Re: [PATCH bpf-next v3 09/24] bpf: Extend liveness analysis to track stack argument slots

[Yonghong Song <yonghong.song@linux.dev>]

On 5/11/26 8:19 AM, bot+bpf-ci@kernel.org wrote:
>> diff --git a/kernel/bpf/const_fold.c b/kernel/bpf/const_fold.c
>> --- a/kernel/bpf/const_fold.c
>> +++ b/kernel/bpf/const_fold.c
>> @@ -58,6 +58,14 @@ struct const_arg_info unknown = { .state = CONST_ARG_UNKNOWN, .val = 0 };
>>   	u8 opcode = BPF_OP(insn->code) | BPF_SRC(insn->code);
>>   	int r;
>>
>> +	/* Stack arg stores (r11-based) are outside the tracked register set. */
>> +	if (is_stack_arg_st(insn) || is_stack_arg_stx(insn))
>> +		return;
>> +	if (is_stack_arg_ldx(insn)) {
>> +		ci_out[insn->dst_reg] = unknown;
>> +		return;
>> +	}
>> +
>>   	switch (class) {
>>   	case BPF_ALU:
>>   	case BPF_ALU64:
>> diff --git a/kernel/bpf/liveness.c b/kernel/bpf/liveness.c
>> --- a/kernel/bpf/liveness.c
>> +++ b/kernel/bpf/liveness.c
> [ ... ]
>
>> @@ -1576,19 +1651,19 @@ struct arg_track none = { .frame = ARG_NONE };
>>   		goto err_free;
>>
>>   	for (i = 0; i < len; i++) {
>> -		for (r = 0; r < MAX_BPF_REG; r++)
>> +		for (r = 0; r < MAX_AT_TRACK_REGS; r++)
>>   			at_in[i][r] = unvisited;
>>   		for (r = 0; r < MAX_ARG_SPILL_SLOTS; r++)
>>   			at_stack_in[i][r] = unvisited;
>>   	}
>>
>> -	for (r = 0; r < MAX_BPF_REG; r++)
>> +	for (r = 0; r < MAX_AT_TRACK_REGS; r++)
>>   		at_in[0][r] = none;
>>
>>   	/* Entry: R10 is always precisely the current frame's FP */
>>   	at_in[0][BPF_REG_FP] = arg_single(depth, 0);
>>
>> -	/* R1-R5: from caller or ARG_NONE for main */
>> +	/* R1-R5 and outgoing stack args: from caller or ARG_NONE for main */
>>   	if (callee_entry) {
>>   		for (r = BPF_REG_1; r <= BPF_REG_5; r++)
>>   			at_in[0][r] = callee_entry[r];
> The comment says "R1-R5 and outgoing stack args" but the following code
> only copies R1-R5 from callee_entry to at_in[0]. The outgoing stack arg
> slots at at_in[0][MAX_BPF_REG..MAX_AT_TRACK_REGS-1] remain at ARG_NONE
> (set by the earlier loop).
>
> Looking further down in the function, the incoming stack args from the
> caller are actually placed in the separate at_stack_arg_entry[] array:
>
> 	/* Entry: incoming stack args from caller, or ARG_NONE for main */
> 	for (r = 0; r < MAX_STACK_ARG_SLOTS; r++)
> 		at_stack_arg_entry[r] = callee_entry ? callee_entry[MAX_BPF_REG + r] : none;
>
> The comment conflates the outgoing stack arg state carried in
> at_in[0][MAX_BPF_REG + r] (which always starts at ARG_NONE and gets
> updated later by arg_track_xfer when the subprog performs stack-arg
> stores) with the incoming stack arg state (stored in
> at_stack_arg_entry[], read back via stack-arg ldx).
>
> Should the comment be revised to only mention R1-R5, since the incoming
> stack args are handled separately below?

Yes. Will fix the comment. The old comment is a leftover from the v2.

>
>> @@ -1598,6 +1673,10 @@ struct arg_track none = { .frame = ARG_NONE };
>>   	for (r = 0; r < MAX_ARG_SPILL_SLOTS; r++)
>>   		at_stack_in[0][r] = none;
>>
>> +	/* Entry: incoming stack args from caller, or ARG_NONE for main */
>> +	for (r = 0; r < MAX_STACK_ARG_SLOTS; r++)
>> +		at_stack_arg_entry[r] = callee_entry ? callee_entry[MAX_BPF_REG + r] : none;
>> +
> [ ... ]
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/25652623893