swananan
diff --git a/‎docs/configuration.md‎
Lines changed: 8 additions & 0 deletions b/‎docs/configuration.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎docs/scripting.md‎
Lines changed: 24 additions & 2 deletions b/‎docs/scripting.md‎
Lines changed: 24 additions & 2 deletions
diff --git a/‎docs/zh/configuration.md‎
Lines changed: 9 additions & 0 deletions b/‎docs/zh/configuration.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎docs/zh/scripting.md‎
Lines changed: 24 additions & 2 deletions b/‎docs/zh/scripting.md‎
Lines changed: 24 additions & 2 deletions
@@ -289,6 +289,12 @@ proc_module_offsets_max_entries = 4096  # Default
 # Increase to dump more bytes per argument.
 mem_dump_cap = 4096
 
+# Compare cap for built-in comparisons (strncmp/starts_with/memcmp).
+# Controls the maximum number of bytes compared per call.
+# Effective compare length is min(max(len, 0), compare_cap).
+# Default: 64 bytes.
+compare_cap = 64
+
 # Maximum size of a single trace event (bytes). Applies to PerfEventArray accumulation buffer.
 max_trace_event_size = 32768
 
@@ -364,6 +370,7 @@ max_entries = 10000
 [ebpf]
 ringbuf_size = 1048576  # 1MB buffer for high event rates
 mem_dump_cap = 4096     # Larger per-arg dump
+compare_cap = 64        # Max bytes for built-in compares (strncmp/memcmp)
 max_trace_event_size = 65536  # Larger event size for big formatted prints
 proc_module_offsets_max_entries = 8192  # Support many modules
 
@@ -379,6 +386,7 @@ enable_console_logging = false
 [ebpf]
 ringbuf_size = 131072  # 128KB minimal buffer
 mem_dump_cap = 512
+compare_cap = 32       # Smaller compare cap for minimal overhead
 max_trace_event_size = 16384
 proc_module_offsets_max_entries = 1024  # Single process only
 
 
@@ -364,7 +364,7 @@ Performance and safety notes:
 
 - Comparisons are compiled into bounded, branch-light checks to be verifier-friendly on most kernels. Still, placing many string comparisons in a single probe or attaching at extremely hot sites may add CPU and verifier load.
 - Prefer attaching at less-hot lines/functions if you only need occasional confirmation (e.g., update sites for a string field), or split multiple heavy comparisons into separate trace points.
-- Builtins (`strncmp`/`starts_with`) cap read length to 64 bytes for safety (see `STRING_BUILTIN_READ_CAP` in `ghostscope-compiler/src/ebpf/expression.rs`).
+- Builtins (`strncmp`/`starts_with`) cap read length by `ebpf.compare_cap` (default 64 bytes).
   CString equality reads only `L+1` bytes (no extra cap beyond the literal length).
 
 // Floats are not supported in GhostScope scripts.
@@ -379,12 +379,21 @@ Supported built-ins (phase 1):
   - Does not require a terminating NUL within `n` bytes.
   - `expr` may be a DWARF `char*`, `char[N]`, or a generic pointer expression; GhostScope performs a bounded user-memory read and compares bytes.
   - Any read failure evaluates to `false`.
-  - Read length is capped at 64 bytes; if `n` exceeds the cap or the available array size, it is truncated. See `STRING_BUILTIN_READ_CAP` in `ghostscope-compiler/src/ebpf/expression.rs`.
+  - Read length is capped by configuration `ebpf.compare_cap` (default 64 bytes). If `n` exceeds the cap or the available array size, it is truncated.
 
 - `starts_with(expr, "lit")`
   - Equivalent to `strncmp(expr, "lit", len("lit"))`.
   - Same failure and safety semantics as above.
 
+- `memcmp(expr_a, expr_b, len)`
+  - Boolean variant: returns `true` iff the first `len` bytes at `expr_a` and `expr_b` are identical.
+  - Pointer vs pointer only; for literal comparisons against strings, use `strncmp`/`starts_with` instead.
+  - `len` can be a script integer expression; negative values clamp to 0, and a configurable cap (`ebpf.compare_cap`, default 64) applies. The effective compare length is `min(max(len,0), CAP)`.
+  - No NUL-terminator semantics; compares raw bytes only.
+  - Any read failure on either side evaluates to `false`.
+  - If `len == 0`, the result is `true` and no user-memory read is performed (fast-path).
+  - Implementation is verifier-friendly: reads are bounded and comparisons are accumulated without early exits.
+
 Verifier friendliness and performance:
 - Compiles to branch-light byte comparisons (e.g., XOR/OR accumulation) to avoid verifier state explosion.
 - Avoid packing many large string checks into a single very hot probe; consider splitting trace points or using less-hot sites when possible.
@@ -408,6 +417,19 @@ trace globals_program.c:32 {
 trace process_record {
     print "rec_http:{}", strncmp(record, "HTTP", 4); // record: struct* -> false
 }
+
+// Raw memory equality between two pointers
+trace globals_program.c:32 {
+    // Equal bytes
+    if memcmp(&lib_pattern[0], &lib_pattern[0], 16) { print "EQ"; } else { print "NE"; }
+    // Different due to offset
+    if memcmp(&lib_pattern[0], &lib_pattern[1], 16) { print "EQ2"; } else { print "NE2"; }
+    // len=0 → true
+    if memcmp(&lib_pattern[0], &lib_pattern[1], 0) { print "Z0"; }
+    // Dynamic length from script variable
+    let n = 10;
+    if memcmp(&lib_pattern[0], &lib_pattern[0], n) { print "DYN_EQ"; }
+}
 ```
 ```
 
 
@@ -287,6 +287,11 @@ proc_module_offsets_max_entries = 4096  # 默认
 # 扩展格式占位符（{:x}/{:s}）单个参数的内存转储上限（字节）。
 mem_dump_cap = 4096
 
+# 内置比较（strncmp/starts_with/memcmp）的最大比较字节数。
+# 实际比较长度为 min(max(len, 0), compare_cap)。
+# 默认：64 字节。
+compare_cap = 64
+
 # 单条 trace 事件的最大大小（字节）。适用于 PerfEventArray 累计缓冲区。
 max_trace_event_size = 32768
 
@@ -361,6 +366,8 @@ max_entries = 10000
 # 针对高频事件跟踪优化
 [ebpf]
 ringbuf_size = 1048576  # 1MB 缓冲区用于高事件率
+mem_dump_cap = 4096     # 单参数转储上限更高
+compare_cap = 64        # 内置比较最大比较字节数（strncmp/memcmp）
 proc_module_offsets_max_entries = 8192  # 支持更多模块
 
 [general]
@@ -374,6 +381,8 @@ enable_console_logging = false
 # 生产环境最小资源占用
 [ebpf]
 ringbuf_size = 131072  # 128KB 最小缓冲区
+mem_dump_cap = 512
+compare_cap = 32       # 降低内置比较上限以减小开销
 proc_module_offsets_max_entries = 1024  # 仅单进程
 
 [general]
 
@@ -251,19 +251,28 @@ print "tail={:s.n$}", p;          // 长度来自变量 n
 
 ## 内置函数
 
-GhostScope 提供两个字符串内置函数，用于高效、对 verifier 友好的比较：
+GhostScope 提供若干对 verifier 友好的内置比较函数：
 
 - `strncmp(expr, "lit", n)`
   - 将 `expr` 指向的内存前 `n` 个字节与字面量 `lit` 比较。
   - 在 `n` 字节内不要求出现终止符 `\0`。
   - `expr` 可为 DWARF 的 `char*`、`char[N]`，也可为通用指针；GhostScope 会做有界的用户态内存读取并按字节比较。
   - 任何读取失败均返回 `false`。
-  - 为安全起见比较长度固定上限为 64 字节（编译器常量 `STRING_BUILTIN_READ_CAP`，见 `ghostscope-compiler/src/ebpf/expression.rs`）；若 `n` 超过上限或数组可用长度，会自动裁剪。
+  - 比较长度由配置 `ebpf.compare_cap` 控制（默认 64 字节）；若 `n` 超过上限或数组可用长度，会自动裁剪。
 
 - `starts_with(expr, "lit")`
   - 等价于 `strncmp(expr, "lit", len("lit"))`。
   - 失败与安全语义同上。
 
+- `memcmp(expr_a, expr_b, len)`
+  - 布尔语义：若 `expr_a` 与 `expr_b` 所指内存的前 `len` 个字节完全一致，返回 `true`，否则 `false`。
+  - 仅支持指针对指针；若需与字符串字面量比较，请使用 `strncmp`/`starts_with`。
+  - `len` 支持脚本整数表达式；负值会被钳为 0，并受配置上限 `ebpf.compare_cap`（默认 64 字节）裁剪。有效比较长度为 `min(max(len,0), CAP)`。
+  - 不涉及 NUL 终止；按原始字节比较。
+  - 任一侧读取失败均按 `false` 处理。
+  - 若 `len == 0`，结果为 `true`，且不会执行任何用户内存读取（快速路径）。
+  - 实现为固定上界、无早退的按字节累积比较，便于通过 verifier。
+
 Verifier 友好与性能：
 - 内置函数生成的比较逻辑尽量少分支（如按字节 XOR/OR 累积），降低 verifier 状态数量。
 - 避免在极热的探针里塞入大量大字符串比较；必要时拆分脚本或选择不那么热的落点。
@@ -287,6 +296,19 @@ trace globals_program.c:32 {
 trace process_record {
     print "rec_http:{}", strncmp(record, "HTTP", 4); // record: struct* -> false
 }
+
+// 两个指针之间的原始内存等值比较
+trace globals_program.c:32 {
+    // 完全相等
+    if memcmp(&lib_pattern[0], &lib_pattern[0], 16) { print "EQ"; } else { print "NE"; }
+    // 偏移后产生差异
+    if memcmp(&lib_pattern[0], &lib_pattern[1], 16) { print "EQ2"; } else { print "NE2"; }
+    // len=0 → true
+    if memcmp(&lib_pattern[0], &lib_pattern[1], 0) { print "Z0"; }
+    // 动态长度来自脚本变量
+    let n = 10;
+    if memcmp(&lib_pattern[0], &lib_pattern[0], n) { print "DYN_EQ"; }
+}
 ```
 
 ## 条件语句