Re: [PATCH bpf-next 2/3] bpf: check bpf_func_state->callback_depth when pruning states

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Yonghong Song <yonghong.song@linux.dev>
To: Eduard Zingerman <eddyz87@gmail.com>,
	bpf@vger.kernel.org, ast@kernel.org
Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev,
	kernel-team@fb.com, kuniyu@amazon.com
Subject: Re: [PATCH bpf-next 2/3] bpf: check bpf_func_state->callback_depth when pruning states
Date: Mon, 19 Feb 2024 16:25:22 -0800	[thread overview]
Message-ID: <f21c1a87-a657-407b-a074-496503edd20e@linux.dev> (raw)
In-Reply-To: <9e19786565a3fbfea58dcd25bba644fe8e0ed6b0.camel@gmail.com>


On 2/16/24 6:27 AM, Eduard Zingerman wrote:
> On Wed, 2024-02-14 at 09:42 -0800, Yonghong Song wrote:
>
>>>    .------------------------------------- Checkpoint / State name
>>>    |    .-------------------------------- Code point number
>>>    |    |   .---------------------------- Stack state {ctx.a,ctx.b,ctx.c}
>>>    |    |   |        .------------------- Callback depth in frame #0
>>>    v    v   v        v
>>> 1  - (0) {7P,7P,7},depth=0
>>> 2    - (3) {7P,7P,7},depth=1
>>> 3      - (0) {7P,7P,42},depth=1
>>> (a)      - (3) {7P,7,42},depth=2
>>> 4          - (0) {7P,7,42},depth=2      loop terminates because of depth limit
>>> 5            - (4) {7P,7,42},depth=0    predicted false, ctx.a marked precise
>>> 6            - (6) exit
>>> 7        - (2) {7P,7,42},depth=2
>>> 8          - (0) {7P,42,42},depth=2     loop terminates because of depth limit
>>> 9            - (4) {7P,42,42},depth=0   predicted false, ctx.a marked precise
>>> 10           - (6) exit
>>> (b)      - (1) {7P,7P,42},depth=2
>>> 11         - (0) {42P,7P,42},depth=2    loop terminates because of depth limit
>>> 12           - (4) {42P,7P,42},depth=0  predicted false, ctx.{a,b} marked precise
>>> 13           - (6) exit
>>> 14   - (2) {7P,7,7},depth=1
>>> 15     - (0) {7P,42,7},depth=1          considered safe, pruned using checkpoint (a)
>>> (c)  - (1) {7P,7P,7},depth=1            considered safe, pruned using checkpoint (b)
>> For the above line
>>      (c)  - (1) {7P,7P,7},depth=1            considered safe, pruned using checkpoint (b)
>> I would change to
>>      (c)  - (1) {7P,7P,7},depth=1
>>             - (0) {42P, 7P, 7},depth = 1     considered safe, pruned using checkpoint (11)
> At that point:
> - there is a checkpoint at (1) with state {7P,7P,42}
> - verifier is at (1) in state {7,7,7}
> Thus, verifier won't proceed to (0) because {7,7,7} is states_equal to {7P,7P,42}.

Okay, I think the above example has BPF_F_TEST_STATE_FREQ set as in Patch 3. It will
be great if you can explicitly mention this (BPF_F_TEST_STATE_FREQ) in the commit message.
With this flag,
   (c)  - (1) {7P,7P,7},depth=1            considered safe, pruned using checkpoint (b)
is correct.

But then for
   14   - (2) {7P,7,7},depth=1
   15     - (0) {7P,42,7},depth=1          considered safe, pruned using checkpoint (a)
The state
   14   - (2) {7P,7,7},depth=1
will have state equal to
    7        - (2) {7P,7,42},depth=2
right?
   

>
>> For
>> 14   - (2) {7P,7,7},depth=1
>> 15     - (0) {7P,42,7},depth=1          considered safe, pruned using checkpoint (a)
>> I suspect for line 15, the pruning uses checking point at line (8).
> Right, because checkpoints for a particular insn form a stack. My bad.
>
>> Other than the above, the diagram LGTM.
> Thank you for the feedback, I'll post v2 shortly.

next prev parent reply	other threads:[~2024-02-20  0:25 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-12 14:38 [PATCH bpf-next 0/3] check bpf_func_state->callback_depth when pruning states Eduard Zingerman
2024-02-12 14:38 ` [PATCH bpf-next 1/3] selftests/bpf: update tcp_custom_syncookie to use scalar packet offset Eduard Zingerman
2024-02-12 23:58   ` Yonghong Song
2024-02-12 14:38 ` [PATCH bpf-next 2/3] bpf: check bpf_func_state->callback_depth when pruning states Eduard Zingerman
2024-02-13  1:20   ` Yonghong Song
2024-02-13 14:21     ` Eduard Zingerman
2024-02-13 18:14       ` Eduard Zingerman
2024-02-14 17:42         ` Yonghong Song
2024-02-16 14:27           ` Eduard Zingerman
2024-02-20  0:25             ` Yonghong Song [this message]
2024-02-20 17:13               ` Eduard Zingerman
2024-02-12 14:38 ` [PATCH bpf-next 3/3] selftests/bpf: test case for callback_depth states pruning logic Eduard Zingerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f21c1a87-a657-407b-a074-496503edd20e@linux.dev \
    --to=yonghong.song@linux.dev \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=kernel-team@fb.com \
    --cc=kuniyu@amazon.com \
    --cc=martin.lau@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.