<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - BPF code generation emits "|" instead of "+", causing problems for BPF verifier"
href="https://bugs.llvm.org/show_bug.cgi?id=43994">43994</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>BPF code generation emits "|" instead of "+", causing problems for BPF verifier
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>9.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Other
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>-New Bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedclangbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>eugene.loh@oracle.com
</td>
</tr>
<tr>
<th>CC</th>
<td>htmldeveloper@gmail.com, llvm-bugs@lists.llvm.org, neeilans@live.com, richard-llvm@metafoo.co.uk
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=22808" name="attach_22808" title="C code, run script, generated BPF code">attachment 22808</a> <a href="attachment.cgi?id=22808&action=edit" title="C code, run script, generated BPF code">[details]</a></span>
C code, run script, generated BPF code
Here is an issue with clang/LLVM's BPF code generation.
Technically, the generated code is not wrong, but it causes
an unnecessary problem for the BPF verifier.

Consider the C source code BPF.c. The generated BPF code can be
seen in objdump.txt and verifier.txt. Here are the C and BPF code,
redacted for readability and shown side-by-side:

BPF.c                                       objdump.txt/verifier.txt
====================================        =====================
u64 dest = -1;                              *(u64 *)(r10-24) = -1
u64 offset;
u64 garbage = 0x3141592654;                 *(u64 *)(r10- 8) = 0x3141592654

// set offset to some mystery value         r1 = r10-16
bpf_probe_read(&offset,                     r2 = 8
               sizeof (offset), &garbage);  r3 = r10- 8
                                            call bpf_probe_read#4

// clip offset to be offset within dest     r1 = *(u64 *)(r10 - 16)
offset &= sizeof (dest) - 1;                r1 &= 7
                                            *(u64 *)(r10 - 16) = r1

// copy byte to mystery offset in dest      r2 = r10-24
bpf_probe_read(((u64) &dest) + offset,      r1 |= r2      ======> PROBLEM!
               1, &garbage);                r2 = 1
                                            r3 = r10- 8
                                            call bpf_probe_read#4

return 0;                                   r0 = 0
                                            exit
To compute ((u64)&dest)+offset, the generated BPF uses "offset |= &dest".
The replacement of "+" with "|" presumably gives the correct result
in this particular case, but then the BPF verifier complains:
R1 bitwise operator |= on pointer prohibited
That is, the replacement of "+" with "|" causes this correct program to be
rejected unnecessarily by the BPF verifier.
This problem occurred on a system with an upstream kernel with
% uname -r
5.3.0+
with clang/LLVM built from source:
% clang --version
clang version 9.0.0 (trunk 364493)
[...]</pre>
</div>
</p>
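<p>The reason the rewrite is value-preserving in this program, and the reason the verifier still refuses it, can be modelled in a few lines of Python. This is an added example, not code from LLVM, the Linux kernel or the reporter's attachment: the KnownBits class, stack_slot, masked_scalar, no_common_bits_set and the verify_alu stand-in are this example's own simplifications, and the rewrite condition (no bit position at which both operands may be set, so no carry can ever occur) is assumed as a paraphrase of what the compiler proves before it turns an add into an or. The frame is assumed 8-byte aligned, which is what makes r10-24 have three known-zero low bits.</p>

```python
"""Model of why `+` -> `|` is value-preserving for the report's program
and why the BPF verifier still rejects it.

Added example, not code from LLVM or the Linux kernel.  The known-bits
model, the rewrite condition and the tiny verifier below are this
example's own simplifications (assumptions), not the real implementations.
"""

MASK64 = (1 << 64) - 1


class KnownBits:
    """Bits proven zero and bits proven one of a 64-bit value."""

    def __init__(self, zero=0, one=0):
        assert zero & one == 0, "a bit cannot be both known zero and known one"
        self.zero = zero & MASK64
        self.one = one & MASK64

    def admits(self, value):
        """True if the concrete value is consistent with this knowledge."""
        return (value & self.zero) == 0 and (value & self.one) == self.one


def stack_slot(frame_align_bits, disp):
    """Known bits of r10 - disp when r10 is 2**frame_align_bits aligned.
    Only the low bits are known; the rest of the address is unknown."""
    low = (1 << frame_align_bits) - 1
    ones = (-disp) & low                 # low bits of the negative displacement
    return KnownBits(zero=low & ~ones, one=ones)


def masked_scalar(mask):
    """Known bits after `x &= mask`: every bit outside the mask is zero."""
    return KnownBits(zero=MASK64 & ~mask)


def no_common_bits_set(a, b):
    """Assumed paraphrase of the compiler's rewrite condition:
    x + y may become x | y when, at every bit position, at least one
    operand is known to be zero, so the addition can never carry."""
    return (a.zero | b.zero) == MASK64


def or_matches_add(a, b, limit=256):
    """Brute-force cross-check over small concrete values admitted by a and b."""
    xs = [x for x in range(limit) if a.admits(x)]
    ys = [y for y in range(limit) if b.admits(y)]
    return all((x + y) == (x | y) for x in xs for y in ys)


# --- a tiny stand-in for the verifier's ALU check on pointer registers ---
PTR_TO_STACK, SCALAR = "ptr_to_stack", "scalar"


def verify_alu(op, dst_reg, dst_type, src_type):
    """Return 'ok' or the rejection message.  Mirrors the rule behind the
    message quoted in the report: a pointer may only be combined with a
    scalar via + or -; any bitwise operator involving a pointer is refused."""
    if PTR_TO_STACK not in (dst_type, src_type):
        return "ok"                      # pure scalar arithmetic is fine
    if op in ("+", "-"):
        return "ok"                      # pointer +/- scalar is tracked, not rejected
    return f"R{dst_reg} bitwise operator {op}= on pointer prohibited"


if __name__ == "__main__":
    dest = stack_slot(3, 24)             # r10-24 with an 8-byte aligned frame
    off = masked_scalar(7)               # offset &= sizeof(dest) - 1
    print("aligned slot: rewrite allowed =", no_common_bits_set(dest, off),
          "| == + for all values =", or_matches_add(dest, off))
    unaligned = stack_slot(3, 20)        # a slot whose low bits overlap the mask
    print("unaligned slot: rewrite allowed =", no_common_bits_set(unaligned, off),
          "| == + for all values =", or_matches_add(unaligned, off))
    print(verify_alu("|", 1, SCALAR, PTR_TO_STACK))   # what the report hit
    print(verify_alu("+", 1, SCALAR, PTR_TO_STACK))   # what the C source asked for
```

<p>Run as a script, the first line shows that for r10-24 (low three bits known zero) and an offset masked to 7 the rewrite condition holds and the brute-force check agrees, while the second line shows a slot such as r10-20 where bit 2 is set in both operands, the condition fails and the identity breaks. The last two lines reproduce the verifier's complaint for the emitted `|=` and its acceptance of the `+` the source actually wrote, which is the gap the report is about: the compiler's proof is sound for values, but the verifier reasons about register types, not known bits.</p>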
</body>
</html>