auto attach BPF functions to kprobes about bcc HOT 12 CLOSED

I should note that attach_kprobe() could stay around. This would be an optional shortcut.

from bcc.

I am hesitant to instrument the C syntax in the way mentioned (sched:sched_process_fork). Though we mangle a little bit the programs that are created, they are still all valid C syntax. If/when we go down the route of a custom tracing language, then this can be introduced.

That said, there is an optimization in the api to be done without changing the supported C syntax. What do you think about this compromise:

BPF(text='int sys_clone(void *ctx) { bpf_trace_printk("Hello, World!\\n"); }').attach_kprobe("sys_clone").trace_print()

The change to support a single function BPF module is a pretty small diff:

diff --git a/src/python/bcc/__init__.py b/src/python/bcc/__init__.py
index 36ef17e..013da1a 100644
--- a/src/python/bcc/__init__.py
+++ b/src/python/bcc/__init__.py
@@ -468,6 +468,13 @@ class BPF(object):
                         cpu=cpu, group_fd=group_fd)
             return

+        # If fn_name is omitted, auto-detect the function in singular case
+        if not fn_name:
+            if len(self.funcs) == 1:
+                fn_name = self.funcs.items()[0][0]
+            else:
+                raise Exception("Missing parameter fn_name not provided")
+
         fn = self.load_func(fn_name, BPF.KPROBE)
         ev_name = "p_" + event.replace("+", "_")
         desc = "p:kprobes/%s %s" % (ev_name, event)

from bcc.

Ok, it looks like an improvement. Although could the attach_kprobe() be dropped as well?

from bcc.

Sure, the precondition will be that the C function name is matching the event.

BPF(text='void sys_clone(void *ctx) { bpf_trace_printk("Hello, World!\\n"); }').trace_print()

from bcc.

Let me know how #194 looks, which it seems Alexei has already merged :)

from bcc.

Ok, let me know how this approach seems to you.

from bcc.

All changes in, please close if it looks good to you.

from bcc.

This works well for disksnoop.c, but the next script I tried was bitehist.c, which doesn't use any trace_*() functions, and the kprobe doesn't attach.

from bcc.

For this my thinking was that it is a fair ask to have the user call attach_kprobe directly as before. Otherwise, b._trace_autoload() should work just fine too.

from bcc.

I think funccount is a good example of wanting to run attach_kprobe(), as it's a custom activity. But the bitehist.c usage is simple, like disksnoop.c, and it seems unintuitive to need to switch how it's attached because of how it's later on consumed.

funccount switches how it's attached because the kprobe__ shortcut is insufficient. That one makes sense.

from bcc.

Fair enough. Let me move _trace_autoload into the BPF constructor.

from bcc.

thanks!

from bcc.