Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp7852565rdb;
        Thu, 4 Jan 2024 09:33:31 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGVrisw0vl7/NogE9+jrZ8yBEoiJjj6AldaT6mInjkPjLh/BiuzslKpHhA3uVMKqpoklahf
X-Received: by 2002:a05:6a20:5497:b0:196:79ed:89ee with SMTP id i23-20020a056a20549700b0019679ed89eemr1256241pzk.7.1704389610658;
        Thu, 04 Jan 2024 09:33:30 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1704389610; cv=none;
        d=google.com; s=arc-20160816;
        b=tmG9DTbcFMyxL6dAyaxGpqipGdfBfP/zDcpDKlsgHkkUFFQxlzkH6YQdxp4u1C71Pi
         sxL0TbwzD4hwnvHCWh1EWM3LkRPb3GMFM5MnYKqNKiMeDa9Cwri3YHF7+CC2Quy0cKC8
         P88e8tMexiyo+NAlJ4PqXiGQiZx6SAQb2WRV6NySRCFdR/rltrPWXk6aSOZD0UfXgO0X
         scok9EZInndkgNpS/CctV76H4AlywOPGGO7QcTzxA2lx45zOJNXsDKA1RL6bgsW7sfTi
         h8WSDOYAN5esfWpqoPO5lwdk9pTp03YX4t544hdmqB2pN/x9keiJtBm2lUz2ZKG6I7nE
         WMUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:references:cc:to
         :content-language:subject:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:dkim-signature:message-id;
        bh=c/MgIcwgbufD+K7MphBKN+ZekKtDYhLfSrww5v51YLg=;
        fh=cdjmqbPQrGPsb4Nmybxaz/hzud/4cLT7OhBS6vWM024=;
        b=NGcRNoTR9avA/JY9eWTH+z5MncTljKriIE6PqzV7GaoMt4U1iGoSw154JDwxnC47ld
         8H9IS5wZUFZ58G4loW9QtLALlHZK80ilA1kap4IC2lwGHUdKGsj6V16j8z8dV4LfTrg7
         fnFRH2QFt7STnbh9sd5V1pzlDYCGnqS6o/AAE6IIS9h0kCsEekeBC0JiHTvsZhN4RxDA
         t7+sdJOZuXeXez+H7MYNPR4FfCO9M3j+HeW4EBwb6rV3vCKS0Tj3Nq+Ewf7sFchECwxw
         wCoj97guA8Rz/UU/IPxkgyPRS+M7lqP+xIqKZQB+rkC1eyBYYTSLiv74ZlZvCZbRQk8R
         GDig==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b=DlxtnQRo;
       spf=pass (google.com: domain of linux-kernel+bounces-17043-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-17043-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Return-Path: <linux-kernel+bounces-17043-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id l3-20020a656803000000b005cdff1f4821si20151975pgt.362.2024.01.04.09.33.30
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 04 Jan 2024 09:33:30 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-17043-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b=DlxtnQRo;
       spf=pass (google.com: domain of linux-kernel+bounces-17043-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-17043-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 01453B231AB
	for <linux.lists.archive@gmail.com>; Thu,  4 Jan 2024 17:32:16 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id B641E288DF;
	Thu,  4 Jan 2024 17:32:02 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="DlxtnQRo"
X-Original-To: linux-kernel@vger.kernel.org
Received: from out-188.mta1.migadu.com (out-188.mta1.migadu.com [95.215.58.188])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id F084128DA7
	for <linux-kernel@vger.kernel.org>; Thu,  4 Jan 2024 17:31:59 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev
Message-ID: <f3dd9d80-3fab-4676-b589-1d4667431287@linux.dev>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
	t=1704389518;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=c/MgIcwgbufD+K7MphBKN+ZekKtDYhLfSrww5v51YLg=;
	b=DlxtnQRovdZpb0rtMaC7tg2Xak8kiBCgOywO4W+JoXHUm9dE8IpEupVc0M8hmX5ljIteCy
	aP/rglzTtwovZyKQoTbJajQZ5eqfV+l2IBIprHLbB9HJJ08F1zVUlpSKxeQdbY5h9T+cxm
	jngvY2DYeiA2X9acjc2qgYwjknNKHFU=
Date: Thu, 4 Jan 2024 09:31:52 -0800
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Subject: Re: [PATCH v2 bpf-next 2/2] selftests/bpf: add inline assembly
 helpers to access array elements
Content-Language: en-GB
To: Jiri Olsa <olsajiri@gmail.com>, Barret Rhoden <brho@google.com>,
 Eddy Z <eddyz87@gmail.com>
Cc: Andrii Nakryiko <andrii@kernel.org>, Alexei Starovoitov <ast@kernel.org>,
 Daniel Borkmann <daniel@iogearbox.net>, Song Liu <song@kernel.org>,
 mattbobrowski@google.com, bpf@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20240103185403.610641-1-brho@google.com>
 <20240103185403.610641-3-brho@google.com> <ZZa1668ft4Npd1DA@krava>
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: Yonghong Song <yonghong.song@linux.dev>
In-Reply-To: <ZZa1668ft4Npd1DA@krava>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Migadu-Flow: FLOW_OUT

cc Eduard.

On 1/4/24 5:43 AM, Jiri Olsa wrote:
> On Wed, Jan 03, 2024 at 01:53:59PM -0500, Barret Rhoden wrote:
>
> SNIP
>
>> +
>> +
>> +/* Test that attempting to load a bad program fails. */
>> +#define test_bad(PROG) ({						\
>> +	struct array_elem_test *skel;					\
>> +	int err;							\
>> +	skel = array_elem_test__open();					\
>> +	if (!ASSERT_OK_PTR(skel, "array_elem_test open"))		\
>> +		return;							\
>> +	bpf_program__set_autoload(skel->progs.x_bad_ ## PROG, true); 	\
>> +	err = array_elem_test__load(skel);				\
>> +	ASSERT_ERR(err, "array_elem_test load " # PROG);		\
>> +	array_elem_test__destroy(skel);					\
>> +})
> I wonder we could use the existing RUN_TESTS macro and use tags
> in programs like we do for example in progs/test_global_func1.c:
>
>    SEC("tc")
>    __failure __msg("combined stack size of 4 calls is 544")
>    int global_func1(struct __sk_buff *skb)
>
> jirka
>
>
>> +
>> +void test_test_array_elem(void)
>> +{
>> +	if (test__start_subtest("array_elem_access_all"))
>> +		test_access_all();
>> +	if (test__start_subtest("array_elem_oob_access"))
>> +		test_oob_access();
>> +	if (test__start_subtest("array_elem_access_array_map_infer_sz"))
>> +		test_access_array_map_infer_sz();
>> +	if (test__start_subtest("array_elem_bad_map_array_access"))
>> +		test_bad(map_array_access);
>> +	if (test__start_subtest("array_elem_bad_bss_array_access"))
>> +		test_bad(bss_array_access);
>> +
[...]
>> diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
>> index 2fd59970c43a..002bab44cde2 100644
>> --- a/tools/testing/selftests/bpf/progs/bpf_misc.h
>> +++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
>> @@ -135,4 +135,47 @@
>>   /* make it look to compiler like value is read and written */
>>   #define __sink(expr) asm volatile("" : "+g"(expr))
>>   
>> +/*
>> + * Access an array element within a bound, such that the verifier knows the
>> + * access is safe.
>> + *
>> + * This macro asm is the equivalent of:
>> + *
>> + *	if (!arr)
>> + *		return NULL;
>> + *	if (idx >= arr_sz)
>> + *		return NULL;
>> + *	return &arr[idx];
>> + *
>> + * The index (___idx below) needs to be a u64, at least for certain versions of
>> + * the BPF ISA, since there aren't u32 conditional jumps.
>> + */
>> +#define bpf_array_elem(arr, arr_sz, idx) ({				\
>> +	typeof(&(arr)[0]) ___arr = arr;					\
>> +	__u64 ___idx = idx;						\
>> +	if (___arr) {							\
>> +		asm volatile("if %[__idx] >= %[__bound] goto 1f;	\
>> +			      %[__idx] *= %[__size];		\
>> +			      %[__arr] += %[__idx];		\
>> +			      goto 2f;				\
>> +			      1:;				\
>> +			      %[__arr] = 0;			\
>> +			      2:				\
>> +			      "						\
>> +			     : [__arr]"+r"(___arr), [__idx]"+r"(___idx)	\
>> +			     : [__bound]"r"((arr_sz)),		        \
>> +			       [__size]"i"(sizeof(typeof((arr)[0])))	\
>> +			     : "cc");					\
>> +	}								\
>> +	___arr;								\
>> +})

The LLVM bpf backend has made some improvement to handle the case like
   r1 = ...
   r2 = r1 + 1
   if (r2 < num) ...
   using r1
by preventing generating the above code pattern.

The implementation is a pattern matching style so surely it won't be
able to cover all cases.

Do you have specific examples which has verification failure due to
false array out of bound access?

>> +
>> +/*
>> + * Convenience wrapper for bpf_array_elem(), where we compute the size of the
>> + * array.  Be sure to use an actual array, and not a pointer, just like with the
>> + * ARRAY_SIZE macro.
>> + */
>> +#define bpf_array_sz_elem(arr, idx) \
>> +	bpf_array_elem(arr, sizeof(arr) / sizeof((arr)[0]), idx)
>> +
>>   #endif
>> -- 
>> 2.43.0.472.g3155946c3a-goog
>>
>>