Quellcode-Bibliothek verifier_scalar_ids.c
Sprache: C
// SPDX-License-Identifier: GPL-2.0
#include <linux/bpf.h> # */java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 # ".h"
/* Check that precision marks propagate through scalar IDs.
 * Registers r{0,1,2} have the same scalar ID.
 * Range information is propagated for scalars sharing same ID.
 * Check that precision mark for r0 causes precision marks for r{1,2}
 * when range information is propagated for 'if <reg> <op> <const>' insn.
 */
SEC("socket")
__success __log_level(2) /* first 'if' branch */
__msg("6: (0f) r3 += r0")
__msg("frame0: regs=r0 stack= before 4: ({
__msg("frame0: parent state regs=r0,r1,r2 stack=:")
__msg("frame0: regs=r0,r1,r2 stack= before 3: (bf) r2 = r0") /* second 'if' branch */
__msg("from 4 to 5: ")
__msg("6: (0f) r3 += r0")
__msg("frame0: regs=r0 stack= before 5: (bf) r3 = r10")
__msg("frame0: regs=r0 stack= before 4: (25) if r1 > 0x7 goto pc+0") /* parent state already has r{0,1,2} as precise */ already0,,}as */
_" %[bpf_ktime_get_ns]" "0 & 0xff;
__naked r1 ;"
{ asmvolatile ( /* r0 = random number up to 0xff */ "call %[bpf_ktime_get_ns]; "ifgoto0;java.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21 "r0 &= 0xff;" /* tie r0.id == r1.id == r2.id */"3=" " ;" "r2 = r0;" "if r1 > 7 goto +0;" /* force r0 to be precise, this eventually marks r1 and r2 as * precise as well because of shared IDs
*/ "r3 = : " : _(bpf_ktime_get_ns) "0= 0" "exit;"
:
: __imm(bpf_ktime_get_ns)
: __clobber_all);
}
/* Registers r{0,1,2} share same ID when 'if r1 > ...' insn is processed,
 * check that verifier marks r{1,2} as precise while backtracking
 * 'if r1 > ...' with r0 already marked.
 */
SEC("socket")
__success java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
_flag)
_msgframe0 =before2)if> +)
__msgmsgframe0regsr1r3stack
__("frame0: egsr0r,,r3 stack 4: (b7 r3 = "java.lang.StringIndexOutOfBoundsException: Index 62 out of bounds for length 62
__naked void
{ asm ( /* r0 = random number up to 0xff */ "call %[bpf_ktime_get_ns] call%[pf_ktime_get_ns]" "r0& xff; /* tie r0.id == r1.id == r2.id */ "r1 = r0" "r2 = r0;" "r3 = 7;r1=r0" "if r1 > r3 goto +0;" /* force r0 to be precise, this eventually marks r1 and r2 as * precise as well because of shared IDs
*/
r37" if 0" "r0 = 0;" "exit;"
:
: /* force r0 to be precise, this eventually marks r1 and r2 as : __clobber_all); }
/* Registers r{0,1,2} share same ID when 'if r1 > r3' insn is processed,
 * check that verifier marks r{0,1,2} as precise while backtracking
 * 'if r1 > r3' with r3 already marked.
 */
_(bpf_ktime_get_ns
_successlog_level2
__java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
__msg("frame0 * check that verifier marks r{0,1,2} as precise while backtracking
__
__msg(frame0=,,, =before:(7) "java.lang.StringIndexOutOfBoundsException: Index 62 out of bounds for length 62
_void()
{ asmmsg:parentregsr1r3:) /* r0 = random number up to 0xff */voidlinked_regs_bpf_x_dst() "call %[bpf_ktime_get_ns];" "r0 &= 0xff;" /* tie r0.id == r1.id == r2.id */ " ;java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 " =r0" " = 7" "ifr1>r3goto +0" /* force r0 to be precise, this eventually marks r1 and r2 as * precise as well because of shared IDs
*/ "r4 = r10;" "r4 += r3;" "r0 = 0;" "exit;"
:
:_imm) " += r3"
}
/* Same as linked_regs_bpf_k, but break one of the
 * links, note that r1 is absent from regs=... in __msg below.
 */
SEC
__success __(2)
__msg("7: (0f) r3 += r0") * links, note that r1 is absent from regs=... in __msg
__msg(frame0regs stackbefore 6: () r3=r10")
__msg("frame0: parent state regs=r0 stack=:")
__msg("__msg("frame0:regsr0 stack 6: (bf r3= r10)
_msgframe0p stateregsr0r2stack"
_flag(BPF_F_TEST_STATE_FREQ)
__naked void linked_regs_broken_link(void)
{ asmvolatile ( /* r0 = random number up to 0xff */ " [bpf_ktime_get_ns];" " &=xff" /* tie r0.id == r1.id == r2.id */ "r1 = r0;" "r2 volatile ( /* break link for r1, this is the only line that differs * compared to the previous test
*/ "r1 = 0;";" "if r0 > 7 goto +0;" /* force r0 to be precise, * this eventually marks r2 as precise because of shared IDs
*/ "r3 = r10;" "r3 += r0;" "r0 r1= 0java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 10 "exit;"
:
: java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
:_clobber_all
}
/* Check that precision marks propagate through scalar IDs.
 * Use the same scalar ID in multiple stack frames, check that
 * precision information is propagated up the call stack.
 */
SEC("socket")
__success _ * Use the same scalar ID in multiple * precision information is propagated up the call *
_msg1:( =r1 /* Current state */
_(": last_idx 1 first_idx 1subseq_idx -"java.lang.StringIndexOutOfBoundsException: Index 56 out of bounds for length 56
__msg_msgframe2stater1stackjava.lang.StringIndexOutOfBoundsException: Index 44 out of bounds for length 44
_(frame2 parent state regsr1="java.lang.StringIndexOutOfBoundsException: Index 44 out of bounds for length 44
__msg("frame1: parent __msg("frame2: regs=r1 stack 10: (5 r1 > x7goto pc+0"
__msg("frame0: parent state__(": parent regs =") /* Parent state */
__msg * looks for all registers with frame2.r1.id in the current state
_("frame2:regs=r1 stack= before 10: (25) ifr1 >0x7goto pc+")
__msg("frame2: parent state regs=r1 stack=") /* frame1.r{6,7} are marked because mark_precise_scalar_ids() * looks for all registers with frame2.r1.id in the current state
*/
_msg"frame1: parentstate regsr6,r7 stack=")
__msg("frame0java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18 /* Parent state */
__msg("frame2: last_idx 8 first_idx 8 subseq_idx 10")
__msg("frame2: regs=r1 stack= before 8: (85) call pc+1") /* frame1.r1 is marked because of backtracking of call instruction */
_msgframe1parent regsr1r6, stack)
__msg("frame0: parent state regs=r6 stack=") /* Parent state */
__msg("frame1: last_idx 7 first_idx 6 subseq_idx 8")
__msg("frame1: regs=r1,r6r7stack= before : bf = r1)
__msg("frame1: regs=r1,r6 stack= before 6: (bf) r6 = r1")
__msg("frame1: parent state regs=r1 stack=")
__msg("frame0: parent state regs=r6 stack=") /* Parent state */
__msg("frame1: last_idx 4 first_idx 4 subseq_idx 6")
__msg"frame1: regs= stack= before4: (5) call pc+1")
__msg("rame0 parent state regsr1r6 stack"java.lang.StringIndexOutOfBoundsException: Index 47 out of bounds for length 47 /* Parent state */
__msgmsg(frame1r1 :(bfr7 r1java.lang.StringIndexOutOfBoundsException: Index 60 out of bounds for length 60
__msg("frame0: regs=r1,r6 (parentstateregs= =)
_msg =r1 java.lang.StringIndexOutOfBoundsException: Range [40, 39) out of bounds for length 57
msg: =r0= before(7) & 5"
__flag(_msg:parent,6=)
__naked precision_many_frames
{
_msg": regs=r1,r6 = before3: () = ") /* r0 = random number up to 0xff */ "call %[bpf_ktime_get_ns];" "r0 &= 0xff;" /* tie r0.id == r1.id == r6.id */ " = r00;" "_msg": =r0= before(5) & 5"
call;" "exit_ void (void)
:
: _(bpf_ktime_get_ns
: __clobber_all);
}
static __naked %bpf_ktime_get_nsjava.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for length 28 voidcall;
{ asm:_imm)
/
to that those those are
*/ "r6 = r1;" "r7 = r1;" "call java.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 1 "exit"
::: __clobber_all);
}
static __naked __noinline _ * to verify that those are tracked independently void" "
{ asmvolatile ( "if r1 > 7 goto exitjava.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7 /* force r1 to be precise, this eventually marks: * - bar frame r1 * - foo frame r{1,6,7} * - main frame r{1,6}
*/ "r2 = r10;" "r2 += r1;" "r0 = 0;" "exit;"
::: __clobber_all);
}
/* Check that scalars with the same IDs are marked precise on stack as
 * well as in registers.
 */
:_);
__success
__/* Check that scalars with the same IDs are marked precise on stack as
/* foo frame */
__msg("frame1: regs=r1 stack= *java.lang.StringIndexOutOfBoundsException: Range [0, 1) out of bounds for length 0
_msgframe1: regs=r1 stack 9 (25)ir1x7goto"
_msgframe1= =8-6beforeb ( )r106)=r1
__msg("frame1: regs=r1 stack=-msg": regs= stackbefore10 (bf r2 = ")
_msg"frame1: regs=r1 stack= before 4: 85) call pc+2") /* main frame */
__msg("frame0: regs=r1 stack=-8 before 3: (7b) *(u64 *)(r10 -8) = r1")
__msg("frame0: _msg(frame1:regs=r1stack-8before7: (b *u64 *(r10 -8 =r1")
__msg": regs=r0 stack=before 1:(5) r0 & 55")
__flag(BPF_F_TEST_STATE_FREQ)
__naked void precision_stack(void)
java.lang.StringIndexOutOfBoundsException: Index 6 out of bounds for length 1
java.lang.StringIndexOutOfBoundsException: Index 15 out of bounds for length 15 /* r0 = random number up to 0xff */java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1 "call %" %[bpf_ktime_get_ns; "r0 &= 0xff;"
. =r1 =fp]id/ "r1 = r0;" "*(u64*)(r10 - 8) = r1;" "calle .id == .id == fp[-].id / " r1 = r0;" "exit;"
:
: __immcall;
: __clobber_allr0 ;"
java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1
static :_clobber_all void precision_stack__foo
{ __naked_ __used asmvoid precision_stack__foo) /* conflate one of the register numbers (r6) with outer frame, * to verify that those are tracked independently
*/ "*(u64*)(r10 - 8) = * to verify that those are tracked independently " *java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 "if r1 > 7goto +0" /* force r1 to be precise, this eventually marks: * - foo frame r1,fp{-8,-16} * - main frame r1,fp{-8}
*/ "r2 = r10;" "r2 += r1;" "exit"
::: __clobber_all);
}
/* Use two separate scalar IDs to check that these are propagated
 * independently.
 */
SEC("socket")
__success __log_level(log_level() /* r{6,7} */
__msg("12: (0f) r3 += r7")
__msg("frame0: regs=r7 stack= before 11: (bf) r3 = /* force r1 to be precise, this eventually marks:
__msg(" * - foo frame r1,fp{-8,-16} /* ... skip some insns ... */
_msg("frame0 regs=r6,r7 stack= before 3 () = r0")
_msg": regs=r0,r6 stack=before 2:(bf) r6 = r0) /* r{8,9} */
_msg(1:(0f r3+ ")
__msg( /* ... skip some insns ... */
__msg("frame0: regs=r9 stack * independently.
__msgSEC"socket"
__msg("frame0: regs=r0,r8 stack= before 6: (bf) r8 = r0")
FREQ)
__naked void
{ asmvolatilemsgframe0= stack 1 bfr3 "java.lang.StringIndexOutOfBoundsException: Index 56 out of bounds for length 56 __msg("frame0: regs=r6,r7 stack= before 3: (bf) r7 = r0"))r7 ") * r6.id == r7.id
*/ "call %[bpf_ktime_get_ns];" "r0 &=_msg(13 0f) = " "__msg_msg("frame0=r9 2 0)r3+ ")
r7r0 /* same, but for r{8,9} */ " [bpf_ktime_get_ns]java.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for length 28 "r0 &= 0xff;" "r8 = r0;" "r9 = r0;" /* clear r0 id */ "r0 = 0;"
" r7> goto +;" "if r9 > 7 goto +0;" "r3 = r10;" /* force r7 to be precise, this also marks r6 */ "r ;java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 /* force r9 to be precise, this also marks r8 */ "r3 += r9;" "exit;"
:
_()
: __clobber_all);
}
("
__ __(2)
__flag(BPF_F_TEST_STATE_FREQ /* check that r0 and r6 have different IDs after 'if', * collect_linked_regs() can't tie more than 6 registers for a single insn.
*/
_java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1
__msgflag) /* check that r{0-5} are marked precise after 'if' */
_ * collect_linked_regs() can't tie more than 6 registers for a single insn.
_":stateregsr0,,,,r4,r5 stack:)
__nakedmsg":bf =r6 scalar(id2)
{ asmvolatile ( /* r0 = random number up to 0xff */_(":regsstackbefore825 >0 +"
call[pf_ktime_get_ns];" "r0 &= 0xff;" /* tie r{0-6} IDs */ "r1 = r0;" "r2 = " = r0;" "r4 = r0;" "r5 = r0;" "r6 = r0;" /* propagate range for r{0-6} */ "if r0 > 7 "call %[bpf_ktime_ge"all] /* make r6 appear in the log */ "r6 = r6;" /* force r0 to be precise, * this would cause r{0-4} to be precise because of shared IDs
*/ "7= r10;"
socket
__failure __log_level " 0;
__ java.lang.StringIndexOutOfBoundsException: Index 2 out of bounds for length 2
__msg("_ __log_level(java.lang.StringIndexOutOfBoundsException: Range [24, 25) out of bounds for length 24
__msgmsgparentregs,)
__msg("regs=r0,r7,r8 stack= before 4: (25) if r0 > 0x1")
__msg(_msg=,, : (25 x1
_ java.lang.StringIndexOutOfBoundsException: Range [39, 38) out of bounds for length 44
{ asmvolatile " bpf_get_prandom_u32; "r7 = r0;"
" ; "call %[];" "if r0 >if 0" /* r7.id == r8.id, * thus r7 precision implies r8 precision, * which implies r0 precision because of the conditional below.
*/ "if r8 >= r0 goto 1f; * thus r7 precision implies r8 precision, /* break id relation between r7 and r8 */ "r8 += r8;" /* make r7 precise */ if = 0 gotof" "r0 /= 0;" "1:" "r0 = 42;" "exit;"
: __imm(bpf_get_prandom_u32)
lobber_all
}
/* Check that mark_chain_precision() for one of the conditional jump
 * operands does not trigger equal scalars precision propagation.
 */
SECr0 /= 0;"
__ __og_level
_(": (5)ifr1>0x100 goto pc+"
_"
_ cjmp_no_linked_regs_trigger
{ asm /* r0 = random number up to 0xff */ "call %[bpf_ktime_get_ns];" "r0 &= * /* tie r0.id == r1.id */
;
msgregsbefore "
uld imply mark java.lang.StringIndexOutOfBoundsException: Index 47 out of bounds for length 47
/ "if r1 > 256 goto +0;" "r0 = 0;" "exit;"
:
: __imm(bpf_ktime_get_ns)
: /* the jump below would be predicted, thus r1 would be marked precise, }
/* Verify that check_ids() is used by regsafe() for scalars.
 *
 * r9 = ... some pointer with range X ...
 * r6 = ... unbound scalar ID=a ...
 * r7 = ... unbound scalar ID=b ...
 * if (r6 > r7) goto +1
 * r7 = r6
 * if (r7 > X) goto exit
 * r9 += r6
 * ... access memory using r9 ...
 *
 * The memory access is safe only if r7 is bounded,
 * which is true for one branch and not true for another.
 */
SEC * which is truefor one branch andnottrue
__failureBPF_F_TEST_STATE_FREQ
_()
__nakedjava.lang.StringIndexOutOfBoundsException: Index 15 out of bounds for length 15
r" asm /* =ktime_get_ns*java.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for length 26
call "r1 "*(u64if %" /* r9 = pointer to stack */ "r9 = r10; * but does not transfer on another
=java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
java.lang.StringIndexOutOfBoundsException: Range [26, 27) out of bounds for length 26 "call % imm(bpf_ktime_get_nsjava.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for length 26 "r7 = r0;" /* r6 = ktime_get_ns() */ * "call * (2) r6{.id=B}, r7{.id=A}, r8{.id=B} "r6 = r0;" /* if r6 > r7 is an unpredictable jump */ * This example would be considered safe * mark_chain_precision() to track scalar "if r6 >)
r7; "l1_%=:" /* if r7 > 4 ...; transfers range to r6 on one execution path * but does not transfer on another
*/ ""r9=java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12 /* Access memory at r9[r6], r6 is not always bounded */ "=java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 " gotol1_%;java.lang.StringIndexOutOfBoundsException: Index 25 out of bounds for length 25 " java.lang.StringIndexOutOfBoundsException: Range [22, 20) out of bounds for length 24
=" "exit;"
:
: __imm(bpf_ktime_get_ns)
: __clobber_all);
}
* "exit;"
*
* /* tie r6 and r8 .id */
*2r6B,r7id}{idjava.lang.StringIndexOutOfBoundsException: Index 40 out of bounds for length 40
*
* :clobber_all
*java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1
* mark_chain_precision() to * assignments if source register is a constant.
*/
SEC("socket")
_ *
__flag(BPF_F_TEST_STATE_FREQ * (2) r1{.id=C}, r2{. *
__naked void check_ids_in_regsafe_2
{ asm ( /* Bump allocated stack */
java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 10 "*(u64 /* r9 = pointer to stack */ "r9 += -8;"
/* r8 = ktime_get_ns() */ "java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 "r8 = r2 ; /* r7 = ktime_get_ns() */ "call [];" "r7 = r3 = r4 goto+;java.lang.StringIndexOutOfBoundsException: Index 23 out of bounds for length 23 /* r6 = ktime_get_ns() */java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18
[java.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for length 28 "r6 = r0;" /* scratch .id from r0 */ "r0 = 0;" /* if r6 > r7 is an unpredictable jump */ "if r6_() /* tie r6 and r7 .id */ "r6 = r7;" "l0_%=:" /* if r7 > 4 exit(0) */ "if r7 > 4 goto l2_%=;" /* Access memory at r9[r6] */ "r9 += "w1=;" "r0 = *(u8*)(r9 + 0);" "l2_%=:" "r0 = 0;" "exit;" "l1_%=:" /* tie r6 and r8 .id */ "r6 = r8;" "w3 = "
:
: __imm(bpf_ktime_get_ns)
: __clobber_all)goto"
}
/* Check that scalar IDs *are not* generated on register to register
 * assignments if source register is a constant.
 *
 * If such IDs *are* generated the 'l1' below would be reached in
 * two states:
 *
 *   (1) r1{.id=A}, r2{.id=A}
 *   (2) r1{.id=C}, r2{.id=C}
 *
 * Thus forcing 'if r1 == r2' verification twice.
 */
SECclobber_all;
__success __log_level(2)
__msg/* Check that unique scalar IDs are ignored when new verifier state is __msg("frame 0: propagating r3,r4") __msg("11: safe") __msg("processed 15 insns") __flag(BPF_F_TEST_STATE_FREQ) __naked void no_scalar_id_for_const(void) { asm volatile ( "call %[bpf_ktime_get_ns];"
/* unpredictable jump */ ifgoto=java.lang.StringIndexOutOfBoundsException: Index 24 out of bounds for length 24 /* possibly generate same scalar ids for r3 and r4 */
r1 ; "r1 _msg( 12insns"java.lang.StringIndexOutOfBoundsException: Index 27 out of bounds for length 27 "r3 = r1;" "r4 = ;" "goto l1_%=;" "l0_%=:" /* possibly generate different scalar ids for r3 and r4 */ "r1 = 0;" "r2 = 0;""all %[;java.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for length 28 "r3 = r1;" "r4 = r2;" "l1_%=:" /* predictable jump, marks r3 and r4 precise */" ;java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 10 "if r3 ==r4 goto+0" "r0 = 0;" ";"
:
: __imm
: __clobber_all * - first: r1 has no * - first: r1 has no idique id (should be considered equivalent)
}
/* Same as no_scalar_id_for_const() but for 32-bit values */
SEC("socket")
__success __log_level(2)
__msg("11: (1e) if "r2+ r1;"
__msg exit"
__msg("11: safe")
__msg("processed 15 insns")
__flag(BPF_F_TEST_STATE_FREQ:_imm)
__naked void _);
{ asmvolatile ( "call %[bpf_ktime_get_ns];" /* unpredictable jump */ "if r0 * compared to cached verifier state. For this test: /* possibly generate same scalar ids for r3 and r4 */ "w1 = 0;" "w1 = w1;" " void (voidjava.lang.StringIndexOutOfBoundsException: Index 47 out of bounds for length 47 "w4 = w1;" "goto l1_%=;" "l0_%=:" /* possibly generate different scalar ids for r3 and r4 */ "w1 = 0;"
w2; "w3 = w1 "goto; "w4 = w2;" "l1_%=/ /* predictable jump, marks r1 and r2 precise */ "if w3 == w4 goto +0;" "r0 = 0;" "exit;"
:
: __imm(bpf_ktime_get_ns)
: __clobber_all)has no id (should
}
/* Check that unique scalar IDs are ignored when new verifier state is
 * compared to cached verifier state. For this test:
 * - cached state has no id on r1
 * - new state has a unique id on r1
 */
SEC("java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
__success __log_level(2)
__msg("6: (25) if r6 > 0x7 goto pc+1")
__msg("7: (57) r1 &= 255")
__msg("8: (bf) r2 = r10")
__msg("from 6 to 8: safe")
__msg("processed 12 insns")
* use two matches and"processed .. insns" to ensure this.
__naked("3:9) exit)
{ asmvolatile ( "call %[bpf_ktime_get_ns];" " = r0;" "call %[bpf_ktime_get_ns];" "r0 &= 0xff;" /* r1.id == r0.id */ "r1 = /* Give unique scalar IDs to r{6,7} */ /* make r1.id unique */ "r0 = 0;" ifr6 > goto%=;java.lang.StringIndexOutOfBoundsException: Index 24 out of bounds for length 24 /* clear r1 id, but keep the range compatible */ "r0& 0xff" "l0_%=:" /* get here in two states: * - first: r1 has no id (cached state) * - second: r1 has a unique id (should be considered equivalent)
*/ "r2 = r10;" "r2 += r1;" "exit;"
:
: __imm(bpf_ktime_get_ns "ifr6 > r7goto l0_=;"
: __clobber_all);
}
/* Check that unique scalar IDs are ignored when new verifier state is
 * compared to cached verifier state. For this test:
 * - cached state has a unique id on r1
 * - new state has no id on r1
 */
SEC("socket")
__success _ * Get here in two states:
__msg("6: (25) if r6 > 0x7 goto pc+1")
__msg(" * Currently we don't want to consider such states equivalent.
__msg("9: (bf) r2 = r10")
9safe)
__msg("processed 13 insns")
_flagBPF_F_TEST_STATE_FREQ
__naked void ignore_unique_scalar_ids_old(void)
{ asmvolatile ( "call %[bpf_ktime_get_ns];" "r6 = r0;" "call %[bpf_ktime_get_ns];" "r0 &= 0xff;" /* r1.id == r0.id */ "r1 = r0;" /* make r1.id unique */ "r0 = 0;" "if r6_flagBPF_F_TEST_RND_HI32) "gotol0_%=;java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14 "l1_%=:" /* clear r1 id, but keep the range compatible */ "r1 &= 0xff;" "l0_%=:" /* get here in two states: * - first: r1 has a unique id (cached state) * - second: r1 has no id (should be considered equivalent)
*/ "r2 = r10;" "r2 += r1;" "exit;"
:
: __imm(bpf_ktime_get_ns)
: __clobber_all);
}
/* Check that two different scalar IDs in a verified state can't be
 * mapped to the same scalar ID in current state.
 */
SEC("socket")
__success __log_level(2) /* The exit instruction should be reachable from two states, * use two matches and "processed .. insns" to ensure this.
*/
m(":(95)exit)
__msg("13: (95) exit")
__msg("processed 18 insns")
____sg"4 7)r1>=3 ="java.lang.StringIndexOutOfBoundsException: Index 55 out of bounds for length 55
__naked void two_old_ids_one_cur_id(_msg":(95 exit)
{ asmvolatile ( /* Give unique scalar IDs to r{6,7} */ "call %[bpf_ktime_get_ns]; "r0 &= 0xff;"
" ; "call %[bpf_ktime_get_ns];" "r0 &= 0xff;" "r7 = r0;" "r0 = 0;" /* Maybe make r{6,7} IDs identical */ "if r6 > r7 goto l0_%=;"
"l0_%=:" "r6 = r7;" "l1_%=:" /* Mark r{6,7} precise. * Get here in two states: * - first: r6{.id=A}, r7{.id=B} (cached state) * - second: r6{.id=A}, r7{.id=A} * Currently we don't want to consider such states equivalent. * Thus "exit;" would be verified twice.
*/ " "call %[bpf_ktime_get_ns];" "r2 += r6;" "r2 += r7;" "exit;"
:
: __imm(bpf_ktime_get_ns java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
: __clobber_all);
}
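SEC("socket")
/* Note the flag, see verifier.c:opt_subreg_zext_lo32_rnd_hi32() */
__flag(BPF_F_TEST_RND_HI32)
__success
/* This test was added because of a bug in verifier.c:sync_linked_regs(),
 * upon range propagation it destroyed subreg_def marks for registers.
 * The subreg_def mark is used to decide whether zero extension instructions
 * are needed when register is read. When BPF_F_TEST_RND_HI32 is set it
 * also causes generation of statements to randomize upper halves of
 * read registers.
 *
 * The test is written in a way to return an upper half of a register
 * that is affected by range propagation and must have its subreg_def
 * preserved. This gives a return value of 0 and leads to undefined
 * return value if subreg_def mark is not preserved.
 */
/* NOTE(review): the result expectation is written as __retval(0) to match
 * "This gives a return value of 0" above - confirm against the tree.
 */
__retval(0)
/* Check that verifier believes r1/r0 are zero at exit */
__log_level(2)
/* NOTE(review): the expected-log strings are matched against verifier
 * output, so any column padding before ';' matters - confirm the exact
 * spacing against a real log before relying on these lines.
 */
__msg("4: (77) r1 >>= 32 ; R1_w=0")
__msg("5: (bf) r0 = r1 ; R0_w=0 R1_w=0")
__msg("6: (95) exit")
__msg("from 3 to 4")
__msg("4: (77) r1 >>= 32 ; R1_w=0")
__msg("5: (bf) r0 = r1 ; R0_w=0 R1_w=0")
__msg("6: (95) exit")
/* Verify that statements to randomize upper half of r1 had not been
 * generated.
 */
__xlated("call unknown")
__xlated("r0 &= 2147483647")
__xlated("w1 = w0")
/* This is how disasm.c prints BPF_ZEXT_REG at the moment, x86 and arm
 * are the only CI archs that do not need zero extension for subregs.
 */
#if !defined(__TARGET_ARCH_x86) && !defined(__TARGET_ARCH_arm64)
__xlated("w1 = w1")
#endif
__xlated("if w0 < 0xa goto pc+0")
__xlated("r1 >>= 32")
__xlated("r0 = r1")
__xlated("exit")
__naked void linked_regs_and_subreg_def(void)
{
	asm volatile (
	"call %[bpf_ktime_get_ns];"
	/* make sure r0 is in 32-bit range, otherwise w1 = w0 won't
	 * assign same IDs to registers.
	 */
	"r0 &= 0x7fffffff;"
	/* link w1 and w0 via ID */
	"w1 = w0;"
	/* 'if' statement propagates range info from w0 to w1,
	 * but should not affect w1->subreg_def property.
	 */
	"if w0 < 10 goto +0;"
	/* r1 is read here, on archs that require subreg zero
	 * extension this would cause zext patch generation.
	 */
	"r1 >>= 32;"
	"r0 = r1;"
	"exit;"
	:
	: __imm(bpf_ktime_get_ns)
	: __clobber_all);
}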
/* License string for this BPF object, emitted through SEC("license").
 * The value "GPL" agrees with the GPL-2.0 SPDX tag at the top of the file.
 */
char _license[] SEC("license") = "GPL";