btf.rst 35 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065
  1. =====================
  2. BPF Type Format (BTF)
  3. =====================
  4. 1. Introduction
  5. ===============
  6. BTF (BPF Type Format) is the metadata format which encodes the debug info
  7. related to BPF program/map. The name BTF was used initially to describe data
  8. types. The BTF was later extended to include function info for defined
  9. subroutines, and line info for source/line information.
  10. The debug info is used for map pretty print, function signature, etc. The
  11. function signature enables better bpf program/function kernel symbol. The line
  12. info helps generate source annotated translated byte code, jited code and
  13. verifier log.
  14. The BTF specification contains two parts,
  15. * BTF kernel API
  16. * BTF ELF file format
  17. The kernel API is the contract between user space and kernel. The kernel
  18. verifies the BTF info before using it. The ELF file format is a user space
  19. contract between ELF file and libbpf loader.
  20. The type and string sections are part of the BTF kernel API, describing the
  21. debug info (mostly types related) referenced by the bpf program. These two
  22. sections are discussed in details in :ref:`BTF_Type_String`.
  23. .. _BTF_Type_String:
  24. 2. BTF Type and String Encoding
  25. ===============================
  26. The file ``include/uapi/linux/btf.h`` provides high-level definition of how
  27. types/strings are encoded.
  28. The beginning of data blob must be::
  29. struct btf_header {
  30. __u16 magic;
  31. __u8 version;
  32. __u8 flags;
  33. __u32 hdr_len;
  34. /* All offsets are in bytes relative to the end of this header */
  35. __u32 type_off; /* offset of type section */
  36. __u32 type_len; /* length of type section */
  37. __u32 str_off; /* offset of string section */
  38. __u32 str_len; /* length of string section */
  39. };
  40. The magic is ``0xeB9F``, which has different encoding for big and little
  41. endian systems, and can be used to test whether BTF is generated for big- or
  42. little-endian target. The ``btf_header`` is designed to be extensible with
  43. ``hdr_len`` equal to ``sizeof(struct btf_header)`` when a data blob is
  44. generated.
  45. 2.1 String Encoding
  46. -------------------
  47. The first string in the string section must be a null string. The rest of
  48. string table is a concatenation of other null-terminated strings.
  49. 2.2 Type Encoding
  50. -----------------
  51. The type id ``0`` is reserved for ``void`` type. The type section is parsed
  52. sequentially and type id is assigned to each recognized type starting from id
  53. ``1``. Currently, the following types are supported::
  54. #define BTF_KIND_INT 1 /* Integer */
  55. #define BTF_KIND_PTR 2 /* Pointer */
  56. #define BTF_KIND_ARRAY 3 /* Array */
  57. #define BTF_KIND_STRUCT 4 /* Struct */
  58. #define BTF_KIND_UNION 5 /* Union */
  59. #define BTF_KIND_ENUM 6 /* Enumeration up to 32-bit values */
  60. #define BTF_KIND_FWD 7 /* Forward */
  61. #define BTF_KIND_TYPEDEF 8 /* Typedef */
  62. #define BTF_KIND_VOLATILE 9 /* Volatile */
  63. #define BTF_KIND_CONST 10 /* Const */
  64. #define BTF_KIND_RESTRICT 11 /* Restrict */
  65. #define BTF_KIND_FUNC 12 /* Function */
  66. #define BTF_KIND_FUNC_PROTO 13 /* Function Proto */
  67. #define BTF_KIND_VAR 14 /* Variable */
  68. #define BTF_KIND_DATASEC 15 /* Section */
  69. #define BTF_KIND_FLOAT 16 /* Floating point */
  70. #define BTF_KIND_DECL_TAG 17 /* Decl Tag */
  71. #define BTF_KIND_TYPE_TAG 18 /* Type Tag */
  72. #define BTF_KIND_ENUM64 19 /* Enumeration up to 64-bit values */
  73. Note that the type section encodes debug info, not just pure types.
  74. ``BTF_KIND_FUNC`` is not a type, and it represents a defined subprogram.
  75. Each type contains the following common data::
  76. struct btf_type {
  77. __u32 name_off;
  78. /* "info" bits arrangement
  79. * bits 0-15: vlen (e.g. # of struct's members)
  80. * bits 16-23: unused
  81. * bits 24-28: kind (e.g. int, ptr, array...etc)
  82. * bits 29-30: unused
  83. * bit 31: kind_flag, currently used by
  84. * struct, union, fwd, enum and enum64.
  85. */
  86. __u32 info;
  87. /* "size" is used by INT, ENUM, STRUCT, UNION and ENUM64.
  88. * "size" tells the size of the type it is describing.
  89. *
  90. * "type" is used by PTR, TYPEDEF, VOLATILE, CONST, RESTRICT,
  91. * FUNC, FUNC_PROTO, DECL_TAG and TYPE_TAG.
  92. * "type" is a type_id referring to another type.
  93. */
  94. union {
  95. __u32 size;
  96. __u32 type;
  97. };
  98. };
  99. For certain kinds, the common data are followed by kind-specific data. The
  100. ``name_off`` in ``struct btf_type`` specifies the offset in the string table.
  101. The following sections detail encoding of each kind.
  102. 2.2.1 BTF_KIND_INT
  103. ~~~~~~~~~~~~~~~~~~
  104. ``struct btf_type`` encoding requirement:
  105. * ``name_off``: any valid offset
  106. * ``info.kind_flag``: 0
  107. * ``info.kind``: BTF_KIND_INT
  108. * ``info.vlen``: 0
  109. * ``size``: the size of the int type in bytes.
  110. ``btf_type`` is followed by a ``u32`` with the following bits arrangement::
  111. #define BTF_INT_ENCODING(VAL) (((VAL) & 0x0f000000) >> 24)
  112. #define BTF_INT_OFFSET(VAL) (((VAL) & 0x00ff0000) >> 16)
  113. #define BTF_INT_BITS(VAL) ((VAL) & 0x000000ff)
  114. The ``BTF_INT_ENCODING`` has the following attributes::
  115. #define BTF_INT_SIGNED (1 << 0)
  116. #define BTF_INT_CHAR (1 << 1)
  117. #define BTF_INT_BOOL (1 << 2)
  118. The ``BTF_INT_ENCODING()`` provides extra information: signedness, char, or
  119. bool, for the int type. The char and bool encoding are mostly useful for
  120. pretty print. At most one encoding can be specified for the int type.
  121. The ``BTF_INT_BITS()`` specifies the number of actual bits held by this int
  122. type. For example, a 4-bit bitfield encodes ``BTF_INT_BITS()`` equals to 4.
  123. The ``btf_type.size * 8`` must be equal to or greater than ``BTF_INT_BITS()``
  124. for the type. The maximum value of ``BTF_INT_BITS()`` is 128.
  125. The ``BTF_INT_OFFSET()`` specifies the starting bit offset to calculate values
  126. for this int. For example, a bitfield struct member has:
  127. * btf member bit offset 100 from the start of the structure,
  128. * btf member pointing to an int type,
  129. * the int type has ``BTF_INT_OFFSET() = 2`` and ``BTF_INT_BITS() = 4``
  130. Then in the struct memory layout, this member will occupy ``4`` bits starting
  131. from bits ``100 + 2 = 102``.
  132. Alternatively, the bitfield struct member can be the following to access the
  133. same bits as the above:
  134. * btf member bit offset 102,
  135. * btf member pointing to an int type,
  136. * the int type has ``BTF_INT_OFFSET() = 0`` and ``BTF_INT_BITS() = 4``
  137. The original intention of ``BTF_INT_OFFSET()`` is to provide flexibility of
  138. bitfield encoding. Currently, both llvm and pahole generate
  139. ``BTF_INT_OFFSET() = 0`` for all int types.
  140. 2.2.2 BTF_KIND_PTR
  141. ~~~~~~~~~~~~~~~~~~
  142. ``struct btf_type`` encoding requirement:
  143. * ``name_off``: 0
  144. * ``info.kind_flag``: 0
  145. * ``info.kind``: BTF_KIND_PTR
  146. * ``info.vlen``: 0
  147. * ``type``: the pointee type of the pointer
  148. No additional type data follow ``btf_type``.
  149. 2.2.3 BTF_KIND_ARRAY
  150. ~~~~~~~~~~~~~~~~~~~~
  151. ``struct btf_type`` encoding requirement:
  152. * ``name_off``: 0
  153. * ``info.kind_flag``: 0
  154. * ``info.kind``: BTF_KIND_ARRAY
  155. * ``info.vlen``: 0
  156. * ``size/type``: 0, not used
  157. ``btf_type`` is followed by one ``struct btf_array``::
  158. struct btf_array {
  159. __u32 type;
  160. __u32 index_type;
  161. __u32 nelems;
  162. };
  163. The ``struct btf_array`` encoding:
  164. * ``type``: the element type
  165. * ``index_type``: the index type
  166. * ``nelems``: the number of elements for this array (``0`` is also allowed).
  167. The ``index_type`` can be any regular int type (``u8``, ``u16``, ``u32``,
  168. ``u64``, ``unsigned __int128``). The original design of including
  169. ``index_type`` follows DWARF, which has an ``index_type`` for its array type.
  170. Currently in BTF, beyond type verification, the ``index_type`` is not used.
  171. The ``struct btf_array`` allows chaining through element type to represent
  172. multidimensional arrays. For example, for ``int a[5][6]``, the following type
  173. information illustrates the chaining:
  174. * [1]: int
  175. * [2]: array, ``btf_array.type = [1]``, ``btf_array.nelems = 6``
  176. * [3]: array, ``btf_array.type = [2]``, ``btf_array.nelems = 5``
  177. Currently, both pahole and llvm collapse multidimensional array into
  178. one-dimensional array, e.g., for ``a[5][6]``, the ``btf_array.nelems`` is
  179. equal to ``30``. This is because the original use case is map pretty print
  180. where the whole array is dumped out so one-dimensional array is enough. As
  181. more BTF usage is explored, pahole and llvm can be changed to generate proper
  182. chained representation for multidimensional arrays.
  183. 2.2.4 BTF_KIND_STRUCT
  184. ~~~~~~~~~~~~~~~~~~~~~
  185. 2.2.5 BTF_KIND_UNION
  186. ~~~~~~~~~~~~~~~~~~~~
  187. ``struct btf_type`` encoding requirement:
  188. * ``name_off``: 0 or offset to a valid C identifier
  189. * ``info.kind_flag``: 0 or 1
  190. * ``info.kind``: BTF_KIND_STRUCT or BTF_KIND_UNION
  191. * ``info.vlen``: the number of struct/union members
  192. * ``info.size``: the size of the struct/union in bytes
  193. ``btf_type`` is followed by ``info.vlen`` number of ``struct btf_member``.::
  194. struct btf_member {
  195. __u32 name_off;
  196. __u32 type;
  197. __u32 offset;
  198. };
  199. ``struct btf_member`` encoding:
  200. * ``name_off``: offset to a valid C identifier
  201. * ``type``: the member type
  202. * ``offset``: <see below>
  203. If the type info ``kind_flag`` is not set, the offset contains only bit offset
  204. of the member. Note that the base type of the bitfield can only be int or enum
  205. type. If the bitfield size is 32, the base type can be either int or enum
  206. type. If the bitfield size is not 32, the base type must be int, and int type
  207. ``BTF_INT_BITS()`` encodes the bitfield size.
  208. If the ``kind_flag`` is set, the ``btf_member.offset`` contains both member
  209. bitfield size and bit offset. The bitfield size and bit offset are calculated
  210. as below.::
  211. #define BTF_MEMBER_BITFIELD_SIZE(val) ((val) >> 24)
  212. #define BTF_MEMBER_BIT_OFFSET(val) ((val) & 0xffffff)
  213. In this case, if the base type is an int type, it must be a regular int type:
  214. * ``BTF_INT_OFFSET()`` must be 0.
  215. * ``BTF_INT_BITS()`` must be equal to ``{1,2,4,8,16} * 8``.
  216. The following kernel patch introduced ``kind_flag`` and explained why both
  217. modes exist:
  218. https://github.com/torvalds/linux/commit/9d5f9f701b1891466fb3dbb1806ad97716f95cc3#diff-fa650a64fdd3968396883d2fe8215ff3
  219. 2.2.6 BTF_KIND_ENUM
  220. ~~~~~~~~~~~~~~~~~~~
  221. ``struct btf_type`` encoding requirement:
  222. * ``name_off``: 0 or offset to a valid C identifier
  223. * ``info.kind_flag``: 0 for unsigned, 1 for signed
  224. * ``info.kind``: BTF_KIND_ENUM
  225. * ``info.vlen``: number of enum values
  226. * ``size``: 1/2/4/8
  227. ``btf_type`` is followed by ``info.vlen`` number of ``struct btf_enum``.::
  228. struct btf_enum {
  229. __u32 name_off;
  230. __s32 val;
  231. };
  232. The ``btf_enum`` encoding:
  233. * ``name_off``: offset to a valid C identifier
  234. * ``val``: any value
  235. If the original enum value is signed and the size is less than 4,
  236. that value will be sign extended into 4 bytes. If the size is 8,
  237. the value will be truncated into 4 bytes.
  238. 2.2.7 BTF_KIND_FWD
  239. ~~~~~~~~~~~~~~~~~~
  240. ``struct btf_type`` encoding requirement:
  241. * ``name_off``: offset to a valid C identifier
  242. * ``info.kind_flag``: 0 for struct, 1 for union
  243. * ``info.kind``: BTF_KIND_FWD
  244. * ``info.vlen``: 0
  245. * ``type``: 0
  246. No additional type data follow ``btf_type``.
  247. 2.2.8 BTF_KIND_TYPEDEF
  248. ~~~~~~~~~~~~~~~~~~~~~~
  249. ``struct btf_type`` encoding requirement:
  250. * ``name_off``: offset to a valid C identifier
  251. * ``info.kind_flag``: 0
  252. * ``info.kind``: BTF_KIND_TYPEDEF
  253. * ``info.vlen``: 0
  254. * ``type``: the type which can be referred by name at ``name_off``
  255. No additional type data follow ``btf_type``.
  256. 2.2.9 BTF_KIND_VOLATILE
  257. ~~~~~~~~~~~~~~~~~~~~~~~
  258. ``struct btf_type`` encoding requirement:
  259. * ``name_off``: 0
  260. * ``info.kind_flag``: 0
  261. * ``info.kind``: BTF_KIND_VOLATILE
  262. * ``info.vlen``: 0
  263. * ``type``: the type with ``volatile`` qualifier
  264. No additional type data follow ``btf_type``.
  265. 2.2.10 BTF_KIND_CONST
  266. ~~~~~~~~~~~~~~~~~~~~~
  267. ``struct btf_type`` encoding requirement:
  268. * ``name_off``: 0
  269. * ``info.kind_flag``: 0
  270. * ``info.kind``: BTF_KIND_CONST
  271. * ``info.vlen``: 0
  272. * ``type``: the type with ``const`` qualifier
  273. No additional type data follow ``btf_type``.
  274. 2.2.11 BTF_KIND_RESTRICT
  275. ~~~~~~~~~~~~~~~~~~~~~~~~
  276. ``struct btf_type`` encoding requirement:
  277. * ``name_off``: 0
  278. * ``info.kind_flag``: 0
  279. * ``info.kind``: BTF_KIND_RESTRICT
  280. * ``info.vlen``: 0
  281. * ``type``: the type with ``restrict`` qualifier
  282. No additional type data follow ``btf_type``.
  283. 2.2.12 BTF_KIND_FUNC
  284. ~~~~~~~~~~~~~~~~~~~~
  285. ``struct btf_type`` encoding requirement:
  286. * ``name_off``: offset to a valid C identifier
  287. * ``info.kind_flag``: 0
  288. * ``info.kind``: BTF_KIND_FUNC
  289. * ``info.vlen``: linkage information (BTF_FUNC_STATIC, BTF_FUNC_GLOBAL
  290. or BTF_FUNC_EXTERN)
  291. * ``type``: a BTF_KIND_FUNC_PROTO type
  292. No additional type data follow ``btf_type``.
  293. A BTF_KIND_FUNC defines not a type, but a subprogram (function) whose
  294. signature is defined by ``type``. The subprogram is thus an instance of that
  295. type. The BTF_KIND_FUNC may in turn be referenced by a func_info in the
  296. :ref:`BTF_Ext_Section` (ELF) or in the arguments to :ref:`BPF_Prog_Load`
  297. (ABI).
  298. Currently, only linkage values of BTF_FUNC_STATIC and BTF_FUNC_GLOBAL are
  299. supported in the kernel.
  300. 2.2.13 BTF_KIND_FUNC_PROTO
  301. ~~~~~~~~~~~~~~~~~~~~~~~~~~
  302. ``struct btf_type`` encoding requirement:
  303. * ``name_off``: 0
  304. * ``info.kind_flag``: 0
  305. * ``info.kind``: BTF_KIND_FUNC_PROTO
  306. * ``info.vlen``: # of parameters
  307. * ``type``: the return type
  308. ``btf_type`` is followed by ``info.vlen`` number of ``struct btf_param``.::
  309. struct btf_param {
  310. __u32 name_off;
  311. __u32 type;
  312. };
  313. If a BTF_KIND_FUNC_PROTO type is referred by a BTF_KIND_FUNC type, then
  314. ``btf_param.name_off`` must point to a valid C identifier except for the
  315. possible last argument representing the variable argument. The btf_param.type
  316. refers to parameter type.
  317. If the function has variable arguments, the last parameter is encoded with
  318. ``name_off = 0`` and ``type = 0``.
  319. 2.2.14 BTF_KIND_VAR
  320. ~~~~~~~~~~~~~~~~~~~
  321. ``struct btf_type`` encoding requirement:
  322. * ``name_off``: offset to a valid C identifier
  323. * ``info.kind_flag``: 0
  324. * ``info.kind``: BTF_KIND_VAR
  325. * ``info.vlen``: 0
  326. * ``type``: the type of the variable
  327. ``btf_type`` is followed by a single ``struct btf_variable`` with the
  328. following data::
  329. struct btf_var {
  330. __u32 linkage;
  331. };
  332. ``struct btf_var`` encoding:
  333. * ``linkage``: currently only static variable 0, or globally allocated
  334. variable in ELF sections 1
  335. Not all type of global variables are supported by LLVM at this point.
  336. The following is currently available:
  337. * static variables with or without section attributes
  338. * global variables with section attributes
  339. The latter is for future extraction of map key/value type id's from a
  340. map definition.
  341. 2.2.15 BTF_KIND_DATASEC
  342. ~~~~~~~~~~~~~~~~~~~~~~~
  343. ``struct btf_type`` encoding requirement:
  344. * ``name_off``: offset to a valid name associated with a variable or
  345. one of .data/.bss/.rodata
  346. * ``info.kind_flag``: 0
  347. * ``info.kind``: BTF_KIND_DATASEC
  348. * ``info.vlen``: # of variables
  349. * ``size``: total section size in bytes (0 at compilation time, patched
  350. to actual size by BPF loaders such as libbpf)
  351. ``btf_type`` is followed by ``info.vlen`` number of ``struct btf_var_secinfo``.::
  352. struct btf_var_secinfo {
  353. __u32 type;
  354. __u32 offset;
  355. __u32 size;
  356. };
  357. ``struct btf_var_secinfo`` encoding:
  358. * ``type``: the type of the BTF_KIND_VAR variable
  359. * ``offset``: the in-section offset of the variable
  360. * ``size``: the size of the variable in bytes
  361. 2.2.16 BTF_KIND_FLOAT
  362. ~~~~~~~~~~~~~~~~~~~~~
  363. ``struct btf_type`` encoding requirement:
  364. * ``name_off``: any valid offset
  365. * ``info.kind_flag``: 0
  366. * ``info.kind``: BTF_KIND_FLOAT
  367. * ``info.vlen``: 0
  368. * ``size``: the size of the float type in bytes: 2, 4, 8, 12 or 16.
  369. No additional type data follow ``btf_type``.
  370. 2.2.17 BTF_KIND_DECL_TAG
  371. ~~~~~~~~~~~~~~~~~~~~~~~~
  372. ``struct btf_type`` encoding requirement:
  373. * ``name_off``: offset to a non-empty string
  374. * ``info.kind_flag``: 0
  375. * ``info.kind``: BTF_KIND_DECL_TAG
  376. * ``info.vlen``: 0
  377. * ``type``: ``struct``, ``union``, ``func``, ``var`` or ``typedef``
  378. ``btf_type`` is followed by ``struct btf_decl_tag``.::
  379. struct btf_decl_tag {
  380. __u32 component_idx;
  381. };
  382. The ``name_off`` encodes btf_decl_tag attribute string.
  383. The ``type`` should be ``struct``, ``union``, ``func``, ``var`` or ``typedef``.
  384. For ``var`` or ``typedef`` type, ``btf_decl_tag.component_idx`` must be ``-1``.
  385. For the other three types, if the btf_decl_tag attribute is
  386. applied to the ``struct``, ``union`` or ``func`` itself,
  387. ``btf_decl_tag.component_idx`` must be ``-1``. Otherwise,
  388. the attribute is applied to a ``struct``/``union`` member or
  389. a ``func`` argument, and ``btf_decl_tag.component_idx`` should be a
  390. valid index (starting from 0) pointing to a member or an argument.
  391. 2.2.18 BTF_KIND_TYPE_TAG
  392. ~~~~~~~~~~~~~~~~~~~~~~~~
  393. ``struct btf_type`` encoding requirement:
  394. * ``name_off``: offset to a non-empty string
  395. * ``info.kind_flag``: 0
  396. * ``info.kind``: BTF_KIND_TYPE_TAG
  397. * ``info.vlen``: 0
  398. * ``type``: the type with ``btf_type_tag`` attribute
  399. Currently, ``BTF_KIND_TYPE_TAG`` is only emitted for pointer types.
  400. It has the following btf type chain:
  401. ::
  402. ptr -> [type_tag]*
  403. -> [const | volatile | restrict | typedef]*
  404. -> base_type
  405. Basically, a pointer type points to zero or more
  406. type_tag, then zero or more const/volatile/restrict/typedef
  407. and finally the base type. The base type is one of
  408. int, ptr, array, struct, union, enum, func_proto and float types.
  409. 2.2.19 BTF_KIND_ENUM64
  410. ~~~~~~~~~~~~~~~~~~~~~~
  411. ``struct btf_type`` encoding requirement:
  412. * ``name_off``: 0 or offset to a valid C identifier
  413. * ``info.kind_flag``: 0 for unsigned, 1 for signed
  414. * ``info.kind``: BTF_KIND_ENUM64
  415. * ``info.vlen``: number of enum values
  416. * ``size``: 1/2/4/8
  417. ``btf_type`` is followed by ``info.vlen`` number of ``struct btf_enum64``.::
  418. struct btf_enum64 {
  419. __u32 name_off;
  420. __u32 val_lo32;
  421. __u32 val_hi32;
  422. };
  423. The ``btf_enum64`` encoding:
  424. * ``name_off``: offset to a valid C identifier
  425. * ``val_lo32``: lower 32-bit value for a 64-bit value
  426. * ``val_hi32``: high 32-bit value for a 64-bit value
  427. If the original enum value is signed and the size is less than 8,
  428. that value will be sign extended into 8 bytes.
  429. 3. BTF Kernel API
  430. =================
  431. The following bpf syscall command involves BTF:
  432. * BPF_BTF_LOAD: load a blob of BTF data into kernel
  433. * BPF_MAP_CREATE: map creation with btf key and value type info.
  434. * BPF_PROG_LOAD: prog load with btf function and line info.
  435. * BPF_BTF_GET_FD_BY_ID: get a btf fd
  436. * BPF_OBJ_GET_INFO_BY_FD: btf, func_info, line_info
  437. and other btf related info are returned.
  438. The workflow typically looks like:
  439. ::
  440. Application:
  441. BPF_BTF_LOAD
  442. |
  443. v
  444. BPF_MAP_CREATE and BPF_PROG_LOAD
  445. |
  446. V
  447. ......
  448. Introspection tool:
  449. ......
  450. BPF_{PROG,MAP}_GET_NEXT_ID (get prog/map id's)
  451. |
  452. V
  453. BPF_{PROG,MAP}_GET_FD_BY_ID (get a prog/map fd)
  454. |
  455. V
  456. BPF_OBJ_GET_INFO_BY_FD (get bpf_prog_info/bpf_map_info with btf_id)
  457. | |
  458. V |
  459. BPF_BTF_GET_FD_BY_ID (get btf_fd) |
  460. | |
  461. V |
  462. BPF_OBJ_GET_INFO_BY_FD (get btf) |
  463. | |
  464. V V
  465. pretty print types, dump func signatures and line info, etc.
  466. 3.1 BPF_BTF_LOAD
  467. ----------------
  468. Load a blob of BTF data into kernel. A blob of data, described in
  469. :ref:`BTF_Type_String`, can be directly loaded into the kernel. A ``btf_fd``
  470. is returned to a userspace.
  471. 3.2 BPF_MAP_CREATE
  472. ------------------
  473. A map can be created with ``btf_fd`` and specified key/value type id.::
  474. __u32 btf_fd; /* fd pointing to a BTF type data */
  475. __u32 btf_key_type_id; /* BTF type_id of the key */
  476. __u32 btf_value_type_id; /* BTF type_id of the value */
  477. In libbpf, the map can be defined with extra annotation like below:
  478. ::
  479. struct {
  480. __uint(type, BPF_MAP_TYPE_ARRAY);
  481. __type(key, int);
  482. __type(value, struct ipv_counts);
  483. __uint(max_entries, 4);
  484. } btf_map SEC(".maps");
  485. During ELF parsing, libbpf is able to extract key/value type_id's and assign
  486. them to BPF_MAP_CREATE attributes automatically.
  487. .. _BPF_Prog_Load:
  488. 3.3 BPF_PROG_LOAD
  489. -----------------
  490. During prog_load, func_info and line_info can be passed to kernel with proper
  491. values for the following attributes:
  492. ::
  493. __u32 insn_cnt;
  494. __aligned_u64 insns;
  495. ......
  496. __u32 prog_btf_fd; /* fd pointing to BTF type data */
  497. __u32 func_info_rec_size; /* userspace bpf_func_info size */
  498. __aligned_u64 func_info; /* func info */
  499. __u32 func_info_cnt; /* number of bpf_func_info records */
  500. __u32 line_info_rec_size; /* userspace bpf_line_info size */
  501. __aligned_u64 line_info; /* line info */
  502. __u32 line_info_cnt; /* number of bpf_line_info records */
  503. The func_info and line_info are an array of below, respectively.::
  504. struct bpf_func_info {
  505. __u32 insn_off; /* [0, insn_cnt - 1] */
  506. __u32 type_id; /* pointing to a BTF_KIND_FUNC type */
  507. };
  508. struct bpf_line_info {
  509. __u32 insn_off; /* [0, insn_cnt - 1] */
  510. __u32 file_name_off; /* offset to string table for the filename */
  511. __u32 line_off; /* offset to string table for the source line */
  512. __u32 line_col; /* line number and column number */
  513. };
  514. func_info_rec_size is the size of each func_info record, and
  515. line_info_rec_size is the size of each line_info record. Passing the record
  516. size to kernel make it possible to extend the record itself in the future.
  517. Below are requirements for func_info:
  518. * func_info[0].insn_off must be 0.
  519. * the func_info insn_off is in strictly increasing order and matches
  520. bpf func boundaries.
  521. Below are requirements for line_info:
  522. * the first insn in each func must have a line_info record pointing to it.
  523. * the line_info insn_off is in strictly increasing order.
  524. For line_info, the line number and column number are defined as below:
  525. ::
  526. #define BPF_LINE_INFO_LINE_NUM(line_col) ((line_col) >> 10)
  527. #define BPF_LINE_INFO_LINE_COL(line_col) ((line_col) & 0x3ff)
  528. 3.4 BPF_{PROG,MAP}_GET_NEXT_ID
  529. ------------------------------
  530. In kernel, every loaded program, map or btf has a unique id. The id won't
  531. change during the lifetime of a program, map, or btf.
  532. The bpf syscall command BPF_{PROG,MAP}_GET_NEXT_ID returns all id's, one for
  533. each command, to user space, for bpf program or maps, respectively, so an
  534. inspection tool can inspect all programs and maps.
  535. 3.5 BPF_{PROG,MAP}_GET_FD_BY_ID
  536. -------------------------------
  537. An introspection tool cannot use id to get details about program or maps.
  538. A file descriptor needs to be obtained first for reference-counting purpose.
  539. 3.6 BPF_OBJ_GET_INFO_BY_FD
  540. --------------------------
  541. Once a program/map fd is acquired, an introspection tool can get the detailed
  542. information from kernel about this fd, some of which are BTF-related. For
  543. example, ``bpf_map_info`` returns ``btf_id`` and key/value type ids.
  544. ``bpf_prog_info`` returns ``btf_id``, func_info, and line info for translated
  545. bpf byte codes, and jited_line_info.
  546. 3.7 BPF_BTF_GET_FD_BY_ID
  547. ------------------------
  548. With ``btf_id`` obtained in ``bpf_map_info`` and ``bpf_prog_info``, bpf
  549. syscall command BPF_BTF_GET_FD_BY_ID can retrieve a btf fd. Then, with
  550. command BPF_OBJ_GET_INFO_BY_FD, the btf blob, originally loaded into the
  551. kernel with BPF_BTF_LOAD, can be retrieved.
  552. With the btf blob, ``bpf_map_info``, and ``bpf_prog_info``, an introspection
  553. tool has full btf knowledge and is able to pretty print map key/values, dump
  554. func signatures and line info, along with byte/jit codes.
  555. 4. ELF File Format Interface
  556. ============================
  557. 4.1 .BTF section
  558. ----------------
  559. The .BTF section contains type and string data. The format of this section is
  560. same as the one describe in :ref:`BTF_Type_String`.
  561. .. _BTF_Ext_Section:
  562. 4.2 .BTF.ext section
  563. --------------------
  564. The .BTF.ext section encodes func_info and line_info which needs loader
  565. manipulation before loading into the kernel.
  566. The specification for .BTF.ext section is defined at ``tools/lib/bpf/btf.h``
  567. and ``tools/lib/bpf/btf.c``.
  568. The current header of .BTF.ext section::
  569. struct btf_ext_header {
  570. __u16 magic;
  571. __u8 version;
  572. __u8 flags;
  573. __u32 hdr_len;
  574. /* All offsets are in bytes relative to the end of this header */
  575. __u32 func_info_off;
  576. __u32 func_info_len;
  577. __u32 line_info_off;
  578. __u32 line_info_len;
  579. };
  580. It is very similar to .BTF section. Instead of type/string section, it
  581. contains func_info and line_info section. See :ref:`BPF_Prog_Load` for details
  582. about func_info and line_info record format.
  583. The func_info is organized as below.::
  584. func_info_rec_size
  585. btf_ext_info_sec for section #1 /* func_info for section #1 */
  586. btf_ext_info_sec for section #2 /* func_info for section #2 */
  587. ...
  588. ``func_info_rec_size`` specifies the size of ``bpf_func_info`` structure when
  589. .BTF.ext is generated. ``btf_ext_info_sec``, defined below, is a collection of
  590. func_info for each specific ELF section.::
  591. struct btf_ext_info_sec {
  592. __u32 sec_name_off; /* offset to section name */
  593. __u32 num_info;
  594. /* Followed by num_info * record_size number of bytes */
  595. __u8 data[0];
  596. };
  597. Here, num_info must be greater than 0.
  598. The line_info is organized as below.::
  599. line_info_rec_size
  600. btf_ext_info_sec for section #1 /* line_info for section #1 */
  601. btf_ext_info_sec for section #2 /* line_info for section #2 */
  602. ...
  603. ``line_info_rec_size`` specifies the size of ``bpf_line_info`` structure when
  604. .BTF.ext is generated.
  605. The interpretation of ``bpf_func_info->insn_off`` and
  606. ``bpf_line_info->insn_off`` is different between kernel API and ELF API. For
  607. kernel API, the ``insn_off`` is the instruction offset in the unit of ``struct
  608. bpf_insn``. For ELF API, the ``insn_off`` is the byte offset from the
  609. beginning of section (``btf_ext_info_sec->sec_name_off``).
  610. 4.2 .BTF_ids section
  611. --------------------
  612. The .BTF_ids section encodes BTF ID values that are used within the kernel.
  613. This section is created during the kernel compilation with the help of
  614. macros defined in ``include/linux/btf_ids.h`` header file. Kernel code can
  615. use them to create lists and sets (sorted lists) of BTF ID values.
  616. The ``BTF_ID_LIST`` and ``BTF_ID`` macros define unsorted list of BTF ID values,
  617. with following syntax::
  618. BTF_ID_LIST(list)
  619. BTF_ID(type1, name1)
  620. BTF_ID(type2, name2)
  621. resulting in following layout in .BTF_ids section::
  622. __BTF_ID__type1__name1__1:
  623. .zero 4
  624. __BTF_ID__type2__name2__2:
  625. .zero 4
  626. The ``u32 list[];`` variable is defined to access the list.
  627. The ``BTF_ID_UNUSED`` macro defines 4 zero bytes. It's used when we
  628. want to define unused entry in BTF_ID_LIST, like::
  629. BTF_ID_LIST(bpf_skb_output_btf_ids)
  630. BTF_ID(struct, sk_buff)
  631. BTF_ID_UNUSED
  632. BTF_ID(struct, task_struct)
  633. The ``BTF_SET_START/END`` macros pair defines sorted list of BTF ID values
  634. and their count, with following syntax::
  635. BTF_SET_START(set)
  636. BTF_ID(type1, name1)
  637. BTF_ID(type2, name2)
  638. BTF_SET_END(set)
  639. resulting in following layout in .BTF_ids section::
  640. __BTF_ID__set__set:
  641. .zero 4
  642. __BTF_ID__type1__name1__3:
  643. .zero 4
  644. __BTF_ID__type2__name2__4:
  645. .zero 4
  646. The ``struct btf_id_set set;`` variable is defined to access the list.
  647. The ``typeX`` name can be one of following::
  648. struct, union, typedef, func
  649. and is used as a filter when resolving the BTF ID value.
  650. All the BTF ID lists and sets are compiled in the .BTF_ids section and
  651. resolved during the linking phase of kernel build by ``resolve_btfids`` tool.
  652. 5. Using BTF
  653. ============
  654. 5.1 bpftool map pretty print
  655. ----------------------------
  656. With BTF, the map key/value can be printed based on fields rather than simply
  657. raw bytes. This is especially valuable for large structure or if your data
  658. structure has bitfields. For example, for the following map,::
  659. enum A { A1, A2, A3, A4, A5 };
  660. typedef enum A ___A;
  661. struct tmp_t {
  662. char a1:4;
  663. int a2:4;
  664. int :4;
  665. __u32 a3:4;
  666. int b;
  667. ___A b1:4;
  668. enum A b2:4;
  669. };
  670. struct {
  671. __uint(type, BPF_MAP_TYPE_ARRAY);
  672. __type(key, int);
  673. __type(value, struct tmp_t);
  674. __uint(max_entries, 1);
  675. } tmpmap SEC(".maps");
  676. bpftool is able to pretty print like below:
  677. ::
  678. [{
  679. "key": 0,
  680. "value": {
  681. "a1": 0x2,
  682. "a2": 0x4,
  683. "a3": 0x6,
  684. "b": 7,
  685. "b1": 0x8,
  686. "b2": 0xa
  687. }
  688. }
  689. ]
  690. 5.2 bpftool prog dump
  691. ---------------------
  692. The following is an example showing how func_info and line_info can help prog
  693. dump with better kernel symbol names, function prototypes and line
  694. information.::
  695. $ bpftool prog dump jited pinned /sys/fs/bpf/test_btf_haskv
  696. [...]
  697. int test_long_fname_2(struct dummy_tracepoint_args * arg):
  698. bpf_prog_44a040bf25481309_test_long_fname_2:
  699. ; static int test_long_fname_2(struct dummy_tracepoint_args *arg)
  700. 0: push %rbp
  701. 1: mov %rsp,%rbp
  702. 4: sub $0x30,%rsp
  703. b: sub $0x28,%rbp
  704. f: mov %rbx,0x0(%rbp)
  705. 13: mov %r13,0x8(%rbp)
  706. 17: mov %r14,0x10(%rbp)
  707. 1b: mov %r15,0x18(%rbp)
  708. 1f: xor %eax,%eax
  709. 21: mov %rax,0x20(%rbp)
  710. 25: xor %esi,%esi
  711. ; int key = 0;
  712. 27: mov %esi,-0x4(%rbp)
  713. ; if (!arg->sock)
  714. 2a: mov 0x8(%rdi),%rdi
  715. ; if (!arg->sock)
  716. 2e: cmp $0x0,%rdi
  717. 32: je 0x0000000000000070
  718. 34: mov %rbp,%rsi
  719. ; counts = bpf_map_lookup_elem(&btf_map, &key);
  720. [...]
  721. 5.3 Verifier Log
  722. ----------------
  723. The following is an example of how line_info can help debugging verification
  724. failure.::
  725. /* The code at tools/testing/selftests/bpf/test_xdp_noinline.c
  726. * is modified as below.
  727. */
  728. data = (void *)(long)xdp->data;
  729. data_end = (void *)(long)xdp->data_end;
  730. /*
  731. if (data + 4 > data_end)
  732. return XDP_DROP;
  733. */
  734. *(u32 *)data = dst->dst;
  735. $ bpftool prog load ./test_xdp_noinline.o /sys/fs/bpf/test_xdp_noinline type xdp
  736. ; data = (void *)(long)xdp->data;
  737. 224: (79) r2 = *(u64 *)(r10 -112)
  738. 225: (61) r2 = *(u32 *)(r2 +0)
  739. ; *(u32 *)data = dst->dst;
  740. 226: (63) *(u32 *)(r2 +0) = r1
  741. invalid access to packet, off=0 size=4, R2(id=0,off=0,r=0)
  742. R2 offset is outside of the packet
  743. 6. BTF Generation
  744. =================
  745. You need latest pahole
  746. https://git.kernel.org/pub/scm/devel/pahole/pahole.git/
  747. or llvm (8.0 or later). The pahole acts as a dwarf2btf converter. It doesn't
  748. support .BTF.ext and btf BTF_KIND_FUNC type yet. For example,::
  749. -bash-4.4$ cat t.c
  750. struct t {
  751. int a:2;
  752. int b:3;
  753. int c:2;
  754. } g;
  755. -bash-4.4$ gcc -c -O2 -g t.c
  756. -bash-4.4$ pahole -JV t.o
  757. File t.o:
  758. [1] STRUCT t kind_flag=1 size=4 vlen=3
  759. a type_id=2 bitfield_size=2 bits_offset=0
  760. b type_id=2 bitfield_size=3 bits_offset=2
  761. c type_id=2 bitfield_size=2 bits_offset=5
  762. [2] INT int size=4 bit_offset=0 nr_bits=32 encoding=SIGNED
  763. The llvm is able to generate .BTF and .BTF.ext directly with -g for bpf target
  764. only. The assembly code (-S) is able to show the BTF encoding in assembly
  765. format.::
  766. -bash-4.4$ cat t2.c
  767. typedef int __int32;
  768. struct t2 {
  769. int a2;
  770. int (*f2)(char q1, __int32 q2, ...);
  771. int (*f3)();
  772. } g2;
  773. int main() { return 0; }
  774. int test() { return 0; }
  775. -bash-4.4$ clang -c -g -O2 -target bpf t2.c
  776. -bash-4.4$ readelf -S t2.o
  777. ......
  778. [ 8] .BTF PROGBITS 0000000000000000 00000247
  779. 000000000000016e 0000000000000000 0 0 1
  780. [ 9] .BTF.ext PROGBITS 0000000000000000 000003b5
  781. 0000000000000060 0000000000000000 0 0 1
  782. [10] .rel.BTF.ext REL 0000000000000000 000007e0
  783. 0000000000000040 0000000000000010 16 9 8
  784. ......
  785. -bash-4.4$ clang -S -g -O2 -target bpf t2.c
  786. -bash-4.4$ cat t2.s
  787. ......
  788. .section .BTF,"",@progbits
  789. .short 60319 # 0xeb9f
  790. .byte 1
  791. .byte 0
  792. .long 24
  793. .long 0
  794. .long 220
  795. .long 220
  796. .long 122
  797. .long 0 # BTF_KIND_FUNC_PROTO(id = 1)
  798. .long 218103808 # 0xd000000
  799. .long 2
  800. .long 83 # BTF_KIND_INT(id = 2)
  801. .long 16777216 # 0x1000000
  802. .long 4
  803. .long 16777248 # 0x1000020
  804. ......
  805. .byte 0 # string offset=0
  806. .ascii ".text" # string offset=1
  807. .byte 0
  808. .ascii "/home/yhs/tmp-pahole/t2.c" # string offset=7
  809. .byte 0
  810. .ascii "int main() { return 0; }" # string offset=33
  811. .byte 0
  812. .ascii "int test() { return 0; }" # string offset=58
  813. .byte 0
  814. .ascii "int" # string offset=83
  815. ......
  816. .section .BTF.ext,"",@progbits
  817. .short 60319 # 0xeb9f
  818. .byte 1
  819. .byte 0
  820. .long 24
  821. .long 0
  822. .long 28
  823. .long 28
  824. .long 44
  825. .long 8 # FuncInfo
  826. .long 1 # FuncInfo section string offset=1
  827. .long 2
  828. .long .Lfunc_begin0
  829. .long 3
  830. .long .Lfunc_begin1
  831. .long 5
  832. .long 16 # LineInfo
  833. .long 1 # LineInfo section string offset=1
  834. .long 2
  835. .long .Ltmp0
  836. .long 7
  837. .long 33
  838. .long 7182 # Line 7 Col 14
  839. .long .Ltmp3
  840. .long 7
  841. .long 58
  842. .long 8206 # Line 8 Col 14
  843. 7. Testing
  844. ==========
  845. Kernel bpf selftest `test_btf.c` provides extensive set of BTF-related tests.