bcc: Can't use syscall tracepoints

 # ./tools/trace.py t:syscalls:sys_enter_newfstat
Ioctl(PERF_EVENT_IOC_SET_BPF): Invalid argument
Failed to attach BPF to tracepoint

Here’s newfstat.py:

#!/usr/bin/python

from __future__ import print_function
from bcc import BPF

# load BPF program
b = BPF(text="""
TRACEPOINT_PROBE(syscalls, sys_enter_newfstat) {
    bpf_trace_printk("%d\\n", args->fd);
    return 0;
};
""", debug=0)

# header
print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "FD"))

# format output
while 1:
    try:
        (task, pid, cpu, flags, ts, msg) = b.trace_fields()
    except ValueError:
        continue
    print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))

output:

# ./newfstat.py 
ioctl(PERF_EVENT_IOC_SET_BPF): Invalid argument
Traceback (most recent call last):
  File "./newfstat.py", line 12, in <module>
    """, debug=0)
  File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 212, in __init__
    self._trace_autoload()
  File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 767, in _trace_autoload
    self.attach_tracepoint(tp=tp, fn_name=fn.name)
  File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 585, in attach_tracepoint
    raise Exception("Failed to attach BPF to tracepoint")
Exception: Failed to attach BPF to tracepoint

Testing on 4.8-rc4. Same problem with other syscall tracepoints.

I can use kprobes as a workaround in the meantime, but this should be a nice example of using tracepoints…

About this issue

  • Original URL
  • State: closed
  • Created 8 years ago
  • Reactions: 3
  • Comments: 34 (10 by maintainers)

Commits related to this issue

Most upvoted comments

You’re right, thanks! Tracing sys_* and SyS_* produces the desired result. Now just need to fix a bug in BPF.get_kprobe_functions that returns the same function name multiple times.

The patch has been pushed into net-next. It should be available for 4.13. Close the issue.

hmm. looks like syscalls:sys_(enter|exit)_* are not considered proper ‘tracepoint’ from kernel point of view, though perf thinks they are.