     def render
@@ -100,11 +99,11 @@ module Vivarium
       events.each do |ev|
         case ev.event_name
         when "span_start"
-          mid, fid, lno = read_span_payload(ev.payload)
+          method_name, file_name, lno = read_span_payload(ev.payload)
           span = Span.new(
             tid: ev.tid,
-            method_id: mid,
-            file_id: fid,
+            method_name: method_name,
+            file_name: file_name,
             lineno: lno,
             start_ktime: ev.ktime_ns,
             stop_ktime: nil,
@@ -194,8 +193,8 @@ module Vivarium
     def synthetic_span(start_ktime, stop_ktime)
       Span.new(
         tid: @main_tid,
-        method_id: nil,
-        file_id: nil,
+        method_name: nil,
+        file_name: nil,
         lineno: nil,
         start_ktime: start_ktime,
         stop_ktime: stop_ktime,
@@ -261,9 +260,6 @@ module Vivarium
     end
 
     def print_warnings
-      @unresolved_method_ids.uniq.each do |mid|
-        @dest.puts format("# warning method_id=0x%016X unresolved at render time", mid & 0xFFFF_FFFF_FFFF_FFFF)
-      end
     end
 
     def print_observer_proc(spans)
@@ -300,30 +296,23 @@ module Vivarium
 
     def span_file_info(span)
       return "" if span.synthetic
-      return "" unless span.file_id && span.file_id != -1
-
-      file_name = Vivarium::Usdt.get_file_name(span.file_id)
-      return "" unless file_name
+      return "" if span.file_name.nil? || span.file_name.empty?
 
       lno = span.lineno && span.lineno > 0 ? ":#{span.lineno}" : ""
-      "  at=#{File.basename(file_name)}#{lno}"
+      "  at=#{File.basename(span.file_name)}#{lno}"
     end
 
     def span_display_name(span)
       return SYNTHETIC_SPAN_NAME if span.synthetic
-      return SYNTHETIC_SPAN_NAME if span.method_id.nil?
-
-      name = @method_table[span.method_id]
-      name ||= Vivarium::Usdt.get_method_name(span.method_id)
-      return name if name
+      return SYNTHETIC_SPAN_NAME if span.method_name.nil? || span.method_name.empty?
 
-      @unresolved_method_ids << span.method_id
-      format("#{UNRESOLVED_METHOD_PREFIX}0x%016X>", span.method_id & 0xFFFF_FFFF_FFFF_FFFF)
+      span.method_name
     end
 
     def build_span_children(span)
       proc_node_by_pid = {}
       root_children = []
+      prev_event_ktime = span.start_ktime
 
       span.events.each do |ev|
         target_text = nil
@@ -353,6 +342,7 @@ module Vivarium
           )
 
           parent_container = container_for_pid(ev.pid, span, proc_node_by_pid, root_children)
+          maybe_inject_drop_node(parent_container, ev, span, prev_event_ktime)
           append_event(parent_container, ev_node)
         else
           ev_node = EventNode.new(
@@ -363,12 +353,11 @@ module Vivarium
             child_proc: nil
           )
 
-          if ev.pid == @observer_pid && ev.tid == span.tid
-            append_event(root_children, ev_node)
+          container = if ev.pid == @observer_pid && ev.tid == span.tid
+            root_children
           elsif (node = proc_node_by_pid[ev.pid])
-            append_event(node.children, ev_node)
+            node.children
           else
-            # event from a descendant pid we haven't materialized — synthesize a stub PROC node
             stub = ProcNode.new(
               pid: ev.pid,
               comm: @pid_comm[ev.pid] || "?",
@@ -376,14 +365,19 @@ module Vivarium
               children: []
             )
             proc_node_by_pid[ev.pid] = stub
-            append_event(stub.children, ev_node)
             root_children << stub
+            stub.children
           end
 
+          maybe_inject_drop_node(container, ev, span, prev_event_ktime)
+          append_event(container, ev_node)
+
           if ev.event_name == EXEC_EVENT_NAME && (node = proc_node_by_pid[ev.pid])
             node.comm = @pid_comm[ev.pid] || node.comm
           end
         end
+
+        prev_event_ktime = ev.ktime_ns
       end
 
       # Interleave child spans by start time among the event/proc nodes
@@ -429,6 +423,23 @@ module Vivarium
       container << ev_node
     end
 
+    def maybe_inject_drop_node(container, ev, span, prev_event_ktime = nil)
+      n = ev.dropped_since_last.to_i
+      return if n.zero?
+
+      # Show the start of the drop window (= time of last good event).
+      # The end is implicitly ev.ktime_ns (shown on the following event line).
+      drop_start_ns = prev_event_ktime ? (prev_event_ktime - span.start_ktime) : nil
+
+      container << EventNode.new(
+        kind: "DROP",
+        name: "dropped_events",
+        target: "#{n} event(s) lost (ringbuf overflow)",
+        offset_ns: drop_start_ns,
+        child_proc: nil
+      )
+    end
+
     def print_nodes(nodes, prefix)
       visible_nodes = nodes.select do |node|
         !node.is_a?(Span) || span_visible?(node)
@@ -491,6 +502,7 @@ module Vivarium
       return "EXCP" if ev.event_name == "span_raise"
       return "USDT" if SPAN_EVENT_NAMES.include?(ev.event_name)
       return "SSL" if ev.event_name == SSL_WRITE_EVENT_NAME
+      return "DL" if DL_EVENT_NAMES.include?(ev.event_name)
       return "LSM" if LSM_EVENT_NAMES.include?(ev.event_name)
       return "TP" if TP_EVENT_NAMES.include?(ev.event_name)
 
@@ -523,28 +535,20 @@ module Vivarium
 
     def render_raise_target(ev)
       bytes = ev.payload.to_s.b
-      return "-" if bytes.bytesize < 8
-
-      error_id = bytes[0, 8].unpack1("q<")
-      message_id = bytes.bytesize >= 16 ? bytes[8, 8].unpack1("q<") : -1
-      file_id = bytes.bytesize >= 24 ? bytes[16, 8].unpack1("q<") : -1
-      lineno = bytes.bytesize >= 32 ? bytes[24, 8].unpack1("q<") : -1
-
-      error_name = Vivarium::Usdt.get_error_name(error_id) ||
-                   format("0x%016X", error_id & 0xFFFF_FFFF_FFFF_FFFF)
-
-      parts = ["error=#{error_name}"]
-
-      if message_id != -1
-        msg = Vivarium::Usdt.get_message_name(message_id)
-        parts << "message=#{msg.inspect}" if msg
-      end
-
-      if file_id != -1 && (file_name = Vivarium::Usdt.get_file_name(file_id))
-        lno = lineno && lineno > 0 ? ":#{lineno}" : ""
+      return "-" if bytes.empty?
+
+      slot = Vivarium::SPAN_RAISE_SLOT_SIZE
+      error_name = Vivarium.c_string(bytes[0, slot])
+      message    = Vivarium.c_string(bytes[slot, slot])
+      file_name  = Vivarium.c_string(bytes[slot * 2, slot])
+      lineno     = bytes.bytesize > Vivarium::SPAN_RAISE_LINENO_OFFSET ? bytes[Vivarium::SPAN_RAISE_LINENO_OFFSET, 8].unpack1("q<") : -1
+
+      parts = ["error=#{error_name.empty? ? '?' : error_name}"]
+      parts << "message=#{message.inspect}" unless message.empty?
+      unless file_name.empty?
+        lno = lineno > 0 ? ":#{lineno}" : ""
         parts << "at=#{File.basename(file_name)}#{lno}"
       end
-
       parts.join(" ")
     end
 
@@ -564,12 +568,12 @@ module Vivarium
 
     def read_span_payload(payload)
       bytes = payload.to_s.b
-      return [0, -1, -1] if bytes.bytesize < 8
+      return [nil, nil, -1] if bytes.empty?
 
-      method_id = bytes[0, 8].unpack1("q<")
-      file_id = bytes.bytesize >= 16 ? bytes[8, 8].unpack1("q<") : -1
-      lineno = bytes.bytesize >= 24 ? bytes[16, 8].unpack1("q<") : -1
-      [method_id, file_id, lineno]
+      method_name = Vivarium.c_string(bytes[0, Vivarium::SPAN_METHOD_SIZE])
+      file_name   = Vivarium.c_string(bytes[Vivarium::SPAN_METHOD_SIZE, Vivarium::SPAN_FILE_SIZE])
+      lineno      = bytes.bytesize > Vivarium::SPAN_LINENO_OFFSET ? bytes[Vivarium::SPAN_LINENO_OFFSET, 8].unpack1("q<") : -1
+      [method_name, file_name, lineno]
     end
 
     def read_proc_fork_child_pid(payload)

data/lib/vivarium/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Vivarium
-  VERSION = "0.3.1"
+  VERSION = "0.4.0"
 end

data/lib/vivarium.rb

@@ -24,14 +24,24 @@ module Vivarium
   EVENT_TS_SIZE = 8
   PROC_EXEC_SLOT_SIZE = 64
   PROC_EXEC_SLOT_COUNT = 4
-  EVENT_STRUCT_SIZE = 288
+  EVENT_STRUCT_SIZE = 296
   EVENT_TS_OFFSET = 0
   EVENT_PID_OFFSET = 8
   EVENT_TID_OFFSET = 12
   EVENT_NAME_OFFSET = 16
   EVENT_PAYLOAD_OFFSET = 32
+  EVENT_DROPPED_OFFSET = 288
   EVENTS_RINGBUF_PAGES = 256
 
+  SPAN_METHOD_SIZE     = 128
+  SPAN_FILE_SIZE       = 120
+  SPAN_LINENO_OFFSET   = SPAN_METHOD_SIZE + SPAN_FILE_SIZE  # 248
+  SPAN_FILE_ARG_MAX    = SPAN_FILE_SIZE - 1
+
+  SPAN_RAISE_SLOT_SIZE     = 80
+  SPAN_RAISE_LINENO_OFFSET = SPAN_RAISE_SLOT_SIZE * 3        # 240
+  SPAN_RAISE_FILE_ARG_MAX  = SPAN_RAISE_SLOT_SIZE - 1
+
   SSL_WRITE_PAYLOAD_DATA_LEN_OFFSET = 0
   SSL_WRITE_PAYLOAD_CAP_LEN_OFFSET = 4
   SSL_WRITE_PAYLOAD_DATA_OFFSET = 8
@@ -52,6 +62,16 @@ module Vivarium
     "/usr/lib/libssl.so.1.1"
   ].freeze
 
+  LIBC_SEARCH_PATHS = [
+    "/lib/x86_64-linux-gnu/libc.so.6",
+    "/lib/aarch64-linux-gnu/libc.so.6",
+    "/usr/lib/x86_64-linux-gnu/libc.so.6",
+    "/usr/lib/aarch64-linux-gnu/libc.so.6",
+    "/lib64/libc.so.6",
+    "/usr/lib64/libc.so.6",
+    "/lib/libc.so.6",
+  ].freeze
+
   SPAN_ALLOWCLASSES = [
     Socket,
     BasicSocket,
@@ -79,6 +99,7 @@ module Vivarium
   EVENT_SEVERITY_HIGH = %w[
     capable_check bprm_creds setid_change task_kill
     ptrace_check sb_mount kernel_read_file
+    dlopen
   ].freeze
 
   CAPABILITY_NAMES = {
@@ -137,6 +158,16 @@ module Vivarium
     str[0, nul]
   end
 
+  def self.tail_fit_string(value, max_bytes, marker: "...")
+    str = value.to_s.b
+    return str if str.bytesize <= max_bytes
+    return str.byteslice(-max_bytes, max_bytes) || "" if max_bytes <= marker.bytesize
+
+    tail_size = max_bytes - marker.bytesize
+    tail = str.byteslice(-tail_size, tail_size) || ""
+    "#{marker}#{tail}"
+  end
+
   def self.event_severity(event_name)
     EVENT_SEVERITY_HIGH.include?(event_name.to_s) ? "high" : "medium"
   end
@@ -463,6 +494,8 @@ module Vivarium
     when "ssl_write"
       decoded = decode_ssl_write_payload(event.payload)
       "data_len=#{decoded[:data_len]} cap_len=#{decoded[:cap_len]}"
+    when "dlopen", "mmap_exec"
+      strip_to_first_null(event.payload).inspect
     else
       strip_to_first_null(event.payload).inspect
     end
@@ -619,12 +652,14 @@ module Vivarium
         u32 tid;
         char event_name[16];
         char payload[#{EVENT_PAYLOAD_SIZE}];
+        u64 dropped_since_last;
       };
 
       BPF_HASH(config_root_targets, u32, u8, 1024);
       BPF_HASH(config_spawned_targets, u32, u8, 8192);
       BPF_HASH(dns_connected_tids, u32, u8, 8192);
       BPF_RINGBUF_OUTPUT(events, #{EVENTS_RINGBUF_PAGES});
+      BPF_ARRAY(drop_counter, u64, 1);
 
       static __always_inline int target_enabled(u32 pid, u32 tid)
       {
@@ -666,14 +701,27 @@ module Vivarium
 
       static __always_inline void submit_event(struct event_t *src)
       {
+        u32 key = 0;
+        u64 *cnt;
+
         struct event_t *ev = events.ringbuf_reserve(sizeof(struct event_t));
         if (!ev) {
+          cnt = drop_counter.lookup(&key);
+          if (cnt) {
+            __sync_fetch_and_add(cnt, 1);
+          }
           return;
         }
 
         __builtin_memcpy(ev, src, sizeof(*ev));
         ev->ktime_ns = bpf_ktime_get_ns();
         ev->tid = (u32)bpf_get_current_pid_tgid();
+        ev->dropped_since_last = 0;
+
+        cnt = drop_counter.lookup(&key);
+        if (cnt && *cnt > 0) {
+          ev->dropped_since_last = __sync_lock_test_and_set(cnt, 0);
+        }
 
         events.ringbuf_submit(ev, 0);
       }
@@ -807,6 +855,39 @@ module Vivarium
         return 0;
       }
 
+      LSM_PROBE(mmap_file, struct file *file, unsigned long reqprot,
+                unsigned long prot, unsigned long flags)
+      {
+        if (!file) {
+          return 0;
+        }
+        if (!((prot | reqprot) & 0x04)) {   /* PROT_EXEC */
+          return 0;
+        }
+
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        int path_ret;
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "mmap_exec", 10);
+
+        path_ret = bpf_d_path(&file->f_path, ev.payload, sizeof(ev.payload));
+        if (path_ret < 0) {
+          if (ev.payload[0] == 0) {
+            __builtin_memcpy(ev.payload, "<path_error>", 13);
+          }
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
       LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
       {
         u64 pid_tgid = bpf_get_current_pid_tgid();
@@ -1332,19 +1413,19 @@ module Vivarium
           return 0;
         }
 
-        u64 method_id = 0;
-        u64 file_id = 0;
-        u64 lineno = 0;
-        bpf_usdt_readarg(1, ctx, &method_id);
-        bpf_usdt_readarg(2, ctx, &file_id);
+        u64 method_str_ptr = 0;
+        u64 file_str_ptr = 0;
+        s64 lineno = 0;
+        bpf_usdt_readarg(1, ctx, &method_str_ptr);
+        bpf_usdt_readarg(2, ctx, &file_str_ptr);
         bpf_usdt_readarg(3, ctx, &lineno);
 
         struct event_t ev = {};
         ev.pid = pid;
         __builtin_memcpy(ev.event_name, "span_start", 11);
-        __builtin_memcpy(&ev.payload[0], &method_id, sizeof(method_id));
-        __builtin_memcpy(&ev.payload[8], &file_id, sizeof(file_id));
-        __builtin_memcpy(&ev.payload[16], &lineno, sizeof(lineno));
+        bpf_probe_read_user_str(&ev.payload[0], #{SPAN_METHOD_SIZE}, (void*)method_str_ptr);
+        bpf_probe_read_user_str(&ev.payload[#{SPAN_METHOD_SIZE}], #{SPAN_FILE_SIZE}, (void*)file_str_ptr);
+        __builtin_memcpy(&ev.payload[#{SPAN_LINENO_OFFSET}], &lineno, sizeof(lineno));
         submit_event(&ev);
         return 0;
       }
@@ -1359,19 +1440,19 @@ module Vivarium
           return 0;
         }
 
-        u64 method_id = 0;
-        u64 file_id = 0;
-        u64 lineno = 0;
-        bpf_usdt_readarg(1, ctx, &method_id);
-        bpf_usdt_readarg(2, ctx, &file_id);
+        u64 method_str_ptr = 0;
+        u64 file_str_ptr = 0;
+        s64 lineno = 0;
+        bpf_usdt_readarg(1, ctx, &method_str_ptr);
+        bpf_usdt_readarg(2, ctx, &file_str_ptr);
         bpf_usdt_readarg(3, ctx, &lineno);
 
         struct event_t ev = {};
         ev.pid = pid;
         __builtin_memcpy(ev.event_name, "span_stop", 10);
-        __builtin_memcpy(&ev.payload[0], &method_id, sizeof(method_id));
-        __builtin_memcpy(&ev.payload[8], &file_id, sizeof(file_id));
-        __builtin_memcpy(&ev.payload[16], &lineno, sizeof(lineno));
+        bpf_probe_read_user_str(&ev.payload[0], #{SPAN_METHOD_SIZE}, (void*)method_str_ptr);
+        bpf_probe_read_user_str(&ev.payload[#{SPAN_METHOD_SIZE}], #{SPAN_FILE_SIZE}, (void*)file_str_ptr);
+        __builtin_memcpy(&ev.payload[#{SPAN_LINENO_OFFSET}], &lineno, sizeof(lineno));
         submit_event(&ev);
         return 0;
       }
@@ -1412,6 +1493,32 @@ module Vivarium
         return 0;
       }
 
+      int on_dlopen(struct pt_regs *ctx)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        const char *filename = (const char *)PT_REGS_PARM1(ctx);
+        if (!filename) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "dlopen", 7);
+
+        if (bpf_probe_read_user_str(ev.payload, sizeof(ev.payload), filename) < 0) {
+          __builtin_memcpy(ev.payload, "<path_error>", 13);
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
       int on_span_raise(struct pt_regs *ctx)
       {
         u64 pid_tgid = bpf_get_current_pid_tgid();
@@ -1422,31 +1529,34 @@ module Vivarium
           return 0;
         }
 
-        u64 error_id = 0;
-        u64 message_id = 0;
-        u64 file_id = 0;
-        u64 lineno = 0;
-        bpf_usdt_readarg(1, ctx, &error_id);
-        bpf_usdt_readarg(2, ctx, &message_id);
-        bpf_usdt_readarg(3, ctx, &file_id);
+        u64 error_str_ptr = 0;
+        u64 message_str_ptr = 0;
+        u64 file_str_ptr = 0;
+        s64 lineno = 0;
+        bpf_usdt_readarg(1, ctx, &error_str_ptr);
+        bpf_usdt_readarg(2, ctx, &message_str_ptr);
+        bpf_usdt_readarg(3, ctx, &file_str_ptr);
         bpf_usdt_readarg(4, ctx, &lineno);
 
         struct event_t ev = {};
         ev.pid = pid;
         __builtin_memcpy(ev.event_name, "span_raise", 11);
-        __builtin_memcpy(&ev.payload[0], &error_id, sizeof(error_id));
-        __builtin_memcpy(&ev.payload[8], &message_id, sizeof(message_id));
-        __builtin_memcpy(&ev.payload[16], &file_id, sizeof(file_id));
-        __builtin_memcpy(&ev.payload[24], &lineno, sizeof(lineno));
+        bpf_probe_read_user_str(&ev.payload[0], #{SPAN_RAISE_SLOT_SIZE}, (void*)error_str_ptr);
+        bpf_probe_read_user_str(&ev.payload[#{SPAN_RAISE_SLOT_SIZE}], #{SPAN_RAISE_SLOT_SIZE}, (void*)message_str_ptr);
+        bpf_probe_read_user_str(&ev.payload[#{SPAN_RAISE_SLOT_SIZE * 2}], #{SPAN_RAISE_SLOT_SIZE}, (void*)file_str_ptr);
+        __builtin_memcpy(&ev.payload[#{SPAN_RAISE_LINENO_OFFSET}], &lineno, sizeof(lineno));
         submit_event(&ev);
         return 0;
       }
     CLANG
 
-    def initialize(pin_dir: Vivarium.bpf_pin_dir, ssl_trace: true, libssl_path: nil)
-      @pin_dir = pin_dir
-      @ssl_trace = ssl_trace
-      @libssl_path = libssl_path
+    def initialize(pin_dir: Vivarium.bpf_pin_dir, ssl_trace: true, libssl_path: nil,
+                   dlopen_trace: true, libc_path: nil)
+      @pin_dir      = pin_dir
+      @ssl_trace    = ssl_trace
+      @libssl_path  = libssl_path
+      @dlopen_trace = dlopen_trace
+      @libc_path    = libc_path
     end
 
     def run
@@ -1459,6 +1569,7 @@ module Vivarium
         .gsub("__VIVARIUM_F_PATH_OFFSET__", f_path_offset.to_s)
         .gsub("__VIVARIUM_DENTRY_D_NAME_OFFSET__", d_name_offset.to_s)
 
+      require "vivarium_usdt"
       usdt_so_path = ENV.fetch("VIVARIUM_USDT_SO_PATH") { Vivarium.locate_vivarium_usdt_so }
       usdt = RbBCC::USDT.new(path: usdt_so_path)
       usdt.enable_probe(probe: "start_probe", fn_name: "on_span_start")
@@ -1468,6 +1579,7 @@ module Vivarium
       bpf = RbBCC::BCC.new(text: program, usdt_contexts: [usdt])
 
       attach_ssl_write_uprobe(bpf) if @ssl_trace
+      attach_dlopen_uprobe(bpf) if @dlopen_trace
 
       config_root_targets = bpf["config_root_targets"]
       config_spawned_targets = bpf["config_spawned_targets"]
@@ -1526,6 +1638,39 @@ module Vivarium
       LIBSSL_SEARCH_PATHS.find { |p| File.exist?(p) }
     end
 
+    def attach_dlopen_uprobe(bpf)
+      path = resolve_libc_path
+      unless path
+        warn "[vivariumd] libc not found; dlopen uprobe disabled " \
+             "(set --libc PATH or VIVARIUM_LIBC_PATH to override)"
+        return
+      end
+
+      bpf.attach_uprobe(name: path, sym: "dlopen", fn_name: "on_dlopen")
+      puts "[vivariumd] dlopen uprobe attached via #{path}"
+    rescue StandardError => e
+      warn "[vivariumd] dlopen uprobe attach failed: #{e.class}: #{e.message}"
+    end
+
+    def resolve_libc_path
+      if @libc_path
+        return @libc_path if File.exist?(@libc_path)
+
+        warn "[vivariumd] --libc path does not exist: #{@libc_path}"
+        return nil
+      end
+
+      env_path = ENV["VIVARIUM_LIBC_PATH"]
+      if env_path && !env_path.empty?
+        return env_path if File.exist?(env_path)
+
+        warn "[vivariumd] VIVARIUM_LIBC_PATH does not exist: #{env_path}"
+        return nil
+      end
+
+      LIBC_SEARCH_PATHS.find { |p| File.exist?(p) }
+    end
+
     def ensure_root!
       return if Process.uid.zero?
 
@@ -1680,20 +1825,18 @@ module Vivarium
     pid = Process.pid
     store.register_pid(pid)
 
-    method_id_queue = Thread::Queue.new
     main_tid = gettid
 
     correlator = Correlator.new(
       pin_dir: pin_dir,
       observer_pid: pid,
       main_tid: main_tid,
-      method_id_queue: method_id_queue,
       filter: filter,
       dest: dest
     )
     correlator.start
 
-    tracer = build_observe_tracepoint(method_id_queue)
+    tracer = build_observe_tracepoint
     tracer.enable
 
     session = ObservationSession.new(
@@ -1710,20 +1853,18 @@ module Vivarium
     pid = Process.pid
     store.register_pid(pid)
 
-    method_id_queue = Thread::Queue.new
     main_tid = gettid
 
     correlator = Correlator.new(
       pin_dir: pin_dir,
       observer_pid: pid,
       main_tid: main_tid,
-      method_id_queue: method_id_queue,
       filter: filter,
       dest: dest
     )
     correlator.start
 
-    tracer = build_observe_tracepoint(method_id_queue)
+    tracer = build_observe_tracepoint
     tracer.enable
 
     yield
@@ -1733,20 +1874,19 @@ module Vivarium
     correlator&.stop
   end
 
-  def self.build_observe_tracepoint(method_id_queue)
+  def self.build_observe_tracepoint
     allow_classes = SPAN_ALLOWCLASSES
     allowlist = SPAN_ALLOWLIST
     TracePoint.new(:call, :c_call, :return, :c_return, :raise) do |tp|
       if tp.event == :raise
         # FIXME: handle threaded events in the future
-        if tp.raised_exception.kind_of?(ThreadError)
-          next
-        end
+        next if tp.raised_exception.kind_of?(ThreadError)
 
+        file_arg = tail_fit_string(tp.path, SPAN_RAISE_FILE_ARG_MAX)
         Vivarium::Usdt.raise(
           tp.raised_exception.class.to_s,
           tp.raised_exception.message.to_s,
-          file: tp.path,
+          file: file_arg,
           lineno: tp.lineno
         )
         next
@@ -1758,12 +1898,12 @@ module Vivarium
         allow_classes.any? { |klass| tp.defined_class == klass.singleton_class }
       next unless is_target
 
+      file_arg = tail_fit_string(tp.path, SPAN_FILE_ARG_MAX)
       case tp.event
       when :call, :c_call
-        method_id = Vivarium::Usdt.start(tp.defined_class.to_s, tp.method_id.to_s, file: tp.path, lineno: tp.lineno)
-        method_id_queue << [method_id, signature]
+        Vivarium::Usdt.start(tp.defined_class.to_s, tp.method_id.to_s, file: file_arg, lineno: tp.lineno)
       when :return, :c_return
-        Vivarium::Usdt.stop(tp.defined_class.to_s, tp.method_id.to_s, file: tp.path, lineno: tp.lineno)
+        Vivarium::Usdt.stop(tp.defined_class.to_s, tp.method_id.to_s, file: file_arg, lineno: tp.lineno)
       end
     end
   end
@@ -1794,9 +1934,11 @@ module Vivarium
   end
 
   def self.run_daemon!(argv = ARGV)
-    options = { pin_dir: bpf_pin_dir, ssl_trace: true, libssl_path: nil }
+    options = { pin_dir: bpf_pin_dir, ssl_trace: true, libssl_path: nil,
+                dlopen_trace: true, libc_path: nil }
     OptionParser.new do |opts|
-      opts.banner = "Usage: vivariumd [--pin-dir PATH] [--no-ssl-trace] [--libssl PATH]"
+      opts.banner = "Usage: vivariumd [--pin-dir PATH] [--no-ssl-trace] [--libssl PATH] " \
+                    "[--no-dlopen-trace] [--libc PATH]"
       opts.on("--pin-dir PATH", "Pinned map directory") { |v| options[:pin_dir] = v }
       opts.on("--[no-]ssl-trace", "Attach OpenSSL SSL_write uprobe (default: enabled)") do |v|
         options[:ssl_trace] = v
@@ -1804,12 +1946,20 @@ module Vivarium
       opts.on("--libssl PATH", "Path to libssl.so to attach SSL_write to") do |v|
         options[:libssl_path] = v
       end
+      opts.on("--[no-]dlopen-trace", "Attach libc dlopen uprobe (default: enabled)") do |v|
+        options[:dlopen_trace] = v
+      end
+      opts.on("--libc PATH", "Path to libc.so for dlopen uprobe") do |v|
+        options[:libc_path] = v
+      end
     end.parse!(argv)
 
     Daemon.new(
       pin_dir: options[:pin_dir],
       ssl_trace: options[:ssl_trace],
-      libssl_path: options[:libssl_path]
+      libssl_path: options[:libssl_path],
+      dlopen_trace: options[:dlopen_trace],
+      libc_path: options[:libc_path]
     ).run
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vivarium
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Uchio Kondo
@@ -29,14 +29,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: 0.4.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: 0.4.0
 - !ruby/object:Gem::Dependency
   name: ostruct
   requirement: !ruby/object:Gem::Requirement
@@ -64,6 +64,8 @@ files:
 - CONTEXT.md
 - README.md
 - Rakefile
+- examples/dlopen_demo.rb
+- examples/drop_demo.rb
 - examples/execve_demo.rb
 - examples/file_operation_demo.rb
 - examples/network_client_demo.rb