[PATCH v2 16/16] perf annotate-arm64: Support 'mrs' instruction to track 'current' pointer

From: Tengda Wu

Date: Fri Apr 03 2026 - 05:57:25 EST


Extend update_insn_state() for arm64 to handle the 'mrs' instruction,
enabling the tracking of the 'current' task pointer in the kernel.

On arm64, the kernel uses the 'sp_el0' system register to store the
address of the currently executing 'struct task_struct'. This is
typically accessed via the 'get_current()' inline function, resulting
in the instruction 'mrs xN, sp_el0'.

To resolve the data type of the target register, first verify the
access is to 'sp_el0' within a kernel DSO. Then, locate the
'get_current()' inline function's DWARF Die at the current PC and
extract its return type (which is 'struct task_struct *').

Introduce a global 'task_struct_off' cache to store the DWARF offset
of this type. This is particularly important because the compiler-generated
stack canary check code (which loads from 'current') often exists in
code sections or leaf functions where the local Compilation Unit (CU)
lacks a full 'struct task_struct' definition. Caching the offset allows
'perf annotate' to consistently resolve task-related fields across the
entire kernel binary.

A real-world example is shown below:

ffff8000800deee8 <kthread_blkcg>:
ffff8000800deef0: mrs x0, sp_el0 // x0 = current
ffff8000800deef4: ldr w1, [x0, #44] // Access task_struct member

Before this commit, the type flow starts with no information:

chk [c] reg0 offset=0x2c ok=0 kind=0 cfa : no type information
final result: no type information

After this commit, the tracker identifies the 'current' pointer
from the system register:

mrs [8] sp_el0 -> reg0 type='struct task_struct*'
chk [c] reg0 offset=0x2c ok=1 kind=1 (struct task_struct*) : Good!
found by insn track: 0x2c(reg0) type-offset=0x2c
final result: type='struct task_struct'

Signed-off-by: Li Huafei <lihuafei1@xxxxxxxxxx>
Signed-off-by: Tengda Wu <wutengda@xxxxxxxxxxxxxxx>
---
.../perf/util/annotate-arch/annotate-arm64.c | 53 +++++++++++++++++++
1 file changed, 53 insertions(+)

diff --git a/tools/perf/util/annotate-arch/annotate-arm64.c b/tools/perf/util/annotate-arch/annotate-arm64.c
index 89b6b596f984..b03b12594260 100644
--- a/tools/perf/util/annotate-arch/annotate-arm64.c
+++ b/tools/perf/util/annotate-arch/annotate-arm64.c
@@ -14,6 +14,7 @@
#include "../debug.h"
#include "../map.h"
#include "../symbol.h"
+#include "../dso.h"

struct arch_arm64 {
struct arch arch;
@@ -289,6 +290,8 @@ static void adjust_reg_index_state(struct type_state *state, int reg,
pr_debug_type_name(&tsr->type, tsr->kind);
}

+static Dwarf_Off task_struct_off;
+
static void update_insn_state_arm64(struct type_state *state,
struct data_loc_info *dloc, Dwarf_Die *cu_die,
struct disasm_line *dl)
@@ -309,6 +312,56 @@ static void update_insn_state_arm64(struct type_state *state,
sreg = src->reg1;
dreg = dst->reg1;

+ if (!strcmp(dl->ins.name, "mrs")) {
+ Dwarf_Die func_die;
+ Dwarf_Attribute attr;
+ u64 ip, pc;
+
+ if (!has_reg_type(state, sreg))
+ return;
+
+ /* Handle case difference: LLVM (SP_EL0) vs objdump (sp_el0) */
+ if (!dso__kernel(map__dso(dloc->ms->map)) ||
+ strcasecmp(dl->ops.target.raw, "sp_el0"))
+ return;
+
+ ip = dloc->ms->sym->start + dl->al.offset;
+ pc = map__rip_2objdump(dloc->ms->map, ip);
+
+ if (!task_struct_off ||
+ !dwarf_offdie(dloc->di->dbg, task_struct_off, &type_die)) {
+ /*
+ * Find the inline function 'get_current()' Dwarf_Die
+ * and obtain its return value data type, which should
+ * be 'struct task_struct *'.
+ */
+ if (!die_find_inlinefunc(cu_die, pc, &func_die) ||
+ !dwarf_attr_integrate(&func_die, DW_AT_type, &attr) ||
+ !dwarf_formref_die(&attr, &type_die))
+ return;
+
+ /*
+ * Cache the 'struct task_struct *' die offset globally.
+ * This allows us to resolve stack canary accesses even
+ * in CUs that lack a full task_struct definition (e.g.,
+ * compiler-generated entry/exit code).
+ */
+ task_struct_off = dwarf_dieoffset(&type_die);
+ }
+
+ tsr = &state->regs[sreg];
+ tsr->copied_from = -1;
+ tsr->type = type_die;
+ tsr->kind = TSR_KIND_TYPE;
+ tsr->offset = 0;
+ tsr->addr = 0;
+ tsr->ok = true;
+
+ pr_debug_dtp("mrs [%x] sp_el0 -> reg%d", insn_offset, sreg);
+ pr_debug_type_name(&type_die, tsr->kind);
+ return;
+ }
+
if (!strcmp(dl->ins.name, "adrp")) {
if (!has_reg_type(state, sreg) || !dl->ops.target.addr)
return;
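Review bot: The cached `task_struct_off` is a DIE offset into one particular `Dwarf *`, yet the `dwarf_offdie()` call at the top of the `mrs` branch applies it to whatever `dloc->di->dbg` is current; since `dso__kernel()` appears to hold for module DSOs as well as vmlinux, an offset resolved against vmlinux can be looked up in a module's debug info and, if that offset happens to exist there, yield an unrelated DIE as the type of 'current'. Pair the cache with its owner — `static Dwarf *task_struct_dbg;` beside the declaration in the previous hunk — and treat a different handle as a miss: `if (task_struct_dbg != dloc->di->dbg || !task_struct_off || !dwarf_offdie(dloc->di->dbg, task_struct_off, &type_die))`, with `task_struct_dbg = dloc->di->dbg;` set where `task_struct_off` is assigned. Separately, the commit message says the DIE found at pc is `get_current()`, but nothing verifies that: `die_find_inlinefunc()` returns the innermost inlined subroutine covering pc, so adding `!die_compare_name(&func_die, "get_current")` to the same condition would keep another inline's return type from being cached as `struct task_struct *`. update_insn_state_arm64() begins in the previous hunk and continues past this one, and `insn_offset` used in the pr_debug_dtp() call is declared outside it.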
--
2.34.1