BPF runtime for systemtap

BPF runtime for systemtap

[Richard Henderson]

I'm pleased to be able to announce an initial implementation of an (e)bpf 
backend for systemtap.  For the subset of systemtap probes that can use 
kprobes, we can use a bpf filter instead of loading a kernel module.

As this implementation is young, there are a number of limitations.  Neither 
string nor stats types are supported.  Both require enhancements to the set of 
builtin functions supported in kernel.  The stap bpf loader still needs 
improvement with respect to its use of the event subsystem.

We're using the same intermediate file format that is supported by the llvm bpf 
backend.  I have some improvements to submit for the llvm bpf backend as well.

The code can be reviewed at

   git://sourceware.org/git/systemtap.git rth/bpf


r~

Re: BPF runtime for systemtap

[Brendan Gregg]

On Tue, Jun 14, 2016 at 1:06 PM, Richard Henderson <rth@redhat.com> wrote:
> I'm pleased to be able to announce an initial implementation of an (e)bpf
> backend for systemtap.  For the subset of systemtap probes that can use
> kprobes, we can use a bpf filter instead of loading a kernel module.
>
> As this implementation is young, there are a number of limitations.  Neither
> string nor stats types are supported.  Both require enhancements to the set
> of builtin functions supported in kernel.  The stap bpf loader still needs
> improvement with respect to its use of the event subsystem.
>
> We're using the same intermediate file format that is supported by the llvm
> bpf backend.  I have some improvements to submit for the llvm bpf backend as
> well.
>
> The code can be reviewed at
>
>   git://sourceware.org/git/systemtap.git rth/bpf

Great! Is there a hello world example in there somewhere? I found this:

# ./stapbpf/stapbpf -h
Usage: ./stapbpf/stapbpf [-v][-w][-V][-h] [-o FILE] <bpf-file>
  -h, --help       Show this help text
  -v, --verbose    Increase verbosity
  -V, --version    Show version
  -w               Suppress warnings
  -o FILE          Send output to FILE

But I didn't see an explicit BPF example or bpf-file. Is it implicit?
Should I be able to run a stap one-liner with some -v's and see it
switches to using BPF, if I restrain myself to what's supported so
far? Eg, since you mentioned kprobes, how about?:

stap -ve 'probe kprobe.function("vfs_fsync") { println(pointer_arg(2)) }'

Brendan

Re: BPF runtime for systemtap

[Frank Ch. Eigler]

brendan.d.gregg wrote:

> [...]
> Great! Is there a hello world example in there somewhere? I found this:
> [...]

Yup.  Here is a smoke test.  (A great many other things are not yet
working.)

% sudo ./stap  -v  --runtime=bpf -e 'global foo
    probe kprobe.function("vfs_read"), kprobe.function("do_select") { foo++ } 
    probe begin { printf("systemtap starting probe\n") }
    probe end { printf("systemtap ending probe\n"); printf("foo = %d\n", foo) }'

Pass 1: parsed user script and 35 library scripts using 198460virt/15804res/6416shr/9208data kb, in 0usr/0sys/71real ms.
Pass 2: analyzed script: 4 probes, 0 functions, 0 embeds, 1 global using 198460virt/15804res/6416shr/9208data kb, in 0usr/0sys/0real ms.
Pass 4: compiled BPF into "stap_32349.bo" in 0usr/0sys/0real ms.
Pass 5: starting run.
systemtap starting probe
^Csystemtap ending probe
foo = 108812
Pass 5: run completed in 0usr/10sys/2525real ms.