Deploying to gh-pages from @ eunomia-bpf/bpf-developer-tutorial@31c92abad8 🚀

8-exitsnoop/exitsnoop.bpf.c

@@ -19,7 +19,7 @@ int handle_exit(struct trace_event_raw_sched_process_template* ctx)
 	struct task_struct *task;
 	struct event *e;
 	pid_t pid, tid;
-	u64 id, ts, *start_ts, duration_ns = 0;
+	u64 id, ts, *start_ts, start_time = 0;
 	
 	/* get PID and TID of exiting thread/process */
 	id = bpf_get_current_pid_tgid();
@@ -37,8 +37,9 @@ int handle_exit(struct trace_event_raw_sched_process_template* ctx)
 
 	/* fill out the sample with data */
 	task = (struct task_struct *)bpf_get_current_task();
+	start_time = BPF_CORE_READ(task, start_time);
 
-	e->duration_ns = duration_ns;
+	e->duration_ns = bpf_ktime_get_ns() - start_time;
 	e->pid = pid;
 	e->ppid = BPF_CORE_READ(task, real_parent, tgid);
 	e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;

8-exitsnoop/index.html

@@ -212,47 +212,49 @@ struct event {
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_core_read.h>
 #include "exitsnoop.h"
+
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
 
 struct {
- __uint(type, BPF_MAP_TYPE_RINGBUF);
+    __uint(type, BPF_MAP_TYPE_RINGBUF);
- __uint(max_entries, 256 * 1024);
+    __uint(max_entries, 256 * 1024);
 } rb SEC(".maps");
 
 SEC("tp/sched/sched_process_exit")
 int handle_exit(struct trace_event_raw_sched_process_template* ctx)
 {
- struct task_struct *task;
+    struct task_struct *task;
- struct event *e;
+    struct event *e;
- pid_t pid, tid;
+    pid_t pid, tid;
- u64 id, ts, *start_ts, duration_ns = 0;
+    u64 id, ts, *start_ts, start_time = 0;
     
- /* get PID and TID of exiting thread/process */
+    /* get PID and TID of exiting thread/process */
- id = bpf_get_current_pid_tgid();
+    id = bpf_get_current_pid_tgid();
- pid = id >> 32;
+    pid = id >> 32;
- tid = (u32)id;
+    tid = (u32)id;
 
- /* ignore thread exits */
+    /* ignore thread exits */
- if (pid != tid)
+    if (pid != tid)
-  return 0;
+        return 0;
 
- /* reserve sample from BPF ringbuf */
+    /* reserve sample from BPF ringbuf */
- e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+    e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
- if (!e)
+    if (!e)
-  return 0;
+        return 0;
 
- /* fill out the sample with data */
+    /* fill out the sample with data */
- task = (struct task_struct *)bpf_get_current_task();
+    task = (struct task_struct *)bpf_get_current_task();
+    start_time = BPF_CORE_READ(task, start_time);
 
- e->duration_ns = duration_ns;
+    e->duration_ns = bpf_ktime_get_ns() - start_time;
- e->pid = pid;
+    e->pid = pid;
- e->ppid = BPF_CORE_READ(task, real_parent, tgid);
+    e->ppid = BPF_CORE_READ(task, real_parent, tgid);
- e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;
+    e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;
- bpf_get_current_comm(&e->comm, sizeof(e->comm));
+    bpf_get_current_comm(&e->comm, sizeof(e->comm));
 
- /* send data to user-space for post-processing */
+    /* send data to user-space for post-processing */
- bpf_ringbuf_submit(e, 0);
+    bpf_ringbuf_submit(e, 0);
- return 0;
+    return 0;
 }
 </code></pre>
 <p>这段代码展示了如何使用 exitsnoop 监控进程退出事件并使用 ring buffer 向用户态打印输出：</p>

print.html

@@ -1050,47 +1050,49 @@ struct event {
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_core_read.h>
 #include "exitsnoop.h"
+
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
 
 struct {
- __uint(type, BPF_MAP_TYPE_RINGBUF);
+    __uint(type, BPF_MAP_TYPE_RINGBUF);
- __uint(max_entries, 256 * 1024);
+    __uint(max_entries, 256 * 1024);
 } rb SEC(".maps");
 
 SEC("tp/sched/sched_process_exit")
 int handle_exit(struct trace_event_raw_sched_process_template* ctx)
 {
- struct task_struct *task;
+    struct task_struct *task;
- struct event *e;
+    struct event *e;
- pid_t pid, tid;
+    pid_t pid, tid;
- u64 id, ts, *start_ts, duration_ns = 0;
+    u64 id, ts, *start_ts, start_time = 0;
     
- /* get PID and TID of exiting thread/process */
+    /* get PID and TID of exiting thread/process */
- id = bpf_get_current_pid_tgid();
+    id = bpf_get_current_pid_tgid();
- pid = id >> 32;
+    pid = id >> 32;
- tid = (u32)id;
+    tid = (u32)id;
 
- /* ignore thread exits */
+    /* ignore thread exits */
- if (pid != tid)
+    if (pid != tid)
-  return 0;
+        return 0;
 
- /* reserve sample from BPF ringbuf */
+    /* reserve sample from BPF ringbuf */
- e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+    e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
- if (!e)
+    if (!e)
-  return 0;
+        return 0;
 
- /* fill out the sample with data */
+    /* fill out the sample with data */
- task = (struct task_struct *)bpf_get_current_task();
+    task = (struct task_struct *)bpf_get_current_task();
+    start_time = BPF_CORE_READ(task, start_time);
 
- e->duration_ns = duration_ns;
+    e->duration_ns = bpf_ktime_get_ns() - start_time;
- e->pid = pid;
+    e->pid = pid;
- e->ppid = BPF_CORE_READ(task, real_parent, tgid);
+    e->ppid = BPF_CORE_READ(task, real_parent, tgid);
- e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;
+    e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;
- bpf_get_current_comm(&e->comm, sizeof(e->comm));
+    bpf_get_current_comm(&e->comm, sizeof(e->comm));
 
- /* send data to user-space for post-processing */
+    /* send data to user-space for post-processing */
- bpf_ringbuf_submit(e, 0);
+    bpf_ringbuf_submit(e, 0);
- return 0;
+    return 0;
 }
 </code></pre>
 <p>这段代码展示了如何使用 exitsnoop 监控进程退出事件并使用 ring buffer 向用户态打印输出：</p>