[PATCH] D121937: [BPF] handle unsigned icmp ops in BPFAdjustOpt pass
Yonghong Song via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Thu Mar 17 11:25:50 PDT 2022
yonghong-song created this revision.
yonghong-song added a reviewer: ast.
Herald added a subscriber: hiraditya.
Herald added a project: All.
yonghong-song requested review of this revision.
Herald added a project: LLVM.
Herald added a subscriber: llvm-commits.
When investigating an issue with bcc tool inject.py, I found
a verifier failure with latest clang. The portion of code
can be illustrated as below:
struct pid_struct {
u64 curr_call;
u64 conds_met;
u64 stack[2];
};
struct pid_struct *bpf_map_lookup_elem();
int foo() {
struct pid_struct *p = bpf_map_lookup_elem();
if (!p) return 0;
p->curr_call--;
if (p->conds_met < 1 || p->conds_met >= 3)
return 0;
if (p->stack[p->conds_met - 1] == p->curr_call)
p->conds_met--;
...
}
The verifier failure looks like:
...
8: (79) r1 = *(u64 *)(r0 +0)
R0_w=map_value(id=0,off=0,ks=4,vs=32,imm=0) R10=fp0 fp-8=mmmm????
9: (07) r1 += -1
10: (7b) *(u64 *)(r0 +0) = r1
R0_w=map_value(id=0,off=0,ks=4,vs=32,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmm????
11: (79) r2 = *(u64 *)(r0 +8)
R0_w=map_value(id=0,off=0,ks=4,vs=32,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmm????
12: (bf) r3 = r2
13: (07) r3 += -3
14: (b7) r4 = -2
15: (2d) if r4 > r3 goto pc+13
R0=map_value(id=0,off=0,ks=4,vs=32,imm=0) R1=inv(id=0) R2=inv(id=2)
R3=inv(id=0,umin_value=18446744073709551614,var_off=(0xffffffff00000000; 0xffffffff))
R4=inv-2 R10=fp0 fp-8=mmmm????
16: (07) r2 += -1
17: (bf) r3 = r2
18: (67) r3 <<= 3
19: (bf) r4 = r0
20: (0f) r4 += r3
math between map_value pointer and register with unbounded min value is not allowed
Here the compiler optimized `p->conds_met < 1 || p->conds_met >= 3` to
r2 = p->conds_met
r3 = r2
r3 += -3
r4 = -2
if (r3 < r4) return 0
r2 += -1
r3 = r2
...
In the above, r3 is initially equal to r2, but is modified used by the comparison.
But later on r2 is used again. This caused verification failure.
BPF backend has a pass, AdjustOpt, to prevent such transformation, but only
focused on signed integers since typical bpf helper returns signed integers.
To fix this case, let us handle unsigned integers as well.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D121937
Files:
llvm/lib/Target/BPF/BPFAdjustOpt.cpp
llvm/test/CodeGen/BPF/adjust-opt-icmp6.ll
Index: llvm/test/CodeGen/BPF/adjust-opt-icmp6.ll
===================================================================
--- /dev/null
+++ llvm/test/CodeGen/BPF/adjust-opt-icmp6.ll
@@ -0,0 +1,71 @@
+; RUN: opt -O2 -S -mtriple=bpf-pc-linux %s -o %t1
+; RUN: llc %t1 -o - | FileCheck -check-prefixes=CHECK,CHECK-V1 %s
+; RUN: opt -O2 -S -mtriple=bpf-pc-linux %s -o %t1
+; RUN: llc %t1 -mcpu=v3 -o - | FileCheck -check-prefixes=CHECK,CHECK-V3 %s
+;
+; Source:
+; unsigned bar(unsigned);
+; unsigned int test(unsigned *p) {
+; if (*p <= 1 || *p >= 7)
+; return 0;
+; return bar(*p);
+; }
+; Compilation flag:
+; clang -target bpf -O2 -S -emit-llvm -Xclang -disable-llvm-passes test.c
+
+; Function Attrs: nounwind
+define dso_local i32 @test(i32* noundef %p) #0 {
+entry:
+ %retval = alloca i32, align 4
+ %p.addr = alloca i32*, align 8
+ store i32* %p, i32** %p.addr, align 8, !tbaa !3
+ %0 = load i32*, i32** %p.addr, align 8, !tbaa !3
+ %1 = load i32, i32* %0, align 4, !tbaa !7
+ %cmp = icmp ule i32 %1, 1
+ br i1 %cmp, label %if.then, label %lor.lhs.false
+
+lor.lhs.false: ; preds = %entry
+ %2 = load i32*, i32** %p.addr, align 8, !tbaa !3
+ %3 = load i32, i32* %2, align 4, !tbaa !7
+ %cmp1 = icmp uge i32 %3, 7
+ br i1 %cmp1, label %if.then, label %if.end
+
+if.then: ; preds = %lor.lhs.false, %entry
+ store i32 0, i32* %retval, align 4
+ br label %return
+
+if.end: ; preds = %lor.lhs.false
+ %4 = load i32*, i32** %p.addr, align 8, !tbaa !3
+ %5 = load i32, i32* %4, align 4, !tbaa !7
+ %call = call i32 @bar(i32 noundef %5)
+ store i32 %call, i32* %retval, align 4
+ br label %return
+
+return: ; preds = %if.end, %if.then
+ %6 = load i32, i32* %retval, align 4
+ ret i32 %6
+}
+
+; CHECK-LABEL: test
+; CHECK-V1: if r[[#]] > r[[#]] goto
+; CHECK-V1: if r[[#]] > 6 goto
+; CHECK-V3: if w[[#]] < 2 goto
+; CHECK-V3: if w[[#]] > 6 goto
+
+declare dso_local i32 @bar(i32 noundef) #1
+
+attributes #0 = { nounwind "frame-pointer"="all" "min-legal-vector-width"="0" "no-trapping-math"="true" "stack-protector-buffer-size"="8" }
+attributes #1 = { "frame-pointer"="all" "no-trapping-math"="true" "stack-protector-buffer-size"="8" }
+
+!llvm.module.flags = !{!0, !1}
+!llvm.ident = !{!2}
+
+!0 = !{i32 1, !"wchar_size", i32 4}
+!1 = !{i32 7, !"frame-pointer", i32 2}
+!2 = !{!"clang version 15.0.0 (https://github.com/llvm/llvm-project.git 2a25e1af85f3138f70888c4c3f359c6a09e3cfe5)"}
+!3 = !{!4, !4, i64 0}
+!4 = !{!"any pointer", !5, i64 0}
+!5 = !{!"omnipotent char", !6, i64 0}
+!6 = !{!"Simple C/C++ TBAA"}
+!7 = !{!8, !8, i64 0}
+!8 = !{!"int", !5, i64 0}
Index: llvm/lib/Target/BPF/BPFAdjustOpt.cpp
===================================================================
--- llvm/lib/Target/BPF/BPFAdjustOpt.cpp
+++ llvm/lib/Target/BPF/BPFAdjustOpt.cpp
@@ -264,6 +264,12 @@
} else if (Cond1Op == ICmpInst::ICMP_SLT || Cond1Op == ICmpInst::ICMP_SLE) {
if (Cond2Op != ICmpInst::ICMP_SGT && Cond2Op != ICmpInst::ICMP_SGE)
return false;
+ } else if (Cond1Op == ICmpInst::ICMP_ULT || Cond1Op == ICmpInst::ICMP_ULE) {
+ if (Cond2Op != ICmpInst::ICMP_UGT && Cond2Op != ICmpInst::ICMP_UGE)
+ return false;
+ } else if (Cond1Op == ICmpInst::ICMP_UGT || Cond1Op == ICmpInst::ICMP_UGE) {
+ if (Cond2Op != ICmpInst::ICMP_ULT && Cond2Op != ICmpInst::ICMP_ULE)
+ return false;
} else {
return false;
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D121937.416263.patch
Type: text/x-patch
Size: 3546 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20220317/bd3db820/attachment.bin>
More information about the llvm-commits
mailing list