Re: [PATCH bpf 0/2] bpf: fork state when comparing sign crossing ranges with zero

BPF List
 help / color / mirror / Atom feed

From: "Emil Tsalapatis" <emil@etsalapatis.com>
To: "Ihor Solodrai" <ihor.solodrai@linux.dev>,
	"Eduard Zingerman" <eddyz87@gmail.com>, <bpf@vger.kernel.org>,
	<ast@kernel.org>, "Emil Tsalapatis" <emil@etsalapatis.com>
Cc: <andrii@kernel.org>, <daniel@iogearbox.net>,
	<martin.lau@linux.dev>, <kernel-team@fb.com>,
	<yonghong.song@linux.dev>, <zhuyifei@google.com>
Subject: Re: [PATCH bpf 0/2] bpf: fork state when comparing sign crossing ranges with zero
Date: Fri, 29 May 2026 19:53:08 -0400	[thread overview]
Message-ID: <DIVKCTZ3SFXS.X30XCLLTRMQS@etsalapatis.com> (raw)
In-Reply-To: <5c8e69ea-df49-4604-8431-56e1b478402c@linux.dev>

On Fri May 29, 2026 at 7:02 PM EDT, Ihor Solodrai wrote:
> On 5/29/26 3:44 PM, Eduard Zingerman wrote:
>> On Fri, 2026-05-29 at 01:13 -0700, Eduard Zingerman wrote:
>>> YiFei Zhu reported [1] the verifier regression after switch to cnum
>>> based scalars representation. When the following sequence of
>>> instructions is processed:
>>>
>>>     1: ... rX setup with [negative, positive] bounds ...
>>>     2: if rX == 0 goto ...
>>>     3: if rX > C  goto ...
>>>     4: ... code relying on rX being in range [1, C] ...
>>>
>>> The cnum-based implementation only infers that rX range is [0, C]
>>> at instruction (4). The pre-cnum signed/unsigned ranges based
>>> representation could always deduct from 'rX != 0' that
>>> umin bound is 1.
>>>
>>> This patch introduces a workaround forking the verifier state when a
>>> register with sign-crossing range is compared to zero.
>>>
>>> [1] https://lore.kernel.org/bpf/96c4a1aa4333d10b882a9b5093d2d982f9f106e3.camel@gmail.com/T/
>>>
>>> ---
>>> Eduard Zingerman (2):
>>>       bpf: fork state when comparing sign crossing ranges with zero
>>>       selftests/bpf: test fork on zero comparison with wrapping ranges
>>>
>>>  kernel/bpf/verifier.c                              | 71 ++++++++++++++++++++++
>>>  .../testing/selftests/bpf/progs/verifier_bounds.c  | 68 +++++++++++++++++++++
>>>  2 files changed, 139 insertions(+)
>>> ---
>>> base-commit: e42e53ae23b7d41df22ccd7788192bf578f24da2
>>> change-id: 20260529-cnum-split-at-zero-3c03db9234d3
>> 
>> I don't know why CI misses it:
>> 
>> https://github.com/kernel-patches/bpf/pull/12235
>> 
>> But I see two libarena tests failures with this series locally:
>> 
>> File                 Program                    Verdict  Duration (us)   Insns  States  Program size  Jited size
>> -------------------  -------------------------  -------  -------------  ------  ------  ------------  ----------
>> ...
>> libarena_asan.bpf.o  asan_test_buddy_oob        failure         879905  209739    4158          3931           0
>> ...
>> libarena_asan.bpf.o  test_buddy_alloc_multiple  failure         269851  110341    2774          3897           0
>> ...
>> -------------------  -------------------------  -------  -------------  ------  ------  ------------  ----------
>> 
>> Investigating.
>
> Hi everyone,
>
> Apparently libarena_asan tests are currently skipped on BPF CI,
> because they require clang 22 [1], which is not yet enabled there.
>
> I'll work on adding clang 22 to CI, but in the meanwhile please make
> sure to test libarena locally with clang 22 if your changes are relevant.
>
> [1] https://lore.kernel.org/bpf/20260426190338.4615-6-emil@etsalapatis.com/

We actually need Clang HEAD since that's the release with address
space-specific support, is it possible to add it to the CI instead of
22? Alternatively we would have to wait for the Clang 23 RC in July.

>
> cc: Emil

next prev parent reply	other threads:[~2026-05-29 23:53 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-29  8:13 [PATCH bpf 0/2] bpf: fork state when comparing sign crossing ranges with zero Eduard Zingerman
2026-05-29  8:13 ` [PATCH bpf 1/2] " Eduard Zingerman
2026-05-29  8:58   ` bot+bpf-ci
2026-05-29 18:22     ` Eduard Zingerman
2026-05-29  8:59   ` sashiko-bot
2026-05-29 18:23     ` Eduard Zingerman
2026-05-29 16:57   ` Emil Tsalapatis
2026-05-29  8:13 ` [PATCH bpf 2/2] selftests/bpf: test fork on zero comparison with wrapping ranges Eduard Zingerman
2026-05-29 17:03   ` Emil Tsalapatis
2026-05-29 22:44 ` [PATCH bpf 0/2] bpf: fork state when comparing sign crossing ranges with zero Eduard Zingerman
2026-05-29 23:02   ` Ihor Solodrai
2026-05-29 23:53     ` Emil Tsalapatis [this message]
2026-06-10 11:07       ` Shung-Hsi Yu
2026-05-30  0:23   ` Eduard Zingerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DIVKCTZ3SFXS.X30XCLLTRMQS@etsalapatis.com \
    --to=emil@etsalapatis.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=ihor.solodrai@linux.dev \
    --cc=kernel-team@fb.com \
    --cc=martin.lau@linux.dev \
    --cc=yonghong.song@linux.dev \
    --cc=zhuyifei@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox