From: "Emil Tsalapatis" <emil@etsalapatis.com>
To: "Eduard Zingerman" <eddyz87@gmail.com>, <bpf@vger.kernel.org>,
<ast@kernel.org>
Cc: <andrii@kernel.org>, <daniel@iogearbox.net>,
<martin.lau@linux.dev>, <kernel-team@fb.com>,
<yonghong.song@linux.dev>, <zhuyifei@google.com>
Subject: Re: [PATCH bpf 2/2] selftests/bpf: test fork on zero comparison with wrapping ranges
Date: Fri, 29 May 2026 13:03:13 -0400 [thread overview]
Message-ID: <DIVBMZAORQJO.3T89A5STQCKTC@etsalapatis.com> (raw)
In-Reply-To: <20260529-cnum-split-at-zero-v1-2-986c03752226@gmail.com>
On Fri May 29, 2026 at 4:13 AM EDT, Eduard Zingerman wrote:
> Add tests verifying that the verifier correctly narrows a
> sign-boundary-crossing range after comparing with zero.
> - fork_on_zero_cmp_k - BPF_K conditional instruction;
> - fork_on_zero_cmp_x -
> BPF_X conditional instruction with src being zero.
> - fork_on_zero_cmp_x_swapped -
> BPF_X conditional instruction with dst being zero.
>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
> Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
> ---
> .../testing/selftests/bpf/progs/verifier_bounds.c | 68 ++++++++++++++++++++++
> 1 file changed, 68 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> index bc038ac2df98..f97b0e109326 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> @@ -2294,4 +2294,72 @@ __naked void range_within_cnum_cross_both_boundaries(void)
> : __clobber_all);
> }
>
> +SEC("socket")
> +__success
> +__naked void fork_on_zero_cmp_k(void)
> +{
> + asm volatile (" \
> + call %[bpf_get_prandom_u32]; \
> + r0 &= 0xff; /* r0 ∈ [0, 255] */ \
> + r1 = 8; \
> + r1 -= r0; /* r1 ∈ [-247, 8] */ \
> + if r1 == 0 goto 1f; \
> + if r1 > 8 goto 1f; /* r1 ∈ [1, 8] */ \
> + if r1 < 1 goto 2f; /* must be dead */ \
> + if r1 > 8 goto 2f; /* must be dead */ \
> + goto 1f; \
> +2: r0 /= 0; /* unreachable */ \
> +1: r0 = 0; \
> + exit; \
> + "
> + :: __imm(bpf_get_prandom_u32)
> + : __clobber_all);
> +}
> +
> +SEC("socket")
> +__success
> +__naked void fork_on_zero_cmp_x(void)
> +{
> + asm volatile (" \
> + call %[bpf_get_prandom_u32]; \
> + r0 &= 0xff; /* r0 ∈ [0, 255] */ \
> + r1 = 8; \
> + r1 -= r0; /* r1 ∈ [-247, 8] */ \
> + r2 = 0; \
> + if r1 == r2 goto 1f; \
> + if r1 > 8 goto 1f; /* r1 ∈ [1, 8] */ \
> + if r1 < 1 goto 2f; /* must be dead */ \
> + if r1 > 8 goto 2f; /* must be dead */ \
> + goto 1f; \
> +2: r0 /= 0; /* unreachable */ \
> +1: r0 = 0; \
> + exit; \
> + "
> + :: __imm(bpf_get_prandom_u32)
> + : __clobber_all);
> +}
> +
> +SEC("socket")
> +__success
> +__naked void fork_on_zero_cmp_x_swapped(void)
> +{
> + asm volatile (" \
> + call %[bpf_get_prandom_u32]; \
> + r0 &= 0xff; /* r0 ∈ [0, 255] */ \
> + r1 = 8; \
> + r1 -= r0; /* r1 ∈ [-247, 8] */ \
> + r2 = 0; \
> + if r2 == r1 goto 1f; \
> + if r1 > 8 goto 1f; /* r1 ∈ [1, 8] */ \
> + if r1 < 1 goto 2f; /* must be dead */ \
> + if r1 > 8 goto 2f; /* must be dead */ \
> + goto 1f; \
> +2: r0 /= 0; /* unreachable */ \
> +1: r0 = 0; \
> + exit; \
> + "
> + :: __imm(bpf_get_prandom_u32)
> + : __clobber_all);
> +}
> +
> char _license[] SEC("license") = "GPL";
next prev parent reply other threads:[~2026-05-29 17:03 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 8:13 [PATCH bpf 0/2] bpf: fork state when comparing sign crossing ranges with zero Eduard Zingerman
2026-05-29 8:13 ` [PATCH bpf 1/2] " Eduard Zingerman
2026-05-29 8:58 ` bot+bpf-ci
2026-05-29 18:22 ` Eduard Zingerman
2026-05-29 8:59 ` sashiko-bot
2026-05-29 18:23 ` Eduard Zingerman
2026-05-29 16:57 ` Emil Tsalapatis
2026-05-29 8:13 ` [PATCH bpf 2/2] selftests/bpf: test fork on zero comparison with wrapping ranges Eduard Zingerman
2026-05-29 17:03 ` Emil Tsalapatis [this message]
2026-05-29 22:44 ` [PATCH bpf 0/2] bpf: fork state when comparing sign crossing ranges with zero Eduard Zingerman
2026-05-29 23:02 ` Ihor Solodrai
2026-05-29 23:53 ` Emil Tsalapatis
2026-06-10 11:07 ` Shung-Hsi Yu
2026-05-30 0:23 ` Eduard Zingerman
2026-05-30 0:43 ` Emil Tsalapatis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DIVBMZAORQJO.3T89A5STQCKTC@etsalapatis.com \
--to=emil@etsalapatis.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=kernel-team@fb.com \
--cc=martin.lau@linux.dev \
--cc=yonghong.song@linux.dev \
--cc=zhuyifei@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.