On Tue, Jan 9, 2024 at 5:02 PM Barret Rhoden <brho@xxxxxxxxxx> wrote:
>
> On 1/4/24 16:30, Barret Rhoden wrote:
> [snip]
> >>
> >> The LLVM bpf backend has made some improvement to handle the case like
> >>   r1 = ...
> >>   r2 = r1 + 1
> >>   if (r2 < num) ...
> >>   using r1
> >> by preventing generating the above code pattern.
> >>
> >> The implementation is a pattern matching style so surely it won't be
> >> able to cover all cases.
> >>
> >> Do you have specific examples which have verification failures due to
> >> false array out-of-bounds access?
> >
> > [ snip ]
> >
> > I'll play around and see if I can come up with a selftest that can run
> > into any of these "you did the check, but threw the check away" scenarios.
>
> I got an example for this, and will include it in my next patch version,
> which I'll CC you on.
>
> If we can get the compiler to spill the register r1 to the stack (L11 in
> the asm below), it might spill it before doing the bounds check.  Then
> it checks the register (L12), but the verifier doesn't know that applies
> to the stack variable too.  Later, we refill r1 from the stack (L21).

This is a known issue.
It's addressed as part of Maxim's series:
https://patchwork.kernel.org/user/todo/netdevbpf/?series=815208
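As an added illustration of the failure mode described in the quoted message (the compiler spills r1, the bounds check lands on r2 = r1 + 1, r1 is refilled and used as the index), here is a small range-tracking model written for this page. It is not code from the thread, from LLVM or from the kernel verifier; it is a toy abstract interpreter whose instruction names and the array length NUM are constructed. It mirrors one specific behaviour from the thread, namely that a check on r2 refines only r2, so a stack slot holding the pre-check value of r1 keeps its unbounded range, whereas expressing the same check on r1 itself (what the LLVM backend rewrite aims for) keeps the spilled copy bounded.

```python
# Toy model of range tracking across register spill/fill. Added example; this is
# NOT the BPF verifier, only a simplified mirror of the behaviour described in
# the thread. Instruction names, register names and NUM are constructed.

U32_MAX = 2**32 - 1


def run(program):
    """Abstract-interpret a straight-line list of instructions.

    Registers and stack slots hold (umin, umax) unsigned ranges. For 'jlt' only
    the in-bounds fall-through path is followed and, as in the case the thread
    describes, the check refines only the register it names: nothing is derived
    for a register the checked value was computed from, nor for a stack slot.
    Returns the (umin, umax) range of the register named by the final 'use'.
    """
    regs = {}
    stack = {}
    for insn in program:
        op = insn[0]
        if op == "unknown":            # r = value the verifier knows nothing about
            regs[insn[1]] = (0, U32_MAX)
        elif op == "add":              # rd = rs + imm (saturating at U32_MAX)
            _, rd, rs, imm = insn
            lo, hi = regs[rs]
            regs[rd] = (min(lo + imm, U32_MAX), min(hi + imm, U32_MAX))
        elif op == "spill":            # *(fp + off) = r   (copies the current range)
            _, r, off = insn
            stack[off] = regs[r]
        elif op == "fill":             # r = *(fp + off)   (copies the stored range)
            _, r, off = insn
            regs[r] = stack[off]
        elif op == "jlt":              # if r >= bound goto out; keep the r < bound path
            _, r, bound = insn
            lo, hi = regs[r]
            regs[r] = (lo, min(hi, bound - 1))
        elif op == "use":              # index an array of NUM elements with r
            return regs[insn[1]]
        else:
            raise ValueError(f"unknown instruction {op!r}")
    raise ValueError("program has no 'use'")


def access_is_safe(program, num):
    """True when the index register's umax proves the access stays below num."""
    _, hi = run(program)
    return hi < num


NUM = 16  # constructed array length

# Pattern from the thread: r1 spilled before the check, the check done on
# r2 = r1 + 1, then r1 refilled from the stack and used as the index.
SPILL_BEFORE_CHECK = [
    ("unknown", "r1"),
    ("add", "r2", "r1", 1),
    ("spill", "r1", -8),
    ("jlt", "r2", NUM),        # r2 < NUM refines r2 only
    ("fill", "r1", -8),        # r1 comes back with its pre-check range
    ("use", "r1"),
]

# Same logic, but the check is expressed on r1 (r1 < NUM - 1 is equivalent to
# r1 + 1 < NUM), so the refined range is what gets spilled and refilled.
CHECK_R1_THEN_SPILL = [
    ("unknown", "r1"),
    ("jlt", "r1", NUM - 1),
    ("spill", "r1", -8),
    ("fill", "r1", -8),
    ("use", "r1"),
]

# Checking the refilled register itself also works, at the cost of a second compare.
CHECK_AFTER_FILL = [
    ("unknown", "r1"),
    ("add", "r2", "r1", 1),
    ("spill", "r1", -8),
    ("jlt", "r2", NUM),
    ("fill", "r1", -8),
    ("jlt", "r1", NUM - 1),
    ("use", "r1"),
]

if __name__ == "__main__":
    for name, prog in [("spill before check", SPILL_BEFORE_CHECK),
                       ("check r1 then spill", CHECK_R1_THEN_SPILL),
                       ("check after fill", CHECK_AFTER_FILL)]:
        print(f"{name:20s} index range={run(prog)} safe={access_is_safe(prog, NUM)}")
```

The model deliberately does not link r2 back to r1 or to the stack slot; whether and how the real verifier carries such relationships across a spill is exactly what the series linked above concerns, and this toy makes no claim about those details.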