tricorder-observability / Starship

Starship: next-generation Observability platform built with eBPF+WASM
GNU Affero General Public License v3.0

eBPF: Mysterious null chars in ebpf probe output #21

Open nascentcore-eng opened 1 year ago

nascentcore-eng commented 1 year ago
```go
const bccProgram string = `
#include <linux/ptrace.h>
BPF_PERF_OUTPUT(events);
int sample_probe(struct pt_regs* ctx, int fd, char* buf, size_t count) {
  const char word[] = "{\"name\":\"John\", \"age\":30, \"car\":null}";
  events.perf_submit(ctx, (void*)word, sizeof(word));
  return 0;
}
`
```

This perf event attached to eBPF would produce trailing null chars. The size should be 38, but actually it's 44, with 6 extra \0 chars.

See src/agent/driver/module_test.go for the actual code.

oojimmy commented 1 year ago

I have added one log line to https://github.com/tricorder-observability/starship-private/blob/main/src/agent/driver/module.go#L92

Some weird string has appeared.

So I think this is not only padding \x00, but also possible that any character
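
The 38-versus-44 gap reported above is consistent with the kernel rounding each perf raw sample (its 4-byte size field plus the payload) up to a multiple of 8 bytes; that explanation is an assumption here, not something the thread confirms. The Go code below is an added example, not code from the Starship repository: it assumes a hypothetical event layout with an explicit length header, so the reader never interprets bytes past the declared payload, whatever they contain. The names `paddedRawSize`, `decodeEvent` and `buildSample` are illustrative, and the sample bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// paddedRawSize: bytes a perf reader receives for an n-byte perf_submit,
// assuming the kernel rounds (u32 size field + payload) up to 8 bytes.
func paddedRawSize(n int) int { return (n+4+7)/8*8 - 4 }

// decodeEvent parses the hypothetical layout {u32 len; char data[]} and
// returns exactly len bytes; anything after them is treated as padding.
func decodeEvent(raw []byte) ([]byte, error) {
	if len(raw) < 4 {
		return nil, errors.New("sample shorter than length header")
	}
	n := binary.LittleEndian.Uint32(raw[:4]) // assumes a little-endian host
	if uint64(n) > uint64(len(raw)-4) {
		return nil, errors.New("declared length exceeds sample")
	}
	return raw[4 : 4+int(n)], nil
}

// buildSample constructs what the reader would see: header, payload, NUL,
// then non-zero filler standing in for arbitrary padding bytes.
func buildSample(payload string) []byte {
	body := 4 + len(payload) + 1
	raw := make([]byte, paddedRawSize(body))
	for i := range raw {
		raw[i] = 0xAA
	}
	binary.LittleEndian.PutUint32(raw, uint32(len(payload)))
	copy(raw[4:], payload)
	raw[4+len(payload)] = 0
	return raw
}

func main() {
	const word = `{"name":"John", "age":30, "car":null}`
	fmt.Println(paddedRawSize(len(word) + 1)) // sizeof(word) in the C probe
	got, err := decodeEvent(buildSample(word))
	fmt.Printf("%q %v\n", got, err)
}
```
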