Read EC offset from disassembly for static ruby

Author: dalehamel

interpreter/ruby/ec.go

@@ -0,0 +1,51 @@
+package ruby // import "go.opentelemetry.io/ebpf-profiler/interpreter/ruby"
+
+import (
+	"debug/elf"
+	"fmt"
+
+	"go.opentelemetry.io/ebpf-profiler/internal/log"
+	"go.opentelemetry.io/ebpf-profiler/libpf"
+	"go.opentelemetry.io/ebpf-profiler/libpf/pfelf"
+)
+
+// extractEcOffset extracts the ec offset from disassembly
+func extractEcOffset(ef *pfelf.File) (int64, error) {
+	symbolName := libpf.SymbolName("rb_current_ec_noinline")
+	_, code, err := ef.SymbolData(symbolName, 2048)
+	if err != nil {
+		found := false
+		if err = ef.VisitSymbols(func(s libpf.Symbol) bool {
+			if s.Name == symbolName {
+				data, err := ef.VirtualMemory(int64(s.Address), int(s.Size), 2048)
+				if err != nil {
+					log.Errorf("Failed to read memory for %s, %v", symbolName, err)
+				} else {
+					code = data
+					found = true
+				}
+				return false
+			}
+			return true
+		}); err != nil {
+			log.Warnf("failed to visit symbols: %v", err)
+		}
+
+		if !found {
+			return 0, fmt.Errorf("unable to read 'rb_current_ec_noinline': %s", err)
+		}
+	}
+	if len(code) < 8 {
+		return 0, fmt.Errorf("rb_current_ec_noinline function size is %d", len(code))
+	}
+	var offset int64
+	switch ef.Machine {
+	case elf.EM_X86_64:
+		offset, err = extractRubyECOffsetX86(code)
+	case elf.EM_AARCH64:
+		offset, err = extractRubyECOffsetARM(code)
+	default:
+		return 0, fmt.Errorf("unsupported arch %s", ef.Machine.String())
+	}
+	return offset, nil
+}

interpreter/ruby/ec_aarch64.go

@@ -0,0 +1,75 @@
+package ruby // import "go.opentelemetry.io/ebpf-profiler/interpreter/ruby"
+
+import (
+	"errors"
+
+	ah "go.opentelemetry.io/ebpf-profiler/armhelpers"
+	aa "golang.org/x/arch/arm64/arm64asm"
+)
+
+// extractRubyECOffsetARM extracts the Ruby EC offset from aarch64 assembly
+func extractRubyECOffsetARM(code []byte) (int64, error) {
+	const (
+		Unspec int = iota
+		ECBase
+	)
+
+	type regState struct {
+		status int
+		offset int64
+	}
+
+	// Track all registers
+	var regs [32]regState
+
+	for offs := 0; offs < len(code); offs += 4 {
+		inst, err := aa.Decode(code[offs:])
+		if err != nil {
+			continue
+		}
+		if inst.Op == aa.RET {
+			break
+		}
+
+		destReg, ok := ah.Xreg2num(inst.Args[0])
+		if !ok {
+			continue
+		}
+
+		switch inst.Op {
+		case aa.MRS:
+			// MRS X0, tpidr_el0 (S3_3_C13_C0_2)
+			if inst.Args[1].String() == "S3_3_C13_C0_2" {
+				regs[destReg] = regState{
+					status: ECBase,
+					offset: 0,
+				}
+			}
+		case aa.ADD:
+			srcReg, ok := ah.Xreg2num(inst.Args[1])
+			if !ok {
+				continue
+			}
+			if regs[srcReg].status == ECBase {
+				i, ok := ah.DecodeImmediate(inst.Args[2])
+				if !ok {
+					continue
+				}
+				regs[destReg] = regState{
+					status: ECBase,
+					offset: regs[srcReg].offset + i,
+				}
+			}
+		case aa.LDR:
+			// LDR doesn't change the offset we're calculating
+			continue
+		}
+	}
+
+	// The offset should be in X0 (return register)
+	if regs[0].status != ECBase {
+		return 0, errors.New("could not extract Ruby EC offset from ARM code")
+	}
+
+	return regs[0].offset, nil
+}

interpreter/ruby/ec_test.go

@@ -0,0 +1,65 @@
+package ruby
+
+import (
+	"debug/elf"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestExtractEcOffset(t *testing.T) {
+	testCases := map[string]struct {
+		machine elf.Machine
+		code    []byte
+		offset  int64
+	}{
+		"ruby 4.0 static / x86_64": {
+			machine: elf.EM_X86_64,
+			code: []byte{
+				// mov    %fs:0xffffffffffffff88,%rax
+				// ret
+				0x64, 0x48, 0x8b, 0x04, 0x25, 0x88, 0xff, 0xff, 0xff,
+				0xc3,
+			},
+			offset: -120,
+		},
+		"ruby 3.4.7 static / x86_64": {
+			//machine: elf.EM_AARCH64,
+			machine: elf.EM_X86_64,
+			code: []byte{
+				// mov    %fs:0xfffffffffffffff8,%rax
+				// ret
+				0x64, 0x48, 0x8b, 0x04, 0x25, 0xf8, 0xff, 0xff, 0xff,
+				0xc3,
+			},
+			offset: -8,
+		},
+		"ruby 3.4.7 static / aarch64": {
+			machine: elf.EM_AARCH64,
+			code: []byte{
+				0x40, 0xd0, 0x3b, 0xd5, // mrs     x0, tpidr_el0
+				0x00, 0x00, 0x40, 0x91, // add     x0, x0, #0x0, lsl #12
+				0x00, 0xe0, 0x00, 0x91, // add     x0, x0, #0x38
+				0x00, 0x00, 0x40, 0xf9, // ldr     x0, [x0]
+				0xc0, 0x03, 0x5f, 0xd6, // ret
+			},
+			offset: 56,
+		},
+	}
+
+	for name, test := range testCases {
+		t.Run(name, func(t *testing.T) {
+			var offset int64
+			var err error
+			switch test.machine {
+			case elf.EM_X86_64:
+				offset, err = extractRubyECOffsetX86(test.code)
+			case elf.EM_AARCH64:
+				offset, err = extractRubyECOffsetARM(test.code)
+			}
+			if assert.NoError(t, err) {
+				assert.Equal(t, test.offset, offset, "Wrong ruby EC offset extraction")
+			}
+		})
+	}
+}

interpreter/ruby/ec_x86_64.go

@@ -0,0 +1,45 @@
+package ruby // import "go.opentelemetry.io/ebpf-profiler/interpreter/ruby"
+
+import (
+	"errors"
+	//"fmt"
+
+	"go.opentelemetry.io/ebpf-profiler/asm/amd"
+	e "go.opentelemetry.io/ebpf-profiler/asm/expression"
+	"golang.org/x/arch/x86/x86asm"
+)
+
+// extractRubyECOffsetX86 extracts the Ruby EC (execution context) offset from x86_64 assembly
+func extractRubyECOffsetX86(code []byte) (int64, error) {
+	it := amd.NewInterpreterWithCode(code)
+	_, err := it.LoopWithBreak(func(op x86asm.Inst) bool {
+		return op.Op == x86asm.RET
+	})
+	if err != nil {
+		return 0, err
+	}
+	res := it.Regs.Get(amd.RAX)
+
+	offset := e.NewImmediateCapture("offset")
+
+	// Match: mov %fs:offset,%rax
+	// The result should be a memory read from FS segment
+	expected := e.Mem8(
+		e.Add(
+			e.MemWithSegment8(x86asm.FS, e.Imm(0)),
+			offset,
+		),
+	)
+
+	if res.Match(expected) {
+		return int64(int32(offset.CapturedValue())), nil
+	}
+
+	// Try direct segment access pattern
+	expected = e.MemWithSegment8(x86asm.FS, offset)
+	if res.Match(expected) {
+		return int64(int32(offset.CapturedValue())), nil
+	}
+
+	return 0, errors.New("could not extract Ruby EC offset from x86_64 code")
+}

interpreter/ruby/ruby.go

@@ -86,7 +86,8 @@ const (
 
 var (
 	// regex to identify the Ruby interpreter executable
-	rubyRegex = regexp.MustCompile(`^(?:.*/)?libruby(?:-.*)?\.so\.(\d)\.(\d)\.(\d)$`)
+	libRubyRegex = regexp.MustCompile(`^(?:.*/)?libruby(?:-.*)?\.so\.(\d)\.(\d)\.(\d)$`)
+	binRubyRegex = regexp.MustCompile(`^(?:.*/)?(?:bin/)?ruby$`)
 	// regex to extract a version from a string
 	rubyVersionRegex = regexp.MustCompile(`^(\d)\.(\d)\.(\d)$`)
 
@@ -114,6 +115,9 @@ type rubyData struct {
 	// Address to the ruby_current_ec variable in TLS, as an offset from tpbase
 	currentEcTpBaseTlsOffset libpf.Address
 
+	// In local exec / static mode, the EC is an absolute offset from tpbase
+	absoluteTpBaseOffset int64
+
 	// Address to global symbols, for id to string mappings
 	globalSymbolsAddr libpf.Address
 
@@ -291,10 +295,14 @@ func (r *rubyData) String() string {
 func (r *rubyData) Attach(ebpf interpreter.EbpfHandler, pid libpf.PID, bias libpf.Address,
 	rm remotememory.RemoteMemory,
 ) (interpreter.Instance, error) {
-	var tlsOffset uint64
-	if r.currentEcTpBaseTlsOffset != 0 {
+	var tlsOffset int64
+	if r.absoluteTpBaseOffset == 0 && r.currentEcTpBaseTlsOffset != 0 {
 		// Read TLS offset from the TLS descriptor.
-		tlsOffset = rm.Uint64(bias + r.currentEcTpBaseTlsOffset + 8)
+		tlsOffset = int64(rm.Uint64(bias + r.currentEcTpBaseTlsOffset + 8))
+	}
+
+	if r.absoluteTpBaseOffset != 0 {
+		tlsOffset = r.absoluteTpBaseOffset
 	}
 
 	var modId uint64
@@ -1371,7 +1379,8 @@ func determineRubyVersion(ef *pfelf.File) (uint32, error) {
 }
 
 func Loader(ebpf interpreter.EbpfHandler, info *interpreter.LoaderInfo) (interpreter.Data, error) {
-	if !rubyRegex.MatchString(info.FileName()) {
+	var isBinRuby = binRubyRegex.MatchString(info.FileName())
+	if !libRubyRegex.MatchString(info.FileName()) && !isBinRuby {
 		return nil, nil
 	}
 
@@ -1414,6 +1423,7 @@ func Loader(ebpf interpreter.EbpfHandler, info *interpreter.LoaderInfo) (interpr
 
 	var globalSymbols libpf.SymbolValue
 	var currentEcTpBaseTlsOffset libpf.Address
+	var absoluteTpBaseOffset int64
 	var interpRanges []util.Range
 
 	globalSymbolsName := libpf.SymbolName("ruby_global_symbols")
@@ -1512,12 +1522,21 @@ func Loader(ebpf interpreter.EbpfHandler, info *interpreter.LoaderInfo) (interpr
 		log.Warnf("failed to mod offset: %v", err)
 	}
 
+	if isBinRuby {
+		offset, err := extractEcOffset(ef)
+		if err != nil {
+			return nil, fmt.Errorf("unable to extract ec offset for static ruby %v", err)
+		}
+		absoluteTpBaseOffset = offset
+	}
+
 	log.Debugf("Discovered EC tls tpbase offset %x, fallback ctx %x, interp ranges: %v, global symbols: %x", currentEcTpBaseTlsOffset, currentCtxPtr, interpRanges, globalSymbols)
 
 	rid := &rubyData{
 		version:                  version,
 		currentEcTpBaseTlsOffset: libpf.Address(currentEcTpBaseTlsOffset),
 		tlsModuleIdOffset:        tlsModuleIdOffset,
+		absoluteTpBaseOffset:     absoluteTpBaseOffset,
 		currentEcTlsOffset:       libpf.Address(currentEcSymbolAddress),
 		currentCtxPtr:            libpf.Address(currentCtxPtr),
 		hasGlobalSymbols:         globalSymbols != 0,

support/ebpf/ruby_tracer.ebpf.c

@@ -573,6 +573,7 @@ static EBPF_INLINE int unwind_ruby(struct pt_regs *ctx)
 
     u64 tls_current_ec_addr = tsd_base + rubyinfo->current_ec_tpbase_tls_offset;
 
+    DEBUG_PRINT("ruby: reading EC from TLS %lld", rubyinfo->current_ec_tpbase_tls_offset);
     if (bpf_probe_read_user(
           &current_ctx_addr, sizeof(current_ctx_addr), (void *)(tls_current_ec_addr))) {
       goto exit;

support/ebpf/types.h

@@ -484,7 +484,7 @@ typedef struct RubyProcInfo {
   u32 version;
 
   // tls_offset holds TLS base + ruby_current_ec tls symbol, as an offset from tpbase
-  u64 current_ec_tpbase_tls_offset;
+  s64 current_ec_tpbase_tls_offset;
 
   // current_ec_tls_offset is the offset of the current EC within the TLS
   u64 current_ec_tls_offset;