bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* branch prediction issue
@ 2021-10-08 14:28 zerons
  2021-10-22  0:43 ` Alexei Starovoitov
  0 siblings, 1 reply; 2+ messages in thread
From: zerons @ 2021-10-08 14:28 UTC (permalink / raw)
  To: bpf

In check_cond_jmp_op(), the is_branch_taken() is called when
1) SRC op is imm
2) the value of SRC op is known

Here comes the question: what if the value of DST op is known.

Consider the following instructions:

BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
BPF_JMP32_IMM(BPF_JGT, BPF_REG_7, 0x7ffffff0, 1),
BPF_EXIT_INSN(),
BPF_LD_IMM64(BPF_REG_3, 0x7fffffe0),
BPF_JMP32_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 1),
BPF_EXIT_INSN(),
BPF_EXIT_INSN(), ==> point_a

At point_a, the state of regs[7] is
(gdb) p /x $regs[7]
$219 = {
  type = 0x1,
  {
    range = 0x0,
    map_ptr = 0x0,
    btf_id = 0x0,
    mem_size = 0x0,
    raw = 0x0
  },
  off = 0x0,
  id = 0x0,
  ref_obj_id = 0x0,
  var_off = {
    value = 0x7fffffc0,
    mask = 0xffffffff0000003f
  },
  smin_value = 0x800000007fffffc0,
  smax_value = 0x7fffffff7fffffff,
  umin_value = 0x7fffffc0,
  umax_value = 0xffffffff7fffffff,
  s32_min_value = 0x7ffffff1,
  s32_max_value = 0x7fffffdf,
  u32_min_value = 0x7ffffff1,
  u32_max_value = 0x7fffffdf,
  parent = 0xffff88807127e348,
  frameno = 0x0,
  subreg_def = 0x0,
  live = 0x4,
  precise = 0x1
}

u32_min_value is larger than u32_max_value.

The point_a instructions should be dead code. I wonder if the
verifier do this on purpose. Do we need to handle this situation?

Thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: branch prediction issue
  2021-10-08 14:28 branch prediction issue zerons
@ 2021-10-22  0:43 ` Alexei Starovoitov
  0 siblings, 0 replies; 2+ messages in thread
From: Alexei Starovoitov @ 2021-10-22  0:43 UTC (permalink / raw)
  To: zerons; +Cc: bpf

On Fri, Oct 8, 2021 at 7:30 AM zerons <sironhide0null@gmail.com> wrote:
>
> In check_cond_jmp_op(), the is_branch_taken() is called when
> 1) SRC op is imm
> 2) the value of SRC op is known
>
> Here comes the question: what if the value of DST op is known.
>
> Consider the following instructions:
>
> BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
> BPF_JMP32_IMM(BPF_JGT, BPF_REG_7, 0x7ffffff0, 1),
> BPF_EXIT_INSN(),
> BPF_LD_IMM64(BPF_REG_3, 0x7fffffe0),
> BPF_JMP32_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 1),
> BPF_EXIT_INSN(),
> BPF_EXIT_INSN(), ==> point_a
...
> The point_a instructions should be dead code. I wonder if the
> verifier do this on purpose. Do we need to handle this situation?

The compiler would never generate such code. It would be optimized.
What's the point of adding complexity to the verifier for an
artificial use case?

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-10-22  0:43 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-08 14:28 branch prediction issue zerons
2021-10-22  0:43 ` Alexei Starovoitov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).