Improve user symbol resolution #2386
Conversation
|
CI failed, can you debug it? |
|
I looked into that, one issue is codegen tests, because there is now one more attribute of the usym event (that one is easily fixable), other issue is ustack runtime tests failing with segfault (that one will be a little bit more difficult, since it doesn't happen on my system). Also there is another problem with the PR, that is that the necessary BCC fix was reverted in iovisor/bcc#4270 (it turned that |
lenticularis39
force-pushed
the
even-better-symbol-resolution
branch
from
8133e9d
to
6f969a6
Compare
There was a problem hiding this comment.
Overall, these are very nice changes!
What I'm missing here, though, are better explanations of why the given approaches are necessary - this should appear in the PR description, in commit messages, and in code comments, too. Perhaps even a single-place summary of all the considered scenarios and corresponding solutions could be useful.
lenticularis39
force-pushed
the
even-better-symbol-resolution
branch
from
6f969a6
to
bc4d07e
Compare
|
I opened iovisor/bcc#4319 to implement necessary functionality for the symcache preloading to work correctly. |
lenticularis39
force-pushed
the
even-better-symbol-resolution
branch
2 times, most recently
from
58756c1
to
618cd0e
Compare
lenticularis39
force-pushed
the
even-better-symbol-resolution
branch
2 times, most recently
from
e5f628d
to
5af39fa
Compare
lenticularis39
requested review from
ajor,
danobi,
fbs and
BurntBrunch
as code owners
|
Rebased and changed caching by PID, which is required for per-process symbol cache preloading, to optional (see the last commit for details). |
lenticularis39
requested review from
viktormalik
and removed request for
BurntBrunch,
fbs,
danobi and
ajor
lenticularis39
force-pushed
the
even-better-symbol-resolution
branch
from
5af39fa
to
ae62e0b
Compare
|
I love this PR, thanks so much for doing it - it solves so many problems I've had with user symbols over the years! I'd suggest that we make "PER_PID" the default caching behaviour when ASLR is enabled, and leave it up to users to disable the cache if they feel it's using too much memory.
|
There was a problem hiding this comment.
I also updated the ELF symbol resolution logic to work with addresses with non-zero offsets
Did you have an example of where this was causing symbolication problems? It'd be useful to check that in as a test-case.
I have a slight concern about the impact this pre-caching will have on startup time when tracing huge programs. I'll do a little bit of testing on this to satisfy myself.
The issue is in general
OK. The bcc symcache pre-loading is not a issue, since it only loads the symbols when |
lenticularis39
force-pushed
the
even-better-symbol-resolution
branch
3 times, most recently
from
bcff44b
to
90dddb6
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Oops, I forgot to change the main offset in the test to a more generic pattern, causing the test to fail with a different compiler. |
lenticularis39
force-pushed
the
even-better-symbol-resolution
branch
from
90dddb6
to
ae9abd0
Compare
Extend caching usym tables by program (used when ASLR is disabled) with caching by PID, which is used when ASLR is enabled. Without ASLR all instances of one program share the same memory layout, hence it can be stored once per-program.
lenticularis39
force-pushed
the
even-better-symbol-resolution
branch
from
ae9abd0
to
b37abdd
Compare
In addition to resolving usyms from the running process, an alternative is implemented that reads the program binary via libelf. This is useful for cases when the usym resolution happens after the process exists. This approach does not work for dynamically loaded symbols or processes with ASLR enabled, in these cases usym resolution falls back to using BCC symcache. Implementation notes: - To access the program binary, a "probe id" (distinct from the AST probe id) is generated in resource analyzer, and passed via usym/ustack events into the userspace when the associated perf event fires. If the probe contains only one attach point, and therefore one program, this allows the binary to be identified even for exited processes. - ustack perf event was changed from pid/stack id packed integer to struct to fit the probe id.
While attaching a uprobe using symbol resultions, look for running instances of the program targeted by the uprobe and create a BCC symcache for each of them. This enables bpftrace to resolve usyms for processes running at the time of attaching the probe even when ASLR is on and the process is gone at the time when the print event fires.
Change BPFTRACE_CACHE_USER_SYMBOLS values from 0 and 1 to PER_PID, PER_PROGRAM, and NONE. The values 0 and 1 are still supported, meaning NONE and default (see below), for compatibility. The new default is PER_PROGRAM when ASLR is disabled and PER_PID if ASLR is enabled. NONE option can be used to save memory in case the number of traced processes is high.
Note: test for ASLR enabled is disabled because of race condition, see iovisor/bcc#4319.
Better symbol resolution
lenticularis39
force-pushed
the
even-better-symbol-resolution
branch
from
b37abdd
to
1588195
Compare
|
Rebased and fixed failing test added by #2625. |
Pulls the following versions of BPF packages: - bpftrace: 0.19.1 - libbpf: 1.2.2 - bcc: 0.28-gb8b943a1 (commit b8b943a1) This version of bpftrace speeds up symbol resolution [1] and fixes ustack symbolication on 32-bit systems [2]. [1] bpftrace/bpftrace#2386 [2] iovisor/bcc#4775
Pulls the following versions of BPF packages: - bpftrace: 0.19.1 - libbpf: 1.2.2 - bcc: 0.28-gb8b943a1 (commit b8b943a1) This version of bpftrace speeds up symbol resolution [1] and fixes ustack symbolication on 32-bit systems [2]. [1] bpftrace/bpftrace#2386 [2] iovisor/bcc#4775
This PR contains three related improvements of usym resolution (edit: added purpose of the changes):
The latter two provide a partial fix of #2284.
Checklist
man/adoc/bpftrace.adocand if needed indocs/reference_guide.mdCHANGELOG.md