Mention perf as universal counting tool in llcstat

Improve Python autoload syscall name handling

Added new footer.h header where BPF_LICENSE is set if not defined

Rewrite array accesses

Fix license recognition on GitHub.com

Closes #1757.

tools: remove unnecessary calls to bpf_probe_read

The second file with the license information, COPYRIGHT.txt, contains
the same information as LICENSE.txt, expect for the license's text.
However, it prevents Licensee, the tool used by GitHub to detect
licenses, from working properly as it doesn't know which file to take
into account.

Most of these calls have been rendered useless by a9f96c02 ("Recognize
context member dereferences despite array accesses (#1828)").

Stops at any array accesses on external pointers and tries to rewrite
both the array access and the member dereference if any, in one shot.
With this commit, the following C code is rewritten properly into a
single bpf_probe_read call.

int test(struct pt_regs *ctx, const struct qstr *name) {
    return name->name[1];
}

Based on Yonghong Song's code.

switch some fields from u64 to their natural size u32/u16

Signed-off-by: Oriol Arcas <oriol@starflownetworks.com>

based on kernel version, different kernel functions are kprobed.

Ensure dnf point to correct  package name.

* Add interface to Probe's getargs call

This commit allows the Probe instance to generate argument for arbitary
probe function

* Refactor C++ USDT implementation

This commit makes C++ USDT implementation uses the common USDT::Context
and USDT::Probe logic

* Add test case for C++ USDT API

* Improve FollyRequestContextSwitch example

Fix issue #1853.

Commit 7c489469 ("adjust tracepoint field type
based on size") tried to fix the tracepoint format
descrepancy between declared type and actual size is 8.
The type has to be promoted to match the size.

The commit introduced a bug if the field is an array.
For exmaple, block:block_rq_complete tracepoint has
field rwbs:
  field:char rwbs[8];	offset:32;	size:8;	signed:1;

The current implementation will incorrectly translate it
into
  s64 rwbs[8];
since it considers the type is "char".

This patch fixed this issue by checking the field name
and if it is an array, rewriting will be skipped.
Signed-off-by: Yonghong Song <yhs@fb.com>

Leftover from #986.

* Strict version dependencies for debian packages, closes #1770

* Use correct description for libbcc-examples debian package

Fix issue #1845.

The verbose output of argdist.py is broken.
The bpf.open_uprobes/open_kprobes have been
replaced by bpf.uprobe_fds/kprobe_fds.

Fix the argdist.py and add "-v" to the argdist.py test
in test_tools_smoke.py.
Signed-off-by: Yonghong Song <yhs@fb.com>

Leftover from #986.

KeyboardInterrupt exception is not handled anymore. It will be
propagated and handled by the caller.

Signed-off-by: Oriol Arcas <oriol@starflownetworks.com>

Signed-off-by: Oriol Arcas <oriol@starflownetworks.com>

Signed-off-by: Oriol Arcas <oriol@starflownetworks.com>

implement tracepoint based probing for tcpaccept.py.

The helpers.h header specifies the BPF program license as 'GPL'.
However, other GPL-compatible licenses are possible (e.g., Dual BSD/GPL)
or even proprietary licenses (e.g., cachetop can run with a proprietary
license).

With this commit, the user can specify a BPF_LICENSE macro in the source
code:

  #define BPF_LICENSE Custom license

Note it supports multiple words and the absence of quotes. If the BPF
doesn't have a GPL-compatible license and it uses any GPL-only helpers,
the kernel will reject it with:

  cannot call GPL only function from proprietary program

If no license is specified, it will fall back to GPL (the current
behavior before this commit) so that the BCC tools and examples remain
usable.

Updated the documentation with BPF_LICENSE description, licensing error
description, and licenses for each helper.
Signed-off-by: Oriol Arcas <oriol@starflownetworks.com>

While changing the stack_id to be signed, I accidentally screwed the
check for an invalid stack_id. Some reason I didn't catch this even in
my tests. This patch fixes the issue (thanks Erick Reyes for reporting).

By the way, one weirdness I see is invalid stack_id is printed as -17
when I print it in python.

When I do bpf_trace_printk, I get these ids:
root@localhost:/# cat /d/tracing/trace_pipe
          <idle>-0     [003] .n.3   942.100225: : sid: 15
          <idle>-0     [002] .n.3   943.140393: : sid: 15
     kworker/3:3-1798  [003] ...3   943.422768: : sid: 6
     kworker/3:3-1798  [003] ...3   943.423419: : sid: 6
     kworker/3:3-1798  [003] ...3   943.423967: : sid: 6
   BootAnimation-650   [003] .n.3   949.840268: : sid: 8
          <idle>-0     [003] .n.3   952.360226: : sid: 15
          <idle>-0     [000] ...3   953.100116: : sid: 11
    Binder:571_3-1469  [000] .n.3   953.513328: : sid: 3
          <idle>-0     [003] .n.3   954.760215: : sid: 15
    Binder:571_3-1469  [000] ...3   955.460271: : sid: 18446744073709551599
          <idle>-0     [003] .n.3   957.420275: : sid: 15
 irq/296-cs35l36-662   [000] ...3   958.422890: : sid: 5
     kworker/1:3-1729  [001] ...3   960.485247: : sid: 18446744073709551599
     kworker/1:3-1729  [001] ...3   960.485888: : sid: 18446744073709551599

As an equivalent, when I do a print of the stack_id from the python
code, I get:
stack_id 15
stack_id 15
stack_id 6
stack_id 6
stack_id 6
stack_id 8
stack_id 15
stack_id 11
stack_id 3
stack_id 15
stack_id -17
stack_id 15
stack_id 5
stack_id -17
stack_id -17

This isn't a big deal since the valid stack_ids match, but still
1.8446744e+19 is -1 in 64-bit speak. So I do find that odd.
Reported-by: Erick Reyes <erickreyes@google.com>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>

This tool detects code sections in the kernel where IRQs or preemption
are disabled for a user-specified amount of time.

Requires a kernel built with CONFIG_DEBUG_PREEMPT and
CONFIG_PREEMPTIRQ_EVENTS.
Signed-off-by: Joel Fernandes <joel@joelfernandes.org>

 fix socket protocol reading

* Fix external pointer propagation in nested dereferences

and fix the count of indirections for addrof of member dereferences
(&A->b).

In nested dereferences, a dereference of an external pointer may give
a new external pointer.  For example, if A is an external pointer,
then *A and A->b should also be considered as external pointers when
appropriate (e.g., in **A or *(A->b)).

In addition, a member dereference is a dereference, so we need to
count it when counting the number of indirections in ProbeChecker.
If we don't, *(&A->b) won't be rewritten correctly as &A->b will be
considered a pointer to an external pointer.

* Tests for the count of indirections in nested dereferences

Fix issue #1830.

After the rewrite, the code approximately becomes
  &({type _val; bpf_probe_read(&_val, sizeof(_val), &(p->m)); _val)

Firstly the rewriting is really unnecessary, and secondly
the compilation will fail since the addressOf cannot take address
of the rvalue _val.

C standard, however, allows the addressOf operand array subscript
expression, e.g.,
  &({type _val; bpf_probe_read(&_val, sizeof(_val), &(p->m)); _val)[0]

This patch intends to fix the problem by avoiding
the rewriting in the first place of addrressOf simple member expression.
It still permits addressOf the array subscript expression.
Signed-off-by: Yonghong Song <yhs@fb.com>

* Fix nested rewrites dereferences

When the rewriter meets a dereference of a member dereference it
fails to properly rewrite them into calls to bpf_probe_read.  The
reason is that Clang is unable to track the position of rewritten
text, but we can accommodate this by inserting text around the
dereference instead of completely rewriting it.  We are already
doing that for member dereference, but not for simple dereference.

* Test for the rewrite of nested dereferences

* Skip instead of bailing out if MemberExpr is not rewritable

* Recognize context member dereferences despite array accesses

For example, the rewriter should recognize, in the following, that
prev is an external pointer retrieved from the context pointer,
despite the access to the second element of the args array.

struct task_struct *prev = (struct task_struct *)ctx->args[1];

The same could be done for the translation of member dereferences to
bpf_probe_read calls, but that would be a little bit more complex (to
retrieve the correct base) and there's currently no tool that would
benefit from it.

* Test for the recognition of ext ptrs from context array

* tools: remove unnecessary bpf_probe_read calls

5d656bc7 made this calls unnecessary.

add __version__  attribute to bcc module

For the test case in this patch below,
 #define _(P) ({typeof(P) val = 0; bpf_probe_read(&val, sizeof(val), &P); val;})
 int count_tcp(struct pt_regs *ctx, struct sk_buff *skb) {
     return _(TCP_SKB_CB(skb)->tcp_gso_size);
 }

The clang AST will consider the whole `_(TCP_SKB_CB(skb)->tcp_gso_size)`
as a MemberExpr during AST traversal. However, it will consider
the start location of the member expression not rewritable.
Without this patch, we will get an error like below:
    /virtual/main.c:15:44: error: expected ';' after return statement
    return _(TCP_SKB_CB(skb)->tcp_gso_size)); _val; });
Basically, the start of bpf_probe_read() rewritingg failed but
later part succeeded, so the code becomes uncompilable.

Previously, we did not see such issues, but as rewriter got
more smarter this bug is exposed.

This patch fixed the issue by preventing rewriting the whole
expression if the start location for the member expression is
not rewritable.
Signed-off-by: Yonghong Song <yhs@fb.com>

* modify ext4slower.py for 4.10+ version

* modify ext4slower.py for 4.10+ version

* #1818

* Trace external pointers through function returns

Surprisingly, the rewriter wasn't able to trace external pointers
returned by inlined functions until now.  This commit fixes it by
adding functions that return an external pointer to ProbeVisitor's
set of external pointers, along with the levels of indirection.

This change requires reversing a few traversals to visit called
functions before they are called.  Then, we check the presence of an
external pointer on return statements and retrieve that information
at the call expression.

* Tests dereferences of ext ptrs returned by inlined func

* tcpdrop: remove unnecessary bpf_probe_read calls

e783567a makes these calls unnecessary.