
Feature #TASK_QT-21111 【私有发版】上传offcpu文件

rock.wu 11 kuukautta sitten
vanhempi
säilyke
1bf71aa7c7
2 muutettua tiedostoa jossa 394 lisäystä ja 12 poistoa
  1. 1 0
      ebpftracer/ebpf/ebpf.c
  2. 393 12
      ebpftracer/ebpf/sys_cpu/offcpu.c

+ 1 - 0
ebpftracer/ebpf/ebpf.c

@@ -54,6 +54,7 @@
 #include "l7/l7.c"
 //#include "l7/gotls.c"
 //#include "l7/openssl.c"
+#include "sys_cpu/offcpu.c"
 #include "utrace/go/net/server.probe.bpf.c"
 #include "utrace/go/net/client.probe.bpf.c"
 #include "utrace/go/net/stack.probe.bpf.c"

+ 393 - 12
ebpftracer/ebpf/sys_cpu/offcpu.c

@@ -1,12 +1,393 @@
-// 事件数据结构
-struct sched_switch_event {
-    __u64 timestamp;          // 事件发生时间(纳秒)
-    __u32 cpu;               // 发生切换的CPU核心
-    __u32 prev_pid;          // 被切换出的进程PID
-    __u32 next_pid;          // 被切换入的进程PID
-    char prev_comm[TASK_COMM_LEN];  // 被切换出的进程名
-    char next_comm[TASK_COMM_LEN];  // 被切换入的进程名
-    __u32 prev_state;        // 前一个进程的状态
-    __u64 prev_runtime;      // 前一个进程的运行时间(纳秒)
-    __u64 next_runtime;      // 下一个进程的累计运行时间(纳秒)
-};
+
+SEC("tracepoint/sched/sched_switch")
+int handle_sched_switch(struct trace_event_raw_sched_switch *ctx)
+{
+    // struct sched_switch_event event = {};
+    
+    // event.timestamp = bpf_ktime_get_ns();
+    // event.cpu = bpf_get_smp_processor_id();
+    // event.prev_pid = ctx->prev_pid;
+    // event.next_pid = ctx->next_pid;
+    // event.prev_state = ctx->prev_state;
+    
+    // // 获取进程名
+    // bpf_get_current_comm(event.prev_comm, sizeof(event.prev_comm));
+    // bpf_probe_read_str(event.next_comm, sizeof(event.next_comm), (void *)ctx->next_comm);
+    
+    // // 输出事件
+    // bpf_perf_event_output(ctx, &sched_events, BPF_F_CURRENT_CPU, &event, sizeof(event));
+    
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_sendmsg")
+int handle_sys_exit_sendmsg(struct sys_exit_sendmsg_ctx *ctx)
+{
+    // struct sendmsg_event event = {};
+    // __u64 pid_tgid = bpf_get_current_pid_tgid();
+    
+    // event.timestamp = bpf_ktime_get_ns();
+    // event.pid = pid_tgid >> 32;
+    // event.tid = (__u32)pid_tgid;
+    // event.ret = ctx->ret;
+    
+    // // 如果返回值大于0,表示成功发送的字节数
+    // if (ctx->ret > 0) {
+    //     event.bytes_sent = (__u64)ctx->ret;
+    // } else {
+    //     event.bytes_sent = 0;
+    // }
+    
+    // // 获取进程名
+    // bpf_get_current_comm(event.comm, sizeof(event.comm));
+    
+    // // 输出事件
+    // bpf_perf_event_output(ctx, &sendmsg_events, BPF_F_CURRENT_CPU, &event, sizeof(event));
+    
+    return 0;
+}
+
+// sys_exit_write tracepoint处理函数
+SEC("tracepoint/syscalls/sys_exit_write")
+int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx)
+{
+
+}
+
+// sys_exit_writev tracepoint处理函数
+SEC("tracepoint/syscalls/sys_exit_writev")
+int handle_sys_exit_writev(struct trace_event_raw_sys_exit *ctx)
+{
+    // struct writev_event *event;
+    // struct task_struct *task;
+    // u64 ts = bpf_ktime_get_ns();
+    // u64 id = bpf_get_current_pid_tgid();
+    // u32 tid = (u32)id;
+    
+    // // 分配事件缓冲区
+    // event = bpf_ringbuf_reserve(&events, sizeof(*event), 0);
+    // if (!event) {
+    //     return 0;
+    // }
+
+    // // 获取当前任务结构体
+    // task = (struct task_struct *)bpf_get_current_task();
+
+    // // 从map中获取sys_enter时保存的参数
+    // struct writev_event *enter_event = bpf_map_lookup_elem(&writev_args, &tid);
+    // if (enter_event) {
+    //     event->fd = enter_event->fd;
+    //     event->args[0] = enter_event->args[0];  // fd
+    //     event->args[1] = enter_event->args[1];  // iov
+    //     event->args[2] = enter_event->args[2];  // iovcnt
+    //     event->iovcnt = enter_event->iovcnt;
+    //     bpf_map_delete_elem(&writev_args, &tid);
+    // } else {
+    //     event->fd = 0;
+    //     event->args[0] = 0;
+    //     event->args[1] = 0;
+    //     event->args[2] = 0;
+    //     event->iovcnt = 0;
+    // }
+
+    // // 填充事件数据
+    // event->timestamp = ts;
+    // event->pid = id >> 32;       // PID
+    // event->tid = tid;            // TID
+    // event->retval = ctx->ret;    // 系统调用返回值
+    
+    // // 读取进程名
+    // bpf_probe_read_kernel_str(event->comm, sizeof(event->comm), BPF_CORE_READ(task, comm));
+
+    // // 提交事件到用户空间
+    // bpf_ringbuf_submit(event, 0);
+    return 0;
+}
+
+// sys_exit_sendmmsg tracepoint处理函数
+SEC("tracepoint/syscalls/sys_exit_sendmmsg")
+int handle_sys_exit_sendmmsg(struct trace_event_raw_sys_exit *ctx)
+{
+    return 0;
+}
+
+// sys_exit_sendto tracepoint处理函数
+SEC("tracepoint/syscalls/sys_exit_sendto")
+int handle_sys_exit_sendto(struct trace_event_raw_sys_exit *ctx)
+{
+    return 0;
+}
+
+// 捕获sys_enter_read以获取参数
+SEC("tracepoint/syscalls/sys_enter_read")
+int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx)
+{
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_readv")
+int handle_sys_enter_readv(struct trace_event_raw_sys_enter *ctx)
+{
+    return 0; 
+}
+
+SEC("tracepoint/syscalls/sys_enter_recvmsg")
+int handle_sys_enter_recvmsg(struct trace_event_raw_sys_enter *ctx)
+{
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_recvfrom")
+int handle_sys_enter_recvfrom(struct trace_event_raw_sys_enter *ctx)
+{
+    return 0;
+}
+
+//以上为网络部分监控函数原型
+
+SEC("tracepoint/syscalls/sys_enter_epoll_wait")
+int handle_sys_enter_epoll_wait(struct trace_event_raw_sys_enter *ctx)
+{
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_epoll_pwait")
+int handle_sys_enter_epoll_pwait(struct trace_event_raw_sys_enter *ctx)
+{
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_epoll_pwait2")
+int handle_sys_enter_epoll_pwait2(struct trace_event_raw_sys_enter *ctx)
+{
+    return 0;
+}
+
+//以上为epoll timewait部分监控函数原型          
+
+SEC("tracepoint/syscalls/sys_exit_futex")
+int handle_sys_exit_futex(struct trace_event_raw_sys_exit *ctx)
+{
+    return 0;
+}
+
+//以上为futex time
+
+#if defined(__TARGET_ARCH_x86)
+SEC("tracepoint/syscalls/sys_enter_open")
+int sys_enter_open(struct trace_event_raw_sys_enter__stub* ctx)
+{
+	return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_open")
+int sys_exit_open(struct trace_event_raw_sys_exit__stub* ctx)
+{
+	return 0;
+}
+#endif
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int sys_enter_openat(struct trace_event_raw_sys_enter__stub* ctx)
+{
+	return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_openat")
+int sys_exit_openat(struct trace_event_raw_sys_exit__stub* ctx)
+{
+	return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_read")
+int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx)
+{
+    // struct file_event event = {};
+    // // 填充通用事件数据
+    // fill_common_event_fields(&event, ctx);
+    // event.fd = get_syscall_arg(ctx, 0);
+    // event.size = ctx->ret > 0 ? ctx->ret : 0;
+    // event.op = OP_READ;
+    
+    // submit_event(&event);
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_write")
+int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx)
+{
+    // struct file_event event = {};
+    // fill_common_event_fields(&event, ctx);
+    // event.fd = get_syscall_arg(ctx, 0);
+    // event.size = ctx->ret > 0 ? ctx->ret : 0;
+    // event.op = OP_WRITE;
+    
+    // submit_event(&event);
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_close")
+int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx)
+{
+    // struct file_event event = {};
+    // fill_common_event_fields(&event, ctx);
+    // event.fd = get_syscall_arg(ctx, 0);
+    // event.op = OP_CLOSE;
+    
+    // submit_event(&event);
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_fsync")
+int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx)
+{
+    // struct file_event event = {};
+    // fill_common_event_fields(&event, ctx);
+    // event.fd = get_syscall_arg(ctx, 0);
+    // event.op = OP_FSYNC;
+    
+    // submit_event(&event);
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_fdatasync")
+int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx)
+{
+    // struct file_event event = {};
+    // fill_common_event_fields(&event, ctx);
+    // event.fd = get_syscall_arg(ctx, 0);
+    // event.op = OP_FDATASYNC;
+    
+    // submit_event(&event);
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_pread64")
+int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx)
+{
+    // struct file_event event = {};
+    // fill_common_event_fields(&event, ctx);
+    // event.fd = get_syscall_arg(ctx, 0);
+    // event.size = ctx->ret > 0 ? ctx->ret : 0;
+    // event.offset = get_syscall_arg(ctx, 3);
+    // event.op = OP_PREAD;
+    
+    // submit_event(&event);
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_pwrite64")
+int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx)
+{
+    // struct file_event event = {};
+    // fill_common_event_fields(&event, ctx);
+    // event.fd = get_syscall_arg(ctx, 0);
+    // event.size = ctx->ret > 0 ? ctx->ret : 0;
+    // event.offset = get_syscall_arg(ctx, 3);
+    // event.op = OP_PWRITE;
+    
+    // submit_event(&event);
+    return 0;
+}
+
+//以上为file time
+
+// handle_mm_fault kprobe 监控
+KPROG(handle_mm_fault) (struct pt_regs *ctx)
+{
+    // struct mm_fault_event event = {};
+    // __u64 pid_tgid = bpf_get_current_pid_tgid();
+    
+    // event.timestamp = bpf_ktime_get_ns();
+    // event.pid = pid_tgid >> 32;
+    // event.tid = (__u32)pid_tgid;
+    
+    // // 获取函数参数
+    // struct mm_fault_args args = {};
+    // bpf_probe_read(&args, sizeof(args), (void *)PT_REGS_PARM1(ctx));
+    
+    // event.fault_addr = args.address;
+    // event.fault_flags = args.flags;
+    
+    // // 根据地址和标志判断故障类型
+    // // 这里简化处理,实际可以根据更多信息判断
+    // if (args.address & 0x1000) {  // 简化的大页判断
+    //     event.fault_type = 1;  // major fault
+    // } else {
+    //     event.fault_type = 0;  // minor fault
+    // }
+    
+    // // 获取进程名
+    // bpf_get_current_comm(event.comm, sizeof(event.comm));
+    
+    // // 输出事件
+    // bpf_perf_event_output(ctx, &mm_fault_events, BPF_F_CURRENT_CPU, &event, sizeof(event));
+    
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_mmap")
+int handle_sys_enter_mmap(struct trace_event_raw_sys_enter *ctx)
+{
+    // struct mmap_event event = {};
+    // u64 id = bpf_get_current_pid_tgid();
+    
+    // event.timestamp = bpf_ktime_get_ns();
+    // event.pid = id >> 32;
+    // event.tid = (u32)id;
+    // bpf_get_current_comm(&event.comm, sizeof(event.comm));
+    
+    // event.addr = (void *)ctx->args[0];      // 映射起始地址
+    // event.length = (size_t)ctx->args[1];    // 映射长度
+    // event.prot = (int)ctx->args[2];         // 保护标志
+    // event.flags = (int)ctx->args[3];        // 映射标志
+    // event.fd = (int)ctx->args[4];           // 文件描述符
+    // event.offset = (off_t)ctx->args[5];     // 文件偏移
+    
+    // // 存储参数供exit时使用
+    // bpf_map_update_elem(&mmap_args, &event.tid, &event, BPF_ANY);
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_munmap")
+int handle_sys_enter_munmap(struct trace_event_raw_sys_enter *ctx)
+{
+    // struct munmap_event event = {};
+    // u64 id = bpf_get_current_pid_tgid();
+    
+    // event.timestamp = bpf_ktime_get_ns();
+    // event.pid = id >> 32;
+    // event.tid = (u32)id;
+    // bpf_get_current_comm(&event.comm, sizeof(event.comm));
+    
+    // event.addr = (void *)ctx->args[0];      // 解除映射的起始地址
+    // event.length = (size_t)ctx->args[1];    // 解除映射的长度
+    
+    // // 存储参数供exit时使用
+    // bpf_map_update_elem(&munmap_args, &event.tid, &event, BPF_ANY);
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_brk")
+int handle_sys_enter_brk(struct trace_event_raw_sys_enter *ctx)
+{
+    // struct brk_event event = {};
+    // u64 id = bpf_get_current_pid_tgid();
+    
+    // event.timestamp = bpf_ktime_get_ns();
+    // event.pid = id >> 32;
+    // event.tid = (u32)id;
+    // bpf_get_current_comm(&event.comm, sizeof(event.comm));
+    
+    // event.addr = (void *)ctx->args[0];      // 新的program break地址
+    
+    // // 存储参数供exit时使用
+    // bpf_map_update_elem(&brk_args, &event.tid, &event, BPF_ANY);
+    return 0;
+}
+
+
+//以上为mem time
+
+
+
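Review bot: `handle_sys_exit_write` is defined twice in the new offcpu.c, first with an empty body under the `sys_exit_write tracepoint处理函数` comment and again in the file-I/O group. Because ebpf.c now pulls this file in with `#include "sys_cpu/offcpu.c"`, the second definition should fail the build as a redefinition. The empty copy also falls off the end of a non-void function, so it has no defined return value. Delete the empty copy, or, if two programs on that tracepoint are really intended, give it a distinct name and a `return 0;`. Separately, every handler in this hunk is a stub that only returns 0, and if the loader attaches each `SEC(...)` program they would run on hot paths such as `sched_switch`, `read` and `write` with no benefit. Consider keeping them out of the build behind an `#if` until the commented-out bodies, and the event structs and maps they reference, actually exist.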