Description
When I try to reproduce open_perf_output.py on my Ubuntu, something went wrong. I can't find anyone else on Google who has met the same problem, so maybe somebody here can help me?
My Python version is 3.8.10 and my Ubuntu version is 20.04. Here is the code:
```python
from bcc import BPF

prog = """
#include <uapi/linux/limits.h> // NAME_MAX
// # include <uapi/linux/ptrace.h>
// # include <linux/sched.h>

struct event_data_t {
    u32 pid;
    char fname[NAME_MAX]; // max of filename
};

BPF_PERF_OUTPUT(open_events);

int trace_syscall_open(struct pt_regs *ctx, const char __user *filename, int flags) {
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    struct event_data_t evt = {};
    evt.pid = pid;
    bpf_probe_read(&evt.fname, sizeof(evt.fname), (void *)filename);
    open_events.perf_submit(ctx, &evt, sizeof(evt));
    return 0;
}
"""

b = BPF(text=prog)
b.attach_kprobe(event=b.get_syscall_fnname("open"), fn_name="trace_syscall_open")


def print_event(cpu, data, size):
    event = b["open_events"].event(data)
    print("Rcv Event %d, %s" % (event.pid, event.fname))


b["open_events"].open_perf_buffer(print_event)

while True:
    try:
        print("try")
        b.perf_buffer_poll()
        print("poll")
    except KeyboardInterrupt:
        print("exit")
        exit()
```
This error will occur unless I add uapi/linux/ptrace.h and linux/sched.h to the prog. Here is the error info:
```
/virtual/main.c:28:35: error: incomplete definition of type 'struct pt_regs'
const char __user *filename = ctx->di; int flags = ctx->si;
~~~^
/virtual/include/bcc/helpers.h:1194:8: note: forward declaration of 'struct pt_regs'
struct pt_regs;
^
/virtual/main.c:28:56: error: incomplete definition of type 'struct pt_regs'
const char __user *filename = ctx->di; int flags = ctx->si;
~~~^
/virtual/include/bcc/helpers.h:1194:8: note: forward declaration of 'struct pt_regs'
struct pt_regs;
^
2 errors generated.
Traceback (most recent call last):
  File "/home/wch/Desktop/perf.py", line 42, in <module>
    b = BPF(text=prog)
  File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 475, in __init__
    raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>
```
And after I add these headers, the code can be compiled but still can't get the correct result. It blocks at `b.perf_buffer_poll()`. At the same time, opensnoop.py works normally.
What's more, when I change `b.attach_kprobe(event=b.get_syscall_fnname("open"), fn_name="trace_syscall_open")` to `b.attach_kprobe(event=b.get_syscall_fnname("read"), fn_name="trace_syscall_open")`, it works but can't output the right `event.fname`.
-------------------------------------------------------------------------3.10---------------------------------------------------------------
I solved this problem by replacing `event=b.get_syscall_fnname("open")` with `event="do_sys_open"`, because I found that when using `b.get_syscall_fnname("open")` the result is `'__x64_sys_open'`. Maybe it can't work when using a wrong parameter? I'm still confused.