On Tue, Jan 31, 2023 at 12:29 AM Eduard Zingerman <eddyz87@xxxxxxxxx> wrote:
>
> On Mon, 2023-01-30 at 18:42 -0800, Alexei Starovoitov wrote:
> [...]
> > > >
> > > > Hi Alexei, Andrii,
> > > >
> > > > Please note that the patch
> > > > "bpf: Fix to preserve reg parent/live fields when copying range info"
> > > > that started this conversation was applied to `bpf` tree, not `bpf-next`,
> > > > so I'll wait until it gets its way to `bpf-next` before submitting formal
> > > > patches, as it changes the performance numbers collected by veristat.
> > > > I did all my experiments with this patch applied on top of `bpf-next`.
> > > >
> > > > I adapted the patch suggested by Alexei and put it to my github for
> > > > now [1]. The performance gains are indeed significant:
> > > >
> > > > $ ./veristat -e file,states -C -f 'states_pct<-30' master.log uninit-reads.log
> > > > File States (A) States (B) States (DIFF)
> > > > -------------------------- ---------- ---------- ----------------
> > > > bpf_host.o 349 244 -105 (-30.09%)
> > > > bpf_host.o 1320 895 -425 (-32.20%)
> > > > bpf_lxc.o 1320 895 -425 (-32.20%)
> > > > bpf_sock.o 70 48 -22 (-31.43%)
> > > > bpf_sock.o 68 46 -22 (-32.35%)
> > > > bpf_xdp.o 1554 803 -751 (-48.33%)
> > > > bpf_xdp.o 6457 2473 -3984 (-61.70%)
> > > > bpf_xdp.o 7249 3908 -3341 (-46.09%)
> > > > pyperf600_bpf_loop.bpf.o 287 145 -142 (-49.48%)
> > > > strobemeta.bpf.o 15879 4790 -11089 (-69.83%)
> > > > strobemeta_nounroll2.bpf.o 20505 3931 -16574 (-80.83%)
> > > > xdp_synproxy_kern.bpf.o 22564 7009 -15555 (-68.94%)
> > > > xdp_synproxy_kern.bpf.o 24206 6941 -17265 (-71.33%)
> > > > -------------------------- ---------- ---------- ----------------
> > > >
> > > > However, this comes at a cost of allowing reads from uninitialized
> > > > stack locations. As far as I understand access to uninitialized local
> > > > variable is one of the most common errors when programming in C
> > > > (although citation is needed).
> > >
> > > Yeah, a citation is really needed :) I don't see this often in
> > > practice, tbh. What I do see in practice is that people are
> > > unnecessarily __builtint_memset(0) struct and initialize all fields
> > > with field-by-field initialization, instead of just using a nice C
> > > syntax:
> > >
> > > struct my_struct s = {
> > > .field_a = 123,
> > > .field_b = 234,
> > > };
> > >
> > >
> > > And all that just because there is some padding between field_a and
> > > field_b which the compiler won't zero-initialize.
>
> Andrii, do you have such example somewhere? If the use case is to pass
> 's' to some helper function it should already work if function
> argument type is 'ARG_PTR_TO_UNINIT_MEM'. Handled by the following
> code in the verifier.c:check_stack_range_initialized():
>
> ...
> if (meta && meta->raw_mode) {
> ...
> meta->access_size = access_size;
> meta->regno = regno;
> return 0;
> }
>
> But only for fixed stack offsets. I'm asking because it might point to
> some bug.
I don't have specifics at hand, but there were at least few different
internal cases where this popped up. And just grepping code base, we
have tons of
__builtin_memset(&event, 0, sizeof(event));
in our code base, even if struct initialization would be more convenient.
I don't remember how exactly that struct was used, but one of the use
cases was passing it to bpf_perf_event_output(), which expects
initialized memory.
>
> > >
> > > >
> > > > Also more tests are failing after register parentage chains patch is
> > > > applied than in Alexei's initial try: 10 verifier tests and 1 progs
> > > > test (test_global_func10.c, I have not modified it yet, it should wait
> > > > for my changes for unprivileged execution mode support in
> > > > test_loader.c). I don't really like how I had to fix those tests.
> > > >
> > > > I took a detailed look at the difference in verifier behavior between
> > > > master and the branch [1] for pyperf600_bpf_loop.bpf.o and identified
> > > > that the difference is caused by the fact that helper functions do not
> > > > mark the stack they access as REG_LIVE_WRITTEN, the details are in the
> > > > commit message [3], but TLDR is the following example:
> > > >
> > > > 1: bpf_probe_read_user(&foo, ...);
> > > > 2: if (*foo) ...
> > > >
> > > > Here `*foo` will not get REG_LIVE_WRITTEN mark when (1) is verified,
> > > > thus `*foo` read at (2) might lead to excessive REG_LIVE_READ marks
> > > > and thus more verification states.
> > >
> > > This is a good fix in its own right, of course, we should definitely do this!
> >
> > +1
> >
> > > >
> > > > I prepared a patch that changes helper calls verification to apply
> > > > REG_LIVE_WRITTEN when write size and alignment allow this, again
> > > > currently on my github [2]. This patch has less dramatic performance
> > > > impact, but nonetheless significant:
> > > >
> > > > $ veristat -e file,states -C -f 'states_pct<-30' master.log helpers-written.log
> > > > File States (A) States (B) States (DIFF)
> > > > -------------------------- ---------- ---------- ----------------
> > > > pyperf600_bpf_loop.bpf.o 287 156 -131 (-45.64%)
> > > > strobemeta.bpf.o 15879 4772 -11107 (-69.95%)
> > > > strobemeta_nounroll1.bpf.o 2065 1337 -728 (-35.25%)
> > > > strobemeta_nounroll2.bpf.o 20505 3788 -16717 (-81.53%)
> > > > test_cls_redirect.bpf.o 8129 4799 -3330 (-40.96%)
> > > > -------------------------- ---------- ---------- ----------------
> > > >
> > > > I suggest that instead of dropping a useful safety check I can further
> > > > investigate difference in behavior between "uninit-reads.log" and
> > > > "helpers-written.log" and maybe figure out other improvements.
> > > > Unfortunately the comparison process is extremely time consuming.
> > > >
> > > > wdyt?
> > >
> > > I think reading uninitialized stack slot concerns are overblown in
> > > practice (in terms of their good implications for programmer's
> > > productivity), I'd still do it if only in the name of improving user
> > > experience.
> >
> > +1
> > Let's do both (REG_LIVE_WRITTEN for helpers and allow uninit).
> >
> > Uninit access should be caught by the compiler.
> > The verifier is repeating the check for historical reasons when we
> > tried to make it work for unpriv.
> > Allow uninit won't increase the number of errors in bpf progs.
>
> Thank you for the feedback. I'll submit both patches when
> "bpf: Fix to preserve reg parent/live fields when copying range info"
> will get to bpf-next.
>
> Thanks,
> Eduard.
