Implement ebpf_check_constraints_at_label

Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>

Author: Alan Jowett

src/asm_parse.hpp

@@ -3,7 +3,21 @@
 #pragma once
 
 #include <string>
+#include <vector>
 
 #include "asm_syntax.hpp"
+#include "crab/interval.hpp"
+#include "crab/linear_constraint.hpp"
 
 Instruction parse_instruction(const std::string& line, const std::map<std::string, label_t>& label_name_to_label);
+
+/***
+ * Parse a set of string form linear constraints into a vector of crab::linear_constraint_t
+ *
+ * @param[in] constraints: A set of string form linear constraints.
+ * @param[out] numeric_ranges: A vector of numeric ranges that are extracted from the constraints.
+ *
+ * @return A vector of crab::linear_constraint_t
+ */
+std::vector<crab::linear_constraint_t> parse_linear_constraints(const std::set<std::string>& constraints,
+                                                          std::vector<crab::interval_t>& numeric_ranges);

src/asm_syntax.hpp

@@ -23,6 +23,29 @@ struct label_t {
     explicit label_t(const int index, const int to = -1, std::string stack_frame_prefix = {}) noexcept
         : from(index), to(to), stack_frame_prefix(std::move(stack_frame_prefix)) {}
 
+    explicit label_t(std::string_view string_label) {
+        auto pos = string_label.find(STACK_FRAME_DELIMITER);
+        if (pos != std::string_view::npos) {
+            stack_frame_prefix = std::string(string_label.substr(0, pos));
+            string_label = string_label.substr(pos + 1);
+        }
+
+        pos = string_label.find(':');
+        try {
+            if (pos != std::string_view::npos) {
+                from = std::stoi(std::string(string_label.substr(0, pos)));
+                to = std::stoi(std::string(string_label.substr(pos + 1)));
+            } else {
+                from = std::stoi(std::string(string_label));
+                to = -1;
+            }
+        } catch (const std::invalid_argument& e) {
+            throw std::invalid_argument("Invalid label format: " + std::string(string_label));
+        } catch (const std::out_of_range& e) {
+            throw std::out_of_range("Label value out of range: " + std::string(string_label));
+        }
+    }
+
     static label_t make_jump(const label_t& src_label, const label_t& target_label) {
         return label_t{src_label.from, target_label.from, target_label.stack_frame_prefix};
     }

src/config.cpp

@@ -14,4 +14,5 @@ const ebpf_verifier_options_t ebpf_verifier_default_options = {
     .allow_division_by_zero = true,
     .setup_constraints = true,
     .big_endian = false,
+    .store_pre_invariants = false, // Enable this to permit usage of the ebpf_check_constraints_at_label and ebpf_get_invariants_at_label functions.
 };

src/config.hpp

@@ -21,6 +21,9 @@ struct ebpf_verifier_options_t {
     bool big_endian;
 
     bool dump_btf_types_json;
+
+    // Store pre-invariants for use in ebpf_check_constraints_at_label and ebpf_get_invariants_at_label.
+    bool store_pre_invariants;
 };
 
 struct ebpf_verifier_stats_t {

src/crab_verifier.cpp

@@ -17,6 +17,7 @@
 #include "crab_utils/lazy_allocator.hpp"
 
 #include "asm_syntax.hpp"
+#include "asm_parse.hpp"
 #include "crab_verifier.hpp"
 #include "string_constraints.hpp"
 
@@ -161,6 +162,14 @@ static checks_db get_analysis_report(std::ostream& s, cfg_t& cfg, const crab::in
     return db;
 }
 
+static thread_local std::optional<crab::invariant_table_t> saved_pre_invariants = std::nullopt;
+
+static void save_invariants_if_needed(const crab::invariant_table_t& pre_invariants) {
+    if (thread_local_options.store_pre_invariants) {
+        saved_pre_invariants = pre_invariants;
+    }
+}
+
 static checks_db get_ebpf_report(std::ostream& s, cfg_t& cfg, program_info info, const ebpf_verifier_options_t* options,
                                  const std::optional<InstructionSeq>& prog = std::nullopt) {
     global_program_info = std::move(info);
@@ -172,6 +181,7 @@ static checks_db get_ebpf_report(std::ostream& s, cfg_t& cfg, program_info info,
         // Get dictionaries of pre-invariants and post-invariants for each basic block.
         ebpf_domain_t entry_dom = ebpf_domain_t::setup_entry(true);
         auto [pre_invariants, post_invariants] = run_forward_analyzer(cfg, std::move(entry_dom));
+        save_invariants_if_needed(pre_invariants);
         return get_analysis_report(s, cfg, pre_invariants, post_invariants, prog);
     } catch (std::runtime_error& e) {
         // Convert verifier runtime_error exceptions to failure.
@@ -221,6 +231,7 @@ std::tuple<string_invariant, bool> ebpf_analyze_program_for_test(std::ostream& o
     try {
         cfg_t cfg = prepare_cfg(prog, info, options.simplify, false);
         auto [pre_invariants, post_invariants] = run_forward_analyzer(cfg, std::move(entry_inv));
+        save_invariants_if_needed(pre_invariants);
         const checks_db report = get_analysis_report(std::cerr, cfg, pre_invariants, post_invariants);
         print_report(os, report, prog, false);
 
@@ -267,4 +278,65 @@ void ebpf_verifier_clear_thread_local_state() {
     global_program_info.clear();
     crab::domains::clear_thread_local_state();
     crab::domains::SplitDBM::clear_thread_local_state();
+    saved_pre_invariants = std::nullopt;
+}
+
+bool ebpf_check_constraints_at_label(std::ostream& os, const std::string& label_string,
+                                     const std::set<std::string>& constraints) try {
+    label_t label = label_t(label_string);
+    if (!saved_pre_invariants.has_value()) {
+        os << "No pre-invariants available\n";
+        return false;
+    }
+    if (saved_pre_invariants.value().find(label) == saved_pre_invariants.value().end()) {
+        os << "No pre-invariants available for label " << label << "\n";
+        return false;
+    }
+    ebpf_domain_t from_inv(saved_pre_invariants.value().at(label));
+    auto concrete_domain = ebpf_domain_t::from_constraints(constraints, false);
+
+    if (concrete_domain.is_bottom()) {
+        os << "The provided constraints are unsatisfiable (concrete domain is bottom)\n";
+        os << "Concrete constraints are self-contradictory\n";
+        os << concrete_domain << "\n";
+        return false;
+    }
+
+    if (from_inv.is_bottom()) {
+        os << "The abstract state is unreachable\n";
+        os << from_inv << "\n";
+        return false;
+    }
+
+    if ((from_inv & concrete_domain).is_bottom()) {
+        os << "Concrete state does not match invariant\n";
+
+        // Print the concrete state
+        os << "--- Concrete state ---\n";
+        os << concrete_domain << "\n";
+
+        os << "--- Abstract state ---\n";
+        os << from_inv << "\n";
+
+        return false;
+    }
+
+    return true;
+} catch (std::exception& e) {
+    os << "Error occurred while checking constraints: " << e.what() << "\n";
+    return false;
+}
+
+std::set<std::string> ebpf_get_invariants_at_label(const std::string& label)
+{
+    // If the label is malformed, throw an exception so the caller can handle it.
+    label_t l = label_t(label);
+
+    if (!saved_pre_invariants.has_value()) {
+        return {};
+    }
+    if (saved_pre_invariants.value().find(l) == saved_pre_invariants.value().end()) {
+        return {};
+    }
+    return saved_pre_invariants.value().at(l).to_set().value();
 }

src/crab_verifier.hpp

@@ -26,3 +26,41 @@ int create_map_crab(const EbpfMapType& map_type, uint32_t key_size, uint32_t val
 EbpfMapDescriptor* find_map_descriptor(int map_fd);
 
 void ebpf_verifier_clear_thread_local_state();
+
+/**
+ * @brief Given a label and a set of concrete constraints, check if the concrete constraints match the abstract
+ * verifier constraints at the label. Requires the `store_pre_invariants` option to be set.
+ *
+ * Abstract constraints are computed by the verifier and stored if the `store_pre_invariants` option is set.
+ * These constraints represent the program state at a specific point in the control flow graph,
+ * as determined by the static analysis performed by the verifier.
+ *
+ * If the 'store_pre_invariants' option is not set, this function will always return false along with an error message.
+ * This is because the verifier did not store the abstract constraints at each label.
+ *
+ * For invalid labels, this function will return false along with an error message.
+ *
+ * @param[in,out] os Print output to this stream.
+ * @param[in] label The location in the CFG to check against.
+ * @param[in] constraints The concrete state to check.
+ * @return true If the state is valid.
+ * @return false If the state is invalid.
+ * @throw std::invalid_argument If the label format is invalid
+ * @throw std::out_of_range If the label value causes numeric overflow
+ */
+bool ebpf_check_constraints_at_label(std::ostream& os, const std::string& label,
+                                     const std::set<std::string>& constraints);
+/**
+ * @brief Get the invariants at a given label. Requires the `store_pre_invariants` option to be set.
+ *
+ * If the 'store_pre_invariants' option is not set, this function will return an empty set
+ * as no invariants were stored during verification.
+ *
+ * @param[in] label The label in the CFG where invariants should be retrieved
+ * @return The set of invariants at the given label.
+ *         Each invariant represents a constraint on the program state at this point.
+ *         Returns an empty set if no invariants are available.
+ * @throw std::invalid_argument If the label format is invalid
+ * @throw std::out_of_range If the label value causes numeric overflow
+ */
+std::set<std::string> ebpf_get_invariants_at_label(const std::string& label);

src/test/ebpf_yaml.cpp

@@ -99,6 +99,7 @@ struct RawTestCase {
     vector<std::tuple<string, vector<string>>> raw_blocks;
     vector<string> post;
     std::set<string> messages;
+    std::map<std::string, std::set<std::string>> invariants_to_check;
 };
 
 static vector<string> parse_block(const YAML::Node& block_node) {
@@ -126,6 +127,21 @@ static std::set<string> as_set_empty_default(const YAML::Node& optional_node) {
     return vector_to_set(optional_node.as<vector<string>>());
 }
 
+static std::map<std::string, std::set<std::string>> parse_invariants_to_check(const YAML::Node& case_node) {
+    if (!case_node["invariants-to-check"].IsDefined() || case_node["invariants-to-check"].IsNull()) {
+        return {};
+    }
+    std::map<std::string, std::set<std::string>> res;
+    try {
+        for (const auto& node : case_node["invariants-to-check"]) {
+            res.emplace(node.first.as<string>(), vector_to_set(node.second.as<vector<string>>()));
+        }
+    } catch (const YAML::Exception& e) {
+        throw std::runtime_error("Error parsing 'invariants-to-check': " + std::string(e.what()));
+    }
+    return res;
+}
+
 static RawTestCase parse_case(const YAML::Node& case_node) {
     return RawTestCase{
         .test_case = case_node["test-case"].as<string>(),
@@ -134,6 +150,7 @@ static RawTestCase parse_case(const YAML::Node& case_node) {
         .raw_blocks = parse_code(case_node["code"]),
         .post = case_node["post"].as<vector<string>>(),
         .messages = as_set_empty_default(case_node["messages"]),
+        .invariants_to_check = parse_invariants_to_check(case_node),
     };
 }
 
@@ -210,7 +227,9 @@ static TestCase read_case(const RawTestCase& raw_case) {
                     .assumed_pre_invariant = read_invariant(raw_case.pre),
                     .instruction_seq = raw_cfg_to_instruction_seq(raw_case.raw_blocks),
                     .expected_post_invariant = read_invariant(raw_case.post),
-                    .expected_messages = raw_case.messages};
+                    .expected_messages = raw_case.messages,
+                    .invariants_to_check = raw_case.invariants_to_check,
+                    };
 }
 
 static vector<TestCase> read_suite(const string& path) {
@@ -251,6 +270,10 @@ std::optional<Failure> run_yaml_test_case(TestCase test_case, bool debug) {
         test_case.options.simplify = false;
     }
 
+    if (!test_case.invariants_to_check.empty()) {
+        test_case.options.store_pre_invariants = true;
+    }
+
     ebpf_context_descriptor_t context_descriptor{64, 0, 4, -1};
     EbpfProgramType program_type = make_program_type(test_case.name, &context_descriptor);
 
@@ -261,6 +284,21 @@ std::optional<Failure> run_yaml_test_case(TestCase test_case, bool debug) {
         ss, test_case.instruction_seq, test_case.assumed_pre_invariant, info, test_case.options);
     std::set<string> actual_messages = extract_messages(ss.str());
 
+    for (auto& [label, expected_invariant] : test_case.invariants_to_check) {
+        ss = {};
+        try {
+            if (!ebpf_check_constraints_at_label(ss, label, expected_invariant)) {
+                // If debug is enabled, print the output of ebpf_check_constraints_at_label.
+                if (debug) {
+                    std::cout << ss.str();
+                }
+                actual_messages.insert(label + ": Concrete invariants do not match abstract invariants");
+            }
+        } catch (const std::exception& e) {
+            actual_messages.insert(label + ": Exception occurred during invariant check");
+        }
+    }
+
     if (actual_last_invariant == test_case.expected_post_invariant && actual_messages == test_case.expected_messages) {
         return {};
     }

src/test/ebpf_yaml.hpp

@@ -14,6 +14,7 @@ struct TestCase {
     InstructionSeq instruction_seq;
     string_invariant expected_post_invariant;
     std::set<std::string> expected_messages;
+    std::map<std::string, std::set<std::string>> invariants_to_check; ///< Map from label to expected invariants, used for validating program state at specific labels during test execution.
 };
 
 void foreach_suite(const std::string& path, const std::function<void(const TestCase&)>& f);