Skip to content

Commit

Permalink
Update ebpf verifier (#4121)
Browse files Browse the repository at this point in the history 
* Update to latest ebpf-verifier

Signed-off-by: Alan Jowett <[email protected]>

* API contract changes

Signed-off-by: Alan Jowett <[email protected]>

* Fix test failure

Signed-off-by: Alan Jowett <[email protected]>

---------

Signed-off-by: Alan Jowett <[email protected]>
  • Loading branch information
@Alan-Jowett
Alan-Jowett authored Jan 10, 2025
1 parent 2cae00c commit 1cc9131
Show file tree
Hide file tree
Showing 5 changed files with 17 additions and 14 deletions.
2 changes: 1 addition & 1 deletion external/ebpf-verifier
Submodule ebpf-verifier updated 38 files
+1 −1 ebpf-samples
+1 −1 external/bpf_conformance
+1 −1 external/libbtf
+150 −78 src/asm_cfg.cpp
+3 −4 src/asm_files.cpp
+73 −100 src/asm_ostream.cpp
+1 −1 src/asm_parse.cpp
+2 −8 src/asm_syntax.hpp
+3 −2 src/asm_unmarshal.cpp
+4 −12 src/assertions.cpp
+6 −1 src/config.hpp
+0 −5 src/crab/array_domain.cpp
+0 −2 src/crab/array_domain.hpp
+67 −324 src/crab/cfg.hpp
+1 −0 src/crab/ebpf_checker.cpp
+14 −15 src/crab/fwd_analyzer.cpp
+2 −2 src/crab/fwd_analyzer.hpp
+36 −23 src/crab/split_dbm.cpp
+3 −6 src/crab/split_dbm.hpp
+7 −9 src/crab/thresholds.cpp
+1 −1 src/crab/thresholds.hpp
+2 −0 src/crab/type_domain.hpp
+1 −2 src/crab/var_factory.cpp
+7 −5 src/crab/wto.cpp
+5 −0 src/crab/wto.hpp
+96 −145 src/crab_utils/graph_ops.hpp
+7 −7 src/crab_utils/heap.hpp
+12 −15 src/crab_verifier.cpp
+11 −11 src/crab_verifier.hpp
+1 −1 src/ebpf_verifier.hpp
+12 −12 src/main/check.cpp
+3 −2 src/main/linux_verifier.cpp
+73 −0 src/program.hpp
+1 −1 src/string_constraints.hpp
+9 −9 src/test/ebpf_yaml.cpp
+12 −9 src/test/test_marshal.cpp
+33 −29 src/test/test_verify.cpp
+25 −61 src/test/test_wto.cpp
14 changes: 8 additions & 6 deletions libs/api/Verifier.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -506,15 +506,17 @@ ebpf_api_elf_enumerate_programs(
memset(info, 0, sizeof(*info));

if (verbose) {
std::variant<InstructionSeq, std::string> programOrError = unmarshal(raw_program);
if (std::holds_alternative<std::string>(programOrError)) {
std::cout << "parse failure: " << std::get<std::string>(programOrError) << "\n";
std::variant<InstructionSeq, std::string> instruction_sequence_or_error = unmarshal(raw_program);
if (std::holds_alternative<std::string>(instruction_sequence_or_error)) {
std::cout << "parse failure: " << std::get<std::string>(instruction_sequence_or_error) << "\n";
ebpf_free(info);
return 1;
}
auto& program = std::get<InstructionSeq>(programOrError);
cfg_t controlFlowGraph = prepare_cfg(program, raw_program.info, verifier_options.cfg_opts);
std::map<std::string, int> stats = collect_stats(controlFlowGraph);
auto& instruction_sequence = std::get<InstructionSeq>(instruction_sequence_or_error);
// auto program = crab::prepare_cfg(program, raw_program.info, verifier_options.cfg_opts);
auto program =
Program::from_sequence(instruction_sequence, raw_program.info, verifier_options.cfg_opts);
std::map<std::string, int> stats = collect_stats(program);
for (auto it = stats.rbegin(); it != stats.rend(); ++it) {
_ebpf_add_stat(info, it->first, it->second);
}
Expand Down
12 changes: 6 additions & 6 deletions libs/api_common/api_common.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,7 @@ ebpf_clear_thread_local_storage() noexcept
bool
ebpf_verify_program(
std::ostream& os,
_In_ const InstructionSeq& prog,
_In_ const InstructionSeq& instruction_sequence,
_In_ const program_info& info,
_In_ const ebpf_verifier_options_t& options,
_Out_ ebpf_api_verifier_stats_t* stats)
Expand All @@ -176,21 +176,21 @@ ebpf_verify_program(

// Convert the instruction sequence to a control-flow graph.
try {
const cfg_t cfg = prepare_cfg(prog, info, options.cfg_opts);
auto invariants = analyze(cfg);
const auto program = Program::from_sequence(instruction_sequence, info, options.cfg_opts);
auto invariants = analyze(program);
if (options.verbosity_opts.print_invariants) {
print_invariants(os, cfg, options.verbosity_opts.simplify, invariants);
print_invariants(os, program, options.verbosity_opts.simplify, invariants);
}
bool pass;
if (options.verbosity_opts.print_failures) {
auto report = invariants.check_assertions(cfg);
auto report = invariants.check_assertions(program);
thread_local_options.verbosity_opts.print_line_info = true;
print_warnings(os, report);
pass = report.verified();
stats->total_warnings = (int)report.warning_set().size();
stats->total_unreachable = (int)report.reachability_set().size();
} else {
pass = invariants.verified(cfg);
pass = invariants.verified(program);
}
stats->max_loop_count = invariants.max_loop_count();
return pass;
Expand Down
1 change: 1 addition & 0 deletions libs/api_common/api_common.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
// result to a 8 byte value.
#undef min // don't interfere with C++ min/max definitions required inside platform.hpp.
#undef max
#include "asm_syntax.hpp"
#include "platform.hpp"
#define max(a, b) (((a) > (b)) ? (a) : (b))
#define min(a, b) (((a) < (b)) ? (a) : (b))
Expand Down
2 changes: 1 addition & 1 deletion tests/end_to_end/netsh_test.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -195,10 +195,10 @@ TEST_CASE("show sections bpf.o .text", "[netsh][sections]")
"arith32 : 0\n"
"arith64 : 1\n"
"assign : 1\n"
"basic_blocks : 4\n"
"call_1 : 0\n"
"call_mem : 0\n"
"call_nomem : 0\n"
"instructions : 4\n"
"joins : 0\n"
"jumps : 0\n"
"load : 0\n"
Expand Down

0 comments on commit 1cc9131

Please sign in to comment.