From: Paul Chaignon <paul.chaignon@gmail.com>
To: Eduard Zingerman <eddyz87@gmail.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org,
daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com,
yonghong.song@linux.dev, emil@etsalapatis.com, arighi@nvidia.com,
shung-hsi.yu@suse.com
Subject: Re: [PATCH bpf v2 2/2] selftests/bpf: test refining u32/s32 bounds when ranges cross min/max boundary
Date: Fri, 6 Mar 2026 01:21:28 +0100 [thread overview]
Message-ID: <aaoeCEn0-_KWvSPS@Tunnel> (raw)
In-Reply-To: <20260305-bpf-32-bit-range-overflow-v2-2-7169206a3041@gmail.com>
On Thu, Mar 05, 2026 at 11:48:23AM -0800, Eduard Zingerman wrote:
> Two test cases for signed/unsigned 32-bit bounds refinement
> when s32 range crosses the sign boundary:
> - s32 range [S32_MIN..1] overlapping with u32 range [3..U32_MAX],
> s32 range tail before sign boundary overlaps with u32 range.
> - s32 range [-3..5] overlapping with u32 range [0..S32_MIN+3],
> s32 range head after the sign boundary overlaps with u32 range.
>
> This covers both branches added in the __reg32_deduce_bounds().
>
> Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
> ---
As mentioned in the other thread, we can now also switch the
BPF_F_TEST_REG_INVARIANTS flag on the existing test:
diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
index 60ef97695915..e526315c718a 100644
--- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
+++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
@@ -1148,7 +1148,7 @@ l0_%=: r0 = 0; \
SEC("xdp")
__description("bound check with JMP32_JSLT for crossing 32-bit signed boundary")
__success __retval(0)
-__flag(!BPF_F_TEST_REG_INVARIANTS) /* known invariants violation */
+__flag(BPF_F_TEST_REG_INVARIANTS)
__naked void crossing_32_bit_signed_boundary_2(void)
{
asm volatile ("
With that,
Reviewed-by: Paul Chaignon <paul.chaignon@gmail.com>
> .../testing/selftests/bpf/progs/verifier_bounds.c | 37 ++++++++++++++++++++++
> 1 file changed, 37 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> index 97065a26cf70603c3e4b8d43d3a04248828398fc..60ef976959153d25c19ba08c3c2f265d8d83b33e 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> @@ -2000,4 +2000,41 @@ __naked void bounds_refinement_multiple_overlaps(void *ctx)
> : __clobber_all);
> }
>
> +SEC("socket")
> +__success
> +__flag(BPF_F_TEST_REG_INVARIANTS)
> +__naked void signed_unsigned_intersection32_case1(void *ctx)
> +{
> + asm volatile(" \
> + call %[bpf_get_prandom_u32]; \
> + w0 &= 0xffffffff; \
> + if w0 < 0x3 goto 1f; /* on fall-through u32 range [3..U32_MAX] */ \
> + if w0 s> 0x1 goto 1f; /* on fall-through s32 range [S32_MIN..1] */ \
> + if w0 s< 0x0 goto 1f; /* range can be narrowed to [S32_MIN..-1] */ \
> + r10 = 0; /* thus predicting the jump. */ \
> +1: exit; \
> +" :
> + : __imm(bpf_get_prandom_u32)
> + : __clobber_all);
> +}
> +
> +SEC("socket")
> +__success
> +__flag(BPF_F_TEST_REG_INVARIANTS)
> +__naked void signed_unsigned_intersection32_case2(void *ctx)
> +{
> + asm volatile(" \
> + call %[bpf_get_prandom_u32]; \
> + w0 &= 0xffffffff; \
> + if w0 > 0x80000003 goto 1f; /* on fall-through u32 range [0..S32_MIN+3] */ \
> + if w0 s< -3 goto 1f; /* on fall-through s32 range [-3..S32_MAX] */ \
> + if w0 s> 5 goto 1f; /* on fall-through s32 range [-3..5] */ \
> + if w0 <= 5 goto 1f; /* range can be narrowed to [0..5] */ \
> + r10 = 0; /* thus predicting the jump */ \
> +1: exit; \
> +" :
> + : __imm(bpf_get_prandom_u32)
> + : __clobber_all);
> +}
> +
> char _license[] SEC("license") = "GPL";
>
> --
> 2.53.0
>
next prev parent reply other threads:[~2026-03-06 0:21 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-05 19:48 [PATCH bpf v2 0/2] bpf: refine u32/s32 bounds when ranges cross min/max boundary Eduard Zingerman
2026-03-05 19:48 ` [PATCH bpf v2 1/2] " Eduard Zingerman
2026-03-05 20:28 ` bot+bpf-ci
2026-03-05 20:31 ` Eduard Zingerman
2026-03-05 20:51 ` Emil Tsalapatis
2026-03-06 0:13 ` Paul Chaignon
2026-03-06 0:18 ` Eduard Zingerman
2026-03-06 0:24 ` Paul Chaignon
2026-03-12 6:45 ` Shung-Hsi Yu
2026-03-17 15:37 ` Paul Chaignon
2026-03-19 7:03 ` Shung-Hsi Yu
2026-03-19 10:21 ` Paul Chaignon
2026-03-05 19:48 ` [PATCH bpf v2 2/2] selftests/bpf: test refining " Eduard Zingerman
2026-03-05 19:54 ` Eduard Zingerman
2026-03-05 20:54 ` Emil Tsalapatis
2026-03-05 20:55 ` Emil Tsalapatis
2026-03-06 0:21 ` Paul Chaignon [this message]
2026-03-05 22:59 ` [PATCH bpf v2 0/2] bpf: refine " Eduard Zingerman
2026-03-06 5:17 ` Shung-Hsi Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aaoeCEn0-_KWvSPS@Tunnel \
--to=paul.chaignon@gmail.com \
--cc=andrii@kernel.org \
--cc=arighi@nvidia.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=emil@etsalapatis.com \
--cc=kernel-team@fb.com \
--cc=martin.lau@linux.dev \
--cc=shung-hsi.yu@suse.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.