undefined | Better HN

0 pointskleendr125y ago0 comments

When there's no loop bound it cannot prove termination, see halting problem. Goal is to avoid getting an infinite loop and then freezing the kernel of course.

0 comments

mehrdadn5y ago

Right but I guess the point I'm getting at is that termination seems neither necessary nor sufficient to me. A loop (or nested loops...) that goes up to 2^63 may as well be infinite, so on the face of it it's not obvious why boundedness gets you anywhere by itself—you'd need to prove something stronger anyway. Conversely, it's not impossible to have loops that nevertheless (provably) terminate within N instructions. But if you're already bounding the number of instructions, why do you need bounded loops to begin with? Is that a necessary lemma of some sort before the algorithm is capable of proving something stronger? At first glance I don't see why the simulation (BMC?) approach you suggested would require bounded loops, since it would seem it might be capable of proving the termination of some unbounded loops within 1M instructions too.

tptacek5y ago

Forget 2^63, and forget nested loops. Think instead a loop with maybe 2000 iterations --- that seems like the frontier of what the verifier will let you do right now. The verifier's budget is 1MM cycles, for the whole program, including each tick of every loop in it. That is to say that the verifier is literally going to execute your program symbolically, and give up after that many cycles, or at any loop where it can't easily see that the induction variable is bounded by a program constant.

The idea here is that without any kind of loop, it's quite tricky to do some basic packet processing. For instance, if you want to clamp the MSS of a TCP connection, you have to grovel through TCP options, which do not occur at fixed offsets or in a particular order; you want to write a "for" loop over the (inherently limited) range of bytes at the computed offset of the TCP options. You can trivially bound that loop by the MTU of the link your program is loaded on (and also the limited possible size of TCP options), the loop won't iterate that many times, and it won't do much inside the loop.

But it's very much not the case that bounded loops give you general-purpose programming, like to implement your own data structures. BPF programs rely on kernel helpers and userland programs that maintain maps and read perf to do that stuff.

kleendr12OP5y ago

I'm not quite sure I follow your comment. If the program never terminates then it will loop forever and potentially freeze the machine depending from where it is invoked in the kernel. Example of loops that can be detected to terminate:

  int nested_loops(volatile struct pt_regs* ctx)
  {
    int i, j, sum = 0, m;

    for (j = 0; j < 300; j++)
      for (i = 0; i < j; i++) {
        if (j & 1)
          m = ctx->rax;
        else
          m = j;
        sum += i * m;
      }

    return sum;
  }

Or for example another one that is also part of selftests with induction variable i:

  int while_true(volatile struct pt_regs* ctx)
  {
    int i = 0;

    while (true) {
      if (ctx->rax & 1)
        i += 3;
      else
        i += 7;
      if (i > 40)
        break;
    }

    return i;
  }

Overall this is very useful to avoid unrolling loops & keeping the code dense and icache friendly, and to parse (e.g.) IPv6 extension headers and such.

mehrdadn5y ago

Oh! I thought bounded loops meant every loop has to have a bound (hence while (true) wouldn't work). If it can handle more complicated situations then that answers my question. The second example is identical to a do-while loop though, so it's not clear to me if it can actually handle more complicated situations that don't directly map to for/while/do-while loops.

For example, can it handle something like the following, where there's no bound, but the loop necessarily always terminates? (I assumed this loop would be called "unbounded", but maybe I'm confused by the terminology?)

  int test(unsigned i, unsigned j) {
    while (true) {
      i ^= j; j ^= i; i ^= j;
      if (i <= j) { return 0; }
      i ^= j; j ^= i; i ^= j;
      if (j <= i) { return 1; }
      i ^= j; j ^= i; i ^= j;
    }
    return 2;
  }

1 more reply

j / k navigate · click thread line to collapse

0 comments

mehrdadn5y ago

tptacek5y ago

kleendr12OP5y ago

  int nested_loops(volatile struct pt_regs* ctx)
  {
    int i, j, sum = 0, m;

    for (j = 0; j < 300; j++)
      for (i = 0; i < j; i++) {
        if (j & 1)
          m = ctx->rax;
        else
          m = j;
        sum += i * m;
      }

    return sum;
  }

Or for example another one that is also part of selftests with induction variable i:

  int while_true(volatile struct pt_regs* ctx)
  {
    int i = 0;

    while (true) {
      if (ctx->rax & 1)
        i += 3;
      else
        i += 7;
      if (i > 40)
        break;
    }

    return i;
  }

Overall this is very useful to avoid unrolling loops & keeping the code dense and icache friendly, and to parse (e.g.) IPv6 extension headers and such.

mehrdadn5y ago

  int test(unsigned i, unsigned j) {
    while (true) {
      i ^= j; j ^= i; i ^= j;
      if (i <= j) { return 0; }
      i ^= j; j ^= i; i ^= j;
      if (j <= i) { return 1; }
      i ^= j; j ^= i; i ^= j;
    }
    return 2;
  }

1 more reply

j / k navigate · click thread line to collapse