diff options
| author | Paul Buetow <paul@buetow.org> | 2026-05-30 16:20:36 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-30 16:20:36 +0300 |
| commit | 65d276b67e65427e8cd25fd45b142e6fff1259f0 (patch) | |
| tree | 3e7d60dd6e0862fbc8060d98f340135db63edc4d /internal/c | |
| parent | 4e6d9e1a6c74e0bdb4d89df10ef22a664f84737f (diff) | |
sendfile64: capture out_fd instead of dropping both fds
sendfile64(out_fd, in_fd, offset, count) transfers bytes between two file
descriptors in the kernel and returns the number of bytes written to out_fd.
Its tracepoint fields carry no field literally named "fd", so it fell through
to KindNull and captured no descriptor at all - inconsistent with its sibling
copy_file_range (KindFd) and the read/write/sendto/recvfrom families.
Add an explicit sys_enter_sendfile64 -> KindFd override that captures out_fd
(args[0], the destination the bytes are written to), matching the single-fd
KindFd convention. The return value stays TransferClassified, consistent with
copy_file_range/splice/tee/vmsplice. Family stays Network (sendfile is
historically socket-oriented; copy_file_range=FS is pure file-to-file).
Update docs/syscall-tracing-plan.md (move sendfile64 from null to fd kind),
regenerate C/Go artifacts, fix the phase-A classify assertion, and add
TestClassifySendfile64CapturesOutFd as a lock-in + negative test. The existing
TestRetbytesPhaseA integration test still passes with the runtime change.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/generated_tracepoints.c | 7 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 2 |
2 files changed, 5 insertions, 4 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index fbf690c..a8437df 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -10118,7 +10118,7 @@ int handle_sys_exit_pwritev2(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_sendfile64 is a struct null_event (kind=null) +/// sys_enter_sendfile64 is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_sendfile64") int handle_sys_enter_sendfile64(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -10128,15 +10128,16 @@ int handle_sys_enter_sendfile64(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_SENDFILE64)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_SENDFILE64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index f59a820..3587939 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -279,7 +279,7 @@ sys_enter_semctl is a struct null_event (kind=sysv-op) sys_enter_semget is a struct null_event (kind=sysv-id) sys_enter_semop is a struct null_event (kind=sysv-op) sys_enter_semtimedop is a struct null_event (kind=sysv-op) -sys_enter_sendfile64 is a struct null_event (kind=null) +sys_enter_sendfile64 is a struct fd_event (kind=fd) sys_enter_sendmmsg is a struct fd_event (kind=fd) sys_enter_sendmsg is a struct fd_event (kind=fd) sys_enter_sendto is a struct fd_event (kind=fd) |