1. Patchew
  2. linux
  3. View series

[PATCH] selftests/bpf: add a 32-bit bounds deduction case

Sun Jian posted 1 patch 2 weeks, 5 days ago 
.../selftests/bpf/progs/verifier_bounds.c     | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
[PATCH] selftests/bpf: add a 32-bit bounds deduction case
Posted by Sun Jian 2 weeks, 5 days ago 
verifier_bounds.c already has 64-bit cross-sign-boundary bounds
deduction coverage.

Recent 32-bit signed/unsigned intersection tests extended the refinement
coverage, but a corresponding negative case is still missing.

Add a 32-bit selftest for that case and assert that the program is
rejected, confirming that verifier remains conservative there.

Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
---
 .../selftests/bpf/progs/verifier_bounds.c     | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
index e526315c718a..242c3d6d23b1 100644
--- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
+++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
@@ -2037,4 +2037,24 @@ __naked void signed_unsigned_intersection32_case2(void *ctx)
 	: __clobber_all);
 }
 
+SEC("socket")
+__description("32-bit bounds deduction cross sign boundary, two overlaps")
+__failure
+__flag(BPF_F_TEST_REG_INVARIANTS)
+__msg("frame pointer is read only")
+__naked void bounds_deduct_two_overlaps_32(void)
+{
+	asm volatile("				\
+	call %[bpf_get_prandom_u32];		\
+	r0 = (s8)r0;				\
+	w1 = 0xffffff80;			\
+	if w0 > w1 goto l0_%=;			\
+	if w0 < 128 goto l0_%=;			\
+	r10 = 0;				\
+l0_%=:	exit;					\
+"	:
+	: __imm(bpf_get_prandom_u32)
+	: __clobber_all);
+}
+
 char _license[] SEC("license") = "GPL";

base-commit: a989fde763f4f24209e4702f50a45be572340e68
-- 
2.43.0
Re: [PATCH] selftests/bpf: add a 32-bit bounds deduction case
Posted by Puranjay Mohan 2 weeks, 5 days ago 
Sun Jian <sun.jian.kdev@gmail.com> writes:

> verifier_bounds.c already has 64-bit cross-sign-boundary bounds
> deduction coverage.
>
> Recent 32-bit signed/unsigned intersection tests extended the refinement
> coverage, but a corresponding negative case is still missing.
>
> Add a 32-bit selftest for that case and assert that the program is
> rejected, confirming that verifier remains conservative there.

The "recent 32-bit signed/unsigned intersection tests" are Eduard's
signed_unsigned_intersection32_case1/case2 (commit f81fdfd16771), which
cover the two refinement branches added to deduce_bounds_32_from_32() in
commit fbc7aef517d8.

Your test claims to be a "negative case" for the two-overlap scenario
where the verifier can't refine bounds. But tracing through the code,
that's not what happens. After the two w0 conditionals you have
u32=[0x80, 0xffffff80] and s32=[-128, 127]. In
deduce_bounds_32_from_32():

- (u32)s32_min_value <= (u32)s32_max_value (0xffffff80 <= 0x7f) is false,
so we enter the else branch

- u32_max < (u32)s32_min (0xffffff80 < 0xffffff80) is false, skip

- (u32)s32_max < u32_min (0x7f < 0x80) is true - the single-overlap else
if fires, successfully narrowing the register to the constant 0xffffff80

So this isn't a "two overlaps / no refinement" case at all. The verifier
resolves the value completely. This is the same else if branch that
signed_unsigned_intersection32_case1 already exercises (with u32=[3,
U32_MAX], s32=[S32_MIN, 1], where (u32)1 < 3 fires the same path).

No new coverage is added.
Re: [PATCH] selftests/bpf: add a 32-bit bounds deduction case
Posted by sun jian 2 weeks, 4 days ago 
On Wed, Mar 18, 2026 at 8:36 PM Puranjay Mohan <puranjay@kernel.org> wrote:
>
>
> No new coverage is added.
Agreed.
I'll drop this patch and revisit it later if I come up with a real
two-overlap case.

Thanks for your review.

Regards,
Sun Jian

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.