On Tue, Dec 10, 2024 at 2:35 AM Nick Zavaritsky <mejedi@xxxxxxxxx> wrote:
>
> > Tail-called programs could execute any of the helpers that invalidate
> > packet pointers. Hence, conservatively assume that each tail call
> > invalidates packet pointers.
>
> Tail calls look like a clear limitation of "auto-infer packet
> invalidation effect" approach. Correct solution requires propagating
> effects in the dynamic callee-caller graph, unlikely to ever happen.
>
> I'm curious if assuming that every call to a global sub program
> invalidates packet pointers might be an option. Does it break too many
> programs in the wild?

It might. Assuming every global prog changes pkt data is too risky,
also it would diverge global vs static verification even further,
which is a bad user experience.

> From an end-user perspective, the presented solution makes debugging
> verifier errors harder. An error message doesn't tell which call
> invalidated pointers. Whether verifier considers a particular sub
> program as pointer-invalidating is not revealed. I foresee exciting
> debugging sessions.

There is such a risk.

> It probably doesn't matter, but I don't like bpf_xdp_adjust_meta(xdp, 0)
> hack to mark a program as pointer-invalidating either.
>
> I would've preferred a simple static rule "calls to global sub programs
> invalidate packet pointers" with an optional decl tag to mark a sub
> program as non-invalidating, in line with "arg:nonnull".

That's not an option.