bpf: fix constant blinding bypass for PROBE_MEM32 stores

.github/actions/veristat_baseline_compare/action.yml

@@ -0,0 +1,49 @@
+name: 'run-veristat'
+description: 'Run veristat benchmark'
+inputs:
+  veristat_output:
+    description: 'Veristat output filepath'
+    required: true
+  baseline_name:
+    description: 'Veristat baseline cache name'
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/upload-artifact@v4
+      with:
+        name: ${{ inputs.baseline_name }}
+        if-no-files-found: error
+        path: ${{ github.workspace }}/${{ inputs.veristat_output }}
+
+    # For pull request:
+    # - get baseline log from cache
+    # - compare it to current run
+    - if: ${{ github.event_name == 'pull_request' }}
+      uses: actions/cache/restore@v4
+      with:
+        key: ${{ github.base_ref }}-${{ inputs.baseline_name }}-
+        restore-keys: |
+          ${{ github.base_ref }}-${{ inputs.baseline_name }}
+        path: '${{ github.workspace }}/${{ inputs.baseline_name }}'
+
+    - if: ${{ github.event_name == 'pull_request' }}
+      name: Show veristat comparison
+      shell: bash
+      run: ./.github/scripts/compare-veristat-results.sh
+      env:
+        BASELINE_PATH: ${{ github.workspace }}/${{ inputs.baseline_name }}
+        VERISTAT_OUTPUT: ${{ inputs.veristat_output }}
+
+    # For push: just put baseline log to cache
+    - if: ${{ github.event_name == 'push' }}
+      shell: bash
+      run: |
+        mv "${{ github.workspace }}/${{ inputs.veristat_output }}" \
+           "${{ github.workspace }}/${{ inputs.baseline_name }}"
+
+    - if: ${{ github.event_name == 'push' }}
+      uses: actions/cache/save@v4
+      with:
+        key: ${{ github.ref_name }}-${{ inputs.baseline_name }}-${{ github.run_id }}
+        path: '${{ github.workspace }}/${{ inputs.baseline_name }}'

.github/scripts/compare-veristat-results.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+
+veristat=$(realpath selftests/bpf/veristat)
+
+# Dump verifier logs for a list of programs
+# Usage: dump_failed_logs <progs_file>
+# - progs_file: file with lines of format "file_name,prog_name"
+dump_failed_logs() {
+    local progs_file="$1"
+    local objects_dir="${VERISTAT_OBJECTS_DIR:-$(pwd)}"
+
+    while read -r line; do
+        local file prog
+        file=$(echo "$line" | cut -d',' -f1)
+        prog=$(echo "$line" | cut -d',' -f2)
+        echo "VERIFIER LOG FOR $file/$prog:"
+        echo "=================================================================="
+        $veristat -v "$objects_dir/$file" -f "$prog"
+        echo "=================================================================="
+    done < "$progs_file"
+}
+
+if [[ ! -f "${BASELINE_PATH}" ]]; then
+    echo "# No ${BASELINE_PATH} available" >> "${GITHUB_STEP_SUMMARY}"
+
+    echo "No ${BASELINE_PATH} available"
+    echo "Printing veristat results"
+    cat "${VERISTAT_OUTPUT}"
+
+    if [[ -n "$VERISTAT_DUMP_LOG_ON_FAILURE" ]]; then
+        failed_progs=$(mktemp failed_progs_XXXXXX.txt)
+        awk -F',' '$3 == "failure" { print $1","$2 }' "${VERISTAT_OUTPUT}" > "$failed_progs"
+        if [[ -s "$failed_progs" ]]; then
+            echo && dump_failed_logs "$failed_progs"
+        fi
+        rm -f "$failed_progs"
+    fi
+
+    echo "$(basename "$0"): no baseline provided for veristat output"
+    echo "VERISTAT JOB PASSED"
+    exit 0
+fi
+
+cmp_out=$(mktemp veristate_compare_out_XXXXXX.csv)
+
+$veristat \
+    --output-format csv \
+    --emit file,prog,verdict,states \
+    --compare "${BASELINE_PATH}" "${VERISTAT_OUTPUT}" > $cmp_out
+
+python3 ./.github/scripts/veristat_compare.py $cmp_out
+exit_code=$?
+
+# print verifier log for progs that failed to load
+if [[ -n "$VERISTAT_DUMP_LOG_ON_FAILURE" ]]; then
+    failed_progs=$(mktemp failed_progs_XXXXXX.txt)
+    awk -F',' '$4 == "failure" { print $1","$2 }' "$cmp_out" > "$failed_progs"
+    if [[ -s "$failed_progs" ]]; then
+        echo && dump_failed_logs "$failed_progs"
+    fi
+    rm -f "$failed_progs"
+fi
+
+if [[ $exit_code -eq 0 ]]; then
+    echo "$(basename "$0"): veristat output matches the baseline"
+    echo "VERISTAT JOB PASSED"
+else
+    echo "$(basename "$0"): veristat output does not match the baseline"
+    echo "VERISTAT JOB FAILED"
+fi
+
+exit $exit_code

.github/scripts/download-gh-release.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -euo pipefail
+
+SCRIPT_DIR=$(dirname "$(realpath "$0")")
+
+GH_REPO=$1
+INSTALL_DIR=$(realpath $2)
+
+cd /tmp
+
+bash "$SCRIPT_DIR/install-github-cli.sh"
+
+tag=$(gh release list -L 1 -R ${GH_REPO} --json tagName -q .[].tagName)
+if [[ -z "$tag" ]]; then
+    echo "Could not find latest release at ${GH_REPO}"
+    exit 1
+fi
+
+url="https://github.com/${GH_REPO}/releases/download/${tag}/${tag}.tar.zst"
+echo "Downloading $url"
+wget -q "$url"
+
+tarball=${tag}.tar.zst
+dir=$(tar tf $tarball | head -1 || true)
+
+echo "Extracting $tarball ..."
+tar -I zstd -xf $tarball && rm -f $tarball
+
+rm -rf $INSTALL_DIR
+mv -v $dir $INSTALL_DIR
+
+cd -

.github/scripts/install-github-cli.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euo pipefail
+
+if ! command -v gh &> /dev/null; then
+    # https://github.com/cli/cli/blob/trunk/docs/install_linux.md
+    (type -p wget >/dev/null || (sudo apt update && sudo apt install wget -y)) \
+	&& sudo mkdir -p -m 755 /etc/apt/keyrings \
+	&& out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+	&& cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
+	&& sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
+	&& sudo mkdir -p -m 755 /etc/apt/sources.list.d \
+	&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+	&& sudo apt update \
+	&& sudo apt install gh -y
+fi