From: Eduard Zingerman <eddyz87@gmail.com>
To: Harishankar Vishwanathan <harishankar.vishwanathan@gmail.com>,
bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Paul Chaignon <paul.chaignon@gmail.com>,
Shung-Hsi Yu <shung-hsi.yu@suse.com>,
Srinivas Narayana <srinivas.narayana@rutgers.edu>,
Santosh Nagarakatte <santosh.nagarakatte@rutgers.edu>
Subject: Re: [PATCH bpf-next 1/2] bpf/verifier: Use intersection checks when simulating to detect dead branches
Date: Wed, 15 Apr 2026 18:10:49 -0700 [thread overview]
Message-ID: <2ec3db2d2960d9c13577d630306f16873ebb53e5.camel@gmail.com> (raw)
In-Reply-To: <20260415160728.657270-2-harishankar.vishwanathan@gmail.com>
On Wed, 2026-04-15 at 12:07 -0400, Harishankar Vishwanathan wrote:
> This commit introduces checks to detect if the ranges and/or tnums have
> intersections between them, and uses the checks in
> simulate_both_branches_taken and reg_bounds_sync.
>
> The verifier is known to evolve the reg_states correctly (i.e. soundly)
> on a live branch. In a previous commit [1], we used the ill-formedness
> of a range (e.g. umin > umax), identified by range_bounds_violation, to
> detect dead branches and prune the branch along which the ill-formedness
> occurs.
>
> Another opportunity to prune branches is when the ranges and/or tnums
> have don't intersect. When the verifier evolves the reg_state along a
> dead branch, it is possible that abstract value in one domain (e.g tnum)
> doesn't match with the abstract value in the other domain (e.g. u64), so
> that there is no single value x, that is contained in both the abstract
> values.
>
> First, we introduce intersection checks for each of the 5 domains (for a
> total of 10 domain pairs), and wrap it in reg_bounds_intersect.
Hi Harishankar,
I thought some more on the topic if checks for all 10 domain pairs are
necessary and now have some doubts. Ideally, what one wants to check
is that there exist a value included in all 5 domains. Unfortunately,
it is too complicated to encode such a check, so the patch-set
approximates this doing pairwise intersections. Since we already are
talking about an approximation, it might be fine to do additional
simplifications.
For example, given the current implementations for
is_scalar_branch_taken(), regs_refine_cond_op(),
deduce_bounds_64_from_64() is it ever possible for u64 range not to
intersect with s64 range?
After spending some time with pen and paper for BPF_JLE operation I
suspect that it is not possible. I also encoded this as a small cbmc
test: https://github.com/eddyz87/intersection-check.
I suspect that same reasoning applies for other operations.
I'd suggest to drop the u32/s32 and u64/s64 checks, unless a counter
example can be found. I'm not sure about 64/32-bit checks.
Wdyt?
[...]
next prev parent reply other threads:[~2026-04-16 1:10 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-15 16:07 [PATCH bpf-next 0/2] Detect and prune dead branches using intersection checks Harishankar Vishwanathan
2026-04-15 16:07 ` [PATCH bpf-next 1/2] bpf/verifier: Use intersection checks when simulating to detect dead branches Harishankar Vishwanathan
2026-04-15 17:04 ` bot+bpf-ci
2026-04-15 19:02 ` Paul Chaignon
2026-04-16 1:10 ` Eduard Zingerman [this message]
2026-04-16 17:23 ` Eduard Zingerman
2026-04-16 23:13 ` Harishankar Vishwanathan
2026-04-16 23:33 ` Eduard Zingerman
2026-04-17 5:24 ` Eduard Zingerman
2026-04-17 5:34 ` Harishankar Vishwanathan
2026-04-17 21:17 ` Eduard Zingerman
2026-04-17 23:19 ` Eduard Zingerman
2026-04-18 0:38 ` Harishankar Vishwanathan
2026-04-18 0:45 ` Eduard Zingerman
2026-04-18 0:22 ` Harishankar Vishwanathan
2026-04-15 16:07 ` [PATCH bpf-next 2/2] selftests/bpf: Test for empty intersection of tnum and u64 Harishankar Vishwanathan
2026-04-15 18:29 ` sashiko-bot
2026-04-16 17:51 ` Paul Chaignon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2ec3db2d2960d9c13577d630306f16873ebb53e5.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=harishankar.vishwanathan@gmail.com \
--cc=paul.chaignon@gmail.com \
--cc=santosh.nagarakatte@rutgers.edu \
--cc=shung-hsi.yu@suse.com \
--cc=srinivas.narayana@rutgers.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox