
Writing eBPF tracing tools in Rust - weinzierl
https://jvns.ca/blog/2018/02/05/rust-bcc/
======
roblabla
This blog showcasts a way to orchestrate eBPF scripts in Rust, but the eBPF
itself is still written in C. That's super cool, but if combined with [0], we
would gain the ability to write the eBPF script itself in Rust.

[0]: [https://unhandledexpression.com/2018/02/02/poc-compiling-
to-...](https://unhandledexpression.com/2018/02/02/poc-compiling-to-ebpf-from-
rust/)

~~~
emmelaich
That article writes

> ... the kernel, it then checks it, verifying, for example, that there are no
> loops, ...

I thought that loops weren't possible in eBPF at all. Am I wrong?

~~~
jvns
My understanding of this isn't as good as it could be (I haven't read the spec
for the eBPF instruction set in
[https://www.kernel.org/doc/Documentation/networking/filter.t...](https://www.kernel.org/doc/Documentation/networking/filter.txt)
yet).

But my understanding is that there's a "jump" instruction in the BPF
instruction set and what the verifier does is ensures that all jumps go
forwards and not backwards.

This 2014 LWN article
[https://lwn.net/Articles/603983/](https://lwn.net/Articles/603983/) says that
the verifier in the kernel is responsible for verifying there are no loops:

> The verifier looks for a number of things. It tracks the state of every eBPF
> register and will not allow their values to be read if they have not been
> set. To the extent possible, the type of the value stored in each register
> is also tracked. Load and store instructions can only operate with registers
> containing the right type of data (a "context" pointer, for example), and
> all operations are bounds-checked. The verifier also disallows any program
> containing loops, thus ensuring that all programs will terminate.

~~~
emmelaich
Thanks. Follow on question :-)

Would it be useful to have an intermediate language "eBPF assembler" rather
than do it in C or Rust?

~~~
jvns
I don't know about assemblers exactly, but you might be interested in
[https://wkz.github.io/ply/](https://wkz.github.io/ply/), it's a smaller
language inspired by dtrace.

A nice thing about using C is that you can #include C header files, so you
have access to all the constants defined in those files.

~~~
lathiat
There is also work going on for Python to EBPF; the idea being that you can
have both the script and the BPF code in Python like many of the BCC tools
currently do:
[https://github.com/facebookresearch/py2bpf](https://github.com/facebookresearch/py2bpf)

