1. 26 Sep, 2017 4 commits
    • Kirill Smelkov's avatar
      bpf_probe_read*: src argument should be const void *. · e628b509
      Kirill Smelkov authored
      For the following program:
      
          #include <linux/interrupt.h>
      
          // remember t(last-interrupt) on interface
          int kprobe__handle_irq_event_percpu(struct pt_regs *ctx, struct irq_desc *desc) {
              const char *irqname = desc->action->name;
      
              char c;
      
              bpf_probe_read(&c, 1, &irqname[0]);
              if (c != 'e') return 0;
      
              bpf_probe_read(&c, 1, &irqname[1]);
              if (c != 't') return 0;
      
              ...
      
      LLVM gives warnings because irqaction->name is `const char *`:
      
          /virtual/main.c:10:27: warning: passing 'const char *' to parameter of type 'void *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
              bpf_probe_read(&c, 1, &irqname[0]);
                                    ^~~~~~~~~~~
          /virtual/main.c:13:27: warning: passing 'const char *' to parameter of type 'void *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
              bpf_probe_read(&c, 1, &irqname[1]);
                                    ^~~~~~~~~~~
          ...
      
      Instead of adding casts in source everywhere fix bpf_probe_read* signature to
      indicate the memory referenced by src won't be modified, as it should be.
      
      P.S.
      
      bpf_probe_read_str was in fact already marked so in several places in comments
      but not in actual signature.
      e628b509
    • Kirill Smelkov's avatar
      hardirqs, softirqs: Fix distribution mode units handling · dfd10cd2
      Kirill Smelkov authored
      Even if units was μs and thus factor=1000 `hardirqs -d` and `softirqs
      -d` were printing actual data in nanoseconds but with distribution unit
      labeled as "usecs", e.g.:
      
          softirq = sched
               usecs               : count     distribution
                   0 -> 1          : 0        |                                        |
                   2 -> 3          : 0        |                                        |
                   4 -> 7          : 0        |                                        |
                   8 -> 15         : 0        |                                        |
                  16 -> 31         : 0        |                                        |
                  32 -> 63         : 0        |                                        |
                  64 -> 127        : 0        |                                        |
                 128 -> 255        : 0        |                                        |
                 256 -> 511        : 0        |                                        |
                 512 -> 1023       : 0        |                                        |
                1024 -> 2047       : 6        |*****                                   |
                2048 -> 4095       : 3        |**                                      |
                4096 -> 8191       : 8        |*******                                 |
                8192 -> 16383      : 31       |*****************************           |
               16384 -> 32767      : 42       |****************************************|
               32768 -> 65535      : 18       |*****************                       |
      
      Fix it.
      
      NOTE: not putting "/ FACTOR" into common code because for counting mode
      we do not want to round intermediate results as e.g. there could be lots
      of say 0.5μs interrupts that should be all accounted as N*0.5, not N*0.0.
      dfd10cd2
    • Kirill Smelkov's avatar
      execsnoop: Fix -x handling · 3514bb12
      Kirill Smelkov authored
      Execsnoop's documentation says -x/--fails means "also include failed
      exec()s". However it was programmed to instead skip successful execs on
      -x and without -x show all - successful and unsuccessful ones.
      
      The logic was broken in 5b47e0f8 ("execsnoop: use BPF_PERF_OUTPUT
      instead of trace pipe").
      
      Fix it.
      
      P.S. current test_tools_smoke.py only provides basic infrastructure for
      testing whether tool's BPF program won't break, without anything related
      to options handling, so unfortunately the patch comes without
      corresponding test.
      3514bb12
    • Paul Chaignon's avatar
      BCC macro for the creation of LPM trie maps (#1359) · 649e7f02
      Paul Chaignon authored
      LPM trie maps require the BPF_F_NO_PREALLOC flag on creation. The
      need for this flag is not obvious at first; this new macro should
      help avoid the mistake.
      649e7f02
  2. 25 Sep, 2017 1 commit
  3. 21 Sep, 2017 6 commits
  4. 20 Sep, 2017 3 commits
  5. 15 Sep, 2017 2 commits
  6. 13 Sep, 2017 1 commit
  7. 12 Sep, 2017 2 commits
  8. 09 Sep, 2017 2 commits
  9. 08 Sep, 2017 4 commits
  10. 07 Sep, 2017 4 commits
    • 4ast's avatar
      Merge pull request #1336 from palmtenor/noinstance · 6aec3099
      4ast authored
      Do not create instance for kprobe
      6aec3099
    • Brendan Gregg's avatar
      Merge pull request #1333 from samuelnair/fix-py-tut · 08dbf13f
      Brendan Gregg authored
      Fix for bug in lesson 4 of the Python developer tutorial
      08dbf13f
    • Alexei Starovoitov's avatar
      annotate program tag · 4f47e3b5
      Alexei Starovoitov authored
      during debug of production systems it's difficult to trace back
      the kernel reported 'bpf_prog_4985bb0bd6c69631' symbols to the source code
      of the program, hence teach bcc to store the main function source
      in the /var/tmp/bcc/bpf_prog_4985bb0bd6c69631/ directory.
      
      This program tag is stable. Every time the script is called the tag
      will be the same unless source code of the program changes.
      During active development of bcc scripts the /var/tmp/bcc/ dir can
      get a bunch of stale tags. The users have to trim that dir manually.
      
      Python scripts can be modified to use this feature too, but probably
      need to be gated by the flag. For c++ api I think it makes sense
      to store the source code always, since the cost is minimal and
      c++ api is used by long running services.
      
      Example:
      $ ./examples/cpp/LLCStat
      $ ls -l /var/tmp/bcc/bpf_prog_4985bb0bd6c69631/
      total 16
      -rw-r--r--. 1 root root 226 Sep  1 17:30 on_cache_miss.c
      -rw-r--r--. 1 root root 487 Sep  1 17:30 on_cache_miss.rewritten.c
      -rw-r--r--. 1 root root 224 Sep  1 17:30 on_cache_ref.c
      -rw-r--r--. 1 root root 484 Sep  1 17:30 on_cache_ref.rewritten.c
      
      Note that there are two .c files there, since two different
      bpf programs have exactly the same bytecode hence same prog_tag.
      
      $ cat /var/tmp/bcc/bpf_prog_4985bb0bd6c69631/on_cache_miss.c
      int on_cache_miss(struct bpf_perf_event_data *ctx) {
          struct event_t key = {};
          get_key(&key);
      
          u64 zero = 0, *val;
          val = miss_count.lookup_or_init(&key, &zero);
      ...
      Signed-off-by: default avatarAlexei Starovoitov <ast@fb.com>
      4f47e3b5
    • Alexei Starovoitov's avatar
      add helpers to access program tag · b1df37c8
      Alexei Starovoitov authored
      bpf_obj_get_info() to retreive prog_tag from the kernel based on prog_fd (kernel 4.13+)
      bpf_prog_compute_tag() to compute prog_tag from a set of bpf_insns (kernel independent)
      bpf_prog_get_tag() to retrieve prog_tag from /proc/pid/fdinfo/fd (kernel 4.10+)
      Signed-off-by: default avatarAlexei Starovoitov <ast@fb.com>
      b1df37c8
  11. 05 Sep, 2017 4 commits
  12. 04 Sep, 2017 6 commits
  13. 03 Sep, 2017 1 commit