Walk YJIT JIT frames via frame pointers for full stack unwinding

Replace the jit_detected flag approach with V8-style frame pointer
unwinding through Ruby JIT frames. When YJIT emits frame pointers
(always on arm64, with --yjit-perf on x86_64), the Ruby eBPF unwinder
walks the native FP chain through JIT frames, pushes each as a
RUBY_FRAME_TYPE_JIT frame, then resolves the post-JIT mapping so native
unwinding can continue below the Ruby VM stack.

When frame pointers are not available, the original behavior is
preserved: a single dummy JIT frame is pushed, cfuncs are pushed inline,
and native unwinding is stopped at the end of the Ruby stack.

Also fixes parseMappings discarding prctl-labeled [anon:...] mappings,
which prevented the YJIT JIT region from being visible to interpreter
handlers.

Author: dalehamel

interpreter/ruby/ruby.go

@@ -4,10 +4,12 @@
 package ruby // import "go.opentelemetry.io/ebpf-profiler/interpreter/ruby"
 
 import (
+	"debug/elf"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"math/bits"
+	"os"
 	"regexp"
 	"runtime"
 	"strconv"
@@ -1279,54 +1281,26 @@ func profileFrameFullLabel(classPath, label, baseLabel, methodName libpf.String,
 	return libpf.Intern(profileLabel)
 }
 
-// findJITRegion detects the YJIT JIT code region from process memory mappings.
-// YJIT reserves a large contiguous address range (typically 48-128 MiB) via mmap
-// with PROT_NONE and then mprotects individual 16k codepages to r-x as needed.
-// On systems with CONFIG_ANON_VMA_NAME, Ruby labels the region via prctl(PR_SET_VMA)
-// giving it a path like "[anon:Ruby:rb_yjit_reserve_addr_space]".
-// On systems without that config, we fall back to a heuristic: the first anonymous
-// executable mapping (by address) is assumed to be the JIT region since YJIT
-// initializes before any gems could create anonymous executable mappings.
-// Returns (start, end, found).
-func findJITRegion(mappings []process.RawMapping) (uint64, uint64, bool) {
-	var jitStart, jitEnd uint64
-	labelFound := false
-	var heuristicStart, heuristicEnd uint64
-	heuristicFound := false
-
-	for idx := range mappings {
-		m := &mappings[idx]
-
-		// Check for prctl-labeled JIT region. These mappings may be ---p (PROT_NONE)
-		// or r-xp depending on whether YJIT has activated codepages in this region.
-		if strings.Contains(m.Path, "jit_reserve_addr_space") {
-			if !labelFound || m.Vaddr < jitStart {
-				jitStart = m.Vaddr
-			}
-			if !labelFound || m.Vaddr+m.Length > jitEnd {
-				jitEnd = m.Vaddr + m.Length
-			}
-			labelFound = true
-			continue
-		}
-
-		// Heuristic fallback: first anonymous executable mapping by address.
-		// Mappings from /proc/pid/maps are sorted by address, so the first
-		// match is the lowest address.
-		if !heuristicFound && m.IsExecutable() && m.IsAnonymous() {
-			heuristicStart = m.Vaddr
-			heuristicEnd = m.Vaddr + m.Length
-			heuristicFound = true
-		}
+// hasJitFramePointers detects whether YJIT is emitting frame pointers for this process.
+// On arm64, YJIT always emits frame pointers unconditionally.
+// On x86_64, frame pointers are only emitted when --yjit-perf or --yjit-perf=fp is used.
+// When --yjit-perf is active, YJIT also creates /tmp/perf-PID.map, which we use as the
+// detection signal on x86_64.
+func hasJitFramePointers(pr process.Process) bool {
+	machine := pr.GetMachineData().Machine
+	if machine == elf.EM_AARCH64 {
+		// YJIT on arm64 always emits frame pointers (unconditionally in the backend).
+		return true
 	}
 
-	if labelFound {
-		return jitStart, jitEnd, true
-	}
-	if heuristicFound {
-		return heuristicStart, heuristicEnd, true
+	// On x86_64, check for the perf map file which indicates --yjit-perf was used.
+	// The --yjit-perf flag enables both frame pointers and the perf map.
+	perfMapPath := fmt.Sprintf("/tmp/perf-%d.map", pr.PID())
+	if _, err := os.Stat(perfMapPath); err == nil {
+		return true
 	}
-	return 0, 0, false
+
+	return false
 }
 
 func (r *rubyInstance) SynchronizeMappings(ebpf interpreter.EbpfHandler,
@@ -1375,10 +1349,18 @@ func (r *rubyInstance) SynchronizeMappings(ebpf interpreter.EbpfHandler,
 	if jitFound && (r.procInfo.Jit_start != jitStart || r.procInfo.Jit_end != jitEnd) {
 		r.procInfo.Jit_start = jitStart
 		r.procInfo.Jit_end = jitEnd
+
+		// Detect whether the JIT is emitting frame pointers.
+		// On arm64, YJIT always emits frame pointers unconditionally.
+		// On x86_64, frame pointers are only emitted with --yjit-perf or --yjit-perf=fp,
+		// which also creates a /tmp/perf-PID.map file as a side effect.
+		r.procInfo.Frame_pointers_enabled = hasJitFramePointers(pr)
+
 		if err := ebpf.UpdateProcData(libpf.Ruby, pr.PID(), unsafe.Pointer(r.procInfo)); err != nil {
 			return err
 		}
-		log.Debugf("Updated JIT region %#x-%#x in ruby proc info", jitStart, jitEnd)
+		log.Debugf("Updated JIT region %#x-%#x in ruby proc info (frame_pointers=%v)",
+			jitStart, jitEnd, r.procInfo.Frame_pointers_enabled)
 	}
 	// Remove prefixes not seen
 	for prefix, generationPtr := range r.prefixes {

support/ebpf/ruby_tracer.ebpf.c

@@ -19,6 +19,11 @@ struct ruby_procs_t {
 // option is to adjust this number downwards.
 // NOTE: the maximum size stack is FRAMES_PER_WALK_RUBY_STACK * calls to tail_call().
 #define FRAMES_PER_WALK_RUBY_STACK 32
+
+// The maximum number of JIT frames to unwind via frame pointers.
+// YJIT creates one native frame per JIT entry (not per Ruby method),
+// so in practice there is typically only 1 (occasionally 2 for nested entries).
+#define MAX_JIT_FP_FRAMES 4
 // When resolving a CME, we need to traverse environment pointers until we
 // find IMEMO_MENT. Since we can't do a while loop, we have to bound this
 // the max encountered in experimentation on a production rails app is 6.
@@ -271,8 +276,9 @@ static EBPF_INLINE ErrorCode read_ruby_frame(
         // frames will almost certainly be incorrect for Ruby versions < 2.6.
         frame_type = RUBY_FRAME_TYPE_CME_CFUNC;
       } else if (record->rubyUnwindState.jit_detected) {
-        // If we detected a jit frame and are now in a cfunc, push the c frame
-        // as we can no longer unwind native anymore
+        // JIT is active but frame pointers are not available, so we cannot unwind
+        // through JIT frames to get back to native code. Push the cfunc inline
+        // instead of handing off to the native unwinder.
         frame_type = RUBY_FRAME_TYPE_CME_CFUNC;
       } else {
         // We save this cfp on in the "Record" entry, and when we start the unwinder
@@ -450,19 +456,62 @@ static EBPF_INLINE ErrorCode walk_ruby_stack(
     record->rubyUnwindState.cfunc_saved_frame = 0;
   }
 
+  // If the CPU PC is in the JIT region, walk the native frame pointer chain through JIT frames.
+  // This follows the same pattern as the V8 unwinder (v8_tracer.ebpf.c): push each JIT frame,
+  // then use unwinder_unwind_frame_pointer() to advance PC/SP/FP to the caller.
+  // YJIT creates one native FP frame per JIT entry, not per Ruby method, so there are
+  // typically only 1-2 frames to walk.
+  //
+  // If frame_pointers_enabled is false (e.g. x86_64 without --yjit-perf), we push a single
+  // dummy JIT frame and skip FP walking -- the stack will be truncated at the Ruby VM frames
+  // but won't produce garbage from following an invalid FP chain.
   if (
     rubyinfo->jit_start > 0 && record->state.pc >= rubyinfo->jit_start &&
     record->state.pc < rubyinfo->jit_end) {
-    record->rubyUnwindState.jit_detected = true;
-
-    // If the first frame is a jit PC, the leaf ruby frame should be the jit "owner"
-    // the cpu PC is also pushed as the address,
-    // as in theory this can be used to symbolize the JIT frame later
-    if (trace->num_frames == 0) {
-      ErrorCode error =
+    if (rubyinfo->frame_pointers_enabled) {
+      // Walk the native FP chain through JIT frames, pushing each as a JIT frame
+      // so it can potentially be symbolized via perf maps later.
+      UNROLL for (int j = 0; j < MAX_JIT_FP_FRAMES; j++)
+      {
+        ErrorCode jit_error =
+          push_ruby(&record->state, trace, RUBY_FRAME_TYPE_JIT, (u64)record->state.pc, 0, 0);
+        if (jit_error) {
+          return jit_error;
+        }
+
+        if (!unwinder_unwind_frame_pointer(&record->state)) {
+          // FP chain broken, cannot continue
+          *next_unwinder = PROG_UNWIND_STOP;
+          return ERR_OK;
+        }
+
+        // Check if we've left the JIT region
+        if (record->state.pc < rubyinfo->jit_start || record->state.pc >= rubyinfo->jit_end) {
+          break;
+        }
+      }
+      // After walking JIT frames, PC should be in rb_vm_exec or other native code.
+      // We must resolve the mapping for the new PC so that text_section_id/offset/bias
+      // are up to date. Without this, the native unwinder would try to use stale mapping
+      // info from the JIT region and fail with ERR_NATIVE_NO_PID_PAGE_MAPPING.
+      ErrorCode map_err = get_next_unwinder_after_native_frame(record, next_unwinder);
+      if (map_err) {
+        return map_err;
+      }
+      // The resolved unwinder should be PROG_UNWIND_RUBY (since PC is in rb_vm_exec
+      // which is in interpreter_offsets) or PROG_UNWIND_NATIVE. Either way, we continue
+      // with the Ruby VM stack walk below and the mapping state is now correct for when
+      // we eventually hand off to the native unwinder.
+    } else {
+      // No frame pointers available: push a single dummy JIT frame.
+      // We cannot walk the FP chain so we will not be able to resume native unwinding.
+      // Mark jit_detected so that cfuncs are pushed inline and end-of-stack uses
+      // PROG_UNWIND_STOP instead of PROG_UNWIND_NATIVE.
+      record->rubyUnwindState.jit_detected = true;
+      ErrorCode jit_error =
         push_ruby(&record->state, trace, RUBY_FRAME_TYPE_JIT, (u64)record->state.pc, 0, 0);
-      if (error) {
-        return error;
+      if (jit_error) {
+        return jit_error;
       }
     }
   }
@@ -474,8 +523,9 @@ static EBPF_INLINE ErrorCode walk_ruby_stack(
 
     if (last_stack_frame <= stack_ptr) {
       // We have processed all frames in the Ruby VM and can stop here.
-      // if this process has been JIT'd, the PC is invalid and we cannot resume native unwinding so
-      // we are done
+      // If we walked through JIT frames via FP, the state is clean and native unwinding
+      // can continue. If JIT was detected without FP, the PC is still in the JIT region
+      // and native unwinding would fail, so we stop.
       *next_unwinder = record->rubyUnwindState.jit_detected ? PROG_UNWIND_STOP : PROG_UNWIND_NATIVE;
       goto save_state;
     } else {

support/ebpf/types.h

@@ -491,6 +491,11 @@ typedef struct RubyProcInfo {
 
   // JIT regions, for detecting if a native PC was JIT
   u64 jit_start, jit_end;
+
+  // Whether the JIT is emitting frame pointers (e.g. --yjit-perf on x86_64, always on arm64).
+  // When true, we walk the native FP chain through JIT frames instead of stopping.
+  bool frame_pointers_enabled;
+
   // Offsets and sizes of Ruby internal structs
 
   // rb_execution_context_struct offsets:
@@ -731,7 +736,8 @@ typedef struct RubyUnwindState {
   void *last_stack_frame;
   // Frame for last cfunc before we switched to native unwinder
   u64 cfunc_saved_frame;
-  // Detect if JIT code ran in the process (at any time)
+  // Set when JIT code is detected in the current trace and frame pointers are not available.
+  // Used to suppress native unwinding and push cfuncs inline.
   bool jit_detected;
 } RubyUnwindState;