feat: gotls Upload sequence; Fix the issue where disorderly arrival causes the file content to be uninterpretable

Author: skylar2826

internal/probe/base/base_probe.go

@@ -262,7 +262,7 @@ func (p *BaseProbe) StartPerfEventReader(em *ebpf.Map, decoder domain.EventDecod
 		return errors.NewEBPFAttachError(em.String(), err)
 	}
 
-	p.readers = append(p.readers, rd)
+	p.TrackReader(rd)
 
 	p.logger.Info().
 		Str("map", em.String()).
@@ -273,6 +273,16 @@ func (p *BaseProbe) StartPerfEventReader(em *ebpf.Map, decoder domain.EventDecod
 	return nil
 }
 
+// TrackReader registers a reader to be closed when the probe shuts down.
+// Probes that implement a custom perf read loop should call TrackReader with the same reader
+// instance they pass to the goroutine, matching StartPerfEventReader lifecycle.
+func (p *BaseProbe) TrackReader(c closer) {
+	if c == nil {
+		return
+	}
+	p.readers = append(p.readers, c)
+}
+
 // perfEventLoop reads events from a perf buffer.
 func (p *BaseProbe) perfEventLoop(rd *perf.Reader, em *ebpf.Map, decoder domain.EventDecoder) {
 	for {

internal/probe/gotls/event.go

@@ -36,23 +36,27 @@ const (
 // C struct layout (go_tls_event):
 //
 //	u64 ts_ns;           // offset 0,  size 8
-//	u32 pid;             // offset 8,  size 4
-//	u32 tid;             // offset 12, size 4
-//	s32 data_len;        // offset 16, size 4
-//	u8  event_type;      // offset 20, size 1
-//	u8  pad[3];          // offset 21, size 3 (alignment padding)
-//	u32 fd;              // offset 24, size 4
-//	u8  src_ip[16];      // offset 28, size 16
-//	u16 src_port;        // offset 44, size 2
-//	u16 pad2;            // offset 46, size 2 (alignment padding)
-//	u8  dst_ip[16];      // offset 48, size 16
-//	u16 dst_port;        // offset 64, size 2
-//	u8  ip_version;      // offset 66, size 1 (4=IPv4, 6=IPv6)
-//	u8  pad3;            // offset 67, size 1 (alignment padding)
-//	char comm[16];       // offset 68, size 16
-//	char data[...];      // offset 84, variable
+//	u64 seq;             // offset 8,  size 8 (per-CPU counter)
+//	u32 emit_cpu;        // offset 16, size 4
+//	u32 pid;             // offset 20, size 4
+//	u32 tid;             // offset 24, size 4
+//	s32 data_len;        // offset 28, size 4
+//	u8  event_type;      // offset 32, size 1
+//	u8  pad[3];          // offset 33, size 3 (alignment padding)
+//	u32 fd;              // offset 36, size 4
+//	u8  src_ip[16];      // offset 40, size 16
+//	u16 src_port;        // offset 56, size 2
+//	u16 pad2;            // offset 58, size 2 (alignment padding)
+//	u8  dst_ip[16];      // offset 60, size 16
+//	u16 dst_port;        // offset 76, size 2
+//	u8  ip_version;      // offset 78, size 1 (4=IPv4, 6=IPv6)
+//	u8  pad3;            // offset 79, size 1 (alignment padding)
+//	char comm[16];       // offset 80, size 16
+//	char data[...];      // offset 96, variable
 type GoTLSDataEvent struct {
 	Timestamp uint64 `json:"timestamp"`
+	Seq       uint64 `json:"seq"`
+	EmitCPU   uint32 `json:"emit_cpu"`
 	Pid       uint32 `json:"pid"`
 	Tid       uint32 `json:"tid"`
 	DataLen   int32  `json:"dataLen"`
@@ -69,6 +73,8 @@ type GoTLSDataEvent struct {
 	Comm      [16]byte `json:"comm"`
 	Data      []byte   `json:"data"`
 	Tuple     string   `json:"tuple"`
+	// BpfMonoNs is bpf_ktime_get_ns() from the probe (stable ordering with Seq/EmitCPU); not wall clock.
+	BpfMonoNs uint64 `json:"-"`
 }
 
 // DecodeFromBytes deserializes the event from raw eBPF data.
@@ -79,6 +85,13 @@ func (e *GoTLSDataEvent) DecodeFromBytes(data []byte) error {
 	if err := binary.Read(buf, binary.LittleEndian, &e.Timestamp); err != nil {
 		return errors.NewEventDecodeError("gotls.Timestamp", err)
 	}
+	e.BpfMonoNs = e.Timestamp
+	if err := binary.Read(buf, binary.LittleEndian, &e.Seq); err != nil {
+		return errors.NewEventDecodeError("gotls.Seq", err)
+	}
+	if err := binary.Read(buf, binary.LittleEndian, &e.EmitCPU); err != nil {
+		return errors.NewEventDecodeError("gotls.EmitCPU", err)
+	}
 	if err := binary.Read(buf, binary.LittleEndian, &e.Pid); err != nil {
 		return errors.NewEventDecodeError("gotls.Pid", err)
 	}
@@ -149,6 +162,18 @@ func (e *GoTLSDataEvent) DecodeFromBytes(data []byte) error {
 	return nil
 }
 
+// LessGoTLSDataEventByPerfOrder compares two events for emit order after merging per-CPU perf buffers.
+// Ordering matches gimli (bpf monotonic time, then EmitCPU, then per-CPU Seq).
+func LessGoTLSDataEventByPerfOrder(a, b *GoTLSDataEvent) bool {
+	if a.BpfMonoNs != b.BpfMonoNs {
+		return a.BpfMonoNs < b.BpfMonoNs
+	}
+	if a.EmitCPU != b.EmitCPU {
+		return a.EmitCPU < b.EmitCPU
+	}
+	return a.Seq < b.Seq
+}
+
 // GetTimestamp returns the event timestamp in nanoseconds.
 func (e *GoTLSDataEvent) GetTimestamp() uint64 {
 	return e.Timestamp

internal/probe/gotls/event_test.go

@@ -27,7 +27,7 @@ import (
 // buildEventBytes constructs a raw eBPF byte payload for GoTLSDataEvent.
 // Offsets match the C struct go_tls_event exactly.
 func buildEventBytes(t *testing.T,
-	timestamp uint64, pid, tid uint32, dataLen int32, eventType uint8,
+	timestamp uint64, seq uint64, emitCPU uint32, pid, tid uint32, dataLen int32, eventType uint8,
 	fd uint32, srcIP [16]byte, srcPort uint16, dstIP [16]byte, dstPort uint16,
 	ipVersion uint8, comm [16]byte, payload []byte,
 ) []byte {
@@ -38,23 +38,25 @@ func buildEventBytes(t *testing.T,
 			t.Fatalf("binary.Write failed: %v", err)
 		}
 	}
-	write(timestamp) // offset 0,  u64
-	write(pid)       // offset 8,  u32
-	write(tid)       // offset 12, u32
-	write(dataLen)   // offset 16, s32
-	write(eventType) // offset 20, u8
-	write([3]byte{}) // offset 21, pad[3]
-	write(fd)        // offset 24, u32
-	write(srcIP)     // offset 28, u8[16]
-	write(srcPort)   // offset 44, u16
-	write([2]byte{}) // offset 46, pad2
-	write(dstIP)     // offset 48, u8[16]
-	write(dstPort)   // offset 64, u16
-	write(ipVersion) // offset 66, u8
-	write(uint8(0))  // offset 67, pad3
-	write(comm)      // offset 68, char[16]
+	write(timestamp) // offset 0,  u64 ts_ns
+	write(seq)       // offset 8,  u64 seq
+	write(emitCPU)   // offset 16, u32 emit_cpu
+	write(pid)       // offset 20, u32
+	write(tid)       // offset 24, u32
+	write(dataLen)   // offset 28, s32
+	write(eventType) // offset 32, u8
+	write([3]byte{}) // offset 33, pad[3]
+	write(fd)        // offset 36, u32
+	write(srcIP)     // offset 40, u8[16]
+	write(srcPort)   // offset 56, u16
+	write([2]byte{}) // offset 58, pad2
+	write(dstIP)     // offset 60, u8[16]
+	write(dstPort)   // offset 76, u16
+	write(ipVersion) // offset 78, u8
+	write(uint8(0))  // offset 79, pad3
+	write(comm)      // offset 80, char[16]
 	if len(payload) > 0 {
-		buf.Write(payload) // offset 84, variable data
+		buf.Write(payload) // offset 96, variable data
 	}
 	return buf.Bytes()
 }
@@ -84,7 +86,7 @@ func TestGoTLSDataEvent_DecodeFromBytes_IPv4_Write(t *testing.T) {
 	payload := []byte("GET / HTTP/1.1\r\n")
 
 	raw := buildEventBytes(t,
-		1000000, 42, 99, int32(len(payload)), 0, // eventType=WRITE
+		1000000, 1, 0, 42, 99, int32(len(payload)), 0, // eventType=WRITE
 		7, srcIP, 12345, dstIP, 443, 4, // ipVersion=4
 		commBytes("curl"), payload,
 	)
@@ -97,6 +99,15 @@ func TestGoTLSDataEvent_DecodeFromBytes_IPv4_Write(t *testing.T) {
 	if e.Timestamp != 1000000 {
 		t.Errorf("Timestamp = %d, want 1000000", e.Timestamp)
 	}
+	if e.BpfMonoNs != 1000000 {
+		t.Errorf("BpfMonoNs = %d, want 1000000", e.BpfMonoNs)
+	}
+	if e.Seq != 1 {
+		t.Errorf("Seq = %d, want 1", e.Seq)
+	}
+	if e.EmitCPU != 0 {
+		t.Errorf("EmitCPU = %d, want 0", e.EmitCPU)
+	}
 	if e.Pid != 42 {
 		t.Errorf("Pid = %d, want 42", e.Pid)
 	}
@@ -141,7 +152,7 @@ func TestGoTLSDataEvent_DecodeFromBytes_IPv4_Read(t *testing.T) {
 	payload := []byte("HTTP/1.1 200 OK\r\n")
 
 	raw := buildEventBytes(t,
-		2000000, 100, 200, int32(len(payload)), 1, // eventType=READ
+		2000000, 2, 0, 100, 200, int32(len(payload)), 1, // eventType=READ
 		5, srcIP, 443, dstIP, 54321, 4,
 		commBytes("myapp"), payload,
 	)
@@ -174,7 +185,7 @@ func TestGoTLSDataEvent_DecodeFromBytes_IPv6(t *testing.T) {
 
 	payload := []byte("hello")
 	raw := buildEventBytes(t,
-		3000000, 7, 8, int32(len(payload)), 0,
+		3000000, 3, 0, 7, 8, int32(len(payload)), 0,
 		3, ipv6Bytes(src6), 8080, ipv6Bytes(dst6), 9090, 6, // ipVersion=6
 		commBytes("server"), payload,
 	)
@@ -196,7 +207,7 @@ func TestGoTLSDataEvent_DecodeFromBytes_IPv6(t *testing.T) {
 
 func TestGoTLSDataEvent_DecodeFromBytes_ZeroDataLen(t *testing.T) {
 	raw := buildEventBytes(t,
-		1000, 1, 2, 0, 0, // dataLen=0
+		1000, 4, 0, 1, 2, 0, 0, // dataLen=0
 		1, ipv4Bytes(1, 2, 3, 4), 100, ipv4Bytes(5, 6, 7, 8), 200, 4,
 		commBytes("app"), nil,
 	)
@@ -212,9 +223,27 @@ func TestGoTLSDataEvent_DecodeFromBytes_ZeroDataLen(t *testing.T) {
 	}
 }
 
+func TestLessGoTLSDataEventByPerfOrder(t *testing.T) {
+	a := &GoTLSDataEvent{BpfMonoNs: 100, EmitCPU: 1, Seq: 5}
+	b := &GoTLSDataEvent{BpfMonoNs: 200, EmitCPU: 0, Seq: 1}
+	if !LessGoTLSDataEventByPerfOrder(a, b) {
+		t.Fatal("expected a before b (mono time)")
+	}
+	sameT := &GoTLSDataEvent{BpfMonoNs: 100, EmitCPU: 2, Seq: 1}
+	otherCPU := &GoTLSDataEvent{BpfMonoNs: 100, EmitCPU: 1, Seq: 99}
+	if !LessGoTLSDataEventByPerfOrder(otherCPU, sameT) {
+		t.Fatal("expected CPU tie-break")
+	}
+	sameTS := &GoTLSDataEvent{BpfMonoNs: 100, EmitCPU: 1, Seq: 1}
+	sameTS2 := &GoTLSDataEvent{BpfMonoNs: 100, EmitCPU: 1, Seq: 2}
+	if !LessGoTLSDataEventByPerfOrder(sameTS, sameTS2) {
+		t.Fatal("expected seq tie-break")
+	}
+}
+
 func TestGoTLSDataEvent_DecodeFromBytes_TimestampZeroFallback(t *testing.T) {
 	raw := buildEventBytes(t,
-		0, 1, 2, 0, 0, // timestamp=0 → should be filled by time.Now()
+		0, 5, 0, 1, 2, 0, 0, // timestamp=0 → should be filled by time.Now()
 		1, ipv4Bytes(1, 2, 3, 4), 80, ipv4Bytes(5, 6, 7, 8), 8080, 4,
 		commBytes("app"), nil,
 	)
@@ -241,7 +270,7 @@ func TestGoTLSDataEvent_DecodeFromBytes_TruncatedInput(t *testing.T) {
 func TestGoTLSDataEvent_DecodeFromBytes_DataLenExceedsBuffer(t *testing.T) {
 	// claim dataLen=100 but provide no payload bytes
 	raw := buildEventBytes(t,
-		1000, 1, 2, 100, 0, // dataLen=100
+		1000, 6, 0, 1, 2, 100, 0, // dataLen=100
 		1, ipv4Bytes(1, 2, 3, 4), 80, ipv4Bytes(5, 6, 7, 8), 8080, 4,
 		commBytes("app"), nil, // no payload
 	)
@@ -584,7 +613,7 @@ func TestGoTLSDataEvent_DecodeFromBytes_RoundTrip(t *testing.T) {
 	copy(comm[:], "myservice")
 
 	raw := buildEventBytes(t,
-		999888777, 12345, 67890, int32(len(wantPayload)), 0,
+		999888777, 7, 0, 12345, 67890, int32(len(wantPayload)), 0,
 		8, ipv4Bytes(172, 16, 0, 1), 54321, ipv4Bytes(172, 16, 0, 2), 443, 4,
 		comm, wantPayload,
 	)
@@ -594,6 +623,12 @@ func TestGoTLSDataEvent_DecodeFromBytes_RoundTrip(t *testing.T) {
 		t.Fatalf("DecodeFromBytes error: %v", err)
 	}
 
+	if e.Seq != 7 {
+		t.Errorf("Seq = %d, want 7", e.Seq)
+	}
+	if e.EmitCPU != 0 {
+		t.Errorf("EmitCPU = %d, want 0", e.EmitCPU)
+	}
 	if e.Pid != 12345 {
 		t.Errorf("Pid = %d, want 12345", e.Pid)
 	}

internal/probe/gotls/gotls_probe.go

@@ -17,6 +17,7 @@ package gotls
 import (
 	"bytes"
 	"context"
+	stderrors "errors"
 	"fmt"
 	"io"
 	"math"
@@ -25,6 +26,7 @@ import (
 	"strings"
 
 	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/perf"
 	manager "github.com/gojue/ebpfmanager"
 	"golang.org/x/sys/unix"
 
@@ -137,7 +139,13 @@ func (p *Probe) Start(ctx context.Context) error {
 
 	// Start event readers for all configured maps
 	for em, decoder := range p.eventFuncMaps {
-		if err := p.StartPerfEventReader(em, decoder); err != nil {
+		var err error
+		if _, ok := decoder.(*tlsDataEventDecoder); ok {
+			err = p.startGoTLSOrderedPerfEventReader(em, decoder)
+		} else {
+			err = p.StartPerfEventReader(em, decoder)
+		}
+		if err != nil {
 			return err
 		}
 		p.Logger().Debug().
@@ -181,6 +189,84 @@ func (p *Probe) retrieveEventMaps() error {
 	return nil
 }
 
+// startGoTLSOrderedPerfEventReader reads TLS plaintext perf events and emits them ordered by
+// (BpfMonoNs, EmitCPU, Seq), matching gimli's merge semantics across CPUs.
+func (p *Probe) startGoTLSOrderedPerfEventReader(em *ebpf.Map, decoder domain.EventDecoder) error {
+	if em == nil {
+		return errors.New(errors.ErrCodeEBPFMapAccess, "eBPF map cannot be nil")
+	}
+	if decoder == nil {
+		return errors.New(errors.ErrCodeConfiguration, "event decoder cannot be nil")
+	}
+	mapSize := p.config.GetPerCpuMapSize()
+	rd, err := perf.NewReader(em, mapSize)
+	if err != nil {
+		return errors.NewEBPFAttachError(em.String(), err)
+	}
+	p.TrackReader(rd)
+	p.Logger().Info().
+		Str("map", em.String()).
+		Int("size_mb", mapSize/1024/1024).
+		Msg("Perf event reader started (GoTLS reorder)")
+	go p.goTLSOrderedPerfLoop(rd, em, decoder)
+	return nil
+}
+
+func (p *Probe) goTLSOrderedPerfLoop(rd *perf.Reader, em *ebpf.Map, decoder domain.EventDecoder) {
+	reorder := newGoTLSPerfReorder()
+	defer func() {
+		for _, ev := range reorder.flushAll() {
+			if err := p.Dispatcher().Dispatch(ev); err != nil {
+				p.Logger().Warn().Err(err).Msg("Failed to dispatch reordered GoTLS event")
+			}
+		}
+	}()
+	for {
+		select {
+		case <-p.Context().Done():
+			p.Logger().Debug().Msg("GoTLS perf reader stopping")
+			return
+		default:
+		}
+		record, err := rd.Read()
+		if err != nil {
+			if stderrors.Is(err, perf.ErrClosed) {
+				return
+			}
+			p.Logger().Warn().Err(err).Msg("Error reading from perf buffer")
+			continue
+		}
+		if record.LostSamples != 0 {
+			p.Logger().Warn().
+				Uint64("lost_samples", record.LostSamples).
+				Msg("Perf buffer full, samples lost")
+			continue
+		}
+		event, err := decoder.Decode(em, record.RawSample)
+		if err != nil {
+			if stderrors.Is(err, errors.ErrEventNotReady) {
+				p.Logger().Debug().Msg("Event not ready, skipping")
+				continue
+			}
+			p.Logger().Warn().Err(err).Msg("Failed to decode event")
+			continue
+		}
+		p.Logger().Debug().Str("event", event.String()).Msg("Perf event decoded")
+		gte, ok := event.(*GoTLSDataEvent)
+		if !ok {
+			if err := p.Dispatcher().Dispatch(event); err != nil {
+				p.Logger().Warn().Err(err).Msg("Failed to dispatch event")
+			}
+			continue
+		}
+		for _, ev := range reorder.push(gte) {
+			if err := p.Dispatcher().Dispatch(ev); err != nil {
+				p.Logger().Warn().Err(err).Msg("Failed to dispatch reordered GoTLS event")
+			}
+		}
+	}
+}
+
 // Events returns the eBPF maps for event collection.
 func (p *Probe) Events() []*ebpf.Map {
 	return p.eventMaps
@@ -554,7 +640,6 @@ type tlsDataEventDecoder struct {
 
 func (d *tlsDataEventDecoder) Decode(_ *ebpf.Map, data []byte) (domain.Event, error) {
 	event := &GoTLSDataEvent{}
-	fmt.Println("Decoding TLSDataEvent from bytes, data length:", len(data))
 	if err := event.DecodeFromBytes(data); err != nil {
 		return nil, err
 	}