This RFC adds a compile-time check to bpf_tail_call_static() to warn
when a constant slot(index) is >= map->max_entries. This uses a small
BPF_MAP_ENTRIES() macro together with Clang's diagnose_if attribute.
Clang front-end keeps the map type with a '(*max_entries)[N]' field,
so the expression
sizeof(*(m)->max_entries) / sizeof(**(m)->max_entries)
is resolved to N entirely at compile time. This allows diagnose_if()
to emit a warning when a constant slot index is out of range.
Example:
struct { /* BPF_MAP_TYPE_PROG_ARRAY = 3 */
__uint(type, 3); // int (*type)[3];
__uint(max_entries, 100); // int (*max_entries)[100];
__type(key, __u32); // typeof(__u32) *key;
__type(value, __u32); // typeof(__u32) *value;
} progs SEC(".maps");
bpf_tail_call_static(ctx, &progs, 111);
produces:
bound.bpf.c:26:9: warning: bpf_tail_call: slot >= max_entries [-Wuser-defined-warnings]
26 | bpf_tail_call_static(ctx, &progs, 111);
| ^
/usr/local/include/bpf/bpf_helpers.h:190:54: note: expanded from macro 'bpf_tail_call_static'
190 | __bpf_tail_call_warn(__slot >= BPF_MAP_ENTRIES(map)); \
| ^
/usr/local/include/bpf/bpf_helpers.h:183:20: note: from 'diagnose_if' attribute on '__bpf_tail_call_warn':
183 | __attribute__((diagnose_if(oob, "bpf_tail_call: slot >= max_entries", "warning")));
| ^ ~~~
Out-of-bounds tail call checkup is no-ops at runtime. Emitting a
compile-time warning can help developers detect mistakes earlier. The
check is currently limited to Clang (due to diagnose_if) and constant
indices, but should catch common errors.
---
Changes in V2:
- add function definition for __bpf_tail_call_warn for compile error
Hoyeon Lee (1):
libbpf: add compile-time OOB warning to bpf_tail_call_static
tools/lib/bpf/bpf_helpers.h | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
--
2.51.0
