fix(modern_bpf): skip syscall -1 #2938

Merged
poiana merged 1 commit into falcosecurity:master from gnosek:fix-socketcall-modern-bpf
Apr 7, 2026

@gnosek gnosek commented Apr 7, 2026

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind test

/kind feature

/kind sync

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-modern-bpf

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

syscall id -1 means the system call was interrupted or cancelled (e.g. by ptrace or a signal) and is not processed normally.

Unfortunately, we also picked -1 as the "syscall does not exist" value for socketcall on architectures that do not support it. This means that syscalls interrupted by signals were actually treated as socketcall and dispatched based on whatever happened to be in the registers.

This led to tons of bogus SOCKET_X (mostly, but not only) events being reported, filling the fd table with fds that would never get cleaned up (they never really existed so nobody closed them).

Combined with copying the fd table on creating a new process, this led to fd table size explosion (thousands of bogus fds copied to all children).

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

syscall id -1 means the system call was interrupted or cancelled
(e.g. by ptrace or a signal) and is not processed normally.

Unfortunately, we also picked -1 as the "syscall does not exist"
value for socketcall on architectures that do not support it.
This means that syscalls interrupted by signals were actually
treated as socketcall and dispatched based on whatever happened
to be in the registers.

This led to tons of bogus SOCKET_X (mostly, but not only) events
being reported, filling the fd table with fds that would never
get cleaned up (they never really existed so nobody closed them).

Combined with copying the fd table on creating a new process,
this led to fd table size explosion (thousands of bogus fds
copied to all children).

Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
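
A small C model of the sentinel collision described in this PR, added here as an illustration; it is not code from falcosecurity/libs. The macro, struct and function names and the trace are constructed, and the sketch assumes the dispatcher compares the syscall id against a socketcall number defined as -1 on an architecture without socketcall.

```c
#include <stdio.h>
/* Hypothetical names throughout: a constructed model, not falcosecurity/libs code. */
#define NR_SOCKETCALL (-1L) /* assumed sentinel: "this arch has no socketcall" */

enum ev { EV_SKIPPED, EV_GENERIC, EV_SOCKET, EV_CONNECT };
struct regs { long id; long arg0; };

/* Decode a socketcall sub-call number taken from the first argument register. */
static enum ev decode_socketcall(long call) {
    switch (call) {
    case 1: return EV_SOCKET;  /* SYS_SOCKET in linux/net.h */
    case 3: return EV_CONNECT; /* SYS_CONNECT in linux/net.h */
    default: return EV_GENERIC;
    }
}

/* Before: an interrupted syscall (id -1) compares equal to the sentinel. */
static enum ev dispatch_before(const struct regs *r) {
    if (r->id == NR_SOCKETCALL)
        return decode_socketcall(r->arg0); /* arg0 is leftover register content */
    return EV_GENERIC;
}

/* After: id -1 is dropped before any socketcall comparison happens. */
static enum ev dispatch_after(const struct regs *r) {
    if (r->id == -1L)
        return EV_SKIPPED;
    return dispatch_before(r);
}

/* Count events that would insert a socket fd into the tracked fd table. */
static int count_socket_events(enum ev (*dispatch)(const struct regs *),
                               const struct regs *trace, int n) {
    int count = 0;
    for (int i = 0; i < n; i++)
        if (dispatch(&trace[i]) == EV_SOCKET)
            count++;
    return count;
}

/* Constructed trace: ids 0 and 1 are ordinary, the three -1 entries were interrupted. */
static const struct regs TRACE[] = { {0, 5}, {-1, 1}, {1, 1}, {-1, 1}, {-1, 3} };
#define TRACE_LEN ((int)(sizeof TRACE / sizeof TRACE[0]))

int main(void) {
    printf("before=%d after=%d\n", count_socket_events(dispatch_before, TRACE, TRACE_LEN),
           count_socket_events(dispatch_after, TRACE, TRACE_LEN));
    return 0;
}
```

Every socket event counted on the "before" path is an fd that no process ever opened, so no close event arrives to remove it from the table.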

@ekoops ekoops left a comment

/approve

poiana commented Apr 7, 2026

LGTM label has been added.

Git tree hash: 1ff1e4e2e04b9f16f17b4f24027b3d4cea895812

github-actions bot commented Apr 7, 2026

Perf diff from master - unit tests

    17.07%     -0.76%  [.] std::__shared_ptr<sinsp_threadinfo, (__gnu_cxx::_Lock_policy)2>::__shared_ptr(std::__weak_ptr<sinsp_threadinfo, (__gnu_cxx::_Lock_policy)2> const&, std::nothrow_t)
     9.90%     -0.69%  [.] sinsp_threadinfo::update_main_fdtable()
    13.52%     +0.57%  [.] std::__shared_count<(__gnu_cxx::_Lock_policy)2>::_M_get_use_count() const
    10.76%     +0.46%  [.] sinsp_threadinfo::get_main_thread()
     4.36%     +0.36%  [.] thread_group_info::get_first_thread() const
     3.22%     -0.19%  [.] sinsp_thread_manager::create_thread_dependencies(std::shared_ptr<sinsp_threadinfo> const&)
    10.17%     +0.16%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_add_ref_lock_nothrow()
     8.33%     +0.16%  [.] sinsp_threadinfo::get_fd_table()
     7.07%     -0.15%  [.] std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count(std::__weak_count<(__gnu_cxx::_Lock_policy)2> const&, std::nothrow_t)
     8.99%     +0.10%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()

Heap diff from master - unit tests

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            -0.0113         -0.0112           246           243           245           243
BM_sinsp_split_median                                          -0.0138         -0.0140           246           243           246           243
BM_sinsp_split_stddev                                          -0.1891         -0.1888             2             2             2             2
BM_sinsp_split_cv                                              -0.1798         -0.1796             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  -0.0184         -0.0182            70            68            70            68
BM_sinsp_concatenate_paths_relative_path_median                -0.0215         -0.0213            69            68            69            68
BM_sinsp_concatenate_paths_relative_path_stddev                +0.0048         +0.0006             1             1             1             1
BM_sinsp_concatenate_paths_relative_path_cv                    +0.0236         +0.0191             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     +0.0141         +0.0142            41            42            41            42
BM_sinsp_concatenate_paths_empty_path_median                   +0.0579         +0.0578            40            42            40            42
BM_sinsp_concatenate_paths_empty_path_stddev                   -0.1089         -0.1024             1             1             1             1
BM_sinsp_concatenate_paths_empty_path_cv                       -0.1213         -0.1150             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  -0.0059         -0.0059            69            69            69            68
BM_sinsp_concatenate_paths_absolute_path_median                -0.0069         -0.0069            69            68            69            68
BM_sinsp_concatenate_paths_absolute_path_stddev                +0.0565         +0.0592             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_cv                    +0.0628         +0.0654             0             0             0             0

@irozzo-1A irozzo-1A self-assigned this Apr 7, 2026
@irozzo-1A irozzo-1A self-requested a review April 7, 2026 13:24

@irozzo-1A irozzo-1A left a comment

/lgtm

@github-project-automation github-project-automation bot moved this from Todo to In progress in Falco Roadmap Apr 7, 2026

poiana commented Apr 7, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops, gnosek, irozzo-1A

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.90%. Comparing base (64306fa) to head (e0cf65f).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2938   +/-   ##
=======================================
  Coverage   74.90%   74.90%           
=======================================
  Files         297      297           
  Lines       31498    31498           
  Branches     4979     4979           
=======================================
  Hits        23595    23595           
  Misses       7903     7903           
Flag Coverage Δ
libsinsp 74.90% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


@poiana poiana merged commit 2708205 into falcosecurity:master Apr 7, 2026
54 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in Falco Roadmap Apr 7, 2026
@ekoops ekoops modified the milestones: 0.24.0, 0.23.2 Apr 8, 2026