update(userspace): Make offset extraction per-value instead of per-field

Add support for extracting offsets for each value instead of just the
first one.

Signed-off-by: Gerald Combs <[email protected]>

Author: geraldcombs

userspace/libsinsp/filter_cache.h

@@ -83,7 +83,7 @@ class sinsp_filter_extract_cache {
 
 	inline bool result() const { return m_result; }
 
-	inline const std::vector<extract_offset_t>& offsets() const { return m_offsets; }
+	inline const std::vector<extract_offset_t>& offsets() const { return m_value_offsets; }
 
 private:
 	template<typename T>
@@ -97,7 +97,7 @@ class sinsp_filter_extract_cache {
 	bool m_result = false;
 	std::vector<extract_value_t> m_values;
 	std::vector<std::vector<uint8_t>> m_storage;
-	std::vector<extract_offset_t> m_offsets;
+	std::vector<extract_offset_t> m_value_offsets;
 };
 
 /**

userspace/libsinsp/plugin.cpp

@@ -985,7 +985,7 @@ std::unique_ptr<sinsp_filter_check> sinsp_plugin::new_filtercheck(
 bool sinsp_plugin::extract_fields_and_offsets(sinsp_evt* evt,
                                               uint32_t num_fields,
                                               ss_plugin_extract_field* fields,
-                                              ss_plugin_extract_field_offsets* field_offsets) {
+                                              ss_plugin_extract_value_offsets* value_offsets) {
 	if(!m_inited) {
 		throw sinsp_exception(std::string(s_not_init_err) + ": " + m_name);
 	}
@@ -1002,7 +1002,7 @@ bool sinsp_plugin::extract_fields_and_offsets(sinsp_evt* evt,
 	in.owner = (ss_plugin_owner_t*)this;
 	in.get_owner_last_error = sinsp_plugin::get_owner_last_error;
 	in.table_reader_ext = &table_reader_ext;
-	in.field_offsets = field_offsets;
+	in.value_offsets = value_offsets;
 	sinsp_plugin::table_read_api(in.table_reader, table_reader_ext);
 	auto res = m_handle->api.extract_fields(m_state, &ev, &in) == SS_PLUGIN_SUCCESS;
 

userspace/libsinsp/plugin.h

@@ -187,7 +187,7 @@ class sinsp_plugin : public libsinsp::state::sinsp_table_owner {
 	bool extract_fields_and_offsets(sinsp_evt* evt,
 	                                uint32_t num_fields,
 	                                ss_plugin_extract_field* fields,
-	                                ss_plugin_extract_field_offsets* field_offsets);
+	                                ss_plugin_extract_value_offsets* value_offsets);
 
 	/** Event Parsing **/
 	inline const std::unordered_set<std::string>& parse_event_sources() const {

userspace/libsinsp/plugin_filtercheck.cpp

@@ -170,11 +170,9 @@ bool sinsp_filter_check_plugin::extract_nocache(sinsp_evt* evt,
 	efield.arg_present = m_arg_present;
 	efield.ftype = type;
 	efield.flist = m_info->m_fields[m_field_id].m_flags & EPF_IS_LIST;
-	ss_plugin_extract_field_offsets eoffset;
-	ss_plugin_extract_field_offsets* eoptr = nullptr;
+	ss_plugin_extract_value_offsets eoffset = {nullptr, nullptr};
+	ss_plugin_extract_value_offsets* eoptr = nullptr;
 	if(offsets) {
-		eoffset.start = UINT32_MAX;
-		eoffset.length = UINT32_MAX;
 		eoptr = &eoffset;
 	}
 	if(!m_eplugin->extract_fields_and_offsets(evt, num_fields, &efield, eoptr) ||
@@ -216,11 +214,10 @@ bool sinsp_filter_check_plugin::extract_nocache(sinsp_evt* evt,
 			break;
 		}
 		values.push_back(res);
-	}
 
-	if(offsets) {
-		extract_offset_t res_offset = {eoffset.start, eoffset.length};
-		offsets->push_back(res_offset);
+		if(offsets && eoffset.start && eoffset.length) {
+			offsets->emplace_back(extract_offset_t{eoffset.start[i], eoffset.length[i]});
+		}
 	}
 
 	return true;

userspace/libsinsp/test/plugins.ut.cpp

@@ -376,8 +376,8 @@ TEST_F(sinsp_with_test_input, plugin_custom_source) {
 	ASSERT_FALSE(field_has_value(evt, "fd.name", filterlist));
 	ASSERT_EQ(get_field_as_string(evt, "evt.pluginname", filterlist), src_pl->name());
 	ASSERT_EQ(get_field_as_string(evt, "sample.hello", filterlist), "hello world");
-	ASSERT_EQ(get_field_offset_start(evt, "sample.hello", filterlist), 0);
-	ASSERT_EQ(get_field_offset_length(evt, "sample.hello", filterlist), 11);
+	ASSERT_EQ(get_value_offset_start(evt, "sample.hello", filterlist, 0), 0);
+	ASSERT_EQ(get_value_offset_length(evt, "sample.hello", filterlist, 0), 11);
 	ASSERT_EQ(next_event(), nullptr);  // EOF is expected
 }
 

userspace/libsinsp/test/plugins/plugin_extract.cpp

@@ -133,15 +133,18 @@ ss_plugin_rc plugin_extract_fields(ss_plugin_t* s,
 	for(uint32_t i = 0; i < in->num_fields; i++) {
 		switch(in->fields[i].field_id) {
 		case 0:  // test.hello
+		{
 			ps->strstorage = "hello world";
 			ps->strptr = ps->strstorage.c_str();
+			static uint32_t res_start = 0;
+			static uint32_t res_length = ps->strstorage.size();
 			in->fields[i].res.str = &ps->strptr;
 			in->fields[i].res_len = 1;
-			if(in->field_offsets) {
-				in->field_offsets[i].start = 0;
-				in->field_offsets[i].length = ps->strstorage.size();
+			if(in->value_offsets) {
+				in->value_offsets[i].start = &res_start;
+				in->value_offsets[i].length = &res_length;
 			}
-			break;
+		} break;
 		default:
 			in->fields[i].res_len = 0;
 			return SS_PLUGIN_FAILURE;

userspace/libsinsp/test/sinsp_with_test_input.cpp

@@ -667,9 +667,10 @@ std::string sinsp_with_test_input::get_field_as_string(sinsp_evt* evt,
 	return result;
 }
 
-extract_offset_t sinsp_with_test_input::get_field_offsets(sinsp_evt* evt,
+extract_offset_t sinsp_with_test_input::get_value_offsets(sinsp_evt* evt,
                                                           std::string_view field_name,
-                                                          filter_check_list& flist) {
+                                                          filter_check_list& flist,
+                                                          size_t val_idx) {
 	if(evt == nullptr) {
 		throw sinsp_exception("The event class is NULL");
 	}
@@ -688,19 +689,26 @@ extract_offset_t sinsp_with_test_input::get_field_offsets(sinsp_evt* evt,
 	if(offsets.size() == 0) {
 		throw sinsp_exception("Unable to extract offsets for " + std::string(field_name));
 	}
-	return offsets.at(0);
+	if(val_idx >= values.size()) {
+		throw sinsp_exception("Offset index " + std::to_string(val_idx) + " out of range for " +
+		                      std::string(field_name));
+	}
+
+	return offsets.at(val_idx);
 }
 
-uint32_t sinsp_with_test_input::get_field_offset_start(sinsp_evt* evt,
+uint32_t sinsp_with_test_input::get_value_offset_start(sinsp_evt* evt,
                                                        std::string_view field_name,
-                                                       filter_check_list& flist) {
-	return get_field_offsets(evt, field_name, flist).start;
+                                                       filter_check_list& flist,
+                                                       size_t val_idx) {
+	return get_value_offsets(evt, field_name, flist, val_idx).start;
 }
 
-uint32_t sinsp_with_test_input::get_field_offset_length(sinsp_evt* evt,
+uint32_t sinsp_with_test_input::get_value_offset_length(sinsp_evt* evt,
                                                         std::string_view field_name,
-                                                        filter_check_list& flist) {
-	return get_field_offsets(evt, field_name, flist).length;
+                                                        filter_check_list& flist,
+                                                        size_t val_idx) {
+	return get_value_offsets(evt, field_name, flist, val_idx).length;
 }
 
 bool sinsp_with_test_input::eval_filter(sinsp_evt* evt,

userspace/libsinsp/test/sinsp_with_test_input.h

@@ -300,9 +300,18 @@ class sinsp_with_test_input : public ::testing::Test {
 	bool field_has_value(sinsp_evt*, std::string_view field_name, filter_check_list&);
 	std::string get_field_as_string(sinsp_evt*, std::string_view field_name);
 	std::string get_field_as_string(sinsp_evt*, std::string_view field_name, filter_check_list&);
-	extract_offset_t get_field_offsets(sinsp_evt*, std::string_view field_name, filter_check_list&);
-	uint32_t get_field_offset_start(sinsp_evt*, std::string_view field_name, filter_check_list&);
-	uint32_t get_field_offset_length(sinsp_evt*, std::string_view field_name, filter_check_list&);
+	extract_offset_t get_value_offsets(sinsp_evt*,
+	                                   std::string_view field_name,
+	                                   filter_check_list&,
+	                                   size_t val_idx);
+	uint32_t get_value_offset_start(sinsp_evt*,
+	                                std::string_view field_name,
+	                                filter_check_list&,
+	                                size_t val_idx);
+	uint32_t get_value_offset_length(sinsp_evt*,
+	                                 std::string_view field_name,
+	                                 filter_check_list&,
+	                                 size_t val_idx);
 	bool eval_filter(sinsp_evt* evt,
 	                 std::string_view filter_str,
 	                 std::shared_ptr<sinsp_filter_cache_factory> cachef = nullptr);

userspace/plugin/plugin_api.h

@@ -371,9 +371,13 @@ typedef struct ss_plugin_field_extract_input {
 	// Vtable for controlling a state table for read operations.
 	ss_plugin_table_reader_vtable_ext* table_reader_ext;
 
-	// An array of ss_plugin_extract_field_offsets structs. This member
-	// is optional, and might be ignored by extractors.
-	ss_plugin_extract_field_offsets* field_offsets;
+	// An array of ss_plugin_extract_value_offsets structs. The start
+	// and length in each entry should be set to nullptr, and as with
+	// the "fields" member, memory pointers set as output must be
+	// allocated by the plugin and must not be deallocated or modified
+	// until the next extract_fields() call.
+	// This member is optional, and might be ignored by extractors.
+	ss_plugin_extract_value_offsets* value_offsets;
 } ss_plugin_field_extract_input;
 
 // Input passed to the plugin when parsing an event for the event parsing

userspace/plugin/plugin_types.h

@@ -128,19 +128,19 @@ typedef struct ss_plugin_byte_buffer {
 	const void* ptr;
 } ss_plugin_byte_buffer;
 
-// Used in extract_fields_and_offsets to receive field offsets along
-// with field data.
-// Extraction functions might not support offsets. In order to detect
-// this, callers can initialize this to an invalid pair, such as
-// {UINT32_MAX, UINT32_MAX}. Extraction functions that support offsets
-// should be set these to the zero-indexed start offset and length of
-// the field in the event or log data. {0, 0} can be used to indicate
-// that there are no valid offsets, e.g. if the field was generated or
+// Used in extract_fields_and_offsets to receive field value offsets
+// along with field data.
+// Extraction functions that support offsets should be set these to an
+// array of zero-indexed start offsets and lengths of each returned
+// value in the event or log data. {0, 0} can be used to indicate that
+// there are no valid offsets, e.g. if the value was generated or
 // computed from other data.
-typedef struct ss_plugin_extract_field_offsets {
-	uint32_t start;
-	uint32_t length;
-} ss_plugin_extract_field_offsets;
+// Extraction functions might not support offsets. In order to detect
+// this, callers should initialize the start and length to nullptr.
+typedef struct ss_plugin_extract_value_offsets {
+	uint32_t* start;
+	uint32_t* length;
+} ss_plugin_extract_value_offsets;
 
 // Used in extract_fields functions below to receive a field/arg
 // pair and return an extracted value.