Re: [PATCH bpf-next v2 3/4] selftests/bpf: Test cross-sign 64bits range refinement

Eduard Zingerman <eddyz87@xxxxxxxxx> · Thu, 24 Jul 2025 16:52:35 -0700

On Fri, 2025-07-25 at 00:01 +0200, Paul Chaignon wrote:
> On Thu, Jul 24, 2025 at 12:15:53PM -0700, Eduard Zingerman wrote:
> > On Thu, 2025-07-24 at 15:43 +0200, Paul Chaignon wrote:
> 
> [...]
> 
> > > +SEC("socket")
> > > +__description("bounds deduction cross sign boundary, negative overlap")
> > > +__success __log_level(2) __flag(BPF_F_TEST_REG_INVARIANTS)
> > > +__msg("7: (1f) r0 -= r6 {{.*}} R0=scalar(smin=-655,smax=smax32=-146,umin=0xfffffffffffffd71,umax=0xffffffffffffff6e,smin32=-783,umin32=0xfffffcf1,umax32=0xffffff6e,var_off=(0xfffffffffffffc00; 0x3ff))")
> > 
> > Interesting, note the difference: smin=-655, smin32=-783.
> > There is a code to infer s32 range from s46 range in this situation in
> > __reg32_deduce_bounds(), but it looks like a third __reg_deduce_bounds
> > call is needed to trigger it. E.g. the following patch removes the
> > difference for me:
> 
> Hm, I can add the third __reg_deduce_bounds to the first patch in the
> series. That said, we may want to rethink and optimize reg_bounds_sync
> in a followup patchset. It's probably worth listing all the inferences
> we have and their dependencies and see if we can reorganize the
> subfunctions.

Let's not add third __reg_deduce_bounds yet. After inserting some
prints and looking more closely at the log, something funny happens at
instruction #2:

  2: (bc) w6 = (s8)w0
  reg_bounds_sync entry: scalar(smin=0,smax=umax=0xffffffff,smin32=-128,smax32=127,var_off=(0x0; 0xffffffff))
  reg_bounds_sync __update_reg_bounds #1: scalar(smin=0,smax=umax=0xffffffff,smin32=-128,smax32=127,var_off=(0x0; 0xffffffff))
  reg_bounds_sync __reg_deduce_bounds #1: scalar(smin=0,smax=umax=0xffffffff,smin32=-128,smax32=127,var_off=(0x0; 0xffffffff))
  reg_bounds_sync __reg_deduce_bounds #2: scalar(smin=0,smax=umax=0xffffffff,smin32=-128,smax32=127,var_off=(0x0; 0xffffffff))
  reg_bounds_sync __reg_bound_offset: scalar(smin=0,smax=umax=0xffffffff,smin32=-128,smax32=127,var_off=(0x0; 0xffffffff))
  reg_bounds_sync __update_reg_bounds #2: scalar(smin=0,smax=umax=0xffffffff,smin32=-128,smax32=127,var_off=(0x0; 0xffffffff))
  3: R0_w=scalar() R6_w=scalar(smin=0,smax=umax=0xffffffff,smin32=-128,smax32=127,var_off=(0x0; 0xffffffff))

It would be good to figure out what happens here.
That being said, the issue is not related to the patch in question.
I suggest rephrasing the test to avoid the sign extension above.

[...]