Re: [PATCH v2 bpf-next 2/6] bpf: Use bpf_verifier_env buffers for reg_set_min_max

[Paul Chaignon <paul.chaignon@gmail.com>]

On Tue, Mar 31, 2026 at 10:28:06PM +0800, KaFai Wan wrote:
> On Mon, 2026-03-30 at 14:05 +0200, Paul Chaignon wrote:
> > On Mon, Mar 23, 2026 at 11:42:11AM -0700, Eduard Zingerman wrote:
> > > On Fri, 2026-03-20 at 17:49 +0100, Paul Chaignon wrote:
> > 
> > [...]
> > 
> > > > @@ -17196,30 +17192,23 @@ static int reg_set_min_max(struct bpf_verifier_env *env,
> > > >  	 * variable offset from the compare (unless they were a pointer into
> > > >  	 * the same object, but we don't bother with that).
> > > >  	 */
> > > > -	if (false_reg1->type != SCALAR_VALUE || false_reg2->type != SCALAR_VALUE)
> > > > -		return 0;
> > > > -
> > > > -	/* We compute branch direction for same SCALAR_VALUE registers in
> > > > -	 * is_scalar_branch_taken(). For unknown branch directions (e.g., BPF_JSET)
> > > > -	 * on the same registers, we don't need to adjust the min/max values.
> > > > -	 */
> > > > -	if (false_reg1 == false_reg2)
> > > 
> > > A side note:
> > > 
> > > The above hunk was added as a part of [1] to mitigate some invariant
> > > violation errors. Surprisingly, none of the tests added in [1] fail
> > > on current master if above hunk is commented out. Probably due to
> > > recent improvements in bounds deduction. Should we remove these
> > > tests as a part of the series?
> > > 
> > > [1] https://lore.kernel.org/all/20251103063108.1111764-3-kafai.wan@linux.dev/
> > 
> > Nice catch! Out of those five new tests, the three "jset on same
> > register, scalar value unknown branch" never fail if you revert the
> > commit they were testing, even at the time they were added. I believe
> 
> the five tests in [1] were intended to test the code:
> 
> 	if (reg1 == reg2) {
> 		switch (opcode) {
> 		case BPF_JGE:
> 		case BPF_JLE:
> 		case BPF_JSGE:
> 		case BPF_JSLE:
> 		case BPF_JEQ:
> 			return 1;
> 		case BPF_JGT:
> 		case BPF_JLT:
> 		case BPF_JSGT:
> 		case BPF_JSLT:
> 		case BPF_JNE:
> 			return 0;
> 		case BPF_JSET:
> 			if (tnum_is_const(t1))
> 				return t1.value != 0;
> 			else
> 				return (smin1 <= 0 && smax1 >= 0) ? -1 : 1;
> 		default:
> 			return -1;
> 		}
> 	}
> 
> Indeed, the three "jset on same register, scalar value unknown branch" tests never fail. 
> We always know if the branch taken or not on BPF_JSET, and `regs_refine_cond_op` does not 
> adjust the min/max values on BPF_JSET as it does for BPF_JLT.

Ok, let's keep these tests then :)

> 
> > these three tests were intended to cover the above "false_reg1 ==
> > false_reg2" check and supposed to fail with an invariant violation when
> > the check is missing.
> > 
> > I believe this check was never actually needed. For an invariant
> 
> this check can skip the pointless work on the same registers as Alexei said in [3].

I see. So not intended to fix the invariant violation but just avoid
unnecessary work. That makes sense, thanks!

> 
> [3] https://lore.kernel.org/bpf/CAADnVQKdMcOkkqNa3LbGWqsz9iHAODFSinokj6htbGi0N66h_Q@mail.gmail.com/
> 
> > violation to happen, we need regs_refine_cond_op to refine a register
> > based on a incorrectly-detected branch being verified. For jset, that
> > can only happen if one of the two registers is constant. In our case,
> > that would mean both registers are constant. But if both registers are
> > constant, then is_scalar_branch_taken is always able to precisely
> > deduce the outcome of the jset. Hence, we wouldn't even reach this
> > "false_reg1 == false_reg2" check.
> > 
> > I think I'll remove this check in a preparatory commit, along with the
> > related selftests and an explanation why it's all not-needed. Cc'ing
> > KaFai Wan in case I missed something.
> > 
> > > 
> > > [...]
> 
> -- 
> Thanks,
> KaFai