libbpf-tools: add statsnoop
Signed-off-by: Hengqi Chen <chenhengqi@outlook.com>
diff --git a/libbpf-tools/.gitignore b/libbpf-tools/.gitignore
index 33391e9..f1305ba 100644
--- a/libbpf-tools/.gitignore
+++ b/libbpf-tools/.gitignore
@@ -23,6 +23,7 @@
/runqlen
/runqslower
/softirqs
+/statsnoop
/syscount
/tcpconnect
/tcpconnlat
diff --git a/libbpf-tools/Makefile b/libbpf-tools/Makefile
index 9ffbcad..3b43c30 100644
--- a/libbpf-tools/Makefile
+++ b/libbpf-tools/Makefile
@@ -40,6 +40,7 @@
runqlen \
runqslower \
softirqs \
+ statsnoop \
syscount \
tcpconnect \
tcpconnlat \
diff --git a/libbpf-tools/statsnoop.bpf.c b/libbpf-tools/statsnoop.bpf.c
new file mode 100644
index 0000000..3b37343
--- /dev/null
+++ b/libbpf-tools/statsnoop.bpf.c
@@ -0,0 +1,94 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (c) 2021 Hengqi Chen
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include "statsnoop.h"
+
+#define MAX_ENTRIES 10240
+
+const volatile pid_t target_pid = 0;
+const volatile bool trace_failed_only = false;
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, MAX_ENTRIES);
+ __type(key, __u32);
+ __type(value, const char *);
+} values SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(__u32));
+ __uint(value_size, sizeof(__u32));
+} events SEC(".maps");
+
+static int probe_entry(void *ctx, const char *pathname)
+{
+ __u64 id = bpf_get_current_pid_tgid();
+ __u32 pid = id >> 32;
+ __u32 tid = (__u32)id;
+
+ if (!pathname)
+ return 0;
+
+ if (target_pid && target_pid != pid)
+ return 0;
+
+ bpf_map_update_elem(&values, &tid, &pathname, BPF_ANY);
+ return 0;
+};
+
+static int probe_return(void *ctx, int ret)
+{
+ __u64 id = bpf_get_current_pid_tgid();
+ __u32 pid = id >> 32;
+ __u32 tid = (__u32)id;
+ const char **pathname;
+ struct event event = {};
+
+ pathname = bpf_map_lookup_elem(&values, &tid);
+ if (!pathname)
+ return 0;
+
+ if (trace_failed_only && ret >= 0) {
+ bpf_map_delete_elem(&values, &tid);
+ return 0;
+ }
+
+ event.pid = pid;
+ event.ts_ns = bpf_ktime_get_ns();
+ event.ret = ret;
+ bpf_get_current_comm(&event.comm, sizeof(event.comm));
+ bpf_probe_read_user_str(event.pathname, sizeof(event.pathname), *pathname);
+
+ bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
+ bpf_map_delete_elem(&values, &tid);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_statfs")
+int handle_statfs_entry(struct trace_event_raw_sys_enter *ctx)
+{
+ return probe_entry(ctx, (const char *)ctx->args[0]);
+}
+
+SEC("tracepoint/syscalls/sys_exit_statfs")
+int handle_statfs_return(struct trace_event_raw_sys_exit *ctx)
+{
+ return probe_return(ctx, (int)ctx->ret);
+}
+
+SEC("tracepoint/syscalls/sys_enter_newstat")
+int handle_newstat_entry(struct trace_event_raw_sys_enter *ctx)
+{
+ return probe_entry(ctx, (const char *)ctx->args[0]);
+}
+
+SEC("tracepoint/syscalls/sys_exit_newstat")
+int handle_newstat_return(struct trace_event_raw_sys_exit *ctx)
+{
+ return probe_return(ctx, (int)ctx->ret);
+}
+
+char LICENSE[] SEC("license") = "GPL";
diff --git a/libbpf-tools/statsnoop.c b/libbpf-tools/statsnoop.c
new file mode 100644
index 0000000..3ec6ac2
--- /dev/null
+++ b/libbpf-tools/statsnoop.c
@@ -0,0 +1,186 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+// Copyright (c) 2021 Hengqi Chen
+//
+// Based on statsnoop(8) from BCC by Brendan Gregg.
+// 09-May-2021 Hengqi Chen Created this.
+#include <argp.h>
+#include <errno.h>
+#include <signal.h>
+#include <time.h>
+
+#include <bpf/libbpf.h>
+#include <bpf/bpf.h>
+#include "statsnoop.h"
+#include "statsnoop.skel.h"
+#include "trace_helpers.h"
+
+#define PERF_BUFFER_PAGES 16
+#define PERF_POLL_TIMEOUT_MS 100
+#define warn(...) fprintf(stderr, __VA_ARGS__)
+
+static volatile sig_atomic_t exiting = 0;
+
+static pid_t target_pid = 0;
+static bool trace_failed_only = false;
+static bool emit_timestamp = false;
+
+const char *argp_program_version = "statsnoop 0.1";
+const char *argp_program_bug_address =
+ "https://github.com/iovisor/bcc/tree/master/libbpf-tools";
+const char argp_program_doc[] =
+"Trace stat syscalls.\n"
+"\n"
+"USAGE: statsnoop [-h] [-t] [-x] [-p PID]\n"
+"\n"
+"EXAMPLES:\n"
+" statsnoop # trace all stat syscalls\n"
+" statsnoop -t # include timestamps\n"
+" statsnoop -x # only show failed stats\n"
+" statsnoop -p 1216 # only trace PID 1216\n";
+
+static const struct argp_option opts[] = {
+ {"pid", 'p', "PID", 0, "Process ID to trace"},
+ {"failed", 'x', NULL, 0, "Only show failed stats"},
+ {"timestamp", 't', NULL, 0, "Include timestamp on output"},
+ {NULL, 'h', NULL, OPTION_HIDDEN, "Show the full help"},
+ {},
+};
+
+static error_t parse_arg(int key, char *arg, struct argp_state *state)
+{
+ long pid;
+
+ switch (key) {
+ case 'p':
+ errno = 0;
+ pid = strtol(arg, NULL, 10);
+ if (errno || pid <= 0) {
+ warn("Invalid PID: %s\n", arg);
+ argp_usage(state);
+ }
+ target_pid = pid;
+ break;
+ case 'x':
+ trace_failed_only = true;
+ break;
+ case 't':
+ emit_timestamp = true;
+ break;
+ case 'h':
+ argp_state_help(state, stderr, ARGP_HELP_STD_HELP);
+ break;
+ default:
+ return ARGP_ERR_UNKNOWN;
+ }
+ return 0;
+}
+
+static void sig_int(int signo)
+{
+ exiting = 1;
+}
+
+static void handle_event(void *ctx, int cpu, void *data, __u32 data_sz)
+{
+ static __u64 start_timestamp = 0;
+ const struct event *e = data;
+ int fd, err;
+ double ts = 0.0;
+
+ if (e->ret >= 0) {
+ fd = e->ret;
+ err = 0;
+ } else {
+ fd = -1;
+ err = -e->ret;
+ }
+ if (!start_timestamp)
+ start_timestamp = e->ts_ns;
+ if (emit_timestamp) {
+ ts = (double)(e->ts_ns - start_timestamp) / 1000000000;
+ printf("%-14.9f ", ts);
+ }
+ printf("%-7d %-20s %-4d %-4d %-s\n", e->pid, e->comm, fd, err, e->pathname);
+}
+
+static void handle_lost_events(void *ctx, int cpu, __u64 lost_cnt)
+{
+ warn("lost %llu events on CPU #%d\n", lost_cnt, cpu);
+}
+
+int main(int argc, char **argv)
+{
+ static const struct argp argp = {
+ .options = opts,
+ .parser = parse_arg,
+ .doc = argp_program_doc,
+ };
+ struct perf_buffer_opts pb_opts;
+ struct perf_buffer *pb = NULL;
+ struct statsnoop_bpf *obj;
+ int err;
+
+ err = argp_parse(&argp, argc, argv, 0, NULL, NULL);
+ if (err)
+ return err;
+
+ err = bump_memlock_rlimit();
+ if (err) {
+ warn("failed to increase rlimit: %d\n", err);
+ return 1;
+ }
+
+ obj = statsnoop_bpf__open();
+ if (!obj) {
+ warn("failed to open BPF object\n");
+ return 1;
+ }
+
+ obj->rodata->target_pid = target_pid;
+ obj->rodata->trace_failed_only = trace_failed_only;
+
+ err = statsnoop_bpf__load(obj);
+ if (err) {
+ warn("failed to load BPF object: %d\n", err);
+ goto cleanup;
+ }
+
+ err = statsnoop_bpf__attach(obj);
+ if (err) {
+ warn("failed to attach BPF programs: %d\n", err);
+ goto cleanup;
+ }
+
+ pb_opts.sample_cb = handle_event;
+ pb_opts.lost_cb = handle_lost_events;
+ pb = perf_buffer__new(bpf_map__fd(obj->maps.events), PERF_BUFFER_PAGES,
+ &pb_opts);
+ err = libbpf_get_error(pb);
+ if (err) {
+ warn("failed to open perf buffer: %d\n", err);
+ goto cleanup;
+ }
+
+ if (signal(SIGINT, sig_int) == SIG_ERR) {
+ warn("can't set signal handler: %s\n", strerror(-errno));
+ goto cleanup;
+ }
+
+ if (emit_timestamp)
+ printf("%-14s ", "TIME(s)");
+ printf("%-7s %-20s %-4s %-4s %-s\n",
+ "PID", "COMM", "RET", "ERR", "PATH");
+
+ while (1) {
+ if ((err = perf_buffer__poll(pb, PERF_POLL_TIMEOUT_MS)) < 0)
+ break;
+ if (exiting)
+ goto cleanup;
+ }
+ warn("error polling perf buffer: %d\n", err);
+
+cleanup:
+ statsnoop_bpf__destroy(obj);
+
+ return err != 0;
+}
diff --git a/libbpf-tools/statsnoop.h b/libbpf-tools/statsnoop.h
new file mode 100644
index 0000000..37f0111
--- /dev/null
+++ b/libbpf-tools/statsnoop.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
+#ifndef __STATSNOOP_H
+#define __STATSNOOP_H
+
+#define TASK_COMM_LEN 16
+#define NAME_MAX 255
+
+struct event {
+ __u64 ts_ns;
+ __u32 pid;
+ int ret;
+ char comm[TASK_COMM_LEN];
+ char pathname[NAME_MAX];
+};
+
+#endif /* __STATSNOOP_H */