
BPF Theremin, Tetris, and Typewriters - brendangregg
http://www.brendangregg.com/blog/2019-12-22/bpf-theremin.html
======
bobbiechen
Only tangentially related, but if you're interested in the theremin there's
OpenTheremin
[http://www.gaudi.ch/OpenTheremin/index.php](http://www.gaudi.ch/OpenTheremin/index.php),
which is fairly fun to play around and make spooky noises with. Turns out
actually playing music takes way more coordination than I have though.

------
taneq
For other people like me who aren't super familiar with the Linux kernel, BPF
is a packet filtering API which evolved into a kind of kernel scripting
language: [http://www.brendangregg.com/bpf-performance-tools-book.html#...](http://www.brendangregg.com/bpf-performance-tools-book.html#BPF)

(Posting since it took me some digging to find out).

~~~
Animats
Now, a new way to run user programs in the kernel of a general purpose OS!
What could possibly go wrong?

------
denormalfloat
I want to like BPF, but so few of my problems are in the kernel. Performance
problems are usually at the application layer, either in my code or my
dependencies. Even in the rare case that it is something outside of my control
(like the compiler, or the nature of the data), it's almost never the kernel.
Lastly, when it is the kernel's fault, there's usually a sysctl or other knob
to turn to fix it. Real kernel problems, such as some missing functionality,
are usually better resolved by committing changes to the kernel itself, not so
much on demand filters. BPF is a solution in search of problems.

~~~
ryanpetrich
BPF programs can be attached to uprobes and thus much of the same tooling
applies to userspace as well.

~~~
brendangregg
That and user stack traces.

For many of the kernel tracing tools, I'll add user stack traces as needed for
the user context. TCP connections and latency _with_ the Java code paths
responsible; ditto for disk I/O, memory growth, lock contention, etc. If
you've ever had a network problem, a disk I/O problem, a memory problem, etc.,
BPF can give you new insights that are unavailable from user-space tooling.

~~~
denormalfloat
But that's also why BPF doesn't seem to have a place in this world. Anything
surfaced by a BPF program should probably be surfaced by a proper kernel
module or syscall. As far as I can tell, the utility of BPF tracing is solely
between the time a bug comes up, and a few weeks later when a kernel upgrade
exposes this info anyways.

~~~
rhinoceraptor
Neither of your suggestions really gets at the point of eBPF. That is, to
safely (goodbye kernel modules) and dynamically (goodbye syscalls) instrument
the kernel.

