1===================== 2BPF Type Format (BTF) 3===================== 4 51. Introduction 6=============== 7 8BTF (BPF Type Format) is the metadata format which encodes the debug info 9related to BPF program/map. The name BTF was used initially to describe data 10types. The BTF was later extended to include function info for defined 11subroutines, and line info for source/line information. 12 13The debug info is used for map pretty print, function signature, etc. The 14function signature enables better bpf program/function kernel symbol. The line 15info helps generate source annotated translated byte code, jited code and 16verifier log. 17 18The BTF specification contains two parts, 19 * BTF kernel API 20 * BTF ELF file format 21 22The kernel API is the contract between user space and kernel. The kernel 23verifies the BTF info before using it. The ELF file format is a user space 24contract between ELF file and libbpf loader. 25 26The type and string sections are part of the BTF kernel API, describing the 27debug info (mostly types related) referenced by the bpf program. These two 28sections are discussed in details in :ref:`BTF_Type_String`. 29 30.. _BTF_Type_String: 31 322. BTF Type and String Encoding 33=============================== 34 35The file ``include/uapi/linux/btf.h`` provides high-level definition of how 36types/strings are encoded. 37 38The beginning of data blob must be:: 39 40 struct btf_header { 41 __u16 magic; 42 __u8 version; 43 __u8 flags; 44 __u32 hdr_len; 45 46 /* All offsets are in bytes relative to the end of this header */ 47 __u32 type_off; /* offset of type section */ 48 __u32 type_len; /* length of type section */ 49 __u32 str_off; /* offset of string section */ 50 __u32 str_len; /* length of string section */ 51 }; 52 53The magic is ``0xeB9F``, which has different encoding for big and little 54endian systems, and can be used to test whether BTF is generated for big- or 55little-endian target. The ``btf_header`` is designed to be extensible with 56``hdr_len`` equal to ``sizeof(struct btf_header)`` when a data blob is 57generated. 58 592.1 String Encoding 60------------------- 61 62The first string in the string section must be a null string. The rest of 63string table is a concatenation of other null-terminated strings. 64 652.2 Type Encoding 66----------------- 67 68The type id ``0`` is reserved for ``void`` type. The type section is parsed 69sequentially and type id is assigned to each recognized type starting from id 70``1``. Currently, the following types are supported:: 71 72 #define BTF_KIND_INT 1 /* Integer */ 73 #define BTF_KIND_PTR 2 /* Pointer */ 74 #define BTF_KIND_ARRAY 3 /* Array */ 75 #define BTF_KIND_STRUCT 4 /* Struct */ 76 #define BTF_KIND_UNION 5 /* Union */ 77 #define BTF_KIND_ENUM 6 /* Enumeration up to 32-bit values */ 78 #define BTF_KIND_FWD 7 /* Forward */ 79 #define BTF_KIND_TYPEDEF 8 /* Typedef */ 80 #define BTF_KIND_VOLATILE 9 /* Volatile */ 81 #define BTF_KIND_CONST 10 /* Const */ 82 #define BTF_KIND_RESTRICT 11 /* Restrict */ 83 #define BTF_KIND_FUNC 12 /* Function */ 84 #define BTF_KIND_FUNC_PROTO 13 /* Function Proto */ 85 #define BTF_KIND_VAR 14 /* Variable */ 86 #define BTF_KIND_DATASEC 15 /* Section */ 87 #define BTF_KIND_FLOAT 16 /* Floating point */ 88 #define BTF_KIND_DECL_TAG 17 /* Decl Tag */ 89 #define BTF_KIND_TYPE_TAG 18 /* Type Tag */ 90 #define BTF_KIND_ENUM64 19 /* Enumeration up to 64-bit values */ 91 92Note that the type section encodes debug info, not just pure types. 93``BTF_KIND_FUNC`` is not a type, and it represents a defined subprogram. 94 95Each type contains the following common data:: 96 97 struct btf_type { 98 __u32 name_off; 99 /* "info" bits arrangement 100 * bits 0-15: vlen (e.g. # of struct's members) 101 * bits 16-23: unused 102 * bits 24-28: kind (e.g. int, ptr, array...etc) 103 * bits 29-30: unused 104 * bit 31: kind_flag, currently used by 105 * struct, union, fwd, enum and enum64. 106 */ 107 __u32 info; 108 /* "size" is used by INT, ENUM, STRUCT, UNION and ENUM64. 109 * "size" tells the size of the type it is describing. 110 * 111 * "type" is used by PTR, TYPEDEF, VOLATILE, CONST, RESTRICT, 112 * FUNC, FUNC_PROTO, DECL_TAG and TYPE_TAG. 113 * "type" is a type_id referring to another type. 114 */ 115 union { 116 __u32 size; 117 __u32 type; 118 }; 119 }; 120 121For certain kinds, the common data are followed by kind-specific data. The 122``name_off`` in ``struct btf_type`` specifies the offset in the string table. 123The following sections detail encoding of each kind. 124 1252.2.1 BTF_KIND_INT 126~~~~~~~~~~~~~~~~~~ 127 128``struct btf_type`` encoding requirement: 129 * ``name_off``: any valid offset 130 * ``info.kind_flag``: 0 131 * ``info.kind``: BTF_KIND_INT 132 * ``info.vlen``: 0 133 * ``size``: the size of the int type in bytes. 134 135``btf_type`` is followed by a ``u32`` with the following bits arrangement:: 136 137 #define BTF_INT_ENCODING(VAL) (((VAL) & 0x0f000000) >> 24) 138 #define BTF_INT_OFFSET(VAL) (((VAL) & 0x00ff0000) >> 16) 139 #define BTF_INT_BITS(VAL) ((VAL) & 0x000000ff) 140 141The ``BTF_INT_ENCODING`` has the following attributes:: 142 143 #define BTF_INT_SIGNED (1 << 0) 144 #define BTF_INT_CHAR (1 << 1) 145 #define BTF_INT_BOOL (1 << 2) 146 147The ``BTF_INT_ENCODING()`` provides extra information: signedness, char, or 148bool, for the int type. The char and bool encoding are mostly useful for 149pretty print. At most one encoding can be specified for the int type. 150 151The ``BTF_INT_BITS()`` specifies the number of actual bits held by this int 152type. For example, a 4-bit bitfield encodes ``BTF_INT_BITS()`` equals to 4. 153The ``btf_type.size * 8`` must be equal to or greater than ``BTF_INT_BITS()`` 154for the type. The maximum value of ``BTF_INT_BITS()`` is 128. 155 156The ``BTF_INT_OFFSET()`` specifies the starting bit offset to calculate values 157for this int. For example, a bitfield struct member has: 158 159 * btf member bit offset 100 from the start of the structure, 160 * btf member pointing to an int type, 161 * the int type has ``BTF_INT_OFFSET() = 2`` and ``BTF_INT_BITS() = 4`` 162 163Then in the struct memory layout, this member will occupy ``4`` bits starting 164from bits ``100 + 2 = 102``. 165 166Alternatively, the bitfield struct member can be the following to access the 167same bits as the above: 168 169 * btf member bit offset 102, 170 * btf member pointing to an int type, 171 * the int type has ``BTF_INT_OFFSET() = 0`` and ``BTF_INT_BITS() = 4`` 172 173The original intention of ``BTF_INT_OFFSET()`` is to provide flexibility of 174bitfield encoding. Currently, both llvm and pahole generate 175``BTF_INT_OFFSET() = 0`` for all int types. 176 1772.2.2 BTF_KIND_PTR 178~~~~~~~~~~~~~~~~~~ 179 180``struct btf_type`` encoding requirement: 181 * ``name_off``: 0 182 * ``info.kind_flag``: 0 183 * ``info.kind``: BTF_KIND_PTR 184 * ``info.vlen``: 0 185 * ``type``: the pointee type of the pointer 186 187No additional type data follow ``btf_type``. 188 1892.2.3 BTF_KIND_ARRAY 190~~~~~~~~~~~~~~~~~~~~ 191 192``struct btf_type`` encoding requirement: 193 * ``name_off``: 0 194 * ``info.kind_flag``: 0 195 * ``info.kind``: BTF_KIND_ARRAY 196 * ``info.vlen``: 0 197 * ``size/type``: 0, not used 198 199``btf_type`` is followed by one ``struct btf_array``:: 200 201 struct btf_array { 202 __u32 type; 203 __u32 index_type; 204 __u32 nelems; 205 }; 206 207The ``struct btf_array`` encoding: 208 * ``type``: the element type 209 * ``index_type``: the index type 210 * ``nelems``: the number of elements for this array (``0`` is also allowed). 211 212The ``index_type`` can be any regular int type (``u8``, ``u16``, ``u32``, 213``u64``, ``unsigned __int128``). The original design of including 214``index_type`` follows DWARF, which has an ``index_type`` for its array type. 215Currently in BTF, beyond type verification, the ``index_type`` is not used. 216 217The ``struct btf_array`` allows chaining through element type to represent 218multidimensional arrays. For example, for ``int a[5][6]``, the following type 219information illustrates the chaining: 220 221 * [1]: int 222 * [2]: array, ``btf_array.type = [1]``, ``btf_array.nelems = 6`` 223 * [3]: array, ``btf_array.type = [2]``, ``btf_array.nelems = 5`` 224 225Currently, both pahole and llvm collapse multidimensional array into 226one-dimensional array, e.g., for ``a[5][6]``, the ``btf_array.nelems`` is 227equal to ``30``. This is because the original use case is map pretty print 228where the whole array is dumped out so one-dimensional array is enough. As 229more BTF usage is explored, pahole and llvm can be changed to generate proper 230chained representation for multidimensional arrays. 231 2322.2.4 BTF_KIND_STRUCT 233~~~~~~~~~~~~~~~~~~~~~ 2342.2.5 BTF_KIND_UNION 235~~~~~~~~~~~~~~~~~~~~ 236 237``struct btf_type`` encoding requirement: 238 * ``name_off``: 0 or offset to a valid C identifier 239 * ``info.kind_flag``: 0 or 1 240 * ``info.kind``: BTF_KIND_STRUCT or BTF_KIND_UNION 241 * ``info.vlen``: the number of struct/union members 242 * ``info.size``: the size of the struct/union in bytes 243 244``btf_type`` is followed by ``info.vlen`` number of ``struct btf_member``.:: 245 246 struct btf_member { 247 __u32 name_off; 248 __u32 type; 249 __u32 offset; 250 }; 251 252``struct btf_member`` encoding: 253 * ``name_off``: offset to a valid C identifier 254 * ``type``: the member type 255 * ``offset``: <see below> 256 257If the type info ``kind_flag`` is not set, the offset contains only bit offset 258of the member. Note that the base type of the bitfield can only be int or enum 259type. If the bitfield size is 32, the base type can be either int or enum 260type. If the bitfield size is not 32, the base type must be int, and int type 261``BTF_INT_BITS()`` encodes the bitfield size. 262 263If the ``kind_flag`` is set, the ``btf_member.offset`` contains both member 264bitfield size and bit offset. The bitfield size and bit offset are calculated 265as below.:: 266 267 #define BTF_MEMBER_BITFIELD_SIZE(val) ((val) >> 24) 268 #define BTF_MEMBER_BIT_OFFSET(val) ((val) & 0xffffff) 269 270In this case, if the base type is an int type, it must be a regular int type: 271 272 * ``BTF_INT_OFFSET()`` must be 0. 273 * ``BTF_INT_BITS()`` must be equal to ``{1,2,4,8,16} * 8``. 274 275The following kernel patch introduced ``kind_flag`` and explained why both 276modes exist: 277 278 https://github.com/torvalds/linux/commit/9d5f9f701b1891466fb3dbb1806ad97716f95cc3#diff-fa650a64fdd3968396883d2fe8215ff3 279 2802.2.6 BTF_KIND_ENUM 281~~~~~~~~~~~~~~~~~~~ 282 283``struct btf_type`` encoding requirement: 284 * ``name_off``: 0 or offset to a valid C identifier 285 * ``info.kind_flag``: 0 for unsigned, 1 for signed 286 * ``info.kind``: BTF_KIND_ENUM 287 * ``info.vlen``: number of enum values 288 * ``size``: 1/2/4/8 289 290``btf_type`` is followed by ``info.vlen`` number of ``struct btf_enum``.:: 291 292 struct btf_enum { 293 __u32 name_off; 294 __s32 val; 295 }; 296 297The ``btf_enum`` encoding: 298 * ``name_off``: offset to a valid C identifier 299 * ``val``: any value 300 301If the original enum value is signed and the size is less than 4, 302that value will be sign extended into 4 bytes. If the size is 8, 303the value will be truncated into 4 bytes. 304 3052.2.7 BTF_KIND_FWD 306~~~~~~~~~~~~~~~~~~ 307 308``struct btf_type`` encoding requirement: 309 * ``name_off``: offset to a valid C identifier 310 * ``info.kind_flag``: 0 for struct, 1 for union 311 * ``info.kind``: BTF_KIND_FWD 312 * ``info.vlen``: 0 313 * ``type``: 0 314 315No additional type data follow ``btf_type``. 316 3172.2.8 BTF_KIND_TYPEDEF 318~~~~~~~~~~~~~~~~~~~~~~ 319 320``struct btf_type`` encoding requirement: 321 * ``name_off``: offset to a valid C identifier 322 * ``info.kind_flag``: 0 323 * ``info.kind``: BTF_KIND_TYPEDEF 324 * ``info.vlen``: 0 325 * ``type``: the type which can be referred by name at ``name_off`` 326 327No additional type data follow ``btf_type``. 328 3292.2.9 BTF_KIND_VOLATILE 330~~~~~~~~~~~~~~~~~~~~~~~ 331 332``struct btf_type`` encoding requirement: 333 * ``name_off``: 0 334 * ``info.kind_flag``: 0 335 * ``info.kind``: BTF_KIND_VOLATILE 336 * ``info.vlen``: 0 337 * ``type``: the type with ``volatile`` qualifier 338 339No additional type data follow ``btf_type``. 340 3412.2.10 BTF_KIND_CONST 342~~~~~~~~~~~~~~~~~~~~~ 343 344``struct btf_type`` encoding requirement: 345 * ``name_off``: 0 346 * ``info.kind_flag``: 0 347 * ``info.kind``: BTF_KIND_CONST 348 * ``info.vlen``: 0 349 * ``type``: the type with ``const`` qualifier 350 351No additional type data follow ``btf_type``. 352 3532.2.11 BTF_KIND_RESTRICT 354~~~~~~~~~~~~~~~~~~~~~~~~ 355 356``struct btf_type`` encoding requirement: 357 * ``name_off``: 0 358 * ``info.kind_flag``: 0 359 * ``info.kind``: BTF_KIND_RESTRICT 360 * ``info.vlen``: 0 361 * ``type``: the type with ``restrict`` qualifier 362 363No additional type data follow ``btf_type``. 364 3652.2.12 BTF_KIND_FUNC 366~~~~~~~~~~~~~~~~~~~~ 367 368``struct btf_type`` encoding requirement: 369 * ``name_off``: offset to a valid C identifier 370 * ``info.kind_flag``: 0 371 * ``info.kind``: BTF_KIND_FUNC 372 * ``info.vlen``: 0 373 * ``type``: a BTF_KIND_FUNC_PROTO type 374 375No additional type data follow ``btf_type``. 376 377A BTF_KIND_FUNC defines not a type, but a subprogram (function) whose 378signature is defined by ``type``. The subprogram is thus an instance of that 379type. The BTF_KIND_FUNC may in turn be referenced by a func_info in the 380:ref:`BTF_Ext_Section` (ELF) or in the arguments to :ref:`BPF_Prog_Load` 381(ABI). 382 3832.2.13 BTF_KIND_FUNC_PROTO 384~~~~~~~~~~~~~~~~~~~~~~~~~~ 385 386``struct btf_type`` encoding requirement: 387 * ``name_off``: 0 388 * ``info.kind_flag``: 0 389 * ``info.kind``: BTF_KIND_FUNC_PROTO 390 * ``info.vlen``: # of parameters 391 * ``type``: the return type 392 393``btf_type`` is followed by ``info.vlen`` number of ``struct btf_param``.:: 394 395 struct btf_param { 396 __u32 name_off; 397 __u32 type; 398 }; 399 400If a BTF_KIND_FUNC_PROTO type is referred by a BTF_KIND_FUNC type, then 401``btf_param.name_off`` must point to a valid C identifier except for the 402possible last argument representing the variable argument. The btf_param.type 403refers to parameter type. 404 405If the function has variable arguments, the last parameter is encoded with 406``name_off = 0`` and ``type = 0``. 407 4082.2.14 BTF_KIND_VAR 409~~~~~~~~~~~~~~~~~~~ 410 411``struct btf_type`` encoding requirement: 412 * ``name_off``: offset to a valid C identifier 413 * ``info.kind_flag``: 0 414 * ``info.kind``: BTF_KIND_VAR 415 * ``info.vlen``: 0 416 * ``type``: the type of the variable 417 418``btf_type`` is followed by a single ``struct btf_variable`` with the 419following data:: 420 421 struct btf_var { 422 __u32 linkage; 423 }; 424 425``struct btf_var`` encoding: 426 * ``linkage``: currently only static variable 0, or globally allocated 427 variable in ELF sections 1 428 429Not all type of global variables are supported by LLVM at this point. 430The following is currently available: 431 432 * static variables with or without section attributes 433 * global variables with section attributes 434 435The latter is for future extraction of map key/value type id's from a 436map definition. 437 4382.2.15 BTF_KIND_DATASEC 439~~~~~~~~~~~~~~~~~~~~~~~ 440 441``struct btf_type`` encoding requirement: 442 * ``name_off``: offset to a valid name associated with a variable or 443 one of .data/.bss/.rodata 444 * ``info.kind_flag``: 0 445 * ``info.kind``: BTF_KIND_DATASEC 446 * ``info.vlen``: # of variables 447 * ``size``: total section size in bytes (0 at compilation time, patched 448 to actual size by BPF loaders such as libbpf) 449 450``btf_type`` is followed by ``info.vlen`` number of ``struct btf_var_secinfo``.:: 451 452 struct btf_var_secinfo { 453 __u32 type; 454 __u32 offset; 455 __u32 size; 456 }; 457 458``struct btf_var_secinfo`` encoding: 459 * ``type``: the type of the BTF_KIND_VAR variable 460 * ``offset``: the in-section offset of the variable 461 * ``size``: the size of the variable in bytes 462 4632.2.16 BTF_KIND_FLOAT 464~~~~~~~~~~~~~~~~~~~~~ 465 466``struct btf_type`` encoding requirement: 467 * ``name_off``: any valid offset 468 * ``info.kind_flag``: 0 469 * ``info.kind``: BTF_KIND_FLOAT 470 * ``info.vlen``: 0 471 * ``size``: the size of the float type in bytes: 2, 4, 8, 12 or 16. 472 473No additional type data follow ``btf_type``. 474 4752.2.17 BTF_KIND_DECL_TAG 476~~~~~~~~~~~~~~~~~~~~~~~~ 477 478``struct btf_type`` encoding requirement: 479 * ``name_off``: offset to a non-empty string 480 * ``info.kind_flag``: 0 481 * ``info.kind``: BTF_KIND_DECL_TAG 482 * ``info.vlen``: 0 483 * ``type``: ``struct``, ``union``, ``func``, ``var`` or ``typedef`` 484 485``btf_type`` is followed by ``struct btf_decl_tag``.:: 486 487 struct btf_decl_tag { 488 __u32 component_idx; 489 }; 490 491The ``name_off`` encodes btf_decl_tag attribute string. 492The ``type`` should be ``struct``, ``union``, ``func``, ``var`` or ``typedef``. 493For ``var`` or ``typedef`` type, ``btf_decl_tag.component_idx`` must be ``-1``. 494For the other three types, if the btf_decl_tag attribute is 495applied to the ``struct``, ``union`` or ``func`` itself, 496``btf_decl_tag.component_idx`` must be ``-1``. Otherwise, 497the attribute is applied to a ``struct``/``union`` member or 498a ``func`` argument, and ``btf_decl_tag.component_idx`` should be a 499valid index (starting from 0) pointing to a member or an argument. 500 5012.2.18 BTF_KIND_TYPE_TAG 502~~~~~~~~~~~~~~~~~~~~~~~~ 503 504``struct btf_type`` encoding requirement: 505 * ``name_off``: offset to a non-empty string 506 * ``info.kind_flag``: 0 507 * ``info.kind``: BTF_KIND_TYPE_TAG 508 * ``info.vlen``: 0 509 * ``type``: the type with ``btf_type_tag`` attribute 510 511Currently, ``BTF_KIND_TYPE_TAG`` is only emitted for pointer types. 512It has the following btf type chain: 513:: 514 515 ptr -> [type_tag]* 516 -> [const | volatile | restrict | typedef]* 517 -> base_type 518 519Basically, a pointer type points to zero or more 520type_tag, then zero or more const/volatile/restrict/typedef 521and finally the base type. The base type is one of 522int, ptr, array, struct, union, enum, func_proto and float types. 523 5242.2.19 BTF_KIND_ENUM64 525~~~~~~~~~~~~~~~~~~~~~~ 526 527``struct btf_type`` encoding requirement: 528 * ``name_off``: 0 or offset to a valid C identifier 529 * ``info.kind_flag``: 0 for unsigned, 1 for signed 530 * ``info.kind``: BTF_KIND_ENUM64 531 * ``info.vlen``: number of enum values 532 * ``size``: 1/2/4/8 533 534``btf_type`` is followed by ``info.vlen`` number of ``struct btf_enum64``.:: 535 536 struct btf_enum64 { 537 __u32 name_off; 538 __u32 val_lo32; 539 __u32 val_hi32; 540 }; 541 542The ``btf_enum64`` encoding: 543 * ``name_off``: offset to a valid C identifier 544 * ``val_lo32``: lower 32-bit value for a 64-bit value 545 * ``val_hi32``: high 32-bit value for a 64-bit value 546 547If the original enum value is signed and the size is less than 8, 548that value will be sign extended into 8 bytes. 549 5503. BTF Kernel API 551================= 552 553The following bpf syscall command involves BTF: 554 * BPF_BTF_LOAD: load a blob of BTF data into kernel 555 * BPF_MAP_CREATE: map creation with btf key and value type info. 556 * BPF_PROG_LOAD: prog load with btf function and line info. 557 * BPF_BTF_GET_FD_BY_ID: get a btf fd 558 * BPF_OBJ_GET_INFO_BY_FD: btf, func_info, line_info 559 and other btf related info are returned. 560 561The workflow typically looks like: 562:: 563 564 Application: 565 BPF_BTF_LOAD 566 | 567 v 568 BPF_MAP_CREATE and BPF_PROG_LOAD 569 | 570 V 571 ...... 572 573 Introspection tool: 574 ...... 575 BPF_{PROG,MAP}_GET_NEXT_ID (get prog/map id's) 576 | 577 V 578 BPF_{PROG,MAP}_GET_FD_BY_ID (get a prog/map fd) 579 | 580 V 581 BPF_OBJ_GET_INFO_BY_FD (get bpf_prog_info/bpf_map_info with btf_id) 582 | | 583 V | 584 BPF_BTF_GET_FD_BY_ID (get btf_fd) | 585 | | 586 V | 587 BPF_OBJ_GET_INFO_BY_FD (get btf) | 588 | | 589 V V 590 pretty print types, dump func signatures and line info, etc. 591 592 5933.1 BPF_BTF_LOAD 594---------------- 595 596Load a blob of BTF data into kernel. A blob of data, described in 597:ref:`BTF_Type_String`, can be directly loaded into the kernel. A ``btf_fd`` 598is returned to a userspace. 599 6003.2 BPF_MAP_CREATE 601------------------ 602 603A map can be created with ``btf_fd`` and specified key/value type id.:: 604 605 __u32 btf_fd; /* fd pointing to a BTF type data */ 606 __u32 btf_key_type_id; /* BTF type_id of the key */ 607 __u32 btf_value_type_id; /* BTF type_id of the value */ 608 609In libbpf, the map can be defined with extra annotation like below: 610:: 611 612 struct { 613 __uint(type, BPF_MAP_TYPE_ARRAY); 614 __type(key, int); 615 __type(value, struct ipv_counts); 616 __uint(max_entries, 4); 617 } btf_map SEC(".maps"); 618 619During ELF parsing, libbpf is able to extract key/value type_id's and assign 620them to BPF_MAP_CREATE attributes automatically. 621 622.. _BPF_Prog_Load: 623 6243.3 BPF_PROG_LOAD 625----------------- 626 627During prog_load, func_info and line_info can be passed to kernel with proper 628values for the following attributes: 629:: 630 631 __u32 insn_cnt; 632 __aligned_u64 insns; 633 ...... 634 __u32 prog_btf_fd; /* fd pointing to BTF type data */ 635 __u32 func_info_rec_size; /* userspace bpf_func_info size */ 636 __aligned_u64 func_info; /* func info */ 637 __u32 func_info_cnt; /* number of bpf_func_info records */ 638 __u32 line_info_rec_size; /* userspace bpf_line_info size */ 639 __aligned_u64 line_info; /* line info */ 640 __u32 line_info_cnt; /* number of bpf_line_info records */ 641 642The func_info and line_info are an array of below, respectively.:: 643 644 struct bpf_func_info { 645 __u32 insn_off; /* [0, insn_cnt - 1] */ 646 __u32 type_id; /* pointing to a BTF_KIND_FUNC type */ 647 }; 648 struct bpf_line_info { 649 __u32 insn_off; /* [0, insn_cnt - 1] */ 650 __u32 file_name_off; /* offset to string table for the filename */ 651 __u32 line_off; /* offset to string table for the source line */ 652 __u32 line_col; /* line number and column number */ 653 }; 654 655func_info_rec_size is the size of each func_info record, and 656line_info_rec_size is the size of each line_info record. Passing the record 657size to kernel make it possible to extend the record itself in the future. 658 659Below are requirements for func_info: 660 * func_info[0].insn_off must be 0. 661 * the func_info insn_off is in strictly increasing order and matches 662 bpf func boundaries. 663 664Below are requirements for line_info: 665 * the first insn in each func must have a line_info record pointing to it. 666 * the line_info insn_off is in strictly increasing order. 667 668For line_info, the line number and column number are defined as below: 669:: 670 671 #define BPF_LINE_INFO_LINE_NUM(line_col) ((line_col) >> 10) 672 #define BPF_LINE_INFO_LINE_COL(line_col) ((line_col) & 0x3ff) 673 6743.4 BPF_{PROG,MAP}_GET_NEXT_ID 675------------------------------ 676 677In kernel, every loaded program, map or btf has a unique id. The id won't 678change during the lifetime of a program, map, or btf. 679 680The bpf syscall command BPF_{PROG,MAP}_GET_NEXT_ID returns all id's, one for 681each command, to user space, for bpf program or maps, respectively, so an 682inspection tool can inspect all programs and maps. 683 6843.5 BPF_{PROG,MAP}_GET_FD_BY_ID 685------------------------------- 686 687An introspection tool cannot use id to get details about program or maps. 688A file descriptor needs to be obtained first for reference-counting purpose. 689 6903.6 BPF_OBJ_GET_INFO_BY_FD 691-------------------------- 692 693Once a program/map fd is acquired, an introspection tool can get the detailed 694information from kernel about this fd, some of which are BTF-related. For 695example, ``bpf_map_info`` returns ``btf_id`` and key/value type ids. 696``bpf_prog_info`` returns ``btf_id``, func_info, and line info for translated 697bpf byte codes, and jited_line_info. 698 6993.7 BPF_BTF_GET_FD_BY_ID 700------------------------ 701 702With ``btf_id`` obtained in ``bpf_map_info`` and ``bpf_prog_info``, bpf 703syscall command BPF_BTF_GET_FD_BY_ID can retrieve a btf fd. Then, with 704command BPF_OBJ_GET_INFO_BY_FD, the btf blob, originally loaded into the 705kernel with BPF_BTF_LOAD, can be retrieved. 706 707With the btf blob, ``bpf_map_info``, and ``bpf_prog_info``, an introspection 708tool has full btf knowledge and is able to pretty print map key/values, dump 709func signatures and line info, along with byte/jit codes. 710 7114. ELF File Format Interface 712============================ 713 7144.1 .BTF section 715---------------- 716 717The .BTF section contains type and string data. The format of this section is 718same as the one describe in :ref:`BTF_Type_String`. 719 720.. _BTF_Ext_Section: 721 7224.2 .BTF.ext section 723-------------------- 724 725The .BTF.ext section encodes func_info and line_info which needs loader 726manipulation before loading into the kernel. 727 728The specification for .BTF.ext section is defined at ``tools/lib/bpf/btf.h`` 729and ``tools/lib/bpf/btf.c``. 730 731The current header of .BTF.ext section:: 732 733 struct btf_ext_header { 734 __u16 magic; 735 __u8 version; 736 __u8 flags; 737 __u32 hdr_len; 738 739 /* All offsets are in bytes relative to the end of this header */ 740 __u32 func_info_off; 741 __u32 func_info_len; 742 __u32 line_info_off; 743 __u32 line_info_len; 744 }; 745 746It is very similar to .BTF section. Instead of type/string section, it 747contains func_info and line_info section. See :ref:`BPF_Prog_Load` for details 748about func_info and line_info record format. 749 750The func_info is organized as below.:: 751 752 func_info_rec_size 753 btf_ext_info_sec for section #1 /* func_info for section #1 */ 754 btf_ext_info_sec for section #2 /* func_info for section #2 */ 755 ... 756 757``func_info_rec_size`` specifies the size of ``bpf_func_info`` structure when 758.BTF.ext is generated. ``btf_ext_info_sec``, defined below, is a collection of 759func_info for each specific ELF section.:: 760 761 struct btf_ext_info_sec { 762 __u32 sec_name_off; /* offset to section name */ 763 __u32 num_info; 764 /* Followed by num_info * record_size number of bytes */ 765 __u8 data[0]; 766 }; 767 768Here, num_info must be greater than 0. 769 770The line_info is organized as below.:: 771 772 line_info_rec_size 773 btf_ext_info_sec for section #1 /* line_info for section #1 */ 774 btf_ext_info_sec for section #2 /* line_info for section #2 */ 775 ... 776 777``line_info_rec_size`` specifies the size of ``bpf_line_info`` structure when 778.BTF.ext is generated. 779 780The interpretation of ``bpf_func_info->insn_off`` and 781``bpf_line_info->insn_off`` is different between kernel API and ELF API. For 782kernel API, the ``insn_off`` is the instruction offset in the unit of ``struct 783bpf_insn``. For ELF API, the ``insn_off`` is the byte offset from the 784beginning of section (``btf_ext_info_sec->sec_name_off``). 785 7864.2 .BTF_ids section 787-------------------- 788 789The .BTF_ids section encodes BTF ID values that are used within the kernel. 790 791This section is created during the kernel compilation with the help of 792macros defined in ``include/linux/btf_ids.h`` header file. Kernel code can 793use them to create lists and sets (sorted lists) of BTF ID values. 794 795The ``BTF_ID_LIST`` and ``BTF_ID`` macros define unsorted list of BTF ID values, 796with following syntax:: 797 798 BTF_ID_LIST(list) 799 BTF_ID(type1, name1) 800 BTF_ID(type2, name2) 801 802resulting in following layout in .BTF_ids section:: 803 804 __BTF_ID__type1__name1__1: 805 .zero 4 806 __BTF_ID__type2__name2__2: 807 .zero 4 808 809The ``u32 list[];`` variable is defined to access the list. 810 811The ``BTF_ID_UNUSED`` macro defines 4 zero bytes. It's used when we 812want to define unused entry in BTF_ID_LIST, like:: 813 814 BTF_ID_LIST(bpf_skb_output_btf_ids) 815 BTF_ID(struct, sk_buff) 816 BTF_ID_UNUSED 817 BTF_ID(struct, task_struct) 818 819The ``BTF_SET_START/END`` macros pair defines sorted list of BTF ID values 820and their count, with following syntax:: 821 822 BTF_SET_START(set) 823 BTF_ID(type1, name1) 824 BTF_ID(type2, name2) 825 BTF_SET_END(set) 826 827resulting in following layout in .BTF_ids section:: 828 829 __BTF_ID__set__set: 830 .zero 4 831 __BTF_ID__type1__name1__3: 832 .zero 4 833 __BTF_ID__type2__name2__4: 834 .zero 4 835 836The ``struct btf_id_set set;`` variable is defined to access the list. 837 838The ``typeX`` name can be one of following:: 839 840 struct, union, typedef, func 841 842and is used as a filter when resolving the BTF ID value. 843 844All the BTF ID lists and sets are compiled in the .BTF_ids section and 845resolved during the linking phase of kernel build by ``resolve_btfids`` tool. 846 8475. Using BTF 848============ 849 8505.1 bpftool map pretty print 851---------------------------- 852 853With BTF, the map key/value can be printed based on fields rather than simply 854raw bytes. This is especially valuable for large structure or if your data 855structure has bitfields. For example, for the following map,:: 856 857 enum A { A1, A2, A3, A4, A5 }; 858 typedef enum A ___A; 859 struct tmp_t { 860 char a1:4; 861 int a2:4; 862 int :4; 863 __u32 a3:4; 864 int b; 865 ___A b1:4; 866 enum A b2:4; 867 }; 868 struct { 869 __uint(type, BPF_MAP_TYPE_ARRAY); 870 __type(key, int); 871 __type(value, struct tmp_t); 872 __uint(max_entries, 1); 873 } tmpmap SEC(".maps"); 874 875bpftool is able to pretty print like below: 876:: 877 878 [{ 879 "key": 0, 880 "value": { 881 "a1": 0x2, 882 "a2": 0x4, 883 "a3": 0x6, 884 "b": 7, 885 "b1": 0x8, 886 "b2": 0xa 887 } 888 } 889 ] 890 8915.2 bpftool prog dump 892--------------------- 893 894The following is an example showing how func_info and line_info can help prog 895dump with better kernel symbol names, function prototypes and line 896information.:: 897 898 $ bpftool prog dump jited pinned /sys/fs/bpf/test_btf_haskv 899 [...] 900 int test_long_fname_2(struct dummy_tracepoint_args * arg): 901 bpf_prog_44a040bf25481309_test_long_fname_2: 902 ; static int test_long_fname_2(struct dummy_tracepoint_args *arg) 903 0: push %rbp 904 1: mov %rsp,%rbp 905 4: sub $0x30,%rsp 906 b: sub $0x28,%rbp 907 f: mov %rbx,0x0(%rbp) 908 13: mov %r13,0x8(%rbp) 909 17: mov %r14,0x10(%rbp) 910 1b: mov %r15,0x18(%rbp) 911 1f: xor %eax,%eax 912 21: mov %rax,0x20(%rbp) 913 25: xor %esi,%esi 914 ; int key = 0; 915 27: mov %esi,-0x4(%rbp) 916 ; if (!arg->sock) 917 2a: mov 0x8(%rdi),%rdi 918 ; if (!arg->sock) 919 2e: cmp $0x0,%rdi 920 32: je 0x0000000000000070 921 34: mov %rbp,%rsi 922 ; counts = bpf_map_lookup_elem(&btf_map, &key); 923 [...] 924 9255.3 Verifier Log 926---------------- 927 928The following is an example of how line_info can help debugging verification 929failure.:: 930 931 /* The code at tools/testing/selftests/bpf/test_xdp_noinline.c 932 * is modified as below. 933 */ 934 data = (void *)(long)xdp->data; 935 data_end = (void *)(long)xdp->data_end; 936 /* 937 if (data + 4 > data_end) 938 return XDP_DROP; 939 */ 940 *(u32 *)data = dst->dst; 941 942 $ bpftool prog load ./test_xdp_noinline.o /sys/fs/bpf/test_xdp_noinline type xdp 943 ; data = (void *)(long)xdp->data; 944 224: (79) r2 = *(u64 *)(r10 -112) 945 225: (61) r2 = *(u32 *)(r2 +0) 946 ; *(u32 *)data = dst->dst; 947 226: (63) *(u32 *)(r2 +0) = r1 948 invalid access to packet, off=0 size=4, R2(id=0,off=0,r=0) 949 R2 offset is outside of the packet 950 9516. BTF Generation 952================= 953 954You need latest pahole 955 956 https://git.kernel.org/pub/scm/devel/pahole/pahole.git/ 957 958or llvm (8.0 or later). The pahole acts as a dwarf2btf converter. It doesn't 959support .BTF.ext and btf BTF_KIND_FUNC type yet. For example,:: 960 961 -bash-4.4$ cat t.c 962 struct t { 963 int a:2; 964 int b:3; 965 int c:2; 966 } g; 967 -bash-4.4$ gcc -c -O2 -g t.c 968 -bash-4.4$ pahole -JV t.o 969 File t.o: 970 [1] STRUCT t kind_flag=1 size=4 vlen=3 971 a type_id=2 bitfield_size=2 bits_offset=0 972 b type_id=2 bitfield_size=3 bits_offset=2 973 c type_id=2 bitfield_size=2 bits_offset=5 974 [2] INT int size=4 bit_offset=0 nr_bits=32 encoding=SIGNED 975 976The llvm is able to generate .BTF and .BTF.ext directly with -g for bpf target 977only. The assembly code (-S) is able to show the BTF encoding in assembly 978format.:: 979 980 -bash-4.4$ cat t2.c 981 typedef int __int32; 982 struct t2 { 983 int a2; 984 int (*f2)(char q1, __int32 q2, ...); 985 int (*f3)(); 986 } g2; 987 int main() { return 0; } 988 int test() { return 0; } 989 -bash-4.4$ clang -c -g -O2 -target bpf t2.c 990 -bash-4.4$ readelf -S t2.o 991 ...... 992 [ 8] .BTF PROGBITS 0000000000000000 00000247 993 000000000000016e 0000000000000000 0 0 1 994 [ 9] .BTF.ext PROGBITS 0000000000000000 000003b5 995 0000000000000060 0000000000000000 0 0 1 996 [10] .rel.BTF.ext REL 0000000000000000 000007e0 997 0000000000000040 0000000000000010 16 9 8 998 ...... 999 -bash-4.4$ clang -S -g -O2 -target bpf t2.c 1000 -bash-4.4$ cat t2.s 1001 ...... 1002 .section .BTF,"",@progbits 1003 .short 60319 # 0xeb9f 1004 .byte 1 1005 .byte 0 1006 .long 24 1007 .long 0 1008 .long 220 1009 .long 220 1010 .long 122 1011 .long 0 # BTF_KIND_FUNC_PROTO(id = 1) 1012 .long 218103808 # 0xd000000 1013 .long 2 1014 .long 83 # BTF_KIND_INT(id = 2) 1015 .long 16777216 # 0x1000000 1016 .long 4 1017 .long 16777248 # 0x1000020 1018 ...... 1019 .byte 0 # string offset=0 1020 .ascii ".text" # string offset=1 1021 .byte 0 1022 .ascii "/home/yhs/tmp-pahole/t2.c" # string offset=7 1023 .byte 0 1024 .ascii "int main() { return 0; }" # string offset=33 1025 .byte 0 1026 .ascii "int test() { return 0; }" # string offset=58 1027 .byte 0 1028 .ascii "int" # string offset=83 1029 ...... 1030 .section .BTF.ext,"",@progbits 1031 .short 60319 # 0xeb9f 1032 .byte 1 1033 .byte 0 1034 .long 24 1035 .long 0 1036 .long 28 1037 .long 28 1038 .long 44 1039 .long 8 # FuncInfo 1040 .long 1 # FuncInfo section string offset=1 1041 .long 2 1042 .long .Lfunc_begin0 1043 .long 3 1044 .long .Lfunc_begin1 1045 .long 5 1046 .long 16 # LineInfo 1047 .long 1 # LineInfo section string offset=1 1048 .long 2 1049 .long .Ltmp0 1050 .long 7 1051 .long 33 1052 .long 7182 # Line 7 Col 14 1053 .long .Ltmp3 1054 .long 7 1055 .long 58 1056 .long 8206 # Line 8 Col 14 1057 10587. Testing 1059========== 1060 1061Kernel bpf selftest `test_btf.c` provides extensive set of BTF-related tests. 1062