| Age | Commit message (Collapse) | Author |
|---|
|
Audit of sysinfo(2): int sysinfo(struct sysinfo *info) returns overall
system statistics into a single userspace output pointer (not an fd or
path) and returns 0/-1. The existing classification was already correct
(KindNull, FamilyMisc, UNCLASSIFIED return) and docs/generated artifacts
are consistent; no behavior change was needed.
Add dedicated lock-in regression tests mirroring the rt_sigpending audit:
- TestGenerateSysinfoHandler: enter emits a null_event and captures no
args; exit emits a ret_event with ctx->ret tagged UNCLASSIFIED.
- TestClassifyRetSysinfoUnclassified: the 0/-1 status is never a byte
count.
- family_test.go: assert sysinfo/newuname/sysfs stay in FamilyMisc, with
a note that ustat is FamilyFS (matched by the 'stat' name marker) and
is intentionally not grouped here.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
utime(2) and utimes(2) change a file's access/modification times by a real
filesystem path (filename at args[0]). The path was already captured
(KindPathname), but both syscalls fell through to FamilyMisc instead of
joining their siblings utimensat/futimesat in FamilyFS. Add them to
fsSyscalls and regenerate; the only generated change is trace IDs
1034-1037 flipping FamilyMisc -> FamilyFS.
Lock-in coverage:
- family_test.go asserts utime/utimes/utimensat/futimesat are all FamilyFS.
- classify_test.go + FormatUtime fixture assert utime is KindPathname with
PathnameField "filename" (path captured even though it is a char* string,
unlike domain/host name args).
- New ioworkload scenarios utime-basic/utimes/enoent and integration tests
TestUtimeBasic/Utimes/Enoent verify the path is captured at runtime,
including on the ENOENT error path.
Docs updated: moved utime/utimes from Misc to FS in
docs/syscall-tracing-plan.md to keep the drift tests green.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of rt_sigpending(2) confirmed the existing classification is correct
and added lock-in coverage:
- KindNull: int rt_sigpending(sigset_t *set, size_t sigsetsize). args[0] is
a userspace output pointer to a sigset_t (a signal mask, not a traced I/O
resource) and args[1] is the byte size; neither is an fd or path. The enter
handler emits a null_event and must not capture either arg. Added
TestGenerateRtSigpendingHandler with a negative assertion guarding against
any ctx->args[] capture in the enter handler.
- Exit ret_type=UNCLASSIFIED: rt_sigpending returns 0/-1, a status code, not
a byte count, so it must never be tagged READ/WRITE/TRANSFER. Added an exit
handler assertion plus TestClassifyRetRtSigpendingUnclassified.
- FamilySignals: shares the family with the whole rt_sig* group plus
kill/pause/sigaltstack/tkill/tgkill. Added lock-in family cases asserting
every rt_sig* sibling alongside rt_sigpending in TestClassifySyscallFamily.
No classification/codegen/doc changes were required; mage generate produces
no diff. Full ./internal/... passes (only the known pre-existing flake
TestCleanupLeakedWorkloadTempDirCaughtByAssertion fails, unrelated).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of sendmsg(2) found the tracing implementation already correct:
enter is an fd_event with fd=args[0] (the kernel tracepoint first field
is 'int fd'), family is Network, and the exit is WRITE_CLASSIFIED so the
bytes-sent return value is counted as written, consistent with the
send/sendto/write siblings and distinct from recvmsg (read side) and the
deferred sendmmsg batch variant.
Add TestClassifySendmsgWriteByteCount as a lock-in regression test
pinning KindFd + FamilyNetwork + WRITE_CLASSIFIED, with recvmsg and
sendmmsg contrast cases to guard against read/write and batch
misclassification.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of sched_getattr confirmed it is correctly classified as
FamilySched + KindNull, consistent with its siblings (sched_setattr,
sched_getparam, sched_getscheduler). The syscall's first argument is a
pid_t (a process/thread id), not a file descriptor, and the kernel
tracepoint field is named "pid" rather than "fd", so the fd heuristic
never applies; the name-only classification table also short-circuits
before any field inspection.
Add TestClassifySchedGetattrPidNotFd as a regression guard that pins
KindNull and FamilySched using the real kernel field layout, explicitly
asserting the pid arg is never treated as an fd, plus sibling
consistency. No behavior or generated-artifact changes (mage generate
produces no diff).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the set_mempolicy_home_node(2) NUMA syscall (task mz) confirmed
it is correctly classified: KindNull (name-only, ior does not capture the
addr/len range), FamilyMemory (matching its siblings set_mempolicy, mbind,
migrate_pages, move_pages and docs/syscall-tracing-plan.md), and an
Unclassified return (0/-1 with no byte count).
Add lock-in tests so the classification cannot silently drift:
- family_test.go asserts FamilyMemory for set_mempolicy_home_node and its
NUMA siblings, with a note that get_mempolicy is the lone sibling still
on FamilySecurity (tracked separately, out of scope here).
- retclassify_test.go asserts the exit stays UNCLASSIFIED.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
The Linux Security Module introspection syscalls lsm_list_modules,
lsm_get_self_attr and lsm_set_self_attr (Linux 6.8+) were classified as
FamilyMisc while every sibling LSM/security syscall (landlock_*, keyctl,
add_key, request_key, seccomp) is FamilySecurity. This audited
inconsistency is fixed by adding the three lsm_* entries to the
syscallFamilies map; their kind stays KindNull (args are userspace
pointers + flags, no fd/path) and the exit remains a ret_event.
Docs (syscall-tracing-plan.md) updated accordingly, generated artifacts
regenerated via mage generate, and lock-in family assertions added to
TestClassifySyscallPairEmitsAllFamilies.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of process_madvise(2) confirmed the existing classification is correct
and added lock-in coverage:
- KindFd with fd=args[0]: the first arg is a pidfd (a PID file descriptor
selecting the target process), not an address, so it must NOT be treated
like madvise(2) (KindMem, addr=args[0]). Extended the enter-handler test
with a negative assertion guarding against the KindMem addr wiring.
- Exit ret_type=UNCLASSIFIED: process_madvise returns the number of bytes
advised, but that is advisory accounting, not real I/O data movement, so it
stays UNCLASSIFIED like madvise(2). Added an exit-handler assertion plus
TestClassifyRetProcessMadviseUnclassified.
- FamilyMemory: shares the family with madvise/process_mrelease/process_vm_*
siblings rather than FamilyIPC (pidfd_* lifecycle). Added family lock-in
cases in family_test.go.
No classification/codegen changes were required; mage generate produces no
diff. Full ./internal/... passes.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of sync_file_range(2) confirmed the existing tracing is correct:
classified as KindFd (FS family) with fd from args[0] per the kernel
tracepoint format, and an UNCLASSIFIED ret (int 0/-1, no userspace
bytes transferred) - identical to siblings fsync/fdatasync/fadvise64/
readahead. The byte range/offset/flags are intentionally not captured
for fd-kind syscalls.
Add SyncFileRangeFailureTest to lock in the EBADF path: the enter
fd_event still pairs with the exit ret_event carrying ret=-9, and the
eventloop synthesizes a placeholder FdFile (unknown name, O_NONE flags)
for the never-opened bogus fd rather than dropping file metadata.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of setdomainname(2): its first arg is a const char *name, but that
name is the NIS/YP domain-name string, not a filesystem path. The name-only
classification table pins it to KindNull, which short-circuits before the
field-based path heuristic that would otherwise treat a const char *name arg
as KindPathname. Classification, family (Misc), docs, and existing tests all
already matched; this adds a dedicated lock-in test asserting KindNull, an
empty PathnameField, and kind+family parity with the sibling sethostname.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the rseq(2) syscall confirmed the existing classification is
correct and consistent with its siblings:
- KindNull: the rseq argument is a userspace struct pointer (not an fd or
filesystem path), and args[2] flags are intentionally not captured, in
line with the KindNull convention shared with set_robust_list and
membarrier. (Already covered by classify_test.go.)
- FamilyMisc: rseq is not in the explicit family table and falls through
to Misc, grouped with its closest per-thread sibling
set_robust_list/get_robust_list (also Misc).
- Return value is int 0/-1 with no byte count, so its exit stays
UNCLASSIFIED.
Add lock-in tests for the family and return-value classification (kind
was already covered) so a future drift in either is caught.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of sched_get_priority_min(2): the syscall takes a single int policy
scheduling-policy enum (not an fd or path) and returns the minimum static
priority for that policy, or -1 on error. ior classifies it as KindNull in
FamilySched, consistent with every sibling sched_* syscall and the man page.
Add TestGenerateSchedGetPriorityMinHandler (covering the identical sibling
sched_get_priority_max too) to lock in that the enter handler emits a
null_event without capturing the int policy arg, that the family is
FamilySched, and that a live exit handler emitting EXIT_RET_EVENT is
generated since this syscall returns (unlike the noreturn exit syscalls).
No classification change was required, so generated artifacts are unchanged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of mincore(2) confirmed the existing tracing is correct: KindMem +
FamilyMemory, with addr=args[0], length=args[1], and both flags and length2
held at zero. args[2] is the userspace 'vec' output pointer, not a flags
value, so it is correctly NOT wired into ev->flags.
Add TestGenerateMemHandlerMincore to lock in this wiring and explicitly guard
against the historical mistake of mapping args[2] onto ev->flags the way
flags-bearing siblings (madvise/mlock2/mseal) do.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of madvise(2) (int madvise(void *addr, size_t length, int advice))
confirmed the existing classification and BPF wiring are correct: KindMem /
FamilyMemory, addr=args[0], length=args[1], advice (flags-like) at args[2],
length2=0, and the int return captured generically as UNCLASSIFIED. This is
correctly distinct from process_madvise(2) (KindFd, pidfd at args[0]).
Unlike its KindMem siblings (mprotect, mlock2, brk, map_shadow_stack), madvise
lacked a dedicated handler-field lock-in test. Add TestGenerateMemHandlerMadvise
with positive field assertions plus negative guards: advice must come from
args[2] (not args[0]/addr), length2 must stay zero (no second region), and the
exit must return ctx->ret as UNCLASSIFIED.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the x86 CET map_shadow_stack syscall (Linux 6.6+,
void *map_shadow_stack(unsigned long addr, unsigned long size,
unsigned int flags)) confirmed the existing tracing is correct:
KindMem / FamilyMemory classification, memFieldSpec wires
addr=args[0], length=args[1] (size), flags=args[2], length2=0, and
the return (mapped address or -errno) is captured generically as
ev->ret like every other KindMem exit. Docs and classify tests
already match.
The only gap was the lack of a codegen lock-in test for the BPF
handler field wiring, which mlock2/remap_file_pages/mprotect/brk all
have. Add TestGenerateMemHandlerMapShadowStack to guard against
future drift.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Commit 49b1641 reclassified the futex syscalls (futex, futex_requeue,
futex_wait, futex_waitv, futex_wake) from FamilyMisc to FamilyIPC in the
generated family map but left docs/syscall-tracing-plan.md listing them
under Misc. This drift broke
TestSyscallTracingPlanFamiliesStayInSyncWithGeneratedMap.
Move the 5 futex syscalls into the documented IPC list (alphabetical
order) and drop the stale Misc entries so the documented family
membership matches the generated map again. The IPC rationale is already
recorded in internal/generate/family.go (futexes are shared-memory
synchronization/IPC primitives alongside the System V semaphores).
Fixes regression tracked by task t10.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
exit and exit_group never return to userspace, so their sys_exit
tracepoints can never fire. The generator previously emitted matching
EXIT_RET_EVENT handlers anyway, producing dead code in the generated BPF
program. classifySyscall now skips exit-handler emission for noreturn
syscalls via isNoreturnSyscall, and the regenerated artifacts drop the
sys_exit_exit / sys_exit_exit_group handlers (enter handlers are kept).
Tests updated to match the new reality:
- TestGenerateExitNoreturnHandlers asserts no exit handler is emitted.
- TestClassifySyscallPairEmitsAllFamilies exempts noreturn syscalls from
the exit-handler-required assertion while staying strict for all others.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of gettimeofday(2) confirmed the existing implementation is
correct: it is classified KindNull (userspace timeval/timezone pointer
args, not fd/path) and FamilyTime alongside its clock_gettime/
settimeofday/time siblings; its exit emits a plain ret_event carrying
the int 0/-1 return as UNCLASSIFIED. mage generate produces no diff.
Add lock-in tests mirroring prior syscall audits:
- family_test.go asserts sys_enter/exit_gettimeofday => FamilyTime
- retclassify_test.go asserts gettimeofday exit stays UNCLASSIFIED
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of futex_wake found that the futex family syscalls (futex,
futex_wait, futex_wake, futex_requeue, futex_waitv) were absent from the
syscallFamilies map and fell through to FamilyMisc. Per futex(2) ("fast
user-space locking"), these are shared-memory synchronization/IPC
primitives, conceptually identical to the System V semaphores
(semop/semget) already tagged FamilyIPC. Group them under IPC so
per-family aggregation/reporting bins them with the other synchronization
primitives.
Argument and return-value handling were already correct: futex_wake's
first arg (uaddr) is a userspace pointer, captured via KindFutex
(null_event), and the exit ret_event records the woken-waiter count
(>=0) or -1 on error.
Add lock-in unit tests in family_test.go and regenerate the C/Go
artifacts (generated_tracepoints.go, generated_types.go).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the getpeername(2) syscall confirmed the tracing pipeline already
matches the man page: FamilyNetwork + KindFd (sockfd at args[0]) on enter, and
a plain ret_event (int 0/-1) on exit. The enter classification was already
covered by TestClassifySocketFdSyscallsByName, but the exit path (resolved via
the generic 'ret' field matcher) had no dedicated assertion. Add
TestClassifyExitGetpeername to pin sys_exit_getpeername -> KindRet so future
classifier changes cannot silently regress it.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
exit(2) and exit_group(2) take a single int status arg and never return.
ior classifies both as KindNull (FamilyProcess): the enter handler emits a
null_event without capturing the status arg, and the kernel-exposed
sys_exit_{exit,exit_group} EXIT_RET_EVENT handlers are emitted but never
fire at runtime. Audit confirmed the implementation already matches the
man page; this adds a lock-in test documenting the noreturn behavior.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audited epoll_create/epoll_create1 against man 2 epoll_create.
Implementation already correct: both classify as KindEventfd (fd-creating),
epoll_create(size) hardcodes flags=0 (no flags arg), epoll_create1(flags)
reads ctx->args[0], and exit captures the returned fd via ev->ret.
Add FormatEpollCreate1/FormatExitEpollCreate1 fixtures and
TestGenerateEpollCreate1HandlerUsesArg0Flags as the positive counterpart to
the existing TestGenerateEpollCreateHandlerUsesZeroFlags negative test,
asserting the enter handler captures args[0] as flags rather than 0.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of ioperm(2) confirmed the syscall is traced correctly: classified
as KindNull (name-only enter, no arg decoding) with the exit handler
capturing the raw int return value, matching the man-page semantics
(int ioperm(unsigned long from, unsigned long num, int turn_on) -> 0/-1).
ioperm and its x86 port/CPU-state siblings (iopl, modify_ldt) are not in
the explicit family table and intentionally fall through to Misc. Add
explicit family-classification assertions so a future regression that
accidentally remaps them is caught. No implementation change was needed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
close_range was captured as a single-fd fd_event carrying only first, so
the runtime evicted every tracked fd >= first, ignoring the last upper
bound and the flags. Bounded calls wrongly dropped still-open higher fds,
and CLOSE_RANGE_CLOEXEC (which keeps fds open) was treated as a full close.
Reclassify close_range to the two_fd_event kind, mapping fd_a/fd_b/extra to
first/last/flags. The runtime now closes only the inclusive [first, last]
range (a negative last from ~0U means unbounded) and skips eviction when
CLOSE_RANGE_CLOEXEC is set or the syscall fails.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
