From: Paul Chaignon <paul.chaignon@gmail.com>
To: Eduard Zingerman <eddyz87@gmail.com>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
Shung-Hsi Yu <shung-hsi.yu@suse.com>
Subject: Re: [PATCH bpf-next v2 3/4] selftests/bpf: Test cross-sign 64bits range refinement
Date: Sat, 26 Jul 2025 12:07:31 +0200 [thread overview]
Message-ID: <aISo449B0QhMyf2H@mail.gmail.com> (raw)
In-Reply-To: <d7f52ed7d0f0b3fd2ce8336f4161b776cfc0d628.camel@gmail.com>
On Fri, Jul 25, 2025 at 12:15:18AM -0700, Eduard Zingerman wrote:
[...]
> So, going back to the question of the test cases, here is a relevant
> part with debug prints [1]:
>
> 7: (1f) r0 -= r6
> reg_bounds_sync entry: scalar(smin=-655,smax=0xeffffeee,smin32=-783,smax32=-146)
> reg_bounds_sync __update_reg_bounds #1: scalar(smin=-655,smax=0xeffffeee,smin32=-783,smax32=-146)
> __reg32_deduce_bounds #8: scalar(smin=-655,smax=0xeffffeee,smin32=-783,smax32=-146,umin32=0xfffffcf1,umax32=0xffffff6e)
> __reg_deduce_mixed_bounds #1: scalar(smin=-655,smax=0xeffffeee,umin=umin32=0xfffffcf1, umax=0xffffffffffffff6e,smin32=-783,smax32=-146, umax32=0xffffff6e)
> reg_bounds_sync __reg_deduce_bounds #1: scalar(smin=-655,smax=0xeffffeee,umin=umin32=0xfffffcf1, umax=0xffffffffffffff6e,smin32=-783,smax32=-146, umax32=0xffffff6e)
> __reg32_deduce_bounds #7: scalar(smin=-655,smax=0xeffffeee,umin=umin32=0xfffffcf1, umax=0xffffffffffffff6e,smin32=-783,smax32=-146, umax32=0xffffff6e)
> __reg32_deduce_bounds #8: scalar(smin=-655,smax=0xeffffeee,umin=umin32=0xfffffcf1, umax=0xffffffffffffff6e,smin32=-783,smax32=-146, umax32=0xffffff6e)
> __reg64_deduce_bounds #4: scalar(smin=-655,smax=smax32=-146,umin=0xfffffffffffffd71,umax=0xffffffffffffff6e,smin32=-783,umin32=0xfffffcf1,umax32=0xffffff6e)
> __reg_deduce_mixed_bounds #1: scalar(smin=-655,smax=smax32=-146,umin=0xfffffffffffffd71,umax=0xffffffffffffff6e,smin32=-783,umin32=0xfffffcf1,umax32=0xffffff6e)
> reg_bounds_sync __reg_deduce_bounds #2: scalar(smin=-655,smax=smax32=-146,umin=0xfffffffffffffd71,umax=0xffffffffffffff6e,smin32=-783,umin32=0xfffffcf1,umax32=0xffffff6e)
> reg_bounds_sync __reg_bound_offset: scalar(smin=-655,smax=smax32=-146,umin=0xfffffffffffffd71,umax=0xffffffffffffff6e,smin32=-783,umin32=0xfffffcf1,umax32=0xffffff6e,var_off=(0xfffffffffffffc00; 0x3ff))
> reg_bounds_sync __update_reg_bounds #2: scalar(smin=-655,smax=smax32=-146,umin=0xfffffffffffffd71,umax=0xffffffffffffff6e,smin32=-783,umin32=0xfffffcf1,umax32=0xffffff6e,var_off=(0xfffffffffffffc00; 0x3ff))
>
> 8: R0=scalar(smin=-655,smax=smax32=-146,umin=0xfffffffffffffd71,umax=0xffffffffffffff6e,smin32=-783,umin32=0xfffffcf1,umax32=0xffffff6e,var_off=(0xfffffffffffffc00; 0x3ff))
> R6=scalar(smin=umin=smin32=umin32=400,smax=umax=smax32=umax32=527,var_off=(0x0; 0x3ff))
>
> Important parts are:
> a. "__reg32_deduce_bounds #8" updates umin32 and umax32
> b. "__reg_deduce_mixed_bounds #1" updates umin and umax (uses values from a)
> c. "__reg64_deduce_bounds #4" updates smax and umin (enabled by b)
>
> Only at this point there is an opportunity to refine smin32 from smin
> using rule "__reg32_deduce_bounds #2", because of the conditions for
> umin and umax (umin refinement by (c) is crucial).
> Your new check is (c).
>
> So, it looks like adding third call to __reg_deduce_bounds() in
> reg_bounds_sync() is not wrong and the change is linked to this
> patch-set.
Thanks a lot for the full analysis! I've added a patch in the v3 to call
__reg_deduce_bounds a third time. I reused your analysis and trace from
above in the patch description. Note I added you as a co-author; give
me a shout if I shouldn't have.
>
> As you say, whether there is a better way to organize all these rules
> requires further analysis, and is a bit out of scope for this
> patch-set.
>
> [1] https://github.com/kernel-patches/bpf/commit/f68d4957204f21caac67d24de40fb66e4618f354
next prev parent reply other threads:[~2025-07-26 10:07 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-24 13:41 [PATCH bpf-next v2 0/4] bpf: Improve 64bits bounds refinement Paul Chaignon
2025-07-24 13:42 ` [PATCH bpf-next v2 1/4] bpf: Improve bounds when s64 crosses sign boundary Paul Chaignon
2025-07-24 13:43 ` [PATCH bpf-next v2 2/4] selftests/bpf: Update reg_bound range refinement logic Paul Chaignon
2025-07-24 13:43 ` [PATCH bpf-next v2 3/4] selftests/bpf: Test cross-sign 64bits range refinement Paul Chaignon
2025-07-24 19:15 ` Eduard Zingerman
2025-07-24 22:01 ` Paul Chaignon
2025-07-24 23:52 ` Eduard Zingerman
2025-07-25 7:15 ` Eduard Zingerman
2025-07-26 10:07 ` Paul Chaignon [this message]
2025-07-27 22:01 ` Eduard Zingerman
2025-07-24 13:44 ` [PATCH bpf-next v2 4/4] selftests/bpf: Test invariants on JSLT crossing sign Paul Chaignon
2025-07-24 19:24 ` Eduard Zingerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aISo449B0QhMyf2H@mail.gmail.com \
--to=paul.chaignon@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=shung-hsi.yu@suse.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.