parca-agent VS ebpf

If that's true, you should probably update the docs. Everything I could find implied dotnet, jvm, python were still unsupported. For example, the roadmap section of the readme mentions most of these but nothing mentions dotnet. However I did find your tickets and a demo being merged in which makes it seem maybe supported?

Ticket: https://github.com/parca-dev/parca-agent/issues/161

Demo: https://github.com/parca-dev/parca-demo/pull/18

Couldn't see any advantages to this over https://github.com/parca-dev/parca-agent. Which uses eBPF so it can be used with non-instrumented apps and code paths.

The pervasive lack of frame pointers is the reason why we've developed a custom format derived from DWARF unwind information thanks to some insights: DWARF unwind information is incredible flexible, it supports many arches and allows restoring any arbitrary register. But we only need 3: the frame pointer, the stack pointer, and in non-x86 the return address.

In addition, this encoding doesn't use that many bytes, but unfortunately reading and parsing that information is quite expensive.

For that reason I've developed a new unwinder that uses custom unwind information derived from DWARF (https://www.polarsignals.com/blog/posts/2022/11/29/profiling..., previously discussed in https://news.ycombinator.com/item?id=33788794) that runs in BPF. This new compact representation can be binary searched easily and each unwind row has a size of 16 bytes. I are currently working on reducing it down to ~10 bytes.

All the code is fully OSS (Apache 2.0 for userspace and GPL for BPF), and part of the Parca project (https://github.com/parca-dev/parca-agent).

We've also given some talks in FOSDEM going deeper into how we made it scale for many big processes.

I find this surprising! Was this for off the shelf applications or some custom binaries?

As mentioned above, we see DWARF expressions such as `DW_CFA_def_cfa_expression` on the regular. See the "Test Plan" section and commit messages of the PR that introduced support for this particular opcode [0]

[0]: https://github.com/parca-dev/parca-agent/pull/1058

Let's see an example perf map file for NodeJS. The runtimes out there output this file with more or less the same format, more or less!

The good news is we got you covered. If you are using Parca Agent, we already do the heavy lifting for you to symbolize captured stack traces. And we keep extending our support for the different languages and runtimes.

Oh, no I don't mean that arbitrary Go compiles to eBPF. Apologies if I gave that impression. I meant that there are libraries that let you compose eBPF programs in other languages. But you're still putting together an eBPF program, just like you can assemble JSON with Go but you can't compile an arbitrary Go program to JSON.

Cilium's eBPF library is the Go one I had in mind: https://github.com/cilium/ebpf

Here's an example from that repo: https://github.com/cilium/ebpf/tree/main/examples/ringbuffer

The whole BPF verifier and development process is so botched, it's ridiculous. It's like maintainers decided to make this as hard as possible out of pettiness and "they have to use C APIs instead" or something.

- Loading an eBPF module without the CAP_BPF (and in some cases without the CAP_NET_ADMIN which you need for XDP) capabilities will generate a "unknown/invalid memory access" error which is super useless as an error message.

- In my personal opinion a bytecode format for both little endian (bpfel) and big endian (bpfeb) machines is kinda unnecessary. I mean, it's a virtual bytecode format for a reason, right!?

- Compiling eBPF via clang to the bpf bytecode format without debug symbols will make every following error message down the line utterly useless. Took me a while to figure out what "unknown scalar" really means. If you forget that "-g" flag you're totally fucked.

- Anything pointer related that eBPF verifier itself doesn't support will lead to "unknown scalar" errors which are actually out of bounds errors most of the time (e.g. have to use if pointer < size(packet) around it), which only happen in the verification process and can only be shown using the bpftool. If you miss them, good luck getting a better error message out of the kernel while loading the module.

- The bpftool maintainer is kind of unfriendly, he's telling you to read a book about the bytecode format if your code doesn't compile and you're asking about examples on how to use pointers inside a BPF codebase because it seems to enforce specific rules in terms of what kind of method (__always_static) are allowed to modify or allocate memory. There's a lot of limitations that are documented _nowhere_ on the internet, and seemingly all developers are supposed to know them by reading the bpftool codebase itself!? Who's the audience for using the bpftool then? Developers of the bpftool itself?

- The BCC tools (bpf compiler collection) are still using examples that can't compile on an up-to-date kernel. [1] If you don't have the old headers, you'll find a lot of issues that show you the specific git hash where the "bpf-helpers.h" file was still inside the kernel codebase.

- The libbpf repo contain also examples that won't compile. Especially the xdp related ones [2]

- There's also an ongoing migration of all projects (?) to xdp-tools, which seems to be redundant in terms of bpf related topics, but also has only a couple examples that somehow work [3]

- Literally the only userspace eBPF generation framework that worked outside a super outdated enterprise linux environment is the cilium ebpf project [4], but only because they're using the old "bpf-helpers.h" file that are meanwhile removed from the kernel itself. [5] They're also incomplete for things like the new "__u128" and "__bpf_helper_methods" syntax which are sometimes missing.

- The only working examples that can also be used for reference on "what's available" in terms of eBPF and kernel userspace APIs is a forked repo of the bootlin project [6] which literally taught me how to use eBPF in practice.

- All other (official?) examples show you how to make a bpf_printk call, but _none_ of them show you how to even interact with bpf maps (whose syntax changed like 5 times over the course of the last years, and 4 of them don't run through the verifier, obviously). They're also somewhat documented in the wiki of the libbpf project, without further explanation on why or what [7]. Without that bootlin repo I still would have no idea other than how to make a print inside a "kretprobe". Anything more advanced is totally undocumented.

- OpenSnitch even has a workflow that copies their own codebase inside the kernel codebase, just to make it compile - because all other ways are too redundant or too broken. Not kidding you. [8]

Note that none of any BPF related projects uses any kind of reliable version scheme, and none of those project uses anything "modern" like conan (or whatever) as a package manager. Because that would have been too easy to use, and too easy on documenting on what breaks when. /s

Overall I have to say, BPF was the worst development experience I ever had. Writing a kernel module is _easier_ than writing a BPF module, because then you have at least reliable tooling. In the BPF world, anything will and can break at any unpredictable moment. If you compare that to the experience of other development environments like say, JVM or even the JS world, where debuggers that interact with JIT compilers are the norm, well ... then you've successfully been transferred back to the PTSD moments of the 90s.

Honestly I don't know how people can use BPF and say "yeah this has been a great experience and I love it" and not realize how broken the tooling is on every damn level.

I totally recommend reading the book [9] and watching the YouTube videos of Liz Rice [10]. They're awesome, and they show you how to tackle some of the problems I mentioned. I think that without her work, BPF would have had zero chance of success.

What's missing in the BPF world is definitely better tooling, better error messages (e.g. "did you forget to do this?" or even "unexpected statement" would be sooooo much better than the current state), and an easier way to debug an eBPF program. Documentation on what's available and what is not is also necessary, because it's impossible to find out right now. If I am not allowed to use pointers or whatever, then say so in the beginning.

[1] https://github.com/iovisor/bcc

[2] https://github.com/libbpf/libbpf

[3] https://github.com/xdp-project/xdp-tools

[4] https://github.com/cilium/ebpf/

[5] https://github.com/cilium/ebpf/tree/master/examples/headers

[6] https://elixir.bootlin.com/linux/latest/source/tools/testing...

[7] https://github.com/libbpf/libbpf/wiki/Libbpf-1.0-migration-g...

[8] https://github.com/evilsocket/opensnitch/blob/master/ebpf_pr...

[9] https://isovalent.com/learning-ebpf/

[10] (e.g.) https://www.youtube.com/watch?v=L3_AOFSNKK8

Hey there! Of course. There are a few good examples here and here. Yes, they're specific tools (which I, by the way, do recommend), but you can have a look at the BPF code here as well.

ebpf-go by Cilium which is a pure-Go library to read, modify and load eBPF programs and attach them to various hooks in the Linux kernel.

cilium is probably the best one that has the widest use and is supported by cloudflare.

libbpfgo ebpf

Go library that provides utilities for loading, compiling, and debugging eBPF programs [https://github.com/cilium/ebpf]

The error I get is "could not import github.com/cilium/ebpf (no package for import github.com/cilium/ebpf". I have the variable lsp-go-library-directories-include-go-modules set to t and the directory $GOPATH/pkg/mod/github.com/cilium/[email protected] exists and has the correct code in it. What am I missing to make LSP pick up these libraries?

If you want to run something like monitoring or diagnostic code, maybe you could achieve something like this with eBPF (see https://github.com/cilium/ebpf).