cleanup(sinsp): create new methods to handle syscall return values

test/libsinsp_e2e/forking.cpp

@@ -734,13 +734,13 @@ TEST_F(sys_call_test, forking_main_thread_exit) {
 		if(param.m_evt->get_type() == PPME_SYSCALL_OPEN_X) {
 			if(param.m_evt->get_param_value_str("name") == "/etc/passwd") {
 				EXPECT_EQ("<f>/etc/passwd", param.m_evt->get_param_value_str("fd"));
-				fd = param.m_evt->get_param(0)->as<int64_t>();
+				fd = param.m_evt->get_syscall_return_value();
 				++callnum;
 			}
 		} else if(param.m_evt->get_type() == PPME_SYSCALL_OPENAT_2_X) {
 			if(param.m_evt->get_param_value_str("name") == "/etc/passwd") {
 				EXPECT_EQ("<f>/etc/passwd", param.m_evt->get_param_value_str("fd"));
-				fd = param.m_evt->get_param(0)->as<int64_t>();
+				fd = param.m_evt->get_syscall_return_value();
 				++callnum;
 			}
 		} else if(param.m_evt->get_type() == PPME_PROCEXIT_1_E && param.m_evt->get_tid() == cpid) {

userspace/libscap/scap.h

@@ -855,6 +855,7 @@ int32_t scap_event_encode_params_v(struct scap_sized_buffer event_buf,
                                    ppm_event_code event_type,
                                    uint32_t n,
                                    va_list args);
+uint8_t scap_get_size_bytes_from_type(enum ppm_param_type t);
 
 /*@}*/
 

userspace/libscap/scap_event.c

@@ -355,3 +355,57 @@ int32_t scap_event_encode_params_v(const struct scap_sized_buffer event_buf,
 
 	return SCAP_SUCCESS;
 }
+
+uint8_t scap_get_size_bytes_from_type(enum ppm_param_type t) {
+	switch(t) {
+	case PT_INT8:
+	case PT_UINT8:
+	case PT_FLAGS8:
+	case PT_ENUMFLAGS8:
+		return 1;
+
+	case PT_INT16:
+	case PT_UINT16:
+	case PT_FLAGS16:
+	case PT_ENUMFLAGS16:
+	case PT_SYSCALLID:
+		return 2;
+
+	case PT_INT32:
+	case PT_UINT32:
+	case PT_FLAGS32:
+	case PT_ENUMFLAGS32:
+	case PT_UID:
+	case PT_GID:
+	case PT_MODE:
+		return 4;
+
+	case PT_INT64:
+	case PT_UINT64:
+	case PT_RELTIME:
+	case PT_ABSTIME:
+	case PT_ERRNO:
+	case PT_FD:
+	case PT_PID:
+		return 8;
+
+	case PT_BYTEBUF:
+	case PT_CHARBUF:
+	case PT_SOCKADDR:
+	case PT_SOCKTUPLE:
+	case PT_FDLIST:
+	case PT_FSPATH:
+	case PT_CHARBUFARRAY:
+	case PT_CHARBUF_PAIR_ARRAY:
+	case PT_FSRELPATH:
+	case PT_DYN:
+		return 0;
+
+	default:
+		// We forgot to handle something
+		ASSERT(false);
+		break;
+	}
+	ASSERT(false);
+	return 0;
+}

userspace/libsinsp/event.h

@@ -719,6 +719,48 @@
 		}
 	}
 
+	inline bool is_syscall_event() const { return get_info()->category & EC_SYSCALL; }
+
+	inline bool has_return_value() {
+		// The event has a return value:
+		// * if it is a syscall event and it is an exit event.
+		if(is_syscall_event() && PPME_IS_EXIT(get_type())) {
+			return true;
+		}
+
+		return false;
+	}
+
+	inline int64_t get_syscall_return_value() {
+		if(!has_return_value()) {
+			throw sinsp_exception(
+			        "Called get_syscall_return_value() on an event that does not have a return "
+			        "value. "
+			        "Event type: " +
+			        std::to_string(get_type()));
+		}
+
+		// The return value is always the first parameter of the syscall event
+		// It could have different names depending on the event type `res`,`fd`, etc.
+		const sinsp_evt_param* p = get_param(0);
+		if(p == NULL) {
+			// We should always have the return value in the syscall
+			ASSERT(false);
+			return 0;
+		}
+
+		// the only return values should be on 32 or 64 bits
+		switch(scap_get_size_bytes_from_type(p->get_info()->type)) {
+		case 4:
+			return (int64_t)p->as<int32_t>();
+		case 8:
+			return p->as<int64_t>();
+		default:
+			ASSERT(false);
+			return 0;
+		}
+	}
+
 private:
 	sinsp* m_inspector;
 	scap_evt* m_pevt;