| Age | Commit message (Collapse) | Author |
|---|
|
Classification correctness (which family/kind/return-class a syscall maps
to) is verified by inspection against the man pages and the classifier
rules, not by dedicated unit tests. The tracing-relevant outcome — which
fd/path/byte-count the generated BPF C actually captures — is covered by
the GenerateTracepointsC codegen tests and the end-to-end integration
tests, all of which are retained.
Removed:
- internal/generate/family_test.go (ClassifySyscallFamily / .Family table)
- internal/generate/retclassify_test.go (ClassifyRet read/write/transfer/
unclassified tables)
- ~70 pure-classification tests trimmed from classify_test.go, keeping only
the GenerateTracepointsC codegen/tracing tests plus the shared helpers
(mustParseAll, mqFormats, phaseAFormats, syntheticEnter/Exit, itoa) used
by codegen_test.go.
- pure-classification funcs interleaved in codegen_test.go
(TestClassifyRet*Unclassified, TestClassifyTkillFallsThroughToNull,
Test{Mkdirat,Rmdir}FamilyAndKindMatchSiblings).
Kept all TestGenerate* handler tests (they assert the generated BPF C
captures the correct fd/path/arg-index/return classification), the
isNoreturnSyscall tests, docs-drift guards, eventloop dispatch tests, and
the integration suite — so every affected syscall still has tracing
coverage. No tracing gaps discovered.
generate package: go test (incl. -race) green; mage build green.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
listxattrat(2) (Linux 6.13+) returns the size in bytes of the list of
extended attribute names, exactly like listxattr/llistxattr/flistxattr,
but its exit was classified UNCLASSIFIED, so its read bytes were dropped
from I/O totals. Classify it as ReadClassified and regenerate the BPF
handler (ret_type now READ_CLASSIFIED). This mirrors the getxattrat fix
(task ku, commit c3177bd) and completes xattr-family consistency:
get-family and list-family are READ_CLASSIFIED while set-family and
remove-family stay UNCLASSIFIED (they return 0/-1).
Update the docs ReadClassified list and the retclassify expectation, and
add an ioworkload scenario plus integration test: the workload sets a
user xattr then lists names via the raw listxattrat(2) syscall with
AT_FDCWD, and the test asserts enter_listxattrat captures the file path
and accounts the returned name-list size as read bytes.
Task: r20
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
getxattrat(2) (Linux 6.13+) returns the xattr value size in bytes,
exactly like getxattr/lgetxattr/fgetxattr, but its exit was classified
UNCLASSIFIED, so its read bytes were dropped from I/O totals. Classify
it as ReadClassified and regenerate the BPF handler (ret_type now
READ_CLASSIFIED). Path extraction (args[1], after the dirfd) and the
name-not-captured-as-path behaviour were already correct.
Update the docs ReadClassified list and the retclassify expectation,
and add the first xattr integration coverage: an ioworkload scenario
that sets then getxattrat-reads a user xattr on tmpfs, plus a test that
asserts enter_getxattrat captures the file path (not the xattr name)
and accounts the returned value size as read bytes.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of lseek(2) confirmed the tracing implementation is already correct:
enter is a KindFd fd_event capturing the fd from args[0], the syscall is
FamilyFS alongside its read/write/fsync siblings, and the exit is a plain
ret_event that stays UNCLASSIFIED. lseek returns the RESULTING file offset
(off_t, bytes from the start of the file), which is a file position, NOT a
count of bytes transferred — so it must never be READ/WRITE/TRANSFER
classified, which would wrongly inflate I/O byte totals.
Add lock-in tests pinning that behaviour so a future reclassification trips:
- FormatLseek/FormatExitLseek tracepoint fixtures.
- TestClassifyFdLseek: enter resolves to KindFd (fd at args[0]).
- TestClassifyRetExitLseek: exit is KindRet and ClassifyRet stays UNCLASSIFIED.
- lseek entry in TestClassifySyscallPairAccepted (end-to-end pair).
- FS-family asserts for sys_enter/exit_lseek in family_test.
- Enriched UNCLASSIFIED comment in retclassify_test explaining offset != bytes.
No generated-artifact changes (mage generate produces no diff); no in-scope
bugs and no out-of-scope follow-ups found.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
kexec_load(2) and kexec_file_load are documented together on the same
man page and both load a new kernel for later execution by reboot(2).
kexec_file_load was already FamilySecurity, but kexec_load fell through
to FamilyMisc. Move kexec_load to FamilySecurity so the siblings share
a family. Kind classification was already correct: kexec_load takes raw
user pointers (KindNull, no fd/path) while kexec_file_load takes fds
(KindFd); the return value (long 0/-1, no byte count) stays UNCLASSIFIED.
Update docs/syscall-tracing-plan.md to match, regenerate artifacts, and
add lock-in tests for the family and UNCLASSIFIED return of both kexec
syscalls plus reboot.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of bind(2): int bind(int sockfd, const struct sockaddr *addr,
socklen_t addrlen). Verified the existing classification is correct and
consistent with its socket-setup siblings connect/listen/accept/
getsockname/getpeername:
- KindFd, capturing ev->fd = args[0] (the sockfd); the addr pointer and
addrlen are not captured.
- FamilyNetwork.
- Exit is UNCLASSIFIED (returns 0/-1, no transferred byte count).
No implementation or doc changes were needed (docs/syscall-tracing-plan.md
already lists bind under Network and fd; drift test green). Added
regression coverage:
- FormatBind/FormatExitBind fixtures mirroring the real kernel tracepoint.
- TestGenerateBindHandler with negative guards (no probe_read on the
sockaddr, no fd capture from args[1]/args[2], exit stays UNCLASSIFIED).
- bind + connect/listen/getsockname/getpeername added to the
family (FamilyNetwork) and ret-classification (UNCLASSIFIED) lock-in
lists.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
set_tid_address(2) always returns the caller's thread ID and never
fails (no -1, no byte count). Assert its exit stays UNCLASSIFIED in
TestClassifyRetUnclassified alongside its pid/tid-returning Process
siblings setsid/getsid/getpid/getppid, so a stray byte-count
reclassification trips the test.
Audit of yz confirmed the existing classification is correct: KindNull
(single userspace tidptr, no fd/path) and FamilyProcess. The KindNull
case is already covered by TestClassify97NameOnlyKinds; this adds the
previously-missing return-value assertion.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of setpgid(pid_t pid, pid_t pgid): both args are process/process-
group identifiers (kernel tracepoint type pid_t), never an fd or path;
the call returns int 0/-1. Verified it is correctly classified KindNull
(null_event), FamilyProcess, and UNCLASSIFIED ret, and that the Process
and null lists in docs/syscall-tracing-plan.md stay in sync. No
classification change was needed.
Add lock-in tests so a future stray reclassification trips immediately:
- TestClassifySetpgidNullEnter feeds the REAL tracepoint fields (pid_t
pid, pid_t pgid) and asserts KindNull, proving args[0] (pid) is never
mistaken for an fd: isFdType matches only int/unsigned int/unsigned
long (not pid_t) and the fd heuristic also requires field name fd.
- TestClassifyExitSetpgidUnclassifiedRet asserts the exit is KindRet and
ClassifyRet stays UNCLASSIFIED (status code, not a byte count).
- Add setpgid to the retclassify UNCLASSIFIED cluster beside setsid/getsid.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of times(2) (clock_t times(struct tms *buf)) confirmed its
classification is correct and consistent with its time/clock siblings:
- sys_enter_times: KindNull (single userspace output struct tms *buf;
no fd or pathname argument).
- sys_exit_times: ret_event UNCLASSIFIED — times() returns a clock_t
tick count (or (clock_t)-1 on error), which is a tick tally, not a
transferred byte count.
- family: FamilyTime, alongside gettimeofday/clock_gettime, and NOT
FamilyProcess where getrusage lives.
No misclassification was found; docs/syscall-tracing-plan.md already
lists times under the Time family and the null kind. Add lock-in tests
so any stray reclassification trips a unit test:
- family_test.go: assert sys_enter/exit_times == FamilyTime.
- retclassify_test.go: assert sys_exit_times stays UNCLASSIFIED.
KindNull is already covered by TestClassifyM7NameOnlyKinds.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of migrate_pages(2) confirmed its tracing classification matches
the man page and its NUMA siblings:
- KindNull (null_event): args are pid (a pid, NOT an fd), maxnode, and
two userspace bitmask pointers; the BPF handler emits a null_event and
never reads args[0] as an fd.
- FamilyMemory: consistent with set_mempolicy/mbind/move_pages/
set_mempolicy_home_node (the lone get_mempolicy->Security inconsistency
is tracked separately and out of scope here).
- exit UNCLASSIFIED (ret_event): the return is the count of pages that
could NOT be moved (>=0) or -1, a page tally rather than a transferred
byte count.
Add explicit lock-in assertions for migrate_pages and its sibling
move_pages to TestClassifyRetUnclassified so a future stray
read/write/transfer reclassification trips the test.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
setsid(2) takes no arguments and returns the new session ID (a pid_t)
on success or (pid_t)-1 on error. Audit confirms it is correctly
classified as KindNull (null_event enter handler, captures nothing),
FamilyProcess (alongside its session/process-group siblings
getsid/setpgid/getpgid/getpgrp and the pid-returning getpid/getppid),
and its exit ret_type stays UNCLASSIFIED so the session-id return is
never mistaken for a transferred byte count.
No codegen or doc changes were required (mage generate yields no diff).
Add lock-in assertions so a stray reclassification trips a test:
- family_test.go: setsid + session/pgrp/pid siblings -> FamilyProcess
- retclassify_test.go: setsid + pid-returning siblings -> Unclassified
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of syncfs(2) confirmed the existing tracing is correct: single fd
arg (fd=args[0], KindFd), FamilyFS like its fsync/fdatasync/
sync_file_range siblings, and an int 0/-1 return that stays Unclassified
(plain ret_event). No code or generated artifacts changed.
Add lock-in tests so a stray reclassification trips CI:
- TestClassifySyncFamilyFdSyscallsByName: enter -> KindFd for the
fsync/fdatasync/syncfs/sync_file_range group.
- TestClassifyExitSyncfs: exit -> KindRet.
- sync-family FamilyFS assertions in TestClassifySyncallFamily.
- syncfs added to the ret-UNCLASSIFIED list.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the set_mempolicy_home_node(2) NUMA syscall (task mz) confirmed
it is correctly classified: KindNull (name-only, ior does not capture the
addr/len range), FamilyMemory (matching its siblings set_mempolicy, mbind,
migrate_pages, move_pages and docs/syscall-tracing-plan.md), and an
Unclassified return (0/-1 with no byte count).
Add lock-in tests so the classification cannot silently drift:
- family_test.go asserts FamilyMemory for set_mempolicy_home_node and its
NUMA siblings, with a note that get_mempolicy is the lone sibling still
on FamilySecurity (tracked separately, out of scope here).
- retclassify_test.go asserts the exit stays UNCLASSIFIED.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the rseq(2) syscall confirmed the existing classification is
correct and consistent with its siblings:
- KindNull: the rseq argument is a userspace struct pointer (not an fd or
filesystem path), and args[2] flags are intentionally not captured, in
line with the KindNull convention shared with set_robust_list and
membarrier. (Already covered by classify_test.go.)
- FamilyMisc: rseq is not in the explicit family table and falls through
to Misc, grouped with its closest per-thread sibling
set_robust_list/get_robust_list (also Misc).
- Return value is int 0/-1 with no byte count, so its exit stays
UNCLASSIFIED.
Add lock-in tests for the family and return-value classification (kind
was already covered) so a future drift in either is caught.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of gettimeofday(2) confirmed the existing implementation is
correct: it is classified KindNull (userspace timeval/timezone pointer
args, not fd/path) and FamilyTime alongside its clock_gettime/
settimeofday/time siblings; its exit emits a plain ret_event carrying
the int 0/-1 return as UNCLASSIFIED. mage generate produces no diff.
Add lock-in tests mirroring prior syscall audits:
- family_test.go asserts sys_enter/exit_gettimeofday => FamilyTime
- retclassify_test.go asserts gettimeofday exit stays UNCLASSIFIED
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
|
|
|
|
|
|
|
|
|
|
Amp-Thread-ID: https://ampcode.com/threads/T-019c7f4e-cc5f-76f1-aaf0-dd7cbaabbb18
Co-authored-by: Amp <amp@ampcode.com>
|
