From 4a206d3dcabbab801d8e47b2fef185e72b81220d Mon Sep 17 00:00:00 2001
From: Tom Yu <yyuuttaaoo@gmail.com>
Date: Wed, 26 Feb 2025 08:42:36 +0000
Subject: [PATCH] fix argument parse and assign in ProcessCache

---
 core/common/ProcParser.cpp                    |  37 +--
 core/common/ProcParser.h                      |   4 +-
 core/common/StringTools.h                     | 103 +++++-
 core/ebpf/driver/EbpfDriver.cpp               |   3 +
 core/ebpf/driver/FileFilter.cpp               |   3 +
 core/ebpf/driver/FileFilter.h                 |   3 +
 core/ebpf/driver/eBPFWrapper.h                |   1 -
 core/ebpf/eBPFServer.cpp                      |  37 ++-
 core/ebpf/eBPFServer.h                        |   4 +-
 core/ebpf/plugin/AbstractManager.cpp          |   7 +-
 core/ebpf/plugin/AbstractManager.h            |  15 +-
 core/ebpf/plugin/ProcessCacheManager.cpp      | 311 ++++++++++--------
 core/ebpf/plugin/ProcessCacheManager.h        |   6 +-
 .../file_security/FileSecurityManager.cpp     |   8 +-
 .../NetworkSecurityManager.cpp                |   8 +-
 .../ProcessSecurityManager.cpp                |  24 +-
 .../process_security/ProcessSecurityManager.h |   2 +-
 core/ebpf/type/ProcessEvent.h                 |   2 +-
 core/unittest/ebpf/AggregatorUnittest.cpp     |  20 +-
 core/unittest/ebpf/ConsumerUnittest.cpp       |  10 +-
 core/unittest/ebpf/IdAllocatorUnittest.cpp    |   2 +-
 core/unittest/ebpf/ManagerUnittest.cpp        | 109 +++---
 .../unittest/ebpf/NetworkObserverUnittest.cpp |   8 +-
 core/unittest/ebpf/eBPFDriverUnittest.cpp     |  24 +-
 core/unittest/ebpf/eBPFServerUnittest.cpp     |   6 -
 core/unittest/ebpf/eBPFWrapperUnittest.cpp    |  23 +-
 .../input/InputFileSecurityUnittest.cpp       |   8 +-
 .../input/InputNetworkSecurityUnittest.cpp    |  14 +-
 .../input/InputProcessSecurityUnittest.cpp    |   2 +-
 core/unittest/models/ArrayViewUnittest.cpp    |  14 +-
 30 files changed, 481 insertions(+), 337 deletions(-)

diff --git a/core/common/ProcParser.cpp b/core/common/ProcParser.cpp
index c55a0c7530..bbbcdf3077 100644
--- a/core/common/ProcParser.cpp
+++ b/core/common/ProcParser.cpp
@@ -77,44 +77,33 @@ std::string ProcParser::ReadPIDLink(uint32_t pid, const std::string& filename) c
     return netStr;
 }
 
-std::string ProcParser::ReadPIDFile(uint32_t pid, const std::string& filename, const std::string& delimiter) const {
+std::string ProcParser::ReadPIDFile(uint32_t pid, const std::string& filename) const {
     std::filesystem::path fpath = mProcPath / std::to_string(pid) / filename;
     std::ifstream ifs(fpath);
     if (!ifs) {
         return "";
     }
-    std::string line;
-    size_t fileSize = ifs.tellg();
-    std::string res;
-    res.reserve(fileSize << 1);
-    while (std::getline(ifs, line)) {
-        if (delimiter == "") {
-            res += line;
-        } else {
-            res += delimiter + line;
+    try {
+        std::string res((std::istreambuf_iterator<char>(ifs)), std::istreambuf_iterator<char>());
+        if (!res.empty() && res[res.size() - 1] == 0) {
+            res.pop_back();
         }
+        return res;
+    } catch (const std::ios_base::failure& e) {
     }
-    // Strip out extra null character at the end of the string.
-    if (!res.empty() && res[res.size() - 1] == 0) {
-        res.pop_back();
-    }
-    // Replace all nulls with spaces. Sometimes the command line has
-    // null to separate arguments and others it has spaces. We just make them all spaces
-    // and leave it to upstream code to tokenize properly.
-    std::replace(res.begin(), res.end(), static_cast<char>(0), ' ');
-    return res;
+    return "";
 }
 
 std::string ProcParser::GetPIDCmdline(uint32_t pid) const {
-    return ReadPIDFile(pid, "cmdline", "");
+    return ReadPIDFile(pid, "cmdline");
 }
 
 std::string ProcParser::GetPIDComm(uint32_t pid) const {
-    return ReadPIDFile(pid, "comm", "");
+    return ReadPIDFile(pid, "comm");
 }
 
 std::string ProcParser::GetPIDEnviron(uint32_t pid) const {
-    return ReadPIDFile(pid, "environ", "");
+    return ReadPIDFile(pid, "environ");
 }
 
 std::tuple<std::string, int> ProcParser::ProcsContainerIdOffset(const std::string& subdir) const {
@@ -183,7 +172,7 @@ std::tuple<std::string, int> ProcParser::ProcsFindDockerId(const std::string& cg
 }
 
 std::string ProcParser::GetPIDDockerId(uint32_t pid) const {
-    std::string cgroups = ReadPIDFile(pid, "cgroup", "\n");
+    std::string cgroups = ReadPIDFile(pid, "cgroup");
     auto [dockerId, offset] = ProcsFindDockerId(cgroups);
     LOG_DEBUG(sLogger, ("[GetPIDDockerId] failed, pid:", pid)("containerid", dockerId));
     return dockerId;
@@ -402,7 +391,7 @@ int ProcParser::FillStatus(uint32_t pid, Status& status) const {
 
 int ProcParser::FillLoginUid(uint32_t pid, Status& status) const {
     try {
-        std::string loginUid = ReadPIDFile(pid, "loginuid", "");
+        std::string loginUid = ReadPIDFile(pid, "loginuid");
         status.loginUid = loginUid;
     } catch (std::runtime_error& error) {
         return -1;
diff --git a/core/common/ProcParser.h b/core/common/ProcParser.h
index d760933868..91ff8585a7 100644
--- a/core/common/ProcParser.h
+++ b/core/common/ProcParser.h
@@ -24,7 +24,7 @@
 
 namespace logtail {
 
-// TODO use bpf...
+// TODO use definations in bpf_process_event_type.h
 #define DOCKER_ID_LENGTH 128
 
 enum class ApiEventFlag : uint32_t {
@@ -121,7 +121,7 @@ class ProcParser {
     std::filesystem::path ProcPidPath(uint32_t pid, const std::string& subpath) const;
     int FillStatus(uint32_t pid, Status& status) const;
     int FillLoginUid(uint32_t pid, Status& status) const;
-    std::string ReadPIDFile(uint32_t pid, const std::string& filename, const std::string& delimiter) const;
+    std::string ReadPIDFile(uint32_t pid, const std::string& filename) const;
     std::string ReadPIDLink(uint32_t pid, const std::string& filename) const;
     std::tuple<std::string, int> ProcsFindDockerId(const std::string& cgroups) const;
     std::vector<std::string> split(const std::string& str, char delimiter) const;
diff --git a/core/common/StringTools.h b/core/common/StringTools.h
index a284e48bfa..a7da8e9994 100644
--- a/core/common/StringTools.h
+++ b/core/common/StringTools.h
@@ -16,12 +16,14 @@
 
 #pragma once
 #include <algorithm>
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-local-typedefs"
+#include <boost/lexical_cast.hpp>
+#pragma GCC diagnostic pop
+#include <boost/regex.hpp>
 #include <string>
 #include <vector>
 
-#include "boost/lexical_cast.hpp"
-#include "boost/regex.hpp"
-
 #include "models/StringView.h"
 
 namespace logtail {
@@ -153,4 +155,99 @@ void RemoveFilePathTrailingSlash(std::string& path);
 int fnmatch(const char* pattern, const char* dirPath, int flag);
 #endif
 
+// trim from start (returns a new string_view)
+static inline std::string_view Ltrim(std::string_view s, const std::string_view blank = " \t\n\r\f\v") {
+    s.remove_prefix(std::min(s.find_first_not_of(blank), s.size()));
+    return s;
+}
+
+// trim from end (returns a new string_view)
+static inline std::string_view Rtrim(std::string_view s, const std::string_view blank = " \t\n\r\f\v") {
+    s.remove_suffix(std::min(s.size() - s.find_last_not_of(blank) - 1, s.size()));
+    return s;
+}
+
+// trim from both ends (returns a new string_view)
+static inline std::string_view Trim(std::string_view s) {
+    return Ltrim(Rtrim(s));
+}
+
+class StringViewSplitterIterator {
+public:
+    using iterator_category = std::forward_iterator_tag;
+    using value_type = std::string_view;
+    using difference_type = std::ptrdiff_t;
+    using pointer = value_type*;
+    using reference = value_type&;
+
+    StringViewSplitterIterator() = default;
+
+    StringViewSplitterIterator(std::string_view str, std::string_view delimiter)
+        : mStr(str), mDelimiter(delimiter), mPos(0) {
+        findNext();
+    }
+
+    value_type operator*() { return mField; }
+
+    pointer operator->() { return &mField; }
+
+    StringViewSplitterIterator& operator++() {
+        findNext();
+        return *this;
+    }
+
+    StringViewSplitterIterator operator++(int) {
+        StringViewSplitterIterator tmp = *this;
+        ++(*this);
+        return tmp;
+    }
+
+    friend bool operator==(const StringViewSplitterIterator& a, const StringViewSplitterIterator& b) {
+        return a.mPos == b.mPos;
+    }
+
+    friend bool operator!=(const StringViewSplitterIterator& a, const StringViewSplitterIterator& b) {
+        return !(a == b);
+    }
+
+private:
+    void findNext() {
+        if (mPos == std::string_view::npos) {
+            mField = {};
+            return;
+        }
+
+        auto end = mStr.find(mDelimiter, mPos);
+        if (end == std::string_view::npos) {
+            mField = mStr.substr(mPos);
+            mPos = std::string_view::npos;
+        } else {
+            mField = mStr.substr(mPos, end - mPos);
+            mPos = end + mDelimiter.size();
+        }
+    }
+
+    std::string_view mStr;
+    std::string_view mDelimiter;
+    std::string_view mField;
+    size_t mPos = std::string_view::npos;
+};
+
+class StringViewSplitter {
+public:
+    using value_type = std::string_view;
+    using iterator = StringViewSplitterIterator;
+
+    StringViewSplitter(std::string_view str, std::string_view delimiter) : mStr(str), mDelimiter(delimiter) {}
+
+    iterator begin() const { return iterator(mStr, mDelimiter); }
+
+    iterator end() const { return iterator(); }
+
+private:
+    std::string_view mStr;
+    std::string_view mDelimiter;
+};
+
+
 } // namespace logtail
diff --git a/core/ebpf/driver/EbpfDriver.cpp b/core/ebpf/driver/EbpfDriver.cpp
index 7285414359..f55b98b6e2 100644
--- a/core/ebpf/driver/EbpfDriver.cpp
+++ b/core/ebpf/driver/EbpfDriver.cpp
@@ -13,7 +13,10 @@
 // limitations under the License.
 
 
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
 #include <coolbpf/security.skel.h>
+#pragma GCC diagnostic pop
 
 #include "ebpf/include/export.h"
 
diff --git a/core/ebpf/driver/FileFilter.cpp b/core/ebpf/driver/FileFilter.cpp
index 7a52001052..ca101e0a65 100644
--- a/core/ebpf/driver/FileFilter.cpp
+++ b/core/ebpf/driver/FileFilter.cpp
@@ -17,7 +17,10 @@ extern "C" {
 #include <coolbpf/coolbpf.h>
 };
 
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
 #include <coolbpf/security.skel.h>
+#pragma GCC diagnostic pop
 #include <unistd.h>
 
 #include <string>
diff --git a/core/ebpf/driver/FileFilter.h b/core/ebpf/driver/FileFilter.h
index 4b2e4a7994..bcd70e71fb 100644
--- a/core/ebpf/driver/FileFilter.h
+++ b/core/ebpf/driver/FileFilter.h
@@ -17,7 +17,10 @@
 extern "C" {
 #include <bpf/libbpf.h>
 #include <coolbpf/coolbpf.h>
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
 #include <coolbpf/security.skel.h>
+#pragma GCC diagnostic pop
 };
 
 #include <unistd.h>
diff --git a/core/ebpf/driver/eBPFWrapper.h b/core/ebpf/driver/eBPFWrapper.h
index 731ba23309..daefecc364 100644
--- a/core/ebpf/driver/eBPFWrapper.h
+++ b/core/ebpf/driver/eBPFWrapper.h
@@ -15,7 +15,6 @@
 #pragma once
 
 extern "C" {
-
 #include <bpf/libbpf.h>
 #include <coolbpf/coolbpf.h>
 };
diff --git a/core/ebpf/eBPFServer.cpp b/core/ebpf/eBPFServer.cpp
index 54dc2acb69..c551c82713 100644
--- a/core/ebpf/eBPFServer.cpp
+++ b/core/ebpf/eBPFServer.cpp
@@ -192,7 +192,8 @@ void eBPFServer::Init() {
     mSourceManager = std::make_shared<SourceManager>();
     mSourceManager->Init();
 
-    mBaseManager = std::make_shared<ProcessCacheManager>(mSourceManager, mHostName, mHostPathPrefix, mDataEventQueue);
+    mProcessCacheManager
+        = std::make_shared<ProcessCacheManager>(mSourceManager, mHostName, mHostPathPrefix, mDataEventQueue);
     // ebpf config
     auto configJson = AppConfig::GetInstance()->GetConfig();
     mAdminConfig.LoadEbpfConfig(configJson);
@@ -279,8 +280,8 @@ bool eBPFServer::StartPluginInternal(const std::string& pipeline_name,
 
     if (type != PluginType::NETWORK_OBSERVE) {
         LOG_INFO(sLogger, ("hostname", mHostName)("mHostPathPrefix", mHostPathPrefix));
-        auto res = mBaseManager->Init();
-        LOG_INFO(sLogger, ("basemanager init ", res));
+        auto res = mProcessCacheManager->Init();
+        LOG_INFO(sLogger, ("ProcessCacheManager init ", res));
     }
 
     // init self monitor
@@ -296,10 +297,11 @@ bool eBPFServer::StartPluginInternal(const std::string& pipeline_name,
     switch (type) {
         case PluginType::PROCESS_SECURITY: {
             if (!pluginMgr) {
-                pluginMgr = ProcessSecurityManager::Create(mBaseManager, mSourceManager, mDataEventQueue, mScheduler);
+                pluginMgr
+                    = ProcessSecurityManager::Create(mProcessCacheManager, mSourceManager, mDataEventQueue, mScheduler);
                 UpdatePluginManager(type, pluginMgr);
             } else {
-                pluginMgr->UpdateBaseManager(mBaseManager);
+                pluginMgr->UpdateProcessCacheManager(mProcessCacheManager);
             }
             pluginMgr->UpdateContext(ctx, ctx->GetProcessQueueKey(), plugin_index);
             ret = (pluginMgr->Init(options) == 0);
@@ -308,10 +310,11 @@ bool eBPFServer::StartPluginInternal(const std::string& pipeline_name,
 
         case PluginType::NETWORK_OBSERVE: {
             if (!pluginMgr) {
-                pluginMgr = NetworkObserverManager::Create(mBaseManager, mSourceManager, mDataEventQueue, mScheduler);
+                pluginMgr
+                    = NetworkObserverManager::Create(mProcessCacheManager, mSourceManager, mDataEventQueue, mScheduler);
                 UpdatePluginManager(type, pluginMgr);
             } else {
-                pluginMgr->UpdateBaseManager(mBaseManager);
+                pluginMgr->UpdateProcessCacheManager(mProcessCacheManager);
             }
             NetworkObserveConfig nconfig;
             // TODO @qianlu.kk register k8s metadata callback for metric ??
@@ -324,10 +327,11 @@ bool eBPFServer::StartPluginInternal(const std::string& pipeline_name,
 
         case PluginType::NETWORK_SECURITY: {
             if (!pluginMgr) {
-                pluginMgr = NetworkSecurityManager::Create(mBaseManager, mSourceManager, mDataEventQueue, mScheduler);
+                pluginMgr
+                    = NetworkSecurityManager::Create(mProcessCacheManager, mSourceManager, mDataEventQueue, mScheduler);
                 UpdatePluginManager(type, pluginMgr);
             } else {
-                pluginMgr->UpdateBaseManager(mBaseManager);
+                pluginMgr->UpdateProcessCacheManager(mProcessCacheManager);
             }
 
             pluginMgr->UpdateContext(ctx, ctx->GetProcessQueueKey(), plugin_index);
@@ -337,10 +341,11 @@ bool eBPFServer::StartPluginInternal(const std::string& pipeline_name,
 
         case PluginType::FILE_SECURITY: {
             if (!pluginMgr) {
-                pluginMgr = FileSecurityManager::Create(mBaseManager, mSourceManager, mDataEventQueue, mScheduler);
+                pluginMgr
+                    = FileSecurityManager::Create(mProcessCacheManager, mSourceManager, mDataEventQueue, mScheduler);
                 UpdatePluginManager(type, pluginMgr);
             } else {
-                pluginMgr->UpdateBaseManager(mBaseManager);
+                pluginMgr->UpdateProcessCacheManager(mProcessCacheManager);
             }
             pluginMgr->UpdateContext(ctx, ctx->GetProcessQueueKey(), plugin_index);
             ret = (pluginMgr->Init(options) == 0);
@@ -379,7 +384,7 @@ bool eBPFServer::EnablePlugin(const std::string& pipeline_name,
     return StartPluginInternal(pipeline_name, plugin_index, type, ctx, options, mgr);
 }
 
-bool eBPFServer::CheckIfNeedStopBaseManager() const {
+bool eBPFServer::CheckIfNeedStopProcessCacheManager() const {
     std::lock_guard<std::mutex> lk(mMtx);
     auto nsMgr = mPlugins[static_cast<int>(PluginType::NETWORK_SECURITY)];
     auto psMgr = mPlugins[static_cast<int>(PluginType::PROCESS_SECURITY)];
@@ -412,13 +417,13 @@ bool eBPFServer::DisablePlugin(const std::string& pipeline_name, PluginType type
         pluginManager->UpdateContext(nullptr, -1, -1);
         int ret = pluginManager->Destroy();
         if (ret == 0) {
-            pluginManager->UpdateBaseManager(nullptr);
+            pluginManager->UpdateProcessCacheManager(nullptr);
             LOG_DEBUG(sLogger, ("stop plugin for", magic_enum::enum_name(type))("pipeline", pipeline_name));
             if (type == PluginType::NETWORK_SECURITY || type == PluginType::PROCESS_SECURITY
                 || type == PluginType::FILE_SECURITY) {
-                // check if we need stop basemanager
-                if (CheckIfNeedStopBaseManager()) {
-                    mBaseManager->Stop();
+                // check if we need stop ProcessCacheManager
+                if (CheckIfNeedStopProcessCacheManager()) {
+                    mProcessCacheManager->Stop();
                 }
             }
         } else {
diff --git a/core/ebpf/eBPFServer.h b/core/ebpf/eBPFServer.h
index fc996f1dd4..67222b6b3c 100644
--- a/core/ebpf/eBPFServer.h
+++ b/core/ebpf/eBPFServer.h
@@ -91,7 +91,7 @@ class eBPFServer : public InputRunner {
 
     std::string GetAllProjects();
 
-    bool CheckIfNeedStopBaseManager() const;
+    bool CheckIfNeedStopProcessCacheManager() const;
 
     void PollPerfBuffers();
     void HandlerEvents();
@@ -135,7 +135,7 @@ class eBPFServer : public InputRunner {
     CounterPtr mSuspendPluginTotal;
 
     // hold some managers ...
-    std::shared_ptr<ProcessCacheManager> mBaseManager;
+    std::shared_ptr<ProcessCacheManager> mProcessCacheManager;
 
     std::shared_ptr<Timer> mScheduler;
 
diff --git a/core/ebpf/plugin/AbstractManager.cpp b/core/ebpf/plugin/AbstractManager.cpp
index d63df14456..6f924b7caa 100644
--- a/core/ebpf/plugin/AbstractManager.cpp
+++ b/core/ebpf/plugin/AbstractManager.cpp
@@ -27,11 +27,14 @@ const std::string AbstractManager::sEventTypeKey = "event_type";
 const std::string AbstractManager::sKprobeValue = "kprobe";
 
 
-AbstractManager::AbstractManager(std::shared_ptr<ProcessCacheManager> bm,
+AbstractManager::AbstractManager(std::shared_ptr<ProcessCacheManager> processCacheMgr,
                                  std::shared_ptr<SourceManager> sourceManager,
                                  moodycamel::BlockingConcurrentQueue<std::shared_ptr<CommonEvent>>& queue,
                                  std::shared_ptr<Timer> scheduler)
-    : mBaseManager(bm), mSourceManager(sourceManager), mCommonEventQueue(queue), mScheduler(scheduler) {
+    : mProcessCacheManager(processCacheMgr),
+      mSourceManager(sourceManager),
+      mCommonEventQueue(queue),
+      mScheduler(scheduler) {
     mTimeDiff = GetTimeDiffFromMonotonic();
 }
 
diff --git a/core/ebpf/plugin/AbstractManager.h b/core/ebpf/plugin/AbstractManager.h
index 49041b3f07..3efb9855ff 100644
--- a/core/ebpf/plugin/AbstractManager.h
+++ b/core/ebpf/plugin/AbstractManager.h
@@ -114,25 +114,24 @@ class AbstractManager {
         mPluginIndex = index;
     }
 
-    void UpdateBaseManager(std::shared_ptr<ProcessCacheManager> other) {
+    void UpdateProcessCacheManager(std::shared_ptr<ProcessCacheManager> other) {
         WriteLock lk(mBaseMgrLock);
-        mBaseManager = std::move(other);
+        mProcessCacheManager = std::move(other);
     }
 
-    std::shared_ptr<ProcessCacheManager> GetBaseManager() const {
+    std::shared_ptr<ProcessCacheManager> GetProcessCacheManager() const {
         ReadLock lk(mBaseMgrLock);
-        return mBaseManager;
+        return mProcessCacheManager;
     }
 
-    std::atomic<bool> mFlag = false;
-    std::atomic<bool> mSuspendFlag = false;
-
 private:
     mutable ReadWriteLock mMtx;
     mutable ReadWriteLock mBaseMgrLock;
-    std::shared_ptr<ProcessCacheManager> mBaseManager;
+    std::shared_ptr<ProcessCacheManager> mProcessCacheManager;
 
 protected:
+    std::atomic<bool> mFlag = false;
+    std::atomic<bool> mSuspendFlag = false;
     std::shared_ptr<SourceManager> mSourceManager;
     moodycamel::BlockingConcurrentQueue<std::shared_ptr<CommonEvent>>& mCommonEventQueue;
     std::shared_ptr<Timer> mScheduler;
diff --git a/core/ebpf/plugin/ProcessCacheManager.cpp b/core/ebpf/plugin/ProcessCacheManager.cpp
index 0ffae3f85b..2c5b1e0d27 100644
--- a/core/ebpf/plugin/ProcessCacheManager.cpp
+++ b/core/ebpf/plugin/ProcessCacheManager.cpp
@@ -22,16 +22,19 @@
 
 #include <algorithm>
 #include <atomic>
+#include <string_view>
 #include <unordered_map>
 
 #include "rapidjson/document.h"
 #include "rapidjson/stringbuffer.h"
 #include "rapidjson/writer.h"
 
+#include "_thirdparty/coolbpf/src/security/bpf_process_event_type.h"
 #include "common/CapabilityUtil.h"
 #include "common/EncodingUtil.h"
 #include "common/LRUCache.h"
 #include "common/ProcParser.h"
+#include "common/StringTools.h"
 #include "ebpf/type/ProcessEvent.h"
 #include "ebpf/type/table/ProcessTable.h"
 #include "logger/Logger.h"
@@ -42,8 +45,8 @@ namespace ebpf {
 
 /////////// ================= for perfbuffer handlers ================= ///////////
 void HandleKernelProcessEvent(void* ctx, int cpu, void* data, uint32_t data_sz) {
-    auto* bm = static_cast<ProcessCacheManager*>(ctx);
-    if (!bm) {
+    auto* processCacheMgr = static_cast<ProcessCacheManager*>(ctx);
+    if (!processCacheMgr) {
         LOG_ERROR(sLogger, ("ProcessCacheManager is null!", ""));
         return;
     }
@@ -57,24 +60,23 @@ void HandleKernelProcessEvent(void* ctx, int cpu, void* data, uint32_t data_sz)
         case MSG_OP_CLONE: {
             auto* event = static_cast<struct msg_clone_event*>(data);
             // TODO enqueue
-            bm->RecordCloneEvent(event);
+            processCacheMgr->RecordCloneEvent(event);
             break;
         }
         case MSG_OP_EXIT: {
             auto* event = static_cast<struct msg_exit*>(data);
             // TODO set into delete queue ...
-            bm->RecordExitEvent(event);
+            processCacheMgr->RecordExitEvent(event);
             break;
         }
         case MSG_OP_EXECVE: {
-            auto* event_ptr = static_cast<struct msg_execve_event*>(data);
-            bm->RecordExecveEvent(event_ptr);
+            auto* eventPtr = static_cast<struct msg_execve_event*>(data);
+            processCacheMgr->RecordExecveEvent(eventPtr);
             break;
         }
         case MSG_OP_DATA: {
             auto* eventPtr = static_cast<msg_data*>(data);
-            bm->RecordDataEvent(eventPtr);
-            // TODO
+            processCacheMgr->RecordDataEvent(eventPtr);
             break;
         }
         default: {
@@ -166,6 +168,7 @@ void ProcessCacheManager::DataAdd(msg_data* dataPtr) {
     auto size = dataPtr->common.size - offsetof(msg_data, arg);
     if (size <= MSG_DATA_ARG_LEN) {
         // std::vector<uint64_t> key = {dataPtr->id.pid, dataPtr->id.time};
+        std::lock_guard<std::mutex> lk(mDataCacheMutex);
         auto res = mDataCache.find(dataPtr->id);
         if (res != mDataCache.end()) {
             std::string prevData = mDataCache[dataPtr->id];
@@ -183,20 +186,20 @@ void ProcessCacheManager::DataAdd(msg_data* dataPtr) {
         LOG_ERROR(sLogger, ("pid", dataPtr->id.pid)("ktime", dataPtr->id.time)("size limit exceeded", size));
     }
 }
-std::string ProcessCacheManager::DataGet(data_event_desc* desc) {
-    std::vector<uint64_t> key = {desc->id.pid, desc->id.time};
-    auto res = mDataCache.find(desc->id);
-    static std::string sEmpty;
-    if (res == mDataCache.end()) {
-        return sEmpty;
-    }
+std::string ProcessCacheManager::DataGetAndRemove(data_event_desc* desc) {
     std::string data;
-    data.swap(res->second);
-    mDataCache.erase(res);
-
+    {
+        std::lock_guard<std::mutex> lk(mDataCacheMutex);
+        auto res = mDataCache.find(desc->id);
+        if (res == mDataCache.end()) {
+            return data;
+        }
+        data.swap(res->second);
+        mDataCache.erase(res);
+    }
     if (data.size() != desc->size - desc->leftover) {
         LOG_WARNING(sLogger, ("size bad! data size", data.size())("expect", desc->size - desc->leftover));
-        return sEmpty;
+        return data;
     }
 
     return data;
@@ -209,74 +212,41 @@ void ProcessCacheManager::RecordDataEvent(msg_data* eventPtr) {
     DataAdd(eventPtr);
 }
 
-std::tuple<std::string, std::string> ArgsDecoder(const std::string& args, uint32_t flags) {
-    LOG_DEBUG(sLogger, ("args", args)("flags", flags));
-    int hasCWD = 0;
-    std::string cwd;
-    if (((flags & EVENT_NO_CWD_SUPPORT) | (flags & EVENT_ERROR_CWD) | (flags & EVENT_ROOT_CWD)) == 0) {
-        hasCWD = 1;
-    }
-
-    std::vector<std::string> argTokens;
-    std::string item;
-
-    // split with \0
-    for (auto x : args) {
-        if (x == '\0') {
-            if (item.size()) {
-                argTokens.push_back(item);
-                item.clear();
-            }
-        } else {
-            item += x;
-        }
-    }
-    if (item.size()) {
-        argTokens.push_back(item);
-    }
-
-    LOG_DEBUG(sLogger, ("args", args)("flags", flags)("length", argTokens.size())("hasCWD", hasCWD));
-
-    if (flags & EVENT_NO_CWD_SUPPORT) {
-        LOG_DEBUG(sLogger, ("args", args)("flags", flags)("length", argTokens.size())("hasCWD", hasCWD));
-        hasCWD = 1;
-    } else if (flags & EVENT_ERROR_CWD) {
-        LOG_DEBUG(sLogger, ("args", args)("flags", flags)("length", argTokens.size())("hasCWD", hasCWD));
-        cwd = "ERROR";
-        hasCWD = 1;
-    } else if (flags & EVENT_ROOT_CWD) {
-        LOG_DEBUG(sLogger, ("args", args)("flags", flags)("length", argTokens.size())("hasCWD", hasCWD));
-        cwd = "/";
-        hasCWD = 1;
-    } else {
-        LOG_DEBUG(sLogger, ("args", args)("flags", flags)("length", argTokens.size())("hasCWD", hasCWD));
-        if (argTokens.size()) {
-            cwd = argTokens[argTokens.size() - 1];
-        }
-    }
-
-    std::string arguments;
-
-    if (argTokens.empty()) {
-        LOG_DEBUG(sLogger, ("arg", args)("cwd", cwd)("arguments", arguments)("flag", flags));
-        return std::make_tuple(std::move(arguments), std::move(cwd));
-    }
-
-    for (size_t i = 0; i < argTokens.size() - hasCWD; i++) {
-        if (argTokens[i].find(' ') != std::string::npos) {
-            arguments += ("\"" + argTokens[i] + "\"");
+std::string DecodeArgs(std::string_view& rawArgs) {
+    std::string args;
+    if (rawArgs.empty()) {
+        return args;
+    }
+    args.reserve(rawArgs.size() * 2);
+    StringViewSplitter splitter(args, "\0");
+    bool first = true;
+    for (auto field : splitter) {
+        if (first) {
+            first = false;
         } else {
-            if (arguments.empty()) {
-                arguments = argTokens[i];
-            } else {
-                arguments = arguments + " " + argTokens[i];
+            args += " ";
+        }
+        if (field.find(' ') != std::string::npos || field.find('\t') != std::string::npos
+            || field.find('\n') != std::string::npos) {
+            args += "\"";
+            for (char c : field) {
+                if (c == '"' || c == '\\') {
+                    args += '\\'; // Escape the character
+                }
+                if (c == '\n') {
+                    args += "\\n";
+                } else if (c == '\t') {
+                    args += "\\t";
+                } else {
+                    args += c;
+                }
             }
+            args += "\"";
+        } else {
+            args += field;
         }
     }
-
-    LOG_DEBUG(sLogger, ("arg", args)("cwd", cwd)("arguments", arguments)("flag", flags));
-
-    return std::make_tuple(std::move(arguments), std::move(cwd));
+    return args;
 }
 
 void ProcessCacheManager::RecordExecveEvent(msg_execve_event* eventPtr) {
@@ -307,13 +277,14 @@ void ProcessCacheManager::RecordExecveEvent(msg_execve_event* eventPtr) {
     event->process.testCmdline = mProcParser.GetPIDCmdline(event->process.pid);
 #endif
 
-
     // args && filename
-
     // verifier size
-    // constexpr auto argOffset = offsetof(msg_process, args); // 56
+    // SIZEOF_EVENT is the total size of all fixed fields, = offsetof(msg_process, args) = 56
     auto size = eventPtr->process.size - SIZEOF_EVENT; // remain size
-    if (size > PADDED_BUFFER - SIZEOF_EVENT) {
+    if (size > PADDED_BUFFER - SIZEOF_EVENT) { // size exceed args buffer size
+        LOG_ERROR(sLogger,
+                  ("error", "msg exec size larger than argsbuffer")("pid", event->process.pid)("ktime",
+                                                                                               event->process.ktime));
         event->process.args = "enomem enomem";
         event->process.filename = "enomem";
         eventPtr->process.size = SIZEOF_EVENT;
@@ -321,81 +292,135 @@ void ProcessCacheManager::RecordExecveEvent(msg_execve_event* eventPtr) {
         return;
     }
 
-    char* argStart = eventPtr->buffer + SIZEOF_EVENT;
-    // auto args = std::string(eventPtr->buffer + SIZEOF_EVENT, size);
-    if (eventPtr->process.flags & EVENT_DATA_FILENAME) {
+    // executable filename
+    char* buffer = eventPtr->buffer + SIZEOF_EVENT; // equivalent to eventPtr->process.args;
+    if (eventPtr->process.flags & EVENT_DATA_FILENAME) { // filename should be in data cache
         if (size < sizeof(data_event_desc)) {
+            LOG_ERROR(sLogger,
+                      ("EVENT_DATA_FILENAME", "msg exec size less than sizeof(data_event_desc)")(
+                          "pid", event->process.pid)("ktime", event->process.ktime));
             event->process.args = "enomem enomem";
             event->process.filename = "enomem";
             eventPtr->process.size = SIZEOF_EVENT;
             PostHandlerExecveEvent(eventPtr, std::move(event));
             return;
         }
-        auto* desc = reinterpret_cast<data_event_desc*>(argStart);
+        auto* desc = reinterpret_cast<data_event_desc*>(buffer);
         LOG_DEBUG(sLogger,
                   ("EVENT_DATA_FILENAME, size",
                    desc->size)("leftover", desc->leftover)("pid", desc->id.pid)("ktime", desc->id.time));
-        auto data = DataGet(desc);
+        auto data = DataGetAndRemove(desc);
         if (data.empty()) {
-            PostHandlerExecveEvent(eventPtr, std::move(event));
-            return;
+            LOG_WARNING(
+                sLogger,
+                ("EVENT_DATA_FILENAME", "not found in data cache")("pid", desc->id.pid)("ktime", desc->id.time));
         }
         event->process.filename = data;
-        argStart += sizeof(data_event_desc);
+        buffer += sizeof(data_event_desc);
         size -= sizeof(data_event_desc);
-    } else if ((eventPtr->process.flags & EVENT_ERROR_FILENAME) == 0) {
-        // args 中找第一个 \0 的索引 idx
-        for (uint32_t i = 0; i < size; i++) {
-            if (argStart[i] == '\0') {
-                event->process.filename = std::string(argStart, i);
-                argStart += (i + 1);
-                size -= i;
-                break;
-            }
+    } else if ((eventPtr->process.flags & EVENT_ERROR_FILENAME) == 0) { // filename should be in process.args
+        char* nullPos = std::find(buffer, buffer + size, '\0');
+        event->process.filename = std::string(buffer, nullPos - buffer);
+        size -= nullPos - buffer;
+        if (size == 0) { // no tailing \0 found
+            buffer = nullPos;
+        } else {
+            buffer = nullPos + 1; // skip \0
+            --size;
         }
+    } else {
+        LOG_WARNING(
+            sLogger,
+            ("EVENT_DATA_FILENAME", "ebpf get data error")("pid", event->process.pid)("ktime", event->process.ktime));
     }
 
-    // cmd args
-    if (eventPtr->process.flags & EVENT_DATA_ARGS) {
-        auto* desc = reinterpret_cast<data_event_desc*>(argStart);
-        LOG_DEBUG(sLogger,
-                  ("EVENT_DATA_FILENAME, size",
-                   desc->size)("leftover", desc->leftover)("pid", desc->id.pid)("ktime", desc->id.time));
-        auto data = DataGet(desc);
-        if (data.empty()) {
+    // args & cmd
+    std::string data;
+    std::string_view args;
+    std::string_view cwd;
+    if (eventPtr->process.flags & EVENT_DATA_ARGS) { // arguments should be in data cache
+        if (size < sizeof(data_event_desc)) {
+            LOG_ERROR(sLogger,
+                      ("EVENT_DATA_ARGS", "msg exec size less than sizeof(data_event_desc)")("pid", event->process.pid)(
+                          "ktime", event->process.ktime));
+            event->process.args = "enomem enomem";
+            eventPtr->process.size = SIZEOF_EVENT;
             PostHandlerExecveEvent(eventPtr, std::move(event));
             return;
         }
-        // cwd
-        event->process.cwd = std::string(argStart + sizeof(data_event_desc), size - sizeof(data_event_desc));
-        event->process.args.reserve(data.size() + 1 + event->process.cwd.size());
-        event->process.args.assign(data).append("\0").append(event->process.cwd);
+        auto* desc = reinterpret_cast<data_event_desc*>(buffer);
+        LOG_DEBUG(sLogger,
+                  ("EVENT_DATA_ARGS, size", desc->size)("leftover",
+                                                        desc->leftover)("pid", desc->id.pid)("ktime", desc->id.time));
+        data = DataGetAndRemove(desc);
+        if (data.empty()) {
+            LOG_WARNING(sLogger,
+                        ("EVENT_DATA_ARGS", "not found in data cache")("pid", desc->id.pid)("ktime", desc->id.time));
+        }
+        args = data;
+        // the remaining data is cwd
+        cwd = std::string_view(buffer + sizeof(data_event_desc), size - sizeof(data_event_desc));
     } else {
-        event->process.args = std::string(argStart, size);
+        bool hasCwd = false;
+        if (((eventPtr->process.flags & EVENT_NO_CWD_SUPPORT) | (eventPtr->process.flags & EVENT_ERROR_CWD)
+             | (eventPtr->process.flags & EVENT_ROOT_CWD))
+            == 0) {
+            hasCwd = true;
+        }
+        char* nullPos = nullptr;
+        args = std::string_view(buffer, size - 1); // excluding tailing zero
+        if (hasCwd) {
+            // find the last \0 to serapate args and cwd
+            for (int i = size - 1; i >= 0; i--) {
+                if (buffer[i] == '\0') {
+                    nullPos = buffer + i;
+                    break;
+                }
+            }
+            if (nullPos == nullptr) {
+                cwd = std::string_view(buffer, size);
+                args = std::string_view(buffer, 0);
+            } else {
+                cwd = std::string_view(nullPos + 1, size - (nullPos - buffer + 1));
+                args = std::string_view(buffer, nullPos - buffer);
+            }
+        }
+    }
+    // Post handle cwd
+    if (eventPtr->process.flags & EVENT_ROOT_CWD) {
+        event->process.cwd = "/";
+    } else if (eventPtr->process.flags & EVENT_PROCFS) {
+        event->process.cwd = Trim(cwd);
+    } else {
+        event->process.cwd = cwd;
+    }
+    // Post handle args
+    event->process.args = DecodeArgs(args);
+    if (eventPtr->process.flags & EVENT_ERROR_ARGS) {
+        LOG_WARNING(
+            sLogger,
+            ("EVENT_DATA_ARGS", "ebpf get data error")("pid", event->process.pid)("ktime", event->process.ktime));
+    }
+    if (eventPtr->process.flags & EVENT_ERROR_CWD) {
+        LOG_WARNING(
+            sLogger,
+            ("EVENT_DATA_CWD", "ebpf get data error")("pid", event->process.pid)("ktime", event->process.ktime));
+    }
+    if (eventPtr->process.flags & EVENT_ERROR_PATH_COMPONENTS) {
+        LOG_WARNING(sLogger,
+                    ("EVENT_DATA_CWD",
+                     "cwd too long, maybe truncated")("pid", event->process.pid)("ktime", event->process.ktime));
     }
-
     PostHandlerExecveEvent(eventPtr, std::move(event));
 }
 
 void ProcessCacheManager::PostHandlerExecveEvent(msg_execve_event* eventPtr,
                                                  std::unique_ptr<MsgExecveEventUnix>&& event) {
-#ifdef APSARA_UNIT_TEST_MAIN
-    LOG_DEBUG(
-        sLogger,
-        ("before ArgsDecoder", event->process.pid)("ktime", event->process.ktime)("cmdline", event->process.cmdline)(
-            "filename", event->process.filename)("dockerid", event->kube.docker)("raw_args", event->process.args)(
-            "cwd", event->process.cwd)("flag", eventPtr->process.flags)(
-            "procParser.exePath", event->process.testFileName)("procParser.cmdLine", event->process.testCmdline));
-#endif
-
-    auto [args, cwd] = ArgsDecoder(event->process.args, event->process.flags);
-    event->process.args = args;
-    event->process.cwd = cwd;
     // set binary
     if (event->process.filename.size()) {
         if (event->process.filename[0] == '/') {
             event->process.binary = event->process.filename;
-        } else {
+        } else if (!event->process.cwd.empty()) {
             event->process.binary.reserve(event->process.cwd.size() + 1 + event->process.filename.size());
             event->process.binary.assign(event->process.cwd).append("/").append(event->process.filename);
         }
@@ -408,7 +433,11 @@ void ProcessCacheManager::PostHandlerExecveEvent(msg_execve_event* eventPtr,
         sLogger,
         ("begin enqueue pid", event->process.pid)("ktime", event->process.ktime)("cmdline", event->process.cmdline)(
             "filename", event->process.filename)("dockerid", event->kube.docker)("args", event->process.args)(
-            "cwd", event->process.cwd)("flag", eventPtr->process.flags));
+            "cwd", event->process.cwd)("flag", eventPtr->process.flags)
+#ifdef APSARA_UNIT_TEST_MAIN
+            ("procParser.exePath", event->process.testFileName)("procParser.cmdLine", event->process.testCmdline)
+#endif
+    );
 
     mRecordQueue.enqueue(std::move(event));
 
@@ -652,19 +681,21 @@ std::string PrependPath(const std::string& exe, const std::string& cmdline) {
     return res;
 }
 
-
-const uint32_t MSG_UNIX_SIZE = 640;
 int ProcessCacheManager::PushExecveEvent(const std::shared_ptr<Procs>& proc) {
     if (proc == nullptr) {
         return 1;
     }
-    std::string rawArgs = PrependPath(proc->exe, proc->cmdline);
-    std::string rawPargs = PrependPath(proc->pexe, proc->pcmdline);
+    std::string_view rawArgs = proc->cmdline;
+    auto nullPos = rawArgs.find('\0');
+    if (nullPos != std::string::npos) {
+        rawArgs = rawArgs.substr(nullPos + 1);
+    }
+    // std::string rawPargs = PrependPath(proc->pexe, proc->pcmdline);
 
-    auto [args, filename] = mProcParser.ProcsFilename(rawArgs);
-    LOG_DEBUG(sLogger, ("raw_args", rawArgs)("args", args)("filename", filename));
+    auto args = DecodeArgs(rawArgs);
+    LOG_DEBUG(sLogger, ("raw_args", rawArgs)("args", args));
     std::string cwd;
-    uint32_t flags = static_cast<uint32_t>(ApiEventFlag::RootCWD);
+    uint32_t flags = 0U;
 
     std::pair<std::string, uint32_t> cwdRes = mProcParser.GetPIDCWD(proc->pid);
     cwd = cwdRes.first;
@@ -701,7 +732,7 @@ int ProcessCacheManager::PushExecveEvent(const std::shared_ptr<Procs>& proc) {
             LOG_ERROR(sLogger, ("user thread, proc is null", ""));
             return 1;
         }
-        event->msg.common.size = MSG_UNIX_SIZE + proc->psize + proc->size;
+        event->msg.common.size = SIZEOF_EVENT;
 
         if (proc->pid) {
             std::string dockerId = mProcParser.GetPIDDockerId(proc->pid);
diff --git a/core/ebpf/plugin/ProcessCacheManager.h b/core/ebpf/plugin/ProcessCacheManager.h
index d3a49fbbda..f39992fca1 100644
--- a/core/ebpf/plugin/ProcessCacheManager.h
+++ b/core/ebpf/plugin/ProcessCacheManager.h
@@ -83,7 +83,7 @@ class ProcessCacheManager {
     void PollPerfBuffers();
 
     void DataAdd(msg_data* data);
-    std::string DataGet(data_event_desc*);
+    std::string DataGetAndRemove(data_event_desc*);
 
     bool Init();
     void Stop();
@@ -112,7 +112,9 @@ class ProcessCacheManager {
         DataEventIdEqual>;
     lru11::Cache<data_event_id, std::shared_ptr<MsgExecveEventUnix>, std::mutex, ExecveEventMap> mCache;
     using DataEventMap = std::unordered_map<data_event_id, std::string, DataEventIdHash, DataEventIdEqual>;
-    DataEventMap mDataCache;
+
+    std::mutex mDataCacheMutex;
+    DataEventMap mDataCache; // TODO：ebpf中也没区分filename和args，如果两者都超长会导致filename被覆盖为args
 
     // lru11::Cache<std::vector<uint64_t>, std::shared_ptr<std::string>, std::mutex, std::map<std::vector<uint64_t>,
     // std::shared_ptr<std::string>>> mDataCache;
diff --git a/core/ebpf/plugin/file_security/FileSecurityManager.cpp b/core/ebpf/plugin/file_security/FileSecurityManager.cpp
index 7f71ec5e9c..10610dc6eb 100644
--- a/core/ebpf/plugin/file_security/FileSecurityManager.cpp
+++ b/core/ebpf/plugin/file_security/FileSecurityManager.cpp
@@ -124,12 +124,12 @@ bool FileSecurityManager::ConsumeAggregateTree(const std::chrono::steady_clock::
         aggTree.ForEach(node, [&](const FileEventGroup* group) {
             // set process tag
             if (!init) {
-                auto bm = GetBaseManager();
-                if (bm == nullptr) {
-                    LOG_WARNING(sLogger, ("basemanager is null", ""));
+                auto processCacheMgr = GetProcessCacheManager();
+                if (processCacheMgr == nullptr) {
+                    LOG_WARNING(sLogger, ("ProcessCacheManager is null", ""));
                     return;
                 }
-                processTags = bm->FinalizeProcessTags(sourceBuffer, group->mPid, group->mKtime);
+                processTags = processCacheMgr->FinalizeProcessTags(sourceBuffer, group->mPid, group->mKtime);
                 init = true;
             }
             if (processTags.mInner.empty()) {
diff --git a/core/ebpf/plugin/network_security/NetworkSecurityManager.cpp b/core/ebpf/plugin/network_security/NetworkSecurityManager.cpp
index 0d34825a17..2335cba085 100644
--- a/core/ebpf/plugin/network_security/NetworkSecurityManager.cpp
+++ b/core/ebpf/plugin/network_security/NetworkSecurityManager.cpp
@@ -146,14 +146,14 @@ bool NetworkSecurityManager::ConsumeAggregateTree(const std::chrono::steady_cloc
             LOG_DEBUG(sLogger, ("step", "enter for each"));
             // set process tag
             if (!init) {
-                auto bm = GetBaseManager();
-                if (bm == nullptr) {
-                    LOG_WARNING(sLogger, ("basemanager is null", ""));
+                auto processCacheMgr = GetProcessCacheManager();
+                if (processCacheMgr == nullptr) {
+                    LOG_WARNING(sLogger, ("ProcessCacheManager is null", ""));
                     return;
                 }
                 LOG_DEBUG(sLogger,
                           ("step", "before finalize process tags")("pid", group->mPid)("ktime", group->mKtime));
-                processTags = bm->FinalizeProcessTags(sourceBuffer, group->mPid, group->mKtime);
+                processTags = processCacheMgr->FinalizeProcessTags(sourceBuffer, group->mPid, group->mKtime);
                 init = true;
             }
             LOG_DEBUG(sLogger, ("step", "after finalize process tags"));
diff --git a/core/ebpf/plugin/process_security/ProcessSecurityManager.cpp b/core/ebpf/plugin/process_security/ProcessSecurityManager.cpp
index 32bdebf5da..db29b6c04e 100644
--- a/core/ebpf/plugin/process_security/ProcessSecurityManager.cpp
+++ b/core/ebpf/plugin/process_security/ProcessSecurityManager.cpp
@@ -78,12 +78,12 @@ bool ProcessSecurityManager::ConsumeAggregateTree(const std::chrono::steady_cloc
         aggTree.ForEach(node, [&](const ProcessEventGroup* group) {
             SizedMap processTags;
             // represent a process ...
-            auto bm = GetBaseManager();
-            if (bm == nullptr) {
-                LOG_WARNING(sLogger, ("basemanager is null", ""));
+            auto processCacheMgr = GetProcessCacheManager();
+            if (processCacheMgr == nullptr) {
+                LOG_WARNING(sLogger, ("ProcessCacheManager is null", ""));
                 return;
             }
-            processTags = bm->FinalizeProcessTags(sourceBuffer, group->mPid, group->mKtime);
+            processTags = processCacheMgr->FinalizeProcessTags(sourceBuffer, group->mPid, group->mKtime);
             if (processTags.mInner.empty()) {
                 LOG_WARNING(sLogger, ("cannot find tags for pid", group->mPid)("ktime", group->mKtime));
                 return;
@@ -156,13 +156,13 @@ int ProcessSecurityManager::Init(
     mSuspendFlag = false;
 
     mStartUid++;
-    auto bm = GetBaseManager();
-    if (bm == nullptr) {
-        LOG_WARNING(sLogger, ("basemanager is null", ""));
+    auto processCacheMgr = GetProcessCacheManager();
+    if (processCacheMgr == nullptr) {
+        LOG_WARNING(sLogger, ("ProcessCacheManager is null", ""));
         return 1;
     }
 
-    bm->MarkProcessEventFlushStatus(true);
+    processCacheMgr->MarkProcessEventFlushStatus(true);
     std::unique_ptr<AggregateEvent> event = std::make_unique<AggregateEvent>(
         2,
         [this](const std::chrono::steady_clock::time_point& execTime) { // handler
@@ -185,12 +185,12 @@ int ProcessSecurityManager::Init(
 
 int ProcessSecurityManager::Destroy() {
     mFlag = false;
-    auto bm = GetBaseManager();
-    if (bm == nullptr) {
-        LOG_WARNING(sLogger, ("basemanager is null", ""));
+    auto processCacheMgr = GetProcessCacheManager();
+    if (processCacheMgr == nullptr) {
+        LOG_WARNING(sLogger, ("ProcessCacheManager is null", ""));
         return 1;
     }
-    bm->MarkProcessEventFlushStatus(false);
+    processCacheMgr->MarkProcessEventFlushStatus(false);
     return 0;
 }
 
diff --git a/core/ebpf/plugin/process_security/ProcessSecurityManager.h b/core/ebpf/plugin/process_security/ProcessSecurityManager.h
index 4bebccbdcc..7ac98b4ec9 100644
--- a/core/ebpf/plugin/process_security/ProcessSecurityManager.h
+++ b/core/ebpf/plugin/process_security/ProcessSecurityManager.h
@@ -57,7 +57,7 @@ class ProcessSecurityManager : public AbstractManager {
 
     bool ConsumeAggregateTree(const std::chrono::steady_clock::time_point& execTime);
 
-    // process perfbuffer was polled by baseManager ...
+    // process perfbuffer was polled by processCacheManager ...
     int PollPerfBuffer() override { return 0; }
 
     std::unique_ptr<PluginConfig> GeneratePluginConfig(
diff --git a/core/ebpf/type/ProcessEvent.h b/core/ebpf/type/ProcessEvent.h
index f0dd540b44..c55e77f813 100644
--- a/core/ebpf/type/ProcessEvent.h
+++ b/core/ebpf/type/ProcessEvent.h
@@ -78,7 +78,7 @@ struct Procs {
     uint32_t auid;
     uint32_t flags;
     uint64_t ktime;
-    std::string cmdline;
+    std::string cmdline; // \0 separated binary and args
     std::string exe;
     uint64_t effective;
     uint64_t inheritable;
diff --git a/core/unittest/ebpf/AggregatorUnittest.cpp b/core/unittest/ebpf/AggregatorUnittest.cpp
index b40541a850..4031e63955 100644
--- a/core/unittest/ebpf/AggregatorUnittest.cpp
+++ b/core/unittest/ebpf/AggregatorUnittest.cpp
@@ -117,7 +117,6 @@ std::array<size_t, 2> GenerateAggKey(const std::shared_ptr<FileEvent> event) {
     std::array<size_t, 2> hash_result;
     hash_result.fill(0UL);
     std::hash<std::string> hasher;
-    std::hash<uint64_t> hasher0;
 
     hash_result[0] = uint64_t(event->mPid) ^ (event->mKtime >> 32) ^ (event->mKtime << 32);
     // LOG_INFO(sLogger, ("ktime", event->mKtime) ("hash result", hash_result[0]));
@@ -160,7 +159,7 @@ void AggregatorUnittest::TestAggregator() {
     }
 
     auto nodes = mAggregateTree->GetNodesWithAggDepth(1);
-    APSARA_TEST_EQUAL(2, nodes.size());
+    APSARA_TEST_EQUAL(2UL, nodes.size());
 
     int globalNodeCnt = 0;
     int globalEventCnt = 0;
@@ -180,7 +179,7 @@ void AggregatorUnittest::TestAggregator() {
             for (const auto& innerEvent : group->mInnerEvents) {
                 globalEventCnt++;
                 if (innerEvent->mTimestamp == 9) {
-                    APSARA_TEST_EQUAL(group->mPid, 1);
+                    APSARA_TEST_EQUAL(group->mPid, 1U);
                     FileEvent* fe = static_cast<FileEvent*>(innerEvent.get());
                     APSARA_TEST_EQUAL(fe->mPath, "path-2");
                 }
@@ -219,7 +218,6 @@ void AggregatorUnittest::TestAggregator() {
 
 void AggregatorUnittest::TestAggManager() {
     auto now = std::chrono::steady_clock::now();
-    auto nextTime = now + std::chrono::seconds(1);
 
     std::unique_ptr<AggregateEvent> event = std::make_unique<AggregateEvent>(
         1,
@@ -245,10 +243,10 @@ void AggregatorUnittest::TestAggManager() {
     std::this_thread::sleep_for(std::chrono::seconds(4));
     mFlag = false;
     std::this_thread::sleep_for(std::chrono::seconds(3));
-    APSARA_TEST_EQUAL(mVec.size(), 3);
+    APSARA_TEST_EQUAL(mVec.size(), 3UL);
     mFlag = true;
     std::this_thread::sleep_for(std::chrono::seconds(3));
-    APSARA_TEST_EQUAL(mVec.size(), 3);
+    APSARA_TEST_EQUAL(mVec.size(), 3UL);
 }
 
 void AggregatorUnittest::TestBasicAgg() {
@@ -258,11 +256,11 @@ void AggregatorUnittest::TestBasicAgg() {
     Aggregate({"a", "b", "c", "e"}, 4);
     Aggregate({"a", "b", "c"}, 3);
     APSARA_TEST_EQUAL(GetDataNodeCount(), 4);
-    APSARA_TEST_EQUAL(agg->NodeCount(), 4);
+    APSARA_TEST_EQUAL(agg->NodeCount(), 4UL);
     APSARA_TEST_EQUAL(GetSum(), 5);
     agg->Reset();
     APSARA_TEST_EQUAL(GetDataNodeCount(), 0);
-    APSARA_TEST_EQUAL(agg->NodeCount(), 0);
+    APSARA_TEST_EQUAL(agg->NodeCount(), 0UL);
     APSARA_TEST_EQUAL(GetSum(), 0);
 }
 
@@ -273,15 +271,15 @@ void AggregatorUnittest::TestGetAndReset() {
     Aggregate({"a", "b", "c", "e"}, 4);
     Aggregate({"a", "b", "c"}, 3);
     APSARA_TEST_EQUAL(GetDataNodeCount(), 4);
-    APSARA_TEST_EQUAL(agg->NodeCount(), 4);
+    APSARA_TEST_EQUAL(agg->NodeCount(), 4UL);
     APSARA_TEST_EQUAL(GetSum(), 5);
     auto newTree(agg->GetAndReset());
     APSARA_TEST_EQUAL(GetDataNodeCount(), 0);
-    APSARA_TEST_EQUAL(agg->NodeCount(), 0);
+    APSARA_TEST_EQUAL(agg->NodeCount(), 0UL);
     APSARA_TEST_EQUAL(GetSum(), 0);
 
     APSARA_TEST_EQUAL(GetDataNodeCount(newTree), 4);
-    APSARA_TEST_EQUAL(newTree.NodeCount(), 4);
+    APSARA_TEST_EQUAL(newTree.NodeCount(), 4UL);
     APSARA_TEST_EQUAL(GetSum(newTree), 5);
 }
 
diff --git a/core/unittest/ebpf/ConsumerUnittest.cpp b/core/unittest/ebpf/ConsumerUnittest.cpp
index 771082ceb8..e900ca527c 100644
--- a/core/unittest/ebpf/ConsumerUnittest.cpp
+++ b/core/unittest/ebpf/ConsumerUnittest.cpp
@@ -59,7 +59,7 @@ void ConsumerUnittest::BasicFunctionality() {
 
     std::this_thread::sleep_for(std::chrono::milliseconds(200));
     // consumer_.suspend();
-    APSARA_TEST_EQUAL(processed_items_.size(), 3);
+    APSARA_TEST_EQUAL(processed_items_.size(), 3UL);
     APSARA_TEST_EQUAL(processed_items_[0], 1);
     APSARA_TEST_EQUAL(processed_items_[1], 2);
     APSARA_TEST_EQUAL(processed_items_[2], 3);
@@ -68,7 +68,7 @@ void ConsumerUnittest::BasicFunctionality() {
 void ConsumerUnittest::SuspendAndResume() {
     processed_items_.clear();
     // consumer_.resume();
-    APSARA_TEST_EQUAL(processed_items_.size(), 0);
+    APSARA_TEST_EQUAL(processed_items_.size(), 0UL);
     queue_.enqueue(4);
     queue_.enqueue(5);
 
@@ -76,17 +76,17 @@ void ConsumerUnittest::SuspendAndResume() {
     LOG_INFO(sLogger, ("begin to suspend", ""));
     consumer_.suspend();
     LOG_INFO(sLogger, ("after suspend", ""));
-    APSARA_TEST_EQUAL(processed_items_.size(), 2);
+    APSARA_TEST_EQUAL(processed_items_.size(), 2UL);
 
     std::this_thread::sleep_for(std::chrono::milliseconds(200));
     queue_.enqueue(6);
-    APSARA_TEST_EQUAL(processed_items_.size(), 2);
+    APSARA_TEST_EQUAL(processed_items_.size(), 2UL);
 
     LOG_INFO(sLogger, ("begin to resume", ""));
     consumer_.resume();
     LOG_INFO(sLogger, ("after resume", ""));
     std::this_thread::sleep_for(std::chrono::milliseconds(200));
-    APSARA_TEST_EQUAL(processed_items_.size(), 3);
+    APSARA_TEST_EQUAL(processed_items_.size(), 3UL);
     APSARA_TEST_EQUAL(processed_items_[0], 4);
     APSARA_TEST_EQUAL(processed_items_[1], 5);
     APSARA_TEST_EQUAL(processed_items_[2], 6);
diff --git a/core/unittest/ebpf/IdAllocatorUnittest.cpp b/core/unittest/ebpf/IdAllocatorUnittest.cpp
index 26e7408a34..57c05887f8 100644
--- a/core/unittest/ebpf/IdAllocatorUnittest.cpp
+++ b/core/unittest/ebpf/IdAllocatorUnittest.cpp
@@ -43,7 +43,7 @@ void IdAllocatorUnittest::TestMaxId() {
     // add until max
     int maxId = IdAllocator::GetInstance()->GetMaxId<StringPrefixMap>();
     APSARA_TEST_EQUAL(maxId, BPFMapTraits<StringPrefixMap>::outter_max_entries);
-    for (size_t i = 0; i < maxId + 20; i++) {
+    for (int i = 0; i < maxId + 20; i++) {
         int nextIdx = IdAllocator::GetInstance()->GetNextId<StringPrefixMap>();
         if (i >= maxId) {
             APSARA_TEST_EQUAL(nextIdx, -1);
diff --git a/core/unittest/ebpf/ManagerUnittest.cpp b/core/unittest/ebpf/ManagerUnittest.cpp
index 56da8762d2..b3a9684398 100644
--- a/core/unittest/ebpf/ManagerUnittest.cpp
+++ b/core/unittest/ebpf/ManagerUnittest.cpp
@@ -37,7 +37,7 @@ class ManagerUnittest : public ::testing::Test {
 protected:
     void SetUp() override {
         mSourceManager = std::make_shared<SourceManager>();
-        mBaseManager = std::make_shared<ProcessCacheManager>(mSourceManager, "test_host", "/", mEventQueue);
+        mProcessCacheManager = std::make_shared<ProcessCacheManager>(mSourceManager, "test_host", "/", mEventQueue);
         mTimer = std::make_shared<Timer>();
     }
 
@@ -71,22 +71,22 @@ class ManagerUnittest : public ::testing::Test {
     // 测试Manager的错误处理
     void TestManagerErrorHandling();
 
-    // BaseManager测试用例
-    void TestBaseManagerCache();
-    void TestBaseManagerProcessEvents();
-    void TestBaseManagerDataEvents();
-    void TestBaseManagerProcessTags();
-    void TestBaseManagerPerfBuffer();
+    // ProcessCacheManager测试用例
+    void TestProcessCacheManagerCache();
+    void TestProcessCacheManagerProcessEvents();
+    void TestProcessCacheManagerDataEvents();
+    void TestProcessCacheManagerProcessTags();
+    void TestProcessCacheManagerPerfBuffer();
 
 protected:
     std::shared_ptr<SourceManager> mSourceManager;
-    std::shared_ptr<ProcessCacheManager> mBaseManager;
+    std::shared_ptr<ProcessCacheManager> mProcessCacheManager;
     std::shared_ptr<Timer> mTimer;
     moodycamel::BlockingConcurrentQueue<std::shared_ptr<CommonEvent>> mEventQueue;
 };
 
 void ManagerUnittest::TestProcessSecurityManagerBasic() {
-    auto manager = std::make_shared<ProcessSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto manager = std::make_shared<ProcessSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
 
     // 测试初始化
     SecurityOptions options;
@@ -107,7 +107,7 @@ void ManagerUnittest::TestProcessSecurityManagerBasic() {
 }
 
 void ManagerUnittest::TestProcessSecurityManagerEventHandling() {
-    auto manager = std::make_shared<ProcessSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto manager = std::make_shared<ProcessSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
     SecurityOptions options;
     manager->Init(std::variant<SecurityOptions*, ObserverNetworkOption*>(&options));
 
@@ -127,7 +127,7 @@ void ManagerUnittest::TestProcessSecurityManagerEventHandling() {
 }
 
 void ManagerUnittest::TestFileSecurityManagerBasic() {
-    auto manager = std::make_shared<FileSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto manager = std::make_shared<FileSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
 
     // 测试初始化
     SecurityOptions options;
@@ -148,7 +148,7 @@ void ManagerUnittest::TestFileSecurityManagerBasic() {
 }
 
 void ManagerUnittest::TestFileSecurityManagerEventHandling() {
-    auto manager = std::make_shared<FileSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto manager = std::make_shared<FileSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
     SecurityOptions options;
     manager->Init(std::variant<SecurityOptions*, ObserverNetworkOption*>(&options));
 
@@ -180,8 +180,9 @@ void ManagerUnittest::TestFileSecurityManagerEventHandling() {
 }
 
 void ManagerUnittest::TestManagerConcurrency() {
-    auto processManager = std::make_shared<ProcessSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
-    auto fileManager = std::make_shared<FileSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto processManager
+        = std::make_shared<ProcessSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
+    auto fileManager = std::make_shared<FileSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
 
     SecurityOptions options;
     processManager->Init(std::variant<SecurityOptions*, ObserverNetworkOption*>(&options));
@@ -215,7 +216,7 @@ void ManagerUnittest::TestManagerConcurrency() {
 }
 
 void ManagerUnittest::TestManagerErrorHandling() {
-    auto manager = std::make_shared<ProcessSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto manager = std::make_shared<ProcessSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
 
     auto event = std::make_shared<ProcessEvent>(1234, 5678, KernelEventType::PROCESS_EXECVE_EVENT, 0);
     APSARA_TEST_EQUAL(manager->HandleEvent(event), 0);
@@ -232,7 +233,7 @@ void ManagerUnittest::TestManagerErrorHandling() {
 }
 
 
-void ManagerUnittest::TestBaseManagerCache() {
+void ManagerUnittest::TestProcessCacheManagerCache() {
     // 测试缓存操作
     data_event_id key{12345, 1234567890};
     auto execveEvent = std::make_shared<MsgExecveEventUnix>();
@@ -242,11 +243,11 @@ void ManagerUnittest::TestBaseManagerCache() {
     execveEvent->process.binary = "test_binary";
 
     // 测试缓存更新
-    mBaseManager->UpdateCache(key, execveEvent);
-    APSARA_TEST_TRUE(mBaseManager->ContainsKey(key));
+    mProcessCacheManager->UpdateCache(key, execveEvent);
+    APSARA_TEST_TRUE(mProcessCacheManager->ContainsKey(key));
 
     // 测试缓存查找
-    auto cachedEvent = mBaseManager->LookupCache(key);
+    auto cachedEvent = mProcessCacheManager->LookupCache(key);
     APSARA_TEST_TRUE(cachedEvent != nullptr);
     APSARA_TEST_EQUAL(cachedEvent->process.pid, execveEvent->process.pid);
     APSARA_TEST_EQUAL(cachedEvent->process.ktime, execveEvent->process.ktime);
@@ -254,11 +255,11 @@ void ManagerUnittest::TestBaseManagerCache() {
     APSARA_TEST_EQUAL(cachedEvent->process.binary, execveEvent->process.binary);
 
     // 测试缓存释放
-    mBaseManager->ReleaseCache(key);
-    APSARA_TEST_FALSE(mBaseManager->ContainsKey(key));
+    mProcessCacheManager->ReleaseCache(key);
+    APSARA_TEST_FALSE(mProcessCacheManager->ContainsKey(key));
 }
 
-void ManagerUnittest::TestBaseManagerProcessEvents() {
+void ManagerUnittest::TestProcessCacheManagerProcessEvents() {
     // 测试Execve事件处理
     auto execveEvent = std::make_unique<MsgExecveEventUnix>();
     execveEvent->process.pid = 1234;
@@ -269,23 +270,23 @@ void ManagerUnittest::TestBaseManagerProcessEvents() {
     msg_execve_event kernelExecveEvent;
     kernelExecveEvent.process.pid = execveEvent->process.pid;
     kernelExecveEvent.process.ktime = execveEvent->process.ktime;
-    mBaseManager->RecordExecveEvent(&kernelExecveEvent);
+    mProcessCacheManager->RecordExecveEvent(&kernelExecveEvent);
 
     // 测试Exit事件处理
     msg_exit exitEvent;
     exitEvent.current.pid = 1234;
     exitEvent.current.ktime = 5678;
     exitEvent.info.code = 0;
-    mBaseManager->RecordExitEvent(&exitEvent);
+    mProcessCacheManager->RecordExitEvent(&exitEvent);
 
     // 测试Clone事件处理
     msg_clone_event cloneEvent;
     cloneEvent.tgid = 1234;
     cloneEvent.ktime = 5678;
-    mBaseManager->RecordCloneEvent(&cloneEvent);
+    mProcessCacheManager->RecordCloneEvent(&cloneEvent);
 }
 
-void ManagerUnittest::TestBaseManagerDataEvents() {
+void ManagerUnittest::TestProcessCacheManagerDataEvents() {
     // 测试数据事件处理
     std::string testArg = "test_arg";
     msg_data dataEvent;
@@ -294,7 +295,7 @@ void ManagerUnittest::TestBaseManagerDataEvents() {
     memcpy(dataEvent.arg, testArg.c_str(), testArg.size());
     dataEvent.common.size = offsetof(msg_data, arg) + testArg.size();
 
-    mBaseManager->RecordDataEvent(&dataEvent);
+    mProcessCacheManager->RecordDataEvent(&dataEvent);
 
     // 测试数据事件ID生成和查找
     data_event_desc desc{};
@@ -303,12 +304,12 @@ void ManagerUnittest::TestBaseManagerDataEvents() {
     desc.size = testArg.size();
     desc.leftover = 0;
 
-    // mBaseManager->DataAdd(&dataEvent);
-    std::string retrievedData = mBaseManager->DataGet(&desc);
+    // mProcessCacheManager->DataAdd(&dataEvent);
+    std::string retrievedData = mProcessCacheManager->DataGetAndRemove(&desc);
     APSARA_TEST_FALSE(retrievedData.empty());
 }
 
-void ManagerUnittest::TestBaseManagerProcessTags() {
+void ManagerUnittest::TestProcessCacheManagerProcessTags() {
     // 创建进程事件
     auto execveEvent = std::make_shared<MsgExecveEventUnix>();
     execveEvent->process.pid = 1234;
@@ -328,30 +329,31 @@ void ManagerUnittest::TestBaseManagerProcessTags() {
 
     // 更新缓存
     data_event_id key{execveEvent->process.pid, execveEvent->process.ktime};
-    mBaseManager->UpdateCache(key, execveEvent);
+    mProcessCacheManager->UpdateCache(key, execveEvent);
     key = {pExecveEvent->process.pid, pExecveEvent->process.ktime};
-    mBaseManager->UpdateCache(key, pExecveEvent);
+    mProcessCacheManager->UpdateCache(key, pExecveEvent);
 
     // 测试进程标签生成
     auto sourceBuffer = std::make_shared<SourceBuffer>();
-    auto tags = mBaseManager->FinalizeProcessTags(sourceBuffer, execveEvent->process.pid, execveEvent->process.ktime);
+    auto tags
+        = mProcessCacheManager->FinalizeProcessTags(sourceBuffer, execveEvent->process.pid, execveEvent->process.ktime);
     APSARA_TEST_FALSE(tags.mInner.empty());
 }
 
-void ManagerUnittest::TestBaseManagerPerfBuffer() {
-    // 初始化BaseManager
-    APSARA_TEST_TRUE(mBaseManager->Init());
+void ManagerUnittest::TestProcessCacheManagerPerfBuffer() {
+    // 初始化ProcessCacheManager
+    APSARA_TEST_TRUE(mProcessCacheManager->Init());
 
     // 测试PerfBuffer轮询
-    mBaseManager->PollPerfBuffers();
+    mProcessCacheManager->PollPerfBuffers();
 
     // 测试停止操作
-    mBaseManager->Stop();
+    mProcessCacheManager->Stop();
 }
 
 
 void ManagerUnittest::TestNetworkSecurityManagerBasic() {
-    auto manager = std::make_shared<NetworkSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto manager = std::make_shared<NetworkSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
 
     // 测试初始化
     SecurityOptions options;
@@ -372,7 +374,7 @@ void ManagerUnittest::TestNetworkSecurityManagerBasic() {
 }
 
 void ManagerUnittest::TestNetworkSecurityManagerEventHandling() {
-    auto manager = std::make_shared<NetworkSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto manager = std::make_shared<NetworkSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
     SecurityOptions options;
     manager->Init(std::variant<SecurityOptions*, ObserverNetworkOption*>(&options));
 
@@ -428,7 +430,7 @@ void ManagerUnittest::TestNetworkSecurityManagerEventHandling() {
 }
 
 void ManagerUnittest::TestNetworkSecurityManagerAggregation() {
-    auto manager = std::make_shared<NetworkSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto manager = std::make_shared<NetworkSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
     SecurityOptions options;
     manager->Init(std::variant<SecurityOptions*, ObserverNetworkOption*>(&options));
 
@@ -473,7 +475,7 @@ void ManagerUnittest::TestNetworkSecurityManagerAggregation() {
     execveEvent->msg.parent.ktime = 6789;
 
     // 测试缓存更新
-    mBaseManager->UpdateCache(key, execveEvent);
+    mProcessCacheManager->UpdateCache(key, execveEvent);
 
     auto pExecveEvent = std::make_shared<MsgExecveEventUnix>();
     data_event_id pkey{2345, 6789};
@@ -486,7 +488,7 @@ void ManagerUnittest::TestNetworkSecurityManagerAggregation() {
     pExecveEvent->process.args = "test_arg";
     pExecveEvent->process.cmdline = "test_cmdline";
 
-    mBaseManager->UpdateCache(pkey, pExecveEvent);
+    mProcessCacheManager->UpdateCache(pkey, pExecveEvent);
 
     // 触发聚合
     auto execTime = std::chrono::steady_clock::now();
@@ -496,7 +498,7 @@ void ManagerUnittest::TestNetworkSecurityManagerAggregation() {
 }
 
 void ManagerUnittest::TestProcessSecurityManagerAggregation() {
-    auto manager = std::make_shared<ProcessSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto manager = std::make_shared<ProcessSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
     SecurityOptions options;
     manager->Init(std::variant<SecurityOptions*, ObserverNetworkOption*>(&options));
 
@@ -534,7 +536,7 @@ void ManagerUnittest::TestProcessSecurityManagerAggregation() {
     execveEvent->msg.parent.ktime = 6789;
 
     // 测试缓存更新
-    mBaseManager->UpdateCache(key, execveEvent);
+    mProcessCacheManager->UpdateCache(key, execveEvent);
 
     auto pExecveEvent = std::make_shared<MsgExecveEventUnix>();
     data_event_id pkey{2345, 6789};
@@ -547,7 +549,7 @@ void ManagerUnittest::TestProcessSecurityManagerAggregation() {
     pExecveEvent->process.args = "test_arg";
     pExecveEvent->process.cmdline = "test_cmdline";
 
-    mBaseManager->UpdateCache(pkey, pExecveEvent);
+    mProcessCacheManager->UpdateCache(pkey, pExecveEvent);
 
     // 触发聚合
     auto execTime = std::chrono::steady_clock::now();
@@ -557,7 +559,7 @@ void ManagerUnittest::TestProcessSecurityManagerAggregation() {
 }
 
 void ManagerUnittest::TestFileSecurityManagerAggregation() {
-    auto manager = std::make_shared<FileSecurityManager>(mBaseManager, mSourceManager, mEventQueue, mTimer);
+    auto manager = std::make_shared<FileSecurityManager>(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
     SecurityOptions options;
     manager->Init(std::variant<SecurityOptions*, ObserverNetworkOption*>(&options));
 
@@ -596,7 +598,7 @@ void ManagerUnittest::TestFileSecurityManagerAggregation() {
     execveEvent->msg.parent.ktime = 6789;
 
     // 测试缓存更新
-    mBaseManager->UpdateCache(key, execveEvent);
+    mProcessCacheManager->UpdateCache(key, execveEvent);
 
     auto pExecveEvent = std::make_shared<MsgExecveEventUnix>();
     data_event_id pkey{2345, 6789};
@@ -609,7 +611,7 @@ void ManagerUnittest::TestFileSecurityManagerAggregation() {
     pExecveEvent->process.args = "test_arg";
     pExecveEvent->process.cmdline = "test_cmdline";
 
-    mBaseManager->UpdateCache(pkey, pExecveEvent);
+    mProcessCacheManager->UpdateCache(pkey, pExecveEvent);
 
     // 触发聚合
     auto execTime = std::chrono::steady_clock::now();
@@ -624,11 +626,10 @@ UNIT_TEST_CASE(ManagerUnittest, TestProcessSecurityManagerEventHandling);
 UNIT_TEST_CASE(ManagerUnittest, TestFileSecurityManagerEventHandling);
 UNIT_TEST_CASE(ManagerUnittest, TestManagerConcurrency);
 UNIT_TEST_CASE(ManagerUnittest, TestManagerErrorHandling);
-UNIT_TEST_CASE(ManagerUnittest, TestBaseManagerCache);
-UNIT_TEST_CASE(ManagerUnittest, TestBaseManagerProcessEvents);
-UNIT_TEST_CASE(ManagerUnittest, TestBaseManagerDataEvents);
-UNIT_TEST_CASE(ManagerUnittest, TestBaseManagerProcessTags);
-// UNIT_TEST_CASE(ManagerUnittest, TestBaseManagerPerfBuffer);
+UNIT_TEST_CASE(ManagerUnittest, TestProcessCacheManagerCache);
+UNIT_TEST_CASE(ManagerUnittest, TestProcessCacheManagerProcessEvents);
+UNIT_TEST_CASE(ManagerUnittest, TestProcessCacheManagerDataEvents);
+UNIT_TEST_CASE(ManagerUnittest, TestProcessCacheManagerProcessTags);
 // UNIT_TEST_CASE(ManagerUnittest, TestNetworkSecurityManagerBasic);
 UNIT_TEST_CASE(ManagerUnittest, TestNetworkSecurityManagerEventHandling);
 UNIT_TEST_CASE(ManagerUnittest, TestNetworkSecurityManagerAggregation);
diff --git a/core/unittest/ebpf/NetworkObserverUnittest.cpp b/core/unittest/ebpf/NetworkObserverUnittest.cpp
index faff13602a..ad6eef9059 100644
--- a/core/unittest/ebpf/NetworkObserverUnittest.cpp
+++ b/core/unittest/ebpf/NetworkObserverUnittest.cpp
@@ -49,7 +49,7 @@ class NetworkObserverManagerUnittest : public ::testing::Test {
         mTimer->Init();
         mSourceManager = std::make_shared<SourceManager>();
         mSourceManager->Init();
-        mBaseManager = std::make_shared<ProcessCacheManager>(mSourceManager, "test_host", "/", mEventQueue);
+        mProcessCacheManager = std::make_shared<ProcessCacheManager>(mSourceManager, "test_host", "/", mEventQueue);
         ProtocolParserManager::GetInstance().AddParser(support_proto_e::ProtoHTTP);
     }
 
@@ -57,12 +57,12 @@ class NetworkObserverManagerUnittest : public ::testing::Test {
 
 private:
     std::shared_ptr<NetworkObserverManager> CreateManager() {
-        return NetworkObserverManager::Create(mBaseManager, mSourceManager, mEventQueue, mTimer);
+        return NetworkObserverManager::Create(mProcessCacheManager, mSourceManager, mEventQueue, mTimer);
     }
 
     std::shared_ptr<Timer> mTimer;
     std::shared_ptr<SourceManager> mSourceManager;
-    std::shared_ptr<ProcessCacheManager> mBaseManager;
+    std::shared_ptr<ProcessCacheManager> mProcessCacheManager;
     moodycamel::BlockingConcurrentQueue<std::shared_ptr<CommonEvent>> mEventQueue;
 };
 
@@ -213,7 +213,7 @@ void NetworkObserverManagerUnittest::TestDataEventProcessing() {
 
     std::vector<std::shared_ptr<AbstractRecord>> items(10, nullptr);
     size_t count = manager->mRecordQueue.wait_dequeue_bulk_timed(items.data(), 1024, std::chrono::milliseconds(200));
-    APSARA_TEST_EQUAL(count, 1);
+    APSARA_TEST_EQUAL(count, 1UL);
     APSARA_TEST_TRUE(items[0] != nullptr);
 
     AbstractAppRecord* record = static_cast<AbstractAppRecord*>(items[0].get());
diff --git a/core/unittest/ebpf/eBPFDriverUnittest.cpp b/core/unittest/ebpf/eBPFDriverUnittest.cpp
index 94280e3e47..fbaf2f4f10 100644
--- a/core/unittest/ebpf/eBPFDriverUnittest.cpp
+++ b/core/unittest/ebpf/eBPFDriverUnittest.cpp
@@ -103,12 +103,12 @@ void eBPFDriverUnittest::TestNetworkFilter() {
     APSARA_TEST_EQUAL(gAddr4Filters.size(), 2);
     APSARA_TEST_EQUAL(gAddr4Filters[0].mOpType, OP_TYPE_IN);
     APSARA_TEST_EQUAL(gAddr4Filters[0].mIdx, 0);
-    APSARA_TEST_EQUAL(gAddr4Filters[0].mArg4.addr, 16820416);
+    APSARA_TEST_EQUAL(gAddr4Filters[0].mArg4.addr, 16820416U);
     APSARA_TEST_EQUAL(gAddr4Filters[0].mArg4.prefix, 32);
 
     APSARA_TEST_EQUAL(gAddr4Filters[1].mOpType, OP_TYPE_IN);
     APSARA_TEST_EQUAL(gAddr4Filters[1].mIdx, 0);
-    APSARA_TEST_EQUAL(gAddr4Filters[1].mArg4.addr, 33597632);
+    APSARA_TEST_EQUAL(gAddr4Filters[1].mArg4.addr, 33597632U);
     APSARA_TEST_EQUAL(gAddr4Filters[1].mArg4.prefix, 14);
 
     SetDaddrFilter(bw, -1, kernelFilters, &filter);
@@ -116,12 +116,12 @@ void eBPFDriverUnittest::TestNetworkFilter() {
     APSARA_TEST_EQUAL(gAddr4Filters.size(), 4);
     APSARA_TEST_EQUAL(gAddr4Filters[2].mOpType, OP_TYPE_IN);
     APSARA_TEST_EQUAL(gAddr4Filters[2].mIdx, 1);
-    APSARA_TEST_EQUAL(gAddr4Filters[2].mArg4.addr, 16820416);
+    APSARA_TEST_EQUAL(gAddr4Filters[2].mArg4.addr, 16820416U);
     APSARA_TEST_EQUAL(gAddr4Filters[2].mArg4.prefix, 32);
 
     APSARA_TEST_EQUAL(gAddr4Filters[3].mOpType, OP_TYPE_IN);
     APSARA_TEST_EQUAL(gAddr4Filters[3].mIdx, 1);
-    APSARA_TEST_EQUAL(gAddr4Filters[3].mArg4.addr, 33597632);
+    APSARA_TEST_EQUAL(gAddr4Filters[3].mArg4.addr, 33597632U);
     APSARA_TEST_EQUAL(gAddr4Filters[3].mArg4.prefix, 14);
 
     SetSaddrBlackFilter(bw, -1, kernelFilters, &filter);
@@ -129,12 +129,12 @@ void eBPFDriverUnittest::TestNetworkFilter() {
     APSARA_TEST_EQUAL(gAddr4Filters.size(), 6);
     APSARA_TEST_EQUAL(gAddr4Filters[4].mOpType, OP_TYPE_NOT_IN);
     APSARA_TEST_EQUAL(gAddr4Filters[4].mIdx, 2);
-    APSARA_TEST_EQUAL(gAddr4Filters[4].mArg4.addr, 16820416);
+    APSARA_TEST_EQUAL(gAddr4Filters[4].mArg4.addr, 16820416U);
     APSARA_TEST_EQUAL(gAddr4Filters[4].mArg4.prefix, 32);
 
     APSARA_TEST_EQUAL(gAddr4Filters[5].mOpType, OP_TYPE_NOT_IN);
     APSARA_TEST_EQUAL(gAddr4Filters[5].mIdx, 2);
-    APSARA_TEST_EQUAL(gAddr4Filters[5].mArg4.addr, 33597632);
+    APSARA_TEST_EQUAL(gAddr4Filters[5].mArg4.addr, 33597632U);
     APSARA_TEST_EQUAL(gAddr4Filters[5].mArg4.prefix, 14);
 
     SetDaddrBlackFilter(bw, -1, kernelFilters, &filter);
@@ -142,29 +142,29 @@ void eBPFDriverUnittest::TestNetworkFilter() {
     APSARA_TEST_EQUAL(gAddr4Filters.size(), 8);
     APSARA_TEST_EQUAL(gAddr4Filters[6].mOpType, OP_TYPE_NOT_IN);
     APSARA_TEST_EQUAL(gAddr4Filters[6].mIdx, 3);
-    APSARA_TEST_EQUAL(gAddr4Filters[6].mArg4.addr, 16820416);
+    APSARA_TEST_EQUAL(gAddr4Filters[6].mArg4.addr, 16820416U);
     APSARA_TEST_EQUAL(gAddr4Filters[6].mArg4.prefix, 32);
 
     APSARA_TEST_EQUAL(gAddr4Filters[7].mOpType, OP_TYPE_NOT_IN);
     APSARA_TEST_EQUAL(gAddr4Filters[7].mIdx, 3);
-    APSARA_TEST_EQUAL(gAddr4Filters[7].mArg4.addr, 33597632);
+    APSARA_TEST_EQUAL(gAddr4Filters[7].mArg4.addr, 33597632U);
     APSARA_TEST_EQUAL(gAddr4Filters[7].mArg4.prefix, 14);
 
     SetSportFilter(bw, -1, kernelFilters, &filter);
     auto gPortFilters = GetPortFilters();
-    APSARA_TEST_EQUAL(gPortFilters.size(), 3);
+    APSARA_TEST_EQUAL(gPortFilters.size(), 3UL);
 
     SetDportFilter(bw, -1, kernelFilters, &filter);
     gPortFilters = GetPortFilters();
-    APSARA_TEST_EQUAL(gPortFilters.size(), 6);
+    APSARA_TEST_EQUAL(gPortFilters.size(), 6UL);
 
     SetSportBlackFilter(bw, -1, kernelFilters, &filter);
     gPortFilters = GetPortFilters();
-    APSARA_TEST_EQUAL(gPortFilters.size(), 9);
+    APSARA_TEST_EQUAL(gPortFilters.size(), 9UL);
 
     SetDportBlackFilter(bw, -1, kernelFilters, &filter);
     gPortFilters = GetPortFilters();
-    APSARA_TEST_EQUAL(gPortFilters.size(), 12);
+    APSARA_TEST_EQUAL(gPortFilters.size(), 12UL);
 }
 
 void eBPFDriverUnittest::TestFileFilter() {
diff --git a/core/unittest/ebpf/eBPFServerUnittest.cpp b/core/unittest/ebpf/eBPFServerUnittest.cpp
index 6717bb30bb..752e3c3867 100644
--- a/core/unittest/ebpf/eBPFServerUnittest.cpp
+++ b/core/unittest/ebpf/eBPFServerUnittest.cpp
@@ -12,12 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-#include <algorithm>
-#include <iostream>
-#include <random>
-
-#include "json/json.h"
-
 #include "app_config/AppConfig.h"
 #include "collection_pipeline/CollectionPipeline.h"
 #include "collection_pipeline/CollectionPipelineContext.h"
diff --git a/core/unittest/ebpf/eBPFWrapperUnittest.cpp b/core/unittest/ebpf/eBPFWrapperUnittest.cpp
index f2725454a4..efa15a450f 100644
--- a/core/unittest/ebpf/eBPFWrapperUnittest.cpp
+++ b/core/unittest/ebpf/eBPFWrapperUnittest.cpp
@@ -1,7 +1,24 @@
+// Copyright 2025 iLogtail Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 extern "C" {
 #include <coolbpf/net.h>
-}
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
 #include <coolbpf/security.skel.h>
+#pragma GCC diagnostic pop
+}
 #include <sys/resource.h>
 
 #include "ebpf/driver/eBPFWrapper.h"
@@ -128,9 +145,9 @@ void eBPFWrapperUnittest::TestTailCall() {
 }
 
 UNIT_TEST_CASE(eBPFWrapperUnittest, TestInitialization);
-// UNIT_TEST_CASE(eBPFWrapperUnittest, TestMapOperations);
+UNIT_TEST_CASE(eBPFWrapperUnittest, TestMapOperations);
 UNIT_TEST_CASE(eBPFWrapperUnittest, TestPerfBufferOperations);
-// UNIT_TEST_CASE(eBPFWrapperUnittest, TestAttachOperations);
+UNIT_TEST_CASE(eBPFWrapperUnittest, TestAttachOperations);
 UNIT_TEST_CASE(eBPFWrapperUnittest, TestTailCall);
 
 } // namespace ebpf
diff --git a/core/unittest/input/InputFileSecurityUnittest.cpp b/core/unittest/input/InputFileSecurityUnittest.cpp
index 8f6eac9226..3e7bb49885 100644
--- a/core/unittest/input/InputFileSecurityUnittest.cpp
+++ b/core/unittest/input/InputFileSecurityUnittest.cpp
@@ -145,7 +145,7 @@ void InputFileSecurityUnittest::OnFailedInit() {
     APSARA_TEST_EQUAL(input->sName, "input_file_security");
     logtail::ebpf::SecurityFileFilter thisFilter
         = std::get<logtail::ebpf::SecurityFileFilter>(input->mSecurityOptions.mOptionList[0].mFilter);
-    APSARA_TEST_EQUAL(0, thisFilter.mFilePathList.size());
+    APSARA_TEST_EQUAL(0UL, thisFilter.mFilePathList.size());
 
     // invalid optional param
     configStr = R"(
@@ -168,7 +168,7 @@ void InputFileSecurityUnittest::OnFailedInit() {
     APSARA_TEST_EQUAL(input->sName, "input_file_security");
     logtail::ebpf::SecurityFileFilter thisFilter1
         = std::get<logtail::ebpf::SecurityFileFilter>(input->mSecurityOptions.mOptionList[0].mFilter);
-    APSARA_TEST_EQUAL(0, thisFilter1.mFilePathList.size());
+    APSARA_TEST_EQUAL(0UL, thisFilter1.mFilePathList.size());
 
     // lose mandatory param
     configStr = R"(
@@ -185,8 +185,8 @@ void InputFileSecurityUnittest::OnFailedInit() {
     input->SetMetricsRecordRef("test", "1");
     APSARA_TEST_TRUE(input->Init(configJson, optionalGoPipeline));
     APSARA_TEST_EQUAL(input->sName, "input_file_security");
-    APSARA_TEST_EQUAL(1, input->mSecurityOptions.mOptionList.size()); // default callname
-    APSARA_TEST_EQUAL(3, input->mSecurityOptions.mOptionList[0].mCallNames.size()); // default callname
+    APSARA_TEST_EQUAL(1UL, input->mSecurityOptions.mOptionList.size()); // default callname
+    APSARA_TEST_EQUAL(3UL, input->mSecurityOptions.mOptionList[0].mCallNames.size()); // default callname
 }
 
 void InputFileSecurityUnittest::OnSuccessfulStart() {
diff --git a/core/unittest/input/InputNetworkSecurityUnittest.cpp b/core/unittest/input/InputNetworkSecurityUnittest.cpp
index 8ae4a18d07..c1e324370b 100644
--- a/core/unittest/input/InputNetworkSecurityUnittest.cpp
+++ b/core/unittest/input/InputNetworkSecurityUnittest.cpp
@@ -94,9 +94,9 @@ void InputNetworkSecurityUnittest::OnSuccessfulInit() {
         = std::get<logtail::ebpf::SecurityNetworkFilter>(input->mSecurityOptions.mOptionList[0].mFilter);
     APSARA_TEST_EQUAL("10.0.0.0/8", thisFilter1.mDestAddrList[0]);
     APSARA_TEST_EQUAL("92.168.0.0/16", thisFilter1.mDestAddrList[1]);
-    APSARA_TEST_EQUAL(1, thisFilter1.mDestPortList.size());
+    APSARA_TEST_EQUAL(1UL, thisFilter1.mDestPortList.size());
     APSARA_TEST_EQUAL("127.0.0.1/8", thisFilter1.mSourceAddrBlackList[0]);
-    APSARA_TEST_EQUAL(9300, thisFilter1.mSourcePortBlackList[0]);
+    APSARA_TEST_EQUAL(9300U, thisFilter1.mSourcePortBlackList[0]);
 }
 
 void InputNetworkSecurityUnittest::OnFailedInit() {
@@ -153,10 +153,10 @@ void InputNetworkSecurityUnittest::OnFailedInit() {
     APSARA_TEST_TRUE(input->Init(configJson, optionalGoPipeline));
     logtail::ebpf::SecurityNetworkFilter thisFilter5
         = std::get<logtail::ebpf::SecurityNetworkFilter>(input->mSecurityOptions.mOptionList[0].mFilter);
-    APSARA_TEST_EQUAL(thisFilter5.mDestAddrList.size(), 0);
-    APSARA_TEST_EQUAL(thisFilter5.mDestPortList.size(), 0);
-    APSARA_TEST_EQUAL(thisFilter5.mSourceAddrBlackList.size(), 0);
-    APSARA_TEST_EQUAL(thisFilter5.mSourcePortBlackList.size(), 0);
+    APSARA_TEST_EQUAL(thisFilter5.mDestAddrList.size(), 0UL);
+    APSARA_TEST_EQUAL(thisFilter5.mDestPortList.size(), 0UL);
+    APSARA_TEST_EQUAL(thisFilter5.mSourceAddrBlackList.size(), 0UL);
+    APSARA_TEST_EQUAL(thisFilter5.mSourcePortBlackList.size(), 0UL);
 
     // valid and invalid optional param
     // if the optional param in a list is invalid, the valid param after it will be read
@@ -181,7 +181,7 @@ void InputNetworkSecurityUnittest::OnFailedInit() {
     APSARA_TEST_TRUE(input->Init(configJson, optionalGoPipeline));
     logtail::ebpf::SecurityNetworkFilter thisFilter6
         = std::get<logtail::ebpf::SecurityNetworkFilter>(input->mSecurityOptions.mOptionList[0].mFilter);
-    APSARA_TEST_EQUAL(2, thisFilter6.mDestAddrList.size());
+    APSARA_TEST_EQUAL(2UL, thisFilter6.mDestAddrList.size());
 }
 
 void InputNetworkSecurityUnittest::OnSuccessfulStart() {
diff --git a/core/unittest/input/InputProcessSecurityUnittest.cpp b/core/unittest/input/InputProcessSecurityUnittest.cpp
index a3c9341cd1..4e64e76eb0 100644
--- a/core/unittest/input/InputProcessSecurityUnittest.cpp
+++ b/core/unittest/input/InputProcessSecurityUnittest.cpp
@@ -80,7 +80,7 @@ void InputProcessSecurityUnittest::OnSuccessfulInit() {
     input->SetMetricsRecordRef("test", "1");
     APSARA_TEST_TRUE(input->Init(configJson, optionalGoPipeline));
     APSARA_TEST_EQUAL(input->sName, "input_process_security");
-    APSARA_TEST_EQUAL(input->mSecurityOptions.mOptionList[0].mCallNames.size(), 5);
+    APSARA_TEST_EQUAL(input->mSecurityOptions.mOptionList[0].mCallNames.size(), 5UL);
     // no general filter, default is monostate
     APSARA_TEST_EQUAL(std::holds_alternative<std::monostate>(input->mSecurityOptions.mOptionList[0].mFilter), true);
 }
diff --git a/core/unittest/models/ArrayViewUnittest.cpp b/core/unittest/models/ArrayViewUnittest.cpp
index 7350cbab55..926e5e0772 100644
--- a/core/unittest/models/ArrayViewUnittest.cpp
+++ b/core/unittest/models/ArrayViewUnittest.cpp
@@ -40,7 +40,7 @@ class ArrayViewUnittest : public ::testing::Test {
 void ArrayViewUnittest::TestDefaultConstructor() {
     // 测试默认构造函数
     ArrayView<int> view;
-    APSARA_TEST_EQUAL(view.size(), 0);
+    APSARA_TEST_EQUAL(view.size(), 0UL);
 }
 
 void ArrayViewUnittest::TestArrayConstructor() {
@@ -48,7 +48,7 @@ void ArrayViewUnittest::TestArrayConstructor() {
     const int arr[] = {1, 2, 3, 4, 5};
     ArrayView<int> view(arr);
 
-    APSARA_TEST_EQUAL(view.size(), 5);
+    APSARA_TEST_EQUAL(view.size(), 5UL);
     for (size_t i = 0; i < 5; ++i) {
         APSARA_TEST_EQUAL(view[i], arr[i]);
     }
@@ -59,7 +59,7 @@ void ArrayViewUnittest::TestPointerConstructor() {
     const int arr[] = {1, 2, 3, 4, 5};
     ArrayView<int> view(arr, 3); // 只使用前3个元素
 
-    APSARA_TEST_EQUAL(view.size(), 3);
+    APSARA_TEST_EQUAL(view.size(), 3UL);
     for (size_t i = 0; i < 3; ++i) {
         APSARA_TEST_EQUAL(view[i], arr[i]);
     }
@@ -70,7 +70,7 @@ void ArrayViewUnittest::TestStdArrayConstructor() {
     std::array<int, 4> arr = {1, 2, 3, 4};
     ArrayView<int> view(arr);
 
-    APSARA_TEST_EQUAL(view.size(), 4);
+    APSARA_TEST_EQUAL(view.size(), 4UL);
     for (size_t i = 0; i < 4; ++i) {
         APSARA_TEST_EQUAL(view[i], arr[i]);
     }
@@ -86,9 +86,9 @@ void ArrayViewUnittest::TestSize() {
     auto view1Size = view1.size();
     auto view2Size = view2.size();
     auto view3Size = view3.size();
-    APSARA_TEST_EQUAL(view1Size, 0);
-    APSARA_TEST_EQUAL(view2Size, 5);
-    APSARA_TEST_EQUAL(view3Size, 3);
+    APSARA_TEST_EQUAL(view1Size, 0UL);
+    APSARA_TEST_EQUAL(view2Size, 5UL);
+    APSARA_TEST_EQUAL(view3Size, 3UL);
 }
 
 void ArrayViewUnittest::TestSubscriptOperator() {