
Spying on a Ruby process's memory allocations with eBPF - petercooper
https://jvns.ca/blog/2018/01/31/spying-on-a-ruby-process-s-memory-allocations/
======
Lio
One of the nice things I’ve found about running ruby code on jruby is having
all the great profiling tools.

Eg VisualVM

I think it was just a case of passing a JRUBY_OPT option and opening a port on
my container.

------
dcow
As someone who's really interested in eBPF (tiny in-kernel vm..tell me more)
but has never looked deeper than a few LWN articles, what are the advantages
of an eBPF approach to this problem? You could achieve the same thing with
ptrace, right? I've heard performance is good. Is the main advantage that eBPF
already has _interesting_ hooks for you to build off of whereas you'd
basically have to write a ruby debugger (or do something invasive) to achieve
the same result traditionally?

 _edit:_ ptrace not pattach

~~~
khuey
Do you mean ptrace? One of the advantages of eBPF is that it runs in the
kernel so you don't need to context switch to another user space process. A
number of syscalls are significantly cheaper than a user space context switch.
The rr debugger[0], which needs to process all syscalls, uses an eBPF based
filter to select certain simple syscalls for in-process handling and avoid
context switching through ptrace.

[0] [http://rr-project.org/](http://rr-project.org/)

------
blinkingled
Very well written and simpler explanation of eBPF. @brendangregg you should
add a link to this from your Linux performance blog along with all the other
great stuff.

I am still unclear about the copying maps to call Ruby class name function.
Might have to give that a reread.

------
sebazzz
Is this a security risk? It looks like a Spectre (as in: Reading other process
memory) build in by design.

~~~
unmole
eBPF has a _verifier_ to ensure that (Apart from other things) programs don't
access memory they aren't supposed to.

~~~
matthewmacleod
Worth noting though that one of the Spectre PoCs actually used eBPF in order
to access kernel memory! Though of course, of the CPU were working correctly,
this wouldn’t be a big deal.

