fix: recover non-inline entry values at runtime

Map caller-side call-site metadata back to callees and lower non-inline
DW_OP_entry_value(reg) recovery to a runtime caller-PC lookup.

This preserves the existing inline path while allowing tracing to
materialize caller-provided DW_AT_call_value bindings for normal
function calls.

Author: swananan

e2e-tests/tests/entry_value_recovery_execution.rs

@@ -17,6 +17,7 @@ use std::time::{Duration, SystemTime, UNIX_EPOCH};
 
 const FIXTURE_NAME: &str = "entry_value_recovery_program";
 const FIXTURE_SOURCE: &str = "entry_value_recovery_program.c";
+const TOUCH_TRACE_LINE: u32 = 16;
 const POST_CALL_TRACE_LINE: u32 = 21;
 
 static CLANG_FIXTURE: OnceLock<Result<PathBuf, String>> = OnceLock::new();
@@ -141,6 +142,104 @@ fn shell_quote(path: &Path) -> String {
     format!("'{}'", raw.replace('\'', "'\"'\"'"))
 }
 
+#[tokio::test]
+async fn test_non_inline_entry_value_recovers_touch_parameters_at_runtime() -> anyhow::Result<()> {
+    init();
+    if !fixture_compiler_available(FixtureCompiler::ClangDwarf5) {
+        eprintln!("Skipping non-inline entry_value runtime test because clang is unavailable");
+        return Ok(());
+    }
+
+    let binary_path = compile_entry_value_recovery_program_clang()?;
+    let analyzer = ghostscope_dwarf::DwarfAnalyzer::from_exec_path(&binary_path).await?;
+    let addrs = analyzer.lookup_addresses_by_source_line(FIXTURE_SOURCE, TOUCH_TRACE_LINE);
+    anyhow::ensure!(
+        !addrs.is_empty(),
+        "No DWARF addresses found for {FIXTURE_SOURCE}:{TOUCH_TRACE_LINE}"
+    );
+
+    let target = spawn_logged_target(&binary_path).await?;
+    let script = format!(
+        "trace {FIXTURE_SOURCE}:{TOUCH_TRACE_LINE} {{
+    print \"TOUCH:{{}}:{{}}:{{}}\", x, state.total_bytes, state.stream_id;
+}}
+"
+    );
+    let (exit_code, ghostscope_stdout, ghostscope_stderr) = GhostscopeRunner::new()
+        .with_script(&script)
+        .attach_to(&target.target)
+        .timeout_secs(4)
+        .enable_sysmon_shared_lib(false)
+        .run()
+        .await?;
+    let (target_stdout, target_stderr) = target.terminate_and_collect().await?;
+
+    if should_skip_for_ebpf_env(exit_code, &ghostscope_stderr) {
+        return Ok(());
+    }
+
+    assert_eq!(
+        exit_code, 0,
+        "ghostscope stderr={ghostscope_stderr} ghostscope stdout={ghostscope_stdout} target stderr={target_stderr}"
+    );
+    assert!(
+        !ghostscope_stdout.contains("ExprError"),
+        "Expected exact non-inline entry_value recovery inside touch(). STDOUT: {ghostscope_stdout}\nSTDERR: {ghostscope_stderr}"
+    );
+    assert!(
+        !ghostscope_stdout.contains("<optimized out>"),
+        "touch() parameters should not be optimized out. STDOUT: {ghostscope_stdout}\nSTDERR: {ghostscope_stderr}"
+    );
+
+    let actual_re = Regex::new(r"ACTUAL:([0-9-]+):([0-9-]+):([0-9-]+):([0-9-]+)")?;
+    let mut actual_by_seed = HashMap::new();
+    for caps in actual_re.captures_iter(&target_stdout) {
+        actual_by_seed.insert(
+            caps[1].parse::<i64>()?,
+            (
+                caps[2].parse::<i64>()?,
+                caps[3].parse::<i64>()?,
+                caps[4].parse::<i64>()?,
+            ),
+        );
+    }
+    anyhow::ensure!(
+        !actual_by_seed.is_empty(),
+        "fixture stdout did not contain ACTUAL lines: {target_stdout}"
+    );
+
+    let trace_re = Regex::new(r"TOUCH:([0-9-]+):([0-9-]+):([0-9-]+)")?;
+    let mut seen = 0;
+    for caps in trace_re.captures_iter(&ghostscope_stdout) {
+        let seed = caps[1].parse::<i64>()?;
+        let total_bytes = caps[2].parse::<i64>()?;
+        let stream_id = caps[3].parse::<i64>()?;
+        let actual = actual_by_seed.get(&seed).ok_or_else(|| {
+            anyhow::anyhow!("missing ACTUAL record for seed={seed}; target stdout={target_stdout}")
+        })?;
+        let mut expected_result = total_bytes + (seed * 3);
+        if (expected_result & 1) != 0 {
+            expected_result += stream_id;
+        }
+        assert_eq!(
+            (total_bytes, stream_id),
+            (actual.0, actual.1),
+            "touch() recovered the wrong state for seed={seed}; ghostscope stdout={ghostscope_stdout}"
+        );
+        assert_eq!(
+            actual.2, expected_result,
+            "touch() recovered an inconsistent seed/result for seed={seed}; ghostscope stdout={ghostscope_stdout}"
+        );
+        seen += 1;
+    }
+
+    assert!(
+        seen >= 2,
+        "Expected multiple touch() trace events. GhostScope STDOUT: {ghostscope_stdout}\nTarget STDOUT: {target_stdout}"
+    );
+    Ok(())
+}
+
 #[tokio::test]
 async fn test_post_call_entry_value_recovers_state_members_at_runtime() -> anyhow::Result<()> {
     init();

ghostscope-compiler/src/ebpf/dwarf_bridge.rs

@@ -994,6 +994,20 @@ impl<'ctx> EbpfContext<'ctx> {
                     }
                 }
 
+                ComputeStep::EntryValueLookup {
+                    caller_pc_steps,
+                    cases,
+                } => {
+                    let value = self.generate_entry_value_lookup(
+                        caller_pc_steps,
+                        cases,
+                        pt_regs_ptr,
+                        _result_size,
+                        status_ptr,
+                    )?;
+                    stack.push(value);
+                }
+
                 // Add catch-all for unimplemented operations
                 _ => {
                     warn!("Unimplemented ComputeStep: {:?}", step);
@@ -1014,6 +1028,154 @@ impl<'ctx> EbpfContext<'ctx> {
         }
     }
 
+    fn generate_entry_value_lookup(
+        &mut self,
+        caller_pc_steps: &[ComputeStep],
+        cases: &[ghostscope_dwarf::core::EntryValueCase],
+        pt_regs_ptr: PointerValue<'ctx>,
+        result_size: Option<MemoryAccessSize>,
+        status_ptr: Option<PointerValue<'ctx>>,
+    ) -> Result<IntValue<'ctx>> {
+        if cases.is_empty() {
+            return Err(CodeGenError::LLVMError(
+                "EntryValueLookup requires at least one case".to_string(),
+            ));
+        }
+
+        let caller_pc = self
+            .generate_compute_steps(
+                caller_pc_steps,
+                pt_regs_ptr,
+                Some(MemoryAccessSize::U64),
+                status_ptr,
+                None,
+            )?
+            .into_int_value();
+
+        let current_block = self.builder.get_insert_block().ok_or_else(|| {
+            CodeGenError::LLVMError("No insertion block for EntryValueLookup".to_string())
+        })?;
+        let current_fn = current_block.get_parent().ok_or_else(|| {
+            CodeGenError::LLVMError("No parent function for EntryValueLookup".to_string())
+        })?;
+        let merge_bb = self
+            .context
+            .append_basic_block(current_fn, "entry_value_merge");
+        let default_bb = self
+            .context
+            .append_basic_block(current_fn, "entry_value_default");
+
+        let module_for_offsets = {
+            let ctx = self.get_compile_time_context()?;
+            self.current_resolved_var_module_path
+                .clone()
+                .unwrap_or_else(|| ctx.module_path.clone())
+        };
+        let module_cookie = self.cookie_for_module_or_fallback(&module_for_offsets);
+        let mut incoming_values = Vec::with_capacity(cases.len() + 1);
+        let mut any_missing_offsets = None;
+
+        for (index, case) in cases.iter().enumerate() {
+            let st_code = self.section_code_for_address(&module_for_offsets, case.caller_return_pc);
+            let link_pc = self
+                .context
+                .i64_type()
+                .const_int(case.caller_return_pc, false);
+            let (runtime_return_pc, found_flag) =
+                self.generate_runtime_address_from_offsets(link_pc, st_code, module_cookie)?;
+            let missing_offsets = self
+                .builder
+                .build_not(found_flag, &format!("entry_value_missing_{index}"))
+                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
+            any_missing_offsets = Some(match any_missing_offsets {
+                Some(prev) => self
+                    .builder
+                    .build_or(
+                        prev,
+                        missing_offsets,
+                        &format!("entry_value_missing_or_{index}"),
+                    )
+                    .map_err(|e| CodeGenError::LLVMError(e.to_string()))?,
+                None => missing_offsets,
+            });
+
+            let is_match = self
+                .builder
+                .build_int_compare(
+                    inkwell::IntPredicate::EQ,
+                    caller_pc,
+                    runtime_return_pc,
+                    &format!("entry_value_match_{index}"),
+                )
+                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
+            let case_bb = self
+                .context
+                .append_basic_block(current_fn, &format!("entry_value_case_{index}"));
+            let next_bb = if index + 1 == cases.len() {
+                default_bb
+            } else {
+                self.context
+                    .append_basic_block(current_fn, &format!("entry_value_check_{}", index + 1))
+            };
+            self.builder
+                .build_conditional_branch(is_match, case_bb, next_bb)
+                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
+
+            self.builder.position_at_end(case_bb);
+            let case_value = self
+                .generate_compute_steps(
+                    &case.value_steps,
+                    pt_regs_ptr,
+                    result_size,
+                    status_ptr,
+                    None,
+                )?
+                .into_int_value();
+            let case_value_block = self.builder.get_insert_block().ok_or_else(|| {
+                CodeGenError::LLVMError(
+                    "No insertion block after EntryValueLookup case".to_string(),
+                )
+            })?;
+            self.builder
+                .build_unconditional_branch(merge_bb)
+                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
+            incoming_values.push((case_value, case_value_block));
+
+            self.builder.position_at_end(next_bb);
+        }
+
+        self.builder.position_at_end(default_bb);
+        if let Some(sp) = status_ptr {
+            self.store_variable_read_status(
+                sp,
+                self.context.bool_type().const_int(1, false),
+                any_missing_offsets.unwrap_or_else(|| self.context.bool_type().const_zero()),
+                "entry_value_default",
+            )?;
+        }
+        let default_value = self.context.i64_type().const_zero();
+        let default_value_block = self.builder.get_insert_block().ok_or_else(|| {
+            CodeGenError::LLVMError("No default block for EntryValueLookup".to_string())
+        })?;
+        self.builder
+            .build_unconditional_branch(merge_bb)
+            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
+        incoming_values.push((default_value, default_value_block));
+
+        self.builder.position_at_end(merge_bb);
+        let phi = self
+            .builder
+            .build_phi(self.context.i64_type(), "entry_value_phi")
+            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
+        let incoming_refs: Vec<(&dyn inkwell::values::BasicValue<'ctx>, _)> = incoming_values
+            .iter()
+            .map(|(value, block)| (value as &dyn inkwell::values::BasicValue<'ctx>, *block))
+            .collect();
+        phi.add_incoming(&incoming_refs);
+
+        Ok(phi.as_basic_value().into_int_value())
+    }
+
     /// Query DWARF for complex expression (supports member access, array access, etc.)
     pub fn query_dwarf_for_complex_expr(
         &mut self,

ghostscope-compiler/src/ebpf/helper_functions.rs

@@ -912,7 +912,7 @@ impl<'ctx> EbpfContext<'ctx> {
         Ok(())
     }
 
-    fn store_variable_read_status(
+    pub(crate) fn store_variable_read_status(
         &mut self,
         status_ptr: PointerValue<'ctx>,
         combined_fail: IntValue<'ctx>,

ghostscope-dwarf/src/core/evaluation.rs

@@ -112,6 +112,15 @@ pub struct PieceResult {
     pub bit_offset: Option<u64>,
 }
 
+/// One caller-side case for recovering a callee's DW_OP_entry_value.
+#[derive(Debug, Clone, PartialEq)]
+pub struct EntryValueCase {
+    /// Link-time caller return PC from DW_AT_call_return_pc.
+    pub caller_return_pc: u64,
+    /// Materialized ComputeStep[] that recover the original caller value.
+    pub value_steps: Vec<ComputeStep>,
+}
+
 /// Computation step for LLVM IR generation
 /// These map directly to LLVM IR operations that can be generated in eBPF
 #[derive(Debug, Clone, PartialEq)]
@@ -167,6 +176,13 @@ pub enum ComputeStep {
         then_branch: Vec<ComputeStep>,
         else_branch: Vec<ComputeStep>,
     },
+
+    /// Recover a DW_OP_entry_value at runtime by matching the recovered caller
+    /// return PC against caller-side DW_AT_call_return_pc cases.
+    EntryValueLookup {
+        caller_pc_steps: Vec<ComputeStep>,
+        cases: Vec<EntryValueCase>,
+    },
 }
 
 /// Memory access size for bpf_probe_read_user
@@ -461,6 +477,9 @@ impl DirectValueResult {
                     _ = then_branch;
                     _ = else_branch;
                 }
+                ComputeStep::EntryValueLookup { cases, .. } => {
+                    stack.push(format!("entry_value[{} cases]", cases.len()));
+                }
             }
         }
 
@@ -653,6 +672,9 @@ impl fmt::Display for ComputeStep {
                     else_branch.len()
                 )
             }
+            ComputeStep::EntryValueLookup { cases, .. } => {
+                write!(f, "entry_value_lookup[cases:{}]", cases.len())
+            }
         }
     }
 }