On Tue, Jul 06, 2021 at 01:26:46PM -0700, Andrii Nakryiko wrote: SNIP > > > > > > > > It's a 10x speed up. And a good chunk of those 2.7 seconds is in some > > > > preparatory steps not related to fentry/fexit stuff. > > > > > > > > It's not exactly apples-to-apples, though, because the limitations you > > > > have right now prevents attaching both fentry and fexit programs to > > > > the same set of kernel functions. This makes it pretty useless for a > > > > > > hum, you could do link_update with fexit program on the link fd, > > > like in the selftest, right? > > > > Hm... I didn't realize we can attach two different prog FDs to the > > same link, honestly (and was too lazy to look through selftests > > again). I can try that later. But it's actually quite a > > counter-intuitive API (I honestly assumed that link_update can be used > > to add more BTF IDs, but not change prog_fd). Previously bpf_link was > > always associated with single BPF prog FD. It would be good to keep > > that property in the final version, but we can get back to that later. > > Ok, I'm back from PTO and as a warm-up did a two-line change to make > retsnoop work end-to-end using this bpf_link_update() approach. See > [0]. I still think it's a completely confusing API to do > bpf_link_update() to have both fexit and fentry, but it worked for > this experiment. we need the same set of functions, and we have 'fd' representing that ;-) but that could hopefully go away with the new approach > > BTW, adding ~900 fexit attachments is barely noticeable, which is > great, means that attachment is instantaneous. right I see similar not noticable time in bpftrace as well thanks for testing that, jirka > > real 0m2.739s > user 0m0.351s > sys 0m2.370s > > [0] https://github.com/anakryiko/retsnoop/commit/c915d729d6e98f83601e432e61cb1bdf476ceefb > SNIP
