From: Paul Chaignon <paul.chaignon@gmail.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Eduard Zingerman <eddyz87@gmail.com>, bpf <bpf@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>
Subject: Re: [PATCH bpf] bpf: Don't run arg-tracking analysis twice on main subprog
Date: Mon, 11 May 2026 12:19:47 +0200 [thread overview]
Message-ID: <agGtQ0PY3ziCoFsn@mail.gmail.com> (raw)
In-Reply-To: <CAADnVQLpbXdoqo11c1a4mS5XYPG+5WXrd+MP9EFoDGj1_B0uaQ@mail.gmail.com>
On Sat, May 09, 2026 at 04:16:10PM -0700, Alexei Starovoitov wrote:
> On Sat, May 9, 2026 at 4:50 AM Eduard Zingerman <eddyz87@gmail.com> wrote:
> >
> > On Fri, 2026-05-08 at 16:24 -0700, Alexei Starovoitov wrote:
> > > On Thu, May 7, 2026 at 11:22 AM Paul Chaignon <paul.chaignon@gmail.com> wrote:
> > > >
> > > > Because subprog 0, the main subprog, is considered a global function,
> > > > we end up running the arg-tracking dataflow analysis twice on it. That
> > > > results in slightly longer verification but mostly in more verbose
> > > > verifier logs. This patch fixes it by keeping only the iteration over
> > > > global subprogs.
> > > >
> > > > When running over all of Cilium's programs with BPF_LOG_LEVEL2, this
> > > > reduces verbosity by ~20% on average.
> > > >
> > > > Fixes: bf0c571f7feb6 ("bpf: introduce forward arg-tracking dataflow analysis")
> > > > Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
> > > > ---
> > > > kernel/bpf/liveness.c | 11 ++---------
> > > > 1 file changed, 2 insertions(+), 9 deletions(-)
> > > >
> > > > diff --git a/kernel/bpf/liveness.c b/kernel/bpf/liveness.c
> > > > index 332e6e003f27..505250998f36 100644
> > > > --- a/kernel/bpf/liveness.c
> > > > +++ b/kernel/bpf/liveness.c
> > > > @@ -1914,15 +1914,6 @@ int bpf_compute_subprog_arg_access(struct bpf_verifier_env *env)
> > > > return -ENOMEM;
> > > > }
> > > >
> > > > - instance = call_instance(env, NULL, 0, 0);
> > > > - if (IS_ERR(instance)) {
> > > > - err = PTR_ERR(instance);
> > > > - goto out;
> > > > - }
> > > > - err = analyze_subprog(env, NULL, info, instance, callsites);
> > > > - if (err)
> > > > - goto out;
> > > > -
> > > > /*
> > > > * Subprogs and callbacks that don't receive FP-derived arguments
> > > > * cannot access ancestor stack frames, so they were skipped during
> > > > @@ -1934,6 +1925,8 @@ int bpf_compute_subprog_arg_access(struct bpf_verifier_env *env)
> > > > * each subprog is analyzed before its callees, allowing the
> > > > * recursive walk inside analyze_subprog() to naturally
> > > > * reach nested callees that also lack FP-derived args.
> > > > + *
> > > > + * Note the main subprog is also analyzed as part of this loop.
> > > > */
> > >
> > > Thanks for the report.
> > > I guess the fix is correct.
> > > This part of the comment needs to be adjusted:
> > > "they were skipped during
> > > * the recursive walk above."
> > >
> > > I wonder whether something like this is cleaner?
> > > - if (info[sub].at_in && !bpf_subprog_is_global(env, sub))
> > > + if (info[sub].at_in && (!bpf_subprog_is_global(env,
> > > sub) || sub == 0))
> > >
> > > This part of the comment:
> > > "Async callbacks (timer, workqueue) are
> > > * also not reachable from the main program's call graph."
> > >
> > > is also not quite correct.
> > > In here:
> > > } else if (bpf_calls_callback(env, idx)) {
> > > callee = find_callback_subprog(env, insn, idx,
> > > &caller_reg, &cb_callee_reg);
> > >
> > > they could have been reached, but find_callback_subprog()
> > > will ignore timers because FP-derived args won't be passed
> > > into them.
> > >
> > > Eduard,
> > > wdyt?
> >
> > This is a nice catch. Idk if 'sub == 0' part is necessary, tbh.
> > Paul, please add my acked-by when you respin with fixed comments.
> >
> > Acked-by: Eduard Zingerman <eddyz87@gmail.com>
>
> Reworded myself and applied.
Thanks!
prev parent reply other threads:[~2026-05-11 10:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 18:22 [PATCH bpf] bpf: Don't run arg-tracking analysis twice on main subprog Paul Chaignon
2026-05-08 23:24 ` Alexei Starovoitov
2026-05-09 11:50 ` Eduard Zingerman
2026-05-09 23:16 ` Alexei Starovoitov
2026-05-11 10:19 ` Paul Chaignon [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agGtQ0PY3ziCoFsn@mail.gmail.com \
--to=paul.chaignon@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=memxor@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.