24958783962

Committed 26 Apr 2026 02:17PM UTC coverage: 89.183% (-0.002%) from 89.185%

Build # 24958783962

Build Type

push

github

Committed by

web-flow

Commit Message

tighten ValidMapKeyValue packet bound; inline bounds checks (#1100)

Fixes #1099 and reshapes the bounds-check helpers around it into two primitives that each per-region case composes directly.

## The bug

`ValidMapKeyValue`'s T_PACKET branch checked the upper bound against the loose `max_packet_size` constant, while `ValidAccess`'s T_PACKET dereference path used the runtime `variable_registry.packet_size()` for a tighter check. Helper map key/value pointers are real reads/writes through the pointer (the helper copies `key_size` / `value_size` bytes), so they need the same runtime ceiling as direct dereferences. Using `max_packet_size` was unsoundly loose: a program could pass verification while accessing past the actual runtime `packet_size`.

The fix at the call site now reads as one line:

```cpp
require_upper_bound(ub, variable_registry.packet_size(), "Upper bound must be at most packet_size");
```

## The refactor

Replaced the previous `region_bounds` / `RegionBounds` / `require_region_bounds` apparatus (and a brief detour through templated overloads and a `static`/`dynamic` taxonomy) with two trivial member primitives on `EbpfChecker`:

```cpp
void require_lower_bound(const LinearExpression& access_lb,
                         const LinearExpression& floor,   const std::string& msg) const;
void require_upper_bound(const LinearExpression& access_ub,
                         const LinearExpression& ceiling, const std::string& msg) const;
```

Each per-type case (`T_STACK`, `T_CTX`, `T_PACKET`, `T_SHARED`, `T_ALLOC_MEM`) in `EbpfChecker::operator()(const ValidAccess&)` and `operator()(const ValidMapKeyValue&)` now spells out its floor and ceiling directly at the line where the access is checked, rather than routing through a per-region helper whose contract had to be carried in comments.

`ValidAccess`'s outer loop also folds its inner `is_region_access_type` switch into the per-type switch — every bounds check is now in a case with a compile-tim... (continued)

Coverage Stats

60 of 62 new or added lines in 1 file covered. (96.77%)

1 existing line in 1 file now uncovered.

13703 of 15365 relevant lines covered (89.18%)

4395061.56 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

69.23

/src/crab/region_semantics.cpp

vbpf / prevail / 24958783962

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous