On 04/02/2019 04:08 AM, Alexei Starovoitov wrote: > On 4/1/19 9:35 AM, Daniel Borkmann wrote: >> On 04/01/2019 04:17 PM, Daniel Borkmann wrote: >>> On 03/30/2019 01:16 AM, Alexei Starovoitov wrote: >>>> Add 3 basic tests that stress verifier scalability. >>>> >>>> test_verif_scale1.c calls non-inlined jhash() function 90 times on >>>> different position in the packet. >>>> This test simulates network packet parsing. >>>> jhash function is ~140 instructions and main program is ~1200 insns. >>>> >>>> test_verif_scale2.c force inlines jhash() function 90 times. >>>> This program is ~15k instructions long. >>>> >>>> test_verif_scale3.c calls non-inlined jhash() function 90 times on >>>> But this time jhash has to process 32-bytes from the packet >>>> instead of 14-bytes in tests 1 and 2. >>>> jhash function is ~230 insns and main program is ~1200 insns. >>>> >>>> $ test_progs -s >>>> can be used to see verifier stats. >>>> >>>> Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx> >>> >>> Do you also have some test cases with actual 1M insns resp. such that hit >>> the new complexity limit to check timing / resources it consumes? I think >>> these would be good to have as well as part of selftests. >> >> (Another thought on why it would be good to have such tests would be to >> see if we would otherwise break long jumps again due to offset truncation >> which we had in the core as well as in JITs in the past.) > > llvm truncates jump offsets for large programs. > Unfortunately we need to introduce JA instruction > with 32-bit offset on kernel side before we can fix llvm. > There are plenty of other scalability issues on the kernel side. > This patch set is the first step. Right. > Only non-jumpy program of 1m insn loads and works. > Realistically we're still far away from accepting large programs, > but to get there we need to bump the limit and experience these issues. I think my main worry is that if we're realistically still far away from accepting 1M insns programs and have potential unknown blockers in the road wrt verifying safety, then why lifting the limit for root to 1M today already? I think the complexity limit itself is fine, but why not being more conservative on the number of instructions to something we believe verifier can realistically handle /today/ wrt worst case consumptions in case of complexity attacks, and go further from there? Once it's on 1M in UAPI it's effectively frozen and then we'll be re-adding slightly similar upper limits again which caps the 1M to something much lower (though I doubt we'll see such large programs any time soon). Thanks, Daniel
