1. 05 Oct, 2016 2 commits
    • stackcount: Support uprobes, tracepoints, and USDT (#730) · 07175d05
      Sasha Goldshtein authored
      * stackcount: Support user-space functions
      
      Add support for user-space functions in `stackcount` by taking an additional
      `-l` command-line parameter specifying the name of the user-space library.
      When a user-space library is specified, `stackcount` attaches to a specific
      process and traces a user-space function with user-space stacks only.
      Regex support for uprobes (similar to what is available for kprobes) is
      not currently provided.
      
      Also add a couple of functions to the `BPF` object for consistency.
      
      * bcc: Support regex in attach_uprobe
      
      attach_kprobe allows a regular expression for the function name,
      while attach_uprobe does not. Add support in libbcc for enumerating
      all the function symbols in a binary, and use that in the BPF module
      to attach uprobes according to a regular expression. For example:
      
      ```python
      bpf = BPF(text="...")
      bpf.attach_uprobe(name="c", sym_re=".*write$", fn_name="probe")
      ```
      
      * python: Support regex in attach_tracepoint
      
      Modify attach_tracepoint to take a regex argument, in which case
      it enumerates all tracepoints matching that regex and attaches to
      all of them. The logic for enumerating tracepoints should eventually
      belong in libbcc and be shared across all the tools (tplist, trace
      and so on).
      
      * cc: Fix termination condition bug in symbol enumeration
      
      bcc_elf would not terminate the enumeration correctly when the
      user-provided callback returned -1 but there were still more
      sections remaining in the ELF to be enumerated.
      
      * stackcount: Support uprobes and tracepoints
      
      Refactored stackcount and added support for uprobes and tracepoints,
      which also required changes to the BPF module. USDT support still
      pending.
      
      * bcc: Refactor symbol listing to use foreach-style
      
      Refactor symbol listing from paging style to foreach-style with a
      callback function per-symbol. Even though we're now performing a
      callback from C to Python for each symbol, this is preferable to the
      paging approach because we need all the symbols in the current use
      case.
      
      Also refactored `stackcount` slightly; only missing support for USDT
      probes now.
      
      * stackcount: Support per-process displays
      
      For user-space functions, or when requested for kernel-space
      functions or tracepoints, group the output by process. Toggled
      with the -P switch, off by default (except for user-space).
      
      * Fix rebase issues, print pid only when there is one
      
      * stackcount: Add USDT support
      
      Now, stackcount supports USDT tracepoints in addition to
      kernel functions, user functions, and kernel tracepoints.
      The format is the same as with the other general-purpose
      tools (argdist, trace):
      
      ```
      stackcount -p $(pidof node) u:node:gc*
      stackcount -p 185 u:pthread:pthread_create
      ```
      
      * stackcount: Update examples and man page
      
      Add examples and man page documentation for kernel
      tracepoints, USDT tracepoints, and other features.
      
      * stackcount: Change printing format slightly
      
      When -p is specified, don't print the comm and pid. Also,
      when -P is specified for kernel probes (kprobes and
      tracepoints), use -1 for symbol resolution so that we
      don't try to resolve kernel functions as user symbols.
      Finally, print the comm and pid at the end of the stack
      output and not at the beginning.
    • fix filelife missing output (#729) · ba404cfe
      Brendan Gregg authored
  2. 04 Oct, 2016 7 commits
    • update tools map (#727) · 6e60fbc8
      Brendan Gregg authored
    • tcptop (#726) · 60393ea5
      Brendan Gregg authored
    • trace: Initialize USDT arguments to 0 before reading (#725) · b6db17f5
      Sasha Goldshtein authored
      Fixes #722, in which a USDT probe that has more than
      one location and the type of the argument is a string
      caused trace to potentially access an uninitialized
      stack variable, thereby not passing BPF program
      verification at load time.
    • argdist, trace: Native tracepoint support (#724) · 376ae5c0
      Sasha Goldshtein authored
      * Remove tracepoint.py
      
      The `Tracepoint` class which implements the necessary
      support for the tracepoint kprobe-based hack is no
      longer needed and can be removed.
      
      * argdist: Native tracepoint support
      
      This commit migrates argdist to use the native bcc/BPF
      tracepoint support instead of the hackish kprobe-
      based approach. The resulting programs are cleaner
      and likely more efficient.
      
      As a result of this change, there is a slight API
      change in how argdist is used with tracepoints. To
      access fields from the tracepoint structure, the user
      is expected to use `args->field` directly. This
      leverages most of the built-in bcc support for
      generating the tracepoint probe function.
      
      * trace: Native tracepoint support
      
      This commit migrates trace to use the native bcc/BPF
      tracepoint support instead of the hackish kprobe-
      based approach. The resulting programs are cleaner
      and likely more efficient.
      
      As with argdist, users are now expected to use the
      `args` structure pointer to access the tracepoint's
      arguments.
      
      For example:
      
      ```
      trace 't:irq:irq_handler_entry (args->irq != 27) "irq %d", args->irq'
      ```
    • argdist: Cumulative mode (-c) (#719) · d2f4762a
      Sasha Goldshtein authored
      By default, argdist now clears the histograms or freq
      count maps after each display interval. The new `-c`
      option enables cumulative mode, where maps are not
      cleared at each interval. This fixes #718.
    • trace: Print USDT arg helpers in verbose mode (#723) · f733cacf
      Sasha Goldshtein authored
      When verbose mode is enabled, ask all USDT helper
      objects to print out the argument helper functions,
      which help retrieve the argument values for each
      individual probe location. This can be useful for
      debugging probes; the helper functions are part of
      the loaded BPF program, so they need to be printed
      in verbose mode.
    • argdist, trace: Support naked executable names in probes (#720) · ec679711
      Sasha Goldshtein authored
      Fixes the error message from `BPF._find_exe` which would
      occur if argdist or trace had a naked executable name
      not qualified with a path, such as:
      
      ```
      trace 'r:bash:readline "%s", retval'
      ```
      
      This is now supported again.
  3. 03 Oct, 2016 1 commit
  4. 01 Oct, 2016 1 commit
  5. 30 Sep, 2016 3 commits
  6. 28 Sep, 2016 2 commits
  7. 27 Sep, 2016 2 commits
    • Fix or hide a few warnings (#695) · d19e0cb0
      Marco Leogrande authored
      * Flag ${LLVM_INCLUDE_DIRS} as a system include directory
      
      g++ supports a -isystem switch that can be used to mark a given
      directory as a system include directory. Warnings generated by system
      include directories are ignored by default.
      
      This commit hides a long list of warnings, like the following one,
      generated by llvm header files included from ${LLVM_INCLUDE_DIRS}:
      
       /usr/lib/llvm-3.7/include/clang/AST/APValue.h:373:44: warning:
         dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
      Signed-off-by: Marco Leogrande <marcol@plumgrid.com>
      
      * Fix 'defined but not used' warning
      
      Remove unused function from the USDT probes test.
      
      The warning was:
      
       tests/cc/test_usdt_probes.cc:59:15: warning:
         ‘size_t countsubs(const string&, const string&)’ defined but not used [-Wunused-function]
      Signed-off-by: Marco Leogrande <marcol@plumgrid.com>
    • Fix argdist, trace, tplist to use the libbcc USDT support (#698) · 69e361ac
      Sasha Goldshtein authored
      * Allow argdist to enable USDT probes without a pid
      
      The current code would only pass the pid to the USDT
      class, thereby not allowing USDT probes to be enabled
      from the binary path only. If the probe doesn't have
      a semaphore, it can actually be enabled for all
      processes in a uniform fashion -- which is now
      supported.
      
      * Reintroduce USDT support into tplist
      
      To print USDT probe information, tplist needs an API
      to return the probe data, including the number of
      arguments and locations for each probe. This commit
      introduces this API, called bcc_usdt_foreach, and
      invokes it from the revised tplist implementation.
      
      Although the result is not 100% identical to the
      original tplist, which could also print the probe
      argument information, this is not strictly required
      for users of the argdist and trace tools, which is
      why it was omitted for now.
      
      * Fix trace.py tracepoint support
      
      Somehow, the import of the Perf class was omitted
      from tracepoint.py, which would cause failures when
      trace enables kernel tracepoints.
      
      * trace: Native bcc USDT support
      
      trace now works again by using the new bcc USDT support
      instead of the home-grown Python USDT parser. This
      required an additional change in the BPF Python API
      to allow multiple USDT context objects to be passed to
      the constructor in order to support multiple USDT
      probes in a single invocation of trace. Otherwise, the
      USDT-related code in trace was greatly simplified, and
      uses the `bpf_usdt_readarg` macros to obtain probe
      argument values.
      
      One minor inconvenience that was introduced in the bcc
      USDT API is that USDT probes with multiple locations
      that reside in a shared object *must* have a pid
      specified to enable, even if they don't have an
      associated semaphore. The reason is that the bcc USDT
      code figures out which location invoked the probe by
      inspecting `ctx->ip`, which, for shared objects, can
      only be determined when the specific process context is
      available to figure out where the shared object was
      loaded. This limitation did not previously exist,
      because instead of looking at `ctx->ip`, the Python
      USDT reader generated separate code for each probe
      location with an incrementing identifier. It's not a
      very big deal because it only means that some probes
      can't be enabled without specifying a process id, which
      is almost always desired anyway for USDT probes.
      
      argdist has not yet been retrofitted with support for
      multiple USDT probes, and needs to be updated in a
      separate commit.
      
      * argdist: Support multiple USDT probes
      
      argdist now supports multiple USDT probes, as it did
      before the transition to the native bcc USDT support.
      This requires aggregating the USDT objects from each
      probe and passing them together to the BPF constructor
      when the probes are initialized and attached.
      
      Also add a more descriptive exception message to the
      USDT class when it fails to enable a probe.
  8. 26 Sep, 2016 4 commits
  9. 16 Sep, 2016 2 commits
    • Merge pull request #689 from chantra/tcpconnect_port · 0c8c179f
      Brendan Gregg authored
      [tcpconnect] filter traced connection based on destination ports
    • [tcpconnect] filter traced connection based on destination ports · 52938058
      chantra authored
      Test:
      While running:
      ```
      while [ 1 ]; do nc -w 1 100.127.0.1 80; nc -w 1 100.127.0.1 81; done
      ```
      
      ```
      root@vagrant:/mnt/bcc# ./tools/tcpconnect.py
      PID    COMM         IP SADDR            DADDR            DPORT
      19978  nc           4  10.0.2.15        100.127.0.1      80
      19979  nc           4  10.0.2.15        100.127.0.1      81
      19980  nc           4  10.0.2.15        100.127.0.1      80
      19981  nc           4  10.0.2.15        100.127.0.1      81
      root@vagrant:/mnt/bcc# ./tools/tcpconnect.py  -P 80
      PID    COMM         IP SADDR            DADDR            DPORT
      19987  nc           4  10.0.2.15        100.127.0.1      80
      19989  nc           4  10.0.2.15        100.127.0.1      80
      19991  nc           4  10.0.2.15        100.127.0.1      80
      19993  nc           4  10.0.2.15        100.127.0.1      80
      19995  nc           4  10.0.2.15        100.127.0.1      80
      root@vagrant:/mnt/bcc# ./tools/tcpconnect.py  -P 80,81
      PID    COMM         IP SADDR            DADDR            DPORT
      8725   nc           4  10.0.2.15        100.127.0.1      80
      8726   nc           4  10.0.2.15        100.127.0.1      81
      8727   nc           4  10.0.2.15        100.127.0.1      80
      8728   nc           4  10.0.2.15        100.127.0.1      81
      8729   nc           4  10.0.2.15        100.127.0.1      80
      ```
      
      Fixes #681
  10. 14 Sep, 2016 1 commit
  11. 12 Sep, 2016 1 commit
    • Fix bpf log buffer for large bpf program: (#680) · 2dece10a
      davidefdl authored
      Use tempfile module to create a temp file
      
      Fix some review input
      
      Fix style check
      
      Style
      
      Style check
      
      Remove builtin module from python test to run fedora ctest
      
      Let the program calling bpf_prog_load handle the log buffer
      
      Check max instruction before the syscall. Fix other review comment
  12. 11 Sep, 2016 2 commits
  13. 10 Sep, 2016 2 commits
  14. 09 Sep, 2016 2 commits
  15. 08 Sep, 2016 2 commits
  16. 30 Aug, 2016 1 commit
  17. 29 Aug, 2016 1 commit
  18. 25 Aug, 2016 1 commit
  19. 24 Aug, 2016 3 commits