remove demos and add examples

Signed-off-by: varun-r-mallya <varunrmallya@gmail.com>

.gitignore

@@ -5,4 +5,5 @@
 .vscode/
 __pycache__/
 *.ll
-*.o
+*.o
+.ipynb_checkpoints/

examples/execve5.py

@@ -26,10 +26,10 @@ def hello(ctx: c_void_p) -> c_int32:
     ts = ktime()
     process_id = pid()
     strobj = "hellohellohello"
-    dataobj.pid = process_id
-    dataobj.ts = ts
+    dataobj.pid = pid()
+    dataobj.ts = ktime()
     # dataobj.comm = strobj
-    print(f"clone called at {ts} by pid {process_id}, comm {strobj}")
+    print(f"clone called at {dataobj.ts} by pid {dataobj.pid}, comm {strobj}")
     events.output(dataobj)
     return c_int32(0)
 

examples/pybpf0.py

@@ -0,0 +1,35 @@
+from pythonbpf import bpf, section, bpfglobal, BPF
+import sys
+from ctypes import c_void_p, c_int64
+
+# Instructions to how to run this program
+# 1. Install PythonBPF: pip install pythonbpf
+# 2. `sudo /path/to/venv/bin/python ./python-bpf/demo/pybpf0.py`
+
+@bpf
+@section("tracepoint/syscalls/sys_enter_execve")
+def hello_world(ctx: c_void_p) -> c_int64:
+    print("Hello, World!")
+    return c_int64(0)
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+b = BPF()
+b.load_and_attach()
+
+def main():
+    try:
+        with open("/sys/kernel/debug/tracing/trace_pipe", "r") as f:
+            for line in f:
+                sys.stdout.write(line)
+                sys.stdout.flush()
+    except KeyboardInterrupt:
+        pass
+    except PermissionError:
+        sys.stderr.write("Need root privileges to read trace_pipe\n")
+
+if __name__ == "__main__":
+    main()

examples/pybpf1.py

@@ -0,0 +1,41 @@
+from pythonbpf import bpf, map, section, bpfglobal, compile
+from pythonbpf.helpers import XDP_PASS
+from pythonbpf.maps import HashMap
+
+from ctypes import c_void_p, c_int64
+
+# Instructions to how to run this program
+# 1. Install PythonBPF: pip install pythonbpf
+# 2. Run the program: python demo/pybpf1.py
+# 3. Run the program with sudo: sudo examples/check.sh run demo/pybpf1.o
+# 4. Attach object file to any network device with something like ./check.sh xdp ../demo/pybpf1.o tailscale0
+# 5. send traffic through the device and observe effects
+
+@bpf
+@map
+def count() -> HashMap:
+    return HashMap(key=c_int64, value=c_int64, max_entries=1)
+
+
+@bpf
+@section("xdp")
+def hello_world(ctx: c_void_p) -> c_int64:
+    key = 0
+    one = 1
+    prev = count().lookup(key)
+    if prev:
+        prevval = prev + 1
+        print(f"count: {prevval}")
+        count().update(key, prevval)
+        return XDP_PASS
+    else:
+        count().update(key, one)
+
+    return XDP_PASS
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+compile()

examples/pybpf2.py

@@ -0,0 +1,43 @@
+from pythonbpf import bpf, map, section, bpfglobal, compile
+from pythonbpf.helpers import ktime
+from pythonbpf.maps import HashMap
+
+from ctypes import c_void_p, c_int64, c_uint64
+
+# Instructions to how to run this program
+# 1. Install PythonBPF: pip install pythonbpf
+# 2. Run the program: python demo/pybpf2.py
+# 3. Run the program with sudo: sudo examples/check.sh run demo/pybpf2.o
+# 4. Start a Python repl and `import os` and then keep entering `os.sync()` to see reponses.
+
+@bpf
+@map
+def last() -> HashMap:
+    return HashMap(key=c_uint64, value=c_uint64, max_entries=3)
+
+
+@bpf
+@section("tracepoint/syscalls/sys_enter_sync")
+def do_trace(ctx: c_void_p) -> c_int64:
+    key = 0
+    tsp = last().lookup(key)
+    if tsp:
+        kt = ktime()
+        delta = (kt - tsp)
+        if delta < 1000000000:
+            time_ms = (delta // 1000000)
+            print(f"sync called within last second, last {time_ms} ms ago")
+        last().delete(key)
+    else:
+        kt = ktime()
+        last().update(key, kt)
+    return c_int64(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+compile()

examples/pybpf3.py

@@ -0,0 +1,49 @@
+from pythonbpf import *
+from pylibbpf import *
+import sys
+from ctypes import c_void_p, c_int64, c_uint64
+
+@bpf
+@map
+def last() -> HashMap:
+    return HashMap(key=c_uint64, value=c_uint64, max_entries=3)
+
+@bpf
+@section("tracepoint/syscalls/sys_enter_clone")
+def do_trace(ctx: c_void_p) -> c_int64:
+    key = 0
+    tsp = last().lookup(key)
+    if tsp:
+        kt = ktime()
+        delta = (kt - tsp)
+        if delta < 1000000000:
+            time_ms = (delta // 1000000)
+            print(f"Clone syscall entered within last second, last {time_ms} ms ago")
+        last().delete(key)
+    else:
+        kt = ktime()
+        last().update(key, kt)
+    return c_int64(0)
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+b = BPF()
+# autoattaches tracepoints
+b.load_and_attach()
+
+def main():
+    try:
+        with open("/sys/kernel/debug/tracing/trace_pipe", "r") as f:
+            for line in f:
+                sys.stdout.write(line)
+                sys.stdout.flush()
+    except KeyboardInterrupt:
+        pass
+    except PermissionError:
+        sys.stderr.write("Need root privileges to read trace_pipe\n")
+
+if __name__ == "__main__":
+    main()

examples/pybpf4.py

@@ -0,0 +1,62 @@
+import time
+
+from pythonbpf import bpf, map, section, bpfglobal, BPF
+from pythonbpf.helpers import pid
+from pythonbpf.maps import HashMap
+from pylibbpf import BpfMap
+
+from ctypes import c_void_p, c_int64, c_uint64, c_int32
+import matplotlib.pyplot as plt
+
+# This program attaches an eBPF tracepoint to sys_enter_clone,
+# counts per-PID clone syscalls, stores them in a hash map,
+# and then plots the distribution as a histogram using matplotlib.
+# It provides a quick view of process creation activity over 10 seconds.
+# Everything is done with Python only code and with the new pylibbpf library.
+# Run `sudo /path/to/python/binary/ pybpf4.py`
+
+@bpf
+@map
+def hist() -> HashMap:
+    return HashMap(key=c_int32, value=c_uint64, max_entries=4096)
+
+@bpf
+@section("tracepoint/syscalls/sys_enter_clone")
+def hello(ctx: c_void_p) -> c_int64:
+    process_id = pid()
+    one = 1
+    prev = hist().lookup(process_id)
+    if prev:
+        previous_value = prev + 1
+        print(f"count: {previous_value} with {process_id}")
+        hist().update(process_id, previous_value)
+        return c_int64(0)
+    else:
+        hist().update(process_id, one)
+    return c_int64(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+b = BPF()
+b.load_and_attach()
+hist = BpfMap(b, hist)
+print("Recording")
+time.sleep(10)
+
+counts = list(hist.values())
+x = 0
+for key in hist.keys():
+    if hist[key] > 40:
+        x += 1
+        print(f"PID {key} called clone() >40 times")
+
+print(f"Total PIDs with clone() >40 times: {x}")
+plt.hist(counts, bins=20)
+plt.xlabel("Clone calls per PID")
+plt.ylabel("Number of processes that called clone() x times in last 10 seconds")
+plt.title("x")
+plt.show()

pythonbpf/bpf_helper_handler.py

@@ -3,7 +3,7 @@ from llvmlite import ir
 from .expr_pass import eval_expr
 
 
-def bpf_ktime_get_ns_emitter(call, map_ptr, module, builder, func, local_sym_tab=None, local_var_metadata=None):
+def bpf_ktime_get_ns_emitter(call, map_ptr, module, builder, func, local_sym_tab=None, struct_sym_tab=None, local_var_metadata=None):
     """
     Emit LLVM IR for bpf_ktime_get_ns helper function call.
     """
@@ -63,7 +63,7 @@ def bpf_map_lookup_elem_emitter(call, map_ptr, module, builder, func, local_sym_
     return result, ir.PointerType()
 
 
-def bpf_printk_emitter(call, map_ptr, module, builder, func, local_sym_tab=None, local_var_metadata=None):
+def bpf_printk_emitter(call, map_ptr, module, builder, func, local_sym_tab=None, struct_sym_tab=None, local_var_metadata=None):
     if not hasattr(func, "_fmt_counter"):
         func._fmt_counter = 0
 
@@ -101,10 +101,42 @@ def bpf_printk_emitter(call, map_ptr, module, builder, func, local_sym_tab=None,
                         else:
                             raise NotImplementedError(
                                 "Only integer and pointer types are supported in formatted values.")
-                        print("Formatted value variable:", var_ptr, var_type)
                     else:
                         raise ValueError(
                             f"Variable {value.value.id} not found in local symbol table.")
+                elif isinstance(value.value, ast.Attribute):
+                    # object field access from struct
+                    if isinstance(value.value.value, ast.Name) and local_sym_tab and value.value.value.id in local_sym_tab:
+                        var_name = value.value.value.id
+                        field_name = value.value.attr
+                        if local_var_metadata and var_name in local_var_metadata:
+                            var_type = local_var_metadata[var_name]
+                            if var_type in struct_sym_tab:
+                                struct_info = struct_sym_tab[var_type]
+                                if field_name in struct_info["fields"]:
+                                    field_index = struct_info["fields"][field_name]
+                                    field_type = struct_info["field_types"][field_index]
+                                    if isinstance(field_type, ir.IntType):
+                                        fmt_parts.append("%lld")
+                                        exprs.append(value.value)
+                                    elif field_type == ir.PointerType(ir.IntType(8)):
+                                        fmt_parts.append("%s")
+                                        exprs.append(value.value)
+                                    else:
+                                        raise NotImplementedError(
+                                            "Only integer and pointer types are supported in formatted values.")
+                                else:
+                                    raise ValueError(
+                                        f"Field {field_name} not found in struct {var_type}.")
+                            else:
+                                raise ValueError(
+                                    f"Struct type {var_type} for variable {var_name} not found in struct symbol table.")
+                        else:
+                            raise ValueError(
+                                f"Metadata for variable {var_name} not found in local variable metadata.")
+                    else:
+                        raise ValueError(
+                            f"Variable {value.value.value.id} not found in local symbol table.")
                 else:
                     raise NotImplementedError(
                         "Only simple variable names are supported in formatted values.")
@@ -119,12 +151,12 @@ def bpf_printk_emitter(call, map_ptr, module, builder, func, local_sym_tab=None,
         fmt_gvar = ir.GlobalVariable(
             module, ir.ArrayType(ir.IntType(8), len(fmt_str)), name=fmt_name)
         fmt_gvar.global_constant = True
-        fmt_gvar.initializer = ir.Constant(
+        fmt_gvar.initializer = ir.Constant(                 # type: ignore
             ir.ArrayType(ir.IntType(8), len(fmt_str)),
             bytearray(fmt_str.encode("utf8"))
         )
         fmt_gvar.linkage = "internal"
-        fmt_gvar.align = 1
+        fmt_gvar.align = 1              # type: ignore
 
         fmt_ptr = builder.bitcast(fmt_gvar, ir.PointerType())
 
@@ -136,8 +168,9 @@ def bpf_printk_emitter(call, map_ptr, module, builder, func, local_sym_tab=None,
                 "Warning: bpf_printk supports up to 3 arguments, extra arguments will be ignored.")
 
         for expr in exprs[:3]:
+            print(f"{ast.dump(expr)}")
             val, _ = eval_expr(func, module, builder,
-                               expr, local_sym_tab, None)
+                               expr, local_sym_tab, None, struct_sym_tab, local_var_metadata)
             if val:
                 if isinstance(val.type, ir.PointerType):
                     val = builder.ptrtoint(val, ir.IntType(64))
@@ -339,7 +372,7 @@ def bpf_map_delete_elem_emitter(call, map_ptr, module, builder, func, local_sym_
     return result, None
 
 
-def bpf_get_current_pid_tgid_emitter(call, map_ptr, module, builder, func, local_sym_tab=None, local_var_metadata=None):
+def bpf_get_current_pid_tgid_emitter(call, map_ptr, module, builder, func, local_sym_tab=None, struct_sym_tab=None, local_var_metadata=None):
     """
     Emit LLVM IR for bpf_get_current_pid_tgid helper function call.
     """
@@ -420,11 +453,12 @@ helper_func_list = {
 
 
 def handle_helper_call(call, module, builder, func, local_sym_tab=None, map_sym_tab=None, struct_sym_tab=None, local_var_metadata=None):
+    print(local_var_metadata)
     if isinstance(call.func, ast.Name):
         func_name = call.func.id
         if func_name in helper_func_list:
             # it is not a map method call
-            return helper_func_list[func_name](call, None, module, builder, func, local_sym_tab)
+            return helper_func_list[func_name](call, None, module, builder, func, local_sym_tab, struct_sym_tab, local_var_metadata)
         else:
             raise NotImplementedError(
                 f"Function {func_name} is not implemented as a helper function.")

pythonbpf/codegen.py

@@ -10,6 +10,7 @@ import subprocess
 import inspect
 from pathlib import Path
 from pylibbpf import BpfProgram
+import tempfile
 
 
 def find_bpf_chunks(tree):
@@ -122,14 +123,17 @@ def compile():
 
 def BPF() -> BpfProgram:
     caller_frame = inspect.stack()[1]
-    caller_file = Path(caller_frame.filename).resolve()
-    ll_file = Path("/tmp") / caller_file.with_suffix(".ll").name
-    o_file = Path("/tmp") / caller_file.with_suffix(".o").name
-    compile_to_ir(str(caller_file), str(ll_file))
+    src = inspect.getsource(caller_frame.frame)
+    with tempfile.NamedTemporaryFile(mode="w+", delete=True, suffix=".py") as f, \
+        tempfile.NamedTemporaryFile(mode="w+", delete=True, suffix=".ll") as inter, \
+        tempfile.NamedTemporaryFile(mode="w+", delete=False, suffix=".o") as obj_file:
+        f.write(src)
+        f.flush()
+        source = f.name
+        compile_to_ir(source, str(inter.name))
+        subprocess.run([
+            "llc", "-march=bpf", "-filetype=obj", "-O2",
+            str(inter.name), "-o", str(obj_file.name)
+        ], check=True)
 
-    subprocess.run([
-        "llc", "-march=bpf", "-filetype=obj", "-O2",
-        str(ll_file), "-o", str(o_file)
-    ], check=True)
-
-    return BpfProgram(str(o_file))
+        return BpfProgram(str(obj_file.name))

pythonbpf/expr_pass.py

@@ -4,6 +4,7 @@ from llvmlite import ir
 
 def eval_expr(func, module, builder, expr, local_sym_tab, map_sym_tab, structs_sym_tab=None, local_var_metadata=None):
     print(f"Evaluating expression: {ast.dump(expr)}")
+    print(local_var_metadata)
     if isinstance(expr, ast.Name):
         if expr.id in local_sym_tab:
             var = local_sym_tab[expr.id][0]
@@ -66,6 +67,25 @@ def eval_expr(func, module, builder, expr, local_sym_tab, map_sym_tab, structs_s
                     if method_name in helper_func_list:
                         return handle_helper_call(
                             expr, module, builder, func, local_sym_tab, map_sym_tab, structs_sym_tab, local_var_metadata)
+    elif isinstance(expr, ast.Attribute):
+        if isinstance(expr.value, ast.Name):
+            var_name = expr.value.id
+            attr_name = expr.attr
+            if var_name in local_sym_tab:
+                var_ptr, var_type = local_sym_tab[var_name]
+                print(f"Loading attribute "
+                      f"{attr_name} from variable {var_name}")
+                print(f"Variable type: {var_type}, Variable ptr: {var_ptr}")
+                print(local_var_metadata)
+                if local_var_metadata and var_name in local_var_metadata:
+                    metadata = structs_sym_tab[local_var_metadata[var_name]]
+                    if attr_name in metadata["fields"]:
+                        field_idx = metadata["fields"][attr_name]
+                        gep = builder.gep(var_ptr, [ir.Constant(ir.IntType(32), 0),
+                                                    ir.Constant(ir.IntType(32), field_idx)])
+                        val = builder.load(gep)
+                        field_type = metadata["field_types"][field_idx]
+                        return val, field_type
     print("Unsupported expression evaluation")
     return None
 
@@ -73,6 +93,7 @@ def eval_expr(func, module, builder, expr, local_sym_tab, map_sym_tab, structs_s
 def handle_expr(func, module, builder, expr, local_sym_tab, map_sym_tab, structs_sym_tab, local_var_metadata):
     """Handle expression statements in the function body."""
     print(f"Handling expression: {ast.dump(expr)}")
+    print(local_var_metadata)
     call = expr.value
     if isinstance(call, ast.Call):
         eval_expr(func, module, builder, call, local_sym_tab,

pythonbpf/functions_pass.py

@@ -282,6 +282,7 @@ def handle_if(func, module, builder, stmt, map_sym_tab, local_sym_tab, structs_s
 def process_stmt(func, module, builder, stmt, local_sym_tab, map_sym_tab, structs_sym_tab, did_return, ret_type=ir.IntType(64)):
     print(f"Processing statement: {ast.dump(stmt)}")
     if isinstance(stmt, ast.Expr):
+        print(local_var_metadata)
         handle_expr(func, module, builder, stmt, local_sym_tab,
                     map_sym_tab, structs_sym_tab, local_var_metadata)
     elif isinstance(stmt, ast.Assign):

pythonbpf/structs_pass.py

@@ -1,7 +1,6 @@
 import ast
 from llvmlite import ir
 from .type_deducer import ctypes_to_ir
-from . import dwarf_constants as dc
 
 structs_sym_tab = {}