snooper: demonstrate task_work and stack unwinding

WITH task_work_schedule_signal():

$ sudo ./snooper `pidof app`
Snooping on tasks for PID 5331...

Task: app_thread (PID=5331, TID=5332)
  No kernel stack
  User stack:
    00007fbc700b90c2: random @ 0x42080+0x42
    00007fbc700b8e7d: rand @ 0x41e70+0xd
    00000000004012df: func_b @ 0x40129a+0x45
    0000000000401283: func_a @ 0x4011f2+0x91
    0000000000401476: thread_func @ 0x4013f6+0x80
    00007fbc7010b39d: <no-symbol>
    00007fbc7019049c: <no-symbol>

Task: app (PID=5331, TID=5331)
  Kernel stack:
    ffffffff813e7e49: hrtimer_nanosleep @ 0xffffffff813e7db0+0x99
    ffffffff813f1c73: common_nsleep @ 0xffffffff813f1c30+0x43
    ffffffff813f2e0d: __x64_sys_clock_nanosleep @ 0xffffffff813f2d50+0xbd
    ffffffff8241a09a: do_syscall_64 @ 0xffffffff8241a030+0x6a
    ffffffff810000b0: entry_SYSCALL_64_after_hwframe @ 0xffffffff81000065+0x4b
  User stack:
    00007fbc70158733: clock_nanosleep @ 0xe16d0+0x63
    00007fbc70164827: nanosleep @ 0xed810+0x17
    00007fbc70176f41: sleep @ 0xfff00+0x41
    0000000000401622: main @ 0x40153c+0xe6
    00007fbc7009ce08: <no-symbol>
    00007fbc7009cecc: __libc_start_main @ 0x25e40+0x8c
    0000000000401105: _start @ 0x4010e0+0x25

WITHOUT task_work_schedule_signal() CANNOT get correct stack trace after
multiple tries:

$ sudo ./snooper `pidof app`
Snooping on tasks for PID 5004...

Task: app_thread (PID=5004, TID=5005)
No kernel stack
User stack (frame pointer unwinding):
00000000004011fd: func_mux @ 0x4011f2+0xb
15c15fd673415a00: <no-symbol>

$ sudo ./snooper `pidof app`
Snooping on tasks for PID 5004...

Task: app_thread (PID=5004, TID=5005)
No kernel stack
User stack (frame pointer unwinding):
00007fcbaf2490a8: random @ 0x42080+0x28
000062cbaf248e7d: <no-symbol>
0000000000401269: func_mux @ 0x4011f2+0x77
00000000004012a6: func_a @ 0x40126e+0x38
000000000040124b: func_mux @ 0x4011f2+0x59
15c15fd673415a00: <no-symbol>

Note that 15c15fd673415a00 is NOT a valid address.

Signed-off-by: Andrii Nakryiko <[email protected]>

Author: anakryiko

examples/c/.gitignore

@@ -16,3 +16,5 @@
 /lsm
 /cmake-build-debug/
 /cmake-build-release/
+/snooper
+compile_commands.json

examples/c/Makefile

@@ -31,7 +31,7 @@ CARGO ?= $(shell which cargo)
 ifeq ($(strip $(CARGO)),)
 BZS_APPS :=
 else
-BZS_APPS := profile
+BZS_APPS := profile snooper
 APPS += $(BZS_APPS)
 # Required by libblazesym
 ALL_LDFLAGS += -lrt -ldl -lpthread -lm

examples/c/snooper.bpf.c

@@ -0,0 +1,141 @@
+// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+/* Copyright (c) 2025 Meta Platforms, Inc. */
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+#include "snooper.h"
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+struct task_state {
+	struct task_event event;
+	struct bpf_task_work tw;
+};
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 4096);
+	__type(key, __u32);
+	__type(value, struct task_state);
+} task_states SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_RINGBUF);
+	__uint(max_entries, 1024 * 1024);
+} rb SEC(".maps");
+
+/*
+ * Frame pointer-based user stack unwinding.
+ *
+ * On x86_64 with frame pointers enabled (-fno-omit-frame-pointer):
+ *   [rbp + 0]  = saved rbp (previous frame pointer)
+ *   [rbp + 8]  = return address
+ *
+ * We walk the chain of frame pointers to collect return addresses.
+ */
+static int unwind_user_stack(struct task_struct *task, __u64 *stack, int max_depth)
+{
+	struct pt_regs *regs;
+	struct frame {
+		__u64 next_fp;    /* saved frame pointer (rbp) */
+		__u64 ret_addr;   /* return address */
+	} frame;
+	__u64 fp;
+	unsigned i = 0;
+
+	regs = bpf_core_cast((void *)bpf_task_pt_regs(task), struct pt_regs);
+	if (!(regs->cs & 3))
+		return 0; /* not in user space mode */
+
+	stack[0] = regs->ip;
+
+	fp = regs->bp;
+	bpf_for(i, 1, MAX_STACK_DEPTH) {
+		/* read the frame, [fp] = next_fp, [fp+8] = ret_addr */
+		if (bpf_copy_from_user_task(&frame, sizeof(frame), (void *)fp, task, 0))
+			break;
+
+		barrier_var(i);
+		if (i < MAX_STACK_DEPTH)
+			stack[i] = frame.ret_addr;
+
+		fp = frame.next_fp;
+	}
+
+	return i * sizeof(__u64);
+}
+
+static int task_work_cb(struct bpf_map *map, void *key, void *value)
+{
+	struct task_struct *task = bpf_get_current_task_btf();
+	struct task_state *state = value;
+	struct task_event *event = &state->event;
+	__u32 tid = task->pid;
+
+	if (event->tid != task->pid) {
+		bpf_printk("MISMATCHED PID %d != expected %d", task->pid, event->tid);
+		goto cleanup;
+	}
+
+	event->ustack_sz = unwind_user_stack(task, event->ustack, MAX_STACK_DEPTH);
+
+	bpf_ringbuf_output(&rb, event, sizeof(*event), 0);
+
+cleanup:
+	bpf_map_delete_elem(&task_states, key);
+	return 0;
+}
+
+/*
+ * THIS DOESN'T CURRENTLY WORK:
+ * static struct task_state empty_state;
+ *
+ * Verifier will complain:
+ * bpf_task_work cannot be accessed directly by load/store
+ */
+static char empty_state[sizeof(struct task_state)];
+
+SEC("iter.s/task")
+int snoop_tasks(struct bpf_iter__task *ctx)
+{
+	struct seq_file *seq = ctx->meta->seq;
+	struct task_struct *task = ctx->task;
+	struct task_state *state;
+	struct task_event *event;
+	__u32 tid;
+	int err;
+
+	if (!task)
+		return 0;
+
+	tid = task->pid;
+
+	err = bpf_map_update_elem(&task_states, &tid, &empty_state, BPF_NOEXIST);
+	if (err) {
+		bpf_printk("Unexpected error adding task state for %d (%s): %d", tid, task->comm, err);
+		return 0;
+	}
+	state = bpf_map_lookup_elem(&task_states, &tid);
+	if (!state) {
+		bpf_printk("Unexpected error fetching task state for %d (%s): %d", tid, task->comm, err);
+		return 0;
+	}
+
+	event = &state->event;
+	event->pid = task->tgid;
+	event->tid = task->pid;
+	bpf_probe_read_kernel_str(event->comm, TASK_COMM_LEN, task->comm);
+
+	event->kstack_sz = bpf_get_task_stack(task, event->kstack, sizeof(event->kstack), 0);
+
+	err = bpf_task_work_schedule_signal_impl(task, &state->tw, &task_states, task_work_cb, NULL);
+	if (err) {
+		bpf_printk("Unexpected error scheduling task work %d (%s): %d", tid, task->comm, err);
+		bpf_map_delete_elem(&task_states, &tid);
+		return 0;
+	}
+
+	return 0;
+}

examples/c/snooper.c

@@ -0,0 +1,229 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+/* Copyright (c) 2025 Meta Platforms, Inc. */
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <signal.h>
+#include <bpf/libbpf.h>
+#include <bpf/bpf.h>
+
+#include "snooper.skel.h"
+#include "snooper.h"
+#include "blazesym.h"
+
+static struct blaze_symbolizer *symbolizer;
+static volatile bool exiting = false;
+
+static void sig_handler(int sig)
+{
+	exiting = true;
+}
+
+static void print_frame(const char *name, uintptr_t input_addr, uintptr_t addr,
+			uint64_t offset, const blaze_symbolize_code_info* code_info)
+{
+	if (input_addr != 0) {
+		printf("    %016lx: %s @ 0x%lx+0x%lx", input_addr, name, addr, offset);
+		if (code_info != NULL && code_info->dir != NULL && code_info->file != NULL) {
+			printf(" %s/%s:%u\n", code_info->dir, code_info->file, code_info->line);
+		} else if (code_info != NULL && code_info->file != NULL) {
+			printf(" %s:%u\n", code_info->file, code_info->line);
+		} else {
+			printf("\n");
+		}
+	} else {
+		printf("    %16s  %s", "", name);
+		if (code_info != NULL && code_info->dir != NULL && code_info->file != NULL) {
+			printf("@ %s/%s:%u [inlined]\n", code_info->dir, code_info->file, code_info->line);
+		} else if (code_info != NULL && code_info->file != NULL) {
+			printf("@ %s:%u [inlined]\n", code_info->file, code_info->line);
+		} else {
+			printf("[inlined]\n");
+		}
+	}
+}
+
+static void show_stack_trace(__u64 *stack, int stack_sz, pid_t pid)
+{
+	const struct blaze_symbolize_inlined_fn* inlined;
+	const struct blaze_syms *syms;
+	const struct blaze_sym *sym;
+	int i, j;
+
+	assert(sizeof(uintptr_t) == sizeof(uint64_t));
+
+	if (pid) {
+		struct blaze_symbolize_src_process src = {
+			.type_size = sizeof(src),
+			.pid = pid,
+		};
+
+		syms = blaze_symbolize_process_abs_addrs(symbolizer, &src,
+							 (const uintptr_t *)stack, stack_sz);
+	} else {
+		struct blaze_symbolize_src_kernel src = {
+			.type_size = sizeof(src),
+		};
+
+		syms = blaze_symbolize_kernel_abs_addrs(symbolizer, &src,
+							(const uintptr_t *)stack, stack_sz);
+	}
+
+	if (!syms) {
+		printf("    failed to symbolize addresses: %s\n", blaze_err_str(blaze_err_last()));
+		return;
+	}
+
+	for (i = 0; i < stack_sz; i++) {
+		if (!syms || syms->cnt <= i || syms->syms[i].name == NULL) {
+			printf("    %016llx: <no-symbol>\n", stack[i]);
+			continue;
+		}
+
+		sym = &syms->syms[i];
+		print_frame(sym->name, stack[i], sym->addr, sym->offset, &sym->code_info);
+
+		for (j = 0; j < sym->inlined_cnt; j++) {
+			inlined = &sym->inlined[j];
+			print_frame(inlined->name, 0, 0, 0, &inlined->code_info);
+		}
+	}
+
+	blaze_syms_free(syms);
+}
+
+/* Ringbuf callback for task events */
+static int handle_event(void *ctx, void *data, size_t size)
+{
+	struct task_event *event = data;
+
+	printf("Task: %s (PID=%d, TID=%d)\n", event->comm, event->pid, event->tid);
+
+	/* Show kernel stack trace */
+	if (event->kstack_sz > 0) {
+		printf("  Kernel stack:\n");
+		show_stack_trace(event->kstack, event->kstack_sz / sizeof(__u64), 0);
+	} else if (event->kstack_sz < 0) {
+		printf("  Kernel stack error: %d\n", event->kstack_sz);
+	} else {
+		printf("  No kernel stack\n");
+	}
+
+	/* Show user stack trace */
+	if (event->ustack_sz > 0) {
+		printf("  User stack:\n");
+		show_stack_trace(event->ustack, event->ustack_sz / sizeof(__u64), event->pid);
+	} else if (event->ustack_sz < 0) {
+		printf("  User stack error: %d\n", event->ustack_sz);
+	} else {
+		printf("  No user stack\n");
+	}
+
+	printf("\n");
+	return 0;
+}
+
+static void show_help(const char *progname)
+{
+	printf("Usage: %s <PID>\n", progname);
+	printf("  PID   Process ID to filter tasks (required)\n");
+}
+
+int main(int argc, char **argv)
+{
+	struct ring_buffer *rb = NULL;
+	struct snooper_bpf *skel = NULL;
+	LIBBPF_OPTS(bpf_iter_attach_opts, opts);
+	union bpf_iter_link_info linfo;
+	pid_t pid_filter = 0;
+	int iter_fd = -1;
+	int err = 0;
+	char dummy;
+
+	if (argc < 2) {
+		show_help(argv[0]);
+		return 1;
+	}
+
+	errno = 0;
+	pid_filter = (pid_t)strtol(argv[1], NULL, 10);
+	err = -errno;
+	if (err != 0 || pid_filter <= 0) {
+		fprintf(stderr, "Failed to parse PID '%s'\n", argv[1]);
+		show_help(argv[0]);
+		return 1;
+	}
+
+	signal(SIGINT, sig_handler);
+	signal(SIGTERM, sig_handler);
+
+	skel = snooper_bpf__open_and_load();
+	if (!skel) {
+		fprintf(stderr, "Failed to open and load BPF skeleton\n");
+		err = -1;
+		goto cleanup;
+	}
+
+	symbolizer = blaze_symbolizer_new();
+	if (!symbolizer) {
+		fprintf(stderr, "Failed to create symbolizer\n");
+		err = -1;
+		goto cleanup;
+	}
+
+	rb = ring_buffer__new(bpf_map__fd(skel->maps.rb), handle_event, NULL, NULL);
+	if (!rb) {
+		fprintf(stderr, "Failed to create ring buffer\n");
+		err = -1;
+		goto cleanup;
+	}
+
+	memset(&linfo, 0, sizeof(linfo));
+	linfo.task.pid = pid_filter;
+	opts.link_info = &linfo;
+	opts.link_info_len = sizeof(linfo);
+
+	skel->links.snoop_tasks = bpf_program__attach_iter(skel->progs.snoop_tasks, &opts);
+	if (!skel->links.snoop_tasks) {
+		err = -errno;
+		fprintf(stderr, "Failed to attach BPF iterator\n");
+		goto cleanup;
+	}
+
+	iter_fd = bpf_iter_create(bpf_link__fd(skel->links.snoop_tasks));
+	if (iter_fd < 0) {
+		err = -errno;
+		fprintf(stderr, "Failed to create iterator\n");
+		goto cleanup;
+	}
+
+	printf("Snooping on tasks for PID %d...\n\n", pid_filter);
+
+	/* trigger task iterator program */
+	while (read(iter_fd, &dummy, sizeof(dummy)) > 0) {
+		/* nothing */
+	}
+
+	while (!exiting) {
+		err = ring_buffer__poll(rb, 100 /* timeout */);
+		if (err < 0 && err != -EINTR) {
+			fprintf(stderr, "Error polling ring buffer: %d\n", err);
+			break;
+		}
+		if (err == 0)
+			break;
+	}
+
+cleanup:
+	if (iter_fd >= 0)
+		close(iter_fd);
+	ring_buffer__free(rb);
+	snooper_bpf__destroy(skel);
+	blaze_symbolizer_free(symbolizer);
+
+	return err < 0 ? -err : 0;
+}