Re: Describing howto read the eBPF generated ELF binary


Jesper Dangaard Brouer
 

On Tue, 7 Mar 2017 12:07:40 +0100
Jesper Dangaard Brouer via iovisor-dev <iovisor-dev@...> wrote:

On Mon, 6 Mar 2017 16:14:06 -0800
Alexei Starovoitov via iovisor-dev <iovisor-dev@...> wrote:

On Mon, Mar 6, 2017 at 10:29 AM, Jesper Dangaard Brouer
<jbrouer@...> wrote:
On Mon, 6 Mar 2017 09:11:46 -0800
Alexei Starovoitov via iovisor-dev <iovisor-dev@...> wrote:

On Mon, Mar 6, 2017 at 3:53 AM, Jesper Dangaard Brouer
<jbrouer@...> wrote:
Hi All,

I've added a section to my eBPF documentation, about how to read the
eBPF generated ELF binary, and deduct the size of the compiled program
(mostly for kernel/samples/bpf).

https://prototype-kernel.readthedocs.io/en/latest/bpf/troubleshooting.html#elf-binary
https://github.com/netoptimizer/prototype-kernel/commit/079352102cb0ba

Can someone validate what I've saying is true? (commit inlined below
sign, to make is as easy as possible for people to correct me).

And anything else users can use the readelf output for?

--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Principal Kernel Engineer at Red Hat
LinkedIn: http://www.linkedin.com/in/brouer

commit 079352102cb0ba12141ecd28c216ec5ac5290192
Author: Jesper Dangaard Brouer <brouer@...>
Date: Fri Feb 24 12:10:45 2017 +0100

doc: eBPF describe howto read the eBPF generated ELF binary

Signed-off-by: Jesper Dangaard Brouer <brouer@...>

diff --git a/kernel/Documentation/bpf/troubleshooting.rst b/kernel/Documentation/bpf/troubleshooting.rst
index b6f3b6fe9501..39ebffae4142 100644
--- a/kernel/Documentation/bpf/troubleshooting.rst
+++ b/kernel/Documentation/bpf/troubleshooting.rst
@@ -15,6 +15,41 @@ see system call `setrlimit(2)`_.
The ``bpf_create_map`` call will return errno EPERM (Operation not
permitted) when the RLIMIT_MEMLOCK memory size limit is exceeded.

-
.. _setrlimit(2): http://man7.org/linux/man-pages/man2/setrlimit.2.html

+ELF binary
+==========
+
+The binary containing the eBPF program, which got generated by the
+LLVM compiler, is an ELF binary. For samples/bpf/ this is the file
+named xxx_kern.o.
+
+To answer questions like how big is my eBPF program, it is possible to
+use a tool like ``readelf``. ::
+
+ $ readelf -SW xdp_ddos01_blacklist_kern.o
+ There are 8 section headers, starting at offset 0x398:
+
+ Section Headers:
+ [Nr] Name Type Address Off Size ES Flg Lk Inf Al
+ [ 0] NULL 0000000000000000 000000 000000 00 0 0 0
+ [ 1] .strtab STRTAB 0000000000000000 000320 000072 00 0 0 1
+ [ 2] .text PROGBITS 0000000000000000 000040 000000 00 AX 0 0 4
+ [ 3] xdp_prog PROGBITS 0000000000000000 000040 0001b8 00 AX 0 0 8
+ [ 4] .relxdp_prog REL 0000000000000000 000300 000020 10 7 3 8
+ [ 5] maps PROGBITS 0000000000000000 0001f8 000028 00 WA 0 0 4
+ [ 6] license PROGBITS 0000000000000000 000220 000004 00 WA 0 0 1
+ [ 7] .symtab SYMTAB 0000000000000000 000228 0000d8 18 1 5 8
+ Key to Flags:
+ W (write), A (alloc), X (execute), M (merge), S (strings)
+ I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
+ O (extra OS processing required) o (OS specific), p (processor specific)
+
+From the output, we can see the programmer choose to name the XDP
+program section "xdp_prog". From this line ([ 3]) the size column
+shows the size 0001b8 in hex, which is easily converted on the cmdline
+to 440 bytes::
+
+ $ echo $((0x0001b8))
+ 440
hmm. i think instead of clarifying bpf elf output is doing the opposite.
at least i'm completely lost in the above text.
What all of the above suppose to mean?
That what I'm implicit asking you ;-)

why is it useful to do readelf? and look at hex ?
What other tools exists to help me understand the contents of the LLVM
compiled binary _kern.o ?
The best is to use
llvm-objdump -S prog_kern.o
Hmmm, what version of LLVM have the -S option?
Added a section, so I/we will document this feature later:
https://github.com/netoptimizer/prototype-kernel/commit/8cec9cebb7b
https://prototype-kernel.readthedocs.io/en/latest/bpf/troubleshooting.html#llvm-disassemble-support


$ llvm-objdump -S xdp_ddos01_blacklist_kern.o
llvm-objdump: Unknown command line argument '-S'. Try: 'llvm-objdump -help'
llvm-objdump: Did you mean '-D'?

$ llvm-objdump --version | egrep 'version|bpf'
LLVM version 3.8.1
bpf - BPF (host endian)
bpfeb - BPF (big endian)
bpfel - BPF (little endian)

I would really like some command tool, to inspect eBPF-ELF program
with, available in a distro version, in this case Fedora 25.


it will show section names, asm code and original C code
if compiled with -g
And the option -g is supplied to the CLANG program (not LLC).


It's important to mention that .o is a normal elf file,
but the doc doesn't need to go into elf details.
Okay.


Is there an easier way to answer my question:
Q: how big is my eBPF program?
in llvm-objdump output you'll see something like:
139: 85 00 00 00 01 00 00 00 call 1
140: b7 00 00 00 00 00 00 00 r0 = 0
141: 95 00 00 00 00 00 00 00 exit

so this particular program has 141 instructions.
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Principal Kernel Engineer at Red Hat
LinkedIn: http://www.linkedin.com/in/brouer

Join iovisor-dev@lists.iovisor.org to automatically receive all group messages.