bpf: Relax precision marking in open coded iters and may_goto loop. #7127
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: 531876c |
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
c939103
to
bb7890b
Compare
|
Upstream branch: 96a27ee |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/854891=>bpf-next
branch
from
4fd2760
to
59df82d
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
bb7890b
to
b0f7439
Compare
|
Upstream branch: ce5249b |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/854891=>bpf-next
branch
from
59df82d
to
6d5f677
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
b0f7439
to
f23cdc2
Compare
|
Upstream branch: ec1249d |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/854891=>bpf-next
branch
from
6d5f677
to
4056cb7
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
f23cdc2
to
5580482
Compare
|
Upstream branch: 49784c7 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/854891=>bpf-next
branch
from
4056cb7
to
7934c13
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
5580482
to
8d70356
Compare
|
Upstream branch: 49df001 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/854891=>bpf-next
branch
from
7934c13
to
8356e7b
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
8d70356
to
483d798
Compare
added 2 commits
June 4, 2024 10:19
v1->v2->v3:
- Algorithm changed completely.
v3->v4:
- Fixed widening for Rx < Ry case and added more tests
Motivation for the patch
------------------------
Open coded iterators and may_goto is a great mechanism to implement loops,
but counted loops are problematic. For example:
for (i = 0; i < 100 && can_loop; i++)
is verified as a bounded loop, since i < 100 condition forces the verifier to
mark 'i' as precise and loop states at different iterations are not equivalent.
That removes the benefit of open coded iterators and may_goto.
The workaround is to do:
int zero = 0; /* global or volatile variable */
for (i = zero; i < 100 && can_loop; i++)
to hide from the verifier the value of 'i'.
It's unnatural and so far users didn't learn such odd programming pattern.
This patch aims to improve the verifier to support
for (i = 0; i < 100000 && can_loop; i++)
as open coded iter loop (when 'i' doesn't need to be precise).
Algorithm
---------
First of all:
if (is_may_goto_insn_at(env, insn_idx)) {
+ update_loop_entry(cur, &sl->state);
if (states_equal(env, &sl->state, cur, RANGE_WITHIN)) {
- update_loop_entry(cur, &sl->state);
It changes the definition of the verifier states loop.
Previously, we considered a state loop to be such a sequence of states
Si -> ... -> Sj -> ... -> Sk that states_equal(Si, Sk, RANGE_WITHIN)
is true.
With this change Si -> ... -> Sj -> ... Sk is a loop if call sites and
instruction pointers for Si and Sk match.
Whether or not Si and Sk are in the loop influences two things:
(a) if exact comparison is needed for states cache;
(b) if widening transformation could be applied to some scalars.
All pairs (Si, Sk) marked as a loop using old definition would be
marked as such using new definition (in a addition to some new pairs).
Hence it is safe to apply (a) and (b) in strictly more cases.
Note that update_loop_entry() relies on the following properties:
- every state in the current DFS path (except current)
has branches > 0;
- states not in the DFS path are either:
- in explored_states, are fully explored and have branches == 0;
- in env->stack, are not yet explored and have branches == 0
(and also not reachable from is_state_visited()).
With that the get_loop_entry() can be used to gate is_branch_taken() logic.
When the verifier sees 'r1 > 1000' inside the loop and it can predict it
instead of marking r1 as precise it widens both branches, so r1 becomes
[0, 1000] in fallthrough and [1001, UMAX] in other_branch.
Consider the loop:
bpf_for_each(...) {
if (r1 > 1000)
break;
arr[r1] = ..;
}
At arr[r1] access the r1 is bounded and the loop can quickly converge.
Unfortunately compilers (both GCC and LLVM) often optimize loop exit
condition to equality, so
for (i = 0; i < 100; i++) arr[i] = 1
becomes
for (i = 0; i != 100; i++) arr[1] = 1
Hence treat != and == conditions specially in the verifier.
Widen only not-predicted branch and keep predict branch as is. Example:
r1 = 0
goto L1
L2:
arr[r1] = 1
r1++
L1:
if r1 != 100 goto L2
fallthrough: r1=100 after widening
other_branch: r1 stays as-is (0, 1, 2, ..)
Also recognize the case where both LHS and RHS are constant and equal to each
other. In this case don't widen at all and take the predicted path.
This key heuristic allows the verifier detect loop end condition.
Such 'for (i = 0; i != 100; i++)' is validated just like bounded loop.
With that the users can use 'for (i = 0; ...' pattern everywhere
and many i = zero workarounds can be removed.
One tests has drastic improvement. The rest are noise.
File Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)
-------------------- --------- --------- ---------------- ---------- ---------- ----------------
iters_task_vma.bpf.o 22043 132 -21911 (-99.40%) 1006 10 -996 (-99.01%)
Few extra tests are added to iters_task_vma.bpf.o that demonstrate quick
convergence though they iterate over 100k elements.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
. remove i = zero workaround from various tests . improve arena based tests . add asm test for this_branch_reg->id == other_branch_reg->id condition . add several loop inside open coded iter tests Signed-off-by: Alexei Starovoitov <ast@kernel.org>
|
Upstream branch: 49df001 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/854891=>bpf-next
branch
from
8356e7b
to
928b53e
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=857895 expired. Closing PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: Relax precision marking in open coded iters and may_goto loop.
version: 4
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=857895