From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
To: "Naveen N. Rao" <naveen.n.rao@linux.ibm.com>,
Sandipan Das <sandipan@linux.ibm.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Michael Ellerman <mpe@ellerman.id.au>
Cc: bpf@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
netdev@vger.kernel.org, Jiri Olsa <jolsa@redhat.com>
Subject: bpf jit PPC64 (BE) test_verifier PTR_TO_STACK store/load failure
Date: Wed, 13 Mar 2019 12:54:16 +0200 [thread overview]
Message-ID: <xuny4l87qc2v.fsf@redhat.com> (raw)
Hi!
I found a failure:
```
# ./test_verifier 722
#722/u PTR_TO_STACK store/load FAIL retval -1 != -87117812
0: (bf) r1 = r10
1: (07) r1 += -10
2: (7a) *(u64 *)(r1 +2) = -87117812
3: (79) r0 = *(u64 *)(r1 +2)
4: (95) exit
processed 5 insns (limit 131072), stack depth 8
#722/p PTR_TO_STACK store/load FAIL retval -1 != -87117812
0: (bf) r1 = r10
1: (07) r1 += -10
2: (7a) *(u64 *)(r1 +2) = -87117812
3: (79) r0 = *(u64 *)(r1 +2)
4: (95) exit
processed 5 insns (limit 131072), stack depth 8
Summary: 0 PASSED, 0 SKIPPED, 2 FAILED
```
The reason is in the JIT. The code is jitted into:
[...]
d00000000580e7f8: f9 23 00 00 std r9,0(r3)
d00000000580e7fc: e9 03 00 02 lwa r8,0(r3)
[...]
so, it stores DW to the location r3, but loads W, i.e. in BE it is:
saves
r3: FF FF FF FF FA CE B0 0C
loads
r3: FF FF FF FF
(in LE it works semicorretly, saves 0C B0 CE FA FF FF FF FF, loads 0C B0 CE FA)
This is because of the handling of the +2 offset. For stores it is:
#define PPC_STD(r, base, i) EMIT(PPC_INST_STD | ___PPC_RS(r) | \
___PPC_RA(base) | ((i) & 0xfffc))
and for loads
#define PPC_LD(r, base, i) EMIT(PPC_INST_LD | ___PPC_RT(r) | \
___PPC_RA(base) | IMM_L(i))
#define IMM_L(i) ((uintptr_t)(i) & 0xffff)
So, in the load case the offset +2 (immediate value) is not
masked and turns the instruction to lwa instead of ld.
Would it be correct to & 0xfffc the immediate value as well?
BTW, the full run on big endian:
Summary: 1190 PASSED, 125 SKIPPED, 4 FAILED
--
WBR,
Yauheni Kaliuta
WARNING: multiple messages have this Message-ID (diff)
From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
To: "Naveen N. Rao" <naveen.n.rao@linux.ibm.com>,
Sandipan Das <sandipan@linux.ibm.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Michael Ellerman <mpe@ellerman.id.au>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, Jiri Olsa <jolsa@redhat.com>
Subject: bpf jit PPC64 (BE) test_verifier PTR_TO_STACK store/load failure
Date: Wed, 13 Mar 2019 12:54:16 +0200 [thread overview]
Message-ID: <xuny4l87qc2v.fsf@redhat.com> (raw)
Hi!
I found a failure:
```
# ./test_verifier 722
#722/u PTR_TO_STACK store/load FAIL retval -1 != -87117812
0: (bf) r1 = r10
1: (07) r1 += -10
2: (7a) *(u64 *)(r1 +2) = -87117812
3: (79) r0 = *(u64 *)(r1 +2)
4: (95) exit
processed 5 insns (limit 131072), stack depth 8
#722/p PTR_TO_STACK store/load FAIL retval -1 != -87117812
0: (bf) r1 = r10
1: (07) r1 += -10
2: (7a) *(u64 *)(r1 +2) = -87117812
3: (79) r0 = *(u64 *)(r1 +2)
4: (95) exit
processed 5 insns (limit 131072), stack depth 8
Summary: 0 PASSED, 0 SKIPPED, 2 FAILED
```
The reason is in the JIT. The code is jitted into:
[...]
d00000000580e7f8: f9 23 00 00 std r9,0(r3)
d00000000580e7fc: e9 03 00 02 lwa r8,0(r3)
[...]
so, it stores DW to the location r3, but loads W, i.e. in BE it is:
saves
r3: FF FF FF FF FA CE B0 0C
loads
r3: FF FF FF FF
(in LE it works semicorretly, saves 0C B0 CE FA FF FF FF FF, loads 0C B0 CE FA)
This is because of the handling of the +2 offset. For stores it is:
#define PPC_STD(r, base, i) EMIT(PPC_INST_STD | ___PPC_RS(r) | \
___PPC_RA(base) | ((i) & 0xfffc))
and for loads
#define PPC_LD(r, base, i) EMIT(PPC_INST_LD | ___PPC_RT(r) | \
___PPC_RA(base) | IMM_L(i))
#define IMM_L(i) ((uintptr_t)(i) & 0xffff)
So, in the load case the offset +2 (immediate value) is not
masked and turns the instruction to lwa instead of ld.
Would it be correct to & 0xfffc the immediate value as well?
BTW, the full run on big endian:
Summary: 1190 PASSED, 125 SKIPPED, 4 FAILED
--
WBR,
Yauheni Kaliuta
next reply other threads:[~2019-03-13 10:54 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-13 10:54 Yauheni Kaliuta [this message]
2019-03-13 10:54 ` bpf jit PPC64 (BE) test_verifier PTR_TO_STACK store/load failure Yauheni Kaliuta
2019-03-13 13:51 ` Naveen N. Rao
2019-03-13 13:51 ` Naveen N. Rao
2019-03-13 22:14 ` Segher Boessenkool
2019-03-13 22:14 ` Segher Boessenkool
2019-03-15 13:16 ` Naveen N. Rao
2019-03-15 13:16 ` Naveen N. Rao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xuny4l87qc2v.fsf@redhat.com \
--to=yauheni.kaliuta@redhat.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jolsa@redhat.com \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=naveen.n.rao@linux.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=sandipan@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.