auditor

An aarch64 constant-time memory access auditing tool.
git clone git://git.ppad.tech/auditor.git

commit 193e20530319c6eba1f81ea7ee1f5f023b885881
parent 6ae7b16a191faf0b0da81403533ecffef84c99be
Author: Jared Tobin <jared@jtobin.io>
Date:   Fri, 13 Feb 2026 08:52:30 +0400

feat: hide GHC runtime findings by default in NCT scan

Add --show-ghc-runtime flag to display GHC runtime patterns in NCT
scan output. By default, only non-runtime findings are shown for
cleaner output focused on user code.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Diffstat:
Mapp/Main.hs | 51++++++++++++++++++++++++++++++---------------------
1 file changed, 30 insertions(+), 21 deletions(-)

diff --git a/app/Main.hs b/app/Main.hs
@@ -32,6 +32,7 @@ data Options = Options
 , optDisplayUnknown :: !Bool
 , optScanNct :: !Bool
 , optNctDetail :: !Bool
+ , optShowGhcRuntime :: !Bool
 } deriving (Eq, Show)
 optParser :: Parser Options
@@ -80,6 +81,10 @@ optParser = Options
 ( long "nct-detail"
 <> help "Show per-instruction details in NCT scan mode"
 )
+ <*> switch
+ ( long "show-ghc-runtime"
+ <> help "Show GHC runtime patterns in NCT scan (hidden by default)"
+ )
 optInfo :: ParserInfo Options
 optInfo = info (optParser <**> helper)
@@ -170,15 +175,17 @@ outputText opts ar = do
 -- | Output NCT scan results.
 outputNct :: Options -> LineMap -> Map.Map Text [NctFinding] -> IO ()
 outputNct opts lineMap findings = do
- let syms = Map.toList findings
- -- Count only non-GHC-runtime findings
- countReal = length . filter (not . isGhcRuntimeFinding lineMap)
- -- Filter to symbols with at least one real finding
- realSyms = filter ((> 0) . countReal . snd) syms
- total = sum (map (countReal . snd) realSyms)
+ let showGhc = optShowGhcRuntime opts
+ isReal = not . isGhcRuntimeFinding lineMap
+ -- Filter findings per symbol
+ filterFindings = if showGhc then id else filter isReal
+ syms = [(sym, filterFindings fs) | (sym, fs) <- Map.toList findings]
+ -- Filter to symbols with at least one finding
+ realSyms = filter (not . null . snd) syms
+ total = sum (map (length . snd) realSyms)
 if optNctDetail opts
- then mapM_ (printNctDetail lineMap) realSyms
- else mapM_ (printNctSummary lineMap) realSyms
+ then mapM_ (printNctDetail showGhc lineMap) realSyms
+ else mapM_ (printNctSummary showGhc lineMap) realSyms
 if optQuiet opts
 then pure ()
 else do
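Review bot: In `outputNct`, `total` is now computed from the filtered lists, so with `--show-ghc-runtime` it also counts GHC runtime findings; if the exit status is derived from `total` (the condition lies outside this hunk, only `then exitSuccess else exitFailure` is visible in the next one), a display flag changes the pass/fail result of the audit. Keeping the count independent of display would avoid that, e.g. `total = sum (map (length . filter isReal . snd) realSyms)`. In the default mode every finding that `isGhcRuntimeFinding` classifies as runtime is dropped with no trace in the output, so a user-code finding that is misclassified is silently hidden; printing the number of suppressed findings in the non-quiet summary would keep that visible. The body of `outputNct` continues past the end of the hunk.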
@@ -189,31 +196,33 @@ outputNct opts lineMap findings = do
 then exitSuccess
 else exitFailure
-printNctSummary :: LineMap -> (Text, [NctFinding]) -> IO ()
-printNctSummary lineMap (sym, fs) = do
- let realCount = length (filter (not . isGhcRuntimeFinding lineMap) fs)
- TIO.putStrLn $ sym <> ": " <> T.pack (show realCount)
- mapM_ (printFindingIndented lineMap) fs
+printNctSummary :: Bool -> LineMap -> (Text, [NctFinding]) -> IO ()
+printNctSummary showGhc lineMap (sym, fs) = do
+ TIO.putStrLn $ sym <> ": " <> T.pack (show (length fs))
+ mapM_ (printFindingIndented showGhc lineMap) fs
-printFindingIndented :: LineMap -> NctFinding -> IO ()
-printFindingIndented lineMap f =
+printFindingIndented :: Bool -> LineMap -> NctFinding -> IO ()
+printFindingIndented showGhc lineMap f =
 let isGhc = isGhcRuntimeFinding lineMap f
 content = T.pack (show (nctLine f)) <> ": " <> nctReasonText (nctReason f) <> ": " <> instrText (nctInstr f)
- line = if isGhc
+ line = if showGhc && isGhc
 then " (ghc runtime) " <> content
 else " " <> content
 in TIO.putStrLn line
-printNctDetail :: LineMap -> (Text, [NctFinding]) -> IO ()
-printNctDetail lineMap (sym, fs) = mapM_ (printFinding lineMap sym) fs
+printNctDetail :: Bool -> LineMap -> (Text, [NctFinding]) -> IO ()
+printNctDetail showGhc lineMap (sym, fs) =
+ mapM_ (printFinding showGhc lineMap sym) fs
-printFinding :: LineMap -> Text -> NctFinding -> IO ()
-printFinding lineMap sym f =
+printFinding :: Bool -> LineMap -> Text -> NctFinding -> IO ()
+printFinding showGhc lineMap sym f =
 let isGhc = isGhcRuntimeFinding lineMap f
 content = sym <> ":" <> T.pack (show (nctLine f)) <> ": " <> nctReasonText (nctReason f) <> ": " <> instrText (nctInstr f)
- line = if isGhc then "(ghc runtime) " <> content else content
+ line = if showGhc && isGhc
+ then "(ghc runtime) " <> content
+ else content
 in TIO.putStrLn line
 nctReasonText :: NctReason -> Text
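Review bot: The `showGhc` argument threaded through `printNctSummary`, `printFindingIndented`, `printNctDetail` and `printFinding` looks redundant, because `outputNct` already removes runtime findings when the flag is off, so `isGhc` can only be true when `showGhc` is and `if isGhc` alone would print the same lines. Dropping the parameter keeps the filtering decision in one place and avoids a bare `Bool` in four signatures. If it stays, a Haddock line on each function should say what it controls, e.g. `-- | Print one finding; runtime findings are tagged only when the flag is True.` Callers other than `outputNct` are not visible in this diff, so confirm that none of them passes an unfiltered list before simplifying.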