BCC currently requires exactly matching headers. Sometimes this is quite
inconvenient especially if the kernel version is only very slightly
different such as updates in a stable kernel. This patch gives the user
the flexibility to override the the LINUX_VERSION_CODE provided in the
linux kernel headers, so that the eBPF program may load. We also print a
message when this is done, so that the user is warned about the override
happening and that results may be unpredictable.

Also updated the docs.
Signed-off-by: Joel Fernandes <joel@joelfernandes.org>

BPF_MAP_TYPE_LPM_TRIE supports element deletion since kernel commit
e454cf595853 ("bpf: Implement map_delete_elem for BPF_MAP_TYPE_LPM_TRIE")
which is available in 4.15 kernels onwards.
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>

* tools: use printb for more python3 compat

Switch to printb in killsnoop and wakeuptime

* tests: use subproceess sleep to trigger test

In some python implementations, time.sleep uses select instead of
nanosleep and hence won't trigger the bpf kprobe.

* tools: remove explicit python3 shebang

Use an ambiguous python invocation in the shebang line. Instead, rely on
packaging stage to mangle the line to specify a python version.

* cmake: add ENABLE_LLVM_SHARED option

This adds an option to specify that only the dynamic libraries should be
used to link bcc. This is most likely to be used in systems that don't
build/provide the llvm-static and clang-static package options
(fedora-based).

* rpm: enable llvm_shared and python3 build options

Enable rpm packaging with two new features:
 - shared-only packaging (no static linking)
 - python3
To enable these build features (off by default), run:
 RPM_WITH_OPTS="--with llvm_shared --with python3" ./scripts/build-rpm.sh

* rpm: protect python3-bcc package declaration

Don't define python3-bcc if --with python3 isn't explicitly specified.

* specs: only build python3 if requested

* man: compress man pages

* specs: enable python3 by default in fc28+/rh8+

- Enable llvm_shared and python3 --with options by default in new fedora
- Fix string quoting
- Update spec changelog

add usdt calls to libbcc static library

This fix adds additional accounting logic to the http_filter examples ("simple"
and "complete") that make sure to shift the pointer for the IP body/payload to
the correct offset before accessing TCP header fields. This is done by taking
into account the IP header length field. Previously, the IP header length field
was used, but it was done later in processing, after TCP header values were
extracted using the size of the BCC `proto.h` `struct ip_t` a static offset.

Prior to this, it was possible to evade HTTP detection by injecting IP options
data into the IP header that would spoof parts of the TCP header and shift the
real one down, as done in the scapy snippet below:

```Python
IP(
  dst=target[0],
  options=struct.pack(">BBHHHB",130,11,8080,0,0,0),
)/TCP(
  ...
)
```

Prevents the following error when tracing a java program that contains
non-ascii method name:

Traceback (most recent call last):
  File "/usr/share/bcc/tools/lib/ucalls", line 305, in <module>
    data = get_data()   # [(function, (num calls, latency in ns))]
  File "/usr/share/bcc/tools/lib/ucalls", line 266, in get_data
    bpf["counts"].items()))
  File "/usr/share/bcc/tools/lib/ucalls", line 264, in <lambda>
    kv[0].method.decode(),
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc4 in position 11: ordinal not in range(128)
Signed-off-by: Jerome Marchand <jmarchan@redhat.com>

* [profile.py]: adding support to collect profile only from specified CPU

Summary:
sometime it is usefull to collect stack only from single cpu
for example you have single core saturated while others dont and you
want to know whats going on there. in this diff i'm adding this ability
(network related code could be example of when single core is saturated
as usually you have 1 to 1 mappng between rx queue and cpu)

example of generated code w/ CPU specified:

./tools/profile.py -C 14 2 --ebpf
Sampling at 49 Hertz of all threads by user + kernel stack for 2 secs.

struct key_t {
    u32 pid;
    u64 kernel_ip;
    u64 kernel_ret_ip;
    int user_stack_id;
    int kernel_stack_id;
    char name[TASK_COMM_LEN];
};
BPF_HASH(counts, struct key_t);
BPF_STACK_TRACE(stack_traces, 16384);

// This code gets a bit complex. Probably not suitable for casual hacking.

int do_perf_event(struct bpf_perf_event_data *ctx) {

    if (bpf_get_smp_processor_id() != 14)
        return 0;

    u32 pid = bpf_get_current_pid_tgid() >> 32;
...

and w/o

./tools/profile.py  2 --ebpf
Sampling at 49 Hertz of all threads by user + kernel stack for 2 secs.

struct key_t {
    u32 pid;
    u64 kernel_ip;
    u64 kernel_ret_ip;
    int user_stack_id;
    int kernel_stack_id;
    char name[TASK_COMM_LEN];
};
BPF_HASH(counts, struct key_t);
BPF_STACK_TRACE(stack_traces, 16384);

// This code gets a bit complex. Probably not suitable for casual hacking.

int do_perf_event(struct bpf_perf_event_data *ctx) {

    u32 pid = bpf_get_current_pid_tgid() >> 32;
    if (!(1))
        return 0;
...

* addressing comments

* adding change in man

[tools/execsnoop] Try to get parent PID from current task's real parent.

tcptop: fix display of received bytes, reduce syscalls (fixes #1871)

bpf_get_current_task is only available in 4.8 and above.
Signed-off-by: David Calavera <david.calavera@gmail.com>

the keys variable was a reference to ipv4_recv_bytes, and after merging
the keys of ipv4_send_bytes the original ipv4_recv_bytes BPF table also
contained all keys, therefore the `if k in ipv4_recv_bytes` check a few
lines below always evaluates to true

with this commit all BPF tables are copied to userspace as dicts once
(to reduce the number of syscalls) and the keys are merged in a new dict

Signed-off-by: David Calavera <david.calavera@gmail.com>

fix get_table_offline for percpu hash table

Signed-off-by: David Calavera <david.calavera@gmail.com>

Fallback to read the PPid from /proc if the real parent's TGID is 0.
Signed-off-by: David Calavera <david.calavera@gmail.com>

Use get_value() instead of lookup() as the value as in the case of
percpu tables the ValueType is an std::vector that has to be resized
before performing the lookup function.

Add also some testing for it.

Solves https://github.com/iovisor/bcc/issues/1860Signed-off-by: Mauricio Vasquez B <mauricio.vasquez@polito.it>

debian: add llvm6.0 as possible dependency

Mention perf as universal counting tool in llcstat

Improve Python autoload syscall name handling

Added new footer.h header where BPF_LICENSE is set if not defined

Rewrite array accesses

Fix license recognition on GitHub.com

In recent Ubuntu, llvm 6 is available. Use that as control file
dependency option.

Closes #1757.

tools: remove unnecessary calls to bpf_probe_read

The second file with the license information, COPYRIGHT.txt, contains
the same information as LICENSE.txt, expect for the license's text.
However, it prevents Licensee, the tool used by GitHub to detect
licenses, from working properly as it doesn't know which file to take
into account.

Most of these calls have been rendered useless by a9f96c02 ("Recognize
context member dereferences despite array accesses (#1828)").

Stops at any array accesses on external pointers and tries to rewrite
both the array access and the member dereference if any, in one shot.
With this commit, the following C code is rewritten properly into a
single bpf_probe_read call.

int test(struct pt_regs *ctx, const struct qstr *name) {
    return name->name[1];
}

Based on Yonghong Song's code.

switch some fields from u64 to their natural size u32/u16

Signed-off-by: Oriol Arcas <oriol@starflownetworks.com>

based on kernel version, different kernel functions are kprobed.

Ensure dnf point to correct  package name.

* Add interface to Probe's getargs call

This commit allows the Probe instance to generate argument for arbitary
probe function

* Refactor C++ USDT implementation

This commit makes C++ USDT implementation uses the common USDT::Context
and USDT::Probe logic

* Add test case for C++ USDT API

* Improve FollyRequestContextSwitch example

Fix issue #1853.

Commit 7c489469 ("adjust tracepoint field type
based on size") tried to fix the tracepoint format
descrepancy between declared type and actual size is 8.
The type has to be promoted to match the size.

The commit introduced a bug if the field is an array.
For exmaple, block:block_rq_complete tracepoint has
field rwbs:
  field:char rwbs[8];	offset:32;	size:8;	signed:1;

The current implementation will incorrectly translate it
into
  s64 rwbs[8];
since it considers the type is "char".

This patch fixed this issue by checking the field name
and if it is an array, rewriting will be skipped.
Signed-off-by: Yonghong Song <yhs@fb.com>

Leftover from #986.

* Strict version dependencies for debian packages, closes #1770

* Use correct description for libbcc-examples debian package