runtime: implement userspace USDT

eunomia-bpf / bpftime

Userspace eBPF runtime for fast Uprobe & Syscall hook & Extensions

https://eunomia.dev/bpftime/

MIT License

744 stars 73 forks source link

runtime: implement userspace USDT #139

Closed Officeyutong closed 7 months ago

Officeyutong commented 7 months ago

Closes #135

On x86_64, a usdt tracepoint was corresponded to a nop instruction in the code. So we may hook this instruction to implement userspace USDT I've tested with GumInvocationListener of frida gum, it works well when attached to the address of the nop instruction.

So things we need to add USDT support are:

logic to parse ELF and extract USDT definitions

Other logics would be similar to uprobe, and can even be reused

Officeyutong commented 7 months ago

According to libbpf's description to usdt https://github.com/libbpf/libbpf/blob/f81eef23b33c0dbf923e863a72ce51ea4d32e291/src/usdt.c#L24

The implementation of attach type usdt is just plain uprobes, attached to the specified nop instruction. libbpf handles all other things, including parse ELF and figure out tracepoints, resolving tracepoint arguments in the ebpf side, and so on, through two internal maps (bpf_usdt_specs and bpf_usdt_ip_to_spec_id, where the latter is only needed if bpf cookie is not supported)

So the thing we need to do is

Implement bpf cookie
Test directly with usdt programs, and check if it can work. If it can't work, just fix bugs. We should have already supported USDT

caizixian commented 7 months ago

This looks great! Thanks!

Would you mind also checking whether this works with bpftrace (I remember seeing somewhere that you can use bpftrace with bpftime as the runtime)?

Officeyutong commented 7 months ago

This looks great! Thanks!

Would you mind also checking whether this works with bpftrace (I remember seeing somewhere that you can use bpftrace with bpftime as the runtime)?

Ok, I'll also check it

Officeyutong commented 7 months ago

USDT is almost working now. Bpftrace is pending for testing

yunwei37 commented 7 months ago

Maybe we can get this PR merged first if the libbpf example in example/usdt_minimal/README.md is working?

After that, we can:

check and fix bpftrace
update documents.

Officeyutong commented 7 months ago

Maybe we can get this PR merged first if the libbpf example in example/usdt_minimal/README.md is working?

After that, we can:

check and fix bpftrace

update documents.

It's OK to merge now