Linux Perf Users
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Athira Rajeev" <atrajeev@linux.ibm.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 9/9] tools/perf/powerpc: Add logical address in decoded traces
Date: Wed, 01 Jul 2026 09:13:03 +0000	[thread overview]
Message-ID: <20260701091304.AD9761F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701084115.80383-10-atrajeev@linux.ibm.com>

Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:

New issues:
- [High] Improper error handling causes memory leak and potential segfault during initialization.
- [High] File write failures cause an infinite loop in trace line parsing.
- [High] String replacement logic corrupts output for trace lines with multiple addresses.
- [Medium] Unmapped physical addresses are incorrectly overwritten with 0x0, destroying trace information.
- [Medium] Trace lines that do not match the event label regex are silently dropped from the translated dump.

Pre-existing issues:
- [High] Malformed physical addresses cause an infinite loop in trace line parsing.
--

commit cce34e6215ec4758fecae703f279c8591debaca6
Author: Athira Rajeev <atrajeev@linux.ibm.com>

tools/perf/powerpc: Add logical address in decoded traces

This patch enhances post-processing to translate physical addresses to
logical addresses in the decoded output. It creates a new .l output file
with these translated addresses. It also allows optional LP index filtering
when dumping traces.

> diff --git a/tools/perf/util/powerpc-htm.c b/tools/perf/util/powerpc-htm.c
> index 050fbceac71eb..1bd2664453c66 100644
> --- a/tools/perf/util/powerpc-htm.c
> +++ b/tools/perf/util/powerpc-htm.c

[ ... ]

> @@ -259,36 +261,60 @@ static struct addr_map *process_trace_file(const char *trace_file,
>  	unsigned long logical_addr;
>  	size_t total_phys = 0;
>  	size_t total_phys_to_logical = 0;
> -
>  	FILE *fp = fopen(trace_file, "r");
> +	size_t prefix_len;
> +	int found_match = 0;
> +	FILE *fout;
> +	int filter_lp = 1;
> +	char *output = malloc(strlen(trace_file) + 3);  /* +3 for ".l" and null */
> +
> +	if (!output) {
> +		pr_err("Failed to allocate memory for output filename\n");
> +		fclose(fp);
> +		return NULL;
> +	}
> +
>  	if (!fp) {
>  		pr_err("Failed to open trace file %s: %s\n", trace_file, strerror(errno));
>  		return NULL;
>  	}

[Severity: High]
Does this logic mishandle failures from fopen() and malloc()?

If trace_file cannot be opened, fopen() returns NULL. If malloc() for output
succeeds, the subsequent if (!fp) block returns NULL without freeing output,
leaking the allocated memory.

Additionally, if malloc() fails when fp is NULL, the if (!output) block calls
fclose(fp), which would dereference the NULL pointer and crash the tool.

[ ... ]

> @@ -303,6 +329,10 @@ static struct addr_map *process_trace_file(const char *trace_file,
>  			while (regexec(&addr_regex, ptr, 1, pmatch, 0) == 0) {
>  				unsigned long long phys_addr = 0;
>  				struct addr_map entry = {0};
> +				char *hex_start = strstr(line, "addr:0x");

[Severity: High]
Can this strstr() call corrupt the output for trace lines with multiple
addresses?

When a trace line contains multiple addresses, the inner loop iterates over
each regex match. However, hex_start is calculated using
strstr(line, "addr:0x"), which always finds the first occurrence in the
entire line, ignoring the regex match bounds. This will cause the same prefix
and suffix to be printed multiple times, duplicating portions of the line.

> +				const char *target = "addr:0x";
> +				char *old_val_ptr;
> +				size_t written;
>  
>  				if (sscanf(ptr + pmatch[0].rm_so + strlen("addr:"),
>  					  "%llx", &phys_addr) != 1) {
>  					pr_debug("Failed to parse phys addr from trace line\n");
>  					continue;
>  				}

[Severity: High]
This is a pre-existing issue, but does this error path cause an infinite loop?

If sscanf() fails to parse a physical address, it executes continue. This
skips the ptr += pmatch[0].rm_eo; offset advancement at the bottom of the loop.
As a result, the next iteration of the while (regexec(&addr_regex, ptr...))
loop will match the exact same string and fail to parse it again, looping
indefinitely.

> @@ -315,7 +345,30 @@ static struct addr_map *process_trace_file(const char *trace_file,
>  				logical_addr = find_logical_addr(phys_addr,
>  							mem_entries_array,
>  							n_entries,
> -							lp_filter);
> +							lp_filter, filter_lp);
> +				/* create output.txt with logical address */
> +				if (dump_trace && hex_start) {
> +					old_val_ptr = hex_start + strlen(target);
> +					prefix_len = hex_start - line;
> +					written = fwrite(line, 1, prefix_len, fout);
> +					if (written != prefix_len) {
> +						pr_err("Failed to write prefix to output file\n");
> +						continue;
> +					}

[Severity: High]
Can file write failures here cause an infinite loop in trace line parsing?

If either the fwrite() or fprintf() calls fail (e.g., due to a full disk),
the code logs an error and executes continue. Similar to the parsing error
above, this skips the ptr += pmatch[0].rm_eo; advancement at the bottom of
the loop, causing regexec() to repeatedly match the same address string
forever.

> +					if (fprintf(fout, "addr:0x%llx\t", (unsigned long long)logical_addr) < 0) {

[Severity: Medium]
Are unmapped physical addresses incorrectly overwritten with 0x0 here?

If find_logical_addr() fails to find a mapping, it returns 0. The code then
unconditionally writes logical_addr to the output file. This replaces valid but
unmapped physical addresses with addr:0x0, rather than preserving the original
address.

> +						pr_err("Failed to write to output file\n");
> +						continue;
> +					}

[ ... ]

> @@ -335,6 +388,12 @@ static struct addr_map *process_trace_file(const char *trace_file,
>  
>  				ptr += pmatch[0].rm_eo;
>  			}
> +			if (dump_trace && (!found_match) && line) {
> +				if (fprintf(fout, "%s", line) < 0) {
> +					pr_err("Failed to write line to output file\n");
> +					continue;
> +				}
> +			}
>  		}
>  	}

[Severity: Medium]
Are lines that do not match the event label regex dropped entirely from the
translated dump?

The logic to dump lines to fout when dump_trace is enabled appears to be
nested completely within this if (regexec(&label_regex, line, 2, pmatch, 0) == 0)
block. There is no corresponding else block, which would cause any
non-matching lines (like headers or metadata) to be silently omitted from
the .l output file.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701084115.80383-1-atrajeev@linux.ibm.com?part=9

      reply	other threads:[~2026-07-01  9:13 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01  8:41 [PATCH 0/9] tools/perf: Add interface to expose HTM trace data via perf Athira Rajeev
2026-07-01  8:41 ` [PATCH 1/9] tool/perf: Move auxtrace_record__init for powerpc-vpadtl as separate utility Athira Rajeev
2026-07-01  8:56   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 2/9] tools/perf: Add CONFIG_AUXTRACE support for HTM pmu on powerpc Athira Rajeev
2026-07-01  8:55   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 3/9] tools/perf: Add arch_record__collect_final_data to collect additional data before closing the event Athira Rajeev
2026-07-01  8:54   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 4/9] tools/perf: Add powerpc callback support for arch_record__collect_final_data Athira Rajeev
2026-07-01  8:55   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 5/9] tools/perf: process htm auxtrace events and display in perf report -D Athira Rajeev
2026-07-01  9:05   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 6/9] perf tools powerpc: Add HTM trace data processing and decoding support Athira Rajeev
2026-07-01  9:06   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 7/9] perf tools powerpc: Add physical to logical address mapping for HTM traces Athira Rajeev
2026-07-01  9:07   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 8/9] tools/perf/powerpc: Add event name as htm of PERF_TYPE_SYNTH type to present htm samples Athira Rajeev
2026-07-01  9:12   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 9/9] tools/perf/powerpc: Add logical address in decoded traces Athira Rajeev
2026-07-01  9:13   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701091304.AD9761F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=atrajeev@linux.ibm.com \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox