wip: fix(userspace/libsinsp): recognize statically (un)satisfiable evt.num leaves in ppm_codes #3009

Open
leogr wants to merge 1 commit into master from fix/ppm-codes-evtnum-invariant

@leogr
Member

@leogr leogr commented May 29, 2026

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind test

/kind feature

/kind sync

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area automation

/area drivers

/area driver-kmod

/area driver-modern-bpf

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

The event code search (libsinsp::filter::ast::ppm_event_codes / ppm_sc_codes) over-approximates every non-evt.type leaf to the full set of event types. That's sound but imprecise: a condition like evt.num=0 - which can never be true at runtime, since evt.num starts at 1 - is reported as matching all event types instead of none.

This PR teaches the visitor to statically resolve evt.num leaves against the evt.num >= 1 runtime invariant:

  • provably unsatisfiable leaves (e.g. evt.num=0, evt.num<1, evt.num<=0, evt.num in (0)) now resolve to the empty set
  • tautological leaves (e.g. evt.num!=0, evt.num>0, evt.num>=1) resolve to the full set
  • anything we cannot decide (other fields, non-decimal literals, transformers, ...) keeps falling back to the previous over-approximation, so the change is conservative by construction

Negation is handled at the leaf level (since the visitor pushes negation down via De Morgan's laws), so not (evt.num=0) correctly resolves back to all event types.

We need this since it's the libs half of fixing the LOAD_NO_EVTTYPE false positive that Falco emits for the never_true idiom ((evt.num=0)) - the canonical placeholder used across the default ruleset for tuning. See falcosecurity/falco#3883.

Which issue(s) this PR fixes:

Related to falcosecurity/falco#3883

N.B. I'm intentionally not using Fixes here, since the user-facing warning lives in Falco. This PR is a prerequisite, and a follow-up Falco PR will complete the fix.

Special notes for your reviewer:

This is the same warning family - and the same kind of narrow, targeted visitor improvement - as falcosecurity/falco#3546, which was fixed in libs by 4cd3f96.

I deliberately avoided a general satisfiability pass and scoped this to a single field with a documented invariant.

/milestone 0.26.0

Does this PR introduce a user-facing change?:

fix(libsinsp): `ppm_event_codes`/`ppm_sc_codes` now resolve statically (un)satisfiable `evt.num` conditions (e.g. `evt.num=0`) to the correct event-type set instead of over-approximating to all event types
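
The leaf resolution described in the PR description above, as an added sketch that is not libsinsp's code: it decides a single `evt.num` comparison against the `evt.num >= 1` invariant and returns `unknown` for anything it cannot prove. The names `verdict`, `parse_dec` and `resolve_leaf`, and the string-based leaf representation, are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Verdict for one leaf; callers treat `unknown` as "all event types" (over-approximation).
enum class verdict { none, all, unknown };

// Accept plain decimal literals only; hex, signs, spaces and overlong input are rejected.
static bool parse_dec(const std::string& s, uint64_t& out) {
    if (s.empty() || s.size() > 19) return false;  // 19 digits always fit in uint64_t
    out = 0;
    for (char c : s) {
        if (c < '0' || c > '9') return false;
        out = out * 10 + static_cast<uint64_t>(c - '0');
    }
    return true;
}

// Hypothetical helper: decide `field op values` under the invariant evt.num >= 1.
verdict resolve_leaf(const std::string& field, const std::string& op,
                     const std::vector<std::string>& values, bool negated = false) {
    if (field != "evt.num" || values.empty()) return verdict::unknown;
    verdict v = verdict::unknown;
    uint64_t n = 0;
    if (op == "in") {
        // Unsatisfiable only when every member is the literal 0.
        v = verdict::none;
        for (const auto& s : values)
            if (!parse_dec(s, n) || n != 0) { v = verdict::unknown; break; }
    } else if (values.size() == 1 && parse_dec(values[0], n)) {
        if      (op == "=")  v = n == 0 ? verdict::none : verdict::unknown;
        else if (op == "!=") v = n == 0 ? verdict::all  : verdict::unknown;
        else if (op == "<")  v = n <= 1 ? verdict::none : verdict::unknown;
        else if (op == "<=") v = n == 0 ? verdict::none : verdict::unknown;
        else if (op == ">")  v = n == 0 ? verdict::all  : verdict::unknown;
        else if (op == ">=") v = n <= 1 ? verdict::all  : verdict::unknown;
    }
    // Negation is applied at the leaf: it swaps the two decided verdicts only.
    if (negated && v != verdict::unknown)
        v = (v == verdict::none) ? verdict::all : verdict::none;
    return v;
}

int main() {
    // Constructed inputs: the never_true idiom and its negation.
    std::printf("%d %d\n", static_cast<int>(resolve_leaf("evt.num", "=", {"0"})),
                static_cast<int>(resolve_leaf("evt.num", "=", {"0"}, true)));
}
```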

… leaves in ppm_codes

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
@poiana
Contributor

poiana commented May 29, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions

Perf diff from master - unit tests

    10.16%     +6.89%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_add_ref_lock_nothrow()
    21.73%     -6.79%  [.] std::__shared_ptr<sinsp_threadinfo, (__gnu_cxx::_Lock_policy)2>::__shared_ptr(std::__weak_ptr<sinsp_threadinfo, (__gnu_cxx::_Lock_policy)2> const&, std::nothrow_t)
    15.59%     +6.61%  [.] sinsp_threadinfo::get_main_thread()
    12.66%     -3.18%  [.] sinsp_thread_manager::create_thread_dependencies(std::shared_ptr<sinsp_threadinfo> const&)
     8.78%     -3.06%  [.] std::__shared_count<(__gnu_cxx::_Lock_policy)2>::_M_get_use_count() const
     9.22%     +0.70%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()
     5.11%     -0.35%  [.] thread_group_info::get_first_thread() const
     0.29%     -0.15%  [.] sinsp_utils::find_longest_matching_evt_param(std::basic_string_view<char, std::char_traits<char> >)
     3.29%     +0.14%  [.] sinsp_threadinfo::get_fd_table()
     0.18%     -0.12%  [.] void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag)

Heap diff from master - unit tests

peak heap memory consumption: -5.47K
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                                               Time             CPU      Time Old      Time New       CPU Old       CPU New
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                                                  +0.0095         +0.0093           269           271           268           271
BM_sinsp_split_median                                                                +0.0086         +0.0078           269           271           269           271
BM_sinsp_split_stddev                                                                +0.9347         +0.8830             2             3             2             3
BM_sinsp_split_cv                                                                    +0.9165         +0.8657             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                                        +0.0225         +0.0226            82            84            82            84
BM_sinsp_concatenate_paths_relative_path_median                                      +0.0289         +0.0289            82            84            82            84
BM_sinsp_concatenate_paths_relative_path_stddev                                      -0.8494         -0.8494             1             0             1             0
BM_sinsp_concatenate_paths_relative_path_cv                                          -0.8527         -0.8528             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                                           -0.0386         -0.0387            46            45            46            45
BM_sinsp_concatenate_paths_empty_path_median                                         -0.0383         -0.0383            46            45            46            45
BM_sinsp_concatenate_paths_empty_path_stddev                                         +8.2906         +9.8647             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                                             +8.6640        +10.3016             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                                        -0.0117         -0.0118            87            86            87            86
BM_sinsp_concatenate_paths_absolute_path_median                                      -0.0117         -0.0118            86            85            86            85
BM_sinsp_concatenate_paths_absolute_path_stddev                                      -0.0678         -0.0702             1             1             1             1
BM_sinsp_concatenate_paths_absolute_path_cv                                          -0.0568         -0.0591             0             0             0             0
BM_sinsp_sanitize_string_fast_path_ascii_short_mean                                  -0.0006         -0.0007            19            19            19            19
BM_sinsp_sanitize_string_fast_path_ascii_short_median                                -0.0001         -0.0002            19            19            19            19
BM_sinsp_sanitize_string_fast_path_ascii_short_stddev                                +0.0567         +0.0802             0             0             0             0
BM_sinsp_sanitize_string_fast_path_ascii_short_cv                                    +0.0574         +0.0810             0             0             0             0
BM_sinsp_sanitize_string_fast_path_ascii_long_mean                                   -0.0005         -0.0005           165           165           165           165
BM_sinsp_sanitize_string_fast_path_ascii_long_median                                 -0.0002         -0.0001           165           165           165           165
BM_sinsp_sanitize_string_fast_path_ascii_long_stddev                                 +2.7137         +2.9555             0             0             0             0
BM_sinsp_sanitize_string_fast_path_ascii_long_cv                                     +2.7157         +2.9577             0             0             0             0
BM_sinsp_sanitize_string_fast_path_multibyte_short_mean                              -0.0419         -0.0418            15            14            15            14
BM_sinsp_sanitize_string_fast_path_multibyte_short_median                            -0.0403         -0.0400            15            14            15            14
BM_sinsp_sanitize_string_fast_path_multibyte_short_stddev                            -0.0080         -0.0078             0             0             0             0
BM_sinsp_sanitize_string_fast_path_multibyte_short_cv                                +0.0353         +0.0355             0             0             0             0
BM_sinsp_sanitize_string_fast_path_multibyte_long_mean                               -0.0891         -0.0891          5473          4985          5471          4983
BM_sinsp_sanitize_string_fast_path_multibyte_long_median                             -0.0940         -0.0941          5472          4957          5470          4956
BM_sinsp_sanitize_string_fast_path_multibyte_long_stddev                            +58.7394        +61.4497             2           104             2           104
BM_sinsp_sanitize_string_fast_path_multibyte_long_cv                                +64.5816        +67.5583             0             0             0             0
BM_sinsp_sanitize_string_fast_path_mixed_long_mean                                   +0.0197         +0.0197          2292          2337          2291          2336
BM_sinsp_sanitize_string_fast_path_mixed_long_median                                 +0.0093         +0.0093          2308          2330          2307          2329
BM_sinsp_sanitize_string_fast_path_mixed_long_stddev                                 -0.5141         -0.5137            25            12            25            12
BM_sinsp_sanitize_string_fast_path_mixed_long_cv                                     -0.5235         -0.5231             0             0             0             0
BM_sinsp_sanitize_string_slow_path_c1_controls_long_alloc_mean                       +0.0003         +0.0004          6142          6144          6140          6142
BM_sinsp_sanitize_string_slow_path_c1_controls_long_alloc_median                     +0.0010         +0.0011          6141          6147          6139          6146
BM_sinsp_sanitize_string_slow_path_c1_controls_long_alloc_stddev                     +6.3114         +6.8834             2            18             2            18
BM_sinsp_sanitize_string_slow_path_c1_controls_long_alloc_cv                         +6.3089         +6.8806             0             0             0             0
BM_sinsp_sanitize_string_slow_path_c1_controls_long_noalloc_mean                     -0.0766         -0.0766          6020          5559          6018          5557
BM_sinsp_sanitize_string_slow_path_c1_controls_long_noalloc_median                   -0.1007         -0.1008          6020          5414          6018          5411
BM_sinsp_sanitize_string_slow_path_c1_controls_long_noalloc_stddev                 +161.2557       +165.1053             2           260             2           260
BM_sinsp_sanitize_string_slow_path_c1_controls_long_noalloc_cv                     +174.7235       +178.8941             0             0             0             0
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_alloc_mean                    -0.0001         +0.0000           325           325           325           325
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_alloc_median                  -0.0052         -0.0051           325           323           325           323
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_alloc_stddev                  +2.3518         +2.3003             1             5             1             5
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_alloc_cv                      +2.3521         +2.3002             0             0             0             0
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_noalloc_mean                  +0.0018         +0.0019           219           219           219           219
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_noalloc_median                +0.0018         +0.0020           219           219           219           219
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_noalloc_stddev                +0.5101         +0.4995             1             1             1             1
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_noalloc_cv                    +0.5074         +0.4966             0             0             0             0
BM_sinsp_sanitize_string_slow_path_all_invalid_long_alloc_mean                       -0.0134         -0.0135         12459         12292         12456         12288
BM_sinsp_sanitize_string_slow_path_all_invalid_long_alloc_median                     +0.0006         +0.0006         12459         12467         12455         12463
BM_sinsp_sanitize_string_slow_path_all_invalid_long_alloc_stddev                    +43.5197        +45.7962             6           282             6           283
BM_sinsp_sanitize_string_slow_path_all_invalid_long_alloc_cv                        +44.1245        +46.4353             0             0             0             0
BM_sinsp_sanitize_string_slow_path_all_invalid_long_noalloc_mean                     -0.0687         -0.0687         12249         11408         12245         11403
BM_sinsp_sanitize_string_slow_path_all_invalid_long_noalloc_median                   -0.0967         -0.0967         12249         11065         12245         11060
BM_sinsp_sanitize_string_slow_path_all_invalid_long_noalloc_stddev                 +109.3808       +115.6186             5           537             5           537
BM_sinsp_sanitize_string_slow_path_all_invalid_long_noalloc_cv                     +117.5248       +124.2263             0             0             0             0

@codecov

codecov Bot commented May 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.74%. Comparing base (38a4d4f) to head (cf88a3d).
⚠️ Report is 6 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3009      +/-   ##
==========================================
+ Coverage   75.65%   75.74%   +0.09%     
==========================================
  Files         299      299              
  Lines       32936    33059     +123     
  Branches     5119     5136      +17     
==========================================
+ Hits        24919    25042     +123     
  Misses       8017     8017              
Flag Coverage Δ
libsinsp 75.74% <100.00%> (+0.09%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

