ghostscope_compiler/ebpf/

helper_functions.rs

//! eBPF helper function management
//!
//! This module handles eBPF helper function calls, register mapping, and pt_regs
//! access for different target architectures.

use super::context::{CodeGenError, EbpfContext, Result};
use aya_ebpf_bindings::bindings::bpf_func_id::{
    BPF_FUNC_get_current_pid_tgid, BPF_FUNC_ktime_get_ns, BPF_FUNC_map_lookup_elem,
    BPF_FUNC_perf_event_output, BPF_FUNC_probe_read_user, BPF_FUNC_probe_read_user_str,
    BPF_FUNC_ringbuf_output,
};
use ghostscope_dwarf::MemoryAccessSize;
use ghostscope_platform::register_mapping;
use inkwell::types::{BasicType, BasicTypeEnum};
use inkwell::values::{BasicMetadataValueEnum, BasicValueEnum, IntValue, PointerValue};
use inkwell::AddressSpace;

impl<'ctx> EbpfContext<'ctx> {
    /// Get or create a static i8 buffer global of a given size, returning its ArrayType and pointer
    pub fn get_or_create_i8_buffer(
        &mut self,
        size: u32,
        name_prefix: &str,
    ) -> (
        inkwell::types::ArrayType<'ctx>,
        inkwell::values::PointerValue<'ctx>,
    ) {
        let array_ty = self.context.i8_type().array_type(size);
        let name = format!("{name_prefix}_{size}");
        let global_ptr = match self.module.get_global(&name) {
            Some(g) => g.as_pointer_value(),
            None => {
                let g = self
                    .module
                    .add_global(array_ty, Some(AddressSpace::default()), &name);
                g.set_initializer(&array_ty.const_zero());
                g.as_pointer_value()
            }
        };
        (array_ty, global_ptr)
    }

    /// Read a user C-string into a static buffer using bpf_probe_read_user_str.
    /// Returns (buffer_ptr, len_including_nul).
    pub fn read_user_cstr_into_buffer(
        &mut self,
        src_addr: inkwell::values::IntValue<'ctx>,
        size: u32,
        name_prefix: &str,
    ) -> Result<(
        inkwell::values::PointerValue<'ctx>,
        inkwell::values::IntValue<'ctx>,
        inkwell::types::ArrayType<'ctx>,
    )> {
        let (arr_ty, buf_global) = self.get_or_create_i8_buffer(size, name_prefix);

        let ptr_ty = self.context.ptr_type(AddressSpace::default());
        // Cast addresses to void pointers
        let dst_ptr = self
            .builder
            .build_bit_cast(buf_global, ptr_ty, "dst_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let src_ptr = self
            .builder
            .build_int_to_ptr(src_addr, ptr_ty, "src_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Helper signature: long fn(void *dst, u32 size, const void *src)
        let i64_ty = self.context.i64_type();
        let i32_ty = self.context.i32_type();
        let args: [inkwell::values::BasicValueEnum; 3] = [
            dst_ptr,
            i32_ty.const_int(size as u64, false).into(),
            inkwell::values::BasicValueEnum::PointerValue(src_ptr),
        ];
        let ret = self.create_bpf_helper_call(
            BPF_FUNC_probe_read_user_str as u64,
            &args,
            i64_ty.into(),
            "probe_read_user_str",
        )?;
        let len = if let inkwell::values::BasicValueEnum::IntValue(iv) = ret {
            iv
        } else {
            return Err(CodeGenError::LLVMError(
                "probe_read_user_str did not return integer".to_string(),
            ));
        };
        Ok((buf_global, len, arr_ty))
    }

    /// Read raw user bytes into a static buffer using bpf_probe_read_user.
    /// Returns (buffer_ptr, status==0?).
    pub fn read_user_bytes_into_buffer(
        &mut self,
        src_addr: inkwell::values::IntValue<'ctx>,
        size: u32,
        name_prefix: &str,
    ) -> Result<(
        inkwell::values::PointerValue<'ctx>,
        inkwell::values::IntValue<'ctx>,
        inkwell::types::ArrayType<'ctx>,
    )> {
        let (arr_ty, buf_global) = self.get_or_create_i8_buffer(size, name_prefix);
        let ptr_ty = self.context.ptr_type(AddressSpace::default());
        let i32_ty = self.context.i32_type();
        let i64_ty = self.context.i64_type();
        // Cast addresses to void pointers
        let dst_ptr = self
            .builder
            .build_bit_cast(buf_global, ptr_ty, "dst_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let src_ptr = self
            .builder
            .build_int_to_ptr(src_addr, ptr_ty, "src_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        let args: [inkwell::values::BasicValueEnum; 3] = [
            dst_ptr,
            i32_ty.const_int(size as u64, false).into(),
            inkwell::values::BasicValueEnum::PointerValue(src_ptr),
        ];
        // Helper returns long (0 on success, -errno on failure)
        let ret = self.create_bpf_helper_call(
            BPF_FUNC_probe_read_user as u64,
            &args,
            i64_ty.into(),
            "probe_read_user",
        )?;
        let status = if let inkwell::values::BasicValueEnum::IntValue(iv) = ret {
            iv
        } else {
            return Err(CodeGenError::LLVMError(
                "probe_read_user did not return integer".to_string(),
            ));
        };
        Ok((buf_global, status, arr_ty))
    }
    /// Compute runtime address from link-time address using proc_module_offsets map
    /// section_type: 0=text, 1=rodata, 2=data, 3=bss; other values fallback to data
    pub fn generate_runtime_address_from_offsets(
        &mut self,
        link_addr: IntValue<'ctx>,
        section_type: u8,
        module_cookie: u64,
    ) -> Result<(IntValue<'ctx>, IntValue<'ctx>)> {
        let i64_type = self.context.i64_type();
        let ptr_type = self.context.ptr_type(AddressSpace::default());

        // Resolve map global pointer
        let map_global = self
            .module
            .get_global("proc_module_offsets")
            .ok_or_else(|| {
                CodeGenError::LLVMError("proc_module_offsets map not found".to_string())
            })?;
        let map_ptr = map_global.as_pointer_value();
        let map_ptr_cast = self
            .builder
            .build_bit_cast(map_ptr, ptr_type, "map_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Use per-invocation key buffer [4 x u32] pre-allocated in entry block
        // struct { u32 pid; u32 pad; u32 cookie_lo; u32 cookie_hi; }
        let i32_type = self.context.i32_type();
        let key_arr_ty = i32_type.array_type(4);
        let key_alloca = self.pm_key_alloca.ok_or_else(|| {
            CodeGenError::LLVMError("pm_key not allocated in entry block".to_string())
        })?;
        // Get i32* to the first element (&key[0])
        let zero = i32_type.const_zero();
        let base_i32_ptr = unsafe {
            self.builder
                .build_gep(key_arr_ty, key_alloca, &[zero, zero], "pm_key_i32_ptr")
                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
        };

        // Write pid (u32)
        let helper_id = i64_type.const_int(BPF_FUNC_get_current_pid_tgid as u64, false);
        let helper_fn_type = i64_type.fn_type(&[], false);
        let helper_fn_ptr = self
            .builder
            .build_int_to_ptr(helper_id, ptr_type, "get_pid_fn")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let pid_tgid = self
            .builder
            .build_indirect_call(helper_fn_type, helper_fn_ptr, &[], "pid_tgid")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            .try_as_basic_value()
            .left()
            .ok_or_else(|| {
                CodeGenError::LLVMError("get_current_pid_tgid returned void".to_string())
            })?;
        let pid = if let BasicValueEnum::IntValue(v) = pid_tgid {
            // pid = upper 32 bits
            let shifted = self
                .builder
                .build_right_shift(v, i64_type.const_int(32, false), false, "pid_shift")
                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
            self.builder
                .build_int_truncate(shifted, i32_type, "pid32")
                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
        } else {
            return Err(CodeGenError::LLVMError(
                "pid_tgid is not IntValue".to_string(),
            ));
        };

        // Store pid at key[0]
        self.builder
            .build_store(base_i32_ptr, pid)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Zero padding at key[1] for deterministic key bytes
        let idx1 = i32_type.const_int(1, false);
        let pad_ptr = unsafe {
            self.builder
                .build_gep(self.context.i32_type(), base_i32_ptr, &[idx1], "pad_ptr")
                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
        };
        self.builder
            .build_store(pad_ptr, self.context.i32_type().const_zero())
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Store cookie_lo at key[2] and cookie_hi at key[3] (key[1] is padding for 8-byte alignment)
        let cookie_lo = i32_type.const_int(module_cookie & 0xffff_ffff, false);
        let cookie_hi = i32_type.const_int(module_cookie >> 32, false);
        let idx2 = i32_type.const_int(2, false);
        let idx3 = i32_type.const_int(3, false);
        // key[1] left as padding = 0 by default
        let cookie_lo_ptr = unsafe {
            self.builder
                .build_gep(
                    self.context.i32_type(),
                    base_i32_ptr,
                    &[idx2],
                    "cookie_lo_ptr",
                )
                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
        };
        let cookie_hi_ptr = unsafe {
            self.builder
                .build_gep(
                    self.context.i32_type(),
                    base_i32_ptr,
                    &[idx3],
                    "cookie_hi_ptr",
                )
                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
        };
        self.builder
            .build_store(cookie_lo_ptr, cookie_lo)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        self.builder
            .build_store(cookie_hi_ptr, cookie_hi)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Call bpf_map_lookup_elem(map, &key)
        let lookup_id = i64_type.const_int(BPF_FUNC_map_lookup_elem as u64, false);
        let lookup_fn_type = ptr_type.fn_type(&[ptr_type.into(), ptr_type.into()], false);
        let lookup_fn_ptr = self
            .builder
            .build_int_to_ptr(lookup_id, ptr_type, "lookup_fn")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        // Pass pointer to the beginning of the key buffer (void*)
        let key_arg = self
            .builder
            .build_bit_cast(key_alloca, ptr_type, "key_arg")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let args: Vec<BasicMetadataValueEnum> = vec![map_ptr_cast.into(), key_arg.into()];
        let val_ptr_any = self
            .builder
            .build_indirect_call(lookup_fn_type, lookup_fn_ptr, &args, "val_ptr_any")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            .try_as_basic_value()
            .left()
            .ok_or_else(|| CodeGenError::LLVMError("map_lookup_elem returned void".to_string()))?;

        let null_ptr = ptr_type.const_null();
        let found_block = self.context.append_basic_block(
            self.builder
                .get_insert_block()
                .unwrap()
                .get_parent()
                .unwrap(),
            "found_offsets",
        );
        let miss_block = self.context.append_basic_block(
            self.builder
                .get_insert_block()
                .unwrap()
                .get_parent()
                .unwrap(),
            "miss_offsets",
        );
        let cont_block = self.context.append_basic_block(
            self.builder
                .get_insert_block()
                .unwrap()
                .get_parent()
                .unwrap(),
            "cont_offsets",
        );

        // Compare against NULL
        let val_ptr = if let BasicValueEnum::PointerValue(p) = val_ptr_any {
            p
        } else {
            null_ptr
        };
        let is_null = self
            .builder
            .build_int_compare(
                inkwell::IntPredicate::EQ,
                self.builder
                    .build_ptr_to_int(val_ptr, i64_type, "val_ptr_i64")
                    .map_err(|e| CodeGenError::LLVMError(e.to_string()))?,
                i64_type.const_zero(),
                "is_null_offsets",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        self.builder
            .build_conditional_branch(is_null, miss_block, found_block)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Found: load appropriate offset based on section_type
        self.builder.position_at_end(found_block);
        // Cast value pointer (void*) to i64* for loading 64-bit offsets
        // Use opaque pointer type (LLVM15+): model as generic pointer
        let i64_ptr_ty = self.context.ptr_type(AddressSpace::default());
        let val_u64_ptr = self
            .builder
            .build_pointer_cast(val_ptr, i64_ptr_ty, "val_u64_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let load_field = |idx: u64,
                          ctx: &mut EbpfContext<'ctx>,
                          base: PointerValue<'ctx>|
         -> Result<IntValue<'ctx>> {
            // GEP in i64 element space
            let idx_i32 = ctx.context.i32_type().const_int(idx, false);
            let field_ptr = unsafe {
                ctx.builder
                    .build_gep(ctx.context.i64_type(), base, &[idx_i32], "field_ptr_i64")
                    .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            };
            let loaded = ctx
                .builder
                .build_load(ctx.context.i64_type(), field_ptr, "loaded_offset")
                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
            if let BasicValueEnum::IntValue(iv) = loaded {
                Ok(iv)
            } else {
                Err(CodeGenError::LLVMError("offset load failed".to_string()))
            }
        };
        let st = section_type;
        let off_text = load_field(0, self, val_u64_ptr)?;
        let off_rodata = load_field(1, self, val_u64_ptr)?;
        let off_data = load_field(2, self, val_u64_ptr)?;
        let off_bss = load_field(3, self, val_u64_ptr)?;
        // Build a bottom-up cascade to preserve earlier choices:
        // tmp  = (section==data)   ? off_data   : off_bss
        // tmp2 = (section==rodata) ? off_rodata : tmp
        // off  = (section==text)   ? off_text  : tmp2
        let st_val = i32_type.const_int(st as u64, false);
        let eq_text = self
            .builder
            .build_int_compare(
                inkwell::IntPredicate::EQ,
                st_val,
                i32_type.const_int(0, false),
                "is_text",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let eq_ro = self
            .builder
            .build_int_compare(
                inkwell::IntPredicate::EQ,
                st_val,
                i32_type.const_int(1, false),
                "is_ro",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let eq_da = self
            .builder
            .build_int_compare(
                inkwell::IntPredicate::EQ,
                st_val,
                i32_type.const_int(2, false),
                "is_da",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        let tmp_any = self
            .builder
            .build_select(eq_da, off_data, off_bss, "sel_data_bss")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let tmp = tmp_any.into_int_value();

        let tmp2_any = self
            .builder
            .build_select(eq_ro, off_rodata, tmp, "sel_rodata_else")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let tmp2 = tmp2_any.into_int_value();

        let off_final_any = self
            .builder
            .build_select(eq_text, off_text, tmp2, "sel_text_else")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let off_final = off_final_any.into_int_value();
        let rt_addr = self
            .builder
            .build_int_add(link_addr, off_final, "runtime_addr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        self.builder
            .build_unconditional_branch(cont_block)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Miss: return link_addr as-is (will likely fault and set ReadError)
        self.builder.position_at_end(miss_block);
        self.builder
            .build_unconditional_branch(cont_block)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Phi to merge address
        self.builder.position_at_end(cont_block);
        let phi = self
            .builder
            .build_phi(i64_type, "addr_phi")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        phi.add_incoming(&[(&rt_addr, found_block), (&link_addr, miss_block)]);
        let final_addr = phi.as_basic_value().into_int_value();

        // Phi to merge found-flag (i1): 1 on found, 0 on miss
        let i1_type = self.context.bool_type();
        let one = i1_type.const_int(1, false);
        let zero = i1_type.const_int(0, false);
        let flag_phi = self
            .builder
            .build_phi(i1_type, "off_found_phi")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        flag_phi.add_incoming(&[(&one, found_block), (&zero, miss_block)]);
        let found_flag = flag_phi.as_basic_value().into_int_value();

        self.store_offsets_found_flag(found_flag)?;
        Ok((final_addr, found_flag))
    }
    /// Load a register value from pt_regs
    pub fn load_register_value(
        &mut self,
        reg_num: u16,
        pt_regs_ptr: PointerValue<'ctx>,
    ) -> Result<BasicValueEnum<'ctx>> {
        // Check cache first
        if let Some(cached_value) = self.register_cache.get(&reg_num) {
            return Ok((*cached_value).into());
        }

        // Map DWARF register number to pt_regs offset
        let pt_regs_offset = self.dwarf_reg_to_pt_regs_offset(reg_num)?;

        // Calculate pointer to register in pt_regs structure
        let i64_type = self.context.i64_type();
        let offset_value = i64_type.const_int(pt_regs_offset as u64, false);

        let reg_ptr = unsafe {
            self.builder
                .build_gep(
                    i64_type,
                    pt_regs_ptr,
                    &[offset_value],
                    &format!("reg_{reg_num}_ptr"),
                )
                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
        };

        // Load the register value
        let reg_value = self
            .builder
            .build_load(i64_type, reg_ptr, &format!("reg_{reg_num}"))
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        if let BasicValueEnum::IntValue(int_val) = reg_value {
            // Cache the value
            self.register_cache.insert(reg_num, int_val);
            Ok(reg_value)
        } else {
            Err(CodeGenError::RegisterMappingError(format!(
                "Failed to load register {reg_num} as integer"
            )))
        }
    }

    /// Generate memory read using bpf_probe_read_user
    pub fn generate_memory_read(
        &mut self,
        addr: IntValue<'ctx>,
        size: MemoryAccessSize,
    ) -> Result<BasicValueEnum<'ctx>> {
        let i64_type = self.context.i64_type();
        let ptr_type = self.context.ptr_type(AddressSpace::default());
        let zero_const = i64_type.const_zero();
        let offsets_found = self.load_offsets_found_flag()?;
        let not_found = self
            .builder
            .build_not(offsets_found, "offsets_miss")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        let result_size = size.bytes();
        let buffer_name = format!("_temp_read_buffer_{result_size}");
        let global_buffer = match self.module.get_global(&buffer_name) {
            Some(existing) => existing.as_pointer_value(),
            None => {
                let array_type = self.context.i8_type().array_type(result_size as u32);
                let global =
                    self.module
                        .add_global(array_type, Some(AddressSpace::default()), &buffer_name);
                global.set_initializer(&array_type.const_zero());
                global.as_pointer_value()
            }
        };

        let stack_ptr = global_buffer;
        let dst_ptr = self
            .builder
            .build_bit_cast(stack_ptr, ptr_type, "dst_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let base_src_ptr = self
            .builder
            .build_int_to_ptr(addr, ptr_type, "src_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let null_ptr = ptr_type.const_null();
        let src_ptr = self
            .builder
            .build_select::<BasicValueEnum<'ctx>, _>(
                offsets_found,
                base_src_ptr.into(),
                null_ptr.into(),
                "src_or_null",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            .into_pointer_value();

        let i32_type = self.context.i32_type();
        let helper_id = i64_type.const_int(BPF_FUNC_probe_read_user as u64, false);
        let helper_fn_type =
            i32_type.fn_type(&[ptr_type.into(), i32_type.into(), ptr_type.into()], false);
        let helper_fn_ptr = self
            .builder
            .build_int_to_ptr(helper_id, ptr_type, "probe_read_user_fn")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let size_val = i32_type.const_int(result_size as u64, false);
        let zero_i32 = i32_type.const_zero();
        let effective_size = self
            .builder
            .build_select::<BasicValueEnum<'ctx>, _>(
                offsets_found,
                size_val.into(),
                zero_i32.into(),
                "size_or_zero",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            .into_int_value();
        let call_args: Vec<BasicMetadataValueEnum> =
            vec![dst_ptr.into(), effective_size.into(), src_ptr.into()];

        let _ = self
            .builder
            .build_indirect_call(
                helper_fn_type,
                helper_fn_ptr,
                &call_args,
                "probe_read_result",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        let result_type: BasicTypeEnum = match size {
            MemoryAccessSize::U8 => self.context.i8_type().into(),
            MemoryAccessSize::U16 => self.context.i16_type().into(),
            MemoryAccessSize::U32 => self.context.i32_type().into(),
            MemoryAccessSize::U64 => self.context.i64_type().into(),
        };
        let typed_ptr = self
            .builder
            .build_bit_cast(
                stack_ptr,
                self.context.ptr_type(AddressSpace::default()),
                "typed_ptr",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let loaded_value = if let BasicValueEnum::PointerValue(ptr) = typed_ptr {
            self.builder
                .build_load(result_type, ptr, "loaded_value")
                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
        } else {
            return Err(CodeGenError::MemoryAccessError(
                "Failed to cast result pointer".to_string(),
            ));
        };

        let loaded_i64 = if let BasicValueEnum::IntValue(int_val) = loaded_value {
            if int_val.get_type().get_bit_width() < 64 {
                self.builder
                    .build_int_z_extend(int_val, i64_type, "extended")
                    .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            } else {
                int_val
            }
        } else {
            return Err(CodeGenError::MemoryAccessError(
                "Expected integer value from memory read".to_string(),
            ));
        };

        // Record failure if offsets were missing.
        let i8_type = self.context.i8_type();
        let miss_i8 = self
            .builder
            .build_int_z_extend(not_found, i8_type, "miss_i8")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let fail_ptr = self.get_or_create_flag_global("_gs_any_fail");
        let cur_fail = self
            .builder
            .build_load(i8_type, fail_ptr, "cur_fail")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            .into_int_value();
        let new_fail = self
            .builder
            .build_or(cur_fail, miss_i8, "fail_or_miss")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        self.builder
            .build_store(fail_ptr, new_fail)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        let zero_bv: BasicValueEnum = zero_const.into();
        let val_bv: BasicValueEnum = loaded_i64.into();
        let sel = self
            .builder
            .build_select::<BasicValueEnum<'ctx>, _>(
                offsets_found,
                val_bv,
                zero_bv,
                "offset_value_or_zero",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        Ok(sel)
    }

    /// Generate memory read with runtime status capture (for control-flow conditions).
    /// On helper failure, sets condition error code (if active) and returns zero value.
    pub fn generate_memory_read_with_status(
        &mut self,
        addr: IntValue<'ctx>,
        size: MemoryAccessSize,
    ) -> Result<BasicValueEnum<'ctx>> {
        let i64_type = self.context.i64_type();
        let ptr_type = self.context.ptr_type(AddressSpace::default());
        let zero_const = i64_type.const_zero();

        let offsets_found = self.load_offsets_found_flag()?;
        let not_found = self
            .builder
            .build_not(offsets_found, "offsets_miss_cf")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        let result_size = size.bytes();
        let buffer_name = format!("_temp_read_buffer_{result_size}");
        let global_buffer = match self.module.get_global(&buffer_name) {
            Some(existing) => existing.as_pointer_value(),
            None => {
                let array_type = self.context.i8_type().array_type(result_size as u32);
                let global =
                    self.module
                        .add_global(array_type, Some(AddressSpace::default()), &buffer_name);
                global.set_initializer(&array_type.const_zero());
                global.as_pointer_value()
            }
        };

        let dst_ptr = self
            .builder
            .build_bit_cast(global_buffer, ptr_type, "dst_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let base_src_ptr = self
            .builder
            .build_int_to_ptr(addr, ptr_type, "src_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let null_ptr = ptr_type.const_null();
        let src_ptr = self
            .builder
            .build_select::<BasicValueEnum<'ctx>, _>(
                offsets_found,
                base_src_ptr.into(),
                null_ptr.into(),
                "src_or_null_cf",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            .into_pointer_value();

        let i32_type = self.context.i32_type();
        let helper_id = i64_type.const_int(BPF_FUNC_probe_read_user as u64, false);
        let helper_fn_type =
            i32_type.fn_type(&[ptr_type.into(), i32_type.into(), ptr_type.into()], false);
        let helper_fn_ptr = self
            .builder
            .build_int_to_ptr(helper_id, ptr_type, "probe_read_user_fn")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let size_val = i32_type.const_int(result_size as u64, false);
        let zero_i32 = i32_type.const_zero();
        let effective_size = self
            .builder
            .build_select::<BasicValueEnum<'ctx>, _>(
                offsets_found,
                size_val.into(),
                zero_i32.into(),
                "size_or_zero_cf",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            .into_int_value();
        let call_args: Vec<BasicMetadataValueEnum> =
            vec![dst_ptr.into(), effective_size.into(), src_ptr.into()];

        let call_site = self
            .builder
            .build_indirect_call(
                helper_fn_type,
                helper_fn_ptr,
                &call_args,
                "probe_read_result_cf",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let ret_iv = call_site.try_as_basic_value().left().ok_or_else(|| {
            CodeGenError::LLVMError("Expected integer return from helper".to_string())
        })?;
        let ret_i32 = ret_iv.into_int_value();

        let read_fail = self
            .builder
            .build_int_compare(
                inkwell::IntPredicate::NE,
                ret_i32,
                i32_type.const_zero(),
                "read_fail",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let combined_fail = self
            .builder
            .build_or(read_fail, not_found, "combined_fail")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        let cur_block = self.builder.get_insert_block().unwrap();
        let func = cur_block.get_parent().unwrap();
        let set_block = self.context.append_basic_block(func, "set_cond_err");
        let cont_block = self.context.append_basic_block(func, "read_cont");
        self.builder
            .build_conditional_branch(combined_fail, set_block, cont_block)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        self.builder.position_at_end(set_block);
        let _ = self.set_condition_error_if_unset(2u8);
        let _ = self.set_condition_error_addr_if_unset(addr);
        self.builder
            .build_unconditional_branch(cont_block)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        self.builder.position_at_end(cont_block);

        let result_type: BasicTypeEnum = match size {
            MemoryAccessSize::U8 => self.context.i8_type().into(),
            MemoryAccessSize::U16 => self.context.i16_type().into(),
            MemoryAccessSize::U32 => self.context.i32_type().into(),
            MemoryAccessSize::U64 => self.context.i64_type().into(),
        };
        let typed_ptr = self
            .builder
            .build_bit_cast(
                global_buffer,
                self.context.ptr_type(AddressSpace::default()),
                "typed_ptr",
            )
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let loaded_value = self
            .builder
            .build_load(result_type, typed_ptr.into_pointer_value(), "loaded_value")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let loaded_i64 = if let BasicValueEnum::IntValue(iv) = loaded_value {
            if iv.get_type().get_bit_width() < 64 {
                self.builder
                    .build_int_z_extend(iv, i64_type, "ext_i64")
                    .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            } else {
                iv
            }
        } else {
            return Err(CodeGenError::MemoryAccessError(
                "Expected integer value from memory read".to_string(),
            ));
        };

        let zero_bv: BasicValueEnum = zero_const.into();
        let val_bv: BasicValueEnum = loaded_i64.into();
        let sel_bv = self
            .builder
            .build_select::<BasicValueEnum<'ctx>, _>(combined_fail, zero_bv, val_bv, "val_or_zero")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        let i8_type = self.context.i8_type();
        let combined_fail_i8 = self
            .builder
            .build_int_z_extend(combined_fail, i8_type, "combined_fail_i8")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let fail_ptr = self.get_or_create_flag_global("_gs_any_fail");
        let cur_fail = self
            .builder
            .build_load(i8_type, fail_ptr, "cur_fail_cf")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
            .into_int_value();
        let new_fail = self
            .builder
            .build_or(cur_fail, combined_fail_i8, "fail_or_miss_cf")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        self.builder
            .build_store(fail_ptr, new_fail)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        Ok(sel_bv)
    }
    /// Map DWARF register number to pt_regs offset (simplified)
    pub fn dwarf_reg_to_pt_regs_offset(&self, dwarf_reg: u16) -> Result<usize> {
        // Use platform-specific register mapping to get byte offset
        let byte_offset = register_mapping::dwarf_reg_to_pt_regs_byte_offset(dwarf_reg)
            .ok_or_else(|| {
                CodeGenError::RegisterMappingError(format!(
                    "Unsupported DWARF register: {dwarf_reg}"
                ))
            })?;

        // Convert byte offset to u64 array index for pt_regs access
        let u64_index = byte_offset / core::mem::size_of::<u64>();
        Ok(u64_index)
    }

    /// Create eBPF helper call using the correct calling convention
    /// This creates an indirect call through the eBPF helper mechanism
    pub fn create_bpf_helper_call(
        &mut self,
        helper_id: u64,
        args: &[BasicValueEnum<'ctx>],
        return_type: BasicTypeEnum<'ctx>,
        call_name: &str,
    ) -> Result<BasicValueEnum<'ctx>> {
        use inkwell::types::BasicMetadataTypeEnum;

        // Create function type for the helper
        let arg_types: Vec<BasicMetadataTypeEnum> =
            args.iter().map(|arg| arg.get_type().into()).collect();
        let fn_type = return_type.fn_type(&arg_types, false);

        // Convert helper ID to function pointer for indirect call
        let i64_type = self.context.i64_type();
        let ptr_type = self.context.ptr_type(AddressSpace::default());

        let helper_id_val = i64_type.const_int(helper_id, false);
        let helper_fn_ptr = self
            .builder
            .build_int_to_ptr(helper_id_val, ptr_type, "helper_fn")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Convert args to metadata values
        let metadata_args: Vec<BasicMetadataValueEnum> =
            args.iter().map(|arg| (*arg).into()).collect();

        // Make the indirect call
        let call_result = self
            .builder
            .build_indirect_call(fn_type, helper_fn_ptr, &metadata_args, call_name)
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Convert CallSiteValue to BasicValueEnum
        Ok(call_result.try_as_basic_value().left().unwrap_or_else(|| {
            // If it's void, return a null value of the expected type
            return_type.const_zero()
        }))
    }

    /// Get current timestamp using bpf_ktime_get_ns
    pub fn get_current_timestamp(&mut self) -> Result<IntValue<'ctx>> {
        let i64_type = self.context.i64_type();

        // Call bpf_ktime_get_ns() - takes no arguments
        let timestamp = self.create_bpf_helper_call(
            BPF_FUNC_ktime_get_ns as u64,
            &[],
            i64_type.into(),
            "timestamp",
        )?;

        if let BasicValueEnum::IntValue(int_val) = timestamp {
            Ok(int_val)
        } else {
            Err(CodeGenError::LLVMError(
                "bpf_ktime_get_ns did not return integer".to_string(),
            ))
        }
    }

    /// Get current PID/TID using bpf_get_current_pid_tgid
    pub fn get_current_pid_tgid(&mut self) -> Result<IntValue<'ctx>> {
        let i64_type = self.context.i64_type();

        // Call bpf_get_current_pid_tgid() - returns combined PID/TID
        let pid_tgid = self.create_bpf_helper_call(
            BPF_FUNC_get_current_pid_tgid as u64,
            &[],
            i64_type.into(),
            "pid_tgid",
        )?;

        if let BasicValueEnum::IntValue(int_val) = pid_tgid {
            Ok(int_val)
        } else {
            Err(CodeGenError::LLVMError(
                "bpf_get_current_pid_tgid did not return integer".to_string(),
            ))
        }
    }

    /// Create event output using either RingBuf or PerfEventArray based on compile options
    /// This is the unified interface that should be used for all event output
    pub fn create_event_output(&mut self, data: PointerValue<'ctx>, size: u64) -> Result<()> {
        match self.compile_options.event_map_type {
            crate::EventMapType::RingBuf => self.create_ringbuf_output_internal(data, size),
            crate::EventMapType::PerfEventArray => {
                self.create_perf_event_output_internal(data, size)
            }
        }
    }

    /// Create ringbuf output using bpf_ringbuf_output (internal implementation)
    fn create_ringbuf_output_internal(
        &mut self,
        data: PointerValue<'ctx>,
        size: u64,
    ) -> Result<()> {
        let i64_type = self.context.i64_type();

        // Get ringbuf map
        let ringbuf_global = self
            .map_manager
            .get_ringbuf_map(&self.module, "ringbuf")
            .map_err(|e| {
                CodeGenError::MemoryAccessError(format!("Failed to get ringbuf map: {e}"))
            })?;

        // Arguments: map, data, size, flags
        let args = [
            ringbuf_global.into(),
            data.into(),
            i64_type.const_int(size, false).into(),
            i64_type.const_zero().into(), // flags = 0
        ];

        let _result = self.create_bpf_helper_call(
            BPF_FUNC_ringbuf_output as u64,
            &args,
            i64_type.into(),
            "ringbuf_output",
        )?;

        Ok(())
    }

    /// Create ringbuf output with dynamic size (IntValue)
    pub fn create_ringbuf_output_dynamic(
        &mut self,
        data: PointerValue<'ctx>,
        size: IntValue<'ctx>,
    ) -> Result<()> {
        let i64_type = self.context.i64_type();

        // Get ringbuf map
        let ringbuf_global = self
            .map_manager
            .get_ringbuf_map(&self.module, "ringbuf")
            .map_err(|e| {
                CodeGenError::MemoryAccessError(format!("Failed to get ringbuf map: {e}"))
            })?;

        // Arguments: map, data, size (dynamic), flags
        let args = [
            ringbuf_global.into(),
            data.into(),
            size.into(),
            i64_type.const_zero().into(), // flags = 0
        ];

        let _result = self.create_bpf_helper_call(
            BPF_FUNC_ringbuf_output as u64,
            &args,
            i64_type.into(),
            "ringbuf_output",
        )?;

        Ok(())
    }

    /// Lookup per-CPU map value pointer for a given map name and u32 key constant
    pub fn lookup_percpu_value_ptr(
        &mut self,
        map_name: &str,
        key_const: u32,
    ) -> Result<PointerValue<'ctx>> {
        let ptr_ty = self.context.ptr_type(AddressSpace::default());
        let i32_ty = self.context.i32_type();
        let map_global = self
            .map_manager
            .get_map(&self.module, map_name)
            .map_err(|e| CodeGenError::LLVMError(format!("Map not found {map_name}: {e}")))?;
        let map_ptr = self
            .builder
            .build_bit_cast(map_global, ptr_ty, "map_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // Prepare stack key in the entry-block alloca (reuse pm_key's first i32 slot)
        let key_arr_ty = i32_ty.array_type(4);
        let key_alloca = self.pm_key_alloca.ok_or_else(|| {
            CodeGenError::LLVMError("pm_key not allocated in entry block".to_string())
        })?;
        let zero = i32_ty.const_zero();
        let base_i32_ptr = unsafe {
            self.builder
                .build_gep(key_arr_ty, key_alloca, &[zero, zero], "percpu_key_i32_ptr")
                .map_err(|e| CodeGenError::LLVMError(e.to_string()))?
        };
        self.builder
            .build_store(base_i32_ptr, i32_ty.const_int(key_const as u64, false))
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;
        let key_ptr = self
            .builder
            .build_bit_cast(base_i32_ptr, ptr_ty, "key_ptr")
            .map_err(|e| CodeGenError::LLVMError(e.to_string()))?;

        // long bpf_map_lookup_elem(void *map, const void *key) -> void *
        let ret = self.create_bpf_helper_call(
            BPF_FUNC_map_lookup_elem as u64,
            &[map_ptr, key_ptr],
            ptr_ty.into(),
            "map_lookup_elem",
        )?;
        let val_ptr = if let BasicValueEnum::PointerValue(p) = ret {
            p
        } else {
            return Err(CodeGenError::LLVMError(
                "map_lookup_elem did not return pointer".to_string(),
            ));
        };
        Ok(val_ptr)
    }

    /// Create perf event output using bpf_perf_event_output (internal implementation)
    fn create_perf_event_output_internal(
        &mut self,
        data: PointerValue<'ctx>,
        size: u64,
    ) -> Result<()> {
        let size_val = self.context.i64_type().const_int(size, false);
        self.create_perf_event_output_dynamic(data, size_val)
    }

    /// Create perf event output with dynamic size (IntValue)
    pub fn create_perf_event_output_dynamic(
        &mut self,
        data: PointerValue<'ctx>,
        size: IntValue<'ctx>,
    ) -> Result<()> {
        let i64_type = self.context.i64_type();

        // Get the current pt_regs pointer (first argument to eBPF program)
        let ctx_param = self
            .builder
            .get_insert_block()
            .and_then(|bb| bb.get_parent())
            .and_then(|func| func.get_first_param())
            .ok_or_else(|| {
                CodeGenError::LLVMError("Failed to get context parameter".to_string())
            })?;

        // Get perf event array map
        let events_global = self
            .map_manager
            .get_perf_map(&self.module, "events")
            .map_err(|e| {
                CodeGenError::MemoryAccessError(format!("Failed to get perf event map: {e}"))
            })?;

        // Arguments: ctx, map, flags, data, size
        // flags = BPF_F_CURRENT_CPU (0xFFFFFFFF) means use current CPU
        let args = [
            ctx_param,
            events_global.into(),
            i64_type.const_int(0xFFFFFFFF_u64, false).into(), // BPF_F_CURRENT_CPU
            data.into(),
            size.into(),
        ];

        let _result = self.create_bpf_helper_call(
            BPF_FUNC_perf_event_output as u64,
            &args,
            i64_type.into(),
            "perf_event_output",
        )?;

        Ok(())
    }
}