From 8b64d566300b7e952da63e11cba7575d7b06e7e2 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 30 May 2026 17:16:09 +0300 Subject: test(generate): lock in lseek classification (offset, not byte count) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Audit of lseek(2) confirmed the tracing implementation is already correct: enter is a KindFd fd_event capturing the fd from args[0], the syscall is FamilyFS alongside its read/write/fsync siblings, and the exit is a plain ret_event that stays UNCLASSIFIED. lseek returns the RESULTING file offset (off_t, bytes from the start of the file), which is a file position, NOT a count of bytes transferred — so it must never be READ/WRITE/TRANSFER classified, which would wrongly inflate I/O byte totals. Add lock-in tests pinning that behaviour so a future reclassification trips: - FormatLseek/FormatExitLseek tracepoint fixtures. - TestClassifyFdLseek: enter resolves to KindFd (fd at args[0]). - TestClassifyRetExitLseek: exit is KindRet and ClassifyRet stays UNCLASSIFIED. - lseek entry in TestClassifySyscallPairAccepted (end-to-end pair). - FS-family asserts for sys_enter/exit_lseek in family_test. - Enriched UNCLASSIFIED comment in retclassify_test explaining offset != bytes. No generated-artifact changes (mage generate produces no diff); no in-scope bugs and no out-of-scope follow-ups found. Co-Authored-By: Claude Opus 4.8 --- internal/generate/testdata.go | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) (limited to 'internal/generate/testdata.go')
diff --git a/internal/generate/testdata.go b/internal/generate/testdata.go
index 3a5920f..c2d47ba 100644
--- a/internal/generate/testdata.go
+++ b/internal/generate/testdata.go
@@ -124,6 +124,47 @@ format:
 print fmt: "0x%lx", REC->ret
 `
+// FormatLseek mirrors the real sys_enter_lseek tracepoint
+// (lseek(unsigned int fd, off_t offset, unsigned int whence)). The first
+// field is a generic "fd" of an fd-like type, so ClassifyFormat resolves it
+// to KindFd via classifyByField (fd at args[0]) — exactly like read/write.
+// The off_t offset and whence args are not captured by an fd_event.
+const FormatLseek = `name: sys_enter_lseek
+ID: 853
+format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+
+ field:int __syscall_nr; offset:8; size:4; signed:1;
+ field:unsigned int fd; offset:16; size:8; signed:0;
+ field:off_t offset; offset:24; size:8; signed:0;
+ field:unsigned int whence; offset:32; size:8; signed:0;
+
+print fmt: "fd: 0x%08lx, offset: 0x%08lx, whence: 0x%08lx", ((unsigned long)(REC->fd)), ((unsigned long)(REC->offset)), ((unsigned long)(REC->whence))
+`
+
+// FormatExitLseek mirrors sys_exit_lseek. lseek returns the RESULTING FILE
+// OFFSET (bytes from the start of the file), or -1 on error — a file
+// position, NOT a count of bytes transferred. So its exit is a plain
+// ret_event and stays UNCLASSIFIED; it must never be ReadClassified /
+// WriteClassified / TransferClassified, which would wrongly inflate I/O byte
+// totals.
+const FormatExitLseek = `name: sys_exit_lseek
+ID: 852
+format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+
+ field:int __syscall_nr; offset:8; size:4; signed:1;
+ field:long ret; offset:16; size:8; signed:1;
+
+print fmt: "0x%lx", REC->ret
+`
+
 const FormatClose = `name: sys_enter_close
 ID: 778
 format:
-- cgit v1.2.3
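Review bot: The FormatExitLseek comment gives the error return as "-1 on error", which is the libc wrapper's convention rather than what the sys_exit_lseek tracepoint records; the fixture's signed `ret` field carries the raw kernel return value, which on failure is a negative errno. Since this constant models the tracepoint, I would reword that comment line to `// OFFSET (bytes from the start of the file), or a negative errno on error — a file`. It would also help to state there that a negative `ret` is likewise not a byte count, so later error accounting does not key on `-1`. The tests named in the commit message live in files this page does not show, so the UNCLASSIFIED assertion itself cannot be checked from this hunk.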