Refactor JIT FP walk to per-iteration unwind and fix JIT region detection

Restructure the eBPF JIT frame pointer walk: instead of a separate loop
before the main CFP walk, advance the native FP chain by one frame per
main loop iteration. This keeps the native unwind state in lockstep with
the Ruby VM stack, supporting both YJIT (1 JIT frame, exits after first
iteration) and ZJIT (1 JIT frame per iseq, 1:1 with CFPs).

Fix JIT region detection in SynchronizeMappings to scan all mappings
(including non-executable ---p reservations) for the prctl-labeled JIT
region, then only register LPM prefixes for executable pages. This
ensures jit_start/jit_end cover the full reserved address range even
when the r-xp committed pages don't carry the label.

Also fix IsAnonymous() to recognize [anon:...] labeled mappings, and
remove debug log spam from parseMappings.

Author: dalehamel

interpreter/ruby/ruby.go

@@ -1167,38 +1167,56 @@ func hasJitFramePointers(pr process.Process) bool {
 
 func (r *rubyInstance) SynchronizeMappings(ebpf interpreter.EbpfHandler,
 	_ reporter.ExecutableReporter, pr process.Process, mappings []process.Mapping) error {
-	var jitMapping *process.Mapping
-
 	pid := pr.PID()
-	jitFound := false
 	r.mappingGeneration++
 
 	log.Debugf("Synchronizing ruby mappings")
 
+	// First pass: detect JIT bounds from ALL mappings (including non-executable).
+	// Ruby reserves a large address range for JIT code via mmap and labels it with
+	// prctl(PR_SET_VMA), giving it a path like "[anon:Ruby:rb_jit_reserve_addr_space]".
+	// The reserved region is typically ---p (non-executable). Ruby then mprotects individual
+	// pages to r-xp as JIT code is compiled. We need the full reserved region bounds for
+	// jit_start/jit_end so the eBPF program can recognize any PC within the JIT range,
+	// even as new pages are made executable.
+	var jitStart, jitEnd uint64
+	jitFound := false
+	for idx := range mappings {
+		m := &mappings[idx]
+		if strings.Contains(m.Path.String(), "jit_reserve_addr_space") {
+			if !jitFound || m.Vaddr < jitStart {
+				jitStart = m.Vaddr
+			}
+			if !jitFound || m.Vaddr+m.Length > jitEnd {
+				jitEnd = m.Vaddr + m.Length
+			}
+			jitFound = true
+		}
+	}
+
+	// Second pass: register LPM prefixes for executable anonymous/JIT mappings.
+	// This only covers r-xp pages so the eBPF unwinder is invoked for JIT code that
+	// has actually been committed. If no labeled JIT region was found above, fall back
+	// to heuristic detection from executable anonymous mappings.
+	var heuristicJitMapping *process.Mapping
 	for idx := range mappings {
 		m := &mappings[idx]
 		if !m.IsExecutable() {
 			continue
 		}
 
-		// Check for prctl-labeled JIT region first.
-		// On Linux with CONFIG_ANON_VMA_NAME, Ruby labels its JIT memory via prctl(PR_SET_VMA)
-		// which gives it a path like "[anon:Ruby:rb_yjit_reserve_addr_space]".
-		// This is NOT considered anonymous by IsAnonymous() since the path is non-null,
-		// so we must check for it explicitly before the IsAnonymous() filter.
-		if strings.Contains(m.Path.String(), "jit_reserve_addr_space") {
-			jitMapping = m
-			jitFound = true
-		} else if !m.IsAnonymous() {
+		isJitLabeled := strings.Contains(m.Path.String(), "jit_reserve_addr_space")
+		if !isJitLabeled && !m.IsAnonymous() {
 			continue
 		}
 
-		// Use the first executable anon region we find if it isn't labeled
-		// If we find more, prefer ones earlier in memory or larger in size
-		if !jitFound && (jitMapping == nil || m.Vaddr < jitMapping.Vaddr || m.Length > jitMapping.Length) {
-			// Don't set jitFound here as it is a heuristic, we aren't sure
-			// could be on a system without linux config flag to allow prctl to label memoy
-			jitMapping = m
+		// Heuristic fallback: if no prctl label was found, use the first/smallest-addr
+		// executable anonymous mapping as the JIT region.
+		if !jitFound && !isJitLabeled {
+			if heuristicJitMapping == nil || m.Vaddr < heuristicJitMapping.Vaddr ||
+				m.Length > heuristicJitMapping.Length {
+				heuristicJitMapping = m
+			}
 		}
 
 		if _, exists := r.mappings[*m]; exists {
@@ -1211,7 +1229,6 @@ func (r *rubyInstance) SynchronizeMappings(ebpf interpreter.EbpfHandler,
 		mappingGeneration := r.mappingGeneration
 		r.mappings[*m] = &mappingGeneration
 
-		// Just assume all anonymous and executable mappings are Ruby for now
 		log.Debugf("Enabling Ruby interpreter for %#x/%#x", m.Vaddr, m.Length)
 
 		prefixes, err := lpm.CalculatePrefixList(m.Vaddr, m.Vaddr+m.Length)
@@ -1230,9 +1247,18 @@ func (r *rubyInstance) SynchronizeMappings(ebpf interpreter.EbpfHandler,
 			r.prefixes[prefix] = &mappingGeneration
 		}
 	}
-	if jitMapping != nil && (r.procInfo.Jit_start != jitMapping.Vaddr || r.procInfo.Jit_end != jitMapping.Vaddr+jitMapping.Length) {
-		r.procInfo.Jit_start = jitMapping.Vaddr
-		r.procInfo.Jit_end = jitMapping.Vaddr + jitMapping.Length
+
+	// Determine final JIT bounds: prefer labeled region, fall back to heuristic.
+	if !jitFound && heuristicJitMapping != nil {
+		jitStart = heuristicJitMapping.Vaddr
+		jitEnd = heuristicJitMapping.Vaddr + heuristicJitMapping.Length
+		jitFound = true
+	}
+
+	// Update proc info if JIT bounds changed.
+	if jitStart != 0 && (r.procInfo.Jit_start != jitStart || r.procInfo.Jit_end != jitEnd) {
+		r.procInfo.Jit_start = jitStart
+		r.procInfo.Jit_end = jitEnd
 
 		// Detect whether the JIT is emitting frame pointers.
 		// On arm64, YJIT always emits frame pointers unconditionally.

process/process.go

@@ -265,7 +265,6 @@ func parseMappings(mapsFile io.Reader) ([]Mapping, uint32, error) {
 				// This is an anonymous mapping, keep it
 			} else if strings.HasPrefix(fields[5], "[anon:") {
 				// This is an anonymous mapping, that has been named with prctl, keep the name
-				log.Debugf("Got named mapping: %s", fields[5])
 				path = libpf.Intern(trimMappingPath(fields[5]))
 			} else {
 				// Ignore other mappings that are invalid, non-existent or are special pseudo-files

process/types.go

@@ -45,7 +45,7 @@ func (m *Mapping) IsExecutable() bool {
 }
 
 func (m *Mapping) IsAnonymous() bool {
-	return m.Path == libpf.NullString || m.IsMemFD()
+	return m.Path == libpf.NullString || m.IsMemFD() || strings.HasPrefix(m.Path.String(), "[anon:")
 }
 
 func (m *Mapping) IsMemFD() bool {

support/ebpf/ruby_tracer.ebpf.c

@@ -20,17 +20,13 @@ struct ruby_procs_t {
 // NOTE the maximum size stack is this times 33
 #define FRAMES_PER_WALK_RUBY_STACK 32
 
-// The maximum number of JIT frames to unwind via frame pointers.
-// YJIT creates one native frame per JIT entry (not per Ruby method),
-// so in practice there is typically only 1 (occasionally 2 for nested entries).
-#define MAX_JIT_FP_FRAMES 4
 // When resolving a CME, we need to traverse environment pointers until we
 // find IMEMO_MENT. Since we can't do a while loop, we have to bound this
 // the max encountered in experimentation on a production rails app is 6.
 // This increases insn for the kernel verifier all code in the ep check "loop"
 // is M*N for instruction checks, so be extra sensitive about additions there.
 // If we get ERR_RUBY_READ_CME_MAX_EP regularly, we may need to raise it.
-#define MAX_EP_CHECKS     6
+#define MAX_EP_CHECKS 6
 
 // Constants related to reading a method entry
 // https://github.com/ruby/ruby/blob/523857bfcb0f0cdfd1ed7faa09b9c59a0266e7e2/method.h#L118
@@ -407,55 +403,27 @@ static EBPF_INLINE ErrorCode walk_ruby_stack(
     record->rubyUnwindState.cfunc_saved_frame = 0;
   }
 
-  // If the CPU PC is in the JIT region, walk the native frame pointer chain through JIT frames.
-  // This follows the same pattern as the V8 unwinder (v8_tracer.ebpf.c): push each JIT frame,
-  // then use unwinder_unwind_frame_pointer() to advance PC/SP/FP to the caller.
-  // YJIT creates one native FP frame per JIT entry, not per Ruby method, so there are
-  // typically only 1-2 frames to walk.
+  // Detect if the CPU PC is in the JIT region.
+  // When frame pointers are available, we keep the native unwind state in sync with
+  // the Ruby VM stack by advancing the FP chain by one frame per loop iteration.
+  // This handles both YJIT (1 JIT frame, exits after first iteration) and ZJIT
+  // (1 JIT frame per iseq, 1:1 with CFPs, stays in sync throughout the walk).
   //
-  // If frame_pointers_enabled is false (e.g. x86_64 without --yjit-perf), we push a single
-  // dummy JIT frame and skip FP walking -- the stack will be truncated at the Ruby VM frames
-  // but won't produce garbage from following an invalid FP chain.
-  if (
-    rubyinfo->jit_start > 0 && record->state.pc > rubyinfo->jit_start &&
-    record->state.pc < rubyinfo->jit_end) {
-    if (rubyinfo->frame_pointers_enabled) {
-      // Walk the native FP chain through JIT frames, pushing each as a JIT frame
-      // so it can potentially be symbolized via perf maps later.
-      UNROLL for (int j = 0; j < MAX_JIT_FP_FRAMES; j++)
-      {
-        ErrorCode jit_error =
-          push_ruby(&record->state, trace, RUBY_FRAME_TYPE_JIT, (u64)record->state.pc, 0, 0);
-        if (jit_error) {
-          return jit_error;
-        }
+  // When frame pointers are not available, we push a single dummy JIT frame and
+  // set jit_detected to suppress native unwinding.
+  bool in_jit = rubyinfo->jit_start > 0 && record->state.pc > rubyinfo->jit_start &&
+                record->state.pc < rubyinfo->jit_end;
 
-        if (!unwinder_unwind_frame_pointer(&record->state)) {
-          // FP chain broken, cannot continue
-          *next_unwinder = PROG_UNWIND_STOP;
-          return ERR_OK;
-        }
-
-        // Check if we've left the JIT region
-        if (record->state.pc < rubyinfo->jit_start || record->state.pc >= rubyinfo->jit_end) {
-          break;
-        }
-      }
-      // After walking JIT frames, PC should be in rb_vm_exec or other native code.
-      // We must resolve the mapping for the new PC so that text_section_id/offset/bias
-      // are up to date. Without this, the native unwinder would try to use stale mapping
-      // info from the JIT region and fail with ERR_NATIVE_NO_PID_PAGE_MAPPING.
-      ErrorCode map_err = get_next_unwinder_after_native_frame(record, next_unwinder);
-      if (map_err) {
-        return map_err;
+  if (in_jit) {
+    if (rubyinfo->frame_pointers_enabled) {
+      // Push a leaf JIT frame with the raw machine PC for perf-map symbolization.
+      ErrorCode jit_error =
+        push_ruby(&record->state, trace, RUBY_FRAME_TYPE_JIT, (u64)record->state.pc, 0, 0);
+      if (jit_error) {
+        return jit_error;
       }
-      // The resolved unwinder should be PROG_UNWIND_RUBY (since PC is in rb_vm_exec
-      // which is in interpreter_offsets) or PROG_UNWIND_NATIVE. Either way, we continue
-      // with the Ruby VM stack walk below and the mapping state is now correct for when
-      // we eventually hand off to the native unwinder.
     } else {
       // No frame pointers available: push a single dummy JIT frame.
-      // We cannot walk the FP chain so we will not be able to resume native unwinding.
       // Mark jit_detected so that cfuncs are pushed inline and end-of-stack uses
       // PROG_UNWIND_STOP instead of PROG_UNWIND_NATIVE.
       record->rubyUnwindState.jit_detected = true;
@@ -464,19 +432,39 @@ static EBPF_INLINE ErrorCode walk_ruby_stack(
       if (jit_error) {
         return jit_error;
       }
+      in_jit = false;
     }
   }
 
   UNROLL for (u32 i = 0; i < FRAMES_PER_WALK_RUBY_STACK; ++i)
   {
+    // Keep the native unwind state in sync: if the native PC is still in the JIT
+    // region, advance it by one frame pointer to match the Ruby VM stack pop.
+    // For YJIT this exits JIT on the first iteration. For ZJIT this pops one JIT
+    // native frame per CFP, keeping the two stacks in lockstep.
+    if (in_jit) {
+      if (!unwinder_unwind_frame_pointer(&record->state)) {
+        *next_unwinder = PROG_UNWIND_STOP;
+        return ERR_OK;
+      }
+      if (record->state.pc < rubyinfo->jit_start || record->state.pc >= rubyinfo->jit_end) {
+        // Exited the JIT region. Resolve the mapping for the post-JIT PC so that
+        // text_section_id/offset/bias are correct for native unwinding later.
+        in_jit            = false;
+        ErrorCode map_err = get_next_unwinder_after_native_frame(record, next_unwinder);
+        if (map_err) {
+          return map_err;
+        }
+      }
+    }
+
     error = read_ruby_frame(record, rubyinfo, stack_ptr, next_unwinder);
     if (error != ERR_OK)
       return error;
 
     if (last_stack_frame <= stack_ptr) {
       // We have processed all frames in the Ruby VM and can stop here.
-      // If we walked through JIT frames via FP, the state is clean and native unwinding
-      // can continue. If JIT was detected without FP, the PC is still in the JIT region
+      // If JIT was detected without FP, the PC is still in the JIT region
       // and native unwinding would fail, so we stop.
       *next_unwinder = record->rubyUnwindState.jit_detected ? PROG_UNWIND_STOP : PROG_UNWIND_NATIVE;
       goto save_state;