From: sashiko-bot@kernel.org
To: "Chun-Tse Shao" <ctshao@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH] perf stat: Merge CPU maps when merging uncore aliases
Date: Thu, 16 Apr 2026 21:56:09 +0000 [thread overview]
Message-ID: <20260416215610.21210C2BCAF@smtp.kernel.org> (raw)
In-Reply-To: <20260416204828.1303734-1-ctshao@google.com>
Sashiko AI review found 2 potential issue(s):
- [Medium] Expanding `evsel->core.cpus` without reallocating parallel arrays causes a deterministic NULL pointer dereference and out-of-bounds access.
- [Medium] Missing error handling for `perf_cpu_map__merge()`, masking memory allocation failures.
--
commit ca357f612c76d14c9a719708c9f0cdce0f262717
Author: Chun-Tse Shao <ctshao@google.com>
perf stat: Merge CPU maps when merging uncore aliases
This commit merges CPU maps for aliases in evsel__merge_aggr_counters() to
prevent the display logic from hiding sockets with zero counts. It aims to
ensure the aggregated event correctly reflects all underlying PMU instances.
> diff --git a/tools/perf/util/stat.c b/tools/perf/util/stat.c
> index 14d169e22e8f5..d696d217f98d6 100644
> --- a/tools/perf/util/stat.c
> +++ b/tools/perf/util/stat.c
[ ... ]
> @@ -535,6 +535,12 @@ static int evsel__merge_aggr_counters(struct evsel *evsel, struct evsel *alias)
> aggr_counts_a->run += aggr_counts_b->run;
> }
>
> + /*
> + * Merge the CPU maps so that the display logic (e.g. should_skip_zero_counter)
> + * knows this merged event covers all CPUs from both aliases.
> + */
> + perf_cpu_map__merge(&evsel->core.cpus, alias->core.cpus);
perf_cpu_map__merge() can fail and return an error code like -ENOMEM.
Should we check the return value here and propagate the error, instead of
ignoring it?
Additionally, does expanding the CPU map in-place here cause out-of-bounds
memory accesses?
Arrays like evsel->counts and evsel->prev_raw_counts are allocated earlier
based on the original size of evsel->core.cpus:
tools/perf/util/stat.c:evsel__alloc_prev_raw_counts() {
int cpu_map_nr = evsel__nr_cpus(evsel);
int nthreads = perf_thread_map__nr(evsel->core.threads);
struct perf_counts *counts;
counts = perf_counts__new(cpu_map_nr, nthreads);
...
}
If perf_cpu_map__merge() increases the number of CPUs in the map, later
iterations over the CPU map (such as in interval mode) will access these
parallel xyarrays out of bounds. When the loop index exceeds the original
array size, the access returns NULL and causes a segmentation fault when
unconditionally dereferenced.
Do we need to reallocate evsel->counts and evsel->prev_raw_counts when
merging these CPU maps?
> +
> return 0;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260416204828.1303734-1-ctshao@google.com?part=1
prev parent reply other threads:[~2026-04-16 21:56 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-16 20:48 [PATCH] perf stat: Merge CPU maps when merging uncore aliases Chun-Tse Shao
2026-04-16 21:05 ` Ian Rogers
2026-04-16 21:56 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260416215610.21210C2BCAF@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=ctshao@google.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox