From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Zhenzhong Wu <jt26wzz@gmail.com>,
bpf@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, ast@kernel.org,
daniel@iogearbox.net, john.fastabend@gmail.com,
andrii@kernel.org, martin.lau@linux.dev, song@kernel.org,
yonghong.song@linux.dev, kpsingh@kernel.org, haoluo@google.com,
jolsa@kernel.org, menglong8.dong@gmail.com, eddyz87@gmail.com,
stable@vger.kernel.org, mykolal@fb.com, tamird@kernel.org
Subject: Re: [PATCH bpf-next] selftests/bpf: add helper retval linked scalar pruning selftest
Date: Fri, 12 Jun 2026 18:18:39 +0800 [thread overview]
Message-ID: <aivZ9jYGw6QRxLQQ@u94a> (raw)
In-Reply-To: <DJ6DMGTPWXJN.1YKSBHULQ1PB9@gmail.com>
On Thu, Jun 11, 2026 at 09:55:55AM -0700, Alexei Starovoitov wrote:
> On Thu Jun 11, 2026 at 9:07 AM PDT, Zhenzhong Wu wrote:
> > Add a verifier runtime test for a branch pattern where a helper return
> > value and a related scalar stay live across the same control-flow
> > sequence. Rust/Aya-generated eBPF can naturally produce this shape when
> > a match on a helper status keeps data derived before the helper call
> > live across the same branches. Such code commonly uses the helper return
> > value in r0, where 0 means success, producing an r0 == 0 / r0 != 0
> > branch shape.
[...]
> > +SEC("tc")
> > +__description("helper retval linked scalar pruning")
> > +__success __retval(0)
> > +__naked void helper_retval_linked_scalar_pruning(void)
> > +{
> > + asm volatile (
> > + "r7 = *(u32 *)(r1 + %[__sk_buff_data_end]);"
> > + "r5 = *(u32 *)(r1 + %[__sk_buff_data]);"
> > + "r7 -= r5;"
> > + "r2 = 0;"
> > + "r3 = r10;"
> > + "r3 += -8;"
> > + "r4 = 1;"
> > + "call %[bpf_skb_load_bytes];"
> > + "r0 += 1;"
> > + "r6 = 1;"
> > + /* success path keeps r7 independent; failure path links r7 to r0. */
> > + "if r0 == 1 goto l0_%=;"
>
> this exercises linked registers with BPF_ADD_CONST logic.
> We already have such tests. Why do we need this one?
> How is it different?
BPF_ADD_CONST wasn't what was meant to be tested.
The main logic is r7.id == r0.id only happens on "if r0 == 1 goto l0_%="
fall through, and does not have such link otherwise. I only check tests
added in commit c0087d59e504 ("selftests/bpf: tests for per-insn
sync_linked_regs() precision tracking"), but it doesn't seem like such
conditional linking was tested.
The other rational is that this seem like a common pattern that is
genereated from Rust-based BPF program.
> > + /* success path keeps r7 independent; failure path links r7 to r0. */
> > + "if r0 == 1 goto l0_%=;"
> > + "r7 = r0;"
^^^^^^^ conditional scalar linking
> > +"l0_%=: if r0 != 1 goto l1_%=;"
> > + "r7 <<= 32;"
> > + "r7 >>= 32;"
> > + "if r7 != %[test_data_len] goto l1_%=;"
> > + "r0 = 0;"
> > + "exit;"
> > +"l1_%=: r0 = r6;"
> > + "exit;"
> > + :
> > + : __imm(bpf_skb_load_bytes),
> > + __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)),
> > + __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)),
> > + __imm_const(test_data_len, TEST_DATA_LEN)
> > + : __clobber_all);
> > +}
[...]
next prev parent reply other threads:[~2026-06-12 10:18 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 16:07 [PATCH bpf-next] selftests/bpf: add helper retval linked scalar pruning selftest Zhenzhong Wu
2026-06-11 16:55 ` Alexei Starovoitov
2026-06-12 10:18 ` Shung-Hsi Yu [this message]
2026-06-11 16:58 ` bot+bpf-ci
2026-06-12 6:32 ` Zhenzhong Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aivZ9jYGw6QRxLQQ@u94a \
--to=shung-hsi.yu@suse.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=jt26wzz@gmail.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=menglong8.dong@gmail.com \
--cc=mykolal@fb.com \
--cc=netdev@vger.kernel.org \
--cc=song@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tamird@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox