Re: [PATCH bpf 0/2] bpf: fork state when comparing sign crossing ranges with zero

BPF List
 help / color / mirror / Atom feed

From: Ihor Solodrai <ihor.solodrai@linux.dev>
To: Eduard Zingerman <eddyz87@gmail.com>,
	bpf@vger.kernel.org, ast@kernel.org,
	Emil Tsalapatis <emil@etsalapatis.com>
Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev,
	kernel-team@fb.com, yonghong.song@linux.dev, zhuyifei@google.com
Subject: Re: [PATCH bpf 0/2] bpf: fork state when comparing sign crossing ranges with zero
Date: Fri, 29 May 2026 16:02:10 -0700	[thread overview]
Message-ID: <5c8e69ea-df49-4604-8431-56e1b478402c@linux.dev> (raw)
In-Reply-To: <14c9e9e95a07b6de94a142394c69b81d6587998b.camel@gmail.com>

On 5/29/26 3:44 PM, Eduard Zingerman wrote:
> On Fri, 2026-05-29 at 01:13 -0700, Eduard Zingerman wrote:
>> YiFei Zhu reported [1] the verifier regression after switch to cnum
>> based scalars representation. When the following sequence of
>> instructions is processed:
>>
>>     1: ... rX setup with [negative, positive] bounds ...
>>     2: if rX == 0 goto ...
>>     3: if rX > C  goto ...
>>     4: ... code relying on rX being in range [1, C] ...
>>
>> The cnum-based implementation only infers that rX range is [0, C]
>> at instruction (4). The pre-cnum signed/unsigned ranges based
>> representation could always deduct from 'rX != 0' that
>> umin bound is 1.
>>
>> This patch introduces a workaround forking the verifier state when a
>> register with sign-crossing range is compared to zero.
>>
>> [1] https://lore.kernel.org/bpf/96c4a1aa4333d10b882a9b5093d2d982f9f106e3.camel@gmail.com/T/
>>
>> ---
>> Eduard Zingerman (2):
>>       bpf: fork state when comparing sign crossing ranges with zero
>>       selftests/bpf: test fork on zero comparison with wrapping ranges
>>
>>  kernel/bpf/verifier.c                              | 71 ++++++++++++++++++++++
>>  .../testing/selftests/bpf/progs/verifier_bounds.c  | 68 +++++++++++++++++++++
>>  2 files changed, 139 insertions(+)
>> ---
>> base-commit: e42e53ae23b7d41df22ccd7788192bf578f24da2
>> change-id: 20260529-cnum-split-at-zero-3c03db9234d3
> 
> I don't know why CI misses it:
> 
> https://github.com/kernel-patches/bpf/pull/12235
> 
> But I see two libarena tests failures with this series locally:
> 
> File                 Program                    Verdict  Duration (us)   Insns  States  Program size  Jited size
> -------------------  -------------------------  -------  -------------  ------  ------  ------------  ----------
> ...
> libarena_asan.bpf.o  asan_test_buddy_oob        failure         879905  209739    4158          3931           0
> ...
> libarena_asan.bpf.o  test_buddy_alloc_multiple  failure         269851  110341    2774          3897           0
> ...
> -------------------  -------------------------  -------  -------------  ------  ------  ------------  ----------
> 
> Investigating.

Hi everyone,

Apparently libarena_asan tests are currently skipped on BPF CI,
because they require clang 22 [1], which is not yet enabled there.

I'll work on adding clang 22 to CI, but in the meanwhile please make
sure to test libarena locally with clang 22 if your changes are relevant.

[1] https://lore.kernel.org/bpf/20260426190338.4615-6-emil@etsalapatis.com/

cc: Emil

next prev parent reply	other threads:[~2026-05-29 23:02 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-29  8:13 [PATCH bpf 0/2] bpf: fork state when comparing sign crossing ranges with zero Eduard Zingerman
2026-05-29  8:13 ` [PATCH bpf 1/2] " Eduard Zingerman
2026-05-29  8:58   ` bot+bpf-ci
2026-05-29 18:22     ` Eduard Zingerman
2026-05-29  8:59   ` sashiko-bot
2026-05-29 18:23     ` Eduard Zingerman
2026-05-29 16:57   ` Emil Tsalapatis
2026-05-29  8:13 ` [PATCH bpf 2/2] selftests/bpf: test fork on zero comparison with wrapping ranges Eduard Zingerman
2026-05-29 17:03   ` Emil Tsalapatis
2026-05-29 22:44 ` [PATCH bpf 0/2] bpf: fork state when comparing sign crossing ranges with zero Eduard Zingerman
2026-05-29 23:02   ` Ihor Solodrai [this message]
2026-05-29 23:53     ` Emil Tsalapatis
2026-06-10 11:07       ` Shung-Hsi Yu
2026-05-30  0:23   ` Eduard Zingerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5c8e69ea-df49-4604-8431-56e1b478402c@linux.dev \
    --to=ihor.solodrai@linux.dev \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=emil@etsalapatis.com \
    --cc=kernel-team@fb.com \
    --cc=martin.lau@linux.dev \
    --cc=yonghong.song@linux.dev \
    --cc=zhuyifei@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox