diff --git a/userspace/libsinsp/sinsp_filtercheck_event.cpp b/userspace/libsinsp/sinsp_filtercheck_event.cpp index dbb376ee1d..ccabdbe291 100644 --- a/userspace/libsinsp/sinsp_filtercheck_event.cpp +++ b/userspace/libsinsp/sinsp_filtercheck_event.cpp @@ -1517,30 +1517,23 @@ uint8_t* sinsp_filter_check_event::extract_single(sinsp_evt* evt, } else { return NULL; } - case TYPE_COUNT_PROCINFO: { - uint16_t etype = evt->get_type(); + case TYPE_COUNT_PROCINFO: + case TYPE_COUNT_THREADINFO: { + m_val.u32 = 0; + if(evt->get_type() != PPME_PROCINFO_E) { + RETURN_EXTRACT_VAR(m_val.u32); + } - if(etype == PPME_PROCINFO_E) { + if(m_field_id == TYPE_COUNT_THREADINFO) { + m_val.u32 = 1; + } else if(m_field_id == TYPE_COUNT_PROCINFO) { sinsp_threadinfo* tinfo = evt->get_thread_info(); - if(tinfo != NULL && tinfo->is_main_thread()) { m_val.u32 = 1; - RETURN_EXTRACT_VAR(m_val.u32); } } + RETURN_EXTRACT_VAR(m_val.u32); } - - break; - case TYPE_COUNT_THREADINFO: { - uint16_t etype = evt->get_type(); - - if(etype == PPME_PROCINFO_E) { - m_val.u32 = 1; - RETURN_EXTRACT_VAR(m_val.u32); - } - } - - break; case TYPE_ABSPATH: return extract_abspath(evt, len); case TYPE_BUFLEN_IN: diff --git a/userspace/libsinsp/test/filterchecks/evt.cpp b/userspace/libsinsp/test/filterchecks/evt.cpp index cb35bf8eb6..8e1cfda7b5 100644 --- a/userspace/libsinsp/test/filterchecks/evt.cpp +++ b/userspace/libsinsp/test/filterchecks/evt.cpp @@ -212,7 +212,7 @@ TEST_F(sinsp_with_test_input, EVT_FILTER_check_evt_arg_uid) { } // Test that for rawarg.X we are correctly retrieving the correct field type/format. -TEST_F(sinsp_with_test_input, rawarg_madness) { +TEST_F(sinsp_with_test_input, EVT_FILTER_rawarg_madness) { add_default_init_thread(); open_inspector(); @@ -255,3 +255,38 @@ TEST_F(sinsp_with_test_input, rawarg_madness) { ASSERT_EQ(get_field_as_string(evt, "evt.rawarg.addr"), "FFFFFFFFFFFFFFFF"); ASSERT_ANY_THROW(eval_filter(evt, "evt.rawarg.addr > 0")); // PT_SOCKADDR is not comparable } + +TEST_F(sinsp_with_test_input, EVT_FILTER_thread_proc_info) { + DEFAULT_TREE + + // Random event on the init process (main thread) the field should be 0. This field are used + // only when the event is `PPME_PROCINFO_E` + auto evt = generate_random_event(INIT_TID); + ASSERT_EQ(get_field_as_string(evt, "evt.count.procinfo"), "0"); + ASSERT_EQ(get_field_as_string(evt, "evt.count.threadinfo"), "0"); + + // Same for a secondary thread + evt = generate_random_event(p1_t2_tid); + ASSERT_EQ(get_field_as_string(evt, "evt.count.procinfo"), "0"); + ASSERT_EQ(get_field_as_string(evt, "evt.count.threadinfo"), "0"); + + // Now both field shoul be 1 + evt = add_event_advance_ts(increasing_ts(), + INIT_TID, + PPME_PROCINFO_E, + 2, + (uint64_t)0, + (uint64_t)0); + ASSERT_EQ(get_field_as_string(evt, "evt.count.procinfo"), "1"); + ASSERT_EQ(get_field_as_string(evt, "evt.count.threadinfo"), "1"); + + // Since this is not a main thread only `evt.count.threadinfo` should be 1 + evt = add_event_advance_ts(increasing_ts(), + p1_t2_tid, + PPME_PROCINFO_E, + 2, + (uint64_t)0, + (uint64_t)0); + ASSERT_EQ(get_field_as_string(evt, "evt.count.procinfo"), "0"); + ASSERT_EQ(get_field_as_string(evt, "evt.count.threadinfo"), "1"); +}