Skip to content

ExecSolib strategy: make ddtrace.so directly executable#3711

Open
cataphract wants to merge 17 commits intomasterfrom
glopes/exec-solib
Open

ExecSolib strategy: make ddtrace.so directly executable#3711
cataphract wants to merge 17 commits intomasterfrom
glopes/exec-solib

Conversation

@cataphract
Copy link
Contributor

@cataphract cataphract commented Mar 19, 2026
edited
Loading

Introduce the ExecSolib spawn strategy by embedding an ELF entry point (_dd_solib_start) into ddtrace.so itself.

ddtrace.so becomes pie executable and runs without the dynamic linker. After self-relocation:

  • it loads the trampoline into memory, but doesn't execute it yet
  • it copies ddtrace.so (/proc/self/exe) into a memfd and massages it so its loading by the dynamic linker without php doesn't fail.
  • replaces in the command line all occurrences to ddtrace.so to /proc/self/fd/, so that dlopen from the trampoline will use the massaged version
  • loads the dynamic linker into memory
  • jumps into the dynamic linker after massaging the auxiliary vector so that ld.so executes the loaded trampoline

tested on glibc and musl on linux aarch64

Description

Reviewer checklist

  • Test coverage seems ok.
  • Appropriate labels assigned.

@cataphract cataphract requested review from a team as code owners March 19, 2026 17:44
@datadog-datadog-prod-us1
Copy link

datadog-datadog-prod-us1 bot commented Mar 20, 2026
edited by datadog-official bot
Loading

⚠️ Tests

Fix all issues with BitsAI or with Cursor

⚠️ Warnings

🧪 1049 Tests failed

initializationError from com.datadog.appsec.php.integration.RemoteConfigTests   View in Datadog   (Fix with Cursor) 
java.lang.AssertionError: No request with version 0 gotten within 12000 ms for com.datadog.appsec.php.mock_agent.rem_cfg.Target(some-name, none, )

java.lang.AssertionError: No request with version 0 gotten within 12000 ms for com.datadog.appsec.php.mock_agent.rem_cfg.Target(some-name, none, )
	at com.datadog.appsec.php.mock_agent.ConfigV07Handler.waitForVersion(ConfigV07Handler.groovy:72)
	at com.datadog.appsec.php.mock_agent.MockDatadogAgent.waitForRCVersion(MockDatadogAgent.groovy:80)
	at com.datadog.appsec.php.docker.AppSecContainer.waitForRCVersion(AppSecContainer.groovy:184)
	at org.codehaus.groovy.vmplugin.v8.IndyInterface.fromCache(IndyInterface.java:321)
	at com.datadog.appsec.php.integration.RemoteConfigTests.beforeAll(RemoteConfigTests.groovy:56)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
testSearchPhpBinaries from integration.DDTrace\Tests\Integration\PHPInstallerTest   View in Datadog   (Fix with Cursor) 
Risky Test
phpvfscomposer://tests/vendor/phpunit/phpunit/phpunit:52
testSimplePushAndProcess from laravel-58-test.DDTrace\Tests\Integrations\Laravel\V5_8\QueueTest   View in Datadog   (Fix with Cursor) 
Risky Test
phpvfscomposer://tests/vendor/phpunit/phpunit/phpunit:97
View all

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 86db928 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!

@codecov-commenter
Copy link

codecov-commenter commented Mar 20, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.73%. Comparing base (b9a49fa) to head (86db928).
⚠️ Report is 12 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #3711      +/-   ##
==========================================
- Coverage   68.77%   68.73%   -0.04%     
==========================================
  Files         166      166              
  Lines       19030    19030              
  Branches     1797     1797              
==========================================
- Hits        13087    13080       -7     
- Misses       5127     5135       +8     
+ Partials      816      815       -1
Flag Coverage Δ
helper-rust-integration 78.82% <ø> (-0.03%) ⬇️
helper-rust-unit 49.36% <ø> (-0.08%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 3 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b9a49fa...86db928. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@cataphract
ExecSolib strategy: make ddtrace.so directly executable
299e4f6 
Introduce the ExecSolib spawn strategy by embedding an ELF entry point
(_dd_solib_start) into ddtrace.so itself.
@cataphract
Load trampoline directly from file
b8586b7
@cataphract
DD_TRAMPOLINE_BIN was erroneously on the list of exported syms
4342179 
But the import can't be declared hidden. In the end the symbol will be
in the got but linker to emits a RELATIVE reloc (not GLOB_DAT) -- so
should work with our self-relocation.
@cataphract
Remove asan from solib loader, do not export entrypoint
9720a80
cataphract and others added 2 commits March 20, 2026 12:29
@cataphract
upd libdatadog
e3c4da7
@cataphract @claude
solib_bootstrap: fix x86-64 ld.so jump clobbering entry address
82345e8 
The x86-64 inline asm restoring the kernel stack and jumping to ld.so:

    "mov %[sp], %%rsp\n"
    "xor %%edx, %%edx\n"   // required: rdx = 0 for ld.so startup ABI
    "jmpq *%[entry]\n"

GCC at -O0 allocated %[entry] (ldso_entry) to rdx, causing the xor to
zero the jump target before the jmpq executed → SIGSEGV at address 0x0
on every x86-64 ExecSolib launch.

The fix is to pin ldso_entry to rax via the "a" constraint.  Using the
"rdx" clobber alone is not sufficient: GCC is permitted to allocate
input operands into clobbered registers because inputs are consumed
before the asm fires.  A specific register constraint ("a" = rax) is
the correct and optimization-safe solution.

With the fix, GCC emits:
    mov  %rcx, %rsp    ; stack_top in rcx (or any non-rax "r")
    xor  %edx, %edx    ; zero rdx (harmless: entry is in rax)
    jmpq *%rax         ; jump to ldso_entry

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@pr-commenter
Copy link

pr-commenter bot commented Mar 20, 2026
edited
Loading

Benchmarks [ tracer ]

Benchmark execution time: 2026-03-22 03:32:20

Comparing candidate commit 9293858 in PR branch glopes/exec-solib with baseline commit b9a49fa in branch master.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 192 metrics, 1 unstable metrics.

scenario:MessagePackSerializationBench/benchMessagePackSerialization-opcache

  • 🟥 execution_time [+3.391µs; +4.449µs] or [+3.050%; +4.001%]

@cataphract cataphract force-pushed the glopes/exec-solib branch 2 times, most recently from 76bb66d to 4e0b02e Compare March 21, 2026 12:44
@cataphract cataphract force-pushed the glopes/exec-solib branch 2 times, most recently from 4cffacf to 9293858 Compare March 22, 2026 02:16
@cataphract cataphract force-pushed the glopes/exec-solib branch 2 times, most recently from 6e1977d to 09acb37 Compare March 24, 2026 16:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cataphract @codecov-commenter