It was definitely a toy, I transliterated from python bytecode (a stack based vm) into bpf. I also wrote the full code gen stack myself (bpf was simpler back then)
But using llvm and not marrying things to cpython implementation makes this approach way better
Thank you! Ours is a toy for now as well, but I think the idea is pretty good, so we'll continue to work on it. (This was actually a hackathon project, so the code is pretty messy and not something I am proud of)
The "How it works under the hood" section raises more question than it answers. What is the difference between step 3 and step 4? As described, step 3 goes from LLVM IR to BPF (via llc), and step 4 - goes from LLVM IR to eBPF bytecode? That's nonsensical.
I'm the co-author.The code is in a very very bad state right now, but the architecture is pretty ok to explain. In step 3, we translate from the Python frontend to the LLVM IR. In step 4 we compile it down to an object file using the LLVM backend `llc`. This object file gets loaded into the kernel and it is what actually contains the eBPF bytecode.
Does anybody know if something similar exists for Node.js? I'd love to be able to integrate BPF into some of my Node projects with the same kind of approach.
Writing C for eBPF is cumbersome and you'd like to avoid it. Okay, that's reasonable. But I don't think it would be a good idea to write a compiler that emits eBPF binary from (a tiny subset of) Python. Why not just write code in pseudo-Python (or whatever language you're comfortable with) and have it translated by an LLM, and paste it in the source code? That would be much better because there would be fewer layers and a significant reduction in runtime cost.
So, instead of having a defined and documented subset of Python that compiles to eBPF in a deterministic way... use an undefined pseudo language and let the LLM have fun with it without understanding if the result C is correct?
The behavior of CPython and a few other implementations of Python (such as PyPy) is well documented and well understood. The semantics of the tiny subset of Python that this Python-to-eBPF compiler understands is not. For example, inferring from the fact that it statically compiles Python-ish AST to LLVM IR, you can have a rough idea that dynamic elements of Python semantics are unlikely to be compiled, but you cannot know exactly which elements without carefully reading the documentation or source code of the compiler. You can guess globals() or locals() won't work, maybe .__dict__ won't as well, but how about type() or isinstance()? You don't know without digging into the documentation (which may be lacking), because the subset of Python this compiler understands is rather arbitrary.
And also, having an LLM translate Python-ish pseudo code into C does not imply that you cannot examine it before putting it into a program. You can manually review it and make modifications as you want. It just reduces time spent compared with writing C code by hand.
But then we have to write the pseudocode anyway (that cannot be corrected by my IDE, so I don't know if I have pseudomistakes [sorry for the pun]), the LLM 'transpile' (that's not understood at all), and you have to review the C code anyway, so you have to know eBPF code really well.
Are you seriously asking why someone might want to do something guaranteed to behave exactly as they defined it, when they could have an LLM hallucinate code that touches the core of their system, instead?
Just try it. Here’s an example that I know it will work flawlessly for, because I used it for this: at $formerjob, all laptops come with a piece of malware called “connections”, which obnoxiously pops up at some point during the day (stealing window/mouse focus) and asks you some asinine survey question about morale on your team and/or the company values. There are a few good ways to solve this: apparmor/selinux (but this runs the risk of your config file conflicting with the rules shipped by IT), a simple bash script that runs pkill every 5 seconds (too slow and it still steals focus, too fast and your laptop fans start spinning), etc. A better way is to use a bpf hook on execve.
Ask an LLM to write a simple ebpf program which kills any program with a specific name/path. Even crappy local models can handle this with ease.
If you’re talking about more complicated map-based programs, you’re probably right that it will struggle a bit, but it will still figure it out. The eBPF api is not very different than any other C api at the end of the day. It will do fine without the standard library, if you ask it to.
The issue here is the static formal validation the kernel does before loading your eBPF program.
(Even humans don't really know how it works. You need to use specific byte width types and access memory in specific patterns or the validation will fail.)
Looks cool, I like the use of decorators as a means to use essentially turn python into some sort of DSL.
One nitpick: Please include a paragraph/section/infobox explaining what eBPF is and what problems should be solved using it. I am a huge fan of making our tech world more accessible and as such we should think to some degree about people who don't know every acronym.
To be honest, this was really a hackathon project. The code quality is very very bad right now. We will be continuing to work on this to make it much better and we'll be adding documentation as we go as well. Thanks for taking a look :)
Not the original BPF, but its successor in the Linux kernel called eBPF [1]. eBPF's virtual machine has additional registers, and crucially, eBPF programs can make some syscalls, which BPF programs can't.
It was definitely a toy, I transliterated from python bytecode (a stack based vm) into bpf. I also wrote the full code gen stack myself (bpf was simpler back then)
But using llvm and not marrying things to cpython implementation makes this approach way better