From 1f9639a256a4eae3b5ea133976beb1ead7fe39ab Mon Sep 17 00:00:00 2001
From: Paul Buetow <paul@buetow.org>
Date: Sat, 2 Mar 2024 00:17:31 +0200
Subject: detect loss of event when exit/enter tracepoints dont match up

---
 internal/eventloop.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'internal/eventloop.go')

diff --git a/internal/eventloop.go b/internal/eventloop.go
index cb458a8..9285db4 100644
--- a/internal/eventloop.go
+++ b/internal/eventloop.go
@@ -39,7 +39,15 @@ func events(rawCh <-chan []byte) <-chan enterExitEvent {
 		delete(enterEvs, exitEv.GetTid())
 		ev.exitEv = exitEv
 
-		if ev.is(SYS_ENTER_OPENAT, SYS_EXIT_OPENAT) || ev.is(SYS_ENTER_OPEN, SYS_EXIT_OPEN) {
+		// Expect ID one lower, otherwise, doesn't match.
+		if ev.enterEv.GetSyscallId()-1 != ev.exitEv.GetSyscallId() {
+			fmt.Println(fmt.Sprintf("Loss of event (not matching) %v", ev))
+			ev.enterEv.Recycle()
+			exitEv.Recycle()
+			return
+		}
+
+		if ev.is(SYS_ENTER_OPENAT) || ev.is(SYS_ENTER_OPEN) {
 			openEnterEv := ev.enterEv.(*OpenEnterEvent)
 
 			fd := ev.exitEv.(*FdEvent).Fd
@@ -63,7 +71,7 @@ func events(rawCh <-chan []byte) <-chan enterExitEvent {
 			} else {
 				ev.file = file{fdEvent.Fd, "?"}
 			}
-			if ev.is(SYS_ENTER_CLOSE, SYS_EXIT_CLOSE) {
+			if ev.is(SYS_ENTER_CLOSE) {
 				delete(files, fdEvent.Fd)
 			}
 		}
-- 
cgit v1.2.3