chore(events): parseSyscall with no lock

Bypass the lock contention accessing the read-only map directly.

pkg/events/parse_args_bench_test.go

@@ -1,6 +1,7 @@
 package events
 
 import (
+	"sync"
 	"testing"
 
 	"github.com/aquasecurity/tracee/types/trace"
@@ -297,3 +298,20 @@ func BenchmarkParseArgs_Uintptr(b *testing.B) {
 		}
 	}
 }
+
+func Benchmark_parseSyscall(b *testing.B) {
+	for n := 0; n < b.N; n++ {
+		wg := sync.WaitGroup{}
+		wg.Add(10)
+
+		for i := 0; i < 10; i++ {
+			syscallArg := &trace.Argument{ArgMeta: trace.ArgMeta{Name: "syscall"}, Value: int32(0)}
+			go func() {
+				defer wg.Done()
+				parseSyscall(syscallArg, 0)
+			}()
+		}
+
+		wg.Wait()
+	}
+}

pkg/events/parse_args_helpers.go

@@ -68,13 +68,19 @@ func parseMemProtAlert(arg *trace.Argument, alert uint32) {
 }
 
 func parseSyscall(arg *trace.Argument, id int32) {
-	if Core.IsDefined(ID(id)) {
-		eventDefinition := Core.GetDefinitionByID(ID(id))
-		if eventDefinition.IsSyscall() {
-			arg.Value = eventDefinition.GetName()
-			arg.Type = "string"
-		}
+	// Bypass the lock contention accessing the read-only map directly, avoiding
+	// locking the map for reading.
+	//
+	// NOTE: This might cause data races in the future if the map is modified.
+	// One solution to keep better CPU time is to segregate the map into two maps:
+	// one for proper core (read-only) events and another for the dynamic events.
+	def, ok := CoreEvents[ID(id)]
+	if !ok || !def.IsSyscall() {
+		return
 	}
+
+	arg.Type = "string"
+	arg.Value = def.GetName()
 }
 
 func parsePtraceRequestArgument(arg *trace.Argument, req uint64) {