Take name of called function in eBPF











up vote
0
down vote

favorite












I'd like to trace functions of the particular PID and collect some stats (total calls, total times, etc.), and it's not completely clear for me how to create BPF_HASH with pairs of funcname+my_struct.



Is there any way to obtain names of called functions in BPF program?



I suppose I should read IP register using "PT_REGS_IP(ctx)" but I don't completely understand how translate the value to human-readable string.



At the moment BPF program looks in the following way:



#include <uapi/linux/ptrace.h>

#include <linux/sched.h>



struct data_t {

    u32 pid;

    u64 delta;

    u64 start;

} __attribute__((packed));



BPF_HASH(faddr, u64, struct data_t);

BPF_PERF_OUTPUT(events);



int do_entry(struct pt_regs *ctx) {

    struct data_t *data;

    data->start = bpf_ktime_get_ns();

    u64 ip = PT_REGS_IP(ctx);

    faddr.update(&ip, data);



    return 0;

}



int do_return(struct pt_regs *ctx) {

    struct data_t *data;

    u64 ip = PT_REGS_IP(ctx);

    data = faddr.lookup(&ip);



    if (data->start == 0)

        return 0;       // missed start



    data->delta = bpf_ktime_get_ns() - data->start;

    data->pid = bpf_get_current_pid_tgid();



    events.perf_submit(ctx, &data, sizeof(data));

    faddr.delete(&ip);



    return 0;

}


But at startup I got:



error: <unknown>:0:0: in function do_entry i32 (%struct.pt_regs*): A call to built-in function 'abort' is not supported.





trace bpf







share|improve this question






















  • Could you please provide the commands you use to compile, then load and attach your program as well?
    – Qeole
    Nov 19 at 17:26










  • Sorry for incompleteness. The full code examples can be found in my previous question, there example of traced C program and example of main Go program. C program should be compiled with debug symbols (gcc -g), go program compiled with defaults (go build)
    – lesovsky
    Nov 20 at 5:20








  • 1




    It's best if you can provide a minimal, reproducible example program in each question, even if that means having some duplicate content between questions. The userspace code is necessary to run your BPF program and someone who wants to reproduce may not have read your previous question.
    – pchaigno
    Nov 20 at 16:11










  • ok, will do in next questions.
    – lesovsky
    Nov 21 at 5:25















up vote
0
down vote

favorite












I'd like to trace functions of the particular PID and collect some stats (total calls, total times, etc.), and it's not completely clear for me how to create BPF_HASH with pairs of funcname+my_struct.



Is there any way to obtain names of called functions in BPF program?



I suppose I should read IP register using "PT_REGS_IP(ctx)" but I don't completely understand how translate the value to human-readable string.



At the moment BPF program looks in the following way:



#include <uapi/linux/ptrace.h>

#include <linux/sched.h>



struct data_t {

    u32 pid;

    u64 delta;

    u64 start;

} __attribute__((packed));



BPF_HASH(faddr, u64, struct data_t);

BPF_PERF_OUTPUT(events);



int do_entry(struct pt_regs *ctx) {

    struct data_t *data;

    data->start = bpf_ktime_get_ns();

    u64 ip = PT_REGS_IP(ctx);

    faddr.update(&ip, data);



    return 0;

}



int do_return(struct pt_regs *ctx) {

    struct data_t *data;

    u64 ip = PT_REGS_IP(ctx);

    data = faddr.lookup(&ip);



    if (data->start == 0)

        return 0;       // missed start



    data->delta = bpf_ktime_get_ns() - data->start;

    data->pid = bpf_get_current_pid_tgid();



    events.perf_submit(ctx, &data, sizeof(data));

    faddr.delete(&ip);



    return 0;

}


But at startup I got:



error: <unknown>:0:0: in function do_entry i32 (%struct.pt_regs*): A call to built-in function 'abort' is not supported.





trace bpf







share|improve this question






















  • Could you please provide the commands you use to compile, then load and attach your program as well?
    – Qeole
    Nov 19 at 17:26










  • Sorry for incompleteness. The full code examples can be found in my previous question, there example of traced C program and example of main Go program. C program should be compiled with debug symbols (gcc -g), go program compiled with defaults (go build)
    – lesovsky
    Nov 20 at 5:20








  • 1




    It's best if you can provide a minimal, reproducible example program in each question, even if that means having some duplicate content between questions. The userspace code is necessary to run your BPF program and someone who wants to reproduce may not have read your previous question.
    – pchaigno
    Nov 20 at 16:11










  • ok, will do in next questions.
    – lesovsky
    Nov 21 at 5:25













up vote
0
down vote

favorite









up vote
0
down vote

favorite











I'd like to trace functions of the particular PID and collect some stats (total calls, total times, etc.), and it's not completely clear for me how to create BPF_HASH with pairs of funcname+my_struct.



Is there any way to obtain names of called functions in BPF program?



I suppose I should read IP register using "PT_REGS_IP(ctx)" but I don't completely understand how translate the value to human-readable string.



At the moment BPF program looks in the following way:



#include <uapi/linux/ptrace.h>

#include <linux/sched.h>



struct data_t {

    u32 pid;

    u64 delta;

    u64 start;

} __attribute__((packed));



BPF_HASH(faddr, u64, struct data_t);

BPF_PERF_OUTPUT(events);



int do_entry(struct pt_regs *ctx) {

    struct data_t *data;

    data->start = bpf_ktime_get_ns();

    u64 ip = PT_REGS_IP(ctx);

    faddr.update(&ip, data);



    return 0;

}



int do_return(struct pt_regs *ctx) {

    struct data_t *data;

    u64 ip = PT_REGS_IP(ctx);

    data = faddr.lookup(&ip);



    if (data->start == 0)

        return 0;       // missed start



    data->delta = bpf_ktime_get_ns() - data->start;

    data->pid = bpf_get_current_pid_tgid();



    events.perf_submit(ctx, &data, sizeof(data));

    faddr.delete(&ip);



    return 0;

}


But at startup I got:



error: <unknown>:0:0: in function do_entry i32 (%struct.pt_regs*): A call to built-in function 'abort' is not supported.





trace bpf







share|improve this question













I'd like to trace functions of the particular PID and collect some stats (total calls, total times, etc.), and it's not completely clear for me how to create BPF_HASH with pairs of funcname+my_struct.



Is there any way to obtain names of called functions in BPF program?



I suppose I should read IP register using "PT_REGS_IP(ctx)" but I don't completely understand how translate the value to human-readable string.



At the moment BPF program looks in the following way:



#include <uapi/linux/ptrace.h>

#include <linux/sched.h>



struct data_t {

    u32 pid;

    u64 delta;

    u64 start;

} __attribute__((packed));



BPF_HASH(faddr, u64, struct data_t);

BPF_PERF_OUTPUT(events);



int do_entry(struct pt_regs *ctx) {

    struct data_t *data;

    data->start = bpf_ktime_get_ns();

    u64 ip = PT_REGS_IP(ctx);

    faddr.update(&ip, data);



    return 0;

}



int do_return(struct pt_regs *ctx) {

    struct data_t *data;

    u64 ip = PT_REGS_IP(ctx);

    data = faddr.lookup(&ip);



    if (data->start == 0)

        return 0;       // missed start



    data->delta = bpf_ktime_get_ns() - data->start;

    data->pid = bpf_get_current_pid_tgid();



    events.perf_submit(ctx, &data, sizeof(data));

    faddr.delete(&ip);



    return 0;

}


But at startup I got:



error: <unknown>:0:0: in function do_entry i32 (%struct.pt_regs*): A call to built-in function 'abort' is not supported.





trace bpf




trace bpf






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 19 at 11:43









lesovsky

276




276












  • Could you please provide the commands you use to compile, then load and attach your program as well?
    – Qeole
    Nov 19 at 17:26










  • Sorry for incompleteness. The full code examples can be found in my previous question, there example of traced C program and example of main Go program. C program should be compiled with debug symbols (gcc -g), go program compiled with defaults (go build)
    – lesovsky
    Nov 20 at 5:20








  • 1




    It's best if you can provide a minimal, reproducible example program in each question, even if that means having some duplicate content between questions. The userspace code is necessary to run your BPF program and someone who wants to reproduce may not have read your previous question.
    – pchaigno
    Nov 20 at 16:11










  • ok, will do in next questions.
    – lesovsky
    Nov 21 at 5:25


















  • Could you please provide the commands you use to compile, then load and attach your program as well?
    – Qeole
    Nov 19 at 17:26










  • Sorry for incompleteness. The full code examples can be found in my previous question, there example of traced C program and example of main Go program. C program should be compiled with debug symbols (gcc -g), go program compiled with defaults (go build)
    – lesovsky
    Nov 20 at 5:20








  • 1




    It's best if you can provide a minimal, reproducible example program in each question, even if that means having some duplicate content between questions. The userspace code is necessary to run your BPF program and someone who wants to reproduce may not have read your previous question.
    – pchaigno
    Nov 20 at 16:11










  • ok, will do in next questions.
    – lesovsky
    Nov 21 at 5:25
















Could you please provide the commands you use to compile, then load and attach your program as well?
– Qeole
Nov 19 at 17:26




Could you please provide the commands you use to compile, then load and attach your program as well?
– Qeole
Nov 19 at 17:26












Sorry for incompleteness. The full code examples can be found in my previous question, there example of traced C program and example of main Go program. C program should be compiled with debug symbols (gcc -g), go program compiled with defaults (go build)
– lesovsky
Nov 20 at 5:20






Sorry for incompleteness. The full code examples can be found in my previous question, there example of traced C program and example of main Go program. C program should be compiled with debug symbols (gcc -g), go program compiled with defaults (go build)
– lesovsky
Nov 20 at 5:20






1




1




It's best if you can provide a minimal, reproducible example program in each question, even if that means having some duplicate content between questions. The userspace code is necessary to run your BPF program and someone who wants to reproduce may not have read your previous question.
– pchaigno
Nov 20 at 16:11




It's best if you can provide a minimal, reproducible example program in each question, even if that means having some duplicate content between questions. The userspace code is necessary to run your BPF program and someone who wants to reproduce may not have read your previous question.
– pchaigno
Nov 20 at 16:11












ok, will do in next questions.
– lesovsky
Nov 21 at 5:25




ok, will do in next questions.
– lesovsky
Nov 21 at 5:25












1 Answer
1






active

oldest

votes

















up vote
2
down vote













You have an error in your do_entry function. You're trying to dereference a null pointer:



struct data_t *data;

data->start = bpf_ktime_get_ns();


The following should work better:



int do_entry(struct pt_regs *ctx) {

    struct data_t data = {}; // initializes data with zeros.

    data.start = bpf_ktime_get_ns();

    u64 ip = PT_REGS_IP(ctx);

    faddr.update(&ip, &data);

    return 0;

}


I don't understand why the error message mentions abort though. I'll ask around.




How to translate memory addresses to function names will depend on the userspace library you're using. If you're using bcc, there's a ksym method you can use. I don't know if there's an equivalent in gobpf.




You have at least one other error, in do_return:



data = faddr.lookup(&ip);

if (data->start == 0)

    return 0;       // missed start


You will need to check data is not null before dereferencing it. Otherwise, the verifier will reject your program.



data = faddr.lookup(&ip);

if (!data || data->start == 0)

    return 0;       // missed start





share|improve this answer





















  • I've replaced pointer to variable and fix mistake in do_return(), but got something strange that I haven't seen before: $ go build timings.go $ sudo ./timings bpf: Failed to load program: Permission denied 0: (bf) r6 = r1 1: (79) r1 = *(u64 *)(r6 +128) 2: (7b) *(u64 *)(r10 -16) = r1 3: (18) r1 = 0xffff8fcad7999800 ... a lot of similar messages here ... 96: (b7) r5 = 8 97: (85) call bpf_perf_event_output#25 invalid indirect read from stack off -8+0 size 8 Failed to load do_return: error loading BPF program: permission denied
    – lesovsky
    Nov 20 at 5:19












  • error affected by ameba_events.perf_submit(ctx, &data, sizeof(data));
    – lesovsky
    Nov 20 at 5:31










  • changing it to ameba_events.perf_submit(ctx, data, sizeof(data)); fixes it.
    – lesovsky
    Nov 20 at 5:38










  • anyway, reading through PT_REGS_IP(ctx) in do_entry and do_return, returns different values and I can't use these values as key in BPF_HASH. Maybe is it possible to translate address into a function name inside the BPF program and use string as hash key?
    – lesovsky
    Nov 20 at 6:06








  • 1




    I'm not sure I see the issue with having several functions to trace. As long as you're sure the do_return is called right after the do_entry, you can retrieve the IP value from the map without errors. Maybe we can discuss this with examples in a chat (IRC?) or in another SO question?
    – pchaigno
    Nov 21 at 9:17











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53373927%2ftake-name-of-called-function-in-ebpf%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote













You have an error in your do_entry function. You're trying to dereference a null pointer:



struct data_t *data;

data->start = bpf_ktime_get_ns();


The following should work better:



int do_entry(struct pt_regs *ctx) {

    struct data_t data = {}; // initializes data with zeros.

    data.start = bpf_ktime_get_ns();

    u64 ip = PT_REGS_IP(ctx);

    faddr.update(&ip, &data);

    return 0;

}


I don't understand why the error message mentions abort though. I'll ask around.




How to translate memory addresses to function names will depend on the userspace library you're using. If you're using bcc, there's a ksym method you can use. I don't know if there's an equivalent in gobpf.




You have at least one other error, in do_return:



data = faddr.lookup(&ip);

if (data->start == 0)

    return 0;       // missed start


You will need to check data is not null before dereferencing it. Otherwise, the verifier will reject your program.



data = faddr.lookup(&ip);

if (!data || data->start == 0)

    return 0;       // missed start





share|improve this answer





















  • I've replaced pointer to variable and fix mistake in do_return(), but got something strange that I haven't seen before: $ go build timings.go $ sudo ./timings bpf: Failed to load program: Permission denied 0: (bf) r6 = r1 1: (79) r1 = *(u64 *)(r6 +128) 2: (7b) *(u64 *)(r10 -16) = r1 3: (18) r1 = 0xffff8fcad7999800 ... a lot of similar messages here ... 96: (b7) r5 = 8 97: (85) call bpf_perf_event_output#25 invalid indirect read from stack off -8+0 size 8 Failed to load do_return: error loading BPF program: permission denied
    – lesovsky
    Nov 20 at 5:19












  • error affected by ameba_events.perf_submit(ctx, &data, sizeof(data));
    – lesovsky
    Nov 20 at 5:31










  • changing it to ameba_events.perf_submit(ctx, data, sizeof(data)); fixes it.
    – lesovsky
    Nov 20 at 5:38










  • anyway, reading through PT_REGS_IP(ctx) in do_entry and do_return, returns different values and I can't use these values as key in BPF_HASH. Maybe is it possible to translate address into a function name inside the BPF program and use string as hash key?
    – lesovsky
    Nov 20 at 6:06








  • 1




    I'm not sure I see the issue with having several functions to trace. As long as you're sure the do_return is called right after the do_entry, you can retrieve the IP value from the map without errors. Maybe we can discuss this with examples in a chat (IRC?) or in another SO question?
    – pchaigno
    Nov 21 at 9:17















up vote
2
down vote













You have an error in your do_entry function. You're trying to dereference a null pointer:



struct data_t *data;

data->start = bpf_ktime_get_ns();


The following should work better:



int do_entry(struct pt_regs *ctx) {

    struct data_t data = {}; // initializes data with zeros.

    data.start = bpf_ktime_get_ns();

    u64 ip = PT_REGS_IP(ctx);

    faddr.update(&ip, &data);

    return 0;

}


I don't understand why the error message mentions abort though. I'll ask around.




How to translate memory addresses to function names will depend on the userspace library you're using. If you're using bcc, there's a ksym method you can use. I don't know if there's an equivalent in gobpf.




You have at least one other error, in do_return:



data = faddr.lookup(&ip);

if (data->start == 0)

    return 0;       // missed start


You will need to check data is not null before dereferencing it. Otherwise, the verifier will reject your program.



data = faddr.lookup(&ip);

if (!data || data->start == 0)

    return 0;       // missed start





share|improve this answer





















  • I've replaced pointer to variable and fix mistake in do_return(), but got something strange that I haven't seen before: $ go build timings.go $ sudo ./timings bpf: Failed to load program: Permission denied 0: (bf) r6 = r1 1: (79) r1 = *(u64 *)(r6 +128) 2: (7b) *(u64 *)(r10 -16) = r1 3: (18) r1 = 0xffff8fcad7999800 ... a lot of similar messages here ... 96: (b7) r5 = 8 97: (85) call bpf_perf_event_output#25 invalid indirect read from stack off -8+0 size 8 Failed to load do_return: error loading BPF program: permission denied
    – lesovsky
    Nov 20 at 5:19












  • error affected by ameba_events.perf_submit(ctx, &data, sizeof(data));
    – lesovsky
    Nov 20 at 5:31










  • changing it to ameba_events.perf_submit(ctx, data, sizeof(data)); fixes it.
    – lesovsky
    Nov 20 at 5:38










  • anyway, reading through PT_REGS_IP(ctx) in do_entry and do_return, returns different values and I can't use these values as key in BPF_HASH. Maybe is it possible to translate address into a function name inside the BPF program and use string as hash key?
    – lesovsky
    Nov 20 at 6:06








  • 1




    I'm not sure I see the issue with having several functions to trace. As long as you're sure the do_return is called right after the do_entry, you can retrieve the IP value from the map without errors. Maybe we can discuss this with examples in a chat (IRC?) or in another SO question?
    – pchaigno
    Nov 21 at 9:17













up vote
2
down vote










up vote
2
down vote









You have an error in your do_entry function. You're trying to dereference a null pointer:



struct data_t *data;

data->start = bpf_ktime_get_ns();


The following should work better:



int do_entry(struct pt_regs *ctx) {

    struct data_t data = {}; // initializes data with zeros.

    data.start = bpf_ktime_get_ns();

    u64 ip = PT_REGS_IP(ctx);

    faddr.update(&ip, &data);

    return 0;

}


I don't understand why the error message mentions abort though. I'll ask around.




How to translate memory addresses to function names will depend on the userspace library you're using. If you're using bcc, there's a ksym method you can use. I don't know if there's an equivalent in gobpf.




You have at least one other error, in do_return:



data = faddr.lookup(&ip);

if (data->start == 0)

    return 0;       // missed start


You will need to check data is not null before dereferencing it. Otherwise, the verifier will reject your program.



data = faddr.lookup(&ip);

if (!data || data->start == 0)

    return 0;       // missed start





share|improve this answer












You have an error in your do_entry function. You're trying to dereference a null pointer:



struct data_t *data;

data->start = bpf_ktime_get_ns();


The following should work better:



int do_entry(struct pt_regs *ctx) {

    struct data_t data = {}; // initializes data with zeros.

    data.start = bpf_ktime_get_ns();

    u64 ip = PT_REGS_IP(ctx);

    faddr.update(&ip, &data);

    return 0;

}


I don't understand why the error message mentions abort though. I'll ask around.




How to translate memory addresses to function names will depend on the userspace library you're using. If you're using bcc, there's a ksym method you can use. I don't know if there's an equivalent in gobpf.




You have at least one other error, in do_return:



data = faddr.lookup(&ip);

if (data->start == 0)

    return 0;       // missed start


You will need to check data is not null before dereferencing it. Otherwise, the verifier will reject your program.



data = faddr.lookup(&ip);

if (!data || data->start == 0)

    return 0;       // missed start






share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 19 at 21:45









pchaigno

3,4501926




3,4501926












  • I've replaced pointer to variable and fix mistake in do_return(), but got something strange that I haven't seen before: $ go build timings.go $ sudo ./timings bpf: Failed to load program: Permission denied 0: (bf) r6 = r1 1: (79) r1 = *(u64 *)(r6 +128) 2: (7b) *(u64 *)(r10 -16) = r1 3: (18) r1 = 0xffff8fcad7999800 ... a lot of similar messages here ... 96: (b7) r5 = 8 97: (85) call bpf_perf_event_output#25 invalid indirect read from stack off -8+0 size 8 Failed to load do_return: error loading BPF program: permission denied
    – lesovsky
    Nov 20 at 5:19












  • error affected by ameba_events.perf_submit(ctx, &data, sizeof(data));
    – lesovsky
    Nov 20 at 5:31










  • changing it to ameba_events.perf_submit(ctx, data, sizeof(data)); fixes it.
    – lesovsky
    Nov 20 at 5:38










  • anyway, reading through PT_REGS_IP(ctx) in do_entry and do_return, returns different values and I can't use these values as key in BPF_HASH. Maybe is it possible to translate address into a function name inside the BPF program and use string as hash key?
    – lesovsky
    Nov 20 at 6:06








  • 1




    I'm not sure I see the issue with having several functions to trace. As long as you're sure the do_return is called right after the do_entry, you can retrieve the IP value from the map without errors. Maybe we can discuss this with examples in a chat (IRC?) or in another SO question?
    – pchaigno
    Nov 21 at 9:17


















  • I've replaced pointer to variable and fix mistake in do_return(), but got something strange that I haven't seen before: $ go build timings.go $ sudo ./timings bpf: Failed to load program: Permission denied 0: (bf) r6 = r1 1: (79) r1 = *(u64 *)(r6 +128) 2: (7b) *(u64 *)(r10 -16) = r1 3: (18) r1 = 0xffff8fcad7999800 ... a lot of similar messages here ... 96: (b7) r5 = 8 97: (85) call bpf_perf_event_output#25 invalid indirect read from stack off -8+0 size 8 Failed to load do_return: error loading BPF program: permission denied
    – lesovsky
    Nov 20 at 5:19












  • error affected by ameba_events.perf_submit(ctx, &data, sizeof(data));
    – lesovsky
    Nov 20 at 5:31










  • changing it to ameba_events.perf_submit(ctx, data, sizeof(data)); fixes it.
    – lesovsky
    Nov 20 at 5:38










  • anyway, reading through PT_REGS_IP(ctx) in do_entry and do_return, returns different values and I can't use these values as key in BPF_HASH. Maybe is it possible to translate address into a function name inside the BPF program and use string as hash key?
    – lesovsky
    Nov 20 at 6:06








  • 1




    I'm not sure I see the issue with having several functions to trace. As long as you're sure the do_return is called right after the do_entry, you can retrieve the IP value from the map without errors. Maybe we can discuss this with examples in a chat (IRC?) or in another SO question?
    – pchaigno
    Nov 21 at 9:17
















I've replaced pointer to variable and fix mistake in do_return(), but got something strange that I haven't seen before: $ go build timings.go $ sudo ./timings bpf: Failed to load program: Permission denied 0: (bf) r6 = r1 1: (79) r1 = *(u64 *)(r6 +128) 2: (7b) *(u64 *)(r10 -16) = r1 3: (18) r1 = 0xffff8fcad7999800 ... a lot of similar messages here ... 96: (b7) r5 = 8 97: (85) call bpf_perf_event_output#25 invalid indirect read from stack off -8+0 size 8 Failed to load do_return: error loading BPF program: permission denied
– lesovsky
Nov 20 at 5:19






I've replaced pointer to variable and fix mistake in do_return(), but got something strange that I haven't seen before: $ go build timings.go $ sudo ./timings bpf: Failed to load program: Permission denied 0: (bf) r6 = r1 1: (79) r1 = *(u64 *)(r6 +128) 2: (7b) *(u64 *)(r10 -16) = r1 3: (18) r1 = 0xffff8fcad7999800 ... a lot of similar messages here ... 96: (b7) r5 = 8 97: (85) call bpf_perf_event_output#25 invalid indirect read from stack off -8+0 size 8 Failed to load do_return: error loading BPF program: permission denied
– lesovsky
Nov 20 at 5:19














error affected by ameba_events.perf_submit(ctx, &data, sizeof(data));
– lesovsky
Nov 20 at 5:31




error affected by ameba_events.perf_submit(ctx, &data, sizeof(data));
– lesovsky
Nov 20 at 5:31












changing it to ameba_events.perf_submit(ctx, data, sizeof(data)); fixes it.
– lesovsky
Nov 20 at 5:38




changing it to ameba_events.perf_submit(ctx, data, sizeof(data)); fixes it.
– lesovsky
Nov 20 at 5:38












anyway, reading through PT_REGS_IP(ctx) in do_entry and do_return, returns different values and I can't use these values as key in BPF_HASH. Maybe is it possible to translate address into a function name inside the BPF program and use string as hash key?
– lesovsky
Nov 20 at 6:06






anyway, reading through PT_REGS_IP(ctx) in do_entry and do_return, returns different values and I can't use these values as key in BPF_HASH. Maybe is it possible to translate address into a function name inside the BPF program and use string as hash key?
– lesovsky
Nov 20 at 6:06






1




1




I'm not sure I see the issue with having several functions to trace. As long as you're sure the do_return is called right after the do_entry, you can retrieve the IP value from the map without errors. Maybe we can discuss this with examples in a chat (IRC?) or in another SO question?
– pchaigno
Nov 21 at 9:17




I'm not sure I see the issue with having several functions to trace. As long as you're sure the do_return is called right after the do_entry, you can retrieve the IP value from the map without errors. Maybe we can discuss this with examples in a chat (IRC?) or in another SO question?
– pchaigno
Nov 21 at 9:17


















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53373927%2ftake-name-of-called-function-in-ebpf%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Paul Cézanne

Image
Pour l’article ayant un titre homophone, voir Sézanne. Paul Cézanne.mw-parser-output .entete.artiste{background-image:url("//upload.wikimedia.org/wikipedia/commons/f/f3/Picto_infobox_artiste.png")} Autoportrait vers 1861 Naissance 19 janvier 1839 Aix-en-Provence (France) Décès 22 octobre 1906 (à 67 ans) Aix-en-Provence (France) Nationalité Française Activité Peintre Formation Académie de Charles Suisse Maître Joseph Gilbert, Antoine Guillemet, Camille Pissarro Mouvement Impressionnisme postimpressionnisme Influencé par Eugène Delacroix, Gustave Courbet, Véronèse A influencé Braque, Picasso, Matisse Conjoint Hortense Fiquet (depuis 1886) Enfant Paul Cézanne  ( d ) Œuvres principales La Montagne Sainte-Victoire, Portrait de madame Cézanne signature modifier - modifier le code - modifier Wikidata Paul Cézanne , né le 19 janvier 1839 à Aix-en-Provence et mort le 22 octobre 1906 dans la mê...
Read more

UIScrollView CustomStickyHeader Resize height generates problems when scroll is too fast

Image
0 I have been trying for a while to create a UIViewController that has a CustomStickyHeader and a UITableView. The idea I have been following is use the UITableView scrolling for changing the header view with the value of the contentOffset. The layout for the ViewController (AlbumsViewController) looks like: The UItableView Scrolling functions from the delegate are implemented like that: func scrollViewDidScroll(_ scrollView: UIScrollView) { let endReached = contentTableView.contentOffset.y >= (contentTableView.contentSize.height - contentTableView.frame.size.height) let isUP = lastContentOffset > scrollView.contentOffset.y if scrollView.contentOffset.y < 0 { headerHeightConstraint.constant += abs(scrollView.contentOffset.y) } else{ if !endReached{ ...
Read more

Angular material date-picker (MatDatepicker) auto completes the date on focus out

Image
3 3 I am using angular material/mat-datepicker in my project and whenever the user enters one digit inside of it, and goes out of focus - the date picker is auto completing with a random date. Example Just enter 1 and go out of focus, or enter 5/5/20 The date picker is adding date automatically Update : Also I am using reactive forms and I'm validating the input with that approach Can I disable this ? angular datepicker angular-material angular6 angular-material-datetimepicker share | improve this question edited Nov 20 '18 at 13:21 ...
Read more