Andrii Nakryiko wrote:
> It is sometimes desirable to be able to trigger BPF program from user-space
> with minimal overhead. sys_enter would seem to be a good candidate, yet in
> a lot of cases there will be a lot of noise from syscalls triggered by other
> processes on the system. So while searching for low-overhead alternative, I've
> stumbled upon getpgid() syscall, which seems to be specific enough to not
> suffer from accidental syscall by other apps.
>
> This set of benchmarks compares tp, raw_tp w/ filtering by syscall ID, kprobe,
> fentry and fmod_ret with returning error (so that syscall would not be
> executed), to determine the lowest-overhead way. Here are results on my
> machine:
>
> $ for i in base tp rawtp kprobe fentry fmodret; \
> do \
> summary=$(sudo ./bench -w2 -d5 -a trig-$i | \
> tail -n1 | cut -d'(' -f1 | cut -d' ' -f3- ) && \
> printf "%-10s: %s\n" $i "$summary"; \
> done
>
> base : 9.200 ± 0.319M/s
> tp : 6.690 ± 0.125M/s
> rawtp : 8.571 ± 0.214M/s
> kprobe : 6.431 ± 0.048M/s
> fentry : 8.955 ± 0.241M/s
> fmodret : 8.903 ± 0.135M/s
>
> So it seems like fmodret doesn't give much benefit for such lightweight
> syscall. Raw tracepoint is pretty decent despite additional filtering logic,
> but it will be called for any other syscall in the system, which rules it out.
> Fentry, though, seems to be adding the least amoung of overhead and achieves
> 97.3% of performance of baseline no-BPF-attached syscall.
>
> Using getpgid() seems to be preferable to set_task_comm() approach from
> test_overhead, as it's about 2.35x faster in a baseline performance.
>
> Signed-off-by: Andrii Nakryiko <andriin@xxxxxx>
> ---
Nice.
Acked-by: John Fastabend <john.fastabend@xxxxxxxxx>
