[PATCH v9 0/5] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes

From: Ian Rogers

Date: Thu Jun 04 2026 - 13:29:47 EST


This patch series introduces the new 'perf inject --aslr' feature to
remap virtual memory addresses or drop physical memory event leaks
when profile record data is shared between machines. Bundled with this
feature is a bug fix inside the core map tracking tool that hardens
perf session analysis against concurrent lookup data races.

Detailed mechanism of MMAP mapping and ASLR virtual address allocation:

The ASLR tool virtualizes the address space of the recorded processes by
intercepting MMAP and MMAP2 events to build a consistent translation
database, which is subsequently used to rewrite sample addresses.

It maintains two primary lookup databases using hash maps:
1. 'remap_addresses': Maps an original mapping key to its new remapped
   base address. The key uses topological invariant coordinates:
   (machine, dso, invariant). The invariant is computed as (start - pgoff)
   for DSO-backed mappings. This invariant remains constant even when
   perf's internal overlap-resolution splits a VMA into fragmented
   pieces, ensuring split maps resolve consistently back to the same
   remapped base.
2. 'top_addresses': Tracks the allocation state per process (machine, pid).
   It maintains 'remapped_max' (the highest allocated address in the
   virtualized space) and 'orig_last_end' (the end address of the last
   processed original mapping).

For each MMAP/MMAP2 event:
- We look up the DSO and invariant key in 'remap_addresses'. If found, we
  reuse the translation, preserving the offset within the mapping.
- If not found, we allocate a new remapped address space:
  - If the new mapping is contiguous to the previous one in the original
    address space (start == orig_last_end), we place it contiguously in
    the remapped space. This is critical to preserve the contiguity of
    mappings for downstream merging (e.g. symbols split by HugeTLB, or
    anonymous .bss segments adjacent to initialized data).
  - If not contiguous, we insert a 1-page gap (using page_size) from the
    previous maximum allocated address to prevent accidental merging of
    unrelated VMAs.
- The event's start address (and pgoff for kernel maps) is rewritten,
  and the event is delegated to the output writer.

To remain strictly conservative and guarantee security, the tool
scrubs breakpoint addresses (bp_addr) from all synthesized stream
headers, completely drops PERF_RECORD_TEXT_POKE events to prevent
absolute immediate pointer operand leaks, and drops unsupported
complex payloads (such as user register stacks, raw tracepoints, and
hardware AUX tracing frames).

Verification is reinforced with a shell test ('inject_aslr.sh').

Prerequisite Bug Fix (Patch 1). During development, a core map
indexing issue was identified and resolved to prevent concurrent
lookup data races during session analysis.

Changes since v8:

- Split the large "Add aslr tool" commit into two patches:
  - Patch 2: Add ASLR tool infrastructure and MMAP tracking
  - Patch 3: Implement sample address remapping
- Address Sashiko and internal feedback.


Ian Rogers (5):
perf maps: Add maps__mutate_mapping
perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking
perf inject/aslr: Implement sample address remapping
perf test: Add inject ASLR test
perf aslr: Strip sample registers

tools/perf/builtin-inject.c | 70 +-
tools/perf/tests/shell/inject_aslr.sh | 517 ++++++++++
tools/perf/util/Build | 1 +
tools/perf/util/aslr.c | 1263 +++++++++++++++++++++++++
tools/perf/util/aslr.h | 41 +
tools/perf/util/machine.c | 32 +-
tools/perf/util/maps.c | 77 ++
tools/perf/util/maps.h | 3 +
tools/perf/util/symbol-elf.c | 41 +-
tools/perf/util/symbol.c | 17 +-
10 files changed, 2029 insertions(+), 33 deletions(-)
create mode 100755 tools/perf/tests/shell/inject_aslr.sh
create mode 100644 tools/perf/util/aslr.c
create mode 100644 tools/perf/util/aslr.h

--
2.54.0.1032.g2f8565e1d1-goog
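As an added illustration of the allocation scheme the cover letter above describes (this is example code written for this page, not code from the patch series or from tools/perf/util/aslr.c), the following C sketch walks a constructed stream of MMAP events through the two lookup tables and then rewrites sample addresses. The names aslr_mmap, aslr_sample, struct remap_entry and struct top_entry, the 4 KiB page size, the 0x10000 base of the remapped space, the single-machine key (dso, invariant), the fixed-size tables and the choice to never key anonymous mappings are all assumptions of this example, not details of the series.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ASLR_PAGE 4096ULL    /* assumed page_size */
#define ASLR_BASE 0x10000ULL /* assumed first address of the remapped space */
#define ASLR_MAX  32         /* fixed-size tables; bounds are not checked here */

/* Constructed MMAP/MMAP2-style event. dso == NULL means an anonymous mapping. */
struct mmap_ev {
	int pid;
	const char *dso;
	uint64_t start, len, pgoff;
};

/* 'remap_addresses' entry: (dso, invariant) -> remapped base. A single
 * machine is assumed, so the machine component of the key is omitted. */
struct remap_entry {
	const char *dso;
	uint64_t invariant; /* start - pgoff of the original mapping */
	uint64_t base;      /* remapped address that 'invariant' translates to */
};

/* 'top_addresses' entry: per-pid allocation state. */
struct top_entry {
	int pid, nmaps;
	uint64_t remapped_max;  /* highest address handed out so far */
	uint64_t orig_last_end; /* end of the last original mapping processed */
};

/* One translated mapping, kept so sample addresses can be rewritten later. */
struct xlat {
	int pid;
	uint64_t orig_start, len, new_start;
};

struct aslr {
	struct remap_entry remaps[ASLR_MAX];
	struct top_entry tops[ASLR_MAX];
	struct xlat maps[ASLR_MAX];
	size_t nremap, ntop, nmaps;
};

static struct top_entry *aslr_top(struct aslr *a, int pid)
{
	for (size_t i = 0; i < a->ntop; i++)
		if (a->tops[i].pid == pid)
			return &a->tops[i];
	a->tops[a->ntop] = (struct top_entry){ .pid = pid, .remapped_max = ASLR_BASE };
	return &a->tops[a->ntop++];
}

static struct remap_entry *aslr_lookup(struct aslr *a, const char *dso, uint64_t inv)
{
	for (size_t i = 0; i < a->nremap; i++)
		if (a->remaps[i].invariant == inv && strcmp(a->remaps[i].dso, dso) == 0)
			return &a->remaps[i];
	return NULL;
}

/* Process one MMAP event and return the rewritten start address. */
uint64_t aslr_mmap(struct aslr *a, const struct mmap_ev *ev)
{
	struct top_entry *top = aslr_top(a, ev->pid);
	uint64_t inv = ev->start - ev->pgoff, new_start;
	struct remap_entry *r = ev->dso ? aslr_lookup(a, ev->dso, inv) : NULL;

	if (r) {
		/* Fragment of a mapping already placed: keep its offset from the base. */
		new_start = r->base + (ev->start - r->invariant);
	} else if (top->nmaps == 0 || ev->start == top->orig_last_end) {
		new_start = top->remapped_max;             /* contiguous: keep adjacent */
	} else {
		new_start = top->remapped_max + ASLR_PAGE; /* one-page gap between VMAs */
	}
	if (!r && ev->dso) /* anonymous mappings are never keyed in this example */
		a->remaps[a->nremap++] = (struct remap_entry){ ev->dso, inv, new_start - ev->pgoff };
	if (new_start + ev->len > top->remapped_max)
		top->remapped_max = new_start + ev->len;
	top->orig_last_end = ev->start + ev->len;
	top->nmaps++;
	a->maps[a->nmaps++] = (struct xlat){ ev->pid, ev->start, ev->len, new_start };
	return new_start;
}

/* Rewrite a sample address. Returns 0 when no tracked mapping covers it,
 * which is the conservative "drop the sample" case. */
int aslr_sample(const struct aslr *a, int pid, uint64_t addr, uint64_t *out)
{
	for (size_t i = 0; i < a->nmaps; i++) {
		const struct xlat *m = &a->maps[i];
		if (m->pid == pid && addr >= m->orig_start && addr - m->orig_start < m->len) {
			*out = addr - m->orig_start + m->new_start;
			return 1;
		}
	}
	return 0;
}
```

Feeding a constructed session into aslr_mmap shows the three paths: libc.so.6 mapped at 0x7f000000 with pgoff 0 lands at the base 0x10000; a later fragment at 0x7f002000 with pgoff 0x2000 has the same invariant, so it resolves to 0x12000 without a fresh allocation; an anonymous mapping starting exactly at the previous end is placed adjacent at 0x13000, while an unrelated region at 0x55550000 gets the one-page gap and lands at 0x15000. A sample at 0x7f002ab0 then rewrites to 0x12ab0, and an address no mapping covers is reported for dropping.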