[FEATURE] Merge the BPF_TYPE_UPROBE_OVERRIDE and BPF_TYPE_UPROBE

eunomia-bpf / bpftime

Userspace eBPF runtime for Observability, Network & General Extensions Framework

https://eunomia.dev/bpftime/

MIT License

801 stars 75 forks source link

[FEATURE] Merge the BPF_TYPE_UPROBE_OVERRIDE and BPF_TYPE_UPROBE #118

Open yunwei37 opened 10 months ago

yunwei37 commented 10 months ago

Is your feature request related to a problem? Please describe.

currently we have types for BPF_TYPE_UPROBE_OVERRIDE and BPF_TYPE_UPROBE, implemented with different mechanism. I think there is no need to keep them both. We can just make the uprobe able to use bpf_override_return.

Describe the solution you'd like

remove BPF_TYPE_UPROBE_OVERRIDE and make BPF_TYPE_UPROBE using frida replace.

Describe alternatives you've considered

Is it better not to change them? I'm not sure.

Officeyutong commented 9 months ago

Benchmark the performance and decide whether to merge them

Officeyutong commented 9 months ago

According to my test using https://github.com/Officeyutong/bpftime/blob/benchmark-118/runtime/benchmark.cpp

The benchmarked function is as followed:

extern "C" __attribute__((optnone)) uint64_t uprobe_test_func(uint64_t a,
                                  uint64_t b)
{
    return a + b;
}

Run without any probing: 5ns per call
Run with uprobe (gum invocation listener): 310ns per call
Run with uprobe override (gum_interceptor_replace): 447ns per call

All results are averaged with 1e8 calls

So uprobe override is 44% slower than uprobe, we may not merge them

yunwei37 commented 9 months ago

I'm curious, why is the BPF_TYPE_UPROBE_OVERRIDE so slow?