From: Yonghong Song <yonghong.song@linux.dev>
To: Eduard Zingerman <eddyz87@gmail.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
kernel-team@fb.com, Martin KaFai Lau <martin.lau@kernel.org>
Subject: Re: [PATCH bpf-next v3 2/2] selftests/bpf: Add ldsx selftests for ldsx and subreg compare
Date: Tue, 16 Jul 2024 15:38:56 -0700 [thread overview]
Message-ID: <9ff9b619-aa69-42eb-9c71-39bd5ef425cc@linux.dev> (raw)
In-Reply-To: <5ce8b885e35e780d3ec6e730d9be2b45be3fea05.camel@gmail.com>
On 7/15/24 5:44 PM, Eduard Zingerman wrote:
> On Fri, 2024-07-12 at 16:44 -0700, Yonghong Song wrote:
>
> Note: it feels like these test cases should be a part of the
> reg_bounds.c:test_reg_bounds_crafted(), e.g.:
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
> index eb74363f9f70..4918414f8e36 100644
> --- a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
> +++ b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
> @@ -2108,6 +2108,7 @@ static struct subtest_case crafted_cases[] = {
> {S32, U32, {(u32)S32_MIN, 0}, {0, 0}},
> {S32, U32, {(u32)S32_MIN, 0}, {(u32)S32_MIN, (u32)S32_MIN}},
> {S32, U32, {(u32)S32_MIN, S32_MAX}, {S32_MAX, S32_MAX}},
> + {S64, U32, {0x0, 0x1f}, {0xffffffff80000000ULL, 0x00000000ffffffffULL}},
> };
>
> /* Go over crafted hard-coded cases. This is fast, so we do it as part of
>
> Which produces the following log:
>
> VERIFIER LOG:
> ========================
> ...
> 21: (ae) if w6 < w7 goto pc+3 ; R6=scalar(id=1,smin=0xffffffff80000000,smax=0xffffffff)
> R7=scalar(id=2,smin=smin32=0,smax=umax=smax32=umax32=31,var_off=(0x0; 0x1f))
> ...
> from 21 to 25: ... R6=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=30,var_off=(0x0; 0x1f))
> R7=scalar(id=2,smin=umin=smin32=umin32=1,smax=umax=smax32=umax32=31,var_off=(0x0; 0x1f)
> 25: ... R6=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=30,var_off=(0x0; 0x1f))
> R7=scalar(id=2,smin=umin=smin32=umin32=1,smax=umax=smax32=umax32=31,var_off=(0x0; 0x1f))
> ...
>
> However, this would require adjustments to reg_bounds.c logic to
> include this new range rule.
I added some logic in reg_bounds.c.
diff --git a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
index eb74363f9f70..c88602908cfe 100644
--- a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
+++ b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
@@ -441,6 +441,22 @@ static struct range range_refine(enum num_t x_t, struct range x, enum num_t y_t,
if (t_is_32(y_t) && !t_is_32(x_t)) {
struct range x_swap;
+ /* If we know that
+ * - *x* is in the range of signed 32bit value
+ * - *y_cast* range is 32-bit sign non-negative, and
+ * then *x* range can be narrowed to the interaction of
+ * *x* and *y_cast*. Otherwise, if the new range for *x*
+ * allows upper 32-bit 0xffffffff then the eventual new
+ * range for *x* will be out of signed 32-bit range
+ * which violates the origin *x* range.
+ */
+ if (x_t == S64 && y_t == S32 &&
+ !(y_cast.a & 0xffffffff80000000ULL) && !(y_cast.b & 0xffffffff80000000) &&
+ (long long)x.a >= S32_MIN && (long long)x.b <= S32_MAX) {
+ return range(S64, max_t(S64, y_cast.a, x.a),
+ min_t(S64, y_cast.b, x.b));
+ }
+
/* some combinations of upper 32 bits and sign bit can lead to
* invalid ranges, in such cases it's easier to detect them
* after cast/swap than try to enumerate all the conditions
@@ -2108,6 +2124,9 @@ static struct subtest_case crafted_cases[] = {
{S32, U32, {(u32)S32_MIN, 0}, {0, 0}},
{S32, U32, {(u32)S32_MIN, 0}, {(u32)S32_MIN, (u32)S32_MIN}},
{S32, U32, {(u32)S32_MIN, S32_MAX}, {S32_MAX, S32_MAX}},
+ {S64, U32, {0x0, 0x1f}, {0xffffffff80000000ULL, 0x000000007fffffffULL}},
+ {S64, U32, {0x0, 0x1f}, {0xffffffffffff8000ULL, 0x0000000000007fffULL}},
+ {S64, U32, {0x0, 0x1f}, {0xffffffffffffff80ULL, 0x000000000000007fULL}},
};
/* Go over crafted hard-coded cases. This is fast, so we do it as part of
The logic is very similar to kernel implementation but has a difference in generating
the final range. In reg_bounds implementation, the range is narrowed by intersecting
y_cast and x range which are necessary.
In kernel implementation, there is no interection since we only have one register
and two register has been compared before.
Eduard, could you take a look at the above code?
>
> [...]
>
>> +SEC("socket")
>> +__description("LDSX, S8, subreg compare")
> ^^^ ^^^
>
> Nit: test_progs parsing logic for -t option is too simplistic to
> understand comas inside description, for example here is happens
> after the command below:
>
> # ./test_progs-cpuv4 -t "verifier_ldsx/LDSX, S8, subreg compare"
> #455/1 verifier_ldsx/LDSX, S8:OK
> #455/2 verifier_ldsx/LDSX, S8 @unpriv:OK
> #455/3 verifier_ldsx/LDSX, S16:OK
> #455/4 verifier_ldsx/LDSX, S16 @unpriv:OK
> #455/5 verifier_ldsx/LDSX, S32:OK
> ...
>
> As far as I understand, this happens because test_progs tries to
> match words LDSX, S8 and "subreg compare" separately.
>
> This does not happen when comas are not used in the description
> (or if description is omitted in favor of the C function name of the test
> (it is not possible to do -t verifier_ldsx/ldsx_s8_subreg_compare
> if __description is provided)).
There are around 10 (or more) verifier_*.c files which has ',' in their
description. So I think we should add ',' support in test_progs infrastructure
w.r.t. description tag. I think this can be a follow up.
>> +__success __success_unpriv
>> +__naked void ldsx_s8_subreg_compare(void)
>> +{
>> + asm volatile (
>> + "call %[bpf_get_prandom_u32];"
>> + "*(u64 *)(r10 - 8) = r0;"
>> + "w6 = w0;"
>> + "if w6 > 0x1f goto l0_%=;"
>> + "r7 = *(s8 *)(r10 - 8);"
>> + "if w7 > w6 goto l0_%=;"
>> + "r1 = 0;"
>> + "*(u64 *)(r10 - 8) = r1;"
>> + "r2 = r10;"
>> + "r2 += -8;"
>> + "r1 = %[map_hash_48b] ll;"
>> + "call %[bpf_map_lookup_elem];"
>> + "if r0 == 0 goto l0_%=;"
>> + "r0 += r7;"
>> + "*(u64 *)(r0 + 0) = 1;"
>> +"l0_%=:"
>> + "r0 = 0;"
>> + "exit;"
>> + :
>> + : __imm(bpf_get_prandom_u32),
>> + __imm_addr(map_hash_48b),
>> + __imm(bpf_map_lookup_elem)
>> + : __clobber_all);
>> +}
> [...]
next prev parent reply other threads:[~2024-07-16 22:39 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-12 23:43 [PATCH bpf-next v3 1/2] bpf: Get better reg range with ldsx and 32bit compare Yonghong Song
2024-07-12 23:44 ` [PATCH bpf-next v3 2/2] selftests/bpf: Add ldsx selftests for ldsx and subreg compare Yonghong Song
2024-07-16 0:44 ` Eduard Zingerman
2024-07-16 22:38 ` Yonghong Song [this message]
2024-07-17 0:12 ` Eduard Zingerman
2024-07-17 6:06 ` Yonghong Song
2024-07-15 23:55 ` [PATCH bpf-next v3 1/2] bpf: Get better reg range with ldsx and 32bit compare Eduard Zingerman
2024-07-17 7:27 ` Shung-Hsi Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9ff9b619-aa69-42eb-9c71-39bd5ef425cc@linux.dev \
--to=yonghong.song@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.