Re: BPF runtime for systemtap

Brendan Gregg

On Tue, Jun 14, 2016 at 1:06 PM, Richard Henderson <rth@...> wrote:
I'm pleased to be able to announce an initial implementation of an (e)bpf
backend for systemtap. For the subset of systemtap probes that can use
kprobes, we can use a bpf filter instead of loading a kernel module.

As this implementation is young, there are a number of limitations. Neither
string nor stats types are supported. Both require enhancements to the set
of builtin functions supported in kernel. The stap bpf loader still needs
improvement with respect to its use of the event subsystem.

We're using the same intermediate file format that is supported by the llvm
bpf backend. I have some improvements to submit for the llvm bpf backend as

The code can be reviewed at

git:// rth/bpf
Great! Is there a hello world example in there somewhere? I found this:

# ./stapbpf/stapbpf -h
Usage: ./stapbpf/stapbpf [-v][-w][-V][-h] [-o FILE] <bpf-file>
-h, --help Show this help text
-v, --verbose Increase verbosity
-V, --version Show version
-w Suppress warnings
-o FILE Send output to FILE

But I didn't see an explicit BPF example or bpf-file. Is it implicit?
Should I be able to run a stap one-liner with some -v's and see it
switches to using BPF, if I restrain myself to what's supported so
far? Eg, since you mentioned kprobes, how about?:

stap -ve 'probe kprobe.function("vfs_fsync") { println(pointer_arg(2)) }'


Join to automatically receive all group messages.