Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp7268531rdb;
        Wed, 3 Jan 2024 09:52:35 -0800 (PST)
X-Google-Smtp-Source: AGHT+IEL21hb5e4m335fv9iipeuv9EhXdaljYQm19+wJe5dO4ulcPWBvhAQQu171cA+Zav2MW2oX
X-Received: by 2002:a05:6a20:6a13:b0:198:fb49:bed3 with SMTP id p19-20020a056a206a1300b00198fb49bed3mr585195pzk.2.1704304355600;
        Wed, 03 Jan 2024 09:52:35 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1704304355; cv=none;
        d=google.com; s=arc-20160816;
        b=mHBLU8JyLnxE2RE8DAbreOsFgE+Z1+wkGD54jmyZV497ZCm0G/5mU/H61Czg2ef3ub
         EQ1MPPmGHAuTWrHmfsErLO2IJyd8qA47WSgFUttztpQUN0SyZCeCi9VHX8Um4I908wXd
         JRisswod+yU9bNp19CqtQeOZ826ro6s8Vi1EkibhmWToODRAGK3MkuR8Pyr0VJIuj5y8
         aAmQ7PIRgcDn9SxtrW7bDou9rLK3edDCECJrSr2nn/g1G4+4/0JtSsveih7xcRGsMOrw
         vH/TYxP1DlhoLlh1UisJXaX9qeQmkZctKvNWEgWx222udUm49Sh8JXL1MOz7hmIpaLDN
         hqZw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:subject:references:in-reply-to
         :message-id:cc:to:from:date:dkim-signature;
        bh=c1u+y8thQpwuQt5r3QOSdLTyH/3CCtpM+csiirjZfe8=;
        fh=YFlt4lhmopQWRzAmblzhrNxhjGVT2q6QxlsBqrXHloU=;
        b=zLpQeGlCg3O5Ed0kH7Pd2/HToGJAC5DS2BFajRR29E3FS9WrbV0NcP7RuUpdBmoKa1
         jD3jbqTsX5YRlSl0lNzQLZtpsy3EushX0sdQyghQWbgvhTV3nxI8o3EX5iJ015LruEEF
         qKlDmKmsOZkUJVRtKs+1astIAaxlaiBzW7/57BqfURURXXAERakSqrBqPzp+wM4K9dVI
         tFBPAHZnt6rV93uSlYzn3qrEAmzHMittt/JH7/01T+fZBWyHOAijOm7mz48PB1L4z6CR
         pcHLZh6k0f+b4JS41b0ZAqPTEdE7sw9IkxaErZMVc1X20S4D3Hyq5x/+Wr6IS7/RpHxb
         NREQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=RJBpSxEA;
       spf=pass (google.com: domain of linux-kernel+bounces-15822-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-15822-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel+bounces-15822-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id b2-20020a655cc2000000b005cd8f461cf1si21222965pgt.515.2024.01.03.09.52.35
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 03 Jan 2024 09:52:35 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-15822-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=RJBpSxEA;
       spf=pass (google.com: domain of linux-kernel+bounces-15822-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-15822-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 3F028286B39
	for <linux.lists.archive@gmail.com>; Wed,  3 Jan 2024 17:52:35 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id B61D11C2BB;
	Wed,  3 Jan 2024 17:52:22 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="RJBpSxEA"
X-Original-To: linux-kernel@vger.kernel.org
Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 97A911C680;
	Wed,  3 Jan 2024 17:52:20 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1d3f3ee00a2so40042935ad.3;
        Wed, 03 Jan 2024 09:52:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1704304340; x=1704909140; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:subject:references
         :in-reply-to:message-id:cc:to:from:date:from:to:cc:subject:date
         :message-id:reply-to;
        bh=c1u+y8thQpwuQt5r3QOSdLTyH/3CCtpM+csiirjZfe8=;
        b=RJBpSxEAwP7g/gMhc8FryRXDTGR3Ay9QT0Et9M9Rn6g7wTpKLAvTGYWFn+LjzLinBz
         9RK3/C27suYj1Ir0G9/hnEaymjrHwqaEZ63I2FGgjvz6a3/wVryzO7+jFjpjGGvZK23C
         zWgrsRrVgMojtnM2By9KE7tsD5ClO3pTCHYIVmDbf+ewPDbYe8GOQM46uwIqn9oROpX8
         5MgOaheFc6cyTkovmnGMrgdNwX2Ox9ZFuRGUG9hOs9U/X5LQaA6d+OmbbCvw/upM9TC7
         8caClk6nBaksf4XYTKQj+bJOOYzQUEdUQm72eQn8l2dfyE0Une4or7O0NsqiQ+Ig08Gi
         VvsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1704304340; x=1704909140;
        h=content-transfer-encoding:mime-version:subject:references
         :in-reply-to:message-id:cc:to:from:date:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=c1u+y8thQpwuQt5r3QOSdLTyH/3CCtpM+csiirjZfe8=;
        b=AThDDugukD92LawujO9Pu3bwvWyh7d9QoYEOEVRbtM8B5lgWHAkZvYtx3cse+Q/SUy
         8pu6pF8V41CXqtF08wY89VL1S29u1KxPRoWklCqn37qogWFmjAj58b30JD4NlF1YNGLo
         OVxZtSOMK6q0Jwlqe73qBVyyIwniZ51WIpwSAO8DMzB0Ra3enCV2SDb4mN8o4z5bx+4J
         HIR5zIUq5tyijqEGzdP3OA4tEAAqUqjDVUEmkxdW6av55+M5526WlR6GGki7yLf+YwG2
         tRrDjQq3BshoeF0ApmPsJmuVpDjL4Y4YVLodE9ppeyynCmj0Nq0GdOY9V0471PluYTNk
         IVDw==
X-Gm-Message-State: AOJu0YxMHuXdl6kVBfJO3/ErRHAmzG3uD6/JsdDvZeryAhbnDS43KfM/
	gDUaOppJAjq5+A9hBAneH2w=
X-Received: by 2002:a17:902:d545:b0:1d4:a81b:9cc with SMTP id z5-20020a170902d54500b001d4a81b09ccmr4067078plf.90.1704304339755;
        Wed, 03 Jan 2024 09:52:19 -0800 (PST)
Received: from localhost ([98.97.37.198])
        by smtp.gmail.com with ESMTPSA id z21-20020a1709028f9500b001d46d9953a3sm15702643plo.241.2024.01.03.09.52.18
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 03 Jan 2024 09:52:18 -0800 (PST)
Date: Wed, 03 Jan 2024 09:52:17 -0800
From: John Fastabend <john.fastabend@gmail.com>
To: Barret Rhoden <brho@google.com>, 
 Andrii Nakryiko <andrii@kernel.org>, 
 Alexei Starovoitov <ast@kernel.org>, 
 Daniel Borkmann <daniel@iogearbox.net>, 
 Song Liu <song@kernel.org>, 
 Yonghong Song <yonghong.song@linux.dev>
Cc: mattbobrowski@google.com, 
 bpf@vger.kernel.org, 
 linux-kernel@vger.kernel.org
Message-ID: <65959ed1b9e86_2384720818@john.notmuch>
In-Reply-To: <20240103153307.553838-3-brho@google.com>
References: <20240103153307.553838-1-brho@google.com>
 <20240103153307.553838-3-brho@google.com>
Subject: RE: [PATCH bpf-next 2/2] selftests/bpf: add inline assembly helpers
 to access array elements
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: 7bit

Barret Rhoden wrote:
> When accessing an array, even if you insert your own bounds check,
> sometimes the compiler will remove the check, or modify it such that the
> verifier no longer knows your access is within bounds.
> 
> The compiler is even free to make a copy of a register, check the copy,
> and use the original to access the array.  The verifier knows the *copy*
> is within bounds, but not the original register!
> 
> Signed-off-by: Barret Rhoden <brho@google.com>
> ---
>  tools/testing/selftests/bpf/Makefile          |   2 +-
>  .../bpf/prog_tests/test_array_elem.c          | 112 ++++++++++
>  .../selftests/bpf/progs/array_elem_test.c     | 195 ++++++++++++++++++
>  tools/testing/selftests/bpf/progs/bpf_misc.h  |  43 ++++
>  4 files changed, 351 insertions(+), 1 deletion(-)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/test_array_elem.c
>  create mode 100644 tools/testing/selftests/bpf/progs/array_elem_test.c
> 
> diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
> index 617ae55c3bb5..651d4663cc78 100644
> --- a/tools/testing/selftests/bpf/Makefile
> +++ b/tools/testing/selftests/bpf/Makefile
> @@ -34,7 +34,7 @@ LIBELF_CFLAGS	:= $(shell $(PKG_CONFIG) libelf --cflags 2>/dev/null)
>  LIBELF_LIBS	:= $(shell $(PKG_CONFIG) libelf --libs 2>/dev/null || echo -lelf)
>  
>  CFLAGS += -g $(OPT_FLAGS) -rdynamic					\
> -	  -Wall -Werror 						\
> +	  -dicks -Wall -Werror 						\
>  	  $(GENFLAGS) $(SAN_CFLAGS) $(LIBELF_CFLAGS)			\
>  	  -I$(CURDIR) -I$(INCLUDE_DIR) -I$(GENDIR) -I$(LIBDIR)		\
>  	  -I$(TOOLSINCDIR) -I$(APIDIR) -I$(OUTPUT)
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_array_elem.c b/tools/testing/selftests/bpf/prog_tests/test_array_elem.c
> new file mode 100644
> index 000000000000..c953636f07c9
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/test_array_elem.c
> @@ -0,0 +1,112 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2024 Google LLC. */
> +#include <test_progs.h>
> +#include "array_elem_test.skel.h"
> +
> +#define NR_MAP_ELEMS 100

[...]

> diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
> index 2fd59970c43a..002bab44cde2 100644
> --- a/tools/testing/selftests/bpf/progs/bpf_misc.h
> +++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
> @@ -135,4 +135,47 @@
>  /* make it look to compiler like value is read and written */
>  #define __sink(expr) asm volatile("" : "+g"(expr))
>  
> +/*
> + * Access an array element within a bound, such that the verifier knows the
> + * access is safe.
> + *
> + * This macro asm is the equivalent of:
> + *
> + *	if (!arr)
> + *		return NULL;
> + *	if (idx >= arr_sz)
> + *		return NULL;
> + *	return &arr[idx];
> + *
> + * The index (___idx below) needs to be a u64, at least for certain versions of
> + * the BPF ISA, since there aren't u32 conditional jumps.
> + */

This is nice, but in practice what we've been doing is making
our maps power of 2 and then just masking them as needed. I think
this is more efficient if you care about performance.

FWIW I'm not opposed to having this though.

> +#define bpf_array_elem(arr, arr_sz, idx) ({				\
> +	typeof(&(arr)[0]) ___arr = arr;					\
> +	__u64 ___idx = idx;						\
> +	if (___arr) {							\
> +		asm volatile("if %[__idx] >= %[__bound] goto 1f;	\
> +			      %[__idx] *= %[__size];		\
> +			      %[__arr] += %[__idx];		\
> +			      goto 2f;				\

+1 for using asm goto :)

> +			      1:;				\
> +			      %[__arr] = 0;			\
> +			      2:				\
> +			      "						\
> +			     : [__arr]"+r"(___arr), [__idx]"+r"(___idx)	\
> +			     : [__bound]"r"((arr_sz)),		        \
> +			       [__size]"i"(sizeof(typeof((arr)[0])))	\
> +			     : "cc");					\
> +	}								\
> +	___arr;								\
> +})
> +
> +/*
> + * Convenience wrapper for bpf_array_elem(), where we compute the size of the
> + * array.  Be sure to use an actual array, and not a pointer, just like with the
> + * ARRAY_SIZE macro.
> + */
> +#define bpf_array_sz_elem(arr, idx) \
> +	bpf_array_elem(arr, sizeof(arr) / sizeof((arr)[0]), idx)
> +
>  #endif
> -- 
> 2.43.0.472.g3155946c3a-goog
> 
>