From 5210f20b16a224f58117ffb71b2a0691c02a50ed Mon Sep 17 00:00:00 2001
From: Paul Buetow <paul@buetow.org>
Date: Sat, 30 May 2026 16:31:26 +0300
Subject: test(signalfd4): lock in args[3] flags index for eventfd handler

Audit of signalfd4(2) confirmed the tracing is correct: classified as
KindEventfd in FamilyIPC like its fd-creating siblings (eventfd2,
timerfd_create, inotify_init1, signalfd), flags captured from args[3]
per signalfd4(ufd, mask, sizemask, flags), and the return value left
Unclassified (it is an fd, not a byte count).

Add testdata fixtures FormatSignalfd4/FormatExitSignalfd4 (real Linux 7.0
tracepoint data) and a codegen lock-in test asserting the generated
handler reads flags from args[3], with negative guards against args[0]
(ufd), args[1] (mask pointer) and args[2] (sizemask).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 internal/generate/testdata.go | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

(limited to 'internal/generate/testdata.go')

diff --git a/internal/generate/testdata.go b/internal/generate/testdata.go
index 5b38cfd..6555fc7 100644
--- a/internal/generate/testdata.go
+++ b/internal/generate/testdata.go
@@ -2053,6 +2053,43 @@ format:
 print fmt: "0x%lx", REC->ret
 `
 
+// FormatSignalfd4 is real sysfs data for signalfd4(2) captured from a Linux 7.0
+// kernel. The raw syscall is signalfd4(int ufd, const sigset_t *mask, size_t
+// sizemask, int flags): ufd at args[0], user_mask at args[1], sizemask at
+// args[2], and crucially the flags (SFD_NONBLOCK/SFD_CLOEXEC) at args[3]. ior
+// classifies it as KindEventfd (an fd-creating IPC syscall), so the generator
+// must capture flags from args[3], never any earlier index.
+const FormatSignalfd4 = `name: sys_enter_signalfd4
+ID: 1087
+format:
+	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
+	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
+	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
+	field:int common_pid;	offset:4;	size:4;	signed:1;
+
+	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
+	field:int ufd;	offset:16;	size:8;	signed:0;
+	field:sigset_t * user_mask;	offset:24;	size:8;	signed:0;
+	field:size_t sizemask;	offset:32;	size:8;	signed:0;
+	field:int flags;	offset:40;	size:8;	signed:0;
+
+print fmt: "ufd: 0x%08lx, user_mask: 0x%08lx, sizemask: 0x%08lx, flags: 0x%08lx", ((unsigned long)(REC->ufd)), ((unsigned long)(REC->user_mask)), ((unsigned long)(REC->sizemask)), ((unsigned long)(REC->flags))
+`
+
+const FormatExitSignalfd4 = `name: sys_exit_signalfd4
+ID: 1086
+format:
+	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
+	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
+	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
+	field:int common_pid;	offset:4;	size:4;	signed:1;
+
+	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
+	field:long ret;	offset:16;	size:8;	signed:1;
+
+print fmt: "0x%lx", REC->ret
+`
+
 // FormatMkdirat is real sysfs data for mkdirat(2): the pathname argument sits
 // at args[1], AFTER the dirfd at args[0]. Captured from a Linux 7.0 kernel,
 // which also exposes the __data_loc __pathname_val trailing field. The
-- 
cgit v1.2.3