From: Paul Chaignon <paul.chaignon@gmail.com>
To: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Yonghong Song <yonghong.song@linux.dev>
Subject: Re: [PATCH bpf-next 1/4] bpf: Improve bounds when s64 crosses sign boundary
Date: Wed, 23 Jul 2025 00:09:52 +0200 [thread overview]
Message-ID: <aIAMMHJaFG9bWxJC@mail.gmail.com> (raw)
In-Reply-To: <nlfoz2zdvtrkqlxgkuvltredidcisbkkojxrqdlcnazz2s2yrp@an6hfajlukx5>
On Tue, Jul 22, 2025 at 03:32:03PM +0800, Shung-Hsi Yu wrote:
> On Sat, Jul 19, 2025 at 04:22:05PM +0200, Paul Chaignon wrote:
[...]
> > + /* If the s64 range crosses the sign boundary, then it's split
> > + * between the beginning and end of the U64 domain. In that
> > + * case, we can derive new bounds if the u64 range overlaps
> > + * with only one end of the s64 range.
> > + *
> > + * In the following example, the u64 range overlaps only with
> > + * positive portion of the s64 range.
> > + *
> > + * 0 U64_MAX
> > + * | [xxxxxxxxxxxxxx u64 range xxxxxxxxxxxxxx] |
> > + * |----------------------------|----------------------------|
> > + * |xxxxx s64 range xxxxxxxxx] [xxxxxxx|
> > + * 0 S64_MAX S64_MIN -1
> > + *
> > + * We can thus derive the following new s64 and u64 ranges.
> > + *
> > + * 0 U64_MAX
> > + * | [xxxxxx u64 range xxxxx] |
> > + * |----------------------------|----------------------------|
> > + * | [xxxxxx s64 range xxxxx] |
> > + * 0 S64_MAX S64_MIN -1
> > + *
> > + * If they overlap in two places, we can't derive anything
> > + * because reg_state can't represent two ranges per numeric
> > + * domain.
> > + *
> > + * 0 U64_MAX
> > + * | [xxxxxxxxxxxxxxxxx u64 range xxxxxxxxxxxxxxxxx] |
> > + * |----------------------------|----------------------------|
> > + * |xxxxx s64 range xxxxxxxxx] [xxxxxxxxxx|
> > + * 0 S64_MAX S64_MIN -1
> > + *
> > + * The first condition below corresponds to the diagram above.
> > + * The second condition considers the case where the u64 range
> > + * overlaps with the negative porition of the s64 range.
> > + */
> > + if (reg->umax_value < (u64)reg->smin_value) {
> > + reg->smin_value = (s64)reg->umin_value;
> > + reg->umax_value = min_t(u64, reg->umax_value, reg->smax_value);
>
> Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
>
> Just one question/comment: could the u64 and s64 ranges be disjoint? Say
>
> 0 U64_MAX
> | [xxx u64 range xxx] |
> |----------------------------|----------------------------|
> |xxxxx s64 range xxxxxxxxx] [xxxxxxx|
> 0 S64_MAX S64_MIN -1
>
> If such case this code still works as the s64 range gets a bit wider at
> the smin end (thus still safe), and u64 range stays unchanged.
>
> That said if the u64 and s64 range always overlaps somewhere, it may be
> an invariant we want to check in reg_bounds_sanity_check(). I seems to
> have some vague memory that with conditionals jumps it may be possible
> to produce such disjoint signed & unsigned ranges, but I'm not sure if
> that is still true.
My assumption is that the u64 and s64 ranges can't be disjoint or that
would mean the register can't have any value. As you noted, even if that
were to happen, we would only lose some precision, i.e. the refinement
stays sound.
I considered returning an error from __reg64_deduce_bounds if that
invariant doesn't hold, but propagating it gets a bit messy. Adding it
to reg_bounds_sanity_check would likely be cleaner. Though to be
honest, I was hoping to see the impact of the present changes on the
syzbot reports before adding even more opportunities for invariant
violation reports :)
>
> > + } else if ((u64)reg->smax_value < reg->umin_value) {
> > + reg->smax_value = (s64)reg->umax_value;
> > + reg->umin_value = max_t(u64, reg->umin_value, reg->smin_value);
> > + }
> > }
> > }
> >
> > --
> > 2.43.0
> >
next prev parent reply other threads:[~2025-07-22 22:09 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-19 14:20 [PATCH bpf-next 0/4] bpf: Improve 64bits bounds refinement Paul Chaignon
2025-07-19 14:22 ` [PATCH bpf-next 1/4] bpf: Improve bounds when s64 crosses sign boundary Paul Chaignon
2025-07-21 21:29 ` Eduard Zingerman
2025-07-22 7:32 ` Shung-Hsi Yu
2025-07-22 22:09 ` Paul Chaignon [this message]
2025-07-23 7:49 ` Shung-Hsi Yu
2025-07-19 14:22 ` [PATCH bpf-next 2/4] selftests/bpf: Update reg_bound range refinement logic Paul Chaignon
2025-07-21 21:29 ` Eduard Zingerman
2025-07-22 21:20 ` Paul Chaignon
2025-07-22 21:26 ` Eduard Zingerman
2025-07-19 14:23 ` [PATCH bpf-next 3/4] selftests/bpf: Test cross-sign 64bits range refinement Paul Chaignon
2025-07-21 21:30 ` Eduard Zingerman
2025-07-24 14:03 ` Paul Chaignon
2025-07-19 14:24 ` [PATCH bpf-next 4/4] selftests/bpf: Test invariants on JSLT crossing sign Paul Chaignon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aIAMMHJaFG9bWxJC@mail.gmail.com \
--to=paul.chaignon@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=shung-hsi.yu@suse.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.