newer kernels with BPF_FUNC_get_func_ip can get a correct value with bpf_get_func_ip, but for older kernels we look directly at the hardware ip reg and it appears to only be off by one on x86 architectures.
Make the - 1 we use to find function pointers architecture dependent to fix non-x86 runs.
Tested by forcing has_bpf_get_func_ip to false.
Fixes: #32
Took me a bit more than a week, sorry for the delay.
We don't seem to have any arch-specific code in retsnoop itself (most of it is in libbpf/src/bpf_tracing.h, which is part of libbpf), so I wasn't sure what to use, but PT_REGS_IP is actually defined in bpf_tracing.h, so we can use the defines set there. If you can think of something better, happy to adjust anything.
I've tested on x86_64 with a newer kernel by manually adjusting the toggle, and on older aarch64.