| Age | Commit message | Author |
|
Audit of sched_get_priority_min(2): the syscall takes a single int policy
scheduling-policy enum (not an fd or path) and returns the minimum static
priority for that policy, or -1 on error. ior classifies it as KindNull in
FamilySched, consistent with every sibling sched_* syscall and the man page.
Add TestGenerateSchedGetPriorityMinHandler (covering the identical sibling
sched_get_priority_max too) to lock in that the enter handler emits a
null_event without capturing the int policy arg, that the family is
FamilySched, and that a live exit handler emitting EXIT_RET_EVENT is
generated since this syscall returns (unlike the noreturn exit syscalls).
No classification change was required, so generated artifacts are unchanged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of mincore(2) confirmed the existing tracing is correct: KindMem +
FamilyMemory, with addr=args[0], length=args[1], and both flags and length2
held at zero. args[2] is the userspace 'vec' output pointer, not a flags
value, so it is correctly NOT wired into ev->flags.
Add TestGenerateMemHandlerMincore to lock in this wiring and explicitly guard
against the historical mistake of mapping args[2] onto ev->flags the way
flags-bearing siblings (madvise/mlock2/mseal) do.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of madvise(2) (int madvise(void *addr, size_t length, int advice))
confirmed the existing classification and BPF wiring are correct: KindMem /
FamilyMemory, addr=args[0], length=args[1], advice (flags-like) at args[2],
length2=0, and the int return captured generically as UNCLASSIFIED. This is
correctly distinct from process_madvise(2) (KindFd, pidfd at args[0]).
Unlike its KindMem siblings (mprotect, mlock2, brk, map_shadow_stack), madvise
lacked a dedicated handler-field lock-in test. Add TestGenerateMemHandlerMadvise
with positive field assertions plus negative guards: advice must come from
args[2] (not args[0]/addr), length2 must stay zero (no second region), and the
exit must return ctx->ret as UNCLASSIFIED.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the x86 CET map_shadow_stack syscall (Linux 6.6+,
void *map_shadow_stack(unsigned long addr, unsigned long size,
unsigned int flags)) confirmed the existing tracing is correct:
KindMem / FamilyMemory classification, memFieldSpec wires
addr=args[0], length=args[1] (size), flags=args[2], length2=0, and
the return (mapped address or -errno) is captured generically as
ev->ret like every other KindMem exit. Docs and classify tests
already match.
The only gap was the lack of a codegen lock-in test for the BPF
handler field wiring, which mlock2/remap_file_pages/mprotect/brk all
have. Add TestGenerateMemHandlerMapShadowStack to guard against
future drift.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Commit 49b1641 reclassified the futex syscalls (futex, futex_requeue,
futex_wait, futex_waitv, futex_wake) from FamilyMisc to FamilyIPC in the
generated family map but left docs/syscall-tracing-plan.md listing them
under Misc. This drift broke
TestSyscallTracingPlanFamiliesStayInSyncWithGeneratedMap.
Move the 5 futex syscalls into the documented IPC list (alphabetical
order) and drop the stale Misc entries so the documented family
membership matches the generated map again. The IPC rationale is already
recorded in internal/generate/family.go (futexes are shared-memory
synchronization/IPC primitives alongside the System V semaphores).
Fixes regression tracked by task t10.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
exit and exit_group never return to userspace, so their sys_exit
tracepoints can never fire. The generator previously emitted matching
EXIT_RET_EVENT handlers anyway, producing dead code in the generated BPF
program. classifySyscall now skips exit-handler emission for noreturn
syscalls via isNoreturnSyscall, and the regenerated artifacts drop the
sys_exit_exit / sys_exit_exit_group handlers (enter handlers are kept).
Tests updated to match the new reality:
- TestGenerateExitNoreturnHandlers asserts no exit handler is emitted.
- TestClassifySyscallPairEmitsAllFamilies exempts noreturn syscalls from
the exit-handler-required assertion while staying strict for all others.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of gettimeofday(2) confirmed the existing implementation is
correct: it is classified KindNull (userspace timeval/timezone pointer
args, not fd/path) and FamilyTime alongside its clock_gettime/
settimeofday/time siblings; its exit emits a plain ret_event carrying
the int 0/-1 return as UNCLASSIFIED. mage generate produces no diff.
Add lock-in tests mirroring prior syscall audits:
- family_test.go asserts sys_enter/exit_gettimeofday => FamilyTime
- retclassify_test.go asserts gettimeofday exit stays UNCLASSIFIED
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of futex_wake found that the futex family syscalls (futex,
futex_wait, futex_wake, futex_requeue, futex_waitv) were absent from the
syscallFamilies map and fell through to FamilyMisc. Per futex(2) ("fast
user-space locking"), these are shared-memory synchronization/IPC
primitives, conceptually identical to the System V semaphores
(semop/semget) already tagged FamilyIPC. Group them under IPC so
per-family aggregation/reporting bins them with the other synchronization
primitives.
Argument and return-value handling were already correct: futex_wake's
first arg (uaddr) is a userspace pointer, captured via KindFutex
(null_event), and the exit ret_event records the woken-waiter count
(>=0) or -1 on error.
Add lock-in unit tests in family_test.go and regenerate the C/Go
artifacts (generated_tracepoints.go, generated_types.go).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the getpeername(2) syscall confirmed the tracing pipeline already
matches the man page: FamilyNetwork + KindFd (sockfd at args[0]) on enter, and
a plain ret_event (int 0/-1) on exit. The enter classification was already
covered by TestClassifySocketFdSyscallsByName, but the exit path (resolved via
the generic 'ret' field matcher) had no dedicated assertion. Add
TestClassifyExitGetpeername to pin sys_exit_getpeername -> KindRet so future
classifier changes cannot silently regress it.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
exit(2) and exit_group(2) take a single int status arg and never return.
ior classifies both as KindNull (FamilyProcess): the enter handler emits a
null_event without capturing the status arg, and the kernel-exposed
sys_exit_{exit,exit_group} EXIT_RET_EVENT handlers are emitted but never
fire at runtime. Audit confirmed the implementation already matches the
man page; this adds a lock-in test documenting the noreturn behavior.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audited epoll_create/epoll_create1 against man 2 epoll_create.
Implementation already correct: both classify as KindEventfd (fd-creating),
epoll_create(size) hardcodes flags=0 (no flags arg), epoll_create1(flags)
reads ctx->args[0], and exit captures the returned fd via ev->ret.
Add FormatEpollCreate1/FormatExitEpollCreate1 fixtures and
TestGenerateEpollCreate1HandlerUsesArg0Flags as the positive counterpart to
the existing TestGenerateEpollCreateHandlerUsesZeroFlags negative test,
asserting the enter handler captures args[0] as flags rather than 0.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of ioperm(2) confirmed the syscall is traced correctly: classified
as KindNull (name-only enter, no arg decoding) with the exit handler
capturing the raw int return value, matching the man-page semantics
(int ioperm(unsigned long from, unsigned long num, int turn_on) -> 0/-1).
ioperm and its x86 port/CPU-state siblings (iopl, modify_ldt) are not in
the explicit family table and intentionally fall through to Misc. Add
explicit family-classification assertions so a future regression that
accidentally remaps them is caught. No implementation change was needed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
close_range was captured as a single-fd fd_event carrying only first, so
the runtime evicted every tracked fd >= first, ignoring the last upper
bound and the flags. Bounded calls wrongly dropped still-open higher fds,
and CLOSE_RANGE_CLOEXEC (which keeps fds open) was treated as a full close.
Reclassify close_range to the two_fd_event kind, mapping fd_a/fd_b/extra to
first/last/flags. The runtime now closes only the inclusive [first, last]
range (a negative last from ~0U means unbounded) and skips eviction when
CLOSE_RANGE_CLOEXEC is set or the syscall fails.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Wire a real statsengine.Engine as the aggregate sink in five new tests
to verify the full drain path (source -> drainer -> filter -> engine ->
snapshot), closing the coverage gap where BPF aggregate decode, filter
gating, or stats ingestion could break while the existing sampling test
still passed.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
The C struct syscall_aggregate (maps.h) is manually mirrored as
rawSyscallAggregate in Go. Add a test that parses the C definition and
asserts field names, types, sizes, and offsets match the Go struct so
any future schema change is caught at test time.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Snapshot.NonIOFamilies, Snapshot.NonIOFamiliesCount, and
types.IsNonIOSyscallFamily encoded a TUI tab concept in core packages.
Move this filtering into internal/tui/dashboard/nonio.go as unexported
helpers so the dashboard owns its own grouping policy and
Snapshot.Families remains the neutral core API.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
epoll_create(size) was recording size (args[0]) as flags — hardcode to
0 since the syscall has no flags argument. pidfd_open(pid, flags) was
recording pid (args[0]) as flags — use args[1] instead.
Add test fixtures and codegen tests that verify the correct argument
indexes and reject the old wrong ones. Regenerate generated_tracepoints.c.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Default aggregate-only sampling (rate 0) for futex* and clock_gettime
causes BPF to suppress ring-buffer events. In -plain, -flamegraph, and
headless -parquet modes there is no aggregate sink, so these probes
would emit no rows even when explicitly selected. Promote those defaults
to rate 1 during flag resolution; user-explicit overrides are preserved.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
When -tps provides an explicit regex but no -trace-* dimension selectors
are given, skip the implicit FS-only syscall allowlist so that non-FS
tracepoints (e.g. nanosleep) matched by the regex are still attached.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Generated exit handlers now pass the explicit enter trace ID
(SYS_ENTER_X) to ior_on_syscall_exit instead of relying on the
implicit enter_id == exit_id + 1 arithmetic invariant. filter.c
compares directly against the passed enter ID.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Replace the large switch in generateExtra with an extraEmitters
registry (map[TracepointKind]extraEmitter) and convert six inner
switch-on-name helpers to table-driven lookups:
- generateExtraMem -> memFieldOverrides table
- generateExtraEventfd -> eventfdFlagsExpr table
- generateExtraTwoFd -> twoFdOverrides + twoFdDefault
- generateExtraPoll -> pollOverrides + pollTimeoutBody(style)
- generateExtraSleep -> sleepTimespecPtr table
- generateExtraKeyctl -> keyctlOverrides table
Adding a new syscall kind or variant now requires only a table
entry instead of editing switch arms with raw C string literals.
Generated BPF C output is behaviorally equivalent; all existing
tests pass unchanged.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Move aggregate drain scheduling, filter compatibility policy,
trace-ID allowlisting, and warning construction into a dedicated
aggregateDrainer type. eventLoop now only creates and ticks it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|