Format function definitions in bpf_helper_handler

Use HelperHandleRegitry
Create HelperProcessorRegistry
2025-12-31 21:06:25 +00:00 · 2025-10-01 04:04:32 +05:30 · 2025-10-01 03:53:11 +05:30 · 2025-10-01 03:07:36 +05:30 · 2025-09-30 23:57:31 +05:30 · 2025-09-30 23:51:05 +05:30
54 changed files with 327455 additions and 882 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
+tests/c-form/vmlinux.h linguist-vendored
--- a/.gitignore
+++ b/.gitignore
@ -5,4 +5,5 @@
 .vscode/
 __pycache__/
 *.ll
-*.o
+*.o
+.ipynb_checkpoints/
--- a/README.md
+++ b/README.md
@ -1,71 +1,183 @@
 # Python-BPF
-<p align="center">
-<a href="https://www.python.org/downloads/release/python-3080/"><img src="https://img.shields.io/badge/python-3.8-blue.svg"></a>
-<a href="https://pypi.org/project/pythonbpf"><img src="https://badge.fury.io/py/pythonbpf.svg"></a>
-</p>

-This is an LLVM IR generator for eBPF programs in Python. We use llvmlite to generate LLVM IR from pure Python. This is then compiled to LLVM object files, which can be loaded into the kernel for execution. We do not rely on BCC to do our compilation.
+Python-BPF is an LLVM IR generator for eBPF programs written in Python. It uses [llvmlite](https://github.com/numba/llvmlite) to generate LLVM IR and then compiles to LLVM object files. These object files can be loaded into the kernel for execution. Unlike BCC, Python-BPF performs compilation without relying on its infrastructure.

-# DO NOT USE IN PRODUCTION. IN DEVELOPMENT.
+> **Note**: This project is under active development and not ready for production use.

-##  Installation
- Have `clang` installed.
- `pip install pythonbpf`
+---
+
+## Overview
+
+* Generate eBPF programs directly from Python.
+* Compile to LLVM object files for kernel execution.
+* Built with `llvmlite` for IR generation.
+* Supports maps, helpers, and global definitions for BPF.
+* Companion project: [pylibbpf](https://github.com/pythonbpf/pylibbpf), which provides the bindings required for object loading and execution.
+
+---
+
+## Installation
+
+Dependencies:
+
+* `clang`
+* Python ≥ 3.8
+
+Install via pip:
+
+```bash
+pip install pythonbpf pylibbpf
+```
+
+---
+
+## Example Usage

-## Usage
 ```python
-# pythonbpf_example.py
-from pythonbpf import bpf, map, bpfglobal, section, compile
-from pythonbpf.helpers import bpf_ktime_get_ns
+import time
+from pythonbpf import bpf, map, section, bpfglobal, BPF
+from pythonbpf.helpers import pid
 from pythonbpf.maps import HashMap
+from pylibbpf import *
+from ctypes import c_void_p, c_int64, c_uint64, c_int32
+import matplotlib.pyplot as plt

-from ctypes import c_void_p, c_int64, c_int32, c_uint64
+# This program attaches an eBPF tracepoint to sys_enter_clone,
+# counts per-PID clone syscalls, stores them in a hash map,
+# and then plots the distribution as a histogram using matplotlib.
+# It provides a quick view of process creation activity over 10 seconds.

@bpf
@map
-def last() -> HashMap:
-    return HashMap(key_type=c_uint64, value_type=c_uint64, max_entries=1)
+def hist() -> HashMap:
+    return HashMap(key=c_int32, value=c_uint64, max_entries=4096)

@bpf
-@section("tracepoint/syscalls/sys_enter_execve")
-def hello(ctx: c_void_p) -> c_int32:
-    print("entered")
-    return c_int32(0)
-
-@bpf
-@section("tracepoint/syscalls/sys_exit_execve")
-def hello_again(ctx: c_void_p) -> c_int64:
-    print("exited")
-    key = 0
-    tsp = last().lookup(key)
-    print(tsp)
-    ts = bpf_ktime_get_ns()
+@section("tracepoint/syscalls/sys_enter_clone")
+def hello(ctx: c_void_p) -> c_int64:
+    process_id = pid()
+    one = 1
+    prev = hist().lookup(process_id)
+    if prev:
+        previous_value = prev + 1
+        print(f"count: {previous_value} with {process_id}")
+        hist().update(process_id, previous_value)
+        return c_int64(0)
+    else:
+        hist().update(process_id, one)
    return c_int64(0)

+
@bpf
@bpfglobal
 def LICENSE() -> str:
    return "GPL"

-def some_normal_function():
-    print("normal function")

-# compiles and dumps object file in the same directory
-compile()
+b = BPF()
+b.load_and_attach()
+hist = BpfMap(b, hist)
+print("Recording")
+time.sleep(10)
+
+counts = list(hist.values())
+
+plt.hist(counts, bins=20)
+plt.xlabel("Clone calls per PID")
+plt.ylabel("Frequency")
+plt.title("Syscall clone counts")
+plt.show()
 ```
- Run `python pythonbpf_example.py` to get the compiled object file that can be then loaded into the kernel.
+---
+
+## Architecture
+
+Python-BPF provides a complete pipeline to write, compile, and load eBPF programs in Python:
+
+1. **Python Source Code**
+
+   * Users write BPF programs in Python using decorators like `@bpf`, `@map`, `@section`, and `@bpfglobal`.
+   * Maps (hash maps), helpers (e.g., `ktime`, `deref`), and tracepoints are defined using Python constructs, preserving a syntax close to standard Python.
+
+2. **AST Generation**
+
+   * The Python `ast` module parses the source code into an Abstract Syntax Tree (AST).
+   * Decorators and type annotations are captured to determine BPF maps, tracepoints, and global variables.
+
+3. **LLVM IR Emission**
+
+   * The AST is transformed into LLVM Intermediate Representation (IR) using `llvmlite`.
+   * IR captures BPF maps, control flow, assignments, and calls to helper functions.
+   * Debug information is emitted for easier inspection.
+
+4. **LLVM Object File Compilation**
+
+   * The LLVM IR (`.ll`) is compiled into a BPF target object file (`.o`) using `llc -march=bpf -O2`.
+   * This produces a kernel-loadable ELF object file containing the BPF bytecode.
+
+5. **libbpf Integration (via pylibbpf)**
+
+   * The compiled object file can be loaded into the kernel using `pylibbpf`.
+   * Maps, tracepoints, and program sections are initialized, and helper functions are resolved.
+   * Programs are attached to kernel hooks (e.g., syscalls) for execution.
+
+6. **Execution in Kernel**
+
+   * The kernel executes the loaded eBPF program.
+   * Hash maps, helpers, and global variables behave as defined in the Python source.
+   * Output can be read via BPF maps, helper functions, or trace printing.
+
+This architecture eliminates the need for embedding C code in Python, allowing full Python tooling support while generating true BPF object files ready for kernel execution.
+
+---

 ## Development
- Make a virtual environment and activate it using `python3 -m venv .venv && source .venv/bin/activate`.  
- Run `make install` to install the required dependencies.  
- Run `make` to see the compilation output of the example.  
- Run `check.sh` to check if generated object file passes through the verifier inside the examples directory.  
- Run `make` in the `examples/c-form` directory to modify the example C BPF program to check the actual LLVM IR generated by clang.

-### Development Notes
- Run ` ./check.sh check execve2.o;` in examples folder to check if the object code passes the verifier.
- Run ` ./check.sh run execve2.o;` in examples folder to run the object code using `bpftool`.
+1. Create a virtual environment and activate it:
+
+   ```bash
+   python3 -m venv .venv
+   source .venv/bin/activate
+   ```
+
+2. Install dependencies:
+
+   ```bash
+   make install
+   ```
+
+3. Build and test examples:
+
+   ```bash
+   make
+   ```
+
+4. Verify an object file with the kernel verifier:
+
+   ```bash
+   ./check.sh check execve2.o
+   ```
+
+5. Run an object file using `bpftool`:
+
+   ```bash
+   ./check.sh run execve2.o
+   ```
+
+6. Explore LLVM IR output from clang in `examples/c-form` by running `make`.
+
+---
+
+## Resources
+
+* [Video demonstration](https://youtu.be/eMyLW8iWbks)
+* [Slide deck](https://docs.google.com/presentation/d/1DsWDIVrpJhM4RgOETO9VWqUtEHo3-c7XIWmNpi6sTSo/edit?usp=sharing)
+
+---

 ## Authors
- [@r41k0u](https://github.com/r41k0u)
- [@varun-r-mallya](https://github.com/varun-r-mallya)
+
+* [@r41k0u](https://github.com/r41k0u)
+* [@varun-r-mallya](https://github.com/varun-r-mallya)
+
+---
--- a/TODO.md
+++ b/TODO.md
@ -0,0 +1,9 @@
+## Short term
+
+- Implement enough functionality to port the BCC tutorial examples in PythonBPF
+
+
+## Long term
+
+- Refactor the codebase to be better than a hackathon project
+- Port to C++ and use actual LLVM?
--- a/examples/binops_demo.py
+++ b/examples/binops_demo.py
@ -0,0 +1,52 @@
+from pythonbpf import bpf, map, section, bpfglobal, compile
+from pythonbpf.helpers import ktime
+from pythonbpf.maps import HashMap
+
+from ctypes import c_void_p, c_int64, c_uint64
+
+# Instructions to how to run this program
+# 1. Install PythonBPF: pip install pythonbpf
+# 2. Run the program: python examples/binops_demo.py
+# 3. Run the program with sudo: sudo tools/check.sh run examples/binops_demo.py
+# 4. Start up any program and watch the output
+
+@bpf
+@map
+def last() -> HashMap:
+    return HashMap(key=c_uint64, value=c_uint64, max_entries=3)
+
+
+@bpf
+@section("tracepoint/syscalls/sys_enter_execve")
+def do_trace(ctx: c_void_p) -> c_int64:
+    key = 0
+    tsp = last().lookup(key)
+    if tsp:
+        kt = ktime()
+        delta = (kt - tsp)
+        if delta < 1000000000:
+            time_ms = (delta // 1000000)
+            print(f"Execve syscall entered within last second, last {time_ms} ms ago")
+        last().delete(key)
+    else:
+        kt = ktime()
+        last().update(key, kt)
+    return c_int64(0)
+
+@bpf
+@section("tracepoint/syscalls/sys_exit_execve")
+def do_exit(ctx: c_void_p) -> c_int64:
+    va = 8
+    nm = 5 ^ va
+    al = 6 & 3
+    ru = (nm + al)
+    print(f"this is a variable {ru}")
+    return c_int64(0)
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+compile()
--- a/examples/blk_request.py
+++ b/examples/blk_request.py
@ -0,0 +1,27 @@
+from pythonbpf import bpf, map, section, bpfglobal, compile
+from pythonbpf.helpers import ktime, deref
+from pythonbpf.maps import HashMap
+
+from ctypes import c_void_p, c_int64, c_int32, c_uint64
+
+
+@bpf
+@map
+def last() -> HashMap:
+    return HashMap(key=c_uint64, value=c_uint64, max_entries=3)
+
+@bpf
+@section("blk_start_request")
+def trace_start(ctx: c_void_p) -> c_int32:
+    ts = ktime()
+    print("req started")
+    return c_int32(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+compile()
--- a/examples/c-form/ex2.bpf.c
+++ b/examples/c-form/ex2.bpf.c
@ -1,19 +0,0 @@
-#include <linux/bpf.h>
-#include <bpf/bpf_helpers.h>
-#define u64 unsigned long long
-#define u32 unsigned int
-
-struct {
-    __uint(type, BPF_MAP_TYPE_HASH);
-    __uint(max_entries, 1);
-    __type(key, u32);
-    __type(value, u64);
-} last SEC(".maps");
-
-SEC("tracepoint/syscalls/sys_enter_execve")
-int hello(struct pt_regs *ctx) {
-    bpf_printk("Hello, World!\n");
-    return 0;
-}
-
-char LICENSE[] SEC("license") = "GPL";
--- a/examples/clone-matplotlib.ipynb
+++ b/examples/clone-matplotlib.ipynb
--- a/examples/clone_plot.py
+++ b/examples/clone_plot.py
@ -0,0 +1,56 @@
+import time
+
+from pythonbpf import bpf, map, section, bpfglobal, BPF
+from pythonbpf.helpers import pid
+from pythonbpf.maps import HashMap
+from pylibbpf import *
+from ctypes import c_void_p, c_int64, c_uint64, c_int32
+import matplotlib.pyplot as plt
+
+# This program attaches an eBPF tracepoint to sys_enter_clone,
+# counts per-PID clone syscalls, stores them in a hash map,
+# and then plots the distribution as a histogram using matplotlib.
+# It provides a quick view of process creation activity over 10 seconds.
+# Everything is done with Python only code and with the new pylibbpf library.
+# Run `sudo /path/to/python/binary/ clone_plot.py`
+
+@bpf
+@map
+def hist() -> HashMap:
+    return HashMap(key=c_int32, value=c_uint64, max_entries=4096)
+
+@bpf
+@section("tracepoint/syscalls/sys_enter_clone")
+def hello(ctx: c_void_p) -> c_int64:
+    process_id = pid()
+    one = 1
+    prev = hist().lookup(process_id)
+    if prev:
+        previous_value = prev + 1
+        print(f"count: {previous_value} with {process_id}")
+        hist().update(process_id, previous_value)
+        return c_int64(0)
+    else:
+        hist().update(process_id, one)
+    return c_int64(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+b = BPF()
+b.load_and_attach()
+hist = BpfMap(b, hist)
+print("Recording")
+time.sleep(10)
+
+counts = list(hist.values())
+
+plt.hist(counts, bins=20)
+plt.xlabel("Clone calls per PID")
+plt.ylabel("Frequency")
+plt.title("Syscall clone counts")
+plt.show()
--- a/examples/execve2.py
+++ b/examples/execve2.py
@ -1,35 +0,0 @@
-from pythonbpf.decorators import bpf, map, section, bpfglobal
-from ctypes import c_void_p, c_int64, c_int32, c_uint64
-from pythonbpf.helpers import ktime
-from pythonbpf.maps import HashMap
-
-
-@bpf
-@map
-def last() -> HashMap:
-    return HashMap(key_type=c_uint64, value_type=c_uint64, max_entries=1)
-
-
-@bpf
-@section("tracepoint/syscalls/sys_enter_execve")
-def hello(ctx: c_void_p) -> c_int32:
-    print("entered")
-    print("multi constant support")
-    return c_int32(0)
-
-
-@bpf
-@section("tracepoint/syscalls/sys_exit_execve")
-def hello_again(ctx: c_void_p) -> c_int64:
-    print("exited")
-    key = 0
-    tsp = last().lookup(key)
-    print(tsp)
-    ts = ktime()
-    return c_int64(0)
-
-
-@bpf
-@bpfglobal
-def LICENSE() -> str:
-    return "GPL"
--- a/examples/execve3.py
+++ b/examples/execve3.py
@ -1,60 +0,0 @@
-from pythonbpf import bpf, map, section, bpfglobal, compile
-from pythonbpf.helpers import ktime
-from pythonbpf.maps import HashMap
-
-from ctypes import c_void_p, c_int64, c_int32, c_uint64
-
-
-@bpf
-@map
-def last() -> HashMap:
-    return HashMap(key_type=c_uint64, value_type=c_uint64, max_entries=3)
-
-
-@bpf
-@section("tracepoint/syscalls/sys_enter_execve")
-def hello(ctx: c_void_p) -> c_int32:
-    print("entered")
-    print("multi constant support")
-    return c_int32(0)
-
-
-@bpf
-@section("tracepoint/syscalls/sys_exit_execve")
-def hello_again(ctx: c_void_p) -> c_int64:
-    print("exited")
-    key = 0
-    tsp = last().lookup(key)
-#    if tsp:
-#        delta = (bpf_ktime_get_ns() - tsp.value)
-#        if delta < 1000000000:
-#            print("execve called within last second")
-#        last().delete(key)
-    x = 1
-    y = False
-    if x > 0:
-        if x < 2:
-            print(f"we prevailed {x}")
-        else:
-            print(f"we did not prevail {x}")
-    ts = ktime()
-    last().update(key, ts)
-
-    st = "st"
-    last().update(key, ts)
-
-    keena = 2 + 1
-    # below breaks
-    # keela = keena + 1
-    # TODO: binops evaluate but into a random register and dont get assigned.
-    keema = 8 * 9
-    keesa = 10 - 11
-    keeda = 10 / 5
-    return c_int64(0)
-
-@bpf
-@bpfglobal
-def LICENSE() -> str:
-    return "GPL"
-
-compile()
--- a/examples/hello_world.py
+++ b/examples/hello_world.py
@ -1,15 +1,28 @@
-# This is what it is going to look like
-# pylint: disable-all# type: ignore
-from pythonbpf.decorators import tracepoint, syscalls, bpfglobal, bpf
-from ctypes import c_void_p, c_int32
+from pythonbpf import bpf, section, bpfglobal, compile, BPF
+from ctypes import c_void_p, c_int64
+
+# Instructions to how to run this program
+# 1. Install PythonBPF: pip install pythonbpf
+# 2. Run the program: sudo python examples/hello_world.py
+# 4. Start up any program and watch the output
+

@bpf
-@tracepoint(syscalls.sys_clone)
-def trace_clone(ctx: c_void_p) -> c_int32:
+@section("tracepoint/syscalls/sys_enter_execve")
+def hello_world(ctx: c_void_p) -> c_int64:
    print("Hello, World!")
-    return c_int32(0)
+    return c_int64(0)

@bpf
@bpfglobal
 def LICENSE() -> str:
    return "GPL"
+
+b = BPF()
+b.load_and_attach()
+if b.is_loaded() and b.is_attached():
+    print("Successfully loaded and attached")
+else:
+    print("Could not load successfully")
+
+# Now cat /sys/kernel/debug/tracing/trace_pipe to see results of the execve syscall.
--- a/examples/struct_and_perf.py
+++ b/examples/struct_and_perf.py
@ -0,0 +1,41 @@
+from pythonbpf import bpf, map, struct, section, bpfglobal, compile
+from pythonbpf.helpers import ktime, pid
+from pythonbpf.maps import PerfEventArray
+
+from ctypes import c_void_p, c_int64, c_int32, c_uint64
+
+
+@bpf
+@struct
+class data_t:
+    pid: c_uint64
+    ts: c_uint64
+    comm: str(16)
+
+
+@bpf
+@map
+def events() -> PerfEventArray:
+    return PerfEventArray(key_size=c_int32, value_size=c_int32)
+
+
+@bpf
+@section("tracepoint/syscalls/sys_enter_clone")
+def hello(ctx: c_void_p) -> c_int32:
+    dataobj = data_t()
+    strobj = "hellohellohello"
+    dataobj.pid = pid()
+    dataobj.ts = ktime()
+    # dataobj.comm = strobj
+    print(f"clone called at {dataobj.ts} by pid {dataobj.pid}, comm {strobj}")
+    events.output(dataobj)
+    return c_int32(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+compile()
--- a/examples/sys_sync.py
+++ b/examples/sys_sync.py
@ -0,0 +1,44 @@
+from pythonbpf import bpf, map, section, bpfglobal, compile
+from pythonbpf.helper.helpers import ktime
+from pythonbpf.maps import HashMap
+
+from ctypes import c_void_p, c_int64, c_uint64
+
+# Instructions to how to run this program
+# 1. Install PythonBPF: pip install pythonbpf
+# 2. Run the program: python examples/sys_sync.py
+# 3. Run the program with sudo: sudo tools/check.sh run examples/sys_sync.o
+# 4. Start a Python repl and `import os` and then keep entering `os.sync()` to see reponses.
+
+
+@bpf
+@map
+def last() -> HashMap:
+    return HashMap(key=c_uint64, value=c_uint64, max_entries=3)
+
+
+@bpf
+@section("tracepoint/syscalls/sys_enter_sync")
+def do_trace(ctx: c_void_p) -> c_int64:
+    key = 0
+    tsp = last().lookup(key)
+    if tsp:
+        kt = ktime()
+        delta = (kt - tsp)
+        if delta < 1000000000:
+            time_ms = (delta // 1000000)
+            print(f"sync called within last second, last {time_ms} ms ago")
+        last().delete(key)
+    else:
+        kt = ktime()
+        last().update(key, kt)
+    return c_int64(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+compile()
--- a/examples/vmlinux.py
+++ b/examples/vmlinux.py
--- a/examples/xdp_pass.py
+++ b/examples/xdp_pass.py
@ -0,0 +1,41 @@
+from pythonbpf import bpf, map, section, bpfglobal, compile
+from pythonbpf.helpers import XDP_PASS
+from pythonbpf.maps import HashMap
+
+from ctypes import c_void_p, c_int64
+
+# Instructions to how to run this program
+# 1. Install PythonBPF: pip install pythonbpf
+# 2. Run the program: python examples/xdp_pass.py
+# 3. Run the program with sudo: sudo tools/check.sh run examples/xdp_pass.o
+# 4. Attach object file to any network device with something like ./check.sh xdp examples/xdp_pass.o tailscale0
+# 5. send traffic through the device and observe effects
+
+@bpf
+@map
+def count() -> HashMap:
+    return HashMap(key=c_int64, value=c_int64, max_entries=1)
+
+
+@bpf
+@section("xdp")
+def hello_world(ctx: c_void_p) -> c_int64:
+    key = 0
+    one = 1
+    prev = count().lookup(key)
+    if prev:
+        prevval = prev + 1
+        print(f"count: {prevval}")
+        count().update(key, prevval)
+        return XDP_PASS
+    else:
+        count().update(key, one)
+
+    return XDP_PASS
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+compile()
--- a/pyproject.toml
+++ b/pyproject.toml
@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

 [project]
 name = "pythonbpf"
-version = "0.1.1"
+version = "0.1.3"
 description = "Reduced Python frontend for eBPF"
 authors = [
  { name = "r41k0u", email="pragyanshchaturvedi18@gmail.com" },
@ -16,7 +16,8 @@ requires-python = ">=3.8"

 dependencies = [
  "llvmlite",
-  "astpretty"
+  "astpretty",
+  "pylibbpf"
 ]

 [tool.setuptools.packages.find]
--- a/pythonbpf/init.py
+++ b/pythonbpf/init.py
@ -1,2 +1,2 @@
-from .decorators import bpf, map, section, bpfglobal
-from .codegen import compile_to_ir, compile
+from .decorators import bpf, map, section, bpfglobal, struct
+from .codegen import compile_to_ir, compile, BPF
--- a/pythonbpf/binary_ops.py
+++ b/pythonbpf/binary_ops.py
@ -1,35 +1,82 @@
 import ast
 from llvmlite import ir

-def handle_binary_op(rval, module, builder, func, local_sym_tab, map_sym_tab):
+
+def recursive_dereferencer(var, builder):
+    """ dereference until primitive type comes out"""
+    if var.type == ir.PointerType(ir.PointerType(ir.IntType(64))):
+        a = builder.load(var)
+        return recursive_dereferencer(a, builder)
+    elif var.type == ir.PointerType(ir.IntType(64)):
+        a = builder.load(var)
+        return recursive_dereferencer(a, builder)
+    elif var.type == ir.IntType(64):
+        return var
+    else:
+        raise TypeError(f"Unsupported type for dereferencing: {var.type}")
+
+
+def handle_binary_op(rval, module, builder, var_name, local_sym_tab, map_sym_tab, func):
+    print(module)
    left = rval.left
    right = rval.right
    op = rval.op

+    # Handle left operand
    if isinstance(left, ast.Name):
-        left = local_sym_tab[left.id]
+        if left.id in local_sym_tab:
+            left = recursive_dereferencer(local_sym_tab[left.id][0], builder)
+        else:
+            raise SyntaxError(f"Undefined variable: {left.id}")
    elif isinstance(left, ast.Constant):
        left = ir.Constant(ir.IntType(64), left.value)
    else:
-        print("Unsupported left operand type")
+        raise SyntaxError("Unsupported left operand type")

    if isinstance(right, ast.Name):
-        right = local_sym_tab[right.id]
+        if right.id in local_sym_tab:
+            right = recursive_dereferencer(local_sym_tab[right.id][0], builder)
+        else:
+            raise SyntaxError(f"Undefined variable: {right.id}")
    elif isinstance(right, ast.Constant):
        right = ir.Constant(ir.IntType(64), right.value)
    else:
-        SyntaxError("Unsupported right operand type")
+        raise SyntaxError("Unsupported right operand type")
+
+    print(f"left is {left}, right is {right}, op is {op}")

    if isinstance(op, ast.Add):
-        result = builder.add(left, right)
+        builder.store(builder.add(left, right),
+                      local_sym_tab[var_name][0])
    elif isinstance(op, ast.Sub):
-        result = builder.sub(left, right)
+        builder.store(builder.sub(left, right),
+                      local_sym_tab[var_name][0])
    elif isinstance(op, ast.Mult):
-        result = builder.mul(left, right)
+        builder.store(builder.mul(left, right),
+                      local_sym_tab[var_name][0])
    elif isinstance(op, ast.Div):
-        result = builder.sdiv(left, right)
+        builder.store(builder.sdiv(left, right),
+                      local_sym_tab[var_name][0])
+    elif isinstance(op, ast.Mod):
+        builder.store(builder.srem(left, right),
+                      local_sym_tab[var_name][0])
+    elif isinstance(op, ast.LShift):
+        builder.store(builder.shl(left, right),
+                      local_sym_tab[var_name][0])
+    elif isinstance(op, ast.RShift):
+        builder.store(builder.lshr(left, right),
+                      local_sym_tab[var_name][0])
+    elif isinstance(op, ast.BitOr):
+        builder.store(builder.or_(left, right),
+                      local_sym_tab[var_name][0])
+    elif isinstance(op, ast.BitXor):
+        builder.store(builder.xor(left, right),
+                      local_sym_tab[var_name][0])
+    elif isinstance(op, ast.BitAnd):
+        builder.store(builder.and_(left, right),
+                      local_sym_tab[var_name][0])
+    elif isinstance(op, ast.FloorDiv):
+        builder.store(builder.udiv(left, right),
+                      local_sym_tab[var_name][0])
    else:
-        result = "fuck type errors"
-        SyntaxError("Unsupported binary operation")
-
-    return result
+        raise SyntaxError("Unsupported binary operation")
--- a/pythonbpf/bpf_helper_handler.py
+++ b/pythonbpf/bpf_helper_handler.py
@ -1,306 +0,0 @@
-import ast
-from llvmlite import ir
-from .expr_pass import eval_expr
-
-
-def bpf_ktime_get_ns_emitter(call, map_ptr, module, builder, func, local_sym_tab=None):
-    """
-    Emit LLVM IR for bpf_ktime_get_ns helper function call.
-    """
-    # func is an arg to just have a uniform signature with other emitters
-    helper_id = ir.Constant(ir.IntType(64), 5)
-    fn_type = ir.FunctionType(ir.IntType(64), [], var_arg=False)
-    fn_ptr_type = ir.PointerType(fn_type)
-    fn_ptr = builder.inttoptr(helper_id, fn_ptr_type)
-    result = builder.call(fn_ptr, [], tail=False)
-    return result
-
-
-def bpf_map_lookup_elem_emitter(call, map_ptr, module, builder, local_sym_tab=None):
-    """
-    Emit LLVM IR for bpf_map_lookup_elem helper function call.
-    """
-    if call.args and len(call.args) != 1:
-        raise ValueError("Map lookup expects exactly one argument, got "
-                         f"{len(call.args)}")
-    key_arg = call.args[0]
-    if isinstance(key_arg, ast.Name):
-        key_name = key_arg.id
-        if local_sym_tab and key_name in local_sym_tab:
-            key_ptr = local_sym_tab[key_name]
-        else:
-            raise ValueError(
-                f"Key variable {key_name} not found in local symbol table.")
-    elif isinstance(key_arg, ast.Constant) and isinstance(key_arg.value, int):
-        # handle constant integer keys
-        key_val = key_arg.value
-        key_type = ir.IntType(64)
-        key_ptr = builder.alloca(key_type)
-        key_ptr.align = key_type // 8
-        builder.store(ir.Constant(key_type, key_val), key_ptr)
-    else:
-        raise NotImplementedError(
-            "Only simple variable names are supported as keys in map lookup.")
-
-    if key_ptr is None:
-        raise ValueError("Key pointer is None.")
-
-    map_void_ptr = builder.bitcast(map_ptr, ir.PointerType())
-
-    fn_type = ir.FunctionType(
-        ir.PointerType(),  # Return type: void*
-        [ir.PointerType(), ir.PointerType()],  # Args: (void*, void*)
-        var_arg=False
-    )
-    fn_ptr_type = ir.PointerType(fn_type)
-
-    # Helper ID 1 is bpf_map_lookup_elem
-    fn_addr = ir.Constant(ir.IntType(64), 1)
-    fn_ptr = builder.inttoptr(fn_addr, fn_ptr_type)
-
-    result = builder.call(fn_ptr, [map_void_ptr, key_ptr], tail=False)
-
-    return result
-
-
-def bpf_printk_emitter(call, map_ptr, module, builder, func, local_sym_tab=None):
-    if not hasattr(func, "_fmt_counter"):
-        func._fmt_counter = 0
-
-    if not call.args:
-        raise ValueError("print expects at least one argument")
-
-    if isinstance(call.args[0], ast.JoinedStr):
-        fmt_parts = []
-        exprs = []
-
-        for value in call.args[0].values:
-            if isinstance(value, ast.Constant):
-                if isinstance(value.value, str):
-                    fmt_parts.append(value.value)
-                elif isinstance(value.value, int):
-                    fmt_parts.append("%lld")
-                    exprs.append(ir.Constant(ir.IntType(64), value.value))
-                else:
-                    raise NotImplementedError(
-                        "Only string and integer constants are supported in f-string.")
-            elif isinstance(value, ast.FormattedValue):
-                # Assume int for now
-                fmt_parts.append("%d")
-                if isinstance(value.value, ast.Name):
-                    exprs.append(value.value)
-                else:
-                    raise NotImplementedError(
-                        "Only simple variable names are supported in formatted values.")
-            else:
-                raise NotImplementedError(
-                    "Unsupported value type in f-string.")
-
-        fmt_str = "".join(fmt_parts) + "\n" + "\0"
-        fmt_name = f"{func.name}____fmt{func._fmt_counter}"
-        func._fmt_counter += 1
-
-        fmt_gvar = ir.GlobalVariable(
-            module, ir.ArrayType(ir.IntType(8), len(fmt_str)), name=fmt_name)
-        fmt_gvar.global_constant = True
-        fmt_gvar.initializer = ir.Constant(
-            ir.ArrayType(ir.IntType(8), len(fmt_str)),
-            bytearray(fmt_str.encode("utf8"))
-        )
-        fmt_gvar.linkage = "internal"
-        fmt_gvar.align = 1
-
-        fmt_ptr = builder.bitcast(fmt_gvar, ir.PointerType())
-
-        args = [fmt_ptr, ir.Constant(ir.IntType(32), len(fmt_str))]
-
-        # Only 3 args supported in bpf_printk
-        if len(exprs) > 3:
-            print(
-                "Warning: bpf_printk supports up to 3 arguments, extra arguments will be ignored.")
-
-        for expr in exprs[:3]:
-            val = eval_expr(func, module, builder, expr, local_sym_tab, None)
-            if val:
-                if isinstance(val.type, ir.PointerType):
-                    val = builder.ptrtoint(val, ir.IntType(64))
-                elif isinstance(val.type, ir.IntType):
-                    if val.type.width < 64:
-                        val = builder.sext(val, ir.IntType(64))
-                else:
-                    print(
-                        "Warning: Only integer and pointer types are supported in bpf_printk arguments. Others will be converted to 0.")
-                    val = ir.Constant(ir.IntType(64), 0)
-                args.append(val)
-            else:
-                print(
-                    "Warning: Failed to evaluate expression for bpf_printk argument. It will be converted to 0.")
-                args.append(ir.Constant(ir.IntType(64), 0))
-
-        fn_type = ir.FunctionType(ir.IntType(
-            64), [ir.PointerType(), ir.IntType(32)], var_arg=True)
-        fn_ptr_type = ir.PointerType(fn_type)
-        fn_addr = ir.Constant(ir.IntType(64), 6)
-        fn_ptr = builder.inttoptr(fn_addr, fn_ptr_type)
-        return builder.call(fn_ptr, args, tail=True)
-
-    for arg in call.args:
-        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
-            fmt_str = arg.value + "\n" + "\0"
-            fmt_name = f"{func.name}____fmt{func._fmt_counter}"
-            func._fmt_counter += 1
-
-            fmt_gvar = ir.GlobalVariable(
-                module, ir.ArrayType(ir.IntType(8), len(fmt_str)), name=fmt_name)
-            fmt_gvar.global_constant = True
-            fmt_gvar.initializer = ir.Constant(     # type: ignore
-                ir.ArrayType(ir.IntType(8), len(fmt_str)),
-                bytearray(fmt_str.encode("utf8"))
-            )
-            fmt_gvar.linkage = "internal"
-            fmt_gvar.align = 1      # type: ignore
-
-            fmt_ptr = builder.bitcast(fmt_gvar, ir.PointerType())
-
-            fn_type = ir.FunctionType(ir.IntType(
-                64), [ir.PointerType(), ir.IntType(32)], var_arg=True)
-            fn_ptr_type = ir.PointerType(fn_type)
-            fn_addr = ir.Constant(ir.IntType(64), 6)
-            fn_ptr = builder.inttoptr(fn_addr, fn_ptr_type)
-
-            builder.call(fn_ptr, [fmt_ptr, ir.Constant(
-                ir.IntType(32), len(fmt_str))], tail=True)
-
-
-def bpf_map_update_elem_emitter(call, map_ptr, module, builder, local_sym_tab=None):
-    """
-    Emit LLVM IR for bpf_map_update_elem helper function call.
-    Expected call signature: map.update(key, value, flags=0)
-    """
-    if not call.args or len(call.args) < 2 or len(call.args) > 3:
-        raise ValueError("Map update expects 2 or 3 arguments (key, value, flags), got "
-                         f"{len(call.args)}")
-
-    key_arg = call.args[0]
-    value_arg = call.args[1]
-    flags_arg = call.args[2] if len(call.args) > 2 else None
-
-    # Handle key
-    if isinstance(key_arg, ast.Name):
-        key_name = key_arg.id
-        if local_sym_tab and key_name in local_sym_tab:
-            key_ptr = local_sym_tab[key_name]
-        else:
-            raise ValueError(
-                f"Key variable {key_name} not found in local symbol table.")
-    elif isinstance(key_arg, ast.Constant) and isinstance(key_arg.value, int):
-        # Handle constant integer keys
-        key_val = key_arg.value
-        key_type = ir.IntType(64)
-        key_ptr = builder.alloca(key_type)
-        key_ptr.align = key_type.width // 8
-        builder.store(ir.Constant(key_type, key_val), key_ptr)
-    else:
-        raise NotImplementedError(
-            "Only simple variable names and integer constants are supported as keys in map update.")
-
-    # Handle value
-    if isinstance(value_arg, ast.Name):
-        value_name = value_arg.id
-        if local_sym_tab and value_name in local_sym_tab:
-            value_ptr = local_sym_tab[value_name]
-        else:
-            raise ValueError(
-                f"Value variable {value_name} not found in local symbol table.")
-    elif isinstance(value_arg, ast.Constant) and isinstance(value_arg.value, int):
-        # Handle constant integers
-        value_val = value_arg.value
-        value_type = ir.IntType(64)
-        value_ptr = builder.alloca(value_type)
-        value_ptr.align = value_type.width // 8
-        builder.store(ir.Constant(value_type, value_val), value_ptr)
-    else:
-        raise NotImplementedError(
-            "Only simple variable names and integer constants are supported as values in map update.")
-
-    # Handle flags argument (defaults to 0)
-    if flags_arg is not None:
-        if isinstance(flags_arg, ast.Constant) and isinstance(flags_arg.value, int):
-            flags_val = flags_arg.value
-        elif isinstance(flags_arg, ast.Name):
-            flags_name = flags_arg.id
-            if local_sym_tab and flags_name in local_sym_tab:
-                # Assume it's a stored integer value, load it
-                flags_ptr = local_sym_tab[flags_name]
-                flags_val = builder.load(flags_ptr)
-            else:
-                raise ValueError(
-                    f"Flags variable {flags_name} not found in local symbol table.")
-        else:
-            raise NotImplementedError(
-                "Only integer constants and simple variable names are supported as flags in map update.")
-    else:
-        flags_val = 0
-
-    if key_ptr is None or value_ptr is None:
-        raise ValueError("Key pointer or value pointer is None.")
-
-    map_void_ptr = builder.bitcast(map_ptr, ir.PointerType())
-    fn_type = ir.FunctionType(
-        ir.IntType(64),
-        [ir.PointerType(), ir.PointerType(), ir.PointerType(), ir.IntType(64)],
-        var_arg=False
-    )
-    fn_ptr_type = ir.PointerType(fn_type)
-
-    # helper id
-    fn_addr = ir.Constant(ir.IntType(64), 2)
-    fn_ptr = builder.inttoptr(fn_addr, fn_ptr_type)
-
-    if isinstance(flags_val, int):
-        flags_const = ir.Constant(ir.IntType(64), flags_val)
-    else:
-        flags_const = flags_val
-
-    result = builder.call(
-        fn_ptr, [map_void_ptr, key_ptr, value_ptr, flags_const], tail=False)
-
-    return result
-
-
-helper_func_list = {
-    "lookup": bpf_map_lookup_elem_emitter,
-    "print": bpf_printk_emitter,
-    "ktime": bpf_ktime_get_ns_emitter,
-    "update": bpf_map_update_elem_emitter,
-}
-
-
-def handle_helper_call(call, module, builder, func, local_sym_tab=None, map_sym_tab=None):
-    if isinstance(call.func, ast.Name):
-        func_name = call.func.id
-        if func_name in helper_func_list:
-            # it is not a map method call
-            return helper_func_list[func_name](call, None, module, builder, func, local_sym_tab)
-        else:
-            raise NotImplementedError(
-                f"Function {func_name} is not implemented as a helper function.")
-    elif isinstance(call.func, ast.Attribute):
-        # likely a map method call
-        if isinstance(call.func.value, ast.Call) and isinstance(call.func.value.func, ast.Name):
-            map_name = call.func.value.func.id
-            method_name = call.func.attr
-            if map_sym_tab and map_name in map_sym_tab:
-                map_ptr = map_sym_tab[map_name]
-                if method_name in helper_func_list:
-                    return helper_func_list[method_name](
-                        call, map_ptr, module, builder, local_sym_tab)
-                else:
-                    raise NotImplementedError(
-                        f"Map method {method_name} is not implemented as a helper function.")
-            else:
-                raise ValueError(
-                    f"Map variable {map_name} not found in symbol tables.")
-        else:
-            raise NotImplementedError(
-                "Attribute not supported for map method calls.")
--- a/pythonbpf/codegen.py
+++ b/pythonbpf/codegen.py
@ -2,18 +2,25 @@ import ast
 from llvmlite import ir
 from .license_pass import license_processing
 from .functions_pass import func_proc
-from .maps_pass import maps_proc
+from pythonbpf.maps import maps_proc
+from .structs import structs_proc
 from .globals_pass import globals_processing
+from .debuginfo import DW_LANG_C11, DwarfBehaviorEnum
 import os
 import subprocess
 import inspect
 from pathlib import Path
+from pylibbpf import BpfProgram
+import tempfile
+
+VERSION = "v0.1.3"
+

 def find_bpf_chunks(tree):
    """Find all functions decorated with @bpf in the AST."""
    bpf_functions = []
    for node in ast.walk(tree):
-        if isinstance(node, ast.FunctionDef):
+        if isinstance(node, ast.FunctionDef) or isinstance(node, ast.ClassDef):
            for decorator in node.decorator_list:
                if isinstance(decorator, ast.Name) and decorator.id == "bpf":
                    bpf_functions.append(node)
@ -27,10 +34,11 @@ def processor(source_code, filename, module):

    bpf_chunks = find_bpf_chunks(tree)
    for func_node in bpf_chunks:
-        print(f"Found BPF function: {func_node.name}")
+        print(f"Found BPF function/struct: {func_node.name}")

+    structs_sym_tab = structs_proc(tree, module, bpf_chunks)
    map_sym_tab = maps_proc(tree, module, bpf_chunks)
-    func_proc(tree, module, bpf_chunks, map_sym_tab)
+    func_proc(tree, module, bpf_chunks, map_sym_tab, structs_sym_tab)

    license_processing(tree, module)
    globals_processing(tree, module)
@ -45,49 +53,53 @@ def compile_to_ir(filename: str, output: str):
    module.triple = "bpf"

    if not hasattr(module, '_debug_compile_unit'):
-        module._file_metadata = module.add_debug_info("DIFile", {       # type: ignore
+        module._file_metadata = module.add_debug_info("DIFile", {  # type: ignore
            "filename": filename,
            "directory": os.path.dirname(filename)
        })
-        
-        module._debug_compile_unit = module.add_debug_info("DICompileUnit", {       # type: ignore
-            "language": 29,  # DW_LANG_C11
-            "file": module._file_metadata,      # type: ignore
-            "producer": "PythonBPF DSL Compiler",
-            "isOptimized": True,
+
+        module._debug_compile_unit = module.add_debug_info("DICompileUnit", {  # type: ignore
+            "language": DW_LANG_C11,
+            "file": module._file_metadata,  # type: ignore
+            "producer": f"PythonBPF {VERSION}",
+            "isOptimized": True,  # TODO: This is probably not true
+            # TODO: add a global field here that keeps track of all the globals. Works without it, but I think it might
+            # be required for kprobes.
            "runtimeVersion": 0,
            "emissionKind": 1,
            "splitDebugInlining": False,
            "nameTableKind": 0
        }, is_distinct=True)

-        module.add_named_metadata("llvm.dbg.cu", module._debug_compile_unit)        # type: ignore
+        module.add_named_metadata(
+            "llvm.dbg.cu", module._debug_compile_unit)  # type: ignore

    processor(source, filename, module)

-    wchar_size = module.add_metadata([ir.Constant(ir.IntType(32), 1),
+    wchar_size = module.add_metadata([DwarfBehaviorEnum.ERROR_IF_MISMATCH,
                                      "wchar_size",
                                      ir.Constant(ir.IntType(32), 4)])
-    frame_pointer = module.add_metadata([ir.Constant(ir.IntType(32), 7),
+    frame_pointer = module.add_metadata([DwarfBehaviorEnum.OVERRIDE_USE_LARGEST,
                                         "frame-pointer",
                                         ir.Constant(ir.IntType(32), 2)])
    # Add Debug Info Version (3 = DWARF v3, which LLVM expects)
-    debug_info_version = module.add_metadata([ir.Constant(ir.IntType(32), 2),
+    debug_info_version = module.add_metadata([DwarfBehaviorEnum.WARNING_IF_MISMATCH,
                                              "Debug Info Version",
                                              ir.Constant(ir.IntType(32), 3)])

-    # Add explicit DWARF version (4 is common, works with LLVM BPF backend)
-    dwarf_version = module.add_metadata([ir.Constant(ir.IntType(32), 2),
+    # Add explicit DWARF version 5
+    dwarf_version = module.add_metadata([DwarfBehaviorEnum.OVERRIDE_USE_LARGEST,
                                         "Dwarf Version",
-                                         ir.Constant(ir.IntType(32), 4)])
+                                         ir.Constant(ir.IntType(32), 5)])

    module.add_named_metadata("llvm.module.flags", wchar_size)
    module.add_named_metadata("llvm.module.flags", frame_pointer)
    module.add_named_metadata("llvm.module.flags", debug_info_version)
    module.add_named_metadata("llvm.module.flags", dwarf_version)

-    module.add_named_metadata("llvm.ident", ["llvmlite PythonBPF v0.0.1"])
+    module.add_named_metadata("llvm.ident", [f"PythonBPF {VERSION}"])

+    print(f"IR written to {output}")
    with open(output, "w") as f:
        f.write(f"source_filename = \"{filename}\"\n")
        f.write(str(module))
@ -95,6 +107,7 @@ def compile_to_ir(filename: str, output: str):

    return output

+
 def compile():
    # Look one level up the stack to the caller of this function
    caller_frame = inspect.stack()[1]
@ -110,4 +123,22 @@ def compile():
        str(ll_file), "-o", str(o_file)
    ], check=True)

-    print(f"Object written to {o_file}")
+    print(f"Object written to {o_file}, {ll_file} can be removed")
+
+
+def BPF() -> BpfProgram:
+    caller_frame = inspect.stack()[1]
+    src = inspect.getsource(caller_frame.frame)
+    with tempfile.NamedTemporaryFile(mode="w+", delete=True, suffix=".py") as f, \
+            tempfile.NamedTemporaryFile(mode="w+", delete=True, suffix=".ll") as inter, \
+            tempfile.NamedTemporaryFile(mode="w+", delete=False, suffix=".o") as obj_file:
+        f.write(src)
+        f.flush()
+        source = f.name
+        compile_to_ir(source, str(inter.name))
+        subprocess.run([
+            "llc", "-march=bpf", "-filetype=obj", "-O2",
+            str(inter.name), "-o", str(obj_file.name)
+        ], check=True)
+
+        return BpfProgram(str(obj_file.name))
--- a/pythonbpf/debuginfo/init.py
+++ b/pythonbpf/debuginfo/init.py
@ -0,0 +1,3 @@
+from .dwarf_constants import *
+from .dtypes import *
+from .debug_info_generator import DebugInfoGenerator
--- a/pythonbpf/debuginfo/debug_info_generator.py
+++ b/pythonbpf/debuginfo/debug_info_generator.py
@ -0,0 +1,92 @@
+"""
+Debug information generation module for Python-BPF
+Provides utilities for generating DWARF/BTF debug information
+"""
+
+from . import dwarf_constants as dc
+from typing import Dict, Any, List, Optional, Union
+
+
+class DebugInfoGenerator:
+    def __init__(self, module):
+        self.module = module
+        self._type_cache = {}  # Cache for common debug types
+
+    def get_basic_type(self, name: str, size: int, encoding: int) -> Any:
+        """Get or create a basic type with caching"""
+        key = (name, size, encoding)
+        if key not in self._type_cache:
+            self._type_cache[key] = self.module.add_debug_info("DIBasicType", {
+                "name": name,
+                "size": size,
+                "encoding": encoding
+            })
+        return self._type_cache[key]
+
+    def get_uint32_type(self) -> Any:
+        """Get debug info for unsigned 32-bit integer"""
+        return self.get_basic_type("unsigned int", 32, dc.DW_ATE_unsigned)
+
+    def get_uint64_type(self) -> Any:
+        """Get debug info for unsigned 64-bit integer"""
+        return self.get_basic_type("unsigned long long", 64, dc.DW_ATE_unsigned)
+
+    def create_pointer_type(self, base_type: Any, size: int = 64) -> Any:
+        """Create a pointer type to the given base type"""
+        return self.module.add_debug_info("DIDerivedType", {
+            "tag": dc.DW_TAG_pointer_type,
+            "baseType": base_type,
+            "size": size
+        })
+
+    def create_array_type(self, base_type: Any, count: int) -> Any:
+        """Create an array type of the given base type with specified count"""
+        subrange = self.module.add_debug_info("DISubrange", {"count": count})
+        return self.module.add_debug_info("DICompositeType", {
+            "tag": dc.DW_TAG_array_type,
+            "baseType": base_type,
+            "size": self._compute_array_size(base_type, count),
+            "elements": [subrange]
+        })
+
+    @staticmethod
+    def _compute_array_size(base_type: Any, count: int) -> int:
+        # Extract size from base_type if possible
+        # For simplicity, assuming base_type has a size attribute
+        return getattr(base_type, "size", 32) * count
+
+    def create_struct_member(self, name: str, base_type: Any, offset: int) -> Any:
+        """Create a struct member with the given name, type, and offset"""
+        return self.module.add_debug_info("DIDerivedType", {
+            "tag": dc.DW_TAG_member,
+            "name": name,
+            "file": self.module._file_metadata,
+            "baseType": base_type,
+            "size": getattr(base_type, "size", 64),
+            "offset": offset
+        })
+
+    def create_struct_type(self, members: List[Any], size: int, is_distinct: bool) -> Any:
+        """Create a struct type with the given members and size"""
+        return self.module.add_debug_info("DICompositeType", {
+            "tag": dc.DW_TAG_structure_type,
+            "file": self.module._file_metadata,
+            "size": size,
+            "elements": members,
+        }, is_distinct=is_distinct)
+
+    def create_global_var_debug_info(self, name: str, var_type: Any, is_local: bool = False) -> Any:
+        """Create debug info for a global variable"""
+        global_var = self.module.add_debug_info("DIGlobalVariable", {
+            "name": name,
+            "scope": self.module._debug_compile_unit,
+            "file": self.module._file_metadata,
+            "type": var_type,
+            "isLocal": is_local,
+            "isDefinition": True
+        }, is_distinct=True)
+
+        return self.module.add_debug_info("DIGlobalVariableExpression", {
+            "var": global_var,
+            "expr": self.module.add_debug_info("DIExpression", {})
+        })
--- a/pythonbpf/debuginfo/dtypes.py
+++ b/pythonbpf/debuginfo/dtypes.py
@ -0,0 +1,6 @@
+import llvmlite.ir as ir
+
+class DwarfBehaviorEnum:
+    ERROR_IF_MISMATCH = ir.Constant(ir.IntType(32), 1)
+    WARNING_IF_MISMATCH = ir.Constant(ir.IntType(32), 2)
+    OVERRIDE_USE_LARGEST = ir.Constant(ir.IntType(32), 7)
--- a/pythonbpf/debuginfo/dwarf_constants.py
+++ b/pythonbpf/debuginfo/dwarf_constants.py
--- a/pythonbpf/decorators.py
+++ b/pythonbpf/decorators.py
@ -9,11 +9,19 @@ def bpfglobal(func):
    func._is_bpfglobal = True
    return func

+
 def map(func):
    """Decorator to mark a function as a BPF map."""
    func._is_map = True
    return func

+
+def struct(cls):
+    """Decorator to mark a class as a BPF struct."""
+    cls._is_struct = True
+    return cls
+
+
 def section(name: str):
    def wrapper(fn):
        fn._section = name
--- a/pythonbpf/expr_pass.py
+++ b/pythonbpf/expr_pass.py
@ -2,48 +2,99 @@ import ast
 from llvmlite import ir


-def eval_expr(func, module, builder, expr, local_sym_tab, map_sym_tab):
-    print(f"Evaluating expression: {expr}")
+def eval_expr(func, module, builder, expr, local_sym_tab, map_sym_tab, structs_sym_tab=None, local_var_metadata=None):
+    print(f"Evaluating expression: {ast.dump(expr)}")
+    print(local_var_metadata)
    if isinstance(expr, ast.Name):
        if expr.id in local_sym_tab:
-            var = local_sym_tab[expr.id]
+            var = local_sym_tab[expr.id][0]
            val = builder.load(var)
-            return val
+            return val, local_sym_tab[expr.id][1]  # return value and type
        else:
            print(f"Undefined variable {expr.id}")
            return None
    elif isinstance(expr, ast.Constant):
        if isinstance(expr.value, int):
-            return ir.Constant(ir.IntType(64), expr.value)
+            return ir.Constant(ir.IntType(64), expr.value), ir.IntType(64)
        elif isinstance(expr.value, bool):
-            return ir.Constant(ir.IntType(1), int(expr.value))
+            return ir.Constant(ir.IntType(1), int(expr.value)), ir.IntType(1)
        else:
            print("Unsupported constant type")
            return None
    elif isinstance(expr, ast.Call):
        # delayed import to avoid circular dependency
-        from .bpf_helper_handler import helper_func_list, handle_helper_call
+        from pythonbpf.helper import HelperHandlerRegistry, handle_helper_call

        if isinstance(expr.func, ast.Name):
-            # check for helpers first
-            if expr.func.id in helper_func_list:
+            # check deref
+            if expr.func.id == "deref":
+                print(f"Handling deref {ast.dump(expr)}")
+                if len(expr.args) != 1:
+                    print("deref takes exactly one argument")
+                    return None
+                arg = expr.args[0]
+                if isinstance(arg, ast.Call) and isinstance(arg.func, ast.Name) and arg.func.id == "deref":
+                    print("Multiple deref not supported")
+                    return None
+                if isinstance(arg, ast.Name):
+                    if arg.id in local_sym_tab:
+                        arg = local_sym_tab[arg.id][0]
+                    else:
+                        print(f"Undefined variable {arg.id}")
+                        return None
+                if arg is None:
+                    print("Failed to evaluate deref argument")
+                    return None
+                # Since we are handling only name case, directly take type from sym tab
+                val = builder.load(arg)
+                return val, local_sym_tab[expr.args[0].id][1]
+
+            # check for helpers
+            if expr.func.id in HelperHandlerRegistry._handlers:
                return handle_helper_call(
-                    expr, module, builder, func, local_sym_tab, map_sym_tab)
+                    expr, module, builder, func, local_sym_tab, map_sym_tab, structs_sym_tab, local_var_metadata)
        elif isinstance(expr.func, ast.Attribute):
+            print(f"Handling method call: {ast.dump(expr.func)}")
            if isinstance(expr.func.value, ast.Call) and isinstance(expr.func.value.func, ast.Name):
                method_name = expr.func.attr
-                if method_name in helper_func_list:
+                if method_name in HelperHandlerRegistry._handlers:
                    return handle_helper_call(
-                        expr, module, builder, func, local_sym_tab, map_sym_tab)
+                        expr, module, builder, func, local_sym_tab, map_sym_tab, structs_sym_tab, local_var_metadata)
+            elif isinstance(expr.func.value, ast.Name):
+                obj_name = expr.func.value.id
+                method_name = expr.func.attr
+                if obj_name in map_sym_tab:
+                    if method_name in HelperHandlerRegistry._handlers:
+                        return handle_helper_call(
+                            expr, module, builder, func, local_sym_tab, map_sym_tab, structs_sym_tab, local_var_metadata)
+    elif isinstance(expr, ast.Attribute):
+        if isinstance(expr.value, ast.Name):
+            var_name = expr.value.id
+            attr_name = expr.attr
+            if var_name in local_sym_tab:
+                var_ptr, var_type = local_sym_tab[var_name]
+                print(f"Loading attribute "
+                      f"{attr_name} from variable {var_name}")
+                print(f"Variable type: {var_type}, Variable ptr: {var_ptr}")
+                print(local_var_metadata)
+                if local_var_metadata and var_name in local_var_metadata:
+                    metadata = structs_sym_tab[local_var_metadata[var_name]]
+                    if attr_name in metadata.fields:
+                        gep = metadata.gep(builder, var_ptr, attr_name)
+                        val = builder.load(gep)
+                        field_type = metadata.field_type(attr_name)
+                        return val, field_type
    print("Unsupported expression evaluation")
    return None


-def handle_expr(func, module, builder, expr, local_sym_tab, map_sym_tab):
+def handle_expr(func, module, builder, expr, local_sym_tab, map_sym_tab, structs_sym_tab, local_var_metadata):
    """Handle expression statements in the function body."""
    print(f"Handling expression: {ast.dump(expr)}")
+    print(local_var_metadata)
    call = expr.value
    if isinstance(call, ast.Call):
-        eval_expr(func, module, builder, call, local_sym_tab, map_sym_tab)
+        eval_expr(func, module, builder, call, local_sym_tab,
+                  map_sym_tab, structs_sym_tab, local_var_metadata)
    else:
        print("Unsupported expression type")
--- a/pythonbpf/functions_pass.py
+++ b/pythonbpf/functions_pass.py
@ -2,11 +2,13 @@ from llvmlite import ir
 import ast


-from .bpf_helper_handler import helper_func_list, handle_helper_call
+from .helper import HelperHandlerRegistry, handle_helper_call
 from .type_deducer import ctypes_to_ir
 from .binary_ops import handle_binary_op
 from .expr_pass import eval_expr, handle_expr

+local_var_metadata = {}
+

 def get_probe_string(func_node):
    """Extract the probe string from the decorator of the function node."""
@ -25,7 +27,7 @@ def get_probe_string(func_node):
    return "helper"


-def handle_assign(func, module, builder, stmt, map_sym_tab, local_sym_tab):
+def handle_assign(func, module, builder, stmt, map_sym_tab, local_sym_tab, structs_sym_tab):
    """Handle assignment statements in the function body."""
    if len(stmt.targets) != 1:
        print("Unsupported multiassignment")
@ -34,28 +36,68 @@ def handle_assign(func, module, builder, stmt, map_sym_tab, local_sym_tab):
    num_types = ("c_int32", "c_int64", "c_uint32", "c_uint64")

    target = stmt.targets[0]
-    if not isinstance(target, ast.Name):
+    print(f"Handling assignment to {ast.dump(target)}")
+    if not isinstance(target, ast.Name) and not isinstance(target, ast.Attribute):
        print("Unsupported assignment target")
        return
-    var_name = target.id
+    var_name = target.id if isinstance(target, ast.Name) else target.value.id
    rval = stmt.value
-    if isinstance(rval, ast.Constant):
+    if isinstance(target, ast.Attribute):
+        # struct field assignment
+        field_name = target.attr
+        if var_name in local_sym_tab and var_name in local_var_metadata:
+            struct_type = local_var_metadata[var_name]
+            struct_info = structs_sym_tab[struct_type]
+
+            if field_name in struct_info.fields:
+                field_ptr = struct_info.gep(
+                    builder, local_sym_tab[var_name][0], field_name)
+                val = eval_expr(func, module, builder, rval,
+                                local_sym_tab, map_sym_tab, structs_sym_tab)
+                if isinstance(struct_info.field_type(field_name), ir.ArrayType) and val[1] == ir.PointerType(ir.IntType(8)):
+                    # TODO: Figure it out, not a priority rn
+                    # Special case for string assignment to char array
+                    # str_len = struct_info["field_types"][field_idx].count
+                    # assign_string_to_array(builder, field_ptr, val[0], str_len)
+                    # print(f"Assigned to struct field {var_name}.{field_name}")
+                    pass
+                if val is None:
+                    print("Failed to evaluate struct field assignment")
+                    return
+                print(field_ptr)
+                builder.store(val[0], field_ptr)
+                print(f"Assigned to struct field {var_name}.{field_name}")
+                return
+    elif isinstance(rval, ast.Constant):
        if isinstance(rval.value, bool):
            if rval.value:
                builder.store(ir.Constant(ir.IntType(1), 1),
-                              local_sym_tab[var_name])
+                              local_sym_tab[var_name][0])
            else:
                builder.store(ir.Constant(ir.IntType(1), 0),
-                              local_sym_tab[var_name])
+                              local_sym_tab[var_name][0])
            print(f"Assigned constant {rval.value} to {var_name}")
        elif isinstance(rval.value, int):
            # Assume c_int64 for now
            # var = builder.alloca(ir.IntType(64), name=var_name)
            # var.align = 8
            builder.store(ir.Constant(ir.IntType(64), rval.value),
-                          local_sym_tab[var_name])
+                          local_sym_tab[var_name][0])
            # local_sym_tab[var_name] = var
            print(f"Assigned constant {rval.value} to {var_name}")
+        elif isinstance(rval.value, str):
+            str_val = rval.value.encode('utf-8') + b'\x00'
+            str_const = ir.Constant(ir.ArrayType(
+                ir.IntType(8), len(str_val)), bytearray(str_val))
+            global_str = ir.GlobalVariable(
+                module, str_const.type, name=f"{var_name}_str")
+            global_str.linkage = 'internal'
+            global_str.global_constant = True
+            global_str.initializer = str_const
+            str_ptr = builder.bitcast(
+                global_str, ir.PointerType(ir.IntType(8)))
+            builder.store(str_ptr, local_sym_tab[var_name][0])
+            print(f"Assigned string constant '{rval.value}' to {var_name}")
        else:
            print("Unsupported constant type")
    elif isinstance(rval, ast.Call):
@ -67,40 +109,65 @@ def handle_assign(func, module, builder, stmt, map_sym_tab, local_sym_tab):
                # var = builder.alloca(ir_type, name=var_name)
                # var.align = ir_type.width // 8
                builder.store(ir.Constant(
-                    ir_type, rval.args[0].value), local_sym_tab[var_name])
+                    ir_type, rval.args[0].value), local_sym_tab[var_name][0])
                print(f"Assigned {call_type} constant "
                      f"{rval.args[0].value} to {var_name}")
                # local_sym_tab[var_name] = var
-            elif call_type in helper_func_list:
+            elif call_type in HelperHandlerRegistry._handlers:
                # var = builder.alloca(ir.IntType(64), name=var_name)
                # var.align = 8
                val = handle_helper_call(
-                    rval, module, builder, None, local_sym_tab, map_sym_tab)
-                builder.store(val, local_sym_tab[var_name])
+                    rval, module, builder, func, local_sym_tab, map_sym_tab, structs_sym_tab, local_var_metadata)
+                builder.store(val[0], local_sym_tab[var_name][0])
                # local_sym_tab[var_name] = var
                print(f"Assigned constant {rval.func.id} to {var_name}")
+            elif call_type == "deref" and len(rval.args) == 1:
+                print(f"Handling deref assignment {ast.dump(rval)}")
+                val = eval_expr(func, module, builder, rval,
+                                local_sym_tab, map_sym_tab, structs_sym_tab)
+                if val is None:
+                    print("Failed to evaluate deref argument")
+                    return
+                print(f"Dereferenced value: {val}, storing in {var_name}")
+                builder.store(val[0], local_sym_tab[var_name][0])
+                # local_sym_tab[var_name] = var
+                print(f"Dereferenced and assigned to {var_name}")
+            elif call_type in structs_sym_tab and len(rval.args) == 0:
+                struct_info = structs_sym_tab[call_type]
+                ir_type = struct_info.ir_type
+                # var = builder.alloca(ir_type, name=var_name)
+                # Null init
+                builder.store(ir.Constant(ir_type, None),
+                              local_sym_tab[var_name][0])
+                local_var_metadata[var_name] = call_type
+                print(f"Assigned struct {call_type} to {var_name}")
+                # local_sym_tab[var_name] = var
            else:
                print(f"Unsupported assignment call type: {call_type}")
        elif isinstance(rval.func, ast.Attribute):
-            if isinstance(rval.func.value, ast.Call) and isinstance(rval.func.value.func, ast.Name):
+            print(f"Assignment call attribute: {ast.dump(rval.func)}")
+            if isinstance(rval.func.value, ast.Name):
+                # TODO: probably a struct access
+                print(f"TODO STRUCT ACCESS {ast.dump(rval)}")
+            elif isinstance(rval.func.value, ast.Call) and isinstance(rval.func.value.func, ast.Name):
                map_name = rval.func.value.func.id
                method_name = rval.func.attr
                if map_name in map_sym_tab:
                    map_ptr = map_sym_tab[map_name]
-                    if method_name in helper_func_list:
+                    if method_name in HelperHandlerRegistry._handlers:
                        val = handle_helper_call(
-                            rval, module, builder, func, local_sym_tab, map_sym_tab)
+                            rval, module, builder, func, local_sym_tab, map_sym_tab, structs_sym_tab, local_var_metadata)
                        # var = builder.alloca(ir.IntType(64), name=var_name)
                        # var.align = 8
-                        builder.store(val, local_sym_tab[var_name])
+                        builder.store(val[0], local_sym_tab[var_name][0])
                        # local_sym_tab[var_name] = var
            else:
                print("Unsupported assignment call structure")
        else:
            print("Unsupported assignment call function type")
    elif isinstance(rval, ast.BinOp):
-        handle_binary_op(rval, module, builder, func,
-                         local_sym_tab, map_sym_tab)
+        handle_binary_op(rval, module, builder, var_name,
+                         local_sym_tab, map_sym_tab, func)
    else:
        print("Unsupported assignment value type")

@ -116,20 +183,29 @@ def handle_cond(func, module, builder, cond, local_sym_tab, map_sym_tab):
            return None
    elif isinstance(cond, ast.Name):
        if cond.id in local_sym_tab:
-            var = local_sym_tab[cond.id]
+            var = local_sym_tab[cond.id][0]
            val = builder.load(var)
+            if val.type != ir.IntType(1):
+                # Convert nonzero values to true, zero to false
+                if isinstance(val.type, ir.PointerType):
+                    # For pointer types, compare with null pointer
+                    zero = ir.Constant(val.type, None)
+                else:
+                    # For integer types, compare with zero
+                    zero = ir.Constant(val.type, 0)
+                val = builder.icmp_signed("!=", val, zero)
            return val
        else:
            print(f"Undefined variable {cond.id} in condition")
            return None
    elif isinstance(cond, ast.Compare):
        lhs = eval_expr(func, module, builder, cond.left,
-                        local_sym_tab, map_sym_tab)
+                        local_sym_tab, map_sym_tab)[0]
        if len(cond.ops) != 1 or len(cond.comparators) != 1:
            print("Unsupported complex comparison")
            return None
        rhs = eval_expr(func, module, builder,
-                        cond.comparators[0], local_sym_tab, map_sym_tab)
+                        cond.comparators[0], local_sym_tab, map_sym_tab)[0]
        op = cond.ops[0]

        if lhs.type != rhs.type:
@ -163,7 +239,7 @@ def handle_cond(func, module, builder, cond, local_sym_tab, map_sym_tab):
        return None


-def handle_if(func, module, builder, stmt, map_sym_tab, local_sym_tab):
+def handle_if(func, module, builder, stmt, map_sym_tab, local_sym_tab, structs_sym_tab=None):
    """Handle if statements in the function body."""
    print("Handling if statement")
    start = builder.block.parent
@ -184,7 +260,7 @@ def handle_if(func, module, builder, stmt, map_sym_tab, local_sym_tab):
    builder.position_at_end(then_block)
    for s in stmt.body:
        process_stmt(func, module, builder, s,
-                     local_sym_tab, map_sym_tab, False)
+                     local_sym_tab, map_sym_tab, structs_sym_tab, False)
    if not builder.block.is_terminated:
        builder.branch(merge_block)

@ -192,23 +268,27 @@ def handle_if(func, module, builder, stmt, map_sym_tab, local_sym_tab):
        builder.position_at_end(else_block)
        for s in stmt.orelse:
            process_stmt(func, module, builder, s,
-                         local_sym_tab, map_sym_tab, False)
+                         local_sym_tab, map_sym_tab, structs_sym_tab, False)
        if not builder.block.is_terminated:
            builder.branch(merge_block)

    builder.position_at_end(merge_block)


-def process_stmt(func, module, builder, stmt, local_sym_tab, map_sym_tab, did_return, ret_type=ir.IntType(64)):
+def process_stmt(func, module, builder, stmt, local_sym_tab, map_sym_tab, structs_sym_tab, did_return, ret_type=ir.IntType(64)):
    print(f"Processing statement: {ast.dump(stmt)}")
    if isinstance(stmt, ast.Expr):
-        handle_expr(func, module, builder, stmt, local_sym_tab, map_sym_tab)
+        print(local_var_metadata)
+        handle_expr(func, module, builder, stmt, local_sym_tab,
+                    map_sym_tab, structs_sym_tab, local_var_metadata)
    elif isinstance(stmt, ast.Assign):
-        handle_assign(func, module, builder, stmt, map_sym_tab, local_sym_tab)
+        handle_assign(func, module, builder, stmt, map_sym_tab,
+                      local_sym_tab, structs_sym_tab)
    elif isinstance(stmt, ast.AugAssign):
        raise SyntaxError("Augmented assignment not supported")
    elif isinstance(stmt, ast.If):
-        handle_if(func, module, builder, stmt, map_sym_tab, local_sym_tab)
+        handle_if(func, module, builder, stmt, map_sym_tab,
+                  local_sym_tab, structs_sym_tab)
    elif isinstance(stmt, ast.Return):
        if stmt.value is None:
            builder.ret(ir.Constant(ir.IntType(32), 0))
@ -222,21 +302,30 @@ def process_stmt(func, module, builder, stmt, local_sym_tab, map_sym_tab, did_re
                builder.ret(ir.Constant(
                    ret_type, stmt.value.args[0].value))
                did_return = True
+        elif isinstance(stmt.value, ast.Name):
+            if stmt.value.id == "XDP_PASS":
+                builder.ret(ir.Constant(ret_type, 2))
+                did_return = True
+            elif stmt.value.id == "XDP_DROP":
+                builder.ret(ir.Constant(ret_type, 1))
+                did_return = True
+            else:
+                raise ValueError("Failed to evaluate return expression")
        else:
-            print("Unsupported return value")
+            raise ValueError("Unsupported return value")
    return did_return


-def process_func_body(module, builder, func_node, func, ret_type, map_sym_tab):
-    """Process the body of a bpf function"""
-    # TODO: A lot.  We just have print -> bpf_trace_printk for now
-    did_return = False
-
-    local_sym_tab = {}
-
-    # pre-allocate dynamic variables
-    for stmt in func_node.body:
-        if isinstance(stmt, ast.Assign):
+def allocate_mem(module, builder, body, func, ret_type, map_sym_tab, local_sym_tab, structs_sym_tab):
+    for stmt in body:
+        if isinstance(stmt, ast.If):
+            if stmt.body:
+                local_sym_tab = allocate_mem(
+                    module, builder, stmt.body, func, ret_type, map_sym_tab, local_sym_tab, structs_sym_tab)
+            if stmt.orelse:
+                local_sym_tab = allocate_mem(
+                    module, builder, stmt.orelse, func, ret_type, map_sym_tab, local_sym_tab, structs_sym_tab)
+        elif isinstance(stmt, ast.Assign):
            if len(stmt.targets) != 1:
                print("Unsupported multiassignment")
                continue
@ -255,13 +344,27 @@ def process_func_body(module, builder, func_node, func, ret_type, map_sym_tab):
                        var.align = ir_type.width // 8
                        print(
                            f"Pre-allocated variable {var_name} of type {call_type}")
-                    elif call_type in helper_func_list:
+                    elif call_type in HelperHandlerRegistry._handlers:
                        # Assume return type is int64 for now
                        ir_type = ir.IntType(64)
                        var = builder.alloca(ir_type, name=var_name)
                        var.align = ir_type.width // 8
                        print(
                            f"Pre-allocated variable {var_name} for helper")
+                    elif call_type == "deref" and len(rval.args) == 1:
+                        # Assume return type is int64 for now
+                        ir_type = ir.IntType(64)
+                        var = builder.alloca(ir_type, name=var_name)
+                        var.align = ir_type.width // 8
+                        print(
+                            f"Pre-allocated variable {var_name} for deref")
+                    elif call_type in structs_sym_tab:
+                        struct_info = structs_sym_tab[call_type]
+                        ir_type = struct_info.ir_type
+                        var = builder.alloca(ir_type, name=var_name)
+                        local_var_metadata[var_name] = call_type
+                        print(
+                            f"Pre-allocated variable {var_name} for struct {call_type}")
                elif isinstance(rval.func, ast.Attribute):
                    ir_type = ir.PointerType(ir.IntType(64))
                    var = builder.alloca(ir_type, name=var_name)
@ -285,25 +388,51 @@ def process_func_body(module, builder, func_node, func, ret_type, map_sym_tab):
                    var.align = ir_type.width // 8
                    print(
                        f"Pre-allocated variable {var_name} of type c_int64")
+                elif isinstance(rval.value, str):
+                    ir_type = ir.PointerType(ir.IntType(8))
+                    var = builder.alloca(ir_type, name=var_name)
+                    var.align = 8
+                    print(
+                        f"Pre-allocated variable {var_name} of type string")
                else:
-                    print("Unsupported constant type")
+                    print(f"Unsupported constant type")
                    continue
+            elif isinstance(rval, ast.BinOp):
+                # Assume c_int64 for now
+                ir_type = ir.IntType(64)
+                var = builder.alloca(ir_type, name=var_name)
+                var.align = ir_type.width // 8
+                print(
+                    f"Pre-allocated variable {var_name} of type c_int64")
            else:
                print("Unsupported assignment value type")
                continue
-            local_sym_tab[var_name] = var
+            local_sym_tab[var_name] = (var, ir_type)
+    return local_sym_tab
+
+
+def process_func_body(module, builder, func_node, func, ret_type, map_sym_tab, structs_sym_tab):
+    """Process the body of a bpf function"""
+    # TODO: A lot.  We just have print -> bpf_trace_printk for now
+    did_return = False
+
+    local_sym_tab = {}
+
+    # pre-allocate dynamic variables
+    local_sym_tab = allocate_mem(
+        module, builder, func_node.body, func, ret_type, map_sym_tab, local_sym_tab, structs_sym_tab)

    print(f"Local symbol table: {local_sym_tab.keys()}")

    for stmt in func_node.body:
        did_return = process_stmt(func, module, builder, stmt, local_sym_tab,
-                                  map_sym_tab, did_return, ret_type)
+                                  map_sym_tab, structs_sym_tab, did_return, ret_type)

    if not did_return:
        builder.ret(ir.Constant(ir.IntType(32), 0))


-def process_bpf_chunk(func_node, module, return_type, map_sym_tab):
+def process_bpf_chunk(func_node, module, return_type, map_sym_tab, structs_sym_tab):
    """Process a single BPF chunk (function) and emit corresponding LLVM IR."""

    func_name = func_node.name
@ -336,19 +465,16 @@ def process_bpf_chunk(func_node, module, return_type, map_sym_tab):
    block = func.append_basic_block(name="entry")
    builder = ir.IRBuilder(block)

-    process_func_body(module, builder, func_node, func, ret_type, map_sym_tab)
-
+    process_func_body(module, builder, func_node, func,
+                      ret_type, map_sym_tab, structs_sym_tab)
    return func


-def func_proc(tree, module, chunks, map_sym_tab):
+def func_proc(tree, module, chunks, map_sym_tab, structs_sym_tab):
    for func_node in chunks:
        is_global = False
        for decorator in func_node.decorator_list:
-            if isinstance(decorator, ast.Name) and decorator.id == "map":
-                is_global = True
-                break
-            elif isinstance(decorator, ast.Name) and decorator.id == "bpfglobal":
+            if isinstance(decorator, ast.Name) and decorator.id in ("map", "bpfglobal", "struct"):
                is_global = True
                break
        if is_global:
@ -357,7 +483,7 @@ def func_proc(tree, module, chunks, map_sym_tab):
        print(f"Found probe_string of {func_node.name}: {func_type}")

        process_bpf_chunk(func_node, module, ctypes_to_ir(
-            infer_return_type(func_node)), map_sym_tab)
+            infer_return_type(func_node)), map_sym_tab, structs_sym_tab)


 def infer_return_type(func_node: ast.FunctionDef):
@ -416,3 +542,51 @@ def infer_return_type(func_node: ast.FunctionDef):
                raise ValueError("Conflicting return types:"
                                 f"{found_type} vs {t}")
    return found_type or "None"
+
+# For string assignment to fixed-size arrays
+
+
+def assign_string_to_array(builder, target_array_ptr, source_string_ptr, array_length):
+    """
+    Copy a string (i8*) to a fixed-size array ([N x i8]*)
+    """
+    # Create a loop to copy characters one by one
+    entry_block = builder.block
+    copy_block = builder.append_basic_block("copy_char")
+    end_block = builder.append_basic_block("copy_end")
+
+    # Create loop counter
+    i = builder.alloca(ir.IntType(32))
+    builder.store(ir.Constant(ir.IntType(32), 0), i)
+
+    # Start the loop
+    builder.branch(copy_block)
+
+    # Copy loop
+    builder.position_at_end(copy_block)
+    idx = builder.load(i)
+    in_bounds = builder.icmp_unsigned(
+        '<', idx, ir.Constant(ir.IntType(32), array_length))
+    builder.cbranch(in_bounds, copy_block, end_block)
+
+    with builder.if_then(in_bounds):
+        # Load character from source
+        src_ptr = builder.gep(source_string_ptr, [idx])
+        char = builder.load(src_ptr)
+
+        # Store character in target
+        dst_ptr = builder.gep(
+            target_array_ptr, [ir.Constant(ir.IntType(32), 0), idx])
+        builder.store(char, dst_ptr)
+
+        # Increment counter
+        next_idx = builder.add(idx, ir.Constant(ir.IntType(32), 1))
+        builder.store(next_idx, i)
+
+    builder.position_at_end(end_block)
+
+    # Ensure null termination
+    last_idx = ir.Constant(ir.IntType(32), array_length - 1)
+    null_ptr = builder.gep(
+        target_array_ptr, [ir.Constant(ir.IntType(32), 0), last_idx])
+    builder.store(ir.Constant(ir.IntType(8), 0), null_ptr)
--- a/pythonbpf/helper/init.py
+++ b/pythonbpf/helper/init.py
@ -0,0 +1,2 @@
+from .helper_utils import HelperHandlerRegistry
+from .bpf_helper_handler import handle_helper_call
--- a/pythonbpf/helper/bpf_helper_handler.py
+++ b/pythonbpf/helper/bpf_helper_handler.py
@ -0,0 +1,535 @@
+import ast
+from llvmlite import ir
+from pythonbpf.expr_pass import eval_expr
+from enum import Enum
+from .helper_utils import HelperHandlerRegistry
+
+
+class BPFHelperID(Enum):
+    BPF_MAP_LOOKUP_ELEM = 1
+    BPF_MAP_UPDATE_ELEM = 2
+    BPF_MAP_DELETE_ELEM = 3
+    BPF_KTIME_GET_NS = 5
+    BPF_PRINTK = 6
+    BPF_GET_CURRENT_PID_TGID = 14
+    BPF_PERF_EVENT_OUTPUT = 25
+
+
+@HelperHandlerRegistry.register("ktime")
+def bpf_ktime_get_ns_emitter(call, map_ptr, module, builder, func,
+                             local_sym_tab=None, struct_sym_tab=None,
+                             local_var_metadata=None):
+    """
+    Emit LLVM IR for bpf_ktime_get_ns helper function call.
+    """
+    # func is an arg to just have a uniform signature with other emitters
+    helper_id = ir.Constant(ir.IntType(64), BPFHelperID.BPF_KTIME_GET_NS.value)
+    fn_type = ir.FunctionType(ir.IntType(64), [], var_arg=False)
+    fn_ptr_type = ir.PointerType(fn_type)
+    fn_ptr = builder.inttoptr(helper_id, fn_ptr_type)
+    result = builder.call(fn_ptr, [], tail=False)
+    return result, ir.IntType(64)
+
+
+@HelperHandlerRegistry.register("lookup")
+def bpf_map_lookup_elem_emitter(call, map_ptr, module, builder, func,
+                                local_sym_tab=None, struct_sym_tab=None,
+                                local_var_metadata=None):
+    """
+    Emit LLVM IR for bpf_map_lookup_elem helper function call.
+    """
+    if call.args and len(call.args) != 1:
+        raise ValueError("Map lookup expects exactly one argument, got "
+                         f"{len(call.args)}")
+    key_arg = call.args[0]
+    if isinstance(key_arg, ast.Name):
+        key_name = key_arg.id
+        if local_sym_tab and key_name in local_sym_tab:
+            key_ptr = local_sym_tab[key_name][0]
+        else:
+            raise ValueError(
+                f"Key variable {key_name} not found in local symbol table.")
+    elif isinstance(key_arg, ast.Constant) and isinstance(key_arg.value, int):
+        # handle constant integer keys
+        key_val = key_arg.value
+        key_type = ir.IntType(64)
+        key_ptr = builder.alloca(key_type)
+        key_ptr.align = key_type // 8
+        builder.store(ir.Constant(key_type, key_val), key_ptr)
+    else:
+        raise NotImplementedError(
+            "Only simple variable names are supported as keys in map lookup.")
+
+    if key_ptr is None:
+        raise ValueError("Key pointer is None.")
+
+    map_void_ptr = builder.bitcast(map_ptr, ir.PointerType())
+
+    fn_type = ir.FunctionType(
+        ir.PointerType(),  # Return type: void*
+        [ir.PointerType(), ir.PointerType()],  # Args: (void*, void*)
+        var_arg=False
+    )
+    fn_ptr_type = ir.PointerType(fn_type)
+
+    # Helper ID 1 is bpf_map_lookup_elem
+    fn_addr = ir.Constant(ir.IntType(
+        64), BPFHelperID.BPF_MAP_LOOKUP_ELEM.value)
+    fn_ptr = builder.inttoptr(fn_addr, fn_ptr_type)
+
+    result = builder.call(fn_ptr, [map_void_ptr, key_ptr], tail=False)
+
+    return result, ir.PointerType()
+
+
+@HelperHandlerRegistry.register("print")
+def bpf_printk_emitter(call, map_ptr, module, builder, func,
+                       local_sym_tab=None, struct_sym_tab=None,
+                       local_var_metadata=None):
+    if not hasattr(func, "_fmt_counter"):
+        func._fmt_counter = 0
+
+    if not call.args:
+        raise ValueError("print expects at least one argument")
+
+    if isinstance(call.args[0], ast.JoinedStr):
+        fmt_parts = []
+        exprs = []
+
+        for value in call.args[0].values:
+            print("Value in f-string:", ast.dump(value))
+            if isinstance(value, ast.Constant):
+                if isinstance(value.value, str):
+                    fmt_parts.append(value.value)
+                elif isinstance(value.value, int):
+                    fmt_parts.append("%lld")
+                    exprs.append(ir.Constant(ir.IntType(64), value.value))
+                else:
+                    raise NotImplementedError(
+                        "Only string and integer constants are supported in f-string.")
+            elif isinstance(value, ast.FormattedValue):
+                print("Formatted value:", ast.dump(value))
+                # TODO: Dirty handling here, only checks for int or str
+                if isinstance(value.value, ast.Name):
+                    if local_sym_tab and value.value.id in local_sym_tab:
+                        var_ptr, var_type = local_sym_tab[value.value.id]
+                        if isinstance(var_type, ir.IntType):
+                            fmt_parts.append("%lld")
+                            exprs.append(value.value)
+                        elif var_type == ir.PointerType(ir.IntType(8)):
+                            # Case with string
+                            fmt_parts.append("%s")
+                            exprs.append(value.value)
+                        else:
+                            raise NotImplementedError(
+                                "Only integer and pointer types are supported in formatted values.")
+                    else:
+                        raise ValueError(
+                            f"Variable {value.value.id} not found in local symbol table.")
+                elif isinstance(value.value, ast.Attribute):
+                    # object field access from struct
+                    if (isinstance(value.value.value, ast.Name) and
+                        local_sym_tab and
+                            value.value.value.id in local_sym_tab):
+                        var_name = value.value.value.id
+                        field_name = value.value.attr
+                        if local_var_metadata and var_name in local_var_metadata:
+                            var_type = local_var_metadata[var_name]
+                            if var_type in struct_sym_tab:
+                                struct_info = struct_sym_tab[var_type]
+                                if field_name in struct_info.fields:
+                                    field_type = struct_info.field_type(
+                                        field_name)
+                                    if isinstance(field_type, ir.IntType):
+                                        fmt_parts.append("%lld")
+                                        exprs.append(value.value)
+                                    elif field_type == ir.PointerType(ir.IntType(8)):
+                                        fmt_parts.append("%s")
+                                        exprs.append(value.value)
+                                    else:
+                                        raise NotImplementedError(
+                                            "Only integer and pointer types are supported in formatted values.")
+                                else:
+                                    raise ValueError(
+                                        f"Field {field_name} not found in struct {var_type}.")
+                            else:
+                                raise ValueError(
+                                    f"Struct type {var_type} for variable {var_name} not found in struct symbol table.")
+                        else:
+                            raise ValueError(
+                                f"Metadata for variable {var_name} not found in local variable metadata.")
+                    else:
+                        raise ValueError(
+                            f"Variable {value.value.value.id} not found in local symbol table.")
+                else:
+                    raise NotImplementedError(
+                        "Only simple variable names are supported in formatted values.")
+            else:
+                raise NotImplementedError(
+                    "Unsupported value type in f-string.")
+
+        fmt_str = "".join(fmt_parts) + "\n" + "\0"
+        fmt_name = f"{func.name}____fmt{func._fmt_counter}"
+        func._fmt_counter += 1
+
+        fmt_gvar = ir.GlobalVariable(
+            module, ir.ArrayType(ir.IntType(8), len(fmt_str)), name=fmt_name)
+        fmt_gvar.global_constant = True
+        fmt_gvar.initializer = ir.Constant(                 # type: ignore
+            ir.ArrayType(ir.IntType(8), len(fmt_str)),
+            bytearray(fmt_str.encode("utf8"))
+        )
+        fmt_gvar.linkage = "internal"
+        fmt_gvar.align = 1              # type: ignore
+
+        fmt_ptr = builder.bitcast(fmt_gvar, ir.PointerType())
+
+        args = [fmt_ptr, ir.Constant(ir.IntType(32), len(fmt_str))]
+
+        # Only 3 args supported in bpf_printk
+        if len(exprs) > 3:
+            print(
+                "Warning: bpf_printk supports up to 3 arguments, extra arguments will be ignored.")
+
+        for expr in exprs[:3]:
+            print(f"{ast.dump(expr)}")
+            val, _ = eval_expr(func, module, builder,
+                               expr, local_sym_tab, None, struct_sym_tab, local_var_metadata)
+            if val:
+                if isinstance(val.type, ir.PointerType):
+                    val = builder.ptrtoint(val, ir.IntType(64))
+                elif isinstance(val.type, ir.IntType):
+                    if val.type.width < 64:
+                        val = builder.sext(val, ir.IntType(64))
+                else:
+                    print(
+                        "Warning: Only integer and pointer types are supported in bpf_printk arguments. Others will be converted to 0.")
+                    val = ir.Constant(ir.IntType(64), 0)
+                args.append(val)
+            else:
+                print(
+                    "Warning: Failed to evaluate expression for bpf_printk argument. It will be converted to 0.")
+                args.append(ir.Constant(ir.IntType(64), 0))
+        fn_type = ir.FunctionType(ir.IntType(
+            64), [ir.PointerType(), ir.IntType(32)], var_arg=True)
+        fn_ptr_type = ir.PointerType(fn_type)
+        fn_addr = ir.Constant(ir.IntType(64), 6)
+        fn_ptr = builder.inttoptr(fn_addr, fn_ptr_type)
+        return builder.call(fn_ptr, args, tail=True)
+
+    for arg in call.args:
+        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
+            fmt_str = arg.value + "\n" + "\0"
+            fmt_name = f"{func.name}____fmt{func._fmt_counter}"
+            func._fmt_counter += 1
+
+            fmt_gvar = ir.GlobalVariable(
+                module, ir.ArrayType(ir.IntType(8), len(fmt_str)), name=fmt_name)
+            fmt_gvar.global_constant = True
+            fmt_gvar.initializer = ir.Constant(     # type: ignore
+                ir.ArrayType(ir.IntType(8), len(fmt_str)),
+                bytearray(fmt_str.encode("utf8"))
+            )
+            fmt_gvar.linkage = "internal"
+            fmt_gvar.align = 1      # type: ignore
+
+            fmt_ptr = builder.bitcast(fmt_gvar, ir.PointerType())
+
+            fn_type = ir.FunctionType(ir.IntType(
+                64), [ir.PointerType(), ir.IntType(32)], var_arg=True)
+            fn_ptr_type = ir.PointerType(fn_type)
+            fn_addr = ir.Constant(ir.IntType(64), BPFHelperID.BPF_PRINTK.value)
+            fn_ptr = builder.inttoptr(fn_addr, fn_ptr_type)
+
+            builder.call(fn_ptr, [fmt_ptr, ir.Constant(
+                ir.IntType(32), len(fmt_str))], tail=True)
+    return None
+
+
+@HelperHandlerRegistry.register("update")
+def bpf_map_update_elem_emitter(call, map_ptr, module, builder, func,
+                                local_sym_tab=None, struct_sym_tab=None,
+                                local_var_metadata=None):
+    """
+    Emit LLVM IR for bpf_map_update_elem helper function call.
+    Expected call signature: map.update(key, value, flags=0)
+    """
+    if (not call.args or
+        len(call.args) < 2 or
+            len(call.args) > 3):
+        raise ValueError("Map update expects 2 or 3 arguments (key, value, flags), got "
+                         f"{len(call.args)}")
+
+    key_arg = call.args[0]
+    value_arg = call.args[1]
+    flags_arg = call.args[2] if len(call.args) > 2 else None
+
+    # Handle key
+    if isinstance(key_arg, ast.Name):
+        key_name = key_arg.id
+        if local_sym_tab and key_name in local_sym_tab:
+            key_ptr = local_sym_tab[key_name][0]
+        else:
+            raise ValueError(
+                f"Key variable {key_name} not found in local symbol table.")
+    elif isinstance(key_arg, ast.Constant) and isinstance(key_arg.value, int):
+        # Handle constant integer keys
+        key_val = key_arg.value
+        key_type = ir.IntType(64)
+        key_ptr = builder.alloca(key_type)
+        key_ptr.align = key_type.width // 8
+        builder.store(ir.Constant(key_type, key_val), key_ptr)
+    else:
+        raise NotImplementedError(
+            "Only simple variable names and integer constants are supported as keys in map update.")
+
+    # Handle value
+    if isinstance(value_arg, ast.Name):
+        value_name = value_arg.id
+        if local_sym_tab and value_name in local_sym_tab:
+            value_ptr = local_sym_tab[value_name][0]
+        else:
+            raise ValueError(
+                f"Value variable {value_name} not found in local symbol table.")
+    elif isinstance(value_arg, ast.Constant) and isinstance(value_arg.value, int):
+        # Handle constant integers
+        value_val = value_arg.value
+        value_type = ir.IntType(64)
+        value_ptr = builder.alloca(value_type)
+        value_ptr.align = value_type.width // 8
+        builder.store(ir.Constant(value_type, value_val), value_ptr)
+    else:
+        raise NotImplementedError(
+            "Only simple variable names and integer constants are supported as values in map update.")
+
+    # Handle flags argument (defaults to 0)
+    if flags_arg is not None:
+        if isinstance(flags_arg, ast.Constant) and isinstance(flags_arg.value, int):
+            flags_val = flags_arg.value
+        elif isinstance(flags_arg, ast.Name):
+            flags_name = flags_arg.id
+            if local_sym_tab and flags_name in local_sym_tab:
+                # Assume it's a stored integer value, load it
+                flags_ptr = local_sym_tab[flags_name][0]
+                flags_val = builder.load(flags_ptr)
+            else:
+                raise ValueError(
+                    f"Flags variable {flags_name} not found in local symbol table.")
+        else:
+            raise NotImplementedError(
+                "Only integer constants and simple variable names are supported as flags in map update.")
+    else:
+        flags_val = 0
+
+    if key_ptr is None or value_ptr is None:
+        raise ValueError("Key pointer or value pointer is None.")
+
+    map_void_ptr = builder.bitcast(map_ptr, ir.PointerType())
+    fn_type = ir.FunctionType(
+        ir.IntType(64),
+        [ir.PointerType(), ir.PointerType(), ir.PointerType(), ir.IntType(64)],
+        var_arg=False
+    )
+    fn_ptr_type = ir.PointerType(fn_type)
+
+    # helper id
+    fn_addr = ir.Constant(ir.IntType(
+        64), BPFHelperID.BPF_MAP_UPDATE_ELEM.value)
+    fn_ptr = builder.inttoptr(fn_addr, fn_ptr_type)
+
+    if isinstance(flags_val, int):
+        flags_const = ir.Constant(ir.IntType(64), flags_val)
+    else:
+        flags_const = flags_val
+
+    result = builder.call(
+        fn_ptr, [map_void_ptr, key_ptr, value_ptr, flags_const], tail=False)
+
+    return result, None
+
+
+@HelperHandlerRegistry.register("delete")
+def bpf_map_delete_elem_emitter(call, map_ptr, module, builder, func,
+                                local_sym_tab=None, struct_sym_tab=None,
+                                local_var_metadata=None):
+    """
+    Emit LLVM IR for bpf_map_delete_elem helper function call.
+    Expected call signature: map.delete(key)
+    """
+    # Check for correct number of arguments
+    if not call.args or len(call.args) != 1:
+        raise ValueError("Map delete expects exactly 1 argument (key), got "
+                         f"{len(call.args)}")
+
+    key_arg = call.args[0]
+
+    # Handle key argument
+    if isinstance(key_arg, ast.Name):
+        key_name = key_arg.id
+        if local_sym_tab and key_name in local_sym_tab:
+            key_ptr = local_sym_tab[key_name][0]
+        else:
+            raise ValueError(
+                f"Key variable {key_name} not found in local symbol table.")
+    elif isinstance(key_arg, ast.Constant) and isinstance(key_arg.value, int):
+        # Handle constant integer keys
+        key_val = key_arg.value
+        key_type = ir.IntType(64)
+        key_ptr = builder.alloca(key_type)
+        key_ptr.align = key_type.width // 8
+        builder.store(ir.Constant(key_type, key_val), key_ptr)
+    else:
+        raise NotImplementedError(
+            "Only simple variable names and integer constants are supported as keys in map delete.")
+
+    if key_ptr is None:
+        raise ValueError("Key pointer is None.")
+
+    # Cast map pointer to void*
+    map_void_ptr = builder.bitcast(map_ptr, ir.PointerType())
+
+    # Define function type for bpf_map_delete_elem
+    fn_type = ir.FunctionType(
+        ir.IntType(64),  # Return type: int64 (status code)
+        [ir.PointerType(), ir.PointerType()],  # Args: (void*, void*)
+        var_arg=False
+    )
+    fn_ptr_type = ir.PointerType(fn_type)
+
+    # Helper ID 3 is bpf_map_delete_elem
+    fn_addr = ir.Constant(ir.IntType(
+        64), BPFHelperID.BPF_MAP_DELETE_ELEM.value)
+    fn_ptr = builder.inttoptr(fn_addr, fn_ptr_type)
+
+    # Call the helper function
+    result = builder.call(fn_ptr, [map_void_ptr, key_ptr], tail=False)
+
+    return result, None
+
+
+@HelperHandlerRegistry.register("pid")
+def bpf_get_current_pid_tgid_emitter(call, map_ptr, module, builder, func,
+                                     local_sym_tab=None, struct_sym_tab=None,
+                                     local_var_metadata=None):
+    """
+    Emit LLVM IR for bpf_get_current_pid_tgid helper function call.
+    """
+    # func is an arg to just have a uniform signature with other emitters
+    helper_id = ir.Constant(ir.IntType(
+        64), BPFHelperID.BPF_GET_CURRENT_PID_TGID.value)
+    fn_type = ir.FunctionType(ir.IntType(64), [], var_arg=False)
+    fn_ptr_type = ir.PointerType(fn_type)
+    fn_ptr = builder.inttoptr(helper_id, fn_ptr_type)
+    result = builder.call(fn_ptr, [], tail=False)
+
+    # Extract the lower 32 bits (PID) using bitwise AND with 0xFFFFFFFF
+    mask = ir.Constant(ir.IntType(64), 0xFFFFFFFF)
+    pid = builder.and_(result, mask)
+    return pid, ir.IntType(64)
+
+
+def bpf_perf_event_output_handler(call, map_ptr, module, builder, func,
+                                  local_sym_tab=None, struct_sym_tab=None,
+                                  local_var_metadata=None):
+    if len(call.args) != 1:
+        raise ValueError("Perf event output expects exactly one argument (data), got "
+                         f"{len(call.args)}")
+    data_arg = call.args[0]
+    ctx_ptr = func.args[0]  # First argument to the function is ctx
+
+    if isinstance(data_arg, ast.Name):
+        data_name = data_arg.id
+        if local_sym_tab and data_name in local_sym_tab:
+            data_ptr = local_sym_tab[data_name][0]
+        else:
+            raise ValueError(
+                f"Data variable {data_name} not found in local symbol table.")
+        # Check is data_name is a struct
+        if local_var_metadata and data_name in local_var_metadata:
+            data_type = local_var_metadata[data_name]
+            if data_type in struct_sym_tab:
+                struct_info = struct_sym_tab[data_type]
+                size_val = ir.Constant(ir.IntType(64), struct_info.size)
+            else:
+                raise ValueError(
+                    f"Struct type {data_type} for variable {data_name} not found in struct symbol table.")
+        else:
+            raise ValueError(
+                f"Metadata for variable {data_name} not found in local variable metadata.")
+
+        # BPF_F_CURRENT_CPU is -1 in 32 bit
+        flags_val = ir.Constant(ir.IntType(64), 0xFFFFFFFF)
+
+        map_void_ptr = builder.bitcast(map_ptr, ir.PointerType())
+        data_void_ptr = builder.bitcast(data_ptr, ir.PointerType())
+        fn_type = ir.FunctionType(
+            ir.IntType(64),
+            [ir.PointerType(ir.IntType(8)), ir.PointerType(), ir.IntType(64),
+             ir.PointerType(), ir.IntType(64)],
+            var_arg=False
+        )
+        fn_ptr_type = ir.PointerType(fn_type)
+
+        # helper id
+        fn_addr = ir.Constant(ir.IntType(
+            64), BPFHelperID.BPF_PERF_EVENT_OUTPUT.value)
+        fn_ptr = builder.inttoptr(fn_addr, fn_ptr_type)
+
+        result = builder.call(
+            fn_ptr, [ctx_ptr, map_void_ptr, flags_val, data_void_ptr, size_val], tail=False)
+        return result, None
+    else:
+        raise NotImplementedError(
+            "Only simple object names are supported as data in perf event output.")
+
+
+def handle_helper_call(call, module, builder, func,
+                       local_sym_tab=None, map_sym_tab=None,
+                       struct_sym_tab=None, local_var_metadata=None):
+    print(local_var_metadata)
+    if isinstance(call.func, ast.Name):
+        func_name = call.func.id
+        hdl_func = HelperHandlerRegistry.get_handler(func_name)
+        if hdl_func:
+            # it is not a map method call
+            return hdl_func(call, None, module, builder, func, local_sym_tab, struct_sym_tab, local_var_metadata)
+        else:
+            raise NotImplementedError(
+                f"Function {func_name} is not implemented as a helper function.")
+    elif isinstance(call.func, ast.Attribute):
+        # likely a map method call
+        if isinstance(call.func.value, ast.Call) and isinstance(call.func.value.func, ast.Name):
+            map_name = call.func.value.func.id
+            method_name = call.func.attr
+            if map_sym_tab and map_name in map_sym_tab:
+                map_ptr = map_sym_tab[map_name]
+                hdl_func = HelperHandlerRegistry.get_handler(method_name)
+                if hdl_func:
+                    print(local_var_metadata)
+                    return hdl_func(
+                        call, map_ptr, module, builder, func, local_sym_tab, struct_sym_tab, local_var_metadata)
+                else:
+                    raise NotImplementedError(
+                        f"Map method {method_name} is not implemented as a helper function.")
+            else:
+                raise ValueError(
+                    f"Map variable {map_name} not found in symbol tables.")
+        elif isinstance(call.func.value, ast.Name):
+            obj_name = call.func.value.id
+            method_name = call.func.attr
+            if map_sym_tab and obj_name in map_sym_tab:
+                map_ptr = map_sym_tab[obj_name]
+                hdl_func = HelperHandlerRegistry.get_handler(method_name)
+                if hdl_func:
+                    return hdl_func(
+                        call, map_ptr, module, builder, func, local_sym_tab, struct_sym_tab, local_var_metadata)
+                else:
+                    raise NotImplementedError(
+                        f"Map method {method_name} is not implemented as a helper function.")
+            else:
+                raise ValueError(
+                    f"Map variable {obj_name} not found in symbol tables.")
+        else:
+            raise NotImplementedError(
+                "Attribute not supported for map method calls.")
+    return None
--- a/pythonbpf/helper/helper_utils.py
+++ b/pythonbpf/helper/helper_utils.py
@ -0,0 +1,16 @@
+class HelperHandlerRegistry:
+    """Registry for BPF helpers"""
+    _handlers = {}
+
+    @classmethod
+    def register(cls, helper_name):
+        """Decorator to register a handler function for a helper"""
+        def decorator(func):
+            cls._handlers[helper_name] = func
+            return func
+        return decorator
+
+    @classmethod
+    def get_handler(cls, helper_name):
+        """Get the handler function for a helper"""
+        return cls._handlers.get(helper_name)
--- a/pythonbpf/helpers.py
+++ b/pythonbpf/helpers.py
@ -1,5 +1,15 @@
 import ctypes

-
 def ktime():
    return ctypes.c_int64(0)
+
+def pid():
+    return ctypes.c_int32(0)
+
+def deref(ptr):
+    "dereference a pointer"
+    result = ctypes.cast(ptr, ctypes.POINTER(ctypes.c_void_p)).contents.value
+    return result if result is not None else 0
+
+XDP_DROP = ctypes.c_int64(1)
+XDP_PASS = ctypes.c_int64(2)
--- a/pythonbpf/maps/init.py
+++ b/pythonbpf/maps/init.py
@ -0,0 +1,2 @@
+from .maps import HashMap, PerfEventArray
+from .maps_pass import maps_proc
--- a/pythonbpf/maps/maps.py
+++ b/pythonbpf/maps/maps.py
@ -1,7 +1,7 @@
 class HashMap:
-    def __init__(self, key_type, value_type, max_entries):
-        self.key_type = key_type
-        self.value_type = value_type
+    def __init__(self, key, value, max_entries):
+        self.key = key
+        self.value = value
        self.max_entries = max_entries
        self.entries = {}

@ -10,16 +10,26 @@ class HashMap:
            return self.entries[key]
        else:
            return None
-            
+
    def delete(self, key):
        if key in self.entries:
            del self.entries[key]
        else:
            raise KeyError(f"Key {key} not found in map")
-    
+
    # TODO: define the flags that can be added
    def update(self, key, value, flags=None):
        if key in self.entries:
            self.entries[key] = value
        else:
            raise KeyError(f"Key {key} not found in map")
+
+
+class PerfEventArray:
+    def __init__(self, key_size, value_size):
+        self.key_type = key_size
+        self.value_type = value_size
+        self.entries = {}
+
+    def output(self, data):
+        pass  # Placeholder for output method
--- a/pythonbpf/maps/maps_pass.py
+++ b/pythonbpf/maps/maps_pass.py
@ -0,0 +1,183 @@
+import ast
+from llvmlite import ir
+from enum import Enum
+from .maps_utils import MapProcessorRegistry
+from ..debuginfo import dwarf_constants as dc, DebugInfoGenerator
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+def maps_proc(tree, module, chunks):
+    """ Process all functions decorated with @map to find BPF maps """
+    map_sym_tab = {}
+    for func_node in chunks:
+        if is_map(func_node):
+            print(f"Found BPF map: {func_node.name}")
+            map_sym_tab[func_node.name] = process_bpf_map(func_node, module)
+    return map_sym_tab
+
+
+def is_map(func_node):
+    return any(
+        isinstance(decorator, ast.Name) and decorator.id == "map"
+        for decorator in func_node.decorator_list
+    )
+
+
+class BPFMapType(Enum):
+    HASH = 1
+    PERF_EVENT_ARRAY = 4
+
+
+def create_bpf_map(module, map_name, map_params):
+    """Create a BPF map in the module with given parameters and debug info"""
+
+    # Create the anonymous struct type for BPF map
+    map_struct_type = ir.LiteralStructType(
+        [ir.PointerType() for _ in range(len(map_params))])
+
+    # Create the global variable
+    map_global = ir.GlobalVariable(module, map_struct_type, name=map_name)
+    map_global.linkage = 'dso_local'
+    map_global.global_constant = False
+    map_global.initializer = ir.Constant(
+        map_struct_type, None)
+    map_global.section = ".maps"
+    map_global.align = 8
+
+    # Generate debug info for BTF
+    create_map_debug_info(module, map_global, map_name, map_params)
+
+    logger.info(f"Created BPF map: {map_name} with params {map_params}")
+    return map_global
+
+
+def create_map_debug_info(module, map_global, map_name, map_params):
+    """Generate debug information metadata for BPF map"""
+    generator = DebugInfoGenerator(module)
+
+    uint_type = generator.get_uint32_type()
+    ulong_type = generator.get_uint64_type()
+    array_type = generator.create_array_type(uint_type, map_params.get("type", BPFMapType.HASH).value)
+    type_ptr = generator.create_pointer_type(array_type, 64)
+    key_ptr = generator.create_pointer_type(array_type if "key_size" in map_params else ulong_type, 64)
+    value_ptr = generator.create_pointer_type(array_type if "value_size" in map_params else ulong_type, 64)
+
+
+    elements_arr = []
+
+    # Create struct members
+    # scope field does not appear for some reason
+    cnt = 0
+    for elem in map_params:
+        if elem == "max_entries":
+            continue
+        if elem == "type":
+            ptr = type_ptr
+        elif "key" in elem:
+            ptr = key_ptr
+        else:
+            ptr = value_ptr
+        # TODO: the best way to do this is not 64, but get the size each time. this will not work for structs.
+        member = generator.create_struct_member(elem, ptr, cnt * 64)
+        elements_arr.append(member)
+        cnt += 1
+
+    if "max_entries" in map_params:
+        max_entries_array = generator.create_array_type(uint_type, map_params["max_entries"])
+        max_entries_ptr = generator.create_pointer_type(max_entries_array, 64)
+        max_entries_member = generator.create_struct_member("max_entries", max_entries_ptr, cnt * 64)
+        elements_arr.append(max_entries_member)
+
+    # Create the struct type
+    struct_type = generator.create_struct_type(elements_arr, 64 * len(elements_arr), is_distinct=True)
+
+    # Create global variable debug info
+    global_var = generator.create_global_var_debug_info(map_name, struct_type, is_local=False)
+
+    # Attach debug info to the global variable
+    map_global.set_metadata("dbg", global_var)
+
+    return global_var
+
+
+@MapProcessorRegistry.register("HashMap")
+def process_hash_map(map_name, rval, module):
+    """Process a BPF_HASH map declaration"""
+    logger.info(f"Processing HashMap: {map_name}")
+    map_params = {"type": BPFMapType.HASH}
+
+    # Assuming order: key_type, value_type, max_entries
+    if len(rval.args) >= 1 and isinstance(rval.args[0], ast.Name):
+        map_params["key"] = rval.args[0].id
+    if len(rval.args) >= 2 and isinstance(rval.args[1], ast.Name):
+        map_params["value"] = rval.args[1].id
+    if len(rval.args) >= 3 and isinstance(rval.args[2], ast.Constant):
+        const_val = rval.args[2].value
+        if isinstance(const_val, (int, str)):  # safe check
+            map_params["max_entries"] = const_val
+
+    for keyword in rval.keywords:
+        if keyword.arg == "key" and isinstance(keyword.value, ast.Name):
+            map_params["key"] = keyword.value.id
+        elif keyword.arg == "value" and isinstance(keyword.value, ast.Name):
+            map_params["value"] = keyword.value.id
+        elif (keyword.arg == "max_entries" and
+              isinstance(keyword.value, ast.Constant)):
+            const_val = keyword.value.value
+            if isinstance(const_val, (int, str)):
+                map_params["max_entries"] = const_val
+
+    logger.info(f"Map parameters: {map_params}")
+    return create_bpf_map(module, map_name, map_params)
+
+
+@MapProcessorRegistry.register("PerfEventArray")
+def process_perf_event_map(map_name, rval, module):
+    """Process a BPF_PERF_EVENT_ARRAY map declaration"""
+    logger.info(f"Processing PerfEventArray: {map_name}")
+    map_params = {"type": BPFMapType.PERF_EVENT_ARRAY}
+
+    if len(rval.args) >= 1 and isinstance(rval.args[0], ast.Name):
+        map_params["key_size"] = rval.args[0].id
+    if len(rval.args) >= 2 and isinstance(rval.args[1], ast.Name):
+        map_params["value_size"] = rval.args[1].id
+
+    for keyword in rval.keywords:
+        if keyword.arg == "key_size" and isinstance(keyword.value, ast.Name):
+            map_params["key_size"] = keyword.value.id
+        elif (keyword.arg == "value_size" and
+              isinstance(keyword.value, ast.Name)):
+            map_params["value_size"] = keyword.value.id
+
+    logger.info(f"Map parameters: {map_params}")
+    return create_bpf_map(module, map_name, map_params)
+
+
+def process_bpf_map(func_node, module):
+    """Process a BPF map (a function decorated with @map)"""
+    map_name = func_node.name
+    logger.info(f"Processing BPF map: {map_name}")
+
+    # For now, assume single return statement
+    return_stmt = None
+    for stmt in func_node.body:
+        if isinstance(stmt, ast.Return):
+            return_stmt = stmt
+            break
+    if return_stmt is None:
+        raise ValueError("BPF map must have a return statement")
+
+    rval = return_stmt.value
+
+    if isinstance(rval, ast.Call) and isinstance(rval.func, ast.Name):
+        handler = MapProcessorRegistry.get_processor(rval.func.id)
+        if handler:
+            return handler(map_name, rval, module)
+        else:
+            logger.warning(f"Unknown map type "
+                           f"{rval.func.id}, defaulting to HashMap")
+            return process_hash_map(map_name, rval, module)
+    else:
+        raise ValueError("Function under @map must return a map")
--- a/pythonbpf/maps/maps_utils.py
+++ b/pythonbpf/maps/maps_utils.py
@ -0,0 +1,16 @@
+class MapProcessorRegistry:
+    """Registry for map processor functions"""
+    _processors = {}
+
+    @classmethod
+    def register(cls, map_type_name):
+        """Decorator to register a processor function for a map type"""
+        def decorator(func):
+            cls._processors[map_type_name] = func
+            return func
+        return decorator
+
+    @classmethod
+    def get_processor(cls, map_type_name):
+        """Get the processor function for a map type"""
+        return cls._processors.get(map_type_name)
--- a/pythonbpf/maps_pass.py
+++ b/pythonbpf/maps_pass.py
@ -1,227 +0,0 @@
-import ast
-from llvmlite import ir
-from .type_deducer import ctypes_to_ir
-from . import dwarf_constants as dc
-
-map_sym_tab = {}
-
-
-def maps_proc(tree, module, chunks):
-    for func_node in chunks:
-        # Check if this function is a map
-        is_map = False
-        for decorator in func_node.decorator_list:
-            if isinstance(decorator, ast.Name) and decorator.id == "map":
-                is_map = True
-                break
-        if is_map:
-            print(f"Found BPF map: {func_node.name}")
-            process_bpf_map(func_node, module)
-            continue
-    return map_sym_tab
-
-
-def create_bpf_map(module, map_name, map_params):
-    """Create a BPF map in the module with the given parameters and debug info"""
-
-    # Create the anonymous struct type for BPF map
-    map_struct_type = ir.LiteralStructType([
-        ir.PointerType(),
-        ir.PointerType(),
-        ir.PointerType(),
-        ir.PointerType()
-    ])
-
-    # Create the global variable
-    map_global = ir.GlobalVariable(module, map_struct_type, name=map_name)
-    map_global.linkage = 'dso_local'
-    map_global.global_constant = False
-    map_global.initializer = ir.Constant(map_struct_type, None)     # type: ignore
-    map_global.section = ".maps"
-    map_global.align = 8        # type: ignore
-
-    # Generate debug info for BTF
-    create_map_debug_info(module, map_global, map_name, map_params)
-
-    print(f"Created BPF map: {map_name}")
-    map_sym_tab[map_name] = map_global
-    return map_global
-
-def create_map_debug_info(module, map_global, map_name, map_params):
-    """Generate debug information metadata for BPF map"""
-    file_metadata = module._file_metadata
-    compile_unit = module._debug_compile_unit
-
-    # Create basic type for unsigned int (32-bit)
-    uint_type = module.add_debug_info("DIBasicType", {
-        "name": "unsigned int",
-        "size": 32,
-        "encoding": dc.DW_ATE_unsigned
-    })
-
-    # Create basic type for unsigned long long (64-bit)
-    ulong_type = module.add_debug_info("DIBasicType", {
-        "name": "unsigned long long",
-        "size": 64,
-        "encoding": dc.DW_ATE_unsigned
-    })
-
-    # Create array type for map type field (array of 1 unsigned int)
-    array_subrange = module.add_debug_info("DISubrange", {"count": 1})
-    array_type = module.add_debug_info("DICompositeType", {
-        "tag": dc.DW_TAG_array_type,
-        "baseType": uint_type,
-        "size": 32,
-        "elements": [array_subrange]
-    })
-    
-    array_subrange_max_entries = module.add_debug_info("DISubrange", {"count": map_params["max_entries"]})
-    array_type_max_entries = module.add_debug_info("DICompositeType", {
-        "tag": dc.DW_TAG_array_type,
-        "baseType": uint_type,
-        "size": 32,
-        "elements": [array_subrange_max_entries]
-    })
-
-    # Create pointer types
-    type_ptr = module.add_debug_info("DIDerivedType", {
-        "tag": dc.DW_TAG_pointer_type,
-        "baseType": array_type,
-        "size": 64
-    })
-
-    max_entries_ptr = module.add_debug_info("DIDerivedType", {
-        "tag": dc.DW_TAG_pointer_type,
-        "baseType": array_type_max_entries,
-        "size": 64
-    })
-
-    key_ptr = module.add_debug_info("DIDerivedType", {
-        "tag": dc.DW_TAG_pointer_type,
-        "baseType": uint_type,  # Adjust based on actual key type
-        "size": 64
-    })
-
-    value_ptr = module.add_debug_info("DIDerivedType", {
-        "tag": dc.DW_TAG_pointer_type,
-        "baseType": ulong_type,  # Adjust based on actual value type
-        "size": 64
-    })
-
-    # Create struct members
-    # scope field does not appear for some reason
-    type_member = module.add_debug_info("DIDerivedType", {
-        "tag": dc.DW_TAG_member,
-        "name": "type",
-        "file": file_metadata,
-        "baseType": type_ptr,
-        "size": 64,
-        "offset": 0
-    })
-
-    max_entries_member = module.add_debug_info("DIDerivedType", {
-        "tag": dc.DW_TAG_member,
-        "name": "max_entries",
-        "file": file_metadata,
-        "baseType": max_entries_ptr,
-        "size": 64,
-        "offset": 64
-    })
-
-    key_member = module.add_debug_info("DIDerivedType", {
-        "tag": dc.DW_TAG_member,
-        "name": "key",
-        "file": file_metadata,
-        "baseType": key_ptr,
-        "size": 64,
-        "offset": 128
-    })
-
-    value_member = module.add_debug_info("DIDerivedType", {
-        "tag": dc.DW_TAG_member,
-        "name": "value",
-        "file": file_metadata,
-        "baseType": value_ptr,
-        "size": 64,
-        "offset": 192
-    })
-
-    # Create the struct type
-    struct_type = module.add_debug_info("DICompositeType", {
-        "tag": dc.DW_TAG_structure_type,
-        "file": file_metadata,
-        "size": 256,  # 4 * 64-bit pointers
-        "elements": [type_member, max_entries_member, key_member, value_member]
-    }, is_distinct=True)
-
-    # Create global variable debug info
-    global_var = module.add_debug_info("DIGlobalVariable", {
-        "name": map_name,
-        "scope": compile_unit,
-        "file": file_metadata,
-        "type": struct_type,
-        "isLocal": False,
-        "isDefinition": True
-    }, is_distinct=True)
-
-    # Create global variable expression
-    global_var_expr = module.add_debug_info("DIGlobalVariableExpression", {
-        "var": global_var,
-        "expr": module.add_debug_info("DIExpression", {})
-    })
-
-    # Attach debug info to the global variable
-    map_global.set_metadata("dbg", global_var_expr)
-
-    return global_var_expr
-
-
-def process_hash_map(map_name, rval, module):
-    print(f"Creating HashMap map: {map_name}")
-    map_params: dict[str, object] = {"map_type": "HASH"}
-
-    # Assuming order: key_type, value_type, max_entries
-    if len(rval.args) >= 1 and isinstance(rval.args[0], ast.Name):
-        map_params["key_type"] = rval.args[0].id
-    if len(rval.args) >= 2 and isinstance(rval.args[1], ast.Name):
-        map_params["value_type"] = rval.args[1].id
-    if len(rval.args) >= 3 and isinstance(rval.args[2], ast.Constant):
-        const_val = rval.args[2].value
-        if isinstance(const_val, (int, str)):  # safe check
-            map_params["max_entries"] = const_val
-
-    for keyword in rval.keywords:
-        if keyword.arg == "key_type" and isinstance(keyword.value, ast.Name):
-            map_params["key_type"] = keyword.value.id
-        elif keyword.arg == "value_type" and isinstance(keyword.value, ast.Name):
-            map_params["value_type"] = keyword.value.id
-        elif keyword.arg == "max_entries" and isinstance(keyword.value, ast.Constant):
-            const_val = keyword.value.value
-            if isinstance(const_val, (int, str)):
-                map_params["max_entries"] = const_val
-
-    print(f"Map parameters: {map_params}")
-    return create_bpf_map(module, map_name, map_params)
-
-
-def process_bpf_map(func_node, module):
-    """Process a BPF map (a function decorated with @map)"""
-    map_name = func_node.name
-    print(f"Processing BPF map: {map_name}")
-
-    # For now, assume single return statement
-    return_stmt = None
-    for stmt in func_node.body:
-        if isinstance(stmt, ast.Return):
-            return_stmt = stmt
-            break
-    if return_stmt is None:
-        raise ValueError("BPF map must have a return statement")
-
-    rval = return_stmt.value
-
-    # Handle only HashMap maps
-    if isinstance(rval, ast.Call) and isinstance(rval.func, ast.Name) and rval.func.id == "HashMap":
-        process_hash_map(map_name, rval, module)
-    else:
-        raise ValueError("Function under @map must return a map")
--- a/pythonbpf/structs/init.py
+++ b/pythonbpf/structs/init.py
@ -0,0 +1 @@
+from .structs_pass import structs_proc
--- a/pythonbpf/structs/struct_type.py
+++ b/pythonbpf/structs/struct_type.py
@ -0,0 +1,31 @@
+from llvmlite import ir
+
+
+class StructType:
+    def __init__(self, ir_type, fields, size):
+        self.ir_type = ir_type
+        self.fields = fields
+        self.size = size
+
+    def field_idx(self, field_name):
+        return list(self.fields.keys()).index(field_name)
+
+    def field_type(self, field_name):
+        return self.fields[field_name]
+
+    def gep(self, builder, ptr, field_name):
+        idx = self.field_idx(field_name)
+        return builder.gep(ptr, [ir.Constant(ir.IntType(32), 0),
+                                 ir.Constant(ir.IntType(32), idx)],
+                           inbounds=True)
+
+    def field_size(self, field_name):
+        fld = self.fields[field_name]
+        if isinstance(fld, ir.ArrayType):
+            return fld.count * (fld.element.width // 8)
+        elif isinstance(fld, ir.IntType):
+            return fld.width // 8
+        elif isinstance(fld, ir.PointerType):
+            return 8
+
+        raise TypeError(f"Unsupported field type: {fld}")
--- a/pythonbpf/structs/structs_pass.py
+++ b/pythonbpf/structs/structs_pass.py
@ -0,0 +1,97 @@
+import ast
+import logging
+from llvmlite import ir
+from pythonbpf.type_deducer import ctypes_to_ir
+from .struct_type import StructType
+
+logger = logging.getLogger(__name__)
+
+# TODO: Shall we allow the following syntax:
+# struct MyStruct:
+#     field1: int
+#     field2: str(32)
+# Where int is mapped to c_uint64?
+# Shall we just int64, int32 and uint32 similarly?
+
+
+def structs_proc(tree, module, chunks):
+    """ Process all class definitions to find BPF structs """
+    structs_sym_tab = {}
+    for cls_node in chunks:
+        if is_bpf_struct(cls_node):
+            print(f"Found BPF struct: {cls_node.name}")
+            struct_info = process_bpf_struct(cls_node, module)
+            structs_sym_tab[cls_node.name] = struct_info
+    return structs_sym_tab
+
+
+def is_bpf_struct(cls_node):
+    return any(
+        isinstance(decorator, ast.Name) and decorator.id == "struct"
+        for decorator in cls_node.decorator_list
+    )
+
+
+def process_bpf_struct(cls_node, module):
+    """ Process a single BPF struct definition """
+
+    fields = parse_struct_fields(cls_node)
+    field_types = list(fields.values())
+    total_size = calc_struct_size(field_types)
+    struct_type = ir.LiteralStructType(field_types)
+    logger.info(f"Created struct {cls_node.name} with fields {fields.keys()}")
+    return StructType(struct_type, fields, total_size)
+
+
+def parse_struct_fields(cls_node):
+    """ Parse fields of a struct class node """
+    fields = {}
+
+    for item in cls_node.body:
+        if isinstance(item, ast.AnnAssign) and \
+           isinstance(item.target, ast.Name):
+            fields[item.target.id] = get_type_from_ann(item.annotation)
+        else:
+            logger.error(f"Unsupported struct field: {ast.dump(item)}")
+            raise TypeError(f"Unsupported field in {ast.dump(cls_node)}")
+    return fields
+
+
+def get_type_from_ann(annotation):
+    """ Convert an AST annotation node to an LLVM IR type for struct fields"""
+    if isinstance(annotation, ast.Call) and \
+       isinstance(annotation.func, ast.Name):
+        if annotation.func.id == "str":
+            # Char array
+            # Assumes constant integer argument
+            length = annotation.args[0].value
+            return ir.ArrayType(ir.IntType(8), length)
+    elif isinstance(annotation, ast.Name):
+        # Int type, written as c_int64, c_uint32, etc.
+        return ctypes_to_ir(annotation.id)
+
+    raise TypeError(f"Unsupported annotation type: {ast.dump(annotation)}")
+
+
+def calc_struct_size(field_types):
+    """ Calculate total size of the struct with alignment and padding """
+    curr_offset = 0
+    for ftype in field_types:
+        if isinstance(ftype, ir.IntType):
+            fsize = ftype.width // 8
+            alignment = fsize
+        elif isinstance(ftype, ir.ArrayType):
+            fsize = ftype.count * (ftype.element.width // 8)
+            alignment = ftype.element.width // 8
+        elif isinstance(ftype, ir.PointerType):
+            # We won't encounter this rn, but for the future
+            fsize = 8
+            alignment = 8
+        else:
+            raise TypeError(f"Unsupported field type: {ftype}")
+
+        padding = (alignment - (curr_offset % alignment)) % alignment
+        curr_offset += padding + fsize
+
+    final_padding = (8 - (curr_offset % 8)) % 8
+    return curr_offset + final_padding
--- a/pythonbpf/trace.py
+++ b/pythonbpf/trace.py
@ -1,54 +0,0 @@
-class TraceEvent:
-    def __init__(self, timestamp, comm, pid, cpu, flags, message):
-        """Represents a parsed trace pipe event"""
-        self.timestamp = timestamp  # float: timestamp in seconds
-        self.comm = comm            # str: command name
-        self.pid = pid              # int: process ID
-        self.cpu = cpu              # int: CPU number
-        self.flags = flags          # str: trace flags
-        self.message = message      # str: the actual message
-
-    def __iter__(self):
-        """Allow unpacking like the original BCC tuple"""
-        yield self.comm
-        yield self.pid
-        yield self.cpu
-        yield self.flags
-        yield self.timestamp
-        yield self.message
-
-
-class TraceReader:
-    def __init__(self, trace_pipe_path="/sys/kernel/debug/tracing/trace_pipe"):
-        self.trace_pipe_path = trace_pipe_path
-        self.file = None
-
-    def __enter__(self):
-        self.file = open(self.trace_pipe_path, "r")
-        return self
-
-    def __exit__(self, exc_type, exc_val, exc_tb):
-        if self.file:
-            self.file.close()
-
-    def __iter__(self):
-        while True:
-            event = self.trace_fields()
-            if event:
-                yield event
-
-    def trace_fields(self):
-        """Read and parse one line from the trace pipe"""
-        if not self.file:
-            self.file = open(self.trace_pipe_path, "r")
-        line = self.file.readline()
-        if not line:
-            return None
-        # Parse the line into components (simplified)
-        # Real implementation would need more robust parsing
-        parts = self._parse_trace_line(line)
-        return TraceEvent(*parts)
-
-    def _parse_trace_line(self, line):
-        # TODO: Implement
-        pass
--- a/examples/c-form/Makefile
+++ b/examples/c-form/Makefile
--- a/tests/c-form/ex2.bpf.c
+++ b/tests/c-form/ex2.bpf.c
@ -0,0 +1,12 @@
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#define u64 unsigned long long
+#define u32 unsigned int
+
+SEC("xdp")
+int hello(struct xdp_md *ctx) {
+    bpf_printk("Hello, World!\n");
+    return XDP_PASS;
+}
+
+char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/ex3-2.bpf.c
+++ b/examples/c-form/ex3-2.bpf.c
--- a/examples/c-form/ex3.bpf.c
+++ b/examples/c-form/ex3.bpf.c
--- a/examples/c-form/ex4.bpf.c
+++ b/examples/c-form/ex4.bpf.c
--- a/tests/c-form/ex5.bpf.c
+++ b/tests/c-form/ex5.bpf.c
@ -0,0 +1,25 @@
+#define __TARGET_ARCH_arm64
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+// Map: key = struct request*, value = u64 timestamp
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, struct request *);
+    __type(value, u64);
+    __uint(max_entries, 1024);
+} start SEC(".maps");
+
+// Attach to kprobe for blk_start_request
+SEC("kprobe/blk_start_request")
+int BPF_KPROBE(trace_start, struct request *req)
+{
+    u64 ts = bpf_ktime_get_ns();
+    bpf_map_update_elem(&start, &req, &ts, BPF_ANY);
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";
--- a/tests/c-form/ex6.bpf.c
+++ b/tests/c-form/ex6.bpf.c
@ -0,0 +1,43 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+
+#define TASK_COMM_LEN 16
+
+// Define output data structure
+struct data_t {
+    __u32 pid;
+    __u64 ts;
+//    char comm[TASK_COMM_LEN];
+};
+
+// Define a perf event output map
+struct {
+    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+    __uint(key_size, sizeof(__u32));
+    __uint(value_size, sizeof(__u32));
+} events SEC(".maps");
+
+SEC("tracepoint/syscalls/sys_enter_clone")
+int hello(struct pt_regs *ctx)
+{
+    struct data_t data = {};
+    
+    // Get PID (lower 32 bits of the 64-bit value returned)
+    data.pid = bpf_get_current_pid_tgid() & 0xFFFFFFFF;
+    
+    // Get timestamp
+    data.ts = bpf_ktime_get_ns();
+    
+    // Get current process name
+//    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+    
+    // Submit data to userspace via perf event
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, 
+                         &data, sizeof(data));
+    
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";
--- a/tests/c-form/ex7.bpf.c
+++ b/tests/c-form/ex7.bpf.c
@ -0,0 +1,47 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+struct trace_entry {
+  short unsigned int type;
+  unsigned char flags;
+  unsigned char preempt_count;
+  int pid;
+};
+
+struct trace_event_raw_sys_enter {
+  struct trace_entry ent;
+  long int id;
+  long unsigned int args[6];
+  char __data[0];
+};
+
+struct event {
+  __u32 pid;
+  __u32 uid;
+  __u64 ts;
+};
+
+struct {
+  __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+  __uint(key_size, sizeof(int));
+  __uint(value_size, sizeof(int));
+} events SEC(".maps");
+
+SEC("tp/syscalls/sys_enter_setuid")
+int handle_setuid_entry(struct trace_event_raw_sys_enter *ctx) {
+  struct event data = {};
+
+  // Extract UID from the syscall arguments
+  data.uid = (unsigned int)ctx->args[0];
+  data.ts = bpf_ktime_get_ns();
+  data.pid = bpf_get_current_pid_tgid() >> 32;
+
+  bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
+
+  return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";
--- a/tests/c-form/ex8.bpf.c
+++ b/tests/c-form/ex8.bpf.c
@ -0,0 +1,47 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <linux/blkdev.h>
+#define __TARGET_ARCH_aarch64 
+#define u64 unsigned long long
+
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __uint(max_entries, 10240);
+    __type(key, struct request *);
+    __type(value, u64);
+} start SEC(".maps");
+
+SEC("kprobe/blk_start_request")
+int BPF_KPROBE(trace_start_req, struct request *req)
+{
+    u64 ts = bpf_ktime_get_ns();
+    bpf_map_update_elem(&start, &req, &ts, BPF_ANY);
+    return 0;
+}
+
+SEC("kprobe/blk_mq_start_request")
+int BPF_KPROBE(trace_start_mq, struct request *req)
+{
+    u64 ts = bpf_ktime_get_ns();
+    bpf_map_update_elem(&start, &req, &ts, BPF_ANY);
+    return 0;
+}
+
+SEC("kprobe/blk_account_io_completion")
+int BPF_KPROBE(trace_completion, struct request *req)
+{
+    u64 *tsp, delta;
+    
+    tsp = bpf_map_lookup_elem(&start, &req);
+    if (tsp) {
+        delta = bpf_ktime_get_ns() - *tsp;
+        bpf_printk("%d %x %d\n", req->__data_len, 
+                  req->cmd_flags, delta / 1000);
+        bpf_map_delete_elem(&start, &req);
+    }
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/example.bpf.c
+++ b/examples/c-form/example.bpf.c
--- a/tests/c-form/vmlinux.h
+++ b/tests/c-form/vmlinux.h
--- a/examples/check.sh
+++ b/examples/check.sh
@ -22,11 +22,23 @@ case "$1" in
        sudo rm -f "$PIN_PATH"
        echo "[+] Stopped"
        ;;
+    xdp)
+        echo "[*] Loading and running $FILE"
+        sudo bpftool net detach xdp dev $3
+        sudo bpftool prog load "$FILE" "$PIN_PATH" type xdp
+        sudo bpftool net attach xdp pinned "$PIN_PATH" dev $3
+        echo "[+] Program loaded. Press Ctrl+C to stop"
+        sudo cat /sys/kernel/debug/tracing/trace_pipe
+        sudo bpftool net detach xdp dev $3
+        sudo rm -rf "$PIN_PATH"
+        echo "[+] Stopped"
+        ;;
    *)
        echo "Usage: $0 <check|run|stop> <file.o>"
        echo "Examples:"
        echo "  $0 check program.bpf.o"
        echo "  $0 run program.bpf.o"
+        echo "  $0 xdp program.bpf.o wlp6s0"
        echo "  $0 stop"
        exit 1
        ;;
--- a/tools/compile.py
+++ b/tools/compile.py
@ -1,20 +0,0 @@
-#!/usr/bin/env python3
-import argparse, subprocess, os
-from pythonbpf import codegen
-
-def main():
-    parser = argparse.ArgumentParser()
-    parser.add_argument("source", help="Python BPF program")
-    args = parser.parse_args()
-
-    ll_file = os.path.splitext(args.source)[0] + ".ll"
-    o_file = os.path.splitext(args.source)[0] + ".o"
-
-    print(f"[+] Compiling {args.source} → {ll_file}")
-    codegen.compile_to_ir(args.source, ll_file)
-
-    print("[+] Running llc -march=bpf")
-    subprocess.run(["llc", "-march=bpf", "-filetype=obj", "-O2", ll_file, "-o", o_file], check=True)
-
-if __name__ == "__main__":
-    main()
Author	SHA1	Message	Date
Pragyansh Chaturvedi	168ab29be3	Format function definitions in bpf_helper_handler	2025-10-01 04:04:32 +05:30
Pragyansh Chaturvedi	61f6743f0a	Use HelperHandleRegitry	2025-10-01 03:53:11 +05:30
Pragyansh Chaturvedi	6cd07498fe	Create HelperProcessorRegistry	2025-10-01 03:07:36 +05:30
Pragyansh Chaturvedi	7e45864552	Move helper scripts to a new dir, make temp fixes to allow this	2025-09-30 23:57:31 +05:30
Pragyansh Chaturvedi	fa2ff0a242	Use BPFHelperID Enums in bpf_helper_handler	2025-09-30 23:51:05 +05:30
Pragyansh Chaturvedi	c1466a5bca	Add BPFHelperID enum to bpf_helper_handler	2025-09-30 23:43:29 +05:30
Pragyansh Chaturvedi	44b95b69ca	Add __init__.py under structs/, fix imports	2025-09-30 23:26:18 +05:30
varun-r-mallya	0e1cbb30b7	attribute out vmlinux	2025-09-30 21:10:20 +05:30
varunrmallya	f489129949	Merge pull request #9 from pythonbpf/refactor Cleanup and rename examples	2025-09-30 21:07:06 +05:30
varun-r-mallya	0d0a318e46	cleanup and rename	2025-09-30 21:05:07 +05:30
varun-r-mallya	18811933bf	cleanup stray files and add return paths	2025-09-30 20:52:41 +05:30
varunrmallya	912d0c8eac	Merge pull request #8 from pythonbpf/refactor Add dwarf module	2025-09-30 20:39:48 +05:30
varun-r-mallya	b88888fc68	Add DebugInfoGenerator functions instead of obscene looking debug information directly	2025-09-30 20:37:02 +05:30
varun-r-mallya	e80486975f	Add DebugInfoGenerator class	2025-09-30 20:31:00 +05:30
varun-r-mallya	63944c5f93	add todo for global addition to debug compile unit.	2025-09-30 20:28:35 +05:30
varun-r-mallya	ce9be8750d	add dwarf behaviour conditions	2025-09-30 20:26:38 +05:30
varun-r-mallya	6afcffb4ed	add debug module	2025-09-30 20:18:26 +05:30
varun-r-mallya	af004cb864	janitorial	2025-09-30 20:09:04 +05:30
Pragyansh Chaturvedi	980f2af414	Merge pull request #6 from pythonbpf/refactor-maps Refactor maps_pass	2025-09-30 19:58:32 +05:30
Pragyansh Chaturvedi	87908e8713	Remove backslash for multiline conditions in maps	2025-09-30 19:57:58 +05:30
Pragyansh Chaturvedi	0f3cc434a3	Fix return for unknown map types	2025-09-30 19:55:37 +05:30
Pragyansh Chaturvedi	d943b78a25	Add __init__ to maps to improve imports	2025-09-30 19:51:28 +05:30
Pragyansh Chaturvedi	744aa3fbdf	Use logger instead of prints in map_pass	2025-09-30 19:44:29 +05:30
Pragyansh Chaturvedi	9fa362ec6a	Remove global map_sym_tab	2025-09-30 19:29:45 +05:30
Pragyansh Chaturvedi	ca51b7ce01	Fix invalid member func for MapProcessorRegistry	2025-09-30 19:10:25 +05:30
Pragyansh Chaturvedi	2e005f6eb5	Create MapProcessorRegistry to add more maps	2025-09-30 19:08:56 +05:30
Pragyansh Chaturvedi	cbc6b93cd8	restructure maps dir, fix imports	2025-09-30 19:01:46 +05:30
Pragyansh Chaturvedi	9ae1b6ce15	Fix usage of map_params to use BPFMapType	2025-09-30 13:28:18 +05:30
Pragyansh Chaturvedi	1a1f2cf634	create BPFMapType enum	2025-09-30 12:20:07 +05:30
Pragyansh Chaturvedi	0d691865bc	Add is_map in maps_pass	2025-09-30 11:44:12 +05:30
varunrmallya	0fb1cafd20	Revise README for clarity and additional details Updated README.md to enhance project description, installation instructions, and usage examples.	2025-09-30 03:05:27 +05:30
Pragyansh Chaturvedi	1adf7d7fcc	Merge pull request #5 from pythonbpf/struct_refactor Struct refactor	2025-09-30 02:01:58 +05:30
Pragyansh Chaturvedi	3ded17bf8b	Fix size calc for ArrayType in structs	2025-09-30 01:59:18 +05:30
Pragyansh Chaturvedi	715442d7bf	fix struct usage in expr_pass	2025-09-30 01:59:17 +05:30
Pragyansh Chaturvedi	e464a3fdd5	fix struct usage in handle_helper_functions	2025-09-30 01:59:16 +05:30
Pragyansh Chaturvedi	fed4c179e6	fix struct usage in functions_pass	2025-09-30 01:59:15 +05:30
Pragyansh Chaturvedi	32c22c3148	fix struct imports	2025-09-30 01:59:14 +05:30
Pragyansh Chaturvedi	4557b094e1	Use StructType in struct_pass, fix indexing	2025-09-30 01:59:13 +05:30
Pragyansh Chaturvedi	84500305db	Move structs_pass under structs, create StructType	2025-09-30 01:59:12 +05:30
Pragyansh Chaturvedi	0d21f84529	Remove redundant functions from struct_pass	2025-09-30 01:59:11 +05:30
Pragyansh Chaturvedi	5bcc02a931	add parser_struct_fields	2025-09-30 01:59:10 +05:30
Pragyansh Chaturvedi	fe91a176e2	fix structs_proc	2025-09-30 01:59:09 +05:30
Pragyansh Chaturvedi	083ee21e38	structs_pass cleanup	2025-09-30 01:59:06 +05:30
varun-r-mallya	ea5a1ab2de	add jupyter notebook support	2025-09-27 12:24:49 +05:30
Pragyansh Chaturvedi	de5cc438ab	Allow access from struct fields	2025-09-26 23:02:51 +05:30
varun-r-mallya	8c2196c05c	bump version Signed-off-by: varun-r-mallya <varunrmallya@gmail.com>	2025-09-26 22:48:17 +05:30
Pragyansh Chaturvedi	a2f86d680d	Merge pull request #4 from varun-r-mallya/type_system Type system and strings	2025-09-26 18:27:10 +05:30
Pragyansh Chaturvedi	0f365be65e	Add some support for strings in structs	2025-09-26 18:26:07 +05:30
Pragyansh Chaturvedi	4ebf0480dd	tweak commit to add placeholder string	2025-09-26 04:54:01 +05:30
Pragyansh Chaturvedi	b9ddecd6b1	Add string as a primitve to struct defs	2025-09-26 04:44:38 +05:30
Pragyansh Chaturvedi	737c4d3039	Support storing and printing string type	2025-09-26 04:17:29 +05:30
Pragyansh Chaturvedi	da8a495da7	Fix handle_cond for new symtab convention	2025-09-26 04:05:37 +05:30
Pragyansh Chaturvedi	ee03ac04d0	Fix printk handler to comply with new symtab convention	2025-09-26 01:02:10 +05:30
Pragyansh Chaturvedi	51595f9ec2	Add types returns to bpf helpers	2025-09-26 00:28:10 +05:30
Pragyansh Chaturvedi	4cf284a81f	provide type as weel in eval_expr	2025-09-26 00:24:10 +05:30
Pragyansh Chaturvedi	1517f6e052	Fix local_sym_tab accesses in expr_pass	2025-09-25 23:54:04 +05:30
Pragyansh Chaturvedi	95f360059b	Fix local_sym_tab accesses in binary_ops	2025-09-25 23:53:04 +05:30
Pragyansh Chaturvedi	dad57bd340	Fix local_sym_tab accesses in bpf_helper_handler	2025-09-25 23:51:08 +05:30
Pragyansh Chaturvedi	529b0bde19	Fix local_sym_tab accesses in functions_pass	2025-09-25 23:49:28 +05:30
Pragyansh Chaturvedi	943697ac9f	Pass down type info in local_sym_tab	2025-09-25 23:43:19 +05:30
Pragyansh Chaturvedi	ba90af9ff2	Allocate space for string consts	2025-09-25 22:24:55 +05:30
Pragyansh Chaturvedi	35969c4ff7	Add string example	2025-09-25 22:15:14 +05:30
Pragyansh Chaturvedi	9e87ee52f2	Move relevant vmlinux files to ex7.bpf.c	2025-09-25 00:10:39 +05:30
Pragyansh Chaturvedi	d0be8893eb	Add setuid C example	2025-09-24 23:48:42 +05:30
varun-r-mallya	dda05bd044	Add matplotlib example	2025-09-23 20:36:15 +05:30
varun-r-mallya	28e6f97708	add support for compilation with pylibbpf Signed-off-by: varun-r-mallya <varunrmallya@gmail.com>	2025-09-21 18:05:43 +05:30
Pragyansh Chaturvedi	a1bc813ec5	Small fix to enum va	2025-09-21 17:58:51 +05:30
Pragyansh Chaturvedi	fefd6840c8	finish perf_event_output helper integration	2025-09-21 17:50:58 +05:30
Pragyansh Chaturvedi	79f0949abc	Fix calling conventions changed by structs	2025-09-21 16:19:12 +05:30
Pragyansh Chaturvedi	a1371697cc	overhaul handle_helper_calls	2025-09-21 16:10:29 +05:30
Pragyansh Chaturvedi	3c976b88d3	pass down structs_sym_tab	2025-09-21 15:20:41 +05:30
Pragyansh Chaturvedi	69a86c2433	Add perf_event_output boilerplate	2025-09-21 15:14:55 +05:30
varun-r-mallya	6b92a16ca1	update release for pylibbpf Signed-off-by: varun-r-mallya <varunrmallya@gmail.com>	2025-09-21 12:31:26 +05:30
Pragyansh Chaturvedi	12b8bf698b	Add struct field access stub - too sleepy to debug	2025-09-21 05:27:34 +05:30
Pragyansh Chaturvedi	0f9a4078ee	Complete struct field assignment	2025-09-21 05:22:00 +05:30
Pragyansh Chaturvedi	36c2c0b695	Add struct malloc, add struct instantiation to example	2025-09-21 04:48:50 +05:30
Pragyansh Chaturvedi	63c44fa48c	Pass down structs_sym_tab	2025-09-21 04:28:44 +05:30
Pragyansh Chaturvedi	c79dc635d7	Add process_bpf_struct	2025-09-21 04:23:54 +05:30
Pragyansh Chaturvedi	9fc939cb8e	Add structs_pass, tweak functions_pass to respect structs	2025-09-21 03:29:05 +05:30
Pragyansh Chaturvedi	780f53cd3f	Make bpf structs discoverable during chunk exploration	2025-09-21 03:17:23 +05:30
Pragyansh Chaturvedi	48c0a1f506	Add struct to init to allow inclusion	2025-09-21 03:14:29 +05:30
Pragyansh Chaturvedi	8e231845ef	Add struct example and decorator	2025-09-21 03:01:13 +05:30
Pragyansh Chaturvedi	d01c7ad8ba	change README accordingly	2025-09-20 04:31:11 +05:30
Pragyansh Chaturvedi	a124476583	big overhaul of debug info and params passed to maps	2025-09-20 04:30:08 +05:30
Pragyansh Chaturvedi	73862f0084	Make max_entries optional in map BTF, add PerfEventArray to execve5	2025-09-20 03:15:09 +05:30
Pragyansh Chaturvedi	b8fdc16b4f	Add PerfEventArray class	2025-09-20 02:57:27 +05:30
Pragyansh Chaturvedi	4fd8bee8e7	Add IR and debug info generation for multiple MAP types	2025-09-20 02:53:49 +05:30
Pragyansh Chaturvedi	67fc3f9562	Add map type support to process_bpf_map	2025-09-20 02:19:17 +05:30
Pragyansh Chaturvedi	69d0cf2e0e	Add process_perf_event_map	2025-09-20 02:10:11 +05:30
Pragyansh Chaturvedi	b0f18229d9	Add PID helper	2025-09-19 22:58:16 +05:30
Pragyansh Chaturvedi	95727e3374	init execve5.py to emulate ex6.bpf.c	2025-09-19 22:35:47 +05:30
Pragyansh Chaturvedi	079288265f	Format integers in fstrings to display as u64	2025-09-19 22:34:19 +05:30
Pragyansh Chaturvedi	efd6083caf	Add custom struct C example	2025-09-19 22:06:20 +05:30
Pragyansh Chaturvedi	4797c007a0	Define arch in C example	2025-09-19 04:22:36 +05:30
Pragyansh Chaturvedi	b2413644e4	Add generated vmlinux.py from ctypeslib	2025-09-19 04:16:17 +05:30
Pragyansh Chaturvedi	af32758048	Add vmlinux.h	2025-09-19 04:15:54 +05:30
Pragyansh Chaturvedi	cb11d60fcc	Add barebones python skeleton for kfuncs	2025-09-19 04:15:39 +05:30
Pragyansh Chaturvedi	1967332175	Add kprobe and vmlinux example	2025-09-19 04:15:13 +05:30
Pragyansh Chaturvedi	224e6ba781	Add basic TODO.md	2025-09-18 01:51:01 +05:30
Pragyansh Chaturvedi	62db39db74	Add presentation and video links to README	2025-09-18 01:47:24 +05:30
varun-r-mallya	cc5f720406	Support simple XDP	2025-09-13 19:58:01 +05:30
varun-r-mallya	9f858bd159	Add recursive dereferencing and get example working	2025-09-13 00:12:04 +05:30
varun-r-mallya	ca203a1fdd	support referencing other variables inside binops	2025-09-12 23:05:52 +05:30
Pragyansh Chaturvedi	a09e4e1bb6	Add deref(), add delete helper, refactor pre-alloc	2025-09-12 04:26:27 +05:30
Pragyansh Chaturvedi	0950d0550c	Add side by side view	2025-09-12 04:25:08 +05:30