Re: [RFC PATCH bpf-next 00/12] bpf: Introduce static-defined tracing probe for BPF

[Xu Kuohai]

On 6/29/2026 10:14 AM, Leon Hwang wrote:
> Hi Kuohai,
>
> On 28/6/26 06:51, Xu Kuohai wrote:
> > From: Xu Kuohai <xukuohai@xxxxxxxxxx>
> >
> > This series introduces static-defined tracing probes for BPF programs.
> > BPF SDT (static-defined tracing) works similarly to USDT. User defines
>
>
> At first glance, the SDT idea looks cool to me.
>
> However, what's your purpose of introducing SDT?

Well, the purpose is to add a dynamic, zero-overhead tracing mechanism for
bpf, not just at function entry, but anywhere inside the prog source code.

> If to provide points in bpf progs to be traced, like tracepoints in
> kernel functions, I think subprog+fentry is an alternative approach.
> Comparing with SDT, subprog+fentry requires a function call at run time,
> instead of a NOP like SDT.
>
> For example,
>
> #define __sink(expr) asm volatile("" : "+g"(expr))
>
> static __noinline void my_trace(int len, int ret)
> {
> 	__sink(len);
> 	__sink(ret);
> }
>
> SEC("xdp")
> int xdp_prog(struct xdp_md *ctx)
> {
> 	int len = ctx->data_end - ctx->data;
> 	int ret = XDP_DROP;
> 	...
> 	my_trace(len, ret);
> 	...
> }
>
> 'my_trace' can be traced using fentry to inspect the details of 'xdp_prog'.
>
> Furthermore, if users don't want a function call at run time, e.g. they
> don't want to call 'my_trace' at run time in production, they can patch
> the callsite of 'my_trace' with NOP before loading 'xdp_prog', and drop
> the subprog 'my_trace' in their user space application. This elimination
> is approachable, since it is used heavily in bpfsnoop [1].

Sounds like the subprog+fentry you described gives a good evidance for real
demand of dyanmic tracing inside function body.

IIUC, even though the CALL instruction at the callsite is patched to NOP at
runtime, the argument preparation instructions - r1 = len, r2 = ctx - remain
in the callsite. For SDT, the argument preparation is recorded as metadata
out of line, and is never executed.

And I think SDT is cleaner and easier to use. User just declares the prototype
and insert the probe, no need to hack with subprog+fentry.

> However, this elimination is not easy to understand. Want me to show > mored etails about this elimination?

That would be appreciated, thanks.

> Link:
> [1] https://github.com/bpfsnoop/bpfsnoop
>
> Thanks,
> Leon