Re: [PATCH RFC v2 net-next 10/16] bpf: add eBPF verifier

From: Alexei Starovoitov
Date: Thu Jul 24 2014 - 15:25:14 EST

Next message: Ard Biesheuvel: "Re: [PATCH] arm64/crypto: fix makefile rule for aes-glue-%.o"
Previous message: Cyrill Gorcunov: "Re: [rfc 1/4] mm: Introduce may_adjust_brk helper"
In reply to: Andy Lutomirski: "Re: [PATCH RFC v2 net-next 10/16] bpf: add eBPF verifier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jul 24, 2014 at 11:25 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> On Thu, Jul 17, 2014 at 9:20 PM, Alexei Starovoitov <ast@xxxxxxxxxxxx> wrote:
>> Safety of eBPF programs is statically determined by the verifier, which detects:
>> - loops
>> - out of range jumps
>> - unreachable instructions
>> - invalid instructions
>> - uninitialized register access
>> - uninitialized stack access
>> - misaligned stack access
>> - out of range stack access
>> - invalid calling convention
>
> Is there something that documents exactly what conditions an eBPF
> program must satisfy in order to be considered valid?

I did a writeup in the past on things that verifiers checks and gave it
to internal folks to review. Guys have said that now they understand very
well how it works, but in reality it didn't help at all to write valid programs.
What worked is 'verification trace' = the instruction by instruction dump
of verifier state while it's analyzing the program.
I gave few simple examples of it in
'Understanding eBPF verifier messages' section:
https://git.kernel.org/cgit/linux/kernel/git/ast/bpf.git/diff/Documentation/networking/filter.txt?id=b22459133b9f52d2176c8c0f8b5eb036478a40c9
Every example there is what "program must satisfy to be valid"...

Therefore I'm addressing two things:
1. how verifier works and what it checks for.
that is described in 'eBPF verifier' section of the doc and
in 200 lines of comments inside verifier.c
2. how to write valid programs
that's more important one, since it's a key to happy users.
'verification trace' is the first step. I'm planning to add debug info and
user space tool that points out to line in C instead of assembler trace.
In other words to bring errors to user as early as possible during
compilation process.
This is not a concern when programs are written in assembler,
since the programs will be much shorter and thought through by
the author. However I don't think there will be too many users
willing to understand ebpf assembler.

I suspect you're more concerned about #1 at this point whereas
I'm concerned about #2.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ard Biesheuvel: "Re: [PATCH] arm64/crypto: fix makefile rule for aes-glue-%.o"
Previous message: Cyrill Gorcunov: "Re: [rfc 1/4] mm: Introduce may_adjust_brk helper"
In reply to: Andy Lutomirski: "Re: [PATCH RFC v2 net-next 10/16] bpf: add eBPF verifier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]