All of lore.kernel.org
 help / color / mirror / Atom feed
From: Yonghong Song <yonghong.song@linux.dev>
To: Eduard Zingerman <eddyz87@gmail.com>,
	bpf@vger.kernel.org, ast@kernel.org
Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev,
	kernel-team@fb.com, kuniyu@amazon.com
Subject: Re: [PATCH bpf-next 2/3] bpf: check bpf_func_state->callback_depth when pruning states
Date: Wed, 14 Feb 2024 09:42:39 -0800	[thread overview]
Message-ID: <1fbcd9f1-6c83-4430-b797-a92285d1d151@linux.dev> (raw)
In-Reply-To: <0e5b990eeaa63590e067c8ac10642b6bc6d0e9a8.camel@gmail.com>


On 2/13/24 10:14 AM, Eduard Zingerman wrote:
> Updated diagram with a few fixes, line numbers would be removed in the
> final version.
>
> --- 8< ---------------------------------
>
>   .------------------------------------- Checkpoint / State name
>   |    .-------------------------------- Code point number
>   |    |   .---------------------------- Stack state {ctx.a,ctx.b,ctx.c}
>   |    |   |        .------------------- Callback depth in frame #0
>   v    v   v        v
> 1  - (0) {7P,7P,7},depth=0
> 2    - (3) {7P,7P,7},depth=1
> 3      - (0) {7P,7P,42},depth=1
> (a)      - (3) {7P,7,42},depth=2
> 4          - (0) {7P,7,42},depth=2      loop terminates because of depth limit
> 5            - (4) {7P,7,42},depth=0    predicted false, ctx.a marked precise
> 6            - (6) exit
> 7        - (2) {7P,7,42},depth=2
> 8          - (0) {7P,42,42},depth=2     loop terminates because of depth limit
> 9            - (4) {7P,42,42},depth=0   predicted false, ctx.a marked precise
> 10           - (6) exit
> (b)      - (1) {7P,7P,42},depth=2
> 11         - (0) {42P,7P,42},depth=2    loop terminates because of depth limit
> 12           - (4) {42P,7P,42},depth=0  predicted false, ctx.{a,b} marked precise
> 13           - (6) exit
> 14   - (2) {7P,7,7},depth=1
> 15     - (0) {7P,42,7},depth=1          considered safe, pruned using checkpoint (a)
> (c)  - (1) {7P,7P,7},depth=1            considered safe, pruned using checkpoint (b)

For the above line
    (c)  - (1) {7P,7P,7},depth=1            considered safe, pruned using checkpoint (b)
I would change to
    (c)  - (1) {7P,7P,7},depth=1
           - (0) {42P, 7P, 7},depth = 1     considered safe, pruned using checkpoint (11)

For
14   - (2) {7P,7,7},depth=1
15     - (0) {7P,42,7},depth=1          considered safe, pruned using checkpoint (a)
I suspect for line 15, the pruning uses checking point at line (8).

Other than the above, the diagram LGTM.

>
> Here checkpoint (b) has callback_depth of 2, meaning that it would
> never reach state {42,42,7}.
> While checkpoint (c) has callback_depth of 1, and thus
> could yet explore the state {42,42,7} if not pruned prematurely.
> This commit makes forbids such premature pruning,
> allowing verifier to explore states sub-tree starting at (c):
>
> (c)  - (1) {7,7,7P},depth=1
> 16     - (0) {42P,7,7P},depth=1
>           ...
> 17       - (2) {42,7,7},depth=2
> 18         - (0) {42,42,7},depth=2      loop terminates because of depth limit
> 19           - (4) {42,42,7},depth=0    predicted true, ctx.{a,b,c} marked precise
> 20             - (5) division by zero
>
> --------------------------------- >8 ---

  reply	other threads:[~2024-02-14 17:42 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-12 14:38 [PATCH bpf-next 0/3] check bpf_func_state->callback_depth when pruning states Eduard Zingerman
2024-02-12 14:38 ` [PATCH bpf-next 1/3] selftests/bpf: update tcp_custom_syncookie to use scalar packet offset Eduard Zingerman
2024-02-12 23:58   ` Yonghong Song
2024-02-12 14:38 ` [PATCH bpf-next 2/3] bpf: check bpf_func_state->callback_depth when pruning states Eduard Zingerman
2024-02-13  1:20   ` Yonghong Song
2024-02-13 14:21     ` Eduard Zingerman
2024-02-13 18:14       ` Eduard Zingerman
2024-02-14 17:42         ` Yonghong Song [this message]
2024-02-16 14:27           ` Eduard Zingerman
2024-02-20  0:25             ` Yonghong Song
2024-02-20 17:13               ` Eduard Zingerman
2024-02-12 14:38 ` [PATCH bpf-next 3/3] selftests/bpf: test case for callback_depth states pruning logic Eduard Zingerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1fbcd9f1-6c83-4430-b797-a92285d1d151@linux.dev \
    --to=yonghong.song@linux.dev \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=kernel-team@fb.com \
    --cc=kuniyu@amazon.com \
    --cc=martin.lau@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.