Plan: stack-trace builtins & runtime backtrace

Status — 2026-06-05 — L1 + L2 + L3a + `kit symbolize` + L3c (tool-side auto-backtrace) shipped (WS1–WS5); L3b remaining

L3c (WS5) — tool-side auto-backtrace for kit run and kit dbg — is now shipped. Both tools print a symbolized frame-pointer-chain backtrace at a fault/trap, reusing the DWARF reader they already own and never crossing into rt/. The decisive finding: the CFI stepper kit_dwarf_unwind_step (src/debug/dwarf_cfi.c:213) takes no memory provider, so when the return address is spilled to the stack (the normal case) it returns pc=0 and the walk dies after the leaf — the existing dbg bt was effectively single-frame. The fix is to walk the frame-pointer chain (kit's uniform fp[0]=caller fp / fp[1]=saved ra record, no .eh_frame needed), the same walk __kit_backtrace does, lifted tool-side with a memory-read callback.

Shared module driver/lib/backtrace.c + .h: the FP-step kernel (driver_bt_fp_step, with __kit_backtrace's guards) + arch FP-reg/ptr-size helpers + a PC-list symbolizer (driver_backtrace_print_pcs). Gated into the DBG/RUN tool builds (mk/driver_srcs.mk). Walks stop at the kit-image boundary (kit_jit_runtime_to_image == 0) so output ends at main and is host-independent (no libc/dyld trampoline noise).
kit dbg (driver/cmd/dbg.c): dbg_cmd_bt now advances via the FP-step kernel over kit_jit_session_read_mem (so it walks the whole stack, not just the leaf), and dbg_render_stop auto-invokes it on KIT_STOP_SIGNAL (faults + __builtin_trap/assert; not breakpoints/steps).
kit run (driver/cmd/run.c + driver/env/posix_dbg.c): a lightweight in-process crash guard (driver_run_with_crash_guard) installs SIGSEGV/SIGBUS/SIGILL/SIGFPE/SIGABRT/SIGTRAP handlers around the direct entry_fn call, reusing the existing dbg_ucontext_to_frame marshalling. Because kit run shares its stack with the program, the chain is captured inside the handler (before the post-siglongjmp stack is reused) and symbolized afterward in normal context; the process exits 128 + signo. Windows has a no-op stub (vectored-handler port is a follow-up).
Tests: test/dbg/cases/toy-trap-backtrace (multi-frame trap → auto-bt + bt), updated toy-trap-stop golden, and a kit run crash lane in test/driver/run.sh (run-backtrace-*: non-zero exit + symbolized bt_leaf/bt_mid/bt_root + source file).

Scope note: kit emu auto-backtrace is out of scope (the emulator doesn't retain the guest's DWARF after load); left as a follow-up alongside L3b.

L3a (WS4) is now shipped on top of L1/L2:

L3a print __kit_print_backtrace — rt/lib/stack/print_backtrace.c walks via __kit_backtrace(buf, 64, skip=1) (skip hides the print frame, so #0 is the caller) and writes one raw #N 0x<hex> line per frame to the weak __kit_backtrace_write(const char*, size_t) sink. Integer/hex formatting is hand-rolled (no printf/libc pulled into the panic path); the address uses uintptr_t so it is not truncated on LLP64. Declared in rt/include/kit/backtrace.h; added to RT_BASE_SRCS.
Output sink (open question resolved): weak no-op __kit_backtrace_write default, so freestanding images that never wire a sink still link; the host / _start overrides it to route bytes to write(2) (or a UART). Chosen over a mandatory explicit-sink param to keep freestanding builds link-clean.
Assert hook (deferred from L2) — rt/lib/assert/assert.c::__kit_assert_fail now emits a kit: assertion failed: <expr>, file <file>, line <line>, function <func> banner then __kit_print_backtrace() before __builtin_trap(), all through the same weak sink (printf-free). Pulling __kit_assert_fail therefore also pulls print_backtrace.o → backtrace.o from the archive — the intended wiring.
Symbolization is out-of-process via two hosted tools that share one DWARF-open + func/line core (driver/lib/dwarfsym.c):
- kit addr2line — the faithful GNU/LLVM clone (bare addresses in, file:line out), unchanged in contract.
- kit symbolize (driver/cmd/symbolize.c, shipped) — reads the raw #N 0x<hex> stream __kit_print_backtrace emits, finds the address on each line, resolves it through the same DWARF reader, and rewrites the line in place as #0 0x401136 bt_leaf at addr2line_prog.c:51:3, keeping the #N framing addr2line structurally can't. Lines with no address pass through verbatim. A single -e <image> today; multi--e/module-map (for libc.so frames that need their own load slide) is the natural extension. Verified round-trip: a static non-PIE ELF prints its own trace at runtime, and the captured addresses resolve bt_leaf/bt_mid/bt_root/test_main through both kit addr2line -f -e <image> and kit symbolize -e <image> (outer no--g frames show ??).

Tests (L3a): test/rt/cases/print_backtrace.c (in-process parse of the emitted #N 0xADDR lines, aa64/x64/rv64 under exec, exit 42) and test/rt/addr2line.sh

test/rt/addr2line_prog.c (the symbolization round-trip, make target test-rt-backtrace). The round-trip script runs the captured stream through both lanes per arch/opt: kit addr2line -f over the bare addresses, and kit symbolize over the raw #N 0xADDR stream (asserting the #N framing is preserved and <func> at file:line is appended). test/rt/smoke.c also includes <kit/backtrace.h> so the header compiles on every rt-header target.

Opt coverage — the backtrace path passes at O0 and O1 on all three arches. The rt-runtime corpus (test/rt/run.sh) and the addr2line round-trip (test/rt/addr2line.sh) now sweep both opt levels (KIT_RT_OPT_LEVELS), so backtrace_capture (L2) and print_backtrace (L3a) are exercised against optimized callers — all green at O0/O1. Sweeping O1 also surfaced two unrelated, pre-existing kit bugs, left red (not skipped) and logged in doc/plan/TODO.md: (1) x86-64 -g -O1 + the 4-operand register-pinned syscall idiom aborts the compiler (too many memory asm operands, src/arch/x64/native.c:4014) — this is why the x64/O1 lane of test-rt-backtrace is red, though x64/O1 backtrace correctness is still proven by print_backtrace/backtrace_capture (no asm); (2) setjmp/longjmp is miscompiled at -O1 on every arch (setjmp_runtime/O1 returns 1, not 42 — the second-return value isn't observed), failing test-rt-runtime.

Remaining: L3b in-process self-symbolization (and the deferred kit emu auto-backtrace). WS5/L3c (tool-side auto-backtrace) is done — see Status.

Implemented and tested through L2:

L1 builtins __builtin_frame_address / __builtin_return_address — two CG intrinsics (KIT_CG_INTRIN_FRAME_ADDRESS / _RETURN_ADDRESS), constant level carried as a single IMM operand, lowered as an unrolled FP walk on aarch64 / x86-64 / riscv (O0 and O1, same backend handler). The C target forwards __builtin_* to the host compiler; wasm reports unsupported; the C frontend validates the level via eval_const_int.
L1 O1 modeling — IR_INTRINSIC is already conservatively side-effecting in opt (never DCE'd / CSE'd / hoisted), so no new effect modeling was needed. The one real O1 hazard — riscv's frameless-leaf tier (slim_prologue) emits no prologue and never anchors s0 — is handled by a new NativeKnownFrameDesc.reads_frame flag set during frame analysis when these intrinsics appear; aarch64/x64 keep the frame record in every prologue shape, so they need no change.
L2 capture __kit_backtrace — rt/lib/stack/backtrace.c + rt/include/kit/backtrace.h, in RT_BASE_SRCS for every variant.

Open questions resolved while building:

rv64 frame-record layout — the psABI ra@s0-8 / fp@s0-16 guess in the L2 sketch is wrong for kit. kit's prologue stores the pair at and above s0: [s0+0] = caller fp, [s0+ptr] = saved ra (verified against rv_build_prologue). So the layout is uniform across all kit targets (fp[0]/fp[1] in units of void*) — __kit_backtrace needs no per-arch offset table at all, just index 0 and 1.
wasm — diagnose unsupported (confirmed acceptable); the capability hook returns false and the C frontend emits a clean error.
leaf-frame omission — handled via reads_frame (above).

Tests: test/rt/cases/backtrace_capture.c (aa64/x64/rv64 under exec), test/parse/cases/builtin_29..31_* (+ cases_err/..._nonconst) across the D/R/E/J/C lanes at O0/O1, test/toy/cases/154_frame_return_address.toy.

Remaining tasks (L3)

Nothing in L1/L2/L3a is outstanding. What's left is the rest of L3:

~~WS4 — L3a:~~ done (see Status) — __kit_print_backtrace() + weak __kit_backtrace_write sink + assert-path hook + kit addr2line round-trip.
~~WS5 — kit symbolize:~~ done (see Status) — the hosted batching symbolizer that reads the #N 0x<hex> stream and annotates it in place, sharing driver/lib/dwarfsym.c with addr2line. Tested by the second lane of test/rt/addr2line.sh.
~~WS5 — L3c (tool-side auto-backtrace):~~ done (see Status) — kit run + kit dbg auto-print a symbolized FP-chain backtrace at a fault/trap via the shared driver/lib/backtrace.c; truncated at the kit-image boundary; never crosses into rt. kit emu auto-backtrace remains deferred (it doesn't retain the guest DWARF).
L3b: in-process self-symbolization (hosted-only libkit_bt.a); deferred until a concrete consumer needs in-binary symbolized panics.

All Open-questions items are now resolved (the L3a output sink chose the weak default — see Open questions).

Overview

kit has no way for compiled code to inspect its own call stack. This roadmap adds that capability in three layers: GCC-compatible primitive builtins (__builtin_return_address, __builtin_frame_address), a freestanding runtime capture function (__kit_backtrace), and a symbolizing print path (__kit_print_backtrace) that turns return addresses into func at file:line.

Matching design docs once shipped: ../FRONTENDS.md (the builtins), ../RUNTIME.md (the rt helpers), ../DWARF.md (symbolization).

Why

Portability. __builtin_return_address / __builtin_frame_address are a de-facto part of the GCC/Clang surface. Real C code (libc backtrace, sanitizer shims, allocators, profilers, unwind-free panic handlers) uses them; kit currently can't compile any of it.
Diagnostics. __kit_assert_fail (rt/lib/assert/assert.c) and the emulator fault path (src/emu/emu.c, compiler_panic) currently die silently with __builtin_trap(). A backtrace at the trap point is the single biggest debuggability win for kit-compiled programs.
It is cheap here, specifically. kit maintains a frame pointer on every backend and has no -fomit-frame-pointer (x29 on aarch64, rbp on x64, s0/x8 on rv64; AA_FP = 29 at src/arch/aa64/native.c:61). Every prologue stores a {saved_fp, saved_ra} frame record. Frame-pointer-chain walking is therefore reliable, with no unwind tables and no .eh_frame dependency.

What already exists (and what it can't do)

.eh_frame CFI is emitted by default for hosted targets (src/arch/mc.c:736, mc_emit_eh_frame), and off for freestanding.
A CFI unwinder, kit_dwarf_unwind_step (src/debug/dwarf_cfi.c:213), interprets FDE/CIE programs — but deliberately takes no memory provider, so it cannot self-unwind a live stack. It is built for the dbg/JIT path where a session reads target memory out-of-band (driver/cmd/dbg.c:1010, the bt command). It is not a candidate for in-process capture.
Symbolization (kit_dwarf_addr_to_line, kit_dwarf_func_at, include/kit/dwarf.h:21) is mature — it backs addr2line (driver/cmd/addr2line.c) and dbg bt. But it lives in libkit.a, not the freestanding runtime rt/. Pulling it into a freestanding image is a non-goal (see L3).
The runtime has zero unwind/backtrace code today. rt/lib/stack/ exists but holds only the Windows chkstk helper — a natural home for the new capture code.

Design consequence: capture via the FP chain; symbolize via the existing DWARF reader, kept on the hosted side of the boundary. Do not reuse the CFI unwinder for self-capture.

L1 — Primitive builtins (`__builtin_return_address`, `__builtin_frame_address`)

GCC semantics: __builtin_frame_address(n) returns the frame address of the current function (n=0) or its n-th caller; __builtin_return_address(n) returns the return address into that frame. The level argument must be an integer constant (kit validates via the existing eval_const_int() path, as __builtin_offsetof already does at parse_expr.c:1331). Out-of-range / runaway walks are allowed to return a garbage-but-safe value or 0, matching GCC's "use 0 only with care" contract.

Lowering: two new CG intrinsics, FP-chain only

Add to KitCgIntrinsic (include/kit/cg.h:916):

KIT_CG_INTRIN_FRAME_ADDRESS,   /* pop level(u32 const); push void*  */
KIT_CG_INTRIN_RETURN_ADDRESS,  /* pop level(u32 const); push void*  */

Both lower through one shared FP-walk so level 0 and level N use the same path, and so level 0's return address comes from the spilled frame-record slot (not the live LR/RA, which may be clobbered mid-function):

arch	FP reg	`frame(0)`	walk one frame	return addr from frame F
aarch64	x29	x29	`fp = *(fp)`	`*(fp + 8)` (saved x30)
x86-64	rbp	rbp	`fp = *(fp)`	`*(fp + 8)` (pushed retaddr)
rv64	s0/x8	s0	`fp = *(fp)`	`*(fp + ptr)` (saved ra)

The table is uniform across kit's targets: the prologue stores [fp+0] = caller fp, [fp+ptr] = saved ra everywhere (verified against rv_build_prologue — note this differs from the RISC-V psABI's ra@s0-8 / fp@s0-16, which an early draft of this table wrongly assumed).

For a constant level the walk unrolls to level dependent loads (typically 0–2), so no loop is emitted. wasm has no FP chain → diagnose unsupported, exactly as the IRQ/cache intrinsics already do per-arch.

Files to touch (the standard "new value-producing intrinsic" path)

include/kit/cg.h — two enum entries + doc comments.
src/cg/arith.c:1726 — two rows in the KitCgIntrinsic → INTRIN_* table.
src/cg/cgtarget.h:148 — two INTRIN_* enum entries (INTRIN_FRAME_ADDRESS, INTRIN_RETURN_ADDRESS).
lang/c/parse/parse_priv.h:231 + parse.c:1526 — intern __builtin_return_address / __builtin_frame_address symbols.
lang/c/parse/parse_expr.c (in try_parse_builtin_call, ~1696–2018) — two handlers: parse the constant level via eval_const_int, then emit the intrinsic with result type void*. New cg_adapter.c helper pcg_frame_or_return_address(p, kind, level).
Per-arch O0 lowering: src/arch/aa64/native.c (~~3572), src/arch/x64/native.c (~~3378), src/arch/riscv/native.c (~~2992) — emit the FP-walk loads; src/arch/wasm/emit.c (~~1590) + src/arch/c_target/c_emit.c (~2603) — handle or diagnose (C target can emit __builtin_* straight through to the host compiler).
Capability hooks: src/arch/{aa64,x64,riscv,wasm}/arch.c (alongside the existing KIT_CG_INTRIN_TRAP cases at e.g. aa64/arch.c:197).
Optimizer (O1/O2) [done]: in practice no new effect modeling was needed — IR_INTRINSIC is already conservatively side-effecting in opt (never DCE'd, CSE'd, or hoisted; see pass_dce.c), and the FP it reads is stable across the whole function, so scheduling is harmless. The one real O1 hazard turned out to be a backend frame issue, not an opt-modeling one: riscv's frameless-leaf tier (slim_prologue) emits no prologue and never anchors s0, so a leaf that reads its own frame would walk a stale s0. Fixed with a NativeKnownFrameDesc.reads_frame flag set in pass_native_emit.c frame analysis and ANDed into riscv's slim_prologue decision; aarch64/x64 keep the frame record in every prologue shape, so they need nothing. O1 smoke tests run on all three arches.

Tests (L1) [done]

test/toy/cases/154_frame_return_address.toy — CG-API case exercising both intrinsics at levels 0/1/2 (@[.noinline] chain pins the depth).
test/parse/cases/builtin_29_return_address.c, builtin_30_frame_address.c, and builtin_31_return_address_anchor.c; error case cases_err/builtin_return_address_nonconst.c for a non-constant level.
The plan's "anchor in caller's range" smoke check is builtin_31 (run via the parse harness's qemu/podman exec lane on x64 + aa64 + rv64 at O0 and O1), not a test/smoke script. It anchors on the caller's function address, not a &&label: GNU labels-as-values whose address is taken but never goto'd break at O1 (undefined reference to '.Lcfblk.N'; see doc/plan/TODO.md).

L2 — Capture: `__kit_backtrace` (freestanding runtime fn)

Surface decision (confirmed): primitives are builtins; capture/print are runtime functions, mirroring the GCC-builtin / glibc-backtrace split. New freestanding TU rt/lib/stack/backtrace.c, declared in a new public runtime header rt/include/kit/backtrace.h:

/* Fill buf[0..max) with return addresses, innermost first, skipping the
 * innermost `skip` frames (skip >= 1 hides __kit_backtrace itself).
 * Returns the number of frames written. Freestanding: pure FP walk, no libc,
 * no DWARF, works on every target that keeps a frame pointer (all of kit's). */
int __kit_backtrace(void** buf, int max, int skip);

Implementation is the L1 walk expressed in portable C: seed from __builtin_frame_address(0), then loop fp = *(void**)fp reading the saved-RA slot, stopping on a NULL saved-RA (the synthetic stack origin), a NULL or non-increasing fp (stack grows down — detect cycles/garbage), a misaligned link, or max. No per-arch knob is needed: kit's frame layout is uniform, so the walk indexes fp[0] (caller fp) and fp[1] (saved ra) as void**, which scales to the target pointer width automatically — no offset table, no #ifdef cascade. skip discards the innermost N frames (a print wrapper passes skip >= 1).

mk/rt.mk — added rt/lib/stack/backtrace.c to RT_BASE_SRCS (built for every variant; rt/lib/stack/ already compiled the Windows chkstk helper).
Assert-path hook — landed in WS4 (was deferred): rt/lib/assert/assert.c::__kit_assert_fail now emits a banner + __kit_print_backtrace() before __builtin_trap(). It needed the L3 __kit_print_backtrace(), so it shipped with WS4 rather than L2.

Tests (L2) [done]

test/rt/cases/backtrace_capture.c — a known-depth @[.noinline] recursion; asserts depth, all return addresses non-null, that the recursive frames share a call site (proving the walk follows the chain), and the skip/max bounds; return 42 on success. Runs under test/rt/run.sh on aa64/x64/rv64.

L3 — Symbolize & print: `__kit_print_backtrace`

This is where the freestanding boundary bites: turning an address into func at file:line needs the DWARF reader, which is libkit, not rt. Three sub-options, ordered by how cleanly they respect that boundary. Recommend shipping L3a now, leaving L3b/L3c as documented extensions.

L3a — raw print + out-of-process symbolization (shipped — WS4). __kit_print_backtrace() lives in rt (rt/lib/stack/print_backtrace.c), walks via __kit_backtrace, and writes raw lines (#0 0x401136, …) to a host-provided sink (the weak __kit_backtrace_write(const char*, size_t) the host or _start wires to write(2); freestanding default is a no-op). Symbolization is a separate hosted step through either kit addr2line (bare addresses) or kit symbolize (the raw #N 0x<hex> stream, annotated in place — shipped; see Status). Both share the DWARF-open + func/line core in driver/lib/dwarfsym.c and reuse the existing reader, so the freestanding image carries zero new symbolization code, matching how minimal panic handlers work in the wild.
L3b — in-process self-symbolization (hosted-only). A trimmed line/func reader (reusing kit_dwarf_addr_to_line + kit_dwarf_func_at) linked into a hosted-only archive — e.g. libkit_bt.a or a *-hosted rt variant — that opens the running image's own DWARF. Heavy (drags in the DWARF reader and an image-self-map); strictly opt-in, never in the freestanding default. Only build if a concrete consumer needs in-binary symbolized panics.
L3c — tool-side auto-backtrace. kit run / kit emu / dbg already own a DWARF reader and the dbg bt rendering path (driver/cmd/dbg.c:1010). Hook their fault/trap handlers (e.g. the EMU_TRAP_FAULT → compiler_panic site in src/emu/emu.c) to print a symbolized backtrace automatically. This is the highest-value, lowest-risk symbolized experience because it reuses everything and never crosses into rt. Largely independent of L1/L2 (the tools can unwind via their own session memory + kit_dwarf_unwind_step).

Tests (L3)

L3a [done]: test/rt/addr2line.sh (+ addr2line_prog.c) runs a kit-compiled program that prints its own trace, then symbolizes the captured stream two ways — kit addr2line -f over the bare addresses, and kit symbolize over the raw #N 0xADDR stream (asserting the #N framing survives and <func> at file:line is appended) — checking bt_leaf/bt_mid/bt_root/test_main appear (make target test-rt-backtrace, aa64/x64/rv64). In-process companion: test/rt/cases/print_backtrace.c parses the emitted #N 0xADDR lines.
L3c: an kit emu fault test asserting a symbolized frame line on stderr.

Suggested sequencing

WS1 — L1 primitives, O0 — all three native arches + parse/toy tests. ✅ done.
WS2 — L1 at O1/O2 — opt effect-modeling audit (turned out to need only the riscv frame-record fix) + O1 tests. ✅ done.
WS3 — L2 __kit_backtrace in rt + capture test. ✅ done (assert-hook moved to WS4 — it needs the L3 print fn).
WS4 — L3a raw print (__kit_print_backtrace + weak __kit_backtrace_write sink) + kit addr2line round-trip; wire the assert hook. ✅ done.
WS5 — kit symbolize hosted batching symbolizer over the #N 0x<hex> stream, sharing driver/lib/dwarfsym.c with addr2line; second lane of test/rt/addr2line.sh. ✅ done.
WS5 — L3c tool-side auto-backtrace for kit run + kit dbg. ✅ done (kit emu deferred — no retained guest DWARF).
L3b deferred until a consumer needs in-binary symbolized panics.

Open questions

None outstanding.

Resolved in WS4:

~~Output sink for L3a:~~ weak __kit_backtrace_write (no-op default) vs. requiring the host to pass a sink explicitly. Chose the weak default — it keeps freestanding builds linking with no sink, and a host / _start overrides it to route bytes to write(2) or a UART. (Resolved while building WS4.)

Resolved while building L1/L2:

~~wasm:~~ diagnose unsupported — confirmed acceptable; the capability hook returns false and the C frontend emits a clean error. (C target separately forwards __builtin_* to the host compiler.)
~~rv64 frame-record layout:~~ verified against rv_build_prologue — kit stores [s0+0]=caller fp, [s0+ptr]=saved ra (NOT the psABI ra@s0-8 / fp@s0-16), so the layout is uniform across targets.
~~leaf-frame omission:~~ handled by NativeKnownFrameDesc.reads_frame, which forces riscv off its frameless-leaf tier when these intrinsics appear; aa64/x64 always keep the frame record. (Level-0 reads the spilled slot via the FP, so no live-LR/RA fallback is needed.)

	kit kit
	git clone https://git.ryansepassi.com/git/kit.git
	Log \| Files \| Refs \| README

kit