From 85a62d6cd8e56c71e3037776907d4b95f85fab7e Mon Sep 17 00:00:00 2001
From: varun-r-mallya
Date: Sat, 1 Nov 2025 08:13:22 +0530
Subject: [PATCH] add example and support unsigned i64
---
 pythonbpf/type_deducer.py | 1 +
 tests/c-form/kprobe.bpf.c | 71 +++++++++++++++++--
 .../vmlinux/register_state_dump.py | 53 ++++++++++++++
 .../vmlinux/struct_field_access.py | 0
 4 files changed, 118 insertions(+), 7 deletions(-)
 create mode 100644 tests/passing_tests/vmlinux/register_state_dump.py
 rename tests/{failing_tests => passing_tests}/vmlinux/struct_field_access.py (100%)
diff --git a/pythonbpf/type_deducer.py b/pythonbpf/type_deducer.py
index 3f9c6a8..a6834a9 100644
--- a/pythonbpf/type_deducer.py
+++ b/pythonbpf/type_deducer.py
@@ -14,6 +14,7 @@ mapping = {
 "c_double": ir.DoubleType(),
 "c_void_p": ir.IntType(64),
 "c_long": ir.IntType(64),
+ "c_ulong": ir.IntType(64),
 "c_longlong": ir.IntType(64),
 # Not so sure about this one
 "str": ir.PointerType(ir.IntType(8)),
diff --git a/tests/c-form/kprobe.bpf.c b/tests/c-form/kprobe.bpf.c
index d2d588d..51d8b49 100644
--- a/tests/c-form/kprobe.bpf.c
+++ b/tests/c-form/kprobe.bpf.c
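Review bot: The added `"c_ulong"` entry maps to the same `ir.IntType(64)` as `"c_long"`, and LLVM integer types carry no signedness, so this table alone cannot make the value unsigned. If later code generation picks signed arithmetic, comparisons or print conversions from the IR type (not visible in this hunk), `pt_regs` fields holding kernel addresses will compare and print as negative numbers. I would record that on the entry, e.g. `# unsigned in C; IntType is signless, so signedness must be tracked separately`, and confirm the consumers of `mapping` do not assume signed. The `mapping` dict starts and ends outside the hunk.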
@@ -2,18 +2,75 @@
 #include
 #include
-char LICENSE[] SEC("license") = "Dual BSD/GPL";
+char LICENSE[] SEC("license") = "GPL";
 SEC("kprobe/do_unlinkat")
 int kprobe_execve(struct pt_regs *ctx)
 {
 bpf_printk("unlinkat created");
- return 0;
-}
-SEC("kretprobe/do_unlinkat")
-int kretprobe_execve(struct pt_regs *ctx)
-{
- bpf_printk("unlinkat returned\n");
+ unsigned long r15 = ctx->r15;
+ bpf_printk("r15: %lld", r15);
+
+ unsigned long r14 = ctx->r14;
+ bpf_printk("r14: %lld", r14);
+
+ unsigned long r13 = ctx->r13;
+ bpf_printk("r13: %lld", r13);
+
+ unsigned long r12 = ctx->r12;
+ bpf_printk("r12: %lld", r12);
+
+ unsigned long bp = ctx->bp;
+ bpf_printk("rbp: %lld", bp);
+
+ unsigned long bx = ctx->bx;
+ bpf_printk("rbx: %lld", bx);
+
+ unsigned long r11 = ctx->r11;
+ bpf_printk("r11: %lld", r11);
+
+ unsigned long r10 = ctx->r10;
+ bpf_printk("r10: %lld", r10);
+
+ unsigned long r9 = ctx->r9;
+ bpf_printk("r9: %lld", r9);
+
+ unsigned long r8 = ctx->r8;
+ bpf_printk("r8: %lld", r8);
+
+ unsigned long ax = ctx->ax;
+ bpf_printk("rax: %lld", ax);
+
+ unsigned long cx = ctx->cx;
+ bpf_printk("rcx: %lld", cx);
+
+ unsigned long dx = ctx->dx;
+ bpf_printk("rdx: %lld", dx);
+
+ unsigned long si = ctx->si;
+ bpf_printk("rsi: %lld", si);
+
+ unsigned long di = ctx->di;
+ bpf_printk("rdi: %lld", di);
+
+ unsigned long orig_ax = ctx->orig_ax;
+ bpf_printk("orig_rax: %lld", orig_ax);
+
+ unsigned long ip = ctx->ip;
+ bpf_printk("rip: %lld", ip);
+
+ unsigned long cs = ctx->cs;
+ bpf_printk("cs: %lld", cs);
+
+ unsigned long flags = ctx->flags;
+ bpf_printk("eflags: %lld", flags);
+
+ unsigned long sp = ctx->sp;
+ bpf_printk("rsp: %lld", sp);
+
+ unsigned long ss = ctx->ss;
+ bpf_printk("ss: %lld", ss);
+
 return 0;
 }
diff --git a/tests/passing_tests/vmlinux/register_state_dump.py b/tests/passing_tests/vmlinux/register_state_dump.py
new file mode 100644
index 0000000..fc9557a
--- /dev/null
+++ b/tests/passing_tests/vmlinux/register_state_dump.py
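Review bot: Every added `bpf_printk` call passes an `unsigned long` to `%lld`, a signed conversion, so any register with the top bit set (`ip`, `sp` and other kernel pointers) shows up as a negative decimal in the trace output. An unsigned or hex conversion fits the declared type and reads better for addresses, e.g. `bpf_printk("rip: %lx", ip);`, applied to all 21 calls. The direct `ctx->r15` … `ctx->ss` accesses also tie this file to the x86-64 `pt_regs` layout, and the output puts raw kernel instruction and stack pointers in front of anything that can read the trace pipe, so a comment at the top of `kprobe_execve` marking it as an x86-64, test-only dump would help.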
@@ -0,0 +1,53 @@
+from pythonbpf import bpf, section, bpfglobal, BPF, trace_pipe
+from pythonbpf import compile # noqa: F401
+from vmlinux import struct_pt_regs
+from ctypes import c_int64, c_int32, c_void_p # noqa: F401
+
+
+@bpf
+@section("kprobe/do_unlinkat")
+def kprobe_execve(ctx: struct_pt_regs) -> c_int64:
+ r15 = ctx.r15
+ r14 = ctx.r14
+ r13 = ctx.r13
+ r12 = ctx.r12
+ bp = ctx.bp
+ bx = ctx.bx
+ r11 = ctx.r11
+ r10 = ctx.r10
+ r9 = ctx.r9
+ r8 = ctx.r8
+ ax = ctx.ax
+ cx = ctx.cx
+ dx = ctx.dx
+ si = ctx.si
+ di = ctx.di
+ orig_ax = ctx.orig_ax
+ ip = ctx.ip
+ cs = ctx.cs
+ flags = ctx.flags
+ sp = ctx.sp
+ ss = ctx.ss
+
+ print(f"r15={r15} r14={r14} r13={r13}")
+ print(f"r12={r12} rbp={bp} rbx={bx}")
+ print(f"r11={r11} r10={r10} r9={r9}")
+ print(f"r8={r8} rax={ax} rcx={cx}")
+ print(f"rdx={dx} rsi={si} rdi={di}")
+ print(f"orig_rax={orig_ax} rip={ip} cs={cs}")
+ print(f"eflags={flags} rsp={sp} ss={ss}")
+
+ return c_int64(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+ return "GPL"
+
+
+b = BPF()
+b.load()
+b.attach_all()
+
+trace_pipe()
diff --git a/tests/failing_tests/vmlinux/struct_field_access.py b/tests/passing_tests/vmlinux/struct_field_access.py
similarity index 100%
rename from tests/failing_tests/vmlinux/struct_field_access.py
rename to tests/passing_tests/vmlinux/struct_field_access.py
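Review bot: `BPF()`, `b.load()`, `b.attach_all()` and `trace_pipe()` run at module top level, so anything that imports or collects this file under `tests/passing_tests` will load and attach a kprobe (which needs elevated privileges) and then presumably block reading the trace pipe. Putting those four calls under `if __name__ == "__main__":` keeps the program definition importable without side effects; how the suite runs these files is not visible here, so confirm it executes them as scripts. A short module docstring should also state that the field names assume the x86-64 `struct_pt_regs` layout and that the printed `rip` and `rsp` values are raw kernel addresses, so the output is for local debugging only.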