vbpf / prevail / 24958783962 / 2
86%
main: 86%

DEFAULT BRANCH: main
Ran
Files 110
Run time 3s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 87.495% (+0.004%) from 87.491%
24958783962.2

push

github

web-flow 
tighten ValidMapKeyValue packet bound; inline bounds checks (#1100)

Fixes #1099 and reshapes the bounds-check helpers around it into two primitives that each per-region case composes directly.

## The bug

`ValidMapKeyValue`'s T_PACKET branch checked the upper bound against the loose `max_packet_size` constant, while `ValidAccess`'s T_PACKET dereference path used the runtime `variable_registry.packet_size()` for a tighter check. Helper map key/value pointers are real reads/writes through the pointer (the helper copies `key_size` / `value_size` bytes), so they need the same runtime ceiling as direct dereferences. Using `max_packet_size` was unsoundly loose: a program could pass verification while accessing past the actual runtime `packet_size`.

The fix at the call site now reads as one line:

```cpp
require_upper_bound(ub, variable_registry.packet_size(), "Upper bound must be at most packet_size");
```

## The refactor

Replaced the previous `region_bounds` / `RegionBounds` / `require_region_bounds` apparatus (and a brief detour through templated overloads and a `static`/`dynamic` taxonomy) with two trivial member primitives on `EbpfChecker`:

```cpp
void require_lower_bound(const LinearExpression& access_lb,
                         const LinearExpression& floor,   const std::string& msg) const;
void require_upper_bound(const LinearExpression& access_ub,
                         const LinearExpression& ceiling, const std::string& msg) const;
```

Each per-type case (`T_STACK`, `T_CTX`, `T_PACKET`, `T_SHARED`, `T_ALLOC_MEM`) in `EbpfChecker::operator()(const ValidAccess&)` and `operator()(const ValidMapKeyValue&)` now spells out its floor and ceiling directly at the line where the access is checked, rather than routing through a per-region helper whose contract had to be carried in comments.

`ValidAccess`'s outer loop also folds its inner `is_region_access_type` switch into the per-type switch — every bounds check is now in a case with a compile-tim... (continued)

13175 of 15058 relevant lines covered (87.5%)

2289536.97 hits per line

Source Files on job run-Debug - 24958783962.2