From: Arnaldo Carvalho de Melo Date: Mon, 8 Jun 2026 18:32:32 +0000 (-0300) Subject: libperf: Document code simplification case for widening struct perf_cpu X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=7435c4069a546a5d2421407b3d43fdc1790ce6cc;p=thirdparty%2Fkernel%2Flinux.git libperf: Document code simplification case for widening struct perf_cpu Add a bullet point to the libperf ABI TODO explaining the code simplification benefit of widening struct perf_cpu.cpu from int16_t to int: the narrow type forces defensive truncation checks at every boundary where wider CPU indices are narrowed, and values > 32767 silently wrap to negative numbers (two's complement), bypassing bounds validation without them. Acked-by: Ian Rogers Cc: Ian Rogers Cc: Namhyung Kim Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo --- diff --git a/tools/lib/perf/TODO b/tools/lib/perf/TODO index 486dd95dc5720..e179728697d8c 100644 --- a/tools/lib/perf/TODO +++ b/tools/lib/perf/TODO @@ -11,6 +11,14 @@ together. (x86_64 max is 8192, arm64 is 4096), but NR_CPUS limits keep growing. perf clamps to INT16_MAX in set_max_cpu_num() as a safety net. + - Code simplification: the int16_t forces defensive truncation + checks at every boundary where a wider CPU index (int from + sample->cpu, al->cpu, etc.) is narrowed into struct perf_cpu. + Without these checks, values > 32767 silently wrap to negative + numbers (two's complement), bypassing bounds validation. + Widening to int eliminates this entire class of silent + truncation bugs and removes the need for the INT16_MAX clamp + in set_max_cpu_num(). - Scope: struct perf_cpu is embedded everywhere — perf_cpu_map__cpu(), perf_cpu_map__min(), perf_cpu_map__max(), perf_cpu_map__has(), the for_each_cpu macros, and all internal callers. The perf_cpu_map