netdata
diff --git a/‎.agents/sow/current/SOW-0021-20260613-netipc-at-scale.md‎
Lines changed: 13 additions & 1 deletion b/‎.agents/sow/current/SOW-0021-20260613-netipc-at-scale.md‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎src/crates/netipc/src/service/raw/apps_lookup.rs‎
Lines changed: 48 additions & 43 deletions b/‎src/crates/netipc/src/service/raw/apps_lookup.rs‎
Lines changed: 48 additions & 43 deletions
diff --git a/‎src/crates/netipc/src/service/raw/cgroups_lookup.rs‎
Lines changed: 50 additions & 48 deletions b/‎src/crates/netipc/src/service/raw/cgroups_lookup.rs‎
Lines changed: 50 additions & 48 deletions
diff --git a/‎src/go/pkg/netipc/protocol/apps_lookup.go‎
Lines changed: 26 additions & 14 deletions b/‎src/go/pkg/netipc/protocol/apps_lookup.go‎
Lines changed: 26 additions & 14 deletions
diff --git a/‎src/go/pkg/netipc/protocol/cgroups_lookup.go‎
Lines changed: 14 additions & 6 deletions b/‎src/go/pkg/netipc/protocol/cgroups_lookup.go‎
Lines changed: 14 additions & 6 deletions
@@ -1057,7 +1057,19 @@ Tests or equivalent validation:
   - Validation passed on POSIX: `cd src/go && go test -count=1 -timeout=300s ./pkg/netipc/protocol`; `cd src/go && go test -count=1 -timeout=300s ./pkg/netipc/service/raw`; `cargo test --manifest-path src/crates/netipc/Cargo.toml protocol::lookup -- --nocapture`; `cargo test --manifest-path src/crates/netipc/Cargo.toml lookup_dispatch_tests -- --nocapture`; `cargo test --manifest-path src/crates/netipc/Cargo.toml service::raw:: -- --nocapture`.
   - Validation passed on Windows `win11`: `cd src/go && "/c/Program Files/Go/bin/go.exe" test -count=1 -timeout=300s ./pkg/netipc/protocol`; `cd src/go && "/c/Program Files/Go/bin/go.exe" test -count=1 -timeout=300s ./pkg/netipc/service/raw`; `PATH=/c/Users/costa/.cargo/bin:$PATH cargo test --manifest-path src/crates/netipc/Cargo.toml protocol::lookup -- --nocapture`; `PATH=/c/Users/costa/.cargo/bin:$PATH cargo test --manifest-path src/crates/netipc/Cargo.toml service::raw:: -- --nocapture`.
   - Reviewer concern about suffix-reservation still losing partial responses was not reproduced: C POSIX `timeout 900 build-coverage/bin/test_service` passed with `642 passed, 0 failed`; focused POSIX Go `TestLookupLargeResponseSplit` passed; focused POSIX Rust `test_lookup_large_response_split_calls` passed; Windows Rust `test_lookup_large_response_split_calls_windows` passed. The concern was treated as rejected unless a failing reproducer is produced.
-- Note: `ctest` on `$PATH` resolved to a broken local Python wrapper missing the `cmake` module; validation used `/usr/bin/ctest`.
+  - Post-push CI failure fixes after pushed commit `ed0befa`:
+    - GitHub `Runtime Safety` run `27506742409` failed in `bash tests/run-go-race.sh`.
+    - Root cause 1: Go protocol tests fabricated impossible multi-GB slices with `unsafe.Slice`, and Go race/checkptr rejected them with `fatal error: checkptr: unsafe.Slice result straddles multiple allocations` in `src/go/pkg/netipc/protocol/frame_test.go`.
+    - Root cause 2: Go POSIX raw server stop/close had a real race between `src/go/pkg/netipc/service/raw/server_unix.go` `Run()` defer and `Stop()`, plus unsynchronized `src/go/pkg/netipc/transport/posix/uds_listener.go` listener `fd`/`path` mutation.
+    - GitHub `Static Analysis` run `27506742397` failed in the Go `src/go` matrix because `gosec` reported `G103` unsafe-pointer findings in `src/go/pkg/netipc/protocol/lookup_guard_test.go`, `src/go/pkg/netipc/service/raw/cache_test.go`, and `src/go/pkg/netipc/service/raw/lookup_common_test.go`.
+    - Fixed Go tests by replacing invalid synthetic `unsafe` slices with unexported arithmetic/count helper checks used by the production encoders/builders. This preserves overflow coverage without invalid memory.
+    - Fixed Go POSIX listener/server close races by making listener `fd`, `path`, and config access mutex-protected and making raw server listener ownership/close synchronized and idempotent. Mirrored the raw server listener ownership fix on Windows.
+    - Fixed newly exposed local `gosec` `G115` findings by replacing unchecked count and size casts with checked conversions and helper comparisons against `uint32` payload ceilings.
+    - Local validation passed after fixes: `bash tests/run-go-race.sh`; `cd src/go && go test ./...`; `cd src/go && go vet ./...`; `cd src/go && staticcheck ./...`; `cd src/go && govulncheck ./...`; `cd src/go && gosec -quiet -fmt sarif -out /tmp/plugin-ipc-gosec.sarif -exclude=G404 ./...`.
+    - Local Go static matrix validation also passed for `tests/fixtures/go` and `bench/drivers/go`: `go test ./...`, `go vet ./...`, `staticcheck ./...`, `govulncheck ./...`, and `gosec -quiet -fmt sarif ...`.
+    - Local Rust static validation passed after replacing two raw lookup `drop(view)` borrow-shortening calls with lexical scopes: `cargo fmt --manifest-path src/crates/netipc/Cargo.toml --all --check`; `cargo test --manifest-path src/crates/netipc/Cargo.toml --all-targets --all-features --no-run`; `cargo clippy --manifest-path src/crates/netipc/Cargo.toml --all-targets --all-features -- -D clippy::correctness -D clippy::suspicious`; `cargo audit`; `cargo deny check advisories bans sources`.
+    - Follow-up local validation on 2026-06-14 passed: `git diff --check`; `bash .agents/sow/audit.sh`; `bash tests/run-go-race.sh`; `bash tests/run-coverage-go.sh` with `90.4%` total coverage (`3375/3735`) against the configured `90%` threshold; `cargo fmt --manifest-path src/crates/netipc/Cargo.toml --all --check`; `cargo test --manifest-path src/crates/netipc/Cargo.toml --all-targets --all-features --no-run`; `cargo clippy --manifest-path src/crates/netipc/Cargo.toml --all-targets --all-features -- -D clippy::correctness -D clippy::suspicious`.
+  - Note: `ctest` on `$PATH` resolved to a broken local Python wrapper missing the `cmake` module; validation used `/usr/bin/ctest`.
 
 Real-use evidence:
 
 
@@ -118,61 +118,66 @@ impl RawClient {
                 RawCallKind::single(),
                 remaining_timeout,
             )?;
-            let view = AppsLookupResponseView::decode(self.response_payload(response)?)?;
-            if let Some(expected_generation) = generation {
-                if view.generation != expected_generation {
-                    return Err(NipcError::BadLayout);
-                }
-            } else {
-                generation = Some(view.generation);
-            }
-            if view.item_count != req_pids.len() as u32 {
-                return Err(NipcError::BadItemCount);
-            }
-            let mut payload_exceeded_at: Option<usize> = None;
-            for (i, expected) in req_pids.iter().enumerate() {
-                let item = view.item(i as u32)?;
-                if item.pid != *expected {
-                    return Err(NipcError::BadLayout);
+            let final_size = {
+                let view = AppsLookupResponseView::decode(self.response_payload(response)?)?;
+                if let Some(expected_generation) = generation {
+                    if view.generation != expected_generation {
+                        return Err(NipcError::BadLayout);
+                    }
+                } else {
+                    generation = Some(view.generation);
                 }
-                if item.status == PID_LOOKUP_PAYLOAD_EXCEEDED {
-                    payload_exceeded_at = Some(i);
-                    break;
+                if view.item_count != req_pids.len() as u32 {
+                    return Err(NipcError::BadItemCount);
                 }
-                raw_items.push(view.raw_item(i as u32)?.to_vec());
-            }
-            if let Some(first) = payload_exceeded_at {
-                for (i, expected) in req_pids.iter().enumerate().skip(first) {
+                let mut payload_exceeded_at: Option<usize> = None;
+                for (i, expected) in req_pids.iter().enumerate() {
                     let item = view.item(i as u32)?;
-                    if item.pid != *expected || item.status != PID_LOOKUP_PAYLOAD_EXCEEDED {
+                    if item.pid != *expected {
                         return Err(NipcError::BadLayout);
                     }
+                    if item.status == PID_LOOKUP_PAYLOAD_EXCEEDED {
+                        payload_exceeded_at = Some(i);
+                        break;
+                    }
+                    raw_items.push(view.raw_item(i as u32)?.to_vec());
+                }
+                if let Some(first) = payload_exceeded_at {
+                    for (i, expected) in req_pids.iter().enumerate().skip(first) {
+                        let item = view.item(i as u32)?;
+                        if item.pid != *expected || item.status != PID_LOOKUP_PAYLOAD_EXCEEDED {
+                            return Err(NipcError::BadLayout);
+                        }
+                    }
+                    if first == 0 {
+                        return Err(NipcError::Overflow);
+                    }
+                    start += first;
+                    continue;
+                }
+                start += req_count;
+                if start < pids.len() {
+                    continue;
+                }
+                if raw_items.len() != pids.len() {
+                    return Err(NipcError::BadItemCount);
                 }
-                if first == 0 {
+                let size = lookup_raw_response_size(
+                    APPS_LOOKUP_RESP_HDR_SIZE,
+                    raw_items.len(),
+                    &raw_items,
+                )?;
+                if size > self.max_logical_lookup_response_bytes as usize {
                     return Err(NipcError::Overflow);
                 }
-                start += first;
-                continue;
-            }
-            start += req_count;
-            if start < pids.len() {
-                continue;
-            }
-            if raw_items.len() != pids.len() {
-                return Err(NipcError::BadItemCount);
-            }
-            let size =
-                lookup_raw_response_size(APPS_LOOKUP_RESP_HDR_SIZE, raw_items.len(), &raw_items)?;
-            if size > self.max_logical_lookup_response_bytes as usize {
-                return Err(NipcError::Overflow);
-            }
-            drop(view);
-            self.transport_buf.resize(size, 0);
+                size
+            };
+            self.transport_buf.resize(final_size, 0);
             let refs: Vec<&[u8]> = raw_items.iter().map(Vec::as_slice).collect();
             let n = protocol::encode_apps_lookup_raw_response(
                 &refs,
                 generation.unwrap_or(0),
-                &mut self.transport_buf[..size],
+                &mut self.transport_buf[..final_size],
             )?;
             return AppsLookupResponseView::decode(&self.transport_buf[..n]);
         }
 
@@ -165,66 +165,68 @@ impl RawClient {
                 RawCallKind::single(),
                 remaining_timeout,
             )?;
-            let view = CgroupsLookupResponseView::decode(self.response_payload(response)?)?;
-            if let Some(expected_generation) = generation {
-                if view.generation != expected_generation {
-                    return Err(NipcError::BadLayout);
-                }
-            } else {
-                generation = Some(view.generation);
-            }
-            if view.item_count != req_paths.len() as u32 {
-                return Err(NipcError::BadItemCount);
-            }
-            let mut payload_exceeded_at: Option<usize> = None;
-            for (i, expected) in req_paths.iter().enumerate() {
-                let item = view.item(i as u32)?;
-                if item.path.as_bytes() != *expected {
-                    return Err(NipcError::BadLayout);
+            let final_size = {
+                let view = CgroupsLookupResponseView::decode(self.response_payload(response)?)?;
+                if let Some(expected_generation) = generation {
+                    if view.generation != expected_generation {
+                        return Err(NipcError::BadLayout);
+                    }
+                } else {
+                    generation = Some(view.generation);
                 }
-                if item.status == CGROUP_LOOKUP_PAYLOAD_EXCEEDED {
-                    payload_exceeded_at = Some(i);
-                    break;
+                if view.item_count != req_paths.len() as u32 {
+                    return Err(NipcError::BadItemCount);
                 }
-                raw_items.push(view.raw_item(i as u32)?.to_vec());
-            }
-            if let Some(first) = payload_exceeded_at {
-                for (i, expected) in req_paths.iter().enumerate().skip(first) {
+                let mut payload_exceeded_at: Option<usize> = None;
+                for (i, expected) in req_paths.iter().enumerate() {
                     let item = view.item(i as u32)?;
-                    if item.path.as_bytes() != *expected
-                        || item.status != CGROUP_LOOKUP_PAYLOAD_EXCEEDED
-                    {
+                    if item.path.as_bytes() != *expected {
                         return Err(NipcError::BadLayout);
                     }
+                    if item.status == CGROUP_LOOKUP_PAYLOAD_EXCEEDED {
+                        payload_exceeded_at = Some(i);
+                        break;
+                    }
+                    raw_items.push(view.raw_item(i as u32)?.to_vec());
+                }
+                if let Some(first) = payload_exceeded_at {
+                    for (i, expected) in req_paths.iter().enumerate().skip(first) {
+                        let item = view.item(i as u32)?;
+                        if item.path.as_bytes() != *expected
+                            || item.status != CGROUP_LOOKUP_PAYLOAD_EXCEEDED
+                        {
+                            return Err(NipcError::BadLayout);
+                        }
+                    }
+                    if first == 0 {
+                        return Err(NipcError::Overflow);
+                    }
+                    start += first;
+                    continue;
                 }
-                if first == 0 {
+                start += req_count;
+                if start < paths.len() {
+                    continue;
+                }
+                if raw_items.len() != paths.len() {
+                    return Err(NipcError::BadItemCount);
+                }
+                let size = lookup_raw_response_size(
+                    CGROUPS_LOOKUP_RESP_HDR_SIZE,
+                    raw_items.len(),
+                    &raw_items,
+                )?;
+                if size > self.max_logical_lookup_response_bytes as usize {
                     return Err(NipcError::Overflow);
                 }
-                start += first;
-                continue;
-            }
-            start += req_count;
-            if start < paths.len() {
-                continue;
-            }
-            if raw_items.len() != paths.len() {
-                return Err(NipcError::BadItemCount);
-            }
-            let size = lookup_raw_response_size(
-                CGROUPS_LOOKUP_RESP_HDR_SIZE,
-                raw_items.len(),
-                &raw_items,
-            )?;
-            if size > self.max_logical_lookup_response_bytes as usize {
-                return Err(NipcError::Overflow);
-            }
-            drop(view);
-            self.transport_buf.resize(size, 0);
+                size
+            };
+            self.transport_buf.resize(final_size, 0);
             let refs: Vec<&[u8]> = raw_items.iter().map(Vec::as_slice).collect();
             let n = protocol::encode_cgroups_lookup_raw_response(
                 &refs,
                 generation.unwrap_or(0),
-                &mut self.transport_buf[..size],
+                &mut self.transport_buf[..final_size],
             )?;
             return CgroupsLookupResponseView::decode(&self.transport_buf[..n]);
         }
 
@@ -123,22 +123,11 @@ func validateAppsLookupKnown(v appsLookupSemantics) error {
 
 func EncodeAppsLookupRequest(pids []uint32, buf []byte) (int, error) {
 	count := len(pids)
-	if uint64(count) > uint64(^uint32(0)) {
-		return 0, ErrOverflow
-	}
-	dirSize, ok := checkedMulInt(count, LookupDirEntrySize)
-	if !ok {
-		return 0, ErrOverflow
-	}
-	keySize, ok := checkedMulInt(count, AppsLookupKeySize)
-	if !ok {
-		return 0, ErrOverflow
-	}
-	packedStart, ok := checkedAddInt(AppsLookupReqHdr, dirSize)
+	count32, ok := checkedU32Int(count)
 	if !ok {
 		return 0, ErrOverflow
 	}
-	total, ok := checkedAddInt(packedStart, keySize)
+	packedStart, total, ok := appsLookupRequestLayoutForCount(count)
 	if !ok {
 		return 0, ErrOverflow
 	}
@@ -159,12 +148,35 @@ func EncodeAppsLookupRequest(pids []uint32, buf []byte) (int, error) {
 	}
 	ne.PutUint16(buf[0:2], 1)
 	ne.PutUint16(buf[2:4], 0)
-	ne.PutUint32(buf[4:8], uint32(count))
+	ne.PutUint32(buf[4:8], count32)
 	ne.PutUint32(buf[8:12], 0)
 	ne.PutUint32(buf[12:16], 0)
 	return total, nil
 }
 
+func appsLookupRequestLayoutForCount(count int) (packedStart, total int, ok bool) {
+	if count < 0 || uint64(count) > uint64(^uint32(0)) {
+		return 0, 0, false
+	}
+	dirSize, ok := checkedMulInt(count, LookupDirEntrySize)
+	if !ok {
+		return 0, 0, false
+	}
+	keySize, ok := checkedMulInt(count, AppsLookupKeySize)
+	if !ok {
+		return 0, 0, false
+	}
+	packedStart, ok = checkedAddInt(AppsLookupReqHdr, dirSize)
+	if !ok {
+		return 0, 0, false
+	}
+	total, ok = checkedAddInt(packedStart, keySize)
+	if !ok {
+		return 0, 0, false
+	}
+	return packedStart, total, true
+}
+
 func DecodeAppsLookupRequest(buf []byte) (*AppsLookupRequestView, error) {
 	if len(buf) < AppsLookupReqHdr {
 		return nil, ErrTruncated
 
@@ -56,14 +56,11 @@ func validateCgroupsLookupSemantics(status, orchestrator uint16, pathLen, nameLe
 
 func EncodeCgroupsLookupRequest(paths [][]byte, buf []byte) (int, error) {
 	count := len(paths)
-	if uint64(count) > uint64(^uint32(0)) {
-		return 0, ErrOverflow
-	}
-	dirSize, ok := checkedMulInt(count, LookupDirEntrySize)
+	count32, ok := checkedU32Int(count)
 	if !ok {
 		return 0, ErrOverflow
 	}
-	packedStart, ok := checkedAddInt(CgroupsLookupReqHdr, dirSize)
+	packedStart, ok := cgroupsLookupRequestPackedStartForCount(count)
 	if !ok {
 		return 0, ErrOverflow
 	}
@@ -108,12 +105,23 @@ func EncodeCgroupsLookupRequest(paths [][]byte, buf []byte) (int, error) {
 	}
 	ne.PutUint16(buf[0:2], 1)
 	ne.PutUint16(buf[2:4], 0)
-	ne.PutUint32(buf[4:8], uint32(count))
+	ne.PutUint32(buf[4:8], count32)
 	ne.PutUint32(buf[8:12], 0)
 	ne.PutUint32(buf[12:16], 0)
 	return data, nil
 }
 
+func cgroupsLookupRequestPackedStartForCount(count int) (int, bool) {
+	if count < 0 || uint64(count) > uint64(^uint32(0)) {
+		return 0, false
+	}
+	dirSize, ok := checkedMulInt(count, LookupDirEntrySize)
+	if !ok {
+		return 0, false
+	}
+	return checkedAddInt(CgroupsLookupReqHdr, dirSize)
+}
+
 func DecodeCgroupsLookupRequest(buf []byte) (*CgroupsLookupRequestView, error) {
 	if len(buf) < CgroupsLookupReqHdr {
 		return nil, ErrTruncated