Add a test to verify that conditional jumps using the BPF_JGT opcode on
the same register (e.g., "if r0 > r0") do not trigger verifier BUG
warnings when the register contains a scalar value with range information.
Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
---
.../selftests/bpf/progs/verifier_bounds.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
index 0a72e0228ea9..1536235c3e87 100644
--- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
+++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
@@ -1709,4 +1709,22 @@ __naked void jeq_disagreeing_tnums(void *ctx)
: __clobber_all);
}
+SEC("socket")
+__description("JGT on same register")
+__success __log_level(2)
+__retval(0)
+__naked void jgt_same_register(void *ctx)
+{
+ asm volatile(" \
+ call %[bpf_get_prandom_u32]; \
+ w8 = 0x80000000; \
+ r0 &= r8; \
+ if r0 > r0 goto +1; \
+ r0 = 0; \
+ exit; \
+" :
+ : __imm(bpf_get_prandom_u32)
+ : __clobber_all);
+}
+
char _license[] SEC("license") = "GPL";
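Review bot: `jgt_same_register` asks for `__log_level(2)` but carries no `__msg` expectation, so the verbose log is produced and never checked; the test passes on `__success` and `__retval(0)` alone. Whether a verifier BUG warning actually fails the load depends on loader flags that this hunk does not show, so the check the commit message describes is only implicit. Pinning the register state at the self-comparison with a line such as `__msg("<verifier log line for insn 3 with the expected r0 range>")` would make a regression visible in the test itself. A one-line comment above the asm, e.g. `/* r0 is 0 or 0x80000000: a non-constant scalar compared with itself */`, would also record why the mask is needed.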
--
2.43.0
On Sat, 2025-10-25 at 13:30 +0800, KaFai Wan wrote:
> Add a test to verify that conditional jumps using the BPF_JGT opcode on
> the same register (e.g., "if r0 > r0") do not trigger verifier BUG
> warnings when the register contains a scalar value with range information.
>
> Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
> ---
Could you please add test cases for JSET and for one of the *E
variants?
> .../selftests/bpf/progs/verifier_bounds.c | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> index 0a72e0228ea9..1536235c3e87 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> @@ -1709,4 +1709,22 @@ __naked void jeq_disagreeing_tnums(void *ctx)
> : __clobber_all);
> }
>
> +SEC("socket")
> +__description("JGT on same register")
> +__success __log_level(2)
> +__retval(0)
> +__naked void jgt_same_register(void *ctx)
> +{
> + asm volatile(" \
> + call %[bpf_get_prandom_u32]; \
> + w8 = 0x80000000; \
> + r0 &= r8; \
> + if r0 > r0 goto +1; \
> + r0 = 0; \
> + exit; \
> +" :
> + : __imm(bpf_get_prandom_u32)
> + : __clobber_all);
> +}
> +
> char _license[] SEC("license") = "GPL";
On Mon, 2025-10-27 at 12:40 -0700, Eduard Zingerman wrote:
> On Sat, 2025-10-25 at 13:30 +0800, KaFai Wan wrote:
> > Add a test to verify that conditional jumps using the BPF_JGT opcode on
> > the same register (e.g., "if r0 > r0") do not trigger verifier BUG
> > warnings when the register contains a scalar value with range information.
> >
> > Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
> > ---
>
> Could you please add test cases for JSET and for one of the *E
> variants?
ok, i will add the tests in v3.
>
> > .../selftests/bpf/progs/verifier_bounds.c | 18 ++++++++++++++++++
> > 1 file changed, 18 insertions(+)
> >
> > diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c
> > b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> > index 0a72e0228ea9..1536235c3e87 100644
> > --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
> > +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> > @@ -1709,4 +1709,22 @@ __naked void jeq_disagreeing_tnums(void *ctx)
> > : __clobber_all);
> > }
> >
> > +SEC("socket")
> > +__description("JGT on same register")
> > +__success __log_level(2)
> > +__retval(0)
> > +__naked void jgt_same_register(void *ctx)
> > +{
> > + asm volatile(" \
> > + call %[bpf_get_prandom_u32]; \
> > + w8 = 0x80000000; \
> > + r0 &= r8; \
> > + if r0 > r0 goto +1; \
> > + r0 = 0; \
> > + exit; \
> > +" :
> > + : __imm(bpf_get_prandom_u32)
> > + : __clobber_all);
> > +}
> > +
> > char _license[] SEC("license") = "GPL";
--
Thanks,
KaFai