1. 30 7月, 2019 22 次提交
    • A
      perf trace beauty: Add BPF augmenter for the 'rename' syscall · cfa9ac73
      Arnaldo Carvalho de Melo 提交于
      I.e. two strings:
      
        # perf trace -e rename
        systemd/1 rename("/run/systemd/units/.#invocation:dnf-makecache.service970761b7f2840dcc", "/run/systemd/units/invocation:dnf-makecache.service") = 0
        systemd-journa/715 rename("/run/systemd/journal/streams/.#9:17539785BJDblc", "/run/systemd/journal/streams/9:17539785") = 0
        mv/1936 rename("/tmp/build/perf/fd/.array.o.tmp", "/tmp/build/perf/fd/.array.o.cmd") = 0
        sh/1949 rename("/tmp/build/perf/.cpu.o.tmp", "/tmp/build/perf/.cpu.o.cmd") = 0
        mv/1954 rename("/tmp/build/perf/fs/.tracing_path.o.tmp", "/tmp/build/perf/fs/.tracing_path.o.cmd") = 0
        mv/1963 rename("/tmp/build/perf/common-cmds.h+", "/tmp/build/perf/common-cmds.h") = 0
        :1975/1975 rename("/tmp/build/perf/.exec-cmd.o.tmp", "/tmp/build/perf/.exec-cmd.o.cmd") = 0
        mv/1979 rename("/tmp/build/perf/fs/.fs.o.tmp", "/tmp/build/perf/fs/.fs.o.cmd") = 0
        mv/2005 rename("/tmp/build/perf/.debug.o.tmp", "/tmp/build/perf/.debug.o.cmd") = 0
        mv/2012 rename("/tmp/build/perf/.str_error_r.o.tmp", "/tmp/build/perf/.str_error_r.o.cmd") = 0
        mv/2019 rename("/tmp/build/perf/.help.o.tmp", "/tmp/build/perf/.help.o.cmd") = 0
        mv/2031 rename("/tmp/build/perf/.trace-seq.o.tmp", "/tmp/build/perf/.trace-seq.o.cmd") = 0
        make/2038  ... [continued]: rename())             = 0
        :2038/2038 rename("/tmp/build/perf/.event-plugin.o.tmp", "/tmp/build/perf/.event-plugin.o.cmd") ...
        ar/2035 rename("/tmp/build/perf/stzwBX3a", "/tmp/build/perf/libapi.a") = 0
        mv/2051 rename("/tmp/build/perf/.parse-utils.o.tmp", "/tmp/build/perf/.parse-utils.o.cmd") = 0
        mv/2069 rename("/tmp/build/perf/.subcmd-config.o.tmp", "/tmp/build/perf/.subcmd-config.o.cmd") = 0
        make/2080 rename("/tmp/build/perf/.parse-filter.o.tmp", "/tmp/build/perf/.parse-filter.o.cmd") = 0
        mv/2099 rename("/tmp/build/perf/.pager.o.tmp", "/tmp/build/perf/.pager.o.cmd") = 0
        :2124/2124 rename("/tmp/build/perf/.sigchain.o.tmp", "/tmp/build/perf/.sigchain.o.cmd") = 0
        make/2140 rename("/tmp/build/perf/.event-parse.o.tmp", "/tmp/build/perf/.event-parse.o.cmd") = 0
        mv/2164 rename("/tmp/build/perf/.kbuffer-parse.o.tmp", "/tmp/build/perf/.kbuffer-parse.o.cmd") = 0
        sh/2174 rename("/tmp/build/perf/.run-command.o.tmp", "/tmp/build/perf/.run-command.o.cmd") = 0
        mv/2190 rename("/tmp/build/perf/.tep_strerror.o.tmp", "/tmp/build/perf/.tep_strerror.o.cmd") = 0
        :2261/2261 rename("/tmp/build/perf/.event-parse-api.o.tmp", "/tmp/build/perf/.event-parse-api.o.cmd") = 0
        :2480/2480 rename("/tmp/build/perf/stLv3kG2", "/tmp/build/perf/libtraceevent.a") = 0
        ^C#
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-6hh2rl27uri6gsxhmk6q3hx5@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      cfa9ac73
    • A
      perf trace beauty: Beautify bind's sockaddr arg · 247dd65b
      Arnaldo Carvalho de Melo 提交于
      By reusing the "connect" BPF collector.
      
      Testing it system wide and stopping/starting sshd:
      
        # perf trace -e bind
        LLVM: dumping /home/acme/git/perf/tools/perf/examples/bpf/augmented_raw_syscalls.o
        DNS Res~er #18/15132 bind(243, { .family: PF_NETLINK }, 12)  = 0
        DNS Res~er #19/4833 bind(247, { .family: PF_NETLINK }, 12)  = 0
        DNS Res~er #19/4833 bind(238, { .family: PF_NETLINK }, 12)  = 0
        DNS Res~er #18/15132 bind(243, { .family: PF_NETLINK }, 12)  = 0
        DNS Res~er #18/10327 bind(258, { .family: PF_NETLINK }, 12)  = 0
        :6507/6507 bind(24, { .family: PF_NETLINK }, 12)   = 0
        DNS Res~er #19/4833 bind(238, { .family: PF_NETLINK }, 12)  = 0
        DNS Res~er #18/15132 bind(242, { .family: PF_NETLINK }, 12)  = 0
        sshd/6514 bind(3, { .family: PF_NETLINK }, 12)    = 0
        sshd/6514 bind(5, { .family: PF_INET, port: 22, addr: 0.0.0.0 }, 16) = 0
        sshd/6514 bind(7, { .family: PF_INET6, port: 22, addr: :: }, 28) = 0
        DNS Res~er #18/10327 bind(229, { .family: PF_NETLINK }, 12)  = 0
        DNS Res~er #18/15132 bind(231, { .family: PF_NETLINK }, 12)  = 0
        DNS Res~er #19/4833 bind(229, { .family: PF_NETLINK }, 12)  = 0
        ^C#
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-m2hmxqrckxxw2ciki0tu889u@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      247dd65b
    • A
      perf trace beauty: Beautify 'sendto's sockaddr arg · 3c475bc0
      Arnaldo Carvalho de Melo 提交于
      By just writing the collector in the augmented_raw_syscalls.c BPF
      program:
      
        # perf trace -e sendto
        <SNIP>
        ping/23492 sendto(3, 0x56253bbef700, 64, NONE, { .family: PF_INET, port: 0, addr: 10.10.161.32 }, 0x10) = 64
        ping/23492 sendto(3, 0x56253bbef700, 64, NONE, { .family: PF_INET, port: 0, addr: 10.10.161.32 }, 0x10) = 64
        ping/23492 sendto(3, 0x56253bbef700, 64, NONE, { .family: PF_INET, port: 0, addr: 10.10.161.32 }, 0x10) = 64
        ping/23492 sendto(3, 0x56253bbef700, 64, NONE, { .family: PF_INET, port: 0, addr: 10.10.161.32 }, 0x10) = 64
        Socket Thread/3573 sendto(247, 0x7fb32d49c000, 120, NONE, { .family: PF_UNSPEC }, NULL) = 120
        DNS Res~er #18/11374 sendto(242, 0x7fb342cfe420, 20, NONE, { .family: PF_NETLINK }, 0xc) = 20
        DNS Res~er #18/11374 sendto(242, 0x7fb342cfcca0, 42, MSG_NOSIGNAL, { .family: PF_UNSPEC }, NULL) = 42
        DNS Res~er #18/11374 sendto(242, 0x7fb342cfcccc, 42, MSG_NOSIGNAL, { .family: PF_UNSPEC }, NULL) = 42
        ping/23492 sendto(3, 0x56253bbef700, 64, NONE, { .family: PF_INET, port: 0, addr: 10.10.161.32 }, 0x10) = 64
        Socket Thread/3573 sendto(242, 0x7fb308bb1c08, 296, NONE, { .family: PF_UNSPEC }, NULL) = 296
        ping/23492 sendto(3, 0x56253bbef700, 64, NONE, { .family: PF_INET, port: 0, addr: 10.10.161.32 }, 0x10) = 64
        ping/23492 sendto(3, 0x56253bbef700, 64, NONE, { .family: PF_INET, port: 0, addr: 10.10.161.32 }, 0x10) = 64
        ping/23492 sendto(3, 0x56253bbef700, 64, NONE, { .family: PF_INET, port: 0, addr: 10.10.161.32 }, 0x10) = 64
        ping/23492 sendto(3, 0x56253bbef700, 64, NONE, { .family: PF_INET, port: 0, addr: 10.10.161.32 }, 0x10) = 64
        ^C
        #
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-p0l0rlvq19v5zf8qc2x2itow@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      3c475bc0
    • A
      perf trace beauty: Do not try to use the fd->pathname beautifier for bind/connect fd arg · ef969ca6
      Arnaldo Carvalho de Melo 提交于
      Doesn't make sense and also we now beautify the sockaddr, which provides
      enough info:
      
        # trace -e close,socket,connec* ssh www.bla.com
        <SNIP>
        close(5)                                = 0
        socket(PF_INET, SOCK_DGRAM|CLOEXEC|NONBLOCK, IPPROTO_IP) = 5
        connect(5, { .family: PF_INET, port: 53, addr: 192.168.44.1 }, 16) = 0
        close(5)                                = 0
        socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
        ^C#
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-h9drpb7ail808d2mh4n7tla4@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      ef969ca6
    • A
      perf trace beauty: Disable fd->pathname when close() not enabled · 79d725cd
      Arnaldo Carvalho de Melo 提交于
      As we invalidate the fd->pathname table in the SCA_CLOSE_FD beautifier,
      if we don't have it we may end up keeping an fd->pathname association
      that then gets misprinted.
      
      The previous behaviour continues when the close() syscall is enabled,
      which may still be a a problem if we lose records (i.e. we may lose a
      'close' record and then get that fd reused by socket()) but then the
      tool will notify that records are being lost and the user will be warned
      that some of the heuristics will fall apart.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-b7t6h8sq9lebemvfy2zh3qq1@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      79d725cd
    • A
      perf trace beauty: Make connect's addrlen be printed as an int, not hex · 1d862752
      Arnaldo Carvalho de Melo 提交于
        # perf trace -e connec* ssh www.bla.com
        connect(3</var/lib/sss/mc/passwd>, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 110) = -1 ENOENT (No such file or directory)
        connect(3</var/lib/sss/mc/passwd>, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 110) = -1 ENOENT (No such file or directory)
        connect(4<socket:[16610959]>, { .family: PF_LOCAL, path: /var/lib/sss/pipes/nss }, 110) = 0
        connect(7, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 110) = -1 ENOENT (No such file or directory)
        connect(7, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 110) = -1 ENOENT (No such file or directory)
        connect(5, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 110) = -1 ENOENT (No such file or directory)
        connect(5</usr/lib64/libnss_mdns4_minimal.so.2>, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 110) = -1 ENOENT (No such file or directory)
        connect(5</usr/lib64/libnss_mdns4_minimal.so.2>, { .family: PF_INET, port: 53, addr: 192.168.44.1 }, 16) = 0
        connect(5</usr/lib64/libnss_mdns4_minimal.so.2>, { .family: PF_INET, port: 22, addr: 146.112.61.108 }, 16) = 0
        connect(5</usr/lib64/libnss_mdns4_minimal.so.2>, { .family: PF_INET6, port: 22, addr: ::ffff:146.112.61.108 }, 28) = 0
        ^Cconnect(5</usr/lib64/libnss_mdns4_minimal.so.2>, { .family: PF_INET, port: 22, addr: 146.112.61.108 }, 16) = -1 (unknown) (INTERNAL ERROR: strerror_r(512, [buf], 128)=22)
        #
      
      Argh, the SCA_FD needs to invalidate its cache when close is done...
      
      It works if the 'close' syscall is not filtered out ;-\
      
        # perf trace -e close,connec* ssh www.bla.com
        close(3)                                = 0
        close(3</usr/lib64/libpcre2-8.so.0.8.0>) = 0
        close(3)                                = 0
        close(3</usr/lib64/libkrb5.so.3.3>)     = 0
        close(3</usr/lib64/libkrb5.so.3.3>)     = 0
        close(3)                                = 0
        close(3</usr/lib64/libk5crypto.so.3.1>) = 0
        close(3</usr/lib64/libk5crypto.so.3.1>) = 0
        close(3</usr/lib64/libcom_err.so.2.1>)  = 0
        close(3</usr/lib64/libcom_err.so.2.1>)  = 0
        close(3)                                = 0
        close(3</usr/lib64/libkrb5support.so.0.1>) = 0
        close(3</usr/lib64/libkrb5support.so.0.1>) = 0
        close(3</usr/lib64/libkeyutils.so.1.8>) = 0
        close(3</usr/lib64/libkeyutils.so.1.8>) = 0
        close(3)                                = 0
        close(3)                                = 0
        close(3)                                = 0
        close(3)                                = 0
        close(4)                                = 0
        close(3)                                = 0
        close(3)                                = 0
        connect(3</etc/nsswitch.conf>, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 110) = -1 ENOENT (No such file or directory)
        close(3</etc/nsswitch.conf>)            = 0
        connect(3</usr/lib64/libnss_sss.so.2>, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 110) = -1 ENOENT (No such file or directory)
        close(3</usr/lib64/libnss_sss.so.2>)    = 0
        close(3</usr/lib64/libnss_sss.so.2>)    = 0
        close(3)                                = 0
        close(3)                                = 0
        connect(4<socket:[16616519]>, { .family: PF_LOCAL, path: /var/lib/sss/pipes/nss }, 110) = 0
        ^C
        #
      
      Will disable this beautifier when 'close' is filtered out...
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-ekuiciyx4znchvy95c8p1yyi@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      1d862752
    • A
      perf augmented_raw_syscalls: Augment sockaddr arg in 'connect' · 212b9ab6
      Arnaldo Carvalho de Melo 提交于
      We already had a beautifier for an augmented sockaddr payload, but that
      was when we were hooking on each syscalls:sys_enter_foo tracepoints,
      since now we're almost doing that by doing a tail call from
      raw_syscalls:sys_enter, its almost the same, we can reuse it straight
      away.
      
        # perf trace -e connec* ssh www.bla.com
        connect(3</var/lib/sss/mc/passwd>, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 0x6e) = -1 ENOENT (No such file or directory)
        connect(3</var/lib/sss/mc/passwd>, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 0x6e) = -1 ENOENT (No such file or directory)
        connect(4<socket:[16604782]>, { .family: PF_LOCAL, path: /var/lib/sss/pipes/nss }, 0x6e) = 0
        connect(7, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 0x6e) = -1 ENOENT (No such file or directory)
        connect(7, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 0x6e) = -1 ENOENT (No such file or directory)
        connect(5</etc/hosts>, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 0x6e) = -1 ENOENT (No such file or directory)
        connect(5</etc/hosts>, { .family: PF_LOCAL, path: /var/run/nscd/socket }, 0x6e) = -1 ENOENT (No such file or directory)
        connect(5</etc/hosts>, { .family: PF_INET, port: 53, addr: 192.168.44.1 }, 0x10) = 0
        connect(5</etc/hosts>, { .family: PF_INET, port: 22, addr: 146.112.61.108 }, 0x10) = 0
        connect(5</etc/hosts>, { .family: PF_INET6, port: 22, addr: ::ffff:146.112.61.108 }, 0x1c) = 0
        ^C#
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-5xkrbcpjsgnr3zt1aqdd7nvc@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      212b9ab6
    • A
      perf augmented_raw_syscalls: Rename augmented_args_filename to augmented_args_payload · 6f563674
      Arnaldo Carvalho de Melo 提交于
      It'll get other stuff in there than just filenames, starting with
      sockaddr for 'connect' and 'bind'.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-bsexidtsn91ehdpzcd6n5fm9@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      6f563674
    • A
      perf trace: Look for default name for entries in the syscalls prog array · 8b8044e5
      Arnaldo Carvalho de Melo 提交于
      I.e. just look for "!syscalls:sys_enter_" or "exit_" plus the syscall
      name, that way we need just to add entries to the
      augmented_raw_syscalls.c BPF source to add handlers.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-6xavwddruokp6ohs7tf4qilb@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      8b8044e5
    • A
      perf augmented_raw_syscalls: Support copying two string syscall args · 8d5da264
      Arnaldo Carvalho de Melo 提交于
      Starting with the renameat and renameat2 syscall, that both receive as
      second and fourth parameters a pathname:
      
        # perf trace -e rename* mv one ANOTHER
        LLVM: dumping /home/acme/git/perf/tools/perf/examples/bpf/augmented_raw_syscalls.o
        mv: cannot stat 'one': No such file or directory
        renameat2(AT_FDCWD, "one", AT_FDCWD, "ANOTHER", RENAME_NOREPLACE) = -1 ENOENT (No such file or directory)
        #
      
      Since the per CPU scratch buffer map has space for two maximum sized
      pathnames, the verifier is satisfied that there will be no overrun.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-x2uboyg5kx2wqeru288209b6@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      8d5da264
    • A
      perf augmented_raw_syscalls: Switch to using BPF_MAP_TYPE_PROG_ARRAY · bf134ca6
      Arnaldo Carvalho de Melo 提交于
      Trying to control what arguments to copy, which ones were strings, etc
      all from userspace via maps went nowhere, lots of difficulties to get
      the verifier satisfied, so use what the fine BPF guys designed for such
      a syscall handling mechanism: bpf_tail_call + BPF_MAP_TYPE_PROG_ARRAY.
      
      The series leading to this should have explained it thoroughly, but the
      end result, explained via gdb should help understand this:
      
        Breakpoint 1, syscall_arg__scnprintf_filename (bf=0xc002b1 "", size=2031, arg=0x7fffffff7970) at builtin-trace.c:1268
        1268	{
        (gdb) n
        1269		unsigned long ptr = arg->val;
        (gdb) n
        1271		if (arg->augmented.args)
        (gdb) n
        1272			return syscall_arg__scnprintf_augmented_string(arg, bf, size);
        (gdb) s
        syscall_arg__scnprintf_augmented_string (arg=0x7fffffff7970, bf=0xc002b1 "", size=2031) at builtin-trace.c:1251
        1251	{
        (gdb) n
        1252		struct augmented_arg *augmented_arg = arg->augmented.args;
        (gdb) n
        1253		size_t printed = scnprintf(bf, size, "\"%.*s\"", augmented_arg->size, augmented_arg->value);
        (gdb) n
        1258		int consumed = sizeof(*augmented_arg) + augmented_arg->size;
        (gdb) p bf
        $1 = 0xc002b1 "\"/etc/ld.so.cache\""
        (gdb) bt
        #0  syscall_arg__scnprintf_augmented_string (arg=0x7fffffff7970, bf=0xc002b1 "\"/etc/ld.so.cache\"", size=2031) at builtin-trace.c:1258
        #1  0x0000000000492634 in syscall_arg__scnprintf_filename (bf=0xc002b1 "\"/etc/ld.so.cache\"", size=2031, arg=0x7fffffff7970) at builtin-trace.c:1272
        #2  0x0000000000493cd7 in syscall__scnprintf_val (sc=0xc0de68, bf=0xc002b1 "\"/etc/ld.so.cache\"", size=2031, arg=0x7fffffff7970, val=140737354091036) at builtin-trace.c:1689
        #3  0x000000000049404f in syscall__scnprintf_args (sc=0xc0de68, bf=0xc002a7 "AT_FDCWD, \"/etc/ld.so.cache\"", size=2041, args=0x7ffff6cbf1ec "\234\377\377\377", augmented_args=0x7ffff6cbf21c, augmented_args_size=28, trace=0x7fffffffa170,
            thread=0xbff940) at builtin-trace.c:1756
        #4  0x0000000000494a97 in trace__sys_enter (trace=0x7fffffffa170, evsel=0xbe1900, event=0x7ffff6cbf1a0, sample=0x7fffffff7b00) at builtin-trace.c:1975
        #5  0x0000000000496ff1 in trace__handle_event (trace=0x7fffffffa170, event=0x7ffff6cbf1a0, sample=0x7fffffff7b00) at builtin-trace.c:2685
        #6  0x0000000000497edb in __trace__deliver_event (trace=0x7fffffffa170, event=0x7ffff6cbf1a0) at builtin-trace.c:3029
        #7  0x000000000049801e in trace__deliver_event (trace=0x7fffffffa170, event=0x7ffff6cbf1a0) at builtin-trace.c:3056
        #8  0x00000000004988de in trace__run (trace=0x7fffffffa170, argc=2, argv=0x7fffffffd660) at builtin-trace.c:3258
        #9  0x000000000049c2d3 in cmd_trace (argc=2, argv=0x7fffffffd660) at builtin-trace.c:4220
        #10 0x00000000004dcb6c in run_builtin (p=0xa18e00 <commands+576>, argc=5, argv=0x7fffffffd660) at perf.c:304
        #11 0x00000000004dcdd9 in handle_internal_command (argc=5, argv=0x7fffffffd660) at perf.c:356
        #12 0x00000000004dcf20 in run_argv (argcp=0x7fffffffd4bc, argv=0x7fffffffd4b0) at perf.c:400
        #13 0x00000000004dd28c in main (argc=5, argv=0x7fffffffd660) at perf.c:522
        (gdb)
        (gdb) continue
        Continuing.
        openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
      
      Now its a matter of automagically assigning the BPF programs copying
      syscall arg pointers to functions that are "open"-like (i.e. that need
      only the first syscall arg copied as a string), or "openat"-like (2nd
      arg, etc).
      
      End result in tool output:
      
        # perf trace -e open* ls /tmp/notthere
        LLVM: dumping /home/acme/git/perf/tools/perf/examples/bpf/augmented_raw_syscalls.o
        openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
        openat(AT_FDCWD, "/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
        openat(AT_FDCWD, "/lib64/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3
        openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
        openat(AT_FDCWD, "/lib64/libpcre2-8.so.0", O_RDONLY|O_CLOEXEC) = 3
        openat(AT_FDCWD, "/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
        openat(AT_FDCWD, "/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
        openat(AT_FDCWD, "", O_RDONLY|O_CLOEXEC) = 3
        openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
        openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = ls: cannot access '/tmp/notthere'-1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY: No such file or directory) =
        -1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
        openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
        #
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-snc7ry99cl6r0pqaspjim98x@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      bf134ca6
    • A
      perf augmented_raw_syscalls: Add handler for "openat" · 236dd583
      Arnaldo Carvalho de Melo 提交于
      I.e. for a syscall that has its second argument being a string, its
      difficult these days to find 'open' being used in the wild :-)
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-yf3kbzirqrukd3fb2sp5qx4p@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      236dd583
    • A
      perf trace: Handle raw_syscalls:sys_enter just like the BPF_OUTPUT augmented event · b119970a
      Arnaldo Carvalho de Melo 提交于
      So, we use a PERF_COUNT_SW_BPF_OUTPUT to output the augmented sys_enter
      payload, i.e. to output more than just the raw syscall args, and if
      something goes wrong when handling an unfiltered syscall, we bail out
      and just return 1 in the bpf program associated with
      raw_syscalls:sys_enter, meaning, don't filter that tracepoint, in which
      case what will appear in the perf ring buffer isn't the BPF_OUTPUT
      event, but the original raw_syscalls:sys_enter event with its normal
      payload.
      
      Now that we're switching to using a bpf_tail_call +
      BPF_MAP_TYPE_PROG_ARRAY we're going to use this in the common case, so a
      bug where raw_syscalls:sys_enter wasn't being handled by
      trace__sys_enter() surfaced and for  that case, instead of using the
      strace-like augmenter (trace__sys_enter()), we continued to use the
      normal generic tracepoint handler:
      
        (gdb) p evsel
        $2 = (struct perf_evsel *) 0xc03e40
        (gdb) p evsel->name
        $3 = 0xbc56c0 "raw_syscalls:sys_enter"
        (gdb) p ((struct perf_evsel *) 0xc03e40)->name
        $4 = 0xbc56c0 "raw_syscalls:sys_enter"
        (gdb) p ((struct perf_evsel *) 0xc03e40)->handler
        $5 = (void *) 0x495eb3 <trace__event_handler>
      
      This resulted in this:
      
           0.027 raw_syscalls:sys_enter:NR 12 (0, 7fcfcac64c9b, 4d, 7fcfcac64c9b, 7fcfcac6ce00, 19)
           ... [continued]: brk())                = 0x563b88677000
      
      I.e. only the sys_exit tracepoint was being properly handled, but since
      the sys_enter went to the generic trace__event_handler() we printed it
      using libtraceevent's formatter instead of 'perf trace's strace-like
      one.
      
      Fix it by setting trace__sys_enter() as the handler for
      raw_syscalls:sys_enter and setup the tp_field tracepoint field
      accessors.
      
      Now, to test it we just make raw_syscalls:sys_enter return 1 right after
      checking if the pid is filtered, making it not use
      bpf_perf_output_event() but rather ask for the tracepoint not to be
      filtered and the result is the expected one:
      
        brk(NULL)                               = 0x556f42d6e000
      
      I.e. raw_syscalls:sys_enter returns 1, gets handled by
      trace__sys_enter() and gets it combined with the raw_syscalls:sys_exit
      in a strace-like way.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-0mkocgk31nmy0odknegcby4z@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      b119970a
    • A
      perf trace: Put the per-syscall entry/exit prog_array BPF map infrastructure in place · 3803a229
      Arnaldo Carvalho de Melo 提交于
      I.e. look for "syscalls_sys_enter" and "syscalls_sys_exit" BPF maps of
      type PROG_ARRAY and populate it with the handlers as specified per
      syscall, for now only 'open' is wiring it to something, in time all
      syscalls that need to copy arguments entering a syscall or returning
      from one will set these to the right handlers, reusing when possible
      pre-existing ones.
      
      Next step is to use bpf_tail_call() into that.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-t0p4u43i9vbpzs1xtowna3gb@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      3803a229
    • A
      perf trace: Allow specifying the bpf prog to augment specific syscalls · 6ff8fff4
      Arnaldo Carvalho de Melo 提交于
      This is a step in the direction of being able to use a
      BPF_MAP_TYPE_PROG_ARRAY to handle syscalls that need to copy pointer
      payloads in addition to the raw tracepoint syscall args.
      
      There is a first example in
      tools/perf/examples/bpf/augmented_raw_syscalls.c for the 'open' syscall.
      
      Next step is to introduce the prog array map and use this 'open'
      augmenter, then use that augmenter in other syscalls that also only copy
      the first arg as a string, and then show how to use with a syscall that
      reads more than one filename, like 'rename', etc.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-pys4v57x5qqrybb4cery2mc8@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      6ff8fff4
    • A
      perf trace: Add BPF handler for unaugmented syscalls · 5834da7f
      Arnaldo Carvalho de Melo 提交于
      Will be used to assign to syscalls that don't need augmentation, i.e.
      those with just integer args.
      
      All syscalls will be in a BPF_MAP_TYPE_PROG_ARRAY, and the
      bpf_tail_call() keyed by the syscall id will either find nothing in
      place, which means the syscall is being filtered, or a function that
      will either add things like filenames to the ring buffer, right after
      the raw syscall args, or be this unaugmented handler that will just
      return 1, meaning don't filter the original
      raw_syscalls:sys_{enter,exit} tracepoint.
      
      For now it is not really being used, this is just leg work to break the
      patch into smaller pieces.
      
      It introduces a trace__find_bpf_program_by_title() helper that in turn
      uses libbpf's bpf_object__find_program_by_title() on the BPF object with
      the __augmented_syscalls__ map. "title" is how libbpf calls the SEC()
      argument for functions, i.e. the ELF section that follows a convention
      to specify what BPF program (a function with this SEC() marking) should
      be connected to which tracepoint, kprobes, etc.
      
      In perf anything that is of the form SEC("sys:event_name") will be
      connected to that tracepoint by perf's BPF loader.
      
      In this case its something that will be bpf_tail_call()ed from either
      the "raw_syscalls:sys_enter" or "raw_syscall:sys_exit" tracepoints, so
      its named "!raw_syscalls:unaugmented" to convey that idea, i.e. its not
      going to be directly attached to a tracepoint, thus it starts with a
      "!".
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-meucpjx2u0slpkayx56lxqq6@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      5834da7f
    • A
      perf trace: Order -e syscalls table · 83e69b92
      Arnaldo Carvalho de Melo 提交于
      The ev_qualifier is an array with the syscall ids passed via -e on the
      command line, sort it as we'll search it when setting up the
      BPF_MAP_TYPE_PROG_ARRAY.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-c8hprylp3ai6e0z9burn2r3s@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      83e69b92
    • A
      perf trace: Look up maps just on the __augmented_syscalls__ BPF object · 5ca0b7f5
      Arnaldo Carvalho de Melo 提交于
      We can conceivably have multiple BPF object files for other purposes, so
      better look just on the BPF object containing the __augmented_syscalls__
      map for all things augmented_syscalls related.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Brendan Gregg <brendan.d.gregg@gmail.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-3jt8knkuae9lt705r1lns202@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      5ca0b7f5
    • A
      perf trace: Add pointer to BPF object containing __augmented_syscalls__ · c8c80570
      Arnaldo Carvalho de Melo 提交于
      So that we can use it when looking for other components of that object
      file, such as other programs to add to the BPF_MAP_TYPE_PROG_ARRAY and
      use with bpf_tail_call().
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-1ibmz7ouv6llqxajy7m8igtd@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      c8c80570
    • A
      perf evsel: Store backpointer to attached bpf_object · af4a0991
      Arnaldo Carvalho de Melo 提交于
      We may want to get to this bpf_object, to search for other BPF programs,
      etc.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-3y8hrb6lszjfi23vjlic3cib@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      af4a0991
    • A
      perf bpf: Do not attach a BPF prog to a tracepoint if its name starts with ! · 2620b7e3
      Arnaldo Carvalho de Melo 提交于
      With BPF_MAP_TYPE_PROG_ARRAY + bpf_tail_call() we want to have BPF
      programs, i.e. functions in a object file that perf's BPF loader
      shouldn't try to attach to anything, i.e. "!syscalls:sys_enter_open"
      should just stay there, not be attached to a tracepoint with that name,
      it'll be used by, for instance, 'perf trace' to associate with syscalls
      that copy, in addition to the syscall raw args, a filename pointed by
      the first arg, i.e. multiple syscalls that need copying the same pointer
      arg in the same way, as a filename, for instance, will share the same
      BPF program/function.
      
      Right now when perf's BPF loader sees a function with a name
      "sys:name" it'll look for a tracepoint and will associate that BPF
      program with it, say:
      
        SEC("raw_syscalls:sys_enter")
        int sys_enter(struct syscall_enter_args *args)
        {
           //SNIP
        }
      
      Will crate a perf_evsel tracepoint event and then associate with it that
      BPF program.
      
      This convention at some point will switch to the one used by the BPF
      loader in libbpf, but to experiment with BPF_MAP_TYPE_PROG_ARRAY in
      'perf trace' lets do this, that will not require changing too much
      stuff.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-lk6dasjr1yf9rtvl292b2hpc@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      2620b7e3
    • A
      perf include bpf: Add bpf_tail_call() prototype · 941a7658
      Arnaldo Carvalho de Melo 提交于
      Will be used together with BPF_MAP_TYPE_PROG_ARRAY in
      tools/perf/examples/bpf/augmented_raw_syscalls.c.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-pd1bpy8i31nta6jqwdex871g@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      941a7658
  2. 29 7月, 2019 4 次提交
  3. 26 7月, 2019 1 次提交
    • A
      tools include UAPI: Sync x86's syscalls_64.tbl and generic unistd.h to pick up... · 820571af
      Arnaldo Carvalho de Melo 提交于
      tools include UAPI: Sync x86's syscalls_64.tbl and generic unistd.h to pick up clone3 and pidfd_open
      
        05a70a8e ("unistd: protect clone3 via __ARCH_WANT_SYS_CLONE3")
        8f3220a8 ("arch: wire-up clone3() syscall")
        7615d9e1 ("arch: wire-up pidfd_open()")
      
      Silencing the following tools/perf build warnings
      
        Warning: Kernel ABI header at 'tools/include/uapi/asm-generic/unistd.h' differs from latest version at 'include/uapi/asm-generic/unistd.h'
        diff -u tools/include/uapi/asm-generic/unistd.h include/uapi/asm-generic/unistd.h
        Warning: Kernel ABI header at 'tools/perf/arch/x86/entry/syscalls/syscall_64.tbl' differs from latest version at 'arch/x86/entry/syscalls/syscall_64.tbl'
        diff -u tools/perf/arch/x86/entry/syscalls/syscall_64.tbl arch/x86/entry/syscalls/syscall_64.tbl
      
      Now 'perf trace -e pidfd*,clone*' will trace those syscalls as well as the
      others with those prefixes.
      
        $ diff -u /tmp/build/perf/arch/x86/include/generated/asm/syscalls_64.c.before /tmp/build/perf/arch/x86/include/generated/asm/syscalls_64.c
        --- /tmp/build/perf/arch/x86/include/generated/asm/syscalls_64.c.before	2019-07-26 12:24:55.020944201 -0300
        +++ /tmp/build/perf/arch/x86/include/generated/asm/syscalls_64.c	2019-07-26 12:25:03.919047217 -0300
        @@ -344,5 +344,7 @@
              [431] = "fsconfig",
              [432] = "fsmount",
              [433] = "fspick",
        +     [434] = "pidfd_open",
        +     [435] = "clone3",
         };
        -#define SYSCALLTBL_x86_64_MAX_ID 433
        +#define SYSCALLTBL_x86_64_MAX_ID 435
        $
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Brendan Gregg <brendan.d.gregg@gmail.com>
      Cc: Christian Brauner <christian@brauner.io>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Luis Cláudio Gonçalves <lclaudio@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-0isnnqxtr1ihz6p8wzjiy47d@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      820571af
  4. 23 7月, 2019 9 次提交
  5. 15 7月, 2019 1 次提交
  6. 13 7月, 2019 1 次提交
  7. 11 7月, 2019 2 次提交