Current File : //usr/lib/python3/dist-packages/bcc/__pycache__/__init__.cpython-312.pyc
�

fu
��l�ddlmZddlZddlZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlm
Z
mZmZmZmZddlmZmZmZmZmZddlmZddlmZmZmZmZmZddl m!Z!dd	l"m#Z#m$Z$dd
l%m&Z&m'Z'	e(dZ+da,d�Z-d
Z.ej^jae.d�Z1ej^jee1�sdZ1dZ3dZ4dZ5dZ6dZ7dZ8Gd�de9�Z:Gd�d�Z;Gd�d�Z<Gd�d�Z=Gd�d�Z>Gd�d �Z?Gd!�d"�Z@Gd#�d$�ZAGd%�d&�ZBGd'�d(e9�ZCy#e)$re*Z(Y��wxYw))�)�print_functionN�)�lib�
bcc_symbol�bcc_symbol_option�bcc_stacktrace_build_id�_SYM_CB_TYPE)�Table�PerfEventArray�RingBuf�BPF_MAP_TYPE_QUEUE�BPF_MAP_TYPE_STACK)�Perf)�get_online_cpus�printb�_assert_is_bytes�	ArgString�
StrcmpRewrite)�__version__)�disassemble_prog�
decode_map)�USDT�
USDTExceptioni�c��tS�N)�_num_open_probes���./usr/lib/python3/dist-packages/bcc/__init__.py�_get_num_open_probesr +s���rz/sys/kernel/debug�tracingz/sys/kernel/tracing����� c��eZdZd�Zd�Zd�Zy)�SymbolCachec	��tj|tjdtjt
���|_yr)r�bcc_symcache_new�ct�cast�POINTERr�cache)�self�pids  r�__init__zSymbolCache.__init__Ds/���)�)��R�W�W�T�2�:�:�.?�#@�A�C��
rc���t�}|r5tj|j|t	j
|��}n4tj|j|t	j
|��}|dkrb|jrQ|jrEd|jt	j|jtj�jfSd|dfS|r5|j}tjt	j
|��n|j}||jt	j|jtj�jfS)a�
        Return a tuple of the symbol (function), its offset from the beginning
        of the function, and the module in which it lies. For example:
            ("start_thread", 0x202, "/usr/lib/.../libpthread-2.24.so")
        If the symbol cannot be found but we know which module it is in,
        return the module name and the offset from the beginning of the
        module. If we don't even know the module, return the absolute
        address as the offset.
        rN)rr�bcc_symcache_resolver.r+�byref� bcc_symcache_resolve_no_demangle�module�offsetr,�c_char_p�value�
demangle_name�bcc_symbol_free_demangle_name�name)r/�addr�demangle�sym�res�name_ress      r�resolvezSymbolCache.resolveHs����l����*�*�4�:�:�t�R�X�X�c�]�K�C��6�6�t�z�z�4�79�x�x��}�F�C���7��z�z�c�j�j��c�j�j�����
�
�B�K�K�8�>�>�@�@��$��%�%���(�(�H��-�-�b�h�h�s�m�<��x�x�H��#�*�*�b�g�g�c�j�j�"�+�+�&F�&L�&L�M�Mrc���t|�}t|�}tj�}tj|j
||tj|��dkry|jS)Nr���)rr+�c_ulonglongr�bcc_symcache_resolve_namer.r4r9)r/r6r<r=s    r�resolve_namezSymbolCache.resolve_nameesZ��!�&�)����%���~�~����(�(����V�T������ �"#�$���z�z�rN)�__name__�
__module__�__qualname__r1rBrGrrrr(r(Cs��C�N�:rr(c�$�eZdZdZdZdZdZdZdZy)�PerfTyperrr"�r#�N)	rHrIrJ�HARDWARE�SOFTWARE�
TRACEPOINT�HW_CACHE�RAW�
BREAKPOINTrrrrLrLns ���H��H��J��H�
�C��JrrLc�4�eZdZdZdZdZdZdZdZdZ	dZ
d	Zd
Zy)�PerfHWConfigrrr"rMr#rN��r$�	N)
rHrIrJ�
CPU_CYCLES�INSTRUCTIONS�CACHE_REFERENCES�CACHE_MISSES�BRANCH_INSTRUCTIONS�
BRANCH_MISSES�
BUS_CYCLES�STALLED_CYCLES_FRONTEND�STALLED_CYCLES_BACKEND�REF_CPU_CYCLESrrrrVrVws8���J��L����L����M��J������NrrVc�8�eZdZdZdZdZdZdZdZdZ	dZ
d	Zd
ZdZ
y)
�PerfSWConfigrrr"rMr#rNrWrXr$rY�
N)rHrIrJ�	CPU_CLOCK�
TASK_CLOCK�PAGE_FAULTS�CONTEXT_SWITCHES�CPU_MIGRATIONS�PAGE_FAULTS_MIN�PAGE_FAULTS_MAJ�ALIGNMENT_FAULTS�EMULATION_FAULTS�DUMMY�
BPF_OUTPUTrrrrere�s<���I��J��K����N��O��O�����
�E��Jrrec�p�eZdZdZdZdZdZdZdZdZ	dZ
d	Zd
ZdZ
dZd
ZdZdZdZdZdZdZdZdZdZdZdZdZy)�PerfEventSampleFormatrr"r#r$r%r&�@��i�iii i@i�iiiiii i@i�iN)rHrIrJ�IP�TID�TIME�ADDR�READ�	CALLCHAIN�ID�CPU�PERIOD�	STREAM_IDrS�BRANCH_STACK�	REGS_USER�
STACK_USER�WEIGHT�DATA_SRC�
IDENTIFIER�TRANSACTION�	REGS_INTR�	PHYS_ADDR�AUX�CGROUP�DATA_PAGE_SIZE�CODE_PAGE_SIZE�
WEIGHT_STRUCTrrrrsrs�s��
�B��C��D��D��D��I�
�B��C��F��I��C��L��I��J��F��H��J��K��I��I��C��F��N��N��Mrrsc�`�eZdZdZdZdZdZdZdZdZ	dZ
d	Zd
ZdZ
dZd
ZdZdZdZdZdZdZdZdZy)�BPFProgTyperr"rMr#rNrWrXr$rYrf���
��r%�����N)rHrIrJ�
SOCKET_FILTER�KPROBE�	SCHED_CLS�	SCHED_ACTrQ�XDP�
PERF_EVENT�
CGROUP_SKB�CGROUP_SOCK�LWT_IN�LWT_OUT�LWT_XMIT�SOCK_OPS�SK_SKB�
CGROUP_DEVICE�SK_MSG�RAW_TRACEPOINT�CGROUP_SOCK_ADDR�CGROUP_SOCKOPT�TRACING�LSMrrrr�r��sl���M�
�F��I��I��J�
�C��J��J��K�
�F��G��H��H�
�F��M�
�F��N����N��G�
�Crr�c��eZdZdZdZdZdZdZdZdZ	dZ
d	Zd
ZdZ
dZd
ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!Z#d"Z$d#Z%d$Z&d%Z'd&Z(d'Z)y())�
BPFAttachTyperrr"rMr#rNrWrXr$rYrfr�r�r�r�r�r%r�r�������r�r���r���r&�!�"�#�$�%�&N)*rHrIrJ�CGROUP_INET_INGRESS�CGROUP_INET_EGRESS�CGROUP_INET_SOCK_CREATE�CGROUP_SOCK_OPS�SK_SKB_STREAM_PARSER�SK_SKB_STREAM_VERDICTr��SK_MSG_VERDICT�CGROUP_INET4_BIND�CGROUP_INET6_BIND�CGROUP_INET4_CONNECT�CGROUP_INET6_CONNECT�CGROUP_INET4_POST_BIND�CGROUP_INET6_POST_BIND�CGROUP_UDP4_SENDMSG�CGROUP_UDP6_SENDMSG�
LIRC_MODE2�FLOW_DISSECTOR�
CGROUP_SYSCTL�CGROUP_UDP4_RECVMSG�CGROUP_UDP6_RECVMSG�CGROUP_GETSOCKOPT�CGROUP_SETSOCKOPT�TRACE_RAW_TP�TRACE_FENTRY�TRACE_FEXIT�
MODIFY_RETURN�LSM_MAC�
TRACE_ITER�CGROUP_INET4_GETPEERNAME�CGROUP_INET6_GETPEERNAME�CGROUP_INET4_GETSOCKNAME�CGROUP_INET6_GETSOCKNAME�
XDP_DEVMAP�CGROUP_INET_SOCK_RELEASE�
XDP_CPUMAP�	SK_LOOKUPr��SK_SKB_VERDICTrrrr�r��s����������O������M��N������������������J��N��M����������L��L��K��M��G��J�!��!��!��!���J�!���J��I�
�C��Nrr�c� �eZdZdZdZdZdZdZy)�	XDPActionrrr"rMr#N)rHrIrJ�XDP_ABORTED�XDP_DROP�XDP_PASS�XDP_TX�XDP_REDIRECTrrrr�r��s���K��H��H�
�F��Lrr�c� �eZdZdZdZdZdZdZy)�XDPFlagsrr"r#r$r%N)rHrIrJ�UPDATE_IF_NOEXIST�SKB_MODE�DRV_MODE�HW_MODE�REPLACErrrr�r��s�� ���H��H��G��Grr�c	��	�eZdZejZej
ZejZejZejZejZ	ejZ
ejZejZejZ
ejZejZej Zej"Zej$Zej&Zej(Zej*Zej,Zej.Zej2Zej4Zej6Zej8Zej:Zej>Z ejBZ"ejFZ$ejJZ&ejNZ(e)jTd�Z+iZ,e-j\�Z/dgddgddgdgdd	gd
�Z0gd�Z1dZ2Gd
�de3jh�Z5e3jldd��Z7e7jpZ9e3jte3jve5�ge9_<e=d��Z>e=d��Z?e@Z@Gd�deA�ZBeCd��ZDeCd��ZEddddggdddf	d�ZFefd�ZGd�d�ZHd�ZId �ZJd�d!�ZKid"e3j��d#e3j��d$e3j��d%e3j��d&e3j��d'e3j��d(e3jt�d)e3j��d*e3j��d+e3j��d,e3j��d-e3j��d.e3j��d/e3j��d0e3j��d1e3j�d2z�d3e3j�d2z�Z\eCd4��Z]d�d5�Z^d6�Z_d7�Z`d8�Zad9�Zbd:�ZceCd�d;��ZdeCd<��ZeeCd=��ZfeCd>��Zgd?�ZheCd@��ZidA�ZjdB�ZkdC�ZldD�ZmdE�ZndF�ZodG�Zpd�dH�Zqd�dI�ZrdJ�ZsdK�Ztd�dL�Zud�dM�ZveCd�dN��ZweCd�dO��Zxe=d�dP��ZyeCdQ��ZzeCdR��Z{eCdS��Z|d�dT�Z}d�dU�Z~d�dV�ZeCdW��Z�eCdX��Z�eCdY��Z�d�dZ�Z�d�d[�Z�d�d\�Z�d�d]�Z�d�d^�Z�d�d_�Z�eCd`��Z�eCda��Z�eCdb��Z�d�dc�Z�dd�Z�		d�de�Z�df�Z�d�dg�Z�d�dh�Z�eCdi��Z�eCdj��Z�eCdk��Z�dl�Z�		d�dm�Z�		d�dn�Z�do�Z�d�dp�Z�d�dq�Z�dr�Z�d�ds�Z�d�dt�Z�d�du�Z�d�dv�Z�eCdw��Z�eCd�dx��Z�eCd�dy��Z�eCdz��Z�d{�Z�d|�Z�d}�Z�d�d~�Z�d�Z�d�d��Z�d�d��Z�d�d��Z�d��Z�d��Z�eCd���Z�d��Z�d��Z�d��Z�d��Z�d��Z�y)��BPFs
[^a-zA-Z0-9_]�time�fs�file�bio�request�alloc�sk_buff�
net_device)zlinux/time.hz
linux/fs.hzlinux/blkdev.hzlinux/slab.hzlinux/netdevice.h)ssys_s
__x64_sys_s__x32_compat_sys_s__ia32_compat_sys_s__arm64_sys_s__s390x_sys_s__s390_sys_rc�D�eZdZdejfdejfgZy)�BPF.timespec�tv_sec�tv_nsecN)rHrIrJr+�c_long�_fields_rrr�timespecrCs���r�y�y�)�I�r�y�y�+A�B�rrz
librt.so.1T)�	use_errnoc�$�|j�}|j|jtj|��dk7r3tj
�}t
|tj|���|jdz|jzS)z�monotonic_time()
        Returns the system monotonic time from clock_gettime, using the
        CLOCK_MONOTONIC constant. The time returned is in nanoseconds.
        rge��A)r�_clock_gettime�CLOCK_MONOTONICr+r4�	get_errno�OSError�os�strerrorrr)�cls�t�errnos   r�monotonic_timezBPF.monotonic_timeJsj��
�L�L�N�����c�1�1�2�8�8�A�;�?�1�D��L�L�N�E��%����U�!3�4�4��x�x�#�~��	�	�)�)rc��d}|jj�D]%\}}|D]}|D]}||vs�||vs�
|d|zz
}���'|S)a1
        Generates #include statements automatically based on a set of
        recognized types such as sk_buff and bio. The input is all the words
        that appear in the BPF program, and the output is a (possibly empty)
        string of #include statements, such as "#include <linux/fs.h>".
        �z#include <%s>
)�_auto_includes�items)r�
program_words�headers�header�keywords�keyword�words       r�generate_auto_includeszBPF.generate_auto_includesVso���� #� 2� 2� 8� 8� :�	>��F�H�#�
>��)�>�D��$��6��+@��#4�v�#=�=��>�
>�	>�
�rc��eZdZd�Zy)�BPF.Functionc�.�||_||_||_yr)�bpfr<�fd)r/r r<r!s    rr1zBPF.Function.__init__js���D�H��D�I��D�GrN)rHrIrJr1rrr�Functionris��	rr"c��|r�tjj|�s�ttj
d�}dj
tjjtjj|j���|g�}tjj|�r|}|Std|z��|S)z1 If filename is invalid, search in ./ of argv[0] r�/zCould not find file %s)r�path�isfiler�sys�argv�join�abspath�dirname�	__bytes__�	Exception)�filename�argv0rs   r�
_find_filezBPF._find_fileos�����7�7�>�>�(�+�!�#�(�(�1�+�.���I�I�r�w�w���r�w�w���u���?P�/Q�R�T\�]�^���7�7�>�>�!�$� �H���$�$<�x�$G�H�H��rc�h�d�}tjj|�\}}|r||�r|Sytjdjtj�D]M}|jd�}tjj
|j�|�}||�s�K|cSy)a�
        find_exe(bin_path)

        Traverses the PATH environment variable, looking for the first
        directory that contains an executable file named bin_path, and
        returns the full path to that file, or None if no such file
        can be found. This is meant to replace invocations of the
        "which" shell utility, which doesn't have portable semantics
        for skipping aliases.
        c��tjj|�xr$tj|tj�Sr)rr%r&�access�X_OK)�fpaths r�is_exezBPF.find_exe.<locals>.is_exe�s.���7�7�>�>�%�(�*��	�	�%����)�
*r�PATH�"N)rr%�split�environ�pathsep�stripr)�encode)�bin_pathr6r5�fnamer%�exe_files      r�find_exezBPF.find_exe|s���	*��w�w�}�}�X�.���u���h������
�
�6�*�0�0����<�
$���z�z�#����7�7�<�<����
�x�@���(�#�#�O�	
$�
rrNrFc
��t|�}t|�}t|�}|r|rJ�i|_i|_i|_i|_i|_i|_i|_i|_i|_	d|_
d|_tj|j�||_i|_i|_d|_t'j(t+|�z�}
t-|�D]\}}t/t1|��|
|<�|r*t2j5|�}t2j5|�}|r&t7|d��5}
|
j9�}ddd�t'j:t+|�z�}t-|�D]+\}}t'j:|j=��||<�-t?j@|t+|��}|�tCd��||z}t?jD||j|
t+|
�||�|_|j$stCd|xsdz��|D]}|jG||	��|jI�y#1swY��xYw)aZCreate a new BPF module with the given source code.

        Note:
            All fields are marked as optional, but either `src_file` or `text`
            must be supplied, and not both.

        Args:
            src_file (Optional[str]): Path to a source file for the module
            hdr_file (Optional[str]): Path to a helper header file for the `src_file`
            text (Optional[str]): Contents of a source file for the module
            debug (Optional[int]): Flags used for debug prints, can be |'d together
                                   See "Debug flags" for explanation
        N�rb)�modezycan't generate USDT probe arguments; possible cause is missing pid when a probe in a shared object has multiple locationszFailed to compile BPF module %sz<text>)%r�
kprobe_fds�
uprobe_fds�tracepoint_fds�raw_tracepoint_fds�kfunc_entry_fds�kfunc_exit_fds�lsm_fds�perf_buffers�open_perf_events�_ringbuf_manager�	tracefile�atexit�register�cleanup�debug�funcs�tablesr6r+r8�len�	enumerate�bytesrr�r0�open�read�c_void_p�get_contextr�bcc_usdt_genargsr-�bpf_module_create_c_from_string�attach_uprobes�_trace_autoload)r/�src_file�hdr_file�textrS�cflags�
usdt_contexts�allow_rlimit�device�attach_usdt_ignore_pid�cflags_array�i�sr��	ctx_array�usdt�	usdt_text�usdt_contexts                  rr1zBPF.__init__�s9��"$�H�-��#�H�-����%���X�&�&������� ���"$���!��� ��������� "��� $������������%���
���
����������c�&�k�1�4���f�%�L�D�A�q��y��|�9L�|�A��L���~�~�h�/�H��~�~�h�/�H���h�T�*�
#�d��y�y�{��
#��[�[�3�}�#5�5�8�	� ��/�	;�G�A�t��;�;�t�'7�'7�'9�:�I�a�L�	;��(�(��C�
�4F�G�	����(�)�
)��4����9�9�$�:>�*�*�:F��L�HY�:F��P����{�{��=��AU�X�V�W�W�)�	F�L��'�'��.D�E�	F�	
����9
#�
#�s�5I�Ic���g}tdtj|j��D]C}tj|j|�}|j|j
||���E|S)z�load_funcs(prog_type=KPROBE)

        Load all functions in this BPF module with the given type.
        Returns a list of the function handles.r)�ranger�bpf_num_functionsr6�bpf_function_name�append�	load_func)r/�	prog_type�fnsrj�	func_names     r�
load_funcszBPF.load_funcs�sb�����q�#�/�/����<�=�	=�A��-�-�d�k�k�1�=�I��J�J�t�~�~�i��;�<�	=��
rc��t|�}||jvr|j|Stj|j|�std|z��d}|jtzrd}n|jtzrd}tj|j||tj|j|�tj|j|�tj|j�tj|j�|dd||�}|dkr�tj|j�t!j"�t$j&k(rtd��t)j*t!j"��}td|�d|����t,j/|||�}||j|<|S)N�Unknown program %srr"rz!Need super-user privileges to runzFailed to load BPF program �: )rrTr�bpf_function_startr6r-rS�DEBUG_BPF_REGISTER_STATE�	DEBUG_BPF�
bcc_func_load�bpf_function_size�bpf_module_license�bpf_module_kern_versionrPrQ�	donothingr+r
r�EPERMrr
r�r")	r/rxrvrg�attach_type�	log_levelr!�errstr�fns	         rruz
BPF.load_func�sn��$�Y�/�	���
�
�"��:�:�i�(�(��%�%�d�k�k�9�=��0�9�<�=�=��	��J�J�1�1��I��j�j�9�$��I�
�
�
�t�{�{�I�y��&�&�t�{�{�I�>��%�%�d�k�k�9�=��&�&�t�{�{�3��+�+�D�K�K�8��4��F�K�9����6��O�O�D�N�N�+��|�|�~����,�� C�D�D��[�[�����0�F��&��0�1�
1��\�\�$�	�2�
.�� "��
�
�9���	rc� �t|�}tj|j|�st	d|z��tj|j|�}tj
|j|�}t
j||�S)zR
        Return the eBPF bytecodes for the specified function as a string
        r{)rrr}r6r-r�r+�	string_at)r/rx�start�sizes    r�	dump_funcz
BPF.dump_funcsp��%�Y�/�	��%�%�d�k�k�9�=��0�9�<�=�=��'�'����Y�?���%�%�d�k�k�9�=���|�|�E�4�(�(rc�<�|j|�}t||�Sr)r�r)r/rx�bpfstrs   r�disassemble_funczBPF.disassemble_func"s�����	�*���	�6�2�2rc�~�||}tj|j|j�}t	||||��S)N)�sizeinfo)r�bpf_table_type_idr6�map_idr)r/�
table_namer��	table_obj�
table_types     r�decode_tablezBPF.decode_table&s9����$�	��*�*�4�;�;�	�8H�8H�I�
��*�i��h�O�Or�_Bool�char�wchar_tz
unsigned char�shortzunsigned short�intzunsigned int�longz
unsigned longz	long longzunsigned long long�float�doublezlong double�__int128r"zunsigned __int128c	���t|t�rtj|Sg}g}|dD�]�}t	|�dk(r-|j|dtj
|d�f��?t	|�dk(�r t|dt�r6|j|dtj
|d�|ddzf���t|dt�r1|j|dtj
|d�|df���t|dt�ri|ddk(s|ddk(s|ddk(rQ|d}|dk(rd	t	|�z}|j|�|j|tj
|�f���Wtd
t|�z��td
t|�z��tj}d}t	|�dkDrL|ddk(rtj}n3|ddk(rtj}n|ddk(rtj}d}|r(tt|d�|ft|d|�
��}|Stt|d�|ft||���}|S)Nrr"rrM�union�struct�
struct_packedrz__anon%dzFailed to decode type %sFT)�_anonymous_�_pack_r)r�r)�
isinstance�
basestringr��	str2ctyperVrt�_decode_table_type�listr�r-�strr+�	Structure�Union�type�dict)�desc�anon�fieldsrr<�base�	is_packedrs        rr�zBPF._decode_table_type>sH���d�J�'��=�=��&�&������a��	E�A��1�v��{��
�
�q��t�S�%;�%;�A�a�D�%A�B�C��Q��1���a��d�D�)��M�M�1�Q�4��)?�)?��!��)E��!��Q��)O�"P�Q���!��c�*��M�M�1�Q�4��)?�)?��!��)E�q��t�"L�M���!��j�1��!���(�A�a�D�I�,=��!�� 0�0��Q�4�D��r�z�)�C��I�5�����D�)��M�M�4��)?�)?��)B�"C�D�#�$>��Q��$G�H�H�� :�S��V� C�D�D�'	E�(�|�|���	��t�9�q�=��A�w�(�"��x�x���a��I�%��|�|���a��,�,��|�|�� �	���s�4��7�|�d�W�d�t�A��/!�"�C�
�
��s�4��7�|�d�W�d�t��/!�"�C��
rc	���t|�}tj|j|�}tj|j|�}tj
|j|�ttfv}|dkrt�|si|sgtj|j|�jd�}|std|z��tjtj|��}|sgtj |j|�jd�}	|	std|z��tjtj|	��}t#|||||||��S)Nrzutf-8z$Failed to load BPF Table %s key descz%Failed to load BPF Table %s leaf desc)�reducer)rr�bpf_table_idr6�bpf_table_fdr�r
r�KeyError�bpf_table_key_desc�decoder-r�r��json�loads�bpf_table_leaf_descr
)
r/r<�keytype�leaftyper�r��map_fd�
is_queuestack�key_desc�	leaf_descs
          r�	get_tablez
BPF.get_tablejs!����%���!�!�$�+�+�t�4���!�!�$�+�+�t�4���-�-�d�k�k�6�B�GY�[m�Fn�n�
��A�:��N��}��-�-�d�k�k�4�@�G�G��P�H��� F�� M�N�N��,�,�T�Z�Z��-A�B�G���/�/����T�B�I�I�'�R�I��� G�$� N�O�O��-�-�d�j�j��.C�D�H��T�6�6�7�H�d�G�T�Trc�x�||jvr|j|�|j|<|j|Sr)rUr��r/�keys  r�__getitem__zBPF.__getitem__}s4���d�k�k�!�#�~�~�c�2�D�K�K����{�{�3��rc�"�||j|<yr�rU)r/r��leafs   r�__setitem__zBPF.__setitem__�s������C�rc�,�t|j�Sr)rVrU�r/s r�__len__zBPF.__len__�s���4�;�;��rc��|j|=yrr�r�s  r�__delitem__zBPF.__delitem__�s���K�K��rc�6�|jj�Sr)rU�__iter__r�s rr�zBPF.__iter__�s���{�{�#�#�%�%rc��t|tj�std��t	j
|j|||�}|dkr/tdj|tj|����y)N�"arg 1 must be of type BPF.Functionrz7Failed to attach BPF function with attach_type {0}: {1})
r�r�r"r-r�bpf_prog_attachr!�formatrr
)r��
attachable_fdr��flagsr@s     r�attach_funczBPF.attach_func�sm���"�c�l�l�+��@�A�A��!�!�"�%�%���U�K����7��'�'-�v�k�2�;�;��t�;L�'M�O�
O�rc��t|tj�std��t	j
|j||�}|dkr/tdj|tj|����y)Nr�rz7Failed to detach BPF function with attach_type {0}: {1})
r�r�r"r-r�bpf_prog_detach2r!r�rr
)r�r�r�r@s    r�detach_funczBPF.detach_func�sk���"�c�l�l�+��@�A�A��"�"�2�5�5�-��E����7��'�'-�v�k�2�;�;��t�;L�'M�O�
O�rc���t|�}t|tj�st	d��tj|�}|dkr8tjtj��}t	d|�d|����tj||j�}|dkr8tjtj��}t	d|�d|����||_
y)Nr�rzFailed to open raw device r|�Failed to attach BPF to device )rr�r�r"r-r�bpf_open_raw_sockrr
r+r
�bpf_attach_socketr!�sock)r��devr�r�r@s     r�attach_raw_socketzBPF.attach_raw_socket�s����s�#���"�c�l�l�+��@�A�A��$�$�S�)���!�8��[�[�����0�F��#�v�N�O�O��#�#�D�"�%�%�0����7��[�[�����0�F���F�$�%�
%���rc�<�dtz}	t|d�5}t|D�cgc]#}|j�j	�d��%c}�}ddd�dtz}	t|d�5}t|D�cgc]#}|j�j	�d��%c}�}ddd�g}	d}
d}tdd�5}|D�]}|j�j	�dd\}
}|
dk(r|dk(rd}
�5|
dk(r|d	k(rd
}
�B|dk(r|dk(rd}�O|dk(rd
}�W|dk(r|dk(rd
}�d|jd
�r�v|jd�s|jd�r��|jd�r��tjd|�r��|
j�dvs��tj||�s��|vs��|vs��|	j|���		ddd�t|	�Scc}w#1swY���xYw#t
$r5}|jtjk7r|�tg�}Yd}~���d}~wwxYwcc}w#1swY���xYw#t
$r5}|jtjk7r|�tg�}Yd}~���d}~wwxYw#1swYt|	�SxYw)Nz%s/kprobes/blacklistrCrz%%s/tracing/available_filter_functionsr�/proc/kallsymsrMs__init_begins
__init_endr"s__irqentry_text_starts__irqentry_text_ends
_kbl_addr_s__perfsperf_s__SCT__s^.*.cold(.d+)?$)�t�w)�DEBUGFSrY�set�rstripr9�IOErrorrr��
startswith�re�match�lower�	fullmatchrt)�event_re�blacklist_file�blacklist_f�line�	blacklist�e�avail_filter_file�avail_filter_f�avail_filterrw�in_init_section�in_irq_section�
avail_filerr�s               r�get_kprobe_functionszBPF.get_kprobe_functions�s���/�'�9��	 ��n�d�+�
T�{��k� R�d�����!4�!4�!6�q�!9� R�S�	�
T�D�g�M��	#��'��.�
Z�.�"��#X��D�K�K�M�$7�$7�$9�!�$<�#X�Y��
Z�������
�"�D�
)�1	#�Z�"�0
#���+�+�-�-�-�/��!�4���B�#�a�'��_�,�*+�� �$��)��]�*�*+���"�Q�&��5�5�)*�� ��5�5�)*�� �#�q�(��3�3�)*���
�=�=��/���]�]�9�-����x�1H���]�]�:�.���X�X�0�"�5���G�G�I��-�2�<�<��"�3M��)�+��l�*��J�J�r�N�a0
#�1	#�d�3�x���K!S�
T�
T���	 ��w�w�%�+�+�%����B��I��	 ��$Y�
Z�
Z���	#��w�w�%�+�+�%����r�7�L��	#��1	#�d�3�x��s��G4�
G'�(G"
�	G'�G4�"I�.
H:�8(H5
� H:�'I�CJ�J�0J�5J�:J�"G'�'G1�,G4�4	H2�=*H-�-H2�5H:�:I�?I�	J�*J�J�Jc�V�t|ztj�kDrtd��y)Nz/Number of open probes would exceed global quota)rr��get_probe_limitr-)r/�num_new_probess  r�_check_probe_quotazBPF._check_probe_quota�s*���n�,�s�/B�/B�/D�D��M�N�N�Erc��tjjd�}|r|j�rt	|�St
S)N�BCC_PROBE_LIMIT)rr:�get�isdigitr��_default_probe_limit)�env_probe_limits rrzBPF.get_probe_limits4���*�*�.�.�):�;����6�6�8���'�'�'�'rc�t�||jvri|j|<||j||<tdz
ay�Nr�rEr)r/�ev_name�fn_namer!s    r�_add_kprobe_fdzBPF._add_kprobe_fds:���$�/�/�)�')�D�O�O�G�$�,.����� ��)��A��rc�6�|j||=tdzayrr)r/rrs   r�_del_kprobe_fdzBPF._del_kprobe_fds���O�O�G�$�W�-��A��rc�4�||j|<tdz
ayr�rFr)r/r<r!s   r�_add_uprobe_fdzBPF._add_uprobe_fds�� "�������A��rc�0�|j|=tdzayrr�r/r<s  r�_del_uprobe_fdzBPF._del_uprobe_fds���O�O�D�!��A��rc�x�|jD]}|jd|z�dk7s�|cS|jdS)Ns%sbpfrDr)�_syscall_prefixes�ksymname)r/�prefixs  r�get_syscall_prefixzBPF.get_syscall_prefix$sE���,�,�	�F��}�}�X��.�/�2�5��
�	��%�%�a�(�(rc�>�t|�}|j�|zSr)rrrs  r�get_syscall_fnnamezBPF.get_syscall_fnname-s ����%���&�&�(�4�/�/rc��t|�}|jD]2}|j|�s�|j|t	|�d�cS|Sr)rrr�r!rV)r/r<rs   r�fix_syscall_fnnamezBPF.fix_syscall_fnname4sR����%���,�,�	C�F����v�&��.�.�t�C��K�L�/A�B�B�	C��rc���t|�}t|�}t|�}|r~tj|�}|jt	|��d}g}|D]}	|j||���|t	|�k(r!td|�ddj|��d���y|jd�|j|tj�}	d|jd	d
�jdd
�z}
tj|	jd|
||d�}|dkrtd|�d|�d���|j|
||�|S#|dz
}|j
|�Y��
xYw)Nr��eventrr�Failed to attach BPF program z to kprobe �/�K, it's not traceable (either non-existing, inlined, or marked as "notrace")�p_�+�_�.)rr�rrrV�
attach_kprobertr-r)rur��replacer�bpf_attach_kprober!r)r/r&�	event_offrr��matches�failed�probesr�r�rr!s            rr.zBPF.attach_kprobe;s`�� ��'��"�7�+��#�H�-����.�.�x�8�G��#�#�C��L�1��F��F��
(��(��&�&�T�7�&�C�
(���W��%��!(�#�(�(�6�*:�!<�=�=�
�����"�
�^�^�G�S�Z�Z�
0���%�-�-��d�3�;�;�D�$�G�G��
�
"�
"�2�5�5�!�W�e�Y��
J��
��6��$�e�-�.�
.�	
���G�W�b�1����%(��a�K�F��M�M�$�'�s�E�E#c��t|�}t|�}t|�}|retj|�}d}g}|D]}	|j|||���|t|�k(r!t
d|�ddj|��d���y|jd�|j|tj�}	d|jd	d
�jdd
�z}
tj|	jd|
|d|�}|dkrt
d|�d|�d���|j|
||�|S#|dz
}|j	|�Y��xYw)Nr)r&r�	maxactiverr'z to kretprobe r(r)�r_r+r,r-)rr�r�attach_kretprobertrVr-r)rrur�r/rr0r!r)r/r&rr�r6r2r3r4r�r�rr!s            rr8zBPF.attach_kretprobe]sU�� ��'��"�7�+��#�H�-����.�.�x�8�G��F��F��
(��(��)�)��g�4=�*�?�
(���W��%��!(�#�(�(�6�*:�!<�=�=�
�����"�
�^�^�G�S�Z�Z�
0���%�-�-��d�3�;�;�D�$�G�G��
�
"�
"�2�5�5�!�W�e�Q�	�
J��
��6��$�e�-�.�
.�	
���G�W�b�1����%(��a�K�F��M�M�$�'�s�D/�/E
c��t|�}t|j|j��}|D]}|j	||��yr)rr�rE�keys�detach_kprobe_event_by_fn)r/r�fn_namesrs    r�detach_kprobe_eventzBPF.detach_kprobe_eventsG��"�7�+�������0�5�5�7�8���	=�G��*�*�7�G�<�	=rc�x�t|�}t|�}||jvrtd|z��tj|j||�}|dkrtd��|j||�t
|j|�dk(r&tj|�}|dkrtd��yy)NzKprobe %s is not attachedrzFailed to close kprobe FDz Failed to detach BPF from kprobe)rrEr-r�bpf_close_perf_event_fdrrV�bpf_detach_kprobe)r/rrr@s    rr;zBPF.detach_kprobe_event_by_fn�s���"�7�+��"�7�+���$�/�/�)��7�'�A�B�B��)�)�$�/�/�'�*B�7�*K�L����7��7�8�8����G�W�-��t���w�'�(�A�-��'�'��0�C��Q�w�� B�C�C��.rc���t|�}d|jdd�jdd�z}|rt|�}|j||�y|j|�y)Nr*r+r,r-�rr/r;r=�r/r&rrs    r�
detach_kprobezBPF.detach_kprobe��Y�� ��'���%�-�-��d�3�;�;�D�$�G�G���&�w�/�G��*�*�7�G�<��$�$�W�-rc���t|�}d|jdd�jdd�z}|rt|�}|j||�y|j|�y)Nr7r+r,r-rBrCs    r�detach_kretprobezBPF.detach_kretprobe�rErc�`�t|�}t|tj�st	d��tj||j|�}|dkrXtj�}|tjk(rt	d��tj|�}t	d|�d|����y)zt
            This function attaches a BPF function to a device on the device
            driver level (XDP)
        r�rzMInternal error while attaching BPF to device, try increasing the debug level!r�r|N)rr�r�r"r-r�bpf_attach_xdpr!r+r
r�EBADMSGrr
)r�r�r�r@�err_nor�s      r�
attach_xdpzBPF.attach_xdp�s����s�#���"�c�l�l�+��@�A�A�� � ��b�e�e�U�3����7��\�\�^�F�����&��!7�8�8����V�,���"�F�!,�-�-�rc���t|�}tj|d|�}|dkr8tjtj��}td|�d|����y)zw
            This function removes any BPF function from a device on the
            device driver level (XDP)
        rDrz!Failed to detach BPF from device r|N)rrrIrr
r+r
r-)r�r�r@r�s    r�
remove_xdpzBPF.remove_xdp�sY���s�#��� � ��b�%�0����7��[�[�����0�F��"�F�,�-�
-�rc�@�t|�}t|�}t�}|dk(rdn|}tj|||xsd|t	j
dt	jt��t	j|��dkr-td|j��d|j�����|j|z}t	j
|jtj�j}	tj|j�|	|fS)NrDrz&could not determine address of symbol z in )rrr�bcc_resolve_symnamer+r,r-rr4r-r�r7r6r8r9�bcc_procutils_free)
rr6�symnamer=r0�sym_offr?�c_pid�new_addr�module_paths
          r�_check_path_symbolzBPF._check_path_symbol�s���!�&�)��"�7�+���l���B�Y��C���"�"��G��K�C���G�G�D�"�*�*�%6�7�8��H�H�S�M�	
�

���&�~�~�/�����B�C�
C��:�:��'���g�g�c�j�j�"�+�+�6�<�<�����s�z�z�*��H�$�$rc���t|�}tj|d�}|sytj|tj
�j}tj|�|S�Nr)rr�bcc_procutils_which_sor+r,r8r9rQ)�libnamer@�libpaths   r�find_libraryzBPF.find_library�sQ��"�7�+���(�(��!�4�����'�'�#�r�{�{�+�1�1�����s�#��rc�P�g}tjjtd�}tj|�D]�}tjj||�}tjj|�s�Ctj|�D]�}tjj||�}tjj|�s�C|�d|��}t
j|j�|�s�o|j|j������|S)N�events�:)rr%r)�TRACEFS�listdir�isdirr�r�r�rtr=)�tp_re�results�
events_dir�category�cat_dirr&�evt_dir�tps        r�get_tracepointszBPF.get_tracepoints�s������W�W�\�\�'�8�4�
��
�
�:�.�		4�H��g�g�l�l�:�x�8�G��7�7�=�=��)�����G�,�
4���'�'�,�,�w��6���7�7�=�=��)�%-�u�5�B��x�x������3����r�y�y�{�3�
4�			4��rc��tjjtd||�}tjj	|�S)Nr_)rr%r)rarc)rgr&ris   r�tracepoint_existszBPF.tracepoint_exists�s-���'�'�,�,�w��(�E�B���w�w�}�}�W�%�%rc��t|�}t|�}t|�}|r.tj|�D]}|j||���y|j	|tj
�}|j
d�\}}tj|j||�}|dkrtd|�d|����||j|<|S)a�attach_tracepoint(tp="", tp_re="", fn_name="")

        Run the bpf function denoted by fn_name every time the kernel tracepoint
        specified by 'tp' is hit. The optional parameters pid, cpu, and group_fd
        can be used to filter the probe. The tracepoint specification is simply
        the tracepoint category and the tracepoint name, separated by a colon.
        For example: sched:sched_switch, syscalls:sys_enter_bind, etc.

        Instead of a tracepoint name, a regular expression can be provided in
        tp_re. The program will then attach to tracepoints that match the
        provided regular expression.

        To obtain a list of kernel tracepoints, use the tplist tool or cat the
        file /sys/kernel/debug/tracing/available_events.

        Examples:
            BPF(text).attach_tracepoint(tp="sched:sched_switch", fn_name="on_switch")
            BPF(text).attach_tracepoint(tp_re="sched:.*", fn_name="on_switch")
        �rjrN�:rr'z to tracepoint )rr�rk�attach_tracepointrurQr9r�bpf_attach_tracepointr!r-rG)r/rjrdrr��tp_category�tp_namer!s        rrqzBPF.attach_tracepoint�s���*�b�
!�� ��'��"�7�+����)�)�%�0�
?���&�&�"�g�&�>�
?��
�^�^�G�S�^�^�
4��!#���$����g�
�
&�
&�r�u�u�k�7�
C��
��6��$�b�*�+�
+�"$����B���rc�(�t|�}||jvrtd|z��t|�}|j|tj
�}t
j|j|�}|dkrtd��||j|<|S)a�attach_raw_tracepoint(self, tp=b"", fn_name=b"")

        Run the bpf function denoted by fn_name every time the kernel tracepoint
        specified by 'tp' is hit. The bpf function should be loaded as a
        RAW_TRACEPOINT type. The fn_name is the kernel tracepoint name,
        e.g., sched_switch, sys_enter_bind, etc.

        Examples:
            BPF(text).attach_raw_tracepoint(tp="sched_switch", fn_name="on_switch")
        z#Raw tracepoint %s has been attachedrz&Failed to attach BPF to raw tracepoint)	rrHr-rur�r�r�bpf_attach_raw_tracepointr!)r/rjrr�r!s     r�attach_raw_tracepointzBPF.attach_raw_tracepoints����b�
!��
��(�(�(��A�B�F�G�G�"�7�+��
�^�^�G�S�%7�%7�
8��
�
*�
*�2�5�5�"�
5��
��6��D�E�E�&(�����#��rc��t|�}||jvrtd|z��tj|j|�|j|=y)z�detach_raw_tracepoint(tp="")

        Stop running the bpf function that is attached to the kernel tracepoint
        specified by 'tp'.

        Example: bpf.detach_raw_tracepoint("sched_switch")
        z!Raw tracepoint %s is not attachedN)rrHr-r�close)r/rjs  r�detach_raw_tracepointzBPF.detach_raw_tracepoint6sR���b�
!��
�T�,�,�,��?�"�D�E�E�
����(�(��,�-��#�#�B�'rc�2�|j|�s||z}|Sr)r�)rr<s  r�
add_prefixzBPF.add_prefixEs�����v�&��D�=�D��rc��tj�dk7rytj�sytjd�dk7ryy)N�x86_64F�bpf_trampoline_link_progrDT)�platform�machiner�bpf_has_kernel_btfr�rrrr�
support_kfunczBPF.support_kfuncKs?�������)���%�%�'���<�<�2�3�r�9��rc�`�tj�sytjd�dk7ryy)NFsbpf_lsm_bpfrDT)rr�r�rrrr�support_lsmzBPF.support_lsmWs(���%�%�'���<�<��'�2�-��rc���t|�}tjd|�}||jvrt	d|z��tj|j|�|j|=y)N�kfunc__z$Kernel entry func %s is not attached)rr�r|rIr-rry�r/rs  r�detach_kfunczBPF.detach_kfunc`s`��"�7�+���.�.��W�5���$�.�.�.��B�W�L�M�M�
����%�%�g�.�/�� � ��)rc���t|�}tjd|�}||jvrt	d|z��tj|j|�|j|=y)N�
kretfunc__z#Kernel exit func %s is not attached)rr�r|rJr-rryr�s  r�detach_kretfunczBPF.detach_kretfuncis`��"�7�+���.�.���8���$�-�-�-��A�G�K�L�L�
����$�$�W�-�.�����(rc�<�t|�}tjd|�}||jvrt	d|z��|j|tj�}tj|j�}|dkrt	d��||j|<|S)Nr�z&Kernel entry func %s has been attachedrz)Failed to attach BPF to entry kernel func)
rr�r|rIr-rur�r�bpf_attach_kfuncr!�r/rr�r!s    r�attach_kfunczBPF.attach_kfuncrs���"�7�+���.�.��W�5���d�*�*�*��D�w�N�O�O�
�^�^�G�S�[�[�
1��
�
!�
!�"�%�%�
(��
��6��G�H�H�(*����W�%��rc�<�t|�}tjd|�}||jvrt	d|z��|j|tj�}tj|j�}|dkrt	d��||j|<|S)Nr�z%Kernel exit func %s has been attachedrz(Failed to attach BPF to exit kernel func)
rr�r|rJr-rur�rr�r!r�s    r�attach_kretfunczBPF.attach_kretfunc�s���"�7�+���.�.���8���d�)�)�)��C�g�M�N�N�
�^�^�G�S�[�[�
1��
�
!�
!�"�%�%�
(��
��6��F�G�G�')����G�$��rc���t|�}tjd|�}||jvrt	d|z��tj|j|�|j|=y)N�lsm__zLSM %s is not attached)rr�r|rKr-rryr�s  r�
detach_lsmzBPF.detach_lsm�sZ��"�7�+���.�.��7�3���$�,�,�&��4�w�>�?�?�
������g�&�'��L�L��!rc�<�t|�}tjd|�}||jvrt	d|z��|j|tj�}tj|j�}|dkrt	d��||j|<|S)Nr�zLSM %s has been attachedrzFailed to attach LSM)
rr�r|rKr-rur�r�bpf_attach_lsmr!r�s    r�
attach_lsmzBPF.attach_lsm�s���"�7�+���.�.��7�3���d�l�l�"��6��@�A�A�
�^�^�G�S�W�W�
-��
�
�
����
&��
��6��2�3�3� "����W���rc�f�tjd�dk7stjd�dk7ryy)N�bpf_find_raw_tracepointrD�bpf_get_raw_tracepointTF)r�rrrr�support_raw_tracepointzBPF.support_raw_tracepoint�s.���<�<�1�2�b�8��<�<�0�1�R�7��rc���d}t|�5}|D]I}|j�jdd�\}}}|jd�d}|dk(s�Addd�y	ddd�y#1swYyxYw)	Nr�� r"�	r�bpf_trace_modulesTF)rYr�r9)�kallsyms�symsr��_r<s     r� support_raw_tracepoint_in_modulez$BPF.support_raw_tracepoint_in_module�s���$��
�(�^�	�t��
 ��#�{�{�}�2�2�3��:���A�t��z�z�$�'��*���.�.��	�	�
 �
�
	�	�	�s�AA'�A'�A'�'A0c�Z�t|�}t|�}tj||�Sr)rr�kernel_struct_has_field)�struct_name�
field_names  rr�zBPF.kernel_struct_has_field�s)��&�{�3��%�j�1�
��*�*�;�
�C�Crc�D�t|�}||jvrtd|z��tj|j|�}|dkrtd��|jd�\}}tj||�}|dkrtd��|j|=y)z�detach_tracepoint(tp="")

        Stop running a bpf function that is attached to the kernel tracepoint
        specified by 'tp'.

        Example: bpf.detach_tracepoint("sched:sched_switch")
        zTracepoint %s is not attachedrz$Failed to detach BPF from tracepointrpN)rrGr-rr?r9�bpf_detach_tracepoint)r/rjr@rsrts     r�detach_tracepointzBPF.detach_tracepoint�s����b�
!��
�T�(�(�(��;�b�@�A�A��)�)�$�*=�*=�b�*A�B����7��B�C�C�!#���$����g��'�'��W�=����7��B�C�C�����#rc	
�^�tj||||||||�}	|	dkrtd��|	S)Nrz"Failed to attach BPF to perf event)r�bpf_attach_perf_eventr-)
r/�progfd�ev_type�	ev_config�
sample_period�sample_freqr0�cpu�group_fdr@s
          r�_attach_perf_eventzBPF._attach_perf_event�s<���'�'�����{�C��h�@����7��@�A�A��
rc	�>�t|�}|j|tj�}	i}
|dk\r&|j	|	j
|||||||�|
|<n4t
�D]'}|j	|	j
|||||||�|
|<�)|
|j||f<yrY)rrur�r�r�r!rrM)r/r�r�rr�r�r0r�r�r�r@rjs            r�attach_perf_eventzBPF.attach_perf_event�s���"�7�+��
�^�^�G�S�^�^�
4�����!�8��.�.�r�u�u�g�y�!�;��S�(�D�C��H�%�&�
F���0�0������%�{�C��H�F��A��
F�7:����w�	�2�3rc��tj|tj|�|||d�}|dkrt	d��|S)Nrz&Failed to attach BPF to perf raw event)r�bpf_attach_perf_event_rawr+r4r-)r/r��attrr0r�r�r@s       r�_attach_perf_event_rawzBPF._attach_perf_event_raw�s?���+�+�F�B�H�H�T�N�C��X�q�"����7��D�E�E��
rc�Z�t|�}|j|tj�}i}|dk\r#|j	|j
||||�||<n1t
�D]$}|j	|j
||||�||<�&||j|j|jf<yrY)
rrur�r�r�r!rrMr��config)	r/r�rr0r�r�r�r@rjs	         r�attach_perf_event_rawzBPF.attach_perf_event_raw�s���"�7�+��
�^�^�G�S�^�^�
4�����!�8��2�2�2�5�5�$���h�(�C��H�%�&�
*���4�4�R�U�U�D��Q��*��A��
*�;>����t�y�y�$�+�+�6�7rc��	|j||f}d}|j	�D]}tj|�xs|}�|dk7rtd��|j||f=y#t$rtdj||���wxYw)Nz)Perf event type {} config {} not attachedrz$Failed to detach BPF from perf event)rMr�r-r��valuesrr?)r/r�r��fdsr@r!s      r�detach_perf_eventzBPF.detach_perf_event�s���	%��'�'��)�(<�=�C�
���*�*�,�	9�B��-�-�b�1�8�S�C�	9��!�8��B�C�C��!�!�7�I�"6�7���	%��G�N�N���$�%�
%�	%�s�A#�#%Bc�r�ttj||�D��cgc]\}}|��	c}}�Scc}}wr�r�r�� get_user_functions_and_addresses)r<�sym_rer�s   r�get_user_functionszBPF.get_user_functionss<����8�8��v�F�H�Y�d�A�D�H�I�	I��H��3
c�r�ttj||�D��cgc]\}}|��	c}}�Scc}}w)a�
        We are returning addresses here instead of symbol names because it
        turns out that the same name may appear multiple times with different
        addresses, and the same address may appear multiple times with the same
        name. We can't attach a uprobe to the same address more than once, so
        it makes sense to return the unique set of addresses that are mapped to
        a symbol that matches the provided regular expression.
        r�)r<r�r��addresss    r�get_user_addresseszBPF.get_user_addressess>����8�8��v�F�H���G�G�H�I�	I��Hr�c����t|�}t���g���fd�}tj|t|��}|dkrt	d||fz���S)Nc�\��|}tj�|�r�j||f�yrY)r�r�rt)�sym_namer=�dname�	addressesr�s   ��r�sym_cbz4BPF.get_user_functions_and_addresses.<locals>.sym_cb#s+����E��x�x���&�� � �%���/�rrz"Error %d enumerating symbols in %s)rr�bcc_foreach_function_symbolr	r-)r<r�r�r@r�s `  @rr�z$BPF.get_user_functions_and_addressess\�����%��!�&�)���	�	��-�-�d�L��4H�I����7��@�C��;�N�O�O��rc��|dk(r"d||jjd|�|fzSd||jjd|�||fzS)NrDs
%s_%s_0x%xr,s
%s_%s_0x%x_%d)�_probe_repl�sub)r/rr%r=r0s     r�_get_uprobe_evnamezBPF._get_uprobe_evname.sY���"�9� �F�D�,<�,<�,@�,@��t�,L�d�#S�S�S�$�v�t�/?�/?�/C�/C�D�$�/O�QU�WZ�&[�[�[rc�t�|dk\sJ�|�|dk(sJd��t|�}t|�}t|�}t|�}|rMtj||�}|jt	|��|D]}	|j||	||���ytj
|||||�\}
}|jd�|j|tj�}|jd|
||�}tj|jd||
||�}
|
dkrtd��|j||
�|S)a�attach_uprobe(name="", sym="", sym_re="", addr=None, fn_name=""
                         pid=-1, sym_off=0)

        Run the bpf function denoted by fn_name every time the symbol sym in
        the library or binary 'name' is encountered. Optional parameters pid,
        cpu, and group_fd can be used to filter the probe.

        If sym_off is given, attach uprobe to offset within the symbol.

        The real address addr may be supplied in place of sym, in which case sym
        must be set to its default value. If the file is a non-PIE executable,
        addr must be a virtual address, otherwise it must be an offset relative
        to the file load address.

        Instead of a symbol name, a regular expression can be provided in
        sym_re. The uprobe will then attach to symbols that match the provided
        regular expression.

        Libraries can be given in the name argument without the lib prefix, or
        with the full path (/usr/lib/...). Binaries can be given only with the
        full path (/bin/sh). If a PID is given, the uprobe will attach to the
        version of the library used by the process.

        Example: BPF(text).attach_uprobe("c", "malloc")
                 BPF(text).attach_uprobe("/usr/bin/python", "main")
        rNz!offset with addr is not supported�r<r=rr0r�pzFailed to attach BPF to uprobe)rr�r�rrV�
attach_uproberWrur�r�r�bpf_attach_uprober!r-r)r/r<r?r�r=rr0rSr��sym_addrr%r�rr!s              rr�zBPF.attach_uprobe6sA��:�!�|��|����a�<�D�!D�D�<���%���s�#��!�&�)��"�7�+����.�.�t�V�<�I��#�#�C�	�N�3�%�
=���"�"��8�+2��#�=�
=�
��-�-�d�C��s�G�L���t�����"�
�^�^�G�S�Z�Z�
0���)�)�$��d�C�@��
�
"�
"�2�5�5�!�W�d�D�#�
F��
��6��<�=�=����G�R�(��rc��t|�}t|�}t|�}t|�}|r1tj||�D]}|j||||���ytj	||||�\}}|jd�|j
|tj�}	|jd|||�}
tj|	jd|
|||�}|dkrtd��|j|
|�|S)a6attach_uretprobe(name="", sym="", sym_re="", addr=None, fn_name=""
                            pid=-1)

        Run the bpf function denoted by fn_name every time the symbol sym in
        the library or binary 'name' finishes execution. See attach_uprobe for
        meaning of additional parameters.
        r�Nr�rrz!Failed to attach BPF to uretprobe)rr�r��attach_uretproberWrrur�r�rr�r!r-r)r/r<r?r�r=rr0r�r%r�rr!s            rr�zBPF.attach_uretprobeos�� ��%���s�#��!�&�)��"�7�+����2�2�4��@�
@���%�%�4�h�.5�3�&�@�
@�
��-�-�d�C��s�C���t�����"�
�^�^�G�S�Z�Z�
0���)�)�$��d�C�@��
�
"�
"�2�5�5�!�W�d�D�#�
F��
��6��?�@�@����G�R�(��rc��||jvrtd|z��tj|j|�}|dkrtd��tj|�}|dkrtd��|j|�y)NzUprobe %s is not attachedrz Failed to detach BPF from uprobe)rFr-rr?�bpf_detach_uprober)r/rr@s   r�detach_uprobe_eventzBPF.detach_uprobe_event�s|���$�/�/�)��7�'�A�B�B��)�)�$�/�/�'�*B�C����7��>�?�?��#�#�G�,����7��>�?�?����G�$rc��t|�}t|�}tj|||||�\}}|jd|||�}|j	|�y)z�detach_uprobe(name="", sym="", addr=None, pid=-1)

        Stop running a bpf function that is attached to symbol 'sym' in library
        or binary 'name'.
        r�N�rr�rWr�r�)r/r<r?r=r0rSr%rs        r�
detach_uprobezBPF.detach_uprobe�sX�� ��%���s�#���-�-�d�C��s�G�L���t��)�)�$��d�C�@��� � ��)rc��t|�}t|�}tj||||�\}}|jd|||�}|j	|�y)z�detach_uretprobe(name="", sym="", addr=None, pid=-1)

        Stop running a bpf function that is attached to symbol 'sym' in library
        or binary 'name'.
        r�Nr�)r/r<r?r=r0r%rs       r�detach_uretprobezBPF.detach_uretprobe�sV�� ��%���s�#���-�-�d�C��s�C���t��)�)�$��d�C�@��� � ��)rc���tdtj|j��D�]4}tj|j|�}|jd�rP|j
|tj�}|j|j|dd�|j����|jd�rP|j
|tj�}|j|j|dd�|j����|jd�rg|j
|tj�}|jtd�djdd	�}|j!||j�
���^|jd�rW|j
|tj"�}|jtd�d}|j%||j�
����|jd�r|j'|�
����|jd�r|j)|�
���|jd�s��#|j+|�
���7y)Nrskprobe__r$r%skretprobe__r�stracepoint__s__rprosraw_tracepoint__r�)rr�r�)rqrrrr6rsr�rur�r�r.r#r<r8rQrVr/rqr�rwr�r�r�)r/rjrxr�rjs     rr`zBPF._trace_autoload�s����q�#�/�/����<�=�	3�A��-�-�d�k�k�1�=�I��#�#�K�0��^�^�I�s�z�z�:���"�"��1�1�)�A�B�-�@��G�G�#�%��%�%�n�5��^�^�I�s�z�z�:���%�%��1�1�)�B�C�.�A��G�G�&�%��%�%�o�6��^�^�I�s�~�~�>���W�W�S��1�2�3�;�;�E�4�H���&�&�"�b�g�g�&�>��%�%�&9�:��^�^�I�s�/A�/A�B���W�W�S�!4�5�6�7���*�*�b�"�'�'�*�B��%�%�j�1��!�!�)�!�4��%�%�m�4��$�$�Y�$�7��%�%�h�/����	��2�3	3rc�N�|js�tdtzd�|_|rt|jj�}t	j|tj
�}t	j|tj|tjz�|jS)zWtrace_open(nonblocking=False)

        Open the trace_pipe if not already open
        z
%s/trace_piperC)	rOrYra�fileno�fcntl�F_GETFL�F_SETFLr�
O_NONBLOCK)r/�nonblockingr!�fls    r�
trace_openzBPF.trace_open�sn��
�~�~�!�/�G�";�T�B�D�N���^�^�*�*�,���[�[��U�]�]�3�����B��
�
�r�B�M�M�/A�B��~�~�rc���	|j|�}|s|ry|jd�r�)|ddj�}|dd}|jd�}	|d|j	�\}}}}|dd}||dzd}|jd�}
||
d	zd}	|t
|�t
|�|t|�|fS#t
$r
}	Yd}	~	��d}	~	wwxYw#t
$r
}	Yd}	~	y
d}	~	wwxYw)z�trace_fields(nonblocking=False)

        Read from the kernel debug trace pipe and return a tuple of the
        fields (task, pid, cpu, flags, timestamp, msg) or None if no
        line was read (nonblocking=True)
        )NNNNNNsCPU:Nr%r�rprrDr")�Unknownrrr�gr�)�trace_readliner��lstrip�findr9r-r�r�)r/r�r��task�ts_endr0r�r��tsr��sym_end�msgs            r�trace_fieldszBPF.trace_fields�s����&�&�{�3�D��K�����w�'�����9�#�#�%�D����9�D��Y�Y�t�_�F�
�&*�7�F�m�&9�&9�&;�#��S�%���a��)�C����
��$�D��i�i��o�G��w��{�|�$�C�
D��c�#�h��C��%��r��C�H�H���
���
���
D�C��
D�s$�B6�"C�6	C	�C	�	C�Cc��|j|�}d}	|jd�j�}|S#t$rY|SwxYw)z�trace_readline(nonblocking=False)

        Read from the kernel debug trace pipe and return one line
        If nonblocking is False, this will block until ctrl-C is pressed.
        Nrw)r��readliner�r�)r/r��tracer�s    rr�zBPF.trace_readlinesS������,����	��>�>�$�'�.�.�0�D�����	����	�s�6�	A�Ac���	|r%|jd��}|s�|j|�}n|jd��}t|�tj
j
��c)atrace_print(self, fmt=None)

        Read from the kernel debug trace pipe and print on stdout.
        If fmt is specified, apply as a format string to the output. See
        trace_fields for the members of the tuple
        example: trace_print(fmt="pid {1}, msg = {5}")
        F)r�)r�r�r��printr'�stdout�flush)r/�fmtr�r�s    r�trace_printzBPF.trace_printsa�����*�*�u�*�=���x�!�s�z�z�6�*���*�*�u�*�=���$�K��J�J����rc��|dkr|dk7rd}|tjvrt|�tj|<tj|S)z�_sym_cache(pid)

        Returns a symbol cache for the specified PID.
        The kernel symbol cache is accessed by providing any PID less than zero.
        rrD)r��_sym_cachesr()r0s r�
_sym_cachezBPF._sym_cache$sD����7�s�b�y��C��c�o�o�%�#.�s�#3�C�O�O�C� ����s�#�#rc���tt|��}|jd�dk7�rXt�}t	�}|j
|_|j|_|j|j_tjtjtj|�tj|��}|dkrf|jrS|jrGd|jtj |jtj"�j$}}
}	n�d|d}}
}	nz|j&|jtj |jtj"�j$}}
}	n)tj)|�j+||�\}	}
}|r|	�d|
znd}
|	xsd}	|	|
z}	|r$|�"dt,j.j1|�znd}|	|zS)	aysym(addr, pid, show_module=False, show_offset=False)

        Translate a memory address into a function name for a pid, which is
        returned. When show_module is True, the module name is also included.
        When show_offset is True, the instruction offset as a hexadecimal
        number is also included in the string.

        A pid of less than zero will access the kernel symbol cache.

        Example output when both show_module and show_offset are True:
            "start_thread+0x202 [libpthread-2.24.so]"

        Example output when both show_module and show_offset are False:
            "start_thread"
        �bpf_stack_build_idrDrNs+0x%xrs	[unknown]s [%s])r�r�r�rr�status�build_idr7�ur�bcc_buildsymcache_resolver��
_bsymcacher+r4r6r,r8r9r<rrBrr%�basename)r=r0�show_module�show_offsetr>�
typeofaddrr?�br@r<r7r6s            rr?zBPF.sym1s���(��d��_�
��?�?�/�0�B�6���#�%�'�!��[�[�!�(��}�}�!�*��{�{�!�#�#�*��-�-�c�n�n�.0�h�h�q�k�.0�h�h�s�m�=�#��1�W��z�z�c�j�j�$(�#�*�*�����
�
�B�K�K�8�>�>�!�6�d�'+�D�$�F�F�d�$'�H�H�c�j�j�$&�G�G�C�J�J����$D�$J�$J�!�&�D�"%����!4�!<�!<�T�8�!L�
�$���&1�d�6F��F�"�C���#�|���f�}���v�1��B�G�G�,�,�V�4�4�7:�	��f�}�rc�4�tj|d||d�S)a�ksym(addr)

        Translate a kernel memory address into a kernel function name, which is
        returned. When show_module is True, the module name ("kernel") is also
        included. When show_offset is true, the instruction offset as a
        hexadecimal number is also included in the string.

        Example output when both show_module and show_offset are True:
            "default_idle+0x0 [kernel]"
        rDF)r�r?)r=rrs   r�ksymzBPF.ksymbs���w�w�t�R��k�5�A�Arc�L�tjd�jd|�S)z�ksymname(name)

        Translate a kernel name into an address. This is the reverse of
        ksym. Returns -1 when the function name is unknown.rDN)r�rrG)r<s rrzBPF.ksymnameps ���~�~�b�!�.�.�t�T�:�:rc�,�t|j�S)z�num_open_kprobes()

        Get the number of open K[ret]probes. Can be useful for scenarios where
        event_re is used while attaching and detaching probes.
        )rVrEr�s r�num_open_kprobeszBPF.num_open_kprobesxs���4�?�?�#�#rc�,�t|j�S)zInum_open_uprobes()

        Get the number of open U[ret]probes.
        )rVrFr�s r�num_open_uprobeszBPF.num_open_uprobes�s��
�4�?�?�#�#rc�,�t|j�S)zLnum_open_tracepoints()

        Get the number of open tracepoints.
        )rVrGr�s r�num_open_tracepointszBPF.num_open_tracepoints�s��
�4�&�&�'�'rc��tjt|j�z�}t	|jj��D]
\}}|||<�t
jt|�||�y)z�perf_buffer_poll(self)

        Poll from all open perf ring buffers, calling the callback that was
        provided when calling open_perf_buffer for each entry.
        N)r+r[rVrLrWr�r�perf_reader_poll)r/�timeout�readersrj�vs     r�perf_buffer_pollzBPF.perf_buffer_poll�sf���;�;��T�%6�%6�!7�7�:���d�/�/�6�6�8�9�	�D�A�q��G�A�J�	����S��\�7�G�<rc��tjt|j�z�}t	|jj��D]
\}}|||<�t
jt|�|�y)z�perf_buffer_consume(self)

        Consume all open perf buffers, regardless of whether or not
        they currently contain events data. Necessary to catch 'remainder'
        events when wakeup_events > 1 is set in open_perf_buffer
        N)r+r[rVrLrWr�r�perf_reader_consume)r/r!rjr"s    r�perf_buffer_consumezBPF.perf_buffer_consume�sd���;�;��T�%6�%6�!7�7�:���d�/�/�6�6�8�9�	�D�A�q��G�A�J�	�����G��g�6rc�&�|j|�y)zMkprobe_poll(self)

        Deprecated. Use perf_buffer_poll instead.
        N)r#�r/r s  r�kprobe_pollzBPF.kprobe_poll�s��
	
���g�&rc���|js4tj|||�|_|jstd��ytj|j|||�}|dkrtd��y)NzCould not open ring bufferr)rNr�bpf_new_ringbufr-�bpf_add_ringbuf)r/r�r��ctx�rets     r�_open_ring_bufferzBPF._open_ring_buffer�sr���$�$�$'�$7�$7���C�$H�D�!��(�(�� <�=�=�)��%�%�d�&;�&;�V�R��M�C��Q�w�� <�=�=�rc�r�|jstd��tj|j|�y)z�ring_buffer_poll(self)

        Poll from all open ringbuf buffers, calling the callback that was
        provided when calling open_ring_buffer for each entry.
        �No ring buffers to pollN)rNr-r�bpf_poll_ringbufr(s  r�ring_buffer_pollzBPF.ring_buffer_poll�s/���$�$��5�6�6����T�2�2�G�<rc�p�|jstd��tj|j�y)a/ring_buffer_consume(self)

        Consume all open ringbuf buffers, regardless of whether or not
        they currently contain events data. This is best for use cases
        where low latency is desired, but it can impact performance.
        If you are unsure, use ring_buffer_poll instead.
        r1N)rNr-r�bpf_consume_ringbufr�s r�ring_buffer_consumezBPF.ring_buffer_consume�s-���$�$��5�6�6����� 5� 5�6rc�*�tj�Sr)r�bcc_free_memoryr�s r�free_bcc_memoryzBPF.free_bcc_memory�s���"�"�$�$rc���	tjtj|j	��y#t
$r!}t
dt|�z�Yd}~yd}~wwxYw)zJadd_module(modname)

        Add a library or exe to buildsym cache
      z&Error adding module to build sym cacheN)r�bcc_buildsymcache_add_moduler�rr=r-rr�)�modnamer�s  r�
add_modulezBPF.add_module�sG��?��(�(�������9I�J��
�?�
�6�s�1�v�=�>�>��?�s�25�	A�A�Ac��y)zthe do nothing exit handlerNrr�s rr�z
BPF.donothing�s�rc��t|jj��D]1\}}tj|j
�|j|=�3|jr'tj|j�d|_yy)zvclose(self)

        Closes all associated files descriptors. Attached BPF programs are not
        detached.
        N)	r�rTrrryr!r6r�bpf_module_destroy)r/r<r�s   rryz	BPF.close�sk���T�Z�Z�-�-�/�0�	!�H�D�"��H�H�R�U�U�O��
�
�4� �	!��;�;��"�"�4�;�;�/��D�K�rc�P�t|jj��D]\}}|j|��t|jj��D]\}}|j|��t|jj��D]\}}|j|��t|jj��D]\}}|j|��t|jj��D]\}}|j|��t|jj��D]\}}|j|��t|jj��D]\}}|j|��t|j j#��}|D]-}t%|j |t&�s�!|j |=�/t|j(j#��D]\}}|j+||��|j,r!|j,j/�d|_|j/�|j0r't3j4|j0�d|_yyr)r�rErr=rFr�rGr�rHrzrIr�rJr�rKr�rUr:r�rrMr�rOryrNr�bpf_free_ringbuf)r/�kr"�
table_keysr�r�r�s       rrRzBPF.cleanup�sA������.�.�0�1�	(�D�A�q��$�$�Q�'�	(�����.�.�0�1�	(�D�A�q��$�$�Q�'�	(���,�,�2�2�4�5�	&�D�A�q��"�"�1�%�	&���0�0�6�6�8�9�	*�D�A�q��&�&�q�)�	*���-�-�3�3�5�6�	!�D�A�q����a� �	!���,�,�2�2�4�5�	$�D�A�q�� � ��#�	$�����+�+�-�.�	�D�A�q��O�O�A��	��$�+�+�*�*�,�-�
��	%�C��$�+�+�c�*�N�;��K�K��$�	%�%)��)>�)>�)C�)C�)E�$F�	7� �W�i��"�"�7�I�6�	7��>�>��N�N� � �"�!�D�N��
�
��� � �� � ��!6�!6�7�$(�D�!�!rc��|Srrr�s r�	__enter__z
BPF.__enter__s���rc�$�|j�yr)rR)r/�exc_type�exc_val�exc_tbs    r�__exit__zBPF.__exit__s�����r)NrD)F)NNN)r)rrrr)rrrrr)rrr)rr)r)rDrDrrrrDrDrD)rDrrDrDrD)rDrD)rrrNrrDr)rrrNrrD)rrNrDr)rrNrD)FFT)FF)rD)�rHrIrJr�r�r�r�r�rQr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r��XDP_FLAGS_UPDATE_IF_NOEXISTr��XDP_FLAGS_SKB_MODEr��XDP_FLAGS_DRV_MODEr��XDP_FLAGS_HW_MODEr��XDP_FLAGS_REPLACEr��compiler�rr�bcc_buildsymcache_newrrrr	r+r�r�CDLL�_librt�
clock_gettimer�c_intr-�argtypes�classmethodrrr
�objectr"�staticmethodr0rAr1ryrur�r�r��c_bool�c_char�c_wchar�c_ubyte�c_short�c_ushort�c_uintr�c_ulong�
c_longlongrE�c_float�c_double�c_longdouble�c_int64�c_uint64r�r�r�r�r�r�r�r�r�r�r�rrrrrrrrr!r#r.r8r=r;rDrGrLrNrWr]rkrmrqrwrzr|r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r`r�r�r�rrr?rrrrrr#r&r)r/r3r6r9r=r�ryrRrFrKrrrr�r�s,�� �-�-�M�
�
�
�F��%�%�I��%�%�I��'�'�J�
�/�/�C��'�'�J��'�'�J��)�)�K�
�
�
�F��!�!�G��#�#�H��#�#�H�
�
�
�F��-�-�M�
�
�
�F� �/�/�N�"�3�3���!�!�G�
�/�/�C��'�'�K��!�!�H��!�!�H�
�
�
�F��)�)�L�"*�"<�"<��!�*�*��!�*�*�� �(�(�� �(�(���"�*�*�-�.�K��K�*��*�*�,�J� ���V�n� �)�,� �	�'��6��N����O�C�2�<�<�C��R�W�W�\�T�
2�F��)�)�N�!�x�x�����H�)=�>�N���	*��	*��
��
� 
�E��6���
��
�����8!$�c��A��R�d�4�#(�N�`$*���@
)�3�P�
��"�)�)�������	�B�J�J��	�"�*�*�	�
	�"�*�*��	�2�;�;�
�	�����	�����	�����	�"�*�*��	�b�m�m��	�r�~�~��	�"�*�*��	�2�;�;��	����� 	�R�Z�Z�!�^�!�"	�b�k�k�A�o�#�I�&�)��)�VU�& �
 � ��&��O��O��O��O��
��
��I��I�VO�
�(��(���
�
�)�0�� �D �D=�D�.�.��-��-�&�
-��
-��%��%�$�����
��
��&��&�$�L�0
(�����
�	��	�����*�)���"�������	��	��D��D�
$�*�CF�EG�:��>�8��I��I��
I��
I��
��
�\�AE�)*�7�rDH���@	%�*�*�3�8�!D�F� �&�
$��
$��.��.�`�B��B��;��;�$�$�(�	=�
7�'�>�=�
7�%��?��?�*��!)�F�rr�)D�
__future__rrP�ctypesr+r�r�rr�rr'r��libbccrrrrr	�tabler
rrr
r�perfr�utilsrrrrr�versionr�disassemblerrrrmrrr��	NameErrorr�rrr r�r%r)ra�exists�
DEBUG_LLVM_IRr�DEBUG_PREPROCESSOR�DEBUG_SOURCEr~�	DEBUG_BTFrYr(rLrVrersr�r�r�r�r�rrr�<module>rws3��&�
����	�	��
��]�]�Y�Y��V�V� �6�%����������
�'�'�,�,�w�	�
*��	�w�w�~�~�g��#�G�
�
��	��������	�)�&�)�V��������8
�
�0(�(�T����P�&�P��}���J��s�2D)�)D3�2D3