| Age | Commit message | Author |
|
Classification correctness (which family/kind/return-class a syscall maps
to) is verified by inspection against the man pages and the classifier
rules, not by dedicated unit tests. The tracing-relevant outcome — which
fd/path/byte-count the generated BPF C actually captures — is covered by
the GenerateTracepointsC codegen tests and the end-to-end integration
tests, all of which are retained.
Removed:
- internal/generate/family_test.go (ClassifySyscallFamily / .Family table)
- internal/generate/retclassify_test.go (ClassifyRet read/write/transfer/
unclassified tables)
- ~70 pure-classification tests trimmed from classify_test.go, keeping only
the GenerateTracepointsC codegen/tracing tests plus the shared helpers
(mustParseAll, mqFormats, phaseAFormats, syntheticEnter/Exit, itoa) used
by codegen_test.go.
- pure-classification funcs interleaved in codegen_test.go
(TestClassifyRet*Unclassified, TestClassifyTkillFallsThroughToNull,
Test{Mkdirat,Rmdir}FamilyAndKindMatchSiblings).
Kept all TestGenerate* handler tests (they assert the generated BPF C
captures the correct fd/path/arg-index/return classification), the
isNoreturnSyscall tests, docs-drift guards, eventloop dispatch tests, and
the integration suite — so every affected syscall still has tracing
coverage. No tracing gaps discovered.
generate package: go test (incl. -race) green; mage build green.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the arch_prctl(2) syscall found the tracing implementation
already correct and consistent with the man page:
- enter classifies as KindNull (op/addr never captured as fd/path)
- exit is a ret_event with UNCLASSIFIED ret_type (int 0/-1 status)
- family is Process (deliberately, unlike its x86 siblings
ioperm/iopl/modify_ldt which are Misc), in sync with the docs and
the tracepoints drift tests
Add dedicated lock-in tests mirroring the prior iopl audit, using the
real kernel tracepoint fields (option/arg2 on enter, ret on exit) so
the heuristics are proven safe even without the name-only mapping.
Also add explicit FamilyProcess assertions for arch_prctl and
personality to guard against drift toward Misc.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of setsockopt(2) found the tracing implementation already correct:
sockfd captured at ctx->args[0] (KindFd), exit ret_event UNCLASSIFIED, and
FamilyNetwork — matching the man page and the bind/connect/getsockname/
getpeername/getsockopt siblings, with generated C/Go and docs all consistent.
Add lock-in tests mirroring prior per-syscall audits:
- TestClassifySetsockoptEnterFd: enter is KindFd with no pathname capture,
asserted against the real sockfd/level/optname/optval/optlen fields.
- TestClassifyExitSetsockoptUnclassifiedRet: exit is KindRet + UNCLASSIFIED
(0/-1 status, not a byte count).
- TestClassifyExitGetsockoptUnclassifiedRet: same for the read-side sibling.
- TestClassifySyscallFamily: pin setsockopt (enter+exit) and getsockopt to
FamilyNetwork.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of lseek(2) confirmed the tracing implementation is already correct:
enter is a KindFd fd_event capturing the fd from args[0], the syscall is
FamilyFS alongside its read/write/fsync siblings, and the exit is a plain
ret_event that stays UNCLASSIFIED. lseek returns the RESULTING file offset
(off_t, bytes from the start of the file), which is a file position, NOT a
count of bytes transferred — so it must never be READ/WRITE/TRANSFER
classified, which would wrongly inflate I/O byte totals.
Add lock-in tests pinning that behaviour so a future reclassification trips:
- FormatLseek/FormatExitLseek tracepoint fixtures.
- TestClassifyFdLseek: enter resolves to KindFd (fd at args[0]).
- TestClassifyRetExitLseek: exit is KindRet and ClassifyRet stays UNCLASSIFIED.
- lseek entry in TestClassifySyscallPairAccepted (end-to-end pair).
- FS-family asserts for sys_enter/exit_lseek in family_test.
- Enriched UNCLASSIFIED comment in retclassify_test explaining offset != bytes.
No generated-artifact changes (mage generate produces no diff); no in-scope
bugs and no out-of-scope follow-ups found.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
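Why the lseek exit has to stay UNCLASSIFIED, as an added Go example (not code from this repository): a byte-accounting pass over constructed exit events, run once with a table that leaves lseek unclassified and once with a table that tags it READ. The names `RetType`, `ExitEvent`, `Totals`, `classifyRet`, `ioBytes` and both tables are hypothetical, and the sample events are constructed.

```go
package main

import "fmt"

// RetType mirrors the return classes named in the commit messages.
type RetType int

const (
	Unclassified RetType = iota
	Read
	Write
	Transfer
)

// ExitEvent is a constructed stand-in for one sys_exit record.
type ExitEvent struct {
	Syscall string
	Ret     int64 // raw return value; negative means -errno
}

// Totals is what a per-process I/O report would show.
type Totals struct {
	Read, Write, Transfer int64
	Ignored               int // status codes, ids, offsets, errors
}

// correctTable lists only syscalls whose return value is a byte count
// (hypothetical table, a small subset for illustration).
func correctTable() map[string]RetType {
	return map[string]RetType{
		"read": Read, "pread64": Read,
		"write": Write, "pwrite64": Write,
		"sendfile64": Transfer,
	}
}

// brokenTable models the regression the lock-in tests guard against.
func brokenTable() map[string]RetType {
	t := correctTable()
	t["lseek"] = Read
	return t
}

// classifyRet falls through to Unclassified for anything not listed.
func classifyRet(table map[string]RetType, name string) RetType {
	if rt, ok := table[name]; ok {
		return rt
	}
	return Unclassified
}

// ioBytes sums return values into byte totals according to the table.
func ioBytes(table map[string]RetType, events []ExitEvent) Totals {
	var t Totals
	for _, ev := range events {
		rt := classifyRet(table, ev.Syscall)
		if ev.Ret < 0 || rt == Unclassified {
			t.Ignored++
			continue
		}
		switch rt {
		case Read:
			t.Read += ev.Ret
		case Write:
			t.Write += ev.Ret
		case Transfer:
			t.Transfer += ev.Ret
		}
	}
	return t
}

// sampleEvents is constructed: two 4 KiB reads around a seek to 1 GiB.
func sampleEvents() []ExitEvent {
	return []ExitEvent{
		{"read", 4096}, {"lseek", 1 << 30}, {"read", 4096},
		{"write", 512}, {"fallocate", 0}, {"read", -11},
	}
}

func main() {
	fmt.Printf("correct: %+v\n", ioBytes(correctTable(), sampleEvents()))
	fmt.Printf("broken:  %+v\n", ioBytes(brokenTable(), sampleEvents()))
}
```

With the broken table a single seek to the 1 GiB mark adds 1 GiB to the read total even though only 8 KiB was read.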
|
kexec_load(2) and kexec_file_load are documented together on the same
man page and both load a new kernel for later execution by reboot(2).
kexec_file_load was already FamilySecurity, but kexec_load fell through
to FamilyMisc. Move kexec_load to FamilySecurity so the siblings share
a family. Kind classification was already correct: kexec_load takes raw
user pointers (KindNull, no fd/path) while kexec_file_load takes fds
(KindFd); the return value (long 0/-1, no byte count) stays UNCLASSIFIED.
Update docs/syscall-tracing-plan.md to match, regenerate artifacts, and
add lock-in tests for the family and UNCLASSIFIED return of both kexec
syscalls plus reboot.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of gettid(2) ('pid_t gettid(void)', no args, always succeeds) found
the classification correct and consistent with its no-arg id-returning
siblings getpid/getppid/getuid/getgid (FamilyProcess, KindNull enter,
ret_event UNCLASSIFIED exit), and mage generate produces no diff. However
gettid lacked dedicated lock-in coverage and was missing entirely from the
family_test.go Process table despite its siblings being asserted there.
Add TestClassifyGettidNullEnter and TestClassifyExitGettidUnclassifiedRet
(mirroring the getgid pattern: enter null_event capturing nothing, exit ret
classified UNCLASSIFIED so the returned tid is never mistaken for a byte
count) plus gettid enter+exit FamilyProcess assertions in family_test.go.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of bind(2): int bind(int sockfd, const struct sockaddr *addr,
socklen_t addrlen). Verified the existing classification is correct and
consistent with its socket-setup siblings connect/listen/accept/
getsockname/getpeername:
- KindFd, capturing ev->fd = args[0] (the sockfd); the addr pointer and
addrlen are not captured.
- FamilyNetwork.
- Exit is UNCLASSIFIED (returns 0/-1, no transferred byte count).
No implementation or doc changes were needed (docs/syscall-tracing-plan.md
already lists bind under Network and fd; drift test green). Added
regression coverage:
- FormatBind/FormatExitBind fixtures mirroring the real kernel tracepoint.
- TestGenerateBindHandler with negative guards (no probe_read on the
sockaddr, no fd capture from args[1]/args[2], exit stays UNCLASSIFIED).
- bind + connect/listen/getsockname/getpeername added to the
family (FamilyNetwork) and ret-classification (UNCLASSIFIED) lock-in
lists.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Resolve the family-split question for set_tid_address vs its per-thread
registration siblings rseq/set_robust_list/get_robust_list (Misc).
DECISION: keep set_tid_address in FamilyProcess. The 520 registration-vs-
operation rule governs the IPC-vs-Misc boundary (does the syscall perform the
futex/sync op?), not Process-vs-Misc. set_tid_address registers
clear_child_tid, the kernel's primary thread-EXIT notification mechanism
(zeroed + FUTEX_WAKEd at teardown), set by the C runtime for essentially every
thread via clone(2) CLONE_CHILD_CLEARTID, and returns the caller's tid like
gettid/getpid -- mandatory thread-lifecycle plumbing belonging with
clone/fork/exit/gettid. rseq (scheduling optimization) and robust_list (opt-in
futex cleanup) are OPTIONAL per-thread features and stay Misc.
- family.go: add Process-vs-Misc boundary-rule block (mandatory-thread-
lifecycle vs optional-opt-in-feature axis) next to set_tid_address.
- family_test.go: lock in set_tid_address enter+exit as Process with a WHY
comment contrasting it against the rseq/robust_list Misc cluster.
No generated-artifact or docs drift: classification unchanged (Process list in
docs/syscall-tracing-plan.md already correct); mage generate is idempotent.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of tkill(2) (task 310) confirmed correct tracing: tkill(tid, sig)
is FamilySignals, kind=null, ret UNCLASSIFIED, matching its siblings
kill/tgkill/rt_sig*. tkill/tgkill are intentionally absent from the
name-only kind table; ClassifyFormat returns KindNone for them (the
pid_t tid is not matched by the fd rule, so the thread id is never
misread as a file descriptor) and classifyEnterForGeneration promotes
that to KindNull at generation time.
This was untested, so add lock-in coverage closing the gap:
- TestGenerateTkillHandler: enter emits null_event, captures no arg
(tid is not an fd), exit reports raw status as UNCLASSIFIED.
- TestClassifyTkillFallsThroughToNull: pins ClassifyFormat=KindNone and
the KindNull generation fallback, so a future fd-rule regression fails.
- TestClassifyRetTkillUnclassified: 0/-1 status is not a byte count.
- Extend TestClassifySyscallFamily with kill/tkill/tgkill (enter+exit)
so a stray reclassification out of FamilySignals trips the test.
No generated output or runtime behavior changed (mage generate clean).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Resolve the get_robust_list/set_robust_list classification decision: keep
both as FamilyMisc rather than promoting them to FamilyIPC alongside the
recently-moved futex_* syscalls.
Rule (now documented in family.go next to the futex IPC block): a syscall
is IPC only if it PERFORMS the actual IPC/sync operation (futex
wait/wake/requeue on the futex word, or an op on an IPC object). Per-thread
registration/bookkeeping that merely hands the kernel a pointer it consults
later -- rseq and get_robust_list/set_robust_list -- stays Misc. man 2
get_robust_list confirms the robust futex list is 'managed in user space:
the kernel knows only about the location of the head'; these syscalls
register/query that per-thread head pointer and never wait/wake or touch
shared memory, structurally identical to rseq. The split axis is
operation-vs-registration, not name similarity.
No classification change, so mage generate is a no-op (generated artifacts
and docs/syscall-tracing-plan.md unchanged). Strengthened the rseq/
robust_list comments in family_test.go and the TestClassifyGetRobustListPidNotFd
lock-in comment in classify_test.go to cite the rule and mark the decision
resolved.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
classify.go has KindNull entries for sys_enter_seteuid/sys_enter_setegid,
but family.go's FamilyProcess credential cluster omitted them, so
ClassifySyscallFamily returned Misc — inconsistent with their siblings
setuid/setgid/setresuid/setreuid/setfsuid. Add seteuid/setegid to the
FamilyProcess group with a comment noting they are latent: current kernels
expose no dedicated seteuid/setegid tracepoints (glibc wraps them over
setreuid/setresuid), so they never reach the generated tracepoint map or
docs/syscall-tracing-plan.md. mage generate confirmed idempotent with no
diff, so docs/drift test are untouched. Lock-in unit tests assert Process
for seteuid/setegid (enter+exit) by name directly, since no tracepoint exists.
Refs task 620.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
get_mempolicy(2) retrieves the NUMA memory policy for a thread or
address range and is logically a Memory-family syscall, sharing
FamilyMemory with its NUMA siblings set_mempolicy, set_mempolicy_home_node,
mbind, migrate_pages, and move_pages. It was misclassified FamilySecurity
(a copy/paste/alphabetical-ordering slip alongside the security modules).
Move it to the Memory group in internal/generate/family.go, update the
Memory and Security lists in docs/syscall-tracing-plan.md (keeps the
docs_drift_test green), and regenerate artifacts (traceId2Family 735/734
and syscallFamilies[get_mempolicy] flip Security->Memory; C unchanged,
mage generate idempotent). Add enter+exit family lock-in assertions for
get_mempolicy and set_mempolicy alongside the NUMA siblings so the whole
cluster is pinned.
Task 120.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of times(2) (clock_t times(struct tms *buf)) confirmed its
classification is correct and consistent with its time/clock siblings:
- sys_enter_times: KindNull (single userspace output struct tms *buf;
no fd or pathname argument).
- sys_exit_times: ret_event UNCLASSIFIED — times() returns a clock_t
tick count (or (clock_t)-1 on error), which is a tick tally, not a
transferred byte count.
- family: FamilyTime, alongside gettimeofday/clock_gettime, and NOT
FamilyProcess where getrusage lives.
No misclassification was found; docs/syscall-tracing-plan.md already
lists times under the Time family and the null kind. Add lock-in tests
so any stray reclassification trips a unit test:
- family_test.go: assert sys_enter/exit_times == FamilyTime.
- retclassify_test.go: assert sys_exit_times stays UNCLASSIFIED.
KindNull is already covered by TestClassifyM7NameOnlyKinds.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of setuid(2) confirmed correct tracing classification:
- KindNull (single uid_t arg, never an fd or path)
- FamilyProcess (credential-setting, consistent with siblings)
- Unclassified exit ret (int 0/-1 status, not a byte count)
Add lock-in tests asserting the setuid enter (KindNull, no pathname
capture) and exit (KindRet, UNCLASSIFIED) classification, plus a
family assertion covering the credential-setting cluster
(setuid/setresuid/setreuid/setfsuid, the gid analogues, and the
getuid/geteuid/... readers).
Discovered out of scope: family.go omits seteuid/setegid from the
FamilyProcess list (they fall through to Misc), unlike their siblings.
These have no dedicated kernel tracepoints today, so it is latent;
tracked as follow-up task 620.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of access(2) found the tracing implementation already correct:
FS family, KindPathname capturing the real path, and an UNCLASSIFIED
int 0/-1 ret_event on exit. access(2) captures its path from args[0]
(no dirfd), while siblings faccessat(2)/faccessat2(2) capture from
args[1] (dfd precedes the path). mage generate produces no diff and the
docs/integration coverage already match.
Add unit lock-in tests mirroring prior syscall audits:
- FormatAccess/FormatFaccessat tracepoint fixtures (real kernel formats).
- classify tests asserting both classify as KindPathname/"filename".
- family_test cluster asserting access/faccessat/faccessat2 stay FamilyFS.
- codegen test proving access reads ctx->args[0] while faccessat reads
ctx->args[1], guarding against a wrong-arg or dropped-path regression.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of ioprio_set found a family inconsistency. ioprio_set(which, who,
ioprio) and ioprio_get(which, who) query/set the I/O scheduling class and
priority of a process, process group, or user. They are the direct
I/O-priority analogues of getpriority/setpriority (the CPU nice value) and
share the identical which/who selector signature, yet were falling through to
FamilyMisc while getpriority/setpriority are FamilyProcess.
Reclassify both ioprio syscalls to FamilyProcess for consistency with their
priority siblings, update docs/syscall-tracing-plan.md, and regenerate the
tracepoint/type artifacts (mage generate is idempotent).
Argument capture is unchanged and confirmed correct: the args are all ints
(which/who/ioprio), none named fd/path, so ClassifyFormat returns KindNone and
the generator promotes the enter format to KindNull (null_event). In
particular the 'who' argument (a pid/pgid/uid, never an fd) is not
misclassified as KindFd. The exit is a ret_event (UNCLASSIFIED, int 0/-1).
Add lock-in tests:
- TestClassifyIoprioNullKind asserts KindNone/KindNull using the real kernel
tracepoint fields, proving 'who' is not captured as an fd.
- Family assertions for the ioprio pair alongside getpriority/setpriority so a
stray reclassification of any of them trips the test.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of fallocate(2) found the tracing correct and consistent with its
fd-based siblings, so add lock-in tests rather than fixing anything:
- fallocate(int fd, int mode, off_t offset, off_t len) returns int 0/-1
(a status code, NOT a transferred byte count). Its exit must stay a
plain ret_event with ret_type UNCLASSIFIED so it is never mistaken for
a READ/WRITE/TRANSFER byte count.
- The enter tracepoint carries a leading fd field (args[0]); only fd is
captured into a fd_event (KindFd), matching fadvise64/ftruncate/
sync_file_range which likewise drop their trailing offset/len/advice
args.
- fallocate belongs to FamilyFS alongside fadvise64/ftruncate/
sync_file_range.
TestClassifyFallocateEnterFd and TestClassifyExitFallocateUnclassifiedRet
assert the per-syscall behavior; TestClassifySyscallFamily now also
covers fallocate/fadvise64/ftruncate so a stray reclassification trips a
test. No classification logic or generated artifacts changed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
setsid(2) takes no arguments and returns the new session ID (a pid_t)
on success or (pid_t)-1 on error. Audit confirms it is correctly
classified as KindNull (null_event enter handler, captures nothing),
FamilyProcess (alongside its session/process-group siblings
getsid/setpgid/getpgid/getpgrp and the pid-returning getpid/getppid),
and its exit ret_type stays UNCLASSIFIED so the session-id return is
never mistaken for a transferred byte count.
No codegen or doc changes were required (mage generate yields no diff).
Add lock-in assertions so a stray reclassification trips a test:
- family_test.go: setsid + session/pgrp/pid siblings -> FamilyProcess
- retclassify_test.go: setsid + pid-returning siblings -> Unclassified
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of syncfs(2) confirmed the existing tracing is correct: single fd
arg (fd=args[0], KindFd), FamilyFS like its fsync/fdatasync/
sync_file_range siblings, and an int 0/-1 return that stays Unclassified
(plain ret_event). No code or generated artifacts changed.
Add lock-in tests so a stray reclassification trips CI:
- TestClassifySyncFamilyFdSyscallsByName: enter -> KindFd for the
fsync/fdatasync/syncfs/sync_file_range group.
- TestClassifyExitSyncfs: exit -> KindRet.
- sync-family FamilyFS assertions in TestClassifySyscallFamily.
- syncfs added to the ret-UNCLASSIFIED list.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of sysinfo(2): int sysinfo(struct sysinfo *info) returns overall
system statistics into a single userspace output pointer (not an fd or
path) and returns 0/-1. The existing classification was already correct
(KindNull, FamilyMisc, UNCLASSIFIED return) and docs/generated artifacts
are consistent; no behavior change was needed.
Add dedicated lock-in regression tests mirroring the rt_sigpending audit:
- TestGenerateSysinfoHandler: enter emits a null_event and captures no
args; exit emits a ret_event with ctx->ret tagged UNCLASSIFIED.
- TestClassifyRetSysinfoUnclassified: the 0/-1 status is never a byte
count.
- family_test.go: assert sysinfo/newuname/sysfs stay in FamilyMisc, with
a note that ustat is FamilyFS (matched by the 'stat' name marker) and
is intentionally not grouped here.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
utime(2) and utimes(2) change a file's access/modification times by a real
filesystem path (filename at args[0]). The path was already captured
(KindPathname), but both syscalls fell through to FamilyMisc instead of
joining their siblings utimensat/futimesat in FamilyFS. Add them to
fsSyscalls and regenerate; the only generated change is trace IDs
1034-1037 flipping FamilyMisc -> FamilyFS.
Lock-in coverage:
- family_test.go asserts utime/utimes/utimensat/futimesat are all FamilyFS.
- classify_test.go + FormatUtime fixture assert utime is KindPathname with
PathnameField "filename" (path captured even though it is a char* string,
unlike domain/host name args).
- New ioworkload scenarios utime-basic/utimes/enoent and integration tests
TestUtimeBasic/Utimes/Enoent verify the path is captured at runtime,
including on the ENOENT error path.
Docs updated: moved utime/utimes from Misc to FS in
docs/syscall-tracing-plan.md to keep the drift tests green.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of rt_sigpending(2) confirmed the existing classification is correct
and added lock-in coverage:
- KindNull: int rt_sigpending(sigset_t *set, size_t sigsetsize). args[0] is
a userspace output pointer to a sigset_t (a signal mask, not a traced I/O
resource) and args[1] is the byte size; neither is an fd or path. The enter
handler emits a null_event and must not capture either arg. Added
TestGenerateRtSigpendingHandler with a negative assertion guarding against
any ctx->args[] capture in the enter handler.
- Exit ret_type=UNCLASSIFIED: rt_sigpending returns 0/-1, a status code, not
a byte count, so it must never be tagged READ/WRITE/TRANSFER. Added an exit
handler assertion plus TestClassifyRetRtSigpendingUnclassified.
- FamilySignals: shares the family with the whole rt_sig* group plus
kill/pause/sigaltstack/tkill/tgkill. Added lock-in family cases asserting
every rt_sig* sibling alongside rt_sigpending in TestClassifySyscallFamily.
No classification/codegen/doc changes were required; mage generate produces
no diff. Full ./internal/... passes (only the known pre-existing flake
TestCleanupLeakedWorkloadTempDirCaughtByAssertion fails, unrelated).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the set_mempolicy_home_node(2) NUMA syscall (task mz) confirmed
it is correctly classified: KindNull (name-only, ior does not capture the
addr/len range), FamilyMemory (matching its siblings set_mempolicy, mbind,
migrate_pages, move_pages and docs/syscall-tracing-plan.md), and an
Unclassified return (0/-1 with no byte count).
Add lock-in tests so the classification cannot silently drift:
- family_test.go asserts FamilyMemory for set_mempolicy_home_node and its
NUMA siblings, with a note that get_mempolicy is the lone sibling still
on FamilySecurity (tracked separately, out of scope here).
- retclassify_test.go asserts the exit stays UNCLASSIFIED.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of process_madvise(2) confirmed the existing classification is correct
and added lock-in coverage:
- KindFd with fd=args[0]: the first arg is a pidfd (a PID file descriptor
selecting the target process), not an address, so it must NOT be treated
like madvise(2) (KindMem, addr=args[0]). Extended the enter-handler test
with a negative assertion guarding against the KindMem addr wiring.
- Exit ret_type=UNCLASSIFIED: process_madvise returns the number of bytes
advised, but that is advisory accounting, not real I/O data movement, so it
stays UNCLASSIFIED like madvise(2). Added an exit-handler assertion plus
TestClassifyRetProcessMadviseUnclassified.
- FamilyMemory: shares the family with madvise/process_mrelease/process_vm_*
siblings rather than FamilyIPC (pidfd_* lifecycle). Added family lock-in
cases in family_test.go.
No classification/codegen changes were required; mage generate produces no
diff. Full ./internal/... passes.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the rseq(2) syscall confirmed the existing classification is
correct and consistent with its siblings:
- KindNull: the rseq argument is a userspace struct pointer (not an fd or
filesystem path), and args[2] flags are intentionally not captured, in
line with the KindNull convention shared with set_robust_list and
membarrier. (Already covered by classify_test.go.)
- FamilyMisc: rseq is not in the explicit family table and falls through
to Misc, grouped with its closest per-thread sibling
set_robust_list/get_robust_list (also Misc).
- Return value is int 0/-1 with no byte count, so its exit stays
UNCLASSIFIED.
Add lock-in tests for the family and return-value classification (kind
was already covered) so a future drift in either is caught.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of gettimeofday(2) confirmed the existing implementation is
correct: it is classified KindNull (userspace timeval/timezone pointer
args, not fd/path) and FamilyTime alongside its clock_gettime/
settimeofday/time siblings; its exit emits a plain ret_event carrying
the int 0/-1 return as UNCLASSIFIED. mage generate produces no diff.
Add lock-in tests mirroring prior syscall audits:
- family_test.go asserts sys_enter/exit_gettimeofday => FamilyTime
- retclassify_test.go asserts gettimeofday exit stays UNCLASSIFIED
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of futex_wake found that the futex family syscalls (futex,
futex_wait, futex_wake, futex_requeue, futex_waitv) were absent from the
syscallFamilies map and fell through to FamilyMisc. Per futex(2) ("fast
user-space locking"), these are shared-memory synchronization/IPC
primitives, conceptually identical to the System V semaphores
(semop/semget) already tagged FamilyIPC. Group them under IPC so
per-family aggregation/reporting bins them with the other synchronization
primitives.
Argument and return-value handling were already correct: futex_wake's
first arg (uaddr) is a userspace pointer, captured via KindFutex
(null_event), and the exit ret_event records the woken-waiter count
(>=0) or -1 on error.
Add lock-in unit tests in family_test.go and regenerate the C/Go
artifacts (generated_tracepoints.go, generated_types.go).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of ioperm(2) confirmed the syscall is traced correctly: classified
as KindNull (name-only enter, no arg decoding) with the exit handler
capturing the raw int return value, matching the man-page semantics
(int ioperm(unsigned long from, unsigned long num, int turn_on) -> 0/-1).
ioperm and its x86 port/CPU-state siblings (iopl, modify_ldt) are not in
the explicit family table and intentionally fall through to Misc. Add
explicit family-classification assertions so a future regression that
accidentally remaps them is caught. No implementation change was needed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|