selftests/bpf: test refining u32/s32 bounds when ranges cross min/max boundary

Two test cases for signed/unsigned 32-bit bounds refinement
when s32 range crosses the sign boundary:
- s32 range [S32_MIN..1] overlapping with u32 range [3..U32_MAX],
  s32 range tail before sign boundary overlaps with u32 range.
- s32 range [-3..5] overlapping with u32 range [0..S32_MIN+3],
  s32 range head after the sign boundary overlaps with u32 range.

This covers both branches added in the __reg32_deduce_bounds().

Also, crossing_32_bit_signed_boundary_2() no longer triggers invariant
violations.

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Reviewed-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260306-bpf-32-bit-range-overflow-v3-2-f7f67e060a6b@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
index 97065a26cf70603c3e4b8d43d3a04248828398fc..e526315c718ad7e7905d95cc9b52b229cb12af39 100644 (file)
--- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
+++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
@@ -1148,7 +1148,7 @@ l0_%=:    r0 = 0;                                         \
 SEC("xdp")
 __description("bound check with JMP32_JSLT for crossing 32-bit signed boundary")
 __success __retval(0)
-__flag(!BPF_F_TEST_REG_INVARIANTS) /* known invariants violation */
+__flag(BPF_F_TEST_REG_INVARIANTS)
 __naked void crossing_32_bit_signed_boundary_2(void)
 {
        asm volatile ("                                 \
@@ -2000,4 +2000,41 @@ __naked void bounds_refinement_multiple_overlaps(void *ctx)
        : __clobber_all);
 }
 
+SEC("socket")
+__success
+__flag(BPF_F_TEST_REG_INVARIANTS)
+__naked void signed_unsigned_intersection32_case1(void *ctx)
+{
+       asm volatile("                                                                  \
+       call %[bpf_get_prandom_u32];                                                    \
+       w0 &= 0xffffffff;                                                               \
+       if w0 < 0x3 goto 1f;            /* on fall-through u32 range [3..U32_MAX]  */   \
+       if w0 s> 0x1 goto 1f;           /* on fall-through s32 range [S32_MIN..1]  */   \
+       if w0 s< 0x0 goto 1f;           /* range can be narrowed to  [S32_MIN..-1] */   \
+       r10 = 0;                        /* thus predicting the jump. */                 \
+1:     exit;                                                                           \
+"      :
+       : __imm(bpf_get_prandom_u32)
+       : __clobber_all);
+}
+
+SEC("socket")
+__success
+__flag(BPF_F_TEST_REG_INVARIANTS)
+__naked void signed_unsigned_intersection32_case2(void *ctx)
+{
+       asm volatile("                                                                  \
+       call %[bpf_get_prandom_u32];                                                    \
+       w0 &= 0xffffffff;                                                               \
+       if w0 > 0x80000003 goto 1f;     /* on fall-through u32 range [0..S32_MIN+3] */  \
+       if w0 s< -3 goto 1f;            /* on fall-through s32 range [-3..S32_MAX] */   \
+       if w0 s> 5 goto 1f;             /* on fall-through s32 range [-3..5] */         \
+       if w0 <= 5 goto 1f;             /* range can be narrowed to  [0..5] */          \
+       r10 = 0;                        /* thus predicting the jump */                  \
+1:     exit;                                                                           \
+"      :
+       : __imm(bpf_get_prandom_u32)
+       : __clobber_all);
+}
+
 char _license[] SEC("license") = "GPL";