verifier_regalloc.c source code [linux/tools/testing/selftests/bpf/progs/verifier_regalloc.c]

1	// SPDX-License-Identifier: GPL-2.0
2	/ Converted from tools/testing/selftests/bpf/verifier/regalloc.c /
3
4	#include <linux/bpf.h>
5	#include <bpf/bpf_helpers.h>
6	#include "bpf_misc.h"
7
8	#define MAX_ENTRIES 11
9
10	struct test_val {
11	unsigned int index;
12	int foo[MAX_ENTRIES];
13	};
14
15	struct {
16	__uint(type, BPF_MAP_TYPE_HASH);
17	__uint(max_entries, `1`);
18	__type(key, long long);
19	__type(value, struct test_val);
20	} map_hash_48b SEC(".maps");
21
22	SEC("tracepoint")
23	__description("regalloc basic")
24	__success __flag(BPF_F_ANY_ALIGNMENT)
25	__naked void regalloc_basic(void)
26	{
27	asm volatile (" \
28	r6 = r1; \
29	r1 = 0; \
30	(u64)(r10 - 8) = r1; \
31	r2 = r10; \
32	r2 += -8; \
33	r1 = %[map_hash_48b] ll; \
34	call %[bpf_map_lookup_elem]; \
35	if r0 == 0 goto l0_%=; \
36	r7 = r0; \
37	call %[bpf_get_prandom_u32]; \
38	r2 = r0; \
39	if r0 s> 20 goto l0_%=; \
40	if r2 s< 0 goto l0_%=; \
41	r7 += r0; \
42	r7 += r2; \
43	r0 = (u64)(r7 + 0); \
44	l0_%=: exit; \
45	" :
46	: __imm(bpf_get_prandom_u32),
47	__imm(bpf_map_lookup_elem),
48	__imm_addr(map_hash_48b)
49	: __clobber_all);
50	}
51
52	SEC("tracepoint")
53	__description("regalloc negative")
54	__failure __msg("invalid access to map value, value_size=48 off=48 size=1")
55	__naked void regalloc_negative(void)
56	{
57	asm volatile (" \
58	r6 = r1; \
59	r1 = 0; \
60	(u64)(r10 - 8) = r1; \
61	r2 = r10; \
62	r2 += -8; \
63	r1 = %[map_hash_48b] ll; \
64	call %[bpf_map_lookup_elem]; \
65	if r0 == 0 goto l0_%=; \
66	r7 = r0; \
67	call %[bpf_get_prandom_u32]; \
68	r2 = r0; \
69	if r0 s> 24 goto l0_%=; \
70	if r2 s< 0 goto l0_%=; \
71	r7 += r0; \
72	r7 += r2; \
73	r0 = (u8)(r7 + 0); \
74	l0_%=: exit; \
75	" :
76	: __imm(bpf_get_prandom_u32),
77	__imm(bpf_map_lookup_elem),
78	__imm_addr(map_hash_48b)
79	: __clobber_all);
80	}
81
82	SEC("tracepoint")
83	__description("regalloc src_reg mark")
84	__success __flag(BPF_F_ANY_ALIGNMENT)
85	__naked void regalloc_src_reg_mark(void)
86	{
87	asm volatile (" \
88	r6 = r1; \
89	r1 = 0; \
90	(u64)(r10 - 8) = r1; \
91	r2 = r10; \
92	r2 += -8; \
93	r1 = %[map_hash_48b] ll; \
94	call %[bpf_map_lookup_elem]; \
95	if r0 == 0 goto l0_%=; \
96	r7 = r0; \
97	call %[bpf_get_prandom_u32]; \
98	r2 = r0; \
99	if r0 s> 20 goto l0_%=; \
100	r3 = 0; \
101	if r3 s>= r2 goto l0_%=; \
102	r7 += r0; \
103	r7 += r2; \
104	r0 = (u64)(r7 + 0); \
105	l0_%=: exit; \
106	" :
107	: __imm(bpf_get_prandom_u32),
108	__imm(bpf_map_lookup_elem),
109	__imm_addr(map_hash_48b)
110	: __clobber_all);
111	}
112
113	SEC("tracepoint")
114	__description("regalloc src_reg negative")
115	__failure __msg("invalid access to map value, value_size=48 off=44 size=8")
116	__flag(BPF_F_ANY_ALIGNMENT)
117	__naked void regalloc_src_reg_negative(void)
118	{
119	asm volatile (" \
120	r6 = r1; \
121	r1 = 0; \
122	(u64)(r10 - 8) = r1; \
123	r2 = r10; \
124	r2 += -8; \
125	r1 = %[map_hash_48b] ll; \
126	call %[bpf_map_lookup_elem]; \
127	if r0 == 0 goto l0_%=; \
128	r7 = r0; \
129	call %[bpf_get_prandom_u32]; \
130	r2 = r0; \
131	if r0 s> 22 goto l0_%=; \
132	r3 = 0; \
133	if r3 s>= r2 goto l0_%=; \
134	r7 += r0; \
135	r7 += r2; \
136	r0 = (u64)(r7 + 0); \
137	l0_%=: exit; \
138	" :
139	: __imm(bpf_get_prandom_u32),
140	__imm(bpf_map_lookup_elem),
141	__imm_addr(map_hash_48b)
142	: __clobber_all);
143	}
144
145	SEC("tracepoint")
146	__description("regalloc and spill")
147	__success __flag(BPF_F_ANY_ALIGNMENT)
148	__naked void regalloc_and_spill(void)
149	{
150	asm volatile (" \
151	r6 = r1; \
152	r1 = 0; \
153	(u64)(r10 - 8) = r1; \
154	r2 = r10; \
155	r2 += -8; \
156	r1 = %[map_hash_48b] ll; \
157	call %[bpf_map_lookup_elem]; \
158	if r0 == 0 goto l0_%=; \
159	r7 = r0; \
160	call %[bpf_get_prandom_u32]; \
161	r2 = r0; \
162	if r0 s> 20 goto l0_%=; \
163	/* r0 has upper bound that should propagate into r2 */\
164	(u64)(r10 - 8) = r2; /* spill r2 */ \
165	r0 = 0; \
166	r2 = 0; /* clear r0 and r2 */\
167	r3 = (u64)(r10 - 8); /* fill r3 */ \
168	if r0 s>= r3 goto l0_%=; \
169	/* r3 has lower and upper bounds */ \
170	r7 += r3; \
171	r0 = (u64)(r7 + 0); \
172	l0_%=: exit; \
173	" :
174	: __imm(bpf_get_prandom_u32),
175	__imm(bpf_map_lookup_elem),
176	__imm_addr(map_hash_48b)
177	: __clobber_all);
178	}
179
180	SEC("tracepoint")
181	__description("regalloc and spill negative")
182	__failure __msg("invalid access to map value, value_size=48 off=48 size=8")
183	__flag(BPF_F_ANY_ALIGNMENT)
184	__naked void regalloc_and_spill_negative(void)
185	{
186	asm volatile (" \
187	r6 = r1; \
188	r1 = 0; \
189	(u64)(r10 - 8) = r1; \
190	r2 = r10; \
191	r2 += -8; \
192	r1 = %[map_hash_48b] ll; \
193	call %[bpf_map_lookup_elem]; \
194	if r0 == 0 goto l0_%=; \
195	r7 = r0; \
196	call %[bpf_get_prandom_u32]; \
197	r2 = r0; \
198	if r0 s> 48 goto l0_%=; \
199	/* r0 has upper bound that should propagate into r2 */\
200	(u64)(r10 - 8) = r2; /* spill r2 */ \
201	r0 = 0; \
202	r2 = 0; /* clear r0 and r2 */\
203	r3 = (u64)(r10 - 8); /* fill r3 */\
204	if r0 s>= r3 goto l0_%=; \
205	/* r3 has lower and upper bounds */ \
206	r7 += r3; \
207	r0 = (u64)(r7 + 0); \
208	l0_%=: exit; \
209	" :
210	: __imm(bpf_get_prandom_u32),
211	__imm(bpf_map_lookup_elem),
212	__imm_addr(map_hash_48b)
213	: __clobber_all);
214	}
215
216	SEC("tracepoint")
217	__description("regalloc three regs")
218	__success __flag(BPF_F_ANY_ALIGNMENT)
219	__naked void regalloc_three_regs(void)
220	{
221	asm volatile (" \
222	r6 = r1; \
223	r1 = 0; \
224	(u64)(r10 - 8) = r1; \
225	r2 = r10; \
226	r2 += -8; \
227	r1 = %[map_hash_48b] ll; \
228	call %[bpf_map_lookup_elem]; \
229	if r0 == 0 goto l0_%=; \
230	r7 = r0; \
231	call %[bpf_get_prandom_u32]; \
232	r2 = r0; \
233	r4 = r2; \
234	if r0 s> 12 goto l0_%=; \
235	if r2 s< 0 goto l0_%=; \
236	r7 += r0; \
237	r7 += r2; \
238	r7 += r4; \
239	r0 = (u64)(r7 + 0); \
240	l0_%=: exit; \
241	" :
242	: __imm(bpf_get_prandom_u32),
243	__imm(bpf_map_lookup_elem),
244	__imm_addr(map_hash_48b)
245	: __clobber_all);
246	}
247
248	SEC("tracepoint")
249	__description("regalloc after call")
250	__success __flag(BPF_F_ANY_ALIGNMENT)
251	__naked void regalloc_after_call(void)
252	{
253	asm volatile (" \
254	r6 = r1; \
255	r1 = 0; \
256	(u64)(r10 - 8) = r1; \
257	r2 = r10; \
258	r2 += -8; \
259	r1 = %[map_hash_48b] ll; \
260	call %[bpf_map_lookup_elem]; \
261	if r0 == 0 goto l0_%=; \
262	r7 = r0; \
263	call %[bpf_get_prandom_u32]; \
264	r8 = r0; \
265	r9 = r0; \
266	call regalloc_after_call__1; \
267	if r8 s> 20 goto l0_%=; \
268	if r9 s< 0 goto l0_%=; \
269	r7 += r8; \
270	r7 += r9; \
271	r0 = (u64)(r7 + 0); \
272	l0_%=: exit; \
273	" :
274	: __imm(bpf_get_prandom_u32),
275	__imm(bpf_map_lookup_elem),
276	__imm_addr(map_hash_48b)
277	: __clobber_all);
278	}
279
280	static __naked __noinline __attribute__((used))
281	void regalloc_after_call__1(void)
282	{
283	asm volatile (" \
284	r0 = 0; \
285	exit; \
286	" ::: __clobber_all);
287	}
288
289	SEC("tracepoint")
290	__description("regalloc in callee")
291	__success __flag(BPF_F_ANY_ALIGNMENT)
292	__naked void regalloc_in_callee(void)
293	{
294	asm volatile (" \
295	r6 = r1; \
296	r1 = 0; \
297	(u64)(r10 - 8) = r1; \
298	r2 = r10; \
299	r2 += -8; \
300	r1 = %[map_hash_48b] ll; \
301	call %[bpf_map_lookup_elem]; \
302	if r0 == 0 goto l0_%=; \
303	r7 = r0; \
304	call %[bpf_get_prandom_u32]; \
305	r1 = r0; \
306	r2 = r0; \
307	r3 = r7; \
308	call regalloc_in_callee__1; \
309	l0_%=: exit; \
310	" :
311	: __imm(bpf_get_prandom_u32),
312	__imm(bpf_map_lookup_elem),
313	__imm_addr(map_hash_48b)
314	: __clobber_all);
315	}
316
317	static __naked __noinline __attribute__((used))
318	void regalloc_in_callee__1(void)
319	{
320	asm volatile (" \
321	if r1 s> 20 goto l0_%=; \
322	if r2 s< 0 goto l0_%=; \
323	r3 += r1; \
324	r3 += r2; \
325	r0 = (u64)(r3 + 0); \
326	exit; \
327	l0_%=: r0 = 0; \
328	exit; \
329	" ::: __clobber_all);
330	}
331
332	SEC("tracepoint")
333	__description("regalloc, spill, JEQ")
334	__success
335	__naked void regalloc_spill_jeq(void)
336	{
337	asm volatile (" \
338	r6 = r1; \
339	r1 = 0; \
340	(u64)(r10 - 8) = r1; \
341	r2 = r10; \
342	r2 += -8; \
343	r1 = %[map_hash_48b] ll; \
344	call %[bpf_map_lookup_elem]; \
345	(u64)(r10 - 8) = r0; /* spill r0 */ \
346	if r0 == 0 goto l0_%=; \
347	l0_%=: /* The verifier will walk the rest twice with r0 == 0 and r0 == map_value */\
348	call %[bpf_get_prandom_u32]; \
349	r2 = r0; \
350	if r2 == 20 goto l1_%=; \
351	l1_%=: /* The verifier will walk the rest two more times with r0 == 20 and r0 == unknown */\
352	r3 = (u64)(r10 - 8); /* fill r3 with map_value */\
353	if r3 == 0 goto l2_%=; /* skip ldx if map_value == NULL */\
354	/* Buggy verifier will think that r3 == 20 here */\
355	r0 = (u64)(r3 + 0); /* read from map_value */\
356	l2_%=: exit; \
357	" :
358	: __imm(bpf_get_prandom_u32),
359	__imm(bpf_map_lookup_elem),
360	__imm_addr(map_hash_48b)
361	: __clobber_all);
362	}
363
364	char _license[] SEC("license") = "GPL";
365

source code of linux/tools/testing/selftests/bpf/progs/verifier_regalloc.c