HEX

File: //usr/lib/python3.6/site-packages/bcc/__pycache__/__init__.cpython-36.pyc
3

:�)gh�@s�ddlmZddlZddlZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlm
Z
mZmZmZmZddlmZmZmZmZmZddlmZddlmZmZmZmZmZddl m!Z!dd	l"m#Z#m$Z$dd
l%m&Z&m'Z'ye(Wne)k
�re*Z(YnXdZ+da,dd
�Z-dZ.dZ/dZ0dZ1dZ2dZ3dZ4Gdd�de5�Z6Gdd�d�Z7Gdd�d�Z8Gdd�d�Z9Gdd�d�Z:Gdd�d�Z;Gd d!�d!�Z<Gd"d#�d#�Z=Gd$d%�d%�Z>Gd&d'�d'e5�Z?dS)(�)�print_functionN�)�lib�
bcc_symbol�bcc_symbol_option�bcc_stacktrace_build_id�_SYM_CB_TYPE)�Table�PerfEventArray�RingBuf�BPF_MAP_TYPE_QUEUE�BPF_MAP_TYPE_STACK)�Perf)�get_online_cpus�printb�_assert_is_bytes�	ArgString�
StrcmpRewrite)�__version__)�disassemble_prog�
decode_map)�USDT�
USDTExceptioni�cCstS)N)�_num_open_probes�rr�/usr/lib/python3.6/__init__.py�_get_num_open_probes+srz/sys/kernel/debug/tracing����� c@s$eZdZdd�Zdd�Zdd�ZdS)�SymbolCachecCs tj|tjdtjt���|_dS)N)rZbcc_symcache_new�ct�cast�POINTERr�cache)�self�pidrrr�__init__AszSymbolCache.__init__cCs�t�}|r"tj|j|tj|��}ntj|j|tj|��}|dkrp|jrf|jrfd|jtj	|jtj
�jfSd|dfS|r�|j}tj
tj|��n|j}||jtj	|jtj
�jfS)a�
        Return a tuple of the symbol (function), its offset from the beginning
        of the function, and the module in which it lies. For example:
            ("start_thread", 0x202, "/usr/lib/.../libpthread-2.24.so")
        If the symbol cannot be found but we know which module it is in,
        return the module name and the offset from the beginning of the
        module. If we don't even know the module, return the absolute
        address as the offset.
        rN)rrZbcc_symcache_resolver&r#�byrefZ bcc_symcache_resolve_no_demangle�module�offsetr$�c_char_p�valueZ
demangle_nameZbcc_symbol_free_demangle_name�name)r'�addr�demangle�sym�resZname_resrrr�resolveEs

zSymbolCache.resolvecCs>t|�}t|�}tj�}tj|j||tj|��dkr8dS|jS)Nrr���)rr#�c_ulonglongrZbcc_symcache_resolve_namer&r*r.)r'r+r/r0rrr�resolve_namebszSymbolCache.resolve_nameN)�__name__�
__module__�__qualname__r)r4r7rrrrr"@sr"c@s$eZdZdZdZdZdZdZdZdS)�PerfTyperrr�r�N)	r8r9r:ZHARDWAREZSOFTWARE�
TRACEPOINTZHW_CACHE�RAWZ
BREAKPOINTrrrrr;ksr;c@s4eZdZdZdZdZdZdZdZdZ	dZ
d	Zd
ZdS)�PerfHWConfigrrrr<rr=��r�	N)
r8r9r:Z
CPU_CYCLESZINSTRUCTIONSZCACHE_REFERENCESZCACHE_MISSESZBRANCH_INSTRUCTIONSZ
BRANCH_MISSESZ
BUS_CYCLESZSTALLED_CYCLES_FRONTENDZSTALLED_CYCLES_BACKENDZREF_CPU_CYCLESrrrrr@tsr@c@s8eZdZdZdZdZdZdZdZdZ	dZ
d	Zd
ZdZ
dS)
�PerfSWConfigrrrr<rr=rArBrrC�
N)r8r9r:Z	CPU_CLOCKZ
TASK_CLOCKZPAGE_FAULTSZCONTEXT_SWITCHESZCPU_MIGRATIONSZPAGE_FAULTS_MINZPAGE_FAULTS_MAJZALIGNMENT_FAULTSZEMULATION_FAULTSZDUMMYZ
BPF_OUTPUTrrrrrD�srDc@speZdZdZdZdZdZdZd Zd!Z	d"Z
d#Zd$Zd%Z
d&Zd'Zd(Zd)Zd*Zd+Zd,Zd-Zd.Zd/Zd0Zd1Zd2Zd3ZdS)4�PerfEventSampleFormatrrrr<rr=rArBrrCrE���
��r ��������Nrrrrr r!�@��iiiii i@i�iiiiii i@i�i)r8r9r:ZIPZTIDZTIMEZADDRZREADZ	CALLCHAINZIDZCPUZPERIODZ	STREAM_IDr?ZBRANCH_STACKZ	REGS_USERZ
STACK_USERZWEIGHTZDATA_SRCZ
IDENTIFIERZTRANSACTIONZ	REGS_INTRZ	PHYS_ADDRZAUXZCGROUPZDATA_PAGE_SIZEZCODE_PAGE_SIZEZ
WEIGHT_STRUCTrrrrrF�s2rFc@s`eZdZdZdZdZdZdZdZdZ	dZ
d	Zd
ZdZ
dZd
ZdZdZdZdZdZdZdZdZdS)�BPFProgTyperrr<rr=rArBrrCrErGrHrIrJrKr rLrM���N)r8r9r:�
SOCKET_FILTER�KPROBE�	SCHED_CLS�	SCHED_ACTr>�XDP�
PERF_EVENT�
CGROUP_SKB�CGROUP_SOCK�LWT_IN�LWT_OUT�LWT_XMIT�SOCK_OPS�SK_SKB�
CGROUP_DEVICE�SK_MSG�RAW_TRACEPOINT�CGROUP_SOCK_ADDRZCGROUP_SOCKOPT�TRACING�LSMrrrrrW�s*rWc@s�eZdZdZdZdZdZdZdZdZ	dZ
d	Zd
ZdZ
dZd
ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!Z#d"Z$d#Z%d$Z&d%Z'd&Z(d'Z)d(S))�
BPFAttachTyperrrr<rr=rArBrrCrErGrHrIrJrKr rLrMrNrOrPrQrRrSrXrY��rZ��r!�!�"�#�$�%�&N)*r8r9r:ZCGROUP_INET_INGRESSZCGROUP_INET_EGRESSZCGROUP_INET_SOCK_CREATEZCGROUP_SOCK_OPSZSK_SKB_STREAM_PARSERZSK_SKB_STREAM_VERDICTrhZSK_MSG_VERDICTZCGROUP_INET4_BINDZCGROUP_INET6_BINDZCGROUP_INET4_CONNECTZCGROUP_INET6_CONNECTZCGROUP_INET4_POST_BINDZCGROUP_INET6_POST_BINDZCGROUP_UDP4_SENDMSGZCGROUP_UDP6_SENDMSGZ
LIRC_MODE2ZFLOW_DISSECTORZ
CGROUP_SYSCTLZCGROUP_UDP4_RECVMSGZCGROUP_UDP6_RECVMSGZCGROUP_GETSOCKOPTZCGROUP_SETSOCKOPTZTRACE_RAW_TPZTRACE_FENTRYZTRACE_FEXITZ
MODIFY_RETURNZLSM_MACZ
TRACE_ITERZCGROUP_INET4_GETPEERNAMEZCGROUP_INET6_GETPEERNAMEZCGROUP_INET4_GETSOCKNAMEZCGROUP_INET6_GETSOCKNAMEZ
XDP_DEVMAPZCGROUP_INET_SOCK_RELEASEZ
XDP_CPUMAPZ	SK_LOOKUPr_ZSK_SKB_VERDICTrrrrrn�sNrnc@s eZdZdZdZdZdZdZdS)�	XDPActionrrrr<rN)r8r9r:�XDP_ABORTED�XDP_DROP�XDP_PASS�XDP_TX�XDP_REDIRECTrrrrry�s
ryc@s eZdZdZdZd	Zd
ZdZdS)�XDPFlagsrrrr<rNrrrrr )r8r9r:�UPDATE_IF_NOEXIST�SKB_MODE�DRV_MODE�HW_MODE�REPLACErrrrr�s
rc@s�eZdZejZejZejZejZejZej	Z	ej
Z
ejZejZej
Z
ejZejZejZejZejZejZejZejZejZejZejZejZejZejZejZejZ ej!Z"ej#Z$ej%Z&ej'Z(e)j*d�Z+iZ,e-j.�Z/dgddgddgdgdd	gd
�Z0ddd
ddddgZ1dZ2Gdd�de3j4�Z5e3j6ddd�Z7e7j8Z9e3j:e3j;e5�ge9_<e=dd��Z>e=dd��Z?e@Z@Gdd�deA�ZBeCdd��ZDeCd d!��ZEd"d"d#d$ggdd#d%f	d&d'�ZFefd(d)�ZGd�d*d+�ZHd,d-�ZId.d/�ZJd�d0d1�ZKe3jLe3jMe3jNe3jOe3jPe3jQe3j:e3jRe3jSe3jTe3jUe3jVe3jWe3jXe3jYe3jZd2e3j[d2d3�Z\eCd4d5��Z]d�d6d7�Z^d8d9�Z_d:d;�Z`d<d=�Zad>d?�Zbd@dA�ZceCd�dBdC��ZdeCdDdE��ZeeCdFdG��ZfeCdHdI��ZgdJdK�ZheCdLdM��ZidNdO�ZjdPdQ�ZkdRdS�ZldTdU�ZmdVdW�ZndXdY�ZodZd[�Zpd�d\d]�Zqd�d^d_�Zrd`da�Zsdbdc�Ztd�ddde�Zud�dfdg�ZveCd�dhdi��ZweCd�djdk��Zxe=d�dldm��ZyeCdndo��ZzeCdpdq��Z{eCdrds��Z|d�dtdu�Z}d�dvdw�Z~d�dxdy�ZeCdzd{��Z�eCd|d}��Z�eCd~d��Z�d�d�d��Z�d�d�d��Z�d�d�d��Z�d�d�d��Z�d�d�d��Z�d�d�d��Z�eCd�d���Z�eCd�d���Z�eCd�d���Z�d�d�d��Z�d�d��Z�d�d�d��Z�d�d��Z��dd�d��Z��dd�d��Z�eCd�d���Z�eCd�d���Z�eCd�d���Z�d�d��Z��dd�d��Z��d	d�d��Z�d�d��Z��dd�d��Z��d
d�d��Z�d�d��Z��dd�d��Z��dd�d��Z��dd�d��Z��dd�d��Z�eCd�d���Z�eC�dd�d���Z�eC�dd�d���Z�eCd�d���Z�d�dÄZ�d�dńZ�d�dǄZ��dd�dɄZ�d�d˄Z��dd�d̈́Z��dd�dτZ��dd�dфZ�d�dӄZ�d�dՄZ�eCd�dׄ�Z�d�dلZ�d�dۄZ�d�d݄Z�d�d߄Z�d�d�Z�d#S(�BPFs
[^a-zA-Z0-9_]ZtimeZfs�fileZbioZrequestZallocZsk_buffZ
net_device)zlinux/time.hz
linux/fs.hzlinux/blkdev.hzlinux/slab.hzlinux/netdevice.hssys_s
__x64_sys_s__x32_compat_sys_s__ia32_compat_sys_s__arm64_sys_s__s390x_sys_s__s390_sys_rc@s eZdZdejfdejfgZdS)zBPF.timespec�tv_sec�tv_nsecN)r8r9r:r#�c_long�_fields_rrrr�timespec@sr�z
librt.so.1T)Z	use_errnocCsH|j�}|j|jtj|��dkr8tj�}t|tj|���|j	d|j
S)z�monotonic_time()
        Returns the system monotonic time from clock_gettime, using the
        CLOCK_MONOTONIC constant. The time returned is in nanoseconds.
        rge��A)r��_clock_gettime�CLOCK_MONOTONICr#r*�	get_errno�OSError�os�strerrorr�r�)�cls�t�errnorrr�monotonic_timeGs
zBPF.monotonic_timecCsXd}xN|jj�D]@\}}x6|D].}x(|D] }||kr(||kr(|d|7}q(WqWqW|S)a1
        Generates #include statements automatically based on a set of
        recognized types such as sk_buff and bio. The input is all the words
        that appear in the BPF program, and the output is a (possibly empty)
        string of #include statements, such as "#include <linux/fs.h>".
        �z#include <%s>
)�_auto_includes�items)r�Z
program_wordsZheaders�header�keywords�keywordZwordrrr�generate_auto_includesSs

zBPF.generate_auto_includesc@seZdZdd�ZdS)zBPF.FunctioncCs||_||_||_dS)N)�bpfr/�fd)r'r�r/r�rrrr)gszBPF.Function.__init__N)r8r9r:r)rrrr�Functionfsr�cCsb|r^tjj|�s^ttjd�}djtjjtjj|j	���|g�}tjj|�rR|}nt
d|��|S)z1 If filename is invalid, search in ./ of argv[0] r�/zCould not find file %s)r��path�isfiler�sys�argv�join�abspath�dirname�	__bytes__�	Exception)�filenameZargv0r�rrr�
_find_filels"zBPF._find_filecCsrdd�}tjj|�\}}|r*||�rn|SnDxBtjdjtj�D],}|jd�}tjj|j�|�}||�r>|Sq>WdS)a�
        find_exe(bin_path)

        Traverses the PATH environment variable, looking for the first
        directory that contains an executable file named bin_path, and
        returns the full path to that file, or None if no such file
        can be found. This is meant to replace invocations of the
        "which" shell utility, which doesn't have portable semantics
        for skipping aliases.
        cSstjj|�otj|tj�S)N)r�r�r��access�X_OK)�fpathrrr�is_exe�szBPF.find_exe.<locals>.is_exe�PATH�"N)r�r��split�environ�pathsep�stripr��encode)Zbin_pathr�r�Zfnamer�Zexe_filerrr�find_exeys

zBPF.find_exe�NrFc
Cs�t|�}t|�}t|�}|o|s&t�i|_i|_i|_i|_i|_i|_i|_i|_	i|_
d|_d|_t
j|j�||_i|_i|_d|_tjt|��}
x$t|�D]\}}tt|��|
|<q�W|r�tj|�}tj|�}|r�t|dd��}
|
j�}WdQRXtjt|��}x(t|�D]\}}tj|j��||<�qWt j!|t|��}|dk�rZt"d��||}t j#||j|
t|
�||�|_|j�s�t"d|�p�d	��x|D]}|j$||	��q�W|j%�dS)
aZCreate a new BPF module with the given source code.

        Note:
            All fields are marked as optional, but either `src_file` or `text`
            must be supplied, and not both.

        Args:
            src_file (Optional[str]): Path to a source file for the module
            hdr_file (Optional[str]): Path to a helper header file for the `src_file`
            text (Optional[str]): Contents of a source file for the module
            debug (Optional[int]): Flags used for debug prints, can be |'d together
                                   See "Debug flags" for explanation
        N�rb)�modez%can't generate USDT probe arguments; z%possible cause is missing pid when a z&probe in a shared object has multiple Z	locationszFailed to compile BPF module %sz<text>zJcan't generate USDT probe arguments; possible cause is missing pid when a zpcan't generate USDT probe arguments; possible cause is missing pid when a probe in a shared object has multiple zycan't generate USDT probe arguments; possible cause is missing pid when a probe in a shared object has multiple locations)&r�AssertionError�
kprobe_fds�
uprobe_fds�tracepoint_fds�raw_tracepoint_fds�kfunc_entry_fds�kfunc_exit_fds�lsm_fds�perf_buffers�open_perf_events�_ringbuf_manager�	tracefile�atexit�register�cleanup�debug�funcs�tablesr+r#r-�len�	enumerate�bytesrr�r��open�read�c_void_pZget_contextrZbcc_usdt_genargsr�Zbpf_module_create_c_from_stringZattach_uprobes�_trace_autoload)r'Zsrc_fileZhdr_file�textr�ZcflagsZ
usdt_contextsZallow_rlimit�deviceZattach_usdt_ignore_pidZcflags_array�i�sr�Z	ctx_array�usdtZ	usdt_textZusdt_contextrrrr)�s^




zBPF.__init__cCsDg}x:tdtj|j��D]$}tj|j|�}|j|j||��qW|S)z�load_funcs(prog_type=KPROBE)

        Load all functions in this BPF module with the given type.
        Returns a list of the function handles.r)�ranger�bpf_num_functionsr+�bpf_function_name�append�	load_func)r'�	prog_type�fnsr��	func_namerrr�
load_funcs�s
zBPF.load_funcsc	
Cst|�}||jkr|j|Stj|j|�s6td|��d}|jt@rJd}n|jt@rXd}tj	|j||tj|j|�tj
|j|�tj|j�tj|j�|dd||�}|dkr�t
j|j�tj�tjkr�td��tjtj��}td||f��tj|||�}||j|<|S)NzUnknown program %srrrz!Need super-user privileges to runz!Failed to load BPF program %s: %s)rr�r�bpf_function_startr+r�r��DEBUG_BPF_REGISTER_STATE�	DEBUG_BPFZ
bcc_func_load�bpf_function_sizeZbpf_module_licenseZbpf_module_kern_versionr�r��	donothingr#r�r��EPERMr�r�r�r�)	r'r�r�r��attach_typeZ	log_levelr��errstr�fnrrrr��s4






z
BPF.load_funccCsJt|�}tj|j|�s"td|��tj|j|�}tj|j|�}tj||�S)zR
        Return the eBPF bytecodes for the specified function as a string
        zUnknown program %s)rrr�r+r�r�r#Z	string_at)r'r��start�sizerrr�	dump_funcsz
BPF.dump_funccCs|j|�}t||�S)N)r�r)r'r�Zbpfstrrrr�disassemble_funcs
zBPF.disassemble_funccCs(||}tj|j|j�}t||||d�S)N)�sizeinfo)r�bpf_table_type_idr+�map_idr)r'Z
table_namer�Z	table_objZ
table_typerrr�decode_table#szBPF.decode_tabler)Z_Bool�charZwchar_tz
unsigned charZshortzunsigned short�intzunsigned intZlongz
unsigned longz	long longzunsigned long long�floatZdoublezlong doubleZ__int128zunsigned __int128cCst|t�rtj|Sg}g}�xN|dD�]@}t|�dkrX|j|dtj|d�f�q(t|�dk�rZt|dt�r�|j|dtj|d�|ddf�n�t|dt�r�|j|dtj|d�|df�n�t|dt��rH|ddk�s
|ddk�s
|ddk�rH|d}|dk�r2d	t|�}|j|�|j|tj|�f�nt	d
t
|���q(t	d
t
|���q(Wtj}d}t|�dk�r�|ddk�r�tj
}n.|ddk�r�tj}n|ddk�r�tj}d}|�r�tt
|d�|ft|d|d
��}ntt
|d�|ft||d��}|S)Nrrrr<�union�structZ
struct_packedr�z__anon%dzFailed to decode type %sFT)�_anonymous_Z_pack_r�)r�r�)�
isinstance�
basestringr��	str2ctyper�r��_decode_table_type�listr�r��strr#�	StructureZUnion�type�dict)ZdescZanon�fieldsr�r/�baseZ	is_packedr�rrrr�;sL

*$


zBPF._decode_table_typec
	Cs�t|�}tj|j|�}tj|j|�}tj|j|�ttgk}|dkrFt�|r�|r�tj	|j|�j
d�}|svtd|��tj
tj|��}|s�tj|j|�j
d�}	|	s�td|��tj
tj|	��}t|||||||d�S)Nrzutf-8z$Failed to load BPF Table %s key descz%Failed to load BPF Table %s leaf desc)�reducer)rrZbpf_table_idr+Zbpf_table_fdr�rr
�KeyErrorZbpf_table_key_desc�decoder�r�r��json�loadsZbpf_table_leaf_descr	)
r'r/ZkeytypeZleaftyperr��map_fdZ
is_queuestackZkey_descZ	leaf_descrrr�	get_tablegs"z
BPF.get_tablecCs$||jkr|j|�|j|<|j|S)N)r�r
)r'�keyrrr�__getitem__zs
zBPF.__getitem__cCs||j|<dS)N)r�)r'rZleafrrr�__setitem__szBPF.__setitem__cCs
t|j�S)N)r�r�)r'rrr�__len__�szBPF.__len__cCs|j|=dS)N)r�)r'rrrr�__delitem__�szBPF.__delitem__cCs
|jj�S)N)r��__iter__)r'rrrr�szBPF.__iter__cCsJt|tj�std��tj|j|||�}|dkrFtdj|tj	|����dS)Nz"arg 1 must be of type BPF.Functionrz7Failed to attach BPF function with attach_type {0}: {1})
r�r�r�r�rZbpf_prog_attachr��formatr�r�)r��
attachable_fdr��flagsr3rrr�attach_func�szBPF.attach_funccCsHt|tj�std��tj|j||�}|dkrDtdj|tj	|����dS)Nz"arg 1 must be of type BPF.Functionrz7Failed to detach BPF function with attach_type {0}: {1})
r�r�r�r�rZbpf_prog_detach2r�rr�r�)r�rr�r3rrr�detach_func�szBPF.detach_funccCs�t|�}t|tj�std��tj|�}|dkrLtjt	j
��}td||f��tj||j�}|dkr�tjt	j
��}td||f��||_
dS)Nz"arg 1 must be of type BPF.Functionrz Failed to open raw device %s: %sz%Failed to attach BPF to device %s: %s)rr�r�r�r�rZbpf_open_raw_sockr�r�r#r�Zbpf_attach_socketr��sock)r��devrr�r3rrr�attach_raw_socket�s
zBPF.attach_raw_socketcCs�dt}y,t|d��}tdd�|D��}WdQRXWn:tk
rn}z|jtjkrV|�tg�}WYdd}~XnXg}d}d}tdd���}�x|D�]}	|	j�j�dd�\}
}|dkr�|d	kr�d}q�n|dkr�|d
kr�d}q�|dk�r
|dkr�d}q�n|d
k�r"d}q�n|dk�r"|d
kr�d}q�|jd��r2q�n:|jd�s�|jd��rLq�n |jd��r\q�nt	j
d|��rlq�|
j�dkr�t	j||�r�||kr�|j
|�q�WWdQRXt|�S)Nz%s/../kprobes/blacklistr�cSsg|]}|j�j�d�qS)r)�rstripr�)�.0�linerrr�
<listcomp>�sz,BPF.get_kprobe_functions.<locals>.<listcomp>rz/proc/kallsymsrr<s__init_begins
__init_endrs__irqentry_text_starts__irqentry_text_ends
_kbl_addr_s__perfsperf_s__SCT__s^.*\.cold(\.\d+)?$�t�w)rr)�TRACEFSr��set�IOErrorr�r�rr��
startswith�re�match�lower�	fullmatchr�)�event_reZblacklist_fileZblacklist_fZ	blacklist�er�Zin_init_sectionZin_irq_sectionZ
avail_filerr�r�rrr�get_kprobe_functions�sZ 


zBPF.get_kprobe_functionscCst|tj�krtd��dS)Nz/Number of open probes would exceed global quota)rr��get_probe_limitr�)r'Znum_new_probesrrr�_check_probe_quota�szBPF._check_probe_quotacCs(tjjd�}|r |j�r t|�StSdS)NZBCC_PROBE_LIMIT)r�r��get�isdigitr��_default_probe_limit)Zenv_probe_limitrrrr*�szBPF.get_probe_limitcCs.||jkri|j|<||j||<td7adS)Nr)r�r)r'�ev_name�fn_namer�rrr�_add_kprobe_fd�s

zBPF._add_kprobe_fdcCs|j||=td8adS)Nr)r�r)r'r/r0rrr�_del_kprobe_fdszBPF._del_kprobe_fdcCs||j|<td7adS)Nr)r�r)r'r/r�rrr�_add_uprobe_fd
s
zBPF._add_uprobe_fdcCs|j|=td8adS)Nr)r�r)r'r/rrr�_del_uprobe_fdszBPF._del_uprobe_fdcCs0x$|jD]}|jd|�dkr|SqW|jdS)Ns%sbpfrrr5)�_syscall_prefixes�ksymname)r'�prefixrrr�get_syscall_prefixszBPF.get_syscall_prefixcCst|�}|j�|S)N)rr8)r'r/rrr�get_syscall_fnname szBPF.get_syscall_fnnamecCs<t|�}x.|jD]$}|j|�r|j|t|�d��SqW|S)N)rr5r"r9r�)r'r/r7rrr�fix_syscall_fnname's

zBPF.fix_syscall_fnnamecCst|�}t|�}t|�}|r�tj|�}|jt|��d}g}x>|D]6}y|j||d�WqB|d7}|j|�YqBXqBW|t|�kr�td|dj|�f��dS|jd�|j	|tj
�}	d|jdd�jd	d�}
tj
|	jd|
||d�}|dk�rtd||f��|j|
||�|S)
Nr)�eventr0rzwFailed to attach BPF program %s to kprobe %s, it's not traceable (either non-existing, inlined, or marked as "notrace")�/sp_�+�_�.)rr�r)r+r��
attach_kprober�r�r�r�r\�replacer�bpf_attach_kprober�r1)r'r;Z	event_offr0r'�matches�failed�probesrr�r/r�rrrr@.s6



zBPF.attach_kprobecCst|�}t|�}t|�}|r�tj|�}d}g}x@|D]8}y|j|||d�Wq4|d7}|j|�Yq4Xq4W|t|�kr�td|dj|�f��dS|jd�|j	|tj
�}	d|jdd�jd	d�}
tj
|	jd|
|d|�}|dkr�td||f��|j|
||�|S)
Nr)r;r0�	maxactiverzzFailed to attach BPF program %s to kretprobe %s, it's not traceable (either non-existing, inlined, or marked as "notrace")r<sr_r=r>r?)rr�r)�attach_kretprober�r�r�r�r+r�r\rArrBr�r1)r'r;r0r'rFrCrDrErr�r/r�rrrrGPs6


zBPF.attach_kretprobecCs8t|�}t|j|j��}x|D]}|j||�q WdS)N)rr�r��keys�detach_kprobe_event_by_fn)r'r/Zfn_namesr0rrr�detach_kprobe_eventrs
zBPF.detach_kprobe_eventcCs�t|�}t|�}||jkr&td|��tj|j||�}|dkrJtd��|j||�t|j|�dkr�tj|�}|dkr�td��dS)NzKprobe %s is not attachedrzFailed to close kprobe FDz Failed to detach BPF from kprobe)rr�r�r�bpf_close_perf_event_fdr2r�Zbpf_detach_kprobe)r'r/r0r3rrrrIxs

zBPF.detach_kprobe_event_by_fncCsHt|�}d|jdd�jdd�}|r:t|�}|j||�n
|j|�dS)Nsp_r=r>r?)rrArIrJ)r'r;r0r/rrr�
detach_kprobe�szBPF.detach_kprobecCsHt|�}d|jdd�jdd�}|r:t|�}|j||�n
|j|�dS)Nsr_r=r>r?)rrArIrJ)r'r;r0r/rrr�detach_kretprobe�szBPF.detach_kretprobecCsnt|�}t|tj�std��tj||j|�}|dkrjtj	�}|t
jkrPtd��ntj
|�}td||f��dS)zt
            This function attaches a BPF function to a device on the device
            driver level (XDP)
        z"arg 1 must be of type BPF.Functionrz-Internal error while attaching BPF to device,z  try increasing the debug level!z%Failed to attach BPF to device %s: %sNzMInternal error while attaching BPF to device, try increasing the debug level!)rr�r�r�r�r�bpf_attach_xdpr�r#r�r�ZEBADMSGr�r�)rr�rr3Zerr_nor�rrr�
attach_xdp�s

zBPF.attach_xdpcCs@t|�}tj|d|�}|dkr<tjtj��}td||f��dS)zw
            This function removes any BPF function from a device on the
            device driver level (XDP)
        rrz'Failed to detach BPF from device %s: %sNr5)rrrNr�r�r#r�r�)rrr3r�rrr�
remove_xdp�szBPF.remove_xdpc
	Cs�t|�}t|�}t�}|dkr"dn|}tj|||p4d|tjdtjt��tj|��dkrnt	d|j
�|j
�f��|j|}tj|jtj
�j}	tj|j�|	|fS)Nrrz.could not determine address of symbol %s in %sr5)rrrZbcc_resolve_symnamer#r$r%rr*r�rr,r+r-r.�bcc_procutils_free)
r�r+Zsymnamer0r(�sym_offr2Zc_pidZnew_addrZmodule_pathrrr�_check_path_symbol�s 

zBPF._check_path_symbolcCs:t|�}tj|d�}|sdStj|tj�j}tj|�|S)Nr)rrZbcc_procutils_which_sor#r$r-r.rQ)Zlibnamer3Zlibpathrrr�find_library�s
zBPF.find_librarycCs�g}tjjtd�}x�tj|�D]t}tjj||�}tjj|�s>qxRtj|�D]D}tjj||�}tjj|�rJd||f}tj|j�|�rJ|j	|�qJWqW|S)N�eventsz%s:%s)
r�r�r�r�listdir�isdirr#r$rr�)�tp_re�resultsZ
events_dir�categoryZcat_dirr;�evt_dir�tprrr�get_tracepoints�szBPF.get_tracepointscCstjjtd||�}tjj|�S)NrU)r�r�r�rrW)rZr;r[rrr�tracepoint_exists�szBPF.tracepoint_existscCs�t|�}t|�}t|�}|rBx tj|�D]}|j||d�q(WdS|j|tj�}|jd�\}}tj|j	||�}|dkr�t
d||f��||j|<|S)a�attach_tracepoint(tp="", tp_re="", fn_name="")

        Run the bpf function denoted by fn_name every time the kernel tracepoint
        specified by 'tp' is hit. The optional parameters pid, cpu, and group_fd
        can be used to filter the probe. The tracepoint specification is simply
        the tracepoint category and the tracepoint name, separated by a colon.
        For example: sched:sched_switch, syscalls:sys_enter_bind, etc.

        Instead of a tracepoint name, a regular expression can be provided in
        tp_re. The program will then attach to tracepoints that match the
        provided regular expression.

        To obtain a list of kernel tracepoints, use the tplist tool or cat the
        file /sys/kernel/debug/tracing/available_events.

        Examples:
            BPF(text).attach_tracepoint(tp="sched:sched_switch", fn_name="on_switch")
            BPF(text).attach_tracepoint(tp_re="sched:.*", fn_name="on_switch")
        )r\r0N�:rz0Failed to attach BPF program %s to tracepoint %s)rr�r]�attach_tracepointr�r>r�rZbpf_attach_tracepointr�r�r�)r'r\rXr0r��tp_category�tp_namer�rrrr`�s
zBPF.attach_tracepointcCs`t|�}||jkrtd|��t|�}|j|tj�}tj|j|�}|dkrRtd��||j|<|S)a�attach_raw_tracepoint(self, tp=b"", fn_name=b"")

        Run the bpf function denoted by fn_name every time the kernel tracepoint
        specified by 'tp' is hit. The bpf function should be loaded as a
        RAW_TRACEPOINT type. The fn_name is the kernel tracepoint name,
        e.g., sched_switch, sys_enter_bind, etc.

        Examples:
            BPF(text).attach_raw_tracepoint(tp="sched_switch", fn_name="on_switch")
        z#Raw tracepoint %s has been attachedrz&Failed to attach BPF to raw tracepoint)	rr�r�r�r�rjrZbpf_attach_raw_tracepointr�)r'r\r0r�r�rrr�attach_raw_tracepoints

zBPF.attach_raw_tracepointcCs:t|�}||jkrtd|��tj|j|�|j|=dS)z�detach_raw_tracepoint(tp="")

        Stop running the bpf function that is attached to the kernel tracepoint
        specified by 'tp'.

        Example: bpf.detach_raw_tracepoint("sched_switch")
        z!Raw tracepoint %s is not attachedN)rr�r�r��close)r'r\rrr�detach_raw_tracepoint)s
	
zBPF.detach_raw_tracepointcCs|j|�s||}|S)N)r")r7r/rrr�
add_prefix8s
zBPF.add_prefixcCs2tj�dkrdStj�sdStjd�dkr.dSdS)NZx86_64FZbpf_trampoline_link_progrTr5)�platform�machiner�bpf_has_kernel_btfr�r6rrrr�
support_kfunc>szBPF.support_kfunccCs"tj�sdStjd�dkrdSdS)NFsbpf_lsm_bpfrTr5)rrir�r6rrrr�support_lsmJs
zBPF.support_lsmcCsFt|�}tjd|�}||jkr*td|��tj|j|�|j|=dS)Nskfunc__z$Kernel entry func %s is not attached)rr�rfr�r�r�rd)r'r0rrr�detach_kfuncSs
zBPF.detach_kfunccCsFt|�}tjd|�}||jkr*td|��tj|j|�|j|=dS)Ns
kretfunc__z#Kernel exit func %s is not attached)rr�rfr�r�r�rd)r'r0rrr�detach_kretfunc\s
zBPF.detach_kretfunccCsbt|�}tjd|�}||jkr*td|��|j|tj�}tj|j	�}|dkrTtd��||j|<|S)Nskfunc__z&Kernel entry func %s has been attachedrz)Failed to attach BPF to entry kernel func)
rr�rfr�r�r�rlr�bpf_attach_kfuncr�)r'r0r�r�rrr�attach_kfunces

zBPF.attach_kfunccCsbt|�}tjd|�}||jkr*td|��|j|tj�}tj|j	�}|dkrTtd��||j|<|S)Ns
kretfunc__z%Kernel exit func %s has been attachedrz(Failed to attach BPF to exit kernel func)
rr�rfr�r�r�rlrrnr�)r'r0r�r�rrr�attach_kretfuncss

zBPF.attach_kretfunccCsFt|�}tjd|�}||jkr*td|��tj|j|�|j|=dS)Nslsm__zLSM %s is not attached)rr�rfr�r�r�rd)r'r0rrr�
detach_lsm�s
zBPF.detach_lsmcCsbt|�}tjd|�}||jkr*td|��|j|tj�}tj|j	�}|dkrTtd��||j|<|S)Nslsm__zLSM %s has been attachedrzFailed to attach LSM)
rr�rfr�r�r�rmrZbpf_attach_lsmr�)r'r0r�r�rrr�
attach_lsm�s

zBPF.attach_lsmcCs$tjd�dkstjd�dkr dSdS)NZbpf_find_raw_tracepointrZbpf_get_raw_tracepointTFr5r5)r�r6rrrr�support_raw_tracepoint�szBPF.support_raw_tracepointcCsZd}t|��D}x<|D]4}|j�jdd�\}}}|jd�d}|dkrdSqWdSQRXdS)	Nz/proc/kallsyms� r�	rZbpf_trace_modulesTF)r�rr�)ZkallsymsZsymsr�_r/rrr� support_raw_tracepoint_in_module�s

z$BPF.support_raw_tracepoint_in_modulecCst|�}t|�}tj||�S)N)rr�kernel_struct_has_field)Zstruct_nameZ
field_namerrrrx�szBPF.kernel_struct_has_fieldcCstt|�}||jkrtd|��tj|j|�}|dkr>td��|jd�\}}tj||�}|dkrhtd��|j|=dS)z�detach_tracepoint(tp="")

        Stop running a bpf function that is attached to the kernel tracepoint
        specified by 'tp'.

        Example: bpf.detach_tracepoint("sched:sched_switch")
        zTracepoint %s is not attachedrz$Failed to detach BPF from tracepointr_N)rr�r�rrKr�Zbpf_detach_tracepoint)r'r\r3rarbrrr�detach_tracepoint�s	
zBPF.detach_tracepointc	
	Cs,tj||||||||�}	|	dkr(td��|	S)Nrz"Failed to attach BPF to perf event)rZbpf_attach_perf_eventr�)
r'�progfd�ev_type�	ev_config�
sample_period�sample_freqr(�cpu�group_fdr3rrr�_attach_perf_event�s

zBPF._attach_perf_eventc	
Cs�t|�}|j|tj�}	i}
|dkrB|j|	j|||||||�|
|<n.x,t�D]"}|j|	j|||||||�|
|<qJW|
|j||f<dS)Nr)rr�r�r`r�r�rr�)r'r{r|r0r}r~r(rr�r�r3r�rrr�attach_perf_event�szBPF.attach_perf_eventcCs.tj|tj|�|||d�}|dkr*td��|S)Nrz&Failed to attach BPF to perf raw event)rZbpf_attach_perf_event_rawr#r*r�)r'rz�attrr(rr�r3rrr�_attach_perf_event_raw�s

zBPF._attach_perf_event_rawc	Cszt|�}|j|tj�}i}|dkr<|j|j||||�||<n(x&t�D]}|j|j||||�||<qDW||j|j|j	f<dS)Nr)
rr�r�r`r�r�rr�r�config)	r'r�r0r(rr�r�r3r�rrr�attach_perf_event_raw�s

zBPF.attach_perf_event_rawcCs|y|j||f}Wn$tk
r6tdj||���YnXd}x|j�D]}tj|�pV|}qFW|dkrltd��|j||f=dS)Nz)Perf event type {} config {} not attachedrz$Failed to detach BPF from perf event)r�rr�r�valuesrrK)r'r{r|Zfdsr3r�rrr�detach_perf_event�szBPF.detach_perf_eventcCstdd�tj||�D��S)NcSsg|]\}}|�qSrr)rr/rvrrrrsz*BPF.get_user_functions.<locals>.<listcomp>)r r�� get_user_functions_and_addresses)r/�sym_rerrr�get_user_functions�szBPF.get_user_functionscCstdd�tj||�D��S)a�
        We are returning addresses here instead of symbol names because it
        turns out that the same name may appear multiple times with different
        addresses, and the same address may appear multiple times with the same
        name. We can't attach a uprobe to the same address more than once, so
        it makes sense to return the unique set of addresses that are mapped to
        a symbol that matches the provided regular expression.
        cSsg|]\}}|�qSrr)rrvZaddressrrrrsz*BPF.get_user_addresses.<locals>.<listcomp>)r r�r�)r/r�rrr�get_user_addressess
zBPF.get_user_addressescsNt|�}t���g���fdd�}tj|t|��}|dkrJtd||f���S)Ncs"|}tj�|�r�j||f�dS)Nr)r#r$r�)Zsym_namer0Zdname)�	addressesr�rr�sym_cbsz4BPF.get_user_functions_and_addresses.<locals>.sym_cbrz"Error %d enumerating symbols in %s)rrZbcc_foreach_function_symbolrr�)r/r�r�r3r)r�r�rr�sz$BPF.get_user_functions_and_addressescCs>|dkr d||jjd|�|fSd||jjd|�||fSdS)Nrs
%s_%s_0x%xr>s
%s_%s_0x%x_%dr5)�_probe_repl�sub)r'r7r�r0r(rrr�_get_uprobe_evname!szBPF._get_uprobe_evnamecCs�|dkst�|dk	r$|dks$td��t|�}t|�}t|�}t|�}|r�tj||�}|jt|��x|D]}	|j||	||d�qhWdStj|||||�\}
}|jd�|j|tj	�}|j
d|
||�}tj|j
d||
||�}
|
dkr�td��|j||
�|S)a�attach_uprobe(name="", sym="", sym_re="", addr=None, fn_name=""
                         pid=-1, sym_off=0)

        Run the bpf function denoted by fn_name every time the symbol sym in
        the library or binary 'name' is encountered. Optional parameters pid,
        cpu, and group_fd can be used to filter the probe.

        If sym_off is given, attach uprobe to offset within the symbol.

        The real address addr may be supplied in place of sym, in which case sym
        must be set to its default value. If the file is a non-PIE executable,
        addr must be a virtual address, otherwise it must be an offset relative
        to the file load address.

        Instead of a symbol name, a regular expression can be provided in
        sym_re. The uprobe will then attach to symbols that match the provided
        regular expression.

        Libraries can be given in the name argument without the lib prefix, or
        with the full path (/usr/lib/...). Binaries can be given only with the
        full path (/bin/sh). If a PID is given, the uprobe will attach to the
        version of the library used by the process.

        Example: BPF(text).attach_uprobe("c", "malloc")
                 BPF(text).attach_uprobe("/usr/bin/python", "main")
        rNz!offset with addr is not supported)r/r0r0r(r�pzFailed to attach BPF to uprobe)r�rr�r�r+r��
attach_uproberSr�r\r�r�bpf_attach_uprober�r�r3)r'r/r2r�r0r0r(rRr��sym_addrr�r�r/r�rrrr�)s.

zBPF.attach_uprobecCs�t|�}t|�}t|�}t|�}|rPx&tj||�D]}|j||||d�q2WdStj||||�\}}|jd�|j|tj�}	|jd|||�}
t	j
|	jd|
|||�}|dkr�td��|j
|
|�|S)a6attach_uretprobe(name="", sym="", sym_re="", addr=None, fn_name=""
                            pid=-1)

        Run the bpf function denoted by fn_name every time the symbol sym in
        the library or binary 'name' finishes execution. See attach_uprobe for
        meaning of additional parameters.
        )r/r0r0r(Nr�rrz!Failed to attach BPF to uretprobe)rr�r��attach_uretproberSr+r�r\r�rr�r�r�r3)r'r/r2r�r0r0r(r�r�r�r/r�rrrr�bs$

zBPF.attach_uretprobecCs^||jkrtd|��tj|j|�}|dkr6td��tj|�}|dkrPtd��|j|�dS)NzUprobe %s is not attachedrz Failed to detach BPF from uprobe)r�r�rrKZbpf_detach_uprober4)r'r/r3rrr�detach_uprobe_event�s

zBPF.detach_uprobe_eventcCsDt|�}t|�}tj|||||�\}}|jd|||�}|j|�dS)z�detach_uprobe(name="", sym="", addr=None, pid=-1)

        Stop running a bpf function that is attached to symbol 'sym' in library
        or binary 'name'.
        r�N)rr�rSr�r�)r'r/r2r0r(rRr�r/rrr�
detach_uprobe�s
zBPF.detach_uprobecCsBt|�}t|�}tj||||�\}}|jd|||�}|j|�dS)z�detach_uretprobe(name="", sym="", addr=None, pid=-1)

        Stop running a bpf function that is attached to symbol 'sym' in library
        or binary 'name'.
        r�N)rr�rSr�r�)r'r/r2r0r(r�r/rrr�detach_uretprobe�s
zBPF.detach_uretprobecCsn�xftdtj|j��D�]N}tj|j|�}|jd�rb|j|tj�}|j	|j
|dd��|jd�q|jd�r�|j|tj�}|j|j
|dd��|jd�q|jd�r�|j|tj
�}|jtd�d�jdd	�}|j||jd
�q|jd��r|j|tj�}|jtd�d�}|j||jd
�q|jd��r6|j|d
�q|jd��rP|j|d
�q|jd�r|j|d
�qWdS)Nrskprobe__r)r;r0skretprobe__rGstracepoint__s__r_)r\r0sraw_tracepoint__skfunc__)r0s
kretfunc__slsm__)r�rr�r+r�r"r�r�r\r@r:r/rGr>r�rAr`rjrcrorprr)r'r�r�r�r\rrrr��s4



zBPF._trace_autoloadcCsN|jsHtdtd�|_|rH|jj�}tj|tj�}tj|tj|tjB�|jS)zWtrace_open(nonblocking=False)

        Open the trace_pipe if not already open
        z
%s/trace_piper�)	r�r�r�fileno�fcntlZF_GETFLZF_SETFLr��
O_NONBLOCK)r'�nonblockingr�Zflrrr�
trace_open�s
zBPF.trace_openc Cs�x|j|�}|r|rd
S|jd�r(q|dd�j�}|dd�}|jd�}y|d|�j�\}}}}Wn$tk
r�}	zwWYdd}	~	XnX|dd�}||dd�}|jd�}
||
dd�}y|t|�t|�|t|�|fStk
�r}	zdSd}	~	XqXqWdS)z�trace_fields(nonblocking=False)

        Read from the kernel debug trace pipe and return a tuple of the
        fields (task, pid, cpu, flags, timestamp, msg) or None if no
        line was read (nonblocking=True)
        NrAsCPU:r rLr_rr�Unknownr�)N)NNNNNNr5)r�rrr�r�r�)�trace_readliner"�lstrip�findr�r�r�r�)r'r�rZtaskZts_endr(rrZtsr(Zsym_end�msgrrr�trace_fields�s*




zBPF.trace_fieldscCs:|j|�}d}y|jd�j�}Wntk
r4YnX|S)z�trace_readline(nonblocking=False)

        Read from the kernel debug trace pipe and return one line
        If nonblocking is False, this will block until ctrl-C is pressed.
        Ni)r��readlinerr!)r'r�Ztracerrrrr��s
zBPF.trace_readlinecCsJxD|r$|jdd�}|sq|j|�}n|jdd�}t|�tjj�qWdS)atrace_print(self, fmt=None)

        Read from the kernel debug trace pipe and print on stdout.
        If fmt is specified, apply as a format string to the output. See
        trace_fields for the members of the tuple
        example: trace_print(fmt="pid {1}, msg = {5}")
        F)r�N)r�rr��printr��stdout�flush)r'Zfmtrrrrr�trace_prints	zBPF.trace_printcCs6|dkr|dkrd}|tjkr,t|�tj|<tj|S)z�_sym_cache(pid)

        Returns a symbol cache for the specified PID.
        The kernel symbol cache is accessed by providing any PID less than zero.
        rrr5r5)r��_sym_cachesr")r(rrr�
_sym_caches

zBPF._sym_cachecCs6tt|��}|jd�d	kr�t�}t�}|j|_|j|_|j|j_t	j
tjt
j|�t
j|��}|dkr�|jr�|jr�d|jt
j|jt
j�j}	}
}q�d|d}	}
}q�|j|jt
j|jt
j�j}	}
}ntj|�j||�\}	}
}|r�|	dk	r�d|
nd}
|	�pd}	|	|
}	|�r*|dk	�r*dtjj|�nd}|	|S)
aysym(addr, pid, show_module=False, show_offset=False)

        Translate a memory address into a function name for a pid, which is
        returned. When show_module is True, the module name is also included.
        When show_offset is True, the instruction offset as a hexadecimal
        number is also included in the string.

        A pid of less than zero will access the kernel symbol cache.

        Example output when both show_module and show_offset are True:
            "start_thread+0x202 [libpthread-2.24.so]"

        Example output when both show_module and show_offset are False:
            "start_thread"
        Zbpf_stack_build_idrrNs+0x%xr�s	[unknown]s [%s]r5)r�rr�rrZstatusZbuild_idr,�urZbcc_buildsymcache_resolver��
_bsymcacher#r*r+r$r-r.r/r�r4r�r��basename)r0r(�show_module�show_offsetr1Z
typeofaddrr2�br3r/r,r+rrrr2$s.

$zBPF.symcCstj|d||d�S)a�ksym(addr)

        Translate a kernel memory address into a kernel function name, which is
        returned. When show_module is True, the module name ("kernel") is also
        included. When show_offset is true, the instruction offset as a
        hexadecimal number is also included in the string.

        Example output when both show_module and show_offset are True:
            "default_idle+0x0 [kernel]"
        rFr5)r�r2)r0r�r�rrr�ksymUszBPF.ksymcCstjd�jd|�S)z�ksymname(name)

        Translate a kernel name into an address. This is the reverse of
        ksym. Returns -1 when the function name is unknown.rNr5)r�r�r7)r/rrrr6cszBPF.ksymnamecCs
t|j�S)z�num_open_kprobes()

        Get the number of open K[ret]probes. Can be useful for scenarios where
        event_re is used while attaching and detaching probes.
        )r�r�)r'rrr�num_open_kprobeskszBPF.num_open_kprobescCs
t|j�S)zInum_open_uprobes()

        Get the number of open U[ret]probes.
        )r�r�)r'rrr�num_open_uprobessszBPF.num_open_uprobescCs
t|j�S)zLnum_open_tracepoints()

        Get the number of open tracepoints.
        )r�r�)r'rrr�num_open_tracepointszszBPF.num_open_tracepointscCsLtjt|j��}x"t|jj��D]\}}|||<q"Wtjt|�||�dS)z�perf_buffer_poll(self)

        Poll from all open perf ring buffers, calling the callback that was
        provided when calling open_perf_buffer for each entry.
        N)r#r�r�r�r�r�rZperf_reader_poll)r'�timeout�readersr��vrrr�perf_buffer_poll�szBPF.perf_buffer_pollcCsJtjt|j��}x"t|jj��D]\}}|||<q"Wtjt|�|�dS)z�perf_buffer_consume(self)

        Consume all open perf buffers, regardless of whether or not
        they currently contain events data. Necessary to catch 'remainder'
        events when wakeup_events > 1 is set in open_perf_buffer
        N)r#r�r�r�r�r�rZperf_reader_consume)r'r�r�r�rrr�perf_buffer_consume�szBPF.perf_buffer_consumecCs|j|�dS)zMkprobe_poll(self)

        Deprecated. Use perf_buffer_poll instead.
        N)r�)r'r�rrr�kprobe_poll�szBPF.kprobe_pollcCsL|js&tj|||�|_|jsHtd��n"tj|j|||�}|dkrHtd��dS)NzCould not open ring bufferr)r�rZbpf_new_ringbufr�Zbpf_add_ringbuf)r'r	r�Zctx�retrrr�_open_ring_buffer�s
zBPF._open_ring_buffercCs |jstd��tj|j|�dS)z�ring_buffer_poll(self)

        Poll from all open ringbuf buffers, calling the callback that was
        provided when calling open_ring_buffer for each entry.
        zNo ring buffers to pollN)r�r�rZbpf_poll_ringbuf)r'r�rrr�ring_buffer_poll�szBPF.ring_buffer_pollcCs|jstd��tj|j�dS)a/ring_buffer_consume(self)

        Consume all open ringbuf buffers, regardless of whether or not
        they currently contain events data. This is best for use cases
        where low latency is desired, but it can impact performance.
        If you are unsure, use ring_buffer_poll instead.
        zNo ring buffers to pollN)r�r�rZbpf_consume_ringbuf)r'rrr�ring_buffer_consume�szBPF.ring_buffer_consumecCstj�S)N)rZbcc_free_memory)r'rrr�free_bcc_memory�szBPF.free_bcc_memorycCsNytjtj|j��Wn2tk
rH}ztdt|��WYdd}~XnXdS)zJadd_module(modname)

        Add a library or exe to buildsym cache
      z&Error adding module to build sym cacheN)rZbcc_buildsymcache_add_moduler�r�r�r�r�r�)�modnamer(rrr�
add_module�szBPF.add_modulecCsdS)zthe do nothing exit handlerNr)r'rrrr��sz
BPF.donothingcCsLx.t|jj��D]\}}tj|j�|j|=qW|jrHtj|j�d|_dS)zvclose(self)

        Closes all associated files descriptors. Attached BPF programs are not
        detached.
        N)	r�r�r�r�rdr�r+rZbpf_module_destroy)r'r/r�rrrrd�sz	BPF.closecCs�x$t|jj��D]\}}|j|�qWx$t|jj��D]\}}|j|�q6Wx$t|jj��D]\}}|j|�q\Wx$t|jj��D]\}}|j	|�q�Wx$t|j
j��D]\}}|j|�q�Wx$t|jj��D]\}}|j
|�q�Wx$t|jj��D]\}}|j|�q�Wt|jj��}x(|D] }t|j|t��r|j|=�qWx(t|jj��D]\}}|j||��qRW|j�r�|jj�d|_|j�|j�r�tj|j�d|_dS)N)r�r�r�rJr�r�r�ryr�rer�rlr�rmr�rqr�rHr�r
r�r�r�rdr�rZbpf_free_ringbuf)r'�kr�Z
table_keysrr{r|rrrr��s6

zBPF.cleanupcCs|S)Nr)r'rrr�	__enter__sz
BPF.__enter__cCs|j�dS)N)r�)r'�exc_typeZexc_valZexc_tbrrr�__exit__szBPF.__exit__r5)Nr5)F)NNN)r)r�rr�r�)r�r�r�r)N)N)r)r)r)r�r�r�)r�r�)r�)r�)r�)r�)r�)r�)r�)r�r5r5r5r5r5)r5r5r�rrr5r5r5r5r5r5r5)r5r�r5r5r5r5r5)r5r5r5)r�r�r�Nr�r5rr5)r�r�r�Nr�r5r5)r�r�Nr5rr5)r�r�Nr5)F)F)F)N)FFT)FFr5)r5r5)r5)Nr5)r5)�r8r9r:rWr[r\r]r^r>r_r`rarbrcrdrerfrgrhrirjrkrlrmryrzr{r|r}r~rr�ZXDP_FLAGS_UPDATE_IF_NOEXISTr�ZXDP_FLAGS_SKB_MODEr�ZXDP_FLAGS_DRV_MODEr�ZXDP_FLAGS_HW_MODEr�ZXDP_FLAGS_REPLACEr#�compiler�r�rZbcc_buildsymcache_newr�r�r5r�r#r�r�ZCDLLZ_librtZ
clock_gettimer�Zc_intr%Zargtypes�classmethodr�r�r	�objectr��staticmethodr�r�r)r�r�r�r�r�Zc_boolZc_charZc_wcharZc_ubyteZc_shortZc_ushortZc_uintr�Zc_ulongZ
c_longlongr6Zc_floatZc_doubleZc_longdoubleZc_int64Zc_uint64r�r�r
rr
rrrrrrr)r+r*r1r2r3r4r8r9r:r@rGrJrIrLrMrOrPrSrTr]r^r`rcrerfrjrkrlrmrorprqrrrsrwrxryr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r2r�r6r�r�r�r�r�r�r�r�r�r�r�r�rdr�r�r�rrrrr��sb

N
 
,
	
B	
"
"
	
	

&

	
	
	


	





8

#
0



#r�)@Z
__future__rr�Zctypesr#r�rr�r#r�r�rgZlibbccrrrrr�tabler	r
rrr
ZperfrZutilsrrrrr�versionrZdisassemblerrrr�rrr��	NameErrorr�r.rrrZ
DEBUG_LLVM_IRr�ZDEBUG_PREPROCESSORZDEBUG_SOURCEr�Z	DEBUG_BTFr�r"r;r@rDrFrWrnryrr�rrrr�<module>sP
+	
*