From: sashiko-bot@kernel.org
To: "Paul Chaignon" <paul.chaignon@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH RFC bpf-next 4/7] bpf: Improve 64bits bounds refinement from u32 bounds
Date: Thu, 16 Apr 2026 19:33:24 +0000 [thread overview]
Message-ID: <20260416193325.2ED9DC2BCAF@smtp.kernel.org> (raw)
In-Reply-To: <b2a0346a5b0818008503b721c62621918d84ad0a.1776344897.git.paul.chaignon@gmail.com>
Sashiko AI review found 1 potential issue(s):
- [Medium] The test framework simulator `prog_tests/reg_bounds.c` introduces unconditional early returns, preventing simultaneous refinement of boundaries and causing divergence from the verifier.
--
commit 12b1f0ea2a161fbaa54af860eb0602fc32004fbd
Author: Paul Chaignon <paul.chaignon@gmail.com>
bpf: Improve 64bits bounds refinement from u32 bounds
This commit improves the refinement of 64-bit bounds from u32 bounds in the
BPF verifier, tightening the umin64/umax64 and smin64/smax64 values when
their lower 32 bits fall outside the known u32 range. It also updates the
selftests bounding simulator to match this logic.
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 1d5d2b7e5140b..bcf8a38a4d720 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
[ ... ]
> @@ -2273,17 +2273,51 @@ static void deduce_bounds_64_from_32(struct bpf_reg_state *reg)
[ ... ]
> + umin_32lower = reg->umin_value & 0xffffffffULL;
> + if (umin_32lower < reg->u32_min_value || umin_32lower > reg->u32_max_value) {
> + new_umin = (reg->umin_value & ~0xffffffffULL) | reg->u32_min_value;
[ ... ]
> + reg->umin_value = new_umin;
> + }
> + umax_32lower = reg->umax_value & 0xffffffffULL;
> + if (umax_32lower < reg->u32_min_value || umax_32lower > reg->u32_max_value) {
> + new_umax = (reg->umax_value & ~0xffffffffULL) | reg->u32_max_value;
[ ... ]
> + reg->umax_value = new_umax;
> + }
[ ... ]
> diff --git a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
> index c0b3a357a0f4c..d38550fc16240 100644
> --- a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
> +++ b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
[ ... ]
> @@ -518,8 +518,8 @@ static struct range range_refine(enum num_t x_t, struct range x, enum num_t y_t,
> */
> if (xmin_swap < x.a)
> xmin_swap += 0x100000000;
> - if (xmin_swap == x.b)
> - return range(x_t, x.b, x.b);
> + if (xmin_swap != x.a)
> + return range(x_t, xmin_swap, x.b);
> } else if (xmax_lower32 < y.a || xmax_lower32 > y.b) {
> /* Same for the umax64, but we want to *decrease*
> * umax64 to the *maximum* value that matches the u32
> @@ -528,8 +528,8 @@ static struct range range_refine(enum num_t x_t, struct range x, enum num_t y_t,
> xmax_swap = swap_low32(x.b, y.b);
> if (xmax_swap > x.b)
> xmax_swap -= 0x100000000;
> - if (xmax_swap == x.a)
> - return range(x_t, x.a, x.a);
> + if (xmax_swap != x.b)
> + return range(x_t, x.a, xmax_swap);
> }
> }
Since the actual verifier logic in deduce_bounds_64_from_32() evaluates and
updates umin and umax sequentially, should the simulation logic here allow
both bounds to be refined simultaneously?
By using an "else if" and immediately returning when the lower bound is
refined, won't the simulator skip upper bound refinement entirely and produce
looser expected bounds than the verifier's actual output?
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1776344897.git.paul.chaignon@gmail.com?part=4
next prev parent reply other threads:[~2026-04-16 19:33 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-16 13:09 [PATCH RFC bpf-next 0/7] bpf: Fix reg_bounds' slow mode and improve verifier refinement Paul Chaignon
2026-04-16 13:11 ` [PATCH RFC bpf-next 1/7] bpf/verifier: Use intersection checks when simulating to detect dead branches Paul Chaignon
2026-04-16 14:03 ` bot+bpf-ci
2026-04-16 18:39 ` sashiko-bot
2026-04-16 13:12 ` [PATCH RFC bpf-next 2/7] selftests/bpf: Test for empty intersection of tnum and u64 Paul Chaignon
2026-04-16 14:03 ` bot+bpf-ci
2026-04-16 18:53 ` sashiko-bot
2026-04-16 13:12 ` [PATCH RFC bpf-next 3/7] selftests/bpf: Fix reg_bounds to prune on range violations Paul Chaignon
2026-04-16 19:08 ` sashiko-bot
2026-04-16 13:12 ` [PATCH RFC bpf-next 4/7] bpf: Improve 64bits bounds refinement from u32 bounds Paul Chaignon
2026-04-16 19:33 ` sashiko-bot [this message]
2026-04-16 13:12 ` [PATCH RFC bpf-next 5/7] bpf: Remove dead code from u32->*64 refinement logic Paul Chaignon
2026-04-16 13:13 ` [PATCH RFC bpf-next 6/7] selftests/bpf: Hardcode insteresting 32->64 refinement cases Paul Chaignon
2026-04-16 13:13 ` [PATCH RFC bpf-next 7/7] selftests/bpf: new cases handled by 32->64 range refinements Paul Chaignon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260416193325.2ED9DC2BCAF@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=paul.chaignon@gmail.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox