feat: Add Python stack profiler using eBPF for enhanced performance analysis

Author: yunwei37

src/46-xdp-test/README.md

@@ -18,11 +18,11 @@ Traditional BPF_PROG_RUN operates in "dry run" mode - packets are processed but
 
 ### Live Frames Mode: Real Packet Injection
 
-In Linux 5.18+, the kernel introduced **live frames mode** via the `BPF_F_TEST_XDP_LIVE_FRAMES` flag. This fundamentally changes BPF_PROG_RUN behavior. When enabled, XDP_TX actions don't just return - they actually transmit packets on the wire through the specified network interface. This turns BPF_PROG_RUN into a powerful packet generator.
+In Linux 5.18+, the kernel introduced live frames mode via the `BPF_F_TEST_XDP_LIVE_FRAMES` flag. This fundamentally changes BPF_PROG_RUN behavior. When enabled, XDP_TX actions don't just return; they actually transmit packets on the wire through the specified network interface. This turns BPF_PROG_RUN into a powerful packet generator.
 
 Here's how it works: Your userspace program constructs a packet (Ethernet frame with IP header, UDP payload, etc.) and passes it to `bpf_prog_test_run()` with live frames enabled. The XDP program receives this packet in its `xdp_md` context. If the program returns `XDP_TX`, the kernel transmits the packet through the network driver as if it arrived on the interface and was reflected back. The packet appears on the wire with full hardware offload support (checksumming, segmentation, etc.).
 
-This enables several powerful use cases. **Network stack stress testing**: Flood your system with millions of packets per second to find breaking points in the network stack, driver, or application layer. **XDP program benchmarking**: Measure how many packets per second your XDP program can process under realistic load without external packet generators. **Protocol fuzzing**: Generate malformed packets or unusual protocol sequences to test robustness. **Synthetic traffic generation**: Create realistic traffic patterns for testing load balancers, firewalls, or intrusion detection systems.
+This enables several powerful use cases. Network stack stress testing floods your system with millions of packets per second to find breaking points in the network stack, driver, or application layer. XDP program benchmarking measures how many packets per second your XDP program can process under realistic load without external packet generators. Protocol fuzzing generates malformed packets or unusual protocol sequences to test robustness. Synthetic traffic generation creates realistic traffic patterns for testing load balancers, firewalls, or intrusion detection systems.
 
 ### The XDP_TX Reflection Loop
 

src/trace/python-stack-profiler/.gitignore

@@ -0,0 +1,18 @@
+# Build outputs
+*.o
+*.bpf.o
+*.skel.h
+python-stack
+
+# Output directory
+.output/
+
+# Editor files
+*.swp
+*.swo
+*~
+.vscode/
+.idea/
+
+# Temporary files
+*.tmp

src/trace/python-stack-profiler/Makefile

@@ -0,0 +1,94 @@
+APP := python-stack
+
+THIRD_PARTY_PATH := ../../third_party
+
+# Architecture detection
+ARCH := $(shell uname -m | sed 's/x86_64/x86/' | sed 's/aarch64/arm64/')
+
+# VMLINUX header path
+VMLINUX_DIR := $(THIRD_PARTY_PATH)/vmlinux/$(ARCH)
+VMLINUX_BTF_H := $(VMLINUX_DIR)/vmlinux.h
+
+# Libbpf
+LIBBPF_SRC := $(abspath $(THIRD_PARTY_PATH)/libbpf/src)
+LIBBPF_OBJ := $(abspath $(THIRD_PARTY_PATH)/libbpf/src/staticobjs/libbpf.a)
+LIBBPF_OBJDIR := $(abspath $(THIRD_PARTY_PATH)/libbpf/src/staticobjs)
+
+# BPF Code
+CLANG ?= clang
+BPFTOOL ?= $(abspath $(THIRD_PARTY_PATH)/bpftool/src/bpftool)
+
+INCLUDES := -I$(LIBBPF_SRC) -I$(THIRD_PARTY_PATH)/bpftool/include/uapi -I$(VMLINUX_DIR)
+CFLAGS := -g -Wall
+
+ALL_LDFLAGS := $(LDFLAGS)
+
+APPS = $(APP)
+
+# BPF source
+BPF_SRC := $(APP).bpf.c
+
+# BPF object and skeleton
+BPF_OBJ := $(APP).bpf.o
+BPF_SKEL := $(APP).skel.h
+
+# Userspace source
+USER_SRC := $(APP).c
+USER_OBJ := $(APP).o
+
+.PHONY: all
+all: $(APPS)
+
+# Build libbpf
+$(LIBBPF_OBJ): $(wildcard $(LIBBPF_SRC)/*.c) $(wildcard $(LIBBPF_SRC)/*.h)
+	@echo "Building libbpf..."
+	$(MAKE) -C $(LIBBPF_SRC) BUILD_STATIC_ONLY=1 OBJDIR=$(LIBBPF_OBJDIR)
+
+# Build bpftool
+$(BPFTOOL):
+	@echo "Building bpftool..."
+	$(MAKE) -C $(THIRD_PARTY_PATH)/bpftool/src
+
+# Generate vmlinux.h if needed
+$(VMLINUX_BTF_H):
+	@if [ ! -f $(VMLINUX_BTF_H) ]; then \
+		echo "Generating $(VMLINUX_BTF_H)..."; \
+		mkdir -p $(VMLINUX_DIR); \
+		$(BPFTOOL) btf dump file /sys/kernel/btf/vmlinux format c > $(VMLINUX_BTF_H); \
+	fi
+
+# Build BPF object
+$(BPF_OBJ): $(BPF_SRC) $(LIBBPF_OBJ) $(VMLINUX_BTF_H)
+	@echo "Building BPF object: $(BPF_OBJ)"
+	$(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(ARCH) $(INCLUDES) -c $(BPF_SRC) -o $(BPF_OBJ)
+
+# Generate BPF skeleton
+$(BPF_SKEL): $(BPF_OBJ) $(BPFTOOL)
+	@echo "Generating BPF skeleton: $(BPF_SKEL)"
+	$(BPFTOOL) gen skeleton $(BPF_OBJ) > $(BPF_SKEL)
+
+# Build userspace program
+$(USER_OBJ): $(USER_SRC) $(BPF_SKEL)
+	@echo "Building userspace object: $(USER_OBJ)"
+	$(CC) $(CFLAGS) $(INCLUDES) -c $(USER_SRC) -o $(USER_OBJ)
+
+# Link final binary
+$(APP): $(USER_OBJ) $(LIBBPF_OBJ)
+	@echo "Linking $(APP)..."
+	$(CC) $(CFLAGS) $^ $(ALL_LDFLAGS) -lelf -lz -o $@
+
+# Clean
+.PHONY: clean
+clean:
+	rm -f $(BPF_OBJ) $(BPF_SKEL) $(USER_OBJ) $(APP)
+	rm -f *.o *.skel.h
+
+# Help
+.PHONY: help
+help:
+	@echo "Makefile for $(APP)"
+	@echo ""
+	@echo "Targets:"
+	@echo "  all      - Build everything (default)"
+	@echo "  clean    - Remove generated files"
+	@echo "  help     - Show this help"

src/trace/python-stack-profiler/README.md

@@ -0,0 +1,93 @@
+# eBPF Tutorial: Python Stack Profiler
+
+Profile Python applications at the OS level using eBPF to capture native and Python call stacks, helping identify performance bottlenecks in Python programs including data science workloads, web servers, and ML inference.
+
+> The complete source code: <https://github.com/eunomia-bpf/bpf-developer-tutorial/tree/main/src/trace/python-stack-profiler>
+
+## Overview
+
+Python profiling traditionally relies on instrumentation (cProfile) or sampling within the interpreter (py-spy). These approaches have limitations:
+- **cProfile**: High overhead, requires code modification
+- **py-spy**: Samples from userspace, may miss short-lived functions
+- **perf**: Captures native stacks but can't see Python function names
+
+This tutorial shows how to use eBPF to capture both native C stacks AND Python interpreter stacks, giving you complete visibility into where your Python application spends time.
+
+## What You'll Learn
+
+1. How to attach eBPF probes to Python processes
+2. Walking Python interpreter frame structures from kernel space
+3. Extracting Python function names, filenames, and line numbers
+4. Combining native and Python stacks for complete profiling
+5. Generating flamegraphs for Python applications
+
+## Prerequisites
+
+- Linux kernel 5.15+ (for BPF ring buffer support)
+- Python 3.8+ running on your system
+- Root access (for loading eBPF programs)
+- Understanding of stack traces and profiling concepts
+
+## Building and Running
+
+```bash
+make
+sudo ./python-stack
+```
+
+## How It Works
+
+The profiler samples Python processes at a regular interval (e.g., 49Hz to avoid lock-step with scheduler). For each sample:
+
+1. **Capture native stack**: Use BPF stack helpers to get kernel and userspace stacks
+2. **Identify Python threads**: Check if the process is running Python interpreter
+3. **Walk Python frames**: Read PyFrameObject chain from CPython internals
+4. **Extract symbols**: Get function names, filenames, line numbers from PyCodeObject
+5. **Aggregate data**: Count stack occurrences for flamegraph generation
+
+## Python Internals
+
+CPython's frame structure (simplified):
+
+```c
+struct _frame {
+    struct _frame *f_back;      // Previous frame
+    PyCodeObject *f_code;       // Code object
+    int f_lineno;               // Current line number
+};
+
+struct PyCodeObject {
+    PyObject *co_filename;      // Source filename
+    PyObject *co_name;          // Function name
+};
+```
+
+## Example Output
+
+```
+python-script.py:main;process_data;expensive_function 247
+python-script.py:main;load_model;torch.load 189
+python-script.py:main;preprocess;np.array 156
+```
+
+Each line shows the stack trace and sample count.
+
+## Use Cases
+
+- **ML/AI workloads**: Profile PyTorch, TensorFlow, NumPy operations
+- **Web servers**: Find bottlenecks in Flask, Django, FastAPI
+- **Data processing**: Optimize pandas, polars operations
+- **General Python**: Any Python application performance analysis
+
+## Next Steps
+
+- Extend to capture GIL contention
+- Add Python object allocation tracking
+- Integrate with other eBPF metrics (CPU, memory)
+- Build flamegraph visualization
+
+## References
+
+- [CPython Internals](https://realpython.com/cpython-source-code-guide/)
+- [Python Frame Objects](https://docs.python.org/3/c-api/frame.html)
+- [eBPF Stack Traces](https://www.brendangregg.com/blog/2016-01-20/ebpf-offcpu-flame-graph.html)