fix(userspace/libsinsp): let plugins parse events before eventually filtering them out through inspector global filter

[FedeDP]

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area libsinsp

Does this PR require a change in the driver versions?

What this PR does / why we need it:

Before, it was the sinsp parser that decided if an event was to be filtered out given the inspector global filter.
This led to a problem where the plugins were actually able to parse the event, but then the event was filtered out in any case.
For example, if we had a filter on a plugin field, we evaluated the filter before the plugin parsed the event, but if the plugin field extraction relied on the parsing code to eg: write a value to a foreign key, the filter would always filter out the event.
Eg (leveraging #2179):

sudo ./libsinsp/examples/sinsp-example -p "/home/federico/Work/container/libcontainer.so" -m -f "container_plugin.id!=host"

The container_plugin.id!=host filter would have been evaluated before plugin parsers were called, leading to container_plugin.id being host instead of the real container id for the very first event in a container (ie: the clone).

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[FedeDP]

/milestone 0.20.0
/cc @jasondellaluce

[FedeDP]

Now the parser is only responsible for the big switch case (ie: the actual parsing).

[FedeDP]

All of the code below has been moved to a RAII oriented structure under sinsp.h: struct sinsp_evt_filter.

[FedeDP]

Since it is now called by sinsp, moved to public.

[FedeDP]

Keep old behavior: only process event by sinsp if the event has not been filtered out.

[FedeDP]

For plugins, as stated by the comment, we cannot know in advance if an event will modify its state; therefore always call the plugin parsers.

[github-actions]

Perf diff from master - unit tests

     6.02%     +2.14%  [.] sinsp::next
     4.90%     +1.37%  [.] sinsp_evt::get_type
     3.53%     -0.94%  [.] sinsp_thread_manager::get_thread_ref
     3.33%     -0.85%  [.] sinsp_parser::process_event
     2.58%     -0.85%  [.] sinsp::fetch_next_event
     0.63%     +0.67%  [.] libsinsp::state::stl_container_table_adapter<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, libsinsp::state::value_table_entry_adapter<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, libsinsp::state::value_table_entry_adapter<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::dynamic_fields_t>::stl_container_table_adapter
     3.64%     -0.67%  [.] sinsp_thread_manager::find_thread
     0.63%     +0.48%  [.] sinsp_evt::get_direction
     1.76%     -0.44%  [.] 0x00000000000eb3b0
     1.63%     +0.42%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release

Heap diff from master - unit tests

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            -0.0342         -0.0342           152           146           152           146
BM_sinsp_split_median                                          -0.0349         -0.0349           152           147           152           147
BM_sinsp_split_stddev                                          -0.6196         -0.6201             2             1             2             1
BM_sinsp_split_cv                                              -0.6062         -0.6067             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  -0.0485         -0.0485            60            57            60            57
BM_sinsp_concatenate_paths_relative_path_median                -0.0477         -0.0477            60            57            60            57
BM_sinsp_concatenate_paths_relative_path_stddev                +0.2594         +0.2574             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_cv                    +0.3235         +0.3214             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     -0.0150         -0.0150            25            25            25            25
BM_sinsp_concatenate_paths_empty_path_median                   -0.0147         -0.0147            25            25            25            25
BM_sinsp_concatenate_paths_empty_path_stddev                   -0.0661         -0.0664             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       -0.0518         -0.0522             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  -0.1200         -0.1200            64            56            64            56
BM_sinsp_concatenate_paths_absolute_path_median                -0.1195         -0.1195            63            56            63            56
BM_sinsp_concatenate_paths_absolute_path_stddev                -0.0001         -0.0003             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_cv                    +0.1364         +0.1360             0             0             0             0
BM_sinsp_split_container_image_mean                            +0.0073         +0.0073           389           392           389           392
BM_sinsp_split_container_image_median                          +0.0091         +0.0091           389           392           389           392
BM_sinsp_split_container_image_stddev                          +0.1052         +0.1051             3             4             3             4
BM_sinsp_split_container_image_cv                              +0.0973         +0.0971             0             0             0             0

[codecov]

Codecov Report

Attention: Patch coverage is 87.80488% with 5 lines in your changes missing coverage. Please review.

Project coverage is 75.17%. Comparing base (556d868) to head (b162571).
Report is 3 commits behind head on master.

Files with missing lines	Patch %	Lines
userspace/libsinsp/sinsp.cpp	87.50%	5 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2182   +/-   ##
=======================================
  Coverage   75.16%   75.17%           
=======================================
  Files         257      257           
  Lines       33711    33723   +12     
  Branches     5744     5743    -1     
=======================================
+ Hits        25339    25350   +11     
- Misses       8372     8373    +1     

Flag	Coverage Δ
libsinsp	75.17% <87.80%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Andreagit97]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,FedeDP]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment