Re: [PATCH v4 bpf-next 2/4] bpf: Recognize that two registers are safe when their ranges match

BPF List
 help / color / mirror / Atom feed

From: Eduard Zingerman <eddyz87@gmail.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>, bpf@vger.kernel.org
Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org,
	 memxor@gmail.com, john.fastabend@gmail.com, kernel-team@fb.com
Subject: Re: [PATCH v4 bpf-next 2/4] bpf: Recognize that two registers are safe when their ranges match
Date: Sun, 03 Mar 2024 16:12:26 +0200	[thread overview]
Message-ID: <136a8fbc350dacbb8b8a4a4c0236c11f1c49d4cb.camel@gmail.com> (raw)
In-Reply-To: <20240302020010.95393-3-alexei.starovoitov@gmail.com>

On Fri, 2024-03-01 at 18:00 -0800, Alexei Starovoitov wrote:
> From: Alexei Starovoitov <ast@kernel.org>
> 
> When open code iterators, bpf_loop or may_goto is used the following two states
> are equivalent and safe to prune the search:
> 
> cur state: fp-8_w=scalar(id=3,smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=11,var_off=(0x0; 0xf))
> old state: fp-8_rw=scalar(id=2,smin=umin=smin32=umin32=1,smax=umax=smax32=umax32=11,var_off=(0x0; 0xf))
> 
> In other words "exact" state match should ignore liveness and precision marks,
> since open coded iterator logic didn't complete their propagation,
> but range_within logic that applies to scalars, ptr_to_mem, map_value, pkt_ptr
> is safe to rely on.
>
> Avoid doing such comparison when regular infinite loop detection logic is used,
> otherwise bounded loop logic will declare such "infinite loop" as false
> positive. Such example is in progs/verifier_loops1.c not_an_inifinite_loop().
>
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>

I think this makes sense, don't see counter-examples at the moment.
One nit below.

Also, I'm curious if there is veristat results impact,
could be huge for some cases with bpf_loop().

[...]

> @@ -17257,7 +17263,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
>  		 */
>  		loop_entry = get_loop_entry(&sl->state);
>  		force_exact = loop_entry && loop_entry->branches > 0;
> -		if (states_equal(env, &sl->state, cur, force_exact)) {
> +		if (states_equal(env, &sl->state, cur, force_exact ? EXACT : NOT_EXACT)) {

Logically this checks same condition as checks for calls_callback() or
is_iter_next_insn() above: whether current state is equivalent to some
old state, where old state had not been tracked to 'exit' for each
possible path yet.
Thus, 'exact' flags used in these checks should be the same:
"force_exact ? RANGE_WITHIN : NOT_EXACT".

>  			if (force_exact)
>  				update_loop_entry(cur, loop_entry);
>  hit:

next prev parent reply	other threads:[~2024-03-03 14:12 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-02  2:00 [PATCH v4 bpf-next 0/4] bpf: Introduce may_goto and cond_break Alexei Starovoitov
2024-03-02  2:00 ` [PATCH v4 bpf-next 1/4] bpf: Introduce may_goto instruction Alexei Starovoitov
2024-03-04 11:55   ` Eduard Zingerman
2024-03-04 16:59     ` Alexei Starovoitov
2024-03-02  2:00 ` [PATCH v4 bpf-next 2/4] bpf: Recognize that two registers are safe when their ranges match Alexei Starovoitov
2024-03-03 14:12   ` Eduard Zingerman [this message]
2024-03-03 17:21     ` Alexei Starovoitov
2024-03-05  3:44       ` Alexei Starovoitov
2024-03-02  2:00 ` [PATCH v4 bpf-next 3/4] bpf: Add cond_break macro Alexei Starovoitov
2024-03-02  2:00 ` [PATCH v4 bpf-next 4/4] selftests/bpf: Test may_goto Alexei Starovoitov
2024-03-04 16:45 ` [PATCH v4 bpf-next 0/4] bpf: Introduce may_goto and cond_break dthaler1968
2024-03-04 16:45   ` [Bpf] " dthaler1968=40googlemail.com
2024-03-04 17:05   ` Alexei Starovoitov
2024-03-04 17:05     ` [Bpf] " Alexei Starovoitov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=136a8fbc350dacbb8b8a4a4c0236c11f1c49d4cb.camel@gmail.com \
    --to=eddyz87@gmail.com \
    --cc=alexei.starovoitov@gmail.com \
    --cc=andrii@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=john.fastabend@gmail.com \
    --cc=kernel-team@fb.com \
    --cc=martin.lau@kernel.org \
    --cc=memxor@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox