Profiling with pprof/allocs showed newAuditBuf() to be allocating more than expected. Also there are a copylock problems:
go vet vql/linux/audit/*go
vql/linux/audit/audit_service.go:177:18:
literal copies lock value from rawBufPool: sync.Pool contains sync.noCopy
go vet utils/refcount.go
utils/refcount.go:15:9:
return copies lock value: command-line-arguments.Refcount
contains sync/atomic.Int32 contains sync/atomic.noCopy
After fixing the copylocks by using pointers, trying to reuse buffers from the pool would cause a panic because the refcount was zero. Fix by resetting the refcount when returning the buffer the pool.
Profiling with pprof/allocs showed newAuditBuf() to be allocating more than expected. Also there are a copylock problems:
go vet vql/linux/audit/*go vql/linux/audit/audit_service.go:177:18: literal copies lock value from rawBufPool: sync.Pool contains sync.noCopy
go vet utils/refcount.go utils/refcount.go:15:9: return copies lock value: command-line-arguments.Refcount contains sync/atomic.Int32 contains sync/atomic.noCopy
After fixing the copylocks by using pointers, trying to reuse buffers from the pool would cause a panic because the refcount was zero. Fix by resetting the refcount when returning the buffer the pool.