fix(exitsnoop): get the correct 'DURATION_NS' (#59)

src/8-exitsnoop/README.md

@@ -60,47 +60,49 @@ struct event {
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_core_read.h>
 #include "exitsnoop.h"
+
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
 
 struct {
- __uint(type, BPF_MAP_TYPE_RINGBUF);
- __uint(max_entries, 256 * 1024);
+    __uint(type, BPF_MAP_TYPE_RINGBUF);
+    __uint(max_entries, 256 * 1024);
 } rb SEC(".maps");
 
 SEC("tp/sched/sched_process_exit")
 int handle_exit(struct trace_event_raw_sched_process_template* ctx)
 {
- struct task_struct *task;
- struct event *e;
- pid_t pid, tid;
- u64 id, ts, *start_ts, duration_ns = 0;
- 
- /* get PID and TID of exiting thread/process */
- id = bpf_get_current_pid_tgid();
- pid = id >> 32;
- tid = (u32)id;
+    struct task_struct *task;
+    struct event *e;
+    pid_t pid, tid;
+    u64 id, ts, *start_ts, start_time = 0;
+    
+    /* get PID and TID of exiting thread/process */
+    id = bpf_get_current_pid_tgid();
+    pid = id >> 32;
+    tid = (u32)id;
 
- /* ignore thread exits */
- if (pid != tid)
-  return 0;
+    /* ignore thread exits */
+    if (pid != tid)
+        return 0;
 
- /* reserve sample from BPF ringbuf */
- e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
- if (!e)
-  return 0;
+    /* reserve sample from BPF ringbuf */
+    e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+    if (!e)
+        return 0;
 
- /* fill out the sample with data */
- task = (struct task_struct *)bpf_get_current_task();
+    /* fill out the sample with data */
+    task = (struct task_struct *)bpf_get_current_task();
+    start_time = BPF_CORE_READ(task, start_time);
 
- e->duration_ns = duration_ns;
- e->pid = pid;
- e->ppid = BPF_CORE_READ(task, real_parent, tgid);
- e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;
- bpf_get_current_comm(&e->comm, sizeof(e->comm));
+    e->duration_ns = bpf_ktime_get_ns() - start_time;
+    e->pid = pid;
+    e->ppid = BPF_CORE_READ(task, real_parent, tgid);
+    e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;
+    bpf_get_current_comm(&e->comm, sizeof(e->comm));
 
- /* send data to user-space for post-processing */
- bpf_ringbuf_submit(e, 0);
- return 0;
+    /* send data to user-space for post-processing */
+    bpf_ringbuf_submit(e, 0);
+    return 0;
 }
 ```
 

src/8-exitsnoop/README_en.md

@@ -60,47 +60,49 @@ Source File: exitsnoop.bpf.c
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_core_read.h>
 #include "exitsnoop.h"
+
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
 
 struct {
- __uint(type, BPF_MAP_TYPE_RINGBUF);
- __uint(max_entries, 256 * 1024);
+    __uint(type, BPF_MAP_TYPE_RINGBUF);
+    __uint(max_entries, 256 * 1024);
 } rb SEC(".maps");
 
 SEC("tp/sched/sched_process_exit")
 int handle_exit(struct trace_event_raw_sched_process_template* ctx)
 {
-  struct task_struct *task;
-  struct event *e;
-  pid_t pid, tid;
-  u64 id, ts, *start_ts, duration_ns = 0;
-  
-  /* get PID and TID of exiting thread/process */
-  id = bpf_get_current_pid_tgid();
-  pid = id >> 32;
-  format: rawtid = (u32)id;
+    struct task_struct *task;
+    struct event *e;
+    pid_t pid, tid;
+    u64 id, ts, *start_ts, start_time = 0;
+    
+    /* get PID and TID of exiting thread/process */
+    id = bpf_get_current_pid_tgid();
+    pid = id >> 32;
+    tid = (u32)id;
 
-  /* ignore thread exits */
-  if (pid != tid)
+    /* ignore thread exits */
+    if (pid != tid)
+        return 0;
+
+    /* reserve sample from BPF ringbuf */
+    e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+    if (!e)
+        return 0;
+
+    /* fill out the sample with data */
+    task = (struct task_struct *)bpf_get_current_task();
+    start_time = BPF_CORE_READ(task, start_time);
+
+    e->duration_ns = bpf_ktime_get_ns() - start_time;
+    e->pid = pid;
+    e->ppid = BPF_CORE_READ(task, real_parent, tgid);
+    e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;
+    bpf_get_current_comm(&e->comm, sizeof(e->comm));
+
+    /* send data to user-space for post-processing */
+    bpf_ringbuf_submit(e, 0);
     return 0;
-
-  /* reserve sample from BPF ringbuf */
-  e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
-  if (!e)
-    return 0;
-
-  /* fill out the sample with data */
-  task = (struct task_struct *)bpf_get_current_task();
-
-  e->duration_ns = duration_ns;
-  e->pid = pid;
-  e->ppid = BPF_CORE_READ(task, real_parent, tgid);
-  e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;
-  bpf_get_current_comm(&e->comm, sizeof(e->comm));
-
-  /* send data to user-space for post-processing */
-  bpf_ringbuf_submit(e, 0);
-  return 0;
 }
 ```
 

src/8-exitsnoop/exitsnoop.bpf.c

@@ -19,7 +19,7 @@ int handle_exit(struct trace_event_raw_sched_process_template* ctx)
 	struct task_struct *task;
 	struct event *e;
 	pid_t pid, tid;
-	u64 id, ts, *start_ts, duration_ns = 0;
+	u64 id, ts, *start_ts, start_time = 0;
 	
 	/* get PID and TID of exiting thread/process */
 	id = bpf_get_current_pid_tgid();
@@ -37,8 +37,9 @@ int handle_exit(struct trace_event_raw_sched_process_template* ctx)
 
 	/* fill out the sample with data */
 	task = (struct task_struct *)bpf_get_current_task();
+	start_time = BPF_CORE_READ(task, start_time);
 
-	e->duration_ns = duration_ns;
+	e->duration_ns = bpf_ktime_get_ns() - start_time;
 	e->pid = pid;
 	e->ppid = BPF_CORE_READ(task, real_parent, tgid);
 	e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;