This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/
-
lib/Target/BPF/
-
Target/
-
BPF/
-
BPFAdjustOpt.cpp
-
test/CodeGen/BPF/
-
CodeGen/
-
BPF/
-
adjust-opt-icmp6.ll

Differential D121937

[BPF] handle unsigned icmp ops in BPFAdjustOpt pass
ClosedPublic

Authored by yonghong-song on Mar 17 2022, 11:25 AM.

Download Raw Diff

Details

Reviewers

ast

Commits

rG2e94d8e67a91: [BPF] handle unsigned icmp ops in BPFAdjustOpt pass

Summary

When investigating an issue with bcc tool inject.py, I found
a verifier failure with latest clang. The portion of code
can be illustrated as below:

struct pid_struct {
  u64 curr_call;
  u64 conds_met;
  u64 stack[2];
};
struct pid_struct *bpf_map_lookup_elem();
int foo() {
  struct pid_struct *p = bpf_map_lookup_elem();
  if (!p) return 0;
  p->curr_call--;
  if (p->conds_met < 1 || p->conds_met >= 3)
      return 0;
  if (p->stack[p->conds_met - 1] == p->curr_call)
      p->conds_met--;
  ...
}

The verifier failure looks like:

... 
8: (79) r1 = *(u64 *)(r0 +0) 
 R0_w=map_value(id=0,off=0,ks=4,vs=32,imm=0) R10=fp0 fp-8=mmmm????
9: (07) r1 += -1
10: (7b) *(u64 *)(r0 +0) = r1
 R0_w=map_value(id=0,off=0,ks=4,vs=32,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmm????
11: (79) r2 = *(u64 *)(r0 +8) 
 R0_w=map_value(id=0,off=0,ks=4,vs=32,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmm????
12: (bf) r3 = r2
13: (07) r3 += -3
14: (b7) r4 = -2
15: (2d) if r4 > r3 goto pc+13
 R0=map_value(id=0,off=0,ks=4,vs=32,imm=0) R1=inv(id=0) R2=inv(id=2)
 R3=inv(id=0,umin_value=18446744073709551614,var_off=(0xffffffff00000000; 0xffffffff))
 R4=inv-2 R10=fp0 fp-8=mmmm????
16: (07) r2 += -1
17: (bf) r3 = r2
18: (67) r3 <<= 3
19: (bf) r4 = r0
20: (0f) r4 += r3
math between map_value pointer and register with unbounded min value is not allowed

Here the compiler optimized p->conds_met < 1 || p->conds_met >= 3 to

r2 = p->conds_met
r3 = r2
r3 += -3
r4 = -2
if (r3 < r4) return 0
r2 += -1
r3 = r2
...

In the above, r3 is initially equal to r2, but is modified used by the comparison.
But later on r2 is used again. This caused verification failure.

BPF backend has a pass, AdjustOpt, to prevent such transformation, but only
focused on signed integers since typical bpf helper returns signed integers.
To fix this case, let us handle unsigned integers as well.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

yonghong-song created this revision.Mar 17 2022, 11:25 AM

Herald added a project: Restricted Project. · View Herald TranscriptMar 17 2022, 11:25 AM

Herald added a subscriber: hiraditya. · View Herald Transcript

yonghong-song requested review of this revision.Mar 17 2022, 11:25 AM

Herald added a project: Restricted Project. · View Herald TranscriptMar 17 2022, 11:25 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

Harbormaster completed remote builds in B154883: Diff 416263.Mar 17 2022, 12:17 PM

makes sense. without scalar evolution in the verfiier we cannot really propagate the range of r3 back into r2 and adjust it through reverse transformation of 13: (07) r3 += -3.
The llvm path is better.
Thanks!

This revision is now accepted and ready to land.Mar 17 2022, 3:50 PM

This revision was landed with ongoing or failed builds.Mar 17 2022, 4:36 PM

Closed by commit rG2e94d8e67a91: [BPF] handle unsigned icmp ops in BPFAdjustOpt pass (authored by yonghong-song). · Explain Why

This revision was automatically updated to reflect the committed changes.

yonghong-song added a commit: rG2e94d8e67a91: [BPF] handle unsigned icmp ops in BPFAdjustOpt pass.

Revision Contents

Path

Size

llvm/

lib/

Target/

BPF/

BPFAdjustOpt.cpp

6 lines

test/

CodeGen/

BPF/

adjust-opt-icmp6.ll

71 lines

Diff 416357

llvm/lib/Target/BPF/BPFAdjustOpt.cpp

Show First 20 Lines • Show All 258 Lines • ▼ Show 20 Lines	if (B1Op0 != B2Op0)
return false;		return false;

if (Cond1Op == ICmpInst::ICMP_SGT \|\| Cond1Op == ICmpInst::ICMP_SGE) {		if (Cond1Op == ICmpInst::ICMP_SGT \|\| Cond1Op == ICmpInst::ICMP_SGE) {
if (Cond2Op != ICmpInst::ICMP_SLT && Cond2Op != ICmpInst::ICMP_SLE)		if (Cond2Op != ICmpInst::ICMP_SLT && Cond2Op != ICmpInst::ICMP_SLE)
return false;		return false;
} else if (Cond1Op == ICmpInst::ICMP_SLT \|\| Cond1Op == ICmpInst::ICMP_SLE) {		} else if (Cond1Op == ICmpInst::ICMP_SLT \|\| Cond1Op == ICmpInst::ICMP_SLE) {
if (Cond2Op != ICmpInst::ICMP_SGT && Cond2Op != ICmpInst::ICMP_SGE)		if (Cond2Op != ICmpInst::ICMP_SGT && Cond2Op != ICmpInst::ICMP_SGE)
return false;		return false;
		} else if (Cond1Op == ICmpInst::ICMP_ULT \|\| Cond1Op == ICmpInst::ICMP_ULE) {
		if (Cond2Op != ICmpInst::ICMP_UGT && Cond2Op != ICmpInst::ICMP_UGE)
		return false;
		} else if (Cond1Op == ICmpInst::ICMP_UGT \|\| Cond1Op == ICmpInst::ICMP_UGE) {
		if (Cond2Op != ICmpInst::ICMP_ULT && Cond2Op != ICmpInst::ICMP_ULE)
		return false;
} else {		} else {
return false;		return false;
}		}

PassThroughInfo Info(Cond, BI, 0);		PassThroughInfo Info(Cond, BI, 0);
PassThroughs.push_back(Info);		PassThroughs.push_back(Info);

return true;		return true;
▲ Show 20 Lines • Show All 113 Lines • Show Last 20 Lines

llvm/test/CodeGen/BPF/adjust-opt-icmp6.ll

This file was added.

				; RUN: opt -O2 -S -mtriple=bpf-pc-linux %s -o %t1
				; RUN: llc %t1 -o - \| FileCheck -check-prefixes=CHECK,CHECK-V1 %s
				; RUN: opt -O2 -S -mtriple=bpf-pc-linux %s -o %t1
				; RUN: llc %t1 -mcpu=v3 -o - \| FileCheck -check-prefixes=CHECK,CHECK-V3 %s
				;
				; Source:
				; unsigned bar(unsigned);
				; unsigned int test(unsigned *p) {
				; if (p <= 1 \|\| p >= 7)
				; return 0;
				; return bar(*p);
				; }
				; Compilation flag:
				; clang -target bpf -O2 -S -emit-llvm -Xclang -disable-llvm-passes test.c

				; Function Attrs: nounwind
				define dso_local i32 @test(i32* noundef %p) #0 {
				entry:
				%retval = alloca i32, align 4
				%p.addr = alloca i32*, align 8
				store i32* %p, i32** %p.addr, align 8, !tbaa !3
				%0 = load i32, i32* %p.addr, align 8, !tbaa !3
				%1 = load i32, i32* %0, align 4, !tbaa !7
				%cmp = icmp ule i32 %1, 1
				br i1 %cmp, label %if.then, label %lor.lhs.false

				lor.lhs.false: ; preds = %entry
				%2 = load i32, i32* %p.addr, align 8, !tbaa !3
				%3 = load i32, i32* %2, align 4, !tbaa !7
				%cmp1 = icmp uge i32 %3, 7
				br i1 %cmp1, label %if.then, label %if.end

				if.then: ; preds = %lor.lhs.false, %entry
				store i32 0, i32* %retval, align 4
				br label %return

				if.end: ; preds = %lor.lhs.false
				%4 = load i32, i32* %p.addr, align 8, !tbaa !3
				%5 = load i32, i32* %4, align 4, !tbaa !7
				%call = call i32 @bar(i32 noundef %5)
				store i32 %call, i32* %retval, align 4
				br label %return

				return: ; preds = %if.end, %if.then
				%6 = load i32, i32* %retval, align 4
				ret i32 %6
				}

				; CHECK-LABEL: test
				; CHECK-V1: if r[[#]] > r[[#]] goto
				; CHECK-V1: if r[[#]] > 6 goto
				; CHECK-V3: if w[[#]] < 2 goto
				; CHECK-V3: if w[[#]] > 6 goto

				declare dso_local i32 @bar(i32 noundef) #1

				attributes #0 = { nounwind "frame-pointer"="all" "min-legal-vector-width"="0" "no-trapping-math"="true" "stack-protector-buffer-size"="8" }
				attributes #1 = { "frame-pointer"="all" "no-trapping-math"="true" "stack-protector-buffer-size"="8" }

				!llvm.module.flags = !{!0, !1}
				!llvm.ident = !{!2}

				!0 = !{i32 1, !"wchar_size", i32 4}
				!1 = !{i32 7, !"frame-pointer", i32 2}
				!2 = !{!"clang version 15.0.0 (https://github.com/llvm/llvm-project.git 2a25e1af85f3138f70888c4c3f359c6a09e3cfe5)"}
				!3 = !{!4, !4, i64 0}
				!4 = !{!"any pointer", !5, i64 0}
				!5 = !{!"omnipotent char", !6, i64 0}
				!6 = !{!"Simple C/C++ TBAA"}
				!7 = !{!8, !8, i64 0}
				!8 = !{!"int", !5, i64 0}