From: sashiko-bot@kernel.org
To: "Tengda Wu" <wutengda@huaweicloud.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v3 16/21] perf annotate-arm64: Support stack variable tracking
Date: Wed, 01 Jul 2026 04:16:47 +0000 [thread overview]
Message-ID: <20260701041647.81CE41F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701035355.752944-17-wutengda@huaweicloud.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [Medium] Incomplete handling of ARM64 load/store pair instructions (ldp/stp) causes type tracking corruption by ignoring the second register.
- [Medium] Missing invalidation of destination register when type resolution fails during a memory load.
- [Medium] Missing invalidation of stack state when storing an unknown register type.
- [Medium] Incorrect stack offset calculation when accessing memory via the stack pointer while a different frame base register is active.
--
commit 3e734515747646c2063edf487f47005c1433cf1a
Author: Tengda Wu <wutengda@huaweicloud.com>
perf annotate-arm64: Support stack variable tracking
This commit extends update_insn_state() for arm64 to track data types
stored on the stack. It handles stack loads and stores to update the
register's type state or stack state. This allows 'perf annotate' to
maintain type information for local variables as they move between registers
and memory.
> diff --git a/tools/perf/util/annotate-arch/annotate-arm64.c b/tools/perf/util/annotate-arch/annotate-arm64.c
> index f283596bb0589..255ccaf331309 100644
> --- a/tools/perf/util/annotate-arch/annotate-arm64.c
> +++ b/tools/perf/util/annotate-arch/annotate-arm64.c
[ ... ]
> @@ -368,6 +371,8 @@ static void update_load_insn_state(struct type_state *state,
> int reg_offset;
> int sreg = src->reg1;
> int dreg = dst->reg1;
^^^^^^^^^^^^^^^^^^^^
[Severity: Medium]
When handling ARM64 load pair instructions (ldp), does this code ignore the
second destination register (dst->reg2)? The second register of a load pair
could retain its stale type instead of being updated, which might lead to
false type propagation.
> + int fbreg = dloc->fbreg;
> + int fboff = 0;
>
> if (!has_reg_type(state, dreg))
> goto out_adjust;
> @@ -375,7 +380,52 @@ static void update_load_insn_state(struct type_state *state,
> tsr = &state->regs[dreg];
> tsr->copied_from = -1;
>
> + if (dloc->fb_cfa) {
> + u64 ip = dloc->ms->sym->start + dl->al.offset;
> + u64 pc = map__rip_2objdump(dloc->ms->map, ip);
> +
> + if (die_get_cfa(dloc->di->dbg, pc, &fbreg, &fboff) < 0)
> + fbreg = -1;
> + }
> +
> retry:
> + /* Check stack variables with offset */
> + if (sreg == fbreg || sreg == state->stack_reg) {
> + struct type_state_stack *stack;
> + int offset = src->offset - fboff;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: Medium]
Will this subtract the frame base offset even when the access is relative to
the stack pointer (when sreg == state->stack_reg)? If the stack pointer is
used and fbreg is different (e.g., x29), this could yield an incorrect
internal stack offset and lose type information.
> +
> + stack = find_stack_state(state, offset);
[ ... ]
> @@ -413,6 +463,70 @@ static void update_load_insn_state(struct type_state *state,
> adjust_reg_index_state(state, src, "ldr", insn_offset);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: Medium]
Is the destination register left uninvalidated if type resolution fails
during a memory load and the code falls through the multi-regs retry logic
to the out_adjust label? The destination register could retain its prior type
instead of being invalidated, even though its value was overwritten by an
unknown memory load.
> }
>
> +static void update_store_insn_state(struct type_state *state,
> + struct data_loc_info *dloc,
> + struct disasm_line *dl,
> + struct annotated_op_loc *src,
> + struct annotated_op_loc *dst)
> +{
> + struct type_state_reg *tsr;
> + u32 insn_offset = dl->al.offset;
> + int sreg = src->reg1;
> + int dreg = dst->reg1;
^^^^^^^^^^^^^^^^^^^^
[Severity: Medium]
Similar to the load instructions, does this logic ignore the second source
register (src->reg2) for ARM64 store pair instructions (stp)? The second
register of a store pair wouldn't be saved to the stack.
> + int fbreg = dloc->fbreg;
> + int fboff = 0;
> +
> + if (!has_reg_type(state, sreg) || !state->regs[sreg].ok)
> + goto out_adjust;
^^^^^^^^^^^^^^^^
[Severity: Medium]
By skipping the rest of the function here, are we bypassing the invalidation
of the stack state? If an untracked register is stored into a stack slot that
previously held a tracked type, the stale type might persist on the stack.
> +
> + if (dloc->fb_cfa) {
> + u64 ip = dloc->ms->sym->start + dl->al.offset;
> + u64 pc = map__rip_2objdump(dloc->ms->map, ip);
> +
> + if (die_get_cfa(dloc->di->dbg, pc, &fbreg, &fboff) < 0)
> + fbreg = -1;
> + }
> +
> + /* Check stack variables with offset */
> + if (dreg == fbreg || dreg == state->stack_reg) {
> + struct type_state_stack *stack;
> + int offset = dst->offset - fboff;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: Medium]
Could this calculation yield an incorrect internal stack offset by
subtracting the frame base offset even when the access is relative to the
stack pointer? This could happen if the frame base register is different from
the stack pointer.
> +
> + tsr = &state->regs[sreg];
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701035355.752944-1-wutengda@huaweicloud.com?part=16
next prev parent reply other threads:[~2026-07-01 4:16 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-01 3:53 [PATCH v3 00/21] perf arm64: Support data type profiling Tengda Wu
2026-07-01 3:53 ` [PATCH v3 01/21] perf capstone: Fix kernel map reference count leak Tengda Wu
2026-07-01 3:53 ` [PATCH v3 02/21] perf capstone: Fix arm64 jump/adrp disassembly mismatch with objdump Tengda Wu
2026-07-01 4:07 ` sashiko-bot
2026-07-01 6:44 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 03/21] perf llvm: Fix arm64 adrp instruction " Tengda Wu
2026-07-01 4:05 ` sashiko-bot
2026-07-01 6:45 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 04/21] perf annotate-arm64: Generalize arm64_mov__parse to support more instructions Tengda Wu
2026-07-01 4:03 ` sashiko-bot
2026-07-01 6:57 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 05/21] perf annotate-arm64: Handle load and store instructions Tengda Wu
2026-07-01 4:07 ` sashiko-bot
2026-07-01 7:03 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 06/21] perf dwarf-regs: Adapt get_dwarf_regnum() for arm64 Tengda Wu
2026-07-01 4:07 ` sashiko-bot
2026-07-01 7:14 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 07/21] perf annotate: Adapt arch__dwarf_regnum() " Tengda Wu
2026-07-01 3:53 ` [PATCH v3 08/21] perf annotate: Introduce extract_op_location callback for arch-specific parsing Tengda Wu
2026-07-01 4:06 ` sashiko-bot
2026-07-01 7:29 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 09/21] perf annotate-arm64: Implement extract_op_location() callback Tengda Wu
2026-07-01 4:10 ` sashiko-bot
2026-07-01 7:36 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 10/21] perf annotate: Deduplicate overlapping ARM SPE events for data type profiling Tengda Wu
2026-07-01 4:06 ` sashiko-bot
2026-07-01 3:53 ` [PATCH v3 11/21] perf auxtrace: Set default period to 1 for PERF_ITRACE_PERIOD_INSTRUCTIONS type Tengda Wu
2026-07-01 4:05 ` sashiko-bot
2026-07-01 3:53 ` [PATCH v3 12/21] perf annotate-data: Extract invalidate_reg_state() as a common helper Tengda Wu
2026-07-01 3:53 ` [PATCH v3 13/21] perf annotate-arm64: Enable instruction tracking support Tengda Wu
2026-07-01 4:12 ` sashiko-bot
2026-07-01 7:56 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 14/21] perf annotate-arm64: Support load instruction tracking Tengda Wu
2026-07-01 4:14 ` sashiko-bot
2026-07-01 8:37 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 15/21] perf annotate-arm64: Support store " Tengda Wu
2026-07-01 3:53 ` [PATCH v3 16/21] perf annotate-arm64: Support stack variable tracking Tengda Wu
2026-07-01 4:16 ` sashiko-bot [this message]
2026-07-01 3:53 ` [PATCH v3 17/21] perf annotate-arm64: Support 'mov' instruction tracking Tengda Wu
2026-07-01 4:21 ` sashiko-bot
2026-07-01 8:46 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 18/21] perf annotate-arm64: Support 'add' " Tengda Wu
2026-07-01 4:16 ` sashiko-bot
2026-07-01 8:47 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 19/21] perf annotate-arm64: Support 'adrp' instruction to track global variables Tengda Wu
2026-07-01 4:15 ` sashiko-bot
2026-07-01 8:48 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 20/21] perf annotate-arm64: Support per-cpu variable access tracking Tengda Wu
2026-07-01 4:18 ` sashiko-bot
2026-07-01 3:53 ` [PATCH v3 21/21] perf annotate-arm64: Support 'mrs' instruction to track 'current' pointer Tengda Wu
2026-07-01 4:16 ` sashiko-bot
2026-07-01 8:56 ` Tengda Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260701041647.81CE41F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wutengda@huaweicloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox