From: sashiko-bot@kernel.org
To: "Paul Chaignon" <paul.chaignon@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH RFC bpf-next 2/7] selftests/bpf: Test for empty intersection of tnum and u64
Date: Thu, 16 Apr 2026 18:53:19 +0000 [thread overview]
Message-ID: <20260416185320.2262BC2BCAF@smtp.kernel.org> (raw)
In-Reply-To: <cf4061f2e91d271f1f44160a0b87a87ec6df5428.1776344897.git.paul.chaignon@gmail.com>
Sashiko AI review found 2 potential issue(s):
- [Medium] Fragile test design relies on verifier's ignorance of `bpf_get_prandom_u32()` bounds, risking silent test decay.
- [Low] Misplaced and factually incorrect inline comments misrepresent verifier state.
--
commit 8da3729bc39d37f67823aa031e7ba1b8b0d69fe0
Author: Paul Chaignon <paul.chaignon@gmail.com>
selftests/bpf: Test for empty intersection of tnum and u64
This patch adds a verifier selftest for the case where tnum and u64
don't intersect on a branch, allowing the verifier to deduce that the
branch is dead code.
> diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> index c1ae013dee29c..151c7a479a6b8 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> @@ -2184,4 +2184,29 @@ __naked void tnums_equal_impossible_constant(void *ctx)
[ ... ]
> +SEC("socket")
> +__description("dead branch: tnum and u64 don't intersect on true branch")
> +__success
> +__naked void empty_tnum_u64_intersection(void *ctx)
> +{
> + asm volatile(" \
> + call %[bpf_get_prandom_u32]; \
> + r6 = r0; \
> + r1 = 0xe00000002 ll; \
> + r2 = 0xf00000000 ll; \
> + if r6 s< r1 goto +2; \
Will this test silently decay if the verifier improves its tracking of helper
return values?
bpf_get_prandom_u32() returns a 32-bit unsigned integer. If the verifier is
updated to track that this helper returns a value bounded by 0xffffffff, it
will statically deduce that the condition r6 s< 0xe00000002 is always true.
This would prune the fallthrough path as dead code, causing the test to
silently pass without ever exercising the complex tnum vs u64 intersection
logic it was explicitly created to test.
Could we use a true 64-bit unknown scalar, such as bpf_ktime_get_ns(), to
ensure the test remains robust?
> + /* On fallthrough, r6's u64=[0xe00000002;0xf00000000] */ \
> + /* tnum=(0xe00000000; 0x1ffffffff) */ \
> + if r6 s> r2 goto +1; \
Are these inline comments misplaced?
The upper bound of 0xf00000000 is only established after the
if r6 s> r2 goto +1 instruction falls through, not before it.
> + /* On fallthrough, r6's tnum=(0xe00000001; 0x100000000) */ \
> + /* It doesn't intersect with the u64 so the condition is always false */ \
> + if w6 == 1 goto +1; \
Does this tnum state actually exist on the fallthrough?
According to the verifier log in the commit message, the tnum state of
(0xe00000001; 0x100000000) only exists on the true branch of
if w6 == 1 goto +1, not on the fallthrough.
Describing the taken branch as a fallthrough and placing the state annotations
before the instructions that actually establish them might make the test code
confusing for maintainers trying to understand the exact verifier state at
each step.
> + exit; \
> + r10 = 0; \
> + exit; \
> +" :
> + : __imm(bpf_get_prandom_u32)
> + : __clobber_all);
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1776344897.git.paul.chaignon@gmail.com?part=2
next prev parent reply other threads:[~2026-04-16 18:53 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-16 13:09 [PATCH RFC bpf-next 0/7] bpf: Fix reg_bounds' slow mode and improve verifier refinement Paul Chaignon
2026-04-16 13:11 ` [PATCH RFC bpf-next 1/7] bpf/verifier: Use intersection checks when simulating to detect dead branches Paul Chaignon
2026-04-16 14:03 ` bot+bpf-ci
2026-04-16 18:39 ` sashiko-bot
2026-04-16 13:12 ` [PATCH RFC bpf-next 2/7] selftests/bpf: Test for empty intersection of tnum and u64 Paul Chaignon
2026-04-16 14:03 ` bot+bpf-ci
2026-04-16 18:53 ` sashiko-bot [this message]
2026-04-16 13:12 ` [PATCH RFC bpf-next 3/7] selftests/bpf: Fix reg_bounds to prune on range violations Paul Chaignon
2026-04-16 19:08 ` sashiko-bot
2026-04-16 13:12 ` [PATCH RFC bpf-next 4/7] bpf: Improve 64bits bounds refinement from u32 bounds Paul Chaignon
2026-04-16 19:33 ` sashiko-bot
2026-04-16 13:12 ` [PATCH RFC bpf-next 5/7] bpf: Remove dead code from u32->*64 refinement logic Paul Chaignon
2026-04-16 13:13 ` [PATCH RFC bpf-next 6/7] selftests/bpf: Hardcode insteresting 32->64 refinement cases Paul Chaignon
2026-04-16 13:13 ` [PATCH RFC bpf-next 7/7] selftests/bpf: new cases handled by 32->64 range refinements Paul Chaignon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260416185320.2262BC2BCAF@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=paul.chaignon@gmail.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox