strings in predicates failures #198

Closed
brendangregg opened this issue Oct 18, 2018 · 9 comments

@brendangregg
Contributor

There are two invocations here that fail differently, but I think one bug may be responsible.

To start with, this works:

```
# bpftrace -e 'tracepoint:syscalls:sys_enter_write /pid == 23506/ { printf("hi\n"); }'
Attaching 1 probe...
hi
hi
hi
```

That's the PID of a bash shell. Matching on the process name, and including -v:

```
# bpftrace -v -e 'tracepoint:syscalls:sys_enter_write /comm == "bash"/ { printf("hi\n"); }'
Attaching 1 probe...

Error log:
0: (bf) r6 = r1
1: (b7) r1 = 0
2: (7b) *(u64 *)(r10 -16) = r1
3: (7b) *(u64 *)(r10 -24) = r1
4: (bf) r7 = r10
5: (07) r7 += -24
6: (bf) r1 = r7
7: (b7) r2 = 16
8: (85) call bpf_get_current_comm#16
9: (bf) r1 = r10
10: (07) r1 += -5
11: (b7) r2 = 8
12: (bf) r3 = r7
13: (85) call bpf_probe_read#4
invalid stack type R1 off=-5 access_size=8

Error loading program: tracepoint:syscalls:sys_enter_write
```

Ok, looks like an alignment issue of the "bash" string.

Now changing the action performed:

```
# bpftrace -e 'tracepoint:syscalls:sys_enter_write /comm == "bash"/ { printf("%d\n", 123); }'
Attaching 1 probe...
^C
```

This time it compiles, but no events fire.
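An added example, not part of the original issue or of bpftrace: a small Python checker that replays the instruction lines from the error log above and tests each helper call's (r1 pointer, r2 size) pair against the stack bounds the verifier message refers to. It assumes the rule is that the offset is negative, lies within the 512-byte BPF stack, and that offset plus size does not run past the frame pointer; the function name is hypothetical.

```python
import re

MAX_BPF_STACK = 512  # per-program BPF stack size in bytes

# Instruction lines copied from the "Error log" in the issue above.
LOG = """\
0: (bf) r6 = r1
1: (b7) r1 = 0
2: (7b) *(u64 *)(r10 -16) = r1
3: (7b) *(u64 *)(r10 -24) = r1
4: (bf) r7 = r10
5: (07) r7 += -24
6: (bf) r1 = r7
7: (b7) r2 = 16
8: (85) call bpf_get_current_comm#16
9: (bf) r1 = r10
10: (07) r1 += -5
11: (b7) r2 = 8
12: (bf) r3 = r7
13: (85) call bpf_probe_read#4
"""

def check_helper_stack_args(log):
    """Return (insn, helper, off, size, ok) for each call whose r1 is a stack pointer."""
    # fp: register -> offset from r10 (frame pointer); imm: register -> constant
    fp, imm, out = {"r10": 0}, {}, []
    for line in log.splitlines():
        m = re.match(r"(\d+): \(\w\w\) (.+)", line)
        if not m:
            continue
        idx, insn = int(m.group(1)), m.group(2)
        if mv := re.fullmatch(r"(r\d) = (r\d+)", insn):      # register move
            dst, src = mv.groups()
            fp.pop(dst, None); imm.pop(dst, None)
            if src in fp:
                fp[dst] = fp[src]
        elif mv := re.fullmatch(r"(r\d) = (-?\d+)", insn):   # load constant
            fp.pop(mv[1], None)
            imm[mv[1]] = int(mv[2])
        elif mv := re.fullmatch(r"(r\d) \+= (-?\d+)", insn):  # pointer arithmetic
            if mv[1] in fp:
                fp[mv[1]] += int(mv[2])
        elif mv := re.fullmatch(r"call (\w+)#\d+", insn):
            if "r1" in fp and "r2" in imm:
                off, size = fp["r1"], imm["r2"]
                ok = -MAX_BPF_STACK <= off < 0 and size >= 0 and off + size <= 0
                out.append((idx, mv[1], off, size, ok))
            for r in ("r0", "r1", "r2", "r3", "r4", "r5"):  # clobbered by calls
                fp.pop(r, None); imm.pop(r, None)
    return out
```

On this log the `bpf_get_current_comm` call (offset -24, size 16) passes and the `bpf_probe_read` call (offset -5, size 8) is flagged, matching the `R1 off=-5 access_size=8` line the verifier printed.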

@brendangregg added the bug (Something isn't working) label Oct 18, 2018
@mmarchini
Contributor

The problem doesn't seem to be restricted to predicates; using if (comm == "bash") doesn't work either.

@danobi
Member

danobi commented Dec 21, 2018

I'm hitting this as well. Another test case (because more is always better):

```
$ sudo ./build/src/bpftrace -e 'tracepoint:syscalls:sys_enter_read /comm == "a.out"/ { printf("hit\n") }'
chdir(/lib/modules/4.18.9-200.fc28.x86_64/build): No such file or directory
definitions.h:9:3: error: unknown type name 'u64'
definitions.h:11:3: error: unknown type name 'size_t'
Attaching 1 probe...
Error loading program: tracepoint:syscalls:sys_enter_read (try -v)

$ sudo ./build/src/bpftrace -e 'tracepoint:syscalls:sys_enter_read /comm == "a.out"/ { printf("hit %d\n", args->fd) }'
chdir(/lib/modules/4.18.9-200.fc28.x86_64/build): No such file or directory
definitions.h:9:3: error: unknown type name 'u64'
definitions.h:11:3: error: unknown type name 'size_t'
Attaching 1 probe...
^C
```

@danobi
Member

danobi commented Jan 2, 2019

Super annoying bug, working on this now.

@danobi self-assigned this Jan 2, 2019
@mmarchini added this to the 1.0 milestone Jan 14, 2019
@brendangregg modified the milestones: 1.0, 0.9 Jan 16, 2019
@williangaspar
Contributor

@danobi, are you still working on this?

@danobi
Member

danobi commented Jan 28, 2019

@williangaspar it's still on my todo list. Feel free to take it from me if you want.

@tyroguru
Contributor

tyroguru commented Feb 6, 2019

Yes, this is super annoying, so a fix would be good to see soon. We do need more than this though for pattern matching in a predicate. I often need to do the equivalent of 't:syscall:whatever/comm == "hhvm*"/' as I am interested in a range of processes whose name begins with "hhvm". In DTrace you could do something like /strstr(execname, "hhvm") != NULL/ if my memory serves me right.

@williangaspar
Contributor

By the error message, it seems comm is trying to do a jump too far.

@williangaspar self-assigned this Feb 7, 2019
@mmarchini
Contributor

@tyroguru this seems like a useful feature. Do you mind opening another issue for it?

williangaspar added a commit that referenced this issue Feb 8, 2019
navytux pushed a commit to navytux/bpftrace that referenced this issue Feb 8, 2019
navytux pushed a commit to navytux/bpftrace that referenced this issue Feb 8, 2019
@danobi
Member

danobi commented Feb 11, 2019

👍
