1. 17 Oct, 2016 1 commit
    • trace: STRCMP helper function · f4797b0c
      Sasha Goldshtein authored
      `trace` filters and print expressions can now use the
      magic STRCMP helper function to compare strings. The first
      string must be a compile-time constant literal string,
      such as "test", and the second string can be determined at
      runtime (e.g., from a function argument). The codegen for
      STRCMP is on a case-by-case basis for each literal string,
      and it generates an inline function with a constant-length
      loop that compares the string's characters. This is a
      decent workaround until we get something more reasonable
      from the kernel side, such as a `bpf_strcmp` helper.
      
      Usage example:
      
      ```
      trace 'p:c:open (STRCMP("test.txt", arg1)) "%s", arg1'
      ```
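An added illustration of the per-literal codegen this commit message describes, not code from bcc: each literal gets its own C helper with a constant-trip-count loop, and the literal is escaped through an allowlist before it is pasted into C source. The names `c_escape`, `gen_streq`, `rewrite_strcmp` and `model_streq` are hypothetical, and comparing the terminating NUL (exact match rather than prefix match) is a choice made for this example.

```python
import re
import string

# Hypothetical names throughout; this is not bcc's trace.py.
_SAFE = set((string.ascii_letters + string.digits + " ._-/").encode())
_STRCMP = re.compile(r'STRCMP\(\s*"([^"\\]*)"\s*,\s*')

def c_escape(raw: bytes) -> str:
    """Body of a C string literal: allowlisted bytes as-is, the rest as
    3-digit octal escapes so nothing can close the literal early."""
    return "".join(chr(b) if b in _SAFE else "\\%03o" % b for b in raw)

def gen_streq(literal: bytes, index: int):
    """Emit one helper per literal; the loop bound is a compile-time constant."""
    name = "streq_%d" % index
    n = len(literal) + 1  # include the NUL so only exact matches pass
    src = (
        "static inline bool %s(const void *str) {\n"
        "    char needle[%d] = \"%s\";\n"
        "    char haystack[%d] = {0};\n"
        "    bpf_probe_read(&haystack, sizeof(haystack), str);\n"
        "    for (int i = 0; i < %d; ++i)\n"
        "        if (needle[i] != haystack[i])\n"
        "            return false;\n"
        "    return true;\n"
        "}\n" % (name, n, c_escape(literal), n, n)
    )
    return name, src

def rewrite_strcmp(expr: str):
    """Replace each STRCMP("lit", x) with streq_N(x); return (expr, helpers)."""
    helpers = []
    def repl(m):
        name, src = gen_streq(m.group(1).encode(), len(helpers))
        helpers.append(src)
        return name + "("
    return _STRCMP.sub(repl, expr), helpers

def model_streq(literal: bytes, runtime: bytes) -> bool:
    """Python mirror of the generated loop, to check the comparison semantics."""
    needle = literal + b"\0"
    haystack = (runtime + b"\0").ljust(len(needle), b"\0")[:len(needle)]
    for i in range(len(needle)):  # fixed trip count, like the C loop
        if needle[i] != haystack[i]:
            return False
    return True

# Filter expression taken from the usage example in the commit message.
EXPR = '(STRCMP("test.txt", arg1))'
```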
  2. 19 Oct, 2016 6 commits
    • Merge pull request #763 from goldshtn/enhanced-funccount · 56ddca09
      Brendan Gregg authored
      funccount: Generalized for uprobes, tracepoints, and USDT
    • python: Fix kprobe quota test breakage, add uprobes · 367234ad
      Sasha Goldshtein authored
      As part of the funccount work, the kprobe quota test doesn't fail
      early when adding multiple kprobes at once (with `event_re`), but
      rather only when the 1000th probe is being added. Revert to the old
      behavior, which fixes the `test_probe_quota` test. Add similar test
      for uprobes, `test_uprobe_quota`, which tests the recently-added
      uprobe regex support.
    • funccount: Generalize for uprobes, tracepoints, and USDT · ff3b9f37
      Sasha Goldshtein authored
      This commit updates `funccount` to support attaching to a set of
      user functions, kernel tracepoints, or USDT probes using familiar
      syntax. Along the way, the implementation has been updated to use
      a separate BPF function for each target function, because using
      the instruction pointer to determine the function name doesn't
      work for anything other than kprobes. Even though the BPF program
      can now be potentially larger, testing with 40-50 attach points
      shows no significant overhead compared to the previous version.
      
      Examples of what's now possible:
      
      ```
      funccount t:block:*
      funccount u:node:gc*
      funccount -r 'c:(read|write)$'
      funccount -p 142 u:ruby:object__create
      ```
    • bcc: Make regex helpers publicly accessible · e84febdf
      Sasha Goldshtein authored
      Make the `get_user_functions`, `get_kprobe_functions`, and
      `get_tracepoints` methods publicly accessible from the BPF class.
      These can then be used by tools that need to do their own work
      before attaching programs to a set of functions or tracepoints.
    • Sasha Goldshtein's avatar
      b778ccd9
    • Brendan Gregg's avatar
      ac297c1e
  3. 18 Oct, 2016 9 commits
    • add output notes to doc (#765) · 5845ef9c
      Brendan Gregg authored
    • Tools lint cleanup (#764) · f41ae861
      Sasha Goldshtein authored
      * argdist: linter cleanup
      
      * cpudist: linter cleanup
      
      * execsnoop: linter cleanup
      
      * funclatency: linter cleanup
      
      * gethostlatency: linter cleanup
      
      * hardirqs: linter cleanup
      
      * memleak: linter cleanup
      
      * mountsnoop: linter cleanup
      
      * offcputime: linter cleanup
      
      * softirqs: linter cleanup
      
      * solisten: linter cleanup and u+x mode
      
      * stacksnoop: linter cleanup
      
      * tplist: linter cleanup
      
      * trace: linter cleanup
    • Merge pull request #752 from goldshtn/mysqld-slower-fix · 78a3341c
      Brenden Blanco authored
      mysqld_slower: Fix breakage after USDT API change
    • add slabratetop (#759) · 203b4c91
      Brendan Gregg authored
    • trace, argdist: -I switch for trace and miscellaneous fixes (#761) · 4725a726
      Sasha Goldshtein authored
      * trace: Additional include files support
      
      Similarly to `argdist`, `trace` now has a `-I` option for adding
      include files that can be used in filter and print expressions.
      This also required a slight modification to `argdist`'s syntax
      for consistency: where previously we would allow `-I header1 header2`,
      we now require `-I header1 -I header2` to avoid any mixups with
      which argument is a header file and which is a probe for `trace`.
      
      This is very unlikely to break anyone, because I haven't seen the
      `-I` option used at all, not to mention extensively with multiple
      headers.
      
      Also made sure the man and example pages are up to date.
      
      * argdist: Update -C and -H switches for consistency
      
      This commit updates `argdist`'s `-H` and `-C` switches for consistency
      with the `-I` switch and `trace`'s switches. Specifically, each probe
      needs an explicit `-C` or `-H` specifier in front of it. This also
      allows safe and understandable mixing of histogram and counting probes,
      for example:
      
      ```
      argdist -C 'p:c:write()' -H 'p::vfs__write(int fd, const void *buf, size_t size):size_t:size#write sizes'
      ```
      
      * trace: Fix stack trace support for tracepoints
      
      Tracepoint probes don't have a `ctx` argument; it's called `args`
      instead. The recently-added stack trace support code didn't take
      this into account, and consequently didn't work for tracepoints.
      This commit fixes the issue, so we can now do things like
      `trace -K t:block:block_rq_complete`.
    • Merge pull request #701 from dkronst/master · 2035edb3
      Brenden Blanco authored
      Making selection of kernel headers type automatic
    • cc: Support glob+offset format in USDT arguments (#753) · 163a73fa
      Sasha Goldshtein authored
      Modern versions of USDT probes (such as what's found in
      PostgreSQL when compiled with `--enable-dtrace`) may have
      the offset listed after the global symbol for USDT
      arguments of the format `4@symbol+8(%rip)`. This commit
      extends the argument parser to support these cases, adds
      tests for these cases, and makes sure that in case of a
      parse error, the parser always moves forward and consumes
      at least one character. Presently, the parser would get
      stuck on the problematic position and enter an infinite
      loop.
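An added illustration of the two points in this commit message, not libbcc's parser: accepting the `4@symbol+8(%rip)` form, and guaranteeing that a parse error always consumes at least one character so malformed input cannot stall the loop. The function names are hypothetical, and the other operand forms handled (register, constant, register-relative dereference) go beyond the page; they are the usual x86-64 USDT argument forms.

```python
import re

# Hypothetical parser, not libbcc's. Grammar per argument: [-]size@operand
_ARG = re.compile(r"""
    (?P<size>-?\d+)@
    (?: \$(?P<const>-?\d+)
      | %(?P<reg>\w+)
      | (?: (?P<sym>[A-Za-z_.][\w.]*) (?P<symoff>[+-]\d+)?
          | (?P<off>-?\d+) )?
        \(%(?P<base>\w+)\)
    )""", re.VERBOSE)

def _to_arg(m):
    size = int(m["size"])
    arg = {"size": abs(size), "signed": size < 0}
    if m["const"] is not None:
        arg.update(kind="const", value=int(m["const"]))
    elif m["reg"] is not None:
        arg.update(kind="reg", reg=m["reg"])
    else:
        arg.update(kind="deref", base=m["base"], symbol=m["sym"],
                   offset=int(m["symoff"] or m["off"] or 0))
    return arg

def parse_usdt_args(text):
    """Return (args, errors); errors are (position, skipped_text) pairs."""
    args, errors, pos = [], [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = _ARG.match(text, pos)
        # A valid argument must end at whitespace or end of input.
        if m and (m.end() == len(text) or text[m.end()].isspace()):
            args.append(_to_arg(m))
            pos = m.end()
            continue
        # Parse error: resynchronise at the next whitespace. Starting the
        # scan at pos + 1 guarantees forward progress on any input.
        nxt = pos + 1
        while nxt < len(text) and not text[nxt].isspace():
            nxt += 1
        errors.append((pos, text[pos:nxt]))
        pos = nxt
    return args, errors

# Constructed sample: one glob+offset argument, one malformed token,
# one signed register-relative argument.
SAMPLE = "4@symbol+8(%rip) 4@@bad -8@-16(%rbp)"
```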
    • Merge pull request #754 from iovisor/dkalani_dev · 6ac44b5a
      Brenden Blanco authored
      Add vxlan gbp header
    • Support filtering by process ID in the filesystem slower tools (#756) · c8b9ae3a
      Dina Goldshtein authored
      * Filter by process ID in ext4slower
      
      * Updated the rest of the tools to filter by process ID
  4. 17 Oct, 2016 2 commits
  5. 16 Oct, 2016 2 commits
  6. 15 Oct, 2016 1 commit
  7. 11 Oct, 2016 1 commit
    • trace: Add %K and %U format specifiers (#742) · accd4cf5
      Sasha Goldshtein authored
      The %K and %U format specifiers can be used in a trace
      format string to resolve kernel and user symbols,
      respectively. For example, the pthread_create USDT probe
      has an argument pointing to the new thread's function.
      To trace pthread_create and print the symbolic name of
      the new thread's function, use:
      
      ```
      trace 'u:pthread:pthread_create "%U", arg3'
      ```
      
      The %U specifier resolves addresses in the event's process,
      while the %K specifier resolves kernel addresses.
  8. 10 Oct, 2016 2 commits
  9. 09 Oct, 2016 1 commit
    • Update INSTALL.md · 65445f12
      Eric W authored
      Quickstart leaves out installing the examples.
  10. 06 Oct, 2016 5 commits
    • Fix #735 (#736) · 0c461c98
      Marco Leogrande authored
      GCC 6 behaves slightly differently when using -isystem, and our use of
      that parameter is causing a build failure. Avoid using -isystem on
      gcc6+ for now, until that compiler becomes a bit more mainstream and
      we can debug further.
      
      Failure had been introduced in d19e0cb0.
      Signed-off-by: Marco Leogrande <marcol@plumgrid.com>
    • funclatency: user functions support (#733) · a466c469
      Sasha Goldshtein authored
      * bcc: Allow custom bucket formatting for histogram keys
      
      When histogram keys are complex structures (`ct.Structure`
      created from C struct), they can't be used as dictionary keys
      for counting purposes without a custom hashing function.
      Allow the user to provide such hashing function when calling
      `print_log_hist` to print the histogram.
      
      * bcc: Allow regular expression in attach_uretprobe
      
      Similarly to `attach_uprobe`, `attach_uretprobe` now supports
      taking a regular expression.
      
      * funclatency: Support user functions
      
      funclatency now supports user functions (including regular
      expressions) in addition to kernel functions. When multiple
      processes are traced, the output is always per-function, per-
      process. When a single process is traced, the output can be
      combined for all traced functions (as with kernel functions).
      
      Usage examples:
      
      ```
      funclatency pthread:*mutex* -p 6449 -F
      funclatency c:read
      funclatency dd:* -p $(pidof dd) -uF
      ```
    • Update Clang download in INSTALL.md for FC (#732) · db287f59
      Sasha Goldshtein authored
      FC23 and FC24 need Clang 3.9.0 because of ABI changes in the C++
      runtime library. Split the installation instructions to FC22 and
      FC23/24.
    • tplist: Print USDT locations and arguments (#734) · 6e91a74b
      Sasha Goldshtein authored
      * cc: Add USDT location and argument reporting
      
      libbcc now exposes USDT location and argument information using
      two new APIs: `bcc_usdt_get_location` and `bcc_usdt_get_argument`.
      
      * python: Retrieve USDT locations and arguments
      
      Add wrappers in the libbcc.py file to access the new APIs for
      retrieving USDT location and argument information. Also add
      high-level classes in usdt.py to access this information and
      format arguments and locations in a shape suitable for display.
      
      * tplist: Print USDT locations and arguments
      
      Add super-verbose mode (-vv) to tplist where it prints USDT locations
      and arguments including full detail on registers, offsets, and global
      identifier offsets.
    • src/lua: LuaJIT BPF compiler, examples, tests (#652) · 676f357a
      Marek Vavruša authored
      This is the initial commit of the LuaJIT bytecode to BPF
      compiler project that enables writing both the kernel
      and user parts of the code as Lua.
  11. 05 Oct, 2016 3 commits
    • stackcount: Support uprobes, tracepoints, and USDT (#730) · 07175d05
      Sasha Goldshtein authored
      * stackcount: Support user-space functions
      
      Add support for user-space functions in `stackcount` by taking an additional
      `-l` command-line parameter specifying the name of the user-space library.
      When a user-space library is specified, `stackcount` attaches to a specific
      process and traces a user-space function with user-space stacks only.
      Regex support for uprobes (similar to what is available for kprobes) is
      not currently provided.
      
      Also add a couple of functions to the `BPF` object for consistency.
      
      * bcc: Support regex in attach_uprobe
      
      attach_kprobe allows a regular expression for the function name,
      while attach_uprobe does not. Add support in libbcc for enumerating
      all the function symbols in a binary, and use that in the BPF module
      to attach uprobes according to a regular expression. For example:
      
      ```python
      bpf = BPF(text="...")
      bpf.attach_uprobe(name="c", sym_re=".*write$", fn_name="probe")
      ```
      
      * python: Support regex in attach_tracepoint
      
      Modify attach_tracepoint to take a regex argument, in which case
      it enumerates all tracepoints matching that regex and attaches to
      all of them. The logic for enumerating tracepoints should eventually
      belong in libbcc and be shared across all the tools (tplist, trace
      and so on).
      
      * cc: Fix termination condition bug in symbol enumeration
      
      bcc_elf would not terminate the enumeration correctly when the
      user-provided callback returned -1 but there were still more
      sections remaining in the ELF to be enumerated.
      
      * stackcount: Support uprobes and tracepoints
      
      Refactored stackcount and added support for uprobes and tracepoints,
      which also required changes to the BPF module. USDT support still
      pending.
      
      * bcc: Refactor symbol listing to use foreach-style
      
      Refactor symbol listing from paging style to foreach-style with a
      callback function per-symbol. Even though we're now performing a
      callback from C to Python for each symbol, this is preferable to the
      paging approach because we need all the symbols in the current use
      case.
      
      Also refactored `stackcount` slightly; only missing support for USDT
      probes now.
      
      * stackcount: Support per-process displays
      
      For user-space functions, or when requested for kernel-space
      functions or tracepoints, group the output by process. Toggled
      with the -P switch, off by default (except for user-space).
      
      * Fix rebase issues, print pid only when there is one
      
      * stackcount: Add USDT support
      
      Now, stackcount supports USDT tracepoints in addition to
      kernel functions, user functions, and kernel tracepoints.
      The format is the same as with the other general-purpose
      tools (argdist, trace):
      
      ```
      stackcount -p $(pidof node) u:node:gc*
      stackcount -p 185 u:pthread:pthread_create
      ```
      
      * stackcount: Update examples and man page
      
      Add examples and man page documentation for kernel
      tracepoints, USDT tracepoints, and other features.
      
      * stackcount: Change printing format slightly
      
      When -p is specified, don't print the comm and pid. Also,
      when -P is specified for kernel probes (kprobes and
      tracepoints), use -1 for symbol resolution so that we
      don't try to resolve kernel functions as user symbols.
      Finally, print the comm and pid at the end of the stack
      output and not at the beginning.
    • Merge branch 'master' into master · 799cda9b
      Dror Kronstein authored
    • fix filelife missing output (#729) · ba404cfe
      Brendan Gregg authored
  12. 04 Oct, 2016 7 commits
    • update tools map (#727) · 6e60fbc8
      Brendan Gregg authored
    • tcptop (#726) · 60393ea5
      Brendan Gregg authored
    • trace: Initialize USDT arguments to 0 before reading (#725) · b6db17f5
      Sasha Goldshtein authored
      Fixes #722, in which a USDT probe that has more than
      one location and the type of the argument is a string
      caused trace to potentially access an uninitialized
      stack variable, thereby not passing BPF program
      verification at load time.
    • argdist, trace: Native tracepoint support (#724) · 376ae5c0
      Sasha Goldshtein authored
      * Remove tracepoint.py
      
      The `Tracepoint` class which implements the necessary
      support for the tracepoint kprobe-based hack is no
      longer needed and can be removed.
      
      * argdist: Native tracepoint support
      
      This commit migrates argdist to use the native bcc/BPF
      tracepoint support instead of the hackish kprobe-
      based approach. The resulting programs are cleaner
      and likely more efficient.
      
      As a result of this change, there is a slight API
      change in how argdist is used with tracepoints. To
      access fields from the tracepoint structure, the user
      is expected to use `args->field` directly. This
      leverages most of the built-in bcc support for
      generating the tracepoint probe function.
      
      * trace: Native tracepoint support
      
      This commit migrates trace to use the native bcc/BPF
      tracepoint support instead of the hackish kprobe-
      based approach. The resulting programs are cleaner
      and likely more efficient.
      
      As with argdist, users are now expected to use the
      `args` structure pointer to access the tracepoint's
      arguments.
      
      For example:
      
      ```
      trace 't:irq:irq_handler_entry (args->irq != 27) "irq %d", args->irq'
      ```
    • argdist: Cumulative mode (-c) (#719) · d2f4762a
      Sasha Goldshtein authored
      By default, argdist now clears the histograms or freq
      count maps after each display interval. The new `-c`
      option enables cumulative mode, where maps are not
      cleared at each interval. This fixes #718.
    • trace: Print USDT arg helpers in verbose mode (#723) · f733cacf
      Sasha Goldshtein authored
      When verbose mode is enabled, ask all USDT helper
      objects to print out the argument helper functions,
      which help retrieve the argument values for each
      individual probe location. This can be useful for
      debugging probes; the helper functions are part of
      the loaded BPF program, so they need to be printed
      in verbose mode.
    • argdist, trace: Support naked executable names in probes (#720) · ec679711
      Sasha Goldshtein authored
      Fixes the error message from `BPF._find_exe` which would
      occur if argdist or trace had a naked executable name
      not qualified with a path, such as:
      
      ```
      trace 'r:bash:readline "%s", retval'
      ```
      
      This is now supported again.