bpftrace-notes
installation
sudo snap install bpftrace
sudo snap connect bpftrace:system-trace or
sudo apt install bpftrace build bpftrace from source code
sudo apt-get update
sudo apt-get install -y bison cmake flex g++ git libelf-dev zlib1g-dev libfl-dev systemtap-sdt-dev binutils-dev
sudo apt-get install -y llvm-7-dev llvm-7-runtime libclang-7-dev clang-7
sudo apt-get install libgtest libgtest-dev libgmock-dev
git clone https://github.com/iovisor/bpftrace
mkdir bpftrace/build; cd bpftrace/build;
cmake -DCMAKE_BUILD_TYPE=Release ..
make -j8
sudo make installbpftrace + uprobe
sudo bpftrace -e 'uprobe:/lib/x86_64-linux-gnu/libc.so.6:fopen { printf("fopen: %s\n", str(arg0)); }'
sudo bpftrace -e 'uprobe:/usr/lib/x86_64-linux-gnu/libva.so.2.1200.0:vaInitialize { printf("vaInitialize: %d\n", arg0); }'
sudo bpftrace -e 'uprobe:/usr/lib/x86_64-linux-gnu/libva.so.2.1200.0:vaCreateContext { printf("config = %d, w = %d, h = %d\n", arg1, arg2, arg3); }'
sudo bpftrace -e 'uprobe:/usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so:mos_gem_context_create_ext { printf("mos_gem_context_create_ext\n"); }'
sudo bpftrace -e 'uprobe:/usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so:do_exec2 { printf("do_exec2\n"); }'
sudo bpftrace -e 'uprobe:/usr/lib/x86_64-linux-gnu/libdrm.so.2.4.0:drmIoctl { printf("drmIoctl: fd = %d, request = %ld\n", arg0, arg1); }'bpftrace + kprobe
Lesson 1. Listing Probes
sudo bpftrace -l 'tracepoint:syscalls:sys_enter_*'Lesson 2. Hello World
sudo bpftrace -e 'BEGIN { printf("hello world\n"); }'Lesson 3. File Opens
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s %s\n", comm, str(args->filename)); }'
# list function parameters
sudo bpftrace -vl tracepoint:i915:i915_request_queue
tracepoint:i915:i915_request_queue
u32 dev;
u64 ctx;
u16 class;
u16 instance;
u32 seqno;
u32 flags;
sudo bpftrace -e 'tracepoint:i915:i915_request_queue { printf("[%s-%d], %d, %llx\n", comm, pid, args->dev, args->ctx); }'Lesson 4. Syscall Counts By Process
sudo bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
sudo bpftrace -e 'tracepoint:i915:i915_request_queue { @[comm] = count(); }'
# @[ffmpeg]: 100
# @[code]: 342
# @[gnome-shell]: 369
# @[Xorg]: 407
Lesson 5. Distribution of read() Bytes
sudo bpftrace -e 'tracepoint:syscalls:sys_exit_read /pid >= 5000/ { @bytes = hist(args->ret); }'
sudo bpftrace -e 'tracepoint:syscalls:sys_exit_read /pid >= 5845/ { @bytes = hist(args->ret); }'Lesson 6. Kernel Dynamic Tracing of read() Bytes
sudo bpftrace -e 'kretprobe:vfs_read { @bytes = lhist(retval, 0, 2000, 200); }'
sudo bpftrace -e 'kprobe:i915_gem_create_ioctl { printf("[%s-%d]\n", comm, pid); }'Lesson 12. Kernel Struct Tracing
sudo bpftrace path.btsudo bpftrace -e 'kprobe:vfs_read { @start[tid] = nsecs; } kretprobe:vfs_read /@start[tid]/ { @ns[comm] = hist(nsecs - @start[tid]); delete(@start[tid]); }'
sudo bpftrace -e 'kprobe:i915_gem_create_ioctl { printf("[%s-%d]\n", comm, pid); }'
bpftrace permission denied issue
try running snap connect bpftrace:system-trace to enable bpftrace to access system tracing (see http://smackerelofopinion.blogspot.com/2018/11/high-level-tracing-with-bpftrace.html)
reference
One-Liner Tutorial https://github.com/iovisor/bpftrace/blob/master/docs/tutorial_one_liners.md