iovisor / bcc

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Apache License 2.0

ucalls -S option does not work with newer kernels #2052

Open wcohen opened 5 years ago

wcohen commented 5 years ago

When experimenting with ucalls I discovered the -S (--syscalls) option does not work with newer Linux kernels. The code has a regular expression to find the functions to instrument:

syscallregex = "^[Ss]y[Ss].*"

This is not going to match the syscall function names for newer kernels. Wouldn't it be more efficient to implement the syscall instrumentation using the raw_syscalls:sys_enter and raw_syscalls:sys_exit tracepoints and map the syscall number like syscount.py does?

yonghong-song commented 5 years ago

Here, we try to attach to ALL syscalls, so I agree that maybe just using raw_syscalls tracepoint is a good idea. Do you want to give a try and submit a pull request?

With the current implementation, you can get the syscall prefix with BPF method get_syscall_prefix and then form the regex properly.
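The two points raised above (the hard-coded `^[Ss]y[Ss].*` regex missing the newer symbol names, and forming the regex from the kernel's syscall prefix or moving to the raw_syscalls tracepoints) as an added, self-contained example. This is not code from bcc, ucalls.py or either commenter: the kallsyms-style symbol lists and the syscall-number table are constructed for the example, the prefix is passed in by the caller where a real tool would get it from `BPF.get_syscall_prefix()`, and the BPF program text is only a sketch of the tracepoint variant and is not attached here, so the example runs without bcc or root.

```python
import re
from collections import Counter

# Constructed kallsyms-style function names, modelled on the naming change
# this issue is about: older x86-64 kernels exported syscalls as sys_*/SyS_*,
# kernels from 4.17 on use __x64_sys_*. Not dumped from a real kernel.
OLD_KERNEL_SYMBOLS = [
    "sys_read", "sys_write", "SyS_openat", "sys_close",
    "sysfs_create_file",   # not a syscall, but still matches ^[Ss]y[Ss]
    "do_sys_open",         # helper; does not start with sys_
]
NEW_KERNEL_SYMBOLS = [
    "__x64_sys_read", "__x64_sys_write", "__x64_sys_openat", "__x64_sys_close",
    "__ia32_sys_read",     # 32-bit compat entry point, different prefix
    "ksys_read",           # in-kernel helper, not a syscall entry point
    "sysfs_create_file",
]

# The regex ucalls.py uses today (quoted from the issue).
UCALLS_REGEX = "^[Ss]y[Ss].*"


def match_symbols(symbols, regex):
    """Return the symbols a regex-driven attach loop would try to kprobe."""
    pattern = re.compile(regex)
    return [s for s in symbols if pattern.match(s)]


def syscall_regex_for_prefix(prefix):
    """Build the per-kernel regex from the syscall prefix.

    On a live system the prefix comes from bcc's BPF.get_syscall_prefix()
    (bytes such as b"sys_" or b"__x64_sys_"); the caller supplies it here.
    """
    if isinstance(prefix, bytes):
        prefix = prefix.decode()
    return "^" + re.escape(prefix) + ".*"


# Sketch of the alternative raised in the issue: a single raw_syscalls
# tracepoint instead of hundreds of kprobes. The BPF side only sees the
# syscall number (args->id); user space maps that number to a name.
TRACEPOINT_BPF_TEXT = r"""
BPF_HASH(counts, u32, u64);

TRACEPOINT_PROBE(raw_syscalls, sys_enter) {
    u32 id = args->id;
    u64 zero = 0, *val;
    val = counts.lookup_or_try_init(&id, &zero);
    if (val) {
        (*val)++;
    }
    return 0;
}
"""

# Constructed subset of the x86-64 syscall number table (bcc ships the full
# table in bcc.syscall); enough for the example to resolve names.
X86_64_SYSCALL_NAMES = {0: "read", 1: "write", 3: "close", 257: "openat"}


def count_syscalls(events, names=X86_64_SYSCALL_NAMES):
    """Aggregate sys_enter events [(pid, syscall_id), ...] into {name: count}."""
    counts = Counter()
    for _pid, sysid in events:
        counts[names.get(sysid, "[unknown: %d]" % sysid)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("old kernel, ucalls regex :", match_symbols(OLD_KERNEL_SYMBOLS, UCALLS_REGEX))
    print("new kernel, ucalls regex :", match_symbols(NEW_KERNEL_SYMBOLS, UCALLS_REGEX))
    prefixed = syscall_regex_for_prefix(b"__x64_sys_")
    print("new kernel, prefix regex :", match_symbols(NEW_KERNEL_SYMBOLS, prefixed))
    # Constructed (pid, syscall id) events, as a sys_enter consumer would see them.
    print("tracepoint aggregation   :", count_syscalls([(1, 0), (1, 0), (2, 257), (2, 999)]))
```

On the constructed new-kernel list the old regex matches only the unrelated `sysfs_create_file`, which is the failure reported in the issue, while the prefix-built regex selects exactly the `__x64_sys_*` entry points; note that it still does not cover the `__ia32_sys_*` compat entries, which is one reason the tracepoint route is attractive, since raw_syscalls:sys_enter fires for every syscall regardless of entry point.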

wcohen commented 5 years ago

Hi, I tried the suggestion of using get_syscall_prefix() for the syscall_regex and it does attach probes in various places and the output does contain information for the various syscalls. However, I noticed that there were some complaints about invalid arguments:

$ sudo /usr/share/bcc/tools/lib/ucalls -SL $(pgrep dnf)
cannot attach kprobe, Invalid argument
cannot attach kprobe, Invalid argument
cannot attach kprobe, Invalid argument
cannot attach kprobe, Invalid argument
cannot attach kprobe, Invalid argument
cannot attach kprobe, Invalid argument
cannot attach kprobe, Invalid argument
cannot attach kprobe, Invalid argument
Attached 764 kernel probes for syscall tracing.

I noticed that the developer tutorial (https://github.com/iovisor/bcc/blob/master/docs/tutorial_bcc_python_developer.md) suffers from the same problem of using the raw sys_* name rather than the prefix and is not going to work with the newer kernels.

I will take a look at using the raw_syscall entry/exit later this week.

wcohen commented 5 years ago

I have two patches on https://github.com/wcohen/bcc/tree/wcohen/efficiency that convert ucalls.py to use the tracepoints in place of the multitudes of kprobes/kretprobes. Should I request a pull from the branch on GitHub?

yonghong-song commented 5 years ago

@wcohen please do send out a pull request.