verifier_bounds.c already has 64-bit cross-sign-boundary bounds deduction coverage.
Recent 32-bit signed/unsigned intersection tests extended the refinement coverage, but a corresponding negative case is still missing. Add a 32-bit selftest for that case and assert that the program is rejected, confirming that verifier remains conservative there.
Signed-off-by: Sun Jian <[email protected]>
---
 .../selftests/bpf/progs/verifier_bounds.c | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
index e526315c718a..242c3d6d23b1 100644
--- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
+++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
@@ -2037,4 +2037,24 @@ __naked void signed_unsigned_intersection32_case2(void *ctx)
 : __clobber_all);
 }
 
+SEC("socket")
+__description("32-bit bounds deduction cross sign boundary, two overlaps")
+__failure
+__flag(BPF_F_TEST_REG_INVARIANTS)
+__msg("frame pointer is read only")
+__naked void bounds_deduct_two_overlaps_32(void)
+{
+ asm volatile(" \
+ call %[bpf_get_prandom_u32]; \
+ r0 = (s8)r0; \
+ w1 = 0xffffff80; \
+ if w0 > w1 goto l0_%=; \
+ if w0 < 128 goto l0_%=; \
+ r10 = 0; \
+l0_%=: exit; \
+" :
+ : __imm(bpf_get_prandom_u32)
+ : __clobber_all);
+}
+
 char _license[] SEC("license") = "GPL";
base-commit: a989fde763f4f24209e4702f50a45be572340e68
-- 
2.43.0
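Review bot: The only log assertion in `bounds_deduct_two_overlaps_32` is `__msg("frame pointer is read only")`, which checks the final rejection but not the 32-bit bounds the verifier holds for R0 after `if w0 > w1 goto l0_%=`. Because `r10 = 0` is genuinely reachable when w0 is 0xffffff80 (r0 == -128 falls through both compares), any sound verifier rejects this program, so the test cannot tell a conservative range from a refined one. To pin the "remains conservative" claim from the commit message, add a second `__msg` matching the R0 state logged at that jump, with the exact string copied from a verifier log run. A short comment above `SEC("socket")` would also help, for example `/* w0 == 0xffffff80 passes both checks, so the r10 write must stay live */`. Separately, the prototype takes `(void)` while the neighbouring `signed_unsigned_intersection32_case2` in the hunk header takes `(void *ctx)`, and matching it would keep the file consistent.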

