Re: [PATCH v2 13/16] perf annotate-arm64: Support 'add' instruction tracking

From: Tengda Wu

Date: Fri Apr 10 2026 - 06:50:07 EST

On 2026/4/10 14:42, Namhyung Kim wrote:
> On Fri, Apr 03, 2026 at 09:47:57AM +0000, Tengda Wu wrote:
>> Extend update_insn_state() for arm64 to track pointer arithmetic and
>> member address calculations.
>>
>> The arm64 'add' instruction frequently calculates structure member
>> addresses, such as 'add x0, x1, #offset'. Tracking this is essential
>> to maintain the connection between a base pointer and its derived
>> member addresses.
>
> What about other arithmetic instructions? Can 'sub' be used in a
> similar manner? Maybe we want to invalidate the target register state
> for all(?) other instructions.
>
> Thanks,
> Namhyung
>

I need to investigate further if 'sub' is practically used for member address
calculation in arm64. As for other instructions, I completely agree with the
idea of invalidating the target register state to avoid any incorrect type matching.

Thanks,
Tengda

>>
>> The implementation checks if the base register contains a pointer
>> or a structure type. When an immediate offset is added, use
>> die_get_member_type() to verify that the resulting offset points to
>> a valid member within the data type. If valid, update the target
>> register's type state with the new offset while preserving the base
>> type information.
>>
>> A real-world example is shown below:
>>
>> ffff80008001c9a8 <flush_ptrace_hw_breakpoint>:
>> ffff80008001c9c4: add x19, x0, #0xeb8 // x0 (task_struct*) + 0xeb8 -> x19
>> ffff80008001c9d0: ldr x0, [x19] // PMU sample
>>
>> Before this commit, the type flow broke at the 'add' instruction,
>> leaving the subsequent load with no type information:
>>
>> chk [28] reg19 offset=0 ok=0 kind=0 cfa : no type information
>> final result: no type information
>>
>> After this commit, the tracker correctly follows the member address
>> calculation:
>>
>> var [0] reg0 offset 0 type='struct task_struct*'
>> add [1c] address of 0xeb8(reg0) -> reg19 type='struct task_struct*'
>> chk [28] reg19 offset=0 ok=1 kind=1 (struct task_struct*) : Good!
>> found by insn track: 0(reg19) type-offset=0xeb8
>> final result: type='struct task_struct'
>>
>> Signed-off-by: Tengda Wu <wutengda@xxxxxxxxxxxxxxx>
>> ---
>> .../perf/util/annotate-arch/annotate-arm64.c | 45 +++++++++++++++++++
>> 1 file changed, 45 insertions(+)
>>
>> diff --git a/tools/perf/util/annotate-arch/annotate-arm64.c b/tools/perf/util/annotate-arch/annotate-arm64.c
>> index 013b673f4861..d2557b9d6909 100644
>> --- a/tools/perf/util/annotate-arch/annotate-arm64.c
>> +++ b/tools/perf/util/annotate-arch/annotate-arm64.c
>> @@ -7,6 +7,7 @@
>> #include <linux/zalloc.h>
>> #include <linux/string.h>
>> #include <regex.h>
>> +#include <inttypes.h>
>> #include "../annotate.h"
>> #include "../disasm.h"
>> #include "../annotate-data.h"
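Review bot: the new `#include <inttypes.h>` does not appear to be needed by this patch, since none of the added lines use a PRI*/SCN* macro (the `pr_debug_dtp()` call in the second hunk formats with plain `%x` and `%#x`); what the second hunk does introduce is a call to `abs()`, which is declared in `<stdlib.h>`, so either drop this include or replace it with the header that the new code actually depends on (if `<stdlib.h>` already arrives through another header, a short note in the commit message saying so would make the include choice reviewable).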
>> @@ -308,6 +309,50 @@ static void update_insn_state_arm64(struct type_state *state,
>> sreg = src->reg1;
>> dreg = dst->reg1;
>>
>> + if (!strcmp(dl->ins.name, "add")) {
>> + struct type_state_reg dst_tsr;
>> +
>> + if (!has_reg_type(state, sreg) ||
>> + !has_reg_type(state, dreg) ||
>> + !state->regs[dreg].ok)
>> + return;
>> +
>> + tsr = &state->regs[sreg];
>> + tsr->copied_from = -1;
>> + dst_tsr = state->regs[dreg];
>> +
>> + /* Handle calculation of a register holding a typed pointer */
>> + if (dst_tsr.kind == TSR_KIND_POINTER ||
>> + (dst_tsr.kind == TSR_KIND_TYPE &&
>> + dwarf_tag(&dst_tsr.type) == DW_TAG_pointer_type)) {
>> + s32 offset;
>> +
>> + if (dst_tsr.kind == TSR_KIND_TYPE &&
>> + __die_get_real_type(&dst_tsr.type, &type_die) == NULL)
>> + return;
>> +
>> + if (dst_tsr.kind == TSR_KIND_POINTER)
>> + type_die = dst_tsr.type;
>> +
>> + /* Check if the target type has a member at the new offset */
>> + offset = dst->offset + dst_tsr.offset;
>> + if (die_get_member_type(&type_die, offset, &type_die) == NULL)
>> + return;
>> +
>> + tsr->type = dst_tsr.type;
>> + tsr->kind = dst_tsr.kind;
>> + tsr->offset = offset;
>> + tsr->ok = true;
>> +
>> + pr_debug_dtp("add [%x] address of %s%#x(reg%d) -> reg%d",
>> + insn_offset, dst->offset < 0 ? "-" : "",
>> + abs(dst->offset), dreg, sreg);
>> +
>> + pr_debug_type_name(&tsr->type, tsr->kind);
>> + }
>> + return;
>> + }
>> +
>> /* Register to register transfers */
>> if (!strcmp(dl->ins.name, "mov")) {
>> if (!has_reg_type(state, sreg))
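Review bot: the early `return` after `if (!has_reg_type(state, sreg) || !has_reg_type(state, dreg) || !state->regs[dreg].ok)` and the `return` after a failed `die_get_member_type(&type_die, offset, &type_die)` both leave `state->regs[sreg]` as it was, so a type recorded for that register by an earlier instruction survives an `add` that overwrites it; this is exactly the invalidation concern raised in the reply above, and setting `tsr->ok = false` on those paths before returning would stop the stale type from producing a wrong match later (note `tsr->copied_from = -1` is already cleared before the later returns, so only `ok` is left inconsistent there). A smaller readability point: for this instruction the operand names read inverted, because `dst_tsr = state->regs[dreg]` is the base register whose type is consulted, `dst->offset` carries the immediate, and the result is written into `tsr = &state->regs[sreg]`, which the debug line `address of %s%#x(reg%d) -> reg%d` with `dreg, sreg` confirms; a one-line comment stating that `sreg` is the written register in this block would save the next reader a double take.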
>> --
>> 2.34.1
>>