From: Eduard Zingerman <eddyz87@gmail.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>, bpf@vger.kernel.org
Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org,
memxor@gmail.com, kernel-team@fb.com
Subject: Re: [PATCH bpf-next] bpf: Relax precision marking in open coded iters and may_goto loop.
Date: Wed, 22 May 2024 17:02:06 -0700 [thread overview]
Message-ID: <15a3deb272983d2d165dd1ac0d1a7750b200a922.camel@gmail.com> (raw)
In-Reply-To: <20240522024713.59136-1-alexei.starovoitov@gmail.com>
On Tue, 2024-05-21 at 19:47 -0700, Alexei Starovoitov wrote:
[...]
> Skipping precision mark at if (i > 1000) keeps 'i' imprecise,
> but arr[i] will mark 'i' as precise anyway, because 'arr' is a map.
> On the next iteration of the loop the patch does copy_precision()
> that copies precision markings for top of the loop into next state
> of the loop. So on the next iteration 'i' will be seen as precise.
Could you please elaborate a bit on why copy_precision() is necessary?
In general, the main idea of the patch is to skip precision marks in
certain cases, meaning that strictly more branches would be explored,
and it does not seem that copy_precision() is needed for safety reasons.
I tried turning copy_precision() off and see a single test failing:
$ ./test_progs -vvv -a iters/task_vma
...
; bpf_for_each(task_vma, vma, task, 0) { @ iters_task_vma.c:30
35: (55) if r0 != 0x0 goto pc-15 21: R0_w=ptr_vm_area_struct(id=1002) R6=1000 R10=fp0 fp-8=iter_task_vma(ref_id=1,state=active,depth=1001) refs=1
; if (bpf_cmp_unlikely(seen, >=, 1000)) @ iters_task_vma.c:31
21: (35) if r6 >= 0x3e8 goto pc+14 ; R6=1000 refs=1
; vm_ranges[seen].vm_start = vma->vm_start; @ iters_task_vma.c:34
22: (bf) r1 = r6
REG INVARIANTS VIOLATION (alu): range bounds violation u64=[0x3e8, 0x3e7] s64=[0x3e8, 0x3e7] u32=[0x3e8, 0x3e7] s32=[0x3e8, 0x3e8] var_off=(0x3e8, 0x0)
23: R1_w=1000 R6=1000 refs=1
23: (67) r1 <<= 4 ; R1_w=16000 refs=1
24: (18) r2 = 0xffffc90000342008 ; R2_w=map_value(map=iters_ta.bss,ks=4,vs=16008,off=8) refs=1
26: (0f) r2 += r1 ; R1_w=16000 R2_w=map_value(map=iters_ta.bss,ks=4,vs=16008,off=16008) refs=1
27: (79) r1 = *(u64 *)(r0 +0) ; R0_w=ptr_vm_area_struct(id=1002) R1_w=scalar() refs=1
28: (7b) *(u64 *)(r2 +0) = r1
invalid access to map value, value_size=16008 off=16008 size=8
R2 min value is outside of the allowed memory range
processed 27035 insns (limit 1000000) max_states_per_insn 65 total_states 2003 peak_states 1008 mark_read 2
I wonder, what if we forgo the 'ignore_bad_range' flag and instead
consider branches with invalid range as impossible?
E.g. when pred == -2. Or when prediction says that branch would be
taken and another branch leads to invalid range.
I'll give it a try later this evening, but still curious about the
reasoning behind copy_precision().
[...]
next prev parent reply other threads:[~2024-05-23 0:02 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-22 2:47 [PATCH bpf-next] bpf: Relax precision marking in open coded iters and may_goto loop Alexei Starovoitov
2024-05-22 17:33 ` Andrii Nakryiko
2024-05-22 21:09 ` Alexei Starovoitov
2024-05-24 4:19 ` Alexei Starovoitov
2024-05-22 20:18 ` Eduard Zingerman
2024-05-22 21:13 ` Alexei Starovoitov
2024-05-22 21:54 ` Eduard Zingerman
2024-05-23 0:02 ` Eduard Zingerman [this message]
2024-05-23 2:31 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=15a3deb272983d2d165dd1ac0d1a7750b200a922.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
--cc=memxor@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox