Re: R? min value is negative, either use unsigned or 'var &= const'

Simon

I tried to understand again this verifier error again and probably my previous post does not contain enough information.

I  understand that :

```93: (67) r0 <<= 32
294: (c7) r0 s>>= 32
295: (b7) r1 = 0
296: (b7) r2 = 0
297: (bf) r3 = r8
298: (79) r4 = *(u64 *)(r10 -40)
299: (bf) r5 = r0
300: (85) call bpf_csum_diff#28
R4 min value is negative, either use unsigned or 'var &= const'```

is about this line  (in` ipv4_l4_csum`)

`  *csum = bpf_csum_diff(0, 0, data_start, data_size, *csum);`

R1=0,
R2=0,
R3= R8=pkt(id=0,off=34,r=42,imm=0) = data_start =  a pointer to struct udphdr *udp
R4= something in the stack  = data_size = __u16 udp_len

So I can not understand how this bring to R4 min value is negative, either use unsigned or 'var &= const'

`298: (79) r4 = *(u64 *)(r10 -40)`

As I understand this line, r4 will get a value in the stack (`R10=fp0,call_-1 fp-48=pkt`) and cast  this value in a u64, so unsigned. (min value = 0)

(By the way I can not understand why this is a u64 and not a u16 as `udp_len` variable or u32 as  `data_size` parameter of `ipv4_l4_csum` function or u32 as `tosize` from `bpf_csum_diff` function...)

I tried to use the &= tricks like :

`data_size = data_size & 0x1ff;*csum = bpf_csum_diff(0, 0, data_start, data_size, *csum);`

Same issue ...

Here a more longer trace from the verifier :

```R0=inv(id=0,umax_value=4295032831,var_off=(0x0; 0x1ffffffff)) R1=inv(id=0,umax_value=65536,var_off=(0x0; 0x1ffff)) R6=ctx(id=0,off=0,imm=0) R7=pkt(id=0,off=0,r=42,imm=0) R8=pkt(id=0,off=34,r=42,imm=0) R9=pkt(id=0,off=30,r=42,imm=0) R10=fp0,call_-1 fp-48=pkt
239: (57) r0 &= 65535
240: (0f) r0 += r1
241: (bf) r1 = r0
242: (77) r1 >>= 16
243: (0f) r1 += r0
244: (a7) r1 ^= -1
245: (6b) *(u16 *)(r7 +24) = r1
246: (b7) r1 = 0
247: (6b) *(u16 *)(r7 +40) = r1
248: (b7) r1 = 0
249: (b7) r2 = 0
250: (79) r3 = *(u64 *)(r10 -48)
251: (b7) r4 = 4
252: (b7) r5 = 0
253: (85) call bpf_csum_diff#28
254: (67) r0 <<= 32
255: (c7) r0 s>>= 32
256: (b7) r1 = 0
257: (b7) r2 = 0
258: (bf) r3 = r9
259: (b7) r4 = 4
260: (bf) r5 = r0
261: (85) call bpf_csum_diff#28
262: (71) r1 = *(u8 *)(r7 +23)
263: (dc) r1 = be32 r1
264: (63) *(u32 *)(r10 -24) = r1
265: (67) r0 <<= 32
266: (c7) r0 s>>= 32
267: (bf) r9 = r10
268: (07) r9 += -24
269: (b7) r1 = 0
270: (b7) r2 = 0
271: (bf) r3 = r9
272: (b7) r4 = 4
273: (bf) r5 = r0
274: (85) call bpf_csum_diff#28
275: (79) r1 = *(u64 *)(r10 -40)
276: (dc) r1 = be32 r1
277: (63) *(u32 *)(r10 -24) = r1
278: (67) r0 <<= 32
279: (c7) r0 s>>= 32
280: (b7) r1 = 0
281: (b7) r2 = 0
282: (bf) r3 = r9
283: (b7) r4 = 4
284: (bf) r5 = r0
285: (85) call bpf_csum_diff#28
286: (67) r0 <<= 32
287: (c7) r0 s>>= 32
288: (b7) r1 = 0
289: (b7) r2 = 0
290: (bf) r3 = r8
291: (79) r4 = *(u64 *)(r10 -40)
292: (bf) r5 = r0
293: (85) call bpf_csum_diff#28
```

I reference the commit instead of repository to keep the link consistent over the time : https://github.com/sbernard31/udploadbalancer/tree/5ca93d0893a60bc70a75f30eb5cfde496a9e5d93

Again do not hesitate to redirect me to better place if I'm not asking at the right place :)

Thx again for your time.

Join iovisor-dev@lists.iovisor.org to automatically receive all group messages.