Support DWARF for uprobes. #1803

Open
kroemeke opened this issue Jun 8, 2018 · 9 comments

Comments

@kroemeke

kroemeke commented Jun 8, 2018

Hello,

Is there a way to read the type definitions / structs etc. from the DWARF data of the binary itself? This is how it works with perf probe, where it seems to transparently have all required definitions.

Thanks,
Marek

@kroemeke kroemeke changed the title Support for DWARF for uprobes. Support DWARF for uprobes. Jun 8, 2018
@yonghong-song
Collaborator

Currently bcc does not read dwarf data, hence it is not able to match local variables vs. registers.
Recently, kprobe for func+offset became supported at the API level.

commit 651d690abf10fcb93c6aa711a9fb4b5406e36a77
Author: Sandipan Das <sandipan@linux.vnet.ibm.com>
Date:   Tue May 29 23:30:22 2018 +0530

    Add support for attaching kprobes at custom offsets
    
    Currently, attach_kprobe() only allows kprobes to be attached
    to an arch-dependent default location usually in the prologue
    of the function corresponding to the event.
    
    With these changes, one can attach a kprobe at a custom offset
    from the start of the function.
    
    Signed-off-by: Sandipan Das <sandipan@linux.vnet.ibm.com>

If you can look at dwarf itself to figure out the register <-> local_variable relation, you can use this feature.

@yonghong-song
Collaborator

The same for uprobe, bcc does not read dwarf data....

@palmtenor
Member

Although BCC does not read DWARF data:

  • If you want to use DWARF to find the address of the function to probe, you can just find it out in user space and directly attach a uprobe to that address
  • If you want to use DWARF data to read function arguments in a BPF program, you can also figure it out (register, memory offset, etc.), share those with the BPF program via either a BPF map or hard-coded Cflags at compilation time, and then just run the BPF program regularly

Neither of them is ideal, but they should unblock you for now

@kroemeke
Author

Thanks for the hints - what I'm after is traversing a pretty big structure - http://lxr.nginx.org/source/src/http/ngx_http_request.h#0371 , which consists of other big structs, which are made of other structs and typedefs etc... (so a few hundred lines + dependency hell to get it right by hand) - for now I'm trying to extract this using gdb and include it in my bcc tool - but it seems very counterproductive.

@yonghong-song
Collaborator

Do we have any external tool to give such information (at a particular insn, the register corresponding to which variable)?

@kroemeke
Author

Perf is able to do this with uprobes when the binary has dwarf, for example:

root@dupa:~# perf probe -x /usr/local/nginx/sbin/nginx --add 'ngx_http_lua_ffi_set_resp_status URI=r->uri.data:string STATUS=status PEER=r->upstream->peer.name->data:string'
root@dupa:~# perf trace --no-sys --ev probe_nginx:*
0.000 probe_nginx:ngx_http_lua_ffi_set_resp_status:(5652af759860) URI="/test1" STATUS=520 PEER="unix:/socks/nginx2.sock")

@jaysoncena

> Do we have any external tool to give such information (at a particular insn, the register corresponding to which variable)?

Is the output from this command enough?

$ objdump --dwarf=info <exe>
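
An added example, not code from this issue or from bcc: it combines two suggestions in the thread by reading struct member offsets out of `objdump --dwarf=info` text and turning them into `-D` Cflags for a BPF program. The dump is a constructed, reduced sample with invented offsets, and the function names and the `OFF_` macro prefix are assumptions. It follows embedded members through typedefs only and raises when a path crosses a pointer, since each pointer hop needs its own read inside the probe.

```python
import re

# Constructed sample in `objdump --dwarf=info` layout; every offset is invented.
SAMPLE = """\
 <0><b>: Abbrev Number: 1 (DW_TAG_compile_unit)
 <1><2d>: Abbrev Number: 2 (DW_TAG_structure_type)
 <2><35>: Abbrev Number: 3 (DW_TAG_member)
    <36>   DW_AT_name        : data
    <3a>   DW_AT_data_member_location: 2 byte block: 23 8 (DW_OP_plus_uconst: 8)
 <1><40>: Abbrev Number: 4 (DW_TAG_typedef)
    <41>   DW_AT_name        : ngx_str_t
    <45>   DW_AT_type        : <0x2d>
 <1><50>: Abbrev Number: 2 (DW_TAG_structure_type)
    <51>   DW_AT_name        : (indirect string, offset: 0x24): ngx_http_request_s
 <2><55>: Abbrev Number: 3 (DW_TAG_member)
    <56>   DW_AT_name        : uri
    <5a>   DW_AT_type        : <0x40>
    <5e>   DW_AT_data_member_location: 32
"""
DIE = re.compile(r"<(\d+)><([0-9a-f]+)>: Abbrev Number: \d+ \((DW_TAG_\w+)\)")
ATTR = re.compile(r"<[0-9a-f]+>\s+(DW_AT_\w+)\s*:\s*(.*)")

def parse_dies(text):  # returns {DIE offset: {"tag", "attrs", "members"}}
    dies, stack = {}, []
    for line in text.splitlines():
        d, a = DIE.search(line), ATTR.search(line)
        if d:
            die = dies[int(d.group(2), 16)] = {"tag": d.group(3), "attrs": {}, "members": []}
            del stack[int(d.group(1)):]  # pop back to this DIE's parent
            if stack and die["tag"] == "DW_TAG_member":
                stack[-1]["members"].append(die)
            stack.append(die)
        elif a and stack:
            stack[-1]["attrs"][a.group(1)] = a.group(2).split("): ")[-1].strip()
    return dies

def offset_cflag(dies, struct, path):
    """-D flag with the summed offset of an embedded-member path like 'uri.data'."""
    die = next(d for d in dies.values() if d["tag"] == "DW_TAG_structure_type"
               and d["attrs"].get("DW_AT_name") == struct)
    total, parts = 0, path.split(".")
    for i, name in enumerate(parts):
        m = next(m for m in die["members"] if m["attrs"]["DW_AT_name"] == name)
        total += int(re.search(r"(\d+)\)?$", m["attrs"]["DW_AT_data_member_location"]).group(1))
        die = m
        while i + 1 < len(parts) and die["tag"] in ("DW_TAG_member", "DW_TAG_typedef"):
            die = dies[int(die["attrs"]["DW_AT_type"].strip("<>"), 16)]  # follow type link
        if i + 1 < len(parts) and die["tag"] != "DW_TAG_structure_type":
            raise ValueError(f"{name} is a {die['tag']}: read it separately in the probe")
    return f"-DOFF_{path.replace('.', '_').upper()}={total}"
```

The returned strings go into the `cflags` list of bcc's `BPF(...)` constructor, and the probe's C code uses the macros as offsets in its `bpf_probe_read` calls.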

kroemeke pushed a commit to kroemeke/bcc_dwarf_poc that referenced this issue Jul 23, 2018
iovisor/bcc#1803

Signed-off-by: Marek Kroemeke <mkroemeke@cloudflare.com>
@kroemeke
Author

I've made a PoC that uses the pyelftools library to parse the DWARF data, then it patches the probe C code offsets using jinja2 templating in python (only struct members for now as this is PoC only). This is very slow, first iteration ugly code - just to see if this is feasible - seems to work. https://github.com/kroemeke/bcc_dwarf_poc

@yonghong-song
Collaborator

@kroemeke Thanks! This is a very useful demonstration. I guess more complex use cases, e.g., print out local variable at a particular line, may need more human intervention.
