On Fri, Oct 8, 2021 at 7:30 AM zerons <sironhide0null@xxxxxxxxx> wrote:
>
> In check_cond_jmp_op(), the is_branch_taken() is called when
> 1) SRC op is imm
> 2) the value of SRC op is known
>
> Here comes the question: what if the value of DST op is known?
>
> Consider the following instructions:
>
> BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
> BPF_JMP32_IMM(BPF_JGT, BPF_REG_7, 0x7ffffff0, 1),
> BPF_EXIT_INSN(),
> BPF_LD_IMM64(BPF_REG_3, 0x7fffffe0),
> BPF_JMP32_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 1),
> BPF_EXIT_INSN(),
> BPF_EXIT_INSN(), ==> point_a
> ...
> The point_a instructions should be dead code. I wonder if the
> verifier does this on purpose. Do we need to handle this situation?

The compiler would never generate such code. It would be optimized.
What's the point of adding complexity to the verifier for an artificial use case?
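As an added model (not kernel code and not part of the thread), the quoted sequence walked with the u32 bounds the verifier tracks per register, showing why the jump to point_a is provably never taken once the constant sits on the DST side; `struct reg32` and the helper names are assumed simplifications of the verifier's register state:

```c
/* Added model (not kernel code) of the u32 bounds the BPF verifier keeps per
 * register and of is_branch_taken() for a JMP32 BPF_JGT: 1 = always taken,
 * 0 = never taken, -1 = unknown. The kernel only asks when SRC is constant;
 * jgt_const_dst() is the mirror case the thread asks about. */
#include <stdint.h>
#include <stdio.h>

struct reg32 { uint32_t umin, umax; };   /* assumed: only u32 bounds modelled */

static int jgt_const_src(const struct reg32 *dst, uint32_t imm) /* dst > imm */
{
	if (dst->umin > imm) return 1;
	if (dst->umax <= imm) return 0;
	return -1;
}

static int jgt_const_dst(uint32_t imm, const struct reg32 *src) /* imm > src */
{
	if (imm > src->umax) return 1;
	if (imm <= src->umin) return 0;
	return -1;
}

/* Bounds of dst on the taken edge of "if dst > imm goto +off"
 * (caller has already discarded edges is_branch_taken() ruled out). */
static void refine_taken_jgt(struct reg32 *dst, uint32_t imm)
{
	if (dst->umin <= imm) dst->umin = imm + 1;
}

/* Walk the thread's sequence; returns the verdict at the second jump. */
static int verdict_for_thread_sequence(void)
{
	struct reg32 r7 = { 0, UINT32_MAX };          /* BPF_LDX_MEM: unknown */
	struct reg32 r3 = { 0x7fffffe0, 0x7fffffe0 }; /* BPF_LD_IMM64: const  */

	/* BPF_JMP32_IMM(BPF_JGT, r7, 0x7ffffff0, 1): the not-taken edge exits,
	 * so only r7 in [0x7ffffff1, 0xffffffff] continues. */
	refine_taken_jgt(&r7, 0x7ffffff0);

	/* BPF_JMP32_REG(BPF_JGT, r3, r7, 1): r7 is not const, so the kernel's
	 * SRC-constant check cannot fire; a DST-constant check can. */
	if (r7.umin == r7.umax) return jgt_const_src(&r3, r7.umin);
	if (r3.umin == r3.umax) return jgt_const_dst(r3.umin, &r7);
	return -1;
}

int main(void)
{
	printf("second JMP32 verdict: %d (0 = never taken, point_a dead)\n",
	       verdict_for_thread_sequence());
	return 0;
}
```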