问题

我使用cilium ebpf包来编写一个用于获取goroutine id的ebpf程序，但是失败了。我的uprobe.c文件如下所示：

SEC("uprobe/runtime.newproc1")
int uprobe_runtime_newproc1(struct pt_regs *ctx) {
    u32 key     = 2;
    u64 initval = 1, *valp;

    valp = bpf_map_lookup_elem(&uprobe_map, &key);
    if (!valp) {
        bpf_map_update_elem(&uprobe_map, &key, &initval, BPF_ANY);
        return 0;
    }
    __sync_fetch_and_add(valp, 1);

    struct g* goroutine_struct = (void *)PT_REGS_PARM4(ctx);

    // retrieve output parameter
    s64 goid = 0;
    bpf_probe_read(&goid, sizeof(goid), &goroutine_struct->goid);

    bpf_printk("bpf_printk bpf_probe_read goroutine_struct->goid: %lld", goid);

    struct g gs;
    bpf_probe_read(&gs, sizeof(gs), (void *)PT_REGS_PARM4(ctx));
    bpf_printk("bpf_printk bpf_probe_read goroutine_struct.goid: %lld", gs.goid);

    // test
    void* ptr = (void *)PT_REGS_PARM4(ctx);
    s64 goid2 = 0;
    bpf_probe_read(&goid2, sizeof(goid2), (void *)(ptr+152));
    bpf_printk("bpf_printk bpf_probe_read goid2: %lld", goid2);

    return 0;
}

goroutine.h文件如下所示：

#include "common.h"

struct stack  {
    u64 lo;
    u64 hi;
};

struct gobuf  {
    u64 sp;
    u64 pc;
    u64 g;
    u64 ctxt;
    u64 ret;
    u64 lr;
    u64 bp;
};

struct g {
    struct stack stack;
    u64 stackguard0;
    u64 stackguard1;

    u64 _panic;
    u64 _defer;
    u64 m;
    struct gobuf sched ;
    u64 syscallsp;
    u64 syscallpc;
    u64 stktopsp;
    u64 param;
    u32 atomicstatus;
    u32 stackLock;
    s64 goid;          // 这里就是goroutine id！
};

当我运行程序时，cat /sys/kernel/debug/tracing/trace_pipe输出如下，得到了错误的goroutine id：

<...>-1336127 [000] d... 20113210.986990: bpf_trace_printk: bpf_printk bpf_probe_read goroutine_struct->goid: 4938558469562467144
<...>-1336127 [000] d... 20113210.986998: bpf_trace_printk: bpf_printk bpf_probe_read goroutine_struct.goid: 4938558469562467144
<...>-1336127 [000] d... 20113210.986998: bpf_trace_printk: bpf_printk bpf_probe_read goid2: 4938558469562467144

根据你的描述，你认为问题的关键在于将golang结构体g转换为goroutine.h时出错。你是否需要帮助？

英文:

I use cilium ebpf pakage to write a ebpf program for getting the goroutine id.
but failed. my uprobe.c like this :
I think the key problem is that golang struct g trans to goroutine.h is wrong. can anyone help?

uprobe.c

SEC(&quot;uprobe/runtime.newproc1&quot;)
int uprobe_runtime_newproc1(struct pt_regs *ctx) {
	u32 key     = 2;
	u64 initval = 1, *valp;

	valp = bpf_map_lookup_elem(&amp;uprobe_map, &amp;key);
	if (!valp) {
		bpf_map_update_elem(&amp;uprobe_map, &amp;key, &amp;initval, BPF_ANY);
		return 0;
	}
	__sync_fetch_and_add(valp, 1);

	struct g* goroutine_struct = (void *)PT_REGS_PARM4(ctx);

    // retrieve output parameter
    s64 goid = 0;
    bpf_probe_read(&amp;goid, sizeof(goid), &amp;goroutine_struct-&gt;goid);

    bpf_printk(&quot;bpf_printk bpf_probe_read goroutine_struct-&gt;goid: %lld&quot;, goid);


    struct g gs;
    bpf_probe_read(&amp;gs, sizeof(gs), (void *)PT_REGS_PARM4(ctx));
    bpf_printk(&quot;bpf_printk bpf_probe_read goroutine_struct.goid: %lld&quot;, gs.goid);

    // test
    void* ptr = (void *)PT_REGS_PARM4(ctx);
    s64 goid2 = 0;
    bpf_probe_read(&amp;goid2, sizeof(goid2), (void *)(ptr+152));
    bpf_printk(&quot;bpf_printk bpf_probe_read goid2: %lld&quot;, goid2);

	return 0;
}

goroutine.h

#include &quot;common.h&quot;



struct stack  {
	u64 lo;
	u64 hi;
};

struct gobuf  {
	u64 sp;
	u64 pc;
	u64 g;
	u64 ctxt;
	u64 ret;
	u64 lr;
	u64 bp;
};


/*
go version go1.17.2 linux/amd64

type stack struct {
	lo uintptr
	hi uintptr
}

type gobuf struct {
	sp   uintptr
	pc   uintptr
	g    uintptr
	ctxt uintptr
	ret  uintptr
	lr   uintptr
	bp   uintptr
}

type g struct {	
	stack       stack   // offset known to runtime/cgo
	stackguard0 uintptr // offset known to liblink
	stackguard1 uintptr // offset known to liblink

	_panic    *_panic // innermost panic - offset known to liblink
	_defer    *_defer // innermost defer
	m         *m      // current m; offset known to arm liblink
	sched     gobuf
	syscallsp uintptr // if status==Gsyscall, syscallsp = sched.sp to use during gc
	syscallpc uintptr // if status==Gsyscall, syscallpc = sched.pc to use during gc
	stktopsp  uintptr // expected sp at top of stack, to check in traceback
	
	param        unsafe.Pointer
	atomicstatus uint32
	stackLock    uint32 // sigprof/scang lock; TODO: fold in to atomicstatus
	goid         int64
}

*/
struct g {
	struct stack stack;
	u64 stackguard0;
	u64 stackguard1;

	u64 _panic;
	u64 _defer;
	u64 m;
	struct gobuf sched ;
	u64 syscallsp;
	u64 syscallpc;
	u64 stktopsp;
	u64 param;
	u32 atomicstatus;
	u32 stackLock;
	s64 goid;          // Here it is!
};

When I run my program , cat /sys/kernel/debug/tracing/trace_pipe output like this , get the wrong go id:

&lt;...&gt;-1336127 [000] d... 20113210.986990: bpf_trace_printk: bpf_printk bpf_probe_read goroutine_struct-&gt;goid: 4938558469562467144
&lt;...&gt;-1336127 [000] d... 20113210.986998: bpf_trace_printk: bpf_printk bpf_probe_read goroutine_struct.goid: 4938558469562467144
&lt;...&gt;-1336127 [000] d... 20113210.986998: bpf_trace_printk: bpf_printk bpf_probe_read goid2: 4938558469562467144
Blockquote

答案1

得分: 1

我找到了一个解决方案：

我的 Golang 版本是 1.17.2，amd64 架构。amd64 架构使用以下 9 个寄存器来传递整数参数和结果：RAX、RBX、RCX、RDI、RSI、R8、R9、R10、R11。
在 Go 1.17.2 中，runtime.newproc1 函数有 5 个参数。callergp *g 是第 4 个参数。当我使用 gdb 调试我的用户空间程序时，它使用 rdi 寄存器来保存 callergp *g 的指针地址。所以使用 PT_REGS_PARM1 是正确的方式，因为 (#define PT_REGS_PARM1(x) ((x)->rdi))。
最后，代码如下：

    SEC("uprobe/runtime.newproc1")
    int uprobe_runtime_newproc1(struct pt_regs *ctx) {
        u32 key     = 2;
        u64 initval = 1, *valp;

        valp = bpf_map_lookup_elem(&uprobe_map, &key);
        if (!valp) {
            bpf_map_update_elem(&uprobe_map, &key, &initval, BPF_ANY);
            return 0;
        }
        __sync_fetch_and_add(valp, 1);

        // retrieve output parameter
        struct g gs;
        bpf_probe_read(&gs, sizeof(gs), (void *)PT_REGS_PARM1(ctx));
        bpf_printk("uprobe_runtime_newproc1 bpf_printk bpf_probe_read goroutine_struct.goid: %lld", gs.goid);

        return 0;
    }

英文:

I found a solution:

my golang version is 1.17.2, amd64. and the amd64 architecture uses the following sequence of 9 registers for integer arguments and results:
RAX, RBX, RCX, RDI, RSI, R8, R9, R10, R11
runtime.newproc1 which in go 1.17.2 has 5 args. callergp *g is the 4th. when I gdb my userspace program, it use rdi register to save ptr addr of callergp *g.
so use PT_REGS_PARM1 is the right way. because (#define PT_REGS_PARM1(x) ((x)->rdi))
after all, the code like this :

    SEC(&quot;uprobe/runtime.newproc1&quot;)
    int uprobe_runtime_newproc1(struct pt_regs *ctx) {
    	u32 key     = 2;
    	u64 initval = 1, *valp;
    
    	valp = bpf_map_lookup_elem(&amp;uprobe_map, &amp;key);
    	if (!valp) {
    		bpf_map_update_elem(&amp;uprobe_map, &amp;key, &amp;initval, BPF_ANY);
    		return 0;
    	}
    	__sync_fetch_and_add(valp, 1);
    
        // retrieve output parameter
        struct g gs;
        bpf_probe_read(&amp;gs, sizeof(gs), (void *)PT_REGS_PARM1(ctx));
        bpf_printk(&quot;uprobe_runtime_newproc1 bpf_printk bpf_probe_read goroutine_struct.goid: %lld&quot;, gs.goid);
    
    	return 0;
    }

通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库，让每个人都能够通过互相帮助和分享经验来进步。

how to get goroutine id with ebpf

问题

答案1

使用引用并发地处理结构体的切片

在Go中重定向到页面的问题

如何在Golang的Thrift服务器中获取客户端的IP地址

将接口元素添加到Golang接口中

What's the correct way to type hint an empty list as a literal in python?

如何在Highcharts Gantt中更改本地化的星期名称

如何在同一个流中使用多个过滤器和映射函数？

如何使用Map/Set来将代码优化到O(n)？

.NET MAUI Android在GitHub Actions上构建失败，错误代码为1。

如何在Playwright视觉比较中屏蔽多个定位器？

在C++中，可以使用可变模板参数来检索类型的内部类型。

selenium.common.exceptions.StaleElementReferenceException: Message: stale element reference: stale element not found

Creating and opening a URL to log in to Website via Basic Auth with Robot Framework/Selenium (Python)

AG Grid 在上下文菜单中以大文本形式打开

发表评论