Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp5679838rdb; Wed, 13 Dec 2023 16:37:00 -0800 (PST) X-Google-Smtp-Source: AGHT+IHbxtbjEUQOPabfH0yXFjW/8WJA2WmDlM06WP1SXmMpi2N32zLxJ+lIOnrcvX9FJlcrRUoC X-Received: by 2002:a05:6a20:7f9b:b0:18f:97c:8a3b with SMTP id d27-20020a056a207f9b00b0018f097c8a3bmr12691045pzj.102.1702514219868; Wed, 13 Dec 2023 16:36:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702514219; cv=none; d=google.com; s=arc-20160816; b=Bw0I9daGpMeMUYymcRfxIdVlnL/L0yepJwlNzPr3FOcnxzIB+gHP1MD30EXfQcltuJ uNBgU5SbhGq94glYNHt3KT32v2OoZKRPlIWGpUK4IzpAyxm742bTXvHkwK3w0lBz6lXV GukjoYaR0/PrTLOMizs8u/KI0xqcLiU9WI3fA3ydjcyMsbCyrcMTK8gxVY43BWHNkUV3 XrHXjBvSbSDIYYuCvAPU90WIcoUWEA88uq1rfQI+K8gEbX8t2G1y5sKR8tXbeB5/qO7q LS+Oh/yyKbyBfR0oRFKijntgbqKHVNb8eUYExGeFtWDBU5aAmsXUxyOr3fLkgG6kcgjd 0FTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=Q4/cg7NnZrD+0jLGfKo4qZyvj9UTKzYk6re95esi4sQ=; fh=+5nJfjRptkU8d6mYqvrmb6Gl5Exe0+ViAW2+u6aLzhQ=; b=bz+JsOe7NK9kfk1tGngVmOWyiwcaMAyulDXxkIOO5rjeDCep1YXNwqe+4B0SqGrFPb sQwEZwZATnVEPb7X5ZCvDKub57WWz1+jX1FwICq02FYOt5BmR4bDk2EYYdboZN0bM5hu Bz6DjuXtIUEpvilTdzRbAUBQw/93gdxU85QHJ7/SsTABlBQEdDFzhIR/yyH3Rp5NK249 xOLoXc2KmNy+9u/YtKEcsyvjaCPKRHeWJijEkVVA967Ppze6r0VH2d2JZrOD8plaW6FP oGGyESemuHPH5HVX09FrVBEPU3mbOCFhQE+BTYmmJ0Kadg4myns9S4AKabSafAKruJQS D/OA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=mijrqFO3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id p8-20020a170903248800b001d0c906f613si10062304plw.492.2023.12.13.16.36.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Dec 2023 16:36:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=mijrqFO3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 5DFFA802EEE1; Wed, 13 Dec 2023 16:36:57 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234109AbjLNAgn (ORCPT + 99 others); Wed, 13 Dec 2023 19:36:43 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54136 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229739AbjLNAgm (ORCPT ); Wed, 13 Dec 2023 19:36:42 -0500 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5804EB0; Wed, 13 Dec 2023 16:36:48 -0800 (PST) Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-9fa2714e828so981414566b.1; Wed, 13 Dec 2023 16:36:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702514207; x=1703119007; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Q4/cg7NnZrD+0jLGfKo4qZyvj9UTKzYk6re95esi4sQ=; b=mijrqFO3EoJa4IVWofcrrhjWCFUt9OGmzUo56B7MnJ9i5xFIUw1Hc3LKWhUP2BCdn6 q2XjUKG5cZ4Xy5NwIBdr+jvEtWry82okM0Rfo1loIBwcwGMASb5Xvnd0NKKuBr/MmVx0 XKY8V3UXg6vf9WCJxTxJN19w7xUAG8znlmvy8SvD+WCu1ckcU33VPlc+vN1s8Spk760N aq9mQj4/rY5EfcqaEUOP1L0LIuzvkHq33O6cVbG6WTnIBsIk/c4inisZDUUILDhlcRYu 3j8I5dBbAfn5WPgvm/RMnV+SzAZ5102OMayy8JqQWdw2HwCsALsdonm1Ef1QEKb/+t6P jJpQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702514207; x=1703119007; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Q4/cg7NnZrD+0jLGfKo4qZyvj9UTKzYk6re95esi4sQ=; b=ijuV25tRujZSnBJkvsCudQCO9XymD8hv0sUypfAeWlxsAo/71ngS8NSXr1F8TSa2NF YDG6is17naVrNkxcwT8J0tZE58Xs//bppwtWa7c3Zl8UKYEfFP22RtMJokh//8msKS5N KkNryYI5N2CaLXdFRTROXDGEGn/C2eciiC3AYgRVGCTU+fV+TbacFCtO/iIIShtWpkT1 1QJRWdGCjzUWVZoWKWqzVAuNeVmzl9f0Okkpm81+A8g2czfSR+S1OrIuWKg0S43aKOd0 yrScrMyfXJ9IPIMqqQOS8ricAgDN7nz0qe/PVfFsXFUCinNG6SXh8iCJcMvckMo/l/VW oUKw== X-Gm-Message-State: AOJu0Yzchyako1OcgkYiUmgoyCIUFypxQ8gTKBkn3XfU8tCaUVdxnsAi NlVRYQ9dywDl2dePYTTTE28WWpyuafkA4pwKwxo= X-Received: by 2002:a17:906:82:b0:a1f:99e1:8a61 with SMTP id 2-20020a170906008200b00a1f99e18a61mr2845709ejc.24.1702514206384; Wed, 13 Dec 2023 16:36:46 -0800 (PST) MIME-Version: 1.0 References: <35be3c5f29ee0e9a49ed29e71044f0ad25d97d9d.camel@gmail.com> In-Reply-To: <35be3c5f29ee0e9a49ed29e71044f0ad25d97d9d.camel@gmail.com> From: Andrii Nakryiko Date: Wed, 13 Dec 2023 16:36:33 -0800 Message-ID: Subject: Re: [Bug Report] bpf: incorrectly pruning runtime execution path To: Eduard Zingerman Cc: Hao Sun , Alexei Starovoitov , Andrii Nakryiko , Daniel Borkmann , bpf , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Wed, 13 Dec 2023 16:36:57 -0800 (PST) On Wed, Dec 13, 2023 at 4:08=E2=80=AFPM Eduard Zingerman wrote: > > On Wed, 2023-12-13 at 15:30 -0800, Andrii Nakryiko wrote: > [...] > > Yes, thanks, the execution trace above was helpful. Let's try to > > minimize the example here, I'll keep original instruction indices, > > though: > > > > 23: (bf) r5 =3D r8 ; here we link r5 and r8 togeth= er > > 26: (7e) if w8 s>=3D w0 goto pc+5 ; here it's not always/never > > taken, so w8 and w0 remain imprecise > > 28: (0f) r8 +=3D r8 ; here link between r8 and r5 i= s broken > > 29: (d6) if w5 s<=3D 0x1d goto pc+2 ; here we know value of w5 and > > so it's always/never taken, r5 is marked precise > > > > Now, if we look at r5's precision log at this instruction: > > > > 29: (d6) if w5 s<=3D 0x1d goto pc+2 > > mark_precise: frame0: last_idx 29 first_idx 26 subseq_idx -1 > > mark_precise: frame0: regs=3Dr5 stack=3D before 28: (0f) r8 +=3D r8 > > mark_precise: frame0: regs=3Dr5 stack=3D before 27: (4f) r8 |=3D r8 > > mark_precise: frame0: regs=3Dr5 stack=3D before 26: (7e) if w8 s>=3D w0= goto pc+5 > > Sorry, maybe it's time for me to get some sleep, but I don't see an > issue here. The "before" log is printed by backtrack_insn() before > instruction is backtracked. So the following: > > > mark_precise: frame0: regs=3Dr5 stack=3D before 26: (7e) if w8 s>=3D w0= goto pc+5 > > Is a state of backtracker before "if w8 s>=3D w0 ..." is processed. > But running the test case I've shared wider precision trace for > this instruction looks as follows: > > 26: (7e) if w8 s>=3D w0 goto pc+5 ; R0=3Dscalar(smin=3Dsmin32=3D0= ,smax=3Dumax=3Dsmax32=3Dumax32=3D2,var_off=3D(0x0; 0x3)) > R8=3Dscalar(id=3D2,smax32=3D1) > 27: (4f) r8 |=3D r8 ; R8_w=3Dscalar() > 28: (0f) r8 +=3D r8 ; R8_w=3Dscalar() > 29: (d6) if w5 s<=3D 0x1d goto pc+2 > mark_precise: frame0: last_idx 29 first_idx 26 subseq_idx -1 > mark_precise: frame0: regs=3Dr5 stack=3D before 28: (0f) r8 +=3D r8 What if we had a checkpoint here and not have a checkpoint at conditional jump instruction? The general point is that the checkpoint has information about linked registers at the very end of the instruction span that it represents, but any intermediate changes will be lost. It's a similar issue to stack access tracking. At some point we know that r3 is actually fp-8, but we will lose it by the time we actually get to the checkpoint. Yet this information is important in the context of some instruction before the checkpoint. I might be missing something as well, my brain is fried from all these verifier issues. > mark_precise: frame0: regs=3Dr5 stack=3D before 27: (4f) r8 |=3D r8 > mark_precise: frame0: regs=3Dr5 stack=3D before 26: (7e) if w8 s>=3D w0= goto pc+5 > mark_precise: frame0: parent state regs=3Dr5 stack=3D: > R0_rw=3Dscalar(smin=3Dsmin32=3D0,smax=3Dumax=3Dsmax32=3Dumax32=3D2,v= ar_off=3D(0x0; 0x3)) > R2_w=3D4 > R3_w=3D0x1f00000034 > R4_w=3Dscalar(smin=3D0,smax=3Dumax=3D0x3fffffffc,smax32=3D0x7ffffffc= ,umax32=3D0xfffffffc, > var_off=3D(0x0; 0x3fffffffc)) > R5_rw=3DPscalar(id=3D2) > R8_rw=3Dscalar(id=3D2) R10=3Dfp0 > mark_precise: frame0: last_idx 24 first_idx 11 subseq_idx 26 would this all work if we didn't have a checkpoint here? > mark_precise: frame0: regs=3Dr5,r8 stack=3D before 24: (18) r2 =3D 0x4 = <------ !!! > mark_precise: frame0: regs=3Dr5,r8 stack=3D before 23: (bf) r5 =3D r8 > mark_precise: frame0: regs=3Dr8 stack=3D before 22: (67) r4 <<=3D 2 > ... > > Note, that right after "if w8 s>=3D w0 goto pc+5" is processed the > backtracker state is: > > mark_precise: frame0: regs=3Dr5,r8 stack=3D before 24: (18) r2 =3D 0x4 > > So both r5 and r8 are accounted for. > > > Note how at this instruction r5 and r8 *WERE* linked together, but we > > already lost this information for backtracking. So we don't mark w8 as > > precise. That's one part of the problem. > > > > The second part is that even if we knew that w8/r8 is precise, should > > we mark w0/r0 as precise? I actually need to think about this some > > more. Right now for conditional jumps we eagerly mark precision for > > both registers only in always/never taken scenarios. > > > > For now just narrowing down the issue, as I'm sure not many people > > followed all the above stuff carefully. > > > > > > P.S. For solving tracking of linked registers we can probably utilize > > instruction history, though technically they can be spread across > > multiple frames, between registers and stack slots, so that's a bit > > tricky. > > For precision back-propagation we currently rely on id values stored > in the parent state, when moving up from child to parent boundary. Everything might be good with linked IDs. But there is a real issue here, let's find what it is.