Add real-time output for funccount execution trace mode #54

Merged: saimizi merged 1 commit into main from feature/trace_func_call on Jan 17, 2026

@saimizi saimizi commented Jan 17, 2026

Summary

This PR implements real-time output for funccount's -e (execution trace) option. Previously, the -e option would only display results at the end of tracing. Now, function call events are printed immediately as they occur.

Changes

BPF Layer (funccount/bpf/funccount.bpf.c)

  • Modified to send full exectrace_event struct (40 bytes) through perf buffer for exec mode
  • Stack mode continues to send only PID (4 bytes) for backward compatibility
  • Events are discriminated by size in userspace

Userspace Layer (funccount/funccount.rs)

  • Rewrote perf buffer callback to handle both event types (4-byte PID vs 40-byte full event)
  • Added real-time symbol resolution (kernel and userspace)
  • Events print immediately with timestamp, PID, command name, and function name
  • Implemented count limit support (-c flag) with early exit
  • Post-processing skipped for exec mode (all output already printed in real-time)
  • Created SymbolAnalyzer early for real-time symbol resolution
  • Added shared atomic state for thread-safe count tracking

Bug Fix

  • Used flexible size check (>= 40 instead of == 40) to handle struct padding from kernel-userspace boundary

Features

✅ Real-time output - events print as they occur
✅ Count limit support - honors -c flag to stop after N events
✅ Symbol resolution - resolves kernel and userspace symbols before printing
✅ Relative timestamps - works with -r flag
✅ Backward compatible - stack trace mode unchanged
✅ Multi-CPU safe - uses atomic operations for thread safety

Test Plan

Tested with:

  • sudo funccount -e k:vfs_read - Basic real-time trace
  • sudo funccount -e -c 10 k:vfs_read - Count limit
  • sudo funccount -e -r k:vfs_read - Relative timestamps
  • sudo funccount k:vfs_read - Stack mode (backward compatibility verified)

🤖 Generated with Claude Code

Modify funccount's -e option to print events immediately as they occur
instead of only displaying results at the end of tracing.

Changes:
- BPF: Send full exectrace_event (40 bytes) via perf buffer for exec mode
- BPF: Keep sending PID (4 bytes) for stack mode (backward compatible)
- Userspace: Rewrite perf buffer callback to handle both event types
- Userspace: Add real-time symbol resolution and immediate printing
- Userspace: Support count limit (-c) with early exit
- Userspace: Skip post-processing for exec mode
- Fix: Use flexible size check (>= 40) to handle struct padding

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

@saimizi saimizi merged commit d94a3a2 into main Jan 17, 2026
3 checks passed
@saimizi saimizi deleted the feature/trace_func_call branch January 17, 2026 14:37
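
The size-based dispatch and count limit described in this PR, as an added example that is not code from the funccount repository. The 40-byte field layout, the names `parse_event`, `within_limit` and `sample_exec`, and the rejection of all other lengths are assumptions; the PR states only the 4-byte and 40-byte sizes and the `>= 40` check.

```rust
use std::sync::atomic::{AtomicU64, Ordering};
const EXEC_EVENT_SIZE: usize = 40; // exec-mode record size stated in the PR

#[derive(Debug, PartialEq)]
pub enum Event {
    StackPid(u32),
    Exec { ts_ns: u64, pid: u32, comm: String, addr: u64 },
    Malformed(usize),
}
// Copy N bytes at offset `o`; callers have already checked the length.
fn arr<const N: usize>(b: &[u8], o: usize) -> [u8; N] {
    let mut a = [0u8; N]; a.copy_from_slice(&b[o..o + N]); a
}

// Assumed layout (not from the PR): ts u64 @0, pid u32 @8, 4 unused, comm[16] @16,
// addr u64 @32. Bytes past offset 40 are treated as padding and ignored.
pub fn parse_event(data: &[u8]) -> Event {
    match data.len() {
        n if n >= EXEC_EVENT_SIZE => {
            let comm = &data[16..32];
            let end = comm.iter().position(|&c| c == 0).unwrap_or(comm.len());
            Event::Exec {
                ts_ns: u64::from_ne_bytes(arr(data, 0)),
                pid: u32::from_ne_bytes(arr(data, 8)),
                comm: String::from_utf8_lossy(&comm[..end]).into_owned(),
                addr: u64::from_ne_bytes(arr(data, 32)),
            }
        }
        4 => Event::StackPid(u32::from_ne_bytes(arr(data, 0))),
        n => Event::Malformed(n), // reject instead of indexing a short buffer
    }
}

// fetch_add hands each caller a unique slot, so exactly `limit` events pass across threads.
pub fn within_limit(seen: &AtomicU64, limit: Option<u64>) -> bool {
    let prev = seen.fetch_add(1, Ordering::Relaxed);
    limit.map_or(true, |n| prev < n)
}

pub fn sample_exec(pad: usize) -> Vec<u8> { // constructed record plus `pad` padding bytes
    let mut v = vec![0u8; EXEC_EVENT_SIZE + pad];
    v[0..8].copy_from_slice(&1_000u64.to_ne_bytes());
    v[8..12].copy_from_slice(&4242u32.to_ne_bytes());
    v[16..19].copy_from_slice(b"cat");
    v[32..40].copy_from_slice(&0xffff_ffff_8123_4567u64.to_ne_bytes());
    v
}

fn main() {
    let seen = AtomicU64::new(0);
    if within_limit(&seen, Some(1)) { println!("{:?}", parse_event(&sample_exec(4))); }
}
```

An exact `== 40` comparison would send the padded sample to the `Malformed` arm, which is the failure the PR's bug fix addresses.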