coderplay/bpf

## bpf

$ sudo   /usr/local/sbin/ply -D  -c 'kprobe:vfs_read{ printf("%v: %v\n", comm(), arg(0)); }'
symtable:
ast:
`-> <script> (type:script/none size:0x0 loc:nowhere)
    `-> kprobe:vfs_read (type:probe/none size:0x0 loc:nowhere)
        `-> <auto>.printf (type:call/none size:0x0 loc:reg/0)
            |-> "%v: %v\n"(type:str/str size:0x8 loc:virtual)
            `-> <rec> (type:rec/none size:0x20 loc:stack/-0x20)
                |-> 0 (type:int/int size:0x8 loc:stack/-0x20)
                |-> <auto>.comm (type:call/str size:0x10 loc:stack/-0x18)
                `-> <auto>.arg (type:call/int size:0x8 loc:stack/-0x8)
                    `-> 0xe (type:int/int size:0x8 loc:virtual)
  0:	mov	ctx, r1
dmp compile_post        : > <int> (int/int/0x8)
  1:	stw	[sp - 0x20], #0x0
  2:	stw	[sp - 0x1c], #0x0
dmp compile_post        : < <int> (int/int/0x8)
dmp compile_post        : > comm (call/str/0x10)
  3:	mov	r0, #0x0
  4:	stdw	[sp - 0x18], r0
  5:	stdw	[sp - 0x10], r0
  6:	mov	r1, sp
  7:	add	r1, #-0x18
  8:	mov	r2, #0x10
  9:	call	get_current_comm
dmp compile_post        : < comm (call/str/0x10)
dmp compile_post        : > arg (call/int/0x8)
 10:	mov	r0, #0x0
 11:	stdw	[sp - 0x8], r0
 12:	mov	r1, sp
 13:	add	r1, #-0x8
 14:	mov	r2, #0x8
 15:	mov	r3, ctx
 16:	add	r3, #0x70
 17:	call	probe_read
dmp compile_post        : < arg (call/int/0x8)
dmp compile_post        : > <rec> (rec/none/0x20)
dmp compile_post        : < <rec> (rec/none/0x20)
dmp compile_post        : > printf (call/none/0)
 18:	call	8
 19:	mov	r3, r0
 20:	mov	r1, ctx
 21:	lddw	r2, r1
 22:	ldw	r0, #0x0
 23:	mov	r4, sp
 24:	add	r4, #-0x20
 25:	mov	r5, #0x20
 26:	call	perf_event_output
dmp compile_post        : < printf (call/none/0)
 27:	mov	r0, #0x0
 28:	exit

	$ sudo /usr/local/sbin/ply -D -c 'kprobe:vfs_read{ printf("%v: %v\n", comm(), arg(0)); }'
	symtable:
	ast:
	`-> <script> (type:script/none size:0x0 loc:nowhere)
	`-> kprobe:vfs_read (type:probe/none size:0x0 loc:nowhere)
	`-> <auto>.printf (type:call/none size:0x0 loc:reg/0)
	\|-> "%v: %v\n"(type:str/str size:0x8 loc:virtual)
	`-> <rec> (type:rec/none size:0x20 loc:stack/-0x20)
	\|-> 0 (type:int/int size:0x8 loc:stack/-0x20)
	\|-> <auto>.comm (type:call/str size:0x10 loc:stack/-0x18)
	`-> <auto>.arg (type:call/int size:0x8 loc:stack/-0x8)
	`-> 0xe (type:int/int size:0x8 loc:virtual)
	0: mov ctx, r1
	dmp compile_post : > <int> (int/int/0x8)
	1: stw [sp - 0x20], #0x0
	2: stw [sp - 0x1c], #0x0
	dmp compile_post : < <int> (int/int/0x8)
	dmp compile_post : > comm (call/str/0x10)
	3: mov r0, #0x0
	4: stdw [sp - 0x18], r0
	5: stdw [sp - 0x10], r0
	6: mov r1, sp
	7: add r1, #-0x18
	8: mov r2, #0x10
	9: call get_current_comm
	dmp compile_post : < comm (call/str/0x10)
	dmp compile_post : > arg (call/int/0x8)
	10: mov r0, #0x0
	11: stdw [sp - 0x8], r0
	12: mov r1, sp
	13: add r1, #-0x8
	14: mov r2, #0x8
	15: mov r3, ctx
	16: add r3, #0x70
	17: call probe_read
	dmp compile_post : < arg (call/int/0x8)
	dmp compile_post : > <rec> (rec/none/0x20)
	dmp compile_post : < <rec> (rec/none/0x20)
	dmp compile_post : > printf (call/none/0)
	18: call 8
	19: mov r3, r0
	20: mov r1, ctx
	21: lddw r2, r1
	22: ldw r0, #0x0
	23: mov r4, sp
	24: add r4, #-0x20
	25: mov r5, #0x20
	26: call perf_event_output
	dmp compile_post : < printf (call/none/0)
	27: mov r0, #0x0
	28: exit