Walk YJIT JIT frames via frame pointers for full stack unwinding

Replace the jit_detected flag approach with V8-style frame pointer
unwinding through Ruby JIT frames. When YJIT emits frame pointers
(always on arm64, with --yjit-perf on x86_64), the Ruby eBPF unwinder
walks the native FP chain through JIT frames, pushes each as a
RUBY_FRAME_TYPE_JIT frame, then resolves the post-JIT mapping so native
unwinding can continue below the Ruby VM stack.

When frame pointers are not available, the original behavior is
preserved: a single dummy JIT frame is pushed, cfuncs are pushed inline,
and native unwinding is stopped at the end of the Ruby stack.

Also fixes parseMappings discarding prctl-labeled [anon:...] mappings,
which prevented the YJIT JIT region from being visible to interpreter
handlers.

Author: dalehamel

interpreter/ruby/ruby.go

@@ -4,10 +4,12 @@
 package ruby // import "go.opentelemetry.io/ebpf-profiler/interpreter/ruby"
 
 import (
+	"debug/elf"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"math/bits"
+	"os"
 	"regexp"
 	"runtime"
 	"strconv"
@@ -1141,6 +1143,28 @@ func profileFrameFullLabel(classPath, label, baseLabel, methodName libpf.String,
 	return libpf.Intern(profileLabel)
 }
 
+// hasJitFramePointers detects whether YJIT is emitting frame pointers for this process.
+// On arm64, YJIT always emits frame pointers unconditionally.
+// On x86_64, frame pointers are only emitted when --yjit-perf or --yjit-perf=fp is used.
+// When --yjit-perf is active, YJIT also creates /tmp/perf-PID.map, which we use as the
+// detection signal on x86_64.
+func hasJitFramePointers(pr process.Process) bool {
+	machine := pr.GetMachineData().Machine
+	if machine == elf.EM_AARCH64 {
+		// YJIT on arm64 always emits frame pointers (unconditionally in the backend).
+		return true
+	}
+
+	// On x86_64, check for the perf map file which indicates --yjit-perf was used.
+	// The --yjit-perf flag enables both frame pointers and the perf map.
+	perfMapPath := fmt.Sprintf("/tmp/perf-%d.map", pr.PID())
+	if _, err := os.Stat(perfMapPath); err == nil {
+		return true
+	}
+
+	return false
+}
+
 func (r *rubyInstance) SynchronizeMappings(ebpf interpreter.EbpfHandler,
 	_ reporter.ExecutableReporter, pr process.Process, mappings []process.Mapping) error {
 	var jitMapping *process.Mapping
@@ -1153,15 +1177,22 @@ func (r *rubyInstance) SynchronizeMappings(ebpf interpreter.EbpfHandler,
 
 	for idx := range mappings {
 		m := &mappings[idx]
-		if !m.IsExecutable() || !m.IsAnonymous() {
+		if !m.IsExecutable() {
 			continue
 		}
-		// If prctl is allowed, ruby should label the memory region
-		// always prefer that
+
+		// Check for prctl-labeled JIT region first.
+		// On Linux with CONFIG_ANON_VMA_NAME, Ruby labels its JIT memory via prctl(PR_SET_VMA)
+		// which gives it a path like "[anon:Ruby:rb_yjit_reserve_addr_space]".
+		// This is NOT considered anonymous by IsAnonymous() since the path is non-null,
+		// so we must check for it explicitly before the IsAnonymous() filter.
 		if strings.Contains(m.Path.String(), "jit_reserve_addr_space") {
 			jitMapping = m
 			jitFound = true
+		} else if !m.IsAnonymous() {
+			continue
 		}
+
 		// Use the first executable anon region we find if it isn't labeled
 		// If we find more, prefer ones earlier in memory or larger in size
 		if !jitFound && (jitMapping == nil || m.Vaddr < jitMapping.Vaddr || m.Length > jitMapping.Length) {
@@ -1202,10 +1233,18 @@ func (r *rubyInstance) SynchronizeMappings(ebpf interpreter.EbpfHandler,
 	if jitMapping != nil && (r.procInfo.Jit_start != jitMapping.Vaddr || r.procInfo.Jit_end != jitMapping.Vaddr+jitMapping.Length) {
 		r.procInfo.Jit_start = jitMapping.Vaddr
 		r.procInfo.Jit_end = jitMapping.Vaddr + jitMapping.Length
+
+		// Detect whether the JIT is emitting frame pointers.
+		// On arm64, YJIT always emits frame pointers unconditionally.
+		// On x86_64, frame pointers are only emitted with --yjit-perf or --yjit-perf=fp,
+		// which also creates a /tmp/perf-PID.map file as a side effect.
+		r.procInfo.Frame_pointers_enabled = hasJitFramePointers(pr)
+
 		if err := ebpf.UpdateProcData(libpf.Ruby, pr.PID(), unsafe.Pointer(r.procInfo)); err != nil {
 			return err
 		}
-		log.Debugf("Added jit mapping %08x ruby proc info, %08x", r.procInfo.Jit_start, r.procInfo.Jit_end)
+		log.Debugf("Added jit mapping %08x-%08x ruby proc info (frame_pointers=%v)",
+			r.procInfo.Jit_start, r.procInfo.Jit_end, r.procInfo.Frame_pointers_enabled)
 	}
 	// Remove prefixes not seen
 	for prefix, generationPtr := range r.prefixes {

process/process.go

@@ -263,6 +263,10 @@ func parseMappings(mapsFile io.Reader) ([]Mapping, uint32, error) {
 				inode = vdsoInode
 			} else if fields[5] == "" {
 				// This is an anonymous mapping, keep it
+			} else if strings.HasPrefix(fields[5], "[anon:") {
+				// This is an anonymous mapping, that has been named with prctl, keep the name
+				log.Debugf("Got named mapping: %s", fields[5])
+				path = libpf.Intern(trimMappingPath(fields[5]))
 			} else {
 				// Ignore other mappings that are invalid, non-existent or are special pseudo-files
 				continue

support/ebpf/ruby_tracer.ebpf.c

@@ -19,13 +19,18 @@ struct ruby_procs_t {
 // option is to adjust this number downwards.
 // NOTE the maximum size stack is this times 33
 #define FRAMES_PER_WALK_RUBY_STACK 32
+
+// The maximum number of JIT frames to unwind via frame pointers.
+// YJIT creates one native frame per JIT entry (not per Ruby method),
+// so in practice there is typically only 1 (occasionally 2 for nested entries).
+#define MAX_JIT_FP_FRAMES 4
 // When resolving a CME, we need to traverse environment pointers until we
 // find IMEMO_MENT. Since we can't do a while loop, we have to bound this
 // the max encountered in experimentation on a production rails app is 6.
 // This increases insn for the kernel verifier all code in the ep check "loop"
 // is M*N for instruction checks, so be extra sensitive about additions there.
 // If we get ERR_RUBY_READ_CME_MAX_EP regularly, we may need to raise it.
-#define MAX_EP_CHECKS              6
+#define MAX_EP_CHECKS     6
 
 // Constants related to reading a method entry
 // https://github.com/ruby/ruby/blob/523857bfcb0f0cdfd1ed7faa09b9c59a0266e7e2/method.h#L118
@@ -222,8 +227,9 @@ static EBPF_INLINE ErrorCode read_ruby_frame(
         // frames will almost certainly be incorrect for Ruby versions < 2.6.
         frame_type = RUBY_FRAME_TYPE_CME_CFUNC;
       } else if (record->rubyUnwindState.jit_detected) {
-        // If we detected a jit frame and are now in a cfunc, push the c frame
-        // as we can no longer unwind native anymore
+        // JIT is active but frame pointers are not available, so we cannot unwind
+        // through JIT frames to get back to native code. Push the cfunc inline
+        // instead of handing off to the native unwinder.
         frame_type = RUBY_FRAME_TYPE_CME_CFUNC;
       } else {
         // We save this cfp on in the "Record" entry, and when we start the unwinder
@@ -401,19 +407,62 @@ static EBPF_INLINE ErrorCode walk_ruby_stack(
     record->rubyUnwindState.cfunc_saved_frame = 0;
   }
 
+  // If the CPU PC is in the JIT region, walk the native frame pointer chain through JIT frames.
+  // This follows the same pattern as the V8 unwinder (v8_tracer.ebpf.c): push each JIT frame,
+  // then use unwinder_unwind_frame_pointer() to advance PC/SP/FP to the caller.
+  // YJIT creates one native FP frame per JIT entry, not per Ruby method, so there are
+  // typically only 1-2 frames to walk.
+  //
+  // If frame_pointers_enabled is false (e.g. x86_64 without --yjit-perf), we push a single
+  // dummy JIT frame and skip FP walking -- the stack will be truncated at the Ruby VM frames
+  // but won't produce garbage from following an invalid FP chain.
   if (
     rubyinfo->jit_start > 0 && record->state.pc > rubyinfo->jit_start &&
     record->state.pc < rubyinfo->jit_end) {
-    record->rubyUnwindState.jit_detected = true;
+    if (rubyinfo->frame_pointers_enabled) {
+      // Walk the native FP chain through JIT frames, pushing each as a JIT frame
+      // so it can potentially be symbolized via perf maps later.
+      UNROLL for (int j = 0; j < MAX_JIT_FP_FRAMES; j++)
+      {
+        ErrorCode jit_error =
+          push_ruby(&record->state, trace, RUBY_FRAME_TYPE_JIT, (u64)record->state.pc, 0, 0);
+        if (jit_error) {
+          return jit_error;
+        }
+
+        if (!unwinder_unwind_frame_pointer(&record->state)) {
+          // FP chain broken, cannot continue
+          *next_unwinder = PROG_UNWIND_STOP;
+          return ERR_OK;
+        }
 
-    // If the first frame is a jit PC, the leaf ruby frame should be the jit "owner"
-    // the cpu PC is also pushed as the address,
-    // as in theory this can be used to symbolize the JIT frame later
-    if (trace->num_frames == 0) {
-      ErrorCode error =
+        // Check if we've left the JIT region
+        if (record->state.pc < rubyinfo->jit_start || record->state.pc >= rubyinfo->jit_end) {
+          break;
+        }
+      }
+      // After walking JIT frames, PC should be in rb_vm_exec or other native code.
+      // We must resolve the mapping for the new PC so that text_section_id/offset/bias
+      // are up to date. Without this, the native unwinder would try to use stale mapping
+      // info from the JIT region and fail with ERR_NATIVE_NO_PID_PAGE_MAPPING.
+      ErrorCode map_err = get_next_unwinder_after_native_frame(record, next_unwinder);
+      if (map_err) {
+        return map_err;
+      }
+      // The resolved unwinder should be PROG_UNWIND_RUBY (since PC is in rb_vm_exec
+      // which is in interpreter_offsets) or PROG_UNWIND_NATIVE. Either way, we continue
+      // with the Ruby VM stack walk below and the mapping state is now correct for when
+      // we eventually hand off to the native unwinder.
+    } else {
+      // No frame pointers available: push a single dummy JIT frame.
+      // We cannot walk the FP chain so we will not be able to resume native unwinding.
+      // Mark jit_detected so that cfuncs are pushed inline and end-of-stack uses
+      // PROG_UNWIND_STOP instead of PROG_UNWIND_NATIVE.
+      record->rubyUnwindState.jit_detected = true;
+      ErrorCode jit_error =
         push_ruby(&record->state, trace, RUBY_FRAME_TYPE_JIT, (u64)record->state.pc, 0, 0);
-      if (error) {
-        return error;
+      if (jit_error) {
+        return jit_error;
       }
     }
   }
@@ -426,8 +475,9 @@ static EBPF_INLINE ErrorCode walk_ruby_stack(
 
     if (last_stack_frame <= stack_ptr) {
       // We have processed all frames in the Ruby VM and can stop here.
-      // if this process has been JIT'd, the PC is invalid and we cannot resume native unwinding so
-      // we are done
+      // If we walked through JIT frames via FP, the state is clean and native unwinding
+      // can continue. If JIT was detected without FP, the PC is still in the JIT region
+      // and native unwinding would fail, so we stop.
       *next_unwinder = record->rubyUnwindState.jit_detected ? PROG_UNWIND_STOP : PROG_UNWIND_NATIVE;
       goto save_state;
     } else {

support/ebpf/types.h

@@ -463,6 +463,10 @@ typedef struct RubyProcInfo {
   // JIT regions, for detecting if a native PC was JIT
   u64 jit_start, jit_end;
 
+  // Whether the JIT is emitting frame pointers (e.g. --yjit-perf on x86_64, always on arm64).
+  // When true, we walk the native FP chain through JIT frames instead of stopping.
+  bool frame_pointers_enabled;
+
   // Offsets and sizes of Ruby internal structs
 
   // rb_execution_context_struct offsets:
@@ -689,7 +693,8 @@ typedef struct RubyUnwindState {
   void *last_stack_frame;
   // Frame for last cfunc before we switched to native unwinder
   u64 cfunc_saved_frame;
-  // Detect if JIT code ran in the process (at any time)
+  // Set when JIT code is detected in the current trace and frame pointers are not available.
+  // Used to suppress native unwinding and push cfuncs inline.
   bool jit_detected;
 } RubyUnwindState;