the BPF maps and pointers were previously
implicitly dereferenced whenever an operation
on them required a value and not a pointer.
the upside is that accessing map element data
didn’t require an explicit operation, the downside
is that it wasn’t possible to get the value
explicitly.

this makes it possible to dereference any pointer
and materialize the value in the register as long
as it’s shorter than register width using `ptr[0]`
element access operator.

the DW LD_ABS|IND is prohibited, so it is
implemented as a double W load with shift.
this is slow as it also has to undo the ntohl
semantics of W loads, but makes dissection of
64bit fields with absolute addressing possible 

the direct access to packet is implemented as
a `load_bytes(off, var)` built-in for basic support,
there is no implicit data loader using it yet

the packet can now use indirect addressing mode
using NET_OFF to read from network protocol off

it has convenience dissectors for IPv4 and IPv6,
that can be used like:

```
local net = pkt.net_off
if net.ver == 4 then
    local ip = net.ip
else
    local ip6 = net.ip6
end
```

Free demangle_name after use

docs: update list of XDP compatible drivers

Add missing nfp driver to the list.

While we're at it, add name and pointers for other drivers for which XDP
support is known to exist, but has not yet been pushed to the main
kernel branch.

Note that e1000e is not available online at this date, the link points
to an email stating that the patch could be provided upon request.

Extend cpp table API

* KVM hypercall analysis example

* Update README with KVM analysis example

When events were lost, we used to print a message to stderr, which is less useful.
Now, we allow attaching an optional callback that would be invoked when events
are lost, allowing the user's program to perform some additional processing.

Signed-off-by: Mauricio Vasquez B <mauricio.vasquez@polito.it>

Before this commit there was not a specify way to handle a map of type
array. A workaround was to use it as a hash table with int as key type.

This commit creates a new class (BPFArrayTable) that allows to get and
update the value of an element.
Signed-off-by: Mauricio Vasquez B <mauricio.vasquez@polito.it>

This commit extends the api for hash tables allowing to get, update and
delete elements
Signed-off-by: Mauricio Vasquez B <mauricio.vasquez@polito.it>

RFC: rework of shared table into multiple classes

Add table_storage.h to list of installed files for external c++ linking.
Signed-off-by: Brenden Blanco <bblanco@gmail.com>

Adds a reference to the ts_ member, for use by BPF class to access the
storage object and perform lookups.

Note that get_hash_table/get_stack_table don't have an error return, so
failure to lookup the table name will result in undefined behavior
(which is actually the case prior to this commit as well).

Also update indentation per clang-format
Signed-off-by: Brenden Blanco <bblanco@gmail.com>

Adds a TableStorage class for use by language frontends to store/access
references to loaded bpf maps. Includes support for shared and
namespaced maps, in a directory-like hierarchy.

Add a FileDesc helper class to automatically wrap open file descriptors.
The object prevents implicit copying of the fd (allows only
rvalue/move()), and takes care of the close() call.

Add a reference implementation of a TableStorageImpl that performs the
current default behavior expected by BPF_TABLE_PUBLIC, which is to share
maps between BPFModules in the same-process only. A stub implementation
for bpffs is started.

Update b/clang frontends to use this new class.

Also included is a framework for extracting the type information of maps
in an extensible way. Migrate BMapDeclVisitor to use this as the first
consumer.
Signed-off-by: Brenden Blanco <bblanco@gmail.com>

update tools diagram

funcslower: Trace slow kernel or user function calls

stacksnoop: Retire and move to examples/tracing

This tool attaches to entry and return points of specified
functions and traces function calls slower than a given threshold.

Resolves #915.

Move stacksnoop to examples/tracing. Originally we considered
leaving a script that redirects to the `trace` tool, but decided
not to. Any users of stacksnoop can migrate directly to `trace`.

Resolves #737.

Inserts element in map only if it does not already exist. Throws a
warning during rewriter step if used on a BPF array.

* Add an option to resolve address without demangling

* Expose new no-demangling option to Python

Fix some documentation mistakes

* tools: add tcptracer

This allows tracking TCP connections by tracking TCP connects, closes
and accepts.

This is different from existing tools like tcpconnect or tcpaccept in
that:

* It includes more information like network namespace or source ports
for tcpconnects or remote ports for tcpaccepts
* It traces tcp_close allowing to see when a connection ends
* It only shows information about established connections

* tcptracer: add to README

* tcptracer: add example

* tcptracer: add man page

* cc: bcc function to detect the language of a process

bcc_procutils_language looks into /proc/$pid/cmdline, /proc/$pid/exe,
and /proc/$pid/maps to determine the language.
Python wrapper takes a list of candidate languages; if the detected
language is not part of the list, None is returned.

* u* tools: automatically detect the language

Uses the detect_language bcc helper. -l switch can override the
detected language. In uthreads and ucalls, the language can be
overwritten to 'none' to trace pthreads and syscalls respectively.

All tools use the -l switch to set the language, for consistency.

Improve helper Macros

* Bcc should look at mountns during symbol resolution.

Allow bcc to resolve symbols in processes that have mappings in a
different mount namespace.  This allows us to obtain stack traces from
the host when our target resides in a container.  With this change it's
possible to get stacks from targets that used to show up as unknown.

* When searching for perf-map files look in container, and then host.

Allow perf-map files to exist either in the container under the pid
that's specific to the container's pid namespace, or in the host
container using the pid that's specific to the initial pid namespace.
This lets us store the perf-map either in the continer or on the host,
depending upon which is easier for the person performing the debugging.

* Allow bcc to place uprobes and USDT probes in containers.

The uprobe/usdt mechanism uses the target's inode in order to determine
where to place the probe.  The inode lookup occurs at the time the file
path is written to uprobe_events.  If bpf_attach_uprobe() has been
passed a pid, and that pid is in a different mount namespace from the
caller, attempt to switch to the victim's mount namespace so that we can
select the correct inode for the probe.

* Add unit tests for the container improvements code.