move a test to passing

vmlinux handler with struct support for only int64 and unsigned uint64 type struct fields.

.gitattributes

@@ -1 +1,3 @@
 tests/c-form/vmlinux.h linguist-vendored
+examples/ linguist-vendored
+BCC-Examples/ linguist-vendored

.github/workflows/python-publish.yml

@@ -33,7 +33,7 @@ jobs:
           python -m build
 
       - name: Upload distributions
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: release-dists
           path: dist/
@@ -59,7 +59,7 @@ jobs:
 
     steps:
       - name: Retrieve release distributions
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: release-dists
           path: dist/

BCC-Examples/hello_fields.ipynb

@@ -0,0 +1,83 @@
+{
+ "cells": [
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "28cf2e27-41e2-461c-a39c-147417141a4e",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from pythonbpf import bpf, section, bpfglobal, BPF, trace_fields\n",
+    "from ctypes import c_void_p, c_int64"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "133190e5-5a99-4585-b6e1-91224ed973c2",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "@bpf\n",
+    "@section(\"tracepoint/syscalls/sys_enter_clone\")\n",
+    "def hello_world(ctx: c_void_p) -> c_int64:\n",
+    "    print(\"Hello, World!\")\n",
+    "    return 0\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@bpfglobal\n",
+    "def LICENSE() -> str:\n",
+    "    return \"GPL\"\n",
+    "\n",
+    "\n",
+    "# Compile and load\n",
+    "b = BPF()\n",
+    "b.load()\n",
+    "b.attach_all()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "d3934efb-4043-4545-ae4c-c50ec40a24fd",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# header\n",
+    "print(f\"{'TIME(s)':<18} {'COMM':<16} {'PID':<6} {'MESSAGE'}\")\n",
+    "\n",
+    "# format output\n",
+    "while True:\n",
+    "    try:\n",
+    "        (task, pid, cpu, flags, ts, msg) = trace_fields()\n",
+    "    except ValueError:\n",
+    "        continue\n",
+    "    except KeyboardInterrupt:\n",
+    "        exit()\n",
+    "    print(f\"{ts:<18} {task:<16} {pid:<6} {msg}\")"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.13.3"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

BCC-Examples/hello_perf_output.ipynb

@@ -0,0 +1,110 @@
+{
+ "cells": [
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "79b74928-f4b4-4320-96e3-d973997de2f4",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from pythonbpf import bpf, map, struct, section, bpfglobal, BPF\n",
+    "from pythonbpf.helper import ktime, pid, comm\n",
+    "from pythonbpf.maps import PerfEventArray\n",
+    "from ctypes import c_void_p, c_int64"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "5bdb0329-ae2d-45e8-808e-5ed5b1374204",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "@bpf\n",
+    "@struct\n",
+    "class data_t:\n",
+    "    pid: c_int64\n",
+    "    ts: c_int64\n",
+    "    comm: str(16)\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@map\n",
+    "def events() -> PerfEventArray:\n",
+    "    return PerfEventArray(key_size=c_int64, value_size=c_int64)\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@section(\"tracepoint/syscalls/sys_enter_clone\")\n",
+    "def hello(ctx: c_void_p) -> c_int64:\n",
+    "    dataobj = data_t()\n",
+    "    dataobj.pid, dataobj.ts = pid(), ktime()\n",
+    "    comm(dataobj.comm)\n",
+    "    events.output(dataobj)\n",
+    "    return 0\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@bpfglobal\n",
+    "def LICENSE() -> str:\n",
+    "    return \"GPL\"\n",
+    "\n",
+    "\n",
+    "# Compile and load\n",
+    "b = BPF()\n",
+    "b.load()\n",
+    "b.attach_all()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "4bcc7d57-6cc4-48a3-bbd2-42ad6263afdf",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "start = 0\n",
+    "\n",
+    "\n",
+    "def callback(cpu, event):\n",
+    "    global start\n",
+    "    if start == 0:\n",
+    "        start = event.ts\n",
+    "    ts = (event.ts - start) / 1e9\n",
+    "    print(f\"[CPU {cpu}] PID: {event.pid}, TS: {ts}, COMM: {event.comm.decode()}\")\n",
+    "\n",
+    "\n",
+    "perf = b[\"events\"].open_perf_buffer(callback, struct_name=\"data_t\")\n",
+    "print(\"Starting to poll... (Ctrl+C to stop)\")\n",
+    "print(\"Try running: fork() or clone() system calls to trigger events\")\n",
+    "\n",
+    "try:\n",
+    "    while True:\n",
+    "        b[\"events\"].poll(1000)\n",
+    "except KeyboardInterrupt:\n",
+    "    print(\"Stopping...\")"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.13.3"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

BCC-Examples/hello_world.ipynb

@@ -0,0 +1,116 @@
+{
+ "cells": [
+  {
+   "cell_type": "code",
+   "execution_count": 9,
+   "id": "7d5d3cfb-39ba-4516-9856-b3bed47a0cef",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from pythonbpf import bpf, section, bpfglobal, BPF, trace_pipe\n",
+    "from ctypes import c_void_p, c_int64"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 10,
+   "id": "cf1c87aa-e173-4156-8f2d-762225bc6d19",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "@bpf\n",
+    "@section(\"tracepoint/syscalls/sys_enter_clone\")\n",
+    "def hello_world(ctx: c_void_p) -> c_int64:\n",
+    "    print(\"Hello, World!\")\n",
+    "    return 0\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@bpfglobal\n",
+    "def LICENSE() -> str:\n",
+    "    return \"GPL\"\n",
+    "\n",
+    "\n",
+    "b = BPF()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "bd81383d-f75a-4269-8451-3d985d85b124",
+   "metadata": {
+    "scrolled": true
+   },
+   "outputs": [
+    {
+     "name": "stdout",
+     "output_type": "stream",
+     "text": [
+      "      Cache2 I/O-4716    [003] ...21  8218.000492: bpf_trace_printk: count: 11 with 4716\n",
+      "\n",
+      "      Cache2 I/O-4716    [003] ...21  8218.000499: bpf_trace_printk: Hello, World!\n",
+      "\n",
+      "   WebExtensions-5168    [002] ...21  8219.320392: bpf_trace_printk: count: 13 with 5168\n",
+      "\n",
+      "   WebExtensions-5168    [002] ...21  8219.320399: bpf_trace_printk: Hello, World!\n",
+      "\n",
+      "          python-21155   [001] ...21  8220.933716: bpf_trace_printk: count: 5 with 21155\n",
+      "\n",
+      "          python-21155   [001] ...21  8220.933721: bpf_trace_printk: Hello, World!\n",
+      "\n",
+      "          python-21155   [002] ...21  8221.341290: bpf_trace_printk: count: 6 with 21155\n",
+      "\n",
+      "          python-21155   [002] ...21  8221.341295: bpf_trace_printk: Hello, World!\n",
+      "\n",
+      " Isolated Web Co-5462    [000] ...21  8223.095033: bpf_trace_printk: count: 7 with 5462\n",
+      "\n",
+      " Isolated Web Co-5462    [000] ...21  8223.095043: bpf_trace_printk: Hello, World!\n",
+      "\n",
+      "         firefox-4542    [000] ...21  8227.760067: bpf_trace_printk: count: 8 with 4542\n",
+      "\n",
+      "         firefox-4542    [000] ...21  8227.760080: bpf_trace_printk: Hello, World!\n",
+      "\n",
+      " Isolated Web Co-12404   [003] ...21  8227.917086: bpf_trace_printk: count: 7 with 12404\n",
+      "\n",
+      " Isolated Web Co-12404   [003] ...21  8227.917095: bpf_trace_printk: Hello, World!\n",
+      "\n"
+     ]
+    }
+   ],
+   "source": [
+    "b.load()\n",
+    "b.attach_all()\n",
+    "trace_pipe()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "01e1f25b-decc-425b-a1aa-a5e701082574",
+   "metadata": {},
+   "outputs": [],
+   "source": []
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.13.3"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

BCC-Examples/sync_count.ipynb

@@ -0,0 +1,107 @@
+{
+ "cells": [
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "dcab010c-f5e9-446f-9f9f-056cc794ad14",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from pythonbpf import bpf, map, section, bpfglobal, BPF, trace_fields\n",
+    "from pythonbpf.helper import ktime\n",
+    "from pythonbpf.maps import HashMap\n",
+    "\n",
+    "from ctypes import c_void_p, c_int64"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "720797e8-9c81-4af6-a385-80f1ec4c0f15",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "@bpf\n",
+    "@map\n",
+    "def last() -> HashMap:\n",
+    "    return HashMap(key=c_int64, value=c_int64, max_entries=2)\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@section(\"tracepoint/syscalls/sys_enter_sync\")\n",
+    "def do_trace(ctx: c_void_p) -> c_int64:\n",
+    "    ts_key, cnt_key = 0, 1\n",
+    "    tsp, cntp = last.lookup(ts_key), last.lookup(cnt_key)\n",
+    "    if not cntp:\n",
+    "        last.update(cnt_key, 0)\n",
+    "        cntp = last.lookup(cnt_key)\n",
+    "    if tsp:\n",
+    "        delta = ktime() - tsp\n",
+    "        if delta < 1000000000:\n",
+    "            time_ms = delta // 1000000\n",
+    "            print(f\"{time_ms} {cntp}\")\n",
+    "        last.delete(ts_key)\n",
+    "    else:\n",
+    "        last.update(ts_key, ktime())\n",
+    "    last.update(cnt_key, cntp + 1)\n",
+    "    return 0\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@bpfglobal\n",
+    "def LICENSE() -> str:\n",
+    "    return \"GPL\"\n",
+    "\n",
+    "\n",
+    "# Compile and load\n",
+    "b = BPF()\n",
+    "b.load()\n",
+    "b.attach_all()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "78a8b82c-7c5f-43c1-9de1-cd982a0f345b",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "print(\"Tracing for quick sync's... Ctrl-C to end\")\n",
+    "\n",
+    "# format output\n",
+    "start = 0\n",
+    "while True:\n",
+    "    try:\n",
+    "        task, pid, cpu, flags, ts, msg = trace_fields()\n",
+    "        if start == 0:\n",
+    "            start = ts\n",
+    "        ts -= start\n",
+    "        ms, cnt = msg.split()\n",
+    "        print(f\"At time {ts} s: Multiple syncs detected, last {ms} ms ago. Count {cnt}\")\n",
+    "    except KeyboardInterrupt:\n",
+    "        exit()"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.13.3"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

BCC-Examples/sync_perf_output.ipynb

@@ -0,0 +1,134 @@
+{
+ "cells": [
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "b0d1ab05-0c1f-4578-9c1b-568202b95a5c",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from pythonbpf import bpf, map, struct, section, bpfglobal, BPF\n",
+    "from pythonbpf.helper import ktime\n",
+    "from pythonbpf.maps import HashMap, PerfEventArray\n",
+    "from ctypes import c_void_p, c_int64"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "85e50d0a-f9d8-468f-8e03-f5f7128f05d8",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "@bpf\n",
+    "@struct\n",
+    "class data_t:\n",
+    "    ts: c_int64\n",
+    "    ms: c_int64\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@map\n",
+    "def events() -> PerfEventArray:\n",
+    "    return PerfEventArray(key_size=c_int64, value_size=c_int64)\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@map\n",
+    "def last() -> HashMap:\n",
+    "    return HashMap(key=c_int64, value=c_int64, max_entries=1)\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@section(\"tracepoint/syscalls/sys_enter_sync\")\n",
+    "def do_trace(ctx: c_void_p) -> c_int64:\n",
+    "    dat, dat.ts, key = data_t(), ktime(), 0\n",
+    "    tsp = last.lookup(key)\n",
+    "    if tsp:\n",
+    "        delta = ktime() - tsp\n",
+    "        if delta < 1000000000:\n",
+    "            dat.ms = delta // 1000000\n",
+    "            events.output(dat)\n",
+    "        last.delete(key)\n",
+    "    else:\n",
+    "        last.update(key, ktime())\n",
+    "    return 0\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@bpfglobal\n",
+    "def LICENSE() -> str:\n",
+    "    return \"GPL\"\n",
+    "\n",
+    "\n",
+    "# Compile and load\n",
+    "b = BPF()\n",
+    "b.load()\n",
+    "b.attach_all()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "40bb1107-369f-4be7-9f10-37201900c16b",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "print(\"Tracing for quick sync's... Ctrl-C to end\")\n",
+    "\n",
+    "# format output\n",
+    "start = 0\n",
+    "\n",
+    "\n",
+    "def callback(cpu, event):\n",
+    "    global start\n",
+    "    if start == 0:\n",
+    "        start = event.ts\n",
+    "    event.ts -= start\n",
+    "    print(\n",
+    "        f\"At time {event.ts / 1e9} s: Multiple sync detected, Last sync: {event.ms} ms ago\"\n",
+    "    )\n",
+    "\n",
+    "\n",
+    "perf = b[\"events\"].open_perf_buffer(callback, struct_name=\"data_t\")\n",
+    "print(\"Starting to poll... (Ctrl+C to stop)\")\n",
+    "print(\"Try running: fork() or clone() system calls to trigger events\")\n",
+    "\n",
+    "try:\n",
+    "    while True:\n",
+    "        b[\"events\"].poll(1000)\n",
+    "except KeyboardInterrupt:\n",
+    "    print(\"Stopping...\")"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "94a588d9-3a40-437c-a35b-fc40410f3eb7",
+   "metadata": {},
+   "outputs": [],
+   "source": []
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.13.3"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

BCC-Examples/sync_perf_output.py

@@ -1,7 +1,6 @@
 from pythonbpf import bpf, map, struct, section, bpfglobal, BPF
 from pythonbpf.helper import ktime
-from pythonbpf.maps import HashMap
+from pythonbpf.maps import HashMap, PerfEventArray
-from pythonbpf.maps import PerfEventArray
 from ctypes import c_void_p, c_int64
 
 

BCC-Examples/sync_timing.ipynb

@@ -0,0 +1,102 @@
+{
+ "cells": [
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "bfe01ceb-2f27-41b3-b3ba-50ec65cfddda",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from pythonbpf import bpf, map, section, bpfglobal, BPF, trace_fields\n",
+    "from pythonbpf.helper import ktime\n",
+    "from pythonbpf.maps import HashMap\n",
+    "\n",
+    "from ctypes import c_void_p, c_int64"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "ddb115f4-20a7-43bc-bb5b-ccbfd6031fc2",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "@bpf\n",
+    "@map\n",
+    "def last() -> HashMap:\n",
+    "    return HashMap(key=c_int64, value=c_int64, max_entries=1)\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@section(\"tracepoint/syscalls/sys_enter_sync\")\n",
+    "def do_trace(ctx: c_void_p) -> c_int64:\n",
+    "    key = 0\n",
+    "    tsp = last.lookup(key)\n",
+    "    if tsp:\n",
+    "        delta = ktime() - tsp\n",
+    "        if delta < 1000000000:\n",
+    "            time_ms = delta // 1000000\n",
+    "            print(f\"{time_ms}\")\n",
+    "        last.delete(key)\n",
+    "    else:\n",
+    "        last.update(key, ktime())\n",
+    "    return 0\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@bpfglobal\n",
+    "def LICENSE() -> str:\n",
+    "    return \"GPL\"\n",
+    "\n",
+    "\n",
+    "# Compile and load\n",
+    "b = BPF()\n",
+    "b.load()\n",
+    "b.attach_all()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "e4f46574-9fd8-46e7-9c7b-27a36d07f200",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "print(\"Tracing for quick sync's... Ctrl-C to end\")\n",
+    "\n",
+    "# format output\n",
+    "start = 0\n",
+    "while True:\n",
+    "    try:\n",
+    "        task, pid, cpu, flags, ts, ms = trace_fields()\n",
+    "        if start == 0:\n",
+    "            start = ts\n",
+    "        ts -= start\n",
+    "        print(f\"At time {ts} s: Multiple syncs detected, last {ms} ms ago\")\n",
+    "    except KeyboardInterrupt:\n",
+    "        exit()"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.13.3"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

BCC-Examples/sys_sync.ipynb

@@ -0,0 +1,73 @@
+{
+ "cells": [
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "bb49598f-b9cc-4ea8-8391-923cad513711",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from pythonbpf import bpf, section, bpfglobal, BPF, trace_pipe\n",
+    "from ctypes import c_void_p, c_int64"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "5da237b0-1c7d-4ec5-8c24-696b1c1d97fa",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "@bpf\n",
+    "@section(\"tracepoint/syscalls/sys_enter_sync\")\n",
+    "def hello_world(ctx: c_void_p) -> c_int64:\n",
+    "    print(\"sys_sync() called\")\n",
+    "    return 0\n",
+    "\n",
+    "\n",
+    "@bpf\n",
+    "@bpfglobal\n",
+    "def LICENSE() -> str:\n",
+    "    return \"GPL\"\n",
+    "\n",
+    "\n",
+    "# Compile and load\n",
+    "b = BPF()\n",
+    "b.load()\n",
+    "b.attach_all()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "e4c218ac-fe47-4fd1-a27b-c07e02f3cd05",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "print(\"Tracing sys_sync()... Ctrl-C to end.\")\n",
+    "trace_pipe()"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.13.3"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

examples/binops_demo.py

@@ -21,17 +21,17 @@ def last() -> HashMap:
 @section("tracepoint/syscalls/sys_enter_execve")
 def do_trace(ctx: c_void_p) -> c_int64:
     key = 0
-    tsp = last().lookup(key)
+    tsp = last.lookup(key)
     if tsp:
         kt = ktime()
         delta = kt - tsp
         if delta < 1000000000:
             time_ms = delta // 1000000
             print(f"Execve syscall entered within last second, last {time_ms} ms ago")
-        last().delete(key)
+        last.delete(key)
     else:
         kt = ktime()
-        last().update(key, kt)
+        last.update(key, kt)
     return c_int64(0)
 
 

examples/clone_plot.py

@@ -3,7 +3,6 @@ import time
 from pythonbpf import bpf, map, section, bpfglobal, BPF
 from pythonbpf.helper import pid
 from pythonbpf.maps import HashMap
-from pylibbpf import BpfMap
 from ctypes import c_void_p, c_int64, c_uint64, c_int32
 import matplotlib.pyplot as plt
 
@@ -26,14 +25,14 @@ def hist() -> HashMap:
 def hello(ctx: c_void_p) -> c_int64:
     process_id = pid()
     one = 1
-    prev = hist().lookup(process_id)
+    prev = hist.lookup(process_id)
     if prev:
         previous_value = prev + 1
         print(f"count: {previous_value} with {process_id}")
-        hist().update(process_id, previous_value)
+        hist.update(process_id, previous_value)
         return c_int64(0)
     else:
-        hist().update(process_id, one)
+        hist.update(process_id, one)
     return c_int64(0)
 
 
@@ -44,12 +43,12 @@ def LICENSE() -> str:
 
 
 b = BPF()
-b.load_and_attach()
+b.load()
-hist = BpfMap(b, hist)
+b.attach_all()
 print("Recording")
 time.sleep(10)
 
-counts = list(hist.values())
+counts = list(b["hist"].values())
 
 plt.hist(counts, bins=20)
 plt.xlabel("Clone calls per PID")

examples/hello_world.py

@@ -1,4 +1,4 @@
-from pythonbpf import bpf, section, bpfglobal, BPF
+from pythonbpf import bpf, section, bpfglobal, BPF, trace_pipe
 from ctypes import c_void_p, c_int64
 
 # Instructions to how to run this program
@@ -21,10 +21,6 @@ def LICENSE() -> str:
 
 
 b = BPF()
-b.load_and_attach()
+b.load()
-if b.is_loaded() and b.is_attached():
+b.attach_all()
-    print("Successfully loaded and attached")
+trace_pipe()
-else:
-    print("Could not load successfully")
-
-# Now cat /sys/kernel/debug/tracing/trace_pipe to see results of the execve syscall.

examples/kprobes.py

@@ -1,4 +1,4 @@
-from pythonbpf import bpf, section, bpfglobal, BPF
+from pythonbpf import bpf, section, bpfglobal, BPF, trace_pipe
 from ctypes import c_void_p, c_int64
 
 
@@ -23,7 +23,7 @@ def LICENSE() -> str:
 
 
 b = BPF()
-b.load_and_attach()
+b.load()
-while True:
+b.attach_all()
-    print("running")
+print("running")
-# Now cat /sys/kernel/debug/tracing/trace_pipe to see results of unlink kprobe.
+trace_pipe()

examples/xdp_pass.py

@@ -23,14 +23,14 @@ def count() -> HashMap:
 def hello_world(ctx: c_void_p) -> c_int64:
     key = 0
     one = 1
-    prev = count().lookup(key)
+    prev = count.lookup(key)
     if prev:
         prevval = prev + 1
         print(f"count: {prevval}")
-        count().update(key, prevval)
+        count.update(key, prevval)
         return XDP_PASS
     else:
-        count().update(key, one)
+        count.update(key, one)
 
     return XDP_PASS
 

pythonbpf/allocation_pass.py

@@ -1,6 +1,6 @@
 import ast
 import logging
-
+import ctypes
 from llvmlite import ir
 from .local_symbol import LocalSymbol
 from pythonbpf.helper import HelperHandlerRegistry
@@ -81,7 +81,7 @@ def _allocate_for_call(builder, var_name, rval, local_sym_tab, structs_sym_tab):
         call_type = rval.func.id
 
         # C type constructors
-        if call_type in ("c_int32", "c_int64", "c_uint32", "c_uint64"):
+        if call_type in ("c_int32", "c_int64", "c_uint32", "c_uint64", "c_void_p"):
             ir_type = ctypes_to_ir(call_type)
             var = builder.alloca(ir_type, name=var_name)
             var.align = ir_type.width // 8
@@ -242,19 +242,65 @@ def _allocate_for_attribute(builder, var_name, rval, local_sym_tab, structs_sym_
             )
             field_ir, field = field_type
             # TODO: For now, we only support integer type allocations.
+            # This always assumes first argument of function to be the context struct
+            base_ptr = builder.function.args[0]
+            local_sym_tab[
+                struct_var
+            ].var = base_ptr  # This is repurposing of var to store the pointer of the base type
+            local_sym_tab[struct_var].ir_type = field_ir
 
-            # loaded_value = builder.load(field_ir, align=8)
+            # Determine the actual IR type based on the field's type
-            # #TODO: fatal flaw that this always assumes first argument of function to be the context of what this gets.
+            actual_ir_type = None
-            # base_ptr = builder.function.args[0]
-            # gep_result = builder.gep(
-            #     base_ptr,
-            #     [loaded_value],
-            #     inbounds=False,  # Not using inbounds GEP
-            # )
-            # print("DEBB", loaded_value, base_ptr, gep_result)
-            # Use i64 for allocation since that's what the global variable contains
 
-            actual_ir_type = ir.IntType(64)
+            # Check if it's a ctypes primitive
+            if field.type.__module__ == ctypes.__name__:
+                try:
+                    field_size_bytes = ctypes.sizeof(field.type)
+                    field_size_bits = field_size_bytes * 8
+
+                    if field_size_bits in [8, 16, 32, 64]:
+                        # Special case: struct_xdp_md i32 fields should allocate as i64
+                        # because load_ctx_field will zero-extend them to i64
+                        if (
+                            vmlinux_struct_name == "struct_xdp_md"
+                            and field_size_bits == 32
+                        ):
+                            actual_ir_type = ir.IntType(64)
+                            logger.info(
+                                f"Allocating {var_name} as i64 for i32 field from struct_xdp_md.{field_name} "
+                                "(will be zero-extended during load)"
+                            )
+                        else:
+                            actual_ir_type = ir.IntType(field_size_bits)
+                    else:
+                        logger.warning(
+                            f"Unusual field size {field_size_bits} bits for {field_name}"
+                        )
+                        actual_ir_type = ir.IntType(64)
+                except Exception as e:
+                    logger.warning(
+                        f"Could not determine size for ctypes field {field_name}: {e}"
+                    )
+                    actual_ir_type = ir.IntType(64)
+
+            # Check if it's a nested vmlinux struct or complex type
+            elif field.type.__module__ == "vmlinux":
+                # For pointers to structs, use pointer type (64-bit)
+                if field.ctype_complex_type is not None and issubclass(
+                    field.ctype_complex_type, ctypes._Pointer
+                ):
+                    actual_ir_type = ir.IntType(64)  # Pointer is always 64-bit
+                # For embedded structs, this is more complex - might need different handling
+                else:
+                    logger.warning(
+                        f"Field {field_name} is a nested vmlinux struct, using i64 for now"
+                    )
+                    actual_ir_type = ir.IntType(64)
+            else:
+                logger.warning(
+                    f"Unknown field type module {field.type.__module__} for {field_name}"
+                )
+                actual_ir_type = ir.IntType(64)
 
             # Allocate with the actual IR type, not the GlobalVariable
             var = _allocate_with_type(builder, var_name, actual_ir_type)

pythonbpf/assign_pass.py

@@ -3,6 +3,8 @@ import logging
 from llvmlite import ir
 from pythonbpf.expr import eval_expr
 from pythonbpf.helper import emit_probe_read_kernel_str_call
+from pythonbpf.type_deducer import ctypes_to_ir
+from pythonbpf.vmlinux_parser.dependency_node import Field
 
 logger = logging.getLogger(__name__)
 
@@ -148,7 +150,33 @@ def handle_variable_assignment(
     val, val_type = val_result
     logger.info(f"Evaluated value for {var_name}: {val} of type {val_type}, {var_type}")
     if val_type != var_type:
-        if isinstance(val_type, ir.IntType) and isinstance(var_type, ir.IntType):
+        if isinstance(val_type, Field):
+            logger.info("Handling assignment to struct field")
+            # Special handling for struct_xdp_md i32 fields that are zero-extended to i64
+            # The load_ctx_field already extended them, so val is i64 but val_type.type shows c_uint
+            if (
+                hasattr(val_type, "type")
+                and val_type.type.__name__ == "c_uint"
+                and isinstance(var_type, ir.IntType)
+                and var_type.width == 64
+            ):
+                # This is the struct_xdp_md case - value is already i64
+                builder.store(val, var_ptr)
+                logger.info(
+                    f"Assigned zero-extended struct_xdp_md i32 field to {var_name} (i64)"
+                )
+                return True
+            # TODO: handling only ctype struct fields for now. Handle other stuff too later.
+            elif var_type == ctypes_to_ir(val_type.type.__name__):
+                builder.store(val, var_ptr)
+                logger.info(f"Assigned ctype struct field to {var_name}")
+                return True
+            else:
+                logger.error(
+                    f"Failed to assign ctype struct field to {var_name}: {val_type} != {var_type}"
+                )
+                return False
+        elif isinstance(val_type, ir.IntType) and isinstance(var_type, ir.IntType):
             # Allow implicit int widening
             if val_type.width < var_type.width:
                 val = builder.sext(val, var_type)

pythonbpf/codegen.py

@@ -157,7 +157,7 @@ def compile_to_ir(filename: str, output: str, loglevel=logging.INFO):
 
     module.add_named_metadata("llvm.ident", [f"PythonBPF {VERSION}"])
 
-    module_string = finalize_module(str(module))
+    module_string: str = finalize_module(str(module))
 
     logger.info(f"IR written to {output}")
     with open(output, "w") as f:

pythonbpf/debuginfo/debug_info_generator.py

@@ -184,3 +184,83 @@ class DebugInfoGenerator:
             "DIGlobalVariableExpression",
             {"var": global_var, "expr": self.module.add_debug_info("DIExpression", {})},
         )
+
+    def get_int64_type(self):
+        return self.get_basic_type("long", 64, dc.DW_ATE_signed)
+
+    def create_subroutine_type(self, return_type, param_types):
+        """
+        Create a DISubroutineType given return type and list of parameter types.
+        Equivalent to: !DISubroutineType(types: !{ret, args...})
+        """
+        type_array = [return_type]
+        if isinstance(param_types, (list, tuple)):
+            type_array.extend(param_types)
+        else:
+            type_array.append(param_types)
+        return self.module.add_debug_info("DISubroutineType", {"types": type_array})
+
+    def create_local_variable_debug_info(
+        self, name: str, arg: int, var_type: Any
+    ) -> Any:
+        """
+        Create debug info for a local variable (DILocalVariable) without scope.
+        Example:
+        !DILocalVariable(name: "ctx", arg: 1, file: !3, line: 20, type: !7)
+        """
+        return self.module.add_debug_info(
+            "DILocalVariable",
+            {
+                "name": name,
+                "arg": arg,
+                "file": self.module._file_metadata,
+                "type": var_type,
+            },
+        )
+
+    def add_scope_to_local_variable(self, local_variable_debug_info, scope_value):
+        """
+        Add scope information to an existing local variable debug info object.
+        """
+        # TODO: this is a workaround a flaw in the debug info generation. Fix this if possible in the future.
+        # We should not be touching llvmlite's internals like this.
+        if hasattr(local_variable_debug_info, "operands"):
+            # LLVM metadata operands is a tuple, so we need to rebuild it
+            existing_operands = local_variable_debug_info.operands
+
+            # Convert tuple to list, add scope, convert back to tuple
+            operands_list = list(existing_operands)
+            operands_list.append(("scope", scope_value))
+
+            # Reassign the new tuple
+            local_variable_debug_info.operands = tuple(operands_list)
+
+    def create_subprogram(
+        self, name: str, subroutine_type: Any, retained_nodes: List[Any]
+    ) -> Any:
+        """
+        Create a DISubprogram for a function.
+
+        Args:
+            name: Function name
+            subroutine_type: DISubroutineType for the function signature
+            retained_nodes: List of DILocalVariable nodes for function parameters/variables
+
+        Returns:
+            DISubprogram metadata
+        """
+        return self.module.add_debug_info(
+            "DISubprogram",
+            {
+                "name": name,
+                "scope": self.module._file_metadata,
+                "file": self.module._file_metadata,
+                "type": subroutine_type,
+                # TODO: the following flags do not exist at the moment in our dwarf constants file. We need to add them.
+                # "flags": dc.DW_FLAG_Prototyped | dc.DW_FLAG_AllCallsDescribed,
+                # "spFlags": dc.DW_SPFLAG_Definition | dc.DW_SPFLAG_Optimized,
+                "unit": self.module._debug_compile_unit,
+                "retainedNodes": retained_nodes,
+            },
+            is_distinct=True,
+        )

pythonbpf/expr/expr_pass.py

@@ -12,6 +12,7 @@ from .type_normalization import (
     get_base_type_and_depth,
     deref_to_depth,
 )
+from pythonbpf.vmlinux_parser.assignment_info import Field
 from .vmlinux_registry import VmlinuxHandlerRegistry
 
 logger: Logger = logging.getLogger(__name__)
@@ -279,16 +280,45 @@ def _handle_ctypes_call(
     call_type = expr.func.id
     expected_type = ctypes_to_ir(call_type)
 
-    if val[1] != expected_type:
+    # Extract the actual IR value and type
+    # val could be (value, ir_type) or (value, Field)
+    value, val_type = val
+
+    # If val_type is a Field object (from vmlinux struct), get the actual IR type of the value
+    if isinstance(val_type, Field):
+        # The value is already the correct IR value (potentially zero-extended)
+        # Get the IR type from the value itself
+        actual_ir_type = value.type
+        logger.info(
+            f"Converting vmlinux field {val_type.name} (IR type: {actual_ir_type}) to {call_type}"
+        )
+    else:
+        actual_ir_type = val_type
+
+    if actual_ir_type != expected_type:
         # NOTE: We are only considering casting to and from int types for now
-        if isinstance(val[1], ir.IntType) and isinstance(expected_type, ir.IntType):
+        if isinstance(actual_ir_type, ir.IntType) and isinstance(
-            if val[1].width < expected_type.width:
+            expected_type, ir.IntType
-                val = (builder.sext(val[0], expected_type), expected_type)
+        ):
+            if actual_ir_type.width < expected_type.width:
+                value = builder.sext(value, expected_type)
+                logger.info(
+                    f"Sign-extended from i{actual_ir_type.width} to i{expected_type.width}"
+                )
+            elif actual_ir_type.width > expected_type.width:
+                value = builder.trunc(value, expected_type)
+                logger.info(
+                    f"Truncated from i{actual_ir_type.width} to i{expected_type.width}"
+                )
             else:
-                val = (builder.trunc(val[0], expected_type), expected_type)
+                # Same width, just use as-is (e.g., both i64)
+                pass
         else:
-            raise ValueError(f"Type mismatch: expected {expected_type}, got {val[1]}")
+            raise ValueError(
-    return val
+                f"Type mismatch: expected {expected_type}, got {actual_ir_type} (original type: {val_type})"
+            )
+
+    return value, expected_type
 
 
 def _handle_compare(

pythonbpf/expr/vmlinux_registry.py

@@ -39,6 +39,12 @@ class VmlinuxHandlerRegistry:
             )
         return None
 
+    @classmethod
+    def get_struct_debug_info(cls, name):
+        if cls._handler is None:
+            return False
+        return cls._handler.get_struct_debug_info(name)
+
     @classmethod
     def is_vmlinux_struct(cls, name):
         """Check if a name refers to a vmlinux struct"""

pythonbpf/functions/function_debug_info.py

@@ -0,0 +1,82 @@
+import ast
+
+import llvmlite.ir as ir
+import logging
+from pythonbpf.debuginfo import DebugInfoGenerator
+from pythonbpf.expr import VmlinuxHandlerRegistry
+import ctypes
+
+logger = logging.getLogger(__name__)
+
+
+def generate_function_debug_info(
+    func_node: ast.FunctionDef, module: ir.Module, func: ir.Function
+):
+    generator = DebugInfoGenerator(module)
+    leading_argument = func_node.args.args[0]
+    leading_argument_name = leading_argument.arg
+    annotation = leading_argument.annotation
+    if func_node.returns is None:
+        # TODO: should check if this logic is consistent with function return type handling elsewhere
+        return_type = ctypes.c_int64()
+    elif hasattr(func_node.returns, "id"):
+        return_type = func_node.returns.id
+        if return_type == "c_int32":
+            return_type = generator.get_int32_type()
+        elif return_type == "c_int64":
+            return_type = generator.get_int64_type()
+        elif return_type == "c_uint32":
+            return_type = generator.get_uint32_type()
+        elif return_type == "c_uint64":
+            return_type = generator.get_uint64_type()
+        else:
+            logger.warning(
+                "Return type should be int32, int64, uint32 or uint64 only. Falling back to int64"
+            )
+            return_type = generator.get_int64_type()
+    else:
+        return_type = ctypes.c_int64()
+    # context processing
+    if annotation is None:
+        logger.warning("Type of context of function not found.")
+        return
+    if hasattr(annotation, "id"):
+        ctype_name = annotation.id
+        if ctype_name == "c_void_p":
+            return
+        elif ctype_name.startswith("ctypes"):
+            raise SyntaxError(
+                "The first argument should always be a pointer to a struct or a void pointer"
+            )
+        context_debug_info = VmlinuxHandlerRegistry.get_struct_debug_info(annotation.id)
+
+        # Create pointer to context this must be created fresh for each function
+        # to avoid circular reference issues when the same struct is used in multiple functions
+        pointer_to_context_debug_info = generator.create_pointer_type(
+            context_debug_info, 64
+        )
+
+        # Create subroutine type - also fresh for each function
+        subroutine_type = generator.create_subroutine_type(
+            return_type, pointer_to_context_debug_info
+        )
+
+        # Create local variable - fresh for each function with unique name
+        context_local_variable = generator.create_local_variable_debug_info(
+            leading_argument_name, 1, pointer_to_context_debug_info
+        )
+
+        retained_nodes = [context_local_variable]
+        logger.info(f"Generating debug info for function {func_node.name}")
+
+        # Create subprogram with is_distinct=True to ensure each function gets unique debug info
+        subprogram_debug_info = generator.create_subprogram(
+            func_node.name, subroutine_type, retained_nodes
+        )
+        generator.add_scope_to_local_variable(
+            context_local_variable, subprogram_debug_info
+        )
+        func.set_metadata("dbg", subprogram_debug_info)
+
+    else:
+        logger.error(f"Invalid annotation type for argument '{leading_argument_name}'")

pythonbpf/functions/functions_pass.py

@@ -23,7 +23,7 @@ from pythonbpf.allocation_pass import (
     create_targets_and_rvals,
     LocalSymbol,
 )
-
+from .function_debug_info import generate_function_debug_info
 from .return_utils import handle_none_return, handle_xdp_return, is_xdp_name
 from .function_metadata import get_probe_string, is_global_function, infer_return_type
 
@@ -402,7 +402,7 @@ def process_bpf_chunk(func_node, module, return_type, map_sym_tab, structs_sym_t
     func.linkage = "dso_local"
     func.attributes.add("nounwind")
     func.attributes.add("noinline")
-    func.attributes.add("optnone")
+    # func.attributes.add("optnone")
 
     if func_node.args.args:
         # Only look at the first argument for now
@@ -440,7 +440,7 @@ def func_proc(tree, module, chunks, map_sym_tab, structs_sym_tab):
         func_type = get_probe_string(func_node)
         logger.info(f"Found probe_string of {func_node.name}: {func_type}")
 
-        process_bpf_chunk(
+        func = process_bpf_chunk(
             func_node,
             module,
             ctypes_to_ir(infer_return_type(func_node)),
@@ -448,6 +448,9 @@ def func_proc(tree, module, chunks, map_sym_tab, structs_sym_tab):
             structs_sym_tab,
         )
 
+        logger.info(f"Generating Debug Info for Function {func_node.name}")
+        generate_function_debug_info(func_node, module, func)
+
 
 # TODO: WIP, for string assignment to fixed-size arrays
 def assign_string_to_array(builder, target_array_ptr, source_string_ptr, array_length):

pythonbpf/type_deducer.py

@@ -13,6 +13,11 @@ mapping = {
     "c_float": ir.FloatType(),
     "c_double": ir.DoubleType(),
     "c_void_p": ir.IntType(64),
+    "c_long": ir.IntType(64),
+    "c_ulong": ir.IntType(64),
+    "c_longlong": ir.IntType(64),
+    "c_uint": ir.IntType(32),
+    "c_int": ir.IntType(32),
     # Not so sure about this one
     "str": ir.PointerType(ir.IntType(8)),
 }

pythonbpf/vmlinux_parser/assignment_info.py

@@ -1,12 +1,11 @@
 from enum import Enum, auto
-from typing import Any, Dict, List, Optional, TypedDict
+from typing import Any, Dict, List, Optional
 from dataclasses import dataclass
 import llvmlite.ir as ir
 
 from pythonbpf.vmlinux_parser.dependency_node import Field
 
 
-@dataclass
 class AssignmentType(Enum):
     CONSTANT = auto()
     STRUCT = auto()
@@ -16,7 +15,7 @@ class AssignmentType(Enum):
 
 
 @dataclass
-class FunctionSignature(TypedDict):
+class FunctionSignature:
     return_type: str
     param_types: List[str]
     varargs: bool
@@ -24,7 +23,7 @@ class FunctionSignature(TypedDict):
 
 # Thew name of the assignment will be in the dict that uses this class
 @dataclass
-class AssignmentInfo(TypedDict):
+class AssignmentInfo:
     value_type: AssignmentType
     python_type: type
     value: Optional[Any]
@@ -34,3 +33,4 @@ class AssignmentInfo(TypedDict):
     #   Value is a tuple that contains the global variable representing that field
     #   along with all the information about that field as a Field type.
     members: Optional[Dict[str, tuple[ir.GlobalVariable, Field]]]  # For structs.
+    debug_info: Any

pythonbpf/vmlinux_parser/import_detector.py

@@ -148,6 +148,7 @@ def process_vmlinux_assign(node, module, assignments: dict[str, AssignmentInfo])
                 pointer_level=None,
                 signature=None,
                 members=None,
+                debug_info=None,
             )
             logger.info(
                 f"Added assignment: {target_name} = {node.value.value!r} of type {type(node.value.value)}"

pythonbpf/vmlinux_parser/ir_gen/ir_generation.py

@@ -73,9 +73,8 @@ class IRGenerator:
                             )
 
             # Generate IR first to populate field names
-            self.generated_debug_info.append(
+            struct_debug_info = self.gen_ir(struct, self.generated_debug_info)
-                (struct, self.gen_ir(struct, self.generated_debug_info))
+            self.generated_debug_info.append((struct, struct_debug_info))
-            )
 
             # Fill the assignments dictionary with struct information
             if struct.name not in self.assignments:
@@ -105,6 +104,7 @@ class IRGenerator:
                     pointer_level=None,
                     signature=None,
                     members=members_dict,
+                    debug_info=struct_debug_info,
                 )
                 logger.info(f"Added struct assignment info for {struct.name}")
 

pythonbpf/vmlinux_parser/vmlinux_exports_handler.py

@@ -1,4 +1,6 @@
 import logging
+from typing import Any
+import ctypes
 from llvmlite import ir
 
 from pythonbpf.local_symbol import LocalSymbol
@@ -37,16 +39,25 @@ class VmlinuxHandler:
         """Check if name is a vmlinux enum constant"""
         return (
             name in self.vmlinux_symtab
-            and self.vmlinux_symtab[name]["value_type"] == AssignmentType.CONSTANT
+            and self.vmlinux_symtab[name].value_type == AssignmentType.CONSTANT
         )
 
+    def get_struct_debug_info(self, name: str) -> Any:
+        if (
+            name in self.vmlinux_symtab
+            and self.vmlinux_symtab[name].value_type == AssignmentType.STRUCT
+        ):
+            return self.vmlinux_symtab[name].debug_info
+        else:
+            raise ValueError(f"{name} is not a vmlinux struct type")
+
     def get_vmlinux_struct_type(self, name):
         """Check if name is a vmlinux struct type"""
         if (
             name in self.vmlinux_symtab
-            and self.vmlinux_symtab[name]["value_type"] == AssignmentType.STRUCT
+            and self.vmlinux_symtab[name].value_type == AssignmentType.STRUCT
         ):
-            return self.vmlinux_symtab[name]["python_type"]
+            return self.vmlinux_symtab[name].python_type
         else:
             raise ValueError(f"{name} is not a vmlinux struct type")
 
@@ -54,13 +65,13 @@ class VmlinuxHandler:
         """Check if name is a vmlinux struct"""
         return (
             name in self.vmlinux_symtab
-            and self.vmlinux_symtab[name]["value_type"] == AssignmentType.STRUCT
+            and self.vmlinux_symtab[name].value_type == AssignmentType.STRUCT
         )
 
     def handle_vmlinux_enum(self, name):
         """Handle vmlinux enum constants by returning LLVM IR constants"""
         if self.is_vmlinux_enum(name):
-            value = self.vmlinux_symtab[name]["value"]
+            value = self.vmlinux_symtab[name].value
             logger.info(f"Resolving vmlinux enum {name} = {value}")
             return ir.Constant(ir.IntType(64), value), ir.IntType(64)
         return None
@@ -68,22 +79,11 @@ class VmlinuxHandler:
     def get_vmlinux_enum_value(self, name):
         """Handle vmlinux enum constants by returning LLVM IR constants"""
         if self.is_vmlinux_enum(name):
-            value = self.vmlinux_symtab[name]["value"]
+            value = self.vmlinux_symtab[name].value
             logger.info(f"The value of vmlinux enum {name} = {value}")
             return value
         return None
 
-    def handle_vmlinux_struct(self, struct_name, module, builder):
-        """Handle vmlinux struct initializations"""
-        if self.is_vmlinux_struct(struct_name):
-            # TODO: Implement core-specific struct handling
-            # This will be more complex and depends on the BTF information
-            logger.info(f"Handling vmlinux struct {struct_name}")
-            # Return struct type and allocated pointer
-            # This is a stub, actual implementation will be more complex
-            return None
-        return None
-
     def handle_vmlinux_struct_field(
         self, struct_var_name, field_name, module, builder, local_sym_tab
     ):
@@ -94,28 +94,159 @@ class VmlinuxHandler:
                 f"Attempting to access field {field_name} of possible vmlinux struct {struct_var_name}"
             )
             python_type: type = var_info.metadata
-            globvar_ir, field_data = self.get_field_type(
+            struct_name = python_type.__name__
-                python_type.__name__, field_name
+            globvar_ir, field_data = self.get_field_type(struct_name, field_name)
+            builder.function.args[0].type = ir.PointerType(ir.IntType(8))
+            field_ptr = self.load_ctx_field(
+                builder, builder.function.args[0], globvar_ir, field_data, struct_name
             )
-
             # Return pointer to field and field type
-            return None
+            return field_ptr, field_data
         else:
             raise RuntimeError("Variable accessed not found in symbol table")
 
+    @staticmethod
+    def load_ctx_field(builder, ctx_arg, offset_global, field_data, struct_name=None):
+        """
+        Generate LLVM IR to load a field from BPF context using offset.
+
+        Args:
+            builder: llvmlite IRBuilder instance
+            ctx_arg: The context pointer argument (ptr/i8*)
+            offset_global: Global variable containing the field offset (i64)
+            field_data: contains data about the field
+            struct_name: Name of the struct being accessed (optional)
+        Returns:
+            The loaded value (i64 register or appropriately sized)
+        """
+
+        # Load the offset value
+        offset = builder.load(offset_global)
+
+        # Ensure ctx_arg is treated as i8* (byte pointer)
+        i8_ptr_type = ir.PointerType()
+
+        # Cast ctx_arg to i8* if it isn't already
+        if str(ctx_arg.type) != str(i8_ptr_type):
+            ctx_i8_ptr = builder.bitcast(ctx_arg, i8_ptr_type)
+        else:
+            ctx_i8_ptr = ctx_arg
+
+        # GEP with explicit type - this is the key fix
+        field_ptr = builder.gep(
+            ctx_i8_ptr,
+            [offset],
+            inbounds=False,
+        )
+
+        # Get or declare the BPF passthrough intrinsic
+        module = builder.function.module
+
+        try:
+            passthrough_fn = module.globals.get("llvm.bpf.passthrough.p0.p0")
+            if passthrough_fn is None:
+                raise KeyError
+        except (KeyError, AttributeError):
+            passthrough_type = ir.FunctionType(
+                i8_ptr_type,
+                [ir.IntType(32), i8_ptr_type],
+            )
+            passthrough_fn = ir.Function(
+                module,
+                passthrough_type,
+                name="llvm.bpf.passthrough.p0.p0",
+            )
+
+        # Call passthrough to satisfy BPF verifier
+        verified_ptr = builder.call(
+            passthrough_fn, [ir.Constant(ir.IntType(32), 0), field_ptr], tail=True
+        )
+
+        # Determine the appropriate IR type based on field information
+        int_width = 64  # Default to 64-bit
+        needs_zext = False  # Track if we need zero-extension for xdp_md
+
+        if field_data is not None:
+            # Try to determine the size from field metadata
+            if field_data.type.__module__ == ctypes.__name__:
+                try:
+                    field_size_bytes = ctypes.sizeof(field_data.type)
+                    field_size_bits = field_size_bytes * 8
+
+                    if field_size_bits in [8, 16, 32, 64]:
+                        int_width = field_size_bits
+                        logger.info(f"Determined field size: {int_width} bits")
+
+                        # Special handling for struct_xdp_md i32 fields
+                        # Load as i32 but extend to i64 before storing
+                        if struct_name == "struct_xdp_md" and int_width == 32:
+                            needs_zext = True
+                            logger.info(
+                                "struct_xdp_md i32 field detected, will zero-extend to i64"
+                            )
+                    else:
+                        logger.warning(
+                            f"Unusual field size {field_size_bits} bits, using default 64"
+                        )
+                except Exception as e:
+                    logger.warning(
+                        f"Could not determine field size: {e}, using default 64"
+                    )
+
+            elif field_data.type.__module__ == "vmlinux":
+                # For pointers to structs or complex vmlinux types
+                if field_data.ctype_complex_type is not None and issubclass(
+                    field_data.ctype_complex_type, ctypes._Pointer
+                ):
+                    int_width = 64  # Pointers are always 64-bit
+                    logger.info("Field is a pointer type, using 64 bits")
+                # TODO: Add handling for other complex types (arrays, embedded structs, etc.)
+                else:
+                    logger.warning("Complex vmlinux field type, using default 64 bits")
+
+        # Bitcast to appropriate pointer type based on determined width
+        ptr_type = ir.PointerType(ir.IntType(int_width))
+
+        typed_ptr = builder.bitcast(verified_ptr, ptr_type)
+
+        # Load and return the value
+        value = builder.load(typed_ptr)
+
+        # Zero-extend i32 to i64 for struct_xdp_md fields
+        if needs_zext:
+            value = builder.zext(value, ir.IntType(64))
+            logger.info("Zero-extended i32 value to i64 for struct_xdp_md field")
+
+        return value
+
     def has_field(self, struct_name, field_name):
         """Check if a vmlinux struct has a specific field"""
         if self.is_vmlinux_struct(struct_name):
-            python_type = self.vmlinux_symtab[struct_name]["python_type"]
+            python_type = self.vmlinux_symtab[struct_name].python_type
             return hasattr(python_type, field_name)
         return False
 
     def get_field_type(self, vmlinux_struct_name, field_name):
         """Get the type of a field in a vmlinux struct"""
         if self.is_vmlinux_struct(vmlinux_struct_name):
-            python_type = self.vmlinux_symtab[vmlinux_struct_name]["python_type"]
+            python_type = self.vmlinux_symtab[vmlinux_struct_name].python_type
             if hasattr(python_type, field_name):
-                return self.vmlinux_symtab[vmlinux_struct_name]["members"][field_name]
+                return self.vmlinux_symtab[vmlinux_struct_name].members[field_name]
+            else:
+                raise ValueError(
+                    f"Field {field_name} not found in vmlinux struct {vmlinux_struct_name}"
+                )
+        else:
+            raise ValueError(f"{vmlinux_struct_name} is not a vmlinux struct")
+
+    def get_field_index(self, vmlinux_struct_name, field_name):
+        """Get the type of a field in a vmlinux struct"""
+        if self.is_vmlinux_struct(vmlinux_struct_name):
+            python_type = self.vmlinux_symtab[vmlinux_struct_name].python_type
+            if hasattr(python_type, field_name):
+                return list(
+                    self.vmlinux_symtab[vmlinux_struct_name].members.keys()
+                ).index(field_name)
             else:
                 raise ValueError(
                     f"Field {field_name} not found in vmlinux struct {vmlinux_struct_name}"

tests/c-form/Makefile

@@ -1,19 +1,23 @@
 BPF_CLANG := clang
-CFLAGS := -O0 -emit-llvm -target bpf -c
+CFLAGS := -emit-llvm -target bpf -c
 
 SRC := $(wildcard *.bpf.c)
 LL := $(SRC:.bpf.c=.bpf.ll)
+LL2 := $(SRC:.bpf.c=.bpf.o2.ll)
 OBJ := $(SRC:.bpf.c=.bpf.o)
 
 .PHONY: all clean
 
-all: $(LL) $(OBJ)
+all: $(LL) $(OBJ) $(LL2)
 
 %.bpf.o: %.bpf.c
 	$(BPF_CLANG) -O2 -g -target bpf -c $< -o $@
 
 %.bpf.ll: %.bpf.c
-	$(BPF_CLANG) $(CFLAGS) -g -S $< -o $@
+	$(BPF_CLANG) -O0 $(CFLAGS) -g -S $< -o $@
+
+%.bpf.o2.ll: %.bpf.c
+	$(BPF_CLANG) -O2 $(CFLAGS) -g -S $< -o $@
 
 clean:
-	rm -f $(LL) $(OBJ)
+	rm -f $(LL) $(OBJ) $(LL2)

tests/c-form/i32test.bpf.c

@@ -0,0 +1,15 @@
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+SEC("xdp")
+int print_xdp_data(struct xdp_md *ctx)
+{
+    // 'data' is a pointer to the start of packet data
+    long data = (long)ctx->data;
+
+    bpf_printk("ctx->data = %lld\n", data);
+
+    return XDP_PASS;
+}
+
+char LICENSE[] SEC("license") = "GPL";

tests/c-form/kprobe.bpf.c

@@ -2,18 +2,75 @@
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
 
-char LICENSE[] SEC("license") = "Dual BSD/GPL";
+char LICENSE[] SEC("license") = "GPL";
 
 SEC("kprobe/do_unlinkat")
 int kprobe_execve(struct pt_regs *ctx)
 {
     bpf_printk("unlinkat created");
-    return 0;
-}
 
-SEC("kretprobe/do_unlinkat")
+    unsigned long r15 = ctx->r15;
-int kretprobe_execve(struct pt_regs *ctx)
+    bpf_printk("r15: %lld", r15);
-{
+
-    bpf_printk("unlinkat returned\n");
+    unsigned long r14 = ctx->r14;
+    bpf_printk("r14: %lld", r14);
+
+    unsigned long r13 = ctx->r13;
+    bpf_printk("r13: %lld", r13);
+
+    unsigned long r12 = ctx->r12;
+    bpf_printk("r12: %lld", r12);
+
+    unsigned long bp = ctx->bp;
+    bpf_printk("rbp: %lld", bp);
+
+    unsigned long bx = ctx->bx;
+    bpf_printk("rbx: %lld", bx);
+
+    unsigned long r11 = ctx->r11;
+    bpf_printk("r11: %lld", r11);
+
+    unsigned long r10 = ctx->r10;
+    bpf_printk("r10: %lld", r10);
+
+    unsigned long r9 = ctx->r9;
+    bpf_printk("r9: %lld", r9);
+
+    unsigned long r8 = ctx->r8;
+    bpf_printk("r8: %lld", r8);
+
+    unsigned long ax = ctx->ax;
+    bpf_printk("rax: %lld", ax);
+
+    unsigned long cx = ctx->cx;
+    bpf_printk("rcx: %lld", cx);
+
+    unsigned long dx = ctx->dx;
+    bpf_printk("rdx: %lld", dx);
+
+    unsigned long si = ctx->si;
+    bpf_printk("rsi: %lld", si);
+
+    unsigned long di = ctx->di;
+    bpf_printk("rdi: %lld", di);
+
+    unsigned long orig_ax = ctx->orig_ax;
+    bpf_printk("orig_rax: %lld", orig_ax);
+
+    unsigned long ip = ctx->ip;
+    bpf_printk("rip: %lld", ip);
+
+    unsigned long cs = ctx->cs;
+    bpf_printk("cs: %lld", cs);
+
+    unsigned long flags = ctx->flags;
+    bpf_printk("eflags: %lld", flags);
+
+    unsigned long sp = ctx->sp;
+    bpf_printk("rsp: %lld", sp);
+
+    unsigned long ss = ctx->ss;
+    bpf_printk("ss: %lld", ss);
+
     return 0;
 }

tests/c-form/struct_field_tests.bpf.c

@@ -19,9 +19,23 @@ There is no point of
 SEC("tp/syscalls/sys_enter_execve")
 int handle_setuid_entry(struct trace_event_raw_sys_enter *ctx) {
   // Access each argument separately with clear variable assignments
-  long int arg0 = ctx->id;
+  long int id = ctx->id;
-  bpf_printk("args[0]: %d", arg0);
+  bpf_printk("This is context field %d", id);
-
+  /*
+   * the IR to aim for is
+   * %2 = alloca ptr, align 8
+   * store ptr %0, ptr %2, align 8
+   * Above, %0 is the arg pointer
+   * %5 = load ptr, ptr %2, align 8
+   * %6 = getelementptr inbounds %struct.trace_event_raw_sys_enter, ptr %5, i32 0, i32 2
+   * %7 = load i64, ptr @"llvm.trace_event_raw_sys_enter:0:16$0:2:0", align 8
+   * %8 = bitcast ptr %5 to ptr
+   * %9 = getelementptr i8, ptr %8, i64 %7
+   * %10 = bitcast ptr %9 to ptr
+   * %11 = call ptr @llvm.bpf.passthrough.p0.p0(i32 0, ptr %10)
+   * %12 = load i64, ptr %11, align 8, !dbg !101
+   *
+   */
   return 0;
 }
 

tests/failing_tests/vmlinux/args_test.py

@@ -0,0 +1,30 @@
+import logging
+
+from pythonbpf import bpf, section, bpfglobal, compile_to_ir
+from pythonbpf import compile  # noqa: F401
+from vmlinux import TASK_COMM_LEN  # noqa: F401
+from vmlinux import struct_trace_event_raw_sys_enter  # noqa: F401
+from ctypes import c_int64, c_int32, c_void_p  # noqa: F401
+
+
+# from vmlinux import struct_uinput_device
+# from vmlinux import struct_blk_integrity_iter
+
+
+@bpf
+@section("tracepoint/syscalls/sys_enter_execve")
+def hello_world(ctx: struct_trace_event_raw_sys_enter) -> c_int64:
+    b = ctx.args
+    c = b[0]
+    print(f"This is context args field {c}")
+    return c_int64(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+compile_to_ir("args_test.py", "args_test.ll", loglevel=logging.INFO)
+compile()

tests/passing_tests/vmlinux/i32_test.py

@@ -0,0 +1,31 @@
+from ctypes import c_int64, c_void_p
+from pythonbpf import bpf, section, bpfglobal, compile_to_ir, compile
+from vmlinux import struct_xdp_md
+from vmlinux import XDP_PASS
+
+
+@bpf
+@section("xdp")
+def print_xdp_dat2a(ct2x: struct_xdp_md) -> c_int64:
+    data = ct2x.data  # 32-bit field: packet start pointer
+    print(f"ct2x->data = {data}")
+    return c_int64(XDP_PASS)
+
+
+@bpf
+@section("xdp")
+def print_xdp_data(ctx: struct_xdp_md) -> c_int64:
+    data = ctx.data  # 32-bit field: packet start pointer
+    something = c_void_p(data)
+    print(f"ctx->data = {something}")
+    return c_int64(XDP_PASS)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+compile_to_ir("i32_test.py", "i32_test.ll")
+compile()

tests/passing_tests/vmlinux/i32_test_fail_1.py

@@ -0,0 +1,24 @@
+from ctypes import c_int64
+from pythonbpf import bpf, section, bpfglobal, compile
+from vmlinux import struct_xdp_md
+from vmlinux import XDP_PASS
+import logging
+
+
+@bpf
+@section("xdp")
+def print_xdp_data(ctx: struct_xdp_md) -> c_int64:
+    data = 0
+    data = ctx.data  # 32-bit field: packet start pointer
+    something = 2 + data
+    print(f"ctx->data = {something}")
+    return c_int64(XDP_PASS)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+compile(logging.INFO)

tests/passing_tests/vmlinux/i32_test_fail_2.py

@@ -0,0 +1,24 @@
+from ctypes import c_int64
+from pythonbpf import bpf, section, bpfglobal, compile, compile_to_ir
+from vmlinux import struct_xdp_md
+from vmlinux import XDP_PASS
+import logging
+
+
+@bpf
+@section("xdp")
+def print_xdp_data(ctx: struct_xdp_md) -> c_int64:
+    data = c_int64(ctx.data)  # 32-bit field: packet start pointer
+    something = 2 + data
+    print(f"ctx->data = {something}")
+    return c_int64(XDP_PASS)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+compile_to_ir("i32_test_fail_2.py", "i32_test_fail_2.ll")
+compile(logging.INFO)

tests/passing_tests/vmlinux/register_state_dump.py

@@ -0,0 +1,53 @@
+from pythonbpf import bpf, section, bpfglobal, BPF, trace_pipe
+from pythonbpf import compile  # noqa: F401
+from vmlinux import struct_pt_regs
+from ctypes import c_int64, c_int32, c_void_p  # noqa: F401
+
+
+@bpf
+@section("kprobe/do_unlinkat")
+def kprobe_execve(ctx: struct_pt_regs) -> c_int64:
+    r15 = ctx.r15
+    r14 = ctx.r14
+    r13 = ctx.r13
+    r12 = ctx.r12
+    bp = ctx.bp
+    bx = ctx.bx
+    r11 = ctx.r11
+    r10 = ctx.r10
+    r9 = ctx.r9
+    r8 = ctx.r8
+    ax = ctx.ax
+    cx = ctx.cx
+    dx = ctx.dx
+    si = ctx.si
+    di = ctx.di
+    orig_ax = ctx.orig_ax
+    ip = ctx.ip
+    cs = ctx.cs
+    flags = ctx.flags
+    sp = ctx.sp
+    ss = ctx.ss
+
+    print(f"r15={r15} r14={r14} r13={r13}")
+    print(f"r12={r12} rbp={bp} rbx={bx}")
+    print(f"r11={r11} r10={r10} r9={r9}")
+    print(f"r8={r8} rax={ax} rcx={cx}")
+    print(f"rdx={dx} rsi={si} rdi={di}")
+    print(f"orig_rax={orig_ax} rip={ip} cs={cs}")
+    print(f"eflags={flags} rsp={sp} ss={ss}")
+
+    return c_int64(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+b = BPF()
+b.load()
+b.attach_all()
+
+trace_pipe()

tests/passing_tests/vmlinux/simple_struct_test.py

@@ -44,4 +44,4 @@ def LICENSE() -> str:
 
 
 compile_to_ir("simple_struct_test.py", "simple_struct_test.ll", loglevel=logging.DEBUG)
-# compile()
+compile()

tests/passing_tests/vmlinux/struct_field_access.py

@@ -4,7 +4,7 @@ from pythonbpf import bpf, section, bpfglobal, compile_to_ir
 from pythonbpf import compile  # noqa: F401
 from vmlinux import TASK_COMM_LEN  # noqa: F401
 from vmlinux import struct_trace_event_raw_sys_enter  # noqa: F401
-from ctypes import c_int64, c_void_p  # noqa: F401
+from ctypes import c_int64, c_int32, c_void_p  # noqa: F401
 
 
 # from vmlinux import struct_uinput_device
@@ -14,11 +14,9 @@ from ctypes import c_int64, c_void_p  # noqa: F401
 @bpf
 @section("tracepoint/syscalls/sys_enter_execve")
 def hello_world(ctx: struct_trace_event_raw_sys_enter) -> c_int64:
-    a = 2 + TASK_COMM_LEN + TASK_COMM_LEN
     b = ctx.id
-    print(f"Hello, World{TASK_COMM_LEN} and {a}")
     print(f"This is context field {b}")
-    return c_int64(TASK_COMM_LEN + 2)
+    return c_int64(0)
 
 
 @bpf
@@ -28,4 +26,4 @@ def LICENSE() -> str:
 
 
 compile_to_ir("struct_field_access.py", "struct_field_access.ll", loglevel=logging.INFO)
-# compile()
+compile()

tools/setup.sh

@@ -144,7 +144,8 @@ mkdir -p examples
 cd examples || exit 1
 
 echo "Fetching example files list..."
-FILES=$(curl -s "https://api.github.com/repos/pythonbpf/Python-BPF/contents/examples" | grep -o '"path": "examples/[^"]*"' | awk -F'"' '{print $4}')
+FILES=$(curl -s "https://api.github.com/repos/pythonbpf/Python-BPF/contents/examples" | grep -E -o '"path": "examples/[^"]*(\.md|\.ipynb|\.py)"' | awk -F'"' '{print $4}')
+BCC_EXAMPLES=$(curl -s "https://api.github.com/repos/pythonbpf/Python-BPF/contents/BCC-Examples" | grep -E -o '"path": "BCC-Examples/[^"]*(\.md|\.ipynb|\.py)"' | awk -F'"' '{print $4}')
 
 if [ -z "$FILES" ]; then
     echo "Failed to fetch file list from repository. Using fallback method..."
@@ -166,11 +167,20 @@ if [ -z "$FILES" ]; then
         curl -s -O "https://raw.githubusercontent.com/pythonbpf/Python-BPF/master/examples/$example"
     done
 else
+    mkdir examples && cd examples
     for file in $FILES; do
         filename=$(basename "$file")
         echo "Downloading: $filename"
         curl -s -o "$filename" "https://raw.githubusercontent.com/pythonbpf/Python-BPF/master/$file"
     done
+    cd ..
+    mkdir BCC-Examples && cd BCC-Examples
+    for file in $BCC_EXAMPLES; do
+        filename=$(basename "$file")
+        echo "Downloading: $filename"
+        curl -s -o "$filename" "https://raw.githubusercontent.com/pythonbpf/Python-BPF/master/$file"
+    done
+    cd ..
 fi
 
 cd "$WORK_DIR" || exit 1