Message-ID: <781a86b1-c02b-4bb8-bc79-bfbd4f2ff146@google.com>
Date: Tue, 9 Jan 2024 20:02:16 -0500
Subject: Re: [PATCH v2 bpf-next 2/2] selftests/bpf: add inline assembly helpers to access array elements
From: Barret Rhoden
To: Yonghong Song, Eddy Z
Cc: Jiri Olsa, Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, Song Liu, mattbobrowski@google.com, bpf@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20240103185403.610641-1-brho@google.com> <20240103185403.610641-3-brho@google.com>

On 1/4/24 16:30, Barret Rhoden wrote:
[snip]
>>
>> The LLVM bpf backend has made some improvement to handle the case like
>>    r1 = ...
>>    r2 = r1 + 1
>>    if (r2 < num) ...
>>    using r1
>> by preventing generation of the above code pattern.
>>
>> The implementation is a pattern matching style so surely it won't be
>> able to cover all cases.
>>
>> Do you have specific examples which have a verification failure due to
>> a false array out of bound access?
> [ snip ]
>
> I'll play around and see if I can come up with a selftest that can run
> into any of these "you did the check, but threw the check away" scenarios.

I got an example for this, and will include it in my next patch version, which I'll CC you on.

If we can get the compiler to spill the register r1 to the stack (L11 in the asm below), it might spill it before doing the bounds check. Then it checks the register (L12), but the verifier doesn't know that applies to the stack variable too.
Later, we refill r1 from the stack (L21). The reason for the spill was that I made another bpf_map_lookup_elem() call (L19), which needed r1 as an argument.

11: (63) *(u32 *)(r10 -8) = r1       ; R1=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff)) R10=fp0 fp-8=????scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff))
12: (35) if r1 >= 0x64 goto pc+13    ; R1=scalar(smin=smin32=0,smax=umax=smax32=umax32=99,var_off=(0x0; 0x7f))
13: (b4) w1 = 0                      ; R1_w=0
14: (63) *(u32 *)(r10 -4) = r1       ; R1_w=0 R10=fp0 fp-8=0000mmmm
15: (bf) r2 = r10                    ; R2_w=fp0 R10=fp0
16: (07) r2 += -4                    ; R2_w=fp-4
17: (18) r1 = 0xffffc9000011edf0     ; R1_w=map_ptr(map=arraymap,ks=4,vs=400)
19: (85) call bpf_map_lookup_elem#1  ; R0_w=map_value_or_null(id=2,map=arraymap,ks=4,vs=400)
20: (15) if r0 == 0x0 goto pc+5      ; R0_w=map_value(map=arraymap,ks=4,vs=400)
21: (61) r1 = *(u32 *)(r10 -8)       ; R1_w=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff)) R10=fp0 fp-8=mmmmmmmm

Thanks,

Barret
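To make the spill-then-check-then-refill problem in the log above concrete, here is a small Python model of the verifier's scalar range tracking; it is an added illustration written for this thread, not the kernel verifier and not code from the patch series. It tracks only [smin, smax] for r1 and the fp-8 slot, and assumes ARRAY_LEN = 100 (the 0x64 compared at insn 12) and that the "fix" is simply re-checking the refilled register.

```python
# Constructed model of verifier scalar tracking (not the kernel's verifier).
# Only [smin, smax] ranges are tracked, which is enough to show why the
# bounds check at insn 12 does not narrow the copy spilled at insn 11.
U32_MAX = 0xFFFFFFFF
ARRAY_LEN = 100  # the 0x64 that insn 12 compares r1 against (assumption)


class State:
    def __init__(self):
        self.regs = {}   # e.g. "r1"   -> (smin, smax)
        self.stack = {}  # e.g. "fp-8" -> (smin, smax)


def spill(st, reg, slot):
    # insn 11: *(u32 *)(r10 -8) = r1. The slot receives a copy of the
    # register's current range; no link back to the register is kept.
    st.stack[slot] = st.regs[reg]


def check_lt(st, reg, bound):
    # insn 12: if r1 >= bound goto ... On the fall-through path the
    # verifier narrows the register it compared, and only that register.
    smin, smax = st.regs[reg]
    st.regs[reg] = (smin, min(smax, bound - 1))


def refill(st, reg, slot):
    # insn 21: r1 = *(u32 *)(r10 -8). The register gets the slot's range,
    # i.e. the pre-check range that was spilled.
    st.regs[reg] = st.stack[slot]


def index_ok(st, reg, length):
    # An array access indexed by reg verifies only if its range fits.
    smin, smax = st.regs[reg]
    return smin >= 0 and smax < length


def run(recheck_after_refill=False):
    st = State()
    st.regs["r1"] = (0, U32_MAX)        # unknown u32 index
    spill(st, "r1", "fp-8")             # insn 11
    check_lt(st, "r1", ARRAY_LEN)       # insn 12
    after_check = st.regs["r1"]
    del st.regs["r1"]                   # insns 13-20: r1 clobbered by the call
    refill(st, "r1", "fp-8")            # insn 21
    if recheck_after_refill:
        check_lt(st, "r1", ARRAY_LEN)   # assumed fix: compare the value used
    return {"after_check": after_check, "slot": st.stack["fp-8"],
            "after_refill": st.regs["r1"],
            "verifies": index_ok(st, "r1", ARRAY_LEN)}
```

Running `run()` reproduces the log: r1 is [0, 99] right after insn 12, fp-8 stays [0, 0xffffffff], and the refilled r1 is wide again, so the access does not verify; `run(True)` shows the access verifying once the check is applied to the refilled register.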