Re: bpftrace ustack() pid packing

Home Messages Hashtags Subgroups

Brendan Gregg #1689 On Tue, May 28, 2019 at 11:35 AM Daniel Xu <dxu@...> wrote: I'm reading through codegen_llvm.cpp[0] and I noticed that ustack map keys are packed with a PID. From what I understand, if you run bpftrace -e 'uprobe:/lib64/libc.so.6:usleep /comm == "a.out"/ { @[ustack(2)] = count() }' and a.out has forked, it would cause duplicate stack traces to be outputted. This has caused some confusion in the past with users. I'm wondering what the intention behind PID packing is. The stack ID returned by ustack() points to a stack as a list of addresses. That gets translated sometime later in user-space by bpftrace. At that point you just have an address, and you need to know which PID it belongs to, so you can lookup that processes's address mappings. If BPF one day can save the stack as a list of strings in the kernel (meaning the kernel must support user-space symbol lookup), then we wouldn't need the PID (this has been discussed before). I don't know about this fork problem you mention. Brendan Thanks, Daniel --- [0]: https://github.com/iovisor/bpftrace/blob/master/src/ast/codegen_llvm.cpp#L748-L756
More All Messages By This Member

Join {iovisor-dev@lists.iovisor.org to automatically receive all group messages.