The bcc project [1], mostly known for its collection of Linux tracing tools, is a framework to ease the development of BPF programs for Linux. Indeed, in its recent releases, the Linux kernel can be extended with small BPF bytecode programs whose memory and fault safety is statically verified at load time. These programs are usually written in a subset of C and compiled to the BPF bytecode. To access kernel memory they must use special functions, called helpers.
The bcc framework provides Python, Lua, and C++ wrappers to install and interact with these programs, as well as syntactic sugar for the C subset. In particular, bcc allows developers to access kernel memory as easily as they would access the BPF stack. C programs are transparently rewritten at load time, before their compilation to BPF bytecode, to translate all dereferences of pointers to kernel memory (called external pointers) into calls to the appropriate helpers.
In this talk, after providing the necessary background on BPF, we will discuss bcc's use of Clang to track external pointers throughout the code and rewrite their dereferences. We will describe the problems we had to overcome with code examples and detail the limitations of the current implementation. Among other things [2], bcc performs three traversals of the AST to track external pointers across BPF programs (through persistent data structures), follows external pointers through assignments, return values, and structure members, and keeps track of their indirections levels.
1 - https://github.com/iovisor/bcc
2 - https://github.com/iovisor/bcc/blob/master/src/cc/frontends/clang/b_frontend_action.cc