what is examples

Author: bfredl

README.md

@@ -1,11 +1,36 @@
 Eiri
 =======
 
-Minimal self-contained eBPF/uprobe based tracer.
+Minimal self-contained eBPF/kprobe based tracer.
 
-Work in progress. Currently can attach to USDT probes in ELF files and run
+Work in progress. Currently can attach to kprobes as well as USDT probes in ELF files and run
 simple eBPF programs defined in a custom IR format. ringbuf output gets printed as raw bytes to stderr.
 
+Very simple output is supported. in form of a single count (stored as a bpf array map) or dumping byte values in a bpf ringbuf map
+
+Examples
+-----
+
+use array map as simple counter:
+```
+map $count array 4 8 1
+
+func $main MIT
+  %key = alloc
+  store [%key] 0
+  %map = map $count
+  %aa = call map_lookup_elem %map %key
+  eq %aa 0 :exit
+:doit
+  xadd [%aa] 1
+:exit
+  ret 0
+end
+
+attach $main kprobe __x64_sys_write
+```
+
+dump userland stack into ringbuf:
 ```
 map $ringbuf ringbuf 0 0 4096
 
@@ -23,5 +48,5 @@ end
 
 elf $neovim /home/bfredl/dev/neovim/build/bin/nvim
 
-attach $neovim flushy $main
+attach usdt $neovim xfree
 ```

count.ir

@@ -1,7 +1,5 @@
 map $count array 4 8 1
 
-elf $neovim /home/bfredl/dev/neovim/build/bin/nvim
-
 func $main MIT
   %key = alloc
   store [%key] 0
@@ -14,4 +12,4 @@ func $main MIT
   ret 0
 end
 
-attach $main usdt $neovim xfree
+attach $main kprobe __x64_sys_write

src/Parser.zig

@@ -219,6 +219,17 @@ pub fn toplevel(self: *Self, exec: bool) !void {
 fn get_probe(self: *Self, exec: bool) !fd_t {
     _ = self.nonws();
     const kind = try self.identifier();
+    if (mem.eql(u8, kind, "kprobe")) {
+        _ = self.nonws();
+        const func = try self.identifier();
+        _ = self.nonws();
+        const offset = self.num() orelse 0;
+
+        if (!exec) return 55;
+        // TODO: share this, like a non-savage
+        const kprobe_type = try bpfUtil.getKprobeType();
+        return bpfUtil.perf_open_probe_cstr(kprobe_type, func, offset);
+    }
     if (mem.eql(u8, kind, "usdt")) {
         const elf_name = try require(try self.objname(), "elf name");
         _ = self.nonws();
@@ -229,7 +240,7 @@ fn get_probe(self: *Self, exec: bool) !fd_t {
         if (!exec) return 55;
         // TODO: share this, like a non-savage
         const uprobe_type = try bpfUtil.getUprobeType();
-        return bpfUtil.perf_open_uprobe(uprobe_type, elf.fname, sdt.h.pc);
+        return bpfUtil.perf_open_probe_cstr(uprobe_type, elf.fname, sdt.h.pc);
     } else {
         return error.ParseError;
     }

src/bpfUtil.zig

@@ -67,25 +67,20 @@ pub fn perf_attach_bpf(target: fd_t, prog: fd_t) !void {
     }
 }
 
-pub fn perf_open_uprobe(uprobe_type: u32, uprobe_path: []const u8, uprobe_offset: u64) !fd_t {
-    // TODO: .size should be the default (stage2 bug)
+pub fn perf_open_probe(probe_type: u32, config1: u64, config2: u64) !fd_t {
     var attr = linux.perf_event_attr{};
 
     // TODO: use /sys/devices/system/cpu/online
     // but not needed for uprobe/kprobe???
 
     // the type value is dynamic and might be outside the defined values of
     // PERF.TYPE. praxis or zig std correctness issue
-    attr.type = @intToEnum(PERF.TYPE, uprobe_type);
+    attr.type = @intToEnum(PERF.TYPE, probe_type);
     attr.sample_period_or_freq = 1;
     attr.wakeup_events_or_watermark = 1;
-    var path_buf: [512]u8 = undefined;
-    if (uprobe_path.len > 511) return error.InvalidProgram;
-    mem.copy(u8, &path_buf, uprobe_path);
-    path_buf[uprobe_path.len] = 0;
 
-    attr.config1 = @ptrToInt(&path_buf);
-    attr.config2 = uprobe_offset;
+    attr.config1 = config1;
+    attr.config2 = config2;
 
     const rc = linux.perf_event_open(&attr, -1, 0, -1, 0);
     return switch (errno(rc)) {
@@ -98,8 +93,18 @@ pub fn perf_open_uprobe(uprobe_type: u32, uprobe_path: []const u8, uprobe_offset
     };
 }
 
-pub fn getUprobeType() !u32 {
-    const fil = try std.fs.openFileAbsolute("/sys/bus/event_source/devices/uprobe/type", .{});
+// makes a null-terminated copy of config1, maximum size: 511 bytes (+ added nul byte)
+pub fn perf_open_probe_cstr(uprobe_type: u32, config1: []const u8, config2: u64) !fd_t {
+    var config1_buf: [512]u8 = undefined;
+    if (config1.len > 511) return error.InvalidProgram;
+    mem.copy(u8, &config1_buf, config1);
+    config1_buf[config1.len] = 0;
+
+    return perf_open_probe(uprobe_type, @ptrToInt(&config1_buf), config2);
+}
+
+pub fn getProbeTypeFromPath(path: []const u8) !u32 {
+    const fil = try std.fs.openFileAbsolute(path, .{});
     defer fil.close();
 
     const reader = fil.reader();
@@ -108,6 +113,14 @@ pub fn getUprobeType() !u32 {
     return std.fmt.parseInt(u32, line, 10);
 }
 
+pub fn getKprobeType() !u32 {
+    return getProbeTypeFromPath("/sys/bus/event_source/devices/kprobe/type");
+}
+
+pub fn getUprobeType() !u32 {
+    return getProbeTypeFromPath("/sys/bus/event_source/devices/uprobe/type");
+}
+
 pub const pt_regs_amd64 = enum(u8) {
     r15,
     r14,

stack.ir

@@ -12,6 +12,6 @@ func $main GPL
   ret 0
 end
 
-elf $neovim /home/bfredl/dev/neovim/build/bin/nvim
 
+elf $neovim /home/bfredl/dev/neovim/build/bin/nvim
 attach $main usdt $neovim xfree