8 BTF (BPF Type Format) is the metadata format which encodes the debug info
9 related to BPF program/map. The name BTF was used initially to describe data
10 types. The BTF was later extended to include function info for defined
11 subroutines, and line info for source/line information.
13 The debug info is used for map pretty print, function signature, etc. The
14 function signature enables better bpf program/function kernel symbol. The line
15 info helps generate source annotated translated byte code, jited code and
18 The BTF specification contains two parts,
22 The kernel API is the contract between user space and kernel. The kernel
23 verifies the BTF info before using it. The ELF file format is a user space
24 contract between ELF file and libbpf loader.
26 The type and string sections are part of the BTF kernel API, describing the
27 debug info (mostly types related) referenced by the bpf program. These two
28 sections are discussed in details in :ref:`BTF_Type_String`.
32 2. BTF Type and String Encoding
33 *******************************
35 The file ``include/uapi/linux/btf.h`` provides high-level definition of how
36 types/strings are encoded.
38 The beginning of data blob must be::
46 /* All offsets are in bytes relative to the end of this header */
47 __u32 type_off; /* offset of type section */
48 __u32 type_len; /* length of type section */
49 __u32 str_off; /* offset of string section */
50 __u32 str_len; /* length of string section */
53 The magic is ``0xeB9F``, which has different encoding for big and little
54 endian systems, and can be used to test whether BTF is generated for big- or
55 little-endian target. The ``btf_header`` is designed to be extensible with
56 ``hdr_len`` equal to ``sizeof(struct btf_header)`` when a data blob is
62 The first string in the string section must be a null string. The rest of
63 string table is a concatenation of other null-terminated strings.
68 The type id ``0`` is reserved for ``void`` type. The type section is parsed
69 sequentially and type id is assigned to each recognized type starting from id
70 ``1``. Currently, the following types are supported::
72 #define BTF_KIND_INT 1 /* Integer */
73 #define BTF_KIND_PTR 2 /* Pointer */
74 #define BTF_KIND_ARRAY 3 /* Array */
75 #define BTF_KIND_STRUCT 4 /* Struct */
76 #define BTF_KIND_UNION 5 /* Union */
77 #define BTF_KIND_ENUM 6 /* Enumeration */
78 #define BTF_KIND_FWD 7 /* Forward */
79 #define BTF_KIND_TYPEDEF 8 /* Typedef */
80 #define BTF_KIND_VOLATILE 9 /* Volatile */
81 #define BTF_KIND_CONST 10 /* Const */
82 #define BTF_KIND_RESTRICT 11 /* Restrict */
83 #define BTF_KIND_FUNC 12 /* Function */
84 #define BTF_KIND_FUNC_PROTO 13 /* Function Proto */
85 #define BTF_KIND_VAR 14 /* Variable */
86 #define BTF_KIND_DATASEC 15 /* Section */
87 #define BTF_KIND_FLOAT 16 /* Floating point */
88 #define BTF_KIND_DECL_TAG 17 /* Decl Tag */
90 Note that the type section encodes debug info, not just pure types.
91 ``BTF_KIND_FUNC`` is not a type, and it represents a defined subprogram.
93 Each type contains the following common data::
97 /* "info" bits arrangement
98 * bits 0-15: vlen (e.g. # of struct's members)
100 * bits 24-28: kind (e.g. int, ptr, array...etc)
102 * bit 31: kind_flag, currently used by
103 * struct, union and fwd
106 /* "size" is used by INT, ENUM, STRUCT and UNION.
107 * "size" tells the size of the type it is describing.
109 * "type" is used by PTR, TYPEDEF, VOLATILE, CONST, RESTRICT,
110 * FUNC, FUNC_PROTO and DECL_TAG.
111 * "type" is a type_id referring to another type.
119 For certain kinds, the common data are followed by kind-specific data. The
120 ``name_off`` in ``struct btf_type`` specifies the offset in the string table.
121 The following sections detail encoding of each kind.
126 ``struct btf_type`` encoding requirement:
127 * ``name_off``: any valid offset
128 * ``info.kind_flag``: 0
129 * ``info.kind``: BTF_KIND_INT
131 * ``size``: the size of the int type in bytes.
133 ``btf_type`` is followed by a ``u32`` with the following bits arrangement::
135 #define BTF_INT_ENCODING(VAL) (((VAL) & 0x0f000000) >> 24)
136 #define BTF_INT_OFFSET(VAL) (((VAL) & 0x00ff0000) >> 16)
137 #define BTF_INT_BITS(VAL) ((VAL) & 0x000000ff)
139 The ``BTF_INT_ENCODING`` has the following attributes::
141 #define BTF_INT_SIGNED (1 << 0)
142 #define BTF_INT_CHAR (1 << 1)
143 #define BTF_INT_BOOL (1 << 2)
145 The ``BTF_INT_ENCODING()`` provides extra information: signedness, char, or
146 bool, for the int type. The char and bool encoding are mostly useful for
147 pretty print. At most one encoding can be specified for the int type.
149 The ``BTF_INT_BITS()`` specifies the number of actual bits held by this int
150 type. For example, a 4-bit bitfield encodes ``BTF_INT_BITS()`` equals to 4.
151 The ``btf_type.size * 8`` must be equal to or greater than ``BTF_INT_BITS()``
152 for the type. The maximum value of ``BTF_INT_BITS()`` is 128.
154 The ``BTF_INT_OFFSET()`` specifies the starting bit offset to calculate values
155 for this int. For example, a bitfield struct member has:
157 * btf member bit offset 100 from the start of the structure,
158 * btf member pointing to an int type,
159 * the int type has ``BTF_INT_OFFSET() = 2`` and ``BTF_INT_BITS() = 4``
161 Then in the struct memory layout, this member will occupy ``4`` bits starting
162 from bits ``100 + 2 = 102``.
164 Alternatively, the bitfield struct member can be the following to access the
165 same bits as the above:
167 * btf member bit offset 102,
168 * btf member pointing to an int type,
169 * the int type has ``BTF_INT_OFFSET() = 0`` and ``BTF_INT_BITS() = 4``
171 The original intention of ``BTF_INT_OFFSET()`` is to provide flexibility of
172 bitfield encoding. Currently, both llvm and pahole generate
173 ``BTF_INT_OFFSET() = 0`` for all int types.
178 ``struct btf_type`` encoding requirement:
180 * ``info.kind_flag``: 0
181 * ``info.kind``: BTF_KIND_PTR
183 * ``type``: the pointee type of the pointer
185 No additional type data follow ``btf_type``.
190 ``struct btf_type`` encoding requirement:
192 * ``info.kind_flag``: 0
193 * ``info.kind``: BTF_KIND_ARRAY
195 * ``size/type``: 0, not used
197 ``btf_type`` is followed by one ``struct btf_array``::
205 The ``struct btf_array`` encoding:
206 * ``type``: the element type
207 * ``index_type``: the index type
208 * ``nelems``: the number of elements for this array (``0`` is also allowed).
210 The ``index_type`` can be any regular int type (``u8``, ``u16``, ``u32``,
211 ``u64``, ``unsigned __int128``). The original design of including
212 ``index_type`` follows DWARF, which has an ``index_type`` for its array type.
213 Currently in BTF, beyond type verification, the ``index_type`` is not used.
215 The ``struct btf_array`` allows chaining through element type to represent
216 multidimensional arrays. For example, for ``int a[5][6]``, the following type
217 information illustrates the chaining:
220 * [2]: array, ``btf_array.type = [1]``, ``btf_array.nelems = 6``
221 * [3]: array, ``btf_array.type = [2]``, ``btf_array.nelems = 5``
223 Currently, both pahole and llvm collapse multidimensional array into
224 one-dimensional array, e.g., for ``a[5][6]``, the ``btf_array.nelems`` is
225 equal to ``30``. This is because the original use case is map pretty print
226 where the whole array is dumped out so one-dimensional array is enough. As
227 more BTF usage is explored, pahole and llvm can be changed to generate proper
228 chained representation for multidimensional arrays.
230 2.2.4 BTF_KIND_STRUCT
231 ~~~~~~~~~~~~~~~~~~~~~
235 ``struct btf_type`` encoding requirement:
236 * ``name_off``: 0 or offset to a valid C identifier
237 * ``info.kind_flag``: 0 or 1
238 * ``info.kind``: BTF_KIND_STRUCT or BTF_KIND_UNION
239 * ``info.vlen``: the number of struct/union members
240 * ``info.size``: the size of the struct/union in bytes
242 ``btf_type`` is followed by ``info.vlen`` number of ``struct btf_member``.::
250 ``struct btf_member`` encoding:
251 * ``name_off``: offset to a valid C identifier
252 * ``type``: the member type
253 * ``offset``: <see below>
255 If the type info ``kind_flag`` is not set, the offset contains only bit offset
256 of the member. Note that the base type of the bitfield can only be int or enum
257 type. If the bitfield size is 32, the base type can be either int or enum
258 type. If the bitfield size is not 32, the base type must be int, and int type
259 ``BTF_INT_BITS()`` encodes the bitfield size.
261 If the ``kind_flag`` is set, the ``btf_member.offset`` contains both member
262 bitfield size and bit offset. The bitfield size and bit offset are calculated
265 #define BTF_MEMBER_BITFIELD_SIZE(val) ((val) >> 24)
266 #define BTF_MEMBER_BIT_OFFSET(val) ((val) & 0xffffff)
268 In this case, if the base type is an int type, it must be a regular int type:
270 * ``BTF_INT_OFFSET()`` must be 0.
271 * ``BTF_INT_BITS()`` must be equal to ``{1,2,4,8,16} * 8``.
273 The following kernel patch introduced ``kind_flag`` and explained why both
276 https://github.com/torvalds/linux/commit/9d5f9f701b1891466fb3dbb1806ad97716f95cc3#diff-fa650a64fdd3968396883d2fe8215ff3
281 ``struct btf_type`` encoding requirement:
282 * ``name_off``: 0 or offset to a valid C identifier
283 * ``info.kind_flag``: 0
284 * ``info.kind``: BTF_KIND_ENUM
285 * ``info.vlen``: number of enum values
288 ``btf_type`` is followed by ``info.vlen`` number of ``struct btf_enum``.::
295 The ``btf_enum`` encoding:
296 * ``name_off``: offset to a valid C identifier
302 ``struct btf_type`` encoding requirement:
303 * ``name_off``: offset to a valid C identifier
304 * ``info.kind_flag``: 0 for struct, 1 for union
305 * ``info.kind``: BTF_KIND_FWD
309 No additional type data follow ``btf_type``.
311 2.2.8 BTF_KIND_TYPEDEF
312 ~~~~~~~~~~~~~~~~~~~~~~
314 ``struct btf_type`` encoding requirement:
315 * ``name_off``: offset to a valid C identifier
316 * ``info.kind_flag``: 0
317 * ``info.kind``: BTF_KIND_TYPEDEF
319 * ``type``: the type which can be referred by name at ``name_off``
321 No additional type data follow ``btf_type``.
323 2.2.9 BTF_KIND_VOLATILE
324 ~~~~~~~~~~~~~~~~~~~~~~~
326 ``struct btf_type`` encoding requirement:
328 * ``info.kind_flag``: 0
329 * ``info.kind``: BTF_KIND_VOLATILE
331 * ``type``: the type with ``volatile`` qualifier
333 No additional type data follow ``btf_type``.
335 2.2.10 BTF_KIND_CONST
336 ~~~~~~~~~~~~~~~~~~~~~
338 ``struct btf_type`` encoding requirement:
340 * ``info.kind_flag``: 0
341 * ``info.kind``: BTF_KIND_CONST
343 * ``type``: the type with ``const`` qualifier
345 No additional type data follow ``btf_type``.
347 2.2.11 BTF_KIND_RESTRICT
348 ~~~~~~~~~~~~~~~~~~~~~~~~
350 ``struct btf_type`` encoding requirement:
352 * ``info.kind_flag``: 0
353 * ``info.kind``: BTF_KIND_RESTRICT
355 * ``type``: the type with ``restrict`` qualifier
357 No additional type data follow ``btf_type``.
362 ``struct btf_type`` encoding requirement:
363 * ``name_off``: offset to a valid C identifier
364 * ``info.kind_flag``: 0
365 * ``info.kind``: BTF_KIND_FUNC
367 * ``type``: a BTF_KIND_FUNC_PROTO type
369 No additional type data follow ``btf_type``.
371 A BTF_KIND_FUNC defines not a type, but a subprogram (function) whose
372 signature is defined by ``type``. The subprogram is thus an instance of that
373 type. The BTF_KIND_FUNC may in turn be referenced by a func_info in the
374 :ref:`BTF_Ext_Section` (ELF) or in the arguments to :ref:`BPF_Prog_Load`
377 2.2.13 BTF_KIND_FUNC_PROTO
378 ~~~~~~~~~~~~~~~~~~~~~~~~~~
380 ``struct btf_type`` encoding requirement:
382 * ``info.kind_flag``: 0
383 * ``info.kind``: BTF_KIND_FUNC_PROTO
384 * ``info.vlen``: # of parameters
385 * ``type``: the return type
387 ``btf_type`` is followed by ``info.vlen`` number of ``struct btf_param``.::
394 If a BTF_KIND_FUNC_PROTO type is referred by a BTF_KIND_FUNC type, then
395 ``btf_param.name_off`` must point to a valid C identifier except for the
396 possible last argument representing the variable argument. The btf_param.type
397 refers to parameter type.
399 If the function has variable arguments, the last parameter is encoded with
400 ``name_off = 0`` and ``type = 0``.
405 ``struct btf_type`` encoding requirement:
406 * ``name_off``: offset to a valid C identifier
407 * ``info.kind_flag``: 0
408 * ``info.kind``: BTF_KIND_VAR
410 * ``type``: the type of the variable
412 ``btf_type`` is followed by a single ``struct btf_variable`` with the
419 ``struct btf_var`` encoding:
420 * ``linkage``: currently only static variable 0, or globally allocated
421 variable in ELF sections 1
423 Not all type of global variables are supported by LLVM at this point.
424 The following is currently available:
426 * static variables with or without section attributes
427 * global variables with section attributes
429 The latter is for future extraction of map key/value type id's from a
432 2.2.15 BTF_KIND_DATASEC
433 ~~~~~~~~~~~~~~~~~~~~~~~
435 ``struct btf_type`` encoding requirement:
436 * ``name_off``: offset to a valid name associated with a variable or
437 one of .data/.bss/.rodata
438 * ``info.kind_flag``: 0
439 * ``info.kind``: BTF_KIND_DATASEC
440 * ``info.vlen``: # of variables
441 * ``size``: total section size in bytes (0 at compilation time, patched
442 to actual size by BPF loaders such as libbpf)
444 ``btf_type`` is followed by ``info.vlen`` number of ``struct btf_var_secinfo``.::
446 struct btf_var_secinfo {
452 ``struct btf_var_secinfo`` encoding:
453 * ``type``: the type of the BTF_KIND_VAR variable
454 * ``offset``: the in-section offset of the variable
455 * ``size``: the size of the variable in bytes
457 2.2.16 BTF_KIND_FLOAT
458 ~~~~~~~~~~~~~~~~~~~~~
460 ``struct btf_type`` encoding requirement:
461 * ``name_off``: any valid offset
462 * ``info.kind_flag``: 0
463 * ``info.kind``: BTF_KIND_FLOAT
465 * ``size``: the size of the float type in bytes: 2, 4, 8, 12 or 16.
467 No additional type data follow ``btf_type``.
469 2.2.17 BTF_KIND_DECL_TAG
470 ~~~~~~~~~~~~~~~~~~~~~~~~
472 ``struct btf_type`` encoding requirement:
473 * ``name_off``: offset to a non-empty string
474 * ``info.kind_flag``: 0
475 * ``info.kind``: BTF_KIND_DECL_TAG
477 * ``type``: ``struct``, ``union``, ``func``, ``var`` or ``typedef``
479 ``btf_type`` is followed by ``struct btf_decl_tag``.::
481 struct btf_decl_tag {
485 The ``name_off`` encodes btf_decl_tag attribute string.
486 The ``type`` should be ``struct``, ``union``, ``func``, ``var`` or ``typedef``.
487 For ``var`` or ``typedef`` type, ``btf_decl_tag.component_idx`` must be ``-1``.
488 For the other three types, if the btf_decl_tag attribute is
489 applied to the ``struct``, ``union`` or ``func`` itself,
490 ``btf_decl_tag.component_idx`` must be ``-1``. Otherwise,
491 the attribute is applied to a ``struct``/``union`` member or
492 a ``func`` argument, and ``btf_decl_tag.component_idx`` should be a
493 valid index (starting from 0) pointing to a member or an argument.
498 The following bpf syscall command involves BTF:
499 * BPF_BTF_LOAD: load a blob of BTF data into kernel
500 * BPF_MAP_CREATE: map creation with btf key and value type info.
501 * BPF_PROG_LOAD: prog load with btf function and line info.
502 * BPF_BTF_GET_FD_BY_ID: get a btf fd
503 * BPF_OBJ_GET_INFO_BY_FD: btf, func_info, line_info
504 and other btf related info are returned.
506 The workflow typically looks like:
513 BPF_MAP_CREATE and BPF_PROG_LOAD
520 BPF_{PROG,MAP}_GET_NEXT_ID (get prog/map id's)
523 BPF_{PROG,MAP}_GET_FD_BY_ID (get a prog/map fd)
526 BPF_OBJ_GET_INFO_BY_FD (get bpf_prog_info/bpf_map_info with btf_id)
529 BPF_BTF_GET_FD_BY_ID (get btf_fd) |
532 BPF_OBJ_GET_INFO_BY_FD (get btf) |
535 pretty print types, dump func signatures and line info, etc.
541 Load a blob of BTF data into kernel. A blob of data, described in
542 :ref:`BTF_Type_String`, can be directly loaded into the kernel. A ``btf_fd``
543 is returned to a userspace.
548 A map can be created with ``btf_fd`` and specified key/value type id.::
550 __u32 btf_fd; /* fd pointing to a BTF type data */
551 __u32 btf_key_type_id; /* BTF type_id of the key */
552 __u32 btf_value_type_id; /* BTF type_id of the value */
554 In libbpf, the map can be defined with extra annotation like below:
557 struct bpf_map_def SEC("maps") btf_map = {
558 .type = BPF_MAP_TYPE_ARRAY,
559 .key_size = sizeof(int),
560 .value_size = sizeof(struct ipv_counts),
563 BPF_ANNOTATE_KV_PAIR(btf_map, int, struct ipv_counts);
565 Here, the parameters for macro BPF_ANNOTATE_KV_PAIR are map name, key and
566 value types for the map. During ELF parsing, libbpf is able to extract
567 key/value type_id's and assign them to BPF_MAP_CREATE attributes
575 During prog_load, func_info and line_info can be passed to kernel with proper
576 values for the following attributes:
582 __u32 prog_btf_fd; /* fd pointing to BTF type data */
583 __u32 func_info_rec_size; /* userspace bpf_func_info size */
584 __aligned_u64 func_info; /* func info */
585 __u32 func_info_cnt; /* number of bpf_func_info records */
586 __u32 line_info_rec_size; /* userspace bpf_line_info size */
587 __aligned_u64 line_info; /* line info */
588 __u32 line_info_cnt; /* number of bpf_line_info records */
590 The func_info and line_info are an array of below, respectively.::
592 struct bpf_func_info {
593 __u32 insn_off; /* [0, insn_cnt - 1] */
594 __u32 type_id; /* pointing to a BTF_KIND_FUNC type */
596 struct bpf_line_info {
597 __u32 insn_off; /* [0, insn_cnt - 1] */
598 __u32 file_name_off; /* offset to string table for the filename */
599 __u32 line_off; /* offset to string table for the source line */
600 __u32 line_col; /* line number and column number */
603 func_info_rec_size is the size of each func_info record, and
604 line_info_rec_size is the size of each line_info record. Passing the record
605 size to kernel make it possible to extend the record itself in the future.
607 Below are requirements for func_info:
608 * func_info[0].insn_off must be 0.
609 * the func_info insn_off is in strictly increasing order and matches
612 Below are requirements for line_info:
613 * the first insn in each func must have a line_info record pointing to it.
614 * the line_info insn_off is in strictly increasing order.
616 For line_info, the line number and column number are defined as below:
619 #define BPF_LINE_INFO_LINE_NUM(line_col) ((line_col) >> 10)
620 #define BPF_LINE_INFO_LINE_COL(line_col) ((line_col) & 0x3ff)
622 3.4 BPF_{PROG,MAP}_GET_NEXT_ID
623 ==============================
625 In kernel, every loaded program, map or btf has a unique id. The id won't
626 change during the lifetime of a program, map, or btf.
628 The bpf syscall command BPF_{PROG,MAP}_GET_NEXT_ID returns all id's, one for
629 each command, to user space, for bpf program or maps, respectively, so an
630 inspection tool can inspect all programs and maps.
632 3.5 BPF_{PROG,MAP}_GET_FD_BY_ID
633 ===============================
635 An introspection tool cannot use id to get details about program or maps.
636 A file descriptor needs to be obtained first for reference-counting purpose.
638 3.6 BPF_OBJ_GET_INFO_BY_FD
639 ==========================
641 Once a program/map fd is acquired, an introspection tool can get the detailed
642 information from kernel about this fd, some of which are BTF-related. For
643 example, ``bpf_map_info`` returns ``btf_id`` and key/value type ids.
644 ``bpf_prog_info`` returns ``btf_id``, func_info, and line info for translated
645 bpf byte codes, and jited_line_info.
647 3.7 BPF_BTF_GET_FD_BY_ID
648 ========================
650 With ``btf_id`` obtained in ``bpf_map_info`` and ``bpf_prog_info``, bpf
651 syscall command BPF_BTF_GET_FD_BY_ID can retrieve a btf fd. Then, with
652 command BPF_OBJ_GET_INFO_BY_FD, the btf blob, originally loaded into the
653 kernel with BPF_BTF_LOAD, can be retrieved.
655 With the btf blob, ``bpf_map_info``, and ``bpf_prog_info``, an introspection
656 tool has full btf knowledge and is able to pretty print map key/values, dump
657 func signatures and line info, along with byte/jit codes.
659 4. ELF File Format Interface
660 ****************************
665 The .BTF section contains type and string data. The format of this section is
666 same as the one describe in :ref:`BTF_Type_String`.
673 The .BTF.ext section encodes func_info and line_info which needs loader
674 manipulation before loading into the kernel.
676 The specification for .BTF.ext section is defined at ``tools/lib/bpf/btf.h``
677 and ``tools/lib/bpf/btf.c``.
679 The current header of .BTF.ext section::
681 struct btf_ext_header {
687 /* All offsets are in bytes relative to the end of this header */
694 It is very similar to .BTF section. Instead of type/string section, it
695 contains func_info and line_info section. See :ref:`BPF_Prog_Load` for details
696 about func_info and line_info record format.
698 The func_info is organized as below.::
701 btf_ext_info_sec for section #1 /* func_info for section #1 */
702 btf_ext_info_sec for section #2 /* func_info for section #2 */
705 ``func_info_rec_size`` specifies the size of ``bpf_func_info`` structure when
706 .BTF.ext is generated. ``btf_ext_info_sec``, defined below, is a collection of
707 func_info for each specific ELF section.::
709 struct btf_ext_info_sec {
710 __u32 sec_name_off; /* offset to section name */
712 /* Followed by num_info * record_size number of bytes */
716 Here, num_info must be greater than 0.
718 The line_info is organized as below.::
721 btf_ext_info_sec for section #1 /* line_info for section #1 */
722 btf_ext_info_sec for section #2 /* line_info for section #2 */
725 ``line_info_rec_size`` specifies the size of ``bpf_line_info`` structure when
726 .BTF.ext is generated.
728 The interpretation of ``bpf_func_info->insn_off`` and
729 ``bpf_line_info->insn_off`` is different between kernel API and ELF API. For
730 kernel API, the ``insn_off`` is the instruction offset in the unit of ``struct
731 bpf_insn``. For ELF API, the ``insn_off`` is the byte offset from the
732 beginning of section (``btf_ext_info_sec->sec_name_off``).
737 The .BTF_ids section encodes BTF ID values that are used within the kernel.
739 This section is created during the kernel compilation with the help of
740 macros defined in ``include/linux/btf_ids.h`` header file. Kernel code can
741 use them to create lists and sets (sorted lists) of BTF ID values.
743 The ``BTF_ID_LIST`` and ``BTF_ID`` macros define unsorted list of BTF ID values,
744 with following syntax::
750 resulting in following layout in .BTF_ids section::
752 __BTF_ID__type1__name1__1:
754 __BTF_ID__type2__name2__2:
757 The ``u32 list[];`` variable is defined to access the list.
759 The ``BTF_ID_UNUSED`` macro defines 4 zero bytes. It's used when we
760 want to define unused entry in BTF_ID_LIST, like::
762 BTF_ID_LIST(bpf_skb_output_btf_ids)
763 BTF_ID(struct, sk_buff)
765 BTF_ID(struct, task_struct)
767 The ``BTF_SET_START/END`` macros pair defines sorted list of BTF ID values
768 and their count, with following syntax::
775 resulting in following layout in .BTF_ids section::
779 __BTF_ID__type1__name1__3:
781 __BTF_ID__type2__name2__4:
784 The ``struct btf_id_set set;`` variable is defined to access the list.
786 The ``typeX`` name can be one of following::
788 struct, union, typedef, func
790 and is used as a filter when resolving the BTF ID value.
792 All the BTF ID lists and sets are compiled in the .BTF_ids section and
793 resolved during the linking phase of kernel build by ``resolve_btfids`` tool.
798 5.1 bpftool map pretty print
799 ============================
801 With BTF, the map key/value can be printed based on fields rather than simply
802 raw bytes. This is especially valuable for large structure or if your data
803 structure has bitfields. For example, for the following map,::
805 enum A { A1, A2, A3, A4, A5 };
816 struct bpf_map_def SEC("maps") tmpmap = {
817 .type = BPF_MAP_TYPE_ARRAY,
818 .key_size = sizeof(__u32),
819 .value_size = sizeof(struct tmp_t),
822 BPF_ANNOTATE_KV_PAIR(tmpmap, int, struct tmp_t);
824 bpftool is able to pretty print like below:
840 5.2 bpftool prog dump
841 =====================
843 The following is an example showing how func_info and line_info can help prog
844 dump with better kernel symbol names, function prototypes and line
847 $ bpftool prog dump jited pinned /sys/fs/bpf/test_btf_haskv
849 int test_long_fname_2(struct dummy_tracepoint_args * arg):
850 bpf_prog_44a040bf25481309_test_long_fname_2:
851 ; static int test_long_fname_2(struct dummy_tracepoint_args *arg)
856 f: mov %rbx,0x0(%rbp)
857 13: mov %r13,0x8(%rbp)
858 17: mov %r14,0x10(%rbp)
859 1b: mov %r15,0x18(%rbp)
861 21: mov %rax,0x20(%rbp)
864 27: mov %esi,-0x4(%rbp)
866 2a: mov 0x8(%rdi),%rdi
869 32: je 0x0000000000000070
871 ; counts = bpf_map_lookup_elem(&btf_map, &key);
877 The following is an example of how line_info can help debugging verification
880 /* The code at tools/testing/selftests/bpf/test_xdp_noinline.c
881 * is modified as below.
883 data = (void *)(long)xdp->data;
884 data_end = (void *)(long)xdp->data_end;
886 if (data + 4 > data_end)
889 *(u32 *)data = dst->dst;
891 $ bpftool prog load ./test_xdp_noinline.o /sys/fs/bpf/test_xdp_noinline type xdp
892 ; data = (void *)(long)xdp->data;
893 224: (79) r2 = *(u64 *)(r10 -112)
894 225: (61) r2 = *(u32 *)(r2 +0)
895 ; *(u32 *)data = dst->dst;
896 226: (63) *(u32 *)(r2 +0) = r1
897 invalid access to packet, off=0 size=4, R2(id=0,off=0,r=0)
898 R2 offset is outside of the packet
903 You need latest pahole
905 https://git.kernel.org/pub/scm/devel/pahole/pahole.git/
907 or llvm (8.0 or later). The pahole acts as a dwarf2btf converter. It doesn't
908 support .BTF.ext and btf BTF_KIND_FUNC type yet. For example,::
916 -bash-4.4$ gcc -c -O2 -g t.c
917 -bash-4.4$ pahole -JV t.o
919 [1] STRUCT t kind_flag=1 size=4 vlen=3
920 a type_id=2 bitfield_size=2 bits_offset=0
921 b type_id=2 bitfield_size=3 bits_offset=2
922 c type_id=2 bitfield_size=2 bits_offset=5
923 [2] INT int size=4 bit_offset=0 nr_bits=32 encoding=SIGNED
925 The llvm is able to generate .BTF and .BTF.ext directly with -g for bpf target
926 only. The assembly code (-S) is able to show the BTF encoding in assembly
933 int (*f2)(char q1, __int32 q2, ...);
936 int main() { return 0; }
937 int test() { return 0; }
938 -bash-4.4$ clang -c -g -O2 -target bpf t2.c
939 -bash-4.4$ readelf -S t2.o
941 [ 8] .BTF PROGBITS 0000000000000000 00000247
942 000000000000016e 0000000000000000 0 0 1
943 [ 9] .BTF.ext PROGBITS 0000000000000000 000003b5
944 0000000000000060 0000000000000000 0 0 1
945 [10] .rel.BTF.ext REL 0000000000000000 000007e0
946 0000000000000040 0000000000000010 16 9 8
948 -bash-4.4$ clang -S -g -O2 -target bpf t2.c
951 .section .BTF,"",@progbits
952 .short 60319 # 0xeb9f
960 .long 0 # BTF_KIND_FUNC_PROTO(id = 1)
961 .long 218103808 # 0xd000000
963 .long 83 # BTF_KIND_INT(id = 2)
964 .long 16777216 # 0x1000000
966 .long 16777248 # 0x1000020
968 .byte 0 # string offset=0
969 .ascii ".text" # string offset=1
971 .ascii "/home/yhs/tmp-pahole/t2.c" # string offset=7
973 .ascii "int main() { return 0; }" # string offset=33
975 .ascii "int test() { return 0; }" # string offset=58
977 .ascii "int" # string offset=83
979 .section .BTF.ext,"",@progbits
980 .short 60319 # 0xeb9f
989 .long 1 # FuncInfo section string offset=1
996 .long 1 # LineInfo section string offset=1
1001 .long 7182 # Line 7 Col 14
1005 .long 8206 # Line 8 Col 14
1010 Kernel bpf selftest `test_btf.c` provides extensive set of BTF-related tests.