* branch prediction issue
@ 2021-10-08 14:28 zerons
2021-10-22 0:43 ` Alexei Starovoitov
0 siblings, 1 reply; 2+ messages in thread
From: zerons @ 2021-10-08 14:28 UTC (permalink / raw)
To: bpf
In check_cond_jmp_op(), the is_branch_taken() is called when
1) SRC op is imm
2) the value of SRC op is known
Here comes the question: what if the value of DST op is known.
Consider the following instructions:
BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
BPF_JMP32_IMM(BPF_JGT, BPF_REG_7, 0x7ffffff0, 1),
BPF_EXIT_INSN(),
BPF_LD_IMM64(BPF_REG_3, 0x7fffffe0),
BPF_JMP32_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 1),
BPF_EXIT_INSN(),
BPF_EXIT_INSN(), ==> point_a
At point_a, the state of regs[7] is
(gdb) p /x $regs[7]
$219 = {
type = 0x1,
{
range = 0x0,
map_ptr = 0x0,
btf_id = 0x0,
mem_size = 0x0,
raw = 0x0
},
off = 0x0,
id = 0x0,
ref_obj_id = 0x0,
var_off = {
value = 0x7fffffc0,
mask = 0xffffffff0000003f
},
smin_value = 0x800000007fffffc0,
smax_value = 0x7fffffff7fffffff,
umin_value = 0x7fffffc0,
umax_value = 0xffffffff7fffffff,
s32_min_value = 0x7ffffff1,
s32_max_value = 0x7fffffdf,
u32_min_value = 0x7ffffff1,
u32_max_value = 0x7fffffdf,
parent = 0xffff88807127e348,
frameno = 0x0,
subreg_def = 0x0,
live = 0x4,
precise = 0x1
}
u32_min_value is larger than u32_max_value.
The point_a instructions should be dead code. I wonder if the
verifier do this on purpose. Do we need to handle this situation?
Thanks.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: branch prediction issue
2021-10-08 14:28 branch prediction issue zerons
@ 2021-10-22 0:43 ` Alexei Starovoitov
0 siblings, 0 replies; 2+ messages in thread
From: Alexei Starovoitov @ 2021-10-22 0:43 UTC (permalink / raw)
To: zerons; +Cc: bpf
On Fri, Oct 8, 2021 at 7:30 AM zerons <sironhide0null@gmail.com> wrote:
>
> In check_cond_jmp_op(), the is_branch_taken() is called when
> 1) SRC op is imm
> 2) the value of SRC op is known
>
> Here comes the question: what if the value of DST op is known.
>
> Consider the following instructions:
>
> BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
> BPF_JMP32_IMM(BPF_JGT, BPF_REG_7, 0x7ffffff0, 1),
> BPF_EXIT_INSN(),
> BPF_LD_IMM64(BPF_REG_3, 0x7fffffe0),
> BPF_JMP32_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 1),
> BPF_EXIT_INSN(),
> BPF_EXIT_INSN(), ==> point_a
...
> The point_a instructions should be dead code. I wonder if the
> verifier do this on purpose. Do we need to handle this situation?
The compiler would never generate such code. It would be optimized.
What's the point of adding complexity to the verifier for an
artificial use case?
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-10-22 0:43 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-08 14:28 branch prediction issue zerons
2021-10-22 0:43 ` Alexei Starovoitov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.