Handle "global and assumed valid" messages

theihor · theihor · commit b0d53be71359 · 2025-08-28T16:20:52.000-07:00
Verifier may emit a message indicating a global function call, which
is not verified inline, for example:

    565: (85) call pc+234
    Func#5 ('pick_any_bit') is global and assumed valid.

This is important for visualizer, because so far `call pc+offset`
pattern was handled exclusively as subprogram call.

A small challenge with this is that the overall design of bpfvv
expects line-by-line processing of the input log. And to handle cases
like this some backtracking (or lookahead) mechanism is necessary,
even though it is convenient to work with "lines" fundamentally.

Address this with the following changes:
* introduce ParsedLineType.KNOWN_MESSAGE and KnownMessageInfo to
  recognize particular verifier messages
* leave parser interface unchanged (parseLine)
* split parsed lines processing in the analyzer into separate steps
  * parse lines individually
  * process known messages, potentially editing parsedLines
    array (this is backtracking essentially)
  * and then build bpfStates and cSourceMap
diff --git a/src/analyzer.test.ts b/src/analyzer.test.ts
@@ -6,7 +6,14 @@ import {
   VerifierLogState,
 } from "./analyzer";
 
-import { BPF_CALLEE_SAVED_REGS, BPF_SCRATCH_REGS, Effect } from "./parser";
+import {
+  BPF_CALLEE_SAVED_REGS,
+  BPF_SCRATCH_REGS,
+  Effect,
+  ParsedLineType,
+  BpfInstructionKind,
+  BpfJmpKind,
+} from "./parser";
 
 function expectInitialBpfState(s: BpfState) {
   expect(s.frame).toBe(0);
@@ -448,4 +455,49 @@ to caller at 705:
       });
     });
   });
+
+  describe("processes known messages", () => {
+    const verifierLogWithGlobalFuncCall = `
+0: (b7) r2 = 1                        ; R2_w=1
+1: (85) call pc+10
+Func#123 ('my_global_func') is global and assumed valid.
+2: (bf) r0 = r1                       ; R0_w=ctx() R1=ctx()
+`;
+
+    describe("global func call", () => {
+      const strings = verifierLogWithGlobalFuncCall.split("\n");
+      strings.shift(); // remove the first \n
+      const logState: VerifierLogState = processRawLines(strings);
+      const { lines, bpfStates } = logState;
+
+      it("transforms global function call correctly", () => {
+        // Check that line 1 is transformed from SUBPROGRAM_CALL to HELPER_CALL
+        expect(lines[1]).toMatchObject({
+          type: ParsedLineType.INSTRUCTION,
+          bpfIns: {
+            kind: BpfInstructionKind.JMP,
+            jmpKind: BpfJmpKind.HELPER_CALL,
+            target: "my_global_func",
+            reads: BPF_SCRATCH_REGS,
+            writes: ["r0", ...BPF_SCRATCH_REGS],
+          },
+        });
+      });
+
+      it("processes BPF states correctly after transformation", () => {
+        // Check that the transformed call is processed as a helper call
+        const callState = bpfStates[1];
+        expect(callState.frame).toBe(0);
+        expect(callState.pc).toBe(1);
+        for (const reg of BPF_SCRATCH_REGS) {
+          expect(callState.values.get(reg)).toMatchObject({
+            effect: Effect.UPDATE,
+          });
+        }
+        expect(callState.values.get("r0")).toMatchObject({
+          effect: Effect.WRITE,
+        });
+      });
+    });
+  });
 });
diff --git a/src/analyzer.ts b/src/analyzer.ts
@@ -9,6 +9,8 @@ import {
   ParsedLineType,
   parseLine,
   getCLineId,
+  KnownMessageInfoType,
+  GlobalFuncValidInfo,
 } from "./parser";
 
 export type BpfValue = {
@@ -267,16 +269,54 @@ export function getEmptyVerifierState(): VerifierLogState {
   };
 }
 
+function updateGlobalFuncCall(callLine: ParsedLine, info: GlobalFuncValidInfo) {
+  // "assumed valid" message indicates that previous instructions was a call to a global function which verifier recognizes as valid.
+  // So we change the call ParsedLine to a HELPER_CALL, so that it is processed accordingly.
+  if (callLine.type !== ParsedLineType.INSTRUCTION) return;
+  const ins = callLine.bpfIns;
+  if (
+    ins.kind !== BpfInstructionKind.JMP ||
+    ins.jmpKind !== BpfJmpKind.SUBPROGRAM_CALL
+  )
+    return;
+  ins.jmpKind = BpfJmpKind.HELPER_CALL;
+  ins.target = info.funcName;
+  ins.reads = BPF_SCRATCH_REGS;
+  ins.writes = ["r0", ...BPF_SCRATCH_REGS];
+}
+
 export function processRawLines(rawLines: string[]): VerifierLogState {
   let bpfStates: BpfState[] = [];
   let lines: ParsedLine[] = [];
   let savedBpfStates: BpfState[] = [];
   let idxsForCLine: number[] = [];
   let currentCSourceLine: CSourceLine | undefined;
   const cSourceMap = new CSourceMap();
+  const knownMessageIdxs: number[] = [];
 
-  rawLines.forEach((rawLine, idx) => {
+  // First pass: parse individual lines
+  lines = rawLines.map((rawLine, idx) => {
     const parsedLine = parseLine(rawLine, idx);
+    if (parsedLine.type === ParsedLineType.KNOWN_MESSAGE) {
+      knownMessageIdxs.push(idx);
+    }
+    return parsedLine;
+  });
+
+  // Process known messages and fixup parsed lines
+  knownMessageIdxs.forEach((idx) => {
+    const parsedLine = lines[idx];
+    if (
+      idx > 0 &&
+      parsedLine.type === ParsedLineType.KNOWN_MESSAGE &&
+      parsedLine.info.type == KnownMessageInfoType.GLOBAL_FUNC_VALID
+    ) {
+      updateGlobalFuncCall(lines[idx - 1], parsedLine.info);
+    }
+  });
+
+  // Second pass: build CSourceMap and BpfState[]
+  lines.forEach((parsedLine, idx) => {
     switch (parsedLine.type) {
       case ParsedLineType.C_SOURCE: {
         if (currentCSourceLine) {
@@ -297,7 +337,6 @@ export function processRawLines(rawLines: string[]): VerifierLogState {
       savedBpfStates,
     );
     bpfStates.push(bpfState);
-    lines.push(parsedLine);
   });
   if (currentCSourceLine) {
     cSourceMap.addCSourceLine(currentCSourceLine, idxsForCLine);
diff --git a/src/components.test.tsx b/src/components.test.tsx
@@ -295,15 +295,11 @@ describe("JmpInstruction", () => {
     );
   });
 
-  describe("CallHtml argument counting", () => {
-    function setCallArgValue(
-      state: BpfState,
-      arg: string,
-      preCallValue: string,
-    ) {
-      state.values.set(arg, makeValue("", Effect.UPDATE, preCallValue));
-    }
+  function setCallArgValue(state: BpfState, arg: string, preCallValue: string) {
+    state.values.set(arg, makeValue("", Effect.UPDATE, preCallValue));
+  }
 
+  describe("CallHtml argument counting", () => {
     it("shows 3 arguments when r4 and r5 are scratched", () => {
       const ins = createTargetJmpIns(
         BpfJmpCode.JA,
@@ -360,4 +356,30 @@ describe("JmpInstruction", () => {
       expect(innerHTML).not.toMatch(/r5.*,/);
     });
   });
+
+  describe("global function call rendering", () => {
+    it("renders global function name", () => {
+      // After analyzer transformation, a global function call becomes a HELPER_CALL
+      // with the function name as the target (e.g., "my_global_func" instead of "pc+10")
+      const ins = createTargetJmpIns(
+        BpfJmpCode.CALL,
+        BpfJmpKind.HELPER_CALL,
+        "my_global_func",
+      );
+      const line = createLine(ins);
+      const state = initialBpfState();
+      setCallArgValue(state, "r1", "ctx()");
+      setCallArgValue(state, "r2", "buffer_ptr");
+      setCallArgValue(state, "r3", "");
+
+      render(<JmpInstruction ins={ins} line={line} state={state} />);
+      const divs = document.getElementsByTagName("div");
+      expect(divs.length).toBe(1);
+
+      const innerHTML = divs[0].innerHTML;
+      expect(innerHTML).toContain("my_global_func");
+      expect(innerHTML).toContain("r1");
+      expect(innerHTML).toContain("r2");
+    });
+  });
 });
diff --git a/src/components.tsx b/src/components.tsx
@@ -67,8 +67,6 @@ function CallHtml({
   if (!location) {
     return <></>;
   }
-  const start = line.raw.length + location.offset;
-  const end = start + location.size;
   const target = ins.target || "";
   const helperName = target.substring(0, target.indexOf("#"));
 
@@ -123,11 +121,7 @@ function CallHtml({
     }
 
     let contents: ReactElement[] = [];
-    contents.push(
-      <React.Fragment key="line-start">
-        {line.raw.slice(start, end)}
-      </React.Fragment>,
-    );
+    contents.push(<React.Fragment key="line-start">{target}</React.Fragment>);
 
     contents.push(<React.Fragment key="paren-open">(</React.Fragment>);
     for (let i = 1; i <= numArgs; i++) {
diff --git a/src/parser.test.ts b/src/parser.test.ts
@@ -12,6 +12,7 @@ import {
   BpfTargetJmpInstruction,
   BpfAddressSpaceCastInstruction,
   InstructionLine,
+  KnownMessageInfoType,
 } from "./parser";
 
 const AluInstructionSample = "0: (b7) r2 = 1                        ; R2_w=1";
@@ -169,4 +170,29 @@ describe("parser", () => {
       raw: CSourceLineEmptySample2,
     });
   });
+
+  describe("Known message parsing", () => {
+    const GlobalFuncValidSample =
+      "Func#123 ('my_func') is global and assumed valid.";
+    const NotAKnownMessage = "Some other verifier message that doesn't match";
+
+    it("parses global function valid messages", () => {
+      const parsed = parseLine(GlobalFuncValidSample, 10);
+      expect(parsed).toMatchObject({
+        type: ParsedLineType.KNOWN_MESSAGE,
+        idx: 10,
+        raw: GlobalFuncValidSample,
+        info: {
+          type: KnownMessageInfoType.GLOBAL_FUNC_VALID,
+          funcId: 123,
+          funcName: "my_func",
+        },
+      });
+    });
+
+    it("does not parse non-matching lines as known messages", () => {
+      const parsed = parseLine(NotAKnownMessage, 5);
+      expect(parsed.type).toBe(ParsedLineType.UNRECOGNIZED);
+    });
+  });
 });
diff --git a/src/parser.ts b/src/parser.ts
@@ -192,6 +192,7 @@ export enum ParsedLineType {
   UNRECOGNIZED = "UNRECOGNIZED",
   INSTRUCTION = "INSTRUCTION",
   C_SOURCE = "C_SOURCE",
+  KNOWN_MESSAGE = "KNOWN_MESSAGE",
 }
 
 type GenericParsedLine = {
@@ -217,7 +218,28 @@ export type CSourceLine = {
   id: string;
 } & GenericParsedLine;
 
-export type ParsedLine = UnrecognizedLine | InstructionLine | CSourceLine;
+export enum KnownMessageInfoType {
+  GLOBAL_FUNC_VALID = "GLOBAL_FUNC_VALID",
+}
+
+export type GlobalFuncValidInfo = {
+  type: KnownMessageInfoType.GLOBAL_FUNC_VALID;
+  funcId: number;
+  funcName: string;
+};
+
+export type KnownMessageInfo = GlobalFuncValidInfo;
+
+export type KnownMessageLine = {
+  type: ParsedLineType.KNOWN_MESSAGE;
+  info: KnownMessageInfo;
+} & GenericParsedLine;
+
+export type ParsedLine =
+  | UnrecognizedLine
+  | InstructionLine
+  | CSourceLine
+  | KnownMessageLine;
 
 type BpfStateExpr = {
   id: string;
@@ -815,13 +837,37 @@ function parseBpfInstruction(
   };
 }
 
+const RE_MSG_GLOBAL_FUNC_VALID =
+  /^Func#([-0-9]+) \('(.+)'\) is global and assumed valid\./;
+
+function parseKnownMessage(
+  rawLine: string,
+  idx: number,
+): KnownMessageLine | null {
+  let { match } = consumeRegex(RE_MSG_GLOBAL_FUNC_VALID, rawLine);
+  if (!match) return null;
+  return {
+    type: ParsedLineType.KNOWN_MESSAGE,
+    idx,
+    raw: rawLine,
+    info: {
+      type: KnownMessageInfoType.GLOBAL_FUNC_VALID,
+      funcId: parseInt(match[1], 10),
+      funcName: match[2],
+    },
+  };
+}
+
 export function parseLine(rawLine: string, idx: number): ParsedLine {
   let parsed: ParsedLine | null = parseCSourceLine(rawLine, idx);
   if (parsed) return parsed;
 
   parsed = parseBpfInstruction(rawLine, idx);
   if (parsed) return parsed;
 
+  parsed = parseKnownMessage(rawLine, idx);
+  if (parsed) return parsed;
+
   return {
     type: ParsedLineType.UNRECOGNIZED,
     idx,
