Commit fbc0b025 authored by Alexei Starovoitov's avatar Alexei Starovoitov

Merge branch 'Add precision propagation for subprogs and callbacks'

Andrii Nakryiko says:

====================
As more and more real-world BPF programs become more complex
and increasingly use subprograms (both static and global), scalar precision
tracking and its (previously weak) support for BPF subprograms (and callbacks
as a special case of that) is becoming more and more of an issue and
limitation. Couple that with increasing reliance on state equivalence (BPF
open-coded iterators have a hard requirement for state equivalence to converge
and successfully validate loops), and it becomes pretty critical to address
this limitation and make precision tracking universally supported for BPF
programs of any complexity and composition.

This patch set teaches BPF verifier to support SCALAR precision
backpropagation across multiple frames (for subprogram calls and callback
simulations) and addresses most practical situations (SCALAR stack
loads/stores using registers other than r10 being the last remaining
limitation, though thankfully rarely used in practice).

Main logic is explained in details in patch #8. The rest are preliminary
preparations, refactorings, clean ups, and fixes. See respective patches for
details.

Patch #8 has also veristat comparison of results for selftests, Cilium, and
some of Meta production BPF programs before and after these changes.

v2->v3:
  - drop bitcnt and ifs from bt_xxx() helpers (Alexei);
v1->v2:
  - addressed review feedback form Alexei, adjusted commit messages, comments,
    added verbose(), WARN_ONCE(), etc;
  - re-ran all the tests and veristat on selftests, cilium, and meta-internal
    code: no new changes and no kernel warnings.
====================
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parents 7866fc6a c91ab90c
...@@ -18,8 +18,11 @@ ...@@ -18,8 +18,11 @@
* that converting umax_value to int cannot overflow. * that converting umax_value to int cannot overflow.
*/ */
#define BPF_MAX_VAR_SIZ (1 << 29) #define BPF_MAX_VAR_SIZ (1 << 29)
/* size of type_str_buf in bpf_verifier. */ /* size of tmp_str_buf in bpf_verifier.
#define TYPE_STR_BUF_LEN 128 * we need at least 306 bytes to fit full stack mask representation
* (in the "-8,-16,...,-512" form)
*/
#define TMP_STR_BUF_LEN 320
/* Liveness marks, used for registers and spilled-regs (in stack slots). /* Liveness marks, used for registers and spilled-regs (in stack slots).
* Read marks propagate upwards until they find a write mark; they record that * Read marks propagate upwards until they find a write mark; they record that
...@@ -238,6 +241,10 @@ enum bpf_stack_slot_type { ...@@ -238,6 +241,10 @@ enum bpf_stack_slot_type {
#define BPF_REG_SIZE 8 /* size of eBPF register in bytes */ #define BPF_REG_SIZE 8 /* size of eBPF register in bytes */
#define BPF_REGMASK_ARGS ((1 << BPF_REG_1) | (1 << BPF_REG_2) | \
(1 << BPF_REG_3) | (1 << BPF_REG_4) | \
(1 << BPF_REG_5))
#define BPF_DYNPTR_SIZE sizeof(struct bpf_dynptr_kern) #define BPF_DYNPTR_SIZE sizeof(struct bpf_dynptr_kern)
#define BPF_DYNPTR_NR_SLOTS (BPF_DYNPTR_SIZE / BPF_REG_SIZE) #define BPF_DYNPTR_NR_SLOTS (BPF_DYNPTR_SIZE / BPF_REG_SIZE)
...@@ -541,6 +548,15 @@ struct bpf_subprog_info { ...@@ -541,6 +548,15 @@ struct bpf_subprog_info {
bool is_async_cb; bool is_async_cb;
}; };
struct bpf_verifier_env;
struct backtrack_state {
struct bpf_verifier_env *env;
u32 frame;
u32 reg_masks[MAX_CALL_FRAMES];
u64 stack_masks[MAX_CALL_FRAMES];
};
/* single container for all structs /* single container for all structs
* one verifier_env per bpf_check() call * one verifier_env per bpf_check() call
*/ */
...@@ -578,6 +594,7 @@ struct bpf_verifier_env { ...@@ -578,6 +594,7 @@ struct bpf_verifier_env {
int *insn_stack; int *insn_stack;
int cur_stack; int cur_stack;
} cfg; } cfg;
struct backtrack_state bt;
u32 pass_cnt; /* number of times do_check() was called */ u32 pass_cnt; /* number of times do_check() was called */
u32 subprog_cnt; u32 subprog_cnt;
/* number of instructions analyzed by the verifier */ /* number of instructions analyzed by the verifier */
...@@ -606,8 +623,10 @@ struct bpf_verifier_env { ...@@ -606,8 +623,10 @@ struct bpf_verifier_env {
/* Same as scratched_regs but for stack slots */ /* Same as scratched_regs but for stack slots */
u64 scratched_stack_slots; u64 scratched_stack_slots;
u64 prev_log_pos, prev_insn_print_pos; u64 prev_log_pos, prev_insn_print_pos;
/* buffer used in reg_type_str() to generate reg_type string */ /* buffer used to generate temporary string representations,
char type_str_buf[TYPE_STR_BUF_LEN]; * e.g., in reg_type_str() to generate reg_type string
*/
char tmp_str_buf[TMP_STR_BUF_LEN];
}; };
__printf(2, 0) void bpf_verifier_vlog(struct bpf_verifier_log *log, __printf(2, 0) void bpf_verifier_vlog(struct bpf_verifier_log *log,
......
This diff is collapsed.
...@@ -55,6 +55,7 @@ ...@@ -55,6 +55,7 @@
#include "verifier_spill_fill.skel.h" #include "verifier_spill_fill.skel.h"
#include "verifier_spin_lock.skel.h" #include "verifier_spin_lock.skel.h"
#include "verifier_stack_ptr.skel.h" #include "verifier_stack_ptr.skel.h"
#include "verifier_subprog_precision.skel.h"
#include "verifier_subreg.skel.h" #include "verifier_subreg.skel.h"
#include "verifier_uninit.skel.h" #include "verifier_uninit.skel.h"
#include "verifier_unpriv.skel.h" #include "verifier_unpriv.skel.h"
...@@ -154,6 +155,7 @@ void test_verifier_sock(void) { RUN(verifier_sock); } ...@@ -154,6 +155,7 @@ void test_verifier_sock(void) { RUN(verifier_sock); }
void test_verifier_spill_fill(void) { RUN(verifier_spill_fill); } void test_verifier_spill_fill(void) { RUN(verifier_spill_fill); }
void test_verifier_spin_lock(void) { RUN(verifier_spin_lock); } void test_verifier_spin_lock(void) { RUN(verifier_spin_lock); }
void test_verifier_stack_ptr(void) { RUN(verifier_stack_ptr); } void test_verifier_stack_ptr(void) { RUN(verifier_stack_ptr); }
void test_verifier_subprog_precision(void) { RUN(verifier_subprog_precision); }
void test_verifier_subreg(void) { RUN(verifier_subreg); } void test_verifier_subreg(void) { RUN(verifier_subreg); }
void test_verifier_uninit(void) { RUN(verifier_uninit); } void test_verifier_uninit(void) { RUN(verifier_uninit); }
void test_verifier_unpriv(void) { RUN(verifier_unpriv); } void test_verifier_unpriv(void) { RUN(verifier_unpriv); }
......
...@@ -86,6 +86,10 @@ ...@@ -86,6 +86,10 @@
#define POINTER_VALUE 0xcafe4all #define POINTER_VALUE 0xcafe4all
#define TEST_DATA_LEN 64 #define TEST_DATA_LEN 64
#ifndef __used
#define __used __attribute__((used))
#endif
#if defined(__TARGET_ARCH_x86) #if defined(__TARGET_ARCH_x86)
#define SYSCALL_WRAPPER 1 #define SYSCALL_WRAPPER 1
#define SYS_PREFIX "__x64_" #define SYS_PREFIX "__x64_"
......
...@@ -651,29 +651,25 @@ int iter_stack_array_loop(const void *ctx) ...@@ -651,29 +651,25 @@ int iter_stack_array_loop(const void *ctx)
return sum; return sum;
} }
#define ARR_SZ 16 static __noinline void fill(struct bpf_iter_num *it, int *arr, __u32 n, int mul)
static __noinline void fill(struct bpf_iter_num *it, int *arr, int mul)
{ {
int *t; int *t, i;
__u64 i;
while ((t = bpf_iter_num_next(it))) { while ((t = bpf_iter_num_next(it))) {
i = *t; i = *t;
if (i >= ARR_SZ) if (i >= n)
break; break;
arr[i] = i * mul; arr[i] = i * mul;
} }
} }
static __noinline int sum(struct bpf_iter_num *it, int *arr) static __noinline int sum(struct bpf_iter_num *it, int *arr, __u32 n)
{ {
int *t, sum = 0;; int *t, i, sum = 0;;
__u64 i;
while ((t = bpf_iter_num_next(it))) { while ((t = bpf_iter_num_next(it))) {
i = *t; i = *t;
if (i >= ARR_SZ) if (i >= n)
break; break;
sum += arr[i]; sum += arr[i];
} }
...@@ -685,7 +681,7 @@ SEC("raw_tp") ...@@ -685,7 +681,7 @@ SEC("raw_tp")
__success __success
int iter_pass_iter_ptr_to_subprog(const void *ctx) int iter_pass_iter_ptr_to_subprog(const void *ctx)
{ {
int arr1[ARR_SZ], arr2[ARR_SZ]; int arr1[16], arr2[32];
struct bpf_iter_num it; struct bpf_iter_num it;
int n, sum1, sum2; int n, sum1, sum2;
...@@ -694,25 +690,25 @@ int iter_pass_iter_ptr_to_subprog(const void *ctx) ...@@ -694,25 +690,25 @@ int iter_pass_iter_ptr_to_subprog(const void *ctx)
/* fill arr1 */ /* fill arr1 */
n = ARRAY_SIZE(arr1); n = ARRAY_SIZE(arr1);
bpf_iter_num_new(&it, 0, n); bpf_iter_num_new(&it, 0, n);
fill(&it, arr1, 2); fill(&it, arr1, n, 2);
bpf_iter_num_destroy(&it); bpf_iter_num_destroy(&it);
/* fill arr2 */ /* fill arr2 */
n = ARRAY_SIZE(arr2); n = ARRAY_SIZE(arr2);
bpf_iter_num_new(&it, 0, n); bpf_iter_num_new(&it, 0, n);
fill(&it, arr2, 10); fill(&it, arr2, n, 10);
bpf_iter_num_destroy(&it); bpf_iter_num_destroy(&it);
/* sum arr1 */ /* sum arr1 */
n = ARRAY_SIZE(arr1); n = ARRAY_SIZE(arr1);
bpf_iter_num_new(&it, 0, n); bpf_iter_num_new(&it, 0, n);
sum1 = sum(&it, arr1); sum1 = sum(&it, arr1, n);
bpf_iter_num_destroy(&it); bpf_iter_num_destroy(&it);
/* sum arr2 */ /* sum arr2 */
n = ARRAY_SIZE(arr2); n = ARRAY_SIZE(arr2);
bpf_iter_num_new(&it, 0, n); bpf_iter_num_new(&it, 0, n);
sum2 = sum(&it, arr2); sum2 = sum(&it, arr2, n);
bpf_iter_num_destroy(&it); bpf_iter_num_destroy(&it);
bpf_printk("sum1=%d, sum2=%d", sum1, sum2); bpf_printk("sum1=%d, sum2=%d", sum1, sum2);
......
This diff is collapsed.
...@@ -38,25 +38,24 @@ ...@@ -38,25 +38,24 @@
.fixup_map_array_48b = { 1 }, .fixup_map_array_48b = { 1 },
.result = VERBOSE_ACCEPT, .result = VERBOSE_ACCEPT,
.errstr = .errstr =
"26: (85) call bpf_probe_read_kernel#113\ "mark_precise: frame0: last_idx 26 first_idx 20\
last_idx 26 first_idx 20\ mark_precise: frame0: regs=r2 stack= before 25\
regs=4 stack=0 before 25\ mark_precise: frame0: regs=r2 stack= before 24\
regs=4 stack=0 before 24\ mark_precise: frame0: regs=r2 stack= before 23\
regs=4 stack=0 before 23\ mark_precise: frame0: regs=r2 stack= before 22\
regs=4 stack=0 before 22\ mark_precise: frame0: regs=r2 stack= before 20\
regs=4 stack=0 before 20\ mark_precise: frame0: parent state regs=r2 stack=:\
parent didn't have regs=4 stack=0 marks\ mark_precise: frame0: last_idx 19 first_idx 10\
last_idx 19 first_idx 10\ mark_precise: frame0: regs=r2 stack= before 19\
regs=4 stack=0 before 19\ mark_precise: frame0: regs=r9 stack= before 18\
regs=200 stack=0 before 18\ mark_precise: frame0: regs=r8,r9 stack= before 17\
regs=300 stack=0 before 17\ mark_precise: frame0: regs=r0,r9 stack= before 15\
regs=201 stack=0 before 15\ mark_precise: frame0: regs=r0,r9 stack= before 14\
regs=201 stack=0 before 14\ mark_precise: frame0: regs=r9 stack= before 13\
regs=200 stack=0 before 13\ mark_precise: frame0: regs=r9 stack= before 12\
regs=200 stack=0 before 12\ mark_precise: frame0: regs=r9 stack= before 11\
regs=200 stack=0 before 11\ mark_precise: frame0: regs=r9 stack= before 10\
regs=200 stack=0 before 10\ mark_precise: frame0: parent state regs= stack=:",
parent already had regs=0 stack=0 marks",
}, },
{ {
"precise: test 2", "precise: test 2",
...@@ -100,20 +99,20 @@ ...@@ -100,20 +99,20 @@
.flags = BPF_F_TEST_STATE_FREQ, .flags = BPF_F_TEST_STATE_FREQ,
.errstr = .errstr =
"26: (85) call bpf_probe_read_kernel#113\ "26: (85) call bpf_probe_read_kernel#113\
last_idx 26 first_idx 22\ mark_precise: frame0: last_idx 26 first_idx 22\
regs=4 stack=0 before 25\ mark_precise: frame0: regs=r2 stack= before 25\
regs=4 stack=0 before 24\ mark_precise: frame0: regs=r2 stack= before 24\
regs=4 stack=0 before 23\ mark_precise: frame0: regs=r2 stack= before 23\
regs=4 stack=0 before 22\ mark_precise: frame0: regs=r2 stack= before 22\
parent didn't have regs=4 stack=0 marks\ mark_precise: frame0: parent state regs=r2 stack=:\
last_idx 20 first_idx 20\ mark_precise: frame0: last_idx 20 first_idx 20\
regs=4 stack=0 before 20\ mark_precise: frame0: regs=r2 stack= before 20\
parent didn't have regs=4 stack=0 marks\ mark_precise: frame0: parent state regs=r2 stack=:\
last_idx 19 first_idx 17\ mark_precise: frame0: last_idx 19 first_idx 17\
regs=4 stack=0 before 19\ mark_precise: frame0: regs=r2 stack= before 19\
regs=200 stack=0 before 18\ mark_precise: frame0: regs=r9 stack= before 18\
regs=300 stack=0 before 17\ mark_precise: frame0: regs=r8,r9 stack= before 17\
parent already had regs=0 stack=0 marks", mark_precise: frame0: parent state regs= stack=:",
}, },
{ {
"precise: cross frame pruning", "precise: cross frame pruning",
...@@ -153,15 +152,16 @@ ...@@ -153,15 +152,16 @@
}, },
.prog_type = BPF_PROG_TYPE_XDP, .prog_type = BPF_PROG_TYPE_XDP,
.flags = BPF_F_TEST_STATE_FREQ, .flags = BPF_F_TEST_STATE_FREQ,
.errstr = "5: (2d) if r4 > r0 goto pc+0\ .errstr = "mark_precise: frame0: last_idx 5 first_idx 5\
last_idx 5 first_idx 5\ mark_precise: frame0: parent state regs=r4 stack=:\
parent didn't have regs=10 stack=0 marks\ mark_precise: frame0: last_idx 4 first_idx 2\
last_idx 4 first_idx 2\ mark_precise: frame0: regs=r4 stack= before 4\
regs=10 stack=0 before 4\ mark_precise: frame0: regs=r4 stack= before 3\
regs=10 stack=0 before 3\ mark_precise: frame0: regs= stack=-8 before 2\
regs=0 stack=1 before 2\ mark_precise: frame0: falling back to forcing all scalars precise\
last_idx 5 first_idx 5\ force_precise: frame0: forcing r0 to be precise\
parent didn't have regs=1 stack=0 marks", mark_precise: frame0: last_idx 5 first_idx 5\
mark_precise: frame0: parent state regs= stack=:",
.result = VERBOSE_ACCEPT, .result = VERBOSE_ACCEPT,
.retval = -1, .retval = -1,
}, },
...@@ -179,16 +179,19 @@ ...@@ -179,16 +179,19 @@
}, },
.prog_type = BPF_PROG_TYPE_XDP, .prog_type = BPF_PROG_TYPE_XDP,
.flags = BPF_F_TEST_STATE_FREQ, .flags = BPF_F_TEST_STATE_FREQ,
.errstr = "last_idx 6 first_idx 6\ .errstr = "mark_precise: frame0: last_idx 6 first_idx 6\
parent didn't have regs=10 stack=0 marks\ mark_precise: frame0: parent state regs=r4 stack=:\
last_idx 5 first_idx 3\ mark_precise: frame0: last_idx 5 first_idx 3\
regs=10 stack=0 before 5\ mark_precise: frame0: regs=r4 stack= before 5\
regs=10 stack=0 before 4\ mark_precise: frame0: regs=r4 stack= before 4\
regs=0 stack=1 before 3\ mark_precise: frame0: regs= stack=-8 before 3\
last_idx 6 first_idx 6\ mark_precise: frame0: falling back to forcing all scalars precise\
parent didn't have regs=1 stack=0 marks\ force_precise: frame0: forcing r0 to be precise\
last_idx 5 first_idx 3\ force_precise: frame0: forcing r0 to be precise\
regs=1 stack=0 before 5", force_precise: frame0: forcing r0 to be precise\
force_precise: frame0: forcing r0 to be precise\
mark_precise: frame0: last_idx 6 first_idx 6\
mark_precise: frame0: parent state regs= stack=:",
.result = VERBOSE_ACCEPT, .result = VERBOSE_ACCEPT,
.retval = -1, .retval = -1,
}, },
......
...@@ -141,6 +141,7 @@ static struct env { ...@@ -141,6 +141,7 @@ static struct env {
bool verbose; bool verbose;
bool debug; bool debug;
bool quiet; bool quiet;
bool force_checkpoints;
enum resfmt out_fmt; enum resfmt out_fmt;
bool show_version; bool show_version;
bool comparison_mode; bool comparison_mode;
...@@ -209,6 +210,8 @@ static const struct argp_option opts[] = { ...@@ -209,6 +210,8 @@ static const struct argp_option opts[] = {
{ "log-level", 'l', "LEVEL", 0, "Verifier log level (default 0 for normal mode, 1 for verbose mode)" }, { "log-level", 'l', "LEVEL", 0, "Verifier log level (default 0 for normal mode, 1 for verbose mode)" },
{ "log-fixed", OPT_LOG_FIXED, NULL, 0, "Disable verifier log rotation" }, { "log-fixed", OPT_LOG_FIXED, NULL, 0, "Disable verifier log rotation" },
{ "log-size", OPT_LOG_SIZE, "BYTES", 0, "Customize verifier log size (default to 16MB)" }, { "log-size", OPT_LOG_SIZE, "BYTES", 0, "Customize verifier log size (default to 16MB)" },
{ "test-states", 't', NULL, 0,
"Force frequent BPF verifier state checkpointing (set BPF_F_TEST_STATE_FREQ program flag)" },
{ "quiet", 'q', NULL, 0, "Quiet mode" }, { "quiet", 'q', NULL, 0, "Quiet mode" },
{ "emit", 'e', "SPEC", 0, "Specify stats to be emitted" }, { "emit", 'e', "SPEC", 0, "Specify stats to be emitted" },
{ "sort", 's', "SPEC", 0, "Specify sort order" }, { "sort", 's', "SPEC", 0, "Specify sort order" },
...@@ -284,6 +287,9 @@ static error_t parse_arg(int key, char *arg, struct argp_state *state) ...@@ -284,6 +287,9 @@ static error_t parse_arg(int key, char *arg, struct argp_state *state)
argp_usage(state); argp_usage(state);
} }
break; break;
case 't':
env.force_checkpoints = true;
break;
case 'C': case 'C':
env.comparison_mode = true; env.comparison_mode = true;
break; break;
...@@ -989,6 +995,9 @@ static int process_prog(const char *filename, struct bpf_object *obj, struct bpf ...@@ -989,6 +995,9 @@ static int process_prog(const char *filename, struct bpf_object *obj, struct bpf
/* increase chances of successful BPF object loading */ /* increase chances of successful BPF object loading */
fixup_obj(obj, prog, base_filename); fixup_obj(obj, prog, base_filename);
if (env.force_checkpoints)
bpf_program__set_flags(prog, bpf_program__flags(prog) | BPF_F_TEST_STATE_FREQ);
err = bpf_object__load(obj); err = bpf_object__load(obj);
env.progs_processed++; env.progs_processed++;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment