21458222544
78%

Ran 28 Jan 2026 10:58PM UTC

Jobs 6

Files 130

Run time 1min

Badge

Embed ▾

Committed 28 Jan 2026 10:40PM UTC coverage: 78.042% (-0.006%) from 78.048%

Build # 21458222544

Build Type

push

github

Committed by

web-flow

Commit Message

ARM64 JIT: Implement constant blinding support (#733)

* Implement ARM64 constant blinding support in JIT

Co-authored-by: Alan-Jowett <20480683+Alan-Jowett@users.noreply.github.com>

* Fix register allocation bug in emit_movewide_immediate_blinded

Co-authored-by: Alan-Jowett <20480683+Alan-Jowett@users.noreply.github.com>

* ARM64 JIT: avoid clobbering temp register in constant blinding

* ARM64: Blind all immediate operations when constant blinding enabled

When constant blinding is enabled, now force all immediate operations
(including simple immediates < 0x1000) through the blinded path by
converting them to register operations. This matches x86-64 behavior
and ensures all attacker-controlled immediates are properly blinded.

Co-authored-by: Alan-Jowett <20480683+Alan-Jowett@users.noreply.github.com>

* ARM64: Blind helper index and atomic offsets in constant blinding

Extended constant blinding to cover all remaining attacker-controlled
immediates:
- Helper function index in emit_dispatched_external_helper_call
- Large atomic operation offsets in emit_atomic_operation

These values come from BPF instruction fields (inst.imm, inst.offset)
and must be blinded when constant_blinding_enabled is true.

Note: JIT-internal constants (e.g., stack sizes, shift amounts) remain
unblinded as they provide no security benefit and hurt performance.

Co-authored-by: Alan-Jowett <20480683+Alan-Jowett@users.noreply.github.com>

* ARM64 JIT: fix large negative load/store offsets

* ARM64 JIT: remove unused load/store helper

* ARM64: Optimize MOV_IMM blinding to avoid extra ORR instruction

Excluded MOV_IMM/MOV64_IMM from the immediate-to-register conversion
path when constant blinding is enabled. These instructions are now
handled directly in their switch case, which blinds the immediate
without requiring an extra ORR instruction to copy from temp_register
to dst.

Before: MOVZ temp, #blinded → EOR temp, temp, #random → ORR dst, RZ, temp
After:  MOVZ dst, #blinde... (continued)

Run Details

40 of 43 new or added lines in 1 file covered. (93.02%)

2 existing lines in 2 files now uncovered.

6344 of 8129 relevant lines covered (78.04%)

550877.43 hits per line

New Missed Lines in Diff

Lines	Coverage	∆	File
3	92.83	-0.23%	vm/ubpf_jit_arm64.c

Uncovered Existing Lines

Lines	Coverage	∆	File
1	64.32	-0.68%	custom_tests/srcs/ubpf_test_constant_blinding.cc
1	92.83	-0.23%	vm/ubpf_jit_arm64.c

Jobs

ID	Job ID	Ran	Files	Coverage
1	run-Debug-ubuntu-latest-x86_64 - 21458222544.1	28 Jan 2026 11:20PM UTC	68	74.03	GitHub Action Run
2	run-RelWithDebInfo-macos-latest-x86_64 - 21458222544.2	28 Jan 2026 11:06PM UTC	84	75.75	GitHub Action Run
3	run-RelWithDebInfo-ubuntu-latest-x86_64 - 21458222544.3	28 Jan 2026 11:17PM UTC	68	74.01	GitHub Action Run
4	run-RelWithDebInfo-ubuntu-24.04-arm-arm64 - 21458222544.4	28 Jan 2026 10:58PM UTC	69	58.74	GitHub Action Run
5	run-Debug-macos-latest-x86_64 - 21458222544.5	28 Jan 2026 11:15PM UTC	84	75.88	GitHub Action Run
6	run-Debug-ubuntu-24.04-arm-arm64 - 21458222544.6	28 Jan 2026 10:58PM UTC	69	58.73	GitHub Action Run

iovisor / ubpf / 21458222544
78%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Uncovered Existing Lines

Jobs

Source Files on build 21458222544

iovisor / ubpf / 21458222544 78%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Uncovered Existing Lines

Jobs

Source Files on build 21458222544

iovisor / ubpf / 21458222544
78%

README BADGES
x