In check_cond_jmp_op(), the is_branch_taken() is called when
1) SRC op is imm
2) the value of SRC op is known
Here comes the question: what if the value of DST op is known.
Consider the following instructions:
BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
BPF_JMP32_IMM(BPF_JGT, BPF_REG_7, 0x7ffffff0, 1),
BPF_EXIT_INSN(),
BPF_LD_IMM64(BPF_REG_3, 0x7fffffe0),
BPF_JMP32_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 1),
BPF_EXIT_INSN(),
BPF_EXIT_INSN(), ==> point_a
At point_a, the state of regs[7] is
(gdb) p /x $regs[7]
$219 = {
type = 0x1,
{
range = 0x0,
map_ptr = 0x0,
btf_id = 0x0,
mem_size = 0x0,
raw = 0x0
},
off = 0x0,
id = 0x0,
ref_obj_id = 0x0,
var_off = {
value = 0x7fffffc0,
mask = 0xffffffff0000003f
},
smin_value = 0x800000007fffffc0,
smax_value = 0x7fffffff7fffffff,
umin_value = 0x7fffffc0,
umax_value = 0xffffffff7fffffff,
s32_min_value = 0x7ffffff1,
s32_max_value = 0x7fffffdf,
u32_min_value = 0x7ffffff1,
u32_max_value = 0x7fffffdf,
parent = 0xffff88807127e348,
frameno = 0x0,
subreg_def = 0x0,
live = 0x4,
precise = 0x1
}
u32_min_value is larger than u32_max_value.
The point_a instructions should be dead code. I wonder if the
verifier do this on purpose. Do we need to handle this situation?
Thanks.
